In the latest of our legal guide series, BCL partner John Binns explores the sorts of considerations that regulated-sector businesses should have when establishing themselves.
Regulations and guidance
The money laundering regulations (‘MLRs’) provide a useful structure for the sorts of considerations that regulated-sector businesses should have when establishing themselves and throughout their commercial life. Starting with the basics of defining what they do and whether the regulations are engaged, they must then undertake a risk assessment (considering the nature of their business and their client base), and design policies, procedures and training with this in mind. They must register and accept the jurisdiction of their supervising agency, including the prospect of enforcement action.
Lest the prospect of all of that seem too daunting, help is at hand from the regulations themselves, and the industry that has grown up around them. The accumulated wisdom of decades of compliance work, painstakingly supervised, monitored and assessed, has resulted in a vast ecosystem of guidance documents from national and international sources.
The MLRs contemplate that relevant businesses will have regard to such guidance, and this will be considered in the event of questions about whether and to what extent they have been compliant. They also require sector-specific guidance to be produced by each supervisor, which in turn must consider the learning of the UK national risk assessment.
Policies, controls, and procedures
The challenge for those setting up in the regulated sector, then, is to identify the guidance documents (and/or their specific sections) that are most useful to them, and to establish robust systems to put them into practice. To a large extent the business can make use of template systems, outsourced services and software that are suitable for its sector.
It will always be important, however, for those in overall control to give proper consideration to the specifics of how the regulations apply to the business, and to ensure not only that it appoints a Money Laundering Reporting Officer (‘MLRO’), but also that the MLRO has appropriate expertise, support and resources to carry out their functions.
Know your customer
While the specifics of the systems to be operated must depend on the business concerned, it is possible to identify in broad terms at least the basics of what will be required. When establishing a new business relationship or considering a one-off transaction, the regulated-sector business must carry out a Know Your Customer (KYC) procedure to establish basic identifying information, including name, address and date of birth for individuals, the ultimate beneficial owners (UBOs) where appropriate, and an account of the nature of the customer’s business, their source of wealth (in general terms), and the source of the specific funds involved.
The process of verifying this information by collecting certified or other copies of documents (including for example passports and recent utility bills) is referred to as Customer Due Diligence (CDD), with any more in-depth process of exploring these questions being referred to as Enhanced Due Diligence (EDD).
Procedures in practice
Once the systems are in place, the imperative is to ensure they are enforced appropriately, as well as kept under review and revised where necessary. The concept of the ‘three lines of defence’ is vital here: the first line represents the ‘coal face’ of the business, whose personnel need to be familiar with its KYC, CDD and EDD systems, and to know when to escalate issues or seek advice; the second line is the MLRO (and any deputies), whose job includes assisting the first line where needed; and the third line is the (in-house or external) audit function, who will monitor the systems’ operation and recommend changes where necessary.
The need for advice
The job of advising a regulated-sector business, then, will be either in establishing or revising its systems, or in assisting the MLRO when specific issues arise that are particularly complex and/or serious. Typically, the questions in the latter scenario will be about whether a SAR should be submitted, what it should say, what consent (if any) is required, and how to deal with the risks of tipping off.
While in many cases the business’ own systems will have led it, quite properly, to a place where external advice is required, there will be some scenarios in which the systems themselves are arguably deficient, necessitating advice from someone other than whoever designed them in the first place.
In addition, the adviser will need to keep in mind any additional obligations arising from the business’ particular sector, including for instance a bank’s duties to and relationship with the FCA, or a lawyer’s professional standards and duties to report to a supervisor such as the Solicitors Regulation Authority (SRA) or the Bar Standards Board (BSB).