Finance Norway is supportive of more tailored guidance for the NPO sector.
The guidance contained in para. no. 9 and 10 is helpful, but also rather general. The general impression is that this guidance is best suited for well-established international NPO’S. For smaller, newly established organizations the guidelines give relatively modest added value.
It should be clarified that not all listed factors in guideline no. 10 are necessary to assess in all cases. Measures need to be targeted and risk based.
In the view og Finance Norway, it should be stressed that there is a clear expectation that the authorities work to raise the level of awareness among NPO’s and contribute to clarifying what the requirements are from an AML/CFT-perspective. This means contributing to clarifying for the NPO-sector that access to financial services is subject to a strict legal framework, and financial institutions have legal obligations to prevent that they are misused for criminal purposes. To fulfill this obligation the customer (NPO) must be able to provide the necessary, verified information, so that the financial institution can fulfill its legal obligations.
The risk factors mentioned in para. no. 10 j)-i) does give limited guidance on what the NPOs in this category could do to reduce the risk in their operations and also be able to provide the necessary information to a financial institution in the context of a (potential) customer relationship.
Para. no. 12 is rather general. It would be beneficial if this guideline could be elaborated/clarified.
Section 5 - Guidelines on policies and controls for the effective management of ML/TF risks when providing access to financial services
For the sake of clarity, it should be mentioned explicitly in the guidelines that they do not concern the obligations of a financial institution to refuse or terminate customer relationships when CDD requirements under EU law cannot be fulfilled.
The guidelines should not make reference to individual customers in the context of de-risking. For individual customer EU law has established requirements, cf. i.a. 4TH AML Directive, Art. 14. De-risking is in our understanding related to the phenomenon of refusal of services for groups/categories of customers.
In para. No. 10 the wording “..legitimate access to financial services” is to wide. The services in question are “basic services” in our understanding Para. 10 should be revised in light of this.
In Para. 11, it should be made clear that a customer could be refused if it is not possible to assess how risk can be mitigated.
Para. 14 does not cover the issue of GDPR and data minimization. This aspect should be expressly covered.
Para. 15: An impression is created that CDD measures should be less strict for “basic accounts”. This cannot be correct in our view.
Para. 19 concerns institutions policies and procedures where traditional forms of identity documentation is not available. On this matter clear guidance from appropriate authorities is also necessary.
Given the already existing procedures for complaints for consumers, it is not clear what the added value of this paragraph is. We would propose to delete para. 22.