The Dark Money Files

The Business Wide Risk Assessment

January 09, 2020 Graham Barrow and Ray Blake Season 3 Episode 13

In this last episode of season 3 we turn our attention to conducting the business (or enterprise) wide risk assessment. Why and how figure prominently.

We also look at the main elements of the soon to be introduced (as at 08/10/2020) Money Laundering and Terrorist Financing (Amendments) Regulations 2019.


Follow us on LinkedIn at https://www.linkedin.com/company/the-dark-money-files-ltd/ on Twitter at https://twitter.com/dark_files or see our website at https://www.thedarkmoneyfiles.com/

spk_1:   0:08
Welcome to the 13th and final episode of Season 3 of The Dark Money Files, in which we shine a light into a murky world. I'm Ray Blake, and with me is my co-host, friend and business partner Graham Barrow. Hello, Graham. Hello. Right before the Christmas break, Graham, we spent two episodes looking at how banks go about determining financial crime risk ratings for their clients.

spk_0:   0:33
We did, and we saw the various attributes that are taken into account to determine whether any given client represents an elevated financial crime risk to the bank. And we saw how the bank would divide its client base into different tiers of risk, which would typically be high, medium and low.

spk_1:   0:51
Yes, and they would then use this to apply a risk based approach, concentrating their resources at the riskier end of the classifications.

spk_0:   1:01
Absolutely right, Ray, and we introduced right at the end of the last episode the concept of the business-wide risk assessment that banks need to prepare, which will underlie many aspects of their client risk rating. And today we're going to be talking about that.

spk_1:   1:16
Great. But I think after we've done that, we might usefully spend a bit of time reflecting on the new UK anti-money laundering regulations that were passed by Parliament just before Christmas. There are just a few points that will have quite wide and immediate application for our UK listeners in particular. So a heads-up might not go amiss.

spk_0:   1:35
Good call, Ray. Let's have a look at those.

spk_1:   1:38
First, though, the business-wide risk assessment. Now, this is a requirement from the money laundering regulations that isn't affected by the new amendments, right?

spk_0:   1:47
That's absolutely right, Ray. In fact, it's one of the three high-level risk assessments that are required.

spk_1:   1:53
Oh, yeah, there's a national risk assessment to be prepared by government, isn't there?

spk_0:   1:58
Yeah, which in the UK is handled by the Treasury and the Home Office together.

spk_1:   2:03
And the output from that allows the government to consider the adequacy of current legal and regulatory rules and powers and to allocate a risk-based budget to different threats at a national level.

spk_0:   2:14
Absolutely. And then there's the risk assessment by supervisory authorities, which assesses the risks that they have responsibility for in the light of the government's assessment and other relevant international reports and guidelines.

spk_1:   2:29
Okay, yeah, as well as the firms they supervise and the risks they present, together with emerging risks and changes in industry that might have an impact.

spk_0:   2:38
Spot on.

spk_1:   2:39
So then we come to the firm's own risk assessment, and the basic requirement is that the firm, quote, "must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject."

spk_0:   2:54
That's really quite a wide and high-level brief, isn't it?

spk_1:   2:58
Yes, it is, Graham.

spk_0:   3:00
Is there any more detailed and, hopefully, helpful requirement?

spk_1:   3:04
Well, there is a bit more. Well, the regulations state that when deciding what steps are necessary, the firm must take into account the size and nature of its business.

spk_0:   3:15
Good idea. Does it say how? No, Graham. Oh, anything else?

spk_1:   3:20
Yes. It says the firm must take into account any relevant information made available by the regulator from its own assessment, and that it must consider risk factors, including those relating to its customers, the countries or geographical areas in which it operates, its products and services, its transactions and its delivery channels.

spk_0:   3:41
Oh, that sounds like quite a familiar list, right?

spk_1:   3:44
Well, indeed, it's similar to the different factors that contribute to the client risk assessment for each individual client. But we're looking through a different lens here. We're looking at these factors as they apply to the whole firm overall.

spk_0:   3:58
Okay, so if we look at products, for example, when we look at this from a client perspective, what products that client is using will have a bearing on their financial crime risk. But which products carry what sorts of risks is a matter for the firm-wide risk assessment. And that needs to be done first so that we can look at the products used by each of our clients and understand their individual risks.

spk_1:   4:21
So let's look at an example, Graham. At one bank that I'm a customer of, I hold just the savings account. So how would the bank look at my product risk?

spk_0:   4:32
Well, Ray, first of all, they'd have to have undertaken a firm-wide risk assessment and assessed the financial crime risk arising from all aspects of their business. Now, in the light of this, they'd have looked at their deposit account offering and determined the specific financial crime risk that could result from its use, and that would be different for different banks, of course.

