AuthorPeter Oakes is an experienced anti-financial crime, fintech and board director professional. Archives
April 2024
Categories
All
|
Back to Blog
"On the whole, I agree with you that there is a limited amount of directorships that can be held with a job being well done." This is around minutes 55-57 (around 2:25pm-2:27pm) at https://media.heanet.ie/page/0382d466362a4d90b07d8e7d7f27fdd9
0 Comments
Read More
Back to Blog
How much does an #antimoneylaundering governance investigation cost a #fintech?
Previously noted that Australian EML doesn't expect a #moneylaundering compliance investigation (no allegation of money laundering) into one of its recently acquired Irish acquisitions (PFS Card Services Ireland Limited acquired in a deal worth up to €216.9m) to exceed AUD 2million / €1.27mn this Australian financial year which ends 30 June. However it cannot forecast the cost going into the next nor subsequent years. See https://lnkd.in/eg2cm82 (see previous blogs here). Well, it looks likely the costs may go higher if a class action by Shine Lawyers begins to bite, with the Aussie law firm looking for investors who bought shares between December 19, 2020, and May 17, 2021, to join its class action. The law firm says: * “EML did not request a trading halt for almost four days after learning of these concerns and then took another 48 hours to inform the market,” says Australian law firm * “When shareholders invest their money into a company, they do so with the belief that that company will comply with its continuous disclosure obligations. * “Our claim will allege that EML failed in its obligations, significantly impacting share prices for thousands of investors.” Read more by Sean Pollock at https://lnkd.in/efTj2dU Linkedin Post - https://www.linkedin.com/posts/peteroakes_antimoneylaundering-fintech-moneylaundering-activity-6809752916379922432-wNal
Back to Blog
EML Payments Money Laundering Governance Investigation to cost less than $2mn this financial year10/6/2021 In my previous post on EML Payments (EML) (see here) we noted that EML had advised that its Irish regulated subsidiary, PFS Card Services (Ireland) Limited ('PCSIL'), had received correspondence from the Central Bank of Ireland ('CBI'), including a letter received on Friday 14 May 2021 (Australian time) raising significant regulatory concerns ('Correspondence'). The CBI's concerns relate to PCSIL's Anti-Money Laundering / Counter Terrorism Financing ('AML/CTF'), risk and control frameworks and governance. The Correspondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013.
A few days ago, EML provided the Australian Stock Exchange with a trading update. The trading update also included its Quarter 3 FY2021 update in which EML confirmed: "Current Status:
Communication:
Business Impact:
Some observations:
Further reading - EML Payments Q3 FY21 Trading Update June 2021 (dated 7 June 2021)
Back to Blog
Received a letter from the Central Bank of Ireland's Anti-Money Laundering Division headed "AML Risk Evaluation Questionnaire (‘REQ’) Notification to [Name of Regulated Firm] (or ‘the firm’) to submit an REQ on an Annual Basis." last month with a return date this month? If so you are not alone.
The letter reminds that credit and financial institutions are required to have anti-money laundering (AML) and countering financing of terrorism (CFT) preventive measures to ensure compliance with the Criminal Justice (Money and Terrorist Financing) Acts 2010 to 2021, a well as reminding of the obligation to comply with EU Council Regulations setting out financial sanctions (‘FS’) measures. The CBI has established the REQ to seek information regarding individual firms’ exposure to Money Laundering / Terrorist Financing risks and also the AML/CFT compliance framework. Firms are being informed to submit the REQ in the specified format via the CBI's Online Reporting System on an ANNUAL BASIS within the time period specified on ONR. The CBI has informed firms that "for 2021, this deadline for the submission of the REQ return is 18 June 2021". Not only is the form detailed, and there are a few potential ways of interpreting some of the questions, or at least their interaction with other questions, but importantly for Boards of Directors note: i) Statement of Compliance: "... the REQ includes a statement to be signed by the firm confirming compliance with the firm’s AML/CFT/FS obligations. This statement if [sic] compliance should be signed and dated by a person who is duly authorised to do so by the Board (or equivalent). Ideally this person will have responsibility for AML/CFT/FS within the firm." NB this person doesn't need to be in a PCF role, but the CBI expect them to be of sufficient seniority within the firm to provide the confirmation sought. ii) Record Retention: "A record of the person who signed the statement of compliance must be formally noted in the Board minutes (or equivalent) when it is brought forward for consideration. The original signed and dated hard copy of the statement of compliance and the accompanying REQ is required to be kept on file and made available for review by the Central Bank on request." Need assistance with your risk assessment? Get in contact with us at the details here. Further reading: Risk Evaluation Questionnaire ('REQ') Return Building upon the obligations of credit and financial institutions under the CJA 2010, the Central Bank has developed a REQ in order to seek information regarding individual firms' exposure to ML / TF risks and also their AML / CFT compliance framework. Firms selected by the Central Bank to submit an REQ are required to submit the REQ in the specified format, through the Central Bank's Online Reporting System ('ONR'), within the time period specified on ONR. The minimum frequency that a firm will be required to submit an REQ is predicated on the level of ML/TF risk presented by the firm, either by virtue of its business model and/or the sector into which it falls (for further information on the frequency of submission please see the Table: AML/CFT Minimum Supervisory Engagement Model on the Central Bank AML / CFT Supervision Tab).
