Money laundering: the Fourth way
Despite some timetable slippage, it is worth reviewing your firm's anti-money laundering systems ahead of the pending Fourth Directive
Although solicitors will be aware that there is a Fourth EU Money Laundering Directive on the way, they may be unclear as to the current position, how it may affect their practice, and most importantly, what steps they should take now and over the next 18 months.
This article provides an update as to the latest position, the timetable and the provisions that are likely to impact solicitors.
The original expectation had been that the final text of the directive would be adopted before the European elections in May 2014. However, it was clear from the European Parliament vote on 11 March 2014 that the directive would not be finalised until the second half of 2014 at the earliest.
Following the European elections, the trilogue negotiations between the Parliament, the European Commission and the Council of Ministers are expected to start in September 2014. Once the directive is adopted, member states will have a maximum of two years in which to transpose the directive into national legislation.
The UK timetable
HM Treasury will consult on how to implement the directive in the UK, probably in late 2014 or early 2015. The consultation will include draft regulations and any proposed amendments to the legislation. Once the responses have been considered, we will see the final wording of the regulations and legislation.
It is anticipated that the new regulations will come into force in late 2015 or early 2016. This will ensure that the new provisions are in place before the Financial Action Task Force (FATF) mutual evaluation review of the UK in spring 2016. The mutual evaluation reviews are conducted by FATF to assess the levels of implementation of the FATF recommendations, providing an in-depth description and analysis of each country’s system for preventing criminal abuse of the financial system. This round of evaluations will focus more heavily than in the past on the effectiveness of a country’s systems and controls.
Why is a Fourth Directive necessary?
One of the main drivers for the Fourth Directive was the issue of the revised FATF recommendations in February 2012. Many of the provisions in the directive are simply implementing the recommendations.
However, the European Commission was concerned that the Third Money Laundering Directive had been implemented inconsistently across the EU. A study ordered by the Commission and undertaken by Deloitte provided a detailed assessment of how the Third Directive had been implemented. It highlighted a range of issues, including those which created particular problems for businesses operating cross-border.
The main objectives of the directive are to strengthen the internal market by reducing complexity across borders, to safeguard the interests of society from criminality and terrorist acts, to safeguard the economic prosperity of the European Union by ensuring an efficient business environment and to contribute to financial stability by protecting the soundness, proper functioning and integrity of the financial system. Those objectives can be achieved by ensuring consistency between the EU approach and the international one, ensuring consistency between national rules as well as flexibility in their implementation, and ensuring that the rules are risk focused and are able to be adjusted to address new emerging threats.
What are the changes?
While it is helpful to understand the background and the context of the Fourth Directive, the real concern of solicitors is how will the directive affect them, their clients, their employees and their practices.
The Fourth Directive will replace the Third Directive and will retain many of the provisions with which legal practices are already familiar. Although changes will be required to systems and controls, solicitors are unlikely to need to make as many changes as were necessary to comply with the Third Directive.
The key points are:
- the introduction of written risk assessments;
- additional requirements for policies and procedures;
- changes to the customer due diligence (CDD) requirements;
- beneficial ownership registers.
Written risk assessments
Key to the risk based approach is the identification, understanding and mitigation of the money laundering and terrorist financing risks faced by member states and by businesses including legal practices.
The National Risk Assessment in the UK is already underway, and indeed solicitors have been asked to complete a questionnaire to contribute to that exercise. The advantage is that we will then have a clear picture of the risks for the UK, which can then be used to inform a firm’s own risk assessment. The results of the National Risk Assessment are expected during 2014.
There is currently a proposal for a supra-national risk assessment to be produced by the European Commission within one year from the date of entry into force of the directive. That assessment would be made available to help member states and businesses in the regulated sector to identify, manage and mitigate money laundering and terrorist financing risks at national level.
Although reg 20 of the Money Laundering Regulations 2007 already requires firms to undertake a risk assessment, there is no obligation to produce a written risk assessment. It is arguable that, for any risk assessment to be effective, it does need to be in writing.
The Fourth Directive will require firms to take appropriate steps to identify and assess their money laundering/terrorist financing risks, taking into account risk factors including customers, countries or geographic areas, products, services, transactions or delivery channels. There is a proportionality test.
The risk assessment must be documented, kept up-to-date and made available to the regulator on request.
Policies and procedures
The next step, having assessed the risks for your firm, is to implement policies, controls and procedures to mitigate and manage effectively those risks. The policies, controls and procedures should be proportionate to the nature and size of the firm.
The policies and procedures should include the same provisions as are set out in reg 20, with some additions.
Compliance management is included, and depending on the size and nature of the business, that will include the appointment of a compliance officer at management level.
Employee screening is also included, although this is obviously good practice at present. The Action Fraud website (www.actionfraud.police.uk) highlights the need to "know your employee” and examines some of the risks: for example, the Information Commissioner suggests that 80% of all data breaches involve employees in some way. There is further advice on how to manage and mitigate the risk of employee fraud from the Chartered Institute of Personnel and Development, as well as guidance from the Fraud Advisory Panel.
The policies and procedures should also include, when appropriate with regard to the size and nature of the business, an independent audit function to test the internal policies etc. Many larger firms will already have such a function in place, and there is no indication in the directive what size of business would require an independent audit function. However, firms may wish to consider the value of some form of independent audit function.
