Insolvency Oracle

Developments in UK insolvency by Michelle Butler



MLR19: as if we didn’t have enough to do already!

It took less than one month for the draft new Money Laundering Regs to come into force, but I struggle to see how many of the additional burdens loaded onto our shoulders have anything to do with minimising the risks of money laundering.

I realise that I can be guilty of seeing insolvency work as somehow special.  However, the inability or refusal of legislation drafters to recognise that insolvency office holders do not have client relationships with the entities/individuals over which they are appointed means that the ever-increasing AML burdens feel so pointless and nonsensical when it comes to IPs.

I wrote as much when I responded to HM Treasury’s consultation back in June 2019 and I was pleased to see that the ICAEW had responded with many of the same concerns, including that MLR-regulated people should not be burdened with a new requirement to report discrepancies to the Registrar of Companies (see below).  But of course, HM Treasury has been required to make these changes largely to stay in line with the EU’s Fifth Money Laundering Directive (“5MLD”), so inevitably there would be no special treatment for IPs.

The new Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (“MLR19”) can be found at http://www.legislation.gov.uk/uksi/2019/1511/contents/made and I think the Law Society’s summary at https://www.lawsociety.org.uk/policy-campaigns/articles/anti-money-laundering-guidance/ (scroll down for the 5MLD bit) is a particularly good one.

 

How Accurate are PSC Registers?

I have yet to meet anyone working in insolvency who thinks that the adoption of the new People with Significant Control (“PSC”) register was a good idea.  In the good old days, more often than not companies’ annual returns could be relied upon as a true record of shareholdings.  Now that the annual return has been replaced with the confirmation statement, we often don’t know where we are as regards shareholdings!  In addition, from what I’ve seen, many PSCs are incorrect – it seems that many directors or their agents have trouble with percentages (how difficult can it be to determine whether someone has a shareholding of “more than 50% but less than 75%”?!).

People with Significant Control include not only 25%+ shareholders, but also anyone who otherwise exercises significant influence or control over the company.  Thus, the traditional formulaic approach to registering PSCs, which only ever seems to focus on 25%+ shareholders, does not take into consideration other signs of control, such as those exerted by shadow directors or those relinquished to the significant others of nominal shareholders.

With the abundance of PSC errors in mind, it seems to me that a new MLR19 requirement could add to IPs’ to-do list in a great many cases.

 

New Obligation to Inform the Registrar of Companies of Discrepancies

The MLR19 introduces to the MLR17 a new Regulation 30A, which requires relevant persons (i.e. IPs etc.) to:

“report to the registrar any discrepancy the relevant person finds between information relating to the beneficial ownership of the customer and… [that which] becomes available to the relevant person in the course of carrying out its duties under these Regulations.”

When might an IP discover a discrepancy?

One could argue that, as AML CDD should be completed right at the start of the engagement, we might not be certain that the register contains any discrepancy until we investigate the shareholdings, say, to draft a Statement of Affairs… and therefore knowledge of any such discrepancy does not become available “in the course of carrying out” AML duties, but rather it emerges after this point.  However, as the MLR17 require “ongoing monitoring”, such an argument is probably a little weak.

Companies House has provided guidance on reporting discrepancies on the register: https://www.gov.uk/guidance/report-a-discrepancy-about-a-beneficial-owner-on-the-psc-register-by-an-obliged-entity.

They have also provided an online form (https://www.smartsurvey.co.uk/s/report-a-discrepancy/), but, although they provide twelve categories of people who might use the form, insolvency practitioners are not listed *sigh*

 

What will RoC do with the information?

The MLR19 state that:

“the registrar must take such action as the registrar considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.”

So… an IP informs RoC that the PSC register is incorrect on a company in CVL, because someone is recorded as a between-50%-and-75%-shareholder when in fact they are the 100% shareholder.  Is it “necessary” for RoC to resolve this discrepancy?  In an insolvency, it will not make a darned bit of difference, will it?

 

So do IPs really need to inform RoC of the discrepancy?

If you want to comply with the MLR19/17, then yes you do.

Typical, isn’t it?  The Regs require IPs to go to the trouble of notifying RoC of pointless pieces of information, but the Regs give RoC a nice little get-out to avoid having to do anything about it.  What a waste of our time!

 

Widening the MLR-Regulated Net

The MLR19 captures some new businesses into the MLR-regulated net.  Most will only be relevant to IPs when they are appointed over entities/individuals who are trading in these areas – letting agents, art dealers, cryptoasset exchange and custodian wallet providers – but I wonder if the widened definition of “tax adviser” may capture more non-formal insolvency work carried out by IPs themselves.

