​I am glad to see that my data and that of the FIU matches for the years 2000, 2001, 2003 & 2004. For 2002 I have 4,390 v FIU figure of 4,397 and in for 2005 I have 10,735 v FIU figure of 9,698 (hardly material). Still I find this strange as my figures were sourced from Garda & FATF reports at the time.   When I published the 2020 figure of 28,865, that was based on the above Irish Times article which was published at least 10 days before the FIU publication which reported 29,631 (2.5% difference - or a rounding error!).

European Union, United Kingdom May 11 2021 by Gabriel Vedrenne, ACAMS

Banks and national regulators should adopt a more finely tuned, risk-based approach towards compliance and supervision to prevent the wholesale offloading of money services businesses and other categories of clients they view as inherently prone to illicit finance.

After publishing more than 400 pages of guidance this month to help financial institutions adopt a more nuanced system for evaluating financial crime-related risk, the European Banking Authority clarified Monday that its intent was to combat the now decade-long de-risking phenomenon, not exacerbate it.

“De-risking can be a legitimate risk management tool in some cases but it can also be a sign of ineffective ML/TF [money laundering and terrorist financing] risk management, with severe consequences,” the EBA said Monday. “It has become apparent that more comprehensive action is needed to address unwarranted de-risking.”

Since the beginning of March, the EBA has listed the threats of money laundering and other crimes affecting the European Union, issued new guidelines on key aspects of risk-based compliance and formally requested feedback on future guidance for risk-based supervision.

Nonprofit groups, especially those in warzones, and asylum seekers without standard due-diligence records, often lack financial services, but the impact of de-risking is much broader, the EBA claimed Monday. MSBs and other cash-intensive businesses also suffer from overly cautious banks, as do firms whose products facilitate anonymity, such as prepaid card providers.

Real estate companies struggle to open and maintain bank accounts, according to the EBA, as do cryptocurrency exchanges, e-money issuers and other firms in emerging sectors that banks perceive as having limited knowledge of anti-money laundering compliance.

“The EBA recalls that a proper risk assessment must include such considerations and cannot be a blind instrument used to get rid of risky clients,” Peter Oakes, former director of enforcement and AML at the Central Bank of Ireland, told ACAMS moneylaundering.com after reviewing Monday’s statement. “Financial institutions must be prepared to answer questions about it.”

Many banks in Europe have grown reluctant to handle the transactions that back remittances to the world’s poorest countries, and now even hesitate to serve real estate agents, soccer clubs, corporate services providers and other parties whose risks they consider unmanageable.

De-risking has also reached U.S. financial institutions and drawn the attention of the Treasury Department’s Financial Crimes Enforcement Network, which encouraged banks in guidance seven years ago to rethink any decision to shun the remittance industry.

“The Bank Secrecy Act does not require, and neither does FinCEN expect, banking institutions to serve as the de-facto regulator of the money services business industry any more than of any other industry,” FinCEN advised in 2014. “It is not possible for a bank to detect and report all potentially illicit transactions that flow through an institution.“

Reputations to consider

A mindset of corporate social responsibility has also led to the termination of accounts and services for companies in industries perceived as risky “from an environmental, security or health perspective,” such as tobacco, weapons and coal.

According to the EBA, this trend has had the perverse effect of encouraging rejected clients to turn to institutions in jurisdictions with lax AML supervision, or worse, to underground banks and other informal channels that operate beyond government supervision.

“The risk associated with individual business relationships may vary, even within one category,” the EBA warned Monday. “The application of a risk-based approach … does not require financial institutions to refuse, or terminate, business relationships with entire categories of customers that are considered to present higher ML/TF risk.”

National regulators should address the trend by improving their grasp of sectoral risks, and pay more attention to the affected industries to restore the trust of banks, the EBA recommended.

“This may include increased supervisory activities in the sector or additional guidance to the sector,” the regulator suggested. “Furthermore, the EBA encourages competent authorities that have not yet performed an assessment of de-risking in their jurisdictions to consider performing such an assessment.”

Several national regulators, including France’s Prudential Supervision and Resolution Authority and Britain’s Financial Conduct Authority, have sought to address de-risking through guidance, public statements and technology.

Since 2011, the Central Bank of Ireland has collected more data on the operational risks of affected businesses through its “Probability Risk and Impact SysteM,” or PRISM, and by requiring financial technology-centric firms, also known as fintechs, to provide more details on their business models than other regulated institutions.

