AML compliance at Irish fund firms in lamentable state, says Central Bank

Chris Hamblin

27 November 2015

The international reach and scale of these firms underscore the importance of risk assessments of high quality which allow fund firms to inform themselves of, and to mitigate and manage, all relevant categories of risk in accordance with s54(1) Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended by the Criminal Justice Act 2013), which obliges them to adopt policies and procedures to prevent and detect the commission of money-laundering and terrorist finance. The Central Bank, the sector's regulator, expects a fund and its fund service provider(s) to work closely with each other to ensure that this happens. It also calls on all Irish fund firms to read the report and to use its conclusions.

Risk assessment: not a one-off task

In carrying out risk assessments, the Central Bank expects firms to:

undertake and keep a record of a ML/TF risk assessment of their businesses that includes all risk categories (e.g. geographic risk, product/service risk, investor risk and channel/distribution risk);
keep a record of the underlying methodology, assumptions and risk ratings they use;
devise appropriate controls to offset any risks they identify and align these controls to (and embed them in) operational procedures;
identify gaps, with action plans to close them;
name the parties responsible for undertaking the resulting actions;
review their risk assessments and subject them to approval at board meetings at least once a year;
use those risk assessments to influence their approach to managing "ML/TF risk" (i.e. the risk that they might be unwitting vehicles for these financial crimes); and
review the risk assessments and update them in line with business developments and changes in the risk categories.

In reality, the firms are failing to appreciate that their duty to perform risk assessments is not a one-off or ad hoc exercise and should be used to influence their 'risk appetites' and/or decisions about whether to update policies, procedures and mitigating controls. The bank's report goes on to say that “risk assessments are not reviewed and approved periodically and risk categories (such as country/geographic risk, investor risk etc.) are not reviewed in line with business changes or developments.” The report does not say that this happens only at some firms, leaving it open for the reader to speculate that such bad habits are universal.

'Reliance'

This is certainly inferred in the section on the practice at fund firms of delegating 'know your customer' duties to third-party firms, or 'reliance' as it is known in the AML trade. Section 40(5) Criminal Justice Act ensures that any firm that relies on a relevant third party to take KYC measures for it remains liable for that firm's failures – a universal rule.

The Central Bank found some inadequacies here, including:

the documented arrangements in place between the average firm and a relevant third party not specifically acknowledging that the firm is relying on the third party to complete its KYC exercises;
documented arrangements in place between a firm and a relevant third party that contain clauses restricting the provision of such documents; and
relevant third parties and arrangements not being monitored regularly through sample testing and assurance testing, for example through requests for a representative sample of KYC documents or information to test quality and reliability.

When firms indulge in 'reliance,' the Central Bank expects them to sign agreements with the relevant third parties in which those third parties consent formally to being relied on and promise, without any restriction, to provide the firms with underlying KYC documents upon request. No signed agreement can contain any conditional language that might result in the inability of such a handover. Examples of such conditional language include “subject to regulatory request” and “to the extent permissible by law.”

Each fund firm's statement of policies and procedures, moreover, should set out its strategy with regard to the identification, assessment, selection and monitoring of third-party relationships, including the frequency of testing performed on such third parties. The firm must only rely on the relevant third party to carry out CDD measures required by sections 33 (entitled “identification and verification of customers and beneficial owners”) and section 35(1), which pertains to special measures applying to business relationships. When a fund firm routinely relies on checks carried out by a third party, it ought to conduct regular assurance testing to ensure that it can retrieve data quickly if needs be. There should be no gaps in investor records which cannot be readily explained.

The identification of suspicious transactions

Firms are obliged to report their suspicions about transactions to the police Financial Intelligence Unit and the Revenue Commissioners; the report makes it clear that they are not doing so in large enough numbers or in an organised enough way.

The Bank found few documented policies and procedures for investigating and reporting suspicious transactions identified by firm's directors and/or employees, with reliance instead being placed solely on the policies and procedures of the outsourced service providers.
It found weaknesses in the processes and procedures associated with STRs, including deficiencies in internal record-keeping, the documenting of the rationale for discounting suspicions or for making an STR, failure to use internal reporting forms, staff not receiving an acknowledgment of having raised a suspicion and unexplained delays in suspicions being reviewed and determined by the money-laundering reporting officers.
Firms are not reviewing and validating systems that monitor investor transactions to ensure they are meaningful and effective, in particular where systems are generating a low level of alerts.
They are not keeping records of the continuous transaction-monitoring process, nor are they sticking to their own internal procedures for doing so.
They have also failed to set up written procedures regarding the potential need to report a suspicion in the event that an investor does not provide KYC documents or information.

Terrorist finance

On the subject of whether fund firms are obeying Ireland's terrorist finance reporting laws, which date from 2005, the report is strangely silent. It satisfies itself by mentioning that in the event that an investor is matched to either the European Union's terrorist lists or the United Nations' terrorist lists, each firm should send the authorities an STR immediately and not carry out any service or transaction in respect of the account until it has done so, whereupon the police can tell it what to do next.

The same reticence attends the Bank's musings over EU financial sanctions, such as those against Russia. It contents itself with mentioning its desire for fund firms to devise and follow policies, procedures, systems and controls help them comply, for example in the implementation of appropriate sanctions screening mechanisms and procedures for the escalation and management of any potential matches.