• PRO
  • Events
  • About Blog Popular
  • Login
  • Register
  • PRO
  • Resources
    • Latest updates
    • Q&A
    • In-depth
    • In-house view
    • Practical resources
    • FromCounsel New
    • Commentary
  • Research tools
    • Global research hub
    • Lexy
    • Primary sources
    • Scanner
    • Research reports
  • Resources
  • Research tools
  • Learn
    • All
    • Webinars
    • Videos
  • Learn
  • Experts
    • Find experts
    • Influencers
    • Client Choice New
    • Firms
    • About
    Introducing Instruct Counsel
    The next generation search tool for finding the right lawyer for you.
  • Experts
  • My newsfeed
  • Events
  • About
  • Blog
  • Popular
  • Find experts
  • Influencers
  • Client Choice New
  • Firms
  • About
Introducing Instruct Counsel
The next generation search tool for finding the right lawyer for you.
  • Compare
  • Topics
  • Interviews
  • Guides

Analytics

Review your content's performance and reach.

  • Analytics dashboard
  • Top articles
  • Top authors
  • Who's reading?

Content Development

Become your target audience’s go-to resource for today’s hottest topics.

  • Trending Topics
  • Discover Content
  • Horizons
  • Ideation

Client Intelligence

Understand your clients’ strategies and the most pressing issues they are facing.

  • Track Sectors
  • Track Clients
  • Mandates
  • Discover Companies
  • Reports Centre

Competitor Intelligence

Keep a step ahead of your key competitors and benchmark against them.

  • Benchmarking
  • Competitor Mandates
Home

Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Register now for your free, tailored, daily legal newsfeed service.

Questions? Please contact [email protected]

Register

CORPORATE CRIME BRIEFING: GROUP-WIDE AML/CTF COMPLIANCE: NEW OBLIGATIONS FOR FIRMS WITH OVERSEAS BRANCHES AND SUBSIDIARIES?

Herbert Smith Freehills LLP

To view this article you need a PDF viewer such as Adobe Reader. Download Adobe Acrobat Reader

If you can't read this PDF, you can view its text here. Go back to the PDF .

European Union January 29 2018

CORPORATE CRIME BRIEFING

GROUP-WIDE AML/CTF COMPLIANCE: NEW OBLIGATIONS FOR FIRMS WITH OVERSEAS BRANCHES AND SUBSIDIARIES?

In December 2017, the European Supervisory Authorities published a Report on draft Joint Regulatory Technical Standards ("RTS") on the measures that credit and financial institutions should take to manage money laundering risk in their non-EU overseas branches and subsidiaries. The RTS focusses on the measures that EU firms must adopt when local law prevents their branches and subsidiaries sharing information with them for anti-money laundering purposes. To date, the draft RTS has received little attention, but it is potentially of significant importance to firms with branches and subsidiaries in non-EU jurisdictions with strict banking secrecy or data privacy requirements, as it may require them to adopt new monitoring strategies and arrangements. In this briefing we summarise the background to and requirements of the draft RTS.

1. Background: Group-wide compliance

29 JANUARY 2018

London

Table of Contents

1. Background: Group-wide compliance

2. The approach of the draft Regulation

3. What is required by the draft Regulation?

4. Conclusion 5. Contacts

RELATED LINKS

Herbert Smith Freehills

Under the Third Money Laundering Directive1 ("3MLD"), Member States were obliged, by Article 31, to require credit and financial

Financial Services Regulation and Corporate Crime Notes

institutions to apply "in their branches and majority-owned subsidiaries located in third countries measures at least equivalent

Corporate Crime and Investigations

to those laid down in [3MLD] with regard to customer due diligence

and record keeping". Where the legislation of the third country did not permit the application of equivalent

measures, firms were to inform their competent authorities and take unspecified "additional measures" to

"effectively handle" the risk of money laundering or terrorist financing ("ML/TF").

The obligation was thus limited to requiring equivalence in relation to customer due diligence measures ("CDD") (including monitoring) and record-keeping. It was implemented in the UK by regulation 15 of the Money Laundering Regulations 2007 ("MLR 2007").

Under the Fourth Money Laundering Directive2 ("4MLD"), however, Member States must require firms to "implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes" which must be "implemented effectively" at branch

1 Directive 2005/60/EC of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing'.

2 Directive (EU) 2015/849 of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC'.

1

CORPORATE CRIME BRIEFING

HERBERTSMITHFREEHILLS

and subsidiary level (Article 31). Thus, the types of policies and procedures which must be rolled out group-wide has been extended.

