Primary tabs

International Financial Data Services Limited

Yes – we believe by adding detail and giving examples to the requirements set out in Directive (EU) 2015/849 that the guidelines are conducive to firms adopting risk-based, proportionate and effective AML/CFT policies and procedures.

Below, we have given some comments on specified paragraphs which we request to be taken into consideration.

General: Although the paper is intended to focus on “simplified and enhanced risk”, it would be useful to reference and contrast with “standard risk” so that the reader has a more complete view of the CDD approach.

Paragraph 17: “Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms should consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that unless required by Directive (EU) 2015/849 or national legislation, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.”

We support this approach as we agree it is not reasonable to expect firms to consider all risk factors outlined in paragraph 18 – 21 for each customer relationship. We note the reference to EU 2015/849 and suggest that it would be useful to clarify whether the information relating to the risk factors listed in Annex 1, Annex II and Annex III is required to be obtained and assessed for each customer relationship. We suggest that, unless required by national legislation, that similarly it would not be reasonable to expect firms to obtain and assess information for all the Annex 1, Annex II and Annex III risk factors. Firms should, as part of their holistic risk-based methodology, determine which factors should be assessed for different customer and risk scenarios.

We would also consider that it would be useful to distinguish processes for new customers from existing customers in the guidelines. It is likely that some of the risk factors would not have been obtained for existing customers and we suggest that the decision on whether to correspond with customers to obtain the additional information should be made on as part of a firm’s overall risk-based approach.

Given the number of customers serviced by the European financial services industry, corresponding with each to obtain additional information would be an enormous task and lead to significant additional costs which ultimately would need to be passed onto the consumer.

It would be appropriate for you to undertake a cost benefit analysis before finalising the guidelines; local regulators often do this to demonstrate that regulation is proportionate.

Paragraph 18: “When identifying the risk associated with their customers, including their customers’ beneficial owners, firms should consider the risk related to…..”

We believe that this sentence should be amended by replacing “should” with “may”. For example, we do not believe that the collection of the specified information should be required where it has been assessed that simplified due diligence is appropriate.

Paragraph 20: “Are there suggestions that the customer or beneficial owner has been subject to a suspicious activity report in the past”.

The word “suggestions” is imprecise, we recommend that this bullet is deleted and the first bullet is expanded to reference “adverse reports or information from media or other credible sources about the customer or beneficial owner of the customer”.

Paragraph 22: “Firms should consider the risk related to … c) the jurisdiction to which the customer or beneficial owner has relevant personal links.”

It is difficult to see how the “personal links” of customers and beneficial owners to jurisdictions could be identified by firms. This also does not seem to be an appropriate information requirement where customers have been assessed as standard or simplified risk.

Paragraph 23: “Firms should note that Directive (EU) 2015/849 does not recognise ‘equivalence’ of third countries and that European Member States’ list of equivalent jurisdictions is no longer being maintained. To the extent permitted by national legislation, firms should be able to identify lower risk jurisdictions in line with Annex II of Directive (EU) 2015/849.”

We agree that it is relevant to reference the discontinuation of the “European Member States’ list of equivalent jurisdictions” (although we would have preferred for the list to continue to have been maintained).

We believe that greater clarity could be given on circumstances where third countries could be considered to be low risk and consistent with EEA countries.

In places, the Guidelines appear to suggest that all third countries should automatically be treated as higher risk than EEA countries; we believe that some third countries can be treated as equivalent risk to EEA countries after appropriate risk assessment by the obliged entity.

We note that Annex II, Article 26 of (EU) 2015/849 (“performance by third parties” appears to suggest that third countries could be seen as consistent to an EEA jurisdiction if they:
“(a) apply customer due diligence requirements and record-keeping requirements that are consistent with those laid down in this Directive; and
(b) have their compliance with the requirements of this Directive supervised in a manner consistent with Section 2 of Chapter VI.”

As a lesser point, “country” appears to be used interchangeably with “jurisdiction”, we believe that one term should be used throughout to improve clarity.

Paragraph 23: “Is the jurisdiction a known tax haven, secrecy haven or offshore jurisdiction?”

The sentence may be interpreted as implying that offshore jurisdictions, by their nature, are higher risk, further clarity on this point would be helpful.

