Insolvency Oracle

Developments in UK insolvency by Michelle Butler

Tag Archives: MLR17


by Leave a comment

Checking PSCs: is it Pretty Silly Compliance?

A lot later than I’d hoped, here’s an article on some of the changes in the Money Laundering Regs that took effect on 1 April 2023.  I’ve also covered some anomalies in the PSC regime when compared with AML Beneficial Owners that could trip up the unwary.

In brief, this article explores:

  • At what points are we now required to check the PSC register?
  • What records are we now required to keep?
  • Does the change to reporting only “material” PSC discrepancies now give us a reason for not reporting in many instances?
  • Do PSC discrepancy reports need to be repeated if the discrepancy has not been fixed?
  • Does an insolvency office holder become a PSC?
  • When a PSC is not the same as an AML beneficial owner: (i) when the shareholder is a UK-registered company
  • When a PSC is not the same as an AML beneficial owner: (ii) when the shareholder has died
  • When a PSC is not the same as an AML beneficial owner: (iii) when the person exercises “significant”, but not “ultimate”, control

The Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 can be found at https://www.legislation.gov.uk/uksi/2022/860/contents/made

In this article, I refer to three useful pieces of Companies House guidance:

Reviewing PSCs as part of “ongoing monitoring”

When the MLR19 came out, several professional bodies queried the wording that appeared to suggest that a client’s PSCs were to be reviewed (and, if necessary, a PSC discrepancy report submitted) during the life of a business relationship.   It was felt that this put an unnecessary burden on AML-regulated businesses.  As a consequence and because it appeared that the MLR19 had gone further than had been originally planned, in 2020 the MLR17 were changed making it clear that a PSC review was required only when establishing the relationship at the start.

However, in 2021, HM Treasury consulted on the question: wouldn’t it be a good idea to review clients’ PSCs whenever ongoing monitoring is carried out during a relationship?

At that point of course, the fate was sealed.  So it came to pass: the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 reintroduced the need to review PSCs as part of ongoing monitoring.

How frequently should these reviews be carried out?

The MLR17 indicate that the primary purposes of “ongoing monitoring” are to examine whether a client’s activity is consistent with what the AML-regulated business expects it to be based on its knowledge and risk assessment and to ensure that the AML CDD measures remain up to date.

Neither the MLR17 nor the CCAB Guidance specify how frequently “ongoing monitoring” should be conducted.  As with most things AML, the MLR17 state that it needs to be done according to the assessed risk.  In a fairly recent ICAEW webinar directed at ICAEW members in general (c.1 hour into “Money Laundering Risks”, March 23), it was suggested that periodic routine ongoing monitoring might be done every year for high risk clients and every two or three years for low risk clients.

Of course, the mood music from the RPBs has been that insolvency is generally a high risk service, so IPs are unlikely to have any truly low risk clients when compared with accountants.  Therefore, in insolvencies, it seems to me sensible to tick the “ongoing monitoring” boxes at the time of each case review, but of course firms are free to establish policies setting out other timescales.

Do these reviews realistically achieve anything in insolvencies?

In almost all cases, I think not.  For example, you would not expect PSCs to change in a CVL.  The only cases where I can imagine a PSC ever changing are rescue Administrations or CVAs, but even then it would be very rare.  I guess potentially it could also happen in an MVL, although most shareholder-shifting occurs pre-liquidation.

I understand that part of the authorities’ concerns generally is that some fraudsters file director-appointment or PSC-registration documents on Companies House in order to build a false identity.  Although one would hope that directors would police their own company’s file at Companies House, AML-regulated businesses are also tasked with keeping the registers clean by means of these statutory PSC reviews and discrepancy reporting requirements.

But how likely is it that a fraudster is going to pick an insolvent company in order to build a false identity? 

Hopefully, the long-awaited Companies House reform measures via the Economic Crime and Corporate Transparency Bill, which is currently being considered by the House of Lords, will block the ability for fraudsters to abuse company files in this way in future.  But I suspect that this will not mean that the PSC requirements on professionals are lifted (sigh!).

HM Treasury micro-management: requirements on record-keeping

If the issue were just that we needed to check the PSC register at every ongoing monitoring point, I could just about live with that.  However, the amendments go further than this.  In a seemingly unprecedented demonstration of micro-management, we are now required to take a copy of the PSC register every time ongoing monitoring is carried out!

This is set out in new Regulation 30A(2A):

“When taking measures to fulfil the duties to carry out customer due diligence and ongoing monitoring of a business relationship.., a relevant person must also collect an excerpt of the register which contains full details of any information specified in paragraph (1A) which is held on the register at that time, or must establish from its inspection of the register that there is no such information held on the register at that time.”

But now we only need to report “material discrepancies”, right?

True, the regulators have highlighted this particular change as lessening the burden on us all.  But the small print suggests to me that little has changed in practice.

While the Regs have been changed so that only material discrepancies need to be reported, new Schedule 3AZA defines these as occurring where:

“… the discrepancy, by its nature, and having regard to all the circumstances, may reasonably be considered—

(a) to be linked to money laundering or terrorist financing; or

(b) to conceal details of the business of the customer.”

Companies House guidance on Reporting a Discrepancy points out that it is irrelevant whether there was an intention to conceal.

The Regs’ Schedule continues:

“Discrepancies listed in this paragraph are in the form of—

(a) a difference in name;

(b) an incorrect entry for nature of control;

(c) an incorrect entry for date of birth;

(d) an incorrect entry for nationality;

(e) an incorrect entry for correspondence address;

(f) a missing entry for a person of significant control or a registrable beneficial owner;

(g) an incorrect entry for the date the individual became a registrable person.”

In my experience, incorrect natures of control or entirely missing entries are the most obvious discrepancies, so these will continue to need to be reported. 

The Companies House guidance on Reporting a Discrepancy provides examples of discrepancies that would be considered “material” and it seems to me that only insignificant typos might not hit this threshold.  I guess, however, that we might also avoid reporting a discrepancy if someone is registered as a PSC when they are not one… although I wonder how the RPBs will view this.

What a faff!

What happens after a PSC discrepancy report is submitted?

Well, the Regs require Companies House to “take such action as [Companies House] considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner” (MLR17 Reg 30A(5)).  In practice this appears to mean that they will email the insolvency office holder and ask them to amend the company’s register.  Personally, I cannot see that there is a positive duty on an insolvency office holder to fix the register and, in any event, the PSC discrepancy report is only submitted on the basis of the IP’s knowledge; in many cases, the true facts of the situation may be less than certain.