As before, where a third country's laws do not allow implementation of EU-equivalent measures, firms must ensure that their branches/subsidiaries apply additional measures to effectively handle the risk and inform their competent authorities (who are empowered to exercise additional supervisory actions up to and including requiring the group to close down its operations in the third country).

In the UK, the provisions of 4MLD referred to above are implemented by regulation 20 of the MLR 20173, which require a relevant parent undertaking to, amongst other matters:

establish and maintain, throughout its group, policies, controls and procedures for data protection and sharing information with other group companies for ML/TF purposes;

ensure that information relevant to the prevention of ML/TF is shared as appropriate between group companies, subject to any restrictions on sharing information imposed by law;

"If any of the subsidiary undertakings or branches ... are established in a third country which does not impose requirements to counter [ML/TF] as strict as those of the UK... ensure that those subsidiary undertakings and branches apply measures equivalent to those required by these Regulations, as far as permitted under the law of the third country"; and

Where the law of the third country does not permit the application of such equivalent measures, inform its supervisor and take additional measures to handle the risk of ML/TF.

Importantly, by Article 45(6) of 4MLD, the European Supervisory Authorities ("ESAs") are required to develop a draft RTS specifying the type of "additional measures" credit and financial institutions4 should take in such circumstances. In July 2017, the ESAs consulted on those draft RTS. The draft has now been finalised and will be submitted to the Commission for approval. If adopted, it will be a Delegated Regulation, and therefore binding on firms. The Recitals to the draft Regulation set out that firms will be required to comply 3 months after it comes into force.

As explained below, the draft Regulation has a significant focus on intra-group information-sharing and is quite prescriptive (and, in some respects, quite onerous) as to the steps firms must take when information-sharing is not possible. Firms with branches or majority-owned subsidiaries in non-EU jurisdictions which restrict the sharing of information about customers or SARs, or which prevent effective risk-assessment or record-keeping, may therefore be subject to new compliance requirements as a result.

2. The approach of the draft Regulation

The ESAs Final Report on the draft RTS states that the ESAs are seeking to foster a consistent and harmonised approach to identifying and managing ML/TF risk arising from operations in third countries. The need for robust scrutiny of business relationships with customers in secrecy jurisdictions is also said to have been highlighted by firms' alleged complicity in facilitation of tax crimes, and failures to implement effective AML/CTF controls.

"Third countries" for these purposes are non-EU countries where local law "prohibits or restricts the implementation of some or all of the group-wide policies and procedures...put in place to comply with [4MLD]...including data protection policies and procedures for sharing information within the group for AML/CTF purposes..."5.

The draft RTS sets out minimum actions firms should take to address the risk posed in such circumstances.

The approach of the draft RTS is to impose a number of general obligations which firms must take in relation to all identified third countries, and then to focus on different areas of AML/CTF compliance: customer-level assessment of ML/TF risk, CDD measures, reporting of suspicious transactions, the sharing of information with supervisors, and record-keeping. In each case, the RTS either prescribes the measures firms must take where local law restricts compliance, or provides a 'pick list' of options to manage the relevant ML/TF risk.

3 The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692. 4 The regulation 20 group-wide obligations apply to all firms in the UK regulated sector, but the RTS apply only to credit and financial institutions. 5 For the avoidance of doubt, this is distinct from the concept of high risk third countries, which are required to be identified by the Commission

pursuant to Article 9 of 4MLD.

2

CORPORATE CRIME BRIEFING

HERBERTSMITHFREEHILLS

The RTS does not address the identification of which countries are "third countries", but clearly this will be a necessary first step for firms and, indeed, would in any event be required in order to comply with regulation 20 of the MLR 2017. To be clear, when used in the RTS, the term "third countries" does not mean all non-EU countries. Instead, firms will need to determine whether local law prevents any of their branches or majority-owned subsidiaries applying relevant group-wide policies and procedures, including in relation to information sharing which are then in "third countries" for the purpose of the RTS and take the relevant prescribed "additional measures", depending on the area of impediment.

Some respondees to the ESAs earlier consultation asked for a list of third countries to be published. The ESAs have declined for now, but have said they will consider whether it is possible to do so in the future. The ESAs Final Report does state that, in 2015, enquiries with supervisors, competent authorities and stakeholder groups did not suggest that there were cases where local laws prohibited the application of group-wide AML/CTF controls but that some respondents pointed out that firms' perception of data protection and banking secrecy laws stood in the way of exchanging customer data.

3. What is required by the draft Regulation?

As explained above, the draft RTS set out certain minimum steps that firms must take in relation to branches/subsidiaries in third countries, which in a number of cases include exploring whether customer consent could overcome legal obstacles to information-sharing. Where this is not feasible, "additional measures" to manage the AML/CTF risk are specified.