spk_1:   4:52
But why would it, Graham? A deposit account is a deposit account, isn't it?

spk_0:   4:56
Well, not necessarily, Ray. I mean, for instance, there are instant access deposit accounts that allow third-party payments to be made from them. Effectively, you could write cheques.

spk_1:   5:08
Well, that would increase the financial crime risks, obviously.

spk_0:   5:11
Yes, it would. And the makeup of the bank's account holders would have an impact too. For example, are a significant proportion of them based overseas? Are there minimum or maximum deposits? Are there joint accounts? And if there are, what are the rules around these?

spk_1:   5:29
Oh, yes, that could be important. If a married couple have a joint deposit account, that's one thing. But if two unrelated people hold one jointly, it could be a way to covertly transfer funds, if one makes a large deposit that the other can then withdraw.

spk_0:   5:44
Well, exactly. So the firm needs to look at its products' terms, and any vulnerabilities or indeed protections that those create.

spk_1:   5:52
Then, armed with the understanding from this assessment, the bank would say that its deposit account had, let's say, a medium level of risk.

spk_0:   5:59
Yes, so that when the bank came to look at the client risk assessment for, say, Ray Blake, they would have a clear understanding of how his using a deposit account contributed to his overall financial crime risk to the bank.

spk_1:   6:13
I got it. I can see why the bank needs to undertake its business-wide risk assessment and how this supports the client risk assessments it subsequently makes.

spk_0:   6:22
So let's look at how a bank would, based on the quite sparse guidance in the law, go about conducting its business wide risk assessment.

spk_1:   6:31
Yeah, let's. I suppose the first point is that it's going to require input from people across the business, not just the compliance or FC team.

spk_0:   6:39
Oh, absolutely right, Ray.

spk_1:   6:41
Now, I've seen FC departments use workshops and one-to-one engagement with business contributors, often in combination.

spk_0:   6:48
Yeah, the one thing that unifies all approaches is that they are based around quite tight and focused agendas. You don't want to waste the business contributors' time, but you also want to make sure you walk away from the meeting with the information you actually need to help you perform the assessment.

spk_1:   7:06
So what would that agenda look like, Graham?

spk_0:   7:08
Well, Ray, no two will be the same. But let's look at an example or two. Let's say you're meeting business representatives from a specialist part of the bank, so, for instance, the structured finance department.

spk_1:   7:20
Okay, Graham, let's go with that. I'd want to understand from them who their typical clients are, where those clients are based and what types of client needs the department meets, and what restrictions there are on what they can do and what they can't do.

spk_0:   7:37
Yeah, absolutely. I think I'd also want to understand their key processes, at least to the extent you can identify financial crime vulnerabilities. You'd want to know about current market trends and those they foresee developing, and any product and process changes they're planning to exploit these trends.

spk_1:   7:56
Now, in the FC team, particularly if you have a compliance remit too, you'll know a lot about this already, Graham, won't you?

spk_0:   8:03
Well, you'd hope so, Ray. But the business unit will always know more. They have to, to be able to do their jobs. And the interviews or workshops are a way of eliciting any important details you're not aware of that are relevant to the financial crime risks.

spk_1:   8:18
I can see that. So, actually, the best way might be, as FC, to document your understanding of this team and its activities, then take this to the workshop and ask, "Well, what have we missed?"

spk_0:   8:30
Yeah, I've seen it done that way, and that can be very effective.

spk_1:   8:34
So would you do something similar across all business units?

spk_0:   8:38
Yes, all relevant ones, Ray. But you also want to look at functions too, like IT or legal or HR.

spk_1:   8:45
And why's that, Graham?

spk_0:   8:47
Well, because each of those functions could have financial crime risks too. Let me think about HR, for example. Their recruitment procedures might be vulnerable to a financial criminal gaining employment within the firm.

spk_1:   9:00
So the assessment needs to be genuinely firm wide, doesn't it?

spk_0:   9:04
Yes, it does, Ray. There's no point in just fixing some of the leaks in your boat.

spk_1:   9:10
Good point. Are we interested at this stage in inherent risks or residual risks?

spk_0:   9:16
Well, now, that's a great question, Ray. But before we answer, do you want to define what those terms mean before we look at them?

spk_1:   9:23
Okay, sure. Inherent risks are those that exist in an uncontrolled environment. So if we completely ignore any controls that were in place, what are the risks we would see? Whereas if we take into account the controls that we've got in place, these might knock out some, or even all, of the inherent risks. So what we're left with after the controls are taken into account is the residual risk.

