In December 2017, the European Supervisory Authorities published a Report on draft Joint Regulatory Technical Standards (“RTS“) on the measures that credit and financial institutions should take to manage money laundering risk in their non-EU overseas branches and subsidiaries. The RTS focusses on the measures that EU firms must adopt when local law prevents their branches and subsidiaries sharing information with them for anti-money laundering purposes. To date, the draft RTS has received little attention, but it is potentially of significant importance to firms with branches and subsidiaries in non-EU jurisdictions with strict banking secrecy or data privacy requirements, as it may require them to adopt new monitoring strategies and arrangements. In this briefing we summarise the background to and requirements of the draft RTS.
CORPORATE CRIME BRIEFING
GROUP-WIDE AML/CTF COMPLIANCE: NEW OBLIGATIONS FOR FIRMS WITH OVERSEAS BRANCHES AND SUBSIDIARIES?
29 January 2018, London

1. Background: Group-wide compliance

Under the Third Money Laundering Directive [1] ("3MLD"), Member States were obliged, by Article 31, to require credit and financial institutions to apply "in their branches and majority-owned subsidiaries located in third countries measures at least equivalent to those laid down in [3MLD] with regard to customer due diligence and record keeping". Where the legislation of the third country did not permit the application of equivalent measures, firms were to inform their competent authorities and take unspecified "additional measures" to "effectively handle" the risk of money laundering or terrorist financing ("ML/TF"). The obligation was thus limited to requiring equivalence in relation to customer due diligence measures ("CDD") (including monitoring) and record-keeping. It was implemented in the UK by regulation 15 of the Money Laundering Regulations 2007 ("MLR 2007").

Under the Fourth Money Laundering Directive [2] ("4MLD"), however, Member States must require firms to "implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes" which must be "implemented effectively" at branch and subsidiary level (Article 31). Thus, the types of policies and procedures which must be rolled out group-wide have been extended. As before, where a third country's laws do not allow implementation of EU-equivalent measures, firms must ensure that their branches/subsidiaries apply additional measures to effectively handle the risk and inform their competent authorities (who are empowered to exercise additional supervisory actions – up to and including requiring the group to close down its operations in the third country).

[1] Directive 2005/60/EC of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing'.
[2] Directive (EU) 2015/849 of the European Parliament and of the Council 'on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC'.
In the UK, the provisions of 4MLD referred to above are implemented by regulation 20 of the MLR 2017 [3], which requires a relevant parent undertaking to, amongst other matters:
• establish and maintain, throughout its group, policies, controls and procedures for data protection and sharing information with other group companies for ML/TF purposes;
• ensure that information relevant to the prevention of ML/TF is shared as appropriate between group companies, subject to any restrictions on sharing information imposed by law;
• "If any of the subsidiary undertakings or branches … are established in a third country which does not impose requirements to counter [ML/TF] as strict as those of the UK… ensure that those subsidiary undertakings and branches apply measures equivalent to those required by these Regulations, as far as permitted under the law of the third country"; and
• where the law of the third country does not permit the application of such equivalent measures, inform its supervisor and take additional measures to handle the risk of ML/TF.

Importantly, by Article 45(6) of 4MLD, the European Supervisory Authorities ("ESAs") are required to develop a draft RTS specifying the type of "additional measures" credit and financial institutions [4] should take in such circumstances. In July 2017, the ESAs consulted on those draft RTS. The draft has now been finalised and will be submitted to the Commission for approval. If adopted, it will be a Delegated Regulation, and therefore binding on firms. The Recitals to the draft Regulation set out that firms will be required to comply 3 months after it comes into force. As explained below, the draft Regulation has a significant focus on intra-group information-sharing and is quite prescriptive (and, in some respects, quite onerous) as to the steps firms must take when information-sharing is not possible.

Firms with branches or majority-owned subsidiaries in non-EU jurisdictions which restrict the sharing of information about customers or SARs, or which prevent effective risk-assessment or record-keeping, may therefore be subject to new compliance requirements as a result.

2. The approach of the draft Regulation

The ESAs' Final Report on the draft RTS states that the ESAs are seeking to foster a consistent and harmonised approach to identifying and managing ML/TF risk arising from operations in third countries. The need for robust scrutiny of business relationships with customers in secrecy jurisdictions is also said to have been highlighted by firms' alleged complicity in facilitation of tax crimes, and failures to implement effective AML/CTF controls. "Third countries" for these purposes are non-EU countries where local law "prohibits or restricts the implementation of some or all of the group-wide policies and procedures…put in place to comply with [4MLD]…including data protection policies and procedures for sharing information within the group for AML/CTF purposes…" [5]. The draft RTS sets out minimum actions firms should take to address the risk posed in such circumstances.

