\u201cFor Insolvency Practitioners there is relatively little change\u201d stated one RPB\u2019s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs \u201cwill have wide-reaching changes for accountancy firms and IPs\u201d.\u00a0\u00a0 If two RPBs have such polar views on the overall impact of the new regs, this doesn\u2019t bode well for a common approach to compliance with the MLR17.<\/p>\n
I have great sympathy for the RPBs, though. The final regulations were only released late on Thursday 22 June and they came into force on Monday 26 June. They also contained some well-hidden changes from the draft regulations and there was no quick way of understanding their consequences. I suspect I was not the only one who spent their weekend scrutinising 116 pages of new legislation and thinking: this is an impossible task for us all!<\/p>\n
In this first post on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (\u201cMLR17\u201d), I review the regulations\u2019 impact on the systems involved in managing an insolvency practice:<\/p>\n
The MLR17 can be found at: https:\/\/goo.gl\/ei8ZB1<\/a><\/p>\n Some useful guides on the topic:<\/p>\n \u00a0<\/strong><\/p>\n \u201cSize and nature\u201d matter<\/strong><\/p>\n In six places, the MLR17 require relevant persons (i.e. those carrying out MLR17-regulated activities) to have regard to the size and nature of their business when seeking to comply with the regs. For example, Reg 19(2) requires relevant persons to adopt policies, controls and procedures that are \u201cproportionate with regard to the size and nature of the relevant person\u2019s business\u201d.<\/p>\n Reg 21 states that, \u201cwhere appropriate with regard to the size and nature of its business, a relevant person must:<\/p>\n What are the RPBs\u2019 expectations here? I cannot see any grey area in complying with Reg 21: either you endeavor to meet all (or some?) of these requirements or you determine that the measures are not appropriate having regard to the size and nature of your business. Where does the threshold between complying with Reg 21 and justifiably ignoring it lie?<\/p>\n I suspect that, at least in the short term, the regulators will say: you demonstrate to us how you\u2019ve come to a conclusion. But they are the ones with the helicopter view of the profession(s) and they are the ones in direct contact with HM Treasury and all the other Supervisory Authorities. Can they not guide their regulated members?<\/p>\n To determine what is appropriate and proportionate, the MLR17 specifically refer to following guidance issued by the FCA or by any other Supervisory Authority or appropriate body and approved by HM Treasury. At present, all that IPs have is the 2008 CCAB Guidance, which I think is woefully inadequate in view of the shift from MLR07 to MLR17.<\/p>\n At the moment, different RPBs seem to be suggesting different expectations on compliance with Reg 21, which is not surprising given how swiftly the MLR17 were enacted. Whilst, understandably, the RPBs stick to the strict wording of Reg 21, they elaborate the idea with phrases such as:<\/p>\n Thus, it seems to me that all we can glean is that \u201clarge firms\u201d definitely need to comply with these Reg 21 items, \u201csole practitioners with no employees\u201d (and possibly no subcontractors either) do not, but everyone in between..? Your guess is as good as mine.<\/p>\n <\/p>\n Reg 21: Infrastructure Changes<\/strong><\/p>\n It is evident from the Reg 21 quote above that infrastructure changes are necessary for at least some firms:<\/p>\n All three RPBs have asked to be informed of the appointment of such a person, as is required under the MLR17. Reg 21 also requires firms to notify their RPB of the identity of the first-appointed MLRO (I have not seen any RPB ask for this, so I assume MLR17-appointed MLROs are viewed as simply carrying on from their MLR07 appointment) and any change in identity of the MLRO or other Reg 21 appointed person within 14 days of the change.<\/p>\n This may be, but does not have to be, the same person who acts as MLRO, a position that is repeated in the MLR17. ICAS is calling this person the BSMLP (board or senior management level person) and ICAEW is calling them the MLCP (money laundering compliance person). The IPA has not given them a name.<\/p>\n \u201cRelevant employees\u201d are those involved in the firm\u2019s compliance with the MLR17 as well as those \u201ccapable of contributing\u201d to the identification, prevention, detection or risk-mitigation of money laundering or terrorist financing \u2013 so, for insolvency practices, I would think about all those working in compliance, cashiering, case administration and take-on. As employee-screening and staff-training are themselves MLR17 requirements, anyone involved in those activities would also be \u201crelevant employees\u201d.<\/p>\n The draft regs had included \u201cagents\u201d in this screening process, but \u201cagents\u201d were removed from the final version (which might explain why the IPA\u2019s notice to members still referred, I think incorrectly, to screening agents).<\/p>\n \u201cScreening\u201d means \u201can assessment of the skills, knowledge and expertise of the individual to carry out their functions effectively and the conduct and integrity of the individual\u201d. I suspect these items are generally covered in recruitment and appraisal processes, but they will need to be adequately documented in future specifically with the MLR17 in mind.<\/p>\n Reg 21 requires \u201crelevant employees\u201d to be screened, both before they are appointed and whilst so employed.