What are my obligations as a practitioner?
Practitioners should and indeed are obliged to consult guidance documents when considering their obligations. In Ireland see CCAB-I Anti Money Laundering Guidance for members TR01/2019 (updated March 2022).It contains detailed guidance including guidance on the summary paragraphs below. This guidance has been updated March 2022 to take account of the transposition of the fifth Anti Money laundering Directive.
Click here for Irish legislation on anti money laundering.
A brief review of some of the obligations is provided in the paragraphs below.
Firm wide business risk assessment
Firms must carry out and keep up to date a firm-wide business risk assessment under section 30 A of the CJA 2010 (as amended). The assessment should include consideration of the firm’s client base and the services it offers, the countries and geographical areas the firm operates in, the type of transactions carried out and the delivery channels used. For example, where the channel allows the service to be delivered without meeting the client face-to-face that might lead to a higher risk of exposure to money laundering.
The legislation also requires that firms have regard to any relevant information in national risk assessments. Click the link for Ireland’s latest national risk assessment .They must also have regard to any guidance on risk issued by the competent authority for the designated person. In addition to the CCAB-I Anti Money Laundering Guidance for members TR01/2019 (updated March 2022) referred to above, reference should be made to The Chartered Accountants Institute Risk Outlook January 2021 which assesses the circumstances where there might be a high risk of money laundering or terrorist financing in the accountancy sector.
The business risk assessment must be documented and approved by senior management. It should also be updated regularly.
Failure to comply with the obligations is an offence.
Individual risk assessments for clients
It is now a statutory requirement under section 30B of the CJA 2010 (as amended), to carry out a stand-alone risk assessment on each client to whom a firm provides an AML-regulated service. This is to determine the type of client due diligence to be applied to that client. The legislation details the matters the firm should have regard to such as
- its firmwide risk assessment;
- any national risk assessment;
- guidance from a competent authority;
- relevant risk variables including
- the purpose of the relationship;
- size and regularity of transactions;
- duration of the business relationship;
- the presence of certain factors scheduled in the legislation which might suggest a lower or higher risk;.
- In relation to this, practitioners should have regard to schedules 3 and 4 of the CJA 2010 (as amended).
Schedule 3 contains a non-exhaustive list of factors suggesting potentially lower risk. For example public companies subject to disclosure requirements or dealings with third countries having effective anti-money laundering (AML) or combatting financing of terrorism (CFT) systems might suggest a potentially lower risk.
Schedule 4 contains a non-exhaustive list of factors suggesting potentially higher risk. For example, a customer where the ownership structure of the company appears unusual or excessively complex given the nature of the company’s business or dealings in a country identified by credible sources as having significant levels of corruption or other criminal activity might suggest a potentially higher risk.
Customer Due Diligence (CDD)
The client risk assessment referred to above, carried out when providing AML-regulated services, will determine the extent of client due diligence measures to be applied. Under the legislation customer due diligence must be applied at different junctures; before the start of a new business relationship or before carrying out occasional transactions and at appropriate points during the lifetime of the relationship. CDD measures must be applied at any time where the relevant circumstances of a customer have changed, or where the risk of money laundering and terrorist financing warrants their application.
Since the Criminal Justice (Money laundering and Terrorist Financing (Amendment ) Act 2021 , customer due diligence measures must be applied, at any time when a designated person is obliged by law to contact a customer for the purposes of reviewing any relevant information relating to the beneficial owner connected with a customer, including where obliged to do so to seek information for tax purposes.
The standard procedures to be carried out in relation to Customer Due Diligence (often referred to as “standard” or “normal” due diligence) are set out in Section 33 of CJA 2010 as follows:
- identify the client, and verify the client’s identity on the basis of documents (whether or not in electronic form), or information that the firm has reasonable grounds to believe can be relied upon to confirm the identity of the client .
- identify any beneficial owner connected with the client or service concerned, and verify the beneficial owner’s identity. Since the CJA 2021 where a beneficial owner is a senior managing official of a legal entity, a designated person must take the necessary measures to verify the identity of that person and must keep records of the actions taken to verify the person’s identity including any difficulties encountered in the verification process.
- In the case of legal arrangements such as trusts or partnerships, the firm must understand the ownership and control structure of the entity or arrangement concerned.
- verify the identity and authority of persons purporting to act on behalf of the client.
