CCAB anti-money laundering guidance gets an update
Julia Penny looks at the main areas of change in the new CCAB anti-money laundering guidance and the updates that these will necessitate on your own policies and procedures.
The Consultative Committee of Accounting Bodies (CCAB) is responsible for producing the anti-money laundering and terrorist financing (MLTF) guidance for the accountancy sector. This guidance is then approved by HM Treasury and once approved must be taken into account by the courts when considering if an individual or business has breached the Regulations. The latest Treasury approved guidance is that from March 2018, but on 4 September 2020, a draft version of updated guidance was published.
This revised version takes account of changes made by the 5th Money Laundering Directive (5MLD), which mostly took effect on the 10 January 2020. However, the CCAB has also taken the opportunity to update elements of the guidance to make it easier to read and to highlight areas that need more attention.
One of the biggest areas of change is the addition of Section 5.6 on the responsibility to report discrepancies in the information held on the Persons of Significant Control (PSC) register to Companies House. The draft guidance sets out that if a material discrepancy is found between the information that the firm finds when carrying out its initial customer due diligence (CDD), and that held on the PSC register it must report to Companies House as soon as reasonably practicable.
The draft guidance has stated that this means within 30 days, but this period could change following Treasury approval as it is not mentioned in the existing government guidance. However, if the client corrects the PSC within 30 days of the discrepancy being found, the draft guidance states that the firm does not have to report to Companies House. Whilst this seems a logical exemption, to limit the work required by Companies house and firms, it could change or be removed following Treasury approval.
Importantly it appears that there will only be a requirement to report discrepancies when CDD is performed when taking on a new client and not every time CDD is refreshed. This will help considerably in alleviating the work required, as updates of CDD might not routinely include consideration of the PSC register. However, there is a chance that this requirement will change once the final Treasury approved version is issued.
It should also be noted that an equivalent requirement will exist for registrable trusts, which will take effect from 10 March 2022. The report of any discrepancy must be made to the Trust Registration Service (TRS), which HMRC are currently working on updating to allow relevant non-taxable trusts to be registered. Due to these updates it is vital that you finish any part-completed registrations before 23 September 2020.
Defined services mean those that are covered by the money laundering regulations. The list of such services was expanded by 5MLD, though mostly this does not affect accountants. However, one area that has changed is that the definition of tax advice has been expanded. It now includes both direct and indirect provision of material aid, assistance or advice, including specific tax advice, completing or submitting tax returns and advice on whether something is liable to tax or on the amount of tax due.
Whilst this is unlikely to impact accountants very much, as in most cases their work will already be defined services, it may impact those they work with. For instance, the draft guidance sets out information describing when software providers might be considered to be providing tax services. This is likely to become increasingly relevant as artificial intelligence (AI) and other software developments provide services which accountants traditionally delivered.
Beneficial owners, officers and managers, (BOOMs)
Rules requiring MLTF supervisors, primarily the professional bodies, to ensure that all those who are BOOMs of the firm have not been convicted of a relevant offence took effect in June 2018. However, it was not covered in the CCAB guidance. The draft now includes an explanation of a BOOM and the fact that BOOMs should expect to submit evidence of their criminal record (a basic DBS check) to their MLTF supervisor. If you are a BOOM and haven’t yet obtained a DBS check then you should do so now.
Risk assessment procedures
Regulated firms must ensure that any new products, services or ways of operating are considered in terms of their impact on MLTF risks before being implemented. So, if a firm is about to start offering probate services, or changing all operations to be remote and not face-to-face, for example, a renewed risk assessment must be carried out and appropriate controls put in place. With the current Covid restrictions, changes in methods of operating could easily trigger this requirement.
Firms must ensure they inform data subjects of the information that will be collected from them as part of CDD and why it is collected. This information must not be used for other purposes unless the express consent of the data subjects is received. This may be easily done when providing a checklist of appropriate identity documents, for example.
Electronic identity checks
It has been made clearer that electronic identity verification can be used as long as it is reliable. It is regarded as such if it is secure from fraud and misuse and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity. Electronic ID is therefore now also listed as an example source of verification, along with passports and photo card driving licences etc.
Client risk assessment
During identification and risk assessment further questions must be considered. These include, among other things, considering:
- Why the client has selected you?
- Whether the client has asked to engage with you in an unusual manner?
