Para. 12 d), page 24 - This definition should be clarified. The 5MLD does require that countries identified as having strategic deficiencies in their AML/CFT regime, which pose a significant threat to the Union’s financial system (Article 9 of Directive (EU) 2015/849) should be deemed ‘high-risk third countries’ and have certain specific EDD measures. Financial institutions must therefore conduct country-specific risk assessments for any jurisdiction outside of the EU where such financial institutions do business and determine ‘Jurisdictions associated with higher ML/TF risk’ based on their assessment of risk factors. It would be useful to state that higher ML/TF risk countries could be lower risk than the high-risk ones identified by the EU.
Para 12 e), page 24 – ALFI would like to underline that the verification of the customer via video-link or similar technological means may actually mitigate risks in the context of non face-to-face relationships. The use of financial technology, including Regtech and Suptech, to the fullest extent possible was supported by the FATF on the occasion of the COVID-19 crisis, as mentioned in the Statement by the FATF President on 1 April 2020 on COVID-19 and measures to combat illicit financing. We would suggest that the Guidelines reflect this evolution and provide more detail on how to mitigate potential residual risks of such situations, among other things by referring to the existing FATF guidance in this regard.
Para 12 i), page 24 – ALFI suggests simplifying the definition of “risk”. We suggest defining “Risk” as “the possibility of ML/TF taking place”. On the one hand, there is quite often insufficient statistical data to estimate the likelihood of money laundering or financing terrorism. On the other hand, even a very low level of likelihood may cause severe impacts, e.g. in the case of financing terrorism. This definition would allow proportionate and practical risk assessments and not force firms to guess the likelihood of events.
Para 12 j), page 24 – ALFI recommends using the same definition for “Risk appetite” as recommended by the Financial Stability Board in its “principles for an effective risk framework”. Risk appetite is defined as “the aggregate level and types of risk a financial institution is willing to assume within its risk capacity to achieve its strategic objectives and business plan.” A firm defines its risk appetite considering the different types of risks (country risk, client risk, product risk, etc.) and then aggregates them. The risk appetite statement is then “the articulation in written form of the aggregate level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its business objectives”. It may be worth considering inserting the definition of risk appetite statement. In this sense, ALFI suggests changing under para 4.7 g) the term “risk appetite” to “risk appetite statement”.
As already stated in our joint ALFI/ABBL/ACA/ALCO Opinion paper issued on the occasion of the drafting of the current Joint Guidelines in January 2016, we generally consider that these guidelines are conducive to firms adopting risk-based, but not always proportionate AML/CFT policies and procedures. We observe that customer due diligence (“CDD”) measures are risk sensitive in line with the general rules set out in the Directive (EU) 2015/849 and Directive (EU) 2018/843.
Para 1.15, page 29 – The guidelines should give more clarity as to the circumstances in which it would be “unlikely” that a risk assessment meets the requirements of article 8 of Directive (EU) 2015/849.
Para 1.16, page 29 – For coherence purposes, we suggest adding the words “limited international or cross border” after the words “small firms that do not offer complex products or services and that have”.
Para 1.31e), page 31 – this paragraph brings the requirement to be aware of risks on the basis of information available in the media. However, we fear this could become a prescriptive guideline to consider such media source when assessing the AML risks. The wide number of media sources plays a big role on the difficulty of assessing the AML risks on this criterion. We believe that missing information published in one media should not engage the liability of the firms. Without challenging the work done by journalists, the question arises as to whether information published by media is always reliable. Moreover, relying on some information available in the media may be in clear contradiction with the fundamental legal principle of presumption of innocence if the information concerns a person only suspected of an offense but not sentenced yet.
We find it essential to stress that one factor by itself may not be sufficient to imply a higher risk.
We welcome the fact that the Guidelines make a distinction between the treatment of, on the one hand, risks related to terrorist financing and, on the other hand, risks related to money laundering.
