Financial Crime Risk Management



Frequently Asked Questions

EU Context

The Fifth Money Laundering Directive, (EU) 2018/843 (‘5MLD’), amended the Fourth Money Laundering Directive, (EU) 2015/849 (‘4MLD’), on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing.

UK Context
  • 4MLD requirements were predominantly transposed into UK law through the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR 2017’).
  • 5MLD requirements were transposed into UK law through The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (‘MLR 2019’).

MLR 2019 were published on 20 December 2019 and entered into force on 10 January 2020. An Explanatory Memorandum accompanying MLR 2019 includes: "There are over 100,000 businesses within scope of the MLRs, requiring businesses to know their customers and manage their risks. The MLRs are deliberately not prescriptive, providing flexibility in order to promote a proportionate and effective risk based approach to combating money laundering and terrorist financing."

New risk-management variables

MLR 2019 introduced amendments to MLR 2017. These FAQ highlight elements of the new and enhanced obligations relevant to regulated firms and their internal compliance arrangements, but do not reflect a full analysis or representation of all MLR 2019 requirements.

MLR 2019 influences include:

  • Expanding the regulated sector perimeter;
  • Changing aspects of customer due diligence and enhanced due diligence obligations; and
  • Requiring regulated firms to report to Companies House any discrepancies identified between information collected during customer due diligence and information on the ‘Persons with Significant Control Register’.

Examples of systems and controls enhancements required include:

Policies, Controls and Procedures

When new technology is adopted - Firms must consider whether their policies, controls and procedures are adequate from a wider risk perspective. Regulation 19(4)(c) effectively requires that "The policies, controls and procedures referred to in paragraph (1) must include policies, controls and procedures … which ensure that when new products, new business practices (including new delivery mechanisms) or new technology are adopted by the relevant person, appropriate measures are taken in preparation for, and during, the adoption of such products, practices or technology to assess and if necessary mitigate any money laundering or terrorist financing risks this new product, practice or technology may cause."

Information-sharing enhancements - Regulation 20(1)(b) has been expanded to require the establishment and maintenance of group-wide Policies, Controls and Procedures for information-sharing with other group companies for AML/CTF purposes. The MLR expressly require inclusion of "policies on the sharing of information about customers, customer accounts and transactions".

Customer Due Diligence (‘CDD’)

Electronic verification – Regulation 28 has been amended to include a new paragraph (19), to wit: ‘verification’ of certain customer information obtained during CDD may be regarded as obtained from a reliable and independent source where it is obtained by means of an electronic identification process which is "secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity."

Whilst this sets the scene for increased reliance on electronic verification and reduced processing of hardcopy identification documents, from an operating perspective a risk-based approach should be adopted, to:

  • Assess the adequacy and reliability of tools used for electronic verification purposes;
  • Deploy such functionality in the first line of defence; and
  • Apply second-line oversight of a firm’s reliance on third-party solutions used for electronic verification of identity.

Corporate Clients & Beneficial Ownership - Regulation 27 (8) requires customer due diligence measures to be applied when a firm has:

  1. Any legal duty in the course of the calendar year to contact an existing customer for the purpose of reviewing any information which:
    • is relevant to the firm’s risk assessment for that customer, and
    • relates to the beneficial ownership of the customer, including information which enables the firm to understand the ownership or control structure of a legal person, trust, foundation or similar arrangement who is the beneficial owner of the customer;
  2. An obligation to contact an existing customer in order to fulfil any duty under the International Tax Compliance Regulations 2015.

Reporting to Companies House

Under new Regulation 30A firms are required to report to the Registrar of Companies any discrepancy found between information on beneficial ownership gathered by the firm (whether through CDD or otherwise), and the company’s registered information.

Training requirements enhanced

Regulated firms were already required to take appropriate measures to ensure their relevant employees were:

  1. Made aware of the law relating to money laundering and terrorist financing and of data protection requirements relevant to MLR implementation; and
  2. Regularly given training in how to recognise and deal with transactions and other activities or situations which may be related to money laundering or terrorist financing.

Under the revised Regulation 24, firms are now also required to take appropriate measures to ensure that any agents they use for the purposes of their business (covered by the Regulations) are provided with training, and to keep records of that training in the same way as for employees.

Obligation to apply enhanced customer due diligence

Regulation 33 (1) (b) - Amended to require that firms apply enhanced customer due diligence (EDD) measures and enhanced ongoing monitoring (in addition to customer due diligence (CDD) measures) to manage and mitigate the risks arising in any business relationship with a person established in a high-risk third country, or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country.

