Address by Director of Enforcement, Derville Rowland, to IBEC Seminar

23 June 2015 Speech
I intend speaking to you this morning about recent developments in the area of Anti-Money Laundering and emerging themes from recent inspections conducted by the Central Bank.

I will briefly discuss the role of the Central Bank in AML, the AML framework and the drivers of AML regulation in Ireland. I will then touch on a number of priority issues for the Central Bank and outline some of the concerns of the Central Bank.

The Central Bank is the competent authority for the monitoring of credit and financial institutions for compliance with Irish anti-money laundering and countering the financing of terrorism laws. These two areas are generally referred to as AML and I will refer to both as AML for the purposes of this morning’s seminar.

To carry out its role as competent authority for AML compliance, a specialist AML Division was established within the Enforcement Directorate after the passing of the Criminal Justice Act in 2010. The Central Bank is responsible under the 2010 Act for the monitoring of credit and financial institutions to ensure compliance with AML laws. In addition to monitoring for AML compliance, the Central Bank also has a statutory obligation to take measures that are reasonably necessary to ensure compliance with AML requirements. This can be in the form of correction measures such as risk mitigation plans and, in certain circumstances, sanctions may be imposed.

The supervisory work of the specialist AML Division complements the work of the prudential and conduct supervisors and leverages off the work conducted by those divisions. In its supervisory and enforcement role, the Central Bank adopts a risk based approach to supervision that focuses resources where the greatest risk lies while also ensuring that an appropriate level of supervisory coverage is in place across the remaining population of credit and financial institutions.

I will move on now to touch on the AML framework and what are the key drivers of AML regulation in Ireland.

We are all well aware that AML regulation and compliance obligations have increased greatly in recent years. This has placed an ever increasing onus on both regulators and industry to keep up with developments in AML oversight and implementation and to ensure that we are all complying with our obligations. It is recognised that there are a number of challenges common to industry and regulators in the area of AML. The regulatory framework for AML is continuing to evolve at the international and domestic levels with the focus shifting from ensuring that the financial sector has preventative measures in place to ensuring that those preventive measures are effective. This involves applying AML preventive measures commensurate with risks and reporting suspicious transactions.

The genesis of the AML compliance framework was driven originally by international efforts to prevent the proliferation of organised crime and drug trafficking.

In the late 90s and early 2000s, the international focus on terrorist attacks led to an increased emphasis on terrorist financing which was incorporated into the AML framework. Recently, increased attention is being directed towards targeted financial sanctions, namely specific sanctions introduced to prevent terrorist financing and the proliferation of weapons of mass destruction.

The international effort to prevent money laundering and terrorist financing is driven by an international organisation called the Financial Action Task Force - FATF. The FATF standards are incorporated within its 40 recommendations that member countries are obliged to adhere to. To ensure compliance is taking place, the FATF operates a peer review process where countries are evaluated through a periodic assessment process. Ireland is a member of the FATF and I will move on to discuss shortly the forthcoming review of Ireland.

The legal framework for AML in Ireland is set out in the Criminal Justice (Money Laundering and Terrorist Financing) Act. This Act was introduced to implement EU AML Directives of which there have been four to date - the 4th Directive having been introduced only this month. There is a two year transposition time period for the Directive that would bring it up to June 2017. The Department of Justice has responsibility for the transposition and it is not yet known when the Directive will be transposed in Ireland. There are a number of changes contained in the 4th Directive including the introduction of a central register for beneficial owners, the inclusion of domestic PEPs (politically exposed persons) and an even greater focus on the need for a risk based approach to both supervision and compliance measures.

I will now briefly set out some of the important issues we see in AML.

The FATF review in 2016

As a member of the FATF, Ireland is subject to being assessed and we are due to undergo the 4th Round of Assessment in 2016. The forthcoming assessment will be quite a challenge for the country as the FATF method of assessment has changed under this Round. During the assessment, the FATF assessment team will not only be assessing whether Ireland is “technically” compliant with the 40 recommendations or standards set by it but also how “effective” is the country, i.e. how well does the country (including supervisors and industry) understand the money laundering and terrorist financing risks faced and how effective are the steps being taken to prevent or mitigate those risks.

The effectiveness module will be the focus of the onsite inspection and will involve assessors meeting with both regulators and industry, along with other stakeholders. The measurement of effectiveness is a new approach in any peer review (not just FATF) and it is presenting quite a challenge for countries to achieve positive ratings. Given the increased focus on the outcome of FATF reviews by other member states, international organisations such as the IMF, rating agencies and international investors, it is in all our interests, both regulators and industry, to ensure that we receive as positive a review as possible in 2016.

 

A Risk based Approach

At the centre of AML regulation is the need for proper risk assessments to be conducted and implemented effectively with participants having a clear understanding of the risks faced and ensuring that those risks are mitigated. The Central Bank adopts a risk based approach in supervising credit and financial institutions on a risk sensitive basis. There is an expectation by the Central Bank that industry would also conduct their own risk assessments, prioritise resources towards higher risk areas without ignoring other risk areas and take the necessary steps to ensure that they comply with their statutory obligations to ensure that general risks are mitigated. It is important to stress that while a risk based approach should be adopted, there are certain legal obligations under the 2010 Act that are mandatory and cannot be ignored on a risk sensitive basis.

Some of you may be aware that steps are currently being taken at the national level to prepare a National Risk Assessment (NRA). This involves a wide range of stakeholders and the Central Bank providing input into the NRA. Once completed, industry will have to incorporate the findings of the NRA into their own risk assessments.

