Understanding the latest JMLSG Consultation: Key updates and implications for AML/CTF compliance

On 28 January 2025, the Joint Money Laundering Steering Group (JMLSG) launched a consultation on proposed revisions to Part 1 of its Guidance. These updates reflect the ongoing changes in AML and CTF requirements, helping firms remain equipped to tackle emerging risks and meet regulatory expectations.

The JMLSG has proposed enhancements to its Guidance to be more prescriptive regarding intra-group/group company outsourcing, applying customer due diligence (CDD) to group companies, and court appointed deputies and intermediaries acting on behalf of customers. The inclusion of additional examples and scenarios enhances the clarity of Part 1 of the JMLSG Guidance in order to assist firms in achieving regulatory compliance in these areas.  

The proposed changes, while not groundbreaking, will be very useful for firms that outsource within their group or deal with court-appointed deputies and intermediaries acting on behalf of customers. These changes provide guidance for firms to ensure they have the appropriate controls in place and apply the appropriate level of due diligence in these instances. The JMLSG is providing additional context to help firms easily adhere to regulatory obligations, which is a positive development.

The full consultation can be found on the JMLSG website, where you’ll find four documents highlighting the proposed tracked changes. The JMLSG is accepting comments on the planned updates until 28th March 2025.  Comments can be made via email to caroljsmit@jmlsg.org.uk.

Below we have outlined the key proposed changes and practical takeaway questions, in order of their appearance in Part 1 of the JMLSG Guidance.

Chapter 2 – Internal Controls

Addition of three new paragraphs in relation to intra-group and group companies under 2.22-2.24:

At the end of Chapter 2, there are proposed updates outlining a firm’s required internal controls when outsourcing within the firm’s group or group companies.

1. 2.22: UK firms must ensure compliance with all UK AML, CTF, and sanctions obligations where there are UK branches or UK subsidiaries. This includes addressing intra-group and external outsourcing arrangements relevant to the firm’s financial crime systems and controls.

   o   How does your firm ensure compliance with UK AML, CTF, and sanctions obligations, when outsourcing within your group?

2. 2.23: The MLRO or SMF17 must have the authority to take necessary actions when material AML/CTF risks arise in intra-group or group company outsourcing arrangements.

   o   Consider your firm’s delegation process with intra-group or group company outsourcing arrangements. How is the MLRO’s authority clearly defined, communicated and documented?

3. 2.24: Firms outsourcing activities to other group companies or headquarters should ensure that risk-based mechanisms, such as service level agreements, are implemented to address AML/CTF risks. JMLSG provide 5 examples where this would be expected, including reporting AML/CTF management information (e.g. KPIs, KRIs), information on AML/CTF training, details of compliance monitoring/testing or audits and escalation protocols.

o   How does your firm implement risk-based mechanisms within intra-group or group company relationships? How could these controls be strengthened?

Chapter 5 – Customer due diligence

The proposed revisions include four new paragraphs in Chapter 5, relating to group companies, local authorities and professional deputies and intermediaries.

Application of CDD measures:

Proposed new paragraphs under 5.3.138A and 5.3.138B relate to regulated financial services firms subject to ML Regulations (or equivalent) and the appropriate level of due diligence to apply to group companies.

1. 5.3.138A: A risk-based approach should determine the level of CDD to be applied in the establishment of business relationships or occasional transactions with another regulated firm in the same group. SDD may be applied where the group company is subject to the MLRs or equivalent.

2. 5.3.138B: If a group company in a non-equivalent or high-risk third country follows group-wide policies equivalent to the UK MLRs, the extent of CDD/EDD measures could consider factors such as the nature of its activities and the associated risks.

o   How does your firm currently apply due diligence to group companies?

o   Consider your firm’s approach to determining the appropriate level of CDD for business relationships or transactions with other regulated firms within the same group. How clearly is the risk-based approach justified and documented?

Other considerations

Court of Protection orders and court-appointed deputies:

Proposed revisions to this section go further to outline CDD measures applied to court-appointed deputies and professional power of attorneys, providing firms with an outline of how to approach the due diligence of these individuals.

In instances where local authorities and professional deputies are appointed by the Court of Protection (or equivalent in Scotland and Northern Ireland), firms should:

1. Verify the deputy’s identity and authority,

2. Take a risk-based and anti-fraud approach to verify the identity and authority of authorised officers (where nominated),

3. Apply this approach to newly appointed deputies handling account closures.

In the above instances, and for professional power of attorneys (e.g. solicitors), due diligence should be conducted on the individual’s professional capacity rather than personal capacity, unless their personal capacity is considered relevant.

• What processes does your firm have in place for applying CDD to court-appointed deputies and professional power of attorneys?

• How do you ensure that you satisfy your obligations while considering potential customer vulnerability?

Multipartite relationships, including reliance on third parties - (ii) Where the intermediary is the agent of the customer.

This section of the Guidance relates to instances where intermediaries are agents of the customer, and details firm’s due diligence obligations in these instances.

1. 15.6.36: This new paragraph outlines a firm’s requirement to clearly identify and document who their customer is and which underlying parties they have a business relationship with, ensuring they apply risk-based CDD measures to the appropriate parties.

2. 5.6.38: Paragraph 5.6.38 outlines a firm’s obligation to carry out CDD measures when taking instructions from or acting on behalf of an underlying customer. The proposed revision includes an additional sentence, noting that simplified due diligence may be applied where the underlying party is a low risk customer of the firm.

• What is your firm’s process for identifying and documenting customers and underlying parties?

• How is the appropriate level of due diligence of intermediaries determined?

• In the instance of mutual parties, how do you currently consider their risk rating in determining the level of due diligence to apply?

For more insights follow us on LinkedIn, sign up to receive our regulatory gap analysis templates direct to your inbox, Regulatory gap analysis templates — Avyse Partners  or contact us at contact@avyse.co.uk.