The Minister said that the reason this is done in regulations is because telling a bank how to do its due diligence is too detailed for primary legislation. But he is rather overstating the case, because Regulation 18 of the 2017 money laundering regulations says that, “A relevant person”—this would be the bank—
“must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”.
The first requirement there is:
“In carrying out the risk assessment required under paragraph (1), a relevant person must take into account … information made available to them by the supervisory authority”,
under Regulation 17. If you go back, you find that the supervisory authority has to take notice of what the Treasury and the Home Office have said. So this is a cascade that automatically updates. If there is a new risk, the Government identify it, along with mitigating measures, and tell the supervisors, which devise ways to update the information for their sectors. Then the onus is still on the individual businesses to work out how to do this. Yes, there is a list of factors to include, but it is within the power of the Government to say, “This is an extra factor; it does not even need any legislation”. However, it embeds the duties of the Government to have a position and to come out with their reports and then the duties of the supervisors. None of that is definitely retained, because everything to do with this money laundering directive can be rubbed out. So it is not about the excruciating detail that the Minister says it is—the excruciating detail comes from the supervisors.