CORPORATE CRIME BRIEFING
GROUP-WIDE AML/CTF COMPLIANCE: NEW OBLIGATIONS FOR FIRMS WITH OVERSEAS BRANCHES AND SUBSIDIARIES?
In December 2017, the European Supervisory Authorities published a Report on draft Joint Regulatory Technical Standards ("RTS") on the measures that credit and financial institutions should take to manage money laundering risk in their non-EU overseas branches and subsidiaries. The RTS focusses on the measures that EU firms must adopt when local law prevents their branches and subsidiaries sharing information with them for anti-money laundering purposes. To date, the draft RTS has received little attention, but it is potentially of significant importance to firms with branches and subsidiaries in non-EU jurisdictions with strict banking secrecy or data privacy requirements, as it may require them to adopt new monitoring strategies and arrangements. In this briefing we summarise the background to and requirements of the draft RTS.
1. Background: Group-wide compliance
29 JANUARY 2018
London
Table of Contents
1. Background: Group-wide compliance
2. The approach of the draft Regulation
3. What is required by the draft Regulation?
4. Conclusion 5. Contacts
RELATED LINKS
Herbert Smith Freehills
Under the Third Money Laundering Directive1 ("3MLD"), Member States were obliged, by Article 31, to require credit and financial
Financial Services Regulation and Corporate Crime Notes
institutions to apply "in their branches and majority-owned subsidiaries located in third countries measures at least equivalent
Corporate Crime and Investigations
to those laid down in [3MLD] with regard to customer due diligence
and record keeping". Where the legislation of the third country did not permit the application of equivalent
measures, firms were to inform their competent authorities and take unspecified "additional measures" to
"effectively handle" the risk of money laundering or terrorist financing ("ML/TF").
The obligation was thus limited to requiring equivalence in relation to customer due diligence measures ("CDD") (including monitoring) and record-keeping. It was implemented in the UK by regulation 15 of the Money Laundering Regulations 2007 ("MLR 2007").
Under the Fourth Money Laundering Directive2 ("4MLD"), however, Member States must require firms to "implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes" which must be "implemented effectively" at branch
1 Directive 2005/60/EC of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing'.
2 Directive (EU) 2015/849 of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC'.
1
CORPORATE CRIME BRIEFING
HERBERTSMITHFREEHILLS
and subsidiary level (Article 31). Thus, the types of policies and procedures which must be rolled out group-wide has been extended.
As before, where a third country's laws do not allow implementation of EU-equivalent measures, firms must ensure that their branches/subsidiaries apply additional measures to effectively handle the risk and inform their competent authorities (who are empowered to exercise additional supervisory actions up to and including requiring the group to close down its operations in the third country).
In the UK, the provisions of 4MLD referred to above are implemented by regulation 20 of the MLR 20173, which require a relevant parent undertaking to, amongst other matters:
establish and maintain, throughout its group, policies, controls and procedures for data protection and sharing information with other group companies for ML/TF purposes;
ensure that information relevant to the prevention of ML/TF is shared as appropriate between group companies, subject to any restrictions on sharing information imposed by law;
"If any of the subsidiary undertakings or branches ... are established in a third country which does not impose requirements to counter [ML/TF] as strict as those of the UK... ensure that those subsidiary undertakings and branches apply measures equivalent to those required by these Regulations, as far as permitted under the law of the third country"; and
Where the law of the third country does not permit the application of such equivalent measures, inform its supervisor and take additional measures to handle the risk of ML/TF.
Importantly, by Article 45(6) of 4MLD, the European Supervisory Authorities ("ESAs") are required to develop a draft RTS specifying the type of "additional measures" credit and financial institutions4 should take in such circumstances. In July 2017, the ESAs consulted on those draft RTS. The draft has now been finalised and will be submitted to the Commission for approval. If adopted, it will be a Delegated Regulation, and therefore binding on firms. The Recitals to the draft Regulation set out that firms will be required to comply 3 months after it comes into force.
As explained below, the draft Regulation has a significant focus on intra-group information-sharing and is quite prescriptive (and, in some respects, quite onerous) as to the steps firms must take when information-sharing is not possible. Firms with branches or majority-owned subsidiaries in non-EU jurisdictions which restrict the sharing of information about customers or SARs, or which prevent effective risk-assessment or record-keeping, may therefore be subject to new compliance requirements as a result.
2. The approach of the draft Regulation
The ESAs Final Report on the draft RTS states that the ESAs are seeking to foster a consistent and harmonised approach to identifying and managing ML/TF risk arising from operations in third countries. The need for robust scrutiny of business relationships with customers in secrecy jurisdictions is also said to have been highlighted by firms' alleged complicity in facilitation of tax crimes, and failures to implement effective AML/CTF controls.
