finance_conference_-_compliance_combined.ppt
1. Compliance Agenda
Overview of Compliance
Lukasz Bohdan - Director of Assurance
Money Laundering and Sanctions
Briget Midwinter – Chief Cashier
Tax Compliance
Sally McKinlay – Head of Tax
2. How can we solve an issue like compliance?
Finance Conference
Lukasz Bohdan
Director of Assurance
24 November 2021
3. 1. Do we really have an issue and need to do something about it?
2. How can we tackle it: suggested approach and principles to guide
the work
3. We need to work together and prioritise what needs to be done
4. Emerging list of priorities
5. Next steps
Outline
4. We don’t truly understand the extent of the problem as our reporting and
assurance arrangements are underdeveloped but based on what we do
know…
• In some, although important (!) areas the University* is not compliant
with the law (e.g. GDPR, H&S) and its own policies and does not follow
current good practice (e.g. counter-fraud, whistleblowing), consequently:
• We are sitting on a number of risks which expose the University to a range
of significant/unpalatable consequences (see next slide)
What’s the issue we are trying to address?
* Here the University means the Group, i.e.
including subsidiary companies
5. • Financial losses (regulatory fines, compensation, loss of grant funding)
• Reputational damage
• Corporate and personal liability
• Impact on recruitment and retention
• Management time and costs of investigations, disciplinary processes etc.
• Uninsurable risk and/or higher insurance premiums
• Not able to meet funders’ requirements
• Regulatory intervention (e.g. ICO, CMA)
• Major Incident
So what if we do nothing? Some consequences…
6. Some suggested principles to guide this work
• Risk-based approach – focus on mitigating the greatest risks first, but mindful of the need to:
– work in partnership and distribute the necessary work between the centre v. divisions/departments/faculties
– consider other workload impacts on divisions and departments and timetable work accordingly
– start with the areas where there is support for action
• Doing it with you, not to you – engaging with divisions, departments, faculties and services. Where possible, use the existing
fora for engagement
• Make best use of resources – look at end to end processes and respective roles of central functions, divisions,
departments/ faculties
• Don't let the perfect be the enemy of the good – informed by good practice, but pragmatic, proportionate solutions that fit
Oxford’s context
• Subsidiarity – issues tackled at the lowest possible level
• Minimum standards – balance between consistency and local discretion
What are we going to do about this? Develop a
prioritised programme of work, mindful of
other competing demands
7. Registrar’s SLT agreed the following criteria
• Known high risk (on the University Risk Register or Principal Committees’/Divisional
Risk Registers and/or identified through internal audit/other assurance work) – e.g.
GDPR
• Divisional/departmental priority / support to tackle – e.g. GDPR, CoI, Export Controls
• Divisional/departmental capacity to tackle – i.e. absolute headroom and picking the
right time so this work fits around other things already going on
We need to work together and prioritise…
8. Risk, Compliance and Assurance areas in need of development
– with University-wide impact
Area | Priority | Impact on departments/divisions
International Collaboration, Security and Export Controls | M-H | L
Research funders’ conditions | H | H
Fraud, Anti-Bribery, Money Laundering, Whistleblowing | H | L
Health and Safety | H | H
Conflicts of Interest | M | L-M
GDPR | H | M-H
Research with people | ? | ?
Fundraising/donations | ? | ?
Global mobility – tax etc. | ? | ?
Cyber security | H | L-M
Business continuity (enabler) | M | M
Risk management (enabler) | H | L
9. • Core compliance: fraud, anti-bribery, Conflicts of Interest
• Data protection: actions in response to audit findings and priorities agreed with
Divisions
• Health and Safety: implementation of H&S Review recommendations
So where do we focus first…
10. • Central functions/services (e.g. Safety Office, Compliance) centres of excellence:
strategy; framework; policies; facilitate prioritisation; templates, guidance, step-by-step
protocols; support with low-frequency, high complexity cases; supporting central
governance (Committees); develop materials. Capability building and professional
networks. Commission, deploy and operate IT systems/tools. Making sure right
information is on the website/SharePoint etc. Then flow through:
• Divisions: leadership, support, conduit between the centre and departments/faculties.
Division-specific centres of excellence. Assurance over departmental/faculty activities.