If the IP chooses not to amend the register, then the chances are that the discrepancy will remain.  I have seen that, in such cases, Companies House generally takes the view that they have taken the appropriate steps and so no more action is required.  Oh, the things we all do to comply with poorly thought-out legislation!

A welcome bit of pragmatism in the Companies House guidance

Of course, things tend to be different with a live client, such as those with accountants.  In those cases, when an accountant identifies a PSC discrepancy, it would be usual for them to get in touch with the client and encourage them to correct the discrepancy on the file.  Although this sometimes also happens pre-insolvency, in cases where the PSC discrepancy remains after the insolvency has begun, this gives rise to another issue when “ongoing monitoring” is carried out later.

Technically, the amended Regs don’t accommodate an uncorrected PSC discrepancy.  They would require you to submit a new PSC discrepancy report every time.

However, the Companies House guidance on Reporting a Discrepancy thankfully explains that they are not expecting a second discrepancy report if it has been reported previously.

Should the insolvency office holder be recorded as a PSC?

Interesting question, don’t you think?  Clearly, insolvency office holders exercise “significant influence or control”, so does this make them a PSC?  As their appointment doesn’t immediately affect the PSC register at Companies House, does this give rise to a material discrepancy to be reported during ongoing monitoring or a need to be registered as a PSC on appointment?

I strongly recommend the Companies House guidance on “Significant Influence or Control”.  It contains many nuggets helping to determine who might be a PSC.

It includes, at para 4.4, that anyone exercising a function under an enactment, e.g. “a Liquidator or receiver”, is not a PSC (provided that they only act in accordance with their statutory functions).

That’s one issue sorted, then.

When PSCs and Beneficial Owners differ

But there are other scenarios that can be confusing.  In most cases, identifying the PSCs is no different from identifying the beneficial owners for AML CDD purposes and this makes it relatively straightforward to spot any PSC discrepancies. 

But there are several situations in which the PSCs are not the same as the AML beneficial owners, so when staff are checking for PSC discrepancies it is valuable that they understand these anomalies.

When there is a UK-registered corporate shareholder

Sometimes, we come across the following scenario:

We’re probably all comfortable with the concept that the beneficial owners for AML CDD purposes are the two 50% shareholders at the top of the tree.  However, if the holding company is a UK-registered company, then the holding company is the one that should be registered as the operating company’s PSC.

There are other scenarios (i.e. not only UK-registered companies) where a 25%+ shareholder who is a legal entity should itself be registered as a PSC – see section 2.2. of the Companies House PSC guidance for companies.  But in other cases, the legal entity shareholder should not be registered as the PSC, but instead the individuals or entities up the shareholding tree need to be registered.

Where the shareholder has died

For AML CDD purposes, the MLR17 state (Reg 6(6)):

“In these Regulations, ‘beneficial owner’, in relation to an estate of a deceased person in the course of administration, means—

(a) in England and Wales and Northern Ireland, the executor, original or by representation, or administrator for the time being of a deceased person;

(b) in Scotland, the executor for the purposes of the Executors (Scotland) Act 1900”

However, the Companies House PSC guidance for companies states (para 7.7.1):

“In the unfortunate event that a PSC of your company is deceased, the PSC should remain on the PSC register until such time as their interest is formally transferred to its new owner. While an executor has fiduciary duties to the intended beneficiaries of the assets, the executor is are responsible for administering the estate according the wishes of the deceased. The deceased will therefore continue to be registrable until such time as the control passes to another person, such as an heir, who will exercise their influence and control over your company for themselves.”

In other words, for AML CDD purposes, the executor or administrator of a deceased person’s estate will be a beneficial owner, but for PSC purposes it will remain the deceased person.

The difference between “significant” and “ultimate” control

While we usually focus on the shareholders and directors when identifying the beneficial owners for AML CDD purposes, there is an additional woolly category (MLR17 Reg 5(1)(a)): those who “exercise ultimate control over the management” of the entity.

The PSC regime has a different measure.  As the name suggests, it is concerned with those who exercise significant, not ultimate, control.  I think that both the AML and PSC regimes require us to consider shadow directors, but other people may be a PSC but not a beneficial owner.

The Companies House guidance on “Significant Influence or Control” includes an interesting – and insolvency-relevant – example (para 4.10):

“Extra-ordinary functions of a person could result in them being considered to have significant influence or control:

A director who also owns important assets or has key relationships that are important to the running of the business (e.g. intellectual property rights), and uses this additional power to influence the outcome of decisions related to the running of the business of the company. This individual would not be able to rely on the excepted role of director to avoid being considered to exercise significant influence or control.”

This scenario – and indeed the existence of shadow directors – could make an IP’s life frustrating, I think.  Before appointment, you could identify someone exercising significant control in this way but who is not registered as a PSC at Companies House… so you submit a PSC discrepancy report.  Then, Companies House gets in touch with you after your appointment asking you to amend the register.  But at that point, the person no longer exercises significant control – ta daa!

Ok, I know, I would hope that the RPB would not take you to task for not submitting a PSC discrepancy report pre-appointment, but who knows?

The costs of compliance

IPs are well accustomed to investing time and effort in complying with what appear to be pointless requirements, so I’m sure that most will read this with a tired eye-rolling. 

Of course, all these additional duties need to be resourced and this costs firms – and therefore insolvent estates – more money.  However, it seems that the RPB/IS perceptions that some IPs charge excessive fees never change, regardless of the fact that year after year compliance duties increase.  This may only be another 10-minute task, but it all adds up, doesn’t it?


by Leave a comment

MLR19: as if we didn’t have enough to do already!

It took less than one month for the draft new Money Laundering Regs to come into force, but I struggle to see how many of the additional burdens loaded onto our shoulders have anything to do with minimising the risks of money laundering.

I realise that I can be guilty of seeing insolvency work as somehow special.  However, the inability or refusal of legislation drafters to recognise that insolvency office holders do not have client relationships with the entities/individuals over which they are appointed means that the ever-increasing AML burdens feel so pointless and nonsensical when it comes to IPs.

