© RegSol 2019
A Guide to Money Laundering Reporting Officer Duties and Suspicious Activity Reporting
Judy de Castro
LCOI / RegSol Consultant
26th June 2019
Session Agenda
✓ Introduction
✓ What is the MLRO?
✓ Who should be the MLRO?
✓ MLRO Role: What should the MLRO Do?
✓ How does the MLRO do it: Human wit vs technology
✓ Why does the MLRO do it: detection of red flags
✓ Questions?
RegSol Compliance Service Solutions
Combining over 20 years of consultancy experience:
Consultancy
▪ Multi-disciplinary onsite reviews
▪ Policies and Procedures
▪ Risk Management
▪ DPO Services (Data Protection Officer)
Training
▪ In-person (either inhouse or offsite)
▪ Self-paced online
▪ Instructor-led Webinars
Areas of Expertise
▪ AML/CTF
▪ Data Protection (GDPR)
▪ Consumer Protection
▪ Insurance Distribution Regulations
Regulatory Solutions
▪ Authorisations (e.g. CBI)
▪ Regulator visit preparation
▪ Client Interaction
What is the MLRO?
What do the Regulations Say?
▪ Fitness & Probity Standards: CF2, PCF15
“CF2: a person who is involved in ensuring, controlling or monitoring compliance with an institution’s obligations”
▪ CJA 2018: Section 54 & 111
s54: “A designated person shall appoint a member of senior management with the primary responsibilities for the implementation and management of AML measures (...) if directed in writing to do so by the competent authority.”
s111: “an offence under the Act by director, manager, secretary or other officer, that person is taken to have committed an offence and … punished accordingly”
Enforcement Action: Administrative Sanctions Procedure?
• Inquiry
• Prescribed Contravention/Settlement Agreement
• Prohibition Notices
• Sanctions
CBI Enforcement News: Campbell O’Connor
▪ Fined €280,000
Breaches:
▪ Failed to include Terrorist Financing in Risk Assessment;
▪ Inadequate policies and procedures;
▪ Failed to provide its staff with appropriate STR training;
▪ Transaction Monitoring: Placed too much reliance on personal knowledge of customer;
▪ Third party reliance inadequate
Who should be the MLRO?
Fit, Proper And….?
▪ Seniority: Influence, authority and experience
▪ Expertise, knowledge and right skillset: know the regulations, understand the risks
▪ Visibility: accessible to staff, known as MLRO
▪ Autonomous and Independent: 2nd line of defence
▪ Adequately Resourced
MLRO Expertise: Know the law
2005
• 3rd EU AML Directive
• Criminal Justice Act 1994
• Criminal Justice (Terrorist Offences) Act, 2005
2010
• Criminal Justice (ML & TF) Act 2010
2012
• FATF Recommendations 2012
2013
• Criminal Justice Act 2013
2015
• 4th EU AML Directive (25.06.2015)
2016
• European Union (AML: Beneficial Ownership of Corporate Entities) Regs 2016
MLRO Expertise: Know the law
2017
● FATF Mutual Evaluation report: Ireland
2018
● 5th EU AML Directive
● Criminal Justice (Corruption Offences) Act
2018 contd.
● Criminal Justice (ML & TF) (Amendment) Act 2018
● 6th EU AML Directive
2019
● EU (AML: Beneficial Ownership) Regs 2019
● Criminal Justice (ML and TF) (Amendment) Bill 2019.
2020
● 5th EU AML Directive transposed by 10.01.2020
● 6th EU AML Directive into national law by 3.12.2020.
MLRO regulatory updates: 2018 Act
▪ 4th EU AML Directive Changes:
▪ Statutory obligation to carry out Business Risk Assessment
▪ Simplified Due Diligence “rules based approach” effectively abolished
▪ Enhanced CDD regime: domestic PEPs and higher risk country accounts
▪ Countries of Equivalence List abolished
CJ(ML&TF)(Amend.) Act 2018 was signed into law in November 2018
Consolidated version of the 2010 Act is available here:
http://revisedacts.lawreform.ie/eli/2010/act/6/revised/en/html
MLRO Regulatory Updates: 5th Directive
In response to terrorist attacks and high profile ML cases: 5th EU Directive proposed changes:
▪ Crypto-currencies/virtual currencies and Letting Agents obliged entities
▪ Greater powers for Financial Intelligence Units: transparency of financial transactions
▪ Centralised Beneficial Ownership Registers
▪ Clarification of PEPs: Member states to produce official lists
▪ Traders in art (galleries and auction houses) <€10,000 or more obliged entities
MLRO Regulatory Updates: 6th Directive
▪ 6th EU AML Directive Changes in response to legislative discrepancies:
▪ Unified and harmonised list of predicate offences (22 in total incl. cybercrime, environmental, direct/indirect tax crimes)
▪ More ML Offences to capture enablers: aiding, abetting, attempting to commit an offence of ML
▪ Extension of liability to legal persons (extended to corporates incl. lack of supervision/control/directing mind has made possible the offence)
▪ Increased international cooperation for swift prosecution in EU multi-jurisdictions and centralise prosecution in single member state
▪ Tougher punishments (permanent ban from doing business; conviction increased from minimum 1 to 4 years prison sentence)
▪ Requirement for dual criminality for specified offences
s.7 – Understand the Offence of Money Laundering
s.13 – Understand the Offence of Terrorist Financing
Knowledge of AML Media trends:
● Kinahan cartel figure held in probe into money laundering
Independent, 4th June 2019: Rolex watches, SUVs and designer clothes seized in morning raids
● Gardaí investigating suspected terrorist financing arrest four people in Dublin
Irish Examiner, 22 Jan 2019: Four people questioned in connection with the suspected funding of IS groups in Syria in what senior sources described as a “very significant” terror financing operation.