“Tax adviser” has been newly defined as:

“a firm or sole practitioner who by way of business provides material aid, or assistance, or advice, in connection with the tax affairs of other persons”.

So… you help a company or an individual to agree a TTP with HMRC in order to avoid a formal insolvency process – does this now make you a “tax adviser”?

I appreciate that some firms already put all prospective new engagements through their AML CDD process whether or not they strictly fall as MLR-regulated engagements, but I suspect that just as many other firms do not.  Now they may have to think twice.

 

Training for “Agents”

The MLR19 widens the scope of those for whom an MLR-regulated firm is responsible for training.  As well as the MLR17’s “relevant employees”, now firms must train (and keep records of training) for:

“any agents it uses for the purposes of its business whose work is of a kind mentioned in paragraph (2)”, which covers any work relevant to the firm’s compliance with the MLR17 or which is otherwise capable of contributing to the identification or mitigation of the firm’s ML/TF risks or the prevention or detection of ML/TF to which the firm is exposed.

So… an IP instructs agents to sell an insolvent’s assets and to receive the proceeds of sale to pass on to the IP in due course.  It seems to me that, whether or not the sale transaction is caught by the MLR17*, the agents’ work could contribute to the IP’s ML/TF risks or exposure.  And… what about if you use ERA agents, who might come across ghost employees or illegal workers, surely those ERA agents also can affect your ML/TF risks and exposure?  Do the MLR19 capture these agents??

(* If you have not already read the CCAB’s draft insolvency guidance, I would recommend it – at http://ccab.org.uk/documents/20190830CCAB%20InsolvencyAppendixFDraft_18forHMT.pdf.  In brief, the draft guidance explains that only a Trustee in Bankruptcy sells their own assets – all other insolvency office holders act as agents – so, while a TiB must ensure that relevant asset purchasers are subject to AML CDD, no other office holders need “routinely” do so.  Personally, while I see the technical argument, I do wonder whether it reflects the spirit behind the Regs to allow an Administrator to sell a business for £1m without AML CDD, but to require a TiB to do AML checks on someone who wants to buy a bankruptcy asset for >€15,000.)

Jo and I have debated whether chattel agents etc. are truly agents: do they act under the IP’s delegated authority to enter into legal relations on the IP’s behalf?  Even if this is a legal definition of “agent”, does this hold true for the application of the word in the MLR19?

The problem I have is that HM Treasury’s consultation was clearly not interested in agents in general.  The consultation document referred to networks of agents used in a Money Service Business, those involving “multi-layer arrangements with sub-agents who deal with frontline customers”.  But the MLR19 make no such distinction.

 

Prescriptive EDD for Transactions/Parties in High Risk Countries

The MLR17 already highlighted the need for EDD and enhanced ongoing monitoring where a business relationship or transaction involves someone in a “high-risk third country”.  The MLR19 have added (new Reg 33(3A)) six elements of EDD that “must” be included in these circumstances.

In the main, these new statutory requirements are not unusual.  They include: obtaining more information on the customer, their beneficial owner, the nature of the relationship or reason for the transaction, the source of funds/wealth, and getting senior management to approve the establishing or continuing of the business relationship.

The final requirement puzzled me, though:

“conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination”

Unless an office holder is trading (or is monitoring the trading of) the insolvent’s business, it is difficult to see how this works in an insolvency context.

Nevertheless, IPs’ systems may need to be changed in order to cover the newly-prescribed EDD and ongoing monitoring where someone established in a high risk third country is encountered.  For a more thorough explanation of this area, you may want to look at the Law Society’s guidance mentioned above.

 

Other Clarifications

The MLR19 include several other tweaks, which to be fair are valuable clarifications of the MLR17 and which may affect the finer points of some firms’ processes and templates.  Again, I’d recommend the Law Society’s guidance for a detailed summary.

Should IPs wait until the RPBs issue/endorse new guidance before we make changes?

The ICAEW has posted a summary of the changes primarily for accountants and has noted that the CCAB’s Guidance will be updated in due course (https://www.icaew.com/technical/legal-and-regulatory/anti-money-laundering/fifth-anti-money-laundering-directive-5mld).  The IPA doesn’t appear to have posted anything specific on the MLR19, but I expect that they too will look to the updated CCAB Guidance.  However, in light of the fact that the CCAB insolvency-specific guidance was not issued even in draft for over 2 years after the MLR17 came into force, I won’t be holding my breath.