I wrote as much when I responded to HM Treasury’s consultation back in June 2019 and I was pleased to see that the ICAEW had responded with many of the same concerns, including that MLR-regulated people should not be burdened with a new requirement to report discrepancies to the Registrar of Companies (see below).  But of course, HM Treasury has been required to make these changes largely to stay in line with the EU’s Fifth Money Laundering Directive (“5MLD”), so inevitably there would be no special treatment for IPs.

The new Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (“MLR19”) can be found at http://www.legislation.gov.uk/uksi/2019/1511/contents/made and I think the Law Society’s summary at https://www.lawsociety.org.uk/policy-campaigns/articles/anti-money-laundering-guidance/ (scroll down for the 5MLD bit) is a particularly good one.

How Accurate are PSC Registers?

I have yet to meet anyone working in insolvency who thinks that the adoption of the new People with Significant Control (“PSC”) register was a good idea.  In the good old days, more often than not companies’ annual returns could be relied upon as a true record of shareholdings.  Now that the annual return has been replaced with the confirmation statement, we often don’t know where we are as regards shareholdings!  In addition, from what I’ve seen, many PSCs are incorrect – it seems that many directors or their agents have trouble with percentages (how difficult can it be to determine whether someone has a shareholding of “more than 50% but less than 75%”?!).

People with Significant Control include, not only 25%+ shareholders, but also anyone who otherwise exercises significant influence or control over the company.  Thus, the traditional formulaic approach to registering PSCs, which only ever seem to focus on 25%+ shareholders, does not take into consideration other signs of control, such as those exerted by shadow directors or those relinquished to the significant others of nominal shareholders.

With the abundance of PSC errors in mind, it seems to me that a new MLR19 requirement could add to IPs’ to-do list in a great deal of cases.

New Obligation to Inform the Registrar of Companies of Discrepancies

The MLR19 introduces to the MLR17 a new Regulation 30A, which requires relevant persons (i.e. IPs etc.) to:

“report to the registrar any discrepancy the relevant person finds between information relating to the beneficial ownership of the customer and… [that which] becomes available to the relevant person in the course of carrying out its duties under these Regulations.”

When might an IP discover a discrepancy?

One could argue that, as AML CDD should be completed right at the start of the engagement, we might not be certain that the register contains any discrepancy until we investigate the shareholdings, say, to draft a Statement of Affairs… and therefore knowledge of any such discrepancy does not become available “in the course of carrying out” AML duties, but rather it emerges after this point.  However, as the MLR17 require “ongoing monitoring”, such an argument is probably a little weak.  (UPDATE 12/08/21: The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 revised this requirement in October 2020 so that the duty to report PSC discrepancies only arises when the discrepancy is identified “when establishing a business relationship with the customer”.  BUT HMT has just issued a consultation (https://www.gov.uk/government/consultations/amendments-to-the-money-laundering-terrorist-financing-and-transfer-of-funds-information-on-the-payer-regulations-2017-statutory-instrument-2022) that proposes to turn this back into an ongoing obligation!)

Companies House has provided guidance on reporting discrepancies on the register: https://www.gov.uk/guidance/report-a-discrepancy-about-a-beneficial-owner-on-the-psc-register-by-an-obliged-entity.

They have also provided an online form (https://www.smartsurvey.co.uk/s/report-a-discrepancy/), but, although they provide twelve categories of people who might use the form, insolvency practitioners are not listed *sigh*

What will RoC do with the information?

The MLR19 state that:

“the registrar must take such action as the registrar considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner.”

So… an IP informs RoC that the PSC register is incorrect on a company in CVL, because someone is recorded as a between-50%-and-75%-shareholder when in fact they are the 100% shareholder.  Is it “necessary” for RoC to resolve this discrepancy?  In an insolvency, it will not make a darned bit of difference, will it?

 

So do IPs really need to inform RoC of the discrepancy?

If you want to comply with the MLR19/17, then yes you do.

Typical, isn’t it?  The Regs require IPs to go to the trouble of notifying RoC of pointless pieces of information, but the Regs give RoC a nice little get-out to avoid having to do anything about it.  What a waste of our time!

Widening the MLR-Regulated Net

The MLR19 captures some new businesses into the MLR-regulated net.  Most will only be relevant to IPs when they are appointed over entities/individuals who are trading in these areas – letting agents, art dealers, cryptoasset exchange and custodian wallet providers – but I wonder if the widened definition of “tax adviser” may capture more non-formal insolvency work carried out by IPs themselves.

“Tax adviser” has been newly defined as:

“a firm or sole practitioner who by way of business provides material aid, or assistance, or advice, in connection with the tax affairs of other persons”.

So… you help a company or an individual to agree a TTP with HMRC in order to avoid a formal insolvency process – does this now make you a “tax adviser”?

I appreciate that some firms already put all prospective new engagements through their AML CDD process whether or not they strictly fall as MLR-regulated engagements, but I suspect that just as many other firms do not.  Now they may have to think twice.

Training for “Agents”

The MLR19 widens the scope of those for whom a MLR-regulated firm is responsible for training.  As well as the MLR17’s “relevant employees”, now firms must train (and keep records of training) for:

“any agents it uses for the purposes of its business whose work is of a kind mentioned in paragraph (2)”, which covers any work relevant to the firm’s compliance with the MLR17 or which is otherwise capable of contributing to the identification or mitigation of the firm’s ML/TF risks or the prevention or detection of ML/TF to which the firm is exposed.

So… an IP instructs agents to sell an insolvent’s assets and to receive the proceeds of sale to pass on to the IP in due course.  It seems to me that, whether or not the sale transaction is caught by the MLR17*, the agents’ work could contribute to the IP’s ML/TF risks or exposure.  And… what about if you use ERA agents, who might come across ghost employees or illegal workers, surely those ERA agents also can affect your ML/TF risks and exposure?  Do the MLR19 capture these agents??

(* If you have not already read the CCAB’s draft insolvency guidance, I would recommend it – at http://ccab.org.uk/documents/20190830CCAB%20InsolvencyAppendixFDraft_18forHMT.pdf.  In brief, the draft guidance explains that only a Trustee in Bankruptcy sells their own assets – all other insolvency office holders act as agents – so, while a TiB must ensure that relevant asset purchasers are subject to AML CDD, no other office holders need “routinely” do so.  Personally, while I see the technical argument, I do wonder whether it reflects the spirit behind the Regs to allow an Administrator to sell a business for £1m without AML CDD, but to require a TiB to do AML checks on someone who wants to buy a bankruptcy asset for >€15,000.)

