ICQ Log - Financial Crime

All Change for Financial Crime Compliance Practitioners

 

Last Updated: 10 September 2021

As everyone who is currently involved in a compliance-related function is aware, financial regulation continues apace and 2021 is proving to be an especially busy year for compliance professionals who work in the Anti Money Laundering/Countering the Financing of Terrorism (AML/CFT) space. Examples of recent changes and announcements include:

As everyone who is currently involved in a compliance-related function is aware, financial regulation continues apace and 2021 is proving to be an especially busy year for compliance professionals who work in the Anti Money Laundering/Countering the Financing of Terrorism (AML/CFT) space. Examples of recent changes and announcements include:

  1. The European Banking Authority (EBA) updated risk factor guidelines were published in March 2021;
  2. The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”) which transposed Directive 2018/843 (5AMLD) into Irish law and the European Union (Anti-Money Laundering: Beneficial Ownership of Trusts) Regulations 2021 were commenced in April 2021;
  3. The EBA analysis of Reg Tech was published in June 2021; and
  4. The updated AML/CFT Guidelines for the Financial Sector were published by the Central Bank of Ireland (CBI) in June 2021 following the 2021 Act (the “New Guidelines”); and
  5. The European Union (EU) announced plans to introduce a new AML/CFT regulation which will include directly applicable rules for Member States, a directive which will revoke Directive 2015/849 (4AMLD) and a new EU AML Authority to be established. 

This article specifically focuses on key elements within the New Guidelines and seeks to provide guidance to the reader in terms of their implementation and ongoing compliance. As with the inaugural CBI Guidelines of September 2019, the New Guidelines detail the CBI’s expectations in relation to how designated persons (Designated Persons) comply with their obligations as set out in Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 - 2021 (CJA 2010). Unlike the 2019 Guidelines, the New Guidelines did not require public consultation as the updates were not considered to be material.

Of special note is the introduction within the New Guidelines of the potential requirement for a Designated Person to have a member of senior management be nominated as accountable for the implementation, management, and oversight of compliance with AML/CFT measures. This is discussed in more detail within the Governance section below. Other highlights and material changes are set out within this article. They are intended to support the compliance professional as they seek to assess the potential impact of the 2021 Act and the New Guidelines on their respective institutions.

Governance

The Governance section within the New Guidelines has been extensively updated, highlighting the CBI’s expectation that the Board demonstrate effective governance and oversight of the AML/CFT Framework and details expectations in relation to the Business Risk Assessment, approval of policies, reporting lines and board meetings. The CBI expects that Designated Persons appoint a member of senior management to the role of “Member of Senior Management” (MoSM) with primary responsibility for implementing, managing, and overseeing compliance with AML/CFT measures, where such an appointment is proportionate to the nature, scale, and complexity of a Designated Person’s activities. The intention is to avoid treating AML/ CFT issues as low priority. Where the inherent AML/CFT risk of the Designated Person is high, that Designated Person should consider if that MoSM should sit on the Board. The Board should ensure that the MoSM has adequate knowledge, skills and experience regarding the identification, assessment, and management of the Money Laundering/Terrorist Financing (ML/TF) risks, and the implementation of AML/CFT policies, controls, and procedures, in addition to a good understanding of the Designated Person’s business model and the sector in which the Designated Person is operating, and the extent to which this business model exposes the Designated Person to ML/TF risks. 

Where a Designated Person does not appoint a MoSM, that Designated Person is required to document the rationale for not appointing such an individual. The CBI can instruct the Designated Person to appoint such an individual should it see fit. The MoSM has primary responsibility for the implementation and management of AML/CFT measures in accordance with the CJA 2010. Accordingly, they should ensure that the Board is aware of the impact of ML/TF risks on the activities of the Designated Person. Underpinning the ability of the MoSM in successfully discharging their responsibilities, Designated Persons are required to appoint an individual at management level to monitor and manage compliance with, and the internal communication of, the Designated Person’s internal AML/CFT policies, controls, and procedures, to be called a “Compliance Officer” where appropriate having regard to the nature, scale, and complexity of the Designated Person’s activities. Where a Designated Person does not appoint a Compliance Officer, that Designated Persons must document its rationale for such not doing so. The CBI may direct the Designated Person to appoint such an individual.

