Insolvency Oracle

Developments in UK insolvency by Michelle Butler



Money Laundering Regulations 2017 – part 2: Customer Due Diligence and more

The objective of the MLR17 is “to make the financial system a hostile environment for illicit finance while minimising the burden on legitimate businesses”. The impact assessment shows a net direct cost to businesses of £5.2m pa… so don’t expect the MLR17 burden to be any lighter than their predecessor’s.

In this blog post, I summarise the key changes in the MLR17 affecting day-to-day activities, including:

  • Focussing the customer due diligence (“CDD”) more squarely onto risks
  • A need to refresh the risk assessment process
  • More than ID checks are required to complete CDD
  • How the impacts of the enlarged definition of a PEP can be managed
  • A simultaneous easing and toughening of the reliance provisions
  • Necessary additions to engagement letters and other letters to insolvents

My earlier blog post reviewing the MLR17’s effects on firms’ systems and controls can be found at: https://insolvencyoracle.com/2017/07/22/mlr17-part-1/

 

Customer Due Diligence: a clearer objective?

For most intents and purposes, the MLR07 CDD requirements boiled down to identifying and verifying identities. Ok, there was also the need for a risk-based assessment, but it seemed that the objective of this was only really to determine the extent of checks employed in the CDD process.

I think the MLR17 provide a welcome adjustment in the emphasis. For example, in setting out the enhanced due diligence (“EDD”) process, Reg 33 puts the risk assessment in the following context:

“When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk…”

This thought – that the focus of the risk assessment is to consider the risk that “a particular situation” gives rise to a high risk of money laundering or terrorist financing – is repeated elsewhere and emphasises the need to manage and mitigate the risk e.g. of becoming an unwitting “enabler”. Realistically, how far does simply identifying who we’re dealing with get us in this process?

I do understand that money launderers generally want to work under a cloak of anonymity, so getting to the root of who really is behind a company and in the process showing customers that we’re serious when we carry out CDD help manage and mitigate the risks: money launderers may go looking for a less diligent professional. But what really are the risks of the particular situation of an insolvency?

If we’re being appointed over a dead company with few assets, what are the risks of money laundering or terrorist financing? If there have been any such activities, they will only be historic, won’t they? There will be negligible, if any, risk that any such activities will continue under our watch. So in what ways can – or should – any risks be managed or mitigated? Increasing the extent of identity checks we carry out surely won’t help; it may only give us more information to add to a SAR, if we develop suspicions about past events.

Although the new CDD requirements of the MLR17 will be a pain to complete, I do think they get closer to the nub of the issue: what does the customer do and what do they want us to do for them? In so doing, it seems that the flipside is that, if we have a defunct “customer” who isn’t asking us to do anything risky, then we might find the CDD simpler.

I hasten to add that this post describes purely my own interpretation of the MLR17 (plus some input from Jo Harris). I would be surprised if the RPBs see all the requirements in the same light. Regrettably, it may be a long time before we learn how they think the regulations should be applied, but until they make their expectations clear, I am not sure we can be heavily criticised for trying to do our best.

 

First things first: the risk assessment

Like its predecessor, the MLR17 state that the extent of CDD measures must reflect the level of risk assessed. However, I think the MLR17 far more clearly explain how this risk should be assessed.

For instance, Reg 28(12) states that there are two factors involved:

  • the Reg 18 risk assessment – this is the business-wide risk assessment, which I covered in my last blog; and
  • an “assessment of the level of risk arising in any particular case” – I think this finally answers unequivocally the question of whether a risk assessment needs to be done on court appointments: surely a case-specific risk assessment must be done each time.

Although I think we all developed passable approaches to risk assessments under MLR07, I think that the MLR17 help us much more. Reg 28(13) lists the factors to consider for the risk assessment, but in particular I found Reg 33(6) valuable. This regulation lists potential flags of higher risks, setting them out nicely into three categories:

  • customer risk factors, e.g. where the business is cash intensive;
  • product, service, transaction or delivery channel risk factors, e.g. where payments are received from unknown or unassociated third parties; and
  • geographical risk factors.

