“For Insolvency Practitioners there is relatively little change” stated one RPB’s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs “will have wide-reaching changes for accountancy firms and IPs”. If two RPBs have such polar views on the overall impact of the new regs, this doesn’t bode well for a common approach to compliance with the MLR17.
I have great sympathy for the RPBs, though. The final regulations were only released late on Thursday 22 June and they came into force on Monday 26 June. They also contained some well-hidden changes from the draft regulations and there was no quick way of understanding their consequences. I suspect I was not the only one who spent their weekend scrutinising 116 pages of new legislation and thinking: this is an impossible task for us all!
In this first post on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR17”), I review the regulations’ impact on the systems involved in managing an insolvency practice:
- The different approaches expected of large and small firms
- The appointment of a new person responsible for compliance
- The need to screen relevant employees
- The independent audit function
- Drafting policies, controls and procedures
- The expanded syllabus for staff training
- Timely destruction of certain records
- Drafting a firm-wide risk assessment
- Seeking “approval” from your Supervisory Authority
The MLR17 can be found at: https://goo.gl/ei8ZB1
Some useful guides on the topic:
“Size and nature” matter
In six places, the MLR17 require relevant persons (i.e. those carrying out MLR17-regulated activities) to have regard to the size and nature of their business when seeking to comply with the regs. For example, Reg 19(2) requires relevant persons to adopt policies, controls and procedures that are “proportionate with regard to the size and nature of the relevant person’s business”.
Reg 21 states that, “where appropriate with regard to the size and nature of its business, a relevant person must:
- appoint one individual who is a member of the board of directors… or of its senior management as the officer responsible for the relevant person’s compliance with these Regulations;
- carry out screening of relevant employees..;
- establish an independent audit function…”
What are the RPBs’ expectations here? I cannot see any grey area in complying with Reg 21: either you endeavor to meet all (or some?) of these requirements or you determine that the measures are not appropriate having regard to the size and nature of your business. Where does the threshold between complying with Reg 21 and justifiably ignoring it lie?
I suspect that, at least in the short term, the regulators will say: you demonstrate to us how you’ve come to a conclusion. But they are the ones with the helicopter view of the profession(s) and they are the ones in direct contact with HM Treasury and all the other Supervisory Authorities. Can they not guide their regulated members?
To determine what is appropriate and proportionate, the MLR17 specifically refer to following guidance issued by the FCA or by any other Supervisory Authority or appropriate body and approved by HM Treasury. At present, all that IPs have is the 2008 CCAB Guidance, which I think is woefully inadequate in view of the shift from MLR07 to MLR17.
At the moment, different RPBs seem to be suggesting different expectations on compliance with Reg 21, which is not surprising given how swiftly the MLR17 were enacted. Whilst, understandably, the RPBs stick to the strict wording of Reg 21, they elaborate the idea with phrases such as:
- IPA: “Large firms must…”
- ICAS: “requirement for firms of a certain size…”
- ICAS: “requirements don’t apply to sole practitioners with no staff and no subcontractors”
- ICAEW: “Sole practitioners with no employees are exempt from this requirement”
Thus, it seems to me that all we can glean is that “large firms” definitely need to comply with these Reg 21 items, “sole practitioners with no employees” (and possibly no subcontractors either) do not, but everyone in between..? Your guess is as good as mine.
Reg 21: Infrastructure Changes
It is evident from the Reg 21 quote above that infrastructure changes are necessary for at least some firms:
- Board/senior level appointment of someone responsible for compliance
All three RPBs have asked to be informed of the appointment of such a person, as is required under the MLR17. Reg 21 also requires firms to notify their RPB of the identity of the first-appointed MLRO (I have not seen any RPB ask for this, so I assume MLR17-appointed MLROs are viewed as simply carrying on from their MLR07 appointment) and any change in identity of the MLRO or other Reg 21 appointed person within 14 days of the change.
This may be, but does not have to be, the same person who acts as MLRO, a position that is repeated in the MLR17. ICAS is calling this person the BSMLP (board or senior management level person) and ICAEW is calling them the MLCP (money laundering compliance person). The IPA has not given them a name.
“Relevant employees” are those involved in the firm’s compliance with the MLR17 as well as those “capable of contributing” to the identification, prevention, detection or risk-mitigation of money laundering or terrorist financing – so, for insolvency practices, I would think about all those working in compliance, cashiering, case administration and take-on. As employee-screening and staff-training are themselves MLR17 requirements, anyone involved in those activities would also be “relevant employees”.
The draft regs had included “agents” in this screening process, but “agents” were removed from the final version (which might explain why the IPA’s notice to members still referred, I think incorrectly, to screening agents).
“Screening” means “an assessment of the skills, knowledge and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual”. I suspect these items are generally covered in recruitment and appraisal processes, but they will need to be adequately documented in future specifically with the MLR17 in mind.
Reg 21 requires “relevant employees” to be screened, both before they are appointed and whilst so employed.
