Background

On 14 May 2019 Commission Delegated Regulation (EU) 2019/758 (the "Regulation") was published in the Official Journal of the European Union. The Regulation supplements the Fourth EU Money Laundering Directive ("the Fourth Directive") and will apply from 3 April 2019.

The Fourth Directive requires credit and financial institutions to implement group-wide anti-money laundering and counter-terrorist financing ("AML/CTF") policies and procedures, including policies and procedures for sharing information within the group. These policies and procedures must be implemented effectively at the level of branches and subsidiaries outside the EU ("third countries").

Where branches or subsidiaries are located in third countries in which local law does not permit the application of some or all of the group's AML/CTF policies, for example because the sharing of customer information within the group conflicts with local data protection or banking secrecy requirements, then additional measures are required to be taken to effectively handle the resultant money-laundering or terrorist financing risk.

The Fourth Directive delegated authority to the European Commission to adopt regulatory technical standards specifying what additional measures are required to be taken. These regulatory technical standards are now set out in the Regulation.

Scope

The Regulation sets out the type of additional measures and minimum actions which are required to be taken where the local law of a third country does not permit the implementation of group-wide AML/CTF policies and procedures. For example, where the sharing of customer-specific information within the group conflicts with local data protection or banking secrecy requirements.

General obligations applicable to each third country

For every third country in which a credit or financial institution has established a branch or subsidiary it is required to:

(a) assess AML/CTF risk, record it and keep it up-to-date;

(b) reflect that risk assessment in its group-wide AML/CTF policies and procedures;

(c) obtain senior management approval at group level for the risk assessment and updated policies and procedures; and

(d) provide targeted, effective AML/CTF training to relevant staff in the third country.

Individual AML/CFT risk assessments

Where the law of a third country restricts or prohibits the application of group policies and procedures to adequately assess customer risk the credit or financial institution is required to:

(1) inform the competent authority of its home state within 28 days of the name of the third country and how the third country's law prohibits or restricts the application of the policies and procedures;

(2) determine whether customer consent may be used to overcome the restrictions;

(3) ensure that their branch or subsidiary in the third country requires its customers to give consent to overcome the restrictions to the extent it is legally possible; and

(4) where consent is not feasible, take additional AML/CTF measures including one or more of the measures at (a) to (c) and (g) to (i) in the section below headed "The Additional Measures".

Customer data sharing or processing

Where the law of a third country restricts or prohibits the sharing or processing of customer data within the group for AML/CTF purposes, the credit or financial institution is required to take the same steps described above, save that the additional measures to be taken in the event that consent is not feasible shall in these circumstances include the measures at either (a) or (c) in the section below headed "Additional Measures". Also, where the AML/CTF risk is deemed sufficiently high to require further measures, then one or more of the remaining measures at (a) to (c) must be applied.

Record keeping

Where the third country's laws restrict or prohibit the application of adequate AML/CTF record-keeping measures, the credit or financial institution is required to take the same steps described above, save that the additional measures to be taken in the event that consent is not feasible shall in these circumstances include one or more of the measures below at (a) or (c) and (j) below.

Disclosure of information related to suspicious transactions

Where the law of a third country restricts or prohibits the sharing of information in relation to suspicious transactions within the group, the credit or financial institution is required to:

(1) inform the competent authority of its home state within 28 days of the name of the third country and how the third country's law prohibits or restricts the application of the policies and procedures;

(2) require the branch or subsidiary to provide relevant information to group senior management so that it is able to assess the risk (e.g. the number of suspicious transactions reported and data on the relevant circumstances); and

(3) take additional measures to include one or more of the measures at (a) to (c) and (g) to (i) below.

Transfer of customer data to the EU

Where the law of a third country restricts or prohibits the transfer of data related to customers of the third country branch or subsidiary within the group for the purpose of AML/CTF supervision, the credit or financial institution is required to:

(1) inform the competent authority of its home state within 28 days of the name of the third country and how the third country's law prohibits or restricts the application of the policies and procedures;

(2) carry out enhanced reviews, including where appropriate onsite checks or independent audits and provide the findings to its home state competent authority upon request;

(3) require the branch or subsidiary to provide regular relevant information to group senior management, including at least:

a. the number of high risk customers and the reasons they are high risk; and

b. the number of suspicious transactions identified and the circumstances giving rise to the suspicion; and make that information available to the home state competent authority upon request.

The Additional Measures

The additional measures set out in the regulation which are required to be taken in the circumstances described above are as follows:

(a) restricting the nature and type of financial products provided by the branch/subsidiary;

(b) ensuring other entities in the same group do not rely on customer due diligence carried out by the branch/subsidiary;

(c) carrying out enhanced reviews, including onsite checks and independent audits;

(d) ensuring approval from group senior management is sought for higher risk transactions;

(e) ensuring the branch/subsidiary determines the source and destination of funds;

(f) ensuring the branch/subsidiary carries out enhanced ongoing AML/CTF monitoring;

(g) ensuring the branch/subsidiary shares underlying suspicious transaction report information with the group including the facts and documents giving rise to the suspicion;

(h) carrying out enhanced ongoing monitoring of any customer of the branch/subsidiary or the customer's beneficial owner who has been the subject of suspicious transaction reports made by other group entities;

(i) ensuring the branch/subsidiary has effective systems and controls are in place for identifying and reporting suspicious transactions;

(j) ensuring the branch/subsidiary keeps customer risk profiles and due diligence information up to date and secure as long as legally possible.

Conclusion

It should be noted that most third countries' legal systems will not prevent groups from implementing group-wide AML/CTF policies and procedures, in which case the additional measures set out in the Regulation will not be required. However, unless or until the European Supervisory Authorities produce a list of relevant third countries, then it will be up to each individual group to make its own determination.

Where additional measures under the Regulation are required to be taken then the extent of such measures needs to be determined upon a risk-sensitive basis and the group needs to be able to demonstrate to its competent authority that the extent of the measures is appropriate. If the AML/CTF risk cannot be effectively managed by applying the additional measures then some or all of the operations of the branch or subsidiary are required to be closed down.

The Regulation will apply from 3 September 2019.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.