The Criminal Justice Act (CJA) 2021 became effective on 23rd April 2021 with the transposition of the 5th Anti-Money Laundering Directive (5MLD) into Irish Law.
This blog seeks to look at the changes 5MLD will now have on Irish firms and how they can overcome the challenges which may be presented in the transition period.
What significant changes does 5MLD bring to the CJA 2021?
Customer Due Diligence (CDD) – As an addendum to the 4MLD, a designated person must take necessary measures to verify the identity of a beneficial owner of a Trust, ICAV and a Company. This information must be entered into the Central Register of Beneficial Ownership (Home – RBO) prior to a business relationship being established.
While a customer account may be opened prior to verifying the identity of a beneficial owner, no transactional activity may commence.
Additional Risk Factors – The CJA 2010 details a list of risk factors which suggest potentially higher risk, for example, businesses that are cash intensive and non-resident customers.
The introduction of 5MLD expands on this list of risk factors to include:
- Transactions related to oil, arms, precious metals, tobacco products, cultural artefacts, items of religious, historical or cultural importance,
- Non face-to-face business relationships or transactions, and
- A third country national customer applying for residence rights in the State in exchange for investment in corporate entities in the State, purchase of property or government bonds.
Firms must update and enhance risk assessments undertaken to ensure they are catering for the additional risk elements detailed above. There is also a requirement to review their identification and verification controls to ensure the increasing provision of services on a non face-to-face basis is risk mitigated appropriately.
A company’s need to understand the nature and purpose of a customer’s transaction at the onboarding stage and on an ongoing basis is vital when assigning appropriate levels of ongoing monitoring. Clients should be re risk assessed where necessary with consideration to the updated risk factors highlighted in 5MLD.
EU High Risk Third Countries – Enhanced Due Diligence measures must be carried out on customers operating in high-risk countries, identified by the EU as having shortcomings in their AML/CFT controls.
5MLD lists additional KYC information which must be collected when servicing clients residing in these countries. EDD must be carried out at the onboarding stage and importantly, additional information collected must be utilised to effectively monitor these high-risk clients on an ongoing basis. Event driven triggers, transaction monitoring and periodic review and update of a client’s KYC information provide evidence of a firm’s risk-based approach. Extra EDD measures undertaken by firms must be detailed clearly within their policies and reflected in risk assessments undertaken by the firm.
Politically Exposed Persons (PEP) – With a broadening to the definition of what constitutes a PEP, we encourage firms to revisit their policy regarding the risk associated with their PEP clients and the ongoing monitoring they are subject to. Member states are required to maintain a list of ‘prominent public functions’. While individual names are not provided on this list as that could be subject to regular change, the list can act as assistance to firms to identify functions which can bring about higher levels of risk.
Virtual Asset Service Providers (VASP) – The transposition of 5MLD into Irish law means that cryptoasset firms must register with the Central Bank of Ireland (CBI) and will be governed by the same Anti-Money Laundering and Counter Financing of Terrorism laws which regulate banks and other Financial Institutions.
VASPs operating in Ireland prior to 23rd April 2021 had 3 months to submit their application to the CBI. Firms that did not submit their application by 23rd June 2021 are not be able to operate until an application is made and accepted.
Firms which now seek to start operating as a VASP in Ireland (after 23rd April) must register first with the CBI.
VASPs now in scope of the CJA 2021 are considered a designated person and as such must build or enhance their AML/CFT framework and focus on a risk-based approach when conducting business. The firm must carry out AML risk assessments which can identify key risks the firm may be subject to. This risk assessment should be used to drive customer due diligence practices and bring about enhancements to the firm’s AML systems and controls. The firm is required to verify the identity of its customer and UBOs where necessary. Transactions and customers must be monitored on a risk basis. Polices and procedures must be documented, approved and utilised and staff must be effectively trained to understand how the firm is susceptible to financial crimes, and their regulatory obligation to report potentially suspicious behaviour.
For firms enhancing their current practices to comply with the transposition of 5MLD or those building frameworks to ensure they are compliant with the updated CJA 2021, we recommend the firm seeks to implement a strong culture of compliance and an understanding that AML risks must be given appropriate consideration when revising the business strategy or creating new products. We recommend firms build out their Business Wide AML Risk Assessment and use this document as a cornerstone to identify assess the potential risks to the firm.
For advice on transposing 5MLD into your AML framework, or assistance with cryptoasset applications, our team of experts are here to assist.