How are the UK's anti-money laundering regulations and practices compared with other countries?
The US and UK anti-money laundering laws and regulations compare favourably. However, there are areas where the two regimes differ and banks with group companies in both the United Kingdom and the United States should consider implementing group anti-money laundering policies that are consistent with the more rigorous of the two regimes, particularly with respect to customer due diligence and administering financial sanctions in relation to targeted individuals and entities.
Reporting and information-sharing processes must nevertheless follow local laws and procedures, and banking institutions should develop appropriate procedures to ensure that the requirements of both regimes are met, especially with respect to group clients and in situations where systems and controls are outsourced to another group company.
According to one recent survey nearly 85% of internationally active banks have a global anti-money laundering policy in place. However, ensuring the effective implementation of global policies at the domestic level is proving to be challenging, particularly where different regimes collide and impose conflicting obligations. The reporting obligation also extends to transactions that involve terrorist property or terrorist money and the proceeds of criminal activities committed overseas.
The US and UK anti-money laundering laws and regulations compare favourably in that both regimes stipulate extensive regulatory requirements for banking institutions to implement and maintain anti-money laundering procedures, which include:
- a customer due diligence programme;
- designation of an anti-money laundering compliance officer;
- development of an ongoing training programme for employees;
- audit procedures to test the effectiveness of the anti-money laundering programme; and
- suspicious activity reporting requirements.
There are, however, differences between the two regimes that mean that developing an anti-money laundering framework that is consistent with both UK and US requirements may not be as straightforward as it first seems. Some comparative and distinctive provisions of the regimes are considered below.
Special Measures and Sanctions
Both countries maintain special measures or sanctions that prohibit banks from transacting business with targeted individuals and entities. However, some of the special measures in force in the United States impose obligations that are not fully consistent with UK financial sanctions.
In the United States, the secretary of the treasury may impose special measures against specified foreign jurisdictions (ie, restrictions on establishing, maintaining, administering or managing a correspondent account for or on behalf of any banking institution in the targeted jurisdiction). Although UK anti-money laundering regulations target both individuals and entities as necessary, there is no precise equivalent to the US Section 311 special measures provisions.
As compared to the United Kingdom, the United States seems to implement more jurisdiction-based sanctions. The Burma sanctions currently in force in the United Kingdom target specific individuals and entities in Burma. The US sanctions are broader.
The list of targeted individuals and entities also appears to vary between the two countries. By way of example, US banks are prohibited from establishing a correspondent account for or on behalf of the Commercial Bank of Syria or VEF (a commercial bank in Latvia). In the United Kingdom, there are no similar corresponding sanctions with respect to these two banks.
Although a bank with offices or branches in both the United Kingdom and the United States may decide to comply with the financial sanctions of both jurisdictions, voluntary dual compliance regimens can give rise to competitive disadvantages. By way of example, once Latvia implements the EU Third Money Laundering Directive (assuming that it has not already done so), Latvian banking and financial institutions (including VEF) that are subject to the local anti-money laundering regime will generally be considered to be a low money laundering risk by UK banks. A voluntary adoption of the US Financial Crimes Enforcement Network (FinCEN) measures against VEF by a UK bank would therefore put the bank at a disadvantage because its competitors in the EU market may be more willing to engage VEF as a client in light of the simplified due diligence requirements.
Customer Due Diligence
In both the United Kingdom and the United States, banks are required to conduct customer due diligence and identification using risk-based assessments. Both countries also require similar identification documents to be obtained and prescribe similar verification methods.
However, there are several differences between the customer due diligence requirements of the two regimes, which are summarized below. In light of these variances, banks with offices or branches in both the United States and the United Kingdom might consider applying the higher standard of the two. This in turn would require the head office or parent bank to ensure that it maintains appropriate procedures to keep itself fully informed of the nature of the differences between the two regimes.
Differing levels of customer due diligence
In the United Kingdom, the Money Laundering Regulations 2007 prescribe a three-tiered, risk-based approach to customer due diligence, whereby the level of due diligence required is determined by reference to the money laundering or terrorist financing risk presented by the client.
These measures apply in all cases unless simplified or enhanced measures are applicable. Standard measures require a bank to:
- identify and verify its client’s identity;
- identify the beneficial owners (25%) and take adequate measures on a risk-sensitive basis to verify the beneficial owners’ identity; and
- obtain information on the purposes and intended nature of the business relationship.
The UK standard measures appear to be similar to the basic ‘know your customer’ requirements and customer identification programme prescribed by Section 326 of the USA PATRIOT Act for US banks. Like the United Kingdom, the United States takes a risk-based approach to customer due diligence. In the United States, however, the bank is not always required to identify the beneficial owners of a customer. Nevertheless, based on its risk assessment of a new customer account the bank may decide to obtain information about individuals with authority or control over such an account, including authorized signatories and beneficial owners.
