Preventing financial crime
5.1. Money Laundering and Financial Crime
What do you need to know?
Money Laundering can take many forms (5.1.1)
Systems and Controls are in place to deter Money Laundering (5.1.6)
Regulation requires firms to have an individual who is approved by the Financial Conduct Authority (FCA) and appointed as Money laundering Reporting Officer (MLRO). At ShareIn the role of MLRO is filled by Jude Cook. (5.1.6)
A risk based approach is applied which can change dependant on the category of client (5.1.7)
The steps we take at ShareIn when a potential investor wants to invest in a project, what forms of identity are acceptable and who cannot be accepted as a client (5.1.8)
What a Suspicious Activity Report (SAR) is, who to report to and what happens with the report once completed (5.1.9)
All employees should be aware of, and given training on, the risks of Money Laundering / Terrorist Financing (5.1.10)
We must keep copies of Client Identity, Client transactions and any Suspicious Activity Reports that have been completed for 5years (5.1.11)
Any financial services business that becomes involved with criminal money will suffer severe reputational damage, possible criminal prosecution and will risk losing its authorisation to conduct financial services business. Accordingly, it is essential that all members of staff are and remain aware of the risks of becoming involved in money laundering, and of the procedures ShareIn have adopted to manage this risk.
We operate within a legal and regulatory structure that places major obligations on our business and us as individuals to assist in preventing money laundering.
We use a third party to transmit funds to the project on behalf of the investor only once the fundraising has been successfully closed. As such, the investors are AML checked by this third party Mangopay.
We do have an obligation to conduct due diligence and AML checks on the projects and our clients themselves, before the fundraising begins as part of the on-boarding process.
5.1.2. What is Money Laundering?
Money laundering is the means whereby criminals use various methods to conceal the identity of illegally obtained money, so that it appears to have come from a legal source. Furthermore, it enables criminals to maintain control of their illicit assets and to operate what are ostensibly respectable businesses as fronts for their activities.
Money laundering can take many forms, including:
Trying to turn money raised through criminal activity, such as drug trafficking, into 'clean' money (that is classic money laundering).
Handling the benefit of acquisitive crimes such as theft, fraud and tax evasion.
Handling stolen goods.
Being directly involved with any criminal or terrorist property, or entering into arrangements to facilitate the laundering of criminal or terrorist property.
Criminals investing the proceeds of their crimes in the whole range of financial products.
Furthermore, there are three broad groups of offences that you need to avoid committing:
Knowingly assisting (in a number of specified ways) in concealing or entering into arrangement for the acquisition, use and/or possession of criminal property.
Failing to report knowledge, suspicion, or where there are reasonable grounds for knowing or suspecting that another person is engaged in money laundering.
Tipping off, or prejudicing an investigation.
Under previous regulations it was an offence to knowingly provide a false or misleading statement about financial crime. Under MLR 2017 this has been expanded to include statements that are not knowingly false but which are made recklessly, with little regard as to whether or not they are false.
It follows that the key aim of money laundering legislation is to attack the proceeds of crime. If funds derived from, for instance, drug trafficking, human trafficking or terrorism are detected and confiscated, it will have a direct impact on reducing these illegal activities.
5.1.3. The Stages of Money Laundering
The starting point of money laundering is often (especially when drug trafficking and some other serious crimes, such as robbery, are concerned) cash, which needs to be processed through the financial system. Whatever method is used by the criminals, and whatever the source of the illegal funds, this activity falls into three basic stages:
Placement. The physical disposal of cash proceeds derived from illegal activity. For example, the cash can be paid into a bank or used to buy high value goods, property or business assets.
Layering. The structuring of complex layers of financial transactions to conceal the source of the funds. For example, goods or other assets can be resold or funds transferred abroad.
Integration. The provision of apparent legitimacy to the proceeds of crime by returning them into the economy as bona fide business funds.
Generally speaking, the criminal is at his/her most vulnerable at the placement stage, since at this point the money has not been layered and so should be easier to identify as the proceeds of crime. However, many criminals can try to confuse the trail. For instance, they may pay the money into a bank by inflating the takings of an ostensibly bona fide business. It is therefore a requirement that all firms that accept large sums of cash take steps to satisfy themselves as to the origin of the funds concerned. Placement can also consist of the purchase of high value goods or property, which are then sold on to produce apparently legitimate proceeds.
Layering is often very complicated. It can involve paying money abroad in settlement of bogus trade invoices, possibly using 'shell companies'. This is also the point where the funds can be used to purchase investments, which can be realised in due course by the criminals.
Integration takes place when the layered funds are used to purchase assets or invest in genuine businesses. By this point, the funds are far removed from the original 'hot money' and as a result do not generally arouse suspicion.
5.1.4. AML Laws, Regulations and Guidance
In the UK, there has been a long-standing obligation to have effective procedures in place to detect and prevent money laundering. The UK anti-money laundering Regulations, applying to financial institutions, date from 1993.
Currently operating within the UK is a series of measures covering laws (acts of parliament), regulations and guidance. It can best be summarised as follows:
Proceeds of Crime Act 2002 (POCA) as amended by the Serious Crime Act 2015 - Defines money laundering offences and gives exemption from civil liability for money laundering disclosures.
Terrorism Act 2000 as amended by the Anti-Terrorism Crime & Security Act 2001 - Offences applicable to terrorist crime and funding.
Counter Terrorism Act 2008 - Empowers the Treasury to direct financial services firms to take specific actions against terrorist financing.
Bribery Act 2010 - Any money or benefit given to induce someone to act improperly in his/her employment is the proceeds of crime.
Crime and Courts Act 2013 - Establishes the National Crime Agency (NCA) and abolishes the Serious Organised Crime Agency (SOCA).
