The latest AML Bulletin from the Central Bank of Ireland is focused on transaction monitoring and highlights the interconnected nature of anti-money laundering (AML) requirements. The Bulletin sets out the outcomes from a recent series of inspections and outlines the Central Bank's current regulatory expectations in relation to transaction monitoring. The key aspects of the Central Bank's observations in this regard are discussed below.
Notable outcomes from inspections
Interconnectivity of requirements
The Central Bank's Anti-Money Laundering Division identified failures to feed the outcomes from risk assessments into the transaction monitoring controls deployed by financial institutions. Insufficient testing of transaction monitoring controls, and the configuration of automated transaction monitoring controls were also noted.
The Central Bank identified failures by the Board and Senior Management to take appropriate measures to address weaknesses that had been identified with transaction monitoring processes during assurance testing and reviews undertaken by firms' Compliance and/or Internal Audit functions.
Dealing with unusual activity
Where unusual activity has been detected, the inspections noted time delays in reviewing and assessing same which resulted in subsequent delays in reporting suspicious transactions to the relevant authorities. There were also instances identified where roles, responsibilities and procedures for the monitoring and investigation of potentially suspicious activity were not documented. The need for such documentation arises under AML legislation and under industry-specific frameworks such as CRD IV for credit institutions and MiFID II for investment firms, as two examples.
Tailored and responsive controls
The Central Bank identified that certain institutions did not have a mechanism for making prompt adjustments to transaction monitoring controls to reflect any new risks or potential new risks, such as those arising from the COVID-19 pandemic.
Automated transaction monitoring solutions which are not designed for the specific business of the institution was also expressed as a concern for the Central Bank. The regulator noted that in some instances, inspections found that there was no assessment as to the technology's adequacy in relation to business-specific risks. Another concern expressed with such solutions is that the Money Laundering Reporting Officer (MLRO) may not always have input into the governance or management of the solution and may not have the ability to request changes to the controls that are necessary to respond to evolving risks. The operating parameters of the technology may also not have been reviewed, tested or updated in light of changes to the business risk assessment.
Generic automated monitoring thresholds across varying product, service, or customer types which do not reflect the nuances of expected transaction patterns were also noted by the AML inspectors.
The use of 'sample based' approaches to transaction monitoring was also noted and the regulator is concerned that this approach limits the ability to detect unusual patterns of transactions.
Control framework for transaction monitoring
The Central Bank noted that there were instances of insufficient technological resources to ensure that all customers are in scope and accurate customer and transactional data is captured for transaction monitoring purposes. Inspections found errors and control failures in the adjudication of alerts and generic and insufficient detail given in the rationale used to address those alerts. In some cases there was a failure to maintain audit trails to fully reflect the review of transaction monitoring alerts.
Some colour on what 'good' looks like arising from the inspections is also set out in the Bulletin, with an emphasis on the individual financial institution's business activities and the customer profile. The Central Bank indicates that controls should be tailored to the firm's business risk assessment and the customer risk assessment. The need for connectivity between customer due diligence, transaction monitoring and suspicious transaction reporting is also emphasised by the regulator.
Although an automated system for transaction monitoring will not always be appropriate for certain financial service providers, the Central Bank states that an automated system is desirable. Where the MLRO determines that an automated system is not necessary the Central Bank expects this decision to have taken account of the ability of a manual system to detect suspicious transactions and unusual patterns of transactions. The decision to maintain a manual system should be documented and approved by senior management within the institution. Additionally, the controls should be documented in the policies and procedures and included in the risk assessment.
The Central Bank notes that where a financial service provider utilises an automated transaction monitoring solution, the MLRO should not place absolute reliance on it and employees should still be aware of the need to conduct manual identification of any suspicious activity.
The Central Bank also notes that controls should be reviewed on an ongoing basis and the Central Bank expects the operational tolerances of automated systems to be scrutinised also. Where changes are required to address evolving risks and risk indicators, there should be a mechanism for the MLRO to do so. This is particularly important for those MLRO's utilising proprietary or third party technology. Such technology should be subject to a full assessments of its suitability for the specific business and jurisdiction in which it is operating.
The use of technology for AML is a key regulatory concern and is noted in the Central Bank's priorities for 2020. Other AML priorities include a supervisory focus on risk assessments and compliance with the 2019 Guidelines and the supervision of Virtual Asset Service Providers.
An interesting aspect of the Bulletin is the focus on governance, with the Central Bank commenting on failures by the Board to respond to compliance and audit findings. In our interactions with clients and regulators we are seeing an increasing tendency to view regulatory issues as governance failings. The European Banking Authority is currently consulting on updated Internal Governance Guidelines (closing date 31 October 2020). An interesting feature of the new proposals is the further integration of AML as a key aspect of the governance of credit institutions.
The specific mention by the Central Bank of senior management failing to take appropriate measures in relation to transaction monitoring echoes the regulatory focus on individual accountability. Proposals for a new individual accountability framework includes conduct standards for all staff and a Senior Executive Accountability Regime which would involve responsibilities being mapped to executives within financial institutions for which they will be accountable to the regulator.
The individual accountability framework is currently undergoing pre-legislative scrutiny and is listed in the current legislative programme. The Criminal Justice (Money Laundering & Terrorist Financing) (Amendment) Bill 2020 (the 2020 Bill) has been published and is currently before Dáil Éireann. The 2020 Bill transposes many of the elements of the Fifth Anti-Money Laundering Directive that was due to be transposed by 10 January 2020.
Financial institutions are expected to be able to demonstrate a consideration of the 2019 Guidelines. The Central Bank also expects financial service providers to record their responses to the issues raised in the Bulletin. MLRO's will be conscious to plan for the implementation of the legal requirements contained in the 2019 Bill and will be feeding in to the financial institution's wider preparation for the individual accountability framework.