Paragraph 30: “What has the firm done to satisfy itself that the group entity applies CDD measures to EEA standards in line with Article 28 of Directive (EU) 2015/849, for example has it considered the findings of relevant internal audit reports? “

We recommend that a more appropriate example would be “for group compliance to confirm that they are comfortable for the firm to rely on the group entity”. It would be uncommon for one group entity to gain access to another group entity’s internal audit reports.

Paragraph 42: We note the references to “beneficial owner” in the paragraph. Is it accepted that beneficial owners may not be identified under a simplified customer due diligence approach?

Paragraph 49: “where the risk associated with the PEP relationship is particularly high”.
It may be useful to give examples of when the PEP relationship would be considered to be particularly high, given that enhanced risk is assigned to all PEPs.

Paragraph 206: “The following factors may indicate lower risk:
• the customer is an institutional investor whose status has been verified by an EEA government agency, e.g. a government-approved pensions scheme;
• the customer or investor is a regulated financial intermediary in an EEA country.”

We note the references to “EEA”. In line with our previous comment, we believe that it would be useful to replace with “EEA country or a third country which has been assessed by the obliged entity as operating consistent AML / CTF controls and regulatory supervision”.

Paragraph 209: “The following factor may indicate higher risk:
• investors’ funds have been generated in high risk jurisdictions, in particular those associated with higher levels of predicate offences to money laundering.”

The meaning of this sentence appears unclear, does it relate to “investors’ monies” rather than “investors’ funds”.

For balance it may be useful to indicate that where investors’ funds have been generated in low risk jurisdictions – this may indicate lower risk.

Paragraph 210: “obtaining additional customer information during identification, such as occupation, level of assets, information available in public databases, the Internet, background and business objectives, information on the reasons for the proposed transactions; “

Clearly not all information contained in internet is reliable and we suggest that “The internet” is replaced with information from “media and other credible sources”.

Paragraph 211: To the extent permitted by national legislation and provided that the funds are being transferred to or from an account held in the customer’s name at an EEA credit institution, examples of SDD measures firms may apply include using the source of funds or the destination of funds to meet some of the CDD requirements.

With reference to the definition in paragraph 8 “Source of funds” may be seen as a high requirement for SDD, unless it is anticipated in some cases that this may substantially fulfil the CDD requirements.

Paragraph 212 - 215: Intermediaries: It is unclear whether these sections also apply to nominee shareholders. If it does apply this should be stated (nominee shareholders are not used by funds to distribute fund shares).

We would recommend that the Guidelines acknowledge that use of nominee shareholders in investment funds is a very common practice and does not necessarily indicate “higher risk”. (With reference to Paragraph 21, we agree that in other industries, nominee shareholders may indicate higher risk).

Paragraph 213: We note the references to “EEA jurisdiction”. In line with our previous comments, we believe that it would be useful to replace with “EEA country or a third country which has been assessed by the obliged entity as operating consistent AML / CTF controls and regulatory supervision”.

With reference to the “intermediary’s ability to provide CDD upon request”, this may require some changes to disclosure laws in some jurisdictions. These are the intermediary’s customers rather than the direct customers of the fund.

Paragraph 215: In line with our previous comments, we do not believe that a third country location should automatically prohibit SDD being applied to an intermediary if it has been assessed by the obliged entity that the third country is operating consistent AML / CTF controls and regulatory supervision. Given the reference to reliance on third parties as per article 25 of Directive (EU) 2015/849, this would appear to be an inconsistency with the third country consistency references in Article 26.

Examples of possible “full CDD” measures could be given to improve clarity.
We believe that the guidelines are conducive to competent authorities monitoring of firms’ compliance.

We welcome the preparation of pan-European Guidelines in this area and we believe that the joint ESA’s should, as much as possible, seek to ensure that the Guidelines are implemented and interpreted in a consistent way across jurisdictions.

Lack of jurisdictional consistency on AML / CTF matters can cause complexity and confusion to international investors and may lead to a situation where they favour one jurisdiction over another due to a perceived lighter burden for provision of information and documentation.
We support the current approach in Title II as it improves clarity of requirements for each business section. We believe that a legally-driven classification of the various sectors would be less easy to follow.
International Financial Data Services Limited