are you ready for the 4th eu aml directive? · • are aml/ctf risks identified appropriately...

Are you ready for the 4th EU AML Directive?

Breakfast Seminar

25th April 2017

© CCL Limited 2014 © 2017 CCL Academy Limited

Agenda

Introduction - Peter Haines, Global Head of GRC, CCL Academy

Overview of the Final Published Guidance - Emma Gordon, Partner, Eversheds Sutherland

Implications For Business - Bruce Viney, Global Head of FCC, CCL Academy

What a Review of Your Existing AML Policies and Systems Should Include - Carwyn Evans, MD Consultancy Services, CCL Compliance

Technology in Compliance - A New Era Dawns - Mark Dunn, Head of Entity Due Diligence and Monitoring, LexisNexis

Q&A


Welcome

Peter HainesGlobal Head of GRC, CCL Academy

An overview

25 April 2017

Emma Gordon

Partner

4th EU Anti Money Laundering Directive

Eversheds Sutherland | 25 April 2017 |

• Risk-based approach

• Beneficial ownership

• Politically exposed persons (PEPs)

• Impact on UK firms

Overview of 4th EU Anti Money Laundering Directive

5

Outline

The 4th Money Laundering Directive

Risk-based approach


• Member States are required to commission national risk assessments

• Firms are required to conduct AML risk assessments of their business and develop risk-based policies

• 4AMLD acknowledges measures should be adjusted according to level of risk presented in specific jurisdictions and sectors; clarifies situations when simplified CDD will be appropriate

• Risks are to be considered in light of variables set out in Annexes to 4AMLD

• European Commission acknowledged in July 2016 that Member States are not required to include specific list of EDD measures in national regulations

The risk-based approach in 4AMLD

7The 4th Money Laundering Directive


• Automatic exemptions no longer available

• Simplified due diligence not exemption from CDD

• Extra-territoriality

• The future for 5AMLD:

• Amendments in 5AMLD include strengthening 4AMLD’s provisions on applying enhanced checks towards high-risk countries (including by clarifying the type of enhanced vigilance to be applied)

• 5AMLD takes steps to harmonise EDD measures at EU level to avoid or limit risk of forum-shopping between Member States

The risk-based approach in 4AMLD (cont’d.)

8The 4th Money Laundering Directive

Beneficial ownership


Changes to beneficial ownership regime

10

• 4AMLD increases transparency around beneficial ownership of companies and trusts

• Identification of beneficial owner(s):• adequate, accurate and current information

• made readily available to national authorities and “obliged entities” (4AML Directive term for “designated bodies”)

• Procedure when beneficial owners cannot be identified

• Central registers of beneficial owners for natural and legal persons, in addition to information on trusts

• Controversial requirement: the idea was not present in the initial proposed draft from Commission, and was added by European Parliament later



Changes to beneficial ownership regime (cont’d)

11

• Proposed amendments in 5AMLD intend to improve transparency of beneficial ownership information by clarifying or strengthening certain of its features:

• What is registered

• Where the beneficial ownership is registered; and

• Who may access the information

• Amendments include making certain beneficial ownership information public, although this requirement may be subject to registration and payment of a fee

• PSC register


Politically exposed persons


Politically exposed persons (PEPs)

13

• Further to the Application Report, 4AMLD incorporated FATF’s revised recommendations on PEPs

• Extended definition of PEPs; includes domestic individuals with prominent positions in home country

• Due diligence procedure for extended definition of PEPs

• HM Treasury guidance

• Extension of time for monitoring risk

• FCA consultation on PEP guidance


Impact on UK firms

eversheds-sutherland.com©2017 Eversheds LLPEversheds Sutherland (International) LLP is a limited liability partnership

Emma Gordon

One Wood StreetLondon

EC2V 7WS

Partner

[email protected]


Implications for Business

Bruce Viney

Global Head of FCC, CCL Academy

[email protected]


Are We Nearly There Yet?


