Author: Peter Oakes is an experienced anti-financial crime, fintech and board director professional.
The ASX Market Announcement says:
"EML PAYMENTS LIMITED (ASX: EML) ('EML') refers to its request for a trading halt dated 17 May 2021. EML advises that its Irish regulated subsidiary, PFS Card Services (Ireland) Limited ('PCSIL'), has received correspondence from the Central Bank of Ireland ('CBI'), including a letter received on Friday 14 May 2021 (Australian time) raising significant regulatory concerns ('Correspondence'). The CBI is the relevant regulator in Ireland. The CBI's concerns relate to PCSIL's Anti-Money Laundering / Counter Terrorism Financing ('AML/CTF'), risk and control frameworks and governance. The Correspondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013. The Correspondence does not concern EML's Australian or North American operations, or the operations of PFS' UK subsidiary ('Prepaid Financial Services Limited' which is incorporated in England and regulated by the FCA), or EML's other Irish regulated subsidiary ('EML Money DAC')."
ASX Announcement in PDF and at source.
The Financial Times reported that "EU policymakers round on Lithuania for lax fintech oversight" (18 May 2021).
In response, Lithuania’s central bank insisted it was not “asleep at the wheel” over its regulation of a local fintech that prosecutors suspect was used to steal more than €100m from Wirecard before it collapsed, and called for greater global sharing of information on financial crime among supervisors. On 19 May, the Financial Times wrote "Lithuanian central bank rebuffs Wirecard criticism" (19 May 2021). Read more at FintechLithuania.com
UK FCA Dear CEO Letter - Emoney Firms ensure customers understand how their money is protected
18/5/2021
On Tuesday 18th May 2021, the UK Financial Conduct Authority issued a Dear CEO Letter to Electronic Money Institutions headed "Please act: ensure your customers understand how their money is protected."
You can read a copy of the letter here. Some interesting excerpts from the letter below:
What is the UK FCA concerned about?:
Action expected of emoney firms by the FCA:
Note the FCA point that the communication to customers be separate from any other messaging or promotional activity, and that the FCA expects emoney firms to consider the appropriate method(s) of communication based on their business model and customer base, including any vulnerable customers.
Why should emoney firms action the letter?: Because the FCA intends to follow up, with a sample of firms, to assess the actions taken. Contact the team at CompliReg if you require assistance.
“At the heart of our plans are more harmonised rules and a new AML Authority at EU level. The idea is to have common standards, common application and common supervision of our rules. That is as it should be in a single market.”
European Union Commissioner Mairead McGuinness gave a speech yesterday (Monday 17th March 2021) at the AMLintelligence.com Boardroom Series. Like other non-executive directors of regulated companies (obliged entities/designated persons), I took the time to read through the speech. Issues which caught my eye, relevant not just for traditional financial services but also for innovative ones like fintech, are:
A) Introduction:
B) AML Package: "At the heart of our plans are more harmonised rules and a new AML Authority at EU level. The idea is to have common standards, common application and common supervision of our rules. That is as it should be in a single market." Firstly,
Secondly,
If you are wondering about the impact this will have on the direct supervisor of the financial sector, this is what Ms McGuinness said:
How will the new Authority be funded?:
Why does the new AML Authority come to life?:
C: Other AML action:
"So these are busy times in the AML field. I genuinely believe that the work that we are doing now will lay solid foundations for a robust EU anti-money laundering and counter-terrorist financing regime which will stand the test of time. It is an absolutely vital task."
Copy of Speech is located here.
LinkedIn Post Here - https://www.linkedin.com/posts/peteroakes_virtualassets-finserv-regulation-activity-6800460598539816960-UBgz
The Bank of Lithuania has issued a Dear CEO letter to the managers of electronic money and payment institutions operating in Lithuania, presenting its expectations on the improvement of governance and internal control as well as strengthening of compliance culture.
“We are constantly and decisively seeking to achieve the sector’s maturity. We require quality not only in the provision of services, but also in compliance with the legal requirements, and will do so in the future. The rate of a company’s business expansion should correspond to its readiness to comply with operational requirements. Company managers are personally responsible for ensuring this compliance. In conducting financial market supervision, we will devote more attention to the assessment of the work and personal responsibility of the management,” said Jekaterina Govina, Director of the Financial Market Supervision Service of the Bank of Lithuania.
