ICQ Log -  Financial Crime: 5th Money Laundering Directive

Dear CEO Letter - Schedule 2 Firms

Last Updated: 10 September 2021

The Central Bank of Ireland (“CBI”) issued a “Dear CEO Letter” in December 2020 (the “Letter”), outlining the anti-money laundering/terrorist financing (“AML/CTF”) compliance issues that firms who are designated as ‘Schedule 2 firms’ must adhere to and monitor on an ongoing basis. Schedule 2 firms would include, for example, Irish SPVs that are involved in activities such as lending, debt factoring or finance leasing, unregulated lenders and others.

The Letter also sets out the CBI’s findings from its supervisory engagements with firms in accordance with Part 4 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (the “2010 Act”), which includes conducting inspections and holding ad hoc meetings with registered firms, as well as the CBI’s expectations in this regard. The CBI’s expectations addressed to Schedule 2 firms are, in our experience, entirely consistent with the regulator’s approach to AML/ CTF compliance in other sectors and for compliance professionals with responsibility for AML/CTF nothing contained in the Letter will be a surprise.

Board Oversight and Governance

As with many “Dear CEO” letters, the CBI’s first observation was addressed to boards. This is particularly relevant for the SPVs which were the focus of the CBI’s review given that these vehicles have no staff so it falls on the boards to ensure compliance. Firms are expected to ensure that AML/CTF is a regular agenda item at board meetings, and ensure a framework is in place to identify and adopt updates in the relevant legislation for ongoing compliance. It is not mandatory for a Schedule 2 firm to appoint a Money Laundering Reporting Officer but it is considered to be best practice. If appointed, they (or their equivalent who has been clearly allocated AML responsibilities by the firm) should actively report to the Board on a frequent basis. It is recommended that this would include on relevant outsourced arrangements, where the Board does not have direct oversight, and the firm must be able to evidence that they are monitoring the progress of management action points arising from these arrangements. It may be that contracts with service providers will need to be revised to provide the support necessary to meet the applicable AML/CTF obligations.

Risk Assessments

Where a firm relies on a third party, or another entity within a group of companies, to carry out its AML/CTF business wide risk assessment on its behalf, it must relate to risks and controls associated with the firm specifically, rather than focus on those of the wider group. The objective should be a focussed risk assessment not a generic one. This risk assessment should be refreshed annually, and approval by the board must be formally evidenced.

Policies and Procedures

Firms must ensure to have documented AML/CTF policy and procedures in place, that are tailored to the specific business activities and associated risk factors of the firm, and which are consistent with Irish legislative requirements. Similar to the point on risk assessments, this finding comes from the CBI finding too many firms using “cookie cutter” precedents derived from group with not enough adapted to the specific circumstances of the Schedule 2 firm itself.

Customer Due Diligence (“CDD”)

Firms must consider the identity of their customers and must conduct appropriate due diligence in accordance with the level of risk involved with their customers. The Letter noted that many firms were inconsistent in determining who were their customers. This comment seemed particularly focussed on firms that raise capital from investors through loan notes and then subsequently lend that capital to third party borrowers as part of an investment strategy. There are broad obligations in Section 54 of the 2010 Act to prevent and detect money laundering and terrorist financing but the detailed due diligence obligations in section 33 only apply to customers. It is critical for firms to correctly distinguish between customers and others in order to correctly understand their obligations under the 2010 Act.

Politically Exposed Persons (“PEPs”) and Financial Sanctions (“FS”)

Firms should ensure that the policies and procedures are in place to identify and escalate PEP and FS alerts, including the process and appropriate reporting lines to be followed. Where screening tools are relied upon, firms should ensure appropriate oversight and ongoing assurance testing and monitoring is in place to ensure they are fit for purpose. Suspicious Transaction Reporting (“STR”) Firms should ensure their policies and procedures include details for the escalation of suspicions, including the personnel to whom suspicions should be raised / reported. If AML responsibilities are outsourced to third parties, the firm should ensure the third party is subject to the appropriate level of oversight. The level of STRs being made by the firm should be regularly reported to the Board of Directors.

Training

Training materials should be tailored to the business of the firm and be reflective of the standards and practices the firm should be exhibiting to meet its obligations. These materials should be kept up-to-date and in line with Irish legislative requirements.

Conclusion

The focus of the CBI’s guidance and expectations in the Letter centres around Irish SPVs, who have registered as Schedule 2 firms and have failed to put in place bespoke AML policies and procedures, an AML business-wide risk assessment, or relevant tailored outsourcing agreements for AML. Firms using generic, ‘off the shelf,’ policies and outsourcing agreements fail to take into account the specific business activities and risk factors faced by the firm, and will face CBI scrutiny in the event of any investigation conducted following registration as a Schedule 2 firm. These firms should carefully take time to design more tailored AML compliance arrangements prior to registration with the CBI, and ensure these arrangements are updated and under constant review. For SPVs the support of third party service providers will undoubtedly be critical in enabling boards to demonstrate compliance in a way which meets the expectations of the CBI.