Subject to any knowledge or suspicions of money laundering, UK banks are exempt from having to undertake standard customer due diligence for certain categories of client, product or transaction. Simplified customer due diligence may be applied where, for example, the client is a UK regulated financial institution that complies with the EU Third Money Laundering Directive or where the client is a UK public authority.
In the United States, there are certain categories of client, product or account for which banks need not apply customer identification procedures. Exempted clients include financial institutions regulated by a federal functional regulator, banks regulated by a state bank regulator, governmental agencies and instrumentalities and certain publicly traded companies. Additionally, the definition of 'customer' does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the customer. Customer identification programme rules also do not apply to:
- products or services for which a formal banking relationship is not established with a person, such as cheque cashing, funds transfer or the sale of a cheque or money order;
- any account that the bank acquires, including accounts as a result of a purchase of assets, acquisition, merger or assumption of liabilities; or
- accounts opened in order to participate in an employee benefit plan established under the Employee Retirement Income Security Act 1974.
Enhanced due diligence
Both the United Kingdom and the United States require enhanced due diligence to be applied in circumstances which by their nature present a higher risk of money laundering or support for terrorist financing.
Both regimes also prescribe specific circumstances in which enhanced customer due diligence must be applied. Banks in both the United States and the United Kingdom must apply enhanced customer due diligence with respect to (i) correspondent accounts for certain categories of higher-risk foreign bank, and (ii) politically exposed persons (PEPs). Unlike the US legislation, the UK regulations do not prescribe the enhanced due diligence measures that banks must apply in the former case. However, the Joint Money Laundering Steering Group Guidance Notes do provide some guidance on enhanced due diligence measures that banks may wish to maintain.
Additionally, UK banks are required to apply enhanced customer due diligence when the bank proposes to enter into a correspondent banking relationship with any institution from a non-EEA state on a risk-sensitive basis.
Private banking due diligence
Both the US and UK anti-money laundering regimes require banks to verify the identity of their private banking clients. However, as discussed below, the two regimes differ in a number of respects.
In the United States, specific due diligence requirements apply to 'private banking accounts' for non-US individuals with a minimum aggregate deposit of funds or assets of not less than $1 million. Banking services that are generally labelled private banking but do not require a minimum deposit of at least $1 million would be subject to due diligence under a risk-based approach, but are not subject to the due diligence requirements for private banking accounts. However, in the United Kingdom there is no de minimis deposit requirement for private banking. The due diligence procedures for private banking clients must be applied to both local and overseas clients with which the bank proposes to establish a business relationship or undertake an occasional transaction of €15,000 or more.
Both countries set similar minimum due diligence requirements for private banking accounts, such as:
- establishing the identity of beneficial owners;
- ascertaining the source of funds, the purpose and expected use of the account; and
- monitoring the account on an ongoing basis.
However, in the United Kingdom, the 2007 regulations allow banks, in certain circumstances, to apply simplified customer due diligence measures, which in practice means not having to undertake customer due diligence with respect to the particular client, other than verifying that the client qualifies for simplified measures.
The definition of a 'beneficial owner' varies between the two regimes. In the United States a beneficial owner is an individual who has the ability to control, manage or direct the funds or assets in the account. In the United Kingdom, there is a 25% threshold. Thus, in the case of corporate entities, a beneficial owner is any individual who owns more than 25% of the shares or voting rights of the entity or who otherwise exercises control over the management of the entity. As a practical matter, this difference may not be significant since the United States also usually applies a 25% threshold to requirements.
Further, there does not appear to be a specific requirement in the United States to consider the application of enhanced customer due diligence measures where a client has not been physically present for identification purposes, as is the case in the United Kingdom.
Politically exposed persons
Both the United States and the United Kingdom have regulations with respect to identifying accounts for PEPs, which are to be applied on a risk-assessed basis. In the United Kingdom, senior management approval is also required to accept a PEP account. In the United States, the Federal Financial Institutions Examination Council Bank Secrecy Act/Anti-Money Laundering Examination Manual has noted that management should be involved in the decision to accept a PEP account.
The definitions of a 'PEP' in both the United States and the United Kingdom refer only to foreign PEPs and include immediate family members and close associates of PEPs. However, the definitions in each country also have some notable differences.
In the United States, ‘PEP’ is broadly defined and includes any current or former senior foreign government official, senior official of a major foreign political party or senior executive of a foreign government-owned commercial enterprise, or an entity that has been formed by or for the benefit of one of the foregoing.
In the United Kingdom, the definition of a 'PEP' has more specific parameters: a PEP is any individual who is or has been at any time in the preceding year entrusted with a prominent public function. The 2007 regulations provide specific categories of individuals that are categorized as PEPs, including heads of state, ministers and members of Parliament. Unlike in the United States, a PEP cannot be an entity.
