As of the 27th November 2012, the AML/CFT unit of the Central Bank have conducted 75 inspections touching all regulated sectors. The unit undertook a combination of on-site visits and desktop reviews. The thematic inspections revealed “significantly lower level of compliance than was expected”. The main concern of the Central bank was that certain control failures were repeatedly identified among regulated institutions.
Key areas of Weakness
The key areas of weakness that were found were as follows:
• Board engagement on effectiveness of AML policies and procedures in the firm;
• Alignment of business models to achieve compliance
• Use of risk assessment and risk mitigants (controls in place to ensure compliance)
• Demonstrating compliance to the Central Bank including record retention
Key findings
Following the inspections the Central bank issued their key findings in the following areas:
• Governance
• Risk Assessment
• Policies and Procedures
• Training
• Customer Due Diligence
• Suspicious Transaction Reporting
These Key findings will now be analysed
Governance
The key point here is that governance comes from the top. Board and senior management must ensure on-going oversight of compliance with AML/CFT obligations. Firstly they should review and approve all AML/CFT policies and procedures and receive regular updates and reports on testing and compliance with obligations.
The Central Bank found that boards and senior management in regulated sectors were unable to demonstrate that:
• The implications of the 2010 Act on their business had been considered and business models aligned accordingly to ensure compliance
• They had appropriately prepared for commencement of the 2010 Act and allocated necessary resources • They had an appropriate governance framework to ensure on-going oversight of compliance by the firm with the 2010 Act
• They had awareness of potentially serious implications for the firm for failure to comply with the 2010 Act
Risk Assessment
The Central Bank noted many instances where firms had not prepared a risk assessment or had used a generic risk assessment. They were quite clear that generic policies and procedures were not sufficient. They have even used the example of a life insurance company using a credit institutions’ AML policies and procedures. In instances where firms had adopted a risk based approach to AML compliance, the Central Bank found that firms:
• Had not evaluated ML/TF risks pertinent to their business sector;
• Had not adopted appropriate risk mitigant plans to mitigate risks;
• Could not demonstrate to the Central Bank of Ireland
o How the firm evaluated the risk
o Risks pertinent to their sector
o Mitigating measures taken to reduce risks where they claimed to have done so
Policies and Procedures
The Central Bank of Ireland found that in many firms that there were material gaps in AML/CFT policies and procedures to prevent and detect ML/TF including incidences where firms had not implemented policies and procedures in practice.
They outlined that, at a minimum, policies and procedures must:
• Cover all areas of business activity;
• Address all aspects of compliance with Part 4 of the 2010 Act;
• Be appropriate to ML/TF risks associated with the nature of the firm’s business;
• Be clearly set out to enable staff to apply them in practice.
Training
The Central Bank of Ireland found that in many instances there were material gaps in the provision of AML/CFT training to all relevant staff in firms. All members of staff must receive instruction on the law and on-going training relating to AML/CFT. The Central Bank have stated that this must be done on an annual basis.
This annual training includes board members and senior management.
Staff training on the law is an obligation under the 2010 Act and is deemed essential in ensuring that senior management and board members are in a position to oversee compliance with the 2010 Act.
Customer due diligence (CDD)
The Central Bank pointed out that CDD obligations apply to new and existing customers and that firms were not verifying the identity of their customers in compliance with the 2010 Act. This must be done prior to the establishment of a business relationship or the provision of a service or where permitted as soon as practicable thereafter.
Where there were issues with CDD on existing customers, it was found that CDD remediation work was not being carried out in a systematic or comprehensive manner. The Central Bank stated that a trigger based approach to completion of CDD on existing customers may be acceptable for lower risk customers. An example of this is where customers seek new products or services.
However, while a trigger based approach may be acceptable, firms are expected to be able to demonstrate measures taken to verify identity were reasonable, risk-based and consistent. In particular, firms should be cognisant of the following:
• Carry out risk-based approach to review approach to CDD documentation
• Who are your high risk customers?
• Review those files to ensure CDD is adequate
• Trigger-based approach for low risk customers.
The other area of CDD that may need to be reviewed is where doubts arise as to the adequacy of previously obtained documentation. If there are reasonable doubts, then a remediation exercise needs to be undertaken.
The main maxim to take from this is ‘If it is not in writing, it does not exist’. You need to be able to demonstrate all of the above to the Central Bank of Ireland.
The following incidences were found in numerous institutions:
• Customers had failed to provide the firm with document/info required to complete CDD and the firm had failed to take the necessary measures as set out in the Act.
• Firms had applied simplified CDD to customers that did not meet the definition of a specified customer
• Firms had entered into arrangements with relevant third parties in circumstances where the requirements of the 2010 Act had not been met.
Suspicious Transaction Reporting
One of the major issues that the Central Bank of Ireland found was that Suspicious Transaction Reports not being made as soon as practicable after firms had formed a suspicion or acquired reasonable grounds to suspect that a person had been or was engaged in an offence of ML/TF. Once a firm has a reasonable suspicion that a transaction or activity is suspicious, and an appropriate investigation of the matter has been concluded, they should report this activity or transaction to the Garda Síochana and the Revenue Commissioners before continuing with the transaction.