Wednesday 14 February 2018

A Quick Update on AML Activity

The FCA has a guide for small firms on dealing with and mitigating the risk of financial crime. It can be found here. In it they provide examples of good practice for sanctions systems and controls.

The FCA has previously carried out a thematic review of financial services firms' approach to UK financial sanctions, where it found that many small firms were unaware of the financial sanctions regime and those who were aware had misconceptions about it. It is my understanding that the FCA is now doing another review on the theme, presumably as a follow-up.
They have suggested that it is useful to consider the following facts about financial sanctions:
  • Standard anti-money laundering checks do not screen clients against the HM Treasury (HMT) list. Firms should not confuse HMT’s financial sanctions regime with anti-money laundering procedures.
  • Financial sanctions apply to all transactions, there is no minimum financial limit.
  • Politically Exposed Persons (PEPs) are not necessarily financial sanction targets.
  • Most listed individuals and entities are aware that they are on the HMT list, which is publicly available. The issue of ‘Tipping off’ (as set out in the Proceeds of Crime Act 2002) should therefore not generally arise.
  • HMT’s financial sanction regime is not the same as FCA enforcement action. HMT is responsible for implementing, administering and enforcing compliance with the financial sanctions regime.
The FCA have indicated that it is good practice to check:
  • your existing clients against HMT’s list
  • all new customers prior to providing any services or transactions
  • any updates to the HMT list
  • any changes to your client’s details (this would only really apply to a mortgage broker where the client has come back for a new product)
Final points to note are that even providing financial advice can be a breach. It is good practice to include directors and beneficial owners of corporate customers in your checks where applicable.
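As an added illustration (not from the original post) of the four checking triggers listed above: screening a name against a constructed sample list in the style of the HMT consolidated list, including directors and beneficial owners, and deciding when an existing client needs re-screening because the list has been updated or the client's details have changed. The sample list, the `Client` class and all function names are assumptions made for this example.

```python
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sample list in the spirit of the HMT consolidated list (not real data):
# each entry has a primary name and aliases; the version changes on every list update.
SAMPLE_LIST = {
    "version": "2018-02-14",
    "entries": [
        {"name": "Example Person One", "aliases": ["E. Person-One", "Exämple Persón One"]},
        {"name": "Sample Holdings Ltd", "aliases": ["Sample Holdings Limited"]},
    ],
}

def normalise(name: str) -> str:
    """Casefold, strip accents and punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9]+", " ", text.casefold())
    return " ".join(text.split())

def screen_name(name: str, sanctions_list: dict) -> list:
    """Return the primary name of every list entry whose name or alias matches."""
    target = normalise(name)
    hits = []
    for entry in sanctions_list["entries"]:
        candidates = [entry["name"], *entry["aliases"]]
        if any(normalise(c) == target for c in candidates):
            hits.append(entry["name"])
    return hits

@dataclass
class Client:
    name: str
    associated: list = field(default_factory=list)  # directors, beneficial owners
    screened_against: str = ""   # list version used at the last screening
    screened_details: str = ""   # normalised details at the last screening

    def details_key(self) -> str:
        return "|".join(normalise(n) for n in [self.name, *self.associated])

def needs_rescreen(client: Client, list_version: str) -> bool:
    """Re-screen when the list has changed or the client's details have changed."""
    return client.screened_against != list_version or client.screened_details != client.details_key()

def screen_client(client: Client, sanctions_list: dict) -> dict:
    """Screen the client and associated persons; record what was screened against."""
    hits = {n: screen_name(n, sanctions_list) for n in [client.name, *client.associated]}
    client.screened_against = sanctions_list["version"]
    client.screened_details = client.details_key()
    return {n: h for n, h in hits.items() if h}
```

Any non-empty result should go on file and to the firm's controller before the transaction proceeds; a match on an alias is still a match.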

Tuesday 13 February 2018

Are your clients Politically Exposed Persons?

There is, as a matter of routine and almost without fail, regular suggestion in the press of corruption amongst persons who hold public office or who act in some form of public capacity, whether these be heads of state, politicians or even senior managers in charitable institutions. Why only this week I was reading.....

It is pretty obvious that one of a number of popular destinations for overseas PEPs is the UK where funds obtained by dubious means can be used for investments in property, school fees for children and all those many other things that are associated with a lavish way of living.

As a mortgage broker, you are now required to conduct enhanced due diligence on politically exposed persons (PEPs). Although technically you are not covered by the FCA Handbook on money laundering, there is an expectation, and in all truth an insistence, that as part of your systems and controls for mitigating the risk of financial crime you will be addressing this issue.

You should be aware that the FCA appear to be conducting some form of thematic review of anti-money laundering activity in small firms and that this is part of the scope of that review. Lenders, who do have a specific obligation under the ML Handbook, also have a significant interest in how you deal with this matter when introducing business to them.

Firstly, who is a PEP?

A PEP is someone who within the previous 12 months has been entrusted by:-
  • a state other than the UK
  • a community institution, or
  • an international body,
and who fulfils one of the following public roles:
  • heads of state, heads of government, ministers and deputy or assistant ministers
  • Members of Parliament
  • members of supreme courts, or constitutional courts or of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
  • members of courts of auditors or of the boards of central banks
  • ambassadors, chargés d'affaires and high-ranking officers in the armed forces
  • members of the administrative, management or supervisory bodies of state-owned enterprises
PEPs will also include this person's family members and known close associates.

PLEASE NOTE THAT A UK MP IS NOT A POLITICALLY EXPOSED PERSON despite what you might think and their own credibility and public performances. If they are doing something wrong and it is illegal, then they are a criminal. If it is morally reprehensible then they are presumably something else. But they are not a PEP.

What do you need to do about PEPs?

Once you have established that you are dealing with a PEP, regardless of the size of your firm, you need to carry out the following:-
  • have senior management approval for establishing a business relationship with a PEP
  • take adequate measures to establish the source of wealth and source of funds which are involved in the business relationship or occasional transaction
  • conduct enhanced ongoing monitoring of the business relationship

What does this mean in practice for a small firm?

Even if you are the only person in the firm, you should ensure that the client file indicates clearly that the person is a PEP and that the controller of the firm (i.e. it may be you) has authorised the transaction to proceed. There is no prescribed text, but a date of action would also be useful.

You should also make sure that you are absolutely clear about where funds are coming from and where the income that is stated has been derived. Third-party evidence is good as long as it is valid and doesn't raise worries in its own right (e.g. a bank statement from a sanctioned country should raise alarms).

Where a PEP has been identified, however, you should also be undertaking a greater level of scrutiny. Searching the internet for the individual may turn up some evidence, as may a search of the website of the organisation that has entrusted responsibility to the person.

There are also other plausibility approaches to take. Given that the issues around mortgages will normally relate to income and deposit money, these should be interrogated fully. A full audit trail on deposit monies should be sought. Bank statements should be reviewed for suspicious transactions and, if any are found, don't forget to submit a SAR (Suspicious Activity Report) to the National Crime Agency (NCA). Does the income of the individual support the lifestyle evident in the bank statements that you have available? Are there any other assets of concern in the background?

A check on the HM Treasury sanctions list would be mandatory in any case, but I state the obvious because it is not always done.

Finally on this point is the matter of proportionality and risk. If you are operating in a market that is home-grown and local to you, where you know most of your clients and they either live within a stone's throw or are past clients who have moved away from the area, then the risk of exposure to PEPs is relatively low. However, it is never absent, and you should always be on your guard against unusual or unexplained external contacts, particularly introducers from outside your normal area.

If on the other hand you work in a niche that involves persons of non-UK origin or deals with highly paid employees of non-UK businesses or foreign governments or NGOs for example, then the risk of exposure is greater and you need to make sure that you are on permanent and heightened alert.

So how do you spot a PEP?

OK, so all seems fairly obvious so far, but the bit that everyone seems to skirt around is how to spot a PEP.

There are a number of providers out in the marketplace that state that they check various lists of PEPs, although I am not sure how such lists are compiled or who is accountable for them.

In my opinion, the easiest way to find out is to ask the applicants if they are PEPs. I don't necessarily think that it is of value to ask the question, "Are you, or anyone in your close family or associates, a Politically Exposed Person?" It may simply provide a self-fulfilling answer.

However, fact finding should be sufficiently robust to ask a number of questions such as:-

Do you, or anyone in your immediate family, hold any position with any of the following organisations (Such as a state other than the UK, a community institution, or an international body)?

If so, obtain Name and contact details on the entity.

What is the exact nature of your relationship with the entity above?

Here you should obtain, in their own words, the role that they carry out, their remuneration and a contact point from which to obtain verification. If another member of the family is involved then obviously you need the nature of the applicant's relationship with that person.

This information should be clearly evidenced on file together with a note from the firm's controller authorising the transaction to proceed.

PLEASE NOTE: I use the term fact finding. I am aware that some fact finds provided by various systems do not include such questions, but that is not relevant. What is relevant is that in your own fact finding and know your customer (KYC) activity, you record that you have asked and that you have gathered any relevant details.

Monday 12 February 2018

GDPR - Are you sending personal information outside the EEA?

Just a brief note on one possible concern about GDPR and personal data passing outside the European Economic Area (EEA).

You have to ask yourself a simple question. Does anything I do result in personal information belonging to someone else (e.g. clients) being passed outside the confines of the EEA?

Whilst most of us will answer almost immediately that it does not, you should consider again. What are your suppliers up to? In particular, what are your email servers and data backup services up to? Are you sure that stuff isn't going to the USA, or even Afghanistan for that matter? After all, we talk about storage in the Cloud, but hopefully none of us actually believe that it is somewhere in the sky above! Wherever it is, you can be certain that it sits on a storage device in a country somewhere.

Data Protection Principle 8, which applies now by the way and not just when GDPR comes in, states the following:-

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Exactly what constitutes an adequate level of protection is down to the European Commission. As far as I can establish, the European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection. Adequacy talks are ongoing with Japan and South Korea.

I do not know at the time of writing whether this list is up to date, as the EU source document was in fact undated.

For most firms, the most likely area of risk is the USA, partly because of giants like Microsoft, Apple and many social network sites. These guys have probably all subscribed to the Privacy Shield Framework. (Microsoft, Apple and Facebook have, for example.)

The risk is to establish whether, in the secret machinations of data manipulation, any suppliers of yours are using countries other than those above (or, in the USA, using firms that are not within the Privacy Shield Framework). How do you do that? You ask them, or you check on the Privacy Shield website.

The law states that you cannot send personal data to countries outside the EEA that are not recognised by the EU Commission or, in the case of the USA, under the Privacy Shield Framework. (A word of warning: the previous framework, Safe Harbor, was thrown out by the courts in 2016 and is no longer acceptable.)

GDPR will bring this legal requirement further into play, and so, as part of your preparation for GDPR, you need to give this matter some consideration.