But the extent of de-risking varies greatly across Europe, said Oakes, now a consultant in Dublin.

“Data is the key, and not everyone collects and analyzes the same amount at the same level,” Oakes said. “As EU institutions operate within a framework aimed at reducing regulatory arbitrage and supervisory divergence, it is only a matter of time before uniform operational rules emerge for the entire bloc, even more with regards to the plan to create an EU-wide supervisor.”

In the interim, the EBA encouraged banks to find a path to engage with high-risk clients, such as by adjusting the level and intensity with which they monitor them, or by offering them only basic financial products and services to reduce their exposure to financial crime.

De-risking has also appeared on the agenda of the Financial Action Task Force, which sets global AML standards. The intergovernmental group launched an initiative last month to study and mitigate the consequences of incorrect implementation of its recommendations for a risk-based approach.

Source: https://www.lexology.com/library/detail.aspx?g=4e1d9412-d4d5-475d-8cbf-ca0c0fcf4681

See also - ​https://www.lexology.com/library/detail.aspx?g=eef962ad-80bc-43ed-aece-5c19595ad4a9

The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings and expected Actions following a Thematic assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MIFID II. 

1. Governance – Deficient control and risk management frameworks:

Varying levels of maturity were observed with respect to firms’ governance, control and risk
management frameworks. Supervisors observed weaknesses with respect to:

• i. The absence of formalised algorithm governance documentation;
• ii. The lack of local entity autonomy evidenced through minimal Board involvement in the
• setting or challenging of the key controls and in the oversight of the development of trading
• algorithms;
• iii. The absence of regular, formalised reporting to the Board in relation to algorithms; and
• iv. The significant reliance placed on Group resources without an appropriate level of
• formalised Group reporting lines.

The Central Bank considers the maintenance of a robust algorithmic governance and oversight
framework to be of paramount importance in enabling firms to identify, monitor and mitigate the
risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part
of its overall governance framework and decision-making framework, an investment firm should
have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit.


2. Development and Testing - Lack of formal documentation with respect to development,
testing and deployment processes:
Supervisors observed strong development, testing and deployment controls. However, significant
disparities were identified between firms with respect to the level of detail pertaining to
documentation on development, testing and deployment processes most notably:

• i. Firms were unable to provide sufficient detail with respect to their testing environments
• and how the parameters detailed in Article 5 of RTS 6 were embedded.
• ii. There is a lack of adequate information in relation to testing environments used to assess
• the performance of algorithms including assurance that trading algorithms:
• (ii) a. would not contribute to disorderly trading conditions;
• (ii) b. can continue to work effectively in stressed market conditions; and,
• (ii) c. where necessary under those conditions, can be disabled without contributing to
• disorderly trading.
• iii. Where firms are part of larger groups, it was noted that strong reliance was placed on Group entities. While outsourcing the development of trading algorithms is permitted under MiFID II, the investment firms deploying trading algorithms must fully understand the development and testing processes and the subsequent controls required. Outsourcing arrangements must be supported by appropriate documentation at local entity level with respect to the development, testing and deployment processes, be subject to regular review by the appropriate control function and consider the parameters detailed in Article 5 of RTS6.

3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence:
While it was evident that certain firms had appropriately skilled and resourced second lines of
defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence
model”. It is important that firms have a robust model in place, with clear delineation between each
line i.e. the business, the risk management functions and the internal audit function. Supervisors
observed:

• i. A blurring of lines between the first line, where the operation and implementation of risk management occurs, and second line management of risk, responsible for oversight of risk management, creating concerns around independence and appropriate separation of duties;
• ii. Within the second line, a lack of clarity between the roles and responsibilities of Risk and Compliance, in some instances, may increase the likelihood for risks to go unidentified or identified risks to go unaddressed;
• iii. An absence of a formalised plan regarding the steps taken by the Head of Compliance or first line in the event that the kill switch has been activated; and
• iv. As required under Article 9 of RTS6, all firms are required to conduct annual self-assessments and produce subsequent validation reports. Supervisors observed three common areas not sufficiently addressed by the majority of firms within the self-assessment:

:

• (iv) a. The adequacy of governance arrangements;
• (iv) b. The lack of appropriate detail with respect to testing methodologies applied and
• testing environments used; and
• (iv) c. A lack of clarity with regard to the third line of defence and the role of Internal Audit in the self-assessment and validation process. As per Article 9(3) of RTS 6, Internal Audit should play a key role in the oversight of the self-assessment and validation process to ensure that the governance and conclusions reached are valid.

