On 16 December 2020, the Central Bank of Ireland (“CBI”) issued a "Dear CEO" letter (the “Letter”) highlighting anti-money laundering (“AML”) compliance issues that Irish SPVs that are Schedule 2 Firms (so-called because they carry out one or more of the activities specified in Schedule 2 of the Criminal Justice Act 2010) should be monitoring with care. Schedule 2 Firms would include, for example, Irish SPVs that are involved in activities such as lending, debt factoring or finance leasing.
Appendix A to the Letter sets out the CBI’s findings, as well as its expectations, in various categories.
Board Oversight and Governance
Firms should be able to demonstrate that AML is a regular agenda item at meetings of the board of directors (the “Board”) and that they have a framework in place for monitoring and identifying updates to relevant legislation. They must have a process in place to ensure timely updates to their framework to ensure on-going compliance.
When outsourcing any AML activities, firms must have written agreements clearly setting out the obligations and responsibilities of the parties, including of the Board. The Board must be able to demonstrate that it has full oversight of outsourced activities and ensure that the Money Laundering Reporting Officer (“MLRO”) appointed must have a direct reporting line and access to the Board providing sufficiently detailed reports on a frequent basis. Firms must also be in a position to evidence that they are actively monitoring the progress of any management action points resulting from reviews conducted.
AML Business-wide Risk Assessment
Where a firm relies on a third party (or parent entity) to conduct its AML business-wide risk assessment on its behalf, it must relate to the risk and controls associated with the firm itself and not solely those associated with the third party (or parent entity).
Firms must document their consideration of the money laundering (“ML”) / terrorist financing (“TF”) and financial sanctions (“FS”) risks pertaining to their specific business, being mindful of the nature, scale and complexity of their business.
The AML business-wide risk assessment must be reviewed at least annually. The consideration and approval by the firm’s Board of this AML business-wide risk assessment must be formally evidenced.
AML Policies and Procedures
Firms must ensure that the AML / counter financing of terrorism (“CFT”) policies and procedures in place are tailored to and reflect the specific customers and business activities and the associated risks inherent to the firm and consistent with Irish legislative requirements.
Firms must ensure that policies and procedures are subject to review on at least an annual basis and are updated and reviewed more frequently as and when required.
Consideration and approval of the AML / CFT and FS policies and procedures by the Board must be satisfactorily evidenced.
Customer Due Diligence
Firms must consider the identity of their customers. The Letter seems to suggest that “loan noteholders” may be customers of a firm, and that firms must consider AML risk arising from loan noteholders and borrowers and must conduct appropriate due diligence in accordance with the level of risk. The suggestion that “loan noteholders” may be customers of a firm is likely to cause much confusion, as most firms will view their customers as the entities to whom they have advanced loans. Firms should ensure customer due diligence policies and procedures are appropriate, up-to-date and in-line with Irish legislative obligations.
Politically Exposed Persons (“PEPs”) and FS
Firms should ensure appropriate policies and procedures are in place to identify and escalate PEP and FS alerts, including the process and appropriate reporting lines to be followed. Where screening tools are relied upon, firms should ensure appropriate oversight and ongoing assurance testing and monitoring is in place to ensure they are fit for purpose.
Suspicious Transaction Reporting (“STR”)
Firms should have sufficiently detailed policies and procedures to assist officers in fulfilling their obligations and escalating suspicions, including the personnel to whom suspicions should be raised / reported.
Where third parties are being relied upon to provide AML and FS services, the firm should ensure the third party is subject to the appropriate level of oversight.
The levels of STRs being made by the firm should be regularly reported to the Board.
Training
Training materials should be tailored to the activities of the firm and should be reflective of the standards and practices that the firm should be exhibiting to meet its obligations.
Training processes should be reviewed to ensure that the appropriate level of training is being received by all staff and directors, consideration is required as to the necessity for bespoke training for customer facing staff, directors and senior management of the firm.
Training materials should be kept up-to-date and in line with Irish legislative requirements.
Conclusion
The focus of the Letter, insofar as it applies to SPVs, is clearly on those Irish SPVs who have registered with the CBI without having taken the appropriate time and consideration to put in place tailored and bespoke AML policies and procedures, an AML business-wide risk assessment, and relevant tailored outsourcing agreements on AML beforehand. Firms who use generic documents which are not adequately tailored to the specific AML risks arising from their particular business model will face many of these criticisms if they register and are then inspected by the CBI. Our advice is that each Schedule 2 firm should carefully take time to design and implement bespoke AML compliance arrangements prior to or at the time of registering with the CBI and that such arrangements are kept up-to-date and under constant review. Matheson has assisted a large number of clients to do this during 2020 and can advise you on the many issues to be considered and best practice in this area.
For further information, please contact Alan Keating, Joe Beashel, Christian Donagh, Turlough Galvin, or your usual Matheson contact.