Linkedin Post: https://www.linkedin.com/posts/peteroakes_antimoney-aml-cft-activity-6808437129467756546-vRba
Back to Blog
The ASX Market Announcement says:
"EML PAYMENTS LIMITED (ASX: EML) ("EMU') refers to its request for a trading halt dated 17 May 2021. EML advises that its Irish regulated subsidiary, PFS Card Services (Ireland) Limited ('PCSIL'), has received correspondence from the Central Bank of Ireland ('CBI'), including a letter received on Friday 14 May 2021 (Australian time) raising significant regulatory concerns ('Correspondence'). The CBI is the relevant regulator in Ireland. The CBI's concerns relate to PCSIL's Anti-Money Laundering / Counter Terrorism Financing ('AML/CTF'), risk and control frameworks and governance. The Correspondence states that the CBI is minded to issue directions to PCSIL pursuant to section 45 of the Central Bank (Supervision and Enforcement) Act 2013. The Correspondence does not concern EML's Australian or North American operations, or the operations of PFS' UK subsidiary ('Prepaid Financial Services Limited' which is incorporated in England and regulated by the FCA), or EML's other Irish regulated subsidiary ('EML Money DAC')." ASX Announcement in PDF and at source.
Back to Blog
The Central Bank of Ireland has released a Dear CEO letter setting out findings under four headings and expected Actions following a Thematic assessment of Algorithmic Trading Firms’ compliance with RTS 6 of MIFID II.
1. Governance – Deficient control and risk management frameworks: Varying levels of maturity were observed with respect to firms’ governance, control and risk management frameworks. Supervisors observed weaknesses with respect to:
The Central Bank considers the maintenance of a robust algorithmic governance and oversight framework to be of paramount importance in enabling firms to identify, monitor and mitigate the risks associated with algorithm trading strategies. Firms are reminded RTS 6 requires that as part of its overall governance framework and decision-making framework, an investment firm should have a clear and formalised governance arrangement, including clear lines of accountability, effective procedures for the communication of information and a separation of tasks and responsibilities. These arrangements should ensure reduced dependency on a single person or unit. 2. Development and Testing - Lack of formal documentation with respect to development, testing and deployment processes: Supervisors observed strong development, testing and deployment controls. However, significant disparities were identified between firms with respect to the level of detail pertaining to documentation on development, testing and deployment processes most notably:
3. Risk Measurement and Control - Lack of clearly defined Three Lines of Defence: While it was evident that certain firms had appropriately skilled and resourced second lines of defence, a number of firms demonstrated an absence of a formalised “Three Lines of Defence model”. It is important that firms have a robust model in place, with clear delineation between each line i.e. the business, the risk management functions and the internal audit function. Supervisors observed:
4. Trade Lifecycle Management – Lack of appropriate documentation with respect to pre and post-trade controls: The presence of extensive pre and post-trade controls was evident during this Thematic Review however:
Firms must have in place appropriate pre and post-trade controls that are commensurate to the nature, scale and complexity of the entity and ensure that these controls are appropriately documented. Actions As a result of the findings of this thematic review, the Central Bank has engaged with the investment firms where specific concerns have been identified, issuing risk mitigation programmes to address these specific issues. The Central Bank requires all firms engaging in algorithmic trading to consider the contents of this letter, where applicable and take all remedial action necessary to ensure that they have the appropriate control and oversight in place with respect to algorithmic trading and that the requirements within RTS 6 of MIFID II are being fully adhered to. This letter should be read in conjunction with the joint ESMA and European Banking Authority (“EBA”) Guidelines on the assessment of suitability of members of the management body and key function holders ; EBA Guidelines on internal governance; and the Central Bank’s Outsourcing: Findings & Issues for Discussion. The Central Bank will continue to assess whether firms have taken sufficient steps to reduce risks arising from algorithmic trading and will have regard to the contents of this letter when conducting future supervisory engagement. Furthermore, in circumstances of non-compliance by any firm with the regulatory requirements associated with algorithmic trading, the Central Bank may, in the course of future supervisory engagement, or when exercising its supervisory and/or enforcement powers in respect of such non-compliance, have regard to the consideration given by a firm to the matters raised in the letter. Background: The Central Bank of Ireland (“Central Bank”) undertook a thematic review to assess how firms undertaking algorithmic trading have incorporated within their risk management and control frameworks the requirements set out in Regulatory Technical Standard C(2016) 4478 (“RTS 6“) supplementing Directive 2014/65/EU (“MIFID II”). The purpose of this letter is to provide