EFAMA agrees with the concept of a risk-based adjustment of the remaining measures that are additional to those corresponding to the minimum action to be taken. This is in line with the 4th Anti-Money Laundering Directive and the FATF Recommendations.

Apart from what foreseen in Article 3 it should be also mentioned that any entity located in a third-country should identify and perform a gap analysis of the group policies and procedures against the third-country legal requirements and report on the outcome. This may be contained under Article 4 1) b.

EFAMA also considers that in some cases the resultant ML/TF risk for the group and its entities may be difficult to be efficiently dealt with, given the lack of national provisions that allow to monitor and encounter such risks. For instance, in relation to minimum sanctions screening measures, certain sanction regimes on criminal activities may not be applicable in a third country in which the entity of a group operates. For this reason, given the fact that different sanction regimes may be applicable to a group, EFAMA thinks that these should not be part of the minimum actions listed in article 3.

The compliance officer employed by a branch or a majority-owned subsidiary in a third country should always be able to perform individual ML/TF risk assessment at the local level on the basis of the global standards of the group’s policies.

EFAMA would propose the following measures by way of statistical reporting on a monthly basis:
a. Number of PEPs
b. Number of high risk customers
c. Number of suspicious transactions
d. Number of STRs filed
e. Number of blocked accounts
f. Number of blocked transactions for ML/TF reasons

No further minimum action is recommended.

EFAMA agrees with what is proposed in Article 5 on the minimum action and additional measures. Moreover, we consider that in the case of a customer and a beneficial owner that already has business relations with an entity of the same group located in another jurisdiction, the branch or majority-owned subsidiary should be able to leverage the KYC due diligence already performed by the other entity, following the consent of the client and the beneficial owner.

EFAMA would add to the proposed measures a monthly reporting on the number of clients and / or beneficial owners, who refused to provide their KYC documentation.

EFAMA would suggest that in the cases foreseen in Article 7, what should be done is an AML/CTF risk assessment of the customer on an annual basis. Moreover, the parent company’s AML/CTF Risk Assessment should include the scenarios of this assessment.

In the case of customers in a third country with such data transfer limitations, it would be difficult for them to meet the conditions to be classified as Low Risk. In those cases it is important to have a risk identification framework and a proper setup for assessing and mitigating the identified risk.

EFAMA considers that the scenarios proposed are exhaustive and there are no further scenarios to be addressed. We would like, however, to raise the point of the on-going screening ‎of the employees, which may be considered in some jurisdictions as abusive under privacy law, even if it is complying with national law during the recruitment process.

There are several jurisdictions where the banking secrecy or data protection laws may prevent the application of group wide policies and procedures, such as Singapore, Taiwan, Cayman Islands, Switzerland, Lichtenstein, Curacao, to name a few countries. In Cayman Island it is a criminal offence to transfer data without the consent of the data subject.

We agree with Option 3 being the most appropriate option. By identifying different situations, there is more room to end up with more targeted and therefore more efficient measures.