The 4th Anti-Money Laundering Directive comes in on 26 June, but what does that mean for the financial services and accountancy sectors in Ireland? Jane Jee explains.
The 4th Anti-Money Laundering Directive (4MLD) is designed to bring about a more demanding risk-based approach to the prevention of money laundering and is due to come into effect on 26 June across all EU Member States.
The need to pay attention to the regulations extends beyond the Money Laundering Reporting Officer (MLRO) and also lands on the desks of directors and senior management, i.e. “an officer or employee with specific knowledge of the institution’s exposure to money laundering and sufficient seniority to make decisions affecting risk exposure”.
Customer due diligence
Regulated entities must provide evidence that their organisation has taken a risk-based decision to mitigate money laundering while considering three factors: customer, product geography and the relationships involved.
4MLD is generally less prescriptive than previous directives in an effort to force companies to make a thorough risk assessment themselves (rather than a tick-box approach). However, one area is more prescriptive: ongoing monitoring and the frequency of reviews required. Once is never enough!
Simplified due diligence (SDD)
The change in SDD is subtle, but significant. The concept of ‘simplified due diligence’ is tightened, with no blanket application and clear documented evidence required as to the basis of the ‘low risk’ categorisation.
Now there is a specific requirement that says information held on beneficial owners needs to be adequate, accurate and current. That review you did at the beginning of the relationship 18 months ago will no longer be enough.
Politically exposed persons now include domestic persons and this holds true for 18 months after they have held office, instead of the current 12 months.
What happens if they fail?
The interesting definition comes from understanding what constitutes failure. There are no prescriptive descriptions of what fines – or even jail sentences – should be implemented. Regulators will determine that.
However, recent history can tell us a lot about how the UK's Financial Conduct Authority (FCA), for example, might react to failure.
A global bank was fined in 2015 for poor handling of financial crime risks. This was not because the transactions involved criminal activity or terrorist financing, but rather:
‘While the FCA makes no finding that the Transaction, in fact, involved financial crime, the circumstances of the Transaction gave rise to a number of features which, together with the PEP status of the individuals, indicated a higher level of risk. [The bank] applied a lower level of due diligence than its policies required for other business relationships of a lower risk profile. [The bank] did not follow its standard procedures, preferring instead to take on the clients as quickly as possible and thereby generated …. millions in revenue.’
Here, the regulator underlined that, at all times, firms need to have effective risk systems and procedures in place, which are clearly followed and demonstrate complete client risk analysis. This includes collecting and verifying identity documentation and monitoring, and regularly reviewing relationships and transactions. It should be clear that merely risk-profiling, including sanctions and PEP-checking, is not sufficient.
Fines are not limited to companies: in October 2016, the FCA fined not only a bank, but also its MLRO, preventing the individual from working again as an MLRO or in a compliance function.
So how do you not fail? Ask these questions:
- As a senior manager/MLRO/director, are you confident that your policies and procedures are sufficient to meet the regulator's requirements?
- Is there confidence that customer due diligence and enhanced due diligence are undertaken in a way that ensures that proper contextual risk evaluations are done with complete and up-to-date information?
- Is the information continually updated to ensure decisions are made on transactions? Are business relationships correctly monitored?
- Are there clear records of the information collected, when and how decisions were made?
- Is the basis upon which risk-assessment and consequent decisions were made clearly documented?
You must answer these to ensure your success and compliance.
The new legislation will possibly slow new business and could be costly unless technology is used to help gather information to assess the risk posed by a customer. This is where regulation technology can assist.
Jane Jee is the CEO of RegTech firm, Kompli-Global.