Central Bank of Ireland Issues Revised AML and CFT Guidelines: Key Changes
06 Jul 2021
On 23 June 2021, the Central Bank of Ireland ("CBI") published revised Guidelines on Anti-Money Laundering ("AML") and Countering the Financing of Terrorism ("CFT") (the "Guidelines"), in response to the enactment of the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 ("CJA 2021"), which transposed the fifth AML Directive EU/2018/843 ("5MLD") into Irish law.
What are the key changes?
The revisions reflect the further transposition of 5MLD and bring the Guidelines in line with current CBI expectations in relation to designated persons' ("firms") existing obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 ("CJA 2010").
Amendments Based on the Transposition of 5MLD
- Section 5.2.1 (Documentation and Information): The CJA 2021 broadens the source of information which can be used by a firm to identify and verify a customer’s and their beneficial owner’s (where applicable) identity, with the explicit recognition of information obtained through relevant trust services as specified in Regulation (EU) No 910/2014 (the "eIDAS Regulation").
- Section 5.2.2 (Beneficial Ownership): The CJA 2021 requires firms to verify and document the identity of beneficial owners, or the senior managing official listed as a customer's beneficial owner, and any difficulties encountered in establishing the identity. Prior to the establishment of such a business relationship, firms must confirm that the relevant beneficial owner information has been entered into the applicable beneficial ownership register before any transactions are conducted on behalf of the customer or the beneficial owner.
- New Section 5.2.3 (Beneficial Ownership Registers): The Guidelines explain the firm's obligation to keep an internal register of beneficial ownership information, which is separate to the requirement to provide the same information to the relevant central beneficial ownership register established by the Member States. Senior managing officials should only be listed as beneficial owners when all possibilities have been exhausted to identify natural persons as beneficial owners or if there is any doubt whether the identified natural person is in fact the beneficial owner.
- Section 5.6.4 (Enhanced On-going monitoring of Politically Exposed Persons ("PEPS")): Changes introduced by 5MLD include the requirement to continue to apply enhanced due-diligence ("EDD") measures to a customer who is a PEP for as long as is reasonably required until the customer is deemed to no longer pose a risk.
- Section 5.9 (EDD in relation to High-Risk Third Countries and other High-Risk Situations): The CJA 2021 amends article 38A (1) CJA 2010 to include more detailed requirements to be applied as EDD for customers established or residing in a high-risk third country. These are countries identified by the European Commission as having strategic deficiencies in their AML / CFT regimes.
Internal Governance Requirements
The CBI has made a number of key changes to Chapter 6 on 'Governance', placing the main focus on the board's responsibility in ensuring effective governance and AML / CFT compliance. The Guidelines now differentiate between the tasks of the appointed member of senior management and the compliance officer, and no longer subsume it all under the more generally used term of the Money Laundering Reporting Officer ("MLRO"). The Guidelines now also include a description of the obligation in section 54 (6A) CJA 2010 that firms must have clear internal procedures in place to report contraventions of the CJA 2010 and lists examples of appropriate measures.
- New Section 6.3 (Member of Senior Management): Section 54(8) CJA 2010 delegates the discretion to require the appointment of a member of senior management whose primary responsibility is implementing, managing and overseeing compliance with AML/CFT measures to the competent authorities. The CBI uses this discretion under its Guidelines and expects firms to appoint a member of senior management, or give reasons as to why such an appointment is not necessary. A newly inserted section 6.3.1 explains the tasks and roles of the member of senior management.
- New Section 6.4 (Compliance Officer): The Guidelines rename the function of the MLRO as compliance officer. Firms are obliged to appoint a member of staff at management level to monitor and manage compliance with, and the internal communication of, the firm’s internal AML / CFT policies, controls and procedures, and should refer to this position as "Compliance Officer", who has an independent reporting line to the board pursuant to section 54(7) CJA 2010. If the firm does not appoint such a position, the CBI reserves the right under 54 (7) CJA 201 to direct the firm to do so.
- Section 6.7 (Policies and Procedures): The European Union (Money Laundering and Terrorist Financing) Regulations 2019 introduced a new obligation under section 54(6A) CJA 2010 to have a whistleblowing policy in place. The Guidelines instruct firms to clearly document the procedures to enable the internal reporting of contraventions of the CJA 2010. Measures include an independent internal reporting framework allowing for anonymous reporting and staff training on compliance with this reporting obligation.
- Additional Guidance on Records and Documenting Compliance: The Guidelines showcase the CBI's continued application of its "show me don't tell me" approach and focus on evidence of firms' having applied AML / CFT requirements, and retaining records as evidence of compliance. Examples include: documenting the weighting of risk factors in the context of a business relationship or transaction and the rationale for applying EDD, and the retention of evidence of matters requiring senior management approval under the CJA 2010 – which must be kept in line with the firm's record retention policy.
- Section 1.3 (Data Protection): The Guidelines have been updated to specify that the processing of personal data for the purposes of complying with an AML / CFT obligation must be "necessary and proportionate" (reflecting obligations under the General Data Protection Regulation).