February 2017 Joint opinion on the risks of ML and TF in the EU

FS - FS is vulnerable to Money Laundering abuse due to:

Systems and Controls

• Individual business relationships too close and personal

• Policies generally ok but implementation poor

• CDD as a box ticking exercise

Risk Assessments

• Inadequate risk assessments due to lack of knowledge and experience

• Insufficient understanding of products and services risk

• Failure to understand risks of products and services

• Staff failing to identify higher risk factors

European Supervisory Authorities – Warning


Joint opinion on the risks of ML and TF in the EU FS:

Staff issues• Low priority for senior management

• Remuneration focused on profit not compliance

• Insufficient awareness and expertise

• Inadequate training

• Staff not following procedures

Other• Lack of senior management buy in

• Increased competition from foreign internet platforms with inadequate AML and CTF controls

• High risk transactions being driven underground

• Lack of access to law enforcement intelligence

• Regulatory arbitrage - Seeking authorisation in less stringent states

• Compliance cost is challenging for small firms

European Supervisory Authorities – Warning


Many tier 1 firms have most of these controls in place already

But they are clearly not working as needed

Two clear (big) actions are needed:

1. Ensure that all policies, procedures and controls meet the requirements of

the Directive

2. Ensure all staff have the knowledge, skills and attitude to ensure correct

and complete application of these.

So….Are We Nearly There Yet?


Risk - 139:36

The biggest challenge lies in understanding risk

Ensure policies, procedures and controls define risk and the CDD categories and actions required

Have a clear, usable framework for risk identification

Ensure controls support these

Remuneration linked to compliance as well as profit

Train staff effectively, often and measurably

Be clear risk is an ongoing exercise

Audit the application of risk measurement and related CDD actions


Risk

CDD systems need to reflect the risks of:

• Customer type

• Geographic area

• Products

• Services

• Transaction types

• Delivery channels

This means risk analyses must be carried out across these

areas for all businesses

Outcomes of the risk analyses must be incorporated into the

CDD controls


Risk

Existing clients need to be reassessed against the new risk

criteria

Monitoring systems and parameters may need to be

recalibrated

Procedures/controls must ensure large and unusual

transactions are identified and thoroughly investigated

Existing clients need to be reassessed against the change of

scope, e.g. Gambling services


Beneficial Owners

Must ensure accurate, adequate and current information on

Beneficial Owners

Onboarding procedures need to ensure complete and accurate

unwrapping.

Complex unwrapping passed to a specialist unit?

Procedures and controls must identify and reject shell

companies


PEPs

Controls must be in place to identify PEPs and those associated

with them.

Some banks have set up a ‘High Risk Persons Unit’:

• PEPs are sufficiently important and complex to require own unit

• PEPs are identified at onboarding

• All associated persons are correctly identified

• PEPs are continually tracked against clients and cross matched

• A PEP register is maintained and linked to the Beneficial Owner register

• PEP status is monitored and the register kept up to date


PEPs

Need appropriate measures for approval of business involving

PEPs

Training

• All relevant staff must understand, apply and follow up on CDD issues

relating to PEPs


Other

Tax evasion

• Tax evasion as a new predicate offence

• Policies etc. need to reflect this.

• Training on how to identify tax evasion; red flags etc.

Audit

• Depending on size and nature of business

• An independent audit function

• Used to check, verify and instigate corrections


AML Directive 5

An amending directive

Instigated due to 2016 terror attacks and Panama papers

The amendments will strengthen the following points:

• Designate virtual currency exchange platforms as obliged entities

• Set lower maximum transaction limits for certain pre-paid instruments

• Enable FIUs to request information on money laundering and terrorist financing from

any obliged entity

• Enable FIUs and competent authorities to identify holders of bank and payment

accounts

• Harmonise the EU approach towards high-risk third countries

• Improve access to beneficial ownership information

• Other minor changes


People – The Fundamental Control

The only control that really matters are people

All other controls are designed and implemented by people

People are the primary control failure point

Three key drivers for people:

