Practice Assurance And Money Laundering 2015 Update - 2020 Innovation


PRACTICE ASSURANCE AND MONEY LAUNDERING UPDATE 2015

Practice Assurance and Money Laundering 2015 Update

13th November 2015

No responsibility for loss occasioned to any person acting or refraining from action as a result of the material in these notes can be accepted by the author or 2020 Innovation Training Limited.

2020 Innovation Training Limited, 6110 Knights Court, Solihull Parkway, Birmingham Business Park, Birmingham B37 7WY
Tel. +44 (0) 121 314 2020 Fax +44 (0) 121 314 4718 Email: info@the2020group.com Website: www.the2020group.com

TABLE OF CONTENTS

QAD – PRACTICE ASSURANCE ESSENTIALS 2015
DATA PROTECTION – THE NEXT BIG THING FOR PRACTICE ASSURANCE
    The Data Protection Act (DPA)
    Cyber Essentials
    Use of cloud accounting packages
    HMRC IT Advice
CLIENT MONEY
ANTI-MONEY LAUNDERING UPDATE & REFRESHER
    Changes in responsibilities
    Customer due diligence refresher
    The use of electronic means of confirmation
    On-going monitoring
    Suspicious activity reports - refresher
    Legal privilege
    Suspicious activity reports - examples
DISTRIBUTABLE PROFIT
    Meaning of ‘distribution’
    Profits available for distribution
    Impact of new UK GAAP on distributable profit
BARCLAYS BANK PLC V GRANT THORNTON UK LLP (GT) – BANNERMAN WORKS!
    Details of the case
    Particulars of the claim
    Bannerman and the decision
    ‘Disclaimer’
SRA ACCOUNTANTS’ REPORT REQUIREMENTS RELAXED
    Purpose of the accounts rules
    First round of proposals
    Recent changes to reporting requirements: phase one
    Recent changes to reporting requirements: phase two
    Implementation date: phase two
    Phase three

QAD – PRACTICE ASSURANCE ESSENTIALS 2015

The ICAEW’s Quality Assurance Department (QAD) carried out over 2,000 Practice Assurance reviews in 2014 and have recently published a report on their key findings, entitled “Practice Assurance Essentials 2015”.

Similar to previous years the QAD have, in their report, concentrated on a few key areas to give firms guidance on how their processes might need improving.

This year the QAD have focused on:

- Data protection
- Client money
- Anti-money laundering

These notes look at these three areas separately.

DATA PROTECTION – THE NEXT BIG THING FOR PRACTICE ASSURANCE

The Data Protection Act (DPA)

The ICAEW Quality Assurance Department (QAD) has highlighted the need for firms to have proper procedures to comply with the Data Protection Act and, of course, to ensure generally that they have sufficient back-ups and fail-safes to mitigate the risk of downtime in their systems.

The ICAEW’s view is that practically all firms of accountants will need to be registered with the Information Commissioner as Data Controllers, and the QAD will check to ensure this is the case.

There is a self-assessment checklist on the ICO website firms can use to confirm their registration requirement and the registration process itself is completed on that ter/

While it might come as a surprise to many that this area is so high up the list of topics, it is clear that most firms are heavily reliant on IT for all aspects of their practice, and yet many lack the skills to fully understand this area and so are often reliant on external consultants and suppliers.

The QAD highlight four key areas of best practice in their document:

1. Review policies and procedures regularly

The first point is to make sure you have policies and procedures! The bullet points below show the key points to include but these should be expanded to fit a firm’s actual attitude to items such as USB storage, internet use and staff’s own devices connecting to the office network.

If the firm does not have suitable procedures in place, then where there is a loss of data, it can be very hard for a firm to discipline staff appropriately:

- data storage – use of external media such as USB drives and external hard drives;
- passwords and encryption of laptops and other devices such as USB drives and external hard drives;
- use of internet and social media (e.g. when, sites excluded, purpose and monitoring);
- email use (e.g. when, recipients excluded, purpose, content and monitoring);
- use of own devices (bring your own device – BYOD) such as tablets (are they secure, password protected and able to be remotely wiped); and
- data loss.

