New AML/CFT Law published in Belgian Official Journal
On 6 October 2017, the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and the restriction on the use of cash was published in the Belgian Official Journal. This law implements the 4th AML Directive into Belgian legislation.
Regulatory Newsflash | 9 October 2017
- Risk Based Approach based on an Enterprise Wide Risk Assessment
- Customer Due Diligence
- Next steps
The Law of 18 September 2017 will have considerable impact on how financial institutions will deal with their AML/CFT approach.
In this Newsflash, we will give a short overview of the most important elements of the new Law affecting the approach and practice of financial institutions towards AML/CFT.
Risk Based Approach (“RBA”) based on an Enterprise Wide Risk Assessment (“EWRA”)
Although most financial institutions already take into account specific AML/CFT risks, the new Law goes a step further by setting the Risk Based Approach as the cornerstone for setting up each single piece of the institution’s AML/CFT framework.
An RBA as requested by the new Law implies that, more clearly than before, all measures (organisation, business and transaction wise) should aim at avoiding/mitigating the risk of being misused for ML/FT purposes. The RBA should therefore enable financial institutions to take less profound measures in situations where risks are limited. The resources thus freed up should be used for more profound measures in situations where risks are higher.
The set-up of the institution’s RBA should be based on an actual and profound knowledge and understanding of its ML/FT risks. Therefore, institutions are required to set up and perform a general AML/CFT risk assessment (“Enterprise Wide Risk Assessment” – “EWRA”) at the level of their entity. This EWRA should be documented, be based on actual data and take into account the entity’s customers, products and services offered, transactions, countries/geographical zones and distribution channels. More detailed guidance on appropriate business linked risk factors can be found in the European Supervisory Authorities’ (ESAs’) Risk Factors Guidelines (see our regulatory newsflash of 6 July 2017).
The EWRA and the way the results are reflected in the RBA should be updated regularly and kept available for the institution’s regulator. It should be seen as a general risk assessment and not be confused with the risk assessment performed at the level of the individual customer when performing the customer due diligence and onboarding process.
Customer Due Diligence (“CDD”)
Based on the RBA, the new Law will have considerable impact on the CDD to be performed on individual customers (onboarding and review of existing customers):
Customer risk level
- Introduction of (non-exhaustive) lists of risk variables and risk factors that need to be taken into account when determining the ML/FT risk profile of the customer (and consequently the extent of the customer due diligence measures to be applied).
- Existing exemptions for simplified identification (financial institutions, listed entities, public authorities,…) are no longer included: Simplified CDD can only be applied after an individual assessment of the concerned risks.
Ultimate Beneficial Owners (“UBOs”)
- Strengthened definition for UBOs of companies (>25% control/ownership only considered as an indication of UBO, management only considered as UBO if no other UBO can be found,…)
- Detailed definition for UBOs of trusts, foundations, associations,…
- UBO identification will require a clear view on the ownership/control structure of the legal entity
- Introduction of a requirement to set up a central public register for UBOs by the Treasury department of the FPS Finance. Practical details for the set-up of this register will be elaborated by royal decree. It is expected that the UBO Register will be operational by the summer of 2018. However, the new Law states that entities cannot rely only on the information in the register for identification and verification. Additional measures remain necessary.
Definition of Politically Exposed Persons (“PEPs”)
- Extended definition including, amongst others, domestic PEPs.
Appropriate level of CDD
- The appropriate level of CDD measures (simplified, normal or enhanced) will need to be determined taking into account the institution’s RBA. More detailed guidance on appropriate simplified and enhanced CDD measures can be found in the ESAs’ recently published final Guidelines on simplified and enhanced CDD (see our regulatory newsflash of 6 July 2017).