The approach of the draft RTS is to impose a number of general obligations which firms must meet in relation to all identified third countries, and then to focus on different areas of AML/CTF compliance: customer-level assessment of ML/TF risk, CDD measures, reporting of suspicious transactions, the sharing of information with supervisors, and record-keeping. In each case, the RTS either prescribes the measures firms must take where local law restricts compliance, or provides a 'pick list' of options to manage the relevant ML/TF risk.

The RTS does not address the identification of which countries are "third countries", but clearly this will be a necessary first step for firms and, indeed, would in any event be required in order to comply with regulation 20 of the MLR 2017. To be clear, when used in the RTS, the term "third countries" does not mean all non-EU countries. Instead, firms will need to determine whether local law prevents any of their branches or majority-owned subsidiaries applying relevant group-wide policies and procedures, including in relation to information sharing – which are then in "third countries" for the purpose of the RTS – and take the relevant prescribed "additional measures", depending on the area of impediment. Some respondents to the ESAs' earlier consultation asked for a list of third countries to be published. The ESAs have declined for now, but have said they will consider whether it is possible to do so in the future. The ESAs' Final Report does state that, in 2015, enquiries with supervisors, competent authorities and stakeholder groups did not suggest that there were cases where local laws prohibited the application of group-wide AML/CTF controls – but that some respondents pointed out that firms' perception of data protection and banking secrecy laws stood in the way of exchanging customer data.

[3] The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692.
[4] The regulation 20 group-wide obligations apply to all firms in the UK regulated sector, but the RTS apply only to credit and financial institutions.
[5] For the avoidance of doubt, this is distinct from the concept of high risk third countries, which are required to be identified by the Commission pursuant to Article 9 of 4MLD.

3. What is required by the draft Regulation?
As explained above, the draft RTS sets out certain minimum steps that firms must take in relation to branches/subsidiaries in third countries, which in a number of cases include exploring whether customer consent could overcome legal obstacles to information-sharing. Where this is not feasible, "additional measures" to manage the AML/CTF risk are specified. The ESAs' Final Report makes clear that there is no expectation that firms will take all additional measures in all cases – it will be down to each firm to determine the type and extent of measures needed to manage ML/TF risk. The draft RTS also makes clear that the extent of additional measures should be determined on a risk-sensitive basis, and their appropriateness should be capable of being demonstrated by the firm to its supervisor.

In the table below, we summarise the relevant mitigating steps, and the prescribed actions if these cannot be utilised to effectively manage the enhanced AML/CTF risk. Please refer to the later table for a fuller description of the Article 9 measures referred to below.

Article 3
Issue: General – firms must take at least these measures for all "third countries" (i.e. countries where local law prohibits application of some element of group-wide policies and procedures [6]).
Control:
• Assess the resultant ML/TF risk to the group, record that assessment, keep it up to date, and ensure it is reflected in group-wide AML/CTF policies and procedures
• Senior management at group level approve risk assessment and group-wide policies and procedures
• Targeted training to relevant staff members in the third country to enable them to identify ML/TF risk indicators
What if risk cannot be effectively managed? N/A

Article 4
Issue: Local law prohibits/restricts the identification and assessment of ML/TF risk associated with particular business relationships or transactions, due to restrictions on access to CDD or beneficial ownership ("UBO") information, or restrictions on the use of such information for CDD purposes.
Control:
• Inform competent authority ("CA") within 28 days
• Determine whether customer/UBO consent would overcome the issue; if so, require such consent if allowed under local law
• Where consent is not a feasible solution, take the following Art.9 measures:
  o (c) [enhanced review of branch/sub]; and
  o one or more of: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance], (d) [senior management approval for higher risk relationships], (e) [branch/sub diligence on SOF], (f) [branch/sub enhanced monitoring]
What if risk cannot be effectively managed?
• Terminate the business relationship or ensure the transaction is not carried out; or
• Close down some or all operations in the third country.

Article 5
Issue: Local law prohibits/restricts the sharing or processing of customer data for AML/CTF purposes within the group.
Control:
• Inform CA within 28 days
• Attempt consent solution – as above
• Where consent is not feasible, take the following Art.9 measures:
  o (a) [restrict services offered by branch/sub to low risk] or (c) [enhanced review of branch/sub]; and
  o if the ML/TF risk is sufficient, one or more of the remaining measures at: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance] or (c) [enhanced review of branch/sub]
What if risk cannot be effectively managed?
• Close down some or all operations in the third country.