Paragraphs 2.3 (page 32) and 2.9 (page 37): these paragraphs imply that a risk assessment should also be done on the beneficial owners, which goes further than article 8 of the 4th AML Directive, which focuses on the customers themselves.
Paragraph 2.5c), page 34 – One of the risk factors is set out as the firm knowing if the customer or the beneficial owner has been subject to a suspicious activity report in the past. However, a time limit is not given. We believe that “five years” should be added to this risk factor so as to provide for a time limit. The existence of a maximum time period would also be in compliance with the data protection rules, according to which the absence of a time limit is incompatible with the protection of personal data, as well as with the requirement laid down in article 40 of Directive 2015/849.
Paragraph 2.6 c), page 34: this paragraph mentions “indications that the customer might seek to avoid the establishment of a business relationship”. We suggest that this part be clarified, as we do not see how the fact of not establishing a business relationship would indicate an AML risk.
The same paragraph, indent e) refers to customers issuing bearer shares. We propose to specify that the issuance of bearer shares to hide beneficial ownership presents a risk in itself. While an indication of a maximum percentage of bearer shares may not be appropriate, we wonder whether or not this statement could be linked to the concept of beneficial ownership. We also propose that the “asset holding vehicles” under Paragraph 2.6f) be defined.
Paragraph 2.6l), page 35 - It is questioned whether or not a non-resident customer could be provided with better service somewhere else. However, we do not understand the logic of linking this question to the non-residency of clients, as the same comment might apply to the resident clients. Such criteria based on the residence of an EU client is in any case not in compliance with the EU basic principles of non-discrimination, freedom of movement, free provision of services and free movement of capital.
Para 2.7 c), page 36 - The text should be more precise. Indeed, the reference to ‘countries where groups committing terrorist offences are known to be operating, that are known to be sources of terrorist financing’ could mean that this includes most countries in Western Europe. The fact that a country experiences a terrorist attack should not result in it being automatically treated as high risk.
Para 2.9(c), page 37 – Firms should identify the countries and geographical areas in which a customer or its beneficial owner conducts business as part of their initial CDD and ongoing monitoring. However, requesting them to consider the risk associated with countries and geographical areas to which the customer or the beneficial owner has ‘relevant personal or business links, or financial or legal interest’ means that they can only rely on screening and doing research on the internet, which is not necessarily a guarantee of reliable information. Moreover, some customers having links to high risk countries and geographical areas may also be reluctant to provide details. We would suggest that more guidance is provided in this regard.
Para 2.10(d), page 37 – We would suggest to amend the sentence as follows: ‘legal arrangement that has a structure or functions similar to trusts’.
Paragraph 2.11, page 37 - The Joint Guidelines assume an equivalence between the FATF itself and its regional bodies. We would like this statement to be clearly stated by the Joint Guidelines, as a matter of principle and in the interest of legal certainty.
Para 2.11(b), page 38 - The text of footnote 15 is missing.
Para 2.21, page 41 – See our comment above regarding the face-to-face definition.
Para 2.21, c) iv, d, page 42 – it must be noted that it would be difficult for the firm to satisfy itself that the level of CDD applied by the third party is commensurate to the ML/TF risk associated with the business relationship. In our view this requirement goes further than the directive.
We consider that these guidelines are conducive to competent authorities effectively monitoring firms’ compliance with applicable AML/CFT requirements in relation to individual risk assessments and the application of both simplified and enhanced customer due diligence measures. It’s crucial to be able to understand what the risks of money laundering are in order to adapt CDD measures to different situations. This requires determining the areas where the risk is higher whilst applying enhanced due diligence and giving the possibility to apply simplified due diligence when risks are lower.