• Training

• Remuneration

• Internal ethics (conduct)


People – The Fundamental Control – Training

The Directive requires that staff be adequately and regularly trained

Training must itself be risk-based

It must be timely

It must be targeted to need

Focus must be on behaviour

It must be effective and measured

It must be a priority

Box ticking training leads to box ticking compliance


People – The Fundamental Control – Remuneration And Conduct

Remuneration must reward compliant behaviour

And not reward non compliant behaviour

Wrongly focused remuneration undermines compliance controls

Right conduct is essential

This must be clearly defined in the organisation

Senior management must be seen to embody this

Regular and frequent reinforcement of good conduct is essential.


So… Are We Nearly There Yet?

FIs must ensure that they have met all the immediate

requirements

The impact on business of AML D 4 (and 5) is more than just

putting the controls in place

How these controls actually work will be the acid test

Much more needs to be done to focus on the people requirements


Training Support

If you need help with training your team on changes as a result of

the implementation of the 4th EU AML Directive, or more generally

in relation to Financial Crime Prevention contact CCL Academy’s

training team:

[email protected]

www.cclacademy.co.uk

0207 638 9830

© CCL Limited 2014 © 2017 CCL Compliance Limited

What a Review of Your Existing AML Policies and Systems Should Include

Carwyn Evans

MD Consultancy Services, CCL Compliance

[email protected]


How To Structure Your Review

Any firm subject to significant change in legislation or

regulation should conduct a thorough review, analysing the

impact of those changes on the business.

Your review should include the following elements:

Gap Analysis

Review of P&Ps

Assess RBAGroup companies

and reliance

Training


Gap Analysis

Begin your review with a Gap analysis, by assessing the impact that MLD4

will have on your business.

Understand your current state and define your target state by mapping your

current systems and controls against the coming legislation and regulations.

Some of the potential gaps to consider:

• Do your policies and procedures align with the new requirements?

• Are AML/CTF risks identified appropriately within your business?

• How will correspondent banking relationships impact my firm?

• Are your customers appropriately risk profiled, and thus managed accordingly?

• Does your current MI suite provide timely and relevant data to management?

• Is your training programme adequate for the forthcoming regime?

• Do you have sufficient resources to manage the key risk areas facing your business?


Policies And Procedures

Your policies and procedures need to be up to date without erroneous

references.

They must be risk sensitive in order to align with the risk-based approach.

Update the revised definitions within MLD4.

Update the SAR requirements in your documentation.

Ensure the PEP definitions and processes are aligned.

Policies and procedures should be approved and supported by senior

management in order to be implemented effectively.

Ensure that data retention processes are aligned with the 5 year retention

requirements

Ensure that all relevant staff have access to the policies and procedures.


Risk-based Approach

Your AML and CTF risk management framework should be subject to periodic

effectiveness reviews, which can also tie in with your preparedness for

MLD4.

Revisit your business risk assessment to ensure that it matches your

business and that it captures any changes to products or customers outlined

in MLD4.

Review your customer risk assessment, including risk scoring methodology

and override mechanisms.

Consider how the inclusion of domestic PEPs impact your existing controls.

Devise a sensible and appropriate risk-based monitoring programme.

Assign achievable periods for risk-based ongoing CDD.


Group Companies and Reliance

Consider whether your firm has any subsidiaries or branches that will get drawn into the equivalence requirements.

Review your distribution channels for incidence of referral customers from third parties.

Where you rely on 3rd parties, including Group members, to carry out your CDD for your customers, ensure that their standards and controls are equivalent to MLD4.

Also ensure that you can obtain the CDD information from the 3rd

party in a timely manner.

Where 3rd party reliance is in place, implement periodic supervision of the 3rd party and the effectiveness of its control provision.


