AML Update: New Irish Act comes into force
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 has been signed, transposing most of the Fourth Money Laundering Directive (MLD4) into Irish law. MLD4, and the Irish Act, represent a continuing shift towards a more risk-based approach to targeting money laundering (ML) and terrorist financing (TF).
This Briefing highlights the key changes introduced by the new Act for regulated financial service providers (RFSPs) and other designated persons operating in the financial services sector.
The Act was signed into law on 14 November 2018, and all but one provision was commenced with effect from 26 November 2018. It transposes the remainder of MLD4 into Irish law by amending the existing Irish Act (the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010).
The key changes are in the areas of risk assessments, due diligence, policies and procedures, and enforcement.
Announcing the commencement of the Act on 23 November, the Minister for Justice and Equality commented that the new Act “…is really important. Money laundering is a crime that helps serious criminals and terrorists to function, destroying lives in the process. Criminals seek to exploit the EU’s open borders and this EU-wide measure is really important for that reason. I and my Government colleagues are committed to systematically tackling corruption and organised crime.”
While MLD4 does not create new categories of “designated persons”, crucially the Act includes a requirement that certain financial institutions who:
- act in the State, in the course of business carried on by them in the State; but
- are not already authorised by, licensed to carry on activities by, or
registered with, the Central Bank under other legislation,
register with the Central Bank. The new Act provides that the name, address, and details of activities carried on should be provided to the Central Bank in accordance with a procedure to be specified by it. The Central Bank published its procedure and guidance on 27 November 2018 (see here) and we are publishing a separate briefing on that specific development.
Designated Persons must conduct Business Risk Assessments
A designated person is now under a statutory obligation to carry out a Business Risk Assessment to establish the ML/TF risk involved in its business.
Various factors must be taken into account, such as its customer base, the products and services that it offers, the countries/regions in which it operates, transaction types, delivery channels, and any additional risk factors prescribed by the Minister for Justice from time to time. It must also take account of any guidance issued by the relevant competent authority, the National Risk Assessment (see our briefing on the National Risk Assessment here) and (where it is a bank or a financial institution) any guidelines issued by the European Supervisory Authorities (ESAs).
The Business Risk Assessment must be approved by senior management, must generally be documented, and must be kept up-to-date. A record of the Assessment must be made available on request to the relevant competent authority.
Business Risk Assessments and Customer Due Diligence (CDD)
When carrying out CDD, a designated person must assess the ML/TF risk posed by the customer/transaction by reference to various matters, including its Business Risk Assessment.
It must also take account of competent authority guidance, the National Risk Assessment, and any guidelines issued by the ESAs.
The purpose of the account/relationship must also be considered, together with the volume of assets to be deposited by the customer or the size of the intended transaction, and the frequency of transactions or duration of the business relationship.
The Act sets out, at Schedule 3, a non-exhaustive list of factors that might indicate a lower risk of ML/TF. Schedule 4 contains a non-exhaustive list of factors that might indicate a higher risk. These must also be taken into account.
The designated person is only required to document the above customer assessment where required to do so by its competent authority, however, it would be prudent for an institution to document that assessment even if not strictly required to do so.
Timing of CDD
The Act has introduced an additional timing requirement for CDD – CDD must now be carried out at any time that it is warranted by the risk of ML/TF, including where the customer’s circumstances have changed.
If the customer is acting through an agent, the designated person must now verify that the agent is authorised to so act, and apply CDD measures to that agent.
Designated persons will be allowed to carry out simplified CDD where the customer or business area presents a lower degree of risk (the threshold is whether a “reasonable person” would make that assessment). As mentioned earlier in this briefing, Schedule 3 to the Act contains a non-exhaustive list of factors that might indicate a lower risk of ML/TF. Any decision must be recorded, and there must be ongoing monitoring of the transactions and the relationship. The concept of “monitoring” is more prescriptive in the Act, covering scrutinising transactions to see if they align with the designated person’s knowledge of the customer, and ensuring that documents, data and customer information is kept up-to-date.
The obligation to carry out enhanced CDD now applies to politically-exposed persons (PEPs) resident in Ireland, as well as to PEPs outside of Ireland. Specific steps must also be taken where the PEP is a beneficiary of a life assurance policy. In making an assessment, the threshold will be that of a “reasonable person”.
A designated person will have to carry out enhanced CDD when dealing with a customer residing or established in a high-risk third country, or where a relationship or transaction presents a higher degree of risk, unless the customer is part of a designated person’s group, where the designated person is established in an EU Member State and the customer complies with group-wide policies and procedures adopted in accordance with MLD4.
A designated person will now be required to look into “complex or unusually large” transactions, or “unusual patterns of transactions” in greater detail, and increase monitoring if they appear suspicious. As mentioned above, the concept of “monitoring” is more prescriptive in the Act, covering scrutinising transactions to see if they align with the designated person’s knowledge of the customer, and ensuring that documents, data and customer information is kept up-to-date.
Life Assurance Policies
Additional requirements have been imposed regarding the identification of the beneficiaries of life assurance policies and other investment-related assurance policies.
To date, banks have been allowed to open accounts for customers before verifying their identity provided that no transactions are carried out on those accounts until verification has taken place. From now on, this right is extended to financial institutions, and to accounts that permit transactions in transferable securities.