More: https://www.lb.lt/en/news/bank-of-lithuania-presented-a-dear-ceo-letter-to-fintech-companies
Minister McGrath publishes Ireland's General Scheme of Protected Disclosures (Amendment) Bill
14/5/2021
The Minister for Public Expenditure and Reform, Mr Michael McGrath TD, today published the General Scheme of the Protected Disclosures (Amendment) Bill following approval by Government earlier this week. The purpose of this Bill is to provide for the transposition of the EU Whistleblowing Directive into Irish law. Ireland is one of just 10 EU Member States to already have comprehensive legal protections for whistleblowers in the form of the Protected Disclosures Act. The Act will be amended to give effect to the Directive and to further enhance and strengthen the protections it provides. This means that volunteers, unpaid trainees, board members, shareholders and job applicants will all come within the scope of the Protected Disclosures Act for the first time. Private sector organisations with 50 or more employees will be required to establish formal channels and procedures for their employees to make protected disclosures, just like the public sector.
Published Scheme available here
Source: www.gov.ie/en/press-release/d263a-minister-mcgrath-publishes-general-scheme-of-protected-disclosures-amendment-bill/#
"The measures will also give added confidence to the whistleblower that they will not be forced to prove that they were penalised for doing the right thing. The full Bill will now be drafted and I look forward to bringing it through the Oireachtas in due course. In the meantime I look forward to hearing the views of Oireachtas colleagues and key stakeholders on the General Scheme of the Bill being published today."
Less than a week ago there was no readily accessible and publicly available data (in one spot) for historic figures on the number of money laundering suspicious transaction reports in Ireland. To assist my GRC network, which asks me regularly about such data, I put out a few posts on LinkedIn, including this one - https://bit.ly/3o8JvCt. I received some responses and comments politely querying the accuracy of my figures. In reply I posted the underlying sources, being the Garda (Irish Police) / FIU Ireland and the Financial Action Task Force. At the time, the only available data for 2020 was by journalist Conor Lally, at the Irish Times in his article of 4 May 2021.
Jump forward to today (or perhaps it was yesterday as there is no date), the Financial Intelligence Unit in Ireland published the above image and a three (3) page report providing details on STRs Received (2000-2020). If you visit that site and the data does not appear, no problem, I have uploaded the file here. I am glad to see that my data and that of the FIU match for the years 2000, 2001, 2003 & 2004. For 2002 I have 4,390 v FIU figure of 4,397 and for 2005 I have 10,735 v FIU figure of 9,698 (hardly material). Still I find this strange as my figures were sourced from Garda & FATF reports at the time. When I published the 2020 figure of 28,865, that was based on the above Irish Times article which was published at least 10 days before the FIU publication which reported 29,631 (2.5% difference - or a rounding error!).
Thanks to Steven Meighan for his LinkedIn post yesterday (11 May 2021) and previous engagement on money laundering STRs. A good thing about LinkedIn is that it gets people engaged & often leads to great outcomes, like the publishing by the FIU / Garda of such comprehensive data for the first time in one consolidated document and easily accessible. We all now have an agreed historical set of facts and figures, and given it is published by FIU Ireland, it's official data.
Other areas of the FIU release which caught my eye are:
“The EBA recalls that a proper risk assessment must include such considerations and cannot be a blind instrument used to get rid of risky clients,” Peter Oakes, former director of enforcement and AML at the Central Bank of Ireland
European Union, United Kingdom
May 11 2021, by Gabriel Vedrenne, ACAMS
Banks and national regulators should adopt a more finely tuned, risk-based approach towards compliance and supervision to prevent the wholesale offloading of money services businesses and other categories of clients they view as inherently prone to illicit finance. After publishing more than 400 pages of guidance this month to help financial institutions adopt a more nuanced system for evaluating financial crime-related risk, the European Banking Authority clarified Monday that its intent was to combat the now decade-long de-risking phenomenon, not exacerbate it. “De-risking can be a legitimate risk management tool in some cases but it can also be a sign of ineffective ML/TF [money laundering and terrorist financing] risk management, with severe consequences,” the EBA said Monday. “It has become apparent that more comprehensive action is needed to address unwarranted de-risking.” Since the beginning of March, the EBA has listed the threats of money laundering and other crimes affecting the European Union, issued new guidelines on key aspects of risk-based compliance and formally requested feedback on future guidance for risk-based supervision. Nonprofit groups, especially those in warzones, and asylum seekers without standard due-diligence records, often lack financial services, but the impact of de-risking is much broader, the EBA claimed Monday. MSBs and other cash-intensive businesses also suffer from overly cautious banks, as do firms whose products facilitate anonymity, such as prepaid card providers. Real estate companies struggle to open and maintain bank accounts, according to the EBA, as do cryptocurrency exchanges, e-money issuers and other firms in emerging sectors that banks perceive as having limited knowledge of anti-money laundering compliance. 