Money Laundering Regulations 2017 - Places legal obligations on businesses and professions to combat money laundering, including the appointment of a money laundering reporting officer (MLRO).
Joint Money Laundering Steering Group (JMLSG) guidance 2007-2017 - Detailed measures that regulated firms must put in place to comply with the laws and regulations.
The FCA is the principal UK regulator supervising the anti-money laundering (AML) regime for the financial services industry. With this in mind, during April 2013, the FCA issued some financial crime guidance. This guidance:
Consolidates FCA guidance on financial crime but does not contain rules and its contents are not binding.
Provides assistance to firms on steps that can be taken to reduce their financial crime risk.
Aims to enhance understanding of FCA expectations and help firms to assess the adequacy of their financial crime systems and controls, and remedy deficiencies.
Is designed to help firms adopt a more effective, risk-based and outcomes-focused approach to mitigating financial crime risk.
Contains information drawn primarily from FCA thematic reviews.
Is not a stand-alone document (as it does not attempt to set out all applicable requirements) and therefore should be read in conjunction with existing laws, rules and guidance on financial crime.
Further details of the FCA's guide can be found in the Regulatory Guides section of the FCA Handbook.
The National Crime Agency
The National Crime Agency (NCA) leads UK law enforcement's fight to cut serious and organised crime and has national and international reach. It also has the mandate and powers to work in partnership with other law enforcement organisations to bring the full weight of the law to bear on serious and organised criminals. With effect from 7 October 2013, the NCA replaced the Serious Organised Crime Agency (SOCA).
It is its intention to have a single comprehensive picture of serious and organised crime affecting the UK, drawing on information and intelligence from a wide range of sources, which drives its operational activity.
The NCA delivers this activity through:
Pursuit - Identify and disrupt serious and organised crime by investigating and enabling the prosecution of those responsible.
Prevention - Prevent people from becoming involved in serious and organised criminal activity.
Protection - Reduce the impact of serious and organised crime.
Preparation - Strengthen protection against serious and organised crime.
5.1.5. Senior Management Responsibility
Senior management responsibility for anti-money laundering activity is of growing importance, particularly within FCA regulated businesses. This ties in with the need for anti-money laundering policies and procedures to be part of the firm's entire risk management activity.
Senior management of FCA regulated firms must:
Allocate to a director or senior manager (who may or may not be the MLRO - "Money Laundering Reporting Officer") overall responsibility for the establishment and maintenance of the firm's AML systems and controls.
Appoint an appropriately qualified senior member of the firm's staff as the MLRO.
Provide direction to and oversight of the firm's anti-money laundering strategy.
At least once in each calendar year, an FCA regulated firm should commission a report from its MLRO on the operation and effectiveness of the firm's systems and controls to combat money laundering. The MLRO may also wish to report to senior management more frequently than annually, as circumstances dictate. When senior management receives reports from the firm's MLRO it should consider them and take any necessary action to remedy any deficiencies identified in a timely manner.
5.1.6. Internal Controls/MLRO
Monitoring customer activity during the life of the business relationship is key to helping the firm identify suspicious transactions or unusual activity. Frequency and intensity of monitoring will depend on the risk assessment of customers or classes of customers. In its guidance notes, the JMLSG ("Joint Money Laundering Steering Group") suggests that monitoring can be conducted on a manual or automated basis. It also sets out guidance on the typical contents scope of monitoring arrangements.
The regulations impose on businesses five main duties to deter and detect money laundering:
Identification of customers ('know your customer').
Implementation of record-keeping procedures.
Establishment of internal reporting procedures and, where money laundering is suspected, external reporting to the authorities.
Relevant internal control and communication procedures to forestall and prevent money laundering.
Implementation of regular training programmes for employees to maintain their awareness of their employer's money laundering compliance procedures.
In addition, there is the requirement to designate a senior member of staff to be the Money Laundering Reporting Officer (MLRO). This role is currently filled by Jude Cook. The role of MLROhas been designated as a controlled function under Section 59 of FSMA ("Financial Services and Markets Act"). As a consequence, any person invited to perform this function must be individually approved by the FCA for individual approval of the person to be appointed as an MLRO. The firm itself has an obligation under SYSC ("Senior Management Arrangements, Systems and Control Sourcebook") to appoint as MLRO someone with a sufficient level of seniority within the firm.
The MLRO is responsible, under delegation from senior management, for oversight of the firm's compliance with FCA rules and guidance on anti-money laundering systems and controls. In particular the MLRO will be responsible for the following:
Identification of the firm's money laundering risk profile.
Development and documentation of the firm's customer identification procedures and risk management policies and processes, and regular assessment of their adequacy.
Oversight of the firm's compliance with its obligations to train staff in its anti-money laundering policy. This will include ensuring that staff training is offered, that staff training records are kept, and that the training is of an appropriate standard and scope to ensure staff are aware of their obligations and alert to money laundering risks.
Provision of reports to senior management on the operation of the firm's anti-money laundering systems and controls. The FCA expects this to include a formal report to senior management at least annually, and the JMLSG's guidance notes recommend that firms should determine whether or not reports should be prepared more frequently.
Risk assessment of proposed new activities, including in relation to new products, new customers and any changes to the firm's business profile.
Ensuring that the firm obtains and stays up to date with national and international findings on deficiencies in the anti-money laundering regimes of other jurisdictions.
In order that the MLRO can perform effectively, firms must ensure that the MLRO:
Is sufficiently senior. He/she will be either a member of senior management or directly responsible to someone who is.
Is able to liaise closely with other functions of the firm dealing with other aspects of financial crime such as fraud and market abuse.
Has the authority to act independently.
