On 19 July, the Central Bank of Ireland (CBI) registered Gemini Digital Asset Limited as a Virtual Asset Service Provider (VASP) for anti-money laundering and countering the financing of terrorism (AML) purposes, the first such registration since VASPs were brought within the scope of Irish AML legislation in April 2021.
This milestone for the industry in Ireland follows the publication by the CBI on 11 July of an AML bulletin aimed at assisting firms applying for registration and identifying common weaknesses in applications submitted to date (the Bulletin).
Since 23 April 2021, VASPs have been required to comply with a range of obligations under Irish AML legislation, including the requirement to register with the CBI for AML purposes.
For a registration to be successful the CBI, in making their assessment, must be satisfied that:
- the firm's AML policies and procedures are effective in combatting the money laundering and terrorist financing risks associated with its business model; and
- the firm's management and beneficial owners are fit and proper.
The Bulletin outlines the CBI's observations following its assessment of applications for VASP registrations and sets out a number of recurring weaknesses identified where the CBI has stated it was not satisfied with the level of information and documentation provided by applicant firms.
Set out below is a summary of the CBI's key observations.
The CBI stated that it has received several incomplete applications which could not progress to the assessment phase. Common errors included firms providing AML/CFT policies but not procedural documents and firms submitting internal risk registers instead of a documented risk assessment.
The CBI noted that the majority of firms that provided incomplete applications did not avail of the pre-application meeting.
AML Risk Assessment
The CBI expects that an applicant firm, in conducting their AML risk assessment, will focus on the specific money laundering and terrorist financing risks arising from the firm's business model. This assessment should drive the firms AML control framework to ensure controls are in place to mitigate and manage the specific risks identified.
Firms are expected to document how they had determined the inherent risk and, following consideration of the firm's control environment, the residual risk rating for each of the risk factors set out in the legislation. Firms are also expected to consider the National Risk Assessment and the CBI's AML guidance.
Policies and Procedures
The CBI expects firms to maintain a detailed and documented set of policies and procedures reflecting operational practices and demonstrating consideration of all legal and regulatory requirements applicable in Ireland. The CBI found many policies and procedures referred to legislative frameworks in jurisdictions where parent/group entities were situated.
Detailed policies and procedures relating to customer due diligence, transaction monitoring, suspicious transaction reporting, financial sanctions, record keeping, training and assurance testing are required.
Customer Due Diligence
The Bulletin highlights several issues in relation to customer due diligence (CDD) including a failure to demonstrate compliance with the obligation to obtain information on the purpose and intended nature of the business relationship with a customer and a failure to show how screening for politically exposed persons (PEPs) is conducted and how PEP customers are managed. A lack of policies and procedures with regard to the refresh of CDD documentation was also noted.
Financial Sanctions Screening
The CBI expects firms to have effective financial sanctions screening systems in place, appropriate to the nature, size and risk of their business. Firms should also have clear procedures in place in the event of a positive match or ‘hit'.
The CBI observed that several firms failed to document the frequency or method of their screening and the steps that they would take in case of a financial sanctions hit.
Firms are permitted to outsource AML functions but remain ultimately responsible for compliance with their AML obligations. Firms are expected to have a documented agreement in place that clearly defines obligations of the outsource service provider as well as displaying sufficient oversight on the outsourced activity.
The CBI observed that several firms did not include their outsourcing policies or submit service level agreements with their applications and a number of firms failed to demonstrate sufficient oversight of their outsourced activities or failed to provide evidence of appropriate assurance testing of the outsourced activities.
Substance in Ireland
The CBI expects firms to have sufficient substance in Ireland before being authorised or registered in Ireland. VASPs are expected to employ at least one employee in a senior management role located physically in Ireland, who will act as the contact person for engagement with the CBI.
An application may also be refused where the firm is organised in such a manner that it is not capable of being regulated to the satisfaction of the CBI.
Applicants for VASP registrations should carefully consider the information contained in the Bulletin. It is recommended that applicant firms conduct a robust money laundering and terrorist financing risk assessment as a starting point. The firm's internal controls, policies and procedures should reflect the results of that risk assessment.
Applicants should then avail of the pre-application meeting with the CBI. This allows the CBI to gain an understanding of the firm's business model and provides an opportunity for the CBI to address any concerns at an early stage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.