Ireland is, according to the European Commission’s ‘State of Play’ table of transposition, the last European Member State to notify it of the passing of this important anti-financial crime law. Spain beat Ireland to the post upon notifying the Commission that the Spanish Congress passed a transposing law on 22 April. However, nothing is as clear as it first seems when it comes to how Member States transpose directives within the European Union. The Commission was forced to write to France on 3 June seeking France’s compliance with a previous court ruling which found it had not implemented ‘all the necessary measures to comply with Directive 2005/60/EC’.
Without mounting a defence of Ireland’s delay in transposing the Directive, we should acknowledge that a massive legislative agenda has confronted the government of late. We should also, in fairness, recognise the collective commitment of time devoted to the Act by staff at the Departments of Justice and Finance, the Financial Regulator and at other bodies and their dedication should not be overlooked.
When will the Act take effect?
At the time of writing, a commencement order bringing the whole or part of the Act into effect had not been signed by the Minister. On the day the Bill was passed by the Oireachtas, Wednesday 28 April, the Minister stated “At least three months notice would be given of the first commencement”. It now seems likely that, subject to Ministerial discretion, some or all of the Act will be implemented on and from Thursday 15 July. In addition, another important component of the anti-financial crime jigsaw puzzle is yet to be put firmly in place: the final versions of the core and sectoral guidelines which the financial services sector shall use to help operationally implement the new requirements. Thus far draft versions of the core and the majority of the proposed sectoral guidelines have found their way into the public domain.
Scope of the Act
Those familiar with the 1994 Criminal Justice Act (“1994 Act”) will note that the class of persons subject to anti-financial crime controls and procedures is more extensive under the Act. Whereas the 1994 Act used the term ‘designated bodies’, the new Act adopts the new term ‘designated persons’ which captures: credit institutions; financial institutions; auditors, external accountants or tax advisers; barristers, solicitors or notaries; trust or company service providers; property service providers; casinos; those who direct private members’ clubs; any person trading in goods who receives a cash payment greater than €15,000; and any other person prescribed by future regulations. There are certain exemptions provided in the Act which, where triggered, will exclude certain persons from the definition of designated person. Those in the financial services sector should pay careful attention to the definition of designated person. As in the past, it is likely that some businesses may mistakenly conclude that they are not subject to the Act simply because they are not authorised or regulated by the Financial Regulator. This is not the case. Ireland is home to many such businesses which, although they fall outside the scope of the Financial Regulator’s oversight in respect of their day-to-day business activities, are in fact subject to the Act (and the 1994 Act) and must therefore comply with the following provisions:
• Perform appropriate Customer Due Diligence (CDD). As an industry we probably already tend to think of CDD in the terms required by the Act, i.e. standard, simplified and enhanced CDD. However it is likely that designated persons, competent authorities and advisers will struggle, at least initially with:
- the requirement to perform CDD before ‘establishing the business relationship with the customer’ test (there are certain exemptions in this area); and
- the requirement to take steps to determine whether a customer or a beneficial owner connected to the customer or service concerned residing outside of Ireland (my italics) is a politically exposed person (“PEP”), or an immediate family member, or a close associate of
• Identify and report transactions to both the Garda Síochána and Revenue Commissioners where the designated person knows, suspects or has reasonable grounds to suspect (based on information obtained in the course of business) that another person has engaged in a money laundering or terrorist financing offence (for the purposes of this article, such reports are referred to as ‘SARs’). Readers should note that unlike the 1994 Act, the new Act is more onerous due to the inclusion of the words has reasonable grounds to suspect. Furthermore the requirement to report a SAR is not limited to designated persons but extends to its agents, employees, partners, directors, other officers and persons engaged under a contract of service with the designated person (“Connected Persons”). The persons appearing in italics are not referenced in the 1994 Act, particularly ‘agents’ of, and those ‘engaged under a contract for service’ with, a designated person. It is recommended that designated persons not only review their policies and procedures to ensure that new anti-financial crime obligations are addressed but that persons under their direction or control are properly instructed upon the designated person’s policies and procedures.
• Adopt policies and procedures to prevent and detect the commission of, based upon the assessment and management of the risks, money laundering and terrorist financing. It is not possible to explore the extent of the new risk-based regime in this article, however designated persons should note that they are required to demonstrate the performance of a risk assessment and effective management of risk at the following levels:
- firm level,
- business divisional level,
- geographic level,
- customer level; and
- product/service level.
• Keep evidence not just of CDD performed and the history of services/transactions carried out for a customer for the relevant five (5) year periods, but also of the procedures applied.
• Not disclose to any person that a SAR has been reported where the disclosure is likely to prejudice an investigation. Looking at the relevant provisions it seems clear that the intention of the Oireachtas is for the ‘non-disclosure’ rule to apply to both internal reports (e.g. one received by the MLRO from a staff member) and external reports (i.e. those filed with the Garda and Revenue). To occasion a breach, the disclosing person must have knowledge of or suspect that a SAR has been filed. The Act contains a separate provision which prohibits designated persons who know or suspect that an investigation is being carried out (or is being contemplated) from disclosing their knowledge or suspicion where the disclosure is likely to prejudice the investigation. The reference to designated person includes the persons defined above as “Connected Persons”. The Act recognises that certain disclosures should be permitted and these types of disclosures provide a defence to an alleged breach.
Examples of permitted disclosures include:
- a disclosure to a competent authority (such as the Financial Regulator);
- a disclosure permitted by a relevant direction received from the Garda or ordered by the District Court;
- a disclosure within the same undertaking;
- a disclosure between credit institutions;
- a disclosure between financial institutions;
- a disclosure between legal advisers; and
- a disclosure between a credit institution to another credit institution within the same group of companies (the same applies as between financial institutions within the same group).
There is no easy way around the Act other than to read it. Indeed in the words of one barrister and former senior Garda Bureau of Fraud Investigation officer “designated persons should read the Act and then read it again!”
The Act is far more prescriptive than the Directive which it transposes. A number of industry practitioners, advisers and regulators have wondered aloud whether any form of guidelines is necessary based both upon the prescriptive nature of the Act and the fact that designated persons will apply policies and procedures on a risk-based approach. Be that as it may, section 107 of the Act provides for the Minister of Justice, after consulting the Minister for Finance, to approve guidelines to guide designated persons on the application of Part 4 (but not the whole) of the Act. The statutory direction in the Act is far more encompassing than that provided in the 1994 Act. Guidelines issued under the Act may be taken into account by a court when deciding if a defendant took “all such reasonable steps and exercised all such due diligence” when seeking to comply with Part 4. In any event the range of matters the court will soon be able to take into account when evaluating a person’s defence extends past the guidelines issued by the Minister.
At the time of writing this article draft copies of the core guidance and also some sectoral guidance (banks, insurers, credit unions and the investment funds industry) appear on the Financial Regulator’s website (and also www.antimoneylaundering.ie). Industry is facing the real likelihood that the Act will take effect a good time before guidance is settled and approved by the Minister. Although we are not in an ideal situation, financial firms have enjoyed advance notice of the sweeping changes for a considerable period of time starting from the publication of the Directive itself as well as the publication of the Scheme, Bill and most recently the Act. A draft of the core guidelines has been available since March 2010 and a large number of firms have been privy to early drafts of sectoral guidance too. Additionally the United Kingdom’s guidelines, which are based on the Directive, have been freely available for many years. Our industry is not alone in this endeavour and the challenges presented: indeed new classes of designated persons, not previously designated bodies, such as trust and company service providers have no proposed guidelines.