Has access to the relevant business information to enable him/her to consider fully internal reports. This might include details of the financial circumstances of a customer (or underlying customer), and relevant features of the transactions concerned.
Is able to access the FCA and law enforcement agencies such as the National Crime Agency (NCA) and be free to liaise directly with NCA on the question whether the firm can proceed with a transaction in respect of which a report has been made.
Have sufficient resources available to him/her, including appropriate staff and technology.
The JMLSG guidance notes expand on the obligation of firms to establish appropriate procedures of internal control and communication for the purposes of forestalling and preventing money laundering. This obligation is imposed on all firms carrying out relevant business under the 2017 regulations and similar regulatory obligations apply in SYSC to FCA regulated firms.
Accordingly, to establish the nature and extent of adequate systems and controls, we need to consider factors including the following:
The nature, scale and complexity of our business.
The diversity of our operations (across business lines and geographically).
Our customer, product and activity profile.
Our distribution channels.
The volume and size of our transactions.
The degree of risk associated with each area of our operation.
In essence, the review of adequacy of systems and controls should include:
Senior management accountability and appointment of a sufficiently senior person as our MLRO.
Appropriate anti-money laundering training for our staff so that they are aware of their legal and regulatory responsibilities and their role in handling criminal property and money laundering/terrorist financing risk management.
Appropriate provision of regular and timely information to senior management relevant to the management of our risks relating to criminal property, money laundering or terrorist financing. This should include at least an annual report from our MLRO on the operation and effectiveness of the systems and controls in place.
Appropriate documentation of our risk management policies and risk profile in relation to money laundering.
Appropriate measures to ensure that money laundering risk is taken into account in the day-to-day operation of the firm, in relation to, for example, the development of new products, the taking on of new customers and changes to our business profile.
Should we have outsourced any of our systems or controls (or processing), we should have regard to the FCA's guidance on appropriate control and oversight of outsourced activities, since FCA regulated firms retain responsibility for any activities they have outsourced.
5.1.7. Risk-Based Approach
The Money Laundering Regulations 2017, as well as regulatory guidance, require a risk-based approach to be applied to both verification of identity and further customer due diligence (CDD) activity. It is now accepted that it is unrealistic to apply the same level of checking to all types of clients. It is now permitted to perform reduced checks (simplified due diligence) on those clients whom you consider present a low risk of money laundering, while being required to undertake more thorough checks on those clients whom you consider to be higher risk propositions.
Whatever approach is considered most appropriate to the firm's money laundering/terrorist financing risk, the broad objective is that we should know who our customers are, what they do, and whether they are likely to be engaged in criminal activity. The profile of their financial behaviour will build up over time, allowing us to identify transactions or activity that may be suspicious.
However carried out, a risk-based approach requires the full commitment and support of senior management, and the active co-operation of business units. The risk-based approach needs to be part of our philosophy, and as such reflected in our procedures and controls. There needs to be a clear communication of policies and procedures across the firm. We also need to have robust mechanisms to ensure that they are carried out effectively, weaknesses are identified, and improvements are made wherever necessary.
A risk assessment will often result in a stylised categorisation of risk. For example, high/medium/low. Criteria will be attached to each category to assist in allocating customers and products to risk categories. This will help determine the different treatments of identification, verification, additional customer information and monitoring for each category, in a way that minimises complexity. Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer and from one firm to another.
In identifying and assessing the money laundering or terrorist financing risks, firms must take account of whether new products and new business practices are involved, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products. As well as being specifically required under Regulation 19 of MLR 2017 to assess whether there is a high risk of ML/TF in a particular situation, such risk assessment should take place prior to the launch of the new products, business practices or the use of new or developing technologies. JMLSG 2017 guidance advises appropriate measures should be taken to manage and mitigate those risks, including where relevant in particular cases of enhanced due diligence measures.
Under the Money Laundering Regulations 2017, you are permitted to apply simplified CDD (if you have determined that the business relationship or transaction presents a low degree risk of money laundering) when the following circumstances apply. You must of course verify that the client is in the category claimed and therefore eligible for this exemption. If any doubts exist, you should carry out risk assessment in the normal way. Note here that a determination that simplified DD measures may be applied in a particular situation does not remove the obligation to conduct ongoing monitoring of the business relationship, although the extent of this may be adjusted to reflect its determination of the low degree of money laundering/terrorist financing risk. Such determination does not affect the duty to report knowledge of such.
The client is itself a financial institution regulated in the UK, the EU or a comparable jurisdiction (except for the specific case of a money service operator which does not qualify for this exemption).
The client is a listed company whose securities are traded on a regulated market in the UK, the EU or a comparable jurisdiction.
The client is a beneficial owner of a pooled account held by an independent legal professional in the UK, the EU or a comparable jurisdiction and information on the beneficial owner is available to the depositary institution holding the pooled account.
If the holder of the above pooled account in in another EEA state, the holder is subject to the requirements in national legislation implementing the fourth money laundering directive, and is supervised for compliance with these requirements.
The client is a public administration, or a publicly owned enterprise.
Carries out an occasional transaction that amounts to a transfer of funds within the meaning of Article 3.9 of the transfer of funds regulation which amounts to less than 1000 EUR.
A transaction carried out other than in the course of a business relationship (e.g. single foreign currency transaction, or an isolated instruction to purchase shares), amounting to less that 15,000 EUR, whether the transaction is a single operation or in several operations which appear to be linked.
The product is a life insurance policy for which the premium is low.
The product is a pension or superannuation scheme to provide retirement benefits to employees, where contributions are made by the employer or by reduction from employee wages.
The product is electronic money stored in a non-rechargeable device with a maximum capacity of €250, (if the amount stored can only be used in the United Kingdom €500) or in a rechargeable device with an annual transaction limit of €2,500.
