Advance Compliance & AML Seminar Yiannis Pettemerides - - PowerPoint PPT Presentation

SLIDE 1

Advance Compliance & AML Seminar

Yiannis Pettemerides yiannis.pettemerides@outlook.com

SLIDE 2

Introductions

  • Who am I?
  • Who are you?
  • Aim/Objective?

SLIDE 3

Seminar Programme

  • The Regulator (09:00-11:00)
  • EU 4th AML Directive Main Changes (11:15-13:15)

SLIDE 4

The Regulator

  • What is Money Laundering and Why you Need to Comply
  • The Regulatory Authorities Stance
  • The Regulator’s Monitoring Visit
  • Onsite Inspections Common Pitfalls

SLIDE 5

What is Money Laundering and Why you Need to Comply

SLIDE 6

What is Money Laundering and Why you Need to Comply

SLIDE 7

What is Money Laundering and Why you Need to Comply

SLIDE 8

What is Money Laundering and Why you Need to Comply

SLIDE 9

The Regulatory Authorities Stance

  • The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2018 (2018 voted by Parliament on April 3 2018)
  • The ESAs Guidelines on Anti-Money Laundering and Countering the Financing of Terrorism – ‘The Risk Factors Guidelines’ of 2018 (issued on January 4 2018 and required implementation by 26 June 2018)
  • The Anti-Money Laundering CySEC Directive of 2016 (2018 updated new CySEC Directive expected later in 2018)
  • The Prevention and Suppression of Money Laundering Activities Directive to the Members of ICPAC of 2013 (2018 updated new ICPAC Directive expected later in 2018)
  • The Prevention of Money Laundering and Terrorist Financing Directive to the Members of the CBA of 2015 (2018 updated new CBA Directive expected later in 2018)

SLIDE 10

The Regulatory Authorities Stance

  • Costs of non-compliance are significantly higher than the costs of compliance
  • Reputational risks both for entity and key management
  • Licensing authorisations risks both for entity and key management
  • Name and shame both for entity and key management
  • Heavy fines both for entity and key management
  • Going concern considerations for the entity

SLIDE 11

The Regulatory Authorities Stance

  • Commissioning of the AML offences is punishable on conviction by 14 years imprisonment or a fine of up to €500.000 or both of these penalties, in the case of a person who knows that the property is proceeds from a predicate offence, or
  • by 5 years imprisonment or a fine of up to €50.000 or both of these penalties, in the case of a person who ought to have known.

SLIDE 12

The Regulatory Authorities Stance

  • 1. To request the entity to take such measures within a specific time as the Regulator may decide, for the remedy of the situation.
  • 2. After giving the entity the opportunity to be heard, to impose an administrative fine of up to €1.000.000. In case the offence continues, to impose an additional fine of up to €1.000 per day for as long as the offence continues. The Regulator may, at its discretion, publicise the imposition of an administrative fine (4th AML Directive).
  • 3. To amend or suspend or cancel the operation license of the entity.

SLIDE 13

The Regulatory Authorities Stance

  • 4. To require the cessation or removal from his/her position, any director, manager or officer, including the AML officer and the heads of internal audit and regulatory compliance, in the event that the breach was due to his/her own fault, wilful omission or negligence.
  • 5. To impose the administrative penalty referred to in (2) above to a director, manager or officer or any other person, in the event that the breach was due to his/her own fault, wilful omission or negligence.

SLIDE 14

The Regulator’s Monitoring Visit

  • Expect a CySEC AML monitoring visit:
    – HR Entities => Every year
    – MHR Entities => Every 2 years
    – MLR Entities => Every 3 years
    – LR Entities => Every 4 years
  • Expect an ICPAC & CBA AML monitoring visit:
    – Every 3 years

SLIDE 15

The Regulator’s Monitoring Visit

  • 1 week to 4 weeks notice given; 1 day's notice given for special cases (i.e. Panama Papers) or no notice at all (special investigations)
  • Visit lasts for 1 to 2 days and involves a team of 1 to 3 reviewers
  • 5 to 15 files review
  • Exit meeting
  • Findings’ letter and response from Entity for remediation for any deficiencies identified – within 1 to 3 months

SLIDE 16

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – List of clients using the below format:
        ➢ Name of customer (physical person or legal entity)
        ➢ Commencement of business relationship (i.e. Letter of Engagement ASPs)
        ➢ Country of residence (for physical persons)
        ➢ Country of incorporation (for legal entities)
        ➢ Country of residence of BOs (for legal entities)
        ➢ Inclusion of customer/BO in the Panama Papers (yes/no)

SLIDE 17

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – List of clients using the below format:
        ➢ Business activities of customer (for physical persons: special notice for unemployed, student, retired)
        ➢ Description of business relationship
        ➢ Introduction of customer by an introducing agent (yes/no)
        ➢ High Net Worth Individuals - >Euro 3m (yes/no)
        ➢ Inclusion in Sanction Lists – EU/UN & US! (yes/no)

SLIDE 18

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – List of clients using the below format:
        ➢ AML Risk categorisation (High, Normal, Low)
        ➢ Reasoning if AML Risk is High
        ➢ Submission of Internal Suspicious Reports
        ➢ Submission of MOKAS Reports
        ➢ Reliance on Eligible Third Parties for EDD
        ➢ Customers and/or BOs convicted or with charges/investigation procedures against them for financial crime (yes/no)

SLIDE 19

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – List of clients using the below format:
        ➢ Total inflows of money/assets
        ➢ Total outflows of money/assets
        ➢ Confirmation that total inflows/outflows of money/assets is consistent to Economic Profile (yes/no)
        ➢ Amount of total cash transactions for the duration of the relationship

SLIDE 20

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – List of clients using the below format:
        ➢ Complete EDD data and information (yes/no)
        ➢ Complete construction of economic profile (yes/no)

SLIDE 21

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – AML Manual
    – BoD Minutes when AML issues have been discussed
    – MLCO Annual Report
    – IA Annual Report (only CySEC)
    – Group Structure
    – Organisational Chart
    – Trial Balance

SLIDE 22

The Regulator’s Monitoring Visit

  • Deliverables requested to be sent before the meeting:
    – Monthly Prevention Statements (only CySEC)
    – RBSF
    – Internal Suspicious Reports
    – MOKAS Reports
    – Corporate Bank Accounts bank statements (sample)
    – Clients’ Money Bank Accounts bank statements (sample)
    – Administration rights in CRM (only CySEC)

SLIDE 23

The Regulator’s Monitoring Visit

  • Monitoring Visits Scope:
    – 2016 => Governance
    – 2017 => Client Acceptance – Identification & Verification
    – 2018 => Economic Profile & Transaction Monitoring & Ongoing Monitoring
    – 2019 => Tax Evasion & Funds for Legitimate Sources?

SLIDE 24

The Regulator’s Monitoring Visit

  • TIP 1: Need to Show Effort & Development
  • TIP 2: Unidentified Background Check Info is Critical Deficiency
  • TIP 3: Show Constructive Approach - There is Always Room for Development
  • TIP 4: The Regulator is More Stressed than you are
  • TIP 5: The Regulator Does Know Everything But Also Does Not Know Nothing
  • TIP 6: You Know Your Clients Better than the Regulator Will Ever Know Them

SLIDE 25

The Regulator’s Monitoring Visit

  • TIP 7: Be Honest & Transparent – Withholding Information or Misleading the Regulator is a Critical Deficiency
  • TIP 8: The Regulator Expectation is Not About You Being Perfect but About Showing Efforts to Develop
  • TIP 9: Package is “King” But Presentation is “King-Kong” – Both Applicable for Being Organised & Being an Effective Communicator
  • TIP 10: The Regulator is About First to Support You and Then to Police You

SLIDE 26

The Regulator’s Monitoring Visit

  • TIP 11: Put All Your Cards on the Table Early
  • TIP 12: Take Time To Sit Before You Walk
  • TIP 13: Put Yourself in the Regulator’s Shoes
  • TIP 14: Address the Hard Stuff Up Front
  • TIP 15: Be Prepared to be Challenged
  • TIP 16: If a True Deficiency has been Identified, Concentrate on the Plan to Remediate it and Not on the Argumentation
  • TIP 17: Always be Professional Even if the Regulator Falls Short of it

SLIDE 27

The Regulator’s Monitoring Visit

  • TIP 18: Do not be Aggressive But Also do not be Overly Submissive – Hold your Ground If you Believe You're Right
  • TIP 19: First Onsite Inspection is Mostly of Advisory Nature
  • TIP 20: BoD Needs to be Involved and Available; Don’t Leave the Compliance Officer on Their Own