 

Reporting Suspicious Transactions

The reporting of Suspicious Transaction Reports by designated persons is a primary obligation set out in the 2010 Act. The reporting of detailed and timely STRs to both the Gardaí and the Revenue Commissioners is of central importance in preventing money laundering and terrorist financing. The information contained in the STR that may seem quite innocuous to the person providing the information may turn out to be invaluable intelligence for the Gardaí or Revenue at either prompting or progressing an investigation into criminal activity.

Customer Due Diligence obligations

The 2010 Act sets out clear CDD obligations:

  • The requirement to carry out CDD is not on a risk sensitive basis, it must be carried out at the commencement of the business relationship or at such other time as permitted by the Act;
  • It is also clear from the legislation that CDD documentation must be adequate and if not there must be steps to obtain adequate documentation or information; again this is not predicated on the risk of money laundering/terrorist financing;
  • The need to have adequate documentation or information applies to pre-1995 customers;
  • Documentation or information must be kept up to date. There is not a definitive time period on this point; it is to be determined on a case by case basis as circumstances differ;
  • Documentation must be retained during the business relationship and for 5 years afterwards, and
  • Where a customer does not provide CDD documentation/information that is required under the Act, the firm must cease providing services while the CDD information is outstanding and ultimately discontinue the business relationship if the customer fails to comply.

De-Risking

The issue of de-risking is a growing concern internationally. De-risking occurs when financial institutions deny or restrict entire classes of customers from access to financial services without taking into account, seriously and comprehensively, their level of risk or risk mitigation measures for individual customers within a particular sector.

It may be because the cost of compliance outweighs the business benefit or that a particular business relationship is seen as too risky. This has the potential to push certain business and customers into unregulated or less regulated channels thereby reducing financial sector transparency and raising financial crime risk, which then in turn erodes the integrity of the international financial system, and may actually impede the effective implementation of AML/CFT measures.

The Imposition of Sanctions

From a regulatory perspective, the Central Bank wants to see compliance with the CJA 2010 and where non-compliance is apparent seeks remediation to be undertaken. However, in certain circumstances it is necessary to impose sanctions. When imposing sanctions for AML breaches, it is necessary for the Central Bank to impose sanctions that are effective, proportionate and dissuasive in the context of the AML breaches. Recent sanctions demonstrate the seriousness with which the Central Bank views AML breaches.

I now move on to some recent supervisory findings.

The Central Bank has recently published sectoral reports arising out of inspections of the banks and credit unions. Both reports have been published on the Central Bank’s website. The reports contain the key findings of the inspections and the issues that arose.

In the Banking sector, some of the key findings were:

  • Risk assessments were incomplete, at too high a level and did not effectively consider relevant AML risks;
  • There was a failure to include AML reviews in annual monitoring and internal audit plans;
  • Deficiencies existed in the PEPs process;
  • Non-adherence to stated AML policies;
  • Shortcomings in training to board and committee members, as well as enhanced training for staff in key AML/CFT and FS roles, and
  • Concerns around automated screening of customer databases for financial sanctions purposes.

A report on the Credit Union sector found that:

  • Failure to conduct adequate AML risk assessments of the business;
  • Inadequate AML policies, procedures and systems and controls in place;
  • Failure to ensure the provision of appropriate training to board members, staff and volunteers at all levels, and
  • Inconsistent and/or undocumented approaches for the reporting of Suspicious Transaction Reports to An Garda Síochána and the Revenue Commissioners.

 

Both reports clearly set out the expectations of the Central Bank in respect of the key areas tested. However, in summary the Central Bank expects that:

  • Firms conduct a comprehensive AML risk assessment of their business;
  • The outcome of this assessment and required controls is embedded in the business via documented policies and procedures;
  • Training is provided to all staff to enable them to discharge their obligations;
  • There is robust testing of adherence to and effectiveness of the firm’s policy and procedures, and
  • The overall AML framework, risk assessment, procedures etc. are regularly reviewed and updated as required, to ensure that they continue to address any emerging AML risks or changes to the firm’s business and risk profile.

Engagement by the Central Bank with Industry

It is important as regulator that we engage with industry and provide guidance and constructive feedback.

AML guidance comes from domestic, EU and international sources. Under the 4th Directive, the European Supervisory Authorities will be publishing in the coming months guidance papers on Risk Factors and Risk Based Supervision. These papers are due to go to public consultation and the Central Bank has contributed to the content and structure of these papers. This guidance will be important for both regulators and industry as it will further expand on risk factors that are sector specific and detail how supervision is to be conducted. Under the 4th Directive, we will all be obliged to adhere to these guidelines on a “comply or explain” basis.

The Central Bank has recently increased its engagement with industry. The publication of sectoral reports is one way that we do this and it is planned to publish further reports on other sectors. We have also been engaging with MLROs in credit and financial institutions on a bilateral basis over the last number of months and we will continue to do so. Guidance has also been updated on both the AML and Financial Sanctions pages of the Central Bank website. For the public, information is now included in our “Anti-Money Laundering Explained” page. There is also a “Terrorist Financing Explained” page. For industry, we have been publishing guidance documents on AML. The Financial Sanctions pages on the website have also been updated. We are now publishing on our website daily updates from the EU and UN sanctions lists. We have also published industry specific information on financial sanctions on the website along with a Frequently Asked Questions (FAQ) document.

Conclusion

The efforts of the Central Bank are focused on ensuring that there is an understanding of money laundering and terrorist financing risks among our regulated population and that there are steps taken to mitigate those risks. We are mandated to ensure compliance with AML regulations and to ensure that the appropriate measures are taken by industry to ensure compliance.

Finally, it is important to recognise that, in an area such as AML, we will be most effective when we work together. The Central Bank’s interest is ensuring that there is effective supervision and compliance taking place. Both industry and regulators must work together to ensure that our shared goal of preventing money laundering and terrorist financing is fulfilled.