The product is a child trust fund as defined in the Child Trust Funds Act 2004 or is a Junior ISA.
In respect of Junior ISAs, although SDD measures may be applied, firms will, in due course need to verify identity at the point in which the child reaches 18 and becomes entitled to the funds, or at the next 'trigger' event thereafter (unless the child's identity has by then already been verified for the purposes of some other relationship).
Regulation 37 of the MLR 2017 advises SDD measures must not be applied, or continue to be applied, where: the firm's risk assessment changes and it no longer considers that there is a low degree of risk of ML/TF; where the firm suspects money laundering or terrorist financing; or where there are doubts about the accuracy and authenticity of the documents or information previously provided by the customer.
Under the Money Laundering Regulations 2017, you must on a risk-sensitive basis apply enhanced due diligence measures in any situation by which its nature can present a higher risk of money laundering or terrorist financing. As part of this, a firm may conclude, under its risk-based approach, that the information it has collected as part of the customer due diligence process is insufficient in relation to the risk posed, and that it must obtain additional information about a particular customer, the customer's beneficial owner (where applicable) and the purpose and intended nature of the business relationship.
The extent of additional information sought, and of any monitoring carried out in respect of any particular business relationship will depend on the ML/TF risk that it poses to the firm. JMLSG 2017 Guidance notes advise that at all time firms should bear in mind their obligations under the Data Protection Act (DPA) -- and its 25 May 2018 successor the General Data Protection Regulation (GDPR) -- only to seek information that is needed for the declared purpose, not to retain personal information longer than is necessary, and to ensure all information is up to date.
At ShareIn as part of the risk based approach for enhanced due diligence we will first ask more questions of the individual as to establish the nature of the match result. A signed letter of declaration may also be requested from the individual advising that the individual is unknown to them or describing the link if there is one.
In addition to the general obligation referred to above regarding EDD measures, the Money laundering Regulations provide six specific examples of when EDD must be applied:
In any case identified by the firm under its risk assessment (or in the information provided by the supervisory authorities) where there is a high risk of ML/TF.
A respondent bank in a non-EEA state and the firm is in a correspondent banking relationship.
In any business relationship or transaction with a person established in a high-risk third country.
A politically exposed person (PEP), or a family member or known close associate of a PEP.
A client that has provided false or stolen documentation or information and the relevant person proposes to continue to deal with that client.
A transaction is complex and unusually large, unusual patterns of transactions or transactions which have no apparent economic or legal purpose.
We must conduct ongoing monitoring of the business relationship with our clients, including the scrutiny of transactions undertaken throughout the course of the relationship and keeping due diligence information up to date. It is important to note here that ShareIn are ultimately accountable from a ML/TF perspective, however standard KYC checks are also completed by a third party MangoPay who are our investment intermediary.
5.1.8. Customer Due Diligence
The CDD and monitoring obligations on firms under both legislation and regulation are designed to make it more difficult for the financial services industry to be used for money laundering or terrorist financing. Firms also need to know who their customers are to guard against fraud, and the risk of committing offences under POCA and the Terrorism Act, relating to the above.
Therefore we need to carry out customer due diligence and monitoring for two main reasons:
To help us, at the time due diligence is carried out, to be reasonably satisfied that customers are who they say they are, to know whether they are acting on behalf of another, and that there are no legal barriers (e.g. government sanctions) to providing them with the product or service requested;
To enable us to assist with law enforcement, by providing available information on customers or activities being investigated.
Who is the Client?
Identifying who exactly is our client can be straightforward. But it can also be a complex process when we are dealing with someone who is acting on behalf of another party, or where the proposed transaction to be entered into involves complex structures or a number of different parties.
Under the 2017 regulations, an 'applicant for business' includes any natural or legal person who seeks to enter into a business relationship or conduct a one-off transaction with a firm as principal or as an agent for someone else.
Application of Customer Due Diligence Measures.
Under Regulation 27 of the Money Laundering Regulations we must apply CDD measures when we do any of the following:
Establishes a business relationship
Carries out an occasional transaction
Suspects money laundering or terrorist financing
Doubts the veracity of documents or information previously obtained for the purpose of identification or verification.
Who Should Not Be Accepted as a Client?
It is a criminal offence under the UK financial sanctions legislation to make funds available to any of the targets (or the agents of those targets) listed on the consolidated financial sanctions list maintained by OFSI (Office of Financial Sanctions Implementation). We should therefore check the most up-to-date version of this list for a match against an applicant's name.
OFSI's consolidated list includes:
All names on target lists relating to UN financial sanctions measures for the prevention and suppression of terrorist acts (which are directly implemented in the EU by binding and directly applicable EC regulations).
All names on target lists relating to EU/UN countries/regimes and specific measures (aimed at targeting specific individuals and entities connected with the political leadership of targeted countries).
The names of all proscribed organisations under UK anti-terrorism legislation that are subject to financial sanctions.
OFSI may also be contacted directly to provide guidance and to assist with any concerns regarding the implementation of financial sanctions:
Office of Financial Sanctions Implementation
1 Horse Guards Road
Tel: +44 (0) 20 7270 5454
In relation to proscribed organisations, however, firms should also consult the list of proscribed organisations maintained by the Home Office pursuant to the Terrorism Act 2000 as amended from time to time, since this also contains up-to-date information on aliases.
In addition to the above, the Treasury can direct that a firm may not enter into a business relationship or carry out a one-off transaction in relation to a person based or incorporated in a non-EEA country subject to Financial Action Task Force (FATF) countermeasures. Firms operating internationally should also be aware of trade sanctions imposed on particular countries and decide whether these have implications for their procedures.
Possible Exceptions to the Requirement to Verify Client Identity
If we already know or suspect that a proposed business relationship or one-off transaction involves money laundering or terrorist financing, then even if the client falls into one of the categories below, there will be no applicable exception.