I found a useful exercise was to develop a list of questions that put many of the eighteen Reg 33(6) factors into a practical insolvency context. This generated several questions that were similar to the MLR07, but I discovered that the emphasis on whether ongoing insolvency engagements could lead to encounters with money launderers emerged strongly.

At the other end of the spectrum, Reg 37(3) is helpful in assessing cases for low risk. This regulation lists another fifteen indicators of potential low risk, categorised into the three headings above, some of which similarly can be converted into insolvency-relevant questions.

As the MLR17 are non-prescriptive however, the warning described at Regs 33(7) and 37(4) should be incorporated somewhere into the risk assessment:

“the presence of one or more risk factors may not always indicate that there is a high [or low] risk of money laundering or terrorist financing in a particular situation”

This will no doubt frustrate those that would much prefer a straightforward way to steer risk assessments to a definitive conclusion, but I think that this final sense-check is valuable, as it is impossible to squeeze all scenarios into a bundle of questions.

 

More steps in the process

The process no longer follows the formula: risk assessment + beneficial owner IDs = CDD. The MLR17 require other information to be examined. For example, Reg 28(3)(b) requires us to “take reasonable measures to determine and verify”:

  • “the law to which the body corporate is subject, and its constitution” (Reg 28(3)(b))
  • “the full names of the board of directors and the senior persons responsible for the operations of the body corporate” (Reg 28(3)(b))

Personally, I do wonder how these items can be “verified”, especially the full names of the senior persons – obtaining this information before engagement may be a struggle as it is.

The MLR17 also turn an eye toward a new person not covered by the MLR07: anyone who purports to act on behalf of the customer. Reg 28(10) requires that such a person be identified and their identity verified in all cases.

 

Enhanced Due Diligence

Continuing the theme of a better targeted approach, I like the way the EDD requirements no longer focus simply on increasing the extent of ID checks… although the downside is that the process has become more time-intensive for higher risk cases.

Reg 33(4) states that EDD measures must include:

  • “as far as reasonably possible, examining the background and purpose of the transaction, and
  • “increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.”

Also, Reg 33(5) states that EDD measures may include “among other things”:

  • “seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • “taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • “taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • “increasing the monitoring of the business relationship, including greater scrutiny of transactions.”

In an insolvency context, I think much of this can be translated into asking oneself: why does this “customer” want to take this step, does it seem logical in the circumstances or could it be a cover for something more sinister?

 

PEPs: are they high risk?

Well of course, in this non-prescriptive world, the answer to this question is always going to be: it depends.

The MLR17 have widened the definition of a PEP to encompass UK PEPs. Therefore, something that for most of us was little more than theoretical under the MLR07 will likely become more of a reality in future. However, PEPs are still likely to pop up only once in a blue moon, which makes it tricky to design systems to accommodate them without overcomplicating processes for the 99.9% of cases.

  • Additional steps for PEPs and PEP connections

In all cases where a PEP or PEP connection (i.e. family member or “known close associate” of a PEP) has been spotted, the MLR17 require the following steps:

  • Assess the associated risk level and tailor the due diligence measures accordingly;
  • Obtain approval from “senior management” in establishing or continuing the business relationship;
  • “Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person”; and
  • Conduct enhanced ongoing monitoring of any business relationship.

So what do you do if the daughter of a domestic Supreme Court judge wants you to help wind up her insolvent company? Does she really present a high risk? Do you really need to go through all those steps?

  • FCA enlightenment on UK PEPs

The FCA has produced some useful guidance on dealing with PEPs: https://goo.gl/WW2WY1

Understandably, the FCA emphasises the value of the first step: the risk assessment. Helpfully, the guidance states:

“A PEP who is entrusted with a prominent public function in the UK should be treated as low risk, unless a firm has assessed that other risk factors not linked to their position as a PEP mean they pose a higher threat”

This demonstrates to me the pointlessness of this MLR17 change wrapping in domestic PEPs: it has added to the nonsensical bureaucracy, as we now need to (i) note UK PEPs; (ii) consider whether they are low risk; (iii) decide in most cases that they are low risk; (iv) but nevertheless work through the other steps listed above.

