In 2017, the Money Laundering Regulations were updated and shortly afterwards OPBAS came into existence. OPBAS was set up to regulate the bodies that supervise the UK’s AML system, with the result that the ICAEW, IPA, etc. now have a regulator looking specifically at how they review and enforce AML requirements. When the 2017 Regulations (The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017) were first enacted, and before OPBAS started to have an impact, Bill gave presentations at a number of training events and highlighted the main changes under the new Regulations. We also produced new AML case-based risk assessments for corporate and personal insolvencies and drafted a skeleton Whole Firm Risk Assessment (WFRA) that clients could use to produce their own WFRA, based on threats relevant to their business. Subsequent changes to the Regulations in early 2020 (Money Laundering and Terrorist Financing (Amendment) Regulations 2019) and the draft insolvency appendix to the CCAB AML Guidance made further changes to the required approach in insolvency appointments and may, with the benefit of hindsight, mark the time when the regulatory approach started to harden.
While some firms reacted well to the new requirements in 2017, carrying out and recording the WFRA, starting to build a Policies and Procedures Manual (PPM), etc., others were slow and even last year we were still receiving requests for help from some IPs who did not have a WFRA to produce to their regulator on a visit. Until late last year, we had not seen a lot of regulatory action in response to any deficiencies found on visits, but we tend to find out about such action after the clients have been visited, so changes may have been taking place earlier. Where matters were highlighted in earlier visits, they tended to note that a requirement needed to be addressed, but we did not see threats of regulatory action, and any criticism tended to take a broad-brush approach. Toward the end of last year, however, and early this year, we have seen a significant hardening in the approach and much more detail in both the criticism raised and the action required. It appears to us that the honeymoon period for compliance with the Money Laundering Regulations is now well and truly over. The regulators appear to be keen to show OPBAS that they are reviewing the requirements in detail, and also that they are prepared to take firm enforcement action.
Obviously, it would be inappropriate for us to comment on specific clients or reports, but a recent “Dear CEO” letter from the Irish Central Bank to non-bank entities caught in their AML regulation bears a strong resemblance to the sort of issues that we have seen the insolvency regulators picking up in their recent reviews. We have decided to use the points in the Irish letter to illustrate what you should be doing, and we have given examples at the end of each section to explain the potential regulatory action if you fail to comply with them. At the end of the article, we discuss possible action and suggest ways that we might be able to help, but first we have to explain the problem, in detail.
The Dear CEO letter sets out, “the key findings identified by the Central Bank in the course of supervisory engagements … and outlines the Central Bank’s expectations in relation to those findings …”. We have adapted their headings and content to fit a range of IP firms, rather than just the firms that the Central Bank of Ireland was talking to, and we have paraphrased the findings somewhat, but the main message of the points has been retained. We even used a bit of creative licence in places to adapt points that quoted Irish legislation to our Regulations.
Board/Management oversight and governance
- AML was not a regular feature of board/management meetings and records. AML only seemed to be mentioned when a regulatory visit was planned or regulatory correspondence was received.
- Companies “failed to provide any detailed reporting to their Boards in order to allow robust challenge and discussion on AML”.
- Companies failed to comply with the legislation in a timely manner. Firms could not show that they knew when the requirements started to apply and when they changed.
- When outsourcing tasks, such as online due diligence, companies could not show that they knew enough about those sources, how they gathered data, how they operated, etc.
- Some companies had not appointed nominated officers (MLROs) or responsible officers (board level oversight of the AML function) and many of those recorded as nominated officers or responsible officers could not show that they had the extra knowledge of their role and responsibilities that the legislation requires.
You have to keep records to show that you are considering AML at a strategic level. The identity and reporting lines of the appointed nominated officer and/or responsible officer should be set out in writing and they should be specifically trained. If they are, they will know that they have to keep detailed records of their ongoing risk assessment and monitoring of the firm’s AML systems, with regular reports to the Board and evidence of discussions aimed at constant improvement. The bank’s letter says “Firms must have a framework in place for monitoring and identifying updates to legislation that are applicable to the firm and must have a process in place to ensure timely updates to their AML framework to ensure compliance with these updates”. If you employ external resources, you have to be able to demonstrate knowledge and control appropriate to the task. If they are an online due diligence agency, you need to ask them about their sources and methods. We are sure that the major providers will either have FAQs on their website covering this off, or will have a stock response to call on if you contact them. If they are advisors drafting documents and systems, you should have clear lines of authority and evidence of reports to make sure that the work is sufficiently specific to your firm’s circumstances, with an opportunity for the management to require changes and discuss any findings.
Risk Assessment
- Some firms did not have a Whole Firm Risk Assessment (WFRA). Many of those that did could not provide any evidence of when it was created, any ongoing review, any resultant changes, etc.