For the purposes of the above:

  1. a ‘high-risk third country’ means a country which has been identified by the European Commission in delegated acts adopted under Article 9.2 of the fourth money laundering directive as a high-risk third country (for reference, see also the EU list);
  2. a ‘relevant transaction’ means a transaction in relation to which the relevant person is required to apply CDD measures under regulation 27;
  3. being ‘established in’ a country means:
    1. in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and
    2. in the case of an individual, being resident in that country, but not merely having been born in that country.

Note: A consequence of the amendment is that EDD and enhanced ongoing monitoring are required when either the customer or a counterparty to a transaction is ‘established in’ a high-risk third country.

Regulation 33 (1) (f) - Amended to require that firms apply enhanced customer due diligence measures and enhanced ongoing monitoring (in addition to customer due diligence measures) to manage and mitigate the risks arising in any case where:

  1. a transaction is complex or unusually large [NB: This was previously “a transaction is complex and unusually large”],
  2. there is an unusual pattern of transactions, or [NB: previously “and”]
  3. the transaction or transactions have no apparent economic or legal purpose.

The revised MLR therefore create a much broader set of circumstances in which the ‘obligation’ to apply enhanced customer due diligence could apply.

Regulation 33 (3A) - A new ‘must’ requirement for EDD on business relationships with persons established in high-risk third countries, or in relation to any relevant transaction where either of the parties to the transaction is established in a high-risk third country. In such cases EDD measures must include:

  • obtaining additional information on the customer and on the customer’s beneficial owner;
  • obtaining additional information on the intended nature of the business relationship;
  • obtaining information on the source of funds and source of wealth of the customer and of the customer’s beneficial owner;
  • obtaining information on the reasons for the transactions;
  • obtaining the approval of senior management for establishing or continuing the business relationship;
  • conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

FCA Guidance - High-risk factors

The FCA notes that the Regulation 33 amendments require firms to include new additional high-risk factors when assessing the need for EDD, and to seek additional information and apply additional monitoring in certain cases, such as where:

  • there are relevant transactions between parties based in high-risk third countries;
  • the customer is the beneficiary of a life insurance policy;
  • the customer is a third-country national seeking residence rights or citizenship in exchange for transfers of capital, purchase of a property, government bonds or investment in corporate entities;
  • there are non-face-to-face business relationships or transactions without certain safeguards, for example, as set out in Regulation 28 (19) concerning electronic identification processes;
  • there are transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory or other items related to protected species, or items of archaeological, historical, cultural and religious significance, or of rare scientific value.

Expansion of regulated sector

Commercial firms (or sole traders) engaged in the following activities must now comply with MLR 2017 (and MLR 2019 revisions) and be supervised by HMRC or regulated by the FCA:

  1. Letting agents conducting ‘letting agency work’ (e.g. customer due diligence measures must be applied to any relevant transaction which concludes with a letting agreement (for a term of at least a month and at a rent of at least 10,000 euros in any one month), and must be undertaken on both the landlord and the tenant).
  2. Art market participants, i.e. any firm or sole practitioner who:
    • by way of business trades in, or acts as an intermediary in the sale or purchase of, works of art and the value of the transaction, or a series of linked transactions, amounts to 10,000 euros or more; or
    • is the operator of a freeport when it, or any other firm or sole practitioner, by way of business stores works of art in the freeport and the value of the works of art so stored for a person, or a series of linked persons, amounts to 10,000 euros or more;
  3. Cryptoasset Exchange Providers – Which exchange, arrange or make arrangements (whether automated or otherwise) for the exchange of money and cryptoassets, or of one cryptoasset for another.
  4. Custodian Wallet Providers – Which provide services to safeguard, or to safeguard and administer, cryptoassets or private cryptographic keys on behalf of customers in order to hold, store and transfer cryptoassets.

The MLR 2019 define ‘Cryptoasset’, as: ‘A cryptographically secured digital representation of value or contractual rights that uses a form of distributed ledger technology and can be transferred, stored or traded electronically’.

‘Money’ for these purposes means money in sterling, any other currency, or any other medium of exchange (but does not include cryptoassets).

Compliance with Money Laundering Regulation

From 10 January 2020 firms are subject to MLR 2017 requirements (as amended by MLR 2019), and so are required to:

  • Assess money laundering and terrorist financing risks facing their business.
  • Deploy and maintain appropriate Customer Due Diligence policies and procedures.
  • Ensure staff awareness of money laundering and terrorist financing risks, and the need to report any suspicion identified in regulated business to the Nominated Officer, or the Money Laundering Reporting Officer (‘MLRO’), where applicable.

