Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Go back
We suggest including the obligation to have the documents available in a digital manner and at least in an English version, in addition to the adjustments of the Draft Guidelines.
We experience many international banks have branches located in various countries. For example, at branches from international banks located in the Netherlands, the relevant documents are neither in Dutch nor in English, and in some instances the documents are only available in hard copy.
Not having an English and/or a digital version available either undermines or delays the understanding of the quality and completeness of the documents by the firms and competent authorities. Due to the obvious international characteristic of combatting Financial Crime and we consider it would be reasonable to require these documents to be digital and in English.
2. In relation to Guideline 1.7:
We would recommend to not include a strict timeline of each calendar year for every firm but include a more flexible timeframe based on the size and complexity of the firms’ business.
The outcome of this business-wide risk assessment should naturally result in the implementation of appropriate measures against these newly identified risks in the systems and controls. Depending on how complex the system and control framework of the firm in question, an obligation to perform the assessment every year could result in an inequitable burden on larger firms. On the other hand, the business-wide risk assessment should not become a mere formality since we feel the assessment update and implementation of the assessment outcome are to be considered part of the required end-to-end process and feedback loop.
3. In relation to Guideline 1.9
We suggest to provide more clarity regarding what kind of measures, according to this guideline, are expected from firms.
The type of engagement suggested under sub c) seems like a commitment outside of the firm’s control. For a firm to fulfill this commitment, it would depend on the cooperation of the other parties involved. It is also not clear to us how compliance with this guideline could be measured.
4. In relation to Guideline 1.27:
We recommend, to ensure clarification, that there are minimum standards that nevertheless need to be met. One way in which we feel this can be done is by referring to Guideline 1.21-1.22.
We recommend clarifying whether Guideline 2.7 a) should be considered as an illustration of how firms could better identify terrorist financing risks, or alternatively as a minimum standard firms’ should meet. If the latter applies, we recommend specifying what level of investigations is being expected from the firms. We suggest to not require firms to conduct research on whether there is a personal or professional link to the account owner, but to require them to respond when red flags indicate these links.
The identification of persons living with or having a relationship with a person included in the in guideline 2.7 a) mentioned list is complex. The most obvious way to identify these persons is with joint account holders and (potentially) specific Transaction Monitoring business rules to detect such persons through transactional behavior. Under the section titled, ‘Rationale’ it is stated that Guideline 2.7 has been added to help firms to better identify the risk factors associated with the nature and behavior of a customer or a beneficial owner’s nature that could point out to increase terrorist financing risk. Without aforementioned clarifications, we believe this objective is not fully reached.
We suggest to clarify the phrasing of words in 4.12 (c) and 4.13 and to use more definitive language.
With more complete clarity, potential confusion with respect to the guidelines for beneficial ownership verification can be prevented. This also prevents varying interpretations and enables a consistent application of the guidelines.
2. In relation to Guideline 4.12c:
First we suggest in the example reference should be made to additional sources of verifiable documentation / use of electronic validation and remove the reference to beneficial ownership registries.
Second, we suggest to adjust the words ‘should consider’. The use of the words ‘should consider’ in 4.12(c) leads the reader to believe that beneficial ownership registries could be used as part of verification, whereas it does not mention other reliable methods of verification such as verifiable documentation / use of electronic validation.
This is important because obtaining documentary evidence/using electronic validation systems are the most common and more reliable methods to identify and verify beneficial ownership and should be mentioned in the first instance.
3. In relation to Guideline 4.13:
We suggest to adjust the word ‘may’. With respect to the use of central beneficial ownership registries, 4.13 states that ‘firms may have to take additional steps to identify and verify the beneficial owner’. The use of the word ‘may’ is not definitive and thus does not make clear that reliance on a UBO register alone is not permissible and thus other sources will need to be consulted as part of verification.
The EU AML Directives make it clear that beneficial ownership registries cannot be relied upon. It is also widely acknowledged that across member states, the information submitted to the registries is not, in most cases, subject to central review and validation to ensure accuracy. Therefore, in order to align to the requirements of the EU AML Directives and ensure reliance is not erroneously placed on registries, we suggest that the language used in guideline 4.13 is made more definitive to ensure This text is unequivocal to this effect.