2. Make sure data is secure

While often the focus is on passwords, this is only part of the story. Few data breaches are from passwords being remotely hacked and other issues (as noted below) are equally important:

- make sure client data is physically secure;
- make data transfers as secure as possible (this can be done with encryption, passwords or client portals);
- don’t put more than one set of data on a USB; and
- protect data with up-to-date security, back it up and then test back-ups regularly.

3. Use of third parties and cloud computing

The risks in this section could range from subcontractors accessing your network to work on client data, to third parties processing payroll for the firm, through to experts consulting on your audit work. In all these cases, make sure the other party understands your data security policies. If you transfer data to them, check they comply with the provisions of the DPA.

So, do these third parties have backups? Do they use passwords and encryption? Do they copy data to unsecure locations like Dropbox, USB memory sticks or smart phones?

If the firm uses the cloud for storing client data or is considering it:

- make sure your clients understand and agree to the arrangement;
- check the third party has appropriate security in place to comply with the DPA; and
- check if the data is going to be stored outside the EEA. If so you may need additional contractual confirmation that their security is adequate.

4. Make sure your staff understand the firm’s policies and procedures

As this is such a key area of most businesses, the ICAEW recommend that staff (and principals!) are trained in, and confirm their understanding of, the firm’s procedures. The firm could also carry out regular monitoring reviews and the ICAEW helpsheet and ems-compliance-review-pas4-hs10

Note that for sole practitioners with no staff, QAD do mention the need for an alternate who can access client data in case you are incapacitated. This is a valid point as it would be impossible for an alternate to run a practice if they could not access key information regarding the firm’s clients.

The ICAEW website contains more information ion

Cyber Essentials

In conjunction with the government, the ICAEW has launched a guide and industry mark called Cyber Essentials to help UK businesses protect themselves.

Cyber Essentials aims at the most basic technical controls (five in total) and is really a starting point for cyber security. It doesn’t supersede other standards, such as ISO27001, but is a base level of cyber hygiene which all businesses should have in place. It won’t prevent all security breaches, but it will raise the bar significantly for many firms who are currently very vulnerable.

It incorporates a ‘badge’ system to demonstrate compliance with the controls. To get a Cyber Essentials badge, a business fills in a questionnaire on the controls, which is then validated by a qualified professional. This badge can provide differentiation and competitive advantage to businesses, and help build trust and confidence in the digital economy.

The government has no intention to make it a legal requirement - instead, they are focusing on market incentives to drive adoption. In particular, they are looking for the standard to be driven down supply chains and, to this end, they will make it mandatory for companies bidding for government contracts, where it is ‘proportionate and relevant’. So, while it is not a legal requirement, it could become a pre-requisite for doing business in many supply chains.

The guide can be found uploads/attachment data/file/317480/CyberEssentials Summary.pdf

The launch article and links to consultants who assess compliance in this area can be Hall

Use of cloud accounting packages

Many firms use cloud based accounting packages such as QuickBooks or Xero for client bookkeeping. However, before starting to work with QuickBooks or Xero the firm should confirm where it holds data.

If the data is held outside the EEA then the firm should change its registration with the Data Commissioner to include worldwide transfers or check that it has a worldwide registration. Many firms have a DP licence that only permits data to be transferred within the EEA.

The firm should also then confirm with QuickBooks/Xero/anyone else they use that it complies with the UK Data Protection Regulations and obtain a Safe Harbour agreement. (QuickBooks should be able to supply this easily when asked as other firms have obtained it).

The firm should then amend its engagement information so that clients are aware where the data is held. The IT Faculty of the ICAEW are working on a help sheet in this area but this will not be out until at least September 2015 and even then might not include engagement letter wording.

HMRC IT Advice

When considering the firm’s IT policies generally the firm should take note of the latest advice from HMRC. It is firstly saying that firms should ensure they use their own login to access HMRC online service and not the client’s.

Then it is advising firms to keep their HMRC agent login details secure and update them periodically. A particular risk in this area is the firm’s procedures when a member of staff leaves, if that member of staff would have had access to the firm’s agent login details.

CLIENT MONEY

The QAD start off by reminding members that tax refunds handled by the firm are clients’ money, and that the clients’ money regulations apply.

