Upcoming developments in UK Economic Crime

At the beginning of a new year, it’s a good time to take stock of what’s coming up on the economic crime agenda in 2023.

Changes to the UK’s economic crime regulatory regime will have implications for most regulated firms, while regulators will likely continue to demonstrate their willingness to take robust action against those who are failing to meet the standard.

More broadly, Russia’s ongoing invasion of Ukraine will ensure that the sanctions compliance picture becomes increasingly complex, while significant forthcoming regulatory change promises to keep compliance teams busy in the cryptoasset industry.

On 1 September 2022, changes to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) took effect via an amending Statutory Instrument.

The key measures include:

• A new requirement for regulated firms to conduct business-wide proliferation financing risk assessments and maintain appropriate, controls and procedures for combatting proliferation financing activity.
• A broadening of the definition of a‘trust or company service provider’ (TCSP) to include firms which provide services relating to the formation of all types of business arrangement, including Limited Partnerships, and an expansion in the scope of TCSP due diligence obligations to include ‘one-off’ business relationships.
• A new power for supervisors to request suspicious activity reports from regulated entities.
• The implementation of the FATF ‘travel rule’ (with effect from 1 September 2023), which will extend elements of the existing information sharing regime for wire transfers to transfers of cryptoassets.

From 1 April 2023, the amended MLRs will also oblige firms to report ‘material’ discrepancies in beneficial ownership information at all stages of the customer lifecycle(i.e., on an ongoing basis), rather than just at onboarding. A material discrepancy will be newly defined to only include those discrepancies which may reasonably be considered linked to money laundering or terrorist financing, or to conceal details of the business of the customer. In addition, firms will be required to obtain an excerpt of the relevant register as part of the customer due diligence process.

Separately,changes to include certain trusts within the scope of discrepancy reporting requirements have now taken effect, and firms are required to obtain proof of a trust’s registration on the Trust Registration Service (TRS), and report discrepancies, prior to establishing a business relationship. From 1 April 2023, this obligation will also extend to all stages of the customer lifecycle.

All these changes to the MLRs should prompt firms to perform a gap analysis against their existing internal policies and processes.

While there is no requirement to conduct a standalone proliferation financing risk assessment, there should be a focus on ensuring existing business-wide risk assessments are sufficiently robust to account for proliferation financing risk (as it is now defined in the MLRs). Training and further guidance to staff will also likely be needed.

Firms should also be seeking to ensure their systems are appropriately calibrated to the new discrepancy reporting obligations. Cryptoasset firms captured by the new ‘travel rule’ will need to assess and understand the new requirements and explore possible technological solutions.

With the introduction of the ‘Economic Crime and Corporate Transparency Bill’ into Parliament, the UK Government has signalled that further, substantive regulatory reforms are coming.

As previously announced in the Queen’s Speech, the Bill would make long-awaited reforms to the operations of Companies House, including strengthening the integrity of its data holdings; introduce reforms to combat the abuse of limited partnerships; facilitate private sector information sharing; and strengthen law enforcement powers to seize cryptoassets.

A new and improved public/private Economic Crime Plan is also due soon, which could add further impetus to the UK’s efforts to combat economic crime.

These regulatory changes are taking effect against a backdrop of ongoing enforcement action. Recent, substantive Financial Conduct Authority (FCA) fines against NatWest, HSBC and Barclays highlight the consequences of failing to implement effective, proportionate, risk-based financial crime controls.

The findings of the FCA’s May 2021 ‘Dear CEO’ letter to retail banks remain instructive for firms seeking to level-up their financial crime compliance function.

Firms should continue to focus on ensuring that they have the appropriate governance and oversight structures in place (centred on clearly defined lines of responsibility between business and compliance functions); both business-wide and customer risk assessment processes are sufficiently detailed and tailored; customer due diligence processes are robust and adequately recorded; transaction monitoring systems are appropriately calibrated; and suspicious activity reporting processes are well-documented and understood.

In April, the FCA concluded a separate in-depth review of the financial crime controls at six (primarily digital) challenger banks, focusing on services offered to customers which are broadly equivalent to those offered by more traditional retail banks.

While the FCA found that technology allowed challenger banks to successfully onboard customers ‘at speed’, the review highlights only ‘limited differences’ in the risks faced by these firms. In several instances, the FCA found compliance programmes were not fit-for-purpose and highlighted key weaknesses in customer risk assessment, customer due diligence, transaction monitoring and suspicious activity reporting processes as areas of concern. Critically, the FCA flagged the ongoing need for controls to remain effective and for compliance functions to be adequately resourced as a bank grows.

Over the coming months, it is likely that the FCA will continue to leverage its investigatory powers via section 166 notices to explore and test the effectiveness of the financial crime controls of all relevant firms, including both traditional retail and challenger banks.

More broadly, the UK’s Russia sanctions regime continues to evolve at a rapid rate. While the pace of new designations has slowed somewhat since the initial days of the Russian invasion, firms continue to grapple with the increasing complexity of the regime and the often-opaque nature of Russia-related transactions.

A flurry of recent Office of Financial Sanctions Implementation (OFSI) General Licences and revised guidance, including the National Crime Agency’s ‘Red Notice’ on Russia-related sanctions evasion, has attempted to provide some additional clarity and flexibility for firms. However, OFSI’s recent switch to a ‘strict liability’ enforcement regime also underlines the ongoing need to be vigilant as the regulator may seek to take a more robust approach to enforcement.

Firms will need to continue to devote significant time and resources to ensuring that they are complying with their sanctions obligations – including requirements in other jurisdictions where payments have an EU or US nexus. They should be aware of the heightened risk of sanctions evasion, keep up horizon scanning, conduct training and awareness raising sessions for staff and ensure appropriate escalation channels are set up.

Cryptoasset firms also remain a constant focus of attention. A Treasury Select Committee inquiry is currently considering the future role of crypto assets in the UK. Cryptoasset exchanges and custodian wallet providers are now a ‘relevant firm’ for financial sanctions reporting purposes and the FCA continues to focus on the industry’s efforts to comply with AML/CTF requirements. That scrutiny will likely only continue to increase with the implementation of the travel rule and the introduction of new crypto seizure powers in the draft Economic Crime Bill.

If you have any questions or want to talk about any of the above in more detail, please don’t hesitate to contact us.