"Third countries" for these purposes are non-EU countries where local law "prohibits or restricts the implementation of some or all of the group-wide policies and procedures...put in place to comply with [4MLD]...including data protection policies and procedures for sharing information within the group for AML/CTF purposes..."5.
The draft RTS sets out minimum actions firms should take to address the risk posed in such circumstances.
The approach of the draft RTS is to impose a number of general obligations which firms must take in relation to all identified third countries, and then to focus on different areas of AML/CTF compliance: customer-level assessment of ML/TF risk, CDD measures, reporting of suspicious transactions, the sharing of information with supervisors, and record-keeping. In each case, the RTS either prescribes the measures firms must take where local law restricts compliance, or provides a 'pick list' of options to manage the relevant ML/TF risk.
3 The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692. 4 The regulation 20 group-wide obligations apply to all firms in the UK regulated sector, but the RTS apply only to credit and financial institutions. 5 For the avoidance of doubt, this is distinct from the concept of high risk third countries, which are required to be identified by the Commission
pursuant to Article 9 of 4MLD.
2
CORPORATE CRIME BRIEFING
HERBERTSMITHFREEHILLS
The RTS does not address the identification of which countries are "third countries", but clearly this will be a necessary first step for firms and, indeed, would in any event be required in order to comply with regulation 20 of the MLR 2017. To be clear, when used in the RTS, the term "third countries" does not mean all non-EU countries. Instead, firms will need to determine whether local law prevents any of their branches or majority-owned subsidiaries applying relevant group-wide policies and procedures, including in relation to information sharing which are then in "third countries" for the purpose of the RTS and take the relevant prescribed "additional measures", depending on the area of impediment.
Some respondees to the ESAs earlier consultation asked for a list of third countries to be published. The ESAs have declined for now, but have said they will consider whether it is possible to do so in the future. The ESAs Final Report does state that, in 2015, enquiries with supervisors, competent authorities and stakeholder groups did not suggest that there were cases where local laws prohibited the application of group-wide AML/CTF controls but that some respondents pointed out that firms' perception of data protection and banking secrecy laws stood in the way of exchanging customer data.
3. What is required by the draft Regulation?
As explained above, the draft RTS set out certain minimum steps that firms must take in relation to branches/subsidiaries in third countries, which in a number of cases include exploring whether customer consent could overcome legal obstacles to information-sharing. Where this is not feasible, "additional measures" to manage the AML/CTF risk are specified.
The ESAs Final Report makes clear that there is no expectation that firms will take all additional measures in all cases it will be down to each firm to determine the type and extent of measures needed to manage ML/TF risk. The draft RTS also makes clear that the extent of additional measures should be determined on a risk-sensitive basis, and their appropriateness should be capable of being demonstrated by the firm to its supervisor.
In the table below, we summarise the relevant mitigating steps, and the prescribed actions if these cannot be utilised to effectively manage the enhanced AML/CTF risk. Please refer to the later table for a fuller description of the Article 9 measures referred to below.
Article 3
4
Issue
Control
What if risk cannot be effectively managed?
General firms must take Assess the resultant ML/TF risk to the
N/A
at least these measures for
group, record that assessment, keep it up
all "third countries" (i.e.
to date, and ensure it is reflected in group-
countries where local law
wide AML/CTF policies and procedures
prohibits application of
some element of group-
wide policies and procedures 6)
Senior management at group level approve risk assessment and group-wide policies and procedures
Targeted training to relevant staff members
in the third country to enable them to
identify ML/TF risk indicators
Local law prohibits/restricts the identification and assessment of ML/TF risk associated with particular business relationships or transactions, due to restrictions on access to
Inform competent authority ("CA") within 28 Terminate the
days
business
Determine whether customer/UBO consent would overcome the issue; if so, require such consent if allowed under local law
relationship or ensure the transaction is not carried out; or
Where consent is not a feasible solution,
Close down some or
6 For these purposes, the relevant benchmark is the firm's own group-wide AML/CTF policies and procedures, not the requirements of 4MLD.
3
CORPORATE CRIME BRIEFING
HERBERTSMITHFREEHILLS
CDD or beneficial ownership ("UBO") information, or restrictions on the use of such information for CDD purposes
take the following Art.9 measures:
o (c) [enhanced review of branch/sub]; and
o one or more of: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance], (d) [senior management approval for higher risk relationships], (e) [branch/sub diligence on SOF], (f) [branch/sub enhanced monitoring]
all operations in the third country.