It is important to adjust the CDD measures of Guideline 4 applying for all firms when identifying and verifying information regarding beneficial ownership, as we believe further proportionality should be reflected in particular in cases of lower risk. In particular, this should apply to the requirements for the identification and the assessment of the beneficial owner. The difficulties for professionals are multiple, as firms do not have in various cases any direct link to the beneficial owner. We therefore support EFAMA’s following position in this regard: customers with a shareholding of less than 25 % plus one share or an ownership interest of less than 25 % in the customer should fall in a lower risk case, which is also in line with AMLD provisions and the FATF recommendations concerning the definition of beneficial ownership. This should therefore be reflected in a more proportionate way in the identification and verification measures. (see proposal below, new paragraph 4.41 b)).
Para 4.7 d), page 45 – Reference should be made to paragraph 4.12 d) to reflect the risk sensitivity of the requirements regarding the verification of beneficial owners.
Para 4.12 (c), page 46 – Article 13(1)(b) of the Directive only provides for firms to take reasonable steps to verify the customer’s identity and to take reasonable measures to understand the ownership and control structure of the customer. In our view the guidance goes beyond this requirement. We therefore suggest replacing the words “all necessary steps” by the words “all reasonable steps”.
Para 4.16, page 47 – In order to reflect the formulation of Article 33 (1) of 4AMLD, the ‘and’ in line two should be an ‘or’. We have doubts however as to whether this rule applies to suspicions arising from the ownership and control structure of a customer as such.
Para 4.17, page 47 - Identifying persons who may exercise control by other means via close family relationships, historical or contractual associations or using/enjoying/benefiting from the assets of the customer can prove difficult at the initial stages of CDD. Close associates, in the case of PEPs, can only be reasonably identified. We support EFAMA’s view that ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of the relationship would be more realistic measures.
Para 4.19, page 47 – This paragraph goes beyond the requirement contained in Article 13(1)(b) of the Directive, which provides that customer due diligence measures shall comprise ‘identifying the beneficial owner and taking reasonable measures to verify that person's identity’ (…).
Para 4.25, page 48 – The Joint Guidelines should confirm that so-called "indirect PEPs", i.e. PEP sitting on the Board and acting as Director of a corporate or public or governmental body, are out of scope and should not be subject to EDD, except in situations where the PEP has full power to manage at his own discretion the corporate entity or the governmental body considered. This may be controlled in the articles of the corporation or signatory powers of the entity.
Para 4.26 – What does “remotely” mean?
Para 4.27 – We would welcome clarifications and guidance on the notion of “degrees of reliability”.
We would support EFAMA’s suggestion to add a new Para 4.41 b) as follows, in order to set out standards relating specifically to the information to be collected relating to the beneficial owners of customers, as opposed to the customers themselves:
iii. In low risk situations, through the application of SDD in accordance with Para 4.41, the quantity of information received for the purpose of identifying beneficial owners of customers, and proxies may be adjusted. For beneficial owners, this should only take place where no person holds [25%] or more of the shares or voting rights (direct or indirect) of the customer and the senior managing official(s) has/have been identified as the beneficial owner in accordance with Para 4.19 to 4.22.
Para 4.46 – Enhanced Due Diligence 4.46 describes the specific cases that firms must always treat as high risk, quoting Articles 20-24 of 4MLD. Articles 20-24 refer to Enhanced Due Diligence and do not specifically prescribe a high risk rating. Particularly in the case of PEPs, it is important that firms have the ability to apply risk ratings to PEPs given the different risks associated with PEPs displaying differing risk attributes. Whilst acknowledging that EDD must always be applied, this should not consequently default to a high risk rating with certain categories of customer such as PEPs.
Para 4.57, page 57 – Please see our comment above regarding Para 4.17.
Para 4.60 & 4.61, page 57 and 58 – We would recommend not to modify the existing text of paragraph 4.60 (old paragraph 56), which provides that where a firm detects transactions that are unusual and the firm is not aware of an economic rationale or lawful purpose or doubts the veracity of the information it has been given, it must apply EDD measures. Firms should be able to assess whether to perform such enhanced monitoring of the relationship in accordance with 4.61(b).