If a PEP is low risk, then how practically should we work through the other steps? The FCA suggests:

  • “Senior management” approval need not be at board level; it could be the MLRO.
  • “Take less intrusive and less exhaustive steps” to establish the sources of wealth and of funds; “only use information available to the institution… and do not make further inquiries of the individual unless anomalies arise”.
  • Ongoing monitoring could be, “for example, only where it is necessary to update customer due diligence information or where the customer requests a new service or product”.

Oh well, that’s alright then! Thank you FCA, for bringing a note of reasonableness to the proceedings.

Of course, if a PEP is considered high risk – based, as the FCA points out, on who they are, where they are, and what they want from you – it is only right that additional measures are applied. But, I think that, unless you work in a market that means you encounter PEPs relatively frequently, other than ensuring that staff are alert to the complications arising from PEPs and giving them a place to go when one is spotted, practically on a day-to-day basis there is little point in layering on procedures to deal with PEPs.

 

Reliance on other people’s due diligence: made easier or tougher?

On the one hand, relying on another MLR-regulated person’s customer due diligence checks has been made easier. There is no longer a two-tier supervisory body system, which under the MLR07 meant that an ICAEW-licensed IP could be relied upon, but an IPA-licensed IP could not. Now, the work of any MLR-regulated persons (e.g. including casinos), as well as some overseas equivalents, may be relied upon.

However, there is one new requirement that almost entirely negates this advantage: Reg 39(2) states that the person seeking to rely on another:

“must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) in relation to the customer, customer’s beneficial owner, or any person acting on behalf of the customer”

In other words, you must obtain from the person on whom you are seeking to rely all the information that you would otherwise gather yourself to complete customer due diligence. It also doesn’t avoid the need to carry out a risk assessment or deal with ongoing monitoring. So what is the point of relying on someone else to do some of the work for you, especially when you remain liable for any failure of the relied-on person to conduct appropriate due diligence? You might as well collect the due diligence information yourself, mightn’t you?

 

Additions to engagement letters… and more?

Reg 41(4) states that;

“Relevant persons must provide new customers with the following information before establishing a business relationship or entering into an occasional transaction with the customer:

(a) the information specified in paragraph 2(3) in Part 2 of Schedule 1 to the Data Protection Act 1998 (interpretation of data protection principles);

(b) a statement that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under paragraph (3).”

In other words, the required information is:

  • The identity of the data controller;
  • The identity of any representative nominated by the data controller; and
  • The purposes for which the data are intended to be processed (including the statement required by Reg 41(4)(b) above).

Complying with this requirement seems fairly straightforward when appointments are preceded by an engagement letter to the insolvent/MVL-seeker: the above information would likely feature in the engagement letter.

  • Is a bankrupt a “new customer”?

What if there is no engagement letter with the “customer”? Does this requirement still apply in bankruptcies, compulsory liquidations and creditor-led Administrations?

Who is the customer in a court or creditor-led process? The old CCAB guidance states: “In the context of insolvency work, the person or entity entering into the business relationship is considered to be the insolvent.” Although I think this was generally accepted and just-about manageable for the MLR07, the shoe-horning of regulations designed for a client-provider relationship into an insolvency context becomes a little more painful with the MLR17.

Are we really expected to view a bankrupt as a “new customer” for the purposes of Reg 41(4)? Do we really need to provide them with the above information? I guess we can add the information to our on-appointment letters to insolvents, but we cannot write to them before establishing the business relationship, i.e. before being appointed as office holder, can we?

Ah but doesn’t the CCAB Guidance give us a back-stop guide of 5 working days after appointment to complete the due diligence? This is true, but this provision related to the timescale for completing the CDD in view of the fact that the MLR07 had stated that in some circumstances the due diligence could be completed as soon as practicable after first contact – a concession that is repeated in the MLR17 – but we’re not talking about the due diligence process here. The MLR17 do not provide an asarp exception to providing the above information before establishing the business relationship, so I cannot see a practical way for us to comply with Reg 41(4) in most court or creditor-led appointments.

