The Guidelines also incorporate expectations set out in recent Central Bank publications and in guidelines from the European Supervisory Authorities, most notably the Central Bank's Anti-Money Laundering Bulletin on transaction monitoring from October 2020 and the EBA's Risk Factor Guidelines.
In addition to the revisions that were anticipated (such as the inclusion of virtual asset service providers within the scope of the Guidelines and some refinement relating to customer due diligence procedures and beneficial ownership), the Guidelines contain some new messages and points of emphasis on topics such as governance and consumer protection.
In this article, we examine some of the key features of the revised Guidelines.
The broader Central Bank focus on customer protection is reflected in a new section on de-risking in the context of risk management, which provides that a firm should not decide to terminate or limit business relationships with customers unless the firm has fully considered applying enhanced due diligence (EDD) to reduce the money laundering/terrorist financing (ML/TF) risk.
If EDD does not sufficiently reduce the ML/TF risk, the firm should document the rationale for terminating a business relationship or limiting services in order that such decisions can be reasonably justified. This should include an analysis of the ML/TF risks, the additional measures considered and why they were insufficient to reduce the risk. This focus on the customer is carried through to the revisions on customer due diligence (CDD), where firms are asked to exhaust all possible avenues before taking actions that might disadvantage a customer whilst balancing their obligation to protect the integrity of the financial system from ML/TF.
Business Risk Assessment
The Central Bank's messaging on the importance of rigour in the conduct of the Business Risk Assessment is echoed in the Guidelines. The Business Risk Assessment should be tailored to the firm's business and, where it is part of a group-wide assessment, the firm should consider whether the group-wide assessment sufficiently addresses the individual firm's risk exposure. The Guidelines specifically state that generic Business Risk Assessments are unlikely to meet the requirements of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (the CJA 2010).
The Guidelines also expand on how the Business Risk Assessment should be conducted in order to address the ML/TF risks to which the firm is exposed resulting from the nature and complexity of the firm's business. In preparing their assessments, firms are required to have regard to the National Risk Assessment for Ireland on ML/TF, any guidance issued by the Central Bank and any Guidelines issued by the European Supervisory Authorities. The Business Risk Assessment should identify the risks and outline where resources should be prioritised in order to counter those risks. When documenting the Business Risk Assessment, firms should record changes so that the rationale for these can be understood by both the firm and the Central Bank.
Customer/Transaction Risk Assessment
Additional guidance is provided on the ML/TF risk arising from the business relationship with a customer or the performance of occasional transactions (the Customer/Transaction Risk Assessment). Firms must identify ML/TF risks related to entering into, or maintaining, a business relationship, or carrying out occasional transactions, and the due diligence information required by firms should be determined by the level of risk presented.
The Guidelines now specifically call out the connection between the Business Risk Assessment and the Customer/Transaction Risk Assessment. The Business Risk Assessment should be used to inform the firm's approach to CDD measures being applied to an individual customer or occasional transaction.
There is also considerable additional detail on identifying TF risks, including in relation to certain not-for-profit organisations.
Identifying and verifying beneficial owners
The Guidelines now have greater detail on a firm's obligations in relation to beneficial ownership. In particular, the Guidelines outline the implications for a firm where the customer's senior managing officials have been listed as the beneficial owners. The Guidelines stipulate that firms, in complying with their obligations to identify and verify the identity of a customer’s beneficial owners, and in circumstances where senior managing officials have been listed as a customer’s beneficial owners, should establish whether their customer "has in fact exhausted all possible means to identify their beneficial owners". Customers may now need to provide firms with more detailed documentation relating to the processes they employed in identifying their beneficial owners.
It is interesting to compare this with the wording of the CJA 2010, where the requirement is that the designated person "shall take the necessary measures to verify the identity of that person and shall keep records of the actions taken to verify the person’s identity including any difficulties encountered in the verification process".
Beneficial ownership registers
The Guidelines also capture amendments to the CJA 2010 brought about by the 2021 Act, which require designated persons to ascertain that information concerning the beneficial ownership of the customer has been entered in the relevant beneficial ownership register prior to establishing a business relationship.
The Guidelines state that, where a firm is "unable to confirm" that the beneficial ownership information has been entered in the register, it "should be aware" of its obligations under section 33(8) of the CJA 2010. This provision instructs firms not to provide a service, or carry out any transactions, and to discontinue a business relationship in circumstances where the firm has been unable to identify and/or verify the identity of its customer's beneficial owners as a result of any failure on the part of the customer to provide the firm with documents or information required.
Where a firm avails itself of the exception to the 'prior to' requirement – namely, by allowing an account to be opened with a customer before ascertaining that beneficial ownership information has been entered in the register – the Guidelines prescribe that no transactions in connection with the account should be carried out "until it is established that the beneficial ownership information is entered into the relevant beneficial ownership register".
The Central Bank's expectations on transaction monitoring, as set out in the AML Bulletin of October 2020, are replicated in the Guidelines. Firms must have controls in place to monitor customer transactions in order to identify suspicious transactions. These controls should be effective and should detect transactions that are suspicious in the context of the firm's business activities and customer profiles, as identified by the Business Risk Assessment and Customer/Transaction Risk Assessment.
The Guidelines also reiterate the Central Bank's preference for automated transaction monitoring alongside an awareness by employees of the ongoing need to manually identify suspicious transactions. Automated systems should be regularly reviewed to ensure that the thresholds, rules and scenarios are tailored to identified and emerging risks. There should be a facility for changing the controls to meet the risks and automated solutions should be fully assessed for suitability to the firm's specific business.
Enhanced due diligence (EDD)
The Guidelines now advise firms to ensure that they clearly document the rationale for applying EDD. The Guidelines give additional detail on EDD related to high-risk countries and high-risk situations, which is in line with recent changes to the CJA 2010.
We await further guidance, expected to issue from the Department of Finance, on applying EDD to politically exposed persons (PEPs), their family members and their close associates.
The Central Bank's emphasis on robust governance and the importance of oversight by boards and senior management in AML/CFT compliance is clearly reflected in the new Guidelines. A new, sweeping definition of 'Board' has been introduced in the Glossary. For the purposes of AML/CFT compliance, 'Board' means "a Firm’s Board of Directors within the State, or where no such Board exists, such other management body or bodies within the State, which set the Firm’s strategy, objectives and overall direction, and which oversee and monitor management decision-making, and include the person or persons who effectively direct the business of the Firm". There is also further prescriptive guidance on what good governance looks like from a Board perspective.
Member of Senior Management
The Central Bank "notes and understands that a custom and practice has evolved in Ireland of using the term “MLRO” to describe a member of staff with certain responsibilities relating to a Firm’s AML/CFT obligations, notwithstanding that this term is not defined in Irish legislation". In a notable change from the 2019 Guidelines, the updated Guidelines eschew the term 'MLRO' in favour of adhering to the terminology of "member of senior management" used in the CJA 2010.
The Central Bank expects firms to appoint a member of senior management with primary responsibility for overseeing AML/CFT compliance, where this is proportionate to the nature, scale and complexity of the firm's activities. The Central Bank is explicit in its preference for the appointment of such senior management, where this is appropriate, describing it as "a key measure in order to protect the financial system by ensuring that Firms do not attach low priority to AML/CFT issues". The Guidelines also note that "[a] lack of buy-in or understanding of AML/CFT matters at Senior Management level can result in a corporate culture that pursues profits at the expense of a robust compliance framework that is backed by sufficient resources and training".
There is extensive guidance on the tasks and role of the senior manager with responsibility for AML/CFT, including approving the Business Risk Assessment, approving the firm's AML control framework and overseeing the compliance officer, where applicable. Where firms do not make such an appointment, the Guidelines require the firm to "record in detail its rationale for such decision" and ensure ongoing AML/CFT compliance. The Central Bank may also exercise its statutory power to direct a firm to make such an appointment.
The Guidelines also expand on the role of the Compliance Officer and what it entails. The Compliance Officer should be a member of management, as distinct from senior management. They should have an independent reporting line to the Board and have unrestricted and direct access to all information that is necessary, in the opinion of the Compliance Officer, to effectively perform their role.
The Guidelines note, however, that firms may, depending on the nature, scale and complexity of their activities, structure their internal AML/CFT governance framework so that the same person is performing the roles of both MLRO and Compliance Officer. Where a firm opts not to appoint a compliance officer, it should document this decision and the rationale for it, and be mindful of the Central Bank's power to direct it to appoint a compliance officer.
Addressing the requirement for firms to have appropriate procedures in place for employees to report contraventions of the CJA 2010 through a "specific, independent and anonymous channel" (the 'whistleblowing' provision), the Guidelines specify that firms should clearly document the procedures in place to allow contraventions of the CJA 2010 to be reported internally. This should be documented in either the firm's AML/CFT policies, or in more general compliance policies and procedures.
The Guidelines clarify that it is acceptable to utilise existing whistleblowing or 'speak up' policies for this purpose. Firms should also provide training to all staff on their AML/CFT internal reporting procedures. Unfortunately, the Guidelines do not give any examples of what form these whistleblowing channels might take, or how the criteria of specificity, independence and anonymity are to be achieved in practice.
Suspicious Transaction Reports (STRs)
The Guidelines follow the new procedure whereby STRs can be submitted to the Revenue Commissioners using Revenue Online Service (ROS) only; paper copies should no longer be posted. The Guidelines also expand on the examples of poor-quality STRs, which will be helpful to firms in assessing or improving their reports.
The data protection statement in the introductory paragraphs to the Guidelines now includes an additional line, which addresses the need for firms to align their AML processes with the principles of data protection law: "When processing personal data for the purposes of complying with an AML/CFT obligation, Firms should ensure that such processing is necessary and proportionate in order to comply with their AML/CFT obligations".
The full implications of these changes will need to be tested in practice. We will continue to update you with additional insights as our experience and understanding of the Guidelines evolve.