Manage the complete picture of demand coming from ‘the centre’
• Departments/Faculties: local leadership: setting expectations; dealing with case work
(low complexity, high volume); investigations etc.
Roles and Responsibilities – all tiers part of a
seamless, networked whole..
11. • Further engagement with Divisions, HAFs, DAs and local champions to fine-tune the approach and agree timing
and priorities
• Pilot/implement the approach:
Tackle one issue a term (e.g. aspects of GDPR; export controls): first, the ‘centre’ develops the framework, tools,
templates, training etc. Next, take advice and test/pilot with a small group of departmental/faculty reps. Then, the
following term, we ask departments/ faculties/ services to tackle the issue (with the Divisions acting as a conduit,
supporting the work). Enabled by:
– Engagement with HAFs, local champions and senior academics (e.g. via Divisional Registrars and Divisional
GPCs)
– Upskilling people on the ground: professional networks; training; coaching etc.
– Termly ‘push’ with supporting materials (e.g. template emails, case studies etc.)
– Better processes and systems
Next steps
12. 1. Do you agree with the diagnostic and the need for change?
2. Do you have any comments on the approach?
Q&A
15. Money Laundering
Definition of Money Laundering:
– “Exchanging money or assets that were obtained criminally, for money or other
assets that are ‘clean’. The clean money or assets don’t have an obvious link
with any criminal activity. Money Laundering also includes money that’s used
to fund terrorism, however it is obtained.”
Legislation:
– Proceeds of Crime Act 2002 (amended by Serious Organised Crime and
Police Act 2005)
– Terrorism Act 2000 (amended by Anti-Terrorism Crime and Security Act 2001,
and Terrorism Act 2006)
– Money Laundering Regulations 2017
– Criminal Finances Act 2017
18. What to look out for…
• Large cash payments
• Complex company structures/shell companies
• Having paid up front, student then withdraws and asks for a
refund, possibly to a different account
• Overpayment received, then a refund requested
• Unexpected cash payments direct to the bank
• Payments to/from ‘high risk’ countries
• Children/relatives of PEPs or sanctioned individuals
• Lack of supporting documentation/due diligence
• Payments from seemingly unrelated 3rd parties
20. Risk mitigation measures
• Reject cash for student/course fees/invoices etc.
• Only accept payment by electronic means (e.g. bank to
bank transfer, or credit card etc.), a method with a
transparent and readily identifiable audit trail
• Always verify source and evidence of the origins of
funds
• Apply Enhanced Due Diligence when funds originate
from (unknown) third parties, or through shell
companies etc.
• Extreme care when dealing with refund requests
22. Which countries should we be concerned about in relation to sanctions?
23. Sanctioned countries
BROAD SANCTIONS
• North Korea – banks will not facilitate any payments (directly
or indirectly) to/from
• Iran – have to seek permission from the bank prior to
making or receiving a payment. Unlikely to be approved.
NARROW SANCTIONS
• Other countries – Seek advice before making or receiving a
payment: Cuba, Syria, Crimea, Venezuela, Sudan
• Care needed: Russia, Afghanistan, Myanmar, Belarus (and
others)
25. Due diligence
“Due diligence is the investigation or exercise of care that a
reasonable business or person is normally expected to take
before entering into an agreement or contract with another
party”
Should be undertaken when accepting
• Donations
• Research
• Student/Course Fees
• Taking on new customers/suppliers (KYC)
See AML web page https://finance.admin.ox.ac.uk/anti-money-laundering-guidance
26. University responsibilities
• Customer/supplier ID procedures (KYC) – due diligence
• Reporting suspicious activity
• Policies/procedures in place
• Maintain suitable transaction records
• Effective internal controls in place
• Appropriate training for staff
• Awareness – spreading the word
27. Where we are now
• Money Laundering Guidance available on web
– https://finance.admin.ox.ac.uk/anti-money-laundering-guidance
• Due diligence on donations/research sponsors
• RCA Network
• Reacting to Barclays’ requests for information
• Students - Financial Declaration form
• PWC Internal Audit
30. The Brief
“Update on emerging risks including an overview of the approach
being taken by the University to manage compliance issues, and a
focus on tax compliance, money laundering and sanctions.”
