Central Bank Report on Anti-Money Laundering/Countering the Financing of Terrorism and Financial Sanctions Compliance in the Irish Banking Sector
Central Bank Report on Anti-Money Laundering/Countering the Financing of Terrorism and Financial Sanctions Compliance in the Irish Banking Sector
1. Background to the Report
The Central Bank of Ireland (CBI) has published its Report on Anti-Money Laundering/Countering the Financing of Terrorism and Financial Sanctions Compliance in the Irish Banking Sector. The Report sets out the deficiencies identified by the CBI in respect of five specific areas, along with its expectations, to further compliance in this area. The CBI expects all financial and credit institutions to consider the issues set out in the Report and to use these to develop their Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) and Financial Sanctions (FS) frameworks accordingly. While this Report deals only with the Irish banking sector, the CBI would hope that all financial and credit institutions would apply the issues raised.
2. Key Findings set out in the Report
The Report is broken down into five key areas, namely:
(a) Governance and Compliance;
(b) Customer Due Diligence;
(c) EU Financial Sanctions;
(d) Identification and Escalation of Suspicious Transactions; and
(e) Testing of AML/CTF and FS systems
Some of the inadequacies that have been identified by the CBI for each of these areas are discussed below.
2.2. Governance & Compliance
According to section 54(1) of the CJA 2010, banks must adopt policies and procedures to prevent and detect the commission of Money Laundering/Financing Terrorism (ML/FT). Some inadequacies detected by CBI under the remit of Governance & Compliance, along with its expectations for improvement include the following:
- Incomplete and not sufficiently detailed risk assessments, which are not being reviewed and approved periodically. In some cases, risk assessments do not adequately record risks and are often just a once off exercise.
CBI expects that risk assessments would include the identification and analysis of ML/FT risks and that these assessments should be consistent across all business units. Identified risks should carry a risk rating and should identify gaps with action plans to address such gaps. Importantly risk assessment process should be overseen by the MLRO and cover all aspects of the Criminal Justice Act) 2010 (CJA).
- Policies and procedures are not subject to regular review and some are not sufficiently documented to demonstrate where current policies are appropriate and effective to manage such risks. Some contain out of date information and have not been fully implemented across the whole business.
CBI expects that policies and procedures would be readily available to all staff. They should have clearly defined processes and should be reviewed regularly to respond to events or emerging risks. They should also be subject to independent review and training.
- Training records were not sufficient to show who had completed training. Not all Board Members had completed on-going AML/CFT training.
CBI would expect that training would be provided for all new hires and on an (at least) annual basis thereafter for all staff. Training content should be updated on a regularly basis and it should include an exam or assessment. Training records should be maintained.
2.3. Customer Due Diligence (CDD)
Banks are required to identify and verify customers before the establishment of a business relationship or carrying out a transaction or service. Some of the deficiencies identified in current due diligence processes are as follows:
- In terms of on-going monitoring of customers, there is often a failure to update CDD information and reassess the risk. There is insufficient guidance on the frequency with which CDD information should be renewed. Procedures lack clarification on how to handle the identification and approval process for continuing a relationship with a newly identified politically exposed person (PEP).
CBI expects that there would be a daily screening of all customers to identify new PEPs. There should be in place a system where high risk customers are reviewed on a regular basis. Customer contact should be used as an opportunity to update CDD information.
- In the context of on-boarding new customers, risk assessment is based on subjective questions, which in turn leads to inconsistency. Policies do not include the requirement to verify and identify Source of Funds and Source of Wealth. There has been a failure to apply Enhanced Due Diligence (EDD) to high risk customers.
CBI expects that EDD would be applied to customers deemed to be higher risk. Customer and beneficial owner's identification and verification procedures should include operational requirements for on-boarding. There should be policies set, which would deal with the circumstances under which the bank will not accept a new business relationship or would terminate an existing one.
2.4. EU Financial Sanctions
FS are generally implemented into Irish law autonomously at EU level. Banks must ensure that they comply with all applicable FS. CBI assessed the banks' compliance with FS, making the following observations:
- Policies and procedures do not provide enough detail to gauge the banks' compliance programme requirements. None of the banks conducted FS screening of the full customer database against the full FS list on a regular basis. Banks were not always screening persons or entities associated with sanctioned persons. IT assurance testing rarely took place.
CBI expects that the Banks' FS policies and procedures will address these issues in the future.
2.5. Identification and Escalation of Suspicious Transactions
Section 42(1) of CJA 2010 requires a designated person who knows, suspects or has reasonable grounds to suspect that a person is engaged in a suspicious transaction, to report this to An Garda Siochána and Revenue Commissioners as soon as practicable. Some of the deficiencies identified are as follows:
- Failure to report as soon as practicable, failure to document the process of block an account or freezing a transaction on receipt of a court order. There were instances where there were not adequate resources to meet the amount of alerts and suspicious transaction reports generated.
CBI expects that policies in the Bank would provide employees with a description of their obligations to report. The process of investigating and determining whether to report a suspicious transaction should be completed by a centralised unit, to ensure a consistent process. If suspicion is not reported, the reasons for not doing so should be documented.
2.6. Testing of AML/CFT and Financial Sanctions Systems
Given that Banks use systems to facilitate the management and monitoring of ML/TF risks and Financial Sanctions, it is important that these systems are operating correctly and effectively. The key deficiencies identified are as follows:
- Banks only performed very limited IT assurance testing on systems and controls.
CBI expects that firms conduct regular IT assurance testing in relation to general controls relating to the use of automated AML/CTF/FS systems, controls relating to transaction monitoring, controls relating to screening and filtering systems and case management systems, controls relating to case management systems and controls relating to data sources to feed AML/CFT and Financial Sanctions systems.
3. Conclusion
Domhnall Cullinan, head of Anti-Money Laundering at the CBI noted that 'satisfactory processes and controls were found in place in areas. However, the number and nature of issues identified suggests that more work is required in Ireland to effectively manage Money Laundering and Terrorist Financing risk'. The CBI would hope that its observations and expectations would be taken on board by all financial and credit institutions in Ireland, in order to enhance their AML/CFT and FS frameworks.
For further information please contact Kevin Allen, Partner, Financial Regulation.
Date published: 26 February 2015