The biggest change to AML in a decade

Very soon after the election, we expect the “Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017” to be enacted.

As yet, they are still in draft form and subject to change. Much of the 2007 regulations remains intact; however, there are considerable amendments and additions, and those most relevant to lawyers are highlighted below.

Risk Assessment

Each firm will have to prepare a risk assessment. This will involve taking reasonable steps to identify and assess the risks your firm faces, and keeping a written and up to date record of those steps you have taken.

When compiling your risk assessment, you should consider:

  • Who your clients are
  • Where your clients, or their funds are coming from
  • The services you are providing to your clients
  • How you provide services to your clients
  • Size and nature of your business

Whilst it is not possible to prevent entirely the risk of being targeted by criminals, having a robust risk assessment will justify the steps you took.

Policies, controls and procedures

You must establish and maintain policies, controls and procedures to mitigate and manage the risks which you have identified in your risk assessment. They need to be proportionate to the size and nature of your business.

Your policies must provide for the scrutiny of complex and unusually large transactions. This means each matter will need to be risk assessed. You should consider the due diligence information which has been obtained, and the nature of the instructions. The main question that lawyers need to ask themselves is: does the transaction make sense?

Internal Controls

The internal controls which you must implement will depend on your assessment of the size and nature of your business. You may need to:

  • Appoint an individual who is on the board, or equivalent, as the officer who is responsible for compliance with the regulation.
  • Carry out screening of relevant employees and agents.
  • Establish an independent audit function to examine the effectiveness of the policies.


The training you provide must now also include training on Data Protection, and the obligation to train extends to agents.

Customer Due Diligence (CDD)

CDD is not just required at the beginning of a relationship with the client, but also must be applied when you become aware of changes in the circumstances of an existing customer.

There are some important additions to the 2007 regulations in relation to a body corporate, namely

  • The memorandum of association.
  • Where the client is beneficially owned by another person, you must now also verify the identity of the beneficial owner.
  • Where the beneficial owner is a legal person, you also need to understand the ownership and control structure of the beneficial owner.
  • These requirements will not be satisfied by relying only on the register of people with significant control.
  • If the person instructing you is acting on behalf of a client, you must verify that person.

It is also important to note that the definition of beneficial owner of a trust has been extended to now include the settlor, the trustees, the beneficiaries or class of beneficiaries and any individual who has control of the trust.

Enhanced Customer Due Diligence (EDD)

The Regulations are more prescriptive as to when EDD measures need to be applied. You must apply EDD when the case is high risk. When assessing whether a matter is high risk, you must consider regulation 33(6), including, amongst others, customer, service and geographical risk factors. EDD means examining the purpose of the transactions and increasing the frequency of monitoring. You may also seek further independent verification of the information you have been provided, or take more steps to understand the ownership and financial situation or to ensure the instructions fit the client’s business.

PEP definition

This has changed to include domestic PEPs and has been widened to include members of governing bodies of political parties and those on the board of international organisations.

Simplified Due Diligence (SDD) and Pooled Client Accounts.

In relation to the client account, banks can apply SDD provided that:

  • The firm presents a low degree of risk, and
  • Information on the identity of the person on whose behalf monies are held in the PCA is available on request and within 2 working days.

You will need to ensure that you have explained to the client that, if the bank requests information about who you hold funds for, you will be required to provide that information. The client needs to consent to that.

Data Protection

You must provide new clients with a statement that any personal data received will only be processed for AML and CTF purposes. Data must be retained for 5 years following the end of the business relationship but then deleted unless you are required to keep it by law, or the data subject has given express consent for its retention. You will need to ensure that you have the client’s express consent to keeping the data for longer than 5 years.

‘The Biggest Change to AML in a Decade’ is a series of short, succinct articles which looks at some of the main issues directly affecting solicitors. Whilst the final regulations are yet to be finalised, it is clear that, in a relatively short period of time, solicitors’ firms will need to make a number of changes to their policies and procedures to comply. To stay up to date with the latest developments and to receive the latest articles in this series, email or visit

About Amy Bell

Amy Bell is Risk Management Consultant for Lockton, award-winning providers of effective risk management solutions. With over 12 years’ experience advising law practices across the UK and globally, Amy helps firms to adapt to the changing legal landscape and to adopt best practice in implementing compliance procedures. Through consultancy with partners, Amy provides training and support for everyone in the firm to help understand compliance and how to apply risk management principles to improve client service and deliver maximum efficiency.

She is the Chair of the Law Society’s Money Laundering Task Force, where she represents the solicitors’ profession at Government and in Europe. She is also the author of the Law Society’s Anti-Bribery Toolkit.

To find out more about Lockton’s Risk Management Training and Consultancy services please visit