When risk is low, simplified due diligence may be applied. This means that the measures laid out in section 33 and 35 of the 2010 Act are not required to be applied. Firms are still required to document its risk assessment and should also reassess this risk assessment periodically. Where circumstances arise that indicate a risk level greater than low applies, the firm should update their CDD accordingly.
Business relationships-beneficial owners
In the case of business relationships, section 35 of the CJA Act 2010 (as amended) provides that before the establishment of the business relationship the designated person must obtain information on the purpose and intended nature of it and must continue to monitor it afterwards. Further, since the CJA 2021, all designated persons must obtain information on the beneficial ownership if the beneficial owner of the customer is an express trust, is entered in the central register of beneficial ownership of companies and industrial and provident societies, or is entered in the central register of beneficial ownership of Irish collective asset-management vehicles, credit unions and unit trusts. The designated person must not engage in that business relationship until the relevant information is obtained. There is an exception that a financial institution may open an account ahead of obtaining the information but cannot allow any transactions on that account.
Where, in obtaining the above information, the firm identifies a discrepancy between information on a central beneficial ownership register and the beneficial ownership identified by the firm, the firm has a reporting requirement to the relevant registrar. Further, where non-compliance with the central register filing requirements is identified, a reporting requirement exists. For further information see for example FAQ 15 of the FAQs on the RBO website for companies and industrial and provident societies.
For more detailed information on the area of beneficial ownership please see our dedicated beneficial ownership page and please also see section 6 of CCAB-I Anti Money Laundering Guidance for members TR01/2019 (updated March 2022).
Enhanced CDD
The legislation provides for enhanced CDD in certain circumstances. Amongst other scenarios, where a firm identifies that a client is higher risk, enhanced CDD should be applied. Factors which suggest a potentially higher level of risk are set out in schedule 4 of the CJA 2010. For example, business that are cash intensive and circumstances where the ownership structure appears unnecessarily complex may be higher risk.
In 2021, a new high risk factor was added to schedule 4 as follows- “the customer is a third country national who applies for residence rights or citizenship in the State in exchange for capital transfers, purchase of property or government bonds or investment in corporate entities in the State.”
Politically exposed persons (PEP)
A designated person is required to take steps prior to establishing a business relationship or carrying out an occasional transaction, to determine if a customer, or a beneficial owner connected with the customer or service, is a politically exposed person or an immediate family member, or a close associate, of one. The legislation describes what a politically exposed person is. Please also refer to the CCAB-I Anti Money Laundering Guidance for members TR01/2019 (updated March 2022) for guidance in this area. The definition of a PEP is broadened by the CJA 2021 to include any individual performing a "prescribed function". Under the CJA 2010 (as amended) “prescribed” means prescribed by the Minister (for Justice Equality and Law Reform ) by regulations made under that Act.
Senior management must approve before a relationship with a PEP is established and the designated person must determine the source of wealth and the source of funds and must apply enhanced monitoring of the business relationship with the customer. Also, if a designated person knows or has reasonable grounds to believe that a beneficial owner connected with a customer or with a service sought by a customer, is, or has become, a politically exposed person or an immediate family member or close associate of one, the designated person must apply the enhanced due diligence measures in relation to the customer concerned.
The period of enhanced supervision of Politically Exposed Persons (PEP), which was 12 months after they cease to hold a prominent public function, is extended in the CJA 2021.It permits a designated person to continue monitoring someone who was previously a PEP as long as is reasonably required to take into account the continuing risk posed by that person and until such time as that person is deemed to pose no further risk specific to politically exposed persons.
The CJA 2021 empowers the Minister for Justice, with the consent of the Minister for Finance, to issue guidelines to the competent authorities, in respect of functions in the State that may be considered to be prominent public functions. In January 2023 the Irish Minister for Justice, with the consent of the Minister for Finance issued Politically Exposed Persons (PEP ) Guidelines under section 37(12) of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 giving more detail of those functions in the State that may be considered to be prominent public functions for the purposes of the CJA 2010 (as amended). This will assist firms to identify domestic Politically Exposed Persons (PEPs) when conducting their AML risk assessment. Please also refer to the European Commission publication of November 2023 which contains a full list of PEPs for EU countries.
If the person fails to provide documentation or information needed, then the relationship or service must be discontinued until provided.
