Primary tabs

Finance Denmark

As available local guidances have differences the added guidance on business-wide risk assessments will be likely helpful in harmonising the practises and achieving a good dialogue with the different supervisors.

1.16-1.17 regarding proportionality and implementation of a business-wide risk assessment and 1.18 ” Firms should use the findings from their business-wide risk assessment to inform their AML/CFT policies and procedures”.
Comment: It would be helpful if the guidance could further specify the expectations on the firm to appropriately act upon the update of a business-wide risk assessment.
It may be interpreted as all measures, at all levels, which the firm takes to mitigate risk should be justified by one document. As the statement is rather wide by nature, clarity on the types of “procedures” which, at a minimum, merits an update/review following the business-wide risk assessment would be very helpful. (Similar to the new guidelines 1.12-1.14 which specify the sources of information firms should use to inform their business-wide risk assessment.) Providing clarity on the procedures a firm should update will have a direct impact on the firm’s ability appropriately act upon the results of its business-wide risk assessment. For example, the guidance does not mention the link between the business-wide risk assessment and the efficient allocation of resources.
In addition, similar to the FATF guidance on Risk Assessment (Feb 2013) section 1.4, the guidance could expand to cover who is the user of the ML/TF risk assessment. “The form, scope and nature of ML/TF risk assessments should ultimately meet the needs of its users/…/”. The business-wide risk assessments should primary meet the needs of e.g. senior management and the firm’s regulators. The primary users of the business-wide risk assessment are not operational staff, however they will benefit from the results via from example, the firms awareness and/or targeted training.

1.4 is new and states that firms need to record and document their business-wide risk assessments as well as any changes made to the risk assessment in a way that makes it possible for the firm and for competent authorities to understand how it was conducted and why it was conducted in a particular way.
Comment: It would be helpful to provide further guidance on minimum record keeping requirements as we foresee this to be an issue with different regulators.

2.11c states that firms should consider “the quality of the jurisdiction’s AML/CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight”, meaning the effectiveness of the AML/CFT measures and not the prudential side, from our understanding. If we consider the different listed examples of “credible and reliable sources”, in most cases there will only be one report available about the measures, not several, for the follow-ing reasons:
 A country will only be assessed by the FATF or an FSRB (not both),
 The IMF do not, on an ongoing basis, undertake country specific reports, besides the FSAP assessment (or DAR, which is published as an FATF re-port). The FSAP assessment does not consider the AML-CFT area, as this is assessed by the International Standard setter of the AML-CFT area (as recognized globally at both country level and by a number of inde-pendent organs (e.g. G20 and the UN)) = the FATF.

Comment: We seek clarification on the sources to consider when assessing country-specific risks. In our view, either the para should be revised to mention “one or more credible and reliable source” or other examples should be added to the subparagraph.
2.9(c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘financial or legal interest’;
Comment: The addition of 2.9c may be unhelpful if added in the way it is current-ly phrased. It is important that it can be made clear what is meant by “personal and business links, or financial and legal interests” and how these are thought to impact risk. Additionally, the guidelines should allow flexibility on how to take these risks into account. This is important to avoid the expectation that they be-come another standard item of CDD information to be collected, and to avoid customer risk assessment methodologies producing some unhelpful outcomes. For example, domestic customers with family members that were born in high risk countries being rated higher risk.

2.5a Adverse media reports
Comment: Adverse media is a key risk factor that should be considered as part of CDD activities and we welcome the guidelines on this. However, the EBA should be aware that there are jurisdictions, e.g. Finland, that does not allow this today.

2.21(a)(i),”considered whether there is a risk that the customer may have sought to avoid face-to-face contact deliberately for reasons other than convenience or incapacity”
Comment: It would be helpful here to clarify that this guideline only applies where a face to face channel was available to the customer, and where the specific circumstances of the customer make it potentially unusual or suspicious that they have declined a face to face meeting. In today’s digital world, an in-creasing number of customer meetings are taking place in other channels than physical meetings (face-to-face) and there must not be a tick-the-box require-ment to always consider this as suspicious.
4.7 firms are supposed to clearly define at what point a series of one-off transac-tions amount to a business relationship.
Comment: From our perspective it would be beneficial if the competent author-ities have the same rules, so we do not have different rules in different jurisdic-tion. E.g. in Sweden the SFSA has stated that 12 transactions during a 12-month period will normally constitute a business relationship, while the Danish FSA does not have similar guidelines.

4.9 “Firms should carefully balance the need for financial inclusion with the need to mitigate ML/TF risk”.
Comment: This is a difficult balance that banks today are doing their best to manage. It would be more helpful to get clearer guidance of where to draw the line between inclusion and financial crime prevention, if authorities today think that banks have a too narrow (or too wide) definition of what to allow for. 4.9 should either be removed or further specified.

