As additional EU rules come into force requiring UK credit and financial institutions with branches and subsidiaries in third countries to identify local law conflicts with group-wide AML policies and procedures, Zia Ullah and Ruth Paley of Eversheds Sutherland LLP take a look at these new technical standards including application, scope, and FCA notification requirements.
Who is affected?
Earlier this year the EU Commission published a Delegated Regulation (DR) imposing new technical standards designed to mitigate money laundering (ML) and terrorist financing (TF) risk in third countries. These standards have specific application to regulated credit and financial institutions with branches or majority-owned subsidiaries operating outside of the EEA, and set out the additional measures such firms must make to their group-wide AML policies and procedures.
All UK ‘obliged entities’ as defined by the Fourth Money Laundering Directive (4MLD) – including credit and financial institutions – have been required to ensure group-wide application of anti-money laundering (AML) and counter-terrorist financing (CTF) policies and procedures (P&Ps) since 4MLD was transposed in the UK as the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
However, under the DR, which is applicable to the subset of credit and financial institutions and including e-money providers, payment institutions, investment firms, and AIFMs (affected firms), those firms must now consider whether they operate branches or majority owned subsidiaries (collectively local entities) in third countries that do not allow specific elements of group-wide policies due to local law.
The DR came into effect on 3 June 2019, and has been applicable since 3September. Having identified any local law conflicts that apply, many affected firms are now turning to the question of notification to the FCA, and the additional measures that must be implemented in order to mitigate any identified risks.
Where should affected firms start?
Firms should, by now, have taken steps to:
- review operations in non-EEA countries where they have local entities in order to identify any jurisdictions which restrict the UK entity’s ability to ensure group-wide application of AML/CTF P&Ps;
- take concerted action to mitigate the risk those restrictions pose; and
- notify the FCA of those restrictions, where identified, within 28 days.
How should affected firms carry out the initial review?
First, the affected firm has a general obligation in respect of each third country in which it has a local entity, requiring that, at a minimum, it must:
- assess the money laundering and terrorist financing risk to their group, and keep a record of that assessment, ensuring it is up to date, and retaining a copy of it so that it can be shared with the FCA;
- ensure that the risk identified in the risk assessment above is appropriately reflected in their group-wide AML and CTF P&Ps;
- obtain senior management approval at group level for both the risk assessment and for the AML/CTF P&Ps; and
- provide targeted training to relevant staff members in the third countries to enable them to identify ML/TF risk indicators, and ensure that such training is effective.
What are the additional measures?
Having undertaken the process referred to above, affected firms must apply additional measures to local entities wherever the restrictions of local laws in third countries do not allow the proper management of anti-money laundering and terrorist financing risk.
These additional measures are set out in Article 8 of the Regulation. Firms should consider these carefully and decide and record which measures are appropriate according to the risks identified. Examples of the additional measures that can be applied include ensuring that local entities:
- restrict the nature and type of financial products and services to those that present a low ML/TF risk and have a low impact on the group's overall risk exposure;
- are subject to enhanced reviews following a risk-based approach, including onsite checks or independent audits where appropriate;
- seek senior management approval for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher risk occasional transaction;
- establish source and, where applicable, the destination of funds to be used in the business relationship or occasional transaction;
- carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the local entities are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship;
- share with the UK entity underlying suspicious transaction report information that gives rise to knowledge, suspicion or reasonable grounds to suspect that ML/TF was being attempted or had occurred, including personal information (to the extent that this is possible under the third country's law);
- maintain effective systems and controls to identify and report suspicious transactions; and
- keep appropriate records on the risk profile and due diligence information related to their customers up to date and secure for as long as legally possible, and in any case for at least the duration of the business relationship.
The DR requires that if the implementation of these additional measures still does not lead to the effective management of ML/TF risk, the affected firm may request that the local entity ends the business relationship or does not carry out the occasional transaction, or it may close down some or all of the operations provided by that local entity.
Who needs to be notified? And when?
Wherever it is identified that the local laws of third countries restrict certain EU anti-money laundering and terrorist financing requirements, affected firms must notify the FCA without undue delay, but in any event within 28 days of identifying this issue. The requirements that can be restricted by local laws are set out in Articles 3 to 7 of the DR.
There is no prescribed format for the notification but it should contain clear information about the nature of the restriction and must include: (i) the name of the third country concerned; and (ii) how the implementation of the third country's law prohibits or restricts the application of P&Ps that are necessary to identify and assess the money laundering and terrorist financing risk associated with a customer.
As an adjunct to the notification, affected firms making such notifications will be expected under the DR to ensure that each local entity in respect of whom a restriction(s) has been identified both:
- determines whether consent from their customers and, where applicable, their customers' beneficial owners, can be used to legally overcome the restriction(s); and
- requires their customers and, where applicable, their customers' beneficial owners, to give consent to overcome the restriction(s) to the extent that this is compatible with the third country's law.