The Draft CCAB Guidance is here!
The long-awaited draft CCAB guidance ‘Anti-Money Laundering and Counter-Terrorist Financing Guidance for the Accountancy Sector’ has now been published. In spite of, the January 2020 date on the front cover be assured that is was only published this month, on 4 September to be precise! As this will become the formal guidance against which an accountant’s compliance with the Money Laundering Regulations will be measured it requires approval from HM Treasury and this is still in progress. Until the guidance is approved by HM Treasury, who may well require changes, it cannot be considered final.
In this article we will examine some of the key changes, most of which we have already discussed to some extent when looking at the changes to the Regulations that came in on 10 January this year as a result of implementation of the 5th Money Laundering Directive.
Defined services
The draft guidance talks about defined services that is those services provided by accountants that bring them within regulation. The one area where this has changed is the inclusion of indirectly provided tax services.
We have received queries regarding this area, especially in relation to tax services provided online. The draft guidance specifically states that ‘where a business is providing tax services through virtual or automated services the business is providing defined services.’ Where the business is the provision of software only it will not be a defined service but as soon as there is some involvement in entry of data or advice on interpreting the output, it will become a defined service and therefore within the Regulations. It states that you should look at the amount of human input that is required once the software has been provided and gives the example of a business that develops software that identifies a contractor’s IR35 status and calculates the tax due. If the business supplies the software and that is all, it will not be a defined service. If it supplies the software and support on interpreting the output, it will be.
Reporting discrepancies in PSC information
As you are aware the amended Regulations brought in from 10 January 2020 the requirement, for companies and LLPs, to report discrepancies in what you know about your client and what is included in the PSC information included on the register at Companies House. This requirement will also come in for trusts from 10 March 2022 with the Trust Registration Scheme at HMRC.
The draft guidance brings in a new section looking at this reporting requirement.
It states that you are only required to report any discrepancy when you initially on board the client and do not need to monitor this on an ongoing basis. It also says that discrepancies should be reported as soon as reasonably practicable and interprets this as within 30 days. This may of course be subject to change by HM Treasury. If the client were to correct the position within those 30 days, there would be no requirement for a report. It does state, however, that if you interpret the discrepancy as in intentional choice to mislead consideration should be given to the veracity of other information provided by that client.
BOOMs
A new section has been added to the guidance dealing with BOOMs, Beneficial owners, officers and managers. (Managers are just those in a managerial position re AML such as the MLRO). This has not previously been dealt with in the guidance.
Definitions are provided of who would be a BOOMs. All BOOMs must be approved by their professional body and a part of this process is confirming that they are fit and proper and do not have unspent criminal convictions. As such all BOOMs should have undergone a basic DBS check which will be retained by the firm. If a BOOM is later convicted of an offence the professional body should be notified within 30 days. Any new BOOM should expect to submit evidence of their criminal record, or lack of one, in the form of a basic DBS check as a part of their application.
Risk assessment
There is no change to the risk-based approach however additional guidance has been issued and some new risk flags detailed. The guidance now talks in terms of ‘client activity’ and states that firms should have policies and procedures in place to monitor and scrutinise client activity to ascertain the risk of the client being involved in money laundering or terrorist financing activity. Firms should specifically consider whether the activity is unduly complex, disproportionately large or lacking in commercial rationale.
There is additional guidance looking at when firms introduce new services, products, business practices or technologies and the MLTF risks that might be associated with this. For example, we have worked with a number of firms that have offered probate as a new service or perhaps offer R&D tax consultancy. Where a new defined service is offered (one that is a regulated service) the risks of MLTF should be ascertained and the firm’s firmwide risk assessment should be amended accordingly. Where new business practices or technology are introduced the draft guidance states that you should consider how that might increase MLTF risk perhaps through enabling more anonymity and also consider what systems and procedures would be required to mitigate that risk.
A section has been added looking at where firms outsource their customer due diligence however our experience is that most firms are doing this for themselves.
Where firms deal with clients that are established in or transact with foreign countries the draft guidance now recognises that risk may be different for those firms that deal a lot with those countries and those that deal infrequently with them as the level of understanding of those jurisdictions may be different.
At a client level the draft guidance includes questions that must be considered as a part of the individual client risk assessment. These are:
- Why has the client chosen to use you?
- Has the client asked to engage with you in an unusual manner?
- Does the transaction align to the client’s normal business activities and planned strategies?
- Does the transaction make commercial sense?
- Is the identity of other parties to the transaction clear?