4. In relation to Guideline 4.17:
We suggest to include further criteria or issue more complete guidance to determine whether someone who is benefiting from the assets, truly is a controller ‘through other means’.
Although we appreciate the underlying rationale and intention for documenting this, we consider that in practice it would be very difficult for a firm to determine whether someone who is benefiting from the assets, truly is a controller ‘through other means’, both during onboarding process and throughout a business relationship. Given no criteria are provided in the draft document, we assume firms would be expected to determine their own criteria. Without further criteria or more complete guidance, we feel the current articulation of guideline 4.17 could inadvertently result in firms overlooking this example.
5. In relation to Guideline 4.20:
First, we suggest to supplement point 4.20(b) with a clarification for the reader that, in case suspicion should arise, the firm should halt and potentially reconsider onboarding the customer. Such as:
Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF (in instances where suspicion does arise, the firm should halt and potentially reconsider the onboarding of a customer and file a suspicious activity report if required);
Second, we suggest to introduce, in section 4.20b), non-exhaustive examples of what type of situations could fall under this specification.
Section 4.20b) indicates the situations when a senior managing official can be identified in place of a beneficial owner. We understand that 4.20b) infers that a firm can only continue to identify the senior managing official if there are no suspicions on the failure to identify the true beneficial owner. It is however not completely clear that, in case suspicion should arise, the onboarding of the customer should stop and no senior managing official needs to be identified given a suspicious activity report needs to be filed.
From our experience, firms in practice find it very challenging to determine when it is plausible for a beneficial owner to not be identified that does not give rise to suspicion (aside from instances when there is no beneficial owner owning over 25% of the shares), and as such, do not often use this derogation permitted in the Directive. Introducing non-exhaustive examples into this section regarding what type of situations could fall under this specification would be beneficial for firms.
6. In relation to Guideline 4.31:
We suggest to replace the words ‘Electronic means of identification’ by ‘non-face to face situations’.
This sentence could be confusing to the reader and we believe the use of words ‘Electronic means of identification’ have been used in error and instead should state ‘non-face to face situations’.
7. In relation to Guideline 4.55:
We suggest to include wording to point out that the aspects mentioned under 4.55 a) to e) are not exhaustive and that member states may have defined their own criteria which may go further than this. As a result, firms should also be encouraged to refer to their own member state requirements and guidance.
Given that the EU Directives enable flexibility in transposition into member state legislation, it should be noted that member states have their own definitions on what situations are classed as meeting criteria for a business relationship that is ‘involving a high-risk third country’ (for example in the UK, legislation also states that a legal person with a principal place of business in a high- risk third country would also be applicable for EDD application).
Since preparing our response, on the 7th of May 2020 the European Commission has released its action plan on furthering the fight against money laundering and terrorist financing which includes plans to increase the high risk third country list (to match the FATF list) and also potentially amend the requirement to be regulation rather directive in order to avoid member states implementing this inconsistently.
We believe the threshold of being ‘sufficient’ is too vague and could leave room for too much differentiation and interpretation between the firms and local competent authorities.
For example, guidance could be given about the accessibility of the documents or Suggested record keeping duration which may or may not be subject to GDPR considerations.
We feel it will be useful to include additional clarification in this guideline.
From the current wording, we feel it is unclear whether the effectiveness of controls have to be tested regularly, and if so by whom (for example the 1st/2nd line of defense) In addition, we feel it will be useful to clarify whether there is an expectation that financial crime controls need to be included in considerations of the scope of internal audit plans.
We feel it is useful to clarify whether these requirements are also subject to the annual review as referenced in Guideline 1.7.
We feel the relation between Guideline 1,7 and Guideline 8 is not sufficiently clear. This response relates to Guideline 8 in general and not only to the amendments proposed in this consultation paper.
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
N/AQuestion 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
1. In relation to Guideline 1.4:We suggest including the obligation to have the documents available in a digital manner and at least in an English version, in addition to the adjustments of the Draft Guidelines.