SLIDE 28

Onsite Inspections Common Pitfalls

  • AML Manual not tailored to the Company’s Circumstances and the actual procedures in place
  • Risk assessment superficial and not appropriately documented
  • Failing to identify a client as PEP
  • Failing to identify a client with a criminal record / adverse media
  • Failing to identify a client in Sanction Lists (EU, UN, US)
  • Not identifying and/or adequately establishing source of wealth and source of funds
  • No enhanced due diligence procedures performed

SLIDE 29

Onsite Inspections Common Pitfalls

  • CDD Procedures not performed before the establishment of the business relationship
  • No ongoing monitoring performed
  • No transactions monitoring performed
  • No adequate CDD procedures performed when offering the ASP Services of Directorship and/or Bank Administration (i.e. AML CDD responsibility not only between the Firm and the client but also between the client and their clients)

SLIDE 30

Onsite Inspections Common Pitfalls

  • Only collecting CDD documents and economic profile information without any assessment of reasonableness
  • Not adequate disposition of internal suspicious reports raised and decision not to report to MOKAS
  • No list of declined/terminated relationships
  • Low number of Internal Suspicious & MOKAS Reports
  • Reporting of Sanction Individuals only to MOKAS and not to the Ministry of Finance (Directorate of Administration and Finance - sanctionsunit@mof.gov.cy)

SLIDE 31

EU 4th AML Directive Main Changes

  • 4th AML Directive (Cyprus Law 03 April 2018)
  • 5th AML Directive (Cyprus Law by 10 January 2020)
  • 6th AML Directive (Currently discussed at the EU Level)

SLIDE 32

EU 4th AML Directive Main Changes

  • Beneficial Owners:
    – In respect of corporate entities, the definition of the ultimate beneficial owner is further specified as “a natural person who ultimately holds a shareholding, controlling interest or ownership interest over 25% of the shares or the voting rights in a corporate entity”.
    – There may be cases where no natural person can be identified as the one who ultimately owns or has control over a legal entity. In such exceptional cases, obliged entities, having exhausted all other means of identification, and provided there are no grounds for suspicion, may consider the senior managing official to be the beneficial owner.

SLIDE 33

EU 4th AML Directive Main Changes

  • Creation of National Central Register:
    – As per the new Directive, Member States will be required to hold satisfactory, accurate and current information on the beneficial owners of all corporate and other legal entities incorporated within their territory in a National Central Register (Need to be kept for 10 years after the Company has been Struck-off).
    – Obliged entities subject to the Directive, competent authorities and the Financial Intelligence Units will be able to access these interconnected Registers as well as any person or organization demonstrating "a legitimate interest," a term which is not defined and most certainly will raise issues in the future.
    – The name, the month and the year of birth, the nationality, the country of residence, and the nature and extent of the beneficial interest held, are some of the information that could be provided.

SLIDE 34

EU 4th AML Directive Main Changes

  • Emphasis on a risk-based approach:
    – The word risk appears 149 times in the 4th AML Directive, compared with 36 times in the 3rd AML Directive. This is not a coincidence. The Directive puts a heavy emphasis on employing a risk-based approach to money laundering at every level. It directs states to commission national risk assessments, firms to develop risk-based policies, and practitioners to conduct CDD in a risk-based manner.
    – The current regulations already incorporate a risk-based approach, but the new Directive goes even further and it seems to require more documentation of the risk assessment. For firms this means:
        • Requirement to demonstrate and document that risk assessments are conducted and kept up to date, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels
        • Written money laundering policies and procedures that take the firm’s risk assessment into consideration
        • Internal audit teams, where necessary, to test the internal policies, controls and procedures
        • Training on how to conduct a risk-based CDD and ongoing monitoring

SLIDE 35

EU 4th AML Directive Main Changes

  • High Risk Categorisation:
    – PEPs
    – High Risk Third Countries (FATF Non-Cooperating & Closely Monitored Jurisdictions, EU High Risk Third Countries, EU Non-Cooperative Tax Jurisdictions)
        • EEA AML Equivalent Countries (i.e. White List) scrapped
    – Complex or unusual structures/transactions, or unusual patterns of transactions that have no economic and lawful purpose
    – Other High Risk as per Supervised Entity’s assessment (Expected)

SLIDE 36

EU 4th AML Directive Main Changes

  • Other Types Categorisations:
    – Non face to face
    – High Net Worth Individuals (Physical Persons or BOs with more than 3m Euros Net Worth)
    – Convicted Customers / Customers with charges or investigation procedures against them
    – Customers in EU, UN, (US) Sanctions Lists
    – POAs
    – Cash Transactions
    – Directorship and/or Bank Administration Services (ASPs)

SLIDE 37

EU 4th AML Directive Main Changes

  • PEPs:
    – Enhancing in the definitions of PEPs
    – Enhancing in the definitions of PEPs’ Family Members
    – Enhancing in the definitions of PEPs’ Close Associates
    – Enhancing in the definitions of PEPs time limit when they ceased from a political position
    – Of particular importance is the fact that the Directive prohibits the refusal of conducting business relationships with individuals solely because of the fact that they are considered to be politically-exposed persons as this is against the Directive’s objectives and purposes. The Directive clearly states that PEPs shall not be stigmatised as being involved in criminal activities.

SLIDE 38

EU 4th AML Directive Main Changes

  • Low Risk Clients:
    – Under the Third Directive and the current Money Laundering Regulations, firms are able to automatically apply simplified CDD in a number of circumstances.
    – Under the 4th AML Directive, firms can use these circumstances as part of a justification for simplified due diligence after conducting a risk analysis. However, the exemption from enhanced CDD is not automatic, and the decision to apply simplified CDD should be backed up by documentation.
    – In other words, the decision to apply simplified customer due diligence measures shall be justified and supported by relevant documentation as the blanket approach, according to which all customers get into one category, will not be applicable.

SLIDE 39

EU 4th AML Directive Main Changes

  • Expands beyond the EU Borders:
    – Firms with majority-owned subsidiaries located in other countries where the minimum AML requirements are less strict than those of the Member State must implement the requirements of the Member State at those subsidiaries.

SLIDE 40

EU 4th AML Directive Main Changes

  • Third Parties CDDs Reliance:
    – The AML Directive forbids reliance on third parties having their place of business in high-risk third countries

SLIDE 41

EU 4th AML Directive Main Changes

  • Tax Crimes:
    – A provision of particular importance in the Directive: from now on, tax crimes (relating to both indirect and direct taxes) will be considered as “criminal activities” and will be punishable as predicate offences for money laundering.

SLIDE 42

EU 4th AML Directive Main Changes

  • Responsible Party:
    – The new directive states that the individual ultimately responsible for compliance should be a board member with sufficient influence to be able to make recommendations and drive change where required.

SLIDE 43

EU 4th AML Directive Main Changes

  • Fines:
    – One of the most significant changes under the 4th AML Directive is the imposition of even stricter penalties on obliged entities that are in breach of their obligations under the Directive. According to article 59, maximum administrative pecuniary penalties of at least twice the benefit obtained from the breach can be imposed on obligated entities that are in breach where the benefit is determinable, or at least 1.000.000 Euros.
    – Moreover, in cases relating to financial institutions or credit institutions maximum administrative pecuniary penalties of at least 5.000.000 Euros or 10% of the total annual turnover can be applicable

SLIDE 44

EU 5th AML Directive Main Changes

  • Enhance the powers of EU Financial Intelligence Units and facilitating their increasing transparency on who really owns companies and trusts by establishing beneficial ownership registers;
  • Prevent risks associated with the use of virtual currencies for terrorist financing and limiting the use of pre-paid cards;
  • Improve the safeguards for financial transactions to and from high-risk third countries;
  • Enhance the access of Financial Intelligence Units to information, including centralised bank account registers.
  • Ensure centralised national bank and payment account registers or central data retrieval systems in all Member States.

SLIDE 45

EU 5th AML Directive Main Changes

  • Member States should ensure that registers of ultimate beneficial owners of companies and other legal entities become accessible to the general public (but not the register of ultimate beneficial owners of trusts, which will still require demonstration of a legitimate interest);
  • AML regime is extended to additional service providers such as electronic wallet providers, virtual currency exchange service providers, and art dealers, plus further specifications regarding the scope of application of the Fifth AML Directive with respect to tax advisors and estate agents are provided;
  • Threshold for identifying holders of prepaid cards is lowered to €150;
  • Member States will have to implement enhanced due diligence measures to monitor suspicious transactions involving high-risk countries more strictly.
  • Beneficial owners to be identified, back to more than 10% for High Risk Clients.

