The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the "Amendment Act") transposes the majority1 of the Fourth Money Laundering Directive (EU) 2015/849 ("4MLD") into Irish law.
The Amendment Act came into force on 26 November 2018. It updates the current Irish framework of legislation for the prevention of the use of the financial system for the purpose of money laundering or terrorist financing ("ML/TF"). Irish anti-money laundering ("AML") and counter terrorist financing ("CTF") legislation is now contained in the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2018 (the "CJAs").
This update summarises the key changes under the Amendment Act and how it affects Designated Persons2.
The scope of Designated Person has not been expanded in the Amendment Act. Accordingly, any person or entity that was deemed to be a Designated Person under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 shall continue to be a Designated Person and is required to comply with the new requirements of the Amendment Act.
New Registration Requirements for AML Purposes
The Amendment Act requires certain financial institutions to register for AML purposes with the Central Bank of Ireland ("Central Bank").
From 26 November 2018, financial institutions that offer any of the services set out at Schedule 2 of the Amendment Act, act in the State, in the course of business carried on in the State and are not otherwise authorised or licensed to carry on business by the Central Bank will need to register with the Central Bank.
Information on the type of financial institution that will need to register, including how to register with the Central Bank, can be read here.
Business Risk Assessment
Designated Persons are required to perform a business risk assessment to identify and assess the risks of ML/TF inherent in carrying out their business activities. This must consider factors including: (i) type of customer; (ii) type of product; (iii) geographical risk; (iv) type of transaction; (v) delivery channel; and (vi) other risks.
When carrying out the business risk assessment, each Designated Person must pay due regard to the National Risk Assessment, any guidance on risk issued by the relevant competent authority (i.e. the Central Bank) and any guidelines issued by the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority (together the European Supervisory authorities ("ESAs")) in accordance with 4MLD.
The business risk assessment must be documented, kept up-to-date and approved by the Designated Person's senior management.
While this is new, there was formerly a requirement for Designated Persons to have policies and procedures for the assessment and management of ML/TF risks and relevant Irish AML guidance provided additional detail on the risk assessment framework. Therefore, many Designated Persons will already have a documented risk assessment within their AML policies and procedures.
Policies and Procedures
The Amendment Act prescribes a detailed list of elements to be covered in a Designated Person's internal policies, controls and procedures, including the following new elements:
- How the Designated Person identifies, assesses, mitigates and manages the risks of ML/TF;
- Its customer due diligence ("CDD") measures;
- Procedures to monitor transactions and relationships;
- Suspicious transactions reporting;
- Record keeping;
- Document retention;
- Systems and controls to identify emerging risks; and
- Ongoing compliance controls in support of the policies, controls and procedures.
The policies, controls and procedures adopted must be approved by the Designated Person's senior management and kept up-to-date.
Designated Persons that operate branches, subsidiaries or are otherwise established elsewhere must ensure that such branch/subsidiary/establishment adopts its AML/CTF policies and procedures on a group wide basis.
Risk based approach to CDD
A range of changes have been made on how Designated Persons should establish and verify the identity of their customers (i.e. perform CDD), mandating a greater focus on the assessment of risk of ML/TF:
- Designated Persons must identify and assess the risks of ML/TF when carrying out CDD. This must include having regard to the business risk assessment and any relevant "risk variables" as prescribed in the Amendment Act.
- Designated Persons, as well as carrying out CDD on the customer and any connected beneficial owner, must now also carry out CDD on the person representing the customer.
Under the previous framework, there were exemptions in place and simplified due diligence could be applied automatically to "specified customers", for example, financial institutions, listed companies and public bodies. These exemptions are no longer available and it will be necessary to perform a risk assessment on each investor to determine its risk rating and level of CDD to
- Subject to certain exceptions, enhanced CDD is to be applied to customers in high-risk third countries and where relationships/transactions present a higher degree of risk of ML/TF.
- Designated Persons, in addition to bank accounts, can now open "an account that permits transactions in transferable securities" before carrying out CDD, provided CDD is completed before transactions in that account are carried out.