- Independent audit function
Two questions came immediately to my mind: how independent is “independent” and what constitutes an “audit”?
- What is an “audit”?
Reg 21 describes it as entailing the following:
- An examination and evaluation of the adequacy and effectiveness of the policies, controls and procedures adopted (see below)
- recommendations in relation to those policies, controls and procedures; and
- monitoring compliance with those recommendations.
This sounds very much like the process followed for the ICAEW’s Insolvency Compliance Reviews. Indeed, the ICAEW believes that firms’ money laundering compliance reviews, which they should already be performing, address the MLR17 requirement. ICAS is awaiting confirmation on how their current compliance review requirement stacks up against this audit requirement. The IPA has not made any comment, although I cannot see that the self certification process bears any resemblance to what is required here.
- How independent is “independent”?
As far as I can see, the ICAEW is the only RPB that has made any comment: “you should make sure that your Money Laundering Compliance Principal is responsible for performing this review”. The Law Society explains: “the regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed”. It seems to me, therefore, that if the “MLCP” is heavily involved in, say, the customer due diligence process, then they might not be the right person for the job.
Reg 19: Policies, Controls and Procedures
I’ll skip through this section quickly, not because it is unimportant – I accept that it is vital and I suspect it will feature heavily in monitoring visits – but because it is so dull! Sorry, it had to be said.
All firms will need to maintain written policies, controls and procedures covering pretty much all relevant areas of compliance with the MLR17. I think that anyone drafting these would do well to tick off every Reg 19 item plus carry out an overall sense-check, much as we would double-check a SIP16 Statement.
These policies, controls and procedures must also:
- be approved by the firm’s “senior management” (defined, I think quite widely, in Reg 3);
- be regularly reviewed and updated, with all changes made being documented in writing; and
- be communicated within the firm, with such steps taken (and steps to communicate any changes) being documented in writing.
Regs 19 and 20 add further requirements for firms with overseas subsidiaries or branches.
Reg 24: Staff Training
Of course, the MLR07 required regular staff training, so have things changed under the MLR17?
Setting aside the vague “size and nature” references to what “appropriate measures” might look like, the material changes are that:
- measures must include making relevant employees aware of, not only the usual MLR matters, but also of “the requirements of data protection, which are relevant to the implementation of these Regulations”
Data protection newly features elsewhere in the MLR17, most practically around record-keeping (see below) and in the client take-on process (which I will cover in a future blog), although it would also be relevant to make employees aware of the principles around handling personal data gathered for the purposes of complying with the MLR17 (Reg 41).
- a written record must be maintained of the “measures taken” and “in particular, of the training given”.
I’m sure we’re used to documenting evidence that staff have completed regular MLR training, but the above quote indicates that we should document other measures taken to make staff aware, perhaps for example the receipt of induction training, staff handbooks and manuals.
Reg 40: Record-Keeping
Although the MLR17 have retained the MLR07’s basic standard of 5 years for record-keeping, there is a problematic change in emphasis.
Both MLRs require customer due diligence records to be retained for “at least” 5 years, but the MLR17 require any personal data contained in these records to be deleted after 5 years from the completion of an occasional transaction or the end of the business relationship. The MLR17 also put the same record-keeping requirements on documents to support transactions that are the subject of customer due diligence measures or ongoing monitoring.
Although there are some exceptions to this deletion requirement, e.g. where the records need to be retained for legal proceedings, this could add a burden to firms whose systems are set up to store records to a 6- or 10-year standard. To be fair though, the data protection principles have for a long time now included that personal data should not be kept for longer than is necessary, so the implementation of smarter archiving practices may be long overdue.
Reg 18: the Relevant Person’s Risk Assessment
Personally, I think this Reg may present the greatest challenge: a relevant person must “take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”. This is not referring to the risk assessment carried out as part of the customer due diligence process. This is a risk assessment of the relevant person’s business, i.e. where do the risks lie in the work undertaken by the IP?
- What is the purpose of this risk assessment?
It needs to feed into:
- the design and maintenance of the policies, procedures and controls;
- decisions regarding employee-screening and the independent audit function; and
- the extent of customer due diligence measures taken in each case, including (but not only) whether enhanced or simplified due diligence should apply.
The MLR17 state that relevant persons must provide their risk assessment to their Supervisory Authority on request. Supervisory Authorities must review firms’ risk assessments (on a risk-based approach) and the IPA has stated that it will be reviewed as part of routine monitoring visits.
- How do you write the risk assessment?
The IPA and the ICAEW direct members to the CCAB’s current Guidance: https://goo.gl/LBgRKX. It’s true, Section 4 of the Guidance provides some pointers, but personally I think the Guidance is showing its age, as the MLR17 add more to the statutory list of risk factors that you need to consider than are covered by the Guidance. Therefore, if you do refer to the Guidance, I would also recommend cross-checking against Reg 18 itself to make sure that you have captured everything relevant.
