The Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2018 has been signed, transposing most of the Fourth Money Laundering Directive (MLD4) into Irish law. MLD4, and the Irish Act, represent a continuing shift towards a more risk-based approach to targeting money laundering (ML) and terrorist financing (TF).
This Briefing highlights the key changes introduced by the new Act for regulated financial service providers (RFSPs) and other designated persons operating in the financial services sector.
The Act was signed into law on 14 November 2018, and all but one provision was commenced with effect from 26 November 2018. It transposes the remainder of MLD4 into Irish law by amending the existing Irish Act (the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010).
The key changes are in the areas of risk assessments, due diligence, policies and procedures, and enforcement.
Announcing the commencement of the Act on 23 November, the Minister for Justice and Equality commented that the new Act "...is really important. Money laundering is a crime that helps serious criminals and terrorists to function, destroying lives in the process. Criminals seek to exploit the EU's open borders and this EU-wide measure is really important for that reason. I and my Government colleagues are committed to systematically tackling corruption and organised crime."
While MLD4 does not create new categories of "designated persons", crucially the Act includes a requirement that certain financial institutions who:
act in the State, in the course of business carried on by them in the State; but are not already authorised by, licensed to carry on activities by, or registered with, the Central Bank under other legislation, register with the Central Bank. The new Act provides that the name, address, and details of activities carried on should be provided to the Central Bank in accordance with a procedure to be specified by it. The Central Bank published its procedure and guidance on 27 November 2018 (see here) and we are publishing a separate briefing on that specific development.
Designated Persons must conduct Business Risk Assessments
A designated person is now under a statutory obligation to carry out a Business Risk Assessment to establish the ML/TF risk involved in its business.
Various factors must be taken into account, such as its customer base, the products and services that it offers, the countries/regions in which it operates, transaction types, delivery channels, and any additional risk factors prescribed by the Minister for Justice from time to time. It must also take account of any guidance issued by the relevant competent authority, the National Risk Assessment (see our briefing on the National Risk Assessment here) and (where it is a bank or a financial institution) any guidelines issued by the European Supervisory Authorities (ESAs).
The Business Risk Assessment must be approved by senior management, must generally be documented, and must be kept up-to-date. A record of the Assessment must be made available on request to the relevant competent authority.