The common AML weaknesses identified by FIAU visits at Notaries Public
12 July 2021
John Caruana
Author:
12 July 2021
Notaries Public are considered as a ‘subject person’ under the Prevention of Money Laundering and Funding of Terrorism Regulation since they may provide a ‘relevant activity’ as defined by the same regulation. Notaries Public have a lot of importance to the Maltese Anti-Money Laundering regime, since they are considered as one of the most prominent gate keepers on the island. With the National Risk Assessment, Moneyval and the FATF flagging issues with tax evasion, pressure is building up on Notaries Public to meet their legal obligations under AML laws and regulations.
Since 2020 to date, the FIAU published 7 administrative measures in relation to Notaries Public. Some of these administrative measures also involved an administrative penalty. Without going into the merit on whether the respective Notary Public, some of which are mentioned in the reports due to the fine exceeding EUR50,000, have truly been in breach of regulation, the article will examine the findings published by FIAU within these 7 reports with the aim to assist similar Notaries Public to self-examine their internal AML processes and take action if required. One should also note that some of the penalties published are being appealed in court.
What were the main failures or issues found?
The main failures identified were:
Failure to provide requested information to FIAU in a timely manner
Issues related to the Business Risk Assessment
Issues related to the Customer Risk Assessment (AML Risk Model)
Issues related to the Customer Acceptance Policy
Issues related to the identification and verification of customers
Issues related to policies and procedures
Issues related to Country Risk Assessments
Failure to provide the requested information to FIAU in a timely manner
The regulation clearly states that a subject person shall provide the requested information to the FIAU in a timely manner and within specific deadlines, some of which may be very short term. The FIAU will be testing the Notary Public’s internal processes, including record keeping, to ensure that he or she is following regulation related to record keeping, especially when it comes to the obligation to keep records for 5 years following the end of the occasional transaction or business relationship.
There were instances where the FIAU noted that requests were not honoured, which indicates the possibility that the Notary Public did not have in place organised filing of customer files or records. The organisation of customer files is of utmost importance for any subject person. The files should be available to the subject person and the MLRO, who can easily provide such information to Authorities upon request. This is also helpful when it comes to filing the yearly Risk Evaluation Questionnaire (REQ). The upkeep of an active and inactive client list is also considered a must. The Notary Public shall therefore ensure that such list is kept updated when a ‘relevant activity’ is provided.
Issues related to the Business Risk Assessment
A common issue across all subject persons seems to be in relation to the Business Risk Assessment (BRA). The BRA is an important document and should not be considered as an ‘over-the-shelf’ document provided by a third party. When performing BRAs as independent and outsourced consultants, we analyse the business-specific risks that the Notary Public is exposed to.
The FIAU reports indicated that in some cases the BRA was inexistant and some of the Notaries Public did not even know that they are required to have this in place. In other cases, the BRA lacked the required information and certain weaknesses were identified within the same.
Through our experience as AML consultants, we experienced similar shortcomings across the industry. The main issues are usually related to either not having a BRA in place or having a very weak BRA. The BRA should be detailed depending on the size and activity of the business. Nevertheless, the BRA should always contain at least:
A description of the business and its activity
Identification of all the ML/FT risks the business is exposed to
Identification of the mitigation techniques applied to mitigate against such risks
The testing of the mitigation level
Numerical and statistical figures of the Notary Public’s customers (and past customers)
Definition of how the inherent risk is being calculated, including the interpretation of the statistical figures which indicates the likelihood of a scenario taking place and the impact of such scenario on the business
Calculation of Inherent and Residual risk
Concluding remarks.
Issues related to the Customer Risk Assessment (CRA) / Risk Model
The FIAU identified issues with several reports on Notaries Public when it comes to the Customer Risk Assessment. In certain cases the FIAU flagged that a CRA was not being conducted, in other cases certain weaknesses were identified within the risk model of the Notary Public.
Apart from being a legal obligation to have a CRA and apply the same on all customers, the Notary Public should understand the importance of such application. Without a CRA in place, the Notary Public can never apply a risk-based approach, meaning that precious resources will not be focused when and where required.