Training

Training is a crucial element of controlling the risk of money

laundering and financing of terrorism.

Review the training programme within your organisation:

• Is it aligned with the MLD4 requirements?

• Does it include up to date definitions and references to the correct

regulations and legislation?

• Is the training risk-based enough?

• Is the training material tailored to the recipients?

• Consider whether firm-wide training is required to help embed the revised

AML control framework

• Do customer-facing employees need specific procedural training or

workshops?

• What should be the frequency of training?


Implementation Support

CCL’s team of expert compliance consultants can help your firm

by:

• Conducting a full review of your control framework

• Reviewing and updating your documentation

• Reviewing your policies and procedures

To discuss your Firm’s requirements contact Carwyn Evans,

[email protected], 0207 638 9830

Technology in compliance – a new era dawns

Insights into advancements in compliance technology

Mark Dunn

Segment Leader, Entity Due Diligence & Monitoring

LexisNexis Business Insight Solutions

43LexisNexis Business Insight Solutions

Entity Due Diligence and MonitoringTechnology to mitigate increasing business risks



World’s Biggest Banks Fined $321

Billion Since Financial CrisisBloomberg, March 2, 2017

British banks handled vast sums of

laundered Russian money The Guardian, March 20, 2017

Mitigating reputational risk


USA - “Comprehensive due diligence demonstrates a

genuine commitment to uncovering and preventing FCPA

violations.” A Resource Guide to the U.S. Foreign Corrupt

Practices Act (US DoJ, SEC)UK - “Most firms failed to demonstrate adequate systems and

controls for assessing bribery and corruption risks in relation

to dealing with and monitoring third party relationships, such

as relationships with agents or introducers.” Thematic Review

(UK Financial Conduct Authority,)

USA - “An effective risk management process throughout

the life cycle of the relationship includes…proper due

diligence in selecting a third party.” Extract from Third-Party

Relationships Risk Management Guidance (US OCC)

UK - “The commercial organisation applies due diligence

procedures, taking a proportionate and risk based

approach, in respect of persons who perform or will

perform services for or on behalf of the organisation, in

order to mitigate identified bribery risks.” Extract from

Bribery Act 2010 Guidance (UK Ministry of Justice)

UK - “Reasonable procedures for undertaking due diligence

on potential projects, acquisitions, business partners, agents,

representatives, distributors, sub-contractors and suppliers”Extract from Deferred Prosecution Agreements Code of Practice

(UK Serious Fraud Office, Crown Prosecution Service)

UK - “Due diligence processes and reporting are essential

management tools that improve risk identification and long-

term social, environmental as well as financial performance”Transparency in Supply Chains etc. A practical guide

(Guidance issued under section 54(9) of the Modern Slavery Act

2015) (UK Home Office)

JAPAN - “Management thereof comply with requirements

for due diligence and continuous monitoring as specified”Extract from Comprehensive Guidelines for Supervision of

Financial Instruments Business Operators, etc. (Securities

Business Division, Supervisory Bureau, Financial Services Agency)

JAPAN - “Execution of due diligence regarding a joint

venture partner company” Extract from Anti-Corruption

Guidance (Japan International Cooperation Agency)

AUSTRALIA - “The body corporate proves that

it exercised due diligence to prevent the

conduct, or the authorisation or permission. ”Extract from Criminal Code Act 1995 (ComLaw)

BRAZIL - “To decrease the chances that the company may

become involved in cases of corruption or fraud in tenders

and contracts, depending on the actions of third parties, it is

important to adopt appropriate checks for contracting and

supervising suppliers, service providers, intermediaries and

associates, among others, primarily in situations of high risk to

integrity” Extract from Brazil Clean Company Act Integrity Program

Guidelines for Private Companies (Merrill Brink translation)