Article 6
Issue: Local law prohibits/restricts the sharing or processing of information about suspicions that funds are criminal property or related to TF within the group.
Control:
• Inform CA within 28 days
• Branch/subsidiary to provide information to the firm's senior management so it can assess ML/TF risk and impact on the group, eg the number of SARs in a period, and aggregate statistical data on reasons for suspicion; and
• Take one or more of the Art.9 measures: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance], (c) [enhanced review of branch/sub], (g) [share information which led to SAR], (h) [enhance monitoring of customer/UBO subject of SAR] or (i) [branch/sub reporting systems].
What if risk cannot be effectively managed?
• Close down some or all operations in the third country.

Article 7
Issue: Local law prohibits/restricts the transfer of data relating to customers of the branch/subsidiary to a member state for AML/CTF supervision purposes.
Control:
• Inform CA within 28 days
• Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits, to be sure branch/subsidiary effectively implements group-wide policies and procedures and adequately assesses/manages ML/TF risk
• Branch/subsidiary to provide relevant MI to firm's senior management, including: number of high risk customers; aggregate information on reasons for high risk (eg PEP status); number of SARs; aggregate statistical data on reasons for suspicion
• Findings of review, and MI, to be provided to competent authority on request.
What if risk cannot be effectively managed?
• Not specified.

Article 8
Issue: Local law prohibits/restricts record-keeping equivalent to 4MLD standards.
Control:
• Inform CA within 28 days
• Attempt consent solution – as per Article 4 above
• Where consent is not feasible, take one or more of the Art.9 measures at: (a) [restrict services offered by branch/sub to low risk], (b) [no intra-group reliance], (c) [enhanced review of branch/sub] or (j) [branch/sub up-to-date data at least during relationship].
What if risk cannot be effectively managed?
• Not specified.

[6] For these purposes, the relevant benchmark is the firm's own group-wide AML/CTF policies and procedures, not the requirements of 4MLD.
The Article 9 measures are as follows:
(a) Restrict the nature and type of financial products/services provided by the branch/subsidiary to those which present a low ML/TF risk and have a low impact on the group's ML/TF exposure
(b) Ensure other group entities do not rely on CDD carried out by the branch/subsidiary – full CDD to be conducted, rather than intra-group reliance
(c) Carry out enhanced reviews, including, where commensurate with risk, onsite checks or independent audits, to be satisfied the branch/subsidiary effectively identifies, assesses and manages ML/TF risk
(d) Firm's senior management to approve the branch/subsidiary's higher risk business relationships or higher risk occasional transactions
(e) Branch/subsidiary to determine the source and, where applicable, destination of funds to be used in the business relationship or occasional transaction
(f) Enhanced ongoing monitoring of the relationship by the branch/subsidiary, including transaction monitoring, until the branch/subsidiary is reasonably satisfied it understands the ML/TF risk
(g) Branch/subsidiary to share with the firm the information underlying the SAR (which gave rise to the suspicion), eg facts, transactions, circumstances, documents, including personal information where possible
(h) Enhanced ongoing monitoring of any customer/UBO of the branch/subsidiary who is known to have been the subject of SARs by other group entities
(i) Branch/subsidiary to have effective systems and controls to identify and report SARs
(j) Branch/subsidiary to keep risk profile and CDD information up to date and secure as long as legally possible and in any case for the duration of the business relationship.

4. Conclusion

Whilst this may at first glance appear to be a somewhat niche topic, the practical implications for credit and financial institutions are obvious.

Many firms will not be affected by the new RTS – either because their EU entities do not have overseas branches or subsidiaries, or because those branches and subsidiaries are not in third countries. For example, a bank in a non-EU jurisdiction (eg in the US) which has sister subsidiaries in the UK and in a secrecy jurisdiction would not be covered by the RTS – although, if the sister subsidiaries have common clients, the logic underlying the RTS would suggest that it would be sensible to consider, in the firm's risk assessment, whether any AML/CTF risk is posed by information-sharing difficulties and, if so, how that will be managed.

Firms that may be affected by the RTS may wish to start considering how they will approach the new requirements – in particular, assessing whether they have branches and subsidiaries in "third countries" (as defined), what blocks there are to group-wide compliance, the ML/TF risk to which this gives rise, and whether customer consent is a feasible solution to address any risks arising and facilitate compliance with 4MLD/the MLR 2017. There may also be existing elements of firms' AML/CTF control frameworks which address some or all of the "additional measures" described above.

The trend to encourage greater information sharing, cooperation between supervisors and law enforcement agencies, and transparency of UBO information is something that will have greater prominence under the Fifth Money Laundering Directive in due course. It appears that firms will remain at the forefront of the challenge of reconciling data privacy and bank secrecy obligations, and the need to manage ML/TF risk.

5. Contacts

Susannah Cogman, Partner, T +44 20 7466 2580
Daniel Hudson, Partner, T +44 20 7466 2470
Elizabeth Head, Senior Associate, T +44 20 7466 6443

© Herbert Smith Freehills LLP 2017