background to our assessment, highlight the key findings of this review and outline the expectations of the Central Bank in relation to the governance, testing and controls surrounding algorithmic trading. Algorithmic trading gives rise to significant risks stemming from potential failures of algorithms, information technology (“IT”) systems and processes. In recent years, a number of significant algorithmic trading failures have resulted in substantial losses, fines and reputational damage for firms globally. This demonstrates a clear need for all entities engaging in algorithmic trading to ensure risk management and control frameworks in respect of algorithmic trading are appropriately embedded and are operating to a high standard. RTS 6 provides a framework to mitigate these, and other risks, through the requirement to maintain effective systems, procedures, arrangements and controls. This thematic review focused on the five principal areas underpinned by the requirements set out in RTS 6 of MIFID II: (i) Governance; (ii) Development & Testing; (iii) Risk Measurement and Control; (iv) Processes and Controls; and (v) Trade Lifecycle Management. The Central Bank noted many positive practices, including the presence of experienced, competent professionals across the first and second lines of defence, in addition to a comprehensive suite of controls in terms of monitoring, development, testing and deployment of trading algorithms. Notwithstanding this, supervisors also identified varying levels of maturity and a number of concerns across governance, control and risk management frameworks of in scope entities. A full list of the practices observed are noted in Appendix 1 of this letter. The key concerns arising from the review include: An over-reliance on service providers with a lack of demonstrable autonomy at regulated entity level. This was evidenced through a distinct absence of entity Board oversight in setting or challenging the key controls and in the oversight of the development of trading algorithms. ii. Insufficient formality with respect to key documentation. This was evidenced through a lack of appropriate documentation in relation to algorithmic trading controls and procedures. This speaks to this sector being at the early stages of maturity and also the extent to which firms leverage Group documentation, where relevant, which creates a possibility that entity specific risk may be overlooked. iii. A lack of clearly defined roles and responsibilities, and in particular a lack of appropriate delineation between the “Three Lines of Defence”. This is a consequence of a combination of (i) the scale of certain firms, (ii) the maturity of risk management frameworks and (iii) the non-specific nature for managing risks associated with algorithmic trading in certain firms. These do not align with a comprehensive and effective implementation of the requirements set out in RTS 6.
Back to Blog
Summary Virtual Asset Service Providers (VASPs) operating in Ireland now need to demonstrate that they are compliant with the provisions of the 5th Money Laundering Directive (AMLD5) which recently came into effect on Friday 23rd April 2021. Preceding that date CompliReg, together with Fintech Ireland, hosted a webinar for VASPs, e-money and payments firms. Details of that event here. Given the demand from the audience, CompliReg and Fintech Ireland are hosting another Roundtable on the topic on Thursday 6th May - ROUNDTABLE: So, you want to be a Virtual Asset Service Provider? Background AMLD5 aims to remove the anonymity from the process of providing virtual asset based services. This applies to any organisation which provides exchange services between fiat and virtual currencies, as well between virtual assets or custodian wallet providers; bringing them into the scope of the EU’s anti-money laundering and counter-terrorist financing (‘AML/CFT’) framework. The 2021 Act The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the "Act") amends the current Irish AML/CTF legislation, which started life a decade ago through the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (as amended). New Definitions relating to Virtual Assets The Act contains the following new definitions: Designated Persons
The Act brings VASPs within the meaning of "designated person" (equivalent to an "obliged entity" under EU anti-money laundering law). The relevant obligations (Relevant Obligations) of designated persons under the Irish AML regime can be summarised as follows:
Requirement to Register The Act requires that a person shall not carry-on business as a Virtual Asset Service Provider unless the person has successfully registered with the Central Bank of Ireland (Central Bank). This is a registration for AML/CFT purposes only. A firm currently authorised by the Central Bank under a different regime which is also acting as a Virtual Asset Service Provider will still be required to register as a VASP. Whilst there is a three-month transitional period for VASPs to conclude the registration process the Act, which commenced operation on Friday 23rd April (commencement date), other than section 8 of the Act which commenced on Saturday 24th April, applies as of the commencement date. This means that regardless of an existing VASP having three months to register, the VASP must comply with the Act on and from the commencement date. This means that VASPs availing of the transition period must comply on and from 23rd April with the Relevant Obligations listed above. The Act sets out the high-level details of the registration process, and the grounds under which the Central Bank may refuse to register a VASP. These grounds include:
