Regulation
Is your compliance compliant?
By Dale Cruz, Partner, EY
As compliance teams struggle to manage the ongoing workload from the Fourth Money Laundering Directive, how do they ensure their systems are up to scratch?
External validation can be a great opportunity to calibrate internal controls and processes. The directive requires firms to have an internal audit function that determines the need for independent audits.
An independent AML/CFT audit ensures that businesses keep on track and prioritise change and implementation addressing new risks identified. It can be carried out by internal staff members providing the individuals involved in the audit team are independent of the compliance function and sufficiently competent to undertake the work. The difficulty faced by smaller organisations is that this kind of expertise is generally only available within the compliance function. In places like Gibraltar, this is very common and so the only option is to outsource this to an external firm.
The outsourced firm would carry out an assessment of compliance with the Regulations and of the effectiveness of controls. It can also highlight changes in regulations which may affect risk ratings, and therefore require changes in the mitigations and controls. The reach is both broad and deep, and the implications of an independent audit are significant. Interestingly, the requirement to undertake an audit is determined by each firm on a risk-based approach, and its frequency and scope should be assessed at least annually.
Not all entities are captured. The entities captured by the GFSC are as follows:
• All financial institutions (FI) as defined in Section 7 of POCA 2015 which include Banks, Electronic Money Institutions, Life Assurance Companies, Investment Firms, and DLT Providers.
• Relevant Financial Businesses as defined in Section 9 of POCA 2015, which are not FIs, such as real estate agents, exchange bureaus, accounting and audit firms if they have: five or more full time employees or have a turnover of £1,000,000 or more.
• Trust and Company Service Providers if they have 50 or more trusts under management or have 100 or more companies under management.
The GFSC guidance states this as an expectation, but a clear inference could be drawn that this ‘expectation’ becomes a need if the firm is operating with a coherent risk assessment that includes on-going monitoring of risk exposure against risk appetite, all within the demands of the Fifth AML Directive. In short, the firm needs to know what has changed and what impact this might have on how it operates.
What’s next?
No sooner does the Fourth Money Laundering Directive become embedded in the financial system than a fifth looms large on the horizon.
Although not considered as extensive as the Fourth Directive, which required a wholesale change in how businesses approach money laundering, it does continue the focus on the risk elements. In fact, the Fifth Directive constitutes a series of amendments to the structure of the Fourth Directive which adds a range of additional provisions. These focus on enhanced powers for direct access to information and increased transparency around beneficial ownership information and trusts. There are three key developments on the Fourth Directive that have direct implications for risk:
1. Regulation of virtual currencies and pre-paid cards to prevent terrorist financing
2. The improvement of safeguards for financial transactions to and from high risk countries
3. Ensuring centralised national bank and payment account registers, or central data retrieval systems, are accessible in all member states
The final text was published in June of 2018 and it allowed EU member states 18 months to transpose this into law. Some states moved quickly, but some have lagged behind, only completing this work in December. The implementation is in three key stages. The first two were on 10th January for the set-up of beneficial ownership for corporates. The 10th March will be for the set-up of beneficial ownership of trusts.
The third key date to be aware of is 10th September when automated centralised mechanisms should be set up to allow identification of those who hold, or control, payment accounts and bank accounts.
What this means for business is a sharper focus on risk and the need to treat risk as live and an on-going concern. Firms have always known that risk management and client relationships are not a one-off function but what the Fifth Directive seeks to achieve is the cementing of those processes, i.e. having processes in place to facilitate continual screening and monitoring of all relationships.
All in all, we are seeing increasing transparency of beneficial ownership, tighter controls for high risk countries, clarification of PEPs, etc., and so the element of assessing and enacting an independent audit looks less like an expectation and more like an essential function of a firm’s risk management.
www.ey.com/gi
8	Gibraltar International
www.gibraltarinternational.com