The current text also requires businesses to obtain approval from senior management for the policies and procedures to be put in place and to monitor and enhance measures taken where appropriate. This may be a useful requirement to ensure that senior management understand what the MLRO is trying to achieve and why, and should help to embed the compliance culture.
Solicitors are likely to be relieved that the main changes to CDD relate to simplified due diligence (SDD) and enhanced due diligence (EDD). There is a possible change in relation to ongoing monitoring which could see the removal of the words "where necessary" in relation to source of funds.
It is worth noting the recent proposal that firms will, when undertaking due diligence in relation to clients and beneficial owners, be required to verify that any person purporting to act on behalf of the client is so authorised, and shall be required to identify and verify the identity of that person. This has always been seen as good practice.
The original text saw the removal of all of the SDD exemptions, on the basis that they were too permissive and lenient. A number of exemptions have reappeared, for example businesses which are subject to requirements under the directive and which have effectively implemented those requirements.
The significant "reappearance" is the “pooled client account” provision. The amendments which have survived the committee and the Parliament vote maintain the status quo. This means that financial services institutions are able to apply simplified CDD to the third party beneficial owners of pooled client accounts held by solicitors, provided the information on the identity of the beneficial owners is available on request. It is hoped that the exemption will survive the further negotiations.
Where there is no blanket exemption, firms will have to assess clients as lower risk on a case-by-case basis, bearing in mind the risk factors relating to client and product, service, transaction or delivery channel as set out in annex II of the directive.
The most significant EDD change is the introduction of domestic PEPs (politically exposed persons), for example MPs, judges, high ranking armed forces officers. The EDD requirements in the current text are broadly the same as for foreign PEPs, i.e. the need to determine whether the client or the beneficial owner of the client is a PEP, obtain senior management approval, establish the source of wealth and source of funds and conduct enhanced ongoing monitoring. As with foreign PEPs, the provisions will apply to family members and known close associates. The requirement for enhanced measures to apply for at least 12 months after a PEP leaves office may be increased to 18 months.
Beneficial ownership registers
The most controversial and contentious requirement in the current text is the obligation for member states to maintain publicly available ultimate beneficial ownership (UBO) registers for both corporate entities and trusts.
At European level, there continues to be disagreement regarding public UBO registers. The UK Government is in favour of public registers for companies but not for trusts, while other member states oppose public UBO registers of any kind.
It is clear that this is an issue that will be discussed during the trilogue negotiations and therefore the final position is uncertain.
Under the current proposals, companies and trusts will be required to maintain adequate, accurate, current and up-to-date information on the company or trust and the beneficial owners. Information will have to be transmitted to a public central register which will be interconnected and accessible by supervisors/regulators and regulated businesses.
The information that companies will need to transmit will include the key identifiers, powers, directors, details of beneficial owners and contact details. The information that trusts will need to transmit will include the identity of the settlor, the trustees, the protector, and the beneficiaries or class of beneficiaries. There may also be a requirement to publish the trust deed and letter of wishes, subject to data protection issues.
The Department of Business, Innovation & Skills recently published its response to the consultation "Transparency & Trust” about enhancing the transparency of beneficial ownership. The proposals will require detailed information to be published on the beneficial owners of companies, but where companies have trusts as beneficial owners, only the names of the trustees will need to be publicly disclosed. Primary legislation is required to implement the proposals, as announced in the Queen's speech.
What should solicitors do next?
Although the final text will not be available for some time, this is an ideal opportunity to review current systems and assess whether they are working.
Solicitors may be concerned that there is a degree of complacency within their practices. Perhaps the CDD documents are given a cursory glance; perhaps the copies are not legible; perhaps the client risk assessment is haphazard; and perhaps there is a tendency to overlook the importance of ongoing monitoring.
Although the risk assessment is required by reg 20, it would be prudent for the MLRO to review the assessment to ensure that it covers all the practice’s risks and review how the practice will manage and mitigate those risks. The MLRO should start to think about what changes will be required by the revised regulations.
By reviewing the effectiveness of your current systems and whether your staff understand not only what they are supposed to be doing but why, you will be able to see what improvements are required to ensure compliance at present and identify what changes you will need to make in the future. If you think about how you will identify domestic PEPs and what systems you will put in place so that EDD is undertaken, you will be able to plan the changes. You may wish to investigate electronic verification, in which case the implementation process will take some time.
Your policies and procedures will need to be effective and proportionate, and include the additional requirements in relation to screening of employees. Firms should consider whether there is a need for a compliance officer at management level and an internal audit function, depending on the size and nature of the business. You will need to plan to provide training for employees on the changes to your policies and on the new regulations.
Although there will be amendments to the current text, there will be a Fourth Directive, there will be increased transparency regarding beneficial owners, there will be enhanced due diligence for domestic PEPs, and there will be a requirement for a written risk assessment. There is also concern, as evidenced by the proposal in the Serious Crime Bill, that solicitors are not taking AML as seriously as they should.
Consequently, preparing now for the Fourth Directive is not a waste of time. A well managed legal practice should be reviewing the effectiveness of its current systems, preparing for the CDD changes, assessing the likely impact of beneficial owner registers, updating their risk assessments and keeping up to date with information from the Law Society of Scotland, to protect the firm, the partners and the employees.
Alison Matthews is director of Alison Matthews Consulting Ltd and author of the AML toolkit published by the Law Society of England & Wales