Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Go back
It should be made clear that the higher ML/TF risk countries could be lower risk than the high-risk ones identified by the EU. ‘Higher’ in this context should be read as being of greater risk that low or medium risk jurisdictions.
Para 12 e) - The use of video link or similar technology means in itself is a good use of technology to address the non-face-to-face relationship. Including the use of video-link or similar technological means as not recognised as face-to-face is outdated given the large proportion of financial services offered via the remote use of technology. As mentioned in the Statement by the FATF President on 1 April 2020 on COVID-19 and measures to combat illicit financing, the use of financial technology (Fintech) provides significant opportunities to manage some of the issues presented by COVID-19, including the non-traditional face to face contacts. In line with the FATF Standards, the FATF encourages the use of technology, including Fintech, Regtech and Suptech to the fullest extent possible. If there are residual risk concerns with the use of technology in these circumstances, we would suggest that that the guidance provide more clarity around this, and refers to existing guidance issued by the FATF in this regard.
New - We recommend including a definition of an ‘individual risk assessment’ in this section. We note that paragraph 1.2 (a) and 1.2 (b) of page 26 clarify this, however given the prevalence of these terms throughout the guidance, defining in this section would seem appropriate
Para 1.16 - Suggest amending the second sentence to ‘small firms…that have limited international or cross border or purely domestic exposure…’
Para 1.19 - In the funds industry the customer risk assessment is more likely to inform the business risk assessment as distinct from the converse. Factors considered in initial customer due diligence and to particular types of customer, products, services and delivery channels are informed by risk assessments of these specific factors which may then be factored into the holistic overall customer risk assessment which will consequently inform the overall business risk assessment.
Question 3 - Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
Para 2.4 e) - With respect to whether a PEP exercises significant control, the guidelines are silent on what is meant by ‘significant’. This is an area of considerable concern with disparate approaches applied. It would be helpful to include examples around what may constitute significant control.
Para 2.7 c) - worded too widely. The reference to ‘countries where groups committing terrorist offences are known to be operating, that are known to be sources of terrorist financing’ would include most countries in Western Europe. Just because a country suffers a terrorist attack should not result in it being treated as high risk. While we recognise that this is just a ‘risk factor’, it should be made clearer how this factor should be used. Its re-wording could be based on that in para 15.5 b) i).
Also, next to ‘close personal or professional links’, the following should be added for the sake of clarification: to the extent that such relationships become known to the obligor.
Para 2.9(c) – it now specifies that firms should consider the risk associated with countries and geographical areas to which the customer or the beneficial owner has ‘relevant personal or business links, or financial or legal interest’. Ordinarily, firms should be able to identify the countries and geographical areas in which a customer or its beneficial owner conducts business as part of their initial CDD and ongoing monitoring. However, identifying countries where the customer or its beneficial owner has relevant ‘personal or business links’ or ‘legal interests’ would largely depend on the firm’s screening and proactive search of the internet. These are likely to yield limited information of questionable veracity. Approaching customers directly for such information could raise suspicion, and customers having links to high risk countries and geographical areas may be unwilling to provide a full and transparent disclosure. To improve the clarity of regulatory expectations, more guidance would be useful. For example, including guidance on best practices and providing methods or examples would help firms to better assess and bolster their processes to identify such risks.
Para 2.10(d) - requires clarification. Rather than referring to situations where a customer is ‘a trust or any other type of legal arrangement’, or ‘has a structure or functions similar to trusts’, it should refer to ‘legal arrangements that has a structure or functions similar to trusts’.
Para 2.11(b) - The footnote 15 referenced is not cross-referenced appropriately.
Para 2.21 - Consistent with prior comment on the face-to-face definition, we would suggest that further guidance is provided given the prevalence of financial services being offered on this basis. The provision of services/products on a non-face-to-face basis in the funds industry, amongst others is, almost entirely on this basis and as such the lack of specific updated guidance acknowledging this in what is normalised for that industry is outdated. Suggest text to include ‘whether the firm considers there is a risk that the customer may have sought to avoid face-to-face contact deliberately, where it would be usual to provide the service/product on that basis’
Para 2.21 c) iii - With respect to the last sentence, the guidance restricts this application to only those circumstances where the intermediary is a branch or majority-owned subsidiary of another firm established in the Union etc. It does not include third countries identified by firms as low risk with regulations applicable no less robust than the EU. The addition of this is paramount to the funds industry where global distribution of the product including to low risk jurisdictions outside of the EU is commonplace.
Para 2.21, c) iv, d - The inclusion of text around the context of the CDD performed by the third party is unlikely to be shared and as such the firm would not be able to satisfy itself as to the appropriateness of the level of CDD applied on this basis. This text goes further than the directive and as such we would request its removal.
It is important to adjust the CDD measures of Guideline 4 applying for all firms when identifying and verifying information regarding beneficial ownership, as we believe further proportionality should be reflected in particular in cases of lower risk. In particular, customers with a shareholding of less than 25 % plus one share or an ownership interest of less than 25 % in the customer, we consider fall in a lower risk case, which is also in line with AMLD provisions and the FATF recommendations concerning the definition of beneficial ownership. This should therefore be reflