On November 11th, 2021, the Central Bank of Ireland (“CBI”), published the Anti-Money Laundering Bulletin (the “Bulletin”). The Bulletin focuses on funds and their fund management companies (collectively, “Firms”). The CBI has identified several areas where Firms must introduce enhancements in order to ensure they can sufficiently demonstrate compliance with the requirements of the Criminal Justice Act (Money Laundering and Terrorist Financing) 2010 to 2021 (“CJA”). These areas include:
- Corporate Governance
- Business Risk Assessment
- Outsourced Activities
- Customer Due Diligence
Section 54 of the CJA sets out requirements for Firms to have appropriate governance and effective risk and control functions in place. Additionally, Chapter 6 of the CBI’s Anti-Money Laundering and Countering the Financing of Terrorism Guidelines for the Financial Sector (the “Guidelines”) sets out further details relating to anti-money laundering, countering the financing of terrorism, and financial sanctions (“AML/CFT/FS). Firms are expected to appoint sufficiently senior and experienced personnel to implement, manage and oversee the control framework.
The CBI expects the following in relation to Firms’ governance arrangements:
- Boards should be able to evidence effective governance and oversight of the Firm’s AML/CFT/FS framework;
- Where warranted by the nature, scale and complexity of the activities, Firms should appoint a member of senior management with primary responsibility for implementing, managing and overseeing the AML/CFT/FS framework;
- Firms should appoint a Compliance Officer at management level in order to manage and monitor compliance with the Firm’s internal AML/CFT/FS policies, controls and procedures (if warranted by the nature, scale and complexity of a Firm);
- Firms must implement a robust assurance testing framework to assess the effectiveness of their AML/CFT/FS control framework;
- The Board and/or Committee minutes must accurately record discussion and challenges regarding AML/CFT/FS matters.
Business Risk Assessments
Section 30A of the CJA requires Firms to conduct a Business Risk Assessment, while Chapter 4 of the Guidelines also sets out certain expectations, such as conducting a Business Risk Assessment tailored to the business and sector risk. In addition, the National Risk Assessment highlighted specific complexities and outsourcing of AML/CFT/FS activities as presenting increased money laundering and terrorist financing (“ML/TF”) risk for the funds sector. The aim of the National Risk Assessment is to identify, understand and assess the money laundering and terrorist financing risks faced by Ireland and will lay the ground for strengthening the Irish AML/CFT regime.
Furthermore, distributor and sub-distributor relationships were identified as increasing ML/TF risk exposure due to the increase in complexity of business activities
The CBI expects Firms to demonstrate that the Business Risk Assessment has been tailored to the risk of both its sector and its business. Firms are expected to refer to the National Risk Assessment, the Guidelines and the European Banking Authority Risk Factor Guidelines when assessing risk in their Business Risk Assessment.
The CBI expects that:
- Firms must have a Business Risk Assessment which documents the assessment of inherent ML/TF and financial sanction (“FS”) risk, effectiveness of the AML/CFT/FS control framework and details of the overall residual risk;
- Firms clearly outline the approach taken to assess each area of ML/TF & FS risk in their Business Risk Assessment which is subject to regular review, update and approval;
- Firms must complete a full assessment of inherent risks which must include an assessment of the ML/TF & FS risks that have been identified as presenting heightened risk for this sector including, but not limited to, customer (complex ownership structures), product, service, distribution, outsourcing, geographic and transaction risks;
- Firms must demonstrate that their AML/CTF/FS framework includes:
- The implementation of controls that are in line with the scale, complexity and risk of the Firm’s business activities; and
- A process to evaluate and measure the effectiveness of the ML/TF/FS controls implemented.
- The Business Risk Assessment must be subject to regular reviews and approval by an appropriate member of senior management;
- The Firm’s Board must review and approve the Business Risk Assessment at least on an annual basis;
- The Business Risk Assessment must include an assessment of Financial Sanctions exposure and Terrorist Financing risk
- Irish, European and International guidance must be documented in the Business Risk Assessment
Firms must demonstrate robust oversight of all AML/CFT/FS activities outsourced to third parties in order to ensure full compliance with the requirements of the CJA.
The CBI expects Firms to have robust processes and procedures in place to oversee the AML/CFT/FS activities that have been outsourced to third parties, including intra-group entities. The CBI expects:
- Firms to ensure that formalised and comprehensive outsourcing arrangements are in place to govern outsourced AML/CFT/FS activities with third parties. The arrangements should clearly outline the respective parties’ responsibilities and deliverables and should be subject to regular review;
- Firms to ensure that they have appropriate processes in place to effectively monitor AML/CFT/FS activities undertaken by outsourced parties; and
- Where a Firm is relying on an outsourced party to perform AML/CFT/FS activities as part of its control framework, the Firm must ensure that those activities:
- Are subject to testing in order to assess the effectiveness and the application of third-party AML/CFT/FS policies and procedures;
- Have been tailored to ensure the Firm meets its obligations under the CJA and the Firm’s obligations in respect of financial sanctions; and
- Are being performed to a level in line with the ML/TF risk identified in the Firm’s Business Risk Assessment.
Customer Due Diligence (“CDD”)
The CBI has stated that the major concern in this area was non-compliance with Section 33(6) of the CJA which requires all Firms to ensure that all CDD is in place prior to processing transactions, including initial subscriptions. Chapter 5 of the Guidelines sets out the CBI’s expectations in more detail.
The CBI expects that:
- CDD policies and procedures have been implemented by the Firm and Outsourced Service Providers (“OSPs”) which:
- Explicitly document the Firm’s approach to identification and verification (where applicable) of customers;
- Have been tailored to the requirements of the CJA; and
- Are reviewed, updated and approved in a timely manner to reflect any legislative changes and regulatory guidance and that this can be demonstrated by, for example, version control.
- Appropriate controls have been implemented to ensure that transactions cannot occur until full CDD documentation and information is in place that meets the requirements of Section 33(6) of the CJA;
- There is sufficient oversight of the CDD activities undertaken by OSPs on their behalf, including, but not limited to:
- Sufficient sample testing arrangements are in place to ensure that the appropriate CDD measures have been adopted to meet the requirements of the CJA 2010; and
- That OSPs are fully adhering to the requirements of Section 33 (6) of the CJA 2010.
KB Associates has reviewed the Bulletin and will carry out a review to ensure that all our clients are meeting the CBI’s expectations.
Download a copy of Central Bank of Ireland Anti-Money Laundering Bulletin – November 2021