The ESAs Final Report makes clear that there is no expectation that firms will take all additional measures in all cases it will be down to each firm to determine the type and extent of measures needed to manage ML/TF risk. The draft RTS also makes clear that the extent of additional measures should be determined on a risk-sensitive basis, and their appropriateness should be capable of being demonstrated by the firm to its supervisor.

In the table below, we summarise the relevant mitigating steps, and the prescribed actions if these cannot be utilised to effectively manage the enhanced AML/CTF risk. Please refer to the later table for a fuller description of the Article 9 measures referred to below.

Article 3

4

Issue

Control

What if risk cannot be effectively managed?

General firms must take Assess the resultant ML/TF risk to the

N/A

at least these measures for

group, record that assessment, keep it up

all "third countries" (i.e.

to date, and ensure it is reflected in group-

countries where local law

wide AML/CTF policies and procedures

prohibits application of

some element of group-

wide policies and procedures 6)

Senior management at group level approve risk assessment and group-wide policies and procedures

Targeted training to relevant staff members

in the third country to enable them to

identify ML/TF risk indicators

Local law prohibits/restricts the identification and assessment of ML/TF risk associated with particular business relationships or transactions, due to restrictions on access to

Inform competent authority ("CA") within 28 Terminate the

days

business

Determine whether customer/UBO consent would overcome the issue; if so, require such consent if allowed under local law

relationship or ensure the transaction is not carried out; or

Where consent is not a feasible solution,

Close down some or

6 For these purposes, the relevant benchmark is the firm's own group-wide AML/CTF policies and procedures, not the requirements of 4MLD.

3

CORPORATE CRIME BRIEFING

HERBERTSMITHFREEHILLS

CDD or beneficial ownership ("UBO") information, or restrictions on the use of such information for CDD purposes

take the following Art.9 measures:

o (c) [enhanced review of branch/sub]; and

o one or more of: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance], (d) [senior management approval for higher risk relationships], (e) [branch/sub diligence on SOF], (f) [branch/sub enhanced monitoring]

all operations in the third country.

5 Local law prohibits/restricts Inform CA within 28 days

Close down some or

the sharing or processing of Attempt consent solution as above

all operations in the

customer data for AML/CTF Where consent is not feasible, take the

purposes within the group

following Art.9 measures:

third country.

o (a) [restrict services offered by branch/sub to low risk] or (c) [enhanced review of branch/sub]; and

o if the ML/TF risk is sufficient, one or more of the remaining measures at: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance] or (c) [enhanced review of branch/sub]

6 Local law prohibits/restricts Inform CA within 28 days

Close down some or

the sharing or processing of Branch/subsidiary to provide information to

information about

the firm's senior management so it can

suspicions that funds are

assess ML/TF risk and impact on the

criminal property or related

group, eg the number of SARs in a period,

to TF within the group

and aggregate statistical data on reasons

all operations in the third country.

for suspicion; and

Take one or more of the Art.9 measures:

(a) [restrict services offered by branch/sub

to low risk], (b) [no intra-group reliance], (c)

[enhanced review of branch/sub], (g) [share

information which led to SAR], (h) [enhance

monitoring of customer/UBO subject of

SAR] or (i) [branch/sub reporting systems].

7 Local law prohibits/restricts Inform CA within 28 days

Not specified.

the transfer of data relating to customers of the branch/subsidiary to a member state for AML/CTF supervision purposes

Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits, to be sure branch/subsidiary effectively implements group-wide policies and procedures and

adequately assesses/manages ML/TF risk

branch/subsidiary to provide relevant MI to

firm's senior management, including:

number of high risk customers; aggregate

information on reasons for high risk (eg

PEP status); number of SARs; aggregate

statistical data on reasons for suspicion

findings of review, and MI, to be provided

4

CORPORATE CRIME BRIEFING

HERBERTSMITHFREEHILLS

to competent authority on request.

8 Local law prohibits/restricts Inform CA within 28 days record-keeping equivalent Attempt consent solution as per (4)

Not specified.

to 4MLD standards

above

Where consent is not feasible, take one or

more of the Art.9 measures at: (a) [restrict

services offered by branch/sub to low risk],

(b) [no intra-group reliance], (c) [enhanced

review of branch/sub] or (j) [branch/sub up-

to-date data at least during relationship].

