Certain businesses (“relevant persons”) are regulated under the Money Laundering Regulations 2007. Those Regulations transposed the Third Money Laundering Directive into UK law. Relevant persons may, in discharging the legal requirements, source a range of services from third parties.
Firms can, and typically do, subcontract a range of functions, buying in either expertise or access to information from specialist sources. Large retail firms also use information from consumer credit bureaux to help automate their customer identification and verification checks.
Relevant persons may rely on certain other regulated persons to carry out customer due diligence. In all of these cases relevant persons remain legally liable for the discharge of the responsibilities placed on them under the Money Laundering Regulations 2007.
Personal data obtained by relevant persons as a result of checks made under the Regulations are subject to the Data Protection Act, which places a number of requirements on those persons to safeguard those data. This means, for example, that businesses have to keep personal information secure, and ensure it is fairly and lawfully processed.
Regulators (including professional bodies) will also apply a variety of other safeguards to relevant persons who they supervise for money laundering and other purposes in order to monitor compliance with these requirements and relevant guidance.