If clients’ money is held then the firm needs to have an appropriate clients’ money bank account. This must have the word ‘client’ in the title and the bank must confirm they are holding it in trust for clients.

Here are the ‘useful reminders’ that the QAD include in their report.

- Make sure you have done money laundering checks for clients who you hold money for.
- If you take fees from your clients’ money account, you must have consent or 30 days must have passed since you gave them an invoice.
- If you hold more than £10,000 for one client for more than 30 days, you must open a separate designated account.
- In general, you will have to pass any interest to your client.
- The clients’ money account should not incur bank charges.
- Pay mixed monies into the client account first.
- You must reconcile the individual client ledgers to the bank reconciliation at least every five weeks.
- You must do an annual compliance review.
- You must know where your bank trust letter is.

More about the rules can be found at icaew.com/regulations, and there is a helpsheet with a compliance review checklist at icaew.com/clientmoney

ANTI-MONEY LAUNDERING UPDATE & REFRESHER

It has been a quiet time in the world of anti-money laundering legislation. There have been no significant changes for a number of years. The most up to date guidance remains the CCAB guidance:

TECH 04/08 ANTI-MONEY LAUNDERING GUIDANCE FOR THE ACCOUNTANCY SECTOR

This is intended to be a refresher taking into account the latest thinking on anti-money laundering legislation, in so far as it affects the accountancy sector.

Changes in responsibilities

Having said that, there have been some recent changes in AML responsibilities:

- On 7 October 2013 the Serious Organised Crime Agency ceased to exist and its responsibilities have been taken over by the newly formed National Crime Agency. The process for reporting suspicious activities remains the same, with over 99% ww.ukciu.gov.uk/saronline.aspx.
- From 1 April 2014 the Office of Fair Trading has ceased to exist. Its AML responsibilities have been split between HMRC and the Financial Conduct Authority (FCA), with HMRC taking over responsibility for surveyors and estate agents. FCA takes over supervision of Consumer Credit Providers. The Joint Money Laundering Steering Group has published guidance for Consumer Credit Providers which can ce-for-consumer-creditproviders.

Customer due diligence refresher

What most accountants might refer to as identifying the client, or know your client, is customer due diligence from a money laundering perspective.

In customer due diligence the following need to be obtained:

- Evidence of the existence of the entity (company, charity, trust etc).
- A full list of the principals, being the individuals who manage the entity (directors, trustees etc). On a risk basis, verify the identity of a sample of principals.
- A full list of any individuals who are beneficial owners, being: those who own or control (directly or indirectly) more than 25% of the entity (25% or more for trusts); anyone who otherwise exercises control over the management of the entity; and anyone on whose behalf the entity operates.

A risk based approach

The legislation and related guidance require the work to be targeted on a risk basis. Where risk is perceived to be higher the customer due diligence will be in more depth and information obtained might be of a higher quality or in a greater quantity.

Note: Accountancy firms are frequently criticised by monitoring units for not following a risk based approach.

Any risk based system will take into account:

- the service being provided,
- the nature of the client and
- the jurisdictions in which the client/owners/principal/other advisors operate

The approach that a firm takes will vary depending upon its size and structure, services that it supplies and the type of clients that it expects to deal with. One firm might have a 20 page form and a three stage client acceptance process; another might have a risk assessment tick box: low - medium – high. Both might be appropriate to the firm’s respective circumstances.

Risk based evidence – the guidance

The following is an extract from TECH 04/08 which is useful in understanding how to apply a risk based approach. The following shows what evidence might be obtained in relation to an individual. (The guidance contains similar guidance for companies etc in appendix 5B)

Proper customer due diligence

Customer due diligence is more than just identifying the client by obtaining the above information. It should include obtaining a more fully rounded view of them and their affairs. This is needed to assist with the risk assessment process as well as making it easier to identify money laundering. After all, if the advisor understands the individual or the entity well then it is easier to see when something is not right.

TECH 04/08 also includes this useful list of prompts to assist with this process:

The use of electronic means of confirmation

Electronic client identification is not a client due diligence ‘silver bullet’. These subscription services, usually accessed online, can be very useful but the firm has to take responsibility for its own anti-money laundering procedures and cannot just ‘sub it out’.