The Article 9 measures are as follows:

(a) Restrict the nature and type of financial products/services provided by the branch/subsidiary to those which present a low ML/TF risk and have a low impact on group's ML/TF exposure

(b) Ensure other group entities do not rely on CDD carried out by branch/subsidiary full CDD to be conducted, rather than intra-group reliance

(c) Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits to be satisfied the branch/subsidiary effectively identifies, assess and manages ML/TF risk

(d) Firm's senior management to approve branch/subsidiary's higher risk business relationships or higher risk occasional transactions

(e) Branch/subsidiary to determine source and where applicable destination of funds to be used in business relationship or occasional transaction

(f) Enhanced ongoing monitoring of relationship by branch/subsidiary, including transaction monitoring, until branch/subsidiary is reasonably satisfied it understands ML/TF risk

(g) Branch/subsidiary to share with firm information underlying the SAR (which gave rise to the suspicion), eg facts, transactions, circumstances, documents, including personal information where possible

(h) Enhanced ongoing monitoring on customer/UBO of the branch/subsidiary who is known to have been the subject of SARs by other group entities

(i) Branch/subsidiary to have effective systems and controls to identify and report SARs

(j) Branch/subsidiary to keep risk profile and CDD information up to date and secure as long as legally possible and in any case for duration of business relationship.

5

CORPORATE CRIME BRIEFING

HERBERTSMITHFREEHILLS

4. Conclusion

Whilst this may at first glance appear to be a somewhat niche topic, the practical implications for credit and financial institutions are obvious.

Many firms will not be affected by the new RTS either because their EU entities do not have overseas branches or subsidiaries, or because those branches and subsidiaries are not in third countries. For example, a bank in a non-EU jurisdiction (eg. in the US) which has sister subsidiaries in the UK and in a secrecy jurisdiction would not be covered by the RTS although, if the sister subsidiaries have common clients, the logic underlying the RTS would suggest that it would be sensible to consider, in the firm's risk assessment, whether any AML/CTF risk is posed by information-sharing difficulties and, if so, how that will be managed.

Firms that may be affected by the RTS may wish to start considering how they will approach the new requirements in particular, assessing whether they have branches and subsidiaries in "third countries" (as defined), what blocks there are to group-wide compliance, the ML/TF risk to which this gives, and whether customer consent is a feasible solution to address any risks arising and facilitate compliance with 4MLD/the MLR 2017. There may also be existing elements of firms' AML/CTF control framework which address some or all of the "additional measures" described above.

The trend to encourage greater information sharing, cooperation between supervisors and law enforcement agencies, and transparency of UBO information is something that will have greater prominence under the Fifth Money Laundering Directive in due course. It appears that firms will remain at the forefront of the challenge of reconciling data privacy and bank secrecy obligations, and the need to manage ML/TF risk.

 

Herbert Smith Freehills LLP - Susannah Cogman, Daniel Hudson and Elizabeth Head

Back Forward
  • Save & file
  • View original
  • Forward
  • Share
    • Facebook
    • Twitter
    • Linked In
  • Follow
    Please login to follow content.
  • Like
  • Instruct

add to folder:

  • My saved (default)
  • Read later
Folders shared with you

Filed under

  • European Union
  • Banking
  • White Collar Crime
  • Herbert Smith Freehills LLP

Topics

  • Money laundering

Popular articles from this firm

  1. UK employment law reform proposals - Queen’s Speech, data protection reform, labour market review, and other announcements *
  2. Sustainability changes to MiFID - Practical implications for firms *
  3. Snapshot: anticompetitive unilateral conduct in the pharmaceutical sector in European Union *
  4. In brief: anticompetitive agreements in the pharmaceutical sector in European Union *
  5. FinTech Global FS Regulatory Round-up - w/e 17 June 2022 *

If you would like to learn how Lexology can drive your content marketing strategy forward, please email [email protected].

Powered by Lexology

Related practical resources PRO

  • How-to guide Source of Wealth and Source of Funds: navigating the challenges
  • How-to guide How-to guide: How to conduct an organisation-wide assessment of money laundering and terrorist financing risk
  • Checklist Checklist: Staff awareness and training to prevent money laundering and terrorist financing

Related research hubs

  • Money laundering
  • European Union
  • White Collar Crime
  • Banking
Back to Top
Resources
  • Daily newsfeed
  • Commentary
  • Q&A
  • Research hubs
  • Learn
  • In-depth
  • Lexy: AI search
Experts
  • Find experts
  • Legal Influencers
  • Firms
  • About Instruct Counsel
More
  • About us
  • Blog
  • Events
  • Popular
Legal
  • Terms of use
  • Cookies
  • Disclaimer
  • Privacy policy
Contact
  • Contact
  • RSS feeds
  • Submissions
 
  • Login
  • Register
  • Follow on Twitter
  • Follow on LinkedIn

© Copyright 2006 - 2022 Law Business Research

Law Business Research