New AML/CFT Law voted in Belgian Parliament
In this newsflash we will give a short overview of the most important elements of the new Law affecting the approach and practice of financial institutions towards AML/CFT.
Risk Based Approach (“RBA”) based on an Enterprise Wide Risk Assessment (“EWRA”)
Although most financial institutions already take into account specific AML/CFT risks, the new Law goes a step further by setting the Risk Based Approach (“RBA”) as the cornerstone for setting up each single piece of the institution’s AML/CFT framework.
An RBA as requested by the new Law implies that, more clearly than before, all measures (organisation, business and transaction wise) should aim at avoiding/mitigating the risk of being misused for ML/FT purposes. The RBA should therefore enable financial institutions to take less profound measures in situations where the risk is limited. The resources that are freed up should be used for more profound measures in situations where the risk is higher.
The set-up of the institution’s RBA should be based on an actual and profound knowledge and understanding of its ML/FT risks. Therefore, institutions are required to set up and perform a general factors AML/CFT risk assessment (“Enterprise Wide Risk Assessment” – “EWRA”). This EWRA should be documented, based on actual data and take into account the entities’ customers, products and services offered, transactions, countries/geographical zones and distribution channels. More detailed guidance on appropriate business linked risk factors can be found in the European Supervisory Authorities (ESAs’) Risk Factors Guidelines (see our regulatory newsflash of 6 July 2017).
The EWRA and the way the results are reflected in the RBA should be updated regularly and kept available for the institution’s regulator. It should be seen as a general risk assessment and not be confused with the risk assessment performed at the level of the individual customer when performing the customer due diligence and onboarding process.
Customer Due Diligence (“CDD”)
Based on the RBA, the new Law will have considerable impact on the CDD to be performed on individual customers (onboarding and review of existing customers).
Customer risk level
- Introduction of (non-exhaustive) lists of risk variables and risk factors that need to be taken into account when determining the ML/FT risk profile of the customer (and consequently the extent of the customer due diligence measures to be applied).
- Existing exemptions for simplified identification (financial institutions, listed entities, public authorities,…) no longer included: Simplified CDD can only be applied after an individual assessment of the concerned risks.
Ultimate Beneficial Owners (“UBOs”)
- Strengthened definition for UBOs of companies (>25% control/ownership only considered as an indication of UBO, management only considered as UBO if no other UBO can be found,…).
- Detailed definition for UBOs of trusts, foundations, associations, …
- UBO identification will require a clear view on the ownership/control structure of the legal entity.
- Introduction of a requirement to set up a central public register for UBOs by the Treasury department of the FPS Finance. Practical details for the set-up of this register will be elaborated by royal decree. However, as specific requirements will be further developed by the future 5th AML/CFT Directive, the final operational realization of the UBO Register will take some time.
Definition of Politically Exposed Persons (“PEPs”)
- Extended definition including, amongst others, domestic PEPs.
Appropriate level of CDD
The appropriate level of CDD measures (simplified, normal or enhanced) will need to be determined taking into account the institution’s RBA. More detailed guidance on appropriate simplified and enhanced CDD measures can be found in the European Supervisory Authorities (ESA’s) recently published final Guidelines on simplified and enhanced CDD (see our regulatory newsflash of 6 July 2017).
Next to measures identified by the institutions in setting up their RBA, specific enhanced CDD measures are set by the new Law for the following possible risks:
- Correspondent relationships;
- Customers where the identity is verified during the business relationship (and not before);
- Customers settled or residing in third countries considered as high risk by EU and FATF;
- Specific cases related to serious fiscal fraud, whether organised or not (link to specific countries).
Driven by the RBA, the new Law extends and strengthens the requirements for the institution’s AML/CFT organisational framework.
Responsibility for the prevention of ML/FT
Next to the existing AML Reporting Officer (AMLRO or “AML Compliance Officer” as it is now called in the Explanatory Memorandum to the new Law), a responsible person must also be designated at the level of the Executive Committee. This person will be appointed as final responsible person for AML/CFT and will make sure that the effective management takes the necessary AML/CFT responsibilities.
The new Law lists a minimal set of required internal measures and control procedures, including, for example, risk management models, client acceptance policy, policies and procedures, internal controls, …
Whistle Blowing mechanisms
Internal (to the AML responsible persons – see nr. 1 of this paragraph) and external (to the concerned authorities) whistle blowing mechanisms should be installed related to violations of the applicable requirements.
The period for keeping the required data will be gradually extended from the existing 5-year period to 10 years as from 2020 (7/8/9 years in 2017/2018/2019 respectively). Furthermore, after this time period, the concerned data need to be erased.