The Reg 18 risk factors that you need to consider (although there could be others) are:
- your “customers”;
- the countries or geographic areas in which you operate;
- your products or services;
- the transactions you engage in or handle; and
- your delivery channels.
The task requires some lateral thinking to see these risk factors through an IP’s eyes, but I think it is a valuable exercise: one of the problems with MLR07 is that it all became process-driven and soon boiled down to ticking boxes, seemingly with the sole purpose of confirming identities. I think these new regs are an opportunity for us to take a fresh look at the risks: in what areas of our work are we most – and least – likely to encounter money laundering or terrorist financing? What services or transactions could be attractive – or prohibitive – to potential money launderers? Simply considering these questions could help us and staff to be more alert to strange potential clients, behaviours or requests.
Admittedly, this still doesn’t help much in drafting the risk assessment. If it is any consolation, the ICAEW has stated that, as the risk assessment will depend on the size and nature of your firm, the overall risk assessment of a small firm “may be quite succinct”.
Reg 26: Seeking the Approval of the Supervisory Authorities
The MLR17 give the Supervisory Authorities a great deal of new work to do. (I wonder how all this extra work is going to be paid for..?) For example, they need to conduct their own risk assessment and must create risk profiles of their members to inform their monitoring activities.
Reg 26 creates a whole new “approval” process, not only for licensed IPs, but also for firms’ beneficial owners, officers and managers (which include MLROs). The Supervisory Authority’s approval must be granted unless the person has been convicted of a “relevant offence” (Schedule 3 to the MLR17 lists 35 such offences).
- What if we’re not yet “approved”?
Those requiring approval can act as IPs, beneficial owners, officers or managers of relevant firms provided that they apply for approval before 26 June 2018. Although Reg 26(4) states that “a relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless they have been approved or have applied for approval and the application has not yet been determined”, my enquiries to the main RPBs suggest that they are not viewing this provision as being triggered until 26 June 2018 (and who can blame them, given the lack of notice we have all had?!), i.e. provided that we take steps before 26 June 2018 to become approved, there should be nothing to worry about.
Indications from the main RPBs are that the approval application process will become clear around licence-renewal time.
- Who is my Supervisory Authority?
Under the MLR07, I think the answer to the above question gradually became clear. The MLR07 had stated that each professional body was the Supervisory Authority for relevant persons regulated by it. Therefore, for example, if I held my insolvency licence with the ICAEW, but I was also an ordinary member of the IPA, the ICAEW would be my Supervisory Authority, as ordinary membership of the IPA carries no real regulation with it (I just need to make sure I comply with the membership rules).
However, the MLR17 introduced a small but significant change. Reg 7(1)(b) states that:
“each of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it”.
Therefore, it seems to me that, under the above scenario, I would now have two Supervisory Authorities. I suspect there are lots of members of professional bodies who look to a different body to act as their regulator, especially considering the wide range of activities falling under the MLR17.
Whilst having two Supervisory Authorities is nothing new (as IPA-licensed IPs working in an accountancy practice know well), I think that these developments – the widened scope from solely regulated members to members generally, the introduction of new approval processes (which may require applications to more than one body?) and the additional expensive burdens falling on Supervisory Authorities – may lead members to question the value of paying annual subs to more than one body.
Alternatively, perhaps we will get some clarification on the interaction of multiple Supervisory Authorities. Both MLRs encourage cooperation between bodies so that regulatory efforts are not duplicated, but we have seen little such cooperation to date.
Your to-do list
In summary, I think you might tackle the practice-level changes brought about by the MLR17 as follows (depending, of course, on what is proportionate and appropriate with regard to the size and nature of the business):
1. Document the appointment of a principal as the person responsible for the firm’s MLR17 compliance and inform your Supervisory Authority/Authorities of the appointment
2. Create/refresh the firm-wide risk assessment based on Reg 18
3. Create/revisit policies, controls and procedures for meeting all aspects of the MLR17 based on Reg 19 (including revised due diligence measures etc., which I have not covered above) and document their approval by the firm’s senior management
4. Included in (3) should be incorporation of MLR-specific assessments in staff recruitment and appraisal processes per Reg 21
5. Also included in (3) should be a revisit of the firm’s archiving processes to ensure that due diligence documentation is held in line with Reg 40
6. Carry out a staff training session to communicate 2, 3, 4 and 5 above and retain evidence of who has received what training and what new documentation
7. Schedule a review of the procedures etc. (the “independent audit”) for a few months after the new processes have been rolled out
8. Ensure that the annual and induction MLR staff training provisions reflect the MLR17, including relevant data protection matters; if a suitable product is available (and if (6) above did not update staff on the MLR17 changes), consider running it early for existing staff
Although this is a meaty to-do list already, I have not even started on the MLR17 changes impacting on our day-to-day business, such as the customer due diligence measures and ongoing monitoring.
In my next post, I will examine the changes from an engagement basis.