“The EBA recalls that a proper risk assessment must include such considerations and cannot be a blind instrument used to get rid of risky clients,” Peter Oakes, former director of enforcement and AML at the Central Bank of Ireland, told ACAMS moneylaundering.com after reviewing Monday’s statement. “Financial institutions must be prepared to answer questions about it.” Many banks in Europe have grown reluctant to handle the transactions that back remittances to the world’s poorest countries, and now even hesitate to serve real estate agents, soccer clubs, corporate services providers and other parties whose risks they consider unmanageable. De-risking has also reached U.S. financial institutions and drawn the attention of the Treasury Department’s Financial Crimes Enforcement Network, which encouraged banks in guidance seven years ago to rethink any decision to shun the remittance industry. “The Bank Secrecy Act does not require, and neither does FinCEN expect, banking institutions to serve as the de-facto regulator of the money services business industry any more than of any other industry,” FinCEN advised in 2014. “It is not possible for a bank to detect and report all potentially illicit transactions that flow through an institution.”
Reputations to consider
A mindset of corporate social responsibility has also led to the termination of accounts and services for companies in industries perceived as risky “from an environmental, security or health perspective,” such as tobacco, weapons and coal. According to the EBA, this trend has had the perverse effect of encouraging rejected clients to turn to institutions in jurisdictions with lax AML supervision, or worse, to underground banks and other informal channels that operate beyond government supervision. “The risk associated with individual business relationships may vary, even within one category,” the EBA warned Monday.
“The application of a risk-based approach … does not require financial institutions to refuse, or terminate, business relationships with entire categories of customers that are considered to present higher ML/TF risk.” National regulators should address the trend by improving their grasp of sectoral risks, and pay more attention to the affected industries to restore the trust of banks, the EBA recommended. “This may include increased supervisory activities in the sector or additional guidance to the sector,” the regulator suggested. “Furthermore, the EBA encourages competent authorities that have not yet performed an assessment of de-risking in their jurisdictions to consider performing such an assessment.” Several national regulators, including France’s Prudential Supervision and Resolution Authority and Britain’s Financial Conduct Authority, have sought to address de-risking through guidance, public statements and technology. Since 2011, the Central Bank of Ireland has collected more data on the operational risks of affected businesses through its “Probability Risk and Impact SysteM,” or PRISM, and by requiring financial technology-centric firms, also known as fintechs, to provide more details on their business models than other regulated institutions. But the extent of de-risking varies greatly across Europe, said Oakes, now a consultant in Dublin. “Data is the key, and not everyone collects and analyzes the same amount at the same level,” Oakes said. 
“As EU institutions operate within a framework aimed at reducing regulatory arbitrage and supervisory divergence, it is only a matter of time before uniform operational rules emerge for the entire bloc, even more with regards to the plan to create an EU-wide supervisor.” In the interim, the EBA encouraged banks to find a path to engage with high-risk clients, such as by adjusting the level and intensity with which they monitor them, or by offering them only basic financial products and services to reduce their exposure to financial crime. De-risking has also appeared on the agenda of the Financial Action Task Force, which sets global AML standards. The intergovernmental group launched an initiative last month to study and mitigate the consequences of incorrect implementation of its recommendations for a risk-based approach. Source: https://www.lexology.com/library/detail.aspx?g=4e1d9412-d4d5-475d-8cbf-ca0c0fcf4681 See also - https://www.lexology.com/library/detail.aspx?g=eef962ad-80bc-43ed-aece-5c19595ad4a9
The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings and expected Actions following a Thematic assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MIFID II.