 4. Trade Lifecycle Management – Lack of appropriate documentation with respect to pre and
post-trade controls:
The presence of extensive pre and post-trade controls was evident during this Thematic Review
however:

• i. These were not formally reflected in the firms’ policies and procedures, where supervisors identified a lack of adequate documentation regarding these controls and calculation of associated limits.
• ii. Firms did not demonstrate appropriate compliance with Article 15 of RTS 6 with respect to the documentation of the application and usage of appropriate limits. This information must be formally documented within the firms’ algorithmic governance documentation.

Firms must have in place appropriate pre and post-trade controls that are commensurate to the
nature, scale and complexity of the entity and ensure that these controls are appropriately
documented.

Actions
As a result of the findings of this thematic review, the Central Bank has engaged with the
investment firms where specific concerns have been identified, issuing risk mitigation programmes
to address these specific issues.

The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this
letter, where applicable and take all remedial action necessary to ensure that they have the
appropriate control and oversight in place with respect to algorithmic trading and that the
requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in
conjunction with the joint ESMA and European Banking Authority (“EBA”) Guidelines on the 
assessment of suitability of members of the management body and key function holders ; EBA
Guidelines on internal governance; and the Central Bank’s Outsourcing: Findings & Issues for
Discussion.

The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks
arising from algorithmic trading and will have regard to the contents of this letter when conducting
future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with
the regulatory requirements associated with algorithmic trading, the Central Bank may, in the
course of future supervisory engagement, or when exercising its supervisory and/or enforcement
powers in respect of such non-compliance, have regard to the consideration given by a firm to the
matters raised in the letter. 

Background:

​ The Central Bank of Ireland (“Central Bank”) undertook a thematic review to assess how firms
undertaking algorithmic trading have incorporated within their risk management and control
frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 (“RTS 6“)
supplementing Directive 2014/65/EU (“MIFID II”). The purpose of this letter is to provide
background to our assessment, highlight the key findings of this review and outline the expectations
of the Central Bank in relation to the governance, testing and controls surrounding algorithmic
trading.

Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms,
information technology (“IT”) systems and processes. In recent years, a number of significant
algorithmic trading failures have resulted in substantial losses, fines and reputational damage for
firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to
ensure risk management and control frameworks in respect of algorithmic trading are
appropriately embedded and are operating to a high standard. RTS 6 provides a framework to
mitigate these, and other risks, through the requirement to maintain effective systems, procedures,
arrangements and controls.

This thematic review focused on the five principal areas underpinned by the requirements set out
in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and
Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management.

The Central Bank noted many positive practices, including the presence of experienced, competent
professionals across the first and second lines of defence, in addition to a comprehensive suite of
controls in terms of monitoring, development, testing and deployment of trading algorithms.
Notwithstanding this, supervisors also identified varying levels of maturity and a number of
concerns across governance, control and risk management frameworks of in scope entities. A full
list of the practices observed are noted in Appendix 1 of this letter. The key concerns arising from
the review include: 

​An over-reliance on service providers with a lack of demonstrable autonomy at regulated
entity level. This was evidenced through a distinct absence of entity Board oversight in
setting or challenging the key controls and in the oversight of the development of trading
algorithms.
ii. Insufficient formality with respect to key documentation. This was evidenced through a
lack of appropriate documentation in relation to algorithmic trading controls and
procedures. This speaks to this sector being at the early stages of maturity and also the
extent to which firms leverage Group documentation, where relevant, which creates a
possibility that entity specific risk may be overlooked.
iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate
delineation between the “Three Lines of Defence”. This is a consequence of a combination
of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the
non-specific nature for managing risks associated with algorithmic trading in certain firms.
These do not align with a comprehensive and effective implementation of the requirements set out
in RTS 6. 

Summary
Virtual Asset Service Providers (VASPs) operating in Ireland now need to demonstrate that they are compliant with the provisions of the 5th Money Laundering Directive (AMLD5) which recently came into effect on Friday 23rd April 2021.  

