Brokers Ireland Guidance On The Criminal Justice (Money Laundering And .


Brokers Ireland Guidance on the
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010
Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018
and
The Central Bank of Ireland’s Anti-Money Laundering and Countering the Financing of Terrorism Guidelines for the Financial Sector 2019

SEPTEMBER 2019

What is Money Laundering?

It is the process by which criminals conceal the true origin and ownership of the proceeds of drug trafficking or other criminal activity.

Stages of Money Laundering

There are three stages in the money laundering process:
1. Placement – this is the physical disposal of cash,
2. Layering – the creation of complex layers which make tracking transactions difficult,
3. Integration – absorbing the money back into the economy as legitimate money.

The Offences

- Money laundering – the actual process of laundering money;
- Assisting a money launderer – assisting somebody who is trying to launder money;
- Failure to identify a client – take reasonable steps to identify the client;
- Failure to keep records – records must be retained for five years after the client’s last transaction, or the relationship with the client has ended;
- Failure to report – reports must be made to the firm’s Money Laundering Reporting Officer, who in return makes a report to the Financial Intelligence Unit (FIU) and the Revenue Commissioners, if appropriate;
- Tipping off – this refers to tipping-off a potential money launderer that his/her activity has been spotted;
- Failure to conduct, document, review and manage a business risk assessment;
- Failure to apply enhanced customer due diligence measures when dealing with a customer established or residing in a high-risk third country;
- Failure to apply enhanced customer due diligence measures when there are reasonable grounds to believe that a customer is a Politically Exposed Person;
- Failure to apply enhanced customer due diligence measures where a business relationship or transaction presents a higher degree of risk;
- Failure to investigate complex or unusually large transactions or unusual patterns of transactions in greater detail and increase monitoring if they appear suspicious;
- Failure to adopt and document, review and manage internal policies, controls and procedures and to train relevant staff.

Maximum Penalties

Individuals and Corporate bodies can have sanctions imposed if they fail to comply with the law. This extends to insurance, investment, mortgage brokers and their employees. The maximum penalties are an ‘Unlimited Fine’ plus:
- Fourteen years in jail for money laundering or assisting a money launderer.
- Five years in jail for failure to identify, failure to keep records, failure to report or tipping-off.

What is Terrorist Financing?

A person commits the offence of ‘terror financing’ if they by any means, directly or indirectly provide, collect or receive funds intending that they be used or knowing that they will be used, in whole or in part in order to carry out:
- An act of terrorism as defined by law, or
- An act intended to cause death or serious bodily injury to a civilian and the purpose of which is, to intimidate a population or to compel a government or an international organisation to do or abstain from doing any act.

It can also include collecting or receiving funds intending that they be used or knowing that they will be used for the benefit of a terrorist group. An Garda Síochána can freeze and/or confiscate funds used or allocated for use in connection with an offence of financing terrorism or funds that are the proceeds of such an offence.

There can be similarities between the movement of terrorist property and the laundering of criminal property. However, there are two major differences between terrorist property and criminal property more generally:
- Often only small amounts are required to commit individual terrorist acts, and
- Terrorists can be funded from legitimately obtained income and it is therefore difficult to identify the stage at which legitimate funds become terrorist property used for terrorist financing.

Why do Intermediaries have responsibilities?

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended 2018, applies to mortgage, investment and life Intermediaries. Intermediaries who fall under the scope of the Legislation are deemed to be “Designated persons”.

Non-life intermediaries are outside the scope of the requirements. However, they are expected to be mindful of other legislation that would apply such as Financial Sanctions, and to have controls and procedures in place to detect and prevent financial crime, and as a result, to report suspicious transactions. Staff would need to be trained also in this regard. See Appendix 1.

The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended 2018, introduced the concept of a risk based approach to managing and mitigating money laundering and terrorist financing risks faced by the designated person. Designated persons are required to have the necessary procedures and record keeping processes in place to comply with the legislation.

Intermediaries are required to carry out customer due diligence:
- prior to establishing a business relationship with the customer;
- prior to carrying out an occasional transaction or service for a customer;
- prior to carrying out any service for a customer, if, having regard to the circumstances, the firm has reasonable grounds to suspect that the customer is involved in, or the service, transaction or product sought by the customer is for the purpose of ML/TF;
- prior to carrying out any service for a customer where the firm has reasonable grounds to doubt the veracity or adequacy of documents; and
- at any time, including where the relevant circumstances of a customer have changed.

What does identification mean?