Preparation The Central Bank’s website contains useful information for those requiring registration as a VASP, including the Criminal Justice Act* (as at commencement date), Guidelines on Fitness & Probity of Principal Officers/Beneficial Owners, and links to the AML/CFT Registration Form. The Central Bank will not accept a registration application until the applicant has been through the pre-registration and has obtained a Central Bank Institution Number. The Central Bank has also indicated that its current graduated approach to AML/CFT supervision will apply equally to VASPs, meaning that firms which present a higher risk of money laundering and/or terrorist financing will be subject to higher intensity and intrusive supervisory measures than those presenting a lower risk. Next Steps As many VASPs shall become designated persons for the first time, they should review their AML/CTF frameworks, their Relevant Obligations, legislation and guidance now. Given that the Act has now commenced in operation, applicants should submit a Pre-Registration Information Form to the Central Bank to request a Central Bank Institution Number as soon as possible. Being within the AML/CTF framework will surely bring benefits such as greater confidence to end-users (i.e., customers – individuals and corporates) of VASPs and hopefully, more banking partners will consider opening up their services to VASPs particularly ahead of the proposed Markets in Crypto Assets Regulation 2020/0265. Support Available As with any new process, it can appear complex and daunting until you have been through it a few times. Thankfully help is at hand through CompliReg. If you would like to setup an initial discussion to discuss your requirements, please check out our page and complete the enquiry form at https://complireg.com/vasp.html. Stephen Fletcher or Peter Oakes will get back to you ASAP. Our details at https://complireg.com/team.html. This document (and any information accessed through links in this document) is for guidance purposes only and does not constitute legal advice. CompliReg does not provide legal services. Where legal services are required, CompliReg works with a select number of law firms. If you are a law firm and wish to be considered for our panel, please contact office@complireg.com.
Back to Blog
UPDATE: The law commenced operation on Friday 23rd April 2021. See Stephen Fletcher's blog of Saturday 1 May 2021 for further details Below is my linkedin post of 16 April 2021. I have been asked to put a copy of the consolidation online. We spent a lot of time preparing the consolidation and are happy to share the below slideshow. If you would like a copy of the document in pdf which you can copy, paste and search within, please email office@complireg.com and we will inform of the costs and email. "Some comments on the updated Irish #moneylaundering and #terroristfinancing legislation. Linkedin Post: What: Ireland signed into law the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021 (the “2021 Act”). The 2021 Act (No. 3 of 2021) makes a number of changes to the 2010 Act (No. 6 of 2010) When: 18 March 2021. Legislation passed by Oireachtas & signed into Law by the President of Ireland Action: It’s time to update your #Compliance & #FinancialCrime Risk Frameworks, Risk Assessments, Policies, Manuals & Procedures. So what areas of the the 2010 Act impacted by the changes in March do you need to know and consider taking into account to update your compliance documents? See the comments section below where I've listed the areas from the 2010 Act impacted by the 2021 Act. How: Contact the team at CompliReg. We are undertaking several reviews of policies, procedures and manuals in light of the recent changes made to Irish AML/CTF law. We have tracked the changes in our consolidation of the 2010 Act up until and including Act No 3 of 2021. Contact the team at office@complireg.com with your business contact details for a discussion of a review. We'll be sending a copy of our up-to-date consolidated version of the 2010 Act to our clients this week." Post at https://www.linkedin.com/feed/update/urn:li:activity:6788600737791303680/
Back to Blog
Central Bank publishes “Dear CEO” letter to Schedule 2 firms on low level of compliance with Anti-Money Laundering and Counter Financing of Terrorism obligations
The Central Bank has today (16 December 2020) published the outcome of supervisory engagements undertaken in respect of Schedule 2 Firms to assess compliance with their obligations under Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (CJA 2010). The "Dear CEO" letter*, outlines the Central Bank’s expectations of firms in relation to Anti-Money Laundering/Counter Financing of Terrorism (AML/CFT) and Financial Sanctions (FS) requirements and details follow-up actions to be taken by CEOs and Boards in response to the findings outlined. The examination, which comprised of both inspections and review meetings, found an overall lack of compliance across all areas of the AML/CFT control framework. There is also poor understanding of the requirements from Board and senior management levels, including at those firms who outsourced their AML/CFT and FS activities to third parties. The examination identified a number of failings across Schedule 2 Firms, including:
