Speed Read: Jonathan Fisher QC discusses the changes to risk assessment and the introduction of the independent audit function effected by the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Money laundering reporting officers and nominated officers operating within the regulated sector will need to understand and appropriately incorporate these two important aspects into their broader anti-money laundering and counter terrorist financing policies and procedures.
As regulators intensify their focus on the proper discharge of money laundering obligations involving customer due diligence (CDD) by the regulated sector, the changes introduced by the new Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (likely to be known as the Money Laundering Regulations 2017 (“MLR 2017”)) are of great importance. This is particularly true for money laundering reporting officers and nominated officers within the meaning of Part 7 of the Proceeds of Crime Act 2002.
Risk assessment by the firm or business
One of the key changes effected by regulation 18 of the MLR 2017 relates to the requirement on firms and businesses operating within the regulated sector to identify and assess the risks of money laundering and terrorist financing to which their business is subject. This is easier said than done, since to be able to undertake this task, the risk assessor needs to have a sound grasp of the ways in which criminals can use the firm’s services when handling the proceeds of their crimes. Criminals may range from organised criminals who are laundering the proceeds of drug trafficking and the like to white collar criminals who have paid or received bribes, committed fraud, breached economic sanctions, or indulged in a spot of insider dealing. It follows that a firm or business operating in the regulated sector may be vulnerable to money laundering or terrorist financing in a myriad of different ways. Regulation 18(4) of the MLR 2017 requires a written record to be made of all steps undertaken by a firm in the identification and assessment of its money laundering and terrorist financing risk.
Pursuant to regulation 19(1)(a) of the MLR 2017, the firm’s risk assessment of its vulnerability must inform the development of its policies, controls and procedures which have been devised to mitigate and manage effectively the risks of money laundering and terrorist financing. Moreover, under regulation 21(c) of the MLR 2017, having regard to the size and nature of the firm’s business, a firm is now required to establish an independent audit function with responsibility to examine and evaluate the effectiveness of the firm’s policies, controls, and procedures, to make recommendations about them, and to monitor compliance with them.
The quality of the firm’s risk assessment is therefore critical, because when it comes to an individual fee earner who is obligated to apply CDD measures, regulation 28(12) of the MLR 2017 requires the fee earner’s assessment of the money laundering or terrorist financing risk posed by the customer or client or the transaction in question to reflect, amongst other things, the level of risk which his or her firm has identified in the firm’s risk assessment. In other words, the generality of the risk assessment performed by the firm in respect of its vulnerability to money laundering or terrorist financing serves to inform the particularity of risk assessment undertaken by the fee earner in relation to the customer or client in question. In some large firms and businesses, the development of a risk profile for a customer or client is prepared by dedicated specialists in a risk / compliance department. The risk profile assists the fee earner in his dealings with the customer or client, and his assessment of whether any grounds for suspecting money laundering or terrorist financing have arisen. Medium sized and small sized firms may not be able to afford this luxury and in this situation, it is vital that the firm’s risk assessment is sufficiently comprehensive to provide a sound framework for the fee earner’s risk assessment of a customer or client to be informed and effective.
The requirement for a firm to prepare an assessment of the risks of money laundering and terrorist financing to which its business is subject, and establish an independent auditing function, is not an example of the UK gold-plating the money laundering regulations as in the past. The requirement is squarely established in Article 8(1) and 8(4)(b) of the EC Fourth Directive on Money Laundering 2015/849 agreed on 20 May 2015. The obligation will not evaporate post-Brexit. The EC Fourth Directive took its cue from Recommendation A1 and Recommendation 18 of the Financial Action Task Force’s Revised Recommendations published in February 2012. The Interpretive Guidance to Recommendation A1 stipulates that firms and businesses must perform their own risk assessments, and the need for an independent audit function to test the customer due diligence functions is articulated in paragraph 1 of the Interpretative Guidance to Recommendation 18.
How is the firm’s risk assessment to be made?