The Compliance Officer should:

  1. Have sufficient and appropriate AML/CFT knowledge and expertise, including knowledge of the applicable legal and regulatory AML/CFT framework, and the implementation of AML/CFT policies, controls, and procedures;
  2. Enjoy the autonomy, authority, and influence within the Designated Person to allow them to discharge their duties effectively;
  3. Provide effective challenge within the Designated Person on AML/ CFT matters when necessary;
  4. Retain the capabilities, capacity, and experience to oversee the identification and assessment of suspicious transactions and to report/liaise with the relevant authorities where necessary in relation to such transactions; and
  5. Maintain sufficient knowledge and understanding of the ML/TF risks, trends, and issues to which the Designated Person is exposed, with relevant experience regarding the identification, assessment, and management of such ML/TF risks. Given that one on the tasks of the MoSM is to ensure the Compliance Officer has adequate resources, information, and experience to perform their role, the CBI expects that the roles of MoSM and Compliance Officer should be performed by two separate individual

The CBI also notes that the term “Money Laundering Reporting Officer” or “MLRO” has been used to describe employees with certain responsibilities relating to AML/CFT obligations and that while the term is not defined in Irish legislation, such a person may also be the Compliance Officer. This might be considered an effective rebrand of the MLRO function.

Risk Management

The New Guidelines introduced a new section titled, “de-risking”, that is, Designated Persons should not apply a default “zero tolerance” approach or terminate business relationships with customers or entire categories of customers i.e., without considering whether enhanced measures could be applied on a risk-based approach to reduce the AML/CFT risk. The application of such measures may allow the continuation of the business relationship, or the provision of a particular financial product or service to a customer. In line with CBI communiqués and public statements, the New Guidelines require that Designated Persons should ensure that their Business Risk Assessment is tailored specifically to their business and that it takes account of factors and risks specific to their business. Where the Business Risk Assessment is drawn up as part of a group-wide risk assessment, consideration must be given as to whether the group-wide risk assessment is sufficiently granular and specific to reflect the business and the risks to which it is exposed. A generic Business Risk Assessment that has not been adapted to the specific needs and business model of a Firm is unlikely to meet regulatory obligations or the expectations of the CBI. The New Guidelines also include other risk-related changes of note, including:

  1. Clarification on terrorist financing indicates that Designated Persons must consider information on a jurisdiction from law enforcement or credible and reliable media sources when considering the terrorist financing risk associated with that jurisdiction;
  2. guidelines on risk factors associated with the customer or beneficial owner’s behaviour, which could be an indicator of ML/TF risk; and • the Customer Risk Assessment process should be reviewed on a regular basis and kept up to-date to ensure all relevant risk factors are identified.
  3. Customer Due Diligence The Customer Due Diligence section has been updated primarily with respect to Beneficial Ownership requirements, PEPs, and High Risk Third Countries. These updates are summarised below.

Customer Due Diligence

The Customer Due Diligence section has been updated primarily with respect to Beneficial Ownership requirements, PEPs, and High Risk Third Countries. These updates are summarised below.

Beneficial Ownership

The requirement to identify and verify customers and where applicable beneficial owners at any time where the Designated Person is obliged by virtue of any enactment or rule of law to contact a customer for the purposes of reviewing any relevant information relating to the beneficial owner connected with the customer;

an obligation on a Designated Person to ensure that beneficial owner of the customer has been entered into the applicable beneficial ownership register, if applicable, prior to conducting any transactions, including the receipt of any funds, on the behalf of the customer and/or Beneficial Owner;

where the Beneficial Owner is the senior managing official, Designated Persons are required to take the necessary measures to verify the identity of that individual and retain records of the actions taken to verify that individual’s identity including any difficulties encountered in the verification process; o in cases where the senior managing officials have been listed as the Beneficial Owners, Designated Persons are required to establish whether the customer in question has in fact exhausted all possible means to identify their Beneficial Owner(s);

Designated Persons are required to maintain their own lists of documentation which should remain current and appropriate and consider, evolving internal processes and any relevant external or environmental factors e.g., a pandemic; and

sources of information which can be used to identify and verify a customer’s identity to explicitly include information from relevant trust services as specified in the eIDAS Regulation.

