Financial institutions (including regulated entities such as credit institutions, investment firms, payment and e-money institutions, investment funds and fund managers and also 'Schedule 2' registered firms) and other 'designated persons' for the purposes of anti-money laundering ("AML") legislation are now required to implement whistleblowing procedures.

The European Union (Money Laundering and Terrorist Financing) Regulations 2019 (the "Regulations") amend the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the "2010 Act") to implement into Irish law Article 61(3) of the Fourth Money Laundering Directive (Directive 2015/849).

The Regulations became applicable on 18 November 2019 and so impacted firms should review their AML and whistleblowing arrangements immediately to ensure that these are appropriate.

Who? What? When?
Designated persons under the 2010 Act (e.g. regulated financial institutions, 'Schedule 2' firms and other in-scope persons) Procedure for employees (or comparable persons) to report breaches of the 2010 Act internally through a specific, independent and anonymous channel From 18 November 2019

The Regulations also:

  • Include provisions regarding senior managers and/or beneficial owners of auditors, external accountants, tax advisers, independent legal professionals or property service providers who have been convicted of certain offences (including under the 2010 Act); and
  • Require competent authorities to undertake risk-based AML supervision, to ensure their employees and officers have access to 'relevant information' on AML risks, to ensure supervisory functions are exercised independent of other functions, and to cooperate with competent authorities in other EU member states.

What are the whistleblowing obligations on in-scope entities?

Entities are required to implement appropriate procedures for their employees, or persons in a comparable position, to report a contravention of the 2010 Act internally through a specific, independent and anonymous channel, proportionate to the nature and size of the designated person concerned. Thus, firms should consider their business model and adopt an appropriate whistleblowing framework. While such frameworks will be bespoke to individual firms, certain factors are relevant to the analysis, including:

Whether the entity has an existing whistleblowing framework in place

  • Certain regulatory regimes (including MiFID II, CRD IV and the UCITS Directive, as implemented in Ireland) include provisions requiring relevant entities to implement whistleblowing procedures relating to breaches of the relevant regulations. The Central Bank (Supervision and Enforcement) Act 2013 (the "2013 Act") provides protections for persons making disclosures in good faith to the Central Bank of Ireland ("CBI") in relation to breaches of financial services legislation or codes made thereunder (including the 2010 Act). Protection may also be available for a disclosure made under the Criminal Justice Act 2011 (the "2011 Act").
  • The Protected Disclosures Act 2014 (the "2014 Act") provides protections for workers who report what they reasonably believe to be a 'relevant wrongdoing' which came to their attention in connection with their employment (see Walkers advisory here). While private entities are not required to have a whistleblowing policy under this legislation, many entities have thought it prudent to implement policies in line with the guidance contained in the Code of Practice on Protected Disclosures Act 2014 ("Code of Practice").
  • Ireland is required to transpose the Directive of the European Parliament and of the Council on the protection of persons who report breaches of Union law (the "Whistleblowing Directive") within the next two years. The Whistleblowing Directive makes it mandatory for companies with over 50 employees to establish internal channels and procedures for reporting and following-up on reports of breaches of EU law. This requirement will apply to entities of any size falling under EU law, including relating to financial services and the prevention of money-laundering and terrorist financing. Precisely how and when Ireland will amend the 2014 Act to give effect to the Whistleblowing Directive remains to be seen, but even private entities who already follow the Code of Practice will be required to implement more onerous protected disclosure procedures when the Whistleblowing Directive is transposed into Irish law.

It should be possible for firms to leverage existing whistleblowing frameworks in complying with the Regulations, provided that reports regarding AML contraventions are appropriately escalated.

Whether the entity is subject to mandatory reporting obligations

Once information has been received, entities will need to take appropriate next steps. This will include investigating the issue and considering any relevant mandatory reporting obligations for the entity, where required. For example, entities might consider:

  • The Central Bank (Supervision and Enforcement) Act 2013 (Section 48(1)) (Investment Firms) Regulations 2017, which place broad CBI notification requirements on investment firms, including for any breach of financial services legislation.
  • The 2011 Act, which can require reporting to the Garda Síochána, in relation to a relevant offence (which includes offences under the 2010 Act) under certain circumstances.
  • If the entity is a regulated financial service provider, its financial services authorisation or licence may contain firm-specific reporting obligations.
  • The CBI's Administrative Sanctions Procedure Sanctions Guidance (November 2019), which makes clear that an important sanctioning factor will be the conduct of a regulated entity after a contravention including "how quickly, effectively and completely the regulated entity brought the contravention to the attention of the Central Bank or any other relevant regulatory authority".

Individuals within regulated financial service providers may be under an obligation to report breaches of financial services legislation directly. The 2013 Act obliges all pre-approval control function holders to disclose to the CBI any information relating to any breaches of financial services legislation that they believe will be of material assistance to the CBI, unless they have a reasonable excuse not to do so.

Integrated whistleblowing and mandatory reporting procedures will help firms to ensure that all information received by senior management via whistleblowing procedures is acted on appropriately. Staff training will be important to ensure employees and others are aware of their and the firm's obligations, as well as the reporting mechanisms available.

What steps should in-scope entities take?

At a minimum, we would expect the following steps to be prudent following the commencement of the Regulations:

  • Review any existing whistleblowing framework and consider in light of the additional obligations imposed by the Regulations;
  • Review AML policies and procedures to ensure that the additional obligations imposed by the Regulations are incorporated; and
  • Ensure that all relevant staff are fully informed of and trained in how to implement and manage the additional whistleblowing obligations and that, along with the board, they receive training on the firm's AML obligations.

Walkers can assist affected firms with the incorporation of these AML whistleblowing obligations into their compliance frameworks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.