Though the UK left the European Union earlier this year, financial institutions must still meet national and EU Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.
Rayissa Armata is Head of Regulatory Affairs at IDnow, an identity verification platform. Here she shares her views on what Brexit and KYC compliance mean for UK financial services firms operating in Europe.
When the UK left the European Union on 1st January 2021, it came to be considered a ‘third country’ in its relations with the EU, and this has brought significant implications for the business models, structures, and compliance requirements of financial institutions and other reporting entities. Namely, companies must continue to meet national and EU Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations.
While the UK was an EU member state, UK-based companies simply had to demonstrate compliance by following and adhering to EU AML and KYC regulations and law, even passporting into the EU. However, once the Brexit transition was completed on 31st December 2020, the UK lost its status as a member of the EU. This loss of status has removed the UK’s access to simplified verification procedures, and enhanced due diligence checks will be required to fulfil newer AML amendments and requirements.
UK companies that onboard customers in the EU are now required to acquire a license in an EU member state, to follow local laws, and to comply with regulations specific to individual countries. In so doing, they will also have to ensure that, no matter which country their customer is based in, their AML and KYC regulatory standards meet or exceed those of the UK.
Additionally, for many UK companies, the degree of change after Brexit is governed by their current European footprint. For businesses that are obliged under AML law, notably in the banking and financial sectors, several factors must be taken into account in order to fully understand the extent to which Brexit will affect their business. The silver lining here is that the UK possesses high AML/KYC standards, so the effort to conform to EU member state rules should not be incredibly challenging for well-run companies.
In the lead-up to Brexit, businesses had to consider several factors which would affect their operations from the 1st of January 2021. For the financial services sector, the main changes were the loss of passporting, which removed the ability of UK firms to operate in the EU and vice versa; compliance with new regulatory requirements, including the implementation of AML / KYC regulations; and relocation and data protection processes.
Passporting no longer available
Traditionally, passporting allows a financial entity to establish a branch in one EU member state in order to provide direct cross-border services across the European Economic Area (EEA) as outlined by EU law. Supervision is primarily carried out by the home country unless specified.
Following 31st December, however, the use of passporting no longer applies to the UK. As such, authorisation requirements will need to be met under European and member state law.
UK firms may need to get authorisation from competent authorities among EU member states to access the EU market (i.e. setting up subsidiaries). They will have to comply with both UK and host country regulation to conduct regulated activities. Likewise, EU firms will need to become authorised by UK authorities to access the UK market and will have to comply with AML regulatory requirements dictated locally. We do caution UK and EU businesses who engage in cross-border licensing partnerships to verify the reputation of the counterpart firm before any agreement.
The UK government will have to make significant efforts to develop new trade agreements with individual member countries. Cross-border entities may have to restructure, and UK entities are going to be impacted especially considering the UK’s strength in investment banking, where passporting has been critical across the EU.
These changes may require significant changes to an entity’s investments in capital, staff and infrastructure, and as a consequence, banks may need to transfer parts of their UK-based business to existing or new EU locations.
Correspondingly, EU-based businesses that wished to operate within the UK had to build some presence there. This can be particularly challenging for small and growing businesses in the fintech and cryptocurrency sectors.
KYC Obligations: Meeting Compliance Requirements Across EU AMLD5
For businesses in the banking/finance industry, KYC screening is compulsory. Heavy fines leave little room for non-compliance, and obliged industries must have procedures in place to meet these requirements.
Within Europe, national AML laws can vary, and UK businesses must ensure they can meet KYC procedures that are permissible in a particular member state. Member states follow a combination of guidelines established under the Financial Action Task Force (FATF), implementation of AML Directives, the latest being AMLD5 and the upcoming AMLD6, and national AML Acts.
The AMLD5 and AMLD6 aim to bring greater uniformity in AML / KYC compliance within the EU. While the 5th Directive was implemented before the UK’s Brexit deadline, the UK will have to follow its own laws under its own authorities. This forces all compliance operations to understand what these differences are and how they will affect their corporations’ business obligations.
Last year, the 5th Directive introduced changes across several EU member states, introducing stricter adherence for AML legislation, widening the types of institutions that must comply with AML law, amendments to the use of digital KYC solutions, and cross border services for trust services under the eIDAS Regulation.
Although the UK currently complies with the legislation in force within the EU and will need to implement the 5th AML Directive, member states and their regulators have variations in their interpretation of how the rules are applied in their jurisdictions. Corporations will need to review their existing structures and determine how they will be able to continue to serve existing clients in the EEA regions.
For example, financial institutions routinely need to elevate their AML/KYC standards in order to satisfy various requirements. For some reporting entities, the differences in digital KYC compliance result in significant uplifts and require new partners to meet such changes.
In the UK, automated solutions to perform electronic identity verification are accepted. In contrast, in countries like Germany the regulator – BaFin – dictates the use of video-based solutions to verify identities remotely.
Recently, member states including France, Spain, Portugal, Switzerland, Liechtenstein, and the Nordic countries are either evaluating or allowing hybrid identity verification solutions for AML/KYC application. We see a clear trend across Europe to establish similar requirements and regulations in order to maintain secure digital interactions.
Data Privacy and GDPR
The agreed deal between the UK and the EU allows for the free flow of personal data for a period of six months after the transition period expires – this is until the end of June 2021.
During this time, it is expected that the European Commission will either issue an adequacy decision in relation to the UK or provide guidance on what actions should be taken. The UK is hoping that the European Commission approves the former.
In relation to transfers of personal data outside the UK, the UK government has stated that transfers of data from the UK to countries in the EU/EEA are permitted, and the Information Commissioner’s Office (ICO) has stated that this will be kept under review.
Since the UK has given adequacy to the EU, EU countries will not need to make any changes to data protection processes when handling data coming from the UK. However, this will be different for UK companies. After the end of June, UK companies may need to change processes if the EU does not provide adequacy status in return.
The exchange of customer data between corporations in the UK and EU will mandate corresponding arrangements when it comes to data protection and privacy.
UK businesses operating in the EU should consider how they will address data transfer in order to clarify any outstanding issues. For example, financial and other reporting institutions should ask themselves:
- Can your existing customer data be transferred to a new jurisdiction or will a new KYC profile need to be created altogether?
- How will this impact your existing client relations?
- What are the costs involved to meet regulatory compliance?
- Will your firm be ready to make any necessary changes by June 2021?
Protecting the existing client experience should be of paramount importance and any refresh of client KYC data due to the UK exit from the EU will be critical. A due diligence process that is cost-effective and ensures a client-friendly process must be secure.