SWEDEN - “Companies shall have knowledge

of, and when needed, perform a due diligence

review and verify the integrity of agents and

other cooperation partners before agreements

are executed or other forms of cooperation

commenced.” Extract from Code of Business

Conduct (The Swedish Anti-Corruption Institute)

SWITZERLAND - “Particular due diligence has

to be applied for the selection and assignment

of local agents.” Extract from Preventing

corruption – Information for Swiss businesses

operating abroad (State Secretariat for Economic

Affairs (SECO))

NEW ZEALAND - “Due diligence is an

important part of good corporate governance

and as such, due diligence with respect to

corruption prevention will often form part of an

organisation’s wider due diligence model” Extract from Saying No to Bribery and Corruption - A

guide for New Zealand Businesses (Ministry of

Justice)

Mitigating regulatory risk


Transparency InternationalCorruption Perceptions Index (January 2017)

Perceived as

high risk

Strategic

Ensure ongoing business process efficiency and support effective

execution of business strategy to sustain competitive edge

Mitigating financial and strategic risk

Real GDP GrowthIMF Data Mapper (October)

High growth

Financial

Mitigate the risks of financial penalties, debarment and loss of

business


How does RegTech help?Evolving technology to drive compliance

efficiencies


Efficiency and collaborationTechnology that allows more efficient methods of sharing information

Feedback Statement: Call for input on supporting the development and adopters of RegTech

(Financial Conduct Authority, July 2016)

Alternative reporting methods

Technology that allows data to be provided (or taken) in a different

way.

The cloud/cloud computing

On-demand computing services delivered over the Internet.

Online platforms

Technology that helps different parties communicate.

Shared utilities

Technology that allows firms to share services (such as a Know Your

Customer utility) via the cloud and/or online platforms. Shared

solutions can reduce the burden and regulatory costs for the industry

by increasing scalability and flexibility.

RegTech Primary Themes




Semantic tech and data point models

Technology that converts regulatory text into a programming

language

Application Programme Interface (API)

Technology that allows systems to interact consistently, in

this case over the internet.

Shared data ontology

A formal naming and definition of the types, properties, and

interrelationships of entities.

Robo-Handbook

A more interactive FCA Handbook better tailored to the

firm’s permissions could make compliance and reporting

requirements clearer.

Integrate, standardise and understand Technology that drives efficiencies by closing the gap between

intention and interpretation





Big data analytics

Advanced analytics solutions that can interpret vast amounts of

structured and unstructured data that could be stored in ‘data lakes’

(storage repositories).

Modelling/visualisation technology

Technology that allows the simulation of actions and interactions to

assess their effects on the system as a whole.

Risk and compliance monitoring

Technology that allows an always-on, non-invasive surveillance of

transactions, behaviour and communications.

Machine learning and cognitive technology

Technology that learns from data and pattern recognition to refactor /

change algorithms (e.g. artificial intelligence).

Predict, learn and simplify Technology that simplifies data, allows better decision making and

the creation of adaptive automation





Blockchain/distributed ledger

This securely records and encrypts verified data that can be

safely shared across a network held in a distributed database.

Biometrics

Technology that measures and analyses people’s physical and

behavioural characteristics.

Inbuilt compliance

Regulatory requirements can be coded into automated rules

applied when relevant.

System monitoring and visualisation

Technology that captures and traces all messages created by

systems and their interactions.

New directions Technology that allows regulation and compliance processes

to be looked at differently



Entity Due Diligence and

MonitoringAligning resources to risk assessment and mitigation


Develop a consistent and efficient process


• Customer risk factors (A, B, C)

• Countries and geographic areas factors

• Products, services and transactions risk factors

• Delivery Channel Risk Factors

Aligning technology resources to risk assessment

Extract: JMLSG Guidance :2017 REVISION Draft/14 March 2017 (Consultation closes 28th April, 2017)

(Joint Money Laundering Steering Group, March 2017)

A. Business or professional activity

For example: Does the customer or beneficial

owner have links to sectors that are associated

with higher corruption risk, such as

construction, pharmaceuticals and healthcare,

arms trade and defence, extractive industries

and public procurement?

