Having recently conducted a number of anti-money laundering, counter financing of terrorism and financial sanctions (“AML/CFT/FS”) supervisory engagements with Funds and Fund Management Companies (“Firms”), the Central Bank of Ireland (“CBI”) has published a bulletin (the “Bulletin”) which details its findings and expectations across the following key areas:

  1. Corporate Governance;
  2. AML/CFT/FS Business Risk Assessment;
  3. Outsourced AML/CFT/FS Activities; and
  4. Customer Due Diligence.

While the Bulletin focusses on issues in the Funds sector, the CBI has clarified that it expects all firms, irrespective of their sector, to critically assess their AML/CFT/FS frameworks against the CBI expectations as set out in the Bulletin. The CBI has indicated that it will continue to conduct supervisory engagements with Firms and expects Firms to be in a position to demonstrate that they have reviewed the findings and expectations detailed in the Bulletin against their AML/CFT/FS frameworks and have taken steps to remediate any identified gaps/weaknesses.

We have included a summary below of the key CBI findings for each area together with details of the key CBI expectations. We have also set out some suggested next steps for Firms in order to address the CBI's expectations.

A. Corporate Governance

Key Findings

The CBI identified a lack of oversight by Firms of their AML/CFT/FS framework including:

  1. A failure to accurately reflect the consideration of AML/CFT/FS matters at a board level in the minutes of the meetings of the board of directors (the “Board”);
  2. A failure to demonstrate that Firms were actively ensuring that management information was being provided on a regular basis to enable informed decision-making in relation to the AML/CFT/FS framework;
  3. A failure to demonstrate that appropriate action was taken to address identified deficiencies in the AML/CFT/FS framework in a timely manner;
  4. A failure to demonstrate that the Compliance Officer presented an annual Compliance Officer report to the Board; and
  5. A failure to demonstrate that a comprehensive assurance testing programme was in place, to ensure effective and independent testing of the AML/CFT/FS framework.

Key CBI Expectations

The CBI expects Firms to ensure that the AML/CFT/FS framework is appropriately governed and operating effectively by addressing the following:

  1. The Board should evidence effective governance and oversight of the Firm's AML/CFT/FS framework;
  2. Where warranted by the nature, scale and complexity of a Firm's activities, Firms should appoint a member of senior management with primary responsibility for implementing, managing and overseeing the AML/CFT/FS framework;
  3. Where warranted by the nature, scale and complexity of a firm's activities, Firms should appoint an individual at management level (the “Compliance Officer”) to monitor and manage compliance with, and the internal communication of, the Firm's internal AML/CFT/FS policies;
  4. Firms must implement an assurance testing framework to assess the effectiveness of their AML/CFT/FS control framework;
  5. The Board and, where appropriate, the member of senior management, should have sufficient oversight so as to ensure timely resolution of AML/CFT/FS issues and matters requiring remediation; and
  6. AML/CFT/FS matters are subject to robust discussion and challenge at an appropriately senior level and that those discussions are accurately recorded in minutes of Board meetings and/or committee meeting minutes.

B. AML/CFT/FS Business Risk Assessments

The CBI identified deficits in both the design and implementation of AML/CFT/FS Business Risk Assessments (“BRA”).

Key Findings

  1. Failure to implement a BRA and / or failure to document the methodology employed for the BRA;
  2. . Failure to accurately reflect the inherent money laundering and terrorist financing (“ML/TF”) risks associated with the sector, such as the impact of distributor arrangements and the use of outsourcing arrangements;
  3. Failure to demonstrate that processes were in place to measure the effectiveness of the AML/CFT/FS controls implemented to mitigate the inherent risks identified; and
  4. Failure to demonstrate that TF had been considered as part of the BRA.