Money Laundering Regulations 2017 – part 2: Customer Due Diligence and more

The objective of the MLR17 is “to make the financial system a hostile environment for illicit finance while minimising the burden on legitimate businesses”. The impact assessment shows a net direct cost to businesses of £5.2m pa… so don’t expect the MLR17 burden to be any lighter than their predecessor’s.

In this blog post, I summarise the key changes in the MLR17 affecting day-to-day activities, including:

  • Focussing the customer due diligence (“CDD”) more squarely onto risks
  • A need to refresh the risk assessment process
  • More than ID checks are required to complete CDD
  • How the impacts of the enlarged definition of a PEP can be managed
  • A simultaneous easing and toughening of the reliance provisions
  • Necessary additions to engagement letters and other letters to insolvents

My earlier blog post reviewing the MLR17’s effects on firms’ systems and controls can be found at: https://insolvencyoracle.com/2017/07/22/mlr17-part-1/

 

Customer Due Diligence: a clearer objective?

For most intents and purposes, the MLR07 CDD requirements boiled down to identifying and verifying identities. Ok, there was also the need for a risk-based assessment, but it seemed that the objective of this was only really to determine the extent of checks employed in the CDD process.

I think the MLR17 provide a welcome adjustment in the emphasis. For example, in setting out the enhanced due diligence (“EDD”) process, Reg 33 puts the risk assessment in the following context:

“When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk…”

This thought – that the focus of the risk assessment is to consider the risk that “a particular situation” gives rise to a high risk of money laundering or terrorist financing – is repeated elsewhere and emphasises the need to manage and mitigate the risk e.g. of becoming an unwitting “enabler”. Realistically, how far does simply identifying who we’re dealing with get us in this process?

I do understand that money launderers generally want to work under a cloak of anonymity, so getting to the root of who really is behind a company and in the process showing customers that we’re serious when we carry out CDD help manage and mitigate the risks: money launderers may go looking for a less diligent professional. But what really are the risks of the particular situation of an insolvency?

If we’re being appointed over a dead company with few assets, what are the risks of money laundering or terrorist financing? If there have been any such activities, they will only be historic, won’t they? There will be negligible, if any, risk that any such activities will continue under our watch. So in what ways can – or should – any risks be managed or mitigated? Increasing the extent of identity checks we carry out surely won’t help; it may only give us more information to add to a SAR, if we develop suspicions about past events.

Although the new CDD requirements of the MLR17 will be a pain to complete, I do think they get closer to the nub of the issue: what does the customer do and what do they want us to do for them? In so doing, it seems that the flipside is that, if we have a defunct “customer” who isn’t asking us to do anything risky, then we might find the CDD simpler.

I hasten to add that this post describes purely my own interpretation of the MLR17 (plus some input from Jo Harris). I would be surprised if the RPBs see all the requirements in the same light. Regrettably, it may be a long time before we learn how they think the regulations should be applied, but until they make their expectations clear, I am not sure we can be heavily criticised for trying to do our best.

 

First things first: the risk assessment

Like its predecessor, the MLR17 state that the extent of CDD measures must reflect the level of risk assessed. However, I think the MLR17 far more clearly explain how this risk should be assessed.

For instance, Reg 28(12) states that there are two factors involved:

  • the Reg 18 risk assessment – this is the business-wide risk assessment, which I covered in my last blog; and
  • an “assessment of the level of risk arising in any particular case” – I think this finally answers unequivocally the question of whether a risk assessment needs to be done on court appointments: surely a case-specific risk assessment must be done each time.

Although I think we all developed passable approaches to risk assessments under MLR07, I think that the MLR17 help us much more. Reg 28(13) lists the factors to consider for the risk assessment, but in particular I found Reg 33(6) valuable. This regulation lists potential flags of higher risks, setting them out nicely into three categories:

  • customer risk factors, e.g. where the business is cash intensive;
  • product, service, transaction or delivery channel risk factors, e.g. where payments are received from unknown or unassociated third parties; and
  • geographical risk factors.

I found a useful exercise was to develop a list of questions that put many of the eighteen Reg 33(6) factors into a practical insolvency context. This generated several questions that were similar to the MLR07, but I discovered that the emphasis on whether ongoing insolvency engagements could lead to encounters with money launderers emerged strongly.

At the other end of the spectrum, Reg 37(3) is helpful in assessing cases for low risk. This regulation lists another fifteen indicators of potential low risk, categorised into the three headings above, some of which similarly can be converted into insolvency-relevant questions.