- New Section 4.1.1 (De-Risking): Firms must employ individual risk assessments of customers and financial products in the risk-based approach to their AML / CFT obligations, instead of a "zero tolerance" approach whereby entire categories of the business relationship are terminated. Firms should consider whether they can apply additional enhanced measures to reduce ML / TF risk before terminating the relationship, in a measure described as "de-risking". Only when the firm has come to the conclusion that no additional enhanced measures will sufficiently reduce the M L/ TF risk, can the business relationship be terminated. This must be documented alongside an analysis of the ML / TF risk, additional measures considered and the rationale as to why they were deemed insufficient.
- Section 4.2 (Risk Assessment): Firms are required to carry out a business risk assessment and a customer / transaction risk assessment pursuant to the provisions of section 30A and 30B of the CJA 2010. This requires firms to collate sufficient information on ML / TF risks of customers and transactions prior to entering into a business relationship and identify the ML / TF risks the firm is exposed to. The Guidelines clarify that the risk inherent to the business should dictate the risk-based approach to identify and verify individual customers, which in turn will affect the level and extent of due diligence for that particular customer or transaction.
- Section 4.4.3 (Customer’s or Beneficial Owner’s Nature and Behaviour): The Guidelines incorporate an extensive list of risk factors associated with the customer or beneficial owner’s nature or behaviour, which can indicate an increased ML / TF risk.
- Section 4.5.4 (Level of Jurisdiction's TF Risk): The Guidelines clarify that when firms are assessing a jurisdiction's TF risk, they must also now consider information on the jurisdiction from law enforcement or credible and reliable open media sources.
- Section 4.7.1 (How the Business Relationship is conducted): When assessing the channel or distribution risk the firm must consider the extent that the business relationship is conducted on a non-face to face basis. The Guidelines emphasise that customers who deliberately avoid face-to-face contact for reasons other than convenience or incapacity should be flagged as a potential risk factor.
- Section 5.2 (Customer Due Diligence ("CDD")): The Guidelines now include the requirement to perform a CDD where a firm is obliged by virtue of any enactment or rule of law to contact a customer to review any relevant information relating to the beneficial owner connected with the customer. In addition, while the Guidelines still do not contain a prescribed list of CDD documents, due to the risk-based approach, it now includes the requirement to keep the firm's own list of CDD information and documents up to date including for any relevant "external or environmental factors (e.g. pandemic)".
- Section 5.3.2 (Transaction Monitoring): The Guidelines introduce a new section dedicated solely to the CBI's expectations on firms' transaction monitoring. Customer transactions must be monitored to identify suspicious transactions, which firms can do through the means of transaction monitoring controls. These transaction monitoring controls should be commensurate to the firm's business activities, specific customer profiles and so be able to detect what suspicious activity looks like in the context of the firm’s business activities and the firm’s specific customer profiles. The business risk assessment can be utilised to determine the appropriate transaction monitoring for the specific firm. The Guidelines showcase the merits of an automated versus a manual transaction monitoring system and give guidance on how to choose the appropriate control mechanism. Firms should also ensure the connectivity between customer identification and verification, transaction monitoring and Suspicious Transaction Reports ("STR") process.
- Section 7.5 (Making Suspicious Transaction Reports): Examples of poor quality STR have now been updated in the Guidelines. An obligation has been introduced to submit STRs to the Irish Revenue Commissioners using Revenue’s Online Service ("ROS") only, so that all firms must be registered for ROS. Firms should note that under section 42(11) CJA 2021, Ireland's Financial Intelligence Unit is now obliged to provide timely feedback on a submitted STR.
- Section 8 (Training): This details the employee training that the CBI expects firms to conduct. This must include training on the firm's business risk assessment and how it affects their daily work, the firm's internal reporting procedures, in particular the whistleblowing policy and escalation procedures.
Next Steps for Firms
There are a number of material changes which are not directly connected to the transposition of 5MLD into Irish law. The CBI has availed of the opportunity to update its guidance to reflect its expectations of firms in terms of best practice to manage ML / TF risk, retaining records and evidence of processes and compliance, oversight and governance and individual accountability of a specified person for AML / CFT (in addition to the board's ultimate collective responsibility). Firms will need to review their existing governance arrangements, processes (including training) and policies to ensure they comply with the Guidelines.
Further Information on our Irish Financial Services Regulatory Group, and the services we provide is available on our website page and in our brochure.
If you would like further information, please liaise with your usual Maples Group contact or one of the members of our Irish Financial Services Regulatory Group.
Our Financial Services Regulatory group in Ireland comprises of leading lawyers and experienced industry professionals with a wealth of experience in advising clients on regulatory requirements and how to manage regulatory risk within their business. Our highly technical team deliver pragmatic and solutions-focused advice to our clients.
T: +353 1 619 2023
T: +353 1 619 2125
T: +353 1 619 2122
Senior Regulatory Executive Dublin
T: +353 1 619 2158