- Next to measures identified by the institutions in setting up their RBA, specific enhanced CDD measures are set by the new Law for the following possible risks:
  - Correspondent relationships
  - Customers whose identity is verified during the business relationship (and not before)
  - Customers settled or residing in third countries considered as high risk by the EU and FATF
  - Specific cases related to serious fiscal fraud, whether organised or not (link to specific countries)
Driven by the RBA, the new Law extends and strengthens the requirements for the institution’s AML/CFT organisational framework.
Responsibility for the prevention of ML/FT
Next to the existing AML Reporting Officer (AMLRO or “AML Compliance Officer” as it is now called in the Explanatory Memorandum to the new Law), a responsible person must also be designated at the level of the Executive Committee. This person will be appointed as the person with final responsibility for AML/CFT and will make sure that the effective management takes on the necessary AML/CFT responsibilities.
The new Law lists a minimal set of required internal measures and control procedures, such as risk management models, client acceptance policy, policies and procedures, internal controls,…
Whistle Blowing mechanisms
Internal (to the AML responsible persons – see above) and external (to the concerned authorities) whistle blowing mechanisms should be installed related to violations of the applicable requirements.
The period for keeping the required data will be gradually extended from the existing 5 year period to 10 years as from 2020 (7/8/9 years in 2017/2018/2019 respectively). Furthermore, after this time period, the concerned data need to be erased.
The new Law will apply 10 days after its publication. Existing Royal Decrees and FSMA/NBB Regulations and Circular Letters will still apply as far as compatible with the new Law and until their replacement (gradually expected by the end of the year).
In order to further implement the new Law, the NBB will take the following regulatory initiatives.
NBB Regulation replacing the current CBFA AML/CFT Regulation of 23 February 2010
This Regulation will mainly develop the organisational requirements and is expected in the upcoming weeks.
NBB Circular Letter regarding the implementation of the new Law
In this Circular Letter, the NBB will request entities to carry out the following 3 tasks:
- Elaborate and perform an EWRA
- Perform a gap analysis comparing the current control framework with the requirements of the new AML/CFT Law
- Develop an implementation action plan (based on EWRA and action plan)
EWRA, gap analysis and action plan should be made available for the NBB. This Circular Letter is expected in the upcoming weeks.
NBB Circular Letter replacing the current CBFA AML/CFT Circular Letter of 6 April 2010
This Circular Letter will give a further overview and background of the applicable AML/CFT requirements. This Circular Letter is expected by the summer of 2018.
Summary – practical implementation for the institutions
Risk identification and awareness as starting point
In order to be able to build their own RBA, firms need to have a clear, consistent, documented and data driven view on their ML/FT risks.
A tailor made Risk Based Approach
All policies, procedures, processes, controls,… should be risk based, taking into account the necessary granularity at the level of the firm.
Need to optimise the management of the onboarding and review processes
Strengthened definitions and CDD requirements will impact risk categories and the review of existing customers (adapted definition of UBOs, inclusion of domestic PEPs,…). More detailed CDD information and documentation requirements will lead to a longer and more thorough onboarding process, more review and analysis, etc.
A data driven model
More detailed customer and transaction information requirements and a closer follow-up of the client will lead to a considerable increase in available data. Therefore, data management will become key in the new AML/CFT framework (data driven enterprise wide risk assessment, follow-up of customer data, enhanced record keeping requirements,…). Moreover, the availability of more data will also take transaction monitoring standards to the next level.
Further digitalisation and the possible use of new data techniques could be envisaged to streamline the AML/CFT processes.
Documentation is key
The policy, process and control framework (including analysis, risk assessment process,…) should be documented in detail, including evaluation, updates, validation and decision-making. Also the practical application of this framework (client acceptance, internal investigations, alert handling,…) will need to be fully and consistently documented.
To have a better view on the impact of the new Law for your particular institution, on how to set up and perform a practical and effective AML/CFT Gap Analysis or Enterprise Wide Risk Assessment and/or to build a risk based approach tailored to the risk level and appetite of the specific financial institution and in line with the requirements of the new AML Law, you can always contact our dedicated specialists (contact details – see enclosed).