Jo and I have debated whether chattel agents etc. are truly agents: do they act under the IP’s delegated authority to enter into legal relations on the IPs behalf?  Even if this is a legal definition of “agent”, does this hold true for the application of the word in the MLR19?

The problem I have is that HM Treasury’s consultation was clearly not interested in agents in general.  The consultation document referred to networks of agents used in a Money Service Business, those involving “multi-layer arrangements with sub-agents who deal with frontline customers”.  But the MLR19 make no such distinction.

Prescriptive EDD for Transactions/Parties in High Risk Countries

The MLR17 already highlighted the need for EDD and enhanced ongoing monitoring where a business relationship or transaction involves someone in a “high-risk third country”.  The MLR19 have added (new Reg 33(3A)) six elements of EDD that “must” be included in these circumstances.

In the main, these new statutory requirements are not unusual.  They include: obtaining more information on the customer, their beneficial owner, the nature of the relationship or reason for the transaction, the source of funds/wealth, and getting senior management to approve the establishing or continuing of the business relationship.

The final requirement puzzled me, though:

“conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination”

Unless an office holder is trading (or is monitoring the trading of) the insolvent’s business, it is difficult to see how this works in an insolvency context.

Nevertheless, IPs’ systems may need to be changed in order to cover the newly-prescribed EDD and ongoing monitoring where someone established in a high risk third country is encountered.  For a more thorough explanation of this area, you may want to look at the Law Society’s guidance mentioned above.

Other Clarifications

The MLR19 include several other tweaks, which to be fair are valuable clarifications of the MLR17 and which may affect the finer points of some firms’ processes and templates.  Again, I’d recommend the Law Society’s guidance for a detailed summary.

Should IPs wait until the RPBs issue/endorse new guidance before we make changes?

The ICAEW has posted a summary of the changes primarily for accountants and has noted that the CCAB’s Guidance will be updated in due course (https://www.icaew.com/technical/legal-and-regulatory/anti-money-laundering/fifth-anti-money-laundering-directive-5mld).  The IPA doesn’t appear to have posted anything specific on the MLR19, but I expect that they too will look to the updated CCAB Guidance.  However, in light of the fact that the CCAB insolvency-specific guidance was not issued even in draft for over 2 years after the MLR17 came into force, I won’t be holding my breath.


by Leave a comment

Money Laundering Regulations 2017 – part 2: Customer Due Diligence and more

The objective of the MLR17 is “to make the financial system a hostile environment for illicit finance while minimising the burden on legitimate businesses”. The impact assessment shows a net direct cost to businesses of £5.2m pa… so don’t expect the MLR17 burden to be any lighter than their predecessor’s.

In this blog post, I summarise the key changes in the MLR17 affecting day-to-day activities, including:

  • Focussing the customer due diligence (“CDD”) more squarely onto risks
  • A need to refresh the risk assessment process
  • More than ID checks are required to complete CDD
  • How the impacts of the enlarged definition of a PEP can be managed
  • A simultaneous easing and toughening of the reliance provisions
  • Necessary additions to engagement letters and other letters to insolvents

My earlier blog post reviewing the MLR17’s effects on firms’ systems and controls can be found at: https://insolvencyoracle.com/2017/07/22/mlr17-part-1/

 

Customer Due Diligence: a clearer objective?

For most intents and purposes, the MLR07 CDD requirements boiled down to identifying and verifying identities. Ok, there was also the need for a risk-based assessment, but it seemed that the objective of this was only really to determine the extent of checks employed in the CDD process.

I think the MLR17 provide a welcome adjustment in the emphasis. For example, in setting out the enhanced due diligence (“EDD”) process, Reg 33 puts the risk assessment in the following context:

“When assessing whether there is a high risk of money laundering or terrorist financing in a particular situation, and the extent of the measures which should be taken to manage and mitigate that risk…”

This thought – that the focus of the risk assessment is to consider the risk that “a particular situation” gives rise to a high risk of money laundering or terrorist financing – is repeated elsewhere and emphasises the need to manage and mitigate the risk e.g. of becoming an unwitting “enabler”. Realistically, how far does simply identifying who we’re dealing with get us in this process?

I do understand that money launderers generally want to work under a cloak of anonymity, so getting to the root of who really is behind a company and in the process showing customers that we’re serious when we carry out CDD help manage and mitigate the risks: money launderers may go looking for a less diligent professional. But what really are the risks of the particular situation of an insolvency?

If we’re being appointed over a dead company with few assets, what are the risks of money laundering or terrorist financing? If there have been any such activities, they will only be historic, won’t they? There will be negligible, if any, risk that any such activities will continue under our watch. So in what ways can – or should – any risks be managed or mitigated? Increasing the extent of identity checks we carry out surely won’t help; it may only give us more information to add to a SAR, if we develop suspicions about past events.

Although the new CDD requirements of the MLR17 will be a pain to complete, I do think they get closer to the nub of the issue: what does the customer do and what do they want us to do for them? In so doing, it seems that the flipside is that, if we have a defunct “customer” who isn’t asking us to do anything risky, then we might find the CDD simpler.

I hasten to add that this post describes purely my own interpretation of the MLR17 (plus some input from Jo Harris). I would be surprised if the RPBs see all the requirements in the same light. Regrettably, it may be a long time before we learn how they think the regulations should be applied, but until they make their expectations clear, I am not sure we can be heavily criticised for trying to do our best.

 

First things first: the risk assessment

Like its predecessor, the MLR17 state that the extent of CDD measures must reflect the level of risk assessed. However, I think the MLR17 far more clearly explain how this risk should be assessed.

For instance, Reg 28(12) states that there are two factors involved:

  • the Reg 18 risk assessment – this is the business-wide risk assessment, which I covered in my last blog; and
  • an “assessment of the level of risk arising in any particular case” – I think this finally answers unequivocally the question of whether a risk assessment needs to be done on court appointments: surely a case-specific risk assessment must be done each time.

Although I think we all developed passable approaches to risk assessments under MLR07, I think that the MLR17 help us much more. Reg 28(13) lists the factors to consider for the risk assessment, but in particular I found Reg 33(6) valuable. This regulation lists potential flags of higher risks, setting them out nicely into three categories:

  • customer risk factors, e.g. where the business is cash intensive;
  • product, service, transaction or delivery channel risk factors, e.g. where payments are received from unknown or unassociated third parties; and
  • geographical risk factors.