Another issue to note, in the opinion of the author, is that some key differences exist between the current draft Irish core guidelines and the revised UK (and the Luxembourg) guidance. Some of these differences favour Ireland (such as the proposed ability to rely upon internet produced bank statements and utility bills to verify identity) but may cause concern to other EU countries. There is also one instance in the current draft guidelines which appears unhelpful vis-à-vis the corresponding section in the UK guidance relating to a recommendation about verifying the natural person beneficial owner of a body corporate. No doubt these particular areas will either be addressed or confirmed as the guidelines continue towards approval.
Firms which are not part of the private groups which have generously sponsored the drafting of proposed guidelines should contact the Financial Regulator with their comments.
Supervision and Enforcement
In keeping with Matthew Elderfield’s (Head of Financial Regulation/CEO, Central Bank/Financial Regulator) recently coined mantra of “risk-based supervision with a credible threat of enforcement”, the regulator has sent a clear signal to the market about the importance of anti-financial crime controls by establishing its AML Unit within the Enforcement Department. A number of personnel have been assigned to the AML Unit and the Financial Regulator is continuing its recruitment drive in this area. Should the regulator seek to emulate the actions of the Financial Services Authority, which has executed a serious amount of enforcement actions against credit and financial institutions (including against an Irish bank) for anti-money laundering failures, then the Irish financial services sector will be in for a rough ride. The boards of directors and MLROs might harbour similar concern should the Financial Regulator follow the FSA’s approach of imposing fines upon individuals (the FSA has sanctioned one managing director and two MLROs) and it recently charged a former stockbroker with a money laundering offence. The fines imposed on the managing director and MLROs related to their personal failure to fulfil regulatory duties to oversee the implementation and monitoring of their personal and their employers’ AML obligations. It is not just the Financial Regulator which may sanction a (financial services type) designated person.
The Garda may prosecute the legal entity and, under section 111 of the Act, the directors, managers, company secretaries and officers (and those purporting to be such persons) where any such person consented to, connived in or was wilfully neglectful in respect of the offence committed by their company. The same applies in the case of unincorporated designated persons, such as partners in a partnership.
It might be convenient to dismiss the likelihood of a section 111 offence, but before we do we should note that similar type offences were prosecuted in 2008 against banks in France and their senior executives. Although some of the prosecutions were unsuccessful, bear in mind the direct and indirect cost arising from a prosecution (or an administrative sanction) and whether the perceived damage to one’s reputation can ever be really recovered from (it sits forever on the internet and in the databases of all those AML software products). The prosecutions arose from what is known as the “Sentier 2” case. Although some executives were found not guilty, the National Bank of Pakistan was found guilty and two of its executives were convicted and given two year suspended jail sentences.
Another area which certain industry firms and the Financial Regulator must grapple with is the regulator’s AML/CTF supervision of designated persons not otherwise subject to the Financial Regulator’s conduct of business requirements. This will arise because a number of firms not authorised or regulated by the Financial Regulator will be ‘financial institution(s)’ as defined in the Act. This will be a novel experience for both the designated person and the Financial Regulator being the competent authority. One can already imagine the perplexities that such a hybrid regulatory role may cause. For example the Financial Regulator will be entitled to review the activities and records of the designated person, including transaction records, which could lead to non-AML questions over which the regulator may have no jurisdiction.
The success or otherwise of the new Act shall come down to not only legal interpretations but also applying the Act and the guidelines in an open, transparent and common sense manner. A greater relationship will be forged between regulated persons and the Financial Regulator, robust governance frameworks will need to be adopted by boards and independent thinking robust MLRO professionals with strong commercial capabilities will be required. Of course none of this is free. The costs to the industry, directly and indirectly, will be measured in the tens of millions of euros and probably closer to one hundred million euros based upon international experience. It will be difficult to quantify the costs with any great certainty - not only because of the nature of indirect costs but also because changes to practices and procedures do not happen overnight. The longer firms take to implement the necessary changes the greater the costs will be: not just in financial terms but societal costs too. We should always bear in mind that the objective of the Act is to further reduce the likelihood that designated persons will be used as conduits for, in the apt words of Lord Justice Longmore of the Court of Appeal (England and Wales), the ‘evil of money laundering.’