39.—(1) A relevant person may rely on a person who falls within paragraph (3) (“the third party”) to apply any of the customer due diligence measures required by regulation 28(2) to (6) and (10) [F1, or to carry out any of the measures required by regulation 30A,] but, notwithstanding the relevant person's reliance on the third party, the relevant person remains liable for any failure to apply such measures.
(2) When a relevant person relies on the third party to apply customer due diligence measures [F2or carry out any of the measures required by regulation 30A] under paragraph (1) it—
(a)must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) [F3and regulation 30A] in relation to the customer, customer's beneficial owner, or any person acting on behalf of the customer;
(b)must enter into arrangements with the third party which—
(i)enable the relevant person to obtain from the third party immediately on request copies of any identification and verification data and any other relevant documentation on the identity of the customer, customer's beneficial owner, or any person acting on behalf of the customer;
(ii)require the third party to retain copies of the data and documents referred to in paragraph (i) for the period referred to in regulation 40.
(3) The persons within this paragraph are—
(a)another relevant person who is subject to these Regulations under regulation 8;
(b)a person who carries on business in an EEA state other than the United Kingdom who is—
(i)subject to the requirements in national legislation implementing the fourth money laundering directive as an obliged entity (within the meaning of that directive), and
(ii)supervised for compliance with those requirements in accordance with section 2 of Chapter VI of the fourth money laundering directive; or
(c)a person who carries on business in a third country who is—
(i)subject to requirements in relation to customer due diligence and record keeping which are equivalent to those laid down in the fourth money laundering directive; and
(ii)supervised for compliance with those requirements in a manner equivalent to section 2 of Chapter VI of the fourth money laundering directive;
(d)organisations whose members consist of persons within sub-paragraph (a), (b) or (c).
(4) A relevant person may not rely on a third party established in a country which has been identified by the European Commission as a high-risk third country in delegated acts adopted under Article 9.2 of the fourth money laundering directive, and for these purposes “high-risk third country” has the meaning given in regulation 33(3).
(5) Paragraph (4) does not apply to a branch or majority owned subsidiary of an entity established in an EEA state if all the following conditions are met—
(a)the entity is—
(i)subject to requirements in national legislation implementing the fourth money laundering directive as an obliged entity (within the meaning of that directive); and
(ii)supervised for compliance with those requirements in accordance with section 2 of Chapter VI of the fourth money laundering directive;
(b)the branch or subsidiary complies fully with procedures and policies established for the group under Article 45 of the fourth money laundering directive.
(6) A relevant person is to be treated by a supervisory authority as having complied with the requirements of paragraph (2) if—
(a)the relevant person is relying on information provided by a third party which is a member of the same group as the relevant person;
(b)that group applies customer due diligence measures, rules on record keeping and programmes against money laundering and terrorist financing in accordance with these Regulations, the fourth money laundering directive or rules having equivalent effect; and
(c)the effective implementation of the requirements referred to in sub-paragraph (b) is supervised at group level by—
(i)an authority of an EEA state other than the United Kingdom with responsibility for the functions provided for in the fourth money laundering directive; or
(ii)an equivalent authority of a third country.
(7) Nothing in this regulation prevents a relevant person applying customer due diligence measures [F4, or carrying out any of the measures required by regulation 30A,] by means of an agent or an outsourcing service provider provided that the arrangements between the relevant person and the agent or outsourcing service provider provide for the relevant person to remain liable for any failure to apply such measures.
(8) For the purposes of paragraph (7), an “outsourcing service provider” means a person who—
(a)performs a process, a service or an activity that would otherwise be undertaken by the relevant person, and
(b)is not an employee of the relevant person.
Textual Amendments
F1Words in reg. 39(1) inserted (6.10.2020) by The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/991), regs. 1(2), 4(3)(a)
F2Words in reg. 39(2) inserted (6.10.2020) by The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/991), regs. 1(2), 4(3)(b)(i)
F3Words in reg. 39(2)(a) inserted (6.10.2020) by The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/991), regs. 1(2), 4(3)(b)(ii)
F4Words in reg. 39(7) inserted (6.10.2020) by The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/991), regs. 1(2), 4(3)(c)