Third Party Reliance
The circumstances in which a designated person can rely on a third party to carry out CDD have been expanded to provide that (if certain conditions are met) a designated person can also rely on a third party established in a third country if it is a branch or majority-owned subsidiary of a designated person established in the EU.
A designated person will not be required to carry out various CDD measures in respect of electronic money payment instruments if certain conditions are met.
Policies, controls and procedures
Matters to be included
The Act broadens the list of matters which must be included in a designated person’s ML/TF policies, controls and procedures, including measures to be taken to prevent emerging risks, and ongoing updates to Business Risk Assessments. Those policies, controls and procedures must be approved by senior management and must be kept under review. Any guidelines issued by the relevant competent authority must be taken into account. The relevant competent authority may require that a designated person appoint a compliance officer, designate a member of senior management as having overall responsibility for implementing and managing AML measures, and require that an independent external audit be carried out of a designated person’s ML/TF policies, controls and procedures.
Groups of companies are now required to have group-wide policies and procedures for preventing and detecting ML/TF which must be implemented by any designated person within the group.
If an Irish company is a designated person and operates a branch, majority-owned subsidiary or establishment outside the State, it must ensure that branch/subsidiary/establishment adopts and applies the group-wide policies and procedures. If that branch/subsidiary/establishment is in another EU Member State, the designated person must ensure that branch/subsidiary/establishment complies with the local laws that transpose MLD4. If the branch/subsidiary/establishment is in a third country with less strict laws that do not enable compliance with the group-wide policies and procedures, it must apply additional measures to effectively manage ML/TF risk, apply Irish ML/TF measures, and notify the competent authority. Suspicious transaction reports must be shared with the group, subject to the restrictions around tipping-off.
OTHER NOTABLE CHANGES
The conditional ban on banks entering into correspondent banking relationships with banks outside the EU has been extended to financial institutions.
The prohibition on a bank entering into a correspondent relationship with a shell bank has been extended so that it now applies to all financial institutions.
Financial Intelligence Units (FIUs)
The new Act also deals with the role of Ireland’s FIU (which is part of An Garda Síochána), in particular its powers to receive and analyse information, access the central registers of beneficial ownership of corporates and trusts, request information from competent authorities, the Revenue Commissioners, and the Minister for Employment Affairs and Social Protection, and share information with other FIUs across the EU.
Designated persons will be required to report transactions connected with high-risk third countries to the FIU and to the Revenue Commissioners.
One of the defences (disclosures within an undertaking or group) to the offence of “tipping off” has been broadened to include branches and majority-owned subsidiaries of banks and financial institutions, provided that the institutions in question were complying with group policies and procedures.
An Garda Síochána will be allowed require a designated person to keep CDD records beyond the current 5-year period if they are required for the investigation or prosecution of ML/TF. Thereafter, the designated person must delete those records.
Responding to Queries
Until now, banks and financial institutions were required to have systems in place that enabled them to respond quickly to queries from An Garda Síochána regarding business relationships within the previous 6 years. That requirement has now been extended to all designated persons, but the time period has been reduced to 5 years.
The increased penalties that can be imposed by the Central Bank in respect of AML breaches by RFSPs are as shown in Fig. 1 (see page 4).
Taking All Reasonable Steps
It will now be a defence to offences under Part 4 (Provisions relating to finance services industry, professional services providers and others) of the 2010 Act as amended by the new Act to show that the person charged with the offence took all reasonable steps to avoid committing the offence.
A note on beneficial ownership
The provisions of MLD4 dealing with the beneficial ownership of corporates were transposed into Irish law in November 2016. Irish corporates were required to put in place registers of their beneficial ownership from that date.
|Breach by designated person (individual):||Greater of:
2 x amount of benefit derived from breach
|Breach by designated person (body corporate or unincorporated body):||Greatest of:
2 x amount of benefit derived from breach
10% of turnover for last complete financial year
|Breach by person involved in management of bank or financial institution:||Greater of:
2 x amount of benefit derived from breach
|Breach by person involved in management of RSFP other than bank or financial institution:||Greater of:
2 x amount of benefit derived from breach
Further Irish regulations dealing with the central register of beneficial ownership (which will be operated by the Companies Registration Office) are expected by the end of 2018. The Fifth Money Laundering Directive (MLD5) amends the requirements regarding the timing for the central register, and access to that register. For further information on the MLD4 and MLD5 rules regarding the beneficial ownership of corporates, please read our briefings:
AML Update: New rules on information about the beneficial ownership of corporates by individuals (November 2016)
AML Update: MLD5 has been agreed (May 2018)
AML Update: MLD5 published in Official Journal; new time-frames confirmed
The provisions of MLD4 and MLD5 dealing with the beneficial ownership of trusts are also being managed separately by the Department of Finance.
Competent authorities are expected to begin to publish guidance for relevant designated persons. We expect the Central Bank to publish its guidance shortly.
In the meantime, designated persons should immediately progress the following:
- Conducting and documenting a Business Risk Assessment
- Refreshing internal polices, controls and procedures to reflect the new requirements
- Updating internal AML training manuals and materials
- Carrying out Customer Risk Assessments when new products or services are being provided (to new or existing customers)