spk_0:   9:50
Good explanation. And understanding both of these is important. To meet the letter of the law, your assessment needs to understand the inherent risks at a minimum. But understanding your controls and how effective they are is clearly crucial to defending the bank against financial crime threats.

spk_1:   10:07
Yes, and the extent and distribution of residual risk needs to reflect your financial crime risk appetite, I guess.

spk_0:   10:14
Absolutely right. This is clearly a very detailed assessment, and banks usually try to arrive at quantitative measurement frameworks to make it understandable and usable. But there needs to be a good quality of understanding across the piece, too.

spk_1:   10:29
Okay, then. So you've produced a business-wide risk assessment that's gonna let you consider what controls you have in place and what additional controls you need to think about. It's also going to help you rate the financial crime risks of different products, channels and so on, which then feeds into your client risk rating approach. It's also going to help you define your financial crime MI and reporting, isn't it?

spk_0:   10:53
Yes, it is. It will guide the FC department and senior management of the bank of what they should be keeping a close eye on, and that's going to drive reporting and MI, as you mentioned. It's also going to be a useful check for the firm's financial crime risk appetite.

spk_1:   11:09
Brilliant. And this isn't a one-time thing, Graham, is it?

spk_0:   11:13
No, Ray. The assessment ought to be refreshed on a regular basis to pick up on all the changes that might alter the picture.

spk_1:   11:20
Well, I think that's a pretty good introduction to this important aspect of a firm's defences. There's a lot of excellent guidance on doing this practically in the Wolfsberg Group's 2015 FAQ on risk assessments, and we'll put a link to that on our website for those who are interested. Shall we move on to the updated regulations now, Graham?

spk_0:   11:43
Yeah, let's do that. This will mostly concern our UK listeners, although frankly, similar changes are being effected, or are supposed to be being effected, right across the EU and EEA to comply with the Fifth Anti-Money Laundering Directive.

spk_1:   11:58
Indeed, the UK's version is set out in a statutory instrument that's snappily titled the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.

spk_0:   12:12
Well, it does what it says on the tin, Ray.

spk_1:   12:15
Well, quite so. I've reviewed the instrument to pick out the key relevant changes.

spk_0:   12:20
Oh, well done.

spk_1:   12:22
Well, I consider it taking one for the team, Graham. Given that the regulations come into force on the 10th of January 2020, for the most part, I thought we should cover it in this episode.

spk_0:   12:34
Well, that sounds like a very good idea.

spk_1:   12:37
Shall I run through the key points?

spk_0:   12:39
Oh, please do.

spk_1:   12:41
Well, first of all, some more people and things come into scope of the regulations, so letting agents, art market participants, cryptoasset exchange providers and custodian wallet providers now find themselves regulated.

spk_0:   12:58
Quite right, too. And there's an extension for auditors and tax advisers, I think, isn't there?

spk_1:   13:04
Yes. And what constitutes giving tax advice is widened considerably along the lines of the Criminal Finances Act.

spk_0:   13:12
And what's the main impact of this for those people affected, Ray?

spk_1:   13:16
Mostly, for the new people now in regulation, it's gonna be the requirement to undertake customer due diligence. So, for instance, a letting agent for the first time has a legal duty to apply CDD both to the renter and to the person letting the land, provided the term or rent passes a minimum threshold.

spk_0:   13:38
Well, that seems reasonable.

spk_1:   13:41
There's some new definitions around electronic identity verification too, which is the law catching up with technology. But there's a much bigger change that relates to due diligence. Oh yeah? There's a whole new chapter in the regulation now about reporting discrepancies in registers.

spk_0:   13:57
Ah, yeah. Now, this is going to be big.

spk_1:   14:00
It certainly is. Firms now have a duty, when collecting beneficial ownership information, to check this against the official register.

spk_0:   14:08
Now, that's Companies House in the UK.

spk_1:   14:11
Yeah, quite so. And where there is a discrepancy, the firm's duty is to report this discrepancy to the register, in the UK, as you say, to Companies House.

spk_0:   14:20
To be clear, Ray, this is just information relating to the beneficial ownership of the Yep.

spk_1:   14:26
Yes, it is, Graham. And there's an exemption as well from reporting where the information is covered by legal privilege.

spk_0:   14:32
Okay, and what does the register have to do with these reports?

spk_1:   14:37
Well, it has to, and I'm quoting, "take such action as the registrar considers appropriate to investigate and, if necessary, resolve the discrepancy in a timely manner." Unquote.

spk_0:   14:49
Where does this leave the bank? You have to complete this due diligence before transacting for a client. Do they have to wait for the registry to resolve the discrepancy before they could take on the client?

