The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the "Act") transposes the majority[1] of the Fourth Money Laundering Directive (EU) 2015/849 ("4MLD") into Irish law.
The Act came into force on 26 November 2018. It updates the current Irish framework of legislation for the prevention of the use of the financial system for the purpose of money laundering or terrorist financing ("ML/TF"). Irish anti-money laundering ("AML") and counter terrorist financing ("CTF") legislation is now contained in the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2018 (the "CJAs").
This update summarises the key changes under the Act and how it affects Irish authorised investment funds (both UCITS and AIFs, irrespective of their legal form).
The main theme of 4MLD is the concept of the risk-based approach.
Business Risk Assessment
"Designated Persons"[2] are required to perform a business risk assessment to identify and assess the risks of ML/TF involved in carrying out their business activities. This must consider factors including: (i) type of customer; (ii) type of product; (iii) geographical risk; (iv) type of transaction; (v) delivery channel; and (vi) other risks.
When carrying out the business risk assessment, each Designated Person must pay due regard to the National Risk Assessment, any guidance on risk issued by the relevant competent authority (i.e. the Central Bank of Ireland (the "Central Bank")) and any guidelines issued by the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority (together the European Supervisory Authorities ("ESAs")) in accordance with 4MLD.
The business risk assessment must be documented, kept up-to-date and approved by the Designated Person's senior management.
While this is new, there was formerly a requirement (in section 54) for Designated Persons to have policies and procedures on the assessment and management of ML/TF risks and relevant Irish AML guidance provided additional detail on the risk assessment framework. Therefore, many funds will already have a documented risk assessment within their AML policy and procedures.
Policies and Procedures
The Act prescribes a detailed list of elements to be covered in a Designated Person's internal policies, controls and procedures, including the following new elements:
- How the firm identifies, assesses, mitigates and manages the risks of ML/TF;
- Its customer due diligence ("CDD") measures;
- Procedures to monitor transactions and relationships;
- Suspicious transactions reporting;
- Record keeping;
- Document retention;
- Systems and controls to identify emerging risks; and
- Ongoing compliance controls in support of the policies, controls and procedures.
The policies, controls and procedures adopted must be approved by the Designated Person's senior management and kept up-to-date.
Firms that operate branches or subsidiaries, or are otherwise established elsewhere, must ensure that each such branch, subsidiary or establishment adopts its AML/CTF policies and procedures on a group-wide basis.
Risk based approach to CDD
A range of changes have been made to how Designated Persons should establish and verify the identity of their customers (i.e. perform CDD), mandating a greater focus on the assessment of risk of ML/TF:
- Designated Persons must identify and assess the risks of ML/TF when carrying out CDD. This must include having regard to the business risk assessment and any relevant "risk variables" as prescribed in the Act.
- Designated Persons, as well as carrying out CDD on the customer and any connected beneficial owner, must now also carry out CDD on the person representing the customer.
- Under the former framework, there were exemptions in place and simplified due diligence could be applied automatically to "specified customers", for example, financial institutions, listed companies and public bodies. Under section 34A, these exemptions have fallen away and a risk assessment will need to be performed on each investor to determine their risk rating and level of CDD to be applied.
- Subject to certain exceptions, enhanced CDD is to be applied to customers in high-risk third countries and where relationships/transactions present a higher degree of risk of ML/TF.
- Section 33(6) is a facilitative provision (extending beyond bank accounts under the former regime) whereby Designated Persons can open "an account that permits transactions in transferable securities" before carrying out CDD, provided CDD is completed before transactions in that account are carried out.
Designated Persons must monitor business relationships to the extent reasonably warranted by the risk of ML/TF. Such monitoring activity shall include scrutinising transactions and the source of wealth and source of funds to determine if they are consistent with the customer, their business patterns and risk profile.
Designated Persons must undertake (i.e. re-do) CDD at any time where customers' circumstances have changed, where the risk of ML/TF warrants it.
Designated Persons are also required to examine the background and purpose for (i) all complex or unusually large transactions; and (ii) all unusual patterns of transactions which have no apparent economic or lawful purpose, in order to determine whether they appear suspicious.
Politically Exposed Persons
The Act has extended the definition of a politically exposed person or PEP to include domestic PEPs. Previously the requirement to apply enhanced CDD measures only applied to PEPs residing outside Ireland.
Third Country Equivalency and Reliance
The former "whitelist" of third country jurisdictions deemed to have equivalent AML/CTF systems has fallen away. Instead, third country jurisdictions which have deficiencies in their national AML/CTF regimes that pose significant threats to the EU's financial system (high-risk third countries) have been identified in Commission Delegated Regulation (EU) 2016/1675. All investors and beneficial owners from these jurisdictions are now subject to enhanced CDD.
The Act has expanded the scope for Designated Persons to rely on third parties to carry out CDD on their behalf to those located outside EU Member States. Such third parties must be a branch or majority-owned subsidiary of a Designated Person based in the EU and must comply with group-wide policies and procedures.
Central Bank and ESA Guidance
The Central Bank has indicated that it will shortly be issuing new AML guidelines supplementing the CJAs. The guidelines will be issued initially in draft form, as part of a consultation process before year end.
The guidelines will replace the Department of Finance 2012 "Core Guidelines".
The ESAs published their AML/CTF Guidelines on 26 June 2017, which promote a common understanding of the risk based approach and how it should be applied.
The Fifth Money Laundering Directive (EU) 2018/843 ("5MLD"), which amends 4MLD, came into force on 9 July 2018. EU Member States have to transpose it into national law by 10 January 2020. The changes include improving cooperation between EU financial intelligence units and widening the access rights to the central beneficial ownership registers of companies (including other legal entities) and trusts. When transposing 5MLD, Member States have the option of imposing restrictions on access in cases where there is a risk of fraud, violence or intimidation.
How Maples can help
Maples are assisting clients in considering measures that investment firms, UCITS and AIFs should take to ensure compliance with the Act.
In most cases, this will include:
- Conducting a gap analysis and a review of existing written AML/CTF policies including any existing documented risk assessment;
- A review of internal controls and the AML/CTF procedures framework; and
- Engaging with administrators on funds' behalf to ensure that policies and operational processes at delegate level are being enhanced where required to comply with the new requirements.
Should you have any questions or would like to discuss the above, please contact your usual Maples and Calder contact.
[1] The Act does not transpose Article 30 of 4MLD on beneficial ownership requirements. The European Union (Anti-Money Laundering; Beneficial Ownership of Corporate Entities) Regulations 2016 have, since 15 November 2016, required companies and other legal entities incorporated in Ireland to have an internal beneficial ownership register. 4MLD also requires the establishment of a central register of beneficial ownership; this has not yet been implemented in Ireland.
[2] This collective term in the CJAs identifies entities that are subject to the CJAs. This includes "Collective Investment Undertakings" which in turn, under the Act, now includes specifically: (i) UCITS; (ii) AIFs; (iii) UCITS management companies; and (iv) AIFMs.