SLIDE 46

EU 6th AML Directive Main Changes

  • Expected to define all 22 predicate offences and impose greater obligations on firms to implement monitoring systems that detect proceeds that may be linked to these criminal offences.
  • Will also provide a comprehensive definition of money laundering, and Member States of the EU covered by the Directive must implement effective, consistent and disincentivised criminal sanctions.
  • Predicate offences committed in another Member State or third country must be illegal in both the home country and the other respective jurisdiction.
  • Members of the European Parliament have suggested a minimum prison sentence of five years should be imposed for serious money laundering offences. Additionally, MEPs would like to have convicted criminals of money laundering offences banned from being employed in the public sector.

SLIDE 47

EU 6th AML Directive Main Changes

  • Facilitating, supporting and attempting to commit an offence of money laundering will also be illegal under proposals for the 6MLD.
  • 6MLD will be comprehensive in that it is expected to include measures to extend criminal liability to organisations, such as companies or partnerships.
  • If an organisation is criminally convicted of a money laundering offence, the directive will also make possible the conviction of relevant individuals within the organisation; thus, the failure to appropriately supervise any individual who may amass criminal liability to the organisation will be a corporate offence.
  • The sanctions for those that are convicted of money laundering include the possible prohibition from public welfare benefits for four years, a temporary or permanent ban from conducting business, a compulsory winding-up of the organisation and a temporary or permanent closure of business units through which the offences were committed.

SLIDE 48

Risk Based Approach – Framework

  • Emphasis on a risk-based approach:
    – The word risk appears 149 times in the 4th AML Directive, compared with 36 times in the 3rd AML Directive. This is not a coincidence. The Directive puts a heavy emphasis on employing a risk-based approach to money laundering at every level. It directs states to commission national risk assessments, firms to develop risk-based policies, and practitioners to conduct CDD in a risk-based manner.

SLIDE 49

Risk Based Approach – Framework

  • Emphasis on a risk-based approach:
    – The current regulations already incorporate a risk-based approach, but the new Directive goes even further and it seems to require more documentation of the risk assessment. For firms this means:
        • Requirement to demonstrate and document that risk assessments are conducted and kept up to date, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels
        • Written money laundering policies and procedures that take the firm’s risk assessment into consideration
        • Internal audit teams, where necessary, to test the internal policies, controls and procedures
        • Training on how to conduct a risk-based CDD and ongoing monitoring

SLIDE 50

Risk Based Approach – Framework

  • The ESAs Guidelines on Anti-Money Laundering and Countering the Financing of Terrorism – ‘The Risk Factors Guidelines’ of 2018 (issued on January 4 2018 and required implementation by 26 June 2018)

SLIDE 51

Risk Based Approach - Background

  • The Financial organisation applies appropriate measures and procedures, on a risk based approach, so as to focus its effort in those areas where the risk of ML/TF appears to be higher (e.g. high risk clients)
  • A risk assessment needs to be prepared and maintained by the entity
  • The entity should assess and identify the products offered that are considered of higher AML/TF risk

SLIDE 52

Risk Based Approach - Background

  • Adequate controls should be implemented to prevent AML from clients to whom high risk products are provided
  • Complexity of group structure is taken into consideration for client risk categorisation purposes
  • The risk of tax evasion should be adequately covered in the entity's policies and procedures and adequate controls should be in place to mitigate such risk

SLIDE 53

Risk Based Approach - Background

  • Customers should be risk categorized
  • The entity should identify the risks it faces, and should design and implement appropriate measures and procedures for the correct management and mitigation
  • The MLCO should consult data, information and reports that are published by relevant international organisations (e.g. FATF, etc.) in performing its risk based approach

SLIDE 54

Risk Based Approach - Background

  • A risk-based approach:
    – recognises that the money laundering or terrorist financing threat varies across clients, countries, services and financial instruments;
    – allows firms to differentiate between clients in a way that matches the risk of their particular business;
    – allows firms to apply their own approach in the formulation of policies, procedures and controls in response to the firm’s particular circumstances and characteristics;
    – helps to produce a more cost effective system; and
    – promotes the prioritisation of effort and actions of the firm in response to the likelihood of money laundering or terrorist financing occurring through the use of services provided by the firm.

SLIDE 55

Risk Based Approach - Background

  • In assessing the most cost effective and proportionate way to manage the money laundering and terrorist financing risks faced by the firm, a risk-based approach involves the following steps:
    – identifying and assessing the money laundering and terrorist financing risks emanating from particular clients, services and geographical areas of operation of the firm and its clients;
    – managing and mitigating the assessed risks by the application of appropriate and effective measures, procedures and controls;
    – continuous monitoring and improvements in the effective operation of the policies, procedures and controls;
    – documenting, in appropriate manuals and policies, the procedures and controls to ensure their uniform application across the firm.

SLIDE 56

Risk Based Approach - Background

  • Consideration of these risk types should enable the firm to draw up a simple matrix of characteristics of the client or service which are considered to present a higher than normal risk, and those which present a normal risk. Some clients may be considered to present a lower than normal risk, through long association and detailed knowledge, or on account of their status (e.g. listed, regulated, or government entities).
  • This matrix can then be incorporated into client acceptance procedures, and as the first step of the client due diligence process, it allows a money laundering or terrorist financing risk level to be assigned to ensure appropriate, but not excessive, client due diligence work is carried out.
  • Enhanced due diligence should be carried out for those clients that are determined to be higher risk.

SLIDE 57

Risk Based Approach - Background

  • Business-wide risk assessments should help firms understand where they are exposed to ML/TF risk and which areas of their business they should prioritise in the fight against ML/TF. To that end, and in line with Article 8 of Directive (EU) 2015/849, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers. The steps firms take to identify and assess ML/TF risk across their business must be proportionate to the nature and size of each firm. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.

SLIDE 58

Risk Based Approach - Background

  • Firms should note that the risk factors listed in these guidelines are not exhaustive, and that there is no expectation that firms will consider all risk factors in all cases.
  • Firms must keep their risk assessment up to date and under review.

SLIDE 59

Risk Based Approach - Background

  • Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.

SLIDE 60

Risk Based Approach - Background

  • When identifying ML/TF risks associated with a business relationship or occasional transaction, firms should consider relevant risk factors including who their customer is, the countries or geographical areas they operate in, the particular products, services and transactions the customer requires and the channels the firm uses to deliver these products, services and transactions.

SLIDE 61

Risk Based Approach - Background

  • Firms should note that the application of a risk-based approach does not of itself require them to refuse, or terminate, business relationships with entire categories of customers that they associate with higher ML/TF risk, as the risk associated with individual business relationships will vary, even within one category.

SLIDE 62

Risk Based Approach – Sources of Information

  • Where possible, information about these ML/TF risk factors should come from a variety of sources, whether these are accessed individually or through commercially available tools or databases that pool information from several sources. Firms should determine the type and numbers of sources on a risk-sensitive basis

SLIDE 63

Risk Based Approach – Sources of Information

  • Firms should always consider the following sources of information:
    – the European Commission’s supranational risk assessment;
    – information from government, such as the government’s national risk assessments, policy statements and alerts, and explanatory memorandums to relevant legislation;
    – information from regulators, such as guidance and the reasoning set out in regulatory fines;
    – information from Financial Intelligence Units (FIUs) and law enforcement agencies, such as threat reports, alerts and typologies; and
    – information obtained as part of the initial CDD process.

SLIDE 64

Risk Based Approach – Sources of Information

  • Other sources of information firms may consider in this context may include, among others:
    – the firm’s own knowledge and professional expertise;
    – information from industry bodies, such as typologies and emerging risks;
    – information from civil society, such as corruption indices and country reports;
    – information from international standard-setting bodies such as mutual evaluation reports or legally non-binding blacklists;
    – information from credible and reliable open sources, such as reports in reputable newspapers;
    – information from credible and reliable commercial organisations, such as risk and intelligence reports; and
    – information from statistical organisations and academia.

SLIDE 65

Risk Based Approach – Weighting Risk Factors

  • Firms should take a holistic view of the ML/TF risk factors they have identified that, together, will determine the level of ML/TF risk associated with a business relationship or occasional transaction.
  • As part of this assessment, firms may decide to weigh factors differently depending on their relative importance.
  • When weighting risk factors, firms should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. This often results in firms allocating different ‘scores’ to different factors; for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek.

slide-66
SLIDE 66

Risk Based Approach – Weighting Risk Factors

  • Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another. When weighting risk factors, firms should ensure that:
    – weighting is not unduly influenced by just one factor;
    – economic or profit considerations do not influence the risk rating;
    – weighting does not lead to a situation where it is impossible for any business relationship to be classified as high risk;
    – the provisions of Directive (EU) 2015/849 or national legislation regarding situations that always present a high money laundering risk cannot be over-ruled by the firm’s weighting; and
    – they are able to over-ride any automatically generated risk scores where necessary. The rationale for the decision to over-ride such scores should be documented appropriately.

