The latest edition of the EU’s Anti-Money-Laundering Directive requires firms to not only comply with the new regulations, but also to justify their approach to compliance. The Fourth Anti-Money-Laundering Directive (AML4) recasts the existing Third Anti-Money-Laundering Directive (Directive 2005/60/EU) and the corresponding Implementing Directive (Commission Directive 2006/70/EC). It takes into account the 40 new recommendations adopted by the Financial Action Task Force.
AML4 has been transposed into UK law as the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. The scope of obliged entities now includes providers of gambling services, traders accepting cash payments above €10,000 and occasional transactions that constitute a transfer of funds – including money remittances – exceeding €1,000. Failure to comply will be extremely costly. Fines for financial or credit institutions will be up to €5m or up to 10% of a holding company’s annual turnover. And this does not take account of the inevitable reputational damage that would follow.
The biggest challenge arising from wider legislative measures is ensuring that robust data is maintained, that the business is able to produce this data in a format that meets all the differing reporting requirements and that it has the ability to monitor and comply with differing timetables for submission.
Implementation in the UK has increased the requirement for reporting and robust data gathering by all firms, not just those directly affected by the directive. The implementation of the people with significant control, or PSC, Register in 2016 applied to all UK companies registered in the UK. Another factor to consider is the emphasis on documentation and evidence – it is not enough to implement the changes if the firm’s documentation is inadequate.
So what are the main challenges faced by UK businesses looking to ensure compliance with AML4? It requires firms to be more thorough in adopting and documenting a risk-based approach, placing emphasis on customer due diligence and the vetting of politically exposed persons. Organisations must be able to provide evidence of why they have chosen either enhanced due diligence or simplified due diligence when on-boarding and monitoring customers.
Some of the changes – such as the requirement for a whole firm risk evaluation – will use data firms already have and may already have been dealt with as part of wider risk management processes. The identification of specific risk factors that must be covered means any existing processes will almost certainly need to be changed and that process will take time.
The previous requirements have been replaced with an even more risk-based approach. While this has its merits, it still means firms have to refine their policies, pass the message on to staff and support the procedures they put in place. “There are areas where the 2017 regulations are more prescriptive on client due diligence requirements, but we wouldn’t expect these to lead to large scale ‘de-risking’ by accounting firms,” clarifies David Stevens, integrity and law manager, ICAEW technical strategy department.
For those firms navigating overseas structures where ownership arrangements (and language) can differ from the UK, it is important that those involved in identifying the client and beneficial interests understand the local structure and the impact of any nuances from the UK framework. In addition, confirmation statements only showing percentage bands of significant control can make ascertaining effective control percentages problematic when looking at a multi-layered group structure.
Will the directive increase the costs associated with client due diligence?As institutions are required to provide evidence of why, in every case, simplified customer due diligence was chosen, they will have to look closely at their corporate structures. This may affect the duration of the client on-boarding processes and require additional investment in the know-your-client, or KYC, process.
The extension of politically exposed persons to include domestic individuals will increase the numbers for whom enhanced due diligence will be required. The requirement to identify politically exposed persons will almost certainly require firms to subscribe to a suitable database. Although small/sole practitioners can still take a risk- based approach to identifying PEPs.
Changing policies and procedures is a time-consuming process and the extension of situations in which enhanced due diligence will be required is unlikely to lead to a reduction in cases where enhanced due diligence is undertaken.
However, it is expected that – as with current AML and KYC processes – although many firms will still carry out paper checks, much of the compliance with new processes (including training) will be performed electronically and through industry standardised online processes if appropriate.
While enhanced due diligence when examining clients who are local politically exposed persons can lead to increased costs, as transparency rules have evolved so too have the automated solutions that enable businesses to meet due diligence requirements. Similarly, applying risk-based and case-specific determinations of whether simplified due diligence is sufficient need not be a costly exercise, provided businesses have in place risk assessment tools and procedures that enable them to determine which entities merit a closer look.
So, are more clients likely to be declined by professional services firms? AML4 is likely to benefit those who are employed in the professional services sector and have in-depth understanding of the various legislative changes and their application as well as providers of systems, tools and experience to support them, whether in-house or as external consultant/service providers.
There are also a number of technology firms developing systems that will be able to maintain data for their clients, which can then be submitted in the relevant format for differing jurisdictions, regulators or purposes.
Opinion is divided over whether the current changes will result in more clients being declined. Some experts observe that firms already conduct significant checks in the higher risk areas to avoid any possible involvement with individuals who may be involved in money-laundering activities and there is also the view that although the directive should increase the numbers of potential clients rejected, competent professionals should already know their client and be aware of those that are unsuitable.
The extent to which the necessity for an independent audit function to look at AML policies and procedures creates new business opportunities depends on the definition of “independent” adopted by the business.
The requirement for an independent audit function is proportionate to the size and nature of the firm, recognising that many smaller firms will not necessarily have an internal audit department, nor regular “cold” reviews. However, cold review programmes can be extended to include AML if they don’t already and these are often carried out by other accounting firms.
Some firms will seek to use their own in-house resources to perform most, if not all, of this review, while others will use the opportunity to obtain the truly independent view that external resources provide. The latter will seek the focus and expertise of those who can benchmark their efforts (and the legal and regulatory requirements) against whole sectors and industries.
Additional regulatory requirements and compliance inevitably create business opportunities for accounting and other professional firms in the form of training, compliance systems design, prevention of non-compliance and investigation of suspected compliance failure. Many regulated businesses will include increasingly rigorous AML reviews as part of their annual and periodic auditing, which will increase the cost of those services. Those businesses that wait for the risk and threat of non-compliance to become more immediate before taking action will discover that the cost of sorting out such problems in terms of professional fees will be of a far higher order than the normal cost of ongoing compliance reviews.