The firm must consider the nature of the system that it is using so as to understand its effectiveness. TECH 04/08 suggests that the firm consider:

Does the system draw on multiple sources? - A single source, for example, the Electoral Roll, is usually not sufficient. Also, a system should ideally use both positive and negative data. Positive data are those that verify details such as name, permanent address, date of birth and so on. Negative data refer to known incidents of fraud, including identity fraud. A database that draws together both positive and negative data will provide a more complete picture of the client.

Are the sources checked across a period of time? - Systems that do not regularly update their data are generally prone to more inaccuracies than those that do. Some data must, by their nature, be regularly updated, e.g. permanent addresses or credit histories.

Are there regular tests to ensure the integrity of data? - Database systems should have built-in, qualitative tests that ensure the integrity of data. The system should be transparent enough to allow the user to understand what checks are performed, what their outcomes are, and what bearing they have on the integrity of the data.

Risk based due diligence

Do not forget that customer due diligence must be risk based. The quantity and quality of evidence obtained will necessarily vary from case to case. Firms and individuals will have to use judgment to decide how electronic confirmations might be supplemented.

On-going monitoring

The records of customer due diligence need to be kept up to date, on an on-going basis. This includes:

- Updating the risk assessment
- Checking to ensure that new owners/principals/etc have been properly identified
- Updating evidence of address etc
- Checking that all other customer due diligence information is still current and up to date

How often this is done and what triggers the update is a judgement that each firm needs to make. It is not unusual for accountancy firms to do this annually, as most accountancy and tax services recur each year.

Suspicious activity reports - refresher

The legislation requires that relevant businesses report knowledge or suspicion of money laundering. There are a number of criteria that apply before a suspicious activity report is required. A report is only required if all the following conditions apply:

- You must know, or suspect, or have reasonable grounds for knowing or suspecting, that another person (the alleged offender) was engaged in money laundering. It is irrelevant whether this alleged offender is a client of yours or not.
- The information or other matter on which your knowledge or suspicion was based, or which gave you reasonable grounds for such knowledge or suspicion, came to you in the course of a business in the regulated sector (i.e. at work). So there is no duty to report, for example, gossip overheard in the pub on Saturday night.
- You can identify the alleged offender or the whereabouts of any of the laundered property, or you believe, or it is reasonable to expect you to believe, that the information or other matter will or may assist in identifying the alleged offender or the whereabouts of any of the laundered property. So a client telling you at work that someone broke into his business and stole some computers does not require a report.
- The information was not received in privileged circumstances. This is a critical point. Many firms still don’t understand the privilege exemption. See below.
- If the offence took place overseas then it was not exempt. To be exempt it must have been legal in the country in which it occurred and, if it had happened in the UK, the maximum penalty must be less than 12 months in jail.

Money laundering is dealing with criminal property, which is the benefit of criminal conduct. But only where the alleged offender knows or suspects he is getting such a benefit.

You must report knowledge or suspicion of money laundering or terrorist financing to your MLRO.

You must not ‘tip off’ nor prejudice an investigation.

Legal privilege

Accountants are now subject to the same reporting requirements as lawyers, for money laundering reporting purposes, in respect of information received under privileged circumstances.

With effect from 21 February 2006, s.330(6) was amended by The Proceeds of Crime Act 2002 and Money Laundering Regulations 2003 (Amendment) Order 2006 so as to extend this reporting exemption to a new but limited category of advisers: “other relevant professional advisers”. Relevant professional advisers are defined in the legislation as:

an accountant, auditor or tax adviser who is a member of a professional body which is established for accountants, auditors or tax advisers (as the case may be); and which makes provision for

- testing the competence of those seeking admission to membership of such a body as a condition for such admission; and
- imposing and maintaining professional and ethical standards for its members, as well as imposing sanctions for non-compliance with those standards.

If a relevant professional adviser considers that the information or other matter on which his or her knowledge or suspicion is based came to him or her in privileged circumstances, he or she must apply the privileged circumstances exemption in s 330 (6) (unless the crime/fraud exception applies) and so has no discretion to make a money laundering report. This means that the relevant professional adviser could find themselves in a situation where he or she might wish to make a report but is prevented from doing so by the privileged circumstances exemption.

