On 23 June 2021, the Central Bank of Ireland ("CBI") published revised Anti-Money Laundering and Countering the Financing of Terrorism Guidelines for the Financial Sector (the "Updated Guidelines"). The publication of the Updated Guidelines follows the enactment of the Criminal Justice (Money Laundering and Terrorist Financing)(Amendment) Act 2021 (the "2021 Act") as part of the transposition of the 5th Anti-Money Laundering Directive ("5AMLD") and expands the scope of the Updated Guidelines to also apply to virtual asset service providers ("VASPs").

Please see our previous briefings for further information on the changes introduced by the 2021 Act and the VASP registration regime.

The following is a summary of the new information and guidance included by the CBI in the Updated Guidelines.

Governance

Board Responsibility

The Updated Guidelines note the CBI's expectation that the board of directors (the "Board") of a credit institution, financial institution or VASP (each a "Firm" and together referred to as "Firms") demonstrates effective governance and oversight of a Firm's anti-money laundering/ countering the financing of terrorism ("AML/CFT") compliance framework. The Updated Guidelines list a number of steps that the Board should take in order to meet the necessary standard of governance and oversight.

Appointment of Member of Senior Management with responsibility for AML/CFT Matters

The Updated Guidelines emphasise the CBI's expectation that a member of Senior Management should be appointed to take responsibility for AML/CFT matters (where proportionate to the nature, scale and complexity of the Firm's activities) and that the tasks and roles for which the individual is responsible should be clearly identified. "Senior Management" is defined in section 24 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended) (the "CJA 2010") as "an officer or employee with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the board of directors".

The Updated Guidelines note that a lack of engagement by a Firm's Senior Management in AML/CFT issues can encourage a culture that neglects compliance with AML/CFT obligations.

While many Firms will already have appointed a member of Senior Management with responsibility for AML/CFT matters, the CBI's renewed focus on the topic in the Updated Guidelines means that Firms should review their current arrangements to ensure they meet the CBI's expectations.

Appointment of Compliance Officer

The Updated Guidelines note the CBI's expectation that Firms appoint a member of staff at management level to monitor and manage compliance with, and the internal communication of the Firm's AML/CFT policies and procedures (where proportionate to the nature, scale and complexity of the Firm's activities) (the "Compliance Officer").

The Updated Guidelines note that the Compliance Officer should have an independent reporting line to the Board and that at all times the Compliance Officer should have unrestricted and direct access to all information necessary to effectively perform their role.

Money Laundering Reporting Officer (MLRO)

The CBI has included a note in the Updated Guidelines recognising the custom and practice that has emerged of describing a member of staff with AML/CTF responsibilities as a Firm's MLRO, notwithstanding the absence of a definition of MLRO in Irish legislation.

The CBI notes that Firms may, depending on the nature, scale and complexity of a Firm's activities, structure their internal AML/CFT governance framework so that a person who has been designated internally as an MLRO may also be the person that is appointed as the Compliance Officer, where the Firm had previously made such an appointment.

Whistleblowing

The Updated Guidelines refer to the obligation of Firms introduced by the European Union (Money Laundering and Terrorist Financing) Regulations 2019 to establish procedures to allow for the internal reporting of contraventions of the CJA 2010. The Updated Guidelines note that Firms may comply with their obligations in this regard by:

  • incorporating reporting of contraventions of the CJA 2010 as a feature of existing whistleblowing policies;
  • creating an independent internal reporting framework with clear procedures allowing staff to make disclosures anonymously; and
  • providing training to staff with regard to identifying and making such disclosures.

Beneficial Ownership - Verification

The Updated Guidelines note that where a customer's beneficial owner is its senior managing official(s) (e.g. directors), Firms are required to take the necessary measures to verify the identity of those senior managing officials and retain records of the actions taken to verify the identity of those individuals, including any difficulties encountered in the verification process.

The Updated Guidelines also note that Firms should, where senior managing officials have been listed as the customer's beneficial owners, establish whether the customer has in fact exhausted all possible means to identify their beneficial owner(s). As such, Firms will be expected to look behind the customer's identification of senior managing officials as beneficial owners.

In keeping with a change introduced by the 2021 Act, the Updated Guidelines note that, prior to the establishment of a business relationship, Firms are required to confirm that information concerning the beneficial ownership of a customer is entered in the applicable registers. The Updated Guidelines also acknowledge that Firms may allow an account to be opened by its customer prior to confirming that the required information has been entered on the relevant register. This is on the proviso that no transactions are carried out by or on behalf of the customer or beneficial owner on that account until customer due diligence is complete.

Risk Management

In recent years, risk management and risk assessments in the context of AML/CFT have been key areas of focus for the CBI. In keeping with this trend, the Updated Guidelines contain a number of updates in relation to risk management, including:

De-risking: Before taking a decision to terminate a business relationship due to the existence of AML/CFT issues, Firms should consider whether it is possible for them to apply additional enhanced AML/CFT measures to reduce the risk and allow the business relationship to continue. Where a Firm concludes that it is necessary for a particular business relationship to be terminated, the decision-making process should be accurately documented.

Risk Assessments: The Updated Guidelines further emphasise the requirement for firms to complete a:

  • Business Risk Assessment to assess the AML/CFT risk which they are exposed to resulting from the nature and complexity of the firm's business; and
  • Customer / Transaction Risk Assessment to assess the AML/CFT risk resulting from a firm entering into a business relationship with a particular customer or performing an occasional transaction.

Risk Factors: The Updated Guidelines introduce a list of factors that may indicate an increased risk of terrorist financing.

Transaction Monitoring

The Updated Guidelines contain a new section focusing on transaction monitoring which notes that:

  • Transaction monitoring should be tailored to detect suspicious activity in the context of the Firm's business activities by aligning the transaction monitoring controls with the Firm's risk assessments;
  • Firms should ensure that their customer identification and verification processes are interconnected with their transaction monitoring and suspicious transaction reporting ("STR") processes;

STRs

The Updated Guidelines note that STRs must be filed with FIU Ireland through the GoAML application and through the Revenue Commissioners online service (ROS). The Updated Guidelines also give guidance on how to prepare a sufficiently detailed and effective STR (e.g. clarifying reasons for suspicion, providing reasonable details of the transaction, providing accurate customer details).

Compliance with Data Protection

A topic that was highlighted in the Data Protection Commission's Annual Report for 2020 was balancing compliance with the requirements of AML/CFT law with the principles of data processing under data protection law. The Updated Guidelines note that Firms should ensure that such processing is necessary and proportionate in order to comply with their AML/CFT obligations.

Next Steps

Following the publication of the Updated Guidelines, all Firms should review and consider the impact of the Updated Guidelines and the transposition of 5AMLD on their existing AML/CFT compliance frameworks to ensure ongoing compliance with their obligations. In particular, VASPs will need to ensure that the Updated Guidelines are considered when devising their AML/CFT policies and procedures.

How can Walkers help?

The Walkers Regulatory Team are ready to assist clients by reviewing existing AML/CFT policies and procedures and advising on any actions that may need to be taken to ensure compliance following the transposition of 5AMLD and the publication of the Updated Guidelines. The Walkers Regulatory Team are also ready to advise VASPs in relation to the development and implementation of their AML/CFT compliance frameworks and can assist VASPs in registering with the CBI. The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.