Key CBI Expectations

  1. Firms should document the methodology employed for the BRA and prepare a BRA which includes an assessment of the inherent ML/TF/ FS risk, an assessment of the effectiveness of the AML/CFT/FS control framework and details of the overall residual risk;
  2. The BRA should include an assessment of the known ML/TF/FS risks that have been identified as presenting heightened risk for the sector, including distribution risk and outsourcing risk;
  3. Firms must demonstrate that they have implemented an AML/CFT/FS framework, to mitigate the risk of ML/TF/FS;
  4. The BRA should be subject to regular review and approval by a member of senior management and the Board should review and approve the BRA on an annual basis, at a minimum;
  5. The BRA should include an assessment of FS exposure and TF risk; and
  6. The BRA should encompass review and consideration of Irish, European and International guidance in relation to ML/TF/FS risk (for example, Risk Factor Guidelines issued by the European Supervisory Authorities).

C. Outsourcing

The CBI notes that while Firms have flexibility to outsource AML/CFT/FS activities to third parties, they retain ultimate responsibility for ensuring full compliance with the Firm's legal AML/CFT/FS obligations.

Key Findings

  1. Failure to demonstrate that appropriate arrangements were in place (for examples, SLAs), to govern the outsourced AML/CFT/FS activities and a failure to subject outsourcing arrangements to regular review and assessment at a senior level;
  2. Lack of available management information and key performance indicators (“KPIs”) in relation to the AML/CFT/FS activities and processes undertaken by outsourced service providers (“OSPs”);
  3. Of particular concern was OSPs not being subject to regular and comprehensive due diligence reviews that include a review and sample testing of the OSP's procedures and processes and insufficient oversight of technological solutions utilised by OSPs for the purpose of activities such as PEP and FS screening and transaction monitoring.

Key CBI Expectations

  1. Formalised and comprehensive outsourcing arrangements should be in place to govern outsourced AML/CFT/FS activities with third parties which clearly outline the respective parties' responsibilities and deliverables under those arrangements and should be subject to regular review;
  2. Firms are to ensure that they have appropriate processes in place to effectively monitor AML/CFT/FS activities undertaken by OSPs such as robust assurance testing, KPIs and monitoring the effectiveness of technological solutions used by OSPs; and
  3. Where a Firm is relying on an OSP's AML/CFT/FS policies and procedures to perform AML/CFT/FS activities on its behalf, the Firm should test such activities to ensure the effectiveness and the application of the OSP's AML/CFT/FS policies and procedures and should ensure the activities are being performed to a level commensurate with the level of ML/TF risk as identified in the Firm's BRA.

D. Customer Due Diligence (“CDD”)

The CBI identified particular concerns regarding compliance with Section 33(6) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended (“CJA 2010”) which requires that all CDD is in place prior to processing transactions, including initial subscriptions.

Key Findings

  1. Failure to implement effective CDD control frameworks, to ensure customers are fully identified and verified (where applicable) prior to processing transactions;
  2. Failure to have adequate processes in place to review OSP CDD procedures, where customer CDD activities were outsourced to an OSP to ensure that CDD being carried out by the OSP adhered to the CJA 2010;
  3. CDD policies and procedures lacked details such as the timeframe in which CDD must be completed by the OSP and the Firm's approach to meet the requirements of Section 33(6).

Key CBI Expectations

  1. Firms and OSPs should implement policies and procedures, which explicitly document the Firm's approach to identification and verification of customers and should be reviewed, updated and approved to reflect legislative and regulatory guidance;
  2. Firms should implement controls, to ensure that transactions cannot occur until all CDD documentation and information is in place to meet the requirements of Section 33(6) of the CJA 2010;
  3. Firms should ensure there is sufficient oversight of the CDD activities, undertaken by OSPs on their behalf.

Next Steps

  1. The Bulletin should be brought to the attention of the Board by summarising the key issues in the Bulletin and detailing the next steps in the critical assessment of the firm's AML/CFT/FS framework against the Bulletin;
  2. A gap analysis should be conducted to assess each of the issues raised in the Bulletin against the firm's AML/CFT/FS framework;
  3. In the event that the gap analysis highlights any weaknesses in the firm's AML/CFT/FS framework, a time-bound remediation plan should be designed and implemented to address such weaknesses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.