Recently introduced anti-money laundering requirements mean that a designated person needs to ensure that it puts the “risk-based approach” at the centre of its compliance efforts. Each designated person will need to review and update its policies and procedures to reflect this.
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 (the “2018 Act”) transposes the EU’s fourth Money Laundering Directive (“MLD4”) into Irish law by amending the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 and 2013 (collectively, as amended, the “2010 Act”).
Among other things, a firm within scope of the AML requirements (each, a “Firm”) must adopt a business risk assessment, update its approach to customer due diligence (“CDD”) and review its policies and procedures to take account of the new framework. Certain Firms will also need to register with the Central Bank of Ireland.
The Business Risk Assessment
Each Firm must complete and maintain an up-to-date business risk assessment which identifies and assesses the money laundering and terrorist financing (“ML/TF”) risks involved in carrying out its business activities. The business risk assessment must have regard to the National Risk Assessment and relevant guidance. In addition, the assessment must take into account certain risk factors. These include:
- the Firm’s type of customers;
- the products and services the Firm provides;
- the countries and geographical areas in which the Firm’s customers are located;
- the types of transactions that the Firm carries out; and
- the delivery channels that the Firm uses.
The business risk assessment must be approved by the Firm’s senior management.
Customer Due Diligence
The 2018 Act places the risk-based approach at the heart of CDD. A Firm must use its business risk assessment, as well as certain other criteria, to determine the extent of measures to be taken for CDD purposes. A Firm may need to change its CDD processes to take account of this.
More generally, a Firm must assess each client to determine the appropriate level of due diligence to apply. In particular, there is no white list of entities that are automatically subject to simplified due diligence and each Firm will need to review its policies and procedures to reflect this. Each Firm must also ensure that it applies enhanced due diligence to domestic politically exposed persons (“PEPs”) as well as to business relationships with customers established or residing in a high-risk third country.
The 2018 Act includes a number of new definitions. In particular, it significantly expands the definition of a beneficial owner in relation to trusts, and each Firm must ensure that this new definition is reflected in its CDD policies and procedures. The 2018 Act also introduces new definitions of the terms “monitoring” and “senior management”. It defines “monitoring” to include ensuring that documents, data and information on customers are kept up to date in accordance with the relevant Firm’s policies and procedures. It defines “senior management” to include, in some cases, non-board members. Again, these changes may need to be reflected in Firms’ policies and procedures.
Policies and Procedures
The 2018 Act contains more granular requirements in relation to anti-money laundering policies and procedures, and each Firm must ensure that its policies and procedures reflect these requirements. In essence, this means that each Firm must review its policies and procedures to ensure that they reflect: a) the various changes introduced by the 2018 Act, some of which are outlined above, and b) the new requirements relating to policies and procedures themselves. In particular, policies and procedures may need to be updated to reflect:
- how the Firm intends to mitigate risk factors relating to ML/TF;
- measures to keep documents and information relating to risk assessments up-to-date; and
- internal systems and controls to identify emerging risks and keep business-wide risk assessments up-to-date.
Certain non-regulated Firms must now register with the Central Bank of Ireland (“Central Bank”) for anti-money laundering purposes. The registration requirement applies, for the most part, to Firms that fall within the definition of a “financial institution” set out in the 2010 Act and that are not otherwise authorised or licensed by, or registered with, the Central Bank. Generally, it affects any Firm that carries on the activities listed at points 2 – 12, 14 and 15 of Schedule 2 of the 2010 Act when acting in Ireland in the course of business carried on by the Firm in Ireland, subject to certain exemptions. For further information, see our briefing here.