As the MLR17 are non-prescriptive, however, the warning described at Regs 33(7) and 37(4) should be incorporated somewhere into the risk assessment:

“the presence of one or more risk factors may not always indicate that there is a high [or low] risk of money laundering or terrorist financing in a particular situation”

This will no doubt frustrate those that would much prefer a straightforward way to steer risk assessments to a definitive conclusion, but I think that this final sense-check is valuable, as it is impossible to squeeze all scenarios into a bundle of questions.

 

More steps in the process

The process no longer follows the formula: risk assessment + beneficial owner IDs = CDD. The MLR17 require other information to be examined. For example, Reg 28(3)(b) requires us to “take reasonable measures to determine and verify”:

  • “the law to which the body corporate is subject, and its constitution” (Reg 28(3)(b))
  • “the full names of the board of directors and the senior persons responsible for the operations of the body corporate” (Reg 28(3)(b))

Personally, I do wonder how these items can be “verified”, especially the full names of the senior persons – obtaining this information before engagement may be a struggle as it is.

The MLR17 also turn an eye toward a new person not covered by the MLR07: anyone who purports to act on behalf of the customer. Reg 28(10) requires that such a person be identified and their identity verified in all cases.

 

Enhanced Due Diligence

Continuing the theme of a better targeted approach, I like the way the EDD requirements no longer focus simply on increasing the extent of ID checks… although the downside is that the process has become more time-intensive for higher risk cases.

Reg 33(4) states that EDD measures must include:

  • “as far as reasonably possible, examining the background and purpose of the transaction, and
  • “increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.”

Also, Reg 33(5) states that EDD measures may include “among other things”:

  • “seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • “taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • “taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • “increasing the monitoring of the business relationship, including greater scrutiny of transactions.”

In an insolvency context, I think much of this can be translated into asking oneself: why does this “customer” want to take this step, does it seem logical in the circumstances or could it be a cover for something more sinister?

 

PEPs: are they high risk?

Well of course, in this non-prescriptive world, the answer to this question is always going to be: it depends.

The MLR17 have widened the definition of a PEP to encompass UK PEPs. Therefore, something that for most of us was little more than theoretic under the MLR07, likely will become more of a reality in future. However, PEPs are still likely to pop up only once in a blue moon, which makes it tricky to design systems to accommodate them without overcomplicating processes for the 99.9% of cases.

  • Additional steps for PEPs and PEP connections

In all cases where a PEP or PEP connection (i.e. family member or “known close associate” of a PEP) has been spotted, the MLR17 require the following steps:

  • Assess the associated risk level and tailor the due diligence measures accordingly;
  • Obtain approval from “senior management” in establishing or continuing the business relationship;
  • “Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person”; and
  • Conduct enhanced ongoing monitoring of any business relationship.

So what do you do if the daughter of a domestic Supreme Court judge wants you to help wind up her insolvent company? Does she really present a high risk? Do you really need to go through all those steps?

  • FCA enlightenment on UK PEPs

The FCA has produced some useful guidance on dealing with PEPs: https://goo.gl/WW2WY1

Understandably, the FCA emphasises the value of the first step: the risk assessment. Helpfully, the guidance states:

“A PEP who is entrusted with a prominent public function in the UK should be treated as low risk, unless a firm has assessed that other risk factors not linked to their position as a PEP mean they pose a higher threat”

This demonstrates to me the pointlessness of this MLR17 change wrapping in domestic PEPs: it has added to the nonsensical bureaucracy, as we now need to (i) note UK PEPs; (ii) consider whether they are low risk; (iii) decide in most cases that they are low risk; (iv) but nevertheless work through the other steps listed above.

If a PEP is low risk, then how practically should we work through the other steps? The FCA suggests:

  • “Senior management” approval need not be at board level; it could be the MLRO.
  • “Take less intrusive and less exhaustive steps” to establish the sources of wealth and of funds; “only use information available to the institution… and do not make further inquiries of the individual unless anomalies arise”.
  • Ongoing monitoring could be, “for example, only where it is necessary to update customer due diligence information or where the customer requests a new service or product”.

Oh well, that’s alright then! Thank you FCA, for bringing a note of reasonableness to the proceedings.

Of course, if a PEP is considered high risk – based, as the FCA points out, on who they are, where they are, and what they want from you – it is only right that additional measures are applied. But, I think that, unless you work in a market that means you encounter PEPs relatively frequently, other than ensuring that staff are alert to the complications arising from PEPs and giving them a place to go when one is spotted, practically on a day-to-day basis there is little point in layering on procedures to deal with PEPs.