66

slide-67
SLIDE 67

Risk Based Approach – Weighting Risk Factors

  • Where a firm uses automated IT systems to allocate overall risk scores to categorize business relationships or occasional transactions and does not develop these in house but purchases them from an external provider, it should understand how the system works and how it combines risk factors to achieve an overall risk score. A firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of ML/TF risk and it should be able to demonstrate this to the competent authority.

67

slide-68
SLIDE 68

Risk Based Approach - Monitoring

  • Firms should keep their assessments of the ML/TF risk associated with individual business relationships and occasional transactions as well as of the underlying factors under review to ensure their assessment of ML/TF risk remains up to date and relevant. Firms should assess information obtained as part of their ongoing monitoring of a business relationship and consider whether this affects the risk assessment.
  • Firms should also ensure that they have systems and controls in place to identify emerging ML/TF risks and that they can assess these risks and, where appropriate, incorporate them into their business-wide and individual risk assessments in a timely manner.

68

slide-69
SLIDE 69

Risk Based Approach - Monitoring

  • Examples of systems and controls firms should put in place to identify emerging risks include:
    – Processes to ensure that internal information is reviewed regularly to identify trends and emerging issues, in relation to both individual business relationships and the firm’s business.
    – Processes to capture and review information on risks relating to new products.
    – Engagement with other industry representatives and competent authorities (e.g. round tables, conferences and training providers), and processes to feed back any findings to relevant staff.
    – Establishing a culture of information sharing within the firm and strong company ethics.

69

slide-70
SLIDE 70

Risk Based Approach - Monitoring

    – Processes to ensure that the firm regularly reviews relevant information sources, in particular:
      • regularly reviewing media reports that are relevant to the sectors or jurisdictions in which the firm is active;
      • regularly reviewing law enforcement alerts and reports;
      • ensuring that the firm becomes aware of changes to terror alerts and sanctions regimes as soon as they occur, for example by regularly reviewing terror alerts and looking for sanctions regime updates; and
      • regularly reviewing thematic reviews and similar publications issued by competent authorities.

70

slide-71
SLIDE 71

Risk Based Approach - Monitoring

  • Examples of systems and controls firms should put in place to ensure their individual and business-wide risk assessments remain up to date may include:
    – Setting a date on which the next risk assessment update will take place, for example on 1 March every year, to ensure new or emerging risks are included in risk assessments. Where the firm is aware that a new risk has emerged, or an existing one has increased, this should be reflected in risk assessments as soon as possible.
    – Carefully recording issues throughout the year that could have a bearing on risk assessments, such as internal suspicious transaction reports, compliance failures and intelligence from front office staff.

71

slide-72
SLIDE 72

Risk Based Approach - Monitoring

  • Firms should record and document their risk assessments of business relationships, as well as any changes made to risk assessments as part of their reviews and monitoring, to ensure that they can demonstrate to the competent authorities that their risk assessments and associated risk management measures are adequate.

72

slide-73
SLIDE 73

Risk Based Approach – Identification: Customer Risk Factors

  • When identifying the risk associated with their customers, including their customers’ beneficial owners, firms should consider the risk related to:
    – the customer’s and the customer’s beneficial owner’s business or professional activity;
    – the customer’s and the customer’s beneficial owner’s reputation; and
    – the customer’s and the customer’s beneficial owner’s nature and behavior.

73

slide-74
SLIDE 74

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
    – Does the customer or beneficial owner have links to sectors that are commonly associated with higher corruption risk, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement?
    – Does the customer or beneficial owner have links to sectors that are associated with higher ML/TF risk, for example certain Money Service Businesses, casinos or dealers in precious metals?
    – Does the customer or beneficial owner have links to sectors that involve significant amounts of cash?

74

slide-75
SLIDE 75

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
    – Where the customer is a legal person or a legal arrangement, what is the purpose of their establishment? For example, what is the nature of their business?
    – Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849.

75

slide-76
SLIDE 76

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
    – Does the customer or beneficial owner hold another prominent position or enjoy a high public profile that might enable them to abuse this position for private gain? For example, are they senior local or regional public officials with the ability to influence the awarding of public contracts, decision-making members of high-profile sporting bodies or individuals who are known to influence the government and other senior decision-makers?
    – Is the customer a legal person subject to enforceable disclosure requirements that ensure that reliable information about the customer’s beneficial owner is publicly available, for example public companies listed on stock exchanges that make such disclosure a condition for listing?

76

slide-77
SLIDE 77

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
    – Is the customer a credit or financial institution acting on its own account from a jurisdiction with an effective AML/CFT regime and is it supervised for compliance with local AML/CFT obligations? Is there evidence that the customer has been subject to supervisory sanctions or enforcement for failure to comply with AML/CFT obligations or wider conduct requirements in recent years?
    – Is the customer a public administration or enterprise from a jurisdiction with low levels of corruption?
    – Is the customer’s or the beneficial owner’s background consistent with what the firm knows about their former, current or planned business activity, their business’s turnover, the source of funds and the customer’s or beneficial owner’s source of wealth?

77

slide-78
SLIDE 78

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owners’ reputation:
    – Are there adverse media reports or other relevant sources of information about the customer, for example are there any allegations of criminality or terrorism against the customer or the beneficial owner? If so, are these reliable and credible? Firms should determine the credibility of allegations on the basis of the quality and independence of the source of the data and the persistence of reporting of these allegations, among other considerations. Firms should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.
    – Does the firm know if the customer or beneficial owner has been the subject of a suspicious transactions report in the past?

78

slide-79
SLIDE 79

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owners’ reputation:
    – Has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?
    – Does the firm have any in-house information about the customer’s or the beneficial owner’s integrity, obtained, for example, in the course of a long-standing business relationship?

79

slide-80
SLIDE 80

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
    – Does the customer have legitimate reasons for being unable to provide robust evidence of their identity, perhaps because they are an asylum seeker?
    – Does the firm have any doubts about the veracity or accuracy of the customer’s or beneficial owner’s identity?
    – Are there indications that the customer might seek to avoid the establishment of a business relationship? For example, does the customer look to carry out one transaction or several one-off transactions where the establishment of a business relationship might make more economic sense?

80

slide-81
SLIDE 81

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
    – Is the customer’s ownership and control structure transparent and does it make sense? If the customer’s ownership and control structure is complex or opaque, is there an obvious commercial or lawful rationale?
    – Does the customer issue bearer shares or does it have nominee shareholders?
    – Is the customer a legal person or arrangement that could be used as an asset-holding vehicle?
    – Is there a sound reason for changes in the customer’s ownership and control structure?

81

slide-82
SLIDE 82

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
    – Does the customer request transactions that are complex, unusually or unexpectedly large or have an unusual or unexpected pattern without an apparent economic or lawful purpose or a sound commercial rationale? Are there grounds to suspect that the customer is trying to evade specific thresholds such as those set out in Article 11(b) of Directive (EU) 2015/849 and national law where applicable?
    – Does the customer request unnecessary or unreasonable levels of secrecy? For example, is the customer reluctant to share CDD information, or do they appear to want to disguise the true nature of their business?

82

slide-83
SLIDE 83

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
    – Can the customer’s or beneficial owner’s source of wealth or source of funds be easily explained, for example through their occupation, inheritance or investments? Is the explanation plausible?
    – Does the customer use the products and services they have taken out as expected when the business relationship was first established?
    – Is the customer a non-profit organisation whose activities could be abused for terrorist financing purposes?

83

slide-84
SLIDE 84

Risk Based Approach – Identification: Customer Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
    – Where the customer is a non-resident, could their needs be better serviced elsewhere? Is there a sound economic and lawful rationale for the customer requesting the type of financial service sought? Firms should note that Article 16 of Directive 2014/92/EU creates a right for customers who are legally resident in the Union to obtain a basic payment account, but this right applies only to the extent that credit institutions can comply with their AML/CFT obligations.

84

slide-85
SLIDE 85

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • When identifying the risk associated with countries and geographical areas, firms should consider the risk related to:
    – the jurisdictions in which the customer and beneficial owner are based;
    – the jurisdictions that are the customer’s and beneficial owner’s main places of business; and
    – the jurisdictions to which the customer and beneficial owner have relevant personal links.

