Ireland's banking regulator, the Central Bank of Ireland (CBI), recently levied a substantial fine on a major Irish banking institution by way of sanction for breach of anti-money laundering/counter-terrorist financing requirements (AML). AML has consistently been a primary focus of the CBI's supervisory functions in recent years, including annual themed inspections across the industry to check AML compliance. With the impending implementation in June 2017 of the EU's Fourth Anti-Money Laundering Directive (4AMLD), compliance with AML will continue to be a key issue for banks and financial institutions in Ireland.
As is well known by now, 4AMLD will, among other things, introduce a risk-based approach to customer due diligence. Institutions must take steps to identify and assess AML risks inherent in their business. Automatic exemptions from the need to carry out customer due diligence will no longer apply. The regulated entity's policies and approach to risk assessment will be of central importance to its ability to demonstrate to the CBI that its risk-based approach is consistent with the new regime. Compliance measures, therefore, must be bespoke to the business.
4AMLD's risk-based approach is part of a growing trend in financial regulation to place the onus on the regulated entity effectively to police its own activities for the benefit of the regulator. Existing examples of this trend include the obligation on a regulated entity to report material breaches of regulatory requirements, an obligation (when required by the regulator) to appoint (and pay for) an expert third party to report on the institution's compliance and governance, and, in general, an obligation to take a more proactive approach to compliance than previously. The new regime requires much more than ticking the box: the institution must anticipate problems before situations are encountered.
Ireland has already implemented 4AMLD's requirement on legal entities and trusts to enquire into and record beneficial ownership. For banks and other financial institutions, the risk-based approach to customer due diligence will present very important challenges. 4AMLD provides little by way of a template to structure compliance procedures for peripheral cases. Inevitably, it is only when something goes wrong that an institution's policies may come under intense scrutiny. In those circumstances the institution will effectively bear the onus of proving to the regulator that its systems were appropriately designed to meet the situation. This means, therefore, that the institution's policies must be robust and at the same time comprehensive and adaptable to unusual situations.