The Fourth EU Money Laundering Directive ("4MLD") was finally transposed into Irish law with the enactment on 14 November 2018 of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the "Act").
The Act, which was commenced on 26 November 2018, amends the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 to incorporate the requirements of 4MLD into the existing legislative framework. The amendments which are of key relevance to funds (and their administrators) include the introduction of requirements around business risk assessments, customer due diligence and transaction monitoring.
Conducting Business Risk Assessments
The Act requires a designated person ("DP") to conduct a business risk assessment to identify and assess the risks of money laundering and terrorist financing ("ML/TF"). This assessment must be conducted having regard to the European Supervisory Authorities' Risk Factor Guidelines on Anti-Money Laundering and Countering the Financing of Terrorism (the "ESA Guidelines") which applied from June 2018, any Central Bank guidelines and the National Risk Assessment ("NRA"). We understand that the Central Bank will be introducing guidelines to complement the Act and intends to consult with industry on these guidelines before the end of 2018.
The following minimum prescribed risk factors must be considered when conducting a business risk assessment:
- investor type;
- delivery channel; and
- transaction type.
Any other (non-prescribed) risk factors that are particular to the business/product must also be taken into account.
The risk assessment must be:
- kept up-to-date in line with business developments within the fund and any changes in risk categories;
- approved by senior management, i.e. the fund board; and
- adequately documented with appropriate records being maintained for provision on request to the Central Bank.
A key impact of this provision is the requirement to apply the business risk assessment when determining the extent of customer due diligence measures to be undertaken.
Customer Due Diligence ("CDD")
In addition to CDD being carried out prior to the establishment of a business relationship/conducting a transaction for a customer, CDD must be carried out at any time where the risk of ML/TF warrants it. This includes situations where the relevant circumstances of a customer have changed.
Under the previous anti-money laundering regime there were some exemptions for specified customers and specified products from the CDD requirements which meant that simplified, rather than standard, CDD measures could be applied. These exemptions are no longer available and simplified CDD measures can now only be applied where a business risk assessment has been carried out and it has been found that the relationship/transaction falls into a lower risk category. Any decision to apply simplified CDD measures must be made on the basis of the business risk assessment and other risk variables, including at a minimum the:
- purpose of the account/relationship;
- level of assets/size of transaction; and
- high/low risk factors prescribed in the legislation.
Lower risk factors include:
- the customer is a plc and subject to disclosure requirements;
- the customer is EU resident, or resident in a third country deemed to have effective anti-money laundering and countering the financing of terrorism (AML/CFT) systems.
Higher risk factors include:
- non-face-to-face business relationships/transactions;
- non-resident customer and/or resident in a high-risk jurisdiction.
Any decision to apply simplified CDD measures must be sufficiently documented.
Enhanced CDD must be applied where the business relationship/transaction presents a higher degree of risk of ML/TF, such as in the case of Politically Exposed Persons (PEPs). The Act extends the enhanced CDD requirements to Irish resident PEPs. Enhanced CDD is therefore required on Irish PEPs and senior management approval will be required before establishing or continuing the relationship with the Irish PEPs.
There must also be sufficient monitoring of business relationships/ transactions to detect suspicious transactions.
The Act requires a DP to monitor any business relationship it has with a customer (to the extent warranted by the risk of ML/TF) and also introduces a definition of "monitoring". Therefore, in the context of the business relationship between a DP and its customer, "monitoring" means that the DP must on an ongoing basis scrutinise transactions and the source of wealth/funds for those transactions to determine whether the transactions are consistent with the DP's knowledge of the:
- customer's business/pattern of transactions; and
- customer's risk profile as determined by the business risk assessment.
Monitoring also means ensuring that the documents, data and information on customers are kept up-to-date in accordance with the DP's policies and procedures.
The Act also provides that a DP must, in accordance with its policies and procedures, examine the background and purpose of all complex or unusually large transactions and all unusual patterns of transactions, which have no apparent economic or lawful purpose; and the DP should increase the degree and nature of monitoring to determine whether these transactions appear suspicious. Failure to do so is an offence.
The area of suspicious transaction reports (STRs) has been identified by the Central Bank as one of its key AML/CFT priorities for 2019 and has advised firms that it would like to see further importance placed on recognising the need to file STRs promptly with both the Gardaí (the relevant Financial Intelligence Unit for Ireland) and the Irish Revenue Commissioners.
The requirements introduced by the Act enhance the existing risk-based approach to AML/CFT. As such, the new requirements do not represent a fundamental shift from the existing framework and the Central Bank has stated that it therefore expects firms to reflect the changes in their risk management frameworks and bring their risk assessments and policies and procedures in line with these requirements. Therefore, funds and/or their management companies should:
- review their AML/CFT policy to ensure it meets the requirements of the Act;
- ensure they are conducting business risk assessments, having regard to the ESA Guidelines, together with other guidance, including the NRA for Ireland;
- appropriately document any decision to use simplified CDD;
- ensure processes are in place to monitor business relationships;
- determine how their administrators are complying with the requirements; and
- update their policies and procedures to ensure alignment with the requirements.
For more information on the key changes introduced by the Act for other regulated financial service providers and other designated persons operating in the financial services sector, read the briefing by our Financial Regulation Group here.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.