5 Local law prohibits/restricts Inform CA within 28 days
Close down some or
the sharing or processing of Attempt consent solution as above
all operations in the
customer data for AML/CTF Where consent is not feasible, take the
purposes within the group
following Art.9 measures:
third country.
o (a) [restrict services offered by branch/sub to low risk] or (c) [enhanced review of branch/sub]; and
o if the ML/TF risk is sufficient, one or more of the remaining measures at: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance] or (c) [enhanced review of branch/sub]
6 Local law prohibits/restricts Inform CA within 28 days
Close down some or
the sharing or processing of Branch/subsidiary to provide information to
information about
the firm's senior management so it can
suspicions that funds are
assess ML/TF risk and impact on the
criminal property or related
group, eg the number of SARs in a period,
to TF within the group
and aggregate statistical data on reasons
all operations in the third country.
for suspicion; and
Take one or more of the Art.9 measures:
(a) [restrict services offered by branch/sub
to low risk], (b) [no intra-group reliance], (c)
[enhanced review of branch/sub], (g) [share
information which led to SAR], (h) [enhance
monitoring of customer/UBO subject of
SAR] or (i) [branch/sub reporting systems].
7 Local law prohibits/restricts Inform CA within 28 days
Not specified.
the transfer of data relating to customers of the branch/subsidiary to a member state for AML/CTF supervision purposes
Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits, to be sure branch/subsidiary effectively implements group-wide policies and procedures and
adequately assesses/manages ML/TF risk
branch/subsidiary to provide relevant MI to
firm's senior management, including:
number of high risk customers; aggregate
information on reasons for high risk (eg
PEP status); number of SARs; aggregate
statistical data on reasons for suspicion
findings of review, and MI, to be provided
4
CORPORATE CRIME BRIEFING
HERBERTSMITHFREEHILLS
to competent authority on request.
8 Local law prohibits/restricts Inform CA within 28 days record-keeping equivalent Attempt consent solution as per (4)
Not specified.
to 4MLD standards
above
Where consent is not feasible, take one or
more of the Art.9 measures at: (a) [restrict
services offered by branch/sub to low risk],
(b) [no intra-group reliance], (c) [enhanced
review of branch/sub] or (j) [branch/sub up-
to-date data at least during relationship].
The Article 9 measures are as follows:
(a) Restrict the nature and type of financial products/services provided by the branch/subsidiary to those which present a low ML/TF risk and have a low impact on group's ML/TF exposure
(b) Ensure other group entities do not rely on CDD carried out by branch/subsidiary full CDD to be conducted, rather than intra-group reliance
(c) Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits to be satisfied the branch/subsidiary effectively identifies, assess and manages ML/TF risk
(d) Firm's senior management to approve branch/subsidiary's higher risk business relationships or higher risk occasional transactions
(e) Branch/subsidiary to determine source and where applicable destination of funds to be used in business relationship or occasional transaction
(f) Enhanced ongoing monitoring of relationship by branch/subsidiary, including transaction monitoring, until branch/subsidiary is reasonably satisfied it understands ML/TF risk
(g) Branch/subsidiary to share with firm information underlying the SAR (which gave rise to the suspicion), eg facts, transactions, circumstances, documents, including personal information where possible
(h) Enhanced ongoing monitoring on customer/UBO of the branch/subsidiary who is known to have been the subject of SARs by other group entities
(i) Branch/subsidiary to have effective systems and controls to identify and report SARs
(j) Branch/subsidiary to keep risk profile and CDD information up to date and secure as long as legally possible and in any case for duration of business relationship.
5
CORPORATE CRIME BRIEFING
HERBERTSMITHFREEHILLS
4. Conclusion
Whilst this may at first glance appear to be a somewhat niche topic, the practical implications for credit and financial institutions are obvious.
Many firms will not be affected by the new RTS either because their EU entities do not have overseas branches or subsidiaries, or because those branches and subsidiaries are not in third countries. For example, a bank in a non-EU jurisdiction (eg. in the US) which has sister subsidiaries in the UK and in a secrecy jurisdiction would not be covered by the RTS although, if the sister subsidiaries have common clients, the logic underlying the RTS would suggest that it would be sensible to consider, in the firm's risk assessment, whether any AML/CTF risk is posed by information-sharing difficulties and, if so, how that will be managed.
Firms that may be affected by the RTS may wish to start considering how they will approach the new requirements in particular, assessing whether they have branches and subsidiaries in "third countries" (as defined), what blocks there are to group-wide compliance, the ML/TF risk to which this gives, and whether customer consent is a feasible solution to address any risks arising and facilitate compliance with 4MLD/the MLR 2017. There may also be existing elements of firms' AML/CTF control framework which address some or all of the "additional measures" described above.
The trend to encourage greater information sharing, cooperation between supervisors and law enforcement agencies, and transparency of UBO information is something that will have greater prominence under the Fifth Money Laundering Directive in due course. It appears that firms will remain at the forefront of the challenge of reconciling data privacy and bank secrecy obligations, and the need to manage ML/TF risk.