In both the United States and the United Kingdom, a bank may make arrangements with another financial institution or other third party to perform some or all elements of the bank’s customer identification procedures, provided that certain conditions are met. However, there are some differences between the two regimes in respect of the conditions that must be satisfied.
In the United States, there is a difference between ‘reliance’ on another financial institution and the delegation to third parties, such as agents or service providers, of some or all elements of customer identification. US banks may ‘rely’ on financial institutions that are subject to a rule implementing the anti-money laundering programme requirements of the Bank Secrecy Act and are regulated by a federal functional regulator, provided that the reliance is reasonable and the other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its anti-money laundering programme and will perform the specified requirements of the bank’s customer identification programme. The bank will not be held responsible for the failure of the financial institution adequately to fulfil the bank’s customer identification programme responsibilities under such arrangements. On the other hand, if a bank delegates responsibilities to a third party, it remains ultimately responsible for the third party’s compliance with the requirements of the bank’s customer identification programme.
In the United Kingdom, banks can delegate (but not ‘rely’ in the US sense) their customer identification programme and customer due diligence responsibilities to a wide group of third parties. UK banks can delegate such responsibilities to financial institutions, auditors, insolvency practitioners, external accountants, tax advisers or independent legal professionals that are subject to and supervised for compliance with the 2007 regulations, the Third Money Laundering Directive or equivalent requirements. In the United Kingdom, the third party must specifically consent to the delegation and must comply with the prescribed record-keeping requirements. However, the bank remains liable under the 2007 regulations for compliance with customer due diligence measures despite its delegation of due diligence to a third party.
When clients are introduced between different parts of the same banking group, group companies should be able to rely on identification procedures conducted by that part of the group which first dealt with the client, as long as the group entity that carried out the customer due diligence measures satisfied the relevant jurisdictional requirements.
Suspicious Activity Reporting
Both countries have prescribed procedures for reporting suspicious activity. In the United Kingdom, banks are required to make a report in respect of information that comes to them within the course of their banking business in circumstances where they know or suspect, or have reasonable grounds to know or suspect, that another person is engaged in a money laundering or terrorist financing offence.
In the United States, the suspicious activity reporting requirements are more limited and generally apply to activities involving funds or assets meeting specified dollar thresholds. Banks are required to file suspicious activity reports with respect to:
- criminal violations involving insider abuse in any amount;
- criminal violations aggregating $5,000 or more where a suspect can be identified;
- criminal violations aggregating $25,000 or more regardless of a potential suspect;
- transactions conducted or attempted by, at or through the bank (or an affiliate) and aggregating $5,000 or more if the bank or affiliate knows, suspects or has reason to suspect that the transaction:
  - may involve potential money laundering or other illegal activity (eg, terrorist financing);
  - is designed to evade the Bank Secrecy Act or its implementing regulations; or
  - has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, where the bank knows of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.
Banks with offices and branches in both the United States and the United Kingdom will need to ensure that employees who work with dual clients are aware of the wider scope of the UK reporting obligations, and should consider implementing intra-group reporting procedures for group clients so as to ensure that the appropriate regulatory authorities are notified of suspicious activities in accordance with local jurisdictional requirements.
Both the United Kingdom and the United States require banks to implement procedures for sharing information with appropriate regulatory authorities and law enforcement when requested to do so. However, US banks generally must be able to provide information in respect of accounts maintained or transactions conducted by the subject during the preceding 12 months and transactions conducted on behalf of, or with, a named subject during the preceding six months (unless a different time period is indicated in the information request). UK banks need to be able to confirm only whether they have had a business relationship with the subject during the preceding five years and the nature of that relationship.
Both the United States and the United Kingdom allow banks to share information with other financial institutions that are subject to anti-money laundering programme requirements if the purpose of sharing information is to identify and report activities that may involve possible terrorist financing activity or money laundering. However, in the United Kingdom, a bank may provide information only to another bank. In the United States, a bank may provide information to any financial institution, as defined in the Bank Secrecy Act, that is required by federal regulation to establish and maintain an anti-money laundering programme. Therefore, information can be shared with a wider range of financial institutions in the United States.
In this regard, banks with offices and branches in both the United States and the United Kingdom will need to ensure that appropriate safeguards are in place so that information in respect of group clients is not inadvertently disclosed to other financial institutions. Were this to happen in the United Kingdom, a bank might be in breach of other laws prohibiting ‘tipping off’.
In the United States, in order to share information, the participating parties must first file an annual notice with FinCEN. In the United Kingdom, there is no corresponding notification requirement, but both parties must be subject to equivalent duties with respect to professional confidentiality and protection of personal data.