<\/p>\n Two questions came immediately to my mind: how independent is \u201cindependent\u201d and what constitutes an \u201caudit\u201d?<\/p>\n Reg 21 describes it as entailing the following:<\/p>\n This sounds<\/em> very much like the process followed for the ICAEW\u2019s Insolvency Compliance Reviews. Indeed, the ICAEW believes that firms\u2019 money laundering compliance reviews, which they should already be performing, address the MLR17 requirement. ICAS is awaiting confirmation on how their current compliance review requirement stacks up against this audit requirement. The IPA has not made any comment, although I cannot see that the self certification process bears any resemblance to what is required here.<\/p>\n As far as I can see, the ICAEW is the only RPB that has made any comment: \u201cyou should make sure that your Money Laundering Compliance Principal is responsible for performing this review\u201d. The Law Society explains: \u201cthe regulations do not state that the independent audit function has to be external to your firm, but it should be independent of the specific function being reviewed\u201d. It seems to me, therefore, that if the \u201cMLCP\u201d is heavily involved in, say, the customer due diligence process, then they might not be the right person for the job.<\/p>\n <\/p>\n Reg 19: Policies, Controls and Procedures<\/strong><\/p>\n I\u2019ll skip through this section quickly, not because it is unimportant \u2013 I accept that it is vital and I suspect it will feature heavily in monitoring visits \u2013 but because it is so <\/em>dull! Sorry, it had to be said.<\/p>\n All <\/em>firms will need to maintain written policies, controls and procedures covering pretty-much all relevant areas of compliance with the MLR17. I think that anyone drafting these would do well to tick off every Reg 19 item plus carry out an overall sense-check, much as we would double-check a SIP16 Statement.<\/p>\n These policies, controls and procedures must also:<\/p>\n Regs 19 and 20 adds further requirements for firms with overseas subsidiaries or branches.<\/p>\n <\/p>\n Reg 24: Staff Training<\/strong><\/p>\n Of course, the MLR07 required regular staff training, so have things changed under the MLR17?<\/p>\n Setting aside the vague \u201csize and nature\u201d references to what \u201cappropriate measures\u201d might look like, the material changes are that:<\/p>\n Data protection newly features elsewhere in the MLR17, most practically around record-keeping (see below) and in the client take-on process (which I will cover in a future blog), although it would also be relevant to make employees aware of the principles around handling personal data gathered for the purposes of complying with the MLR17 (Reg 41).<\/p>\n I\u2019m sure we\u2019re used to documenting evidence that staff have completed regular MLR training, but the above quote indicates that we should document other measures taken to make staff aware, perhaps for example the receipt of induction training, staff handbooks and manuals.<\/p>\n <\/p>\n Reg 40: Record-Keeping<\/strong><\/p>\n Although the MLR17 have retained the MLR07\u2019s basic standard of 5 years for record-keeping, there is a problematic change in emphasis.<\/p>\n Both MLRs require customer due diligence records to be retained for \u201cat least\u201d 5 years, but the MLR17 require any personal data contained in these records to be deleted after 5 years from the completion of an occasional transaction or the end of the business relationship. The MLR17 also put the same record-keeping requirements on documents to support transactions that are the subject of customer due diligence measures or ongoing monitoring.<\/p>\n Although there are some exceptions to this deletion requirement, e.g. where the records need to be retained for legal proceedings, this could add a burden to firms whose systems are set up to store records to a 6- or 10-year standard. To be fair though, the data protection principles have for a long time now included that personal data should not be kept for longer than is necessary, so the implementation of smarter archiving practices may be long overdue.<\/p>\n <\/p>\n Reg 18: the Relevant Person\u2019s Risk Assessment<\/strong><\/p>\n Personally, I think this Reg may present the greatest challenge: a relevant person must \u201ctake appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject\u201d. This is not referring to the risk assessment carried out as part of the customer due diligence process. This is a risk assessment of the relevant person\u2019s<\/em> business, i.e. where do the risks lie in the work undertaken by the IP?<\/p>\n It needs to feed into:<\/p>\n The MLR17 state that relevant persons must provide their risk assessment to their Supervisory Authority on request. Supervisory Authorities must review firms\u2019 risks assessments (on a risk-based approach) and the IPA has stated that it will be reviewed as part of routine monitoring visits.<\/p>\n The IPA and the ICAEW direct members to the CCAB\u2019s current Guidance: https:\/\/goo.gl\/LBgRKX<\/a>. It\u2019s true, Section 4 of the Guidance provides some <\/em>pointers, but personally I think the Guidance is showing its age, as the MLR17 add more to the statutory list of risk factors that you need to consider than are covered by the Guidance. Therefore, if you do <\/em>refer to the Guidance, I would also recommend cross-checking against Reg 18 itself to make sure that you have captured everything relevant.