spk_1:   15:01
Well, they probably want to take legal guidance on this, Graham, but I'd say not, provided they can satisfy themselves of the veracity of the information they hold.

spk_0:   15:12
Okay. But usually the way they'd establish that veracity, we wouldn't necessarily agree with this, but would be to check the register agrees with what the client has told them.

spk_1:   15:22
Well, true. But they can obtain other evidence, like shareholder declarations in audited accounts, for example. Once they're sure they have the correct version and that the registry records were incorrect, I think they should have confidence in taking the client on while the registry investigates. But they want to keep very good records of how they satisfied themselves sufficiently if they do that.

spk_0:   15:43
Yeah, I'd say so. In a way, Ray, this is really no different from the current status quo, other than there's a legal requirement to do it. But obviously a firm should always be checking their records in Companies House and reacting if there are discrepancies accordingly.

spk_1:   16:00
Yeah, yeah, I think you're absolutely right. As you say, the legal requirement adds a wrinkle to it.

spk_0:   16:05
It certainly does.

spk_1:   16:06
Okay. Elsewhere in the amendments, there's some helpful clarification on the need to conduct EDD where high-risk third countries were involved. The 2017 regulations said EDD needed to apply, quote, "in any business relationship or transaction with a person established in a high-risk third country", unquote.

spk_0:   16:25
Yeah, I remember.

spk_1:   16:28
Well, now there are two points of clarification on this. The first one is that transactions will be caught when either of the parties is established in the high-risk third country.

spk_0:   16:38
Okay, it makes sense. And the second clarification?

spk_1:   16:42
Well, this is interesting. The new amendments define what being established in a country actually means. It says that for a business, it's where you're incorporated or have your principal place of business. If you're a regulated firm, it's where your principal regulator is. And for an individual, it's where you're resident, not necessarily where you were born.

spk_0:   17:03
Okay, now that's important. But banks usually, as we saw, link their country risk score for a client to more factors than that. They look at where a corporate client does business, for example, not just where it is headquartered. And for an individual, they look at nationality as well as residence and base their country risk on the highest risk of those countries.

spk_1:   17:24
And to be clear, they can and should continue doing that. But just in the case where this short list of defined very high-risk countries are involved, their requirement to conduct EDD is driven by a smaller set of factors.

spk_0:   17:38
Okay, but there's nothing to stop firms choosing to do EDD in a wider range of situations.

spk_1:   17:43
Oh, no, nothing at all. And for most banks, it won't be worth the operational expense of adding more complexity to this.

spk_0:   17:50
Agreed. Good. And there's more on EDD, isn't there?

spk_1:   17:55
Yes, there is. The new regulation spells out certain minimum points that EDD must cover, and it's these: (a) obtaining additional information on the customer and on the customer's beneficial owner; (b) obtaining additional information on the intended nature of the business relationship; (c) obtaining information on the source of funds and source of wealth of the customer and of the customer's beneficial owner; (d) obtaining information on the reasons for the transactions; (e) obtaining the approval of senior management for establishing or continuing the business relationship; and finally, (f) conducting enhanced monitoring of the business relationship by increasing the number and timing of controls applied and selecting patterns of transactions that need further examination.

spk_0:   18:46
Okay, that's pretty comprehensive. Now, most banks are going to be doing most of this already, aren't they?

spk_1:   18:52
Yes, but now the requirement is so explicit, Graham, I suspect firms will be checking their EDD templates to be sure they have it all covered.

spk_0:   19:00
I agree, Ray. Anything else we should know about in the new regulations?

spk_1:   19:04
Well, Graham, I've read all 37 glorious pages of it, and I reckon we've covered the main relevant items.

spk_0:   19:11
Well, thank you for that. With that done, I think we should celebrate reaching the end of our third season of the podcast, Ray.

spk_1:   19:20
Oh, yes. Our first episode came out almost exactly a year ago, on the sixth of January 2019. And this is our 40th episode.

spk_0:   19:29
Have they said it would last?

spk_1:   19:33
Well, we started it as a bit of a sideline. It has quickly become the most important thing we do. That said, we have an incredibly busy January, so we're going to take a shortish pause before we dive back in and kick off season four.

spk_0:   19:46
Yes. We expect to have the first episode of season four with you by the end of January. But between now and then, we're going to take a little break. I'm

spk_1:   19:56
looking forward to

spk_0:   19:57
er episode on the right. Yes, Graham. Thank you. Weigh. If you would like to listen to future episodes, please subscribe through iTunes, Spotify or your normal podcast provider Psych