The UK’s impending exit from the EU brings with it many new decisions, functions, and costs for UK-based companies already operating in or considering a move into the bloc. As of January 1st, Great Britain will be considered a ‘third country’ in its relations with the EU, which will have significant implications for financial institutions and other reporting entities’ business models, structures, and compliance requirements.
Namely, companies must continue to meet national and EU Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations. The ability to ‘passport’ UK legislation and practices across the EU’s internal borders will no longer be available to UK firms, and in order to meet equivalent standards and regulations, businesses must fully prepare.
In this article Rayissa Armata, head of regulatory affairs at IDnow, looks at how companies must find suitable partners and make adjustments where they are needed.
While an EU member state, UK-based companies simply had to demonstrate compliance by following and adhering to EU AML and KYC regulations and law, even passporting into the EU. However, once the Brexit transition period ends the UK will no longer have access to simplified verification and enhanced due diligence checks will be required to fulfil newer AML amendments and requirements.
UK companies that onboard customers in the EU will be required to follow local laws and regulations specific to individual countries. In doing so, they will also have to ensure that no matter which country their customer is based in, their AML and KYC regulatory standards meet or exceed those of the UK.
The degree of change for many companies in Britain and Northern Ireland will depend on their current European footprint. For businesses that are obliged under AML law, notably in the banking, financial, insurances, mobility, telecoms, and online entertainment/gaming sectors, several factors will need to be taken into account in order to fully understand the scale and extent that Brexit will affect their business. These include:
- Loss of Passporting – the establishment of automatic cross border provisions and services
- Their Prudential Framework
- Revisions to capital structures
- Revisions to their legal entity structures
- How to implement and learn of different AML and KYC regulations – Data Protection
- Potential implications for holding or transferring data
- Legal arrangements
- Tax considerations
- Restructuring client relationships
Loss of Passporting
Passporting allows a financial entity to establish a branch in one EU member state in order to provide direct cross-border services across the European Economic Area (EEA). Supervision is primarily carried out by the home country unless specified.
After December 31st, authorisation requirements will need to be met under European and Member State law. This means that UK firms may need to get authorisation from competent authorities among EU member states to access the EU market (i.e. setting up subsidiaries). They will have to comply with both UK and host country regulation to conduct regulated activities, and EU firms, in turn, will need to become authorised by UK authorities to access the UK market.
Relocation, relocation, relocation
As third country status begins, the UK government will have to make significant efforts to develop new trade agreements with individual member countries. Cross-border entities may have to restructure, and UK entities are going to be impacted especially considering the UK’s strength in investment banking, where passporting has been critical across the EU.
These changes may require significant changes to an entity’s investments in capital, staff and infrastructure and as a consequence, banks may need to transfer parts of their UK based business to existing or new EU locations.
KYC Obligations: Meeting compliance requirements across EU AMLD5
For businesses in the banking and finance industry as well any entities obliged to follow AML laws, KYC screening is compulsory. Heavy fines and penalties leave little room for non-compliance, and obliged industries must have measures and procedures in place to meet these requirements.
Within Europe, national AML laws can vary and UK businesses must ensure they meet KYC procedures that are permissible in particular member states. Members follow a combination of guidelines established under the Financial Action Task Force (FATF) and implementation of AML Directives, the latest being AMLD5 and the upcoming AMLD6, and national AML Acts.
While the 5th Directive was implemented before the UK’s Brexit deadline, the UK will have to follow its own laws under its own authorities. This forces all compliance operations to understand what these differences are and how it will affect their corporations’ business obligations.
This year, the 5th Directive introduced changes across several EU member states, introducing stricter adherence for AML legislation, widening the types of institutions that must comply with AML law, amendments to the use of digital KYC solutions, and cross border services for trust services under the eIDAS Regulation.
Although the UK currently complies with legislation already in force within the EU and will need to implement the 5th AML Directive, member states and their regulators have variations in their interpretation of how the rules are applied in their jurisdictions. Corporations will need to review their existing structures and determine how they can continue to serve existing clients in the EEA.
Financial institutions routinely need to elevate their AML and KYC standards in order to satisfy various requirements. For some reporting entities, the differences in digital KYC compliance results in significant uplifts and requires new partners to meet such changes. (i.e. Video Identification in Germany vs automated KYC in UK).
Money laundering, terrorist financing, drug trafficking, and identity fraud continue to be real threats and efforts to combat these risks have become stricter and more focused. Dangers in using regulatory loopholes between member states existed prior to Brexit and could pose even greater risks if entities such as banks, financial institutions, online entertainments and e-commerce are not prepared.
Data Privacy and GDPR
The exchange of customer data between corporations in the UK and EU will mandate corresponding arrangements when it comes to data protection and privacy. The EU has stated it is willing to grant unimpeded access to UK-based financial corporations only if they are subject to equivalent privacy and data laws.
UK businesses operating in the bloc should consider how they will address data transfer in order to clarify any outstanding issues. Financial and other reporting institutions should ask themselves a number of questions:
- Can your existing customer data be transferred to a new jurisdiction or will a new KYC profile need to be created altogether?
- How will this impact your existing client relations?
- What are the costs involved to meet regulatory compliance?
Throughout this process, protecting the existing client experience should be of paramount importance and any refresh of client KYC data thanks to Brexit will be critical. A due diligence process that is cost-effective and ensures a secure and client-friendly process.
The critical role of the identity verification provider
Selecting the right identity verification partner for the post-Brexit journey is critical. An identity verification-as-a-service (IVaaS) provider that operates across Europe and that has software built on some of the strictest regulations, like those of Germany’s Federal Financial Supervisory Authority, can easily meet European regulations to onboard customers.
