How regulated businesses should approach MLD4.
Jane Jee, CEO of Kompli-Global Limited, outlines the changes in the EU’s 4th Anti-Money Laundering Directive (MLD4), and looks at the questions that regulated businesses need to ask themselves to ensure they are compliant.
The 4th Anti-Money Laundering Directive (MLD4) is designed to bring about a more demanding risk-based approach to the prevention of money laundering. It is now in effect, with a transposition deadline for EU Member States of 26 June 2017.
The need to pay attention to the regulations extends beyond the Money Laundering Reporting Officer (MLRO) and directors to ‘senior management’, i.e. “an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting risk exposure”.
Customer due diligence (CDD)
Regulated entities must be able to evidence that they have taken a risk-based decision to mitigate money laundering and terrorist financing risk, considering three factors: the customer, the product, and the geography and relationships involved.
MLD4 is generally less prescriptive than previous directives, in order to force companies to carry out a thorough risk assessment themselves rather than adopt a tick-box approach. However, one area is more prescriptive: ongoing monitoring and the frequency of reviews required. Once is never enough.
Simplified due diligence (SDD)
The change in SDD is subtle, but significant. The concept of simplified due diligence is tightened, with no blanket application and clear documented evidence required as to the basis of the ‘low risk’ categorisation.
There is now a specific requirement that information held on beneficial owners be adequate, accurate and current. The review you did at the beginning of the relationship 18 months ago will no longer be enough.
PEPs now include domestic persons, and PEP treatment must continue for at least 12 months after they leave office, and for longer where the continuing risk warrants it.
What happens if they fail?
The interesting question is what constitutes failure. The directive does not prescribe the fines or even the jail sentences that should be imposed in a given case; regulators will determine that.
However, recent history can tell us a lot about how the FCA might react to failure.
A global bank was fined in 2015 for poor handling of financial crime risks. This was not because the transactions involved criminal activity or terrorist financing, but rather:
“While the FCA makes no finding that the Transaction, in fact, involved financial crime, the circumstances of the Transaction gave rise to a number of features which, together with the PEP status of the individuals, indicated a higher level of risk. [The bank] applied a lower level of due diligence than its policies required for other business relationships of a lower risk profile. [The bank] did not follow its standard procedures, preferring instead to take on the clients as quickly as possible and thereby generated … millions in revenue.”
Here, the regulator underlined that, at all times, firms need to have effective risk systems and procedures in place, which are clearly followed and which demonstrate a complete client risk analysis. This includes collecting and verifying identity documentation, and monitoring and regularly reviewing relationships and transactions. It should be clear that risk profiling alone, including sanctions and PEP checking, is not sufficient.
Fines are not limited to companies, either: in October 2016, the FCA fined not only a bank, but also its MLRO, preventing the individual from working again as an MLRO or in a compliance function.
How do you not fail?
As a senior manager/MLRO/Director, are you confident that your policies and procedures are sufficient to meet the regulator’s requirements?
Are you confident that CDD and SDD are undertaken in a way that ensures proper contextual risk evaluations are made on complete and up-to-date information? Is that information kept current so that decisions on transactions rest on it, and are business relationships correctly monitored?
Are there clear records of the information collected, and of when and how decisions were made? Is the basis upon which the risk assessment and the consequent decisions were made clearly documented?
The new legislation will slow the taking-on of clients and will be costly unless technology is used to help gather the information needed to assess the risk posed by a customer. This is where regulatory technology (RegTech) can assist.
This article first appeared in FX-MM