● International hotel chain 'unwittingly accepted millions of euro in Irish drug money'
Knowledge of AML Media Trends
MLRO Role: What should the MLRO DO?
What are the Central Bank’s Expectations?
▪ Governance structures: clear roles & reporting line to Committee/Board
▪ MLRO role clearly defined and documented;
▪ 2nd line of defence: active MLRO engagement in the monitoring and management of ML/TF risk: ML/TF risk assessment; good quality MI: SMART
▪ Regular assessment and evaluation of regulatory changes (consideration of industry developments)
▪ Perform compliance monitoring reviews to test controls, agree recommendations with Management
MLRO Role: What should the MLRO do?
What are the Central Bank’s Findings?
➢ Lack of a permanent MLRO/Head of Compliance with responsibility for AML/CTF exposes AML/CTF infrastructure to:
● lack of oversight when acquiring a book of business: remediation plans
● lack of process improvement
● pause of existing projects & loss of institutional memory
● lack of training tailored to risk staff face
● issues with compliance/AML staff retention
➢ Where an MLRO has not been appointed by the firm, the Central Bank may, under Section 54 (8), direct the firm to do so.
How does the MLRO Do it?
Human Wit? Technology?
● Board ● Risk Assessment ● Policies ● Record Keeping ● Training ● Ongoing Monitoring ● Outsourcing
● Risk Assessment ● Record Keeping ● Ongoing Monitoring ● Training
MLRO Duties: MLRO Board Report
▪ At the very least on an annual basis, the Board should commission a report from its MLRO which:
✔ assesses compliance with the Act; and issues recommendations
✔ provides regulatory updates and industry developments
✔ provides the number of STR reports, sanctions matches made by staff
✔ reports on Training statistics and MI on PEPs, High risk accounts linking in with BRA
✔ Remediation projects and statistics on legacy businesses
▪ Why? The firm's senior management consider the report; and they take any necessary action to remedy deficiencies identified by the report.
MLRO Duties - Risk Assessment: Legal Obligation
MLRO Duties: Risk Assessment
(a) National Risk Assessment
(b) Guidance from a Competent Authority
(c) EBA, ESMA or EIOPA Guidance, where relevant (EC Supranational Risk Assessment 2017)
The Business Risk Assessment MUST be:
✓ Documented
✓ Kept up to date with product developments, regulatory change
✓ Approved by Board/SMT and documented in Board Reports on Annual basis
✓ Made available to Competent Authority
FAILURE = OFFENCE
MLRO Duties: Policies & Procedures
MLRO oversight in Partnership with Business Heads?
● Maintain a detailed suite of AML/CFT policies, supplemented by guidance and supporting procedures to demonstrate compliance with legal and regulatory requirements;
● Evidence of formal review and approval (at least annually) at appropriate levels;
● Policies and procedures reviewed/updated in response to events or emerging risks;
● Readily available to all staff, staff receive training on procedures and procedures are fully implemented and adhered to;
● Independent review and testing.
MLRO Duties: Training
The Law
Section 54 (6) requires designated persons to ensure staff are instructed on ML/TF law and provided with ongoing training
OFFENCE for failures to comply
Main CBI Findings?
