Does the term of outsourcing (paragraphs 12 and 26) of EBA GL/2019/02 include performing of customer due diligence by third parties under Section 4 of the AMLD4, i.e. whether or not the application of GL/2019/02 to Performance by third parties would be in violation of the AMLD4?
Paragraph 12 of EBA /GL/2019/02 defines outsourcing as an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.
Paragraph 28 of EBA /GL/2019/02 stipulates what should not be consider as outsourcing.
Additionally, paragraph 33 of EBA /GL/2019/02 regulates that institutions and payment institutions, taking into account the principle of proportionality, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements.
Paragraph 26 of EBA/GL/2019/02 regulates that institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself.
However, Section 4 of the AMLD4 regulates performance by third parties and Article 29 of the AMLD4 stipulates that Section 4 shall not apply to outsourcing or agency relationships where, on the basis of a contractual arrangement, the outsourcing service provider or agent is to be regarded as part of the obliged entity.
Recital 35 AMLD4 clarifies that, in order to avoid repeated customer identification procedures, leading to delays and inefficiency in business, it is appropriate, subject to suitable safeguards, to allow customers whose identification has been carried out elsewhere to be introduced to the obliged entities. Where an obliged entity relies on a third party, the ultimate responsibility for customer due diligence should remain with the obliged entity to which the customer is introduced. The third party, or the person that has introduced the customer, should also retain its own responsibility for compliance with AMLD4, including the requirement to report suspicious transactions and maintain records, to the extent that it has a relationship with the customer that is covered by AMLD4.
Recital 36 AMLD4 clarifies that in the case of agency or outsourcing relationships on a contractual basis between obliged entities and external persons not covered by AMLD4, any AML/CFT obligations upon those agents or outsourcing service providers as part of the obliged entities could arise only from the contract between the parties and not from AMLD4. Therefore the responsibility for complying with AMLD4 should remain primarily with the obliged entity.
Additionally, in EBA Report on potential impediments to the cross-border provision of banking and payment services (part 5. AML/CFT) it is stated that: "AMLD4 allows institutions to place reliance on third parties to fulfil certain CDD obligations. However, some Member States have limited the use of third party reliance through their national legislation by, for example, requiring that the third parties comply with the same requirements as those applicable domestically, or that an initial identification of a customer which was carried out by a third party is not older than 24 months. The AMLD4 is clear that this arrangement should not be confused with outsourcing, which is governed by a contractual relationship between the parties".
The definition of “Outsourcing” in the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) does not include the performance by third parties under Chapter II, Section 4 of Directive (EU) 2015/849 (AMLD).
This is in line with Article 29 AMLD, which states that its section 4 on third party performance does not apply to outsourcing or agency relationships where, on the basis of a contractual arrangement, the outsourcing service provider or agent is to be regarded as part of the obliged entity.
In an outsourcing arrangement, the service provider:
• may or may not be a supervised entity;
• does not have a business relationship with the customer;
• applies CDD measures to the customer on the institution’s behalf and in line with the institution’s own procedures and instructions.
By contrast, in a third party reliance scenario, the third party:
• is subject to requirements consistent with those set out in the AMLD, and is supervised for compliance with these requirements;
• has their own business relationship with the customer, which is independent from the business relationship the relying institution has with the customer;
• applies CDD measures to the customer in line with its own processes in compliance with its own AML/CFT obligations.
This means that the measures institutions should take to comply with their legal and regulatory obligations on outsourcing will differ from those they should take to comply with Section 4 of the AMLD, and that consequently, the application of EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) is not sufficient, per se, to satisfy the conditions for third party reliance set out in the AMLD.
For guidance on the factors financial institutions should consider when assessing whether a third party is ‘reliable’ for the purpose of Section 4 of the AMLD, reference should be made to Guideline 2.21 of the EBA’s Guidelines on Money Laundering and Terrorist Risk Factors (EBA/GL/2021/02).
Paragraph 115 of the EBA Report on potential impediments to the cross-border provision of banking and payment services, October 2019, is also relevant in this context.