Against this background, what exactly does the law require of a regulated sector firm in the preparation of its risk assessment? Some guidance is offered in regulation 18(2)(b) of the MLR 2017 but it is very high-level. In carrying out the risk assessment a firm must consider risk factors relating to its customers, the countries or geographic areas in which it operates, its products or services, its transactions, and its delivery channels. In passing, the mandatory nature of the instruction is noted. But how is the firm to know the nature and extent of the risk posed by these risk factors? The MLR 2017 envisage that the firm may be assisted by considering information made available by the supervisory authorities. Regulation 17(9) of the MLR 2017 provides that if information from a risk assessment performed by a supervisory authority would assist a firm operating in the sector to carry out its own money laundering or terrorist financing risk assessment, the supervisory authority must, where appropriate, make that information available unless to do so would be incompatible with restrictions on sharing information under the data protection legislation.
Information from Government authorities is likely to be limited
One of the key difficulties for government agencies is the significant deficit in their levels of knowledge about how sophisticated money laundering is committed when the financial markets are involved. In one of the key findings in the UK’s National Risk Assessment (“NRA”) of Money Laundering and Terrorist Financing published in October 2015, HM Treasury and the Home Office acknowledged that there were significant intelligence gaps in relation to “high-end” money laundering. This type of laundering is particularly relevant to major frauds and serious corruption, where the proceeds are often held in bank accounts, real estate, or other investments, rather than in cash. The NRA judges the threat in the banking sector to be significant, since around 60% of current money laundering cases being investigated by HMRC have funds initially moved through banks. The intelligence picture in other areas – such as high value dealers, gambling, and new payment methods – was judged to be mixed. Helpfully, the Law Society of England and Wales publishes updates on emerging money laundering techniques where solicitors can be vulnerable, but it is almost alone amongst the supervisory authorities. Much more information needs to be disseminated by government agencies and the supervisory authorities. If the current government emphasis on the importance of co-operation between the public sector and the private sector is to have meaning, the enforcement agencies need to understand that the flow of information is a two-way street.
What information is available to an MLRO / nominated officer?
More likely, if a firm’s policies, controls, and procedures are to pass muster, the firm’s money laundering reporting officer / nominated officer will need to supplement the guidance as to risk factors contained in the MLR 2017 and made available by the supervisory authorities with some extensive research of his or her own. The typology and sector-specific reports published by the Financial Action Task Force (FATF) are a good starting place. In addition, a money laundering reporting officer / nominated officer can consult the evaluations of money laundering and terrorist financing regimes operated by its member countries which the FATF publishes on a regular basis. However, to satisfy the regulatory requirement much more will need to be done. Money laundering reporting officers / nominated officers will need to digest reports prepared by, amongst other organisations, FATF-Style Regional Bodies (“FSRBs”) and annual reports prepared by the Council of Europe’s Moneyval, mining them for information about how certain types of business can be used for money laundering and terrorist financing purposes, and which jurisdictions are considered more vulnerable than others, depending upon the identity of the client and the nature of the business in question. The United States Central Intelligence Agency publishes a World Factbook, and some useful information is available on the Anti-Money Laundering Forum operated by the International Bar Association. In addition, there is a huge amount of information available on the internet which money laundering reporting officers / nominated officers can access. For example, there are publicly available indices from HM Treasury’s Office of Financial Sanctions Implementation, Transparency International’s Corruption Perceptions Index, the Foreign and Commonwealth Office’s Human Rights Reports, and UK Trade and Investment’s pages on overseas country risk and quality of regulation.
The European Commission is also in the process of compiling a list of high risk countries with strategic deficiencies in anti-money laundering and counter-terrorist financing systems. The money laundering reporting officer / nominated officer, or appropriate compliance team member, can review this information, mining it for relevant material which will inform the firm’s consideration as to whether the risk of money laundering and terrorist financing inherent in the type of work undertaken and the country with which it is associated, is low, medium, or high.
