AMLG1200 - Guidance for all sectors: Legislation
2. Legislation
The Payer) Regulations provide the legislative framework for the registration and supervision of businesses that fall within the scope of the Regulations.
The Regulations are regularly updated by amendment regulations, and you should ensure that you are aware of any such amendments.
This guidance focuses mainly on the Regulations, but you should ensure you are aware of other UK legislation covering anti money laundering and counter-terrorist financing which includes, among others:
- Proceeds of Crime Act 2002 - Part 7 which sets out the principal money laundering offences and a reporting regime that makes it an offence to fail to disclose knowledge or suspicion of money laundering.
- Terrorism Act 2000 - Part 3 sets out the principal terrorist financing offences and contains a reporting regime that makes it an offence to fail to disclose knowledge or suspicion of terrorist financing.
- Anti-Terrorism Crime and Security Act 2001 - allows for the seizure of terrorist cash.
- Data Protection - The Data Protection Act 2018 and the General Data Protection Regulation (GDPR), governs the processing of information relating to individuals, including obtaining, holding, using, or disclosing of the information.
Personal data obtained by a business under the Regulations may only be processed for the prevention of money laundering, terrorist financing, or proliferation financing unless use of the data is allowed by other legislation or after obtaining the consent of the data subject.
You must provide new customers with a statement that personal data received will only be used for the purposes of preventing money laundering, terrorist financing or proliferation financing and provide them with the information as required under Article 13 of the GDPR. The information you must provide includes:
- The identity and contact details of the controller and the controller’s representative if they have one.
- The contact details of the data protection officer if you have one.
- Why you are processing the personal data, including the legal basis.
- Who will receive the personal data?
- Whether you intend to transfer the personal data outside of the UK, and if so, whether they have appropriate safeguards.
- How long you will store the personal data.
- The existence of the right to request access to and deletion of personal data, including data portability.
- The right to complain to the Information Commissioners Office.
- Whether providing the personal data is a statutory or contractual obligation and the possible consequence of failing to provide it.
- The existence of any automated decision making, including profiling.
- The processing of personal data for the performance of a task carried out in the public interest in accordance with these Regulations includes where it is lawful and necessary for the prevention of money laundering and terrorist financing or proliferation financing.