85

slide-86
SLIDE 86

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Firms should note that the nature and purpose of the business relationship will often determine the relative importance of individual country and geographical risk factors; for example:
    – Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.
    – Where funds are received from, or sent to, jurisdictions where groups committing terrorist offences are known to be operating, firms should consider to what extent this could be expected to or might give rise to suspicion, based on what the firm knows about the purpose and nature of the business relationship.
    – Where the customer is a credit or financial institution, firms should pay particular attention to the adequacy of the country’s AML/CFT regime and the effectiveness of AML/CFT supervision.

86

slide-87
SLIDE 87

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Firms should note that the nature and purpose of the business relationship will often determine the relative importance of individual country and geographical risk factors; for example:
    – Where the customer is a legal vehicle or trust, firms should take into account the extent to which the country in which the customer and, where applicable, the beneficial owner are registered effectively complies with international tax transparency standards.

87

slide-88
SLIDE 88

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying the effectiveness of a jurisdiction’s AML/CFT regime include:
    – Has the country been identified by the Commission as having strategic deficiencies in its AML/CFT regime, in line with Article 9 of Directive (EU) 2015/849? Where firms deal with natural or legal persons resident or established in third countries that the Commission has identified as presenting a high ML/TF risk, firms must always apply EDD measures.

88

slide-89
SLIDE 89

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying the effectiveness of a jurisdiction’s AML/CFT regime include:
    – Is there information from more than one credible and reliable source about the quality of the jurisdiction’s AML/CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight? Examples of possible sources include mutual evaluation reports by the Financial Action Task Force (FATF) or FATF-style Regional Bodies (FSRBs) (a good starting point is the executive summary and key findings and the assessment of compliance with Recommendations 10, 26 and 27 and Immediate Outcomes 3 and 4), the FATF’s list of high-risk and non-cooperative jurisdictions, International Monetary Fund (IMF) assessments and Financial Sector Assessment Programme (FSAP) reports. Firms should note that membership of the FATF or an FSRB (e.g. Moneyval) does not, of itself, mean that the jurisdiction’s AML/CFT regime is adequate and effective.

89

slide-90
SLIDE 90

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying the level of terrorist financing risk associated with a jurisdiction include:
    – Is there information, for example from law enforcement or credible and reliable open media sources, suggesting that a jurisdiction provides funding or support for terrorist activities or that groups committing terrorist offences are known to be operating in the country or territory?
    – Is the jurisdiction subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation issued by, for example, the United Nations or the European Union?

90

slide-91
SLIDE 91

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying a jurisdiction’s level of transparency and tax compliance include:
    – Is there information from more than one credible and reliable source that the country has been deemed compliant with international tax transparency and information sharing standards? Is there evidence that relevant rules are effectively implemented in practice? Examples of possible sources include reports by the Global Forum on Transparency and the Exchange of Information for Tax Purposes of the Organisation for Economic Co-operation and Development (OECD), which rate jurisdictions for tax transparency and information sharing purposes; assessments of the jurisdiction’s commitment to automatic exchange of information based on the Common Reporting Standard; assessments of compliance with FATF Recommendations 9, 24 and 25 and Immediate Outcomes 2 and 5 by the FATF or FSRBs; and IMF assessments (e.g. IMF staff assessments of offshore financial centres).

91

slide-92
SLIDE 92

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying a jurisdiction’s level of transparency and tax compliance include:
    – Has the jurisdiction committed to, and effectively implemented, the Common Reporting Standard on Automatic Exchange of Information, which the G20 adopted in 2014?
    – Has the jurisdiction put in place reliable and accessible beneficial ownership registers?

92

slide-93
SLIDE 93

Risk Based Approach – Identification: Countries and Geographical Areas Risk Factors

  • Risk factors firms should consider when identifying the risk associated with the level of predicate offences to money laundering include:
    – Is there information from credible and reliable public sources about the level of predicate offences to money laundering listed in Article 3(4) of Directive (EU) 2015/849, for example corruption, organised crime, tax crime and serious fraud? Examples include corruption perceptions indices; OECD country reports on the implementation of the OECD’s anti-bribery convention; and the United Nations Office on Drugs and Crime World Drug Report.
    – Is there information from more than one credible and reliable source about the capacity of the jurisdiction’s investigative and judicial system effectively to investigate and prosecute these offences?

93

slide-94
SLIDE 94

Risk Based Approach – Identification: Products, Services and Transactions Risk Factors

  • When identifying the risk associated with their products, services or transactions, firms should consider the risk related to:
    – the level of transparency, or opaqueness, the product, service or transaction affords;
    – the complexity of the product, service or transaction; and
    – the value or size of the product, service or transaction.

94

slide-95
SLIDE 95

Risk Based Approach – Identification: Products, Services and Transactions Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s transparency include:
    – To what extent do products or services allow the customer or beneficial owner or beneficiary structures to remain anonymous, or facilitate hiding their identity? Examples of such products and services include bearer shares, fiduciary deposits, offshore vehicles and certain trusts, and legal entities such as foundations that can be structured in such a way as to take advantage of anonymity and allow dealings with shell companies or companies with nominee shareholders.
    – To what extent is it possible for a third party that is not part of the business relationship to give instructions, for example in the case of certain correspondent banking relationships?

95

slide-96
SLIDE 96

Risk Based Approach – Identification: Products, Services and Transactions Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s complexity include:
    – To what extent is the transaction complex and does it involve multiple parties or multiple jurisdictions, for example in the case of certain trade finance transactions? Are transactions straightforward, for example are regular payments made into a pension fund?
    – To what extent do products or services allow payments from third parties or accept overpayments where this would not normally be expected? Where third party payments are expected, does the firm know the third party’s identity, for example is it a state benefit authority or a guarantor? Or are products and services funded exclusively by fund transfers from the customer’s own account at another financial institution that is subject to AML/CFT standards and oversight that are comparable to those required under Directive (EU) 2015/849?

96

slide-97
SLIDE 97

Risk Based Approach – Identification: Products, Services and Transactions Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s complexity include:
    – Does the firm understand the risks associated with its new or innovative product or service, in particular where this involves the use of new technologies or payment methods?

97

slide-98
SLIDE 98

Risk Based Approach – Identification: Products, Services and Transactions Risk Factors

  • Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s value or size include:
    – To what extent are products or services cash intensive, as are many payment services but also certain current accounts?
    – To what extent do products or services facilitate or encourage high-value transactions? Are there any caps on transaction values or levels of premium that could limit the use of the product or service for ML/TF purposes?

98

slide-99
SLIDE 99

Risk Based Approach – Identification: Delivery Channel Risk Factors

  • When identifying the risk associated with the way in which the customer obtains the products or services they require, firms should consider the risk related to:
    – the extent to which the business relationship is conducted on a non-face-to-face basis; and
    – any introducers or intermediaries the firm might use and the nature of their relationship with the firm.

99

slide-100
SLIDE 100

Risk Based Approach – Identification: Delivery Channel Risk Factors

  • When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:
    – Is the customer physically present for identification purposes? If they are not, has the firm used a reliable form of non-face-to-face CDD? Has it taken steps to prevent impersonation or identity fraud?
    – Has the customer been introduced by another part of the same financial group and, if so, to what extent can the firm rely on this introduction as reassurance that the customer will not expose the firm to excessive ML/TF risk? What has the firm done to satisfy itself that the group entity applies CDD measures to European Economic Area (EEA) standards in line with Article 28 of Directive (EU) 2015/849?

100

slide-101
SLIDE 101

Risk Based Approach – Identification: Delivery Channel Risk Factors

  • When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:
    – Has the customer been introduced by a third party, for example a bank that is not part of the same group, and is the third party a financial institution or is its main business activity unrelated to financial service provision? What has the firm done to be satisfied that:
      • the third party applies CDD measures and keeps records to EEA standards and that it is supervised for compliance with comparable AML/CFT obligations in line with Article 26 of Directive (EU) 2015/849;
      • the third party will provide, immediately upon request, relevant copies of identification and verification data, inter alia in line with Article 27 of Directive (EU) 2015/849; and
      • the quality of the third party’s CDD measures is such that it can be relied upon?

101

slide-102
SLIDE 102

Risk Based Approach – Identification: Delivery Channel Risk Factors

  • When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:
    – Has the customer been introduced through a tied agent, that is, without direct firm contact? To what extent can the firm be satisfied that the agent has obtained enough information so that the firm knows its customer and the level of risk associated with the business relationship?
    – If independent or tied agents are used, to what extent are they involved on an ongoing basis in the conduct of business? How does this affect the firm’s knowledge of the customer and ongoing risk management?

