EU Commission clarification on group-wide AML policies
27 August 2019
In June, the EU Commission published a ‘Delegated Regulation’ regarding regulatory technical standards to further mitigate money laundering and terrorist financing risk in third countries. The Standards apply specifically to credit and financial institutions which have branches and/or majority-owned subsidiaries operating outside of the EEA, clarifying the additional measures such firms must make to their group-wide AML policies and procedures. The Regulation came into effect on 3rd June 2019, and will apply to firms from 3rd September.
The Fourth Money Laundering Directive (“4MLD”) had already made it a requirement for obliged entities to have group-wide policies and procedures to counter the risk of money laundering and terrorist financing. However, the latest supplement to the Directive states that should a firm have branches or subsidiaries in third countries that do not allow specific elements of group-wide policies due to local law, the UK firm must employ ‘additional measures’.
Third Country Risk Assessment
For each branch and/or majority-owned subsidiary a firm has established in a third country, credit and financial institutions should, at a minimum:
- assess the money laundering and terrorist financing risk to their group, record that assessment, keep it up to date and retain it in order to be able to share it with their competent authority;
- ensure such risks are reflected appropriately in their group-wide AML policies and procedures;
- obtain senior management approval at group-level for both the group-wide AML policies and procedures and risk assessment; and
- provide bespoke training to relevant staff members in the third country to assist them in identifying relevant money laundering and terrorist financing risks.
The ‘Delegated Regulation’ also goes on to note that should local law restrict certain EU AML requirements, such as:
- collating customer information for the purpose of completing CDD;
- sharing suspicious transaction information across the group;
- transferring customer information to the EEA for the purpose of AML;
- putting in place record keeping requirements;
then the UK regulated institution must notify the FCA within 28 days of identifying this. When informing the FCA, the Firm will need to explain how the implementation of the third country’s law prohibits or restricts the application of certain AML measures.
As always, the FCA will look to firms to be able to demonstrate that they have taken a risk-based approach in the additional measures they will implement, which is proportionate to the money laundering and terrorist financing risk. The Regulation does provide guidance on what measures regulated firms should take on branches or subsidiaries (“local entities”) based in third countries:
- limiting the products and services offered to customers
- preventing reliance being placed on the CDD applied by the local entity
- completing on-site visits to be satisfied that the local entity is effectively identifying, assessing and managing its risk
- obtaining senior management approval for higher risk business relationships at the local entity
- determining the source, and if applicable destination, of funds to be used in the business relationship
- conducting enhanced ongoing monitoring on the business relationship until they are reasonably satisfied they understand the risk associated with the business relationship
- sharing with the group information underlying suspicious transactions, including personal information to the extent possible under local law
- carrying out enhanced ongoing monitoring on any customers, and if applicable beneficial owners, who have been subject to a suspicious transaction report by other entities within the group
- implementing effective systems and controls to identify and report suspicious transactions
- keeping the risk profile and due diligence information on their customers up to date and secure as long as legally possible, and in any case at least during the business relationship
Should firms not be able to effectively manage the money laundering and terrorist financing risks by implementing such ‘additional measures’, then the Firm must request the local entity to terminate the business relationship or not carry out the occasional transaction; or close down some or all of the operations provided by the branch and/or majority-owned subsidiary based in a third country.
Should you feel as though you require assistance, please do not hesitate to contact Fiona Raistrick or Michael Knight-Robson.