Money Laundering - Are you at risk?
Interim Partners and the Institute of Interim Management recently co-hosted an evening seminar to provide an Introduction to the Money Laundering Regulations 2007 (MLR). This is important legislation which will affect a significant number of Interims, and as the penalties for non-compliance can include criminal convictions entailing unlimited fines and/or prison sentences, it cannot be ignored.
The principal speaker for the evening was Tom Brass, Deputy Chairman of the IIM, who has followed the progress of this legislation from its initial beginnings as an EU draft Directive in early 2004, through to its implementation into UK law on 15 December 2007. There follows a summary of Tom's presentation.
Background
Part of the Government's strategy in countering crime is to detect, deter and disrupt the perpetrators by attacking the transactions which they need to undertake to walk away from a crime with 'clean' money. This strategy also addresses terrorist financing - money is often raised in a friendly country, and then moved to, and spent in, the country where the terrorist act takes place.
Contrary to the public perception, money laundering is not just about serious organised crimes such as drugs/people trafficking, arms smuggling, and so on. It also covers all 'acquisitive' crime, from simple street mugging, through theft, burglary, robbery and mugging, to the more 'white collar' crimes of fraud and forgery, bribery and corruption, tax evasion and false accounting.
The fact that certain Interims are now within the MLR does not mean that they are suspected of participating in criminal activities or of being terrorists. Far from it - they are included in the MLR because their business activities as Interims put them in responsible positions at their clients, where they are able to recognise potentially criminal transactions and blow the whistle to law enforcement. Whilst there are criminal penalties in the MLR for Interims to fall foul of, they are there as 'back stop' for use by the regulators against those who persistently ignore, or fail to take seriously, their obligations to help law enforcement in this way. The penalties are not there as a stick to be used by the regulators just because they can.
The Regulated and their Regulators
Interims who fall under the MLR are those who, on a business to business basis, are accountancy services providers (ASPs) or are Trust & Company Service Providers (TCSPs):
- ASPs are those who provide accountancy services or tax advice to the client, regardless of seniority. Accountancy services include bookkeeping, preparing management/financial accounts, business plans, profit/cash budgets or forecasts, due diligence, transaction advice etc. You do not have to be professionally qualified to provide these services.
- TCSPs are those who act as a director or quasi-director (ie as a de facto or shadow director) in any capacity at the client - all disciplines count, whether financial or non-financial (so CEO, CFO, sales/marketing, HR, IT, production, logistics/distribution, etc are all included).
- You also fall within the TCSP definition if you act as company secretary, even if not a director.
If you fall under the MLR because you are an ASP or a TCSP, you will be supervised for compliance by a regulator. If you operate through a firm (usually a company (PSC)), it is the firm which is supervised, not you.
The general rule is that if you carry on business as an ASP or TCSP, you must make adequate arrangements to register for supervision, or you will be trading unlawfully - which carries a penalty of an unlimited fine and/or two years in prison. Such arrangements will depend on your circumstances, as follows:
- If you are a member of an approved professional accountancy body and are subject to its practice assurance arrangements because you have a practising certificate, it will be that body which acts as supervisor and you do not need to take further steps on registration. That said, if you operate through a firm, it would be wise to ensure that the relevant body recognises that not only you, but also your firm, is subject to its practice assurance scheme.
- If you are a member of a professional body but you do not currently have a practising certificate and so are not subject to practice assurance, you should nevertheless be able to contract in to its money laundering supervision arrangements on a voluntary basis, if you so wish. If however you decide not to contract in to your professional body's arrangements, you will, by default, be subject to supervision by HMRC.
- If you or, if relevant, your firm are not subject to supervision by a professional body, you are by default regulated by HM Revenue & Customs (HMRC) and must register with them.
For TCSPs (but not ASPs), the process for registering with HMRC includes a 'fit & proper' test. This is not a test of competence, but looks at a series of negative tests. If it is your PSC which is supervised, the 'fit & proper' test is applied to those responsible for the direction and control of the PSC (principally, the directors and shareholders).
Forms to register (MLR 100 and MLR 101, together with explanatory notes) can be downloaded from the HMRC MLR website www.hmrc.gov.uk/mlr.
As mentioned, you must have adequate arrangements in place for supervision before you commence an assignment as an ASP or a TCSP, else you will be trading unlawfully. Bearing in mind the 'lead time' to achieve registration (45+ days in the case of HMRC), a protective registration may be advisable, because a client won't want to wait for you to achieve registration before you start your assignment.
There is a dispensation for those TCSPs already in business on 15 December 2007, in that they may continue trading until such time as their application for registration has been dealt with by HMRC, provided the application has been received by HMRC before 1 April 2008.
There is a more generous dispensation for ASPs, in that they must be registered by 1 October 2008 or within 6 months of commencing trading. ASPs who also act as company secretaries should note that this activity makes them a TCSP, so they must comply with the shorter TCSP deadline.
Obligations under the MLR
The principal obligations (other than registration) under the MLR require those subject to the MLR to establish risk-based policies and procedures to achieve certain objectives. For Interims who are ASPs/TCSPs, the key objectives are:
- Customer due diligence (CDD)
- Ongoing monitoring of customer transactions
- Keeping records of CDD and monitoring for the life of the relationship, plus 5 years
- Training yourself and, in the case of firms, your staff in relevant law and in the methodologies used by money launderers/terrorism financiers
- Reporting suspicious transactions on a timely basis to the Serious Organised Crime Agency (SOCA) - via the firm's money laundering reporting officer (MLRO), in the case of a firm.