1. Governance – Deficient control and risk management frameworks: Varying levels of maturity were observed with respect to firms’ governance, control and risk management frameworks. Supervisors observed weaknesses with respect to:
The Central Bank considers the maintenance of a robust algorithmic governance and oversight framework to be of paramount importance in enabling firms to identify, monitor and mitigate the risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part of its overall governance framework and decision-making framework, an investment firm should have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit.
2. Development and Testing - Lack of formal documentation with respect to development, testing and deployment processes: Supervisors observed strong development, testing and deployment controls. However, significant disparities were identified between firms with respect to the level of detail pertaining to documentation on development, testing and deployment processes most notably:
3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence: While it was evident that certain firms had appropriately skilled and resourced second lines of defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence model”. It is important that firms have a robust model in place, with clear delineation between each line i.e. the business, the risk management functions and the internal audit function. Supervisors observed:
4. Trade Lifecycle Management – Lack of appropriate documentation with respect to pre and post-trade controls: The presence of extensive pre and post-trade controls was evident during this Thematic Review however:
Firms must have in place appropriate pre and post-trade controls that are commensurate to the nature, scale and complexity of the entity and ensure that these controls are appropriately documented.
Actions
As a result of the findings of this thematic review, the Central Bank has engaged with the investment firms where specific concerns have been identified, issuing risk mitigation programmes to address these specific issues. The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this letter, where applicable and take all remedial action necessary to ensure that they have the appropriate control and oversight in place with respect to algorithmic trading and that the requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in conjunction with the joint ESMA and European Banking Authority (“EBA”) Guidelines on the assessment of suitability of members of the management body and key function holders; EBA Guidelines on internal governance; and the Central Bank’s Outsourcing: Findings & Issues for Discussion. The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks arising from algorithmic trading and will have regard to the contents of this letter when conducting future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with the regulatory requirements associated with algorithmic trading, the Central Bank may, in the course of future supervisory engagement, or when exercising its supervisory and/or enforcement powers in respect of such non-compliance, have regard to the consideration given by a firm to the matters raised in the letter.
Background:
The Central Bank of Ireland (“Central Bank”) undertook a thematic review to assess how firms undertaking algorithmic trading have incorporated within their risk management and control frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 (“RTS 6”) supplementing Directive 2014/65/EU (“MIFID II”). The purpose of this letter is to provide background to our assessment, highlight the key findings of this review and outline the expectations of the Central Bank in relation to the governance, testing and controls surrounding algorithmic trading. Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms, information technology (“IT”) systems and processes. In recent years, a number of significant algorithmic trading failures have resulted in substantial losses, fines and reputational damage for firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to ensure risk management and control frameworks in respect of algorithmic trading are appropriately embedded and are operating to a high standard. RTS 6 provides a framework to mitigate these, and other risks, through the requirement to maintain effective systems, procedures, arrangements and controls. This thematic review focused on the five principal areas underpinned by the requirements set out in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management. The Central Bank noted many positive practices, including the presence of experienced, competent professionals across the first and second lines of defence, in addition to a comprehensive suite of controls in terms of monitoring, development, testing and deployment of trading algorithms.
Notwithstanding this, supervisors also identified varying levels of maturity and a number of concerns across governance, control and risk management frameworks of in scope entities. A full list of the practices observed are noted in Appendix 1 of this letter. The key concerns arising from the review include:
i. An over-reliance on service providers with a lack of demonstrable autonomy at regulated entity level. This was evidenced through a distinct absence of entity Board oversight in setting or challenging the key controls and in the oversight of the development of trading algorithms.
ii. Insufficient formality with respect to key documentation. This was evidenced through a lack of appropriate documentation in relation to algorithmic trading controls and procedures. This speaks to this sector being at the early stages of maturity and also the extent to which firms leverage Group documentation, where relevant, which creates a possibility that entity specific risk may be overlooked.
iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate delineation between the “Three Lines of Defence”. This is a consequence of a combination of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the non-specific nature for managing risks associated with algorithmic trading in certain firms.
