On 11 July 2022, the Central Bank issued a bulletin to virtual asset service providers (VASPs) outlining its regulatory expectations and setting out recurring weaknesses in, VASP registrations.
As is the case for all regulated entities, the Central Bank
expects that VASPs have the necessary risk culture
and appropriate risk and control frameworks to minimize the risk of
criminals using their products or services to launder money or
finance terrorism.
When assessing a VASP registration application, the Central Bank
must be satisfied that the applicant's AML/CFT policies and
procedures are robust enough to effectively combat money laundering
and terrorist financing risks associated with its business
model.
Please see our briefing here for further information on the VASP
registration process and obligations under the Anti-Money
Laundering and Countering the Financing of Terrorism (AML/CTF)
frameworks.
Applications Phase
Expectation - The Central Bank expects
applicant firms to consider its guidance documents and reminds them
of the option to attend a pre-application meeting.
Weakness - In certain instances, firms did not
fulfil requirements for information and documentation. For example,
policies were submitted without accompanying procedures, or an
internal risk register was submitted in place of a documented risk
assessment.
Assessment Phase
1) Risk Assessment
Expectation – The firm's AML/CFT risk
assessment must focus on specific risks arising from a firm's
business model and drive that firm's AML/CFT control framework.
Robust controls must be implemented to mitigate and manage the
identified risks.
Weakness – AML/CFT risks specific to the
firm, and the firm's activities and consumers were not assessed
or documented. There was a failure by firms to demonstrate how
residual risk ratings were determined for each risk factor.
Information in National Risk Assessment or CBI guidance was not
considered (e.g. guidance on inherent risk factors such as Nature,
Scale, Complexity, Geographical Risk, Products and Services risk)
when documenting the firm's risk assessment.
2) Policies and Procedures
Expectation – The firm should maintain a
documented suite of AML/CFT policies and procedures, which are
supplemented by guidance and accurately reflect operational
practices. The policies and procedures should also demonstrate
consideration of and compliance with Irish legal and regulatory
requirements.
Weakness – Some policies and procedures
submitted referred to legislative frameworks in other
jurisdictions. In many instances, while policies were submitted,
the procedures that detail how the firm implemented the policies
were not provided.
3) Customer Due Diligence
Expectation – Firms should know their
customers, persons purporting to act on behalf of customers and
beneficial owners. Firms must also have enhanced due diligence
procedures for dealing with politically exposed persons
(PEPs).
Weakness - Insufficient information on the purpose
and intended nature of the business relationship with a customer
before establishing the relationship together with a failure to
document screening processes for PEP's and PEP approval
processes within the firm.
4) Financial Sanctions
Expectation – The Central bank expects
firms to have an effective screening system appropriate to the
nature, size and risk of their business. Firms must follow clear
escalation procedures in the event of a positive match.
Weakness – Failure to document a process to
screen for financial sanctions and steps to be taken in the event
of a financial sanctions hit.
5) Outsourcing
Expectation – Where an Irish registered
VASP outsources its AML/CFT functions, a documented agreement must
clearly define the outsourcing service provider's obligations.
The VASP should also maintain evidence of sufficient oversight. For
more information on Central Bank outsourcing guidance, please see
our briefing here.
Weakness – Several applicant firms did not
submit their policies on outsourcing or service level agreements or
demonstrate sufficient oversight of the outsourced activities or
provide evidence of assurance testing.
6) PCFs
Expectation – Individual Questionnaires
(IQs) for each proposed Pre-Approval Controlled Function (PCF) role
holder to be submitted as soon as practical.
Weakness – A failure to or delay in
submitting IQs for each PCF role holder.
7) Presence in Ireland
Expectation – The Central Bank expects at least one senior management employee to be located physically in Ireland.
Comment
While the observations of the Central Bank are focused primarily on VASPs, the expectations outlined together with the weaknesses observed are equally applicable to all firms seeking authorisation as a regulated entity and where such firms are obliged to have in place, an effective anti-money laundering and terrorist financing regime.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.