The identity of a client may not need to be verified if:
The client qualifies for simplified due diligence under the 2017 regulations.
The client had an existing business relationship with us, established before 1 April 2004.
The client has come to us as a result of us acquiring another financial services firm or a portfolio of clients (subject to underlying client identity records being supplied at time of acquisition and a warranty being provided by the seller to the effect that the identity of all acquired clients has been verified. It is recommended that, prior to acquisition, sample testing of client identity records is undertaken as part of the due diligence exercise).
Existing Business Relationship
If the relationship with the existing client has changed since original onboarding, or if the client has taken on new products or services, you should review the identity information you are holding and ensure it conforms to current standards.
Even where the exception applies, we are required to hold information to demonstrate that we know our customers, which will necessitate obtaining up-to-date customer information from time to time. Not confirming the identity of existing customers could expose us to risk of financial crime, which could be a breach of the 2017 regulations.
Steps we take at ShareIn.
The below steps outline what will happen when a potential investor wants to invest to a project:
The potential investor will complete registration information to generate a profile. This information will include:
o First Name
o Valid email address
o Date of Birth
o Country of Residence
Once the profile has been created, an appropriateness test will need to be completed -- this will determine if the investor meets the characteristics necessary to be considered appropriate for this project.
If the investor wishes to proceed and contribute towards this project (and the appropriateness test has deemed them suitable for such) an amount must next be specified as to how much they wish to invest.
If the investment is over €2500 (or if the withdrawal of funds is over €1000) ID will be requested from the investor. Examples of ID that can be accepted include the below, noting here that proof of address may also be requested if we are deem the ID to be unsatisfactory. The examples of ID below are appropriate for Individual persons, examples of suitable ID for other types of clients are listed further down in this manual.
o Valid Passport
o Valid photocard driving licence
o National identity card (for nationals of countries who issue them)
o Firearms certificate or shotgun licence.
The above documents are then passed to our third-party payment provider MangoPay for processing.
The MangoPay Policy brief dated 29^th^ March 2017 describes their AML/KYC checking as:
o Using both human and electronic verification systems -- an in-house team in Luxembourg and two external electronic service providers that check the validity of ID documents and screen individuals through PEP and Sanctions databases.
If any of the above is not satisfied or completed in full (i.e. registration information, app test, ID submitted) then the investor will not be permitted to continue with the investment journey and funds will not be moved.
Additional checks that are performed on the ShareIn platform are:
o Blacklisted emails
o Event Logs
o Suspicious Activity
o Trigger monitoring
Identifying the Client and Verifying Identification Evidence
If an exception does not apply, satisfactory identification evidence for the client should be obtained and verified as soon as reasonably practicable after first contact between us and the client. That is, as soon as practicable after the business relationship has been formed.
Sometimes there may be a delay between the formation of the business relationship and the verification of the client's identity. For example, in non-face-to-face business. In this case, our risk management procedures should limit the extent of the relationship until such time as the verification is complete. An example would be imposing restrictions on the transactions the customer can enter into, or on the transfer of funds.
If we cannot satisfactorily verify identity, we should not proceed with the business relationship, and should consider whether the circumstances require making a report to the National Crime Agency (NCA). If it is simply the case that the client cannot produce the correct documents or information, we should consider whether there is any other way we can satisfy ourselves as to identity.
The JMLSG's 2017 guidance notes set out guidance on the identification requirements for all types of clients.
5.1.9. Suspicious Activity Reporting
You must raise an internal report where you have knowledge or suspicion, or where there are reasonable grounds for having knowledge or suspicion, that another person is engaged in money laundering, or that terrorist property exists.
Our MLRO must consider all internal reports.
Our MLRO must make an external report to the National Crime Agency (NCA) as soon as is practicable if he/she considers that there is knowledge, suspicion, or reasonable grounds for knowledge or suspicion, that another person is engaged in money laundering, or that terrorist property exists.
We must seek consent from NCA before proceeding with a suspicious transaction or entering into suspicious arrangements.
We must freeze funds if a customer is identified as being on the consolidated list on the Treasury website of suspected terrorists or sanctioned individuals and entities and make an external report to the Treasury.
It is a criminal offence for anyone, following a disclosure to the MLRO or to NCA, to do or say anything that might either 'tip off' another person that a disclosure has been made or prejudice an investigation.
Our MLRO must report suspicious approaches, even if no transaction takes place.
Enquiries made in respect of disclosures must be documented.
The reasons why a suspicious activity report (SAR) was, or was not, submitted should be recorded.
Any communications made with or received from the authorities, including NCA, in relation to a SAR should be maintained on file.
In cases where advance notice of a transaction or of arrangements is given, the need for prior consent before it is allowed to proceed should be considered.
The JMLSG guidance notes provide an overview of how firms can identify suspicious activities, the practical steps to be taken when a suspicious activity has been identified, and the content of internal and external reports. This section of the JMLSG2017 guidance notes is summarised in the next section below.
Knowledge, Suspicion or Reasonable Grounds to Know or Suspect
Understanding what constitutes knowledge, suspicion or reasonable grounds to know or suspect is obviously key to understanding the circumstances where we must make internal and external reports.
In its guidance notes, the Joint Money Laundering Steering Group (JMLSG) advises that:
Having knowledge means actually knowing something to be true. In a criminal court, it must be proved that the individual in factknew that a person was engaged in money laundering. That said, knowledge can be inferredfrom the surrounding circumstances. So, for example, a failure to ask obvious questions may be relied upon by a jury to imply knowledge. The knowledge must, however, have come to the firm (or to the member of staff) in the course of business or (in the case of the MLRO) as a consequence of a disclosure under Section 330 of POCA (the "Proceeds of Crime Act") or Section 21A of the Terrorism Act. Information that comes to us in other circumstances does not come within the scope of the regulated sector obligation to make a report. This does not preclude a report being made should you choose to do so, or if obligated to do so by other parts of these Acts.