 

Not written with IPs in mind

The MLR17 repeat their predecessor’s deficiency in demonstrating ignorance of the mechanisms of the insolvency regime. I have always objected to the assumption that the insolvent is an IP’s “customer”, especially when I remember that technically under the MLR07/17 an IP is only carrying out regulated activities when s/he is formally appointed. Further questions about the drafter’s knowledge came to my mind when I read the new definition of an IP in the MLR17: not only an individual, but also “any firm… who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986” – that would be a clever trick!

In my view, the MLRs’ concept of a “business relationship” also has never really worked: what “business relationship” does the IP form with the insolvent when s/he takes office? And the suggestion that an IP engages in an “occasional transaction” when s/he sells an insolvent’s assets is another cruelty on the English language: is it the insolvent or the IP that is carrying out the transaction? An “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, but the IP is considered to have a “business relationship” with the insolvent, so where does the asset sale fit in?

Is there no useful guidance for IPs? In my view, the CCAB Guidance touches on insolvency far too lightly and the Insolvency Service’s and R3’s Guidance notes are showing their age; both have the air of guidance written when the MLR07 were little more than theory. Let’s hope that we will one day receive some authoritative guidance that demonstrates a proper and practical understanding of how the MLR17 should be applied to the insolvency regime.


Money Laundering Regulations 2017 – Part 1: Infrastructure Changes

 

“For Insolvency Practitioners there is relatively little change” stated one RPB’s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs “will have wide-reaching changes for accountancy firms and IPs”. If two RPBs have such polar views on the overall impact of the new regs, this doesn’t bode well for a common approach to compliance with the MLR17.

I have great sympathy for the RPBs, though. The final regulations were only released late on Thursday 22 June and they came into force on Monday 26 June. They also contained some well-hidden changes from the draft regulations and there was no quick way of understanding their consequences. I suspect I was not the only one who spent their weekend scrutinising 116 pages of new legislation and thinking: this is an impossible task for us all!

In this first post on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR17”), I review the regulations’ impact on the systems involved in managing an insolvency practice:

  • The different approaches expected of large and small firms
  • The appointment of a new person responsible for compliance
  • The need to screen relevant employees
  • The independent audit function
  • Drafting policies, controls and procedures
  • The expanded syllabus for staff training
  • Timely destruction of certain records
  • Drafting a firm-wide risk assessment
  • Seeking “approval” from your Supervisory Authority

The MLR17 can be found at: https://goo.gl/ei8ZB1

Some useful guides on the topic:

 

“Size and nature” matter

In six places, the MLR17 require relevant persons (i.e. those carrying out MLR17-regulated activities) to have regard to the size and nature of their business when seeking to comply with the regs. For example, Reg 19(2) requires relevant persons to adopt policies, controls and procedures that are “proportionate with regard to the size and nature of the relevant person’s business”.

Reg 21 states that, “where appropriate with regard to the size and nature of its business, a relevant person must:

  1. appoint one individual who is a member of the board of directors… or of its senior management as the officer responsible for the relevant person’s compliance with these Regulations;
  2. carry out screening of relevant employees…;
  3. establish an independent audit function…”

What are the RPBs’ expectations here? I cannot see any grey area in complying with Reg 21: either you endeavour to meet all (or some?) of these requirements or you determine that the measures are not appropriate having regard to the size and nature of your business. Where does the threshold between complying with Reg 21 and justifiably ignoring it lie?

I suspect that, at least in the short term, the regulators will say: you demonstrate to us how you’ve come to a conclusion. But they are the ones with the helicopter view of the profession(s) and they are the ones in direct contact with HM Treasury and all the other Supervisory Authorities. Can they not guide their regulated members?

To determine what is appropriate and proportionate, the MLR17 specifically refer to following guidance issued by the FCA or by any other Supervisory Authority or appropriate body and approved by HM Treasury. At present, all that IPs have is the 2008 CCAB Guidance, which I think is woefully inadequate in view of the shift from MLR07 to MLR17.