These do not align with a comprehensive and effective implementation of the requirements set out in RTS 6.
Summary
Virtual Asset Service Providers (VASPs) operating in Ireland now need to demonstrate that they are compliant with the provisions of the 5th Money Laundering Directive (AMLD5) which recently came into effect on Friday 23rd April 2021. Preceding that date CompliReg, together with Fintech Ireland, hosted a webinar for VASPs, e-money and payments firms. Details of that event here. Given the demand from the audience, CompliReg and Fintech Ireland are hosting another Roundtable on the topic on Thursday 6th May - ROUNDTABLE: So, you want to be a Virtual Asset Service Provider?
Background
AMLD5 aims to remove the anonymity from the process of providing virtual asset based services. This applies to any organisation which provides exchange services between fiat and virtual currencies, as well as between virtual assets, or custodian wallet providers; bringing them into the scope of the EU’s anti-money laundering and counter-terrorist financing (‘AML/CFT’) framework.
The 2021 Act
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the "Act") amends the current Irish AML/CTF legislation, which started life a decade ago through the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended).
New Definitions relating to Virtual Assets
The Act contains the following new definitions:
Designated Persons
The Act brings VASPs within the meaning of "designated person" (equivalent to an "obliged entity" under EU anti-money laundering law). The relevant obligations (Relevant Obligations) of designated persons under the Irish AML regime can be summarised as follows:
Requirement to Register
The Act requires that a person shall not carry on business as a Virtual Asset Service Provider unless the person has successfully registered with the Central Bank of Ireland (Central Bank). This is a registration for AML/CFT purposes only. A firm currently authorised by the Central Bank under a different regime which is also acting as a Virtual Asset Service Provider will still be required to register as a VASP. Whilst there is a three-month transitional period for VASPs to conclude the registration process, the Act, which commenced operation on Friday 23rd April (commencement date), other than section 8 of the Act which commenced on Saturday 24th April, applies as of the commencement date. This means that regardless of an existing VASP having three months to register, the VASP must comply with the Act on and from the commencement date. This means that VASPs availing of the transition period must comply on and from 23rd April with the Relevant Obligations listed above. The Act sets out the high-level details of the registration process, and the grounds under which the Central Bank may refuse to register a VASP. These grounds include:
Preparation
The Central Bank’s website contains useful information for those requiring registration as a VASP, including the Criminal Justice Act* (as at commencement date), Guidelines on Fitness & Probity of Principal Officers/Beneficial Owners, and links to the AML/CFT Registration Form. The Central Bank will not accept a registration application until the applicant has been through the pre-registration and has obtained a Central Bank Institution Number. The Central Bank has also indicated that its current graduated approach to AML/CFT supervision will apply equally to VASPs, meaning that firms which present a higher risk of money laundering and/or terrorist financing will be subject to higher intensity and intrusive supervisory measures than those presenting a lower risk.
Next Steps
As many VASPs shall become designated persons for the first time, they should review their AML/CTF frameworks, their Relevant Obligations, legislation and guidance now. Given that the Act has now commenced in operation, applicants should submit a Pre-Registration Information Form to the Central Bank to request a Central Bank Institution Number as soon as possible. Being within the AML/CTF framework will surely bring benefits such as greater confidence to end-users (i.e., customers – individuals and corporates) of VASPs and hopefully, more banking partners will consider opening up their services to VASPs particularly ahead of the proposed Markets in Crypto Assets Regulation 2020/0265.
Support Available
As with any new process, it can appear complex and daunting until you have been through it a few times. Thankfully help is at hand through CompliReg. If you would like to set up an initial discussion to discuss your requirements, please check out our page and complete the enquiry form at https://complireg.com/vasp.html. Stephen Fletcher or Peter Oakes will get back to you ASAP. Our details are at https://complireg.com/team.html.
This document (and any information accessed through links in this document) is for guidance purposes only and does not constitute legal advice. CompliReg does not provide legal services. Where legal services are required, CompliReg works with a select number of law firms. If you are a law firm and wish to be considered for our panel, please contact office@complireg.com.