For the privileged circumstances set out in s 330 (10) (a) and (b) to apply, the following conditions need to exist:

- there needs to be a confidential communication (written or oral) between the relevant professional adviser and his client, or a representative of the client, in which the client seeks or the relevant professional adviser gives legal advice;
- that communication must take place within the confines of a professional relationship between them; and

- the communication must relate to legal advice (i.e. advice concerning the rights, liabilities and obligations or remedies of the client under the law).

Examples where relevant professional advisers might frequently fall within privileged circumstances as regards legal advice privilege include:

- advice on taxation matters, where the tax adviser is giving advice on the interpretation or application of any element of tax law and in the process is assisting a client to understand his tax position;
- advice on the legal aspects of a take-over bid, for example on points under the Companies Act legislation;
- advice on duties of directors under the Companies Act;
- advice to directors on legal issues relating to the Insolvency Act 1986, e.g. on the legal aspects of wrongful trading; and
- advice on employment law.

The above sets out the basis of legal privilege when legal advice is being provided. Legal privilege can also exist for litigation services.

For more guidance see ICAEW Technical Releases.

Suspicious activity reports - examples

The following examples are taken from Practice Note 12, which is guidance to auditors. The fact that the guidance is written for auditors is not particularly relevant, because the AML legislation will apply in an identical way throughout the accountancy sector.

Offences that indicate dishonest behaviour (for example, overpayments not returned)

Some customers of the audit client have overpaid their invoices and some have paid twice. The auditor discovers that the audit client has a policy of retaining all overpayments by customers and crediting them to the profit and loss account if they are not claimed within a year.

The auditor considers whether the retention of the overpayments might amount to theft by the audit client from its customer. If so, the client will be in possession of the proceeds of its crime, a money laundering offence.

In the case of minor irregularities where there is nothing to suggest dishonest behaviour (for example where the client attempted to return the overpayments to its customers, or if the overpayments were mistakenly overlooked), the person making the report may be satisfied that no criminal property is involved and therefore a report is not required.

If there are no such indications that the company has acted honestly, the auditor concludes that the client may have acted dishonestly. Following the firm’s procedures, which take into account the SOCA (now NCA) guidance about minor irregularities where dishonest behaviour is suspected, and about multiple suspicions of limited intelligence value which arise during the course of one audit, the auditor must make a report to the MLRO but may do so at the end of the audit, briefly describing the situation and any other matters of limited intelligence value.

Offences that involve saved costs (for example, environmental offences)

The client has a factory that manufactures some of the goods sold in its retail business. In the course of reviewing board minutes, the auditor discovers that the client has been disposing of waste from the factory without a proper licence. There are concerns that pollutants from the waste have been leaking into a nearby river. The client is currently in discussion with the relevant licensing authorities to try to get proper authorisation.

The auditor has reasonable grounds to suspect that the client may have committed offences of disposing of waste without the relevant licence and of polluting the nearby river. The client has saved the costs of applying for a licence. It is also apparent that its methods of disposing of the waste are cheaper than processing it properly. These saved costs may represent the benefit of the client’s crime. The client is in possession of the benefit of a crime and the auditor therefore suspects that it has committed a money laundering offence.

The firm’s procedures take into account the SOCA (now NCA) guidance which states that in the case of regulatory matters, where the relevant government agency is already aware of an offence which also happens to be an instance of suspected money laundering, a limited intelligence value report can be made. A limited intelligence value report can also be made where the only benefit from criminal conduct is in the form of cost savings.

The authorities are aware of the licensing issue and the pollution of the nearby river. As the only benefit to the company is in the form of cost savings, the auditor decides to include this matter in the limited intelligence value report to the MLRO at the end of the audit.

Alternatively, if the client has accrued for back licence fees, fines and/or restitution costs, there may be no remaining proceeds to the original offence and therefore no need to report.

DISTRIBUTABLE PROFIT

With the new UK GAAP beginning to bite, many companies are turning their attention to the impact that the transition across to FRS 102/FRS 102 with reduced disclosure/FRS 105 will have on previously reported financial information. Recogniti
