What’s the deal? UK AML law after exit day

British Flag

Speed read: Anita Clifford examines the changes to the UK AML regime to come into effect after the UK departs from the EU.

The uncertainty surrounding the UK’s departure from the EU has meant myriad contingency plans have been developed by government and business alike. In the anti-money laundering arena, efforts are well underway to minimise the impact of a UK departure. Draft regulations were approved by Parliament in November 2018 and will come into force on exit day. The EU Exit Regulations amend The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) which transposed the EU’s Fourth Money Laundering Directive (4MLD) into UK law on 26 June 2017. They ensure the continuation of the AML obligations once 4MLD ceases to be enforceable in the UK subject to some subtle differences.

Enhanced due diligence

On paper at least, customers in EEA and third countries are to be equalised. Presently, Regulation 33 of MLR 2017 obliges a regulated person to undertake enhanced customer due diligence where a relationship is established with a person in a high-risk third country. An exception is where the customer is a subsidiary or branch of an EEA entity. On exit day, the carve-out will be broadened to include customers who are subsidiaries of an entity in a third country with AML laws and supervision equivalent to that provided for in 4MLD. In practice, it can be expected that the difference will be in name only. Few countries outside of the EU have AML frameworks with CDD and supervision requirements equal to that in 4MLD no matter how tough they may be. Ascertaining whether a jurisdiction has an equivalent framework is also challenging. Under the EU’s Third Money Laundering Directive (3MLD), there was an EU white list of equivalent jurisdictions but that list was rescinded when 4MLD came into force and the EU moved to publishing ‘high risk’ jurisdiction lists only. The change was directed at encouraging individualised country-specific risk assessments which lies at the heart of 4MLD. If, however, the concept of an equivalent jurisdiction is to regain significance in the UK under the EU Exit Regulations, consideration should turn to the UK publishing its own list to assist regulated persons in practice.

Simplified due diligence

In the context of simplified due diligence, a customer being resident or established in an EEA state will no longer be a low-risk geographical factor once the UK leaves the EU. Instead, it is a customer’s residence or establishment in the UK which will be a low risk indicator for the purposes of subsequent simplified due diligence. Other low risk indicators remain the same, including that the customer is resident or established in a third country with effective AML systems and/or a third country identified by ‘credible sources’ as having a low level of corruption.

Third-party reliance

Under Regulation 39, a regulated person may rely on CDD conducted by a person carrying on business in an EEA state where there is a clear agreement in place to do so. The duty to conduct CDD remains non-delegable. Reliance can continue after exit day. Regulation 39(3) already contemplates a regulated UK business relying on CDD conducted by a business in a ‘third country’ that is subject to equivalent AML requirements and supervision.

Enforcement cooperation

Law enforcement cooperation is where the changes are most likely to be felt. 4MLD introduced a beneficial ownership of trusts register to the UK. Presently, HMRC is obliged under Regulation 45 to ensure that the NCA are able to use the information, if considered appropriate, to further AML supervision and investigations in other EEA states. Once the UK leaves the EU, HMRC is no longer so obliged. It only ‘may’ ensure that the information is available to the NCA where they receive a request from an EEA state.

Group-wide AML policies

UK parent companies will no longer need to ensure that subsidiaries and branches in an EEA state apply the law of that state which implements 4MLD. Currently, pursuant to Regulation 20(2), UK parent undertakings must ensure compliance with domestic AML law where a subsidiary or branch is in an EEA state that has implemented 4MLD. Following departure, the AML laws to be followed by branches and subsidiaries abroad will be entirely UK-centric. To the extent that local law allows, parent companies must ensure that subsidiaries and branches in third countries apply measures equivalent to those in MLR 2017. This is likely to be welcome news for UK parent companies. AML policies and procedures set in the UK can be implemented group-wide without the need to adjust for domestic AML requirements.


The changes to be introduced by the EU Exit Regulations will not significantly alter the UK approach to CDD but are a step back for enforcement cooperation. The key difference for regulated firms is that EEA states will fall within the category of a third country for AML purposes. That said, the EU Exit Regulations recognise that there is possibly lower risk where a customer is resident or carries on business in a country which has transposed 4MLD or has an ‘equivalent’ framework. UK guidance on exactly which countries have an equivalent framework or how to ascertain if a framework is equivalent would assist. In absence, factors relevant to whether or not a jurisdiction has achieved equivalence have been articulated by the European Banking Authority[1] and include –

  • whether the jurisdiction is the subject of credible open-source information suggesting funding or support for terrorist activities or major money laundering deficiencies
  • whether the jurisdiction is subject to financial sanctions imposed by the UK, EU or UN
  • whether the jurisdiction has beneficial ownership registers
  • reports on the extent to which predicate money laundering offences arise in the jurisdiction such as drug trafficking, corruption and tax evasion, the outcome of recent FATF evaluations
  • the degree to which the jurisdiction has implemented the Common Reporting Standard on Automatic Exchange of Information relating to the sharing of tax information.

In the coming months, it will be prudent for regulated firms to review their AML policies. A customer’s nexus to an EEA state, for example, will no longer be a low risk indicator as prescribed under MLR 2017. Changes such as this should be reflected in internal policies and understood by regulated employees. Although the amendments in practice might be slight, procedures will have to be updated so that they are departure ready.

[1] European Banking Authority, ‘The Risk Factor Guidelines’ available at https://esas-joint-committee.europa.eu/Publications/Guidelines/Guidelines%20on%20Risk%20Factors_EN_04-01-2018.pdf at page 12.