New AML/CFT Law voted in Belgian Parliament
In its last session before the summer recess (20 July 2017), the Belgian Parliament voted the new anti-money laundering and financing of terrorism Law, implementing the 4th AML Directive into Belgian legislation (“new Law”). After the King’s signature, the text will be published in the Belgian Official Journal.
Regulatory Newsflash | 27 July 2017
In this newsflash we will give a short overview of the most important elements of the new Law affecting the approach and practice of financial institutions towards AML/CFT.
Risk Based Approach (“RBA”) based on an Enterprise Wide Risk Assessment (“EWRA”)
Although most financial institutions already take into account specific AML/CFT risks, the new Law goes a step further by setting the Risk Based Approach (“RBA”) as the cornerstone for setting up each single piece of the institution’s AML/CFT framework.
An RBA as requested by the new Law implies, more clearly than before, that all measures (organisation, business and transaction wise) should aim at avoiding/mitigating the risk of being misused for ML/FT purposes. The RBA should therefore enable financial institutions to take less profound measures in situations where the risk is limited. The resources that are freed up should be used for more profound measures in situations where the risk is higher.
The set-up of the institution’s RBA should be based on an actual and profound knowledge and understanding of its ML/FT risks. Therefore, institutions are required to set up and perform a general factors AML/CFT risk assessment (“Enterprise Wide Risk Assessment” – “EWRA”). This EWRA should be documented, be based on actual data and take into account the entity’s customers, products and services offered, transactions, countries/geographical zones and distribution channels. More detailed guidance on appropriate business linked risk factors can be found in the European Supervisory Authorities’ (ESAs) Risk Factors Guidelines (see our regulatory newsflash of 6 July 2017).
The EWRA and the way the results are reflected in the RBA should be updated regularly and kept available for the institution’s regulator. It should be seen as a general risk assessment and not be confused with the risk assessment performed at the level of the individual customer when performing the customer due diligence and onboarding process.
Customer Due Diligence (“CDD”)
Based on the RBA, the new Law will have considerable impact on the CDD to be performed on individual customers (onboarding and review of existing customers).
Customer risk level
- Introduction of (non-exhaustive) lists of risk variables and risk factors that need to be taken into account when determining the ML/FT risk profile of the customer (and consequently the extent of the customer due diligence measures to be applied).
- Existing exemptions for simplified identification (financial institutions, listed entities, public authorities, …) are no longer included: simplified CDD can only be applied after an individual assessment of the concerned risks.
Ultimate Beneficial Owners (“UBOs”)
- Strengthened definition for UBOs of companies (>25% control/ownership only considered as an indication of UBO, management only considered as UBO if no other UBO can be found, …).
- Detailed definition for UBOs of trusts, foundations, associations, …
- UBO identification will require a clear view on the ownership/control structure of the legal entity
- Introduction of a requirement to set up a central public register for UBOs by the Treasury department of the FPS Finance. Practical details for the set-up of this register will be elaborated by royal decree. However, as specific requirements will be further developed by the future 5th AML/CFT Directive, the final operational realization of the UBO Register will take some time.
Definition of Politically Exposed Persons (“PEPs”)
- Extended definition including, amongst others, domestic PEPs.
Appropriate level of CDD
The appropriate level of CDD measures (simplified, normal or enhanced) will need to be determined taking into account the institution’s RBA. More detailed guidance on appropriate simplified and enhanced CDD measures can be found in the European Supervisory Authorities’ (ESAs) recently published final Guidelines on simplified and enhanced CDD (see our regulatory newsflash of 6 July 2017).
Next to measures identified by the institutions in setting up their RBA, specific enhanced CDD measures are set by the new Law for the following possible risks:
- Correspondent relationships;
- Customers where the identity is verified during the business relationship (and not before);
- Customers settled or residing in third countries considered as high risk by EU and FATF;
- Specific cases related to serious fiscal fraud, whether organised or not (link to specific countries).
Driven by the RBA, the new Law extends and strengthens the requirements for the institution’s AML/CFT organisational framework.
Responsibility for the prevention of ML/FT
Next to the existing AML Reporting Officer (AMLRO or “AML Compliance Officer” as it is now called in the Explanatory Memorandum to the new Law), a responsible person also has to be designated at the level of the Executive Committee. This person will be appointed as final responsible person for AML/CFT and will make sure that the effective management takes the necessary AML/CFT responsibilities.
The new Law lists a minimal set of required internal measures and control procedures, such as risk management models, client acceptance policy, policies and procedures, internal controls, …
Whistle Blowing mechanisms
Internal (to the AML responsible persons – see nr. 1 of this paragraph) and external (to the concerned authorities) whistle blowing mechanisms should be installed related to violations of the applicable requirements.
The period for keeping the required data will be gradually extended from the existing 5 year period to 10 years as from 2020 (7/8/9 years in 2017/2018/2019 respectively). Furthermore, after this time period, the concerned data need to be erased.
The new Law will apply 10 days after its publication. Existing Royal Decrees and FSMA/NBB Regulations will still apply as far as compatible with the new Law and until their replacement (gradually expected by the end of the year).
In the meantime, institutions will need to prepare themselves and start the first phase of the implementation of the new requirements. To this end, the NBB will require the institutions to carry out the following 3 steps:
- Elaborate and perform an EWRA
- Perform a gap analysis comparing the actual control framework with the requirements of the new AML/CFT Law
- Develop an implementation action plan (based on EWRA and action plan)
Summary – Practical implementation for the institutions
Risk identification and awareness as starting point
In order to be able to build their own RBA, firms need to have a clear, consistent, documented and data driven view on their ML/FT risks.
A tailor made Risk Based Approach
All policies, procedures, processes, controls, … should be risk based, taking into account the necessary granularity at the level of the firm.
Need to optimize the management of the onboarding and review processes
Strengthened definitions and CDD requirements will impact risk categories and the review of existing customers (adapted definition of UBOs, inclusion of domestic PEPs, …). More detailed CDD information and documentation requirements will lead to a longer and more thorough onboarding process, more review and analysis, etc.
A data driven model
More detailed customer and transaction information requirements and a closer follow-up of the client will lead to a considerable increase in available data. Therefore, data management will become key in the new AML/CFT framework (data driven enterprise wide risk assessment, follow-up of customer data, enhanced record keeping requirements, …). Moreover, the availability of more data will also raise transaction monitoring standards to the next level.
Further digitalization and the possible use of new data techniques could be envisaged to streamline the AML/CFT processes.
Documentation is key
The policy and process framework (including analysis, risk assessment process…) should be documented in detail, including updates, validation and decision making. Also the practical application of this framework (client acceptance, internal investigations, alert handling…) will need to be fully and consistently documented.
Interested in further information?
To get a better view of the impact of the new Law on your particular institution, on how to set up and perform a practical and effective AML/CFT Gap Analysis or Enterprise Wide Risk Assessment, and/or on how to build a risk based approach tailored to the risk level and appetite of the specific financial institution and in line with the requirements of the new AML Law, you can always contact our dedicated specialists (contact details: see the enclosed PDF).