Delay in implementation of Third Money Laundering Directive will be a challenge for designated bodies. Policy makers in this, as in any other area, must ensure that industry is fully informed of its obligations in sufficient time to allow industry to plan to meet its obligations.

The Third Money Laundering Directive (Directive 2005/60/EC) and implementing measures (Directive 2006/70/EC) (the "Directive") are due to be implemented in Ireland on 15 December 2007.

The Directive is designed to consolidate the existing regime and introduce new anti-money laundering and counter-terrorist financing requirements ("AML/CTF") across the European Union.

The Department of Finance, along with the Department of Justice, have confirmed that the new legislation will not be published until mid to late January. We understand that there will be a period of consultation before the legislation is finalised which might not be until March next.

Although the requirement to implement procedures to prevent and detect both money laundering and the financing of terrorism are not new, the Directive will introduce some important changes to that regime which will require careful planning from affected firms, (referred to in Irish legislation as "designated bodies").

It is important to note the Directive's requirement that the board of directors of each designated body must be able to demonstrate that they have "adequate and proportionate policies and procedures of customer due diligence, reporting, record keeping, internal control, risk assessment, risk management, compliance management and communication". It takes time to put these processes and procedures in place and the delayed implementation will no doubt be welcomed by designated bodies although it may lead to some confusion where for example, a designated body has clients in Member States that have implemented the Directive and as such are expecting the new regime to apply.

Application of a risk based approach

The Directive uses the terminology "Customer Due Diligence" ("CDD") which is the term used to describe the process whereby designated bodies form a reasonable belief as to the true identity of each customer, the type of business it is involved in and the transactions the customer is likely to make. Designated bodies will need to have processes and procedures in place which will collect a range of information sufficient to allow that firm to identify and verify each customer, take reasonable measures to identify and verify the beneficial owner (see below), and obtain additional information to understand the customer's circumstances and business, including the level and nature of the transactions. There will also be a requirement to monitor customer's transactions on an ongoing basis. The Directive permits a new "reasonable risk-based approach" to its obligations which means that designated bodies must identify the criteria to assess what potential anti-money laundering / counter-terrorist financing ("AML/CTF") risks their business face. Risks include customer risk and product or services risk as well as country or geographical risk. Each can be weighted against the firm's exposure to those categories and appropriate and proportionate measures taken to address the risks. In addition to an up front assessment, designated bodies will be required to monitor customer accounts and transactions on an ongoing basis.

Controls will need to be designed to meet these risks, the nature of which will depend upon a variety of factors such as the nature, size and complexity of the firm's business, the diversity of its operations, the customer and product profile and the sales and distribution channels used.

Beneficial Ownership

The term "beneficial owner" is defined under Article 3(6) of the Directive and incorporates the FATF definition of a beneficial owner as the natural person who ultimately has ownership and control of the company or person on whose behalf the activity or control is being conducted. The Directive clarifies that ownership and control of a company is suggested as a 25 per cent shareholding (plus one share) or the person otherwise exercises control over the management of a legal entity. The draft guidance notes suggest that unless the circumstances of the relationship indicate that more stringent measures should be undertaken, the identity of the beneficial owner may be confirmed by the customer themselves.

This requirement to ascertain the beneficial owner will not apply to companies listed on EU/EEA stock exchanges or other exchanges that are subject to disclosure requirements consistent with Community legislation or subject to equivalent international standards.

Ongoing Monitoring Checks

Designated bodies will be required to adopt a continuous CDD or customer monitoring checks to assess their AML/CTF risks and to decide how best to manage them. The Directive does not require or expect that continuous monitoring must involve a complex set of procedures to be put in place. The methods chosen will have regard to the services they provide, their customer base and their area of operations and services.

Conclusion

The Directive will significantly change the current anti-money laundering regime in Ireland. New requirements to identify the beneficial owner of a customer and to undertake ongoing monitoring will require the updating of existing systems, processes and procedures. Senior management, compliance officers, legal teams, operational and training functions will need to be engaged in the implementation of these new requirements.

As in any change process implementation, a gap analysis will need to be prepared comparing the new requirements against the current processes out of which an implementation plan can be drawn up. The new risk based approach will necessitate an analysis of each firm's business from an AML/CTF perspective which analysis will need to be documented and maintained. Where judgments are made as to the nature of a risk and the appropriate mitigation this judgement will need to be documented and reviewed. External advisors might need to be consulted when such judgements are being made. Ultimately, any compliance procedures adopted will need to be approved by the board of directors so they will need to be robust and complete and capable of being audited.

We think that implementation of the Directive will be a challenge for designated bodies. Policy makers in this, as in any other area, must ensure that industry is fully informed of its obligations in sufficient time to allow industry to plan to meet its obligations. Although we regret the delay in implementation we welcome the opportunity the delay will afford designated bodies to better understand their obligations and thereby plan more effectively for implementation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.