Mitigation of AML/CFT risks in third countries: Recently published EU Delegated Regulation provides measures financial institutions must take in respect of their third country branches and subsidiaries has been saved
Mitigation of AML/CFT risks in third countries: Recently published EU Delegated Regulation provides measures financial institutions must take in respect of their third country branches and subsidiaries
16 May 2019
Regulatory News Alert
Context and objectives
On 14 May 2019, the final text of the Commission Delegated Regulation (EU) 2019/758 of 31 January 2019 was published in the Official Journal of the EU (“Regulation)”.
The Regulation supplements Directive (EU) 2015/849 (the Anti-Money Laundering Directive – AMLD) with regard to regulatory technical standards (RTS) for the minimum action credit and financial institutions must take to mitigate money laundering (ML) and terrorist financing (TF) risk in third countries where they have established a branch or a majority-owned subsidiary.
Furthermore, the Regulation specifies a set of additional measures these institutions must take to effectively handle these risks where a third country’s law does not permit the implementation of group-wide policies and procedures at the level of third-country branches or majority-owned subsidiaries.
To ensure a consistent, EU-wide response to legal obstacles to the implementation of group-wide policies, the Regulation imposes specific minimum actions on credit and financial institutions, which they will have to take to mitigate the risks of ML and TF in third countries.
For each third country where they have established a branch or a majority-owned subsidiary, credit and financial institutions must regularly assess such ML and TF risks and ensure an appropriate reflection of the respective risks in group-wide AML policies.
In addition, institutions are required to obtain senior management approval at a group level for the risk assessment and AML policies and provide targeted trainings to relevant staff members in the respective third country.
Individual assessment and additional measures
Where the third country laws prohibit or restrict:
- The application of group-wide AML policies
- Transfer of customer/beneficial owner data
- Disclosure of suspicious transactions
- Application of equivalent record-keeping measures
In these cases, institutions must inform their competent authority no later than 28 calendar days and require customer/beneficial owner consent for the access to / transfer of data (where relevant) to overcome such restrictions or take additional measures (on a risk-sensitive basis).
In situations where the ability of competent authorities to supervise the group's compliance with AMLD is impeded because of a lack of access to relevant information, institutions are required to carry out enhanced reviews (including onsite checks or independent audits), to be satisfied that the branch or subsidiary effectively implements group-wide policies.
In such circumstances, the branch or a subsidiary established in the third country should regularly provide the institution with the additional relevant information (such as the number of high-risk customers and the number of identified suspicious transactions as well as reasons for such classifications).
When required in accordance with the Regulation (and to the extent defined on a risk-sensitive basis), institutions shall take the following additional measures:
- Ensure that the nature and type of financial products/services provided by the third country branch or subsidiary is restricted to those with low ML and TF risk profile
- Ensure that other entities of the same group do not rely on customer due diligence measures carried out by a third country branch or a subsidiary, but instead carry out their own due diligence on any customer of such branch or subsidiary
- Carry out enhanced reviews (including onsite checks or independent audits), to be satisfied that the branch or a subsidiary effectively identifies and manages the ML and TF risks
- Obtain approval from institution's senior management for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher risk occasional transaction
- Determine source and, where applicable, the destination of funds to be used in the business relationship or occasional transaction
- Ensure ongoing monitoring (including an enhanced monitoring on any customer who is subject of suspicious transaction reports by other entities of the same group) and internal reporting of suspicions
- Ensure effective risk identification and control systems are in place in respective third countries (including record keeping requirements)
In any case, where institutions cannot effectively manage the ML and TF risk by applying the appropriate measures, they shall terminate respective business relationships or close down the operations in the third country altogether.
A grace period of three months has been granted to the credit and financial institutions to adjust their policies and procedures in line with the Regulation's requirements. Thus, the new framework will be fully applicable from 3 September 2019.
How can Deloitte help?
In this rapidly evolving crossroads between regulations, Deloitte can help you stay ahead of the game with our Kaleidoscope Regulatory Watch services, which monitors and analyzes upcoming changes.
Deloitte’s AML/CTF advisory specialists and dedicated services will also help you design and implement your renewed business strategy in light of the future evolution of the AML/CFT framework.
Deloitte AML services:
- AML/KYC Remediation Plan
- AML/CTF Training
- AML/CTF policy, procedure, and process design or review
- DKYC: externalizing KYC processes