Suspicion is more subjective and falls short of proof based on firm evidence. Suspicion has been defined by the courts as being beyond mere speculation and based on some foundation. For example: "A degree of satisfaction and not necessarily amounting to belief but at least extending beyond speculation as to whether an event has occurred or not". Also, "Although the creation of suspicion requires a lesser factual basis than the creation of a belief, it must nonetheless be built upon some foundation."
A transaction which appears unusual is not necessarily suspicious. Even customers with a stable and predictable transactions profile will have periodic transactions that are unusual for them. Many customers will, for perfectly good reasons, have an erratic pattern of transactions or account activity. So the unusual is, in the first instance, only a basis for further enquiry, which may in turn require judgement as to whether it is suspicious. A transaction or activity may not be suspicious at the time, but if suspicions are raised later, an obligation to report then arises.
A member of staff, including the MLRO, who considers a transaction or activity to be suspicious would not necessarily be expected either to know or to establish the exact nature of any underlying criminal offence, or that the particular funds or property were definitely those arising from a crime or terrorist financing.
Again, noting here that under previous regulations it was an offence to knowingly provide a false or misleading statement about financial crime. With the MLR 2017 update this has been expanded to include statements that are not knowingly false, but which are made recklessly, with little regard as to whether or not they are false.
Internal Report to the Nominated Officer
Whatever your role, you must report directly to the MLRO where you have grounds for knowledge or suspicion of money laundering or terrorist financing. You may first want to speak with your line manager, unless he/she is party to the transaction. The obligation under POCA is to report 'as soon as is reasonably practicable', and so any such discussion should take this into account.
Whether or not you consult colleagues, the legal obligation remains with you to decide for yourself whether a report should be made. You must not allow colleagues to decide for you. Where a colleague has been consulted, he/she will then have knowledge on the basis of which he/she must consider whether a report to the MLRO is necessary.
All suspicions reported to the MLRO should be documented or recorded electronically. The report should include full details of the customer who is the subject of concern and as full statements as possible of the information giving rise to the knowledge or suspicion. These statements are also to include the whereabouts of any laundered property where possible. All internal enquiries made in relation to the report should also be documented or recorded electronically. This information may be required to supplement the initial report or as evidence of good practice and best endeavours if, at some future date, there is an investigation and the suspicions are confirmed or disproved.
Once you have reported your suspicion in an appropriate manner to the MLRO (or deputy), you have fully satisfied your statutory obligation. Until the MLRO advises you that no report to NCA is to be made, you should report any further transactions or activity in respect of that customer to the MLRO (whether of the same nature or different from that giving rise to the previous suspicion).
Consideration of Internal Reports
The MLRO must consider each report and determine whether it gives rise to knowledge or suspicion, or reasonable grounds for knowledge or suspicion. The firm must permit the MLRO to have access to any information, including 'know your customer' information, in our possession which could be relevant. The MLRO may also require further information to be obtained, from the customer if necessary. Alternatively, it could be obtained from an intermediary who introduced the customer to us, to the extent that the introducer still holds the information (bearing in mind his/her own record-keeping requirements). Any approach to the customer or to the intermediary should be made sensitively and probably by someone other than the MLRO, to minimise the risk of alerting the customer or intermediary that a disclosure to NCA may be being considered.
When considering an internal suspicion report, the MLRO, taking account of the risk posed by the transaction or activity being addresses, will need to strike the appropriate balance between the requirement to make a timely disclosure to the NCA, especially if consent is required, and any delays that might arise in searching a number of unlinked systems and records that might hold relevant information.
As part of the review, other known connected accounts or relationships may need to be examined. Connectivity can arise commercially (through linked accounts, introducers, etc.), or through individuals (third parties, controllers, signatories, etc.). Given the need for timely reporting, it may be prudent for the MLRO to consider making an initial report to NCA prior to completing a full review.
If the MLRO decides not to make a report to NCA, the reasons for not doing so should be clearly documented or recorded electronically and retained with the internal suspicion report.
External Reports to NCA
Our MLRO must report to NCA any transaction or activity that, after his/her evaluation, he/she knows or suspects, or has reasonable grounds to know or suspect, may be linked to money laundering or terrorist financing. Such reports must be made as soon as is reasonably practicable after the information comes to him/her.
We should include in each SAR as much relevant information about the customer, transaction or activity as we have in our records. Law enforcement agencies have indicated that details of an individual's occupation/company's business and National Insurance number are valuable in enabling them to access other relevant information about the customer. As there is no obligation to collect this information (other than in very specific cases), we may not hold these details for all our customers. Where we have obtained this information, however, it would be helpful to include it as part of a SAR.
NCA's website contains guidance on completing SARs in a way that gives most assistance to law enforcement. In particular, the NCA has published a glossary of terms, and find it helpful if firms use these terms when completing the SAR. NCA also publish, from time to time, guides to reporting entities.
We must report to the Treasury:
Details of funds frozen under financial sanctions legislation.
Where we have knowledge or a suspicion that the financial sanctions measures have been or are being contravened.
That a customer is a listed person, or a person acting on behalf of a listed person.
We may also need to consider whether we have an obligation to report under POCA or the Terrorism Act.
To avoid committing a failure to report an offence under financial sanctions legislation, we must, as previously indicated, make reports to the Treasury. The relevant unit is: Asset Freezing Unit, HM Treasury, 1 Horse Guards Road, London SW1A 2HQ. Reports can be submitted electronically at firstname.lastname@example.org and the unit can be contacted by telephone on 020 7270 5454.