- Whether the transaction appears to align to the client’s normal business or planned strategy?
- Whether the transaction makes commercial sense?
- Whether there is a lack of documentation?
- Whether payment is in large amounts of cash or electronic currency?
If you use forms to help complete the risk assessment process these will need updating for the changes.
Enhanced due diligence (EDD)
As well as these additional questions, which help determine the level of client risk, Appendix D now has additional high-risk factors as follows:
- The customer is a third country national applying for residence rights or citizenship in an EEA state in exchange for transfers of capital or various other investments (sometimes referred to as golden visas).
- There is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory and other items related to protected species, items of archaeological historical and religious significance, or of a rare scientific value.
As before, firms must take into account at least all of the high-risk factors in Appendix D when making their assessment of whether enhanced due diligence (EDD) is required, so any forms will need updating.
More specifically, EDD requirements have been expanded and now include extra checks for clients that are higher risk due to connections with high-risk third countries, including information on the source of wealth. Senior management approval will also now be required for such clients, in the same way that approval must be sought to act for a PEP. (Talking of PEPs there is now a list of UK PEP functions as part of the Regulations).
Additionally, EDD is now required when a transaction is complex, or unusually large, or there is an unusual pattern of transactions which have no apparent economic or legal purpose. Previously there was an ‘and’ separating these features, so now any of them being present, rather than all of them being present, triggers a requirement for enhanced due diligence.
Verification of beneficial owners for companies has now been clarified somewhat. The Regulations state that this must be on a risk-sensitive basis, but the draft guidance now states that that where risk is normal the identity of the director who is the key client contact should be verified. Additional directors should potentially have their identity verified for high-risk clients. In all cases the regulated business should consider the risk of identity theft and false documents.
This might cause firms to want to update their procedures to reduce current requirements if they are generally checking all or most directors’ identity information. Bear in mind that you will need to justify the change, if the guidance has not yet been Treasury approved.
This must now include all agents, as well as relevant employees, such as subcontractors, who are working in a similar manner to staff. Alternatively, agents can supply evidence of their own training, to prevent them having to undertake such training multiple times.
Suspicious Activity Report (SAR)
Not much has changed with respect to SARs but interestingly the guidance now highlights that you do not have to suspect your client of money laundering for a SAR to be needed. Whilst the information must come to you in the course of your work in a regulated business, it might be a suspicion of a third party’s fraud, tax evasion or other money laundering offence. This has been emphasised as there was concern that some practitioners may have misunderstood their reporting obligations, as the rules have not altered.
The other area of change with regard to SARs is a switch in terminology from requests for “consent” to requests for a “DAML” – a defence against money laundering. Whilst the terminology that the National Crime Agency (NCA) uses changed some time ago, the guidance still referred to a request for consent, so this is a sensible update. DAML requests are made where there is a risk that the firm might become involved in a money laundering arrangement, for instance when making a SAR in connection with a planned transfer of client assets. In these cases, it is vital that assets are not transferred unless and until the NCA gives consent for this to happen.
There is also an additional reasonable defence excuse, for not making a SAR, albeit subject to Treasury approval. This means that if a SAR is not made, because it is clear that a UK law enforcement agency is already aware of all the relevant information that the business holds or all the relevant information is entirely in the public domain, this may be regarded as a reasonable excuse for not making a report. Note that it will still be better to make a report if you have suspicions, as you may not be fully aware of what the authorities know or don’t know and it is only the courts that can ultimately decide if an excuse is reasonable.
Conclusion and action
Despite the length of this article there is still more detail in the draft guidance itself that firms will need to consider. Until the guidance is Treasury approved, firms may prefer to make only draft changes to their own policies and procedures and to delay training until the final outcome is known. However, given that the 5th money laundering directive took effect back in January, procedures do at least need to have been updated for those headline changes.
If you do not have in-house expertise dealing with your policies and procedures then either consider using an external consultant or purchase a reputable MLTF system to ensure that your policies and procedures, including the forms you use to assess risk and gather identity information, are updated appropriately.
You might also be interested in
Julia Penny is the principal of JS Penny Ltd which provides technical and training consulting on anti-money laundering procedures, auditing and financial reporting. Julia is a member of ICAEW Board and Council, chair of the ICAEW Ethics Advisory Committee and past chair of the ICAEW...