The policies adopted must be written down, as must the facts and rationale for all decisions taken in accordance with them. This will be your defence against prosecution if anything goes wrong - under a risk-based approach, the authorities expect instances of failure, but will only excuse them if they can be shown to have occurred despite a well-reasoned policy to assess and manage the money laundering risk which has been followed in practice.
For the Interim, the 'customer' to be subjected to CDD and ongoing monitoring is the end user client, not any intermediary Provider agency. The purpose of CDD and ongoing monitoring is to be reasonably satisfied that clients are who they say they are, to know whether they are acting on behalf of one or more other third parties, and to assist relevant law enforcement agencies, by providing available information on customers or suspicious transactions. Best practice suggests that appropriate CDD probably includes:
- For individuals, establish and verify their identity, date of birth and current address by reference to independent documentation (eg passports, utility bills etc)
- For companies, check their registration at the registry, establish the names of current directors and consider verifying the identities (as for individuals) at least of those who control bank accounts/assets, establish the group structure, establish the identity of every person who is an ultimate beneficial owner of more than a 25% interest (so if the shares are held by a trust, you need to know who the trust beneficiaries are).
The MLR set out various occasions when CDD must be carried out, which include when the client relationship is established, and when money laundering is suspected. If the client is unwilling to provide whatever information is thought by you to be necessary in the circumstances for adequate CDD, the MLR require you to 'walk away' and consider making a report to SOCA.
CDD of individuals can be carried out electronically from information held on third party databases rather than by inspection of documents, and this can be done by an agent paid for by you, and acting on your behalf. If CDD is done electronically, the individual's permission is not required under Data Protection legislation, but they must be informed. It is probably sufficient to include a clause in the assignment contract to the effect that you are subject to the MLR and may be required to obtain evidence of identity of some or all of the board members from time to time.
Where a client is introduced to you by someone else who is also regulated, CDD as to identity already carried out by that third party can be relied on by you if:
- The third party consents, and
- The third party is listed in Reg 17(2).
It should be specifically noted that this list does not include Providers even though they are also regulated, so an Interim will have to duplicate work already done if he/she is introduced to a client by a Provider.
Even if a third party can be relied on, you retain liability for achieving CDD in respect of your client, so you must be able to arrange for production of the CDD records by the third party, if required by law enforcement.
The MLR recognise that there are certain circumstances where it may be permissible to do simplified due diligence, and circumstances where enhanced due diligence should be performed:
- SDD is usually suitable where you are dealing with a listed company or UK/EU public body, but you should check the MLR to ensure the conditions are satisfied
- EDD requires extra procedures where the client is not physically present to be identified, or where a non-UK/EU Politically Exposed Person (PEP) is involved. In the latter case, particular care must be taken to identify the PEP's source of wealth and/or funds, to ensure it has not come as a result of corrupt practices or other criminal activity.
Reporting to SOCA
If you know, suspect, or have reasonable grounds to know or suspect that a person is engaged in money laundering and/or terrorist financing, you must make a report as soon as practicable to SOCA. The persons about whom you are required to make a report, if relevant, are not limited to the directors of the client, or indeed to the client - they can include anyone, provided the information comes to you in the course of your business dealings.
Suspicions are more than mere speculation ("he is a scrap dealer, all scrap dealers are criminals, he is a criminal" is not suspicion). However, provided you have a basis for your suspicions, you do not need to identify the crime or gather sufficient evidence to enable it to be proved in a court of law - that is for law enforcement once you have made your report. The 'reasonable grounds' test in the reporting requirement means that you cannot turn a blind eye where a reasonable person would have suspicions - and if you do turn a blind eye, you may become implicated in the transactions as having aided and abetted them.
If you are a sole trader with no employees or associates, you report direct to SOCA. If you operate through a firm, you must appoint someone internally to be your MLRO; the reporting line then becomes: member of staff with suspicion > MLRO > SOCA.
Suspicious Activity Reports (SARs) to SOCA can be made in hard copy using their forms, but SOCA prefers electronic reporting using SAR Online (www.ukciu.gov.uk/saronline.aspx).
If a suspicious transaction is being planned or is ongoing when you find out about it, when you make your SAR to SOCA, you may ask SOCA for consent to allow it to proceed. SOCA will not volunteer consent unless you ask. If you ask for consent, SOCA has seven days in which to refuse consent, and if you hear nothing in that time, consent is deemed to be granted. If SOCA denies consent in the seven day period, the authorities then have a further 31 days in which to take action; if you hear nothing during the 31 days, again consent is deemed to have been given. The granting of consent is a defence to a charge of money laundering against you on the grounds that you aided and abetted the transaction. If consent is not granted, you must not do anything to assist in the transaction, and you should consider whether you should resign from the assignment.
After you have made a SAR to your MLRO or to SOCA, you must not tip the relevant person off that a report has been made about them. You should not therefore tell anyone that the report has been made, in case the news gets back to the person via a third party. The offence of tipping off is narrow - you can say to the person, "I think this is wrong"; you can't say, "I think this is wrong and I've reported it to SOCA."
Disclaimer
This summary is intended only as background information and should not be relied on as an accurate or full statement of the relevant law. More detailed guidance notes (MLR 8) have been prepared by HMRC, and these are available from its MLR website referred to earlier.
Points of detail should always be confirmed or clarified by reference to the relevant law - principally the Money Laundering Regulations 2007, the Proceeds of Crime Act 2002, and the Terrorism Act 2000, as amended - and legal advice obtained where necessary.
© IIM 2008