 

Reliance on other people’s due diligence: made easier or tougher?

On the one hand, relying on another MLR-regulated person’s customer due diligence checks has been made easier. There is no longer a two-tier supervisory body system, which under the MLR07 meant that an ICAEW-licensed IP could be relied upon, but an IPA-licensed IP could not. Now, the work of any MLR-regulated persons (e.g. including casinos), as well as some overseas equivalents, may be relied upon.

However, there is one new requirement that almost entirely negates this advantage: Reg 39(2) states that the person seeking to rely on another:

“must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) in relation to the customer, customer’s beneficial owner, or any person acting on behalf of the customer”

In other words, you must obtain from the person on whom you are seeking to rely all the information that you would otherwise gather yourself to complete customer due diligence. It also doesn’t avoid the need to carry out a risk assessment or deal with ongoing monitoring. So what is the point of relying on someone else to do some of the work for you, especially when you remain liable for any failure of the relied-on person to conduct appropriate due diligence? You might as well collect the due diligence information yourself, mightn’t you?

 

Additions to engagement letters… and more?

Reg 41(4) states that:

“Relevant persons must provide new customers with the following information before establishing a business relationship or entering into an occasional transaction with the customer:

(a) the information specified in paragraph 2(3) in Part 2 of Schedule 1 to the Data Protection Act 1998 (interpretation of data protection principles);

(b) a statement that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under paragraph (3).”

In other words, the required information is:

  • The identity of the data controller;
  • The identity of any representative nominated by the data controller; and
  • The purposes for which the data are intended to be processed (including the statement required by Reg 41(4)(b) above).

Complying with this requirement seems fairly straightforward when appointments are preceded by an engagement letter to the insolvent/MVL-seeker: the above information likely would feature in the engagement letter.

  • Is a bankrupt a “new customer”?

What if there is no engagement letter with the “customer”? Does this requirement still apply in bankruptcies, compulsory liquidations and creditor-led Administrations?

Who is the customer in a court or creditor-led process? The old CCAB guidance states: “In the context of insolvency work, the person or entity entering into the business relationship is considered to be the insolvent.” Although I think this was generally accepted and just-about manageable for the MLR07, the shoe-horning of regulations designed for a client-provider relationship into an insolvency context becomes a little more painful with the MLR17.

Are we really expected to view a bankrupt as a “new customer” for the purposes of Reg 41(4)? Do we really need to provide them with the above information? I guess we can add the information to our on-appointment letters to insolvents, but we cannot write to them before establishing the business relationship, i.e. before being appointed as office holder, can we?

Ah but doesn’t the CCAB Guidance give us a back-stop guide of 5 working days after appointment to complete the due diligence? This is true, but this provision related to the timescale for completing the CDD in view of the fact that the MLR07 had stated that in some circumstances the due diligence could be completed as soon as practicable after first contact – a concession that is repeated in the MLR17 – but we’re not talking about the due diligence process here. The MLR17 do not provide an asarp exception to providing the above information before establishing the business relationship, so I cannot see a practical way for us to comply with Reg 41(4) in most court or creditor-led appointments.

 

Not written with IPs in mind

The MLR17 repeat their predecessor’s deficiency in demonstrating ignorance of the mechanisms of the insolvency regime. I have always objected to the assumption that the insolvent is an IP’s “customer”, especially when I remember that technically under the MLR07/17 an IP is only carrying out regulated activities when s/he is formally appointed. Further questions about the drafter’s knowledge came to my mind when I read the new definition of an IP in the MLR17: not only an individual, but also “any firm… who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986” – that would be a clever trick!

In my view, the MLRs’ concept of a “business relationship” also has never really worked: what “business relationship” does the IP form with the insolvent when s/he takes office? And the suggestion that an IP engages in an “occasional transaction” when s/he sells an insolvent’s assets is another cruelty on the English language: is it the insolvent or the IP that is carrying out the transaction? An “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, but the IP is considered to have a “business relationship” with the insolvent, so where does the asset sale fit in?

Is there no useful guidance for IPs? In my view, the CCAB Guidance touches on insolvency far too lightly and the Insolvency Service’s and R3’s Guidance notes are showing their age; both have the air of guidance written when the MLR07 were little more than theory. Let’s hope that we will one day receive some authoritative guidance that demonstrates a proper and practical understanding of how the MLR17 should be applied to the insolvency regime.