Increasing Challenges for the MLRO
The introduction of the new Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) has undoubtedly presented the MLRO with a number of new challenges, which unfortunately are very easy to miss. More than that, even after the publication of these new regulations, there have been other notices and other changes to legislation to which I believe little or no focus is being given.
Let us have a brief look at the main challenges being faced by the MLRO.
1. Implementing Procedures still not updated
Although it has now been nearly six months since the date of publication of the new PMLFTR, the FIAU has not yet issued the updated Implementing Procedures (IP). This means that in certain circumstances the current IP are not in tune with the PMLFTR. The FIAU acknowledged this situation, and in fact its circular of 21st December 2017 stated as follows: ‘where conflicts arise between the provisions of the PMLFTR 2017 and the Implementing Procedures the PMLFTR 2017 shall prevail.’ Fine – but let us just consider one simple example. The new PMLFTR are completely silent on non-face-to-face relationships, whereas the IP go into very specific detail on the approach to be taken when dealing with a non-face-to-face application. Considering, therefore, that the new PMLFTR will prevail, a Subject Person may be at a loss as to how to deal with a non-face-to-face application.
2. Simplified Due Diligence
Under the old PMLFTR, the application of Simplified Due Diligence (SDD) was clearly established under regulation 10. Under the new PMLFTR, in terms of Regulation 10 (1) (b), it is now the obligation of the Subject Person to determine whether SDD can be applied. At the same time, Regulation 10 (2) does not exempt the Subject Person from customer due diligence measures. I have strong doubts as to how many Subject Persons have by now adopted an internal document recording their own SDD approach.
3. Adopting a Risk Based Approach
No doubt the biggest change brought by the new legislation is the introduction of the Risk Based Approach (RBA). Regulation 5 clearly states that the internal assessment underlying the RBA must be properly documented and that the FIAU can at any time request a copy of this document. The signal here is that one should expect more off-site monitoring by the FIAU. Documenting an RBA is not an easy task. Initially a clear risk appetite framework must be established, and a risk framework modelled on the four risk pillars (customer, product, jurisdiction and delivery channel) must be put in place, providing suitable scoring criteria in order to determine the risk tier applicable to each client. In addition to this, the RBA must also document the process of ongoing monitoring of all client relationships. The solution is to automate this process, as otherwise it would be rather messy to keep adequate control. The Supervisory Guidance paper issued jointly by the FIAU and the MFSA on 2nd February 2018 cannot be ignored. While it is stated that this is not a binding document, it is nonetheless a clear indication that a risk policy at entity level should be prepared.
4. Monitoring Role
In terms of PMLFTR Regulation 5 (5), a Subject Person must also appoint a person of a managerial grade whose duties ‘shall include the monitoring of the day-to-day implementation, measures and controls and procedures adopted under this regulation.’ The reference is to Regulation 5, which deals with risk assessment. To be fair, in another part of the Regulations it is stated that the MLRO can be the person who assumes this monitoring function. The Subject Person must now clearly establish who is the person being appointed with this monitoring responsibility. Is it the MLRO, or will the Subject Person appoint another member of management to have this oversight function? It is unclear whether this function can be outsourced. Since the Regulations are silent on this, the conclusion is that it cannot.
5. Internal Audit
Another new measure introduced by the PMLFTR is that of setting up an independent audit mechanism. While no exemptions are in place, the regulations say that a Subject Person should ‘implement where appropriate with regard to the size and nature of the business, an independent audit function to test the internal measures, policies controls and procedures.’ For entities subject to a licence condition (such as banks) this part of the Regulations is nothing new, but for other Subject Persons it presents a strong challenge. One would expect that the new IP, when published, will shed more light on this part of the Regulations. For example, how are the size and nature of a business to be determined? Is it a question of the number of clients or the number of transactions? Again, when we refer to ‘size’, do we have to keep in mind the size of the transactions? And what about the ‘nature’ of the business? Are there some Subject Persons who may be considered more exposed to risk and who, in view of the ‘nature’ of their business, are therefore expected to have a stronger independent audit function in place?
6. Enabling Powers Act
This Act was revised in May 2018, and hardly any notice was taken. The previous regulations made under the main Act (Subsidiary Legislation 365.01) have been repealed, as the ‘old regulations’ are now practically embedded in the main legislation itself. What is now of major importance for a Subject Person is that, in terms of Article 17 (6) of this Act, a Subject Person is required to regularly check the EU and UN sanctions lists and to ’have in place and effectively implement internal controls and procedures to ensure compliance arising from this act and any relevant European Union or United Nations resolutions.’
Obviously, breaches of this Act attract fines.