At the moment, different RPBs seem to be suggesting different expectations on compliance with Reg 21, which is not surprising given how swiftly the MLR17 were enacted. Whilst, understandably, the RPBs stick to the strict wording of Reg 21, they elaborate the idea with phrases such as:

  • IPA: “Large firms must…”
  • ICAS: “requirement for firms of a certain size…”
  • ICAS: “requirements don’t apply to sole practitioners with no staff and no subcontractors”
  • ICAEW: “Sole practitioners with no employees are exempt from this requirement”

Thus, it seems to me that all we can glean is that “large firms” definitely need to comply with these Reg 21 items, “sole practitioners with no employees” (and possibly no subcontractors either) do not, but everyone in between..? Your guess is as good as mine.

 

Reg 21: Infrastructure Changes

It is evident from the Reg 21 quote above that infrastructure changes are necessary for at least some firms:

  • Board/senior level appointment of someone responsible for compliance

All three RPBs have asked to be informed of the appointment of such a person, as is required under the MLR17. Reg 21 also requires firms to notify their RPB of the identity of the first-appointed MLRO (I have not seen any RPB ask for this, so I assume MLR17-appointed MLROs are viewed as simply carrying on from their MLR07 appointment) and any change in identity of the MLRO or other Reg 21 appointed person within 14 days of the change.

This may be, but does not have to be, the same person who acts as MLRO, a position that is repeated in the MLR17. ICAS is calling this person the BSMLP (board or senior management level person) and ICAEW is calling them the MLCP (money laundering compliance person). The IPA has not given them a name.

  • Employee-screening

“Relevant employees” are those involved in the firm’s compliance with the MLR17 as well as those “capable of contributing” to the identification, prevention, detection or risk-mitigation of money laundering or terrorist financing – so, for insolvency practices, I would think about all those working in compliance, cashiering, case administration and take-on. As employee-screening and staff-training are themselves MLR17 requirements, anyone involved in those activities would also be “relevant employees”.

The draft regs had included “agents” in this screening process, but “agents” were removed from the final version (which might explain why the IPA’s notice to members still referred, I think incorrectly, to screening agents).

“Screening” means “an assessment of the skills, knowledge and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual”. I suspect these items are generally covered in recruitment and appraisal processes, but they will need to be adequately documented in future specifically with the MLR17 in mind.

Reg 21 requires “relevant employees” to be screened, both before they are appointed and whilst so employed.

  • Independent audit function

Two questions came immediately to my mind: how independent is “independent” and what constitutes an “audit”?

  • What is an “audit”?

Reg 21 describes it as entailing the following:

  1. An examination and evaluation of the adequacy and effectiveness of the policies, controls and procedures adopted (see below)
  2. recommendations in relation to those policies, controls and procedures; and
  3. monitoring compliance with those recommendations.

This sounds very much like the process followed for the ICAEW’s Insolvency Compliance Reviews. Indeed, the ICAEW believes that firms’ money laundering compliance reviews, which they should already be performing, address the MLR17 requirement. ICAS is awaiting confirmation on how their current compliance review requirement stacks up against this audit requirement. The IPA has not made any comment, although I cannot see that the self-certification process bears any resemblance to what is required here.

  • How independent is “independent”?

As far as I can see, the ICAEW is the only RPB that has made any comment: “you should make sure that your Money Laundering Compliance Principal is responsible for performing this review”. The Law Society explains: “the regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed”. It seems to me, therefore, that if the “MLCP” is heavily involved in, say, the customer due diligence process, then they might not be the right person for the job.

 

Reg 19: Policies, Controls and Procedures

I’ll skip through this section quickly, not because it is unimportant – I accept that it is vital and I suspect it will feature heavily in monitoring visits – but because it is so dull! Sorry, it had to be said.

All firms will need to maintain written policies, controls and procedures covering pretty-much all relevant areas of compliance with the MLR17. I think that anyone drafting these would do well to tick off every Reg 19 item plus carry out an overall sense-check, much as we would double-check a SIP16 Statement.

These policies, controls and procedures must also:

  • be approved by the firm’s “senior management” (defined, I think quite widely, in Reg 3);
  • be regularly reviewed and updated, with all changes made being documented in writing; and
  • be communicated within the firm, with such steps taken (and steps to communicate any changes) being documented in writing.