Personal customers:

Identification of a personal customer is the process whereby a designated person obtains from a customer the information necessary for it to identify the customer. The identity of an individual has a number of aspects at any point in time, all of which must be obtained by the designated person:
a) name (which may change due to particular events);
b) address (which is likely to change from time to time); and
c) date of birth (which is a constant).

Where a person purports to act on behalf of a customer, a designated person will be obliged to verify
a) the identity of that person, and
b) that they are authorised to so act.

Legal persons and arrangements:

Identify: Customer legal person or arrangement
Who to identify: Legal person or arrangement
How to identify: Obtain information from the customer or from reliable, independent source on:
i) name, legal form and proof of existence;
ii) the powers that bind and regulate the legal person or arrangement;
iii) the address of the registered office (where applicable) and main place of business; and
iv) the nature of the business and its ownership
How to verify: This could generally be satisfied by either
- A search of the relevant company or other registry (where the necessary information is publicly accessible and considered by the Designated Person to be current and reliable); or
- A copy, as appropriate to the nature of the entity, of the certificate of incorporation, a certificate of good standing, a partnership agreement, a deed of trust, or other official documentation proving the name, form and current existence of the customer.
- In cases regarded by the Designated Person as higher risk, use of more than one source of information may be warranted.

Identify: Customer legal person or arrangement
Who to identify: Directors (or the equivalent in for example; Partnerships and unincorporated businesses, Clubs, Societies, Public Sector bodies.)
How to identify: Identify the directors of the legal person or trustees of a trust (or other equivalent persons for other forms of legal entity or arrangement). This information can be provided by the customer or obtained from a reliable, independent source.
How to verify: This could generally be satisfied by either
- obtaining a copy of the annual audited accounts listing directors (where the necessary information is publicly accessible and considered by the Designated Person to be current and reliable); or
- relevant and up-to-date legal opinion from a reliable source documenting due diligence conducted, including in relation to information on directors; or
- obtaining information from relevant company or another registry such as the CRO or known foreign equivalent; or
- as warranted by the risk, verify one or more directors in line with requirements for personal customers

Identify: Customer legal person or arrangement
Who to identify: Authorised signatory
How to identify: Identify the signatories by reference to the duly-approved mandate provided by the customer in relation to the operation of the business relationship.
How to verify: In accordance with normal business practice and as warranted by the risk of money laundering or terrorist financing, verify the personal identity of one or more of the signatories in line with the requirements for personal customers. Verification of authorised signatories may not be required where a sufficient number of directors have been verified in accordance with requirements

Business Risk Assessment

The 2018 Act introduces a requirement for designated persons to conduct a ‘business risk assessment’ to identify and assess the risks.

A business risk assessment should consist of two distinct but related steps:
- Identifying ML and TF risks relevant to a Firm’s business; and
- Assessing the identified ML and TF risks in order to understand how to mitigate those risks.

Firms should rely on their assessment of the risks inherent in their business to inform their risk-based approach to the identification and verification of an individual customer. This in turn should drive the level and extent of due diligence appropriate to that customer. A business risk assessment will assist firms to understand where they are exposed and which areas they should prioritise to combat ML/TF.

Various specified risk factors must be taken into account: the type of customer, products and services, countries or geographical areas, type of transactions, delivery channels.
When drafting and carrying out a business risk assessment, firms should use various sources, such as
- Communications issued by FIU Ireland;
- Risk Factors contained in Schedule 3 and 4 of the CJA 2010;
- Guidance, circulars and other communication from the Central Bank and other relevant regulatory bodies;
- Information from industry bodies;
- EU Measures, including financial sanctions and designation of high-risk countries;
- Information from international institutions and standard setting bodies relevant to ML/TF risks (e.g. UN, IMF, Basel, FATF); and
- Other credible and reliable sources that can be accessed individually or through commercially available databases or tools that are determined necessary by a firm on a risk-sensitive basis.

The business risk assessment must be documented and must be available to the relevant competent authority upon request. Where a firm decides to apply a different standard of CDD measures in circumstances where it believes, following a risk assessment, that a lower level of ML/TF risk applies, the firm should document its rationale for this. This should assist a firm in demonstrating to the Bank that it has complied with its obligations under the CJA 2010 and CJA 2018 (as amended).

Firms should ensure that they have systems and controls in place to identify emerging ML/TF risks and that they can assess these risks and, where appropriate, incorporate them into their business risk assessments. Accompanying customer due diligence measures should also be amended accordingly.

The business risk assessment must be reviewed and managed at regular, predefined intervals and it must be approved by Senior Management (or equivalent*). See Appendix 2 for a template business risk assessment. In addition, Senior Management must review and approve the methodology used for undertaking the firm’s business risk assessment.

