Is there the expectation that such consent clauses, under Article 4 of the Delegated Regulation, be incorporated into contracts on a go-forward basis from the date the Regulation entered into force (i.e. with new customers and existing customer contract renewals) or is there the expectation that all existing customer contracts will be remediated to meet this requirement? What approach should be used with former customers?
According to Article 4 of the EU Delegated Regulation 2019/758, branches and majority-owned subsidiaries (in third countries) of credit and financial institutions must attempt to obtain the consent of the customer where a third country's law prohibits or restricts the sharing or processing of customer data within the group for AML/CFT purposes.
It is unclear if the requirements in this Article are to be applied retroactively (e.g. via a remediation exercise) or only on a go-forward basis. It is also unclear if former customers are in scope (where the likelihood is high that consent could be rejected) and the term to implement the Delegated Regulation (3 months) is too short to get the consent of such customers.
Article 8 of Directive (EU) 2015/849 (AMLD) requires obliged entities to put in place and maintain policies and procedures to identify, assess and manage the Money Laundering (ML)/Terrorist Financing (TF) risk to which they are exposed.
ML/TF risk management is an ongoing process. Article 8 of the AMLD explicitly requires obliged entities' ML/TF risk assessments to be ‘kept up-to-date’. Further, Article 14(5) of the AMLD requires obliged entities to ‘apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis’.
Consequently, credit institutions and financial institutions should take steps to ensure that they comply with the legal AML/CFT obligations in relation to all business relationship, irrespective of when these business relationships commenced. When applying new AML/CFT controls to existing business relationships, credit institutions and financial institutions should take a risk-sensitive approach. For example, by extending new AML/CFT controls to ‘higher risk’ business relationships in the first instance.
Article 45 of the AMLD requires obliged entities that are part of a group to implement group-wide policies and procedures. These group-wide AML/CFT policies and procedures include policies and procedures for sharing information within the group for AML/CFT purposes. Sharing customer data within the group supports effective, ongoing ML/TF risk identification and management at the level of the group. It is also necessary to enable competent authorities effectively to supervise the group's compliance with the AMLD’s requirements.
Article 4 of the Commission Delegated Regulation (EU) 2019/758 sets out the requirements for credit institutions and financial institutions, that are part of a group, where a third country’s law limits the group's ability to access, process or exchange information related to customers of branches or majority-owned subsidiaries in the third country. This includes requiring customers and their beneficial owners to consent to their data being shared within the group.
In light of the considerations set out above, where the Delegated Regulation applies and where:
the credit institution or financial institution has to take steps to amend the customer’s contract in line with the provisions in Article 4(1)(c) of the Delegated Regulation. Until then, the credit institution or financial institution should follow the steps set out in Article 4(2) of the Delegated Regulation.