There is no obligation to make a report to NCA where none of the following is known or suspected:
The identity of the person who is engaged in money laundering.
The whereabouts of any of the laundered property.
That any of the information that is available would assist in identifying that person, or the whereabouts of the laundered property.
If you fail to make disclosures to the MLRO and/or NCA as soon as practicable after attaining the information giving rise to the knowledge or suspicion, we are open to criminal prosecution or regulatory censure. The criminal sanction, under POCA or the Terrorism Act, is a prison term of up to five years, and/or a fine.
We are open to prosecution if we fail to comply with our obligations:
To freeze funds.
Not to make funds, economic resources and (in relation to suspected terrorists) financial services available to listed persons.
To report knowledge or suspicion.
Obtaining Consent to Proceed
A report must be made to NCA where there are grounds for knowledge or suspicion that a transaction, arrangements or the funds/property involved may relate to money laundering. We must seek the NCA's consent to proceed before carrying out the customer's instructions. Indeed, it is an offence for the MLRO to agree to a transaction or activity going ahead until seven working days from the working day following the date of disclosure have expired, unless NCA gives consent.
The MLRO may need to let an activity or transaction (or related transaction) proceed and report it later where:
It is already within an automated clearing or settlement system.
A delay would lead to a breach of a contractual obligation.
It would breach market settlement or clearing rules.
Where the MLRO intends to make a report, but delays doing so for such reasons, POCA provides a defence from making a report where there is a reasonable excuse for not doing so. However, it should be noted that this defence is untested by case law, and would need to be considered on a case-by-case basis.
When consent is needed to undertake a future transaction or activity, or to enter into an arrangement, the disclosure should be faxed or electronically submitted via the SAR online system immediately the suspicion is identified. (See NCA website www.nationalcrimeagency.gov.uk.) Defence requests should not be posted due to the timings involved, and additional postal copies are not required following submission by electronic means or fax. The consent desk will apply the NCA agreed consent criteria to each submission, carrying out the necessary internal enquiries. It will also contact the appropriate law enforcement agency, where necessary, for a consent recommendation. Once NCA's decision has been reached, we will be informed of the decision by telephone, and be given a consent reference number, which should be recorded. A formal consent letter will follow.
If the NCA does not refuse consent within seven working days following the working day after the disclosure is made, we may process the transaction or activity, subject to normal commercial considerations. If, however, consent is refused within that period, a restraint order must be obtained by the authorities within a further 31 calendar days (the moratorium period) from the day consent is refused, if they wish to prevent the transaction going ahead after that date. The moratorium period may be extended, on application by authorities, by up to 31 days at a time, to a maximum of 186 further days in total. In cases where consent is refused, we should consult the law enforcement agency refusing consent to establish what information we can give the customer.
For a defence against a possible later charge of laundering the proceeds of crime in respect of a transaction or activity if it proceeds, we need:
Consent from NCA.
The absence of a refusal of consent within seven working days following the working day after we made the disclosure.
In order to provide a defence against future prosecution for failing to report, the reasons for any conscious decision not to report should be documented or recorded electronically. We should make an appropriate report as soon as is practicable after the event. This should include full details of the transaction, the circumstances precluding advance notice, and to where any money or assets were transferred.
There are no provisions under the Terrorism Act for consent to be given within a specified period. Where we have made a report to NCA under this act, no related transaction or activity is allowed to proceed until we have been contacted by NCA or a law enforcement agency.
How can Firms Avoid Tipping Off or Prejudicing an Investigation?
POCA contains two separate sections creating offences of tipping off and prejudicing an investigation. These sections are similar and overlapping, but there are also significant differences between them. It is important for those working in the regulated sector to be aware of the provisions of both sections. The Terrorism Act contains similar offences.
Once an internal or external suspicion report has been made, it is a criminal offence for anyone to release information which is likely to prejudice an investigation. Reasonable enquiries of a customer, conducted in a tactful manner, regarding the background to a transaction or activity that is inconsistent with the normal pattern of activity is prudent practice. It forms an integral part of CDD ("Customer Due Diligence") measures, and should not give rise to tipping off.
Where a confiscation investigation, a civil recovery investigation or a money laundering investigation is being, or is about to be, conducted, it is a criminal offence for anyone to release information which is likely to prejudice the investigation. It is also a criminal offence to falsify, conceal, destroy or otherwise dispose of documents which are relevant to the investigation (or to cause or permit these offences). It is, however, a defence if the person does not know or suspect that disclosure is likely to prejudice the investigation, or if the disclosure is made in compliance with other provisions of POCA, or similar enactments.
The fact that a transaction is notified to NCA before the event, and NCA does not refuse consent within seven working days following the day after disclosure is made, or a restraint order is not obtained, does not alter the position so far as 'tipping off' is concerned.
This means that we cannot:
At the time, tell a customer that a transaction is being delayed because a report is awaiting consent from NCA.
Later (unless law enforcement/NCA agrees, or a court order is obtained permitting disclosure), tell a customer that a transaction or activity was delayed because a report had been made under POCA.
Tell the customer that law enforcement is conducting an investigation.
The case of Squirrell Ltd v National Westminster Bank Plc (2005) EWHC 664 (Ch) confirmed the application of the above provisions.
If we receive a complaint in these circumstances, we may be unable to provide a satisfactory explanation to the customer, who may then bring a complaint to the Financial Ombudsman Service (FOS). If we receive an approach from the FOS about such a case, we will contact a member of the FOS legal department immediately.