We experience many international banks have branches located in various countries. For example, at branches from international banks located in the Netherlands, the relevant documents are neither in Dutch nor in English, and in some instances the documents are only available in hard copy.
Not having an English and/or a digital version available either undermines or delays the understanding of the quality and completeness of the documents by the firms and competent authorities. Due to the obvious international characteristic of combatting Financial Crime and we consider it would be reasonable to require these documents to be digital and in English.
2. In relation to Guideline 1.7:
We would recommend to not include a strict timeline of each calendar year for every firm but include a more flexible timeframe based on the size and complexity of the firms’ business.
The outcome of this business-wide risk assessment should naturally result in the implementation of appropriate measures against these newly identified risks in the systems and controls. Depending on how complex the system and control framework of the firm in question, an obligation to perform the assessment every year could result in an inequitable burden on larger firms. On the other hand, the business-wide risk assessment should not become a mere formality since we feel the assessment update and implementation of the assessment outcome are to be considered part of the required end-to-end process and feedback loop.
3. In relation to Guideline 1.9
We suggest to provide more clarity regarding what kind of measures, according to this guideline, are expected from firms.
The type of engagement suggested under sub c) seems like a commitment outside of the firm’s control. For a firm to fulfill this commitment, it would depend on the cooperation of the other parties involved. It is also not clear to us how compliance with this guideline could be measured.
4. In relation to Guideline 1.27:
We recommend, to ensure clarification, that there are minimum standards that nevertheless need to be met. One way in which we feel this can be done is by referring to Guideline 1.21-1.22.
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
In relation to Guideline 2.7:We recommend clarifying whether Guideline 2.7 a) should be considered as an illustration of how firms could better identify terrorist financing risks, or alternatively as a minimum standard firms’ should meet. If the latter applies, we recommend specifying what level of investigations is being expected from the firms. We suggest to not require firms to conduct research on whether there is a personal or professional link to the account owner, but to require them to respond when red flags indicate these links.
The identification of persons living with or having a relationship with a person included in the in guideline 2.7 a) mentioned list is complex. The most obvious way to identify these persons is with joint account holders and (potentially) specific Transaction Monitoring business rules to detect such persons through transactional behavior. Under the section titled, ‘Rationale’ it is stated that Guideline 2.7 has been added to help firms to better identify the risk factors associated with the nature and behavior of a customer or a beneficial owner’s nature that could point out to increase terrorist financing risk. Without aforementioned clarifications, we believe this objective is not fully reached.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CCD measures to be applied by all firms?
1. In relation to both Guideline 4.12c and 4.13:We suggest to clarify the phrasing of words in 4.12 (c) and 4.13 and to use more definitive language.
With more complete clarity, potential confusion with respect to the guidelines for beneficial ownership verification can be prevented. This also prevents varying interpretations and enables a consistent application of the guidelines.
2. In relation to Guideline 4.12c:
First we suggest in the example reference should be made to additional sources of verifiable documentation / use of electronic validation and remove the reference to beneficial ownership registries.
Second, we suggest to adjust the words ‘should consider’. The use of the words ‘should consider’ in 4.12(c) leads the reader to believe that beneficial ownership registries could be used as part of verification, whereas it does not mention other reliable methods of verification such as verifiable documentation / use of electronic validation.
This is important because obtaining documentary evidence/using electronic validation systems are the most common and more reliable methods to identify and verify beneficial ownership and should be mentioned in the first instance.
3. In relation to Guideline 4.13:
We suggest to adjust the word ‘may’. With respect to the use of central beneficial ownership registries, 4.13 states that ‘firms may have to take additional steps to identify and verify the beneficial owner’. The use of the word ‘may’ is not definitive and thus does not make clear that reliance on a UBO register alone is not permissible and thus other sources will need to be consulted as part of verification.
The EU AML Directives make it clear that beneficial ownership registries cannot be relied upon. It is also widely acknowledged that across member states, the information submitted to the registries is not, in most cases, subject to central review and validation to ensure accuracy. Therefore, in order to align to the requirements of the EU AML Directives and ensure reliance is not erroneously placed on registries, we suggest that the language used in guideline 4.13 is made more definitive to ensure This text is unequivocal to this effect.