● Failure to demonstrate effective monitoring Plan in place to verify all staff are trained:
○ Board
○ Senior Management
○ High Risk Staff
○ New Starters (induction)
● Lack of Tailored, Up to date & Regular Training
● Adequate records & course material readily available on request (completion log)
MLRO Duties: Training Checklist
➢ Training Policy & annual training plan approved by Board
➢ Risk Assessment of Staff
➢ Design Training programmes/courses specific to risk
➢ Consider basic Computer based training for all staff on annual basis, to include internal SAR form and suspicious reporting internal procedures & TIMELINES
➢ Consider Advanced classroom training for client facing staff
➢ Consider Specific SAR training for staff in vulnerable positions
➢ Consider Corporate AML training for Directors and Senior Management team
➢ Consider Training for Outsourced functions
➢ Implement an induction programme for new starters
➢ Involve staff in review of training material
➢ Tracking attendance rates to completion and escalate statistics to Board
➢ Accurate record keeping of completion dates, types of courses, staff members and course material
MLRO Duties: Record Keeping
▪ Business Risk Assessment
▪ Reliance on Third Parties
▪ CDD documents must be kept for 5 years from date of (i) ceasing of services or (ii) date of last transaction (sec 55(4)(a) Act)
▪ Transaction documents/records must be kept for 5 years following the date transaction is completed or terminated (sec 55(4)(c) Act)
▪ Information on whether the Designated Person has had business relationship with a person in last 5 years
▪ Training Records
▪ Suspicious Activity Logs and all related data to evidence timelines and decision-making processes
▪ Assurance/Audit testing
▪ Board Minutes (PEP, BRA Approval etc )
▪ Ongoing Monitoring
MLRO Duties: Ongoing Monitoring
Key Areas? Monitoring and rationale for setting thresholds
● Examination of background and purpose of certain transactions
● The Act of 2010 is amended by the insertion of the following section after section 36:
“36A. (1) A designated person shall, in accordance with policies and procedures adopted in accordance with section 54, examine the background and purpose of all complex or unusually large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose.
(2) A designated person shall increase the degree and nature of monitoring of a business relationship in order to determine whether transactions referred to in subsection (1) appear suspicious.”
A designated person who fails to comply with this section commits an offence and is liable—
(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months (or both), or
(b) on conviction on indictment, to a fine or imprisonment for a term not exceeding 5 years (or both).
When to apply ongoing monitoring
➔ Section 35(3): reasonably warranted by the risk of ML/TF;
➔ Section 37 (c): apply enhanced monitoring of PEPs
➔ Section 38 (f): apply measures to certain correspondent banking relationships
➔ Section 38 A: high risk third countries
➔ Section 39: cases of heightened risk per Risk Assessment
DO triggers identify suspicious activity?
Ongoing Monitoring Trigger Events:
Non-transactional trigger events:
• Material change in ownership and/or management structure;
• Re-classification of the jurisdiction where the respondent institution is located;
• Identification of a PEP relationship;
• Identification of adverse media on the respondent institution.
Transaction trigger events:
• Transaction Monitoring rules and parameters specific and tailored to risk profile
• Transaction monitoring rules set by Compliance/MLRO and approved by Board
• Consider customer profile, including income and investment amounts vs actual activity, patterns, source of wealth etc
• Consider data capture and data quality
Central Bank Findings
• Inadequate controls to ensure all customers are subject to screening or monitoring on a regular basis
• Inadequate assurance testing around criteria used for triggers to ensure transaction monitoring process identifies suspicious activity
• Failure to use known information regarding customers to identify potential suspicious activity
• Failure to place risk assessment output into triggers
Financial Sanctions Regime
Legal obligations:
● Prohibit making funds available, directly or indirectly to or for the benefit of individuals or entities listed on a Sanctions List
● Prohibit specific trade / financial transactions with certain countries
● Freeze all funds and economic resources of persons and entities on sanctions lists
● Report to the relevant competent authority (the Central Bank of Ireland) in respect of financial sanctions matches and any freezing of accounts or transactions*
*In the event that a customer is matched to either the EU terrorist lists or UN terrorist lists, MLRO should file an STR immediately with the Financial Intelligence Unit in the Garda National Economic Crime Bureau and not carry out any service or transaction in respect of the account until the report has been made.
Frequency of Screening and Investigation/Escalation:
Financial Sanctions
▪ Designated senior person/MLRO responsibility for Sanctions investigation and Escalation
▪ Include in BRA
▪ Beware of processing USD transactions: OFAC US sanctions apply
▪ Screening system appropriate to size, scale and complexity
▪ Screening new customers, their transactions/payments, beneficial owners at onboarding and then on a regular basis
▪ Determine procedures for matches, false positives, investigation and reporting to MLRO
Suspicious Activity Reporting: Legal Obligation
s.41, s.42 & s.54(3) CJ (ML&TF) Act 2010 as amended
▪ You MUST report to the Gardaí and Revenue Commissioners ‘As soon as Practicable’ where you:
■ Know, suspect or have reasonable grounds to suspect
■ on the basis of information obtained in the course of carrying on business as a designated person
■ that another person has been or is engaged in an offence of money laundering or terrorist financing
Internal Controls for STRs/SARs
Timing:
➔ “As soon as practicable”: delays in reporting a suspicion may result in the loss of evidence and assist the person who is alleged to have committed the offence
MLRO Controls:
➔ Maintain Internal SAR/STR Register or log & evidence/rationale of reporting/investigation process
➔ Internal SAR/STR Form/procedures available to all staff
➔ SAR/STR Training for all staff
➔ Consider automated transaction monitoring systems to identify Red Flags
Suspicious Activity/Transaction Reporting: goAML
● Section 42 of the CJA 2010 provides that reports in relation to money laundering and terrorist financing suspicions should be made to FIU Ireland and to the Revenue Commissioners.