Preceding that date CompliReg, together with Fintech Ireland, hosted a webinar for VASPs, e-money and payments firms.  Details of that event here.  Given the demand from the audience, CompliReg and Fintech Ireland are hosting another Roundtable on the topic on Thursday 6th May - ROUNDTABLE: So, you want to be a Virtual Asset Service Provider?

Background
AMLD5 aims to remove the anonymity from the process of providing virtual asset based services.  This applies to any organisation which provides exchange services between fiat and virtual currencies, as well between virtual assets or custodian wallet providers; bringing them into the scope of the EU’s anti-money laundering and counter-terrorist financing (‘AML/CFT’) framework.

The 2021 Act
The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the "Act") amends the current Irish AML/CTF legislation, which started life a decade ago through the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended).

New Definitions relating to Virtual Assets
The Act contains the following new definitions:

Designated Persons
The Act brings VASPs within the meaning of "designated person" (equivalent to an "obliged entity" under EU anti-money laundering law). The relevant obligations (Relevant Obligations) of designated persons under the Irish AML regime can be summarised as follows:

• Business Risk Assessment

Must carry out regular business risk assessments to identify and assess the risks of money laundering and terrorist financing involved in carrying on the designated person's business activities.

• Carry out Customer Due Diligence

An obligation to carry out due diligence to verify its customer's identity.

• Apply Business Risk Assessment when carrying out customer due diligence

Must apply the business risk assessment when deciding what level of due diligence is necessary for any given customer.  In certain circumstances, a designated person will be required to carry out enhanced due diligence.

• Suspicious Transaction Reporting

An obligation to report to the FIU, Ireland and the Revenue Commissioners, any suspicious transaction, (or suspicious activities which may be covering up, or preparing for suspicious transactions).

• Adopt internal policies

Must adopt internal policies, controls and procedures in relation to the designated person's business to prevent and detect the commission of money laundering and terrorist financing.

Requirement to Register
The Act requires that a person shall not carry-on business as a Virtual Asset Service Provider unless the person has successfully registered with the Central Bank of Ireland (Central Bank). This is a registration for AML/CFT purposes only. A firm currently authorised by the Central Bank under a different regime which is also acting as a Virtual Asset Service Provider will still be required to register as a VASP.

Whilst there is a three-month transitional period for VASPs to conclude the registration process the Act, which commenced operation on Friday 23rd April (commencement date), other than section 8 of the Act which commenced on Saturday 24th April, applies as of the commencement date.  This means that regardless of an existing VASP having three months to register, the VASP must comply with the Act on and from the commencement date. This means that VASPs availing of the transition period must comply on and from 23rd April with the Relevant Obligations listed above.

The Act sets out the high-level details of the registration process, and the grounds under which the Central Bank may refuse to register a VASP. These grounds include:

• the Central Bank has reasonable grounds to be satisfied that the applicant’s principal officers or beneficial owners are not fit and proper persons to run a business of this nature;
• the applicant has failed to satisfy the Central Bank that its business risk assessment, policies and procedures are adequate or fit for purpose;
• the applicant has failed to satisfy the Central Bank that it has in place the resources, procedures and arrangements for the provision of the business of a virtual asset service provider and the performance of activities, taking into account the nature, scale and complexity of its business and all the obligations that the provider has to comply with as a designated person; and
• the applicant has failed to demonstrate, that it can manage and mitigate the risks of engaging in activities that involve the use of anonymity-enhancing technologies or mechanisms and other technologies that obfuscate the identity of the sender, recipient, holder or beneficial owner of a virtual asset.

Preparation
The Central Bank’s website contains useful information for those requiring registration as a VASP, including the Criminal Justice Act* (as at commencement date), Guidelines on Fitness & Probity of Principal Officers/Beneficial Owners, and links to the AML/CFT Registration Form.  The Central Bank will not accept a registration application until the applicant has been through the pre-registration and has obtained a Central Bank Institution Number.

The Central Bank has also indicated that its current graduated approach to AML/CFT supervision will apply equally to VASPs, meaning that firms which present a higher risk of money laundering and/or terrorist financing will be subject to higher intensity and intrusive supervisory measures than those presenting a lower risk.

Next Steps
As many VASPs shall become designated persons for the first time, they should review their AML/CTF frameworks, their Relevant Obligations, legislation and guidance now.  Given that the Act has now commenced in operation, applicants should submit a Pre-Registration Information Form to the Central Bank to request a Central Bank Institution Number as soon as possible.