Other considerations relate to whether intermediaries are being used and if so whether they are being used to obscure beneficial ownership.
New individual customer high risk factors have been added. These are:
Customer risk factors
- The customer is a beneficiary of a life insurance policy;
- The customer is a third country national who is applying for residence rights or citizenship of an EEA state in exchange for transfers of capital, purchase of a property, government bonds or investment in that EEA state.
Product and services risk factors
- There is a transaction related to oil, arms, precious metals, tobacco products, cultural artefacts, ivory and other items related to protected species, and other items of archaeological, historical, cultural and religious significance or of a rare scientific value.
Customer Due Diligence
One small but significant change in the new draft guidance is that when looking at monitoring the client relationship it states this ‘must’ be done rather than firms ‘will be expected to undertake’ it. It is clear that ongoing monitoring is essential and there is no room for interpretation now it must be done.
The guidance has been updated to reflect the changes that came in in January 2020. Where there are no interpretation details I am not going to go into any detail here as we have dealt with these in previous newswires. They include details of what is to be done where the ultimate beneficial owner is not known and you treat the most senior person responsible for operations as the beneficial owner and the enhanced due diligence required where the client is established in or transacts with high risk jurisdictions.
The guidance has also been updated to reflect the fact that electronic data is now an acceptable means of verification provided it is sufficiently robust, secure and free from fraud or misuse.
One of the key changes in the guidance is to provide clarification as to what level of verification is acceptable when looking at a company or LLP and the directors within that entity. The guidance suggests that for normal risk clients you only need verify the director who is the key client contact and that verification of additional directors should be undertaken for higher risk entities. You would still need a complete list of the directors it is the verification that is potentially reduced in volume. It will be interesting to see if this is changed after the HM Treasury review.
Similarly, verification of beneficial owners should be undertaken on a risk-based basis.
Reporting
Much of the guidance on reporting remains unchanged. There is however emphasis in this draft guidance that it is not only issues to do with your clients that are to be reported. If you come across money laundering or terrorist financing, during your work in providing defined services, no matter who it involves you should report.
There is a little more guidance on what constitutes a suspicion. The guidance reads “suspicion does not require document-based evidence, it may be a particular fact pattern, a series of red flags or general observations that cause concern.”
The other change in the reporting sections is to move from talking about ‘consent’ reports to DAML reports. DAML stands for Defence against Money Laundering. This terminology replaced the old consent regime and has been adopted in the guidance. DAML only applies to the three primary money laundering offences, it does not apply to tipping off and failure to report. Whilst most DAML requests will be either granted or denied the NCA have introduced a third category of response which is that they will neither grant or refuse a DAML request. The draft guidance states that if you receive a neither granted or refused response you should consider carefully how you wish to proceed with the activity that is flagged up as of concern. You may wish to consult with your professional body or take legal advice before proceeding.
Unlike training, with reporting, per the draft guidance, it will be up to firms to determine whether they expect subcontractors to follow their reporting policies and procedures. They should however make their expectations known to the subcontractors.
Record keeping
As before customer due diligence records must be kept for five years after the end of the business relationship or after an occasional transaction. At the end of that period the draft guidance emphasises that the records must be destroyed unless there is a valid basis for retaining them. Firms will need to ensure that they have procedures in place for identifying records that should be destroyed.
Training
The sections regarding training have been updated to reflect the need for agents i.e. subcontractors to be included within your training programme and assessment of the adequacy of training undertaken.
An agent is defined as “any person who, whilst not an employee of the business, is engaged to carry out work or provide services on its behalf. In general, an agent is likely to carry out such work or services under the supervision of the business. The work or services will be closely integrated with those carried out by the business itself. The agent will frequently be working closely with employees of the business.” So, it is clear that this will include sub-contractors working for the firm and you will need to ensure that they are included within your training programme or can prove that they have done adequate training elsewhere.
The draft guidance reiterates that training needs to be given commensurate with the work undertaken and that one size will not realistically fit all. So, the firm might provide different training for the support team and the audit team for example.
There is also a specific requirement now that training should cover:
- The requirement for customer due diligence and ongoing monitoring;
- When to make an internal report and how to do so;
- How to deal with client activity that might be related to money laundering or terrorist financing.
Customer due diligence and data protection
Guidance has been added regarding data protection requirements and due diligence. It states that data subjects must be made aware of the data that will be collected about them and why. Firms must not use this data for any other purpose without the client’s permission or as required by law.