On 2 October 2020 the Central Bank of Ireland (Central Bank) published the sixth issue of its Anti-Money Laundering Bulletin, focusing on transaction monitoring.
The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (the Act) requires a designated person to monitor customer transactions in order to identify transactions that may be suspicious in nature. The Act further specifies that the intensity of the monitoring should increase with the complexity and scale of the transactions in question so that the risk of money laundering/terrorist financing is factored into the transaction monitoring process.
The Central Bank's bulletin highlights the importance of transaction monitoring, which the Central Bank states will continue to be a key focus area in its ongoing supervision of compliance by designated persons with anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements.
The bulletin sets out the Central Bank's findings following supervisory engagements across multiple credit and financial institutions, and also sets out the Central Bank's expectations with regard to the application of transaction monitoring controls.
The Central Bank's Findings
In the course of carrying out inspections, the AML Division of the Central Bank observed certain common failings in the area of transaction monitoring, namely:
- failure to use the business risk assessment and customer risk assessments to configure appropriate transaction monitoring controls;
- insufficient testing of transaction monitoring controls, and the configuration of automated transaction monitoring controls, by second or third lines of defence;
- failure by the Board and Senior Management to take appropriate measures to address weaknesses identified with the transaction monitoring process;
- failure to document procedures for the monitoring and the investigation of potentially suspicious activity, including clear assignment of roles and responsibilities;
- inordinate time delays in reviewing and assessing unusual activity resulting in delays in filing suspicious transaction reports;
- lack of mechanism for prompt adjustment to transaction monitoring controls to reflect new risks or potential new risks (e.g. new threats from COVID-19 pandemic);
- the use of generic monitoring thresholds across varying product, service or customer types;
- the implementation of a sample based approach to transaction monitoring which limits the ability to detect unusual patterns of transactions;
- placing reliance on an automated transaction monitoring
- an adequacy assessment in relation to the firm's specific risks is not completed;
- the firm has no input into the governance or management of the solution;
- scenarios, rules and thresholds not regularly reviewed and tested; and
- the firm cannot request changes to the configurations of the controls as necessary; and
- failure to implement a robust AML/CFT control framework for the transaction monitoring process, including insufficient technological resources and failure to maintain audit trails.
Expectations of the Central Bank
Following on from its findings, the Central Bank outlines its expectations in relation to transaction monitoring. Firms are asked to note the following:
- In order for transaction monitoring controls to be effective, they must detect what suspicious activity looks like in the context of the firm's business activities and its specific customer profile(s).
- Transaction monitoring controls should be tailored to the firm's business risk assessment and to the customer risk assessment.
- An automated transaction monitoring solution is desirable and in many cases will be necessary. Any decision to use a manual process must be based upon a full assessment of the ability of the manual controls to detect suspicious transactions, including unusual patterns of transactions, and should be documented and approved by senior management.
- Firms should not place absolute reliance on automated solutions and employees need to be aware of the need to manually identify any transactional activity which may be suspicious.
- The adequacy of the controls should be subject to regular review to ensure that they continue to detect identified and emerging risks.
- There should be a mechanism for making changes to the controls to take into account altering risks and new risk indicators, such as those arising from the COVID–19 pandemic.
- When using an automated solution a full assessment as to its suitability for the risks inherent to the designated person's specific business must be completed. The designated person should be able to effect changes to the configuration of the transaction monitoring controls as necessary, and the controls should reflect the risks identified in the firm's business and customer risk assessments.
- The Central Bank expects there to be connectivity between a designated person's customer due diligence, transaction monitoring and suspicious transaction reporting processes.
If you have any queries about the information contained in this article, please contact the authors or your usual Dillon Eustace contact.
The Central Bank's bulletin can be accessed here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.