102

slide-103
SLIDE 103

Risk Based Approach – Identification: Delivery Channel Risk Factors

  • When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:
    – Where a firm uses an intermediary:
      • Are they a regulated person subject to AML obligations that are consistent with those of Directive (EU) 2015/849?
      • Are they subject to effective AML supervision? Are there any indications that the intermediary’s level of compliance with applicable AML legislation or regulation is inadequate, for example has the intermediary been sanctioned for breaches of AML/CFT obligations?
      • Are they based in a jurisdiction associated with higher ML/TF risk? Where a third party is based in a high-risk third country that the Commission has identified as having strategic deficiencies, firms must not rely on that intermediary. However, to the extent permitted by national legislation, reliance may be possible provided that the intermediary is a branch or majority-owned subsidiary of another firm established in the Union, and the firm is confident that the intermediary fully complies with group-wide policies and procedures in line with Article 45 of Directive (EU) 2015/849.

103

slide-104
SLIDE 104

Risk Based Approach – High Risk Clients

  • HIGH RISK CLIENTS (minimum) - (Not ALL Automatic in 4th AML Directive):
    – i. Non face to face customers (Not Automatic in 4th AML Directive),
    – ii. Accounts in the names of companies whose shares are in bearer form (Not Automatic in 4th AML Directive),
    – iii. Trusts accounts (Not Automatic in 4th AML Directive),
    – iv. ‘Client accounts’ in the name of a third person (Not Automatic in 4th AML Directive),
    – v. Electronic gambling/gaming through the internet (Not Automatic in 4th AML Directive),
    – vi. Customers from high risk countries: FATF & EU HR & EU TAX (4th AML Directive),
    – vii. ‘Politically exposed persons’ (4th AML Directive),
    – viii. Complex Structures/Transactions (4th AML Directive),
    – ix. Other High Risk as per Supervised Entity’s assessment (4th AML Directive)

104

slide-105
SLIDE 105

Risk Based Approach – Low Risk Clients

  • LOW RISK CLIENTS (Not Automatic in 4th AML Directive):
    – i. Credit or financial institution covered by the EU Directive,
    – ii. Credit or financial institution carrying out one or more of the financial business activities as these are defined in Section 2 of the AML Law and which is situated in a country outside the EEA, which in accordance with a decision of the Advisory Authority for Combating Money Laundering and Terrorist Financing, imposes requirements equivalent to those laid down by the EU Directive and it is under supervision for compliance with those requirements,
    – iii. Listed companies whose securities are admitted to trading on a regulated market in a country of the European Economic Area or in a third country which is subject to disclosure requirements consistent with community legislation,
    – iv. Domestic public authorities of countries of the EEA.

SLIDE 106

Risk Based Approach – Normal Risk Clients

  • NORMAL RISK CLIENTS (Not Automatic in 4th AML Directive):

– Everyone else

SLIDE 107

Risk Based Approach - PEPs

  • PEPs (CRITICAL in 4th AML Directive):

– ‘Politically exposed person’ means a natural person who is or who has been entrusted with prominent public functions and includes the following:

  • (a) heads of State, heads of government, ministers and deputy or assistant ministers;
  • (b) members of parliament or of similar legislative bodies;
  • (c) members of the governing bodies of political parties;
  • (d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
  • (e) members of courts of auditors or of the boards of central banks;
  • (f) ambassadors, chargés d'affaires and high-ranking officers in the armed forces;
  • (g) members of the administrative, management or supervisory bodies of State-owned enterprises;
  • (h) directors, deputy directors and members of the board or equivalent function of an international organisation;
  • (i) Mayors.

SLIDE 108

Risk Based Approach - PEPs

  • PEPs (CRITICAL in 4th AML Directive):

– No public function referred to in points (a) to (i) shall be understood as covering middle-ranking or more junior officials;

– It must be noted that in both the FATF and the 4th EU AML Directive, immediate family members and close associates of PEPs are equally considered as PEPs by virtue of their relationship with a PEP.

– The 4th EU AML Directive provides a definition for both family members and close associates as follows: Paragraph 10 of Article 3: ‘family members’ includes the following:

  • (a) the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person;
  • (b) the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person;
  • (c) the parents of a politically exposed person;

SLIDE 109

Risk Based Approach - PEPs

  • PEPs (CRITICAL in 4th AML Directive):

– 4th EU AML Directive, Paragraph 11 of article 3: ‘persons known to be close associates’ means:

  • (a) natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;
  • (b) natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

– Time limit of PEP status:

  • According to the 4th EU AML Directive, article 22, where a politically exposed person is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, obliged entities shall, for at least 12 months, be required to take into account the continuing risk posed by that person and to apply appropriate and risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.

SLIDE 110

Risk Based Approach – Equivalent Jurisdictions

  • EEA AML Equivalent (NOT APPLICABLE in 4th AML Directive):

– Australia
– Brazil
– Canada
– Hong Kong
– India
– Japan
– South Korea
– Mexico
– Singapore
– Switzerland
– South Africa
– The United States of America

SLIDE 111

Risk Based Approach – HR Countries

  • FATF Countries (CRITICAL in 4th AML Directive):

– Non-cooperating jurisdictions:
➢ North Korea
➢ Iran

– Closely monitored jurisdictions:
➢ Ethiopia
➢ Pakistan
➢ Serbia
➢ Sri Lanka
➢ Syria
➢ Trinidad and Tobago
➢ Tunisia
➢ Yemen

SLIDE 112

Risk Based Approach – High Risk Countries

  • EU High Risk Third Countries (CRITICAL in 4th AML Directive):

– Afghanistan
– Bosnia and Herzegovina
– Ethiopia
– Guyana
– Iran
– Iraq
– Lao PDR
– North Korea
– Sri Lanka
– Syria
– Trinidad and Tobago
– Tunisia
– Uganda
– Vanuatu
– Yemen

SLIDE 113

Risk Based Approach – HR Countries

  • EU Non-cooperative Tax Jurisdictions (CRITICAL in 4th AML Directive):

– American Samoa
– Guam
– Namibia
– Palau
– Samoa
– Trinidad and Tobago
– US Virgin Islands

SLIDE 114

Risk Based Approach – HR Countries

  • Complex Structures/Transactions (CRITICAL in 4th AML Directive):

– Use of foreign accounts of companies or group of companies with complicated ownership structure which is not justified based on the needs and economic profile of the customer.

SLIDE 115

Risk Based Approach

Quiz 1:

  • Mr George W Bush has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • Mr Bush used to be the President of the US until 2009 and has not held any other political appointments since then.
  • Are you allowed to accept him as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 116

Risk Based Approach

Quiz 2:

  • Mr Peter Brown has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • Mr Brown used to be a member of parliament of Luxembourg until 2016 and has not held any other political appointments since then.
  • Are you allowed to accept him as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 117

Risk Based Approach

Quiz 3:

  • Mr Yang Kim has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • Mr Kim is from North Korea, and your background check has also identified that he is on the UN/EU/US Sanctions Lists.
  • Are you allowed to accept him as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 118

Risk Based Approach

Quiz 5:

  • Mr Georgiev Korikov has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • Mr Korikov is the current CEO of the EU subsidiary of VTB Bank.
  • From the background check performed it has been identified that the Russian parent VTB Bank is listed on the EU/UN/US Sanction Lists.
  • Are you allowed to accept him as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 119

Risk Based Approach

Quiz 5:

  • Mr Peter Thomas has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • From the background check performed it has been identified that in 2005 he was sentenced to jail for 5 years in the UK for tax evasion, money laundering and embezzlement.
  • Are you allowed to accept him as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 120

Risk Based Approach

Quiz 4:

  • Ms Tereza May has approached you, and also met you in person, to become your client.
  • All relevant CDD procedures have been performed and found adequate.
  • Ms May is the current Prime Minister in the UK, but since you have met her in person she is not considered a Non-Face-To-Face client for your risk assessment.
  • Are you allowed to accept her as a client?
  • If Yes, what AML Risk Classification (H/M/L) and why?