- Some firms could not show that they had undertaken specific risk assessments for each client or transaction and if they had, they could not show that they were done on first contact or at least before the establishment of a business relationship.
- Some firms used firm-wide or even external risk levels, without showing that they were relevant to the firm, its clients, or transactions.
You should have designed a WFRA in 2017. You should be able to show when it was first drafted, what changes you have made, why those changes were made, with evidence of both board/management approval of the changes and staff training and other measures to communicate the changes to employees and sub-contractors as appropriate. You should be able to show that you have conducted case-based risk assessments on first contact. If documents and processes have changed, you should have records of the changes, why they were made, and how they were approved and communicated within the firm. You have to complete your case-based risk assessments and related due diligence on first contact and keep evidence that you have done so. If you use external checks, you have to find out how they arrive at their scores and check that they are suitable in the context of your WFRA.
Policies and Procedures
- Some firms did not have evidence of their policies and procedures.
- Some firms relied on external policies and procedures but could not show how they were relevant to their WFRA.
- Some firms had a policies and procedures manual, but it was based on an external standard and not sufficiently tailored to fit their WFRA.
Customer Due Diligence
- The deficiencies found tended to be case-specific.
- Some firms applied an exception without justifying it.
If you consider that anything other than high risk and enhanced due diligence is appropriate in the circumstances of the case, you should have a detailed justification on the case file.
PEP and Sanctions checks
- These tended to be brief, with little evidence of how staff should react in the case of a positive finding.
- Firms often relied on external checks, without finding out what data sources the external provider relied on for their checks.
You should have clear policies around the approach that should be taken if a PEP is identified on a case, or if anyone related to the case appears on a sanctions list. If you intend to rely on searches conducted by an external agency, as mentioned above, you should ask them about their sources and methods.
SAR submissions
- Firms’ policies tended to be brief and high-level, lacking detailed instruction for staff and others on the importance of SARs and how to complete them.
- Some firms did not say who their nominated and/or responsible officers were in their policy and procedures, so staff did not know who to contact if they had a reportable matter.
- There was insufficient evidence of the Board/senior management considering SAR statistics.
Training
- This is worth quoting verbatim from the letter, “Training materials were not tailored to the activities of the firm. In most instances, training was outsourced to a third party provider and a generic training course was provided to staff. This did not include any reference to the risks associated with the firm itself or include any specifics relating to the firm, such as what might be considered a red flag in the context of customer transactions or what staff should do in the event of identifying a potentially suspicious transaction.”
- In some instances, the same training was given to directors and staff in customer-facing roles, and nominated/responsible officers, without recognising the significance of their role in the process.
- Training materials were not always up to date with relevant legislation and regulatory guidance.
Commentary and Conclusion
The Dear CEO letter is almost identical to the sort of issues that we have seen the insolvency regulators raising in England, Wales and Northern Ireland. The comments we have put in each section tell you what you have to do. We quite understand if you react in horror at the amount of additional work you will have to carry out and the cost you will incur.
Unfortunately, that is the inevitable consequence of having OPBAS regulating our regulators on one specific area. Their focus is entirely on AML and they make no allowances for the wider issues that arise in insolvencies. You can be sure, however, that the penalty for failing to bring your AML policies, procedures and systems up to the required standard will be, in comparison to normal insolvency regulation, extreme. Fines are likely to be based on those handed out to financial institutions as punishments, with professional consequences for breaching the Ethical Code.
We usually promote a pragmatic approach to compliance within principles-based regulation. That approach simply won’t work with AML and we will soon start to see fellow professionals suffering the consequences if there isn’t a significant change of approach.
If you want to know just how bad it is in the context of your firm, we now have a checklist that we can work through to test your current set-up. We can complete the review for you remotely, and we are prepared to do so at a reduced daily rate because you have to do a lot of the preparatory work. The pre-review list of documents that you have to pull together is enormous. We still have to do our regular review work, so our capacity to help is limited, but if you are interested, please email bill@complianceoncall.co.uk and he will let you know a bit more about the cost and possible timing.
In due course, we may be able to provide some training modules that could help staff in certain roles, but you will need to build on them to recognise and address the threats identified in your own WFRA.
One thing that we have offered to do for our clients is to act as a collecting point for information about possible red flags and indicators of potential money laundering and terrorist financing. We have asked them to tell us their war stories, telling us the circumstances in which they found money laundering or terrorist financing and what brought it to their attention. Obviously, we don’t want names, dates, or any information that would identify cases or individuals. We will collate the information and prepare an ever-expanding list of possible red flags, which we will update when we send round updates to our clients.
On that cheery note, we wish you all the best for what promises to be a very busy year, although subject to a considerable degree of uncertainty as the pandemic rolls on. Please continue to follow the guidance and keep safe, so that we can meet up again on the other side of the lockdown.