Director of Enforcement & Anti-Money Laundering, Seána Cunningham said: “The Central Bank expects all firms to be alert to the risks that money laundering and criminal financial activities may pose to their customers and business, and the wider integrity of the Irish financial system. This requires CEOs and Boards to have in-depth knowledge and understanding of their Anti-Money Laundering and Counter Financing of Terrorism obligations. It is also essential to have the necessary control framework in place to ensure protection of their business and customers. “Our supervisory engagements revealed a low level of compliance with the AML/CFT control framework requirements. The culture and tone of any organisation is set from the top. It therefore rests with the Board of these firms to ensure that the necessary AML/CFT governance, risk assessment, policies and procedures, training and awareness are embedded throughout the organisation. While some firms may choose to outsource AML/CFT activities to third party service providers, Boards cannot outsource the responsibility for compliance. “We will continue to engage directly with those firms where compliance weaknesses and failures have been identified to ensure that they are addressed. We also require all firms to review the content of this letter to ensure that they assess their own compliance with the issues identified. “We are also taking this opportunity to remind all firms to assess their activities to determine if they are required to register with us under Schedule 2. Firms who fail to register are at risk of significant criminal and/or administrative sanctions. In 2021, the Central Bank will use all means available to identify those firms not registered and take appropriate action.” ENDS Notes to Editor
Further information Media Relations: media@centralbank.ie / 01 224 6299 Ewan Kelly: ewan.kelly@centralbank.ie / 01 224 6269
Back to Blog
Some choice headlines in the papers about Brexit in the past week as we - according to Brexit Ireland's countdown to Brexit clock - just little more than 33 days before 11p.m. (UK time) on Thursday 31st December 2020 when the Brexit transition period ends with no deal on financial services in sight. This week sees the EU negotiating team returning to London after face-to-face talks came to end more than a week ago after Mr Bariner's team was hit by a case of Covid. They will be greeted by headiness such as: UK dismisses ‘derisory’ EU fishing offer ahead of last-ditch trade talks; Europe’s finance sector hits ‘peak uncertainty’ over Brexit; and The City braces for Brexit. There is no equivalence regime provided for within either EMD2 (electronic money institutions) or PSD2 (payments services institutions)! One thing we are still very surprised by is the many in #fintech, #techfin and indeed #finserv (and scarily their advisers) who think that recent news on 'equivalence' deals are applicable to all UK #finserv which passport across the European Union / EEA. The announcement on Monday 23rd November by the European Commission was simply and specifically about European regulators finalising a late change seeking to avoid chaos in £15tn of derivatives contracts held between UK and EU counterparties. Then on Wednesday 25th, they insisted outposts of EU banks in London would have to trade certain derivatives in the EU. Back in August 2020 the European Parliament reminded that "Equivalence decisions are a unilateral decision by the Commission. The Commission ultimately exercises its discretion as conferred upon it by the “empowerment” given in EU sectoral legislation.'' BUT MORE IMPORTANTLY "The Commission also enjoys discretion to withdraw equivalence decision. The equivalence frameworks in force do not provide as such specific procedures for monitoring, reviewing or amending equivalence decisions." There are no equivalence provisions in EU bank, payments nor electronic money directives, and the equivalence provision in MiFiD doesn't apply to retail investment services. See the below table on the 'Role of equivalence in key EU banking and financial services legislation' for confirmation. The upshot is that if you are a UK authorised payments institution or electronic money intuition, come Thursday 31st December 2020 when your ability to passport across the whole of European Economic Area comes to an end, so too does your business model unless you have obtained an authorisation in an EU/EEA state. There are are other options available but we'll leave that for another article. If you are a regulated fintech looking for a home post #brexit contact https://complireg.com/authorisations.html. Read our Fintech Authorisation Guides published jointly by CompliReg and Fintech Ireland on the authorisation process. And check out the 'Why Ireland for Fintech' brochure. Why Ireland for your regulated fintech?
“From January 1st, EU rules will apply to UK firms wishing to operate in the EU. UK firms will lose their financial passport: it’ll be anything but business as usual for them. This means they will have to adhere to individual home-state rules in each and every member state,” the official said. Further reading:
26 November 2020 - Move to EU or face disruption, City of London is warned
27 August 2019 - "Third country equivalence in EU banking and financial regulation"
29 July 2019 - Financial services: Commission sets out its equivalence policy with non-EU countries 12 July 2017 - "Third-country equivalence in EU banking legislation"
|