Anti-money laundering and terrorist financing laws
Pursuant to 18 USC Sections 1956 and 1957, the Department of Justice can bring criminal actions for money laundering or terrorist financing. A person convicted of money laundering can face a fine of up to $500,000 or up to 20 years in prison. Any property involved or traceable to the criminal proceeds is subject to forfeiture under 18 USC Sections 981 and 982. In addition, banks can lose their charter or licence, and bank employees can be terminated and barred from the banking industry if they are convicted of money laundering or terrorist financing.
Violations of the Bank Secrecy Act and its implementing regulations
Banks and bank employees can face civil and criminal penalties for violations of the Bank Secrecy Act and its implementing regulations. Criminal penalties can be imposed against banks or bank employees pursuant to 31 USC Section 5322 for wilful violations that can result in a criminal fine of up to $250,000, up to five years in prison or both. If the violation is committed while violating another US law or as part of a pattern of criminal activity involving more than $100,000, the person is subject to a fine of up to $500,000, up to 10 years' imprisonment or both. A bank that violates certain Bank Secrecy Act provisions - such as due diligence for private banking and correspondent banking accounts involving foreign persons, prohibition on correspondent accounts with foreign shell banks or Section 311 special measures - can receive a criminal fine up to the greater of twice the amount of the transaction or $1 million. In addition, criminal penalties can be imposed under 31 USC Section 5324 for structuring transactions to evade Bank Secrecy Act reporting requirements, either through failure to report or through filing reports that contain a material omission or misstatement of fact.
Pursuant to 31 USC Section 5321 and 12 USC Section 1818(i), the federal banking agencies and FinCEN can impose civil monetary penalties against a bank for violations of the Bank Secrecy Act and its implementing regulations. Banks that fail to comply with Bank Secrecy Act or anti-money laundering requirements can be subject to enforcement actions from federal and state regulators. In general, deficiencies in a bank’s Bank Secrecy Act and anti-money laundering compliance programme would typically be identified during regulatory examinations of banks and set forth in the examination report or through some other supervisory communication. If a bank does not correct previously reported deficiencies, the regulators may take more formal enforcement actions such as formal written agreements, cease and desist orders and orders assessing civil monetary penalties. The form of enforcement action in a particular case will depend on:
- the degree and severity of the weaknesses or deficiencies;
- the capability and cooperation of the bank’s management; and
- the regulator’s confidence that the bank will implement appropriate and timely corrective action.
Breach of the financial sanctions legislation
Any person who makes any funds, economic resources or financial (or related) services available directly or indirectly to or for the benefit of persons listed on a relevant sanctions list is guilty of a criminal offence and may be fined or imprisoned. The maximum term of imprisonment is currently seven years. Where a bank is guilty of an offence under the relevant financial sanctions legislation and that offence is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or other similar officer of the bank, or any person who was purporting to act in any such capacity, that person as well as the bank is guilty of that offence and is liable to imprisonment and/or a fine.
Breach of the 2007 regulations
Failure to comply with the 2007 regulations may result in criminal penalties of up to two years' imprisonment and unlimited fines (Part 5 of the regulations). Civil penalties may also be imposed as an alternative to criminal penalties. If the bank is guilty of an offence under the regulations and the offence is held to have been committed with the consent or connivance of an officer of the bank (eg, a director, manager, secretary, chief executive or member of the management committee) or is held to be attributable to any neglect on that officer’s part, the officer as well as the bank is guilty of an offence and subject to possible fines and/or imprisonment.
Breach of Proceeds of Crime Act 2002 and Terrorism Act 2000
If a bank or officer of the bank is found guilty of the offence of actual money laundering under the Proceeds of Crime Act 2002 or the Terrorism Act 2000, the maximum penalty is 14 years’ imprisonment and/or an unlimited fine. The maximum penalty for offences falling under either act for failure to disclose a knowledge or suspicion of money laundering, 'tipping off' or destroying or disposing of relevant documents is five years’ imprisonment, an unlimited fine or both.
Breach of senior management systems and controls
The Financial Services Authority can require a bank to pay a fine. In extreme cases the authority can cancel the bank’s authorization and therefore its ability to carry on business. The authority can also remove an individual from his or her position at the bank and prohibit the individual from carrying out functions in relation to any other banks or regulated entities. The authority can also issue private warnings. The form of action will depend on the relevant circumstances, such as:
- whether other enforcement action has already been taken;
- whether the breach was deliberate or reckless;
- the duration and frequency of the breach; and
- any remedial steps the bank has taken in respect of the breach.
The United Kingdom and the United States have similar enforcement powers in relation to cancelling a bank’s authorization or licence to carry on business. Both jurisdictions allow for criminal as well as civil penalties, although these appear to have wider potential applicability in the United States as they may be imposed against bank employees generally whereas the UK penalties are limited to officers of the bank. The length of imprisonment and amount of fines vary between the United States and the United Kingdom.