Regs 19 and 20 add further requirements for firms with overseas subsidiaries or branches.

 

Reg 24: Staff Training

Of course, the MLR07 required regular staff training, so have things changed under the MLR17?

Setting aside the vague “size and nature” references to what “appropriate measures” might look like, the material changes are that:

  • measures must include making relevant employees aware of, not only the usual MLR matters, but also of “the requirements of data protection, which are relevant to the implementation of these Regulations”

Data protection newly features elsewhere in the MLR17, most practically around record-keeping (see below) and in the client take-on process (which I will cover in a future blog), although it would also be relevant to make employees aware of the principles around handling personal data gathered for the purposes of complying with the MLR17 (Reg 41).

  • a written record must be maintained of the “measures taken” and “in particular, of the training given”.

I’m sure we’re used to documenting evidence that staff have completed regular MLR training, but the above quote indicates that we should document other measures taken to make staff aware, perhaps for example the receipt of induction training, staff handbooks and manuals.

 

Reg 40: Record-Keeping

Although the MLR17 have retained the MLR07’s basic standard of 5 years for record-keeping, there is a problematic change in emphasis.

Both MLRs require customer due diligence records to be retained for “at least” 5 years, but the MLR17 require any personal data contained in these records to be deleted after 5 years from the completion of an occasional transaction or the end of the business relationship. The MLR17 also put the same record-keeping requirements on documents to support transactions that are the subject of customer due diligence measures or ongoing monitoring.

Although there are some exceptions to this deletion requirement, e.g. where the records need to be retained for legal proceedings, this could add a burden to firms whose systems are set up to store records to a 6- or 10-year standard. To be fair though, the data protection principles have for a long time now included that personal data should not be kept for longer than is necessary, so the implementation of smarter archiving practices may be long overdue.

 

Reg 18: the Relevant Person’s Risk Assessment

Personally, I think this Reg may present the greatest challenge: a relevant person must “take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”. This is not referring to the risk assessment carried out as part of the customer due diligence process. This is a risk assessment of the relevant person’s business, i.e. where do the risks lie in the work undertaken by the IP?

  • What is the purpose of this risk assessment?

It needs to feed into:

  • the design and maintenance of the policies, procedures and controls;
  • decisions regarding employee-screening and the independent audit function; and
  • the extent of customer due diligence measures taken in each case, including (but not only) whether enhanced or simplified due diligence should apply.

The MLR17 state that relevant persons must provide their risk assessment to their Supervisory Authority on request. Supervisory Authorities must review firms’ risk assessments (on a risk-based approach) and the IPA has stated that it will be reviewed as part of routine monitoring visits.

  • How do you write the risk assessment?

The IPA and the ICAEW direct members to the CCAB’s current Guidance: https://goo.gl/LBgRKX. It’s true, Section 4 of the Guidance provides some pointers, but personally I think the Guidance is showing its age, as the MLR17 add more to the statutory list of risk factors that you need to consider than are covered by the Guidance. Therefore, if you do refer to the Guidance, I would also recommend cross-checking against Reg 18 itself to make sure that you have captured everything relevant.

The Reg 18 risk factors that you need to consider (although there could be others) are:

  • your “customers”;
  • the countries or geographic areas in which you operate;
  • your products or services;
  • the transactions you engage in or handle; and
  • your delivery channels.

The task requires some lateral thinking to see these risk factors through an IP’s eyes, but I think it is a valuable exercise: one of the problems with MLR07 is that it all became process-driven, it soon boiled down to ticking boxes seemingly with the sole purpose of confirming identities. I think these new regs are an opportunity for us to take a fresh look at the risks: in what areas of our work are we most – and least – likely to encounter money laundering or terrorist financing? What services or transactions could be attractive – or prohibitive – to potential money launderers? Simply considering these questions could help us and staff to be more alert to strange potential clients, behaviours or requests.

Admittedly, this still doesn’t help much in drafting the risk assessment. If it is any consolation, the ICAEW has stated that, as the risk assessment will depend on the size and nature of your firm, the overall risk assessment of a small firm “may be quite succinct”.