Systems and controls should be put in place to ensure the individual and business risk assessments remain up to date. Examples include:
- Setting a timeline on which the next risk assessment update will take place, to ensure changing, new or emerging risks are included in risk assessments. Where the firm is aware that a new risk has emerged, or an existing one has increased, this should be reflected in risk assessments as soon as possible;
- Carefully recording issues throughout the year that could have a bearing on risk assessments, such as:
  - Internal suspicious transaction reports;
  - Compliance failures and intelligence from front office staff; or
  - Any findings from internal/external audit reports;

Like the original risk assessments, any update to a risk assessment and adjustment of accompanying CDD measures should be documented, proportionate and commensurate to the ML/TF risk.

Firms should consider the outcomes of their own business risk assessments and whether the frequency and content of AML/CFT training provided is adequate for levels of ML/TF risks faced by the firm.

Firms should also ensure the business risk assessment takes into account their obligations under financial sanctions regulations.

*Or equivalent means in the case of a Sole Trader/One director companies/Partner of the business, its Principal.

How the risk assessment affects customer due diligence

In deciding the level of customer due diligence (CDD) to be applied, intermediaries, when undertaking a transaction/entering a business relationship, must consider a number of factors, including: the relevant business risk assessment, the purpose of an account/relationship, the level of assets deposited/the size of the transaction and the regularity of transactions/duration of the business relationship.

Legislation allows designated persons to apply aspects of the customer due diligence requirements on a risk-sensitive basis depending on:
a) The nature of the product being sold;
b) The delivery mechanism or distribution channel used to sell the product;
c) The profile of the customer; and
d) The customer’s geographical location and source of funds.

The majority of focus is on risks from a product led perspective; however, there are situations where the delivery mechanism may add to the product risk. This is particularly the case with regard to non-face to face sales.

(A) Product Risk

The nature of the product being sold is usually the primary driver of the risk assessment. The risks to be considered would include the level of transparency the product affords, the complexity of the product, and its value or size. Characteristics such as where product features are defined and restricted; where the policy will only pay out on a verifiable event such as death or illness or where the policy is only accessible after years of contributions would mean that generally these types of products are standard. A small number of products such as single premium investment bonds do feature increased flexibility. This should be acknowledged in the application of the risk-based approach. The firm’s business risk assessment should be updated to capture any risks relating to new products.

(B) Distribution Risk (which may alter the risk profile)

The risks to be considered would include the extent that the business relationship is conducted on a non-face to face basis, and any introducers or intermediaries the business may use and the nature of their relationship with the firm.

“Face to Face” with no facility to take copies of ID

Where the interaction with the customer is on a face to face basis, the designated person should have sight of the original document(s) and appropriate details should be recorded. Where the customer is visited at his/her home address, the designated person should make a detailed record of the visit. This would include, for example, taking details of passport or driving license numbers. Brokers Ireland recommends that in such scenarios, the customer is requested to forward a copy of the relevant ID and that it is cross referenced with the details which were recorded at the point of sale.

“Non-face to face”

The extent of the customer due diligence in respect of non face-to-face customers will depend on the type of product or service requested and the assessed money laundering risk presented by the customer. Where the customer is not physically present (e.g. by post, telephone or over the internet) for identification purposes, additional measures should be undertaken to establish the customer’s identity. Examples of additional measures include:

- Telephone contact with the customer prior to the commencement of the business relationship on a home or business number which has been verified (electronically or otherwise) or a welcome call to the customer before the business relationship starts, using it to verify additional aspects of personal identity information that have been previously provided during the setting up of the account;
- Communicating with the customer at an address that has been verified (such communication may take the form of a direct mailing of account opening documentation to him which, in full or in part, may be required to be returned, completed or acknowledged without alteration);
- Verify information on documents received, e.g. in relation to a utility bill forwarded; cross check against a bank statement narrative relating to entries from the utility bill provided or cross check salary details appearing on a recent bank or building society statement verifying the individual’s employer as previously notified;

Third Party Reliance

The primary responsibility for supervising intermediaries lies with the Central Bank of Ireland; however, Product Providers, as a third party, retain responsibility for ensuring that customer due diligence obligations have been met by the Intermediary. Product Providers are legally obliged, where an intermediary fails to meet the customer due diligence requirements, to report this to the Central Bank of Ireland.