I found a useful exercise was to develop a list of questions that put many of the eighteen Reg 33(6) factors into a practical insolvency context. This generated several questions that were similar to the MLR07, but I discovered that the emphasis on whether ongoing insolvency engagements could lead to encounters with money launderers emerged strongly.

At the other end of the spectrum, Reg 37(3) is helpful in assessing cases for low risk. This regulation lists another fifteen indicators of potential low risk, categorised into the three headings above, some of which similarly can be converted into insolvency-relevant questions.

As the MLR17 are non-prescriptive however, the warning described at Regs 33(7) and 37(4) should be incorporated somewhere into the risk assessment:

“the presence of one or more risk factors may not always indicate that there is a high [or low] risk of money laundering or terrorist financing in a particular situation”

This will no doubt frustrate those that would much prefer a straightforward way to steer risk assessments to a definitive conclusion, but I think that this final sense-check is valuable, as it is impossible to squeeze all scenarios into a bundle of questions.

 

More steps in the process

The process no longer follows the formula: risk assessment + beneficial owner IDs = CDD. The MLR17 require other information to be examined. For example, Reg 28(3)(b) requires us to “take reasonable measures to determine and verify”:

  • “the law to which the body corporate is subject, and its constitution” (Reg 28(3)(b))
  • “the full names of the board of directors and the senior persons responsible for the operations of the body corporate” (Reg 28(3)(b))

Personally, I do wonder how these items can be “verified”, especially the full names of the senior persons – obtaining this information before engagement may be a struggle as it is.

The MLR17 also turn an eye toward a new person not covered by the MLR07: anyone who purports to act on behalf of the customer. Reg 28(10) requires that such a person be identified and their identity verified in all cases.

 

Enhanced Due Diligence

Continuing the theme of a better targeted approach, I like the way the EDD requirements no longer focus simply on increasing the extent of ID checks… although the downside is that the process has become more time-intensive for higher risk cases.

Reg 33(4) states that EDD measures must include:

  • “as far as reasonably possible, examining the background and purpose of the transaction, and
  • “increasing the degree and nature of monitoring of the business relationship in which the transaction is made to determine whether that transaction or that relationship appear to be suspicious.”

Also, Reg 33(5) states that EDD measures may include “among other things”:

  • “seeking additional independent, reliable sources to verify information provided or made available to the relevant person;
  • “taking additional measures to understand better the background, ownership and financial situation of the customer, and other parties to the transaction;
  • “taking further steps to be satisfied that the transaction is consistent with the purpose and intended nature of the business relationship;
  • “increasing the monitoring of the business relationship, including greater scrutiny of transactions.”

In an insolvency context, I think much of this can be translated into asking oneself: why does this “customer” want to take this step, does it seem logical in the circumstances or could it be a cover for something more sinister?

 

PEPs: are they high risk?

Well of course, in this non-prescriptive world, the answer to this question is always going to be: it depends.

The MLR17 have widened the definition of a PEP to encompass UK PEPs. Therefore, something that for most of us was little more than theoretic under the MLR07, likely will become more of a reality in future. However, PEPs are still likely to pop up only once in a blue moon, which makes it tricky to design systems to accommodate them without overcomplicating processes for the 99.9% of cases.

  • Additional steps for PEPs and PEP connections

In all cases where a PEP or PEP connection (i.e. family member or “known close associate” of a PEP) has been spotted, the MLR17 require the following steps:

  • Assess the associated risk level and tailor the due diligence measures accordingly;
  • Obtain approval from “senior management” in establishing or continuing the business relationship;
  • “Take adequate measures to establish the source of wealth and source of funds which are involved in the proposed business relationship or transactions with that person”; and
  • Conduct enhanced ongoing monitoring of any business relationship.

So what do you do if the daughter of a domestic Supreme Court judge wants you to help wind up her insolvent company? Does she really present a high risk? Do you really need to go through all those steps?

  • FCA enlightenment on UK PEPs

The FCA has produced some useful guidance on dealing with PEPs: https://goo.gl/WW2WY1

Understandably, the FCA emphasises the value of the first step: the risk assessment. Helpfully, the guidance states:

“A PEP who is entrusted with a prominent public function in the UK should be treated as low risk, unless a firm has assessed that other risk factors not linked to their position as a PEP mean they pose a higher threat”

This demonstrates to me the pointlessness of this MLR17 change wrapping in domestic PEPs: it has added to the nonsensical bureaucracy, as we now need to (i) note UK PEPs; (ii) consider whether they are low risk; (iii) decide in most cases that they are low risk; (iv) but nevertheless work through the other steps listed above.

If a PEP is low risk, then how practically should we work through the other steps? The FCA suggests:

  • “Senior management” approval need not be at board level; it could be the MLRO.
  • “Take less intrusive and less exhaustive steps” to establish the sources of wealth and of funds; “only use information available to the institution… and do not make further inquiries of the individual unless anomalies arise”.
  • Ongoing monitoring could be, “for example, only where it is necessary to update customer due diligence information or where the customer requests a new service or product”.

Oh well, that’s alright then! Thank you FCA, for bringing a note of reasonableness to the proceedings.

Of course, if a PEP is considered high risk – based, as the FCA points out, on who they are, where they are, and what they want from you – it is only right that additional measures are applied. But, I think that, unless you work in a market that means you encounter PEPs relatively frequently, other than ensuring that staff are alert to the complications arising from PEPs and giving them a place to go when one is spotted, practically on a day-to-day basis there is little point in layering on procedures to deal with PEPs.

 

Reliance on other people’s due diligence: made easier or tougher?

On the one hand, relying on another MLR-regulated person’s customer due diligence checks has been made easier. There is no longer a two-tier supervisory body system, which under the MLR07 meant that an ICAEW-licensed IP could be relied upon, but an IPA-licensed IP could not. Now, the work of any MLR-regulated persons (e.g. including casinos), as well as some overseas equivalents, may be relied upon.