As for Paragraph 8.13, we question why CDD questionnaires would not help correspondents comply with their CDD obligations. As these questionnaires aim at assessing the AML framework of respondent banks, we question why they are no longer considered as being part of the respondent’s assessment. Professionals extensively use these questionnaires. We recommend that under this point it is clarified what is likely to help correspondents comply with their CDD obligations.
Under Paragraph 8.17b), firms are obliged to assess the quality of supervision. For this purpose the firms may consult FATF reports. However Joint Guidelines should nevertheless consider that some countries have not been evaluated by FATF recently and provide more practical guidance on this matter.
Para 16.3 a) – We do not agree that the access to retail funds “is often easy”, as access to such financial instruments does often happen via regulated financial institutions.
Retail funds are usually internationally distributed through intermediaries; there are one or several layers in between the investment fund and the end investor.
Para 16-9 – We would suggest to extend this paragraph to government agencies in non-EU jurisdictions which the firm assesses as having AML/CFT controls no less robust than Directive (EU) 2015/849 and add listed companies as well.
We recommend to clarify what is meant by the “customer is an institutional investor whose status has been verified by an EEA government agency”.
16-11 a) We suggest to add listed companies.
Para 16.13 – the word ‘investor’ in line 6 should actually be ‘customer’.
Para 16.14 – The definitions of customers should be aligned:
Regarding point a):
Why doesn’t the definition state “a natural or legal person who directly purchases units of or shares in a fund on their own account, and not on behalf of other, underlying investors” as opposed to “natural or legal person who is registered in the fund’s share/units register in its own name”?
For the definition of who is the customer under point a), why does it matter whether or not the person acts on his own behalf? Even if he did not act on his own behalf, he would still be considered the customer and the underlying person the UBO.
Regarding point b):
Same comment as under point a:
b) a firm that, as part of its economic activity, is registered in the fund’s share/units register and exercises control over the investment for the ultimate benefit of one or more third parties who do not control the investment or investment decisions;
Regarding point d):
“a firm’s customer, for example a financial intermediary’s customer, where the firm is not registered in the fund’s share/units register (e.g. because the investment fund uses a financial intermediary to distribute fund shares or units, and the investor purchases units or shares through the firm and is registered in the fund’s share/units register)”
Does it mean that the firm, which acts on behalf of an underlying customer, is not a customer of the Fund?
Para 16.17 and 16.20 - There seems to be a mismatch between this paragraph and paragraph 16.20, to the extent the SDD measures set out in 16.20 may be applied to intermediaries in third country jurisdictions with AML requirements no less robust than the EU AML Directive, whereas 16.17 seems to apply EDD to all third-country intermediaries having established a relationship similar to correspondent banking. The reference on intermediaries should also include 8.18 and 8.19 rather than stopping at 8.17 for consistency. There is no specific reason to be more restrictive in this chapter when applying measures to respondents.
We suggest to change para 16.20 as follows:
“(…) The fund or fund manager should also take risk sensitive measures to identify, and where relevant verify the identity of customers of the financial intermediary that invest in the fund, as these customers may increase the implied risk associated with the intermediary. Funds or fund managers may apply SDD measures similar to those described in Title I of these guidelines, subject to the following conditions:”
We also consider that the obligation outlined in indent e) to “take risk-sensitive steps to be satisfied that the intermediary will provide the CDD information and documents on the underlying investors immediately upon request” is not achievable in a certain number of jurisdictions where the funds are distributed, in particular for data protection and bank secrecy reasons. We would therefore support EFAMA’s suggestion to reformulate the text as follows:
“The fund or fund manager has taken risk-sensitive steps to be satisfied that the intermediary will provide, where relevant, CDD information and documents on the underlying investors upon request in a reasonable manner and timeframe, for example by including relevant provisions in a contract with the intermediary or by sample-testing the intermediary’s ability to provide CDD information upon request.”
Para 16.22 – It should be clarified whether this paragraph relates to the scenario described in paragraph 16.14d) or to any other type of situation.