High risk third countries
The CJA 2021 now includes a specific list of enhanced due diligence measures that the designated person is required to apply when dealing with a customer established, or residing, in a high-risk third country.
With certain exceptions a designated person is required to obtain additional information on:
- The customer and on the beneficial owner,
- The intended nature of the business relationship,
- Their sources of funds and sources of wealth, and
- The reasons for the intended or performed transactions.
The designated person must obtain senior management approval for establishing or continuing the business relationship and must conduct enhanced monitoring of the business relationship by increasing the number and timing of controls applied and selecting patterns of transactions that need further examination.
High-risk third country is defined in section 24 of the 2010 Act .Jurisdictions that are identified by the EU as having strategic deficiencies in their AML/CFT regimes can be found here. Reference can also be made to countries identified by Financial Action Task Force (FATF) high-risk jurisdictions.
Relationships with a higher degree of risk
The legislation provides for enhanced customer due diligence for “higher risk” relationships where, having regard to matters assessed in the individual risk assessment, a reasonable person would determine that the business relationship or transaction presents a higher degree of risk of money laundering or terrorist financing.
Failure to comply with the provisions for customer due diligence and enhanced due diligence can lead to fines, or imprisonment, or both, for the designated person.
What do you need to do at your firm: Policies, Controls, Procedures (PCPs)
All accountancy firms are required to have up to date internal policies, controls and procedures in place to protect against money laundering and terrorist financing. The CJA 2010 (as amended) places certain requirements on accountancy firms regarding record keeping, procedures and training. The specific statutory requirements about what a firm’s PCPs should cover are listed in section 54 of the CJA 2010 (as amended).
The internal policies, controls and procedures include dealing with the following:
- Identifying, assessing ,mitigating and managing risk factors,
- Customer due diligence measures,
- Monitoring transactions and business relationships,
- Identifying and scrutinising large/complex transactions, unusual patterns of transactions ,
- Under the CJA 2021 a designated person will be required , in accordance with adopted policies and procedures to examine the background and purpose of all transactions that are complex, are unusually large, are conducted in an unusual pattern, or do not have an apparent economic or lawful purpose,
- measures to be taken to prevent the use for money laundering or terrorist financing of transactions or products that could favour or facilitate anonymity,
- measures to be taken to prevent the risk of money laundering or terrorist financing through technological developments,
- reporting :Internal and external reporting (see our "Reporting Requirements" page for further details on external reporting),
- record keeping,
- keeping documents and information up to date,
- internal systems and controls to identify emerging risks and keep business wide risk assessments up to date,
- monitoring and managing compliance with, and the internal communication of, these policies, controls and procedures.
The policies procedures and controls must have regard to any guidance issued by the competent authority. They must be approved by senior management and kept under review and up to date. (It is recommended that a written record of this exercise is maintained).
There is a statutory obligation under section 54(6) that the designated person ensures that persons involved in the conduct of the designated person’s business are instructed on the law relating to money laundering and terrorist financing and provided with ongoing training on identifying a transaction or other activity that may be related to money laundering or terrorist financing, and on how to proceed once such a transaction or activity is identified.
Since the European Union (Money Laundering and Terrorist Financing) Regulations 2019 (578/2019), a designated person must have in place appropriate procedures for reporting of a contravention internally through a specific, independent and anonymous channel, proportionate to the nature and size of the designated person concerned.
Insights from Professional Standards on AML deficiencies
The Institute’s professional standards board in its annual reports on anti-money laundering provide some insight into anti money laundering deficiencies in firms which it has inspected which might be helpful for the reader to review .
In its AML supervision report 22/23 the most common findings related to breach were no or inadequate documented policies & procedures, inadequate documentation of CDD, no or inadequate CDD procedures, no ongoing CDD monitoring, no or inadequate client risk assessment or a record missing, no/inadequate periodic review of compliance with AML regs, no or inadequate training, no or inadequate firm-wide risk assessment.
In the Professional Standards Board annual report 2021 common issues identified through PSD’s supervisory activities in recent years include a firm not documenting a firm wide risk assessment or the risk assessment requires improvement ,firm’s AML policies and procedures requiring improvement ,on-going customer due diligence not carried out on all clients of firm ,verification of identity of client not carried out ,conclusion following the firm's risk assessment of its clients not documented, up to date AML training not undertaken and annual money laundering compliance review not completed, or not effective.