Virtual Asset Services Providers – 5AMLD

The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Bill 2020 (the “Bill”) is expected to become law at the beginning of April (at the time of writing the precise date was not clear). The purpose of the Bill is to give effect to certain parts of the 5th Anti-Money Laundering Directive (Directive (EU) 2018/843) (“AMLD5”), and to transpose those parts into national law. Notably, the Bill proposes to bring virtual asset service providers (“VASPs”) within the scope of Ireland’s AML regime for the first time and also creates a bespoke regulatory framework for such firms. These changes, including the definition of “Virtual Asset Service Provider” used in the Bill, go further than the minimum requirements of AMLD5 and seeks to bring Irish law on VASPs into line with the FATF Recommendations on the regulation of virtual asset service providers first published in June 2019.

The Bill introduces a number of new definitions into the existing AML regime, such as:

1 Virtual Asset, meaning a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes, but does not include digital representations of fiat currencies, securities or other financial assets;

2 Virtual Asset Service Provider, meaning a person who by way of business carries out one or more of the following activities for, or on behalf of, another person: • exchange between virtual assets and fiat currencies; • exchange between one or more forms of virtual assets; • transfer of virtual assets, that is to say, conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another; and/or • participation in, and provision of, financial services related to an issuer’s offer or sale of a virtual assert or both; • but does not include a designated person that is not a financial or credit institution and that provides virtual asset services in an incidental manner and is subject to supervision by a national competent authority, other than the CBI; and

3 Custodian Wallet Provider, meaning an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.

Section 25 of the Bill will seek to insert a Section 106E into the 2010 Act, requiring VASPs to register with the CBI for AML purposes in order to carry on activities as a VASP, such as an exchange between virtual assets and fiat currencies or acting as a custodian wallet provider. This will mean that the VASP or Custodian Wallet Provider will be subject to the same AML requirements as other designated persons, such as monitored transactions and customer due diligence.

Other relevant provisions

Section 106F of the Bill provides that a firm carrying out virtual asset services immediately prior to the enactment of the provisions will be taken to be registered to carry on such services until the CBI is in a position to grant / refuse an application to register the firm, provided that the firm seeks registration for AML purposes no later than 3 months following the enactment of these provisions. This “grandfathering” allows existing VASPs to continue to provide these virtual asset services following the passage of the Bill into law, without any business interruption suffered by the firm before the CBI’s acceptance of the its registration.

The Bill also outlines the factors the CBI may consider in deciding to refuse a firm’s registration application. These include a failure to satisfy the CBI: of the firm’s ability to comply with its obligations as a designated person; the firm will have in place sufficient resources and procedures to carry on business as a VASP; and the firm can manage and mitigate the risks of engaging in activities that involve the use of anonymity enhancing technologies or mechanisms that obfuscate the identity of the sender, recipient, holder or beneficial owner of a virtual asset.

Furthermore, a registered VASP will be required to include a regulatory disclosure statement in all of its advertisements for services, stating that the holder of the registration is registered and supervised by the CBI for anti-money laundering and countering the financing of terrorism purposes only.

Who does the registration requirement apply to?

Section 106E of the Bill extends the registration obligation to “all persons carrying on business” as a VASP. Interestingly, the Bill does not make any express exception for firms that may already be authorised by the CBI under other legislative frameworks (for example as e-money institutions or payment institutions). Accordingly, until the CBI issues guidance on the registration requirement following the entry of the Bill into law, it is unclear if the CBI will seek only to require otherwise unregulated firms to register as VASPs under this new framework.

Other Developments

The developments proposed by the Bill comes at a time of other significant regulatory developments for cryptoasset service providers in the European Union. In September 2020, the European Commission published its proposal for the establishment of an EU-level regime for crypto-assets, the Market in Crypto-Assets Regulation (“MiCA”). MiCA will seek to bring all crypto-assets within the remit of EU financial services regulation for the first time. This regime will likely involve the creation of a more formal authorisation process for unregulated subsidiaries that are providing virtual asset services, and importantly, enable the passporting of these rights across the EEA. It is therefore likely that many firms requiring registration as a VASP under Irish law will eventually seek to obtain an authorisation under the more useful MiCA framework once it is finalised at EU level in the coming years.

Author: Joe Beashel

Regulatory Risk Management Partner at Matheson

Author: Karen Reynolds

Partner and Co-Head of the Regulatory and Investigations Team, Matheson 

< Back to all Log Posts

ICQ Spring Edition 2021

This article was taken from the Compliance Institute's ICQ Autumn Edition 2021