In order to comply with the Third Party Reliance requirements, Product Providers depending on their internal processes may require either:
1. Copies of all underlying documentary evidence from the intermediary for applicable products.
or
2. Confirmation of Verification of Identity where the Product Provider has the right of audit to ensure that the intermediary has the necessary documented evidence*

*In practice, providers require copies of the underlying documentary evidence.

(C) Customer Risk

In order to assess the level of customer due diligence to be applied, firms must identify and assess the ML/TF risk in relation to a customer or particular transaction. The risks to be considered would include the customer’s and their beneficial owner’s business or professional activity, their reputation and their nature and behaviour.

(D) Country or Geographical Risk

The level of risk, and therefore the level of due diligence to be applied depends on the jurisdiction in which the customer and its beneficial owners are based, where their main place of business is located, and whether they are within the EU or in a Third Country.

Customer Due Diligence (CDD)

In determining the level of due diligence to be applied, firms should take into account the relevant business risk assessment, the purpose of the relationship, the size of the transaction, and any risk factors contained within Appendices 4 and 5. The firm is to document their rationale for choosing the level of due diligence, and retain their rationale in accordance with their policies and procedures. Before the establishment of the business relationship, or the carrying out of the first transaction, firms are required to identify and verify customers and where applicable beneficial owners.

CDD involves more than just verifying the identity of a customer. Firms should collect and assess all relevant information in order to ensure that the firm:
- Knows its customers, persons purporting to act on behalf of customers and their beneficial owners, where applicable;
- Knows what it should expect from doing business with them; and
- Is alert to any potential ML/TF risks arising from the relationship.

CDD should comprise the following:
a) Identifying the customer & verifying the customer’s identity on the basis of documentation received.
b) Identifying, where applicable, the Beneficial owner* and taking adequate and risk based measures to verify his identity so that the designated person is satisfied as to the identity of the beneficial owner.
c) Obtaining information on the purpose and intended nature of the business relationship.
d) Conducting ongoing monitoring of the business relationship.

*Beneficial Owner is defined as any individual who ultimately owns or controls the customer and/or on whose behalf a transaction or activity is conducted.

Beneficial owner, in relation to a body corporate, is any individual who (other than a company having securities listed on a regulated market)
- ultimately owns or controls, whether through direct or indirect ownership or control (including through bearer shareholdings), more than 25 per cent of the shares or voting rights of the body; or
- otherwise exercises control over the management of the body.

Beneficial owner, in relation to a partnership, means any individual who
- ultimately is entitled to or controls, whether the entitlement or control is direct or indirect, more than a 25 per cent share of the capital or profits of the partnership or more than 25 per cent of the voting rights in the partnership; or
- otherwise exercises control over the management of the partnership

Beneficial owner, in relation to a trust: any individual who is entitled to a vested interest in the trust property may be considered a beneficial owner. Additionally, settlors, trustees and protectors of a trust may now also be considered beneficial owners. The threshold of 25 per cent ownership no longer applies.

Therefore, firms must identify all beneficial owners, where applicable, and verify the identity of the beneficial owners and the procedures to be applied in these circumstances.

There are three categories of customer due diligence (CDD)
- Simplified Due diligence applies to low risk customers and product.
- Enhanced Due Diligence applies to High Risk Third Countries, Relationship/transaction presents higher risk & Politically Exposed Persons.
- Standard Due Diligence must be applied to all remaining customers and products.

In addition to the requirement under the 2010 Act that customer due diligence be carried out at particular times, the 2018 Act adds that CDD must be executed at any time, including situations where the relevant circumstances of a customer have changed, where the risk of money laundering/terrorist financing warrants its application.

The firm is required to review and update the firm’s documented customer due diligence procedure to ensure that:
- It comprehensively details the firm’s obligations as a designated person in its own right reflective of current AML/CFT legislative and regulatory requirements; and
- it reflects the customer due diligence the firm undertakes in practice.

A client risk assessment form is recommended to be completed to assess the risk per transaction – See Appendix 3

1. Simplified Due Diligence (SDD)

Designated persons will be allowed to carry out SDD where the customer or business area is considered to be low risk. SDD can only be applied where a designated person has identified in its business risk assessment, an area of lower risk into which the relationship or transaction falls, and the relationship or transaction concerned can reasonably be considered to be low risk. Please see Appendix 4 and Appendix 5 for a list of factors suggesting potentially lower and higher risk. Prior to applying SDD measures, firms are required to conduct appropriate testing to satisfy themselves that the customer, business relationship or transaction qualifies for the simplified measures.