4.10 regarding that ”firms should put in place appropriate and risk-sensitive policies and procedures to ensure that their approach to applying CDD measures does not result in unduly denying legitimate customers access to financial services. Where a customer has legitimate and credible reasons for being unable to provide traditional forms of identity documentation, firms should consider mitigating ML/TF risk in other ways”.
Comment: In the Nordic countries, private individuals do as a rule have means of secure identification. There may be temporary exceptional cases (theft, accident) where this is not possible.
The difficulties come with immigration of individuals who come from jurisdictions where ID systems are not so secure or where the individual did not manage to bring its ID into the country. It is already a difficult balance for banks to know when to allow these customers in, while securing that society is not put at risk by financial crime or terrorist financing.
To ensure financial inclusion, we would ask for additional clarification and guidance by local authorities of which types of ID should be acceptable for which level of service.

Comments on use of innovative technology/ non face-to face (4.32-4.37):
It is important that use of digital technologies and innovative technology is not prevented by too tight rules on face-to-face identification. The rules should be for cases where a customer - for no legitimate and credible reason – does not want to present himself. This is also the way we read the EBA guidelines, hence they are fine as now formulated.

4.38 and 4.39 set out the measures firms should take to establish the nature and the purpose of the business relationship.
Comment: It would be helpful if the guidelines could clarify that the measures / steps taken by firms to understand these points can be achieved by other methods than just collecting this from the customer as part of CDD. For example in some circumstances it may be possible for a firm to define the acceptable purpose and nature of its relationships within its own terms & conditions and fair usage policies, agreed with its customers.

4.55 states that measures in accordance with article 18 a (1) shall always be applied where a business relationship or transaction involves a high risk third country. The definition of a business relationship or transaction always involves a high risk third country is the following: a) if the funds were generated in a high risk third country; b) the funds are received from a high risk third country; c) the destination of funds is a high risk third country; d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.
Comment: Guidelines regarding high-risk third countries are helpfully clarifying the AMLD5 requirements. We welcome this guidance.

4.74 a) states that “…Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased;”
Comment: Regarding proposals to include real-time monitoring as a tool for higher-risk transactions, this is in practise not realistic today and the guidelines should be changed to be more aspirational than mandatory. Real time monitor-ing occurs in Fraud and in Sanctions Transactions screening and for AML purpos-es, only for certain types of customer transactions. Transaction Monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods normally daily, weekly and monthly. Therefore it is not always possible to determine potentially suspicious activity from a single trans-action as it is dependent on the specific circumstance or scenario that has gen-erated the alert. Larger banks processes and monitors approximately 2bn trans-actions annually with approximately 250000 thousand alerts generated from the automated transaction monitoring system. These alerts are handled, investigat-ed, discounted or ultimately filed as Suspicious Activity Reports.

When considering the potential volumes involved, the design and implementa-tion of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution. There is an aspiration in the industry to have sophisticated real-time, intelligent monitor-ing systems that could detect and stop payments with high precision but today, an automatic system that would halt transactions if indicators show potential suspicion, could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose). Finance Denmark is happy to sup-port the development of EBA and industry thinking in this space.
(see also 8:25: “… Real-time monitoring of transactions is one of the EDD measures banks should consider in situations where the ML/TF is particularly increased...”)
8.25 c) states that “…Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased;”
See comment on 4.74 above.
13:20 “…banks should consider whether performing more thorough due diligence checks on the transaction itself and on other parties to the transaction (including non-customers) would be appropriate.”
13:21 “Checks on other parties to the transaction…”
Comment: Collecting the proposed information about the other parties in the transaction, which could be the customer’s customers, would be challenging and in many cases impossible. Trade Finance is typically a paper-based opera-tion in which the bank receives documents regarding the export/import transac-tion (bills of lading, invoices, packing lists etc.) and checks whether they comply with the agreed terms and international standards. Collecting information re-garding also the other parties in the transaction, besides the customer of the bank, would increase the complexity.
13:22 ”Checks on transactions…”
Comment: The draft guidelines propose that checks on transactions may include using professional judgement to consider whether the pricing of goods makes commercial sense and checking that the weights and volumes of goods being shipped are consistent with the shipping method. In our view, it would in prac-tice not be realistic to do these checks in the daily Trade Finance operations. It would also require a significantly different skill-set and build-up of competences and expertise in Trade Finance officers.
Section 20.7.b (Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction).
Comment: the requirement should be clarified and/or re-worded to only cover adverse media screening.

Section 20.7.c (Verification of the identity of other owners or controllers of a cor-porate entity)
Comment: The requirement should be clarified as it is unclear what is meant by ‘other owners’

Section 20.7.e (Establishing the financial situation of the corporate client)
Comment: This requirement should be clarified, what is meant by it?

Section 20.7.i (When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place)
Comment: ‘confirming’ should be replaced by ‘assessing’
Finance Denmark