Being within the AML/CTF framework will surely bring benefits such as greater confidence to end-users (i.e., customers – individuals and corporates) of VASPs and hopefully, more banking partners will consider opening up their services to VASPs particularly ahead of the proposed Markets in Crypto Assets Regulation 2020/0265.

Support Available
As with any new process, it can appear complex and daunting until you have been through it a few times.  Thankfully help is at hand through CompliReg.  If you would like to setup an initial discussion to discuss your requirements, please check out our page and complete the enquiry form at  https://complireg.com/vasp.html. Stephen Fletcher or Peter Oakes will get back to you ASAP.  Our details at https://complireg.com/team.html.
 
This document (and any information accessed through links in this document) is for guidance purposes only and does not constitute legal advice.  CompliReg does not provide legal services.  Where legal services are required, CompliReg works with a select number of law firms.  If you are a law firm and wish to be considered for our panel, please contact [email protected].

UPDATE: The law commenced operation on Friday 23rd April 2021. See Stephen Fletcher's blog of Saturday 1 May 2021 for further details

Below is my linkedin post of 16 April 2021.

​I have been asked to put a copy of the consolidation online.  We spent a lot of time preparing the consolidation and are happy to share the below slideshow.  If you would like a copy of the document in pdf which you can copy, paste and search within, please email [email protected] and we will inform of the costs and email. 

"Some comments on the updated Irish #moneylaundering and #terroristfinancing legislation.

Linkedin Post:

What: Ireland signed into law the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The 2021 Act (No. 3 of 2021) makes a number of changes to the 2010 Act (No. 6 of 2010)

When: 18 March 2021. Legislation passed by Oireachtas & signed into Law by the President of Ireland

Action: It’s time to update your #Compliance & #FinancialCrime Risk Frameworks, Risk Assessments, Policies, Manuals & Procedures. So what areas of the the 2010 Act impacted by the changes in March do you need to know and consider taking into account to update your compliance documents? See the comments section below where I've listed the areas from the 2010 Act impacted by the 2021 Act.

How: Contact the team at CompliReg. We are undertaking several reviews of policies, procedures and manuals in light of the recent changes made to Irish AML/CTF law. We have tracked the changes in our consolidation of the 2010 Act up until and including Act No 3 of 2021. Contact the team at [email protected] with your business contact details for a discussion of a review.

We'll be sending a copy of our up-to-date consolidated version of the 2010 Act to our clients this week."  Post at https://www.linkedin.com/feed/update/urn:li:activity:6788600737791303680/ 

CompliReg's Peter Oakes has again being recognised as a leading fintech consultant for 2021 following his listing in 2020. 

Chambers and Partners released its Fintech Rankings for Ireland in January 2021.  Peter is the only individual / boutique professional services firm (CompliReg) to be ranked along side some of Ireland's largest consulting firms.

In research carried out by Chambers and Partners, Peter's clients and fintech industry experts informed the researchers that:

• Peter is high-profile, he has very strong governance capabilities and is very good for a regulated FinTech company.
• his area of expertise is in licensed applications with the Central Bank. He can explain what is required in black and white from the regulator but also what is left unsaid.
• Peter would be my first port of call for any FinTech looking to obtain an e-money licence.
• Peter's reputation really helps; he's top of the list of local Dublin-based regulatory consultants.

Reach to Peter for assistance and advice via the details on our contact page.

Further reading:

• See Peter's entry at Chambers & Partners here
• See Peter's entry alongside larger consulting brands here
• See details of Peter's 2020 recognition here ​

Ireland's Minister of State for Financial Services, Credit Unions, and Insurance Seán Fleming TD today (Thursday 11th February) launches the Ireland for Finance Action Plan for 2021 following Cabinet approval.

The 2021 Action Plan has four priority areas; Sustainable Finance, Diversity, Regionalisation, and Digital Finance. It contains 16 new measures to build on the resilience shown by the IFS sector over the last year. 