However, there is one new requirement that almost entirely negates this advantage: Reg 39(2) states that the person seeking to rely on another:

“must immediately obtain from the third party all the information needed to satisfy the requirements of regulation 28(2) to (6) and (10) in relation to the customer, customer’s beneficial owner, or any person acting on behalf of the customer”

In other words, you must obtain from the person on whom you are seeking to rely all the information that you would otherwise gather yourself to complete customer due diligence. It also doesn’t avoid the need to carry out a risk assessment or deal with ongoing monitoring. So what is the point of relying on someone else to do some of the work for you, especially when you remain liable for any failure of the relied-on person to conduct appropriate due diligence? You might as well collect the due diligence information yourself, mightn’t you?

 

Additions to engagement letters… and more?

Reg 41(4) states that;

“Relevant persons must provide new customers with the following information before establishing a business relationship or entering into an occasional transaction with the customer:

(a) the information specified in paragraph 2(3) in Part 2 of Schedule 1 to the Data Protection Act 1998 (interpretation of data protection principles);

(b) a statement that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing, or as permitted under paragraph (3).”

In other words, the required information is:

  • The identity of the data controller;
  • The identity of any representative nominated by the data controller; and
  • The purposes for which the data are intended to be processed (including the statement required by Reg 41(4)(b) above).

Complying with this requirement seems fairly straightforward when appointments are preceded with an engagement letter to the insolvent/MVL-seeker: the above information likely would feature in the engagement letter.

  • Is a bankrupt a “new customer”?

What if there is no engagement letter with the “customer”? Does this requirement still apply in bankruptcies, compulsory liquidations and creditor-led Administrations?

Who is the customer in a court or creditor-led process? The old CCAB guidance states: “In the context of insolvency work, the person or entity entering into the business relationship is considered to be the insolvent.” Although I think this was generally accepted and just-about manageable for the MLR07, the shoe-horning of regulations designed for a client-provider relationship into an insolvency context becomes a little more painful with the MLR17.

Are we really expected to view a bankrupt as a “new customer” for the purposes of Reg 41(4)? Do we really need to provide them with the above information? I guess we can add the information to our on-appointment letters to insolvents, but we cannot write to them before establishing the business relationship, i.e. before being appointed as office holder, can we?

Ah but doesn’t the CCAB Guidance give us a back-stop guide of 5 working days after appointment to complete the due diligence? This is true, but this provision related to the timescale for completing the CDD in view of the fact that the MLR07 had stated that in some circumstances the due diligence could be completed as soon as practicable after first contact – a concession that is repeated in the MLR17 – but we’re not talking about the due diligence process here. The MLR17 do not provide an asarp exception to providing the above information before establishing the business relationship, so I cannot see a practical way for us to comply with Reg 41(4) in most court or creditor-led appointments.

 

Not written with IPs in mind

The MLR17 repeat their predecessor’s deficiency in demonstrating ignorance of the mechanisms of the insolvency regime. I have always objected to the assumption that the insolvent is an IP’s “customer”, especially when I remember that technically under the MLR07/17 an IP is only carrying out regulated activities when s/he is formally appointed. Further questions about the drafter’s knowledge came to my mind when I read the new definition of an IP in the MLR17: not only an individual, but also “any firm… who acts as an insolvency practitioner within the meaning of section 388 of the Insolvency Act 1986” – that would be a clever trick!

In my view, the MLRs’ concept of a “business relationship” also has never really worked: what “business relationship” does the IP form with the insolvent when s/he takes office? And the suggestion that an IP engages in an “occasional transaction” when s/he sells an insolvent’s assets is another cruelty on the English language: is it the insolvent or the IP that is carrying out the transaction? An “occasional transaction” is defined as “a transaction which is not carried out as part of a business relationship”, but the IP is considered to have a “business relationship” with the insolvent, so where does the asset sale fit in?

Is there no useful guidance for IPs? In my view, the CCAB Guidance touches on insolvency far too lightly and the Insolvency Service’s and R3’s Guidance notes are showing their age; both have the air of guidance written when the MLR07 were little more than theory. Let’s hope that we will one day receive some authoritative guidance that demonstrates a proper and practical understanding of how the MLR17 should be applied to the insolvency regime.


by 1 Comment

Money Laundering Regulations 2017 – Part 1: Infrastructure Changes

 

“For Insolvency Practitioners there is relatively little change” stated one RPB’s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs “will have wide-reaching changes for accountancy firms and IPs”.   If two RPBs have such polar views on the overall impact of the new regs, this doesn’t bode well for a common approach to compliance with the MLR17.

I have great sympathy for the RPBs, though. The final regulations were only released late on Thursday 22 June and they came into force on Monday 26 June. They also contained some well-hidden changes from the draft regulations and there was no quick way of understanding their consequences. I suspect I was not the only one who spent their weekend scrutinising 116 pages of new legislation and thinking: this is an impossible task for us all!

In this first post on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR17”), I review the regulations’ impact on the systems involved in managing an insolvency practice:

  • The different approaches expected of large and small firms
  • The appointment of a new person responsible for compliance
  • The need to screen relevant employees
  • The independent audit function
  • Drafting policies, controls and procedures
  • The expanded syllabus for staff training
  • Timely destruction of certain records
  • Drafting a firm-wide risk assessment
  • Seeking “approval” from your Supervisory Authority

The MLR17 can be found at: https://goo.gl/ei8ZB1

Some useful guides on the topic:

 

“Size and nature” matter

In six places, the MLR17 require relevant persons (i.e. those carrying out MLR17-regulated activities) to have regard to the size and nature of their business when seeking to comply with the regs. For example, Reg 19(2) requires relevant persons to adopt policies, controls and procedures that are “proportionate with regard to the size and nature of the relevant person’s business”.

Reg 21 states that, “where appropriate with regard to the size and nature of its business, a relevant person must:

  1. appoint one individual who is a member of the board of directors… or of its senior management as the officer responsible for the relevant person’s compliance with these Regulations;
  2. carry out screening of relevant employees..;
  3. establish an independent audit function…”

What are the RPBs’ expectations here? I cannot see any grey area in complying with Reg 21: either you endeavor to meet all (or some?) of these requirements or you determine that the measures are not appropriate having regard to the size and nature of your business. Where does the threshold between complying with Reg 21 and justifiably ignoring it lie?

I suspect that, at least in the short term, the regulators will say: you demonstrate to us how you’ve come to a conclusion. But they are the ones with the helicopter view of the profession(s) and they are the ones in direct contact with HM Treasury and all the other Supervisory Authorities. Can they not guide their regulated members?