See also: (i) FAQ 3 “What do the Regulations require?” in our Money laundering FAQ; and (ii) FAQ 10 below (Where should I start?).

HM Treasury

The Explanatory Memorandum accompanying the MLR 2019 includes: "HM Treasury will not be issuing guidance to accompany the instrument."

In April 2019, HM Treasury issued a Consultation Paper (‘Transposition of the Fifth Money Laundering Directive’) to inform the UK’s approach to implementing 5MLD:

  • As at 10 January 2020, the Treasury had not published its response to the consultation.
  • Consultation outcomes may therefore impact the scope and content of current and/or future guidance relating to 5MLD implementation.

Financial Conduct Authority

Cryptoasset Exchange Providers and Custodian Wallet Providers are supervised by the Financial Conduct Authority (‘FCA’). The FCA expects that all UK Cryptoasset businesses carrying on activities in scope of the MLRs will need to register with the FCA from 10 January 2020. FCA responsibility is limited to AML/CTF registration, supervision and enforcement only.

In July 2019 the FCA issued Policy Statement 19/22, setting out guidance on the types of Cryptoasset which fall within its regulatory remit, and the implications this has on consumer protection.

The FCA web page ‘Cryptoassets: AML / CTF regime’ suggests firms may want to consider guidance from:

Her Majesty’s Revenue and Customs

Art Market Participants and Letting Agents (which are not supervised by one of the professional bodies listed in Schedule 1 to the MLR 2017) join other businesses which are supervised by the Commissioners for Her Majesty’s Revenue and Customs (‘HMRC’). HMRC’s library of ‘AML Guidance’ includes AML guidance for estate agents and letting agents.

British Art Market Federation

Guidance issued by the British Art Market Federation and approved by HM Treasury is designed to provide a detailed explanation of AML requirements. The guidance document is divided into two parts.

  • Part I - A general overview of the legislation and answers to many of the more general questions art market participants may have about whether they fall within the scope of the Regulations and what they need to do to comply.
  • Part II – Designed to provide a more comprehensive analysis of the Regulations, addressing some of the more detailed aspects of the requirements.

See also
  1. FAQ 4 ‘Is guidance available on anti-money laundering (‘AML’)?’ in our ‘Money laundering FAQ’.
  2. FCRM works with clients to address AML and Financial Sanctions risk.

Mandatory Registration

Regulation 56 prohibitions apply to the regulated sector, including Cryptoasset businesses. Operating or trading in the regulated sector without being registered could lead to legal and/or regulatory action being taken against the parties involved.

Cryptoasset Exchange Providers and Custodian Wallet Providers are supervised by the FCA, with Art Market Participants and Letting Agents (if not supervised by a relevant professional body) supervised by HMRC.

The FCA will maintain the register of Cryptoasset Exchange Providers and Custodian Wallet Providers. HMRC might do so for Art Market Participants and Letting Agents.

From 10 January 2020, Regulation 56 prohibitions apply to all new Cryptoasset Exchange Providers and Custodian Wallet Providers which intend to undertake Cryptoasset activity (i.e. they must register before doing so). Regulation 56A transitional provisions, however, allow some limited flexibility for pre-existing Cryptoasset businesses; the FCA has stated: "Existing cryptoasset businesses which were already carrying out cryptoasset activity before 10 January 2020 may continue their business, in compliance with the MLRs, but must register by 10 January 2021 or stop all cryptoasset activity. We encourage businesses to apply well in advance of this deadline." In practice:

  • Regulation 56 prohibitions will apply from the earlier of: (a) 10 January 2021; or (b) The FCA’s decision to register or not register a business taking effect.
  • The FCA Gateway is available for Cryptoasset businesses to commence registration – See ‘Register with the FCA’.
  • Firms not registered by 10 January 2021 must cease trading.

New Reporting Requirement

Arising out of new Regulation 30A, all regulated firms are required to report to the Registrar of Companies any discrepancy found between information on beneficial ownership gathered by the firm (whether through CDD or otherwise), and the company’s (i.e. the customer’s) registered information.

The Companies House website states: "Discrepancies must be reported if there’s a material difference between the 2 sets of information. Companies House will investigate these discrepancies and, if necessary, contact the company." The website also provides:

  • ‘Guidance’ - Reporting a discrepancy about a beneficial owner on the People with Significant Control (PSC) register.
  • ‘Report Template’ - To submit details of discrepancies identified in relation to beneficial ownership information.