4. In relation to Guideline 4.17:
We suggest to include further criteria or issue more complete guidance to determine whether someone who is benefiting from the assets, truly is a controller ‘through other means’.
Although we appreciate the underlying rationale and intention for documenting this, we consider that in practice it would be very difficult for a firm to determine whether someone who is benefiting from the assets, truly is a controller ‘through other means’, both during onboarding process and throughout a business relationship. Given no criteria are provided in the draft document, we assume firms would be expected to determine their own criteria. Without further criteria or more complete guidance, we feel the current articulation of guideline 4.17 could inadvertently result in firms overlooking this example.
5. In relation to Guideline 4.20:
First, we suggest to supplement point 4.20(b) with a clarification for the reader that, in case suspicion should arise, the firm should halt and potentially reconsider onboarding the customer. Such as:
Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF (in instances where suspicion does arise, the firm should halt and potentially reconsider the onboarding of a customer and file a suspicious activity report if required);
Second, we suggest to introduce, in section 4.20b), non-exhaustive examples of what type of situations could fall under this specification.
Section 4.20b) indicates the situations when a senior managing official can be identified in place of a beneficial owner. We understand that 4.20b) infers that a firm can only continue to identify the senior managing official if there are no suspicions on the failure to identify the true beneficial owner. It is however not completely clear that, in case suspicion should arise, the onboarding of the customer should stop and no senior managing official needs to be identified given a suspicious activity report needs to be filed.
From our experience, firms in practice find it very challenging to determine when it is plausible for a beneficial owner to not be identified that does not give rise to suspicion (aside from instances when there is no beneficial owner owning over 25% of the shares), and as such, do not often use this derogation permitted in the Directive. Introducing non-exhaustive examples into this section regarding what type of situations could fall under this specification would be beneficial for firms.
6. In relation to Guideline 4.31:
We suggest to replace the words ‘Electronic means of identification’ by ‘non-face to face situations’.
This sentence could be confusing to the reader and we believe the use of words ‘Electronic means of identification’ have been used in error and instead should state ‘non-face to face situations’.
7. In relation to Guideline 4.55:
We suggest to include wording to point out that the aspects mentioned under 4.55 a) to e) are not exhaustive and that member states may have defined their own criteria which may go further than this. As a result, firms should also be encouraged to refer to their own member state requirements and guidance.
Given that the EU Directives enable flexibility in transposition into member state legislation, it should be noted that member states have their own definitions on what situations are classed as meeting criteria for a business relationship that is ‘involving a high-risk third country’ (for example in the UK, legislation also states that a legal person with a principal place of business in a high- risk third country would also be applicable for EDD application).
Since preparing our response, on the 7th of May 2020 the European Commission has released its action plan on furthering the fight against money laundering and terrorist financing which includes plans to increase the high risk third country list (to match the FATF list) and also potentially amend the requirement to be regulation rather directive in order to avoid member states implementing this inconsistently.
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
In relation to Guideline 5.2:We believe the threshold of being ‘sufficient’ is too vague and could leave room for too much differentiation and interpretation between the firms and local competent authorities.
For example, guidance could be given about the accessibility of the documents or Suggested record keeping duration which may or may not be subject to GDPR considerations.
Question 6: Do you have any comments on Guideline 6 on training?
N/AQuestion 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?
In relation to Guideline 7.1:We feel it will be useful to include additional clarification in this guideline.
From the current wording, we feel it is unclear whether the effectiveness of controls have to be tested regularly, and if so by whom (for example the 1st/2nd line of defense) In addition, we feel it will be useful to clarify whether there is an expectation that financial crime controls need to be included in considerations of the scope of internal audit plans.
Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?
In relation to Guideline 8:We feel it is useful to clarify whether these requirements are also subject to the annual review as referenced in Guideline 1.7.
We feel the relation between Guideline 1,7 and Guideline 8 is not sufficiently clear. This response relates to Guideline 8 in general and not only to the amendments proposed in this consultation paper.