PEPs and High Risk Third Countries

  1. The is an obligation for Designated Persons to continue to apply Enhanced Due Diligence and a Politically Exposed Person (PEP) status to a relationship until the individual is no longer deemed to pose a risk, arising from their previous PEP status; and
  2. The requirement for Designated Persons to apply additional due diligence measures where the customer is established or residing in High-Risk Third Countries i.e., those countries identified by the European Commission as having strategic deficiencies in their AML/CFT regimes.

Transaction Monitoring

Transaction monitoring has been included as a new section to incorporate the CBI’s expectations. Compliance professionals should already be aware of most of the regulatory expectations in this area as they were previously communicated by the CBI in an AML Bulletin issued in October 2020.

Designated persons are required to monitor customer transactions to identify transactions which may be suspicious in nature. The systems used, whether manual or automated, should be tailored to the Designated Persons Business Risk Assessment and the nature, scale, and complexity of the business. The intensity of monitoring should increase with the ML/TF risk associated with the customer or transaction. The information a Designated Person holds on their customers should be connected, sufficient and current to determine whether transactional activity is suspicious.

The New Guidelines detail the CBI’s expectations that Designated Persons should:

  1. Have a formalised mechanism in place around making changes to controls as required e.g., new risk factors and risk indicator
  2. Assess that any transaction monitoring system outsourced to a third party is adequate to mitigate their inherent AML/CFT risk; and
  3. Ensure employees are aware of the need to manually identify any transactional activity, which may be suspicious and not to place sole reliance on automated systems e.g., enhance AML/CFT training.

It is expected that the CBI will consider Transaction Monitoring for future thematic inspections.

Training

The New Guidelines include details on additional training which should be provided to employees in relation to AML/CFT, specifically that Designated Persons should ensure that all employees, directors, and agents are trained in the Designated Person’s Business Risk Assessment and how it affects their daily work. Each of these groups should also be made aware of the Designated Person’s internal reporting procedures in respect of contraventions of CJA 2010. Reporting of Suspicious Transactions.

The New Guidelines remind Designated Persons that Suspicious Transaction Reports (STRs) must only be submitted to the Revenue Commissioners using the Revenue Commissioners’ Online Service (ROS). Usefully, the New Guidelines include examples of poor quality STRs which have been submitted to FIU Ireland to highlight that STRs should be sufficiently detailed to assist the authorities in their review and investigation. It should be noted that there are no changes to filing of STRs via goAML with the Financial Intelligence Unit (the Garda National Economic Crime Bureau).

Conclusion

The New Guidelines are to be welcomed by compliance professionals given they provide an expanded and updated insight into CBI expectations. The elements of Customer Due Diligence that have been expanded upon, not least the elements relating to verification of Beneficial Owners, will require tailoring and process enhancements by Designated Persons to ensure compliance with requirements. In conclusion, the authors wish to highlight that the CBI expect Designated Persons of a sufficient size and complexity to identify a MoSM with primary responsibility for implementing, managing, and overseeing compliance with AML/CFT measures which will require Designated Persons to redesign governance structures. Any individual nominated for the MoSM role will be personally responsible for a Designated Person’s compliance with their obligations under CJA 2010. Those individuals will have to examine if they wish to be held accountable for AML/CFT; are sufficiently qualified or able to discharge the responsibilities arising and how they interact with the Compliance Officer. It might be that Future Enforcement Actions taken by the CBI for AML/CFT shortcomings include the actions taken against the relevant MoSM given accountability of the role in overseeing the effective mitigation of the AML/CFT risk arising

Lawyer Photo

Author: David Kearney

Deputy MLRO and AML Compliance Manager at AIB Merchant Services

Linkedin
Lawyer Photo

Author: Saibh Naughton

MLRO & Operational Compliance Manager at LGT Fund Managers (Ireland) Limited

Linkedin

< Back to all Log Posts

ICQ Autumn Edition 2021

This article was taken from the ACOI's ICQ Autumn Edition 2021

View all previous editions of ICQ