Designated Persons must monitor business relationships to the extent reasonably warranted by the risk of ML/TF. Such monitoring activity shall include scrutinising transactions and the source of wealth and source of funds to determine if they are consistent with the customer, its business patterns and risk profile.
Designated Persons must undertake (i.e. re-perform) CDD at any time where customers' circumstances have changed, where the risk of ML/TF warrants it.
Designated Persons are also required to examine the background and purpose for (i) all complex or unusually large transactions; and (ii) all unusual patterns of transactions that have no apparent economic or lawful purpose, in order to determine whether they appear suspicious.
Politically Exposed Persons
The Amendment Act has extended the definition of a politically exposed person or PEP to include domestic PEPs. Previously the requirement to apply enhanced CDD measures only applied to PEPs residing outside Ireland.
Third Country Equivalency and Reliance
The former "whitelist" of third country jurisdictions deemed to have equivalent AML/CTF systems has fallen away. Instead, third country jurisdictions that have deficiencies in their national AML/CTF regimes that pose significant threats to the EU's financial system (high-risk third countries) have been identified in Commission Delegated Regulation (EU) 2016/1675. All investors and beneficial owners from these jurisdictions are now subject to enhanced CDD.
The Amendment Act has expanded the scope for Designated Persons to rely on third parties to carry out CDD on their behalf to those located outside EU member states. Such third parties must be a branch or majority-owned subsidiary of a Designated Person based in the EU and must comply with group-wide policies and procedures.
Central Bank and ESA Guidance
The Central Bank has indicated that it will shortly be issuing new AML guidelines supplementing the CJAs. The guidelines will be issued initially in draft form, as part of a consultation process before year end.
The guidelines will replace the Department of Finance 2012 "Core Guidelines".
The ESAs published their AML/CTF Guidelines on 26 June 2017, which promote a common understanding of the risk based approach and how it should be applied.
Other Notable Changes
- Previously only banks and financial institutions were required to have systems in place to enable them to respond quickly to queries from An Garda Síochána with respect to any business relationship held within the previous six years; this has been extended to all Designated Persons and the time period has been reduced to five years. An Garda Síochána will be authorised to oblige a Designated Person to keep these records beyond the five year period if they are required for the investigation or prosecution of ML/TF.
- The defence of 'all reasonable steps' having been taken to avoid the commission of an offence has been introduced as a new defence to AML crimes.
- The penalties that can be imposed by the Central Bank in respect of AML breaches have been increased.
The Fifth Money Laundering Directive (EU) 2018/843 ("5MLD") which amends 4MLD came into force on 9 July 2018. EU member states are obliged to transpose it into national law by 10 January 2020. Some of the changes include improving cooperation between EU FIUs and widening the access rights to the central beneficial ownership registers of companies (including other legal entities) and trusts. When transposing 5MLD, EU member states have the option of imposing restrictions on access in cases where there is a risk of fraud, violence or intimidation.
How Maples Can Help
Maples are assisting clients in considering measures that Designated Persons should take to ensure compliance with the Amendment Act.
In most cases, this will include:
- Assisting with registration of relevant financial institutions with the Central Bank;
- Conducting a gap analysis and a review of existing written AML/CTF policies including any existing documented risk assessment;
- A review of internal controls and the AML/CTF procedures framework; and
- Providing training and advice with regards to ML/TF compliance.
1 The Amendment Act does not transpose Article 30 of 4MLD on beneficial ownership requirements. The European Union (Anti-Money Laundering; Beneficial Ownership of Corporate Entitles) Regulations 2016 have, since 15 November 2016, required companies and other legal entities incorporated in Ireland to have an internal beneficial ownership register. MLD4 also requires the establishment of a central register of beneficial ownership – this has not yet been implemented in Ireland.
2 The definition of "Designated Person" includes credit and financial institutions, auditors, relevant independent legal professionals, trust or company service providers, property service providers, persons who provide gambling activities and persons trading in goods that involve cash transactions of at least €10,000. The definition of financial institutions has been updated in the Amendment Act for consistency with EU regulations.
3 With the exception that any person trading in goods that involve cash transactions of at least €10,000 is now included as a Designated Person, lowering the previous threshold from €15,000.