SLIDE 121

Client Acceptance – Identification & Verification

  • Client Acceptance:

– Identification & Verification
– Customer Due Diligence (CDDs)
– Enhanced Due Diligence (EDDs)

SLIDE 122

Client Acceptance – Identification & Verification

  • Who is the client to identify/verify?
  • When does identification/verification need to be performed?
  • Verification Documents Format – Original or Certified True Copies
  • Language of Documents – Greek or English or Summary Translation (not true/full translation)
  • Identification of Documents Expiration
  • Simplified Due Diligence (SDD) vs Regular Customer Due Diligence (CDD) vs Enhanced Due Diligence (EDD)

SLIDE 123

Client Acceptance – Identification & Verification

  • Simplified Due Diligence (SDD):

– To the extent permitted by national legislation, firms may apply SDD measures in situations where the ML/TF risk associated with a business relationship has been assessed as low. SDD is not an exemption from any of the CDD measures; however, firms may adjust the amount, timing or type of each or all of the CDD measures in a way that is commensurate to the low risk they have identified.

SLIDE 124

Client Acceptance – Identification & Verification

  • Enhanced Due Diligence (EDD):

– Firms must apply EDD measures in higher risk situations to manage and mitigate those risks appropriately. EDD measures cannot be substituted for regular CDD measures but must be applied in addition to regular CDD measures.

SLIDE 125

Intermediary Shareholder(s) Identification & Verification – Legal Entity

  • 1. INTERMEDIARY SHAREHOLDERS - GROUP STRUCTURE (Only shareholding to be validated – Different approach to the CBC Directive)

SLIDE 126

Company Identification & Verification – Legal Entity

  • 1. REGISTERED NAME
  • 2. TRADE/BRAND NAME(S)
  • 3. INTERNAL IDENTIFICATION CODE(S)
  • 4. INCORPORATION COUNTRY
  • 5. COMPANY’S HOUSE REGISTRAR NUMBER
  • 6. COMPANY HOUSE GOOD STANDING

  • 7. REGISTERED ADDRESS
  • 8. BUSINESS ADDRESS ( < 6 months)
  • 9. CONTACT DETAILS
  • 10. RISK DATABASE SEARCH
  • 11. BUSINESS PROFILE SUMMARY
  • 12. HIGH RISK CATEGORISATION AND REASONING

  • 13. DATE OF CDD FINALISATION
  • 14. DATE OF ACCOUNT OPENING

SLIDE 127

Shareholder(s) Identification & Verification – Physical Person

  • 1. NAME OF BO(S) (>25% OR MANAGING DIRECTOR IF IT CANNOT BE ESTABLISHED – 4th AML DIRECTIVE – Different approach to the CBC Directive & the 5th AML Directive)

  • 2. DATE OF BIRTH
  • 3. PLACE OF BIRTH
  • 4. PASSPORT/ID NUMBER
  • 5. NATIONALITY
  • 6. RESIDENTIAL ADDRESS (< 6 months)
  • 7. CONTACT DETAILS
  • 8. RISK DATABASE SEARCH
  • 9. OCCUPATION / EMPLOYMENT / OTHER BUSINESS ACTIVITIES

SLIDE 128

Director(s) Identification & Verification - If Physical Person

  • 1. NAME OF DIRECTOR (S)
  • 2. DATE OF BIRTH
  • 3. PLACE OF BIRTH
  • 4. PASSPORT/ID NUMBER
  • 5. NATIONALITY
  • 6. RESIDENTIAL ADDRESS ( < 6 months)
  • 7. CONTACT DETAILS
  • 8. RISK DATABASE SEARCH
  • 9. OCCUPATION / EMPLOYMENT / OTHER BUSINESS ACTIVITIES

NOTE: Not applicable for the ASPs Own Authorised Persons Register

SLIDE 129

Director(s) Identification & Verification - If Legal Entity

  • 1. REGISTERED NAME
  • 2. TRADE/BRAND NAME(S)
  • 3. INCORPORATION COUNTRY
  • 4. COMPANY’S HOUSE REGISTRAR NUMBER

  • 5. COMPANY HOUSE GOOD STANDING
  • 6. REGISTERED ADDRESS
  • 7. CONTACT DETAILS
  • 8. RISK DATABASE SEARCH
  • 9. BUSINESS PROFILE SUMMARY

NOTE: Not applicable for the ASPs Own Authorised Persons Register

SLIDE 130

Investment/Financial Funds/Firms (i.e. Manager, Advisor, Administrator, Custodian, etc.) Identification & Verification - Legal Entity

SAME AS DIRECTOR(S) IDENTIFICATION & VERIFICATION - IF LEGAL ENTITY, PLUS:

1. LICENCE VERIFICATION: Ensure that the client is licensed by a competent authority of EEA or equivalent jurisdiction (i.e. online verification from the competent authority website or obtain the license verification/agreement issued by the competent authority). If the client is licensed by a competent authority in a Non-EEA or equivalent jurisdiction, then in addition to the above, also obtain direct verification of licensing evidence from a reliable independent source.

2. PROFESSIONAL REGISTRATION: If the client is licensed by a competent authority in a Non-EEA or equivalent jurisdiction, then ensure that the professional registration is with a competent authority, which performs AML/CFT regulation and supervision of its registered members.

SLIDE 131

Authorised Signatory(ies) Or Agent(s) Or Introducer(s) Identification & Verification – If Legal Entity Or If Physical Person

SAME AS DIRECTOR(S) IDENTIFICATION & VERIFICATION - IF LEGAL ENTITY, PLUS:

SAME AS DIRECTOR(S) IDENTIFICATION & VERIFICATION - IF PHYSICAL PERSON, PLUS:

1. ADDITIONAL INFO IF IT IS A CLIENT INTRODUCER: Indicate name and authority (i.e. entity employee, approved IB, etc). Ensure the client introducer is within the list of authorised introducers.

2. AGREEMENT DOCUMENTATION: Ensure that there is a formal signed agreement in place (i.e. power-of-attorney authorisation, agency, brokerage introducing, etc).

SLIDE 132

EDD Additional Procedures (Any of the below) – Non Face to Face

  • Confirmation Letter from an EEA/Equivalent Credit/Financial Institution confirming name and address
  • Reference Letter from an EEA/Equivalent Third Person (Accountant, Lawyer, Service Provider)
  • Independently Verified Phone confirmation (i.e. electronic verification solution)
  • Independently Verified Mail confirmation (i.e. electronic verification solution, Registered Post)
  • Certification of identity and residence documents from an EEA/Equivalent Credit/Financial Institution
  • 1st Deposit from an EEA/Equivalent Credit Institution (Payment Institutions considerations)
  • Communication via Video Call (< 2,000 Euros)

SLIDE 133

EDD Additional Procedures – PEPs

  • Defining the reason the client is a PEP and the additional risk the Firm will be exposed to
  • Senior Management (Board Member) approval is obtained and forwarded to the AML Officer before the establishment of the business relationship or if a PEP re-classification is considered
  • Account is subject to Annual Ongoing Monitoring
  • Assessment of business reputation (i.e. Reference Letter from an EEA/Equivalent Third Person - Accountant, Lawyer, Service Provider)
  • Establishment of Economic Profile (publicly available data, reliable & independent data)

SLIDE 134

EDD Additional Procedures – High Risk Countries

  • Defining the reason the client is coming from a High Risk Country and the additional risk the Firm will be exposed to
  • Senior Management (Board Member) approval is obtained and forwarded to the AML Officer before the establishment of the business relationship or if a PEP re-classification is considered
  • Account is subject to Continuous Ongoing Monitoring
  • Assessment of business reputation (i.e. Reference Letter from an EEA/Equivalent Third Person - Accountant, Lawyer, Service Provider)
  • Establishment of Economic Profile (publicly available data, reliable & independent data)

SLIDE 135

EDD Additional Procedures – Complex Structures/Transactions

  • If the client belongs to a complex group structure, ensure that there are additional monitoring procedures and assessments in place for mitigating this risk (i.e. business relationship within the group assessment, business transactions within the group assessment, etc).
  • In addition, in case the complex group structure was created for tax reasons, obtain explanations and any evidence for the tax advice taken, such as correspondence with the tax advisor. Be cautious with the timing of the tax advice to ensure it is recent and reasonable, i.e. it takes into consideration all relevant, new tax legislation and also the latest business circumstances of the group.
  • Take reasonable and adequate measures to understand the background and purpose of complex transactions, for example by establishing the source and destination of the funds or finding out more about the customer’s business to ascertain the likelihood of the customer making such transactions.
  • Monitor the business relationship and subsequent transactions more frequently and with greater attention to detail. A firm may decide to monitor individual transactions where this is commensurate to the risk it has identified.