31. The Tax agenda
• Tax strategy
• Tax fraud – Criminal Finances Act
• The University tax compliance list
• VAT compliance
• Imports/Exports
• Global Mobility
32. The Tax Strategy
Tax Strategy – been through Finance Committee and GPC – annual process
https://finance.admin.ox.ac.uk/files/taxstrategy2021pdf
The Tax Strategy has four core objectives:
(1) To comply with mandatory tax, compliance and reporting requirements;
(2) To manage the tax risks and opportunities arising from routine operations;
(3) To support furtherance of the University’s charitable objectives.
(4) To communicate and coordinate with HMRC, where appropriate
33. The Tax Fraud – Criminal Finances Act
Tax Fraud Policy – approved by GPC
https://finance.admin.ox.ac.uk/criminal-finances-act-2017#collapse2172066
Self-assurance questionnaire – please be aware
Training video
https://finance.admin.ox.ac.uk/criminal-finances-act-old#tab-1165416
34. The University’s central compliance list
• VAT returns – VAT group and single registrations
• Corporation Tax returns – 33 annual returns (inc LLPs and JVs)
• SDLT returns (land acquisitions)
• International payrolls (currently 8 soon to be 11)
• UK payroll – Charlie Morgan and his team
35. VAT compliance – an opportunity
• Robust financial systems – changes put through Oracle
• Legislation changes and case law develops
• HMRC rulings – opportunities
For example:
- Definition of medical substances used for medical research
- Software used for medical research
36. Imports/Exports – big issue
Imports increased to £24m per annum
Exports increased to £9.2m per annum
Freight agents struggling with the volume
Many errors being processed by agents
Practical guidance
37. A Brief Recap
• International working refers to University staff who conduct their
work – for all or part of the time – overseas, including: fieldwork and
research, working remotely, sabbaticals, etc.
• It is important the University (and its staff) are compliant with laws
and regulations in the overseas location. This includes, but is not
limited to:
• Immigration
• Tax
• Social security
• Employment Law
• Pensions
• Insurance
38. University Policy
• The University has had a policy in place to manage International
Working requests since March 2021
• The fundamental aim of the policy is to ensure departments with
overseas staff are fully compliant across our key risk areas
• Approval is required from the Head of Department or Head of
Division before the arrangement goes ahead
• There is a 90-day threshold; minimal action is required below this
threshold for practicality reasons, but departments should still be
wary of the potential risks
• The policy criteria consider different scenarios and some common
tax and social security exemptions (such as the ‘183 day rule’)
39. New Shadow Payrolls
Where an overseas tax and/or social security obligation exists, often
the University will be required to register a ‘shadow payroll’ in that
country to facilitate contributions. The payroll does not deliver any net
pay to the employee.
Active
• Australia
• Belgium
• France
• Germany (x2)
• Netherlands
• Norway
• Spain
Setup in Process
• Austria
• Ireland
• Italy
• Sweden
• USA
No Payroll Required*
• India
• Japan
• Malta
• New Zealand
• Switzerland
• Etc…
Today: do we agree it’s worth tackling it; and
Broad approach
It will only work if we work collaboratively
Assurance Directorate: framework; facilitate prioritisation; templates, guidance, step-by-step protocols; support with low-frequency, high complexity cases; supporting central governance (Audit and Scrutiny Committee etc.); develop materials. Making sure right information is on the website. ‘Connect the dots’ at the centre and streamline/integrate processes. Then flow through:
Divisions: leadership; support; conduit between the centre and departments/ faculties. Manage the complete picture of demand coming from ‘the centre’. Support piloting solutions.
Departments/Faculties: local leadership: setting expectations; dealing with case work; investigations etc.
Other central services: engagement via the Risk, Compliance, Assurance Network to align solutions and streamline the ‘asks’ of the frontline; investment in supporting systems (e.g. IT); support with tackling root causes of issues and with the change programme (e.g. Focus)
BRIDGET
Concealing = knowing or suspecting a case of money laundering, but concealing or disguising its existence.
Arranging = becoming involved in an arrangement to launder money, or assisting in money laundering.
Acquisition, use or possession = benefiting from money laundering by acquiring, using or possessing the property concerned.
3rd party offence = failure to disclose one of the 3 offences detailed above.