● From June 2017, reporting to the Financial Intelligence Unit (FIU) must be made via goAML
● Firms should ensure that they are registered with goAML as STRs cannot be submitted via goAML unless the firm has previously registered.
● The Revenue Commissioners will accept a printed copy of the STR submitted on goAML which should be posted to the relevant address.
goAML
● Allows for transaction reports/documentation to be uploaded
● Requires detailed information on customer, addresses, transactions, currencies, amounts, passport numbers
● Requires details on reasons for suspicion
● goAML message board alerts users if their report has been accepted or rejected
Detection of Red Flags: Suspicious Activity
➔ Consider attempted AND completed transactions
➔ No minimum monetary threshold for reporting, no amount too low
➔ Appropriate to service, product, customer
➔ Consider geographic spread
➔ Consider transactional history and third party payments
➔ High Risk Jurisdictions
➔ Refusal to provide customer due diligence documentation or providing forged documentation
Detection of Red Flags: Suspicious Activity
• Level of investment in multiple or single product(s) doesn’t match client's economic profile
• Client wants to use CASH for a large transaction
• A customer purchases products with termination features without concern for the product’s investment performance
• Client accepts very unfavourable conditions unrelated to his or her health or age
• A customer purchases a product that appears outside the customer’s normal range of financial wealth or estate planning needs
Detection of Red Flags: Suspicious Activity
• Client has small policies or transactions based on regular payment structure then makes a sudden request to purchase a substantial policy with a lump sum premium
• Client proposes to purchase an insurance product using a cheque drawn on an account other than his or her personal account and no obvious link to third party account
• Overpayment of a policy premium with a subsequent request to refund the surplus to a third party
Detection of Red Flags: Suspicious Activity
• The first (or single) premium is paid from a bank account outside the country
• Client shows more interest in the cancellation or surrender of an insurance/investment contract than in the long-term results of investments or the costs associated with termination of the contract
• Client cancels investment or insurance soon after purchase
• Early redemption takes place in the absence of a reasonable explanation or in a significantly uneconomic manner
• Series of small claims below premium amount
Confidentiality
▪ Reports made in good faith are freed from all statutory, contractual or other confidentiality restrictions
▪ But malicious or reckless reports are not
▪ It is very important therefore that reporting procedures and decisions taken are documented
SAR/STR Output: Statistics (2017) - AMLCU
SAR/STR Output: Statistics
SAR/STR Output: Results (FATF MER 2017)
SAR/STR Output: Results?
Tipping Off
Ensure staff understand their obligations in this regard and this is present in training and procedural material:
Section 49 provides for two separate but related offences being where the firm knows or suspects on the basis of information learned during the course of carrying on business as a firm:
▪ the firm shall not make any disclosure that would be likely to prejudice an investigation that may be conducted following the making of a report under Chapter 4;
▪ an investigation is being contemplated or is being carried out into whether an offence has been committed, the firm shall not make any disclosure that is likely to prejudice the investigation.
CBI Risk Factors
● Inadequate practices in operation around identification and escalation of suspicious transactions:
● Weaknesses in the processes and procedures associated with STRs, including:
■ Deficiencies in internal record keeping;
■ Insufficient or no evidence on files of the assessment and adjudication performed by the MLRO or MLRO delegate on the rationale for discounting suspicions or for making an STR to the Authorities;
■ Staff not receiving an acknowledgment of having raised a suspicion to the MLRO;
■ Lack of detail of report to authorities, dates, amounts, reasons for suspicions omitted
CBI Risk Factors
● Unexplained delays in suspicions being reviewed and determined by the MLRO or defined timelines not considered “as soon as practicable”; and
● Case management of STRs conducted manually by firms, without sufficient audit trails in place to evidence decisions made and actions taken.
● Policies and procedures did not sufficiently outline the internal suspicious transaction reporting process or tipping off;
● Discrepancies between actual procedures and operational practices e.g. non-use of internal reporting forms;
● No audit trail or on-going monitoring process in place to assist in identifying where ML/TF concerns may have arisen in relation to specific policyholders;
● Lack of assurance testing performed on the STR process.
● Lack of training to make staff aware of reporting obligations and procedures
Contact Us:
RegSol Ireland
Ph 01 539 4884
Web: www.RegSol.ie
Tweet: @RegSolIreland
AML | Consumer Protection | Data Protection | Authorisations