Supervision approach

Cryptoasset Exchange Providers and Custodian Wallet Providers

FCA View - "All businesses will need to comply with the MLRs from 10 January 2020. We will start supervising businesses from 10 January 2020, irrespective of whether they have registered or applied to be registered. Our supervisory approach to cryptoasset businesses will be in line with our approach to other businesses under the MLRs. Firms who pose the greatest money laundering and terrorist financing risk will receive an increased level of supervisory focus. If, following supervisory engagement, we have reason to believe serious misconduct has taken place, we may decide to commence an enforcement investigation."

The FCA also observed: "We expect firms to comply with the new, amended regulations from 10 January 2020. In assessing our approach to firms that may not be compliant on that date, we will take into account evidence that they have taken sufficient steps before that date to comply with these new obligations."

Regulation 26 requires that no person may be the beneficial owner, officer or manager of a relevant firm (‘BOOMs’), or a relevant sole practitioner, unless that person has been approved as a beneficial owner, officer or manager of the firm or as a sole practitioner by the supervisory authority of the firm or sole practitioner.

Regulation 58 requires the FCA to apply an additional ‘fit and proper’ test when assessing applicants who wish to carry on the business of a Cryptoasset Exchange Provider or Custodian Wallet Provider, including whether an applicant or any BOOM has adequate skills and experience and has acted and may be expected to act with probity.

The FCA can suspend or cancel a Cryptoasset business's registration at any time, if the business or its BOOMs do not meet fit and proper test requirements.

Letting Agents and Art Market Participants

NB: In the case of Letting Agents, to the extent they are not supervised by a relevant professional body.

On 10 January 2020, HMRC noted "While all firms must be fully compliant with the new requirements from 10 January, HMRC will take into account the short lead-in time businesses have had to implement all the new requirements in assessing the response to any non-compliance" and "HMRC will assess each case on its own merits."

Letting Agents and Art Market Participants are also subject to Regulation 26 BOOM approval requirements. A transitional provision allows a person to act in such a capacity for a newly regulated business, if they make an application for approval by 10 January 2021.

Regulation 58 requires HMRC to apply the ‘fit and proper’ test when assessing applicants, including whether an applicant (or any BOOM) has adequate skills and experience and has acted and may be expected to act with probity.

For insight into HMRC’s approach to conducting the fit and proper test – See ‘Guidance’.

Maintain a risk-based AML Framework

No anti-money laundering or counter-terrorist financing (‘AML/CTF’) framework can guarantee complete protection against, or prevention of, risk. The framework best suited to ‘Enterprise A’ may have both similarities to and differences from the framework best suited to ‘Enterprise B’.

The framework arrangements which best suit your organisation’s needs should include:

  • Governance - Senior management risk-appetite, risk ownership and accountability (e.g. by a Board member or other individual with authority, expertise and resource), with supporting activity endorsed by the Board or equivalent senior management body;
  • Specific appointments -
    1. Regulated firms must appoint a Nominated Officer – Responsible for being aware of any suspicious activity in the business that might be linked to money laundering or terrorist financing, and where necessary, to report it to the National Crime Agency.
    2. FCA regulated firms must appoint an individual as Money Laundering Reporting Officer (‘MLRO’), who might also be the Nominated Officer. MLRO responsibilities are set out in the FCA Handbook (see: SYSC 3.2.6I)
  • Group or firm-wide Policy - With due consideration of legal and regulatory risk in the operating environment, including the countries in and through which business is done (e.g. if transacting in U.S. Dollar, you should take account of U.S. sanctions enforced by OFAC)
  • Risk-based control environment - Design and implement a suitable control framework, which reflects assessed risk and is appropriately resourced to promote an effective anti-money laundering culture, to ensure compliance with policy and supporting procedure(s)
  • Training and Awareness - Development of appropriate training content and ensuring coverage of key AML/CTF risk in the operating environment. Content should, as a minimum, cover:
    1. Policy, procedure and supporting guidance
    2. Risk-based training of relevant staff and any agents used to support delivery of regulated activity (e.g. generic for all staff, with additional focused content for staff in higher-risk roles)
    3. Minimum standards for third-party providers and/or key outsource relationships, where applicable, on your organisation’s AML/CTF requirements
  • Compliance monitoring - Controls testing and assurance must be included, to provide assurance or insight for senior management on compliance with policy and procedure
  • Reporting - An internal mechanism accessible to all staff, so as to be able to report any AML/CTF suspicion identified in regulated activity to the Nominated Officer.
  • Record Keeping - Covering the retention and storage of customer due diligence information, transactions, employee & agents training, service agreements with outsource providers, suspicious activity reports, etc.