Associated offences –
Failure to apply customer due diligence
Failure to apply ongoing monitoring
Failure to keep required records
Continuing with a relationship despite being able to apply due diligence
Disclosing information to a person, which is likely to prejudice a money laundering investigation (i.e. tip off)
Prejudicing an investigation
Some sectors/businesses are seen as at higher risk, and are therefore regulated and monitored e.g.
*Financial & credit businesses including currency exchange offices / cheque cashers / money transmitters;
*Estate Agency
*Accountancy
*Casinos
Also, High value dealers who accept cash > €15k in exchange for goods.
The University is not in a regulated sector, so is not monitored by a supervisory authority. Although not regulated by ML Regulations, we should still be aware of and alert to the risks and take appropriate precautions.
Recent FOI Request – > A Times article on Universities potentially laundering £m’s
REPUTATION IS PARAMOUNT
Red Flags for Potential Financial Crime & Money Laundering – how would we spot it?
A person or business/company makes a large cash payment and/or donation to the University with little due diligence or information as to the background of the donor/remitter and his/her/its Source of Funds.
Use of complex company structures/shell companies to pay university fees.
Similarly, where a student applies for and pays the entire tuition/course fees in full and upfront only to withdraw from the course close to the start date or very soon after, requesting a refund of fees.
Unusual/unexplained/unexpected large payments (particularly in cash) being paid directly into the University’s bank account purporting to be tuition fees for a student.
As an extension of the above, payments received in cash via the branch network, without prior arrangement/notification, especially a branch some distance from the location of the University.
Unexpected/unscheduled overpaying of university course fees then seeking a refund of the overpayment
Individuals or Businesses doing work for or tendering for contracts without the necessary paperwork e.g. to evidence their details or credentials.
Suppliers significantly undercutting on job tenders or under invoicing on contracted works.
Children of Politically Exposed Persons or Sanctioned Individuals
Anyone seeking anonymity/undue secrecy
Uncooperative/reluctant when asked for information
NEED TO MAKE SURE THE PEOPLE WE ARE TRANSACTING WITH ARE WHO THEY PURPORT TO BE, AND NOT INDIVIDUALS WITH CRIMINAL INTENT
First introduced by the US in 1812 when at war with Britain! Have featured in their foreign policy ever since..
Broad sanctions = very limited (if any) transactions allowed
Narrow – tend to be individuals or organisations within the country, sometimes Govt officials and relatives etc.
Have to withhold processing any payment until we receive written consent from Barclays.
Moveable feast according to what’s going on in the World!
Imposed by US Govt. UK banks are required to comply.
Due diligence is the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party
Staying compliant with sanctions regulations is complex and more challenging than ever
A Beauty retailer was fined $1m for importing false eyelashes from China, when it came to light that the sourced materials were from North Korea.
Demonstrates the need to understand the supplier chain and exactly who our customers/suppliers are
How can we ensure we are not unwittingly receiving funds from, or making payments to, a sanctioned country (even if indirectly)?
Due diligence / KYC:
Required to gather knowledge about a potential customer (student in this case) before entering into a business relationship. Includes –
Who the customer is
Purpose/intended nature of the business relationship
Customer’s source of funds
If applicable, who owns or controls the business
Satisfactory evidence of ID must be obtained. For 3rd parties/agents evidence will include letters or documents proving name, address & relationship.
Employees: Potentially any member of staff could be committing an offence under the money laundering laws if they suspect money laundering or if they become involved in some way and do nothing about it.
If you suspect money laundering, it must be disclosed as soon as possible.
Individuals can be held personally liable to prosecution for failure to do so.
Risk compliance & assurance network
Not collecting sufficient information, or doing any checks
Suspicious activities also include:
Lack of proper paperwork
New customer or business partner not known to the University/It is not clear who owns the business
Reluctance/unwillingness to provide requested information
Agents who do not follow normal procedures/unclear relationship to the customer
High Risk Countries (from FATF web-site – Financial Action Task Force)
Afghanistan / Bosnia & Herzegovina / Guyana / Iran / Iraq / Laos / North Korea / Syria / Uganda / Vanuatu / Yemen NOTE THAT THERE IS ALSO A LIST OF COUNTRIES WITH CURRENT SANCTIONS/EMBARGOES IN PLACE
https://www.gov.uk/guidance/sanctions-embargoes-and-restrictions