SLIDE 136

EDD Additional Procedures – Bearer Shares

  • Obtain the bearer share certificate(s) under the custody of the client. If not available then obtain the confirmation from a bank operating in the EEA that it has under its own custody the bearer share certificate(s) and that in the case of transferring their ownership to another person, the entity will be informed accordingly.
  • Obtain the annual written confirmation from the introducer or the client's director(s) if an introducer does not exist, confirming that the capital base/shareholding structure remain the same.

Note: Bearer Shares are no longer legal in the EU

SLIDE 137

EDD Additional Procedures – Clients Holding Client Accounts/Omnibus

  • Ensure that the Client is subject to mandatory professional registration. Ensure that the professional registration is with a competent authority, which performs AML/CFT regulation and supervision to its registered members.
  • Ensure that an assessment has been performed of the CDD procedures employed by the Client and that they are in line with the relevant EU AML legislation. A record of the assessment should be prepared and kept in a separate file.
  • Request from the Client to make immediately available data, information and documents obtained as a result of the application of the procedures establishing identity and customers due diligence measures. Must request from the Client to forward immediately to them, copies of these documents and relevant information on the identity of customer or the beneficial owner which the Client party collected when applying the above procedures and measures.

SLIDE 138

EDD Additional Procedures – Gambling And E- Gambling Services

  • Senior Management approval is obtained and forwarded to the AML Officer before the establishment of the business relationship
  • Account is subject to Annual Ongoing Monitoring
  • Ensure that the client is licensed by a competent authority of EEA or equivalent jurisdiction (i.e. obtain a copy of the license issued by the competent authority, which needs to be verified either directly from the relevant supervisory/regulatory authority or from other independent and reliable sources).
  • If the client is a service provider such as a payment provider or a software house or a card acquirer that provides services to gambling/e-gambling companies, the Entity should ensure that such services are only offered to licenced gambling/e-gambling companies. In addition the entity should obtain the group structure and economic profile of the client. The entity should obtain the agreement between the service provider and the gambling/e-gambling company.

SLIDE 139

EDD Additional Procedures – Tax Evasion

  • Ensure that supporting evidence was obtained by the Entity for mitigating the risk of a client performing tax evasion (i.e. settlement of tax responsibilities, most recent tax return, etc).
  • In addition, ensure that the client's tax ID (Company, Directors, Shareholders) was obtained and also that it was stated whether the client took any advice about tax planning.

SLIDE 140

EDD Additional Procedures – Cash Transactions

  • Document method and type of cash transaction (i.e. bank over the counter cash deposit/withdrawal, entity over the counter cash deposit/withdrawal).
  • Identify the jurisdiction of the bank branch where the cash transaction took place.
  • Obtain and perform the documents/assessment/correspondence and ensure that they have confirmed/assessed the source of cash for the specific transaction.
  • Obtain and identify any other relevant evidence/information that justify the specific cash transactions.
  • Ensure that the economic profile of the client justifies transactions in cash (i.e. occupation/employer/other-activities in which they receive significant receipts in cash, jurisdictions with limited or no banking services, source of funds and source of wealth that justifies cash transactions). Ensure consistency of the economic profile of the client and the assessment made by the entity regarding the specific transaction.

SLIDE 141

EDD Additional Procedures – Cash Transactions

  • Document final assessment conclusion (i.e. no further measures to be taken, issuance of Internal Suspicious Report, MOKAS report etc).
  • Ensure that the same monitoring procedures are followed for all cash transactions, irrespective of the client risk categorization (i.e. high/medium/low).
  • Document in the Monthly Prevention Statements if the specific client cash transaction is above 10,000 Euros (cumulatively).

SLIDE 142

EDD Additional Procedures – Trusts

  • CDDs need to be performed for all: Trustee, UBO, Settlor, Protector.
  • SAME AS DIRECTOR(S) IDENTIFICATION & VERIFICATION - IF LEGAL ENTITY, PLUS:
  • SAME AS DIRECTOR(S) IDENTIFICATION & VERIFICATION - IF PHYSICAL PERSON, PLUS:
  • Purpose of establishing the trust
  • Type of trust (ex. fixed/discretionary, purpose trust)
  • Extracts from trust agreement
  • Cyprus Trusts Registry: Ensure that the trust (if it is a Cypriot trust) is registered at the CySEC’s Trust Registry or the Trust Registries of ICPAC/BAR (if applicable)

SLIDE 143

Client Acceptance – Economic Profile & Transaction Monitoring & Ongoing Monitoring

  • Client Acceptance:

– Economic Profile
– Transactions Monitoring
– Ongoing Monitoring

SLIDE 144

Economic Profile

  • PRINCIPAL ACTIVITIES: Ensure the principal activities of the company are verified/consistent to government authorities official documents (i.e. Memorandum and Articles of Association, Audited Financial Statements) and these are consistent (and if not then adequately disposed) with the company’s economic profile quantitative information (i.e. source of funds, source of wealth, size of income, size of wealth, expected turnover, etc).
  • COUNTRY(IES) OF ACTIVITIES: Ensure the country(ies) of activities are consistent (and if not then adequately disposed) with the client identification documents (i.e. nationality, residential address, etc).

SLIDE 145

Economic Profile

  • PURPOSE OF A/C OPENING (NATURE OF TRANSACTION): Ensure the purpose of A/C opening (nature of transaction) country(ies) is consistent with the entity's trading products/services offered.
  • SOURCE(S) OF FUNDS: Ensure the source(s) of funds is consistent (and if not then adequately disposed) with the client economic profile qualitative information (i.e. principal activities, etc). Source of funds means the origin of the funds involved in a business relationship or occasional transaction. It includes both the activity that generated the funds used in the business relationship, for example the customer’s salary, as well as the means through which the customer's funds were transferred. This corresponds to total assets yearly movements for Companies.

SLIDE 146

Economic Profile

  • SOURCE(S) OF WEALTH: Ensure the source(s) of wealth is consistent (and if not then adequately disposed) with the client economic profile qualitative information (i.e. principal activities, etc). Source of wealth means the origin of the customer’s total wealth, for example inheritance or savings. This corresponds to total assets for Companies. Note that as per the Directive DI144-2007-08(B) of 2016 paragraph 21, the source of wealth is not a requirement for the economic profile construction; however, it is required as part of additional data necessary for the management and mitigation of risks as per paragraph 14(2)(c) of the Directive.

SLIDE 147

Economic Profile

  • SIZE OF INCOME: Ensure the size of income is consistent (and if not then adequately disposed) with the client economic profile qualitative information (i.e. principal activities, etc).
  • SIZE OF WEALTH: Ensure the source(s) of funds is consistent (and if not then adequately disposed) with the client economic profile qualitative information (i.e. principal activities, etc).
  • EXPECTED TURNOVER: Ensure the expected turnover is consistent (and if not then adequately disposed by the entity) with the client economic profile qualitative information (i.e. principal activities, etc). Turnover means the total inflows and total outflows.

SLIDE 148

Economic Profile

  • DEPOSITS/INCOMING FUNDS: Bank country location (i.e. EEA/non-EEA), Bank A/C number, Institution Name, Beneficiary, etc. Means of deposit transfer (i.e. cash, bank wire, processing/electronic-money transfer). If a processing/electronic-money transfer company (i.e. Safecharge, PayPal, Skrill, etc) is used, ensure that the entity (ASP) can establish the initial bank identity/information.
  • WITHDRAWALS/OUTGOING TRANSFERS: Bank country location (i.e. EEA/non-EEA), Bank A/C number, Institution Name, Beneficiary, etc. Means of withdrawal transfer (i.e. cash, bank wire, processing/electronic-money transfer). If a processing/electronic-money transfer company (i.e. Safecharge, PayPal, Skrill, etc) is used, ensure that the entity (ASP) can establish the initial bank identity/information.

SLIDE 149

Transactions Monitoring

  • Economic Profile Initially Set Quantitative Variables Vs Actual Trading Transactions
  • Monitoring on a Continuous Basis
  • Thresholds Usage
  • Evidence Requirements for High Risk Clients, Significant Variances (irrespective of Risk Category), Unreasonable Profile (irrespective of Risk Category)
  • ASPs – Directorships and/or Bank Administration Additional Considerations (Source of Funds of clients of our clients is CRITICAL)
  • Automated vs Manual Transactions Monitoring Considerations

SLIDE 150

Ongoing monitoring

  • Duration (Requirements & Industry Practice) for CDDs & EDDs ONLY:

– PEPs & HR Countries & Complex Structures/Transactions – Annually
– Other High Risk – Every 2 years
– Normal Risk – Every 3 years
– Low Risk – Every 4 years

  • Economic Profile / Transaction Monitoring – On a Continuous Basis
  • No need to be as detailed as the initial acceptance
