On 16 December, 2020, the Central Bank of Ireland (CBI) issued a “Dear CEO” letter to Schedule 2 Firms concerning its findings as regards the compliance of such firms with Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) obligations.
The CBI has indicated that the letter serves two purposes; firstly, it provides an overview of findings identified by the CBI in the course of supervisory engagements with registered Schedule 2 Firms since January 2020, and secondly, it sets out the expectations of the CBI in relation to Schedule 2 Firms.
Schedule 2 Firms comprise unregulated firms which carry out certain financial services activities from an Irish base (e.g. corporate lending, financial leasing and other activities specified in Schedule 2 of the Criminal Justice Act 2010). Such firms have been required to be registered with the CBI for AML/CFT purposes since 2018.
The CBI has highlighted that it expects the CEO of each Schedule 2 Firm to bring the letter to the attention of the Firm's Board and/or relevant committees and that it expects Firms to take appropriate action to deal with the issues addressed in the letter.
Appendix A to the letter sets out the details of the CBI findings and expectations. Below we consider some of those key findings and expectations.
CBI's Key Findings and Expectations
- Board oversight and scrutiny: The CBI states that it is critical that the Firm's Board receive and challenge regular reporting in order to have robust oversight of all AML/CFT risks facing the Firm and to ensure that all requirements are met in a timely manner. AML/CFT and financial sanctions (FS) must be a regular agenda item at board meetings.
- Outsourcing: Firms are also reminded that where AML/CFT activities are outsourced, these arrangements must be formally documented and subject to strong ongoing oversight by the Firm through assurance testing. The CBI found that Firms often failed to have the necessary processes in place to ensure outsourcing arrangements were appropriately documented, sufficiently detailed and/or kept up to date. Firms must be in a position to evidence that they are actively monitoring the progress of any management action points resulting from reviews conducted.
- Roles and responsibilities of MLRO and other key individuals: The roles and responsibilities of a firm's Board, Senior Management and MLRO regarding key elements of the firm's AML/CFT & FS framework should be clearly defined and documented. The CBI found that firms had not always formally documented the responsible role or individual for AML/CFT & FS within the firm. In other instances, the MLRO could not demonstrate sufficient knowledge of AML/CFT & FS. The MLRO must have a direct reporting line and access to the Board providing sufficiently detailed reports on a frequent basis.
- AML/CFT Risk Assessment: The CBI found multiple failings as regards the AML/CFT risk assessment. Firms must determine the AML/CFT risks facing their business as a whole. Where a Firm relies on a third party or parent entity to conduct a risk assessment on its behalf, it must relate to the risk and controls associated with the Firm and not solely those associated with the third party or parent entity. Firms must document their consideration of the AML/CFT & FS risks pertaining to their particular services/products, customers, jurisdictions and distribution channels, mindful of the nature, scale and complexity of the firm's business model. The business wide AML/CFT risk assessment must be reviewed at least annually. The consideration and approval by the firm's Board of this AML/CFT risk assessment must be formally evidenced.
- AML/CFT & FS Policies & Procedures: Firms must have their own AML/CFT & FS policies and procedures in place and cannot rely on those of the outsourced third party service providers. Such policies and procedures in place must be appropriately tailored to and reflect the specific customers and business activities and the associated risks inherent to the firm and must be up to date (i.e. subject to review on at least an annual basis but updated and reviewed more frequently as and when required). Firms must be able to satisfactorily evidence consideration and approval of such policies and procedures by their Boards and/or Senior Management.
- Customer Due Diligence: The CBI found that Firms were often not conducting CDD on the correct entities. For example, in the case of SPVs engaged in lending, some Firms were conducting CDD on the borrower of the SPV but not on the loan noteholder, whilst other Firms were conducting CDD on the loan noteholders and not the borrower. The CBI expects Firms to consider the ML/TF & FS risk arising from both loan noteholders and borrowers and to conduct appropriate due diligence on each of them in accordance with the level of risk.
- Politically Exposed Persons (PEPs) and FS: Firms should ensure appropriate policies and procedures are in place to identify and escalate PEP and FS alerts. This should include the process and the appropriate reporting lines to be followed in the event of an FS or PEP being identified. Where screening tools are relied upon, firms should ensure appropriate oversight and ongoing assurance testing and monitoring is in place to ensure the tools are fit for purpose.
- Suspicious Transaction Reporting (STR): Firms should have sufficiently detailed policies and procedures relating to STR to assist staff members in fulfilling their obligations and escalating suspicions. Employees should be made aware of the escalation process, including the personnel to whom suspicions should be raised/reported. Where third parties are being relied upon to provide AML/CFT & FS services, Firms should ensure the third party is subject to the appropriate level of oversight. The levels of STRs being made by a Firm should be regularly reported to the Board. Firms should ensure that they are registered, and familiar with, (1) the goAML system; and (2) Revenue‘s Online Service (ROS), so as to ensure that STRs can be submitted in a timely manner.
- Training: Training materials should be tailored to the activities of the Firm and should be reflective of the standards and practices that the firm should be exhibiting to meet their obligations. Training processes should be reviewed to ensure that the appropriate level of training is being received by all staff. Firms must give consideration as to the necessity for bespoke training for customer facing staff, directors and senior management of the Firm. Training materials should be kept up to date and in line with legislative requirements.
Warning of enforcement action
The Dear CEO Letter warns Firms that the CBI will continue to conduct supervisory engagements with Schedule 2 Firms throughout 2021. The CBI expects Firms to review the content of the letter and to retain evidence of any assessment conducted by the Firm.
The letter also reminds Firms that a breach of the AML/CFT & FS legislation may result in significant criminal or administrative sanctions and that the CBI is prepared to use the full range of its regulatory tools where firms do not comply with their AML/CFT & FS obligations. This includes, where necessary, the pursuit of enforcement action against firms.
It is imperative that the Board and Senior Management of Schedule 2 Firms closely review the letter and that they ensure that all necessary steps to ensure ongoing compliance have been taken.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.