Real Estate under the anti-money laundering spotlight

Real Estate under the anti-money laundering spotlight

The latest UK Anti-Money Laundering (“AML”) National Risk Assessment (2020) assessed the UK’s property sector as high risk for money laundering (“ML”). It attributes this to certain attributes and features of the real estate (“RE”) sector, individuals engaging with the sector and transactions undertaken within it, for example:

• RE transactions frequently involve the transfer of large volumes of money, potentially across jurisdictional borders;
• The individuals instructing RE transactions often have access to considerable private or public funds; and
• RE transactions are likely to involve other parties (or “gatekeepers”) such as lawyers, notaries and accountants who may abuse their professional status to mask illicit activity.

The RE sector therefore faces multifaceted challenges when it comes to ML prevention. To tackle these, Estate Agents have long been subject to UK Money Laundering Regulations (“MLRs”), and Lettings Agents were more recently brought into scope in January 2020. In addition, professional services providers (including lawyers and accountants) also fall within the regulatory perimeter.

On 26^th July, the Financial Action Task Force (“FATF”) published new Risk-Based Approach for the Real Estate Sector to support the RE sector and those which support it in understanding their risk exposures and develop mitigating controls. This guidance is intended to act as a call to action for all parties who engage in RE transactions to strengthen their ML prevention frameworks and ultimately bolster the UK’s national AML strategy.

Key aspects of a successful risk-based approach (“RBA”)

The FATF guidance provides comprehensive details pertaining to “what good looks like” with respect to applying an RBA to AML compliance in the RE sector, and it would be advisable for those involved in RE transactions to digest its contents.

The below sections contain a summary of the critical elements of a RE sector RBA, and key considerations for Heads of Compliance, Money Laundering Reporting Officers (“MLROs”) and others in Financial Crime Compliance roles with respect to their AML frameworks. 

1. Risk assessment

Firstly, it emphasises the importance of a robust firm-wide ML risk assessment, which is arguably the cornerstone to the success of a firm’s RBA.

A firm’s firm-wide ML risk assessment should:

1. Be tailored to the size, scale and nature of the firm;

2. Explicitly consider wider inputs, such as the UK National Risk Assessment and, at minimum, cover the following inherent risks:

• Geography risks – including the jurisdictions within which the firm operates as well as the jurisdictions associated with the firm’s client’s;
• Customer risks – including factors such as Politically Exposed Persons (“PEPs”) within beneficial ownership structures); and
• Transactional risks – including the funding of RE transactions and face-to-face vs remote delivery channels

3. Be formally documented and approved by the Board/Senior Management and actively inform business decision-making, such as determining resource needs for control enhancements or identifying de-risking opportunities.

2. Due diligence

Based on its firm-wide ML risk assessment, the firm should determine its risk appetite and monitor business activity against this to remain within the parameters which it sets. This may include setting out types of business which may be prohibited (for example, where a sanctions nexus is identified or certain customer types).

Firms should also assess the risks posed by its customers on a case-by-case basis to inform the level of mitigating controls which need to be applied, commensurate to the risks posed in each case. Typically, a tiered approach to due diligence controls is most effective, whereby the greatest focus is placed on relationships which present a higher level of risk as follows:

Level of mitigating controls	Considerations
Customer Due Diligence (“CDD”)	A standard level of due diligence (often termed CDD”) should be applied to customers which pose a regular level of risk. This must include identifying and verifying both the customer and its beneficial owner(s) as well as establishing the nature and purpose of the business relationship.
Simplified Due Diligence (“SDD”)	In customer relationships where the Firm has deemed a lower level of risk is present, SDD may be applied. However, the protocols governing the application of SDD must be clearly documented in the firm’s policies and procedures. Also, the firm must also ensure that SDD customers are not exempt from Suspicious Activity Reporting (“SARs”).
Enhanced Due Diligence (“EDD”)	If a customer presents a higher risk of ML, EDD measures should be applied to mitigate the elevated level of risk. Situations where this may be warranted include where: Customers have links to high risk jurisdictions; Have complex ownership structures; Have PEP connections; and/or Virtual assets (“VAs”) are being used in the RE transaction. In these instances, firms should seek to gain more information and evidence to satisfy themselves that the customer (including beneficial owner(s)) and flow of funds is legitimate, and gain Senior Management sign off for commencement and continuation of the business relationship.

This assessment should be undertaken at the commencement of a business relationship, and also at regular intervals throughout the customer lifecycle depending on the risk posed by the relationship. If at any point there is a material change which acts as a trigger event (such as a change in beneficial ownership or identification of a PEP connection), the relationship should undergo re-risk rating and the level of due diligence applied going forwards may change as a result of this.

3. Roles and responsibilities

In order to effectively implement its RBA framework, it’s important for both the Business and Compliance to be fully engaged in the anti-financial crime agenda. The Business should be empowered and equipped to own their risk and be responsible for executing against AML procedures. Meanwhile, Compliance should actively monitor and guide the Business.

Staff should receive tailored and regular training to enable them to undertake their role. This should focus on their legal obligations, as well as containing practical and risk-focussed guidance.

4. Governance and oversight

It is vital for RE firms to implement appropriate governance structures and escalation channels to facilitate oversight and challenge with respect to higher risk relationships/situations, including PEPs and SARs. These should include active involvement of the Board/Senior Management in the Firm’s AML agenda, reinforced with strong and consistent tone from the top.

5. Policies and procedures

AML processes should be clearly documented (in the form of policies and procedures) as well as regularly assessed/evaluated to give the firm comfort with respect to their operating effectiveness. Where gaps or weaknesses are identified, these should be appropriately escalated for remedial action to be decided.

Policies and procedures should be subject to regular review and refresh, and should be approved by the Board/Senior Management.

Key questions for RE firms to be asking themselves

There is undoubtedly a lot to think about for firms involved in RE transactions in terms of AML compliance. Some non-exhaustive questions for consideration for Heads of Compliance, MLROs and other Financial Crime Compliance professionals may include:

1. Firm-wide ML risk assessment

• Is my risk assessment documented?
• Does it take into account the holistic range of inherent risks which my business faces as well as an assessment of the effectiveness of the controls I have in place?
• Is it signed off by senior management and used to inform business decision-making?​

2. Risk appetite

• Have I defined/documented my risk appetite statement, including prohibited business which sits outside of this?
•  How do I monitor adherence to my defined risk appetite?

3. Other risk assessments

• Have I developed other risk assessments, particularly to risk-rate customers to inform the level of due diligence applied?
•  How do I ensure that higher risk attributes, such as PEPs and sanctions nexuses, are promptly identified and appropriately handled?

4. Due diligence

• Have I developed clear and comprehensive due diligence procedures which set out the varying standards and requirements depending on the risk rating of the customer which I am doing business with?
•  Do these procedures include steps to be taken at onboarding as well as throughout the relationship?

5. Roles and Responsibilities

• Is an appropriate individual appointed to undertake AML roles, such as the MLRO and Nominated Officer (“NO”)?
• Are my escalation channels clearly defined so that staff understand when to escalate and Senior Management are actively engaged in AML governance and oversight​?

6. Training

• Are my staff equipped to understand their legal obligations and risk exposures to the business to enable them to undertake business within the parameters of the defined risk appetite? 
•  How do I determine which staff need which training, and how do I monitor that such training is undertaken in a timely manner?

7. Framework

• Are my processes and controls distilled into clear and accessible policies and procedures?
• Are these policies and procedures regularly reviewed and refreshed, and signed off by Senior Management?
• Does my Compliance function actively monitor and evaluate the Business with respect to the AML framework?