<\/p>\n The Reg 18 risk factors that you need to consider (although there could be others) are:<\/p>\n The task requires some lateral thinking to see these risk factors through an IP\u2019s eyes, but I think it is a valuable exercise: one of the problems with MLR07 is that it all became process-driven, it soon boiled down to ticking boxes seemingly with the sole purpose of confirming identities. I think these new regs are an opportunity for us to take a fresh look at the risks: in what areas of our work are we most \u2013 and least \u2013 likely to encounter money laundering or terrorist financing? What services or transactions could be attractive \u2013 or prohibitive \u2013 to potential money launderers? Simply considering these questions could help us and staff to be more alert to strange potential clients, behaviours or requests.<\/p>\n Admittedly, this still doesn\u2019t help much in drafting the risk assessment. If it is any consolation, the ICAEW has stated that, as the risk assessment will depend on the size and nature of your firm, the overall risk assessment of a small firm \u201cmay be quite succinct\u201d.<\/p>\n <\/p>\n Reg 26: Seeking the Approval of the Supervisory Authorities<\/strong><\/p>\n The MLR17 give the Supervisory Authorities a great deal of new work to do. (I wonder how all this extra work is going to be paid for..?) For example, they need to conduct their own risk assessment and must create risk profiles of their members to inform their monitoring activities.<\/p>\n Reg 26 creates a whole new \u201capproval\u201d process, not only for licensed IPs, but also for firms\u2019, beneficial owners, officers and managers (which include MLROs). The Supervisory Authority\u2019s approval must be granted unless the person has been convicted of a \u201crelevant offence\u201d (Schedule 3 to the MLR17 lists 35 such offences).<\/p>\n Those requiring approval can act as IPs, beneficial owners, officers or managers of relevant firms provided that they apply for approval before 26 June 2018. Although Reg 26(4) states that \u201ca relevant firm must take reasonable care to ensure that no-one is appointed, or continues to act, as an officer or manager of the firm unless they have been approved or have applied for approval and the application has not yet been determined\u201d, my enquiries to the main RPBs suggest that they are not viewing this provision as being triggered until 26 June 2018 (and who can blame them, given the lack of notice we have all had?!), i.e. provided that we take steps before 26 June 2018 to become approved, there should be nothing to worry about.<\/p>\n Indications from the main RPBs are that the approval application process will become clear around licence-renewal time.<\/p>\n Under the MLR07, I think the answer to the above question gradually became clear. The MLR07 had stated that each professional body was the Supervisory Authority for relevant persons regulated<\/em> by it. Therefore, for example, if I held my insolvency licence with the ICAEW, but I was also an ordinary member of the IPA, the ICAEW would be my Supervisory Authority, as ordinary membership of the IPA carries no real regulation with it (I just need to make sure I comply with the membership rules).<\/p>\n However, the MLR17 introduced a small but significant change. Reg 7(1)(b) states that:<\/p>\n \u201ceach of the professional bodies listed in Schedule 1 is the supervisory authority for relevant persons who are members of it, or regulated or supervised by it\u201d.<\/p>\n Therefore, it seems to me that, under the above scenario, I would now have two<\/em> Supervisory Authorities. I suspect there are lots of members of professional bodies who look to a different body to act as its regulator, especially considering the wide range of activities falling under the MLR17.<\/p>\n Whilst having two Supervisory Authorities is nothing new (as IPA-licensed IPs working in an accountancy practice know well), I think that these developments \u2013 the widened scope from solely regulated members to members generally, the introduction of new approval processes (which may require applications to more than one body?) and the additional expensive burdens falling on Supervisory Authorities \u2013 may lead members to question the value of paying annual subs to more than one body.<\/p>\n Alternatively, perhaps we will get some clarification on the interaction of multiple Supervisory Authorities. Both MLRs encourage cooperation between bodies so that regulatory efforts are not duplicated, but we have seen little such cooperation to date.<\/p>\n <\/p>\n Your to-do list<\/strong><\/p>\n In summary, I think you might tackle the practice-level changes brought about by the MLR17 as follows (depending, of course, on what is proportionate and appropriate with regard to the size and nature of the business):<\/p>\n \u00a0<\/strong><\/p>\n More Changes<\/strong><\/p>\n Although this is a meaty to-do list already, I have not even started on the MLR17 changes impacting on our day-to-day business, such as the customer due diligence measures and ongoing monitoring.<\/p>\n In my next post, I will examine the changes from an engagement<\/em> basis.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" \u201cFor Insolvency Practitioners there is relatively little change\u201d stated one RPB\u2019s notice to members on the Money Laundering Regulations 2017, but another RPB stated that the new regs \u201cwill have wide-reaching changes for accountancy firms and IPs\u201d.\u00a0\u00a0 If two RPBs … Continue reading \n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n