Examples of products which may fall into the simplified customer due diligence category are:
- Protection Policies with annual premium of less than 1000
- Pension Business (except ARF and AMRF)

Note: Intermediaries must at all times take into account the type of customer, countries or geographical areas, transactions and delivery channels and document the rationale for categorising these products as lower risk for the purposes of applying CDD.

Where this section is applied, the reasons for its application and the evidence on which it was based must be recorded and the business relationship and transactions must be monitored to enable the designated person to detect unusual or suspicious transactions.

Important: There is no exemption from the obligation to verify identity where there is a suspicion that a transaction involves money laundering or terrorist financing or where there is doubt about the veracity or accuracy of documents previously obtained from the client.

2. Enhanced Due Diligence (EDD)

In circumstances in which a firm has determined that a customer or business scenario presents a higher ML/TF risk, EDD measures should be applied. For example, has adequate information been obtained? If not, firms should seek additional documentation which may include establishing a customer’s source of wealth/source of funds. EDD measures cannot be substituted for CDD measures but must be applied in addition to them.

1) High risk third countries

A designated person is required to apply enhanced customer due diligence measures when dealing with a customer established or residing in a high-risk third country. There is an exemption that applies when the customer is a branch or majority-owned subsidiary of a designated person established in the European Union which complies with the group’s group-wide policies and procedures. These cases must be dealt with using a risk-based approach.

2) Relationship/transactions which present a higher risk

3) Politically Exposed Persons (PEPs)

A Politically Exposed Person (PEP) is an individual who is or has been entrusted with a prominent public function. Many PEPs hold positions of influence and as a result carry a greater risk, if their influence is abused for the purpose of money laundering, corruption or bribery. In addition to that, any close business associates or family member of these people may also be deemed as being a risk and therefore could also be added to the PEP list.

Enhanced due diligence measures that previously applied only to PEPs resident outside of Ireland now also apply to PEPs resident in Ireland. Examples of PEPs are:
- Senior official of a major political party
- Senior official in the executive, legislative, administrative, military, or judicial branch of a government
- Senior executive of a government owned commercial enterprise or corporation.
- Any individual known to be a personal or professional associate of a PEP
- An immediate family member of a PEP; e.g. spouse, parents, siblings, children.

Firms should note that PEP status itself is intended to apply higher vigilance to certain individuals and put those individuals that are customers or beneficial owners into a higher risk category. It is not intended to suggest that such individuals are involved in suspicious activity.

Life Assurance Policies/PEPs

Additional requirements are imposed regarding the identification of the beneficiaries of life assurance policies and other investment-related assurance policies. Specific steps must be taken where the PEP is a beneficiary of a life assurance policy.
If a designated person knows or has reasonable grounds to believe that a beneficiary of a life assurance or other investment-related assurance policy or a beneficial owner of the beneficiary concerned, is a Politically Exposed Person, or an immediate family member or a close associate of a Politically Exposed Person, it shall:
a) inform Senior Management or its equivalent before pay-out of policy proceeds and
b) conduct enhanced scrutiny of the business relationship with the policyholder

The firm must outline what process it has in place to demonstrate how it is meeting its obligations as to how it assesses its customer base to determine whether a customer is/has become a PEP or is an immediate family member, or close associate, of a PEP at onboarding and during the course of the business relationship.

The domestic insurance sector has a very low exposure to Politically Exposed Persons. Also, the majority of products sold by insurers do not lend themselves to moving the proceeds of corruption. Therefore, it is likely that the number of customers meeting the high-risk criteria is very low and those that are identified as PEPs is lower still.

Designated persons must have processes in place prior to establishing a business relationship with a customer to determine whether the person may be deemed a “PEP”. In practice, designated persons should take steps to establish whether the person is deemed to be politically exposed. The identification of a customer as a PEP is not in itself cause for suspicion, but does require an enhanced level of due diligence. See Appendix 6

Firms should put appropriate policies and procedures in place to determine:
- if a customer or beneficiary is a PEP at onboarding or
- if a customer becomes a PEP during the course of the business relationship with the firm.

Firms should note that new and existing customers may not initially meet the definition of a PEP, but may subsequently become one during the course of a business relationship with the firm. On this basis, firms should undertake regular and on-going screening of their customer base and the customers’ beneficial owners (where relevant), to ensure that they have identified all PEPs. The frequency of PEP screening should be determined by the firm’s approach documented with their business wide risk assessment.

3. Standard Due Diligence (SDD)

The purpose of the following section is to give guidance to members on how to apply CDD measures taking into account the product characteristics. Members are required to take into account all risk factors relating to their customers, countries or geographical areas, products and services, transactions and delivery channels and document this in their