NCA has confirmed that, in such cases, we may tell the FOS legal department about a report to NCA and the outcome. This is on the basis that the FOS will keep the information confidential (which it must do, to avoid any 'tipping off'). The FOS legal department will then ensure that the case is handled appropriately in these difficult circumstances -- liaising as necessary with NCA.
Where we have delayed a transaction while awaiting consent from NCA, it may be the case that the client incurs a perceived or real loss. Such was the case for a Mr Shah, who took the HSBC to court to claim $300 million from the bank for losses incurred when a number of transactions had been delayed whilst HSBC (which had filed a SAR with NCA) awaited consent to proceed. Mr Shah contested that he had lost money because of these delays, and that HSBC was responsible. The judgement was given in the Court of Appeal in May 2012 and was in favour of HSBC and its MLRO.
This case was seen as being very important. It confirmed in case law that a firm complying with its statutory obligations of submitting SARs to NCA on the basis of a suspicion could not be held accountable for any financial costs incurred in making such a report. (Shah v HSBC Private Bank (UK) Limited  EWHC 1283 (QB))
5.1.10. Staff Awareness Training
All relevant employees should be made aware of the risks of money laundering and terrorist financing, the relevant legislation, and their obligations under that legislation.
All relevant employees should be made aware of the identity and responsibilities of our MLRO.
All relevant employees should be trained in our risk-based procedures (which may include case studies and examples relating to our business), and in how to recognise and deal with potential money laundering or terrorist financing transactions or activity.
Staff training should be given at regular intervals, and details recorded.
The MLRO is responsible for oversight of our compliance with requirements in respect of staff training.
The relevant director or senior manager has overall responsibility for the establishment and maintenance of effective training arrangements.
We must provide appropriate training to make relevant employees aware of money laundering and terrorist financing issues, including how these crimes operate and how they might take place through our firm.
We must ensure that relevant employees are provided with information on, and understand, the legal position of the firm and of individual members of staff, and of changes to these legal positions.
We must train relevant employees in how to operate a risk-based approach to AML/CTF.
The JMLSG guidance notes recommend that, rather than adopting a one-size-fits-all approach, we should ensure individual employees are given training tailored to their particular function.
Training should adequately enable staff to recognise when a customer's identification evidence, a transaction or a set of circumstances is suspicious. The JMLSG 2017 guidance notes do set out some typical examples of suspicious customer evidence, transactions or activities. For example, these may include:
Transactions which have no apparent purpose, or which make no obvious economic sense (including where a person makes a loss against tax), or which involve apparently unnecessary complexity.
The use of non-resident accounts, companies or structures in circumstances where the customer's needs do not appear to support such economic requirements.
Where the transaction being requested by the customer, or the size or pattern of transactions is, without reasonable explanation, out of the ordinary range of services normally requested or is inconsistent with our experience in relation to the particular customer.
Dealing with customers not normally expected in that part of the business.
Transfers to and from high-risk jurisdictions, without reasonable explanation, which are not consistent with the customer's declared foreign business dealings or interests.
Where a series of transactions is structured just below a regulatory threshold.
Where a customer who has entered into a business relationship with us uses the relationship for a single transaction or for only a very short period of time.
Unnecessary routing of funds through third party accounts.
Unusual investment transactions without an apparently discernible profit motive.
The money laundering legislation itself contains no provisions on how staff should actually be trained. The appropriate training delivery method is a matter for senior management to consider, and it may be that a mixture of methods is needed. Methods could include classroom training, training videos, e-learning, or paper-based procedures manuals.
In addition to training on recognising suspicious customers, transactions or activities, staff should also be kept up to date on changing money laundering and terrorist financing typologies. Likewise, any changing guidance on the risk from certain individuals or jurisdictions. We also have a high-level obligation under the FCA's Training and Competence Sourcebook to assess staff regularly to ensure they remain competent for the work that they do.
Chapter 8 of the JMLSG 2017 guidance notes sets out the details of what the firm's records should cover, along with guidance on the format in which the records should be kept.
We must retain:
Copies of, or references to, the evidence we obtained of a customer's identity, for five years after the end of the customer relationship.
Details of customer transactions for five years from the date of the transaction.
Details of actions taken in respect of internal and external suspicion reports.
Details of information considered by the MLRO in respect of an internal report where no external report is made.
We must delete any personal data relating to CDD and client transactions in accordance with Regulation 40. Regulation 40 advises upon the expiry of the five-year period referred to above, we must delete any personal data unless:
We are required to retain records containing personal data by, or under, any enactment, or for the purposes of any court proceedings; or
We have reasonable grounds the believing that records containing the personal data needs to be retained for the purpose of any legal proceedings; or
The data subject has given consent to the retention of that data.
We should maintain appropriate systems for retaining records and appropriate systems for making records available when required, within the specified timescales.
Where a firm has an appointed representative, it must ensure that the representative complies with the record-keeping obligations under the Money Laundering Regulations. This principle would also apply where the record-keeping is delegated in any way to a third party (such as to an administrator or an introducer).
Our records should cover:
Internal and external suspicion reports.
MLRO annual (and other) reports.
Information not acted upon.
Training and compliance monitoring.
Information about the effectiveness of training.
Records of all internal and external reports should be retained for five years from the date the report was made. Our records should include:
(a) In relation to training:
Dates AML training was given.
The nature of the training.
The names of the staff who received training and the results of the tests undertaken by staff, where appropriate.
(b) In relation to compliance monitoring:
Reports by the MLRO to senior management.
Records of consideration of those reports and of any action taken as a consequence.
The Money Laundering Regulations do not state where relevant records should be kept. However, the overriding objective is for firms to be able to retrieve relevant information without undue delay. Where the record-keeping obligations under the regulations are not observed, a firm or person is open to prosecution. Consequences include imprisonment for up to two years and/or a fine, or regulatory censure.