Reg 26: Seeking the Approval of the Supervisory Authorities

The MLR17 give the Supervisory Authorities a great deal of new work to do. (I wonder how all this extra work is going to be paid for..?) For example, they need to conduct their own risk assessment and must create risk profiles of their members to inform their monitoring activities.

Reg 26 creates a whole new “approval” process, not only for licensed IPs, but also for firms’ beneficial owners, officers and managers (which include MLROs). The Supervisory Authority’s approval must be granted unless the person has been convicted of a “relevant offence” (Schedule 3 to the MLR17 lists 35 such offences).

  • What if we’re not yet “approved”?

Those requiring approval can act as IPs, beneficial owners, officers or managers of relevant firms provided that they apply for approval before 26 June 2018. Although Reg 26(4) states that “a relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless they have been approved or have applied for approval and the application has not yet been determined”, my enquiries to the main RPBs suggest that they are not viewing this provision as being triggered until 26 June 2018 (and who can blame them, given the lack of notice we have all had?!), i.e. provided that we take steps before 26 June 2018 to become approved, there should be nothing to worry about.

Indications from the main RPBs are that the approval application process will become clear around licence-renewal time.

  • Who is my Supervisory Authority?

Under the MLR07, I think the answer to the above question gradually became clear. The MLR07 had stated that each professional body was the Supervisory Authority for relevant persons regulated by it. Therefore, for example, if I held my insolvency licence with the ICAEW, but I was also an ordinary member of the IPA, the ICAEW would be my Supervisory Authority, as ordinary membership of the IPA carries no real regulation with it (I just need to make sure I comply with the membership rules).

However, the MLR17 introduced a small but significant change. Reg 7(1)(b) states that:

“each of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it”.

Therefore, it seems to me that, under the above scenario, I would now have two Supervisory Authorities. I suspect there are lots of members of professional bodies who look to a different body to act as their regulator, especially considering the wide range of activities falling under the MLR17.

Whilst having two Supervisory Authorities is nothing new (as IPA-licensed IPs working in an accountancy practice know well), I think that these developments – the widened scope from solely regulated members to members generally, the introduction of new approval processes (which may require applications to more than one body?) and the additional expensive burdens falling on Supervisory Authorities – may lead members to question the value of paying annual subs to more than one body.

Alternatively, perhaps we will get some clarification on the interaction of multiple Supervisory Authorities. Both MLRs encourage cooperation between bodies so that regulatory efforts are not duplicated, but we have seen little such cooperation to date.


Your to-do list

In summary, I think you might tackle the practice-level changes brought about by the MLR17 as follows (depending, of course, on what is proportionate and appropriate with regard to the size and nature of the business):

  1. Document the appointment of a principal as the person responsible for the firm’s MLR17 compliance and inform your Supervisory Authority/Authorities of the appointment
  2. Create/refresh the firm-wide risk assessment based on Reg 18
  3. Create/revisit policies, controls and procedures for meeting all aspects of the MLR17 based on Reg 19 (including revised due diligence measures etc., which I have not covered above) and document their approval by the firm’s senior management
  4. Included in (3) should be incorporation of MLR-specific assessments in staff recruitment and appraisal processes per Reg 21
  5. Also included in (3) should be a revisit of the firm’s archiving processes to ensure that due diligence documentation is held in line with Reg 40
  6. Carry out a staff training session to communicate 2, 3, 4 and 5 above and retain evidence of who has received what training and what new documentation
  7. Schedule a review of the procedures etc. (the “independent audit”) for a few months after the new processes have been rolled out
  8. Ensure that the annual and induction MLR staff training provisions reflect the MLR17, including relevant data protection matters; if a suitable product is available (and if (6) above did not update staff on the MLR17 changes), consider running it early for existing staff


More Changes

Although this is a meaty to-do list already, I have not even started on the MLR17 changes impacting on our day-to-day business, such as the customer due diligence measures and ongoing monitoring.

In my next post, I will examine the changes from an engagement basis.