One obvious resource for a money laundering reporting officer / nominated officer sits within the firm itself. As firms increasingly focus the delivery of their services in specialist areas, the firm’s fee earners should be well placed to contribute to the firm’s risk assessment. This will be true across the regulated sector. Just as a solicitor specialising in the financing of energy transactions will be aware of the extent of corruption and bribery within this sector, an estate agent with a practice based in Kensington will be highly cognisant of the risks of money laundering which purchases by Eastern European oligarchs and politically exposed persons pose. As a starting point for assessing the risks of money laundering and terrorist financing in a business operating in the regulated sector, the money laundering reporting officer / nominated officer could begin the process of risk assessment by embarking on the process of self-assessment. As a practical suggestion, money laundering reporting officers / nominated officers could invite key fee earners to complete a questionnaire to elicit information about the nature of their customers and clients, the type of services which the fee earners provide, and the geographic areas in which they operate. The money laundering reporting officer / nominated officer would use the responses as the basis for discussion with the fee earners and this would inform the preparation of the firm’s risk assessment.
Assessing risk on rationally defensible criteria
Where a firm develops its risk assessment in this way, and includes in its policies, controls and procedures provisions which detail how the risk is to be managed, the requirement in regulation 19(3)(a) of the MLR 2017 to include risk management practices will be satisfied. Interestingly, this requirement falls short of the requirement set out in Article 8(4) of the EC Fourth Directive on Money Laundering which specifically refers to “the development of internal policies, controls, and procedures, including model risk management practices …” Although the reference to “model” risk management practices is not something which appears in the Financial Action Task Force Revised Recommendations, larger businesses operating in the regulated sector will ignore this requirement at their peril. Reliance on qualitative expert judgment when developing risk assessments continues to be valid, but there is an inherent subjectivity in this approach and there is a danger that it could be regarded as self-serving if challenged by a regulator in a case where a less obvious risk of money laundering or terrorist financing was not identified. The EC Fourth Directive on Money Laundering is seeking to encourage firms and businesses operating in the regulated sector to apply a more sophisticated approach, by making use of quantitatively derived models which allocate risk scores calculated by algorithms which have been developed from analysis of AML scenarios and typologies. Management consultancies have developed a variety of model risk management practices for application in anti-money laundering and counter-terrorist financing cases. The application of model risk management in the assessment of money laundering and terrorist financing vulnerability will also assist a firm or business in the regulated sector when seeking to demonstrate that its risk assessment policies are effective pursuant to the independent audit requirement introduced in regulation 21(c) of the MLR 2017.
There is, however, an important caveat which must be borne in mind. As the Joint Money Laundering Steering Group (“JMLSG”) has cautioned, “where a firm uses automated systems purchased from an external provider to allocate overall risk scores to categorise business relationships or occasional transactions, it should understand how such systems work and how it combines risk factors to achieve an overall risk score.” The JMLSG adds that “a firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of the [money laundering and terrorist financing] risk, and it should be able to demonstrate this to the [regulator] if necessary.”
As a cheaper alternative to acquiring a scoring system from an external provider, it is open to money laundering reporting officers / nominated officers to develop their own scoring system. This would involve allocating scores to different risk factors based on information available internally and externally such as the nature of the client, the type of transaction involved, and the geographical location in which it is taking place. As an example of the flexibility inherent in the allocation of scores, the JMLSG notes that “firms may decide that a customer’s personal links to a jurisdiction associated with higher [money laundering and terrorist financing risk] is less relevant in the light of the features of the product they seek.”
It is unclear exactly what is required of a firm or business operating in the regulated sector to establish an independent audit function. Because the audit function is required to be independent, the person undertaking this responsibility should be unconnected with the implementation or operation of the firm’s anti-money laundering and counter-terrorist financing compliance programme. The JMLSG suggests that the task could be undertaken “by, for example, an internal audit function (where one is established), external auditors, specialist consultants or other qualified parties”. Presumably, this also includes lawyers with specialist knowledge in the field.