​Read Fintech Ireland's Blog here

CompliReg's Peter Oakes talks on the hot topic of #bitcoin and #cryptoassets / #digitalassets for Fintech Ireland with Will Goodbody of RTE - Video and Post here

Central Bank publishes “Dear CEO” letter to Schedule 2 firms on low level of compliance with Anti-Money Laundering and Counter Financing of Terrorism obligations

• Findings include overall lack of compliance by Schedule 2 Firms with AML/CFT obligations
• Boards fail to demonstrate responsibility for ensuring the implementation and ongoing oversight of AML/CFT control framework
• Central Bank will use all means to identify unregistered firms and take appropriate action

The Central Bank has today (16 December 2020) published the outcome of supervisory engagements undertaken in respect of Schedule 2 Firms to assess compliance with their obligations under Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010).

The "Dear CEO" letter*, outlines the Central Bank’s expectations of firms in relation to Anti-Money Laundering/Counter Financing of Terrorism (AML/CFT) and Financial Sanctions (FS) requirements and details follow-up actions to be taken by CEOs and Boards in response to the findings outlined.

The examination, which comprised of both inspections and review meetings, found an overall lack of compliance across all areas of the AML/CFT control framework. There is also poor understanding of the requirements from Board and senior management levels, including at those firms who outsourced their AML/CFT and FS activities to third parties.

The examination identified a number of failings across Schedule 2 Firms, including:

1. Board Oversight and Governance - failure to demonstrate Boards had taken responsibility for the implementation and ongoing oversight of AML/CFT and FS in a number of firms. In many instances, AML/CFT and FS was only included on the Board’s agenda following notification from the Central Bank of the upcoming supervisory engagement exercise.
2. Money Laundering/Terrorist Financing Risk Assessment - lack of ongoing and comprehensive assessment and documentation of ML/TF risks that are specific to each firm’s consumers and business activities. In a number of instances, this was exacerbated by reliance on ‘off the shelf’ risk assessment frameworks.
3. Anti-Money Laundering/Counter Financing of Terrorism Policies and Procedures - failure to put in place and implement firm-specific AML/CFT and FS policies and procedures, and failure to review and update these on an ongoing basis.

Director of Enforcement & Anti-Money Laundering, Seána Cunningham said: “The Central Bank expects all firms to be alert to the risks that money laundering and criminal financial activities may pose to their customers and business, and the wider integrity of the Irish financial system. This requires CEOs and Boards to have in-depth knowledge and understanding of their Anti-Money Laundering and Counter Financing of Terrorism obligations. It is also essential to have the necessary control framework in place to ensure protection of their business and customers.

“Our supervisory engagements revealed a low level of compliance with the AML/CFT control framework requirements. The culture and tone of any organisation is set from the top. It therefore rests with the Board of these firms to ensure that the necessary AML/CFT governance, risk assessment, policies and procedures, training and awareness are embedded throughout the organisation. While some firms may choose to outsource AML/CFT activities to third party service providers, Boards cannot outsource the responsibility for compliance.

“We will continue to engage directly with those firms where compliance weaknesses and failures have been identified to ensure that they are addressed. We also require all firms to review the content of this letter to ensure that they assess their own compliance with the issues identified.

“We are also taking this opportunity to remind all firms to assess their activities to determine if they are required to register with us under Schedule 2. Firms who fail to register are at risk of significant criminal and/or administrative sanctions. In 2021, the Central Bank will use all means available to identify those firms not registered and take appropriate action.”

ENDS
Notes to Editor

• The Central Bank of Ireland is the competent authority for monitoring the compliance of credit and financial institutions with Part 4 of the CJA 2010, and with taking measures that are reasonably necessary to secure such compliance. Entities engaged in activities outlined under Schedule 2 of the CJA 2020, herein referred to as ‘Schedule 2 Firms’ have been obliged to comply with Part 4 of the CJA 2010 since its implementation in 2010. On 26 November 2018, Section 108A of the CJA 2010 introduced a statutory requirement for Schedule 2 Firms to register with the Central Bank, where such firms are not otherwise authorised or licensed to carry on business by the Central Bank. Details on the registration process is available on the Central Bank website.
• The definition of “financial institutions” in the CJA 2010 includes entities that carry out one or more of the activities specified in Schedule 2 of the CJA 2010, hereto referred to as Schedule 2 Firms, Subject to limited exceptions as set out in the definition of “financial institution” in s24, and in s25(4) of the CJA 2010. Firms engaged in such activities are required to register with the Central Bank pursuant to section 108A of the CJA 2010.

Further information
Media Relations: [email protected] / 01 224 6299
Ewan Kelly: [email protected] / 01 224 6269