A Customer Risk Assessment should have at least 4 main pillars, namely,
Customer Risk
Service Risk
Channel Risk
Jurisdiction Risk
Whilst some CRAs will have these in place, in some cases we examined as independent consultants, the logic or application of such model had issues. One must highlight the importance of having a working and balanced CRA. If your CRA has issues, this would result in:
Incorrect statistics
Incorrect risk assessments
Incorrect REQ
Incorrect BRA
Incorrect application of Enhanced Due Diligence
Other indirect issues
Furthermore, FIAU also noted in some cases where Jurisdiction Risk Assessments were not being performed. This is a regulatory obligation for Notaries Public to have in place, especially if they are exposed to third countries. The Jurisdiction Risk Report will identify in detail the risk of such jurisdiction and how such risk will be reflected within the Notary’s CRA.
We therefore encourage Notaries Public to revisit their CRA and ensure this is in line with regulation as there will be a ripple effect should an issue is identified within such CRA.
Issues related to Client Acceptance Policies & other AML Policies and Procedures
Another set of shortcomings and/or breaches identified by the FIAU during their compliance visits at Notaries Public were related to policies and procedures, including the Client Acceptance Policy. Having written policies and procedures in place is not only a regulatory obligation, but it protects your business from human error or misunderstanding of internal processes.
The AML Manual should identify not only the usual definitions of the regulation, but also the internal processes the Notary Public has in place on a daily basis. Thus, it is important that the AML Manual is not an off-the-shelf purchase, but it reflects the Notary Public’s real processing and is updated as required.
The Client Acceptance Policy is also of fundamental importance to all subject persons, especially Notaries Public. The policy should identify which customers the Notary will accept, others that EDD will always be applied, and other types of customers that will always be rejected.
For example, the Client Acceptance Policy should identify whether the Notary Public shall accept a customer who has been found guilty of a criminal offense. Will the Notary Public deal with customers who are exposed to adverse media? Will the Notary public deal with PEPs? Will the Notary Public service customers found guilty of a financial crime? Or will the Notary Public service a customer currently being investigated by an Authority or the police? These are sample questions that should be tackled through such Client Acceptance Policy. Such policy should also clearly define the Customer Risk Assessment of the Notary Public amongst other matters as clearly defined by the implementing procedures (part 1).
Issues related to the identification and verification of customers
Apart from being a legal obligation to identify and verify customers and their UBOs who are being provided a relevant activity, one needs to appreciate the importance of such identification and ‘knowing your customer’. Only through such process the Notary Public can understand the risks that he or she is being exposed to if servicing such customer. Throughout their reports, the FIAU identified weaknesses in this area, where in some cases the Notary Public failed to understand and examine the corporate structure behind a corporate customer.
Issues related to the identification of agents and ensuring these are authorised to represent the customer were also identified. Furthermore, a common issue identified was in relation to the Source of Funds and Source of Wealth of the customers and/or the UBOs. Understanding the source of funds and the source of wealth is part of the KYC that is required for the Notary Public to establish a profile on the customer and understand whether such profile makes sense with the purchase or sale of property being undertaken. Issues in relation to purchase with cash was also identified in one of the cases. In such a case, the Notary Public failed to establish the source of funds from such cash transaction, which by nature is a high-risk type of transaction.
Conclusion
One may visit the FIAU’s website to analyse in more detail these findings, by clicking on https://fiaumalta.org/enforcement-process/#Administrative-Measures. As noted earlier in this article, Notaries Public are considered as gate keepers when it comes to AML/CFT. Money Launderers usually use immovable property as part of their strategy to launder money being derived from financial crime. It is only through effective AML/CFT procedures that these ML/FT risks would be identified, mitigated and minimised at such an early stage, that is, before the transaction to transfer immovable property (or similar types of assets) is concluded.
If you are a Notary Public and have concerns about your AML obligations, feel free to contact our dedicated team of AML Professionals, in strict confidence, to discuss further. You may contact us on compliance@radixmalta.com.