B. Reputation

For example: Are there any adverse media

reports or other relevant information sources

about the customer? For example, are there

any allegations of criminality or terrorism

against the customer or their beneficial

owners?

C. Nature and behavior

For example: Is the customer’s ownership and

control structure transparent and does it make

sense? If the customer’s ownership and control

structure is complex or opaque, is there an

obvious commercial or lawful rationale?


Risk

Assessment

Due Diligence Resources

Low

Hig

h

Hig

h

Individual

Subscription Services

Aggregated

subscription services

Outsourced solutions

Proprietary/Integrated solutions

Aligning technology resources to risk assessment


Due Diligence Tasks

Anti-Money Laundering

Anti-Bribery & Corruption

Supplier Risk Management

Mergers & Acquisitions

Sponsor/Donor

Customer due

diligence

Third-party due

diligence

Supplier due

diligence

M&A due

diligence

Third=party due

diligence

Identity

VerificationVerify individual’s identity ��

Corporate

Registers

Verify company keydata, management

team, corporate and ownership structure��

Sanctions & Warnings

Check and monitor if company,

subsidiaries, directors or owners are

sanctioned or on regulatory or law

enforcement watch lists

��

Politically Exposed

Persons

Check and monitor if directors or owners

are PEPs with government connections at

risk of corruption

��

Negative NewsCheck and monitor reputation risk against

media archives��

LegalCheck for any legal cases that flag

potential risks ��

Aligning technology resources


Checklist

1. Set clear requirements and objectives and define ROI

2. Try before you buy (trial/test/compare/benchmark)

3. Prepare for change (scaleable, flexible tech/integration)

4. Leverage integration and customisation options

5. Consider level of IT commitment needed

6. Consider local language availability

7. Ensure sufficient training and support available

8. Generate management intelligence and audit data

9. Build in regular reviews with business stakeholders

10. Build in regular reviews with vendors

Third-party due diligenceWork towards a consistent and efficient due diligence

process

Develop a consistent process


Resources

Pop by our stand downstairs to pick up your free copy of our AML Directive, Beneficial Ownership, or Cloud outsourcing whitepapers.


We help our customers mitigate business risks, meet their strategic

goals and regulatory requirements.

Our due diligence solutions are efficient, flexible and cost-effective.

We deliver interconnected and flexible product modules aligned to

the customer workflow including:

• PEP, watch list and negative news screening

• Enhanced due diligence and reporting

• Media monitoring of supply-chain and third-party risk (PESTLE)

• Outsourced due diligence, compliance and risk advisory

• Content integration and data feeds into proprietary systems

Contact us for a free trial or demonstration of our compliance and due diligence solutions:

0207 400 2809 / www.bis.lexisnexis.co.uk / [email protected]

LexisNexis Business Insight Solutions

61LexisNexis Business Insight SolutionsFor further information, please contact us on: t +971 4 323 0800 e [email protected] www.cclacademy.com

Thank you for attendingClick to edit Master title styleQuestions for the Panel?

Peter Haines - Global Head of GRC, CCL Academy

Emma Gordon - Partner, Eversheds Sutherland

Bruce Viney - Global Head of FCC, CCL Academy

Carwyn Evans - MD Consultancy Services, CCL Compliance

Mark Dunn - Head of Entity Due Diligence and Monitoring,

LexisNexis

For further information, please contact us on: t +971 4 323 0800 e [email protected] www.cclacademy.com

Thank you for attendingClick to edit Master title style

w: http://bis.lexisnexis.co.uk/

e: [email protected]

w: www.cclacademy.co.uk

e: [email protected]

Thank you for attending

are you ready for the 4th eu aml directive? · • are aml/ctf risks identified appropriately...

Documents