To determine what is appropriate and proportionate, the MLR17 specifically refer to following guidance issued by the FCA or by any other Supervisory Authority or appropriate body and approved by HM Treasury. At present, all that IPs have is the 2008 CCAB Guidance, which I think is woefully inadequate in view of the shift from MLR07 to MLR17.

At the moment, different RPBs seem to be suggesting different expectations on compliance with Reg 21, which is not surprising given how swiftly the MLR17 were enacted. Whilst, understandably, the RPBs stick to the strict wording of Reg 21, they elaborate the idea with phrases such as:

  • IPA: “Large firms must…”
  • ICAS: “requirement for firms of a certain size…”
  • ICAS: “requirements don’t apply to sole practitioners with no staff and no subcontractors”
  • ICAEW: “Sole practitioners with no employees are exempt from this requirement”

Thus, it seems to me that all we can glean is that “large firms” definitely need to comply with these Reg 21 items, “sole practitioners with no employees” (and possibly no subcontractors either) do not, but everyone in between..? Your guess is as good as mine.

 

Reg 21: Infrastructure Changes

It is evident from the Reg 21 quote above that infrastructure changes are necessary for at least some firms:

  • Board/senior level appointment of someone responsible for compliance

All three RPBs have asked to be informed of the appointment of such a person, as is required under the MLR17. Reg 21 also requires firms to notify their RPB of the identity of the first-appointed MLRO (I have not seen any RPB ask for this, so I assume MLR17-appointed MLROs are viewed as simply carrying on from their MLR07 appointment) and any change in identity of the MLRO or other Reg 21 appointed person within 14 days of the change.

This may be, but does not have to be, the same person who acts as MLRO, a position that is repeated in the MLR17. ICAS is calling this person the BSMLP (board or senior management level person) and ICAEW is calling them the MLCP (money laundering compliance person). The IPA has not given them a name.

  • Employee-screening

“Relevant employees” are those involved in the firm’s compliance with the MLR17 as well as those “capable of contributing” to the identification, prevention, detection or risk-mitigation of money laundering or terrorist financing – so, for insolvency practices, I would think about all those working in compliance, cashiering, case administration and take-on. As employee-screening and staff-training are themselves MLR17 requirements, anyone involved in those activities would also be “relevant employees”.

The draft regs had included “agents” in this screening process, but “agents” were removed from the final version (which might explain why the IPA’s notice to members still referred, I think incorrectly, to screening agents).

“Screening” means “an assessment of the skills, knowledge and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual”. I suspect these items are generally covered in recruitment and appraisal processes, but they will need to be adequately documented in future specifically with the MLR17 in mind.

Reg 21 requires “relevant employees” to be screened, both before they are appointed and whilst so employed.

  • Independent audit function

Two questions came immediately to my mind: how independent is “independent” and what constitutes an “audit”?

  • What is an “audit”?

Reg 21 describes it as entailing the following:

  1. An examination and evaluation of the adequacy and effectiveness of the policies, controls and procedures adopted (see below)
  2. recommendations in relation to those policies, controls and procedures; and
  3. monitoring compliance with those recommendations.

This sounds very much like the process followed for the ICAEW’s Insolvency Compliance Reviews. Indeed, the ICAEW believes that firms’ money laundering compliance reviews, which they should already be performing, address the MLR17 requirement. ICAS is awaiting confirmation on how their current compliance review requirement stacks up against this audit requirement. The IPA has not made any comment, although I cannot see that the self certification process bears any resemblance to what is required here.

  • How independent is “independent”?

As far as I can see, the ICAEW is the only RPB that has made any comment: “you should make sure that your Money Laundering Compliance Principal is responsible for performing this review”. The Law Society explains: “the regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed”. It seems to me, therefore, that if the “MLCP” is heavily involved in, say, the customer due diligence process, then they might not be the right person for the job.

 

Reg 19: Policies, Controls and Procedures

I’ll skip through this section quickly, not because it is unimportant – I accept that it is vital and I suspect it will feature heavily in monitoring visits – but because it is so dull! Sorry, it had to be said.

All firms will need to maintain written policies, controls and procedures covering pretty-much all relevant areas of compliance with the MLR17. I think that anyone drafting these would do well to tick off every Reg 19 item plus carry out an overall sense-check, much as we would double-check a SIP16 Statement.

These policies, controls and procedures must also:

  • be approved by the firm’s “senior management” (defined, I think quite widely, in Reg 3);
  • be regularly reviewed and updated, with all changes made being documented in writing; and
  • be communicated within the firm, with such steps taken (and steps to communicate any changes) being documented in writing.

Regs 19 and 20 adds further requirements for firms with overseas subsidiaries or branches.

 

Reg 24: Staff Training

Of course, the MLR07 required regular staff training, so have things changed under the MLR17?

Setting aside the vague “size and nature” references to what “appropriate measures” might look like, the material changes are that:

  • measures must include making relevant employees aware of, not only the usual MLR matters, but also of “the requirements of data protection, which are relevant to the implementation of these Regulations”

Data protection newly features elsewhere in the MLR17, most practically around record-keeping (see below) and in the client take-on process (which I will cover in a future blog), although it would also be relevant to make employees aware of the principles around handling personal data gathered for the purposes of complying with the MLR17 (Reg 41).

  • a written record must be maintained of the “measures taken” and “in particular, of the training given”.

I’m sure we’re used to documenting evidence that staff have completed regular MLR training, but the above quote indicates that we should document other measures taken to make staff aware, perhaps for example the receipt of induction training, staff handbooks and manuals.

 

Reg 40: Record-Keeping

Although the MLR17 have retained the MLR07’s basic standard of 5 years for record-keeping, there is a problematic change in emphasis.

Both MLRs require customer due diligence records to be retained for “at least” 5 years, but the MLR17 require any personal data contained in these records to be deleted after 5 years from the completion of an occasional transaction or the end of the business relationship. The MLR17 also put the same record-keeping requirements on documents to support transactions that are the subject of customer due diligence measures or ongoing monitoring.

Although there are some exceptions to this deletion requirement, e.g. where the records need to be retained for legal proceedings, this could add a burden to firms whose systems are set up to store records to a 6- or 10-year standard. To be fair though, the data protection principles have for a long time now included that personal data should not be kept for longer than is necessary, so the implementation of smarter archiving practices may be long overdue.

 

Reg 18: the Relevant Person’s Risk Assessment

Personally, I think this Reg may present the greatest challenge: a relevant person must “take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject”. This is not referring to the risk assessment carried out as part of the customer due diligence process. This is a risk assessment of the relevant person’s business, i.e. where do the risks lie in the work undertaken by the IP?

  • What is the purpose of this risk assessment?

It needs to feed into:

  • the design and maintenance of the policies, procedures and controls;
  • decisions regarding employee-screening and the independent audit function; and
  • the extent of customer due diligence measures taken in each case, including (but not only) whether enhanced or simplified due diligence should apply.

The MLR17 state that relevant persons must provide their risk assessment to their Supervisory Authority on request. Supervisory Authorities must review firms’ risks assessments (on a risk-based approach) and the IPA has stated that it will be reviewed as part of routine monitoring visits.

  • How do you write the risk assessment?

The IPA and the ICAEW direct members to the CCAB’s current Guidance: https://goo.gl/LBgRKX. It’s true, Section 4 of the Guidance provides some pointers, but personally I think the Guidance is showing its age, as the MLR17 add more to the statutory list of risk factors that you need to consider than are covered by the Guidance. Therefore, if you do refer to the Guidance, I would also recommend cross-checking against Reg 18 itself to make sure that you have captured everything relevant.

The Reg 18 risk factors that you need to consider (although there could be others) are:

  • your “customers”;
  • the countries or geographic areas in which you operate;
  • your products or services;
  • the transactions you engage in or handle; and
  • your delivery channels.

The task requires some lateral thinking to see these risk factors through an IP’s eyes, but I think it is a valuable exercise: one of the problems with MLR07 is that it all became process-driven, it soon boiled down to ticking boxes seemingly with the sole purpose of confirming identities. I think these new regs are an opportunity for us to take a fresh look at the risks: in what areas of our work are we most – and least – likely to encounter money laundering or terrorist financing? What services or transactions could be attractive – or prohibitive – to potential money launderers? Simply considering these questions could help us and staff to be more alert to strange potential clients, behaviours or requests.

Admittedly, this still doesn’t help much in drafting the risk assessment. If it is any consolation, the ICAEW has stated that, as the risk assessment will depend on the size and nature of your firm, the overall risk assessment of a small firm “may be quite succinct”.

 

Reg 26: Seeking the Approval of the Supervisory Authorities

The MLR17 give the Supervisory Authorities a great deal of new work to do. (I wonder how all this extra work is going to be paid for..?) For example, they need to conduct their own risk assessment and must create risk profiles of their members to inform their monitoring activities.

Reg 26 creates a whole new “approval” process, not only for licensed IPs, but also for firms’, beneficial owners, officers and managers (which include MLROs). The Supervisory Authority’s approval must be granted unless the person has been convicted of a “relevant offence” (Schedule 3 to the MLR17 lists 35 such offences).

  • What if we’re not yet “approved”?

Those requiring approval can act as IPs, beneficial owners, officers or managers of relevant firms provided that they apply for approval before 26 June 2018. Although Reg 26(4) states that “a relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless they have been approved or have applied for approval and the application has not yet been determined”, my enquiries to the main RPBs suggest that they are not viewing this provision as being triggered until 26 June 2018 (and who can blame them, given the lack of notice we have all had?!), i.e. provided that we take steps before 26 June 2018 to become approved, there should be nothing to worry about.

Indications from the main RPBs are that the approval application process will become clear around licence-renewal time.

  • Who is my Supervisory Authority?

Under the MLR07, I think the answer to the above question gradually became clear. The MLR07 had stated that each professional body was the Supervisory Authority for relevant persons regulated by it. Therefore, for example, if I held my insolvency licence with the ICAEW, but I was also an ordinary member of the IPA, the ICAEW would be my Supervisory Authority, as ordinary membership of the IPA carries no real regulation with it (I just need to make sure I comply with the membership rules).

However, the MLR17 introduced a small but significant change. Reg 7(1)(b) states that:

“each of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it”.

Therefore, it seems to me that, under the above scenario, I would now have two Supervisory Authorities. I suspect there are lots of members of professional bodies who look to a different body to act as its regulator, especially considering the wide range of activities falling under the MLR17.

Whilst having two Supervisory Authorities is nothing new (as IPA-licensed IPs working in an accountancy practice know well), I think that these developments – the widened scope from solely regulated members to members generally, the introduction of new approval processes (which may require applications to more than one body?) and the additional expensive burdens falling on Supervisory Authorities – may lead members to question the value of paying annual subs to more than one body.

Alternatively, perhaps we will get some clarification on the interaction of multiple Supervisory Authorities. Both MLRs encourage cooperation between bodies so that regulatory efforts are not duplicated, but we have seen little such cooperation to date.

 

Your to-do list

In summary, I think you might tackle the practice-level changes brought about by the MLR17 as follows (depending, of course, on what is proportionate and appropriate with regard to the size and nature of the business):

  1. Document the appointment of a principal as the person responsible for the firm’s MLR17 compliance and inform your Supervisory Authority/Authorities of the appointment
  2. Create/refresh the firm-wide risk assessment based on Reg 18
  3. Create/revisit policies, controls and procedures for meeting all aspects of the MLR17 based on Reg 19 (including revised due diligence measures etc., which I have not covered above) and document their approval by the firm’s senior management
  4. Included in (3) should be incorporation of MLR-specific assessments in staff recruitment and appraisal processes per Reg 21
  5. Also included in (3) should be a revisit of the firm’s archiving processes to ensure that due diligence documentation is held in line with Reg 40
  6. Carry out a staff training session to communicate 2, 3, 4 and 5 above and retain evidence of who has received what training and what new documentation
  7. Schedule a review of the procedures etc. (the “independent audit”) for a few months after the new processes have been rolled out
  8. Ensure that the annual and induction MLR staff training provisions reflect the MLR17, including relevant data protection matters; if a suitable product is available (and if (6) above did not update staff on the MLR17 changes), consider running it early for existing staff

 

More Changes

Although this is a meaty to-do list already, I have not even started on the MLR17 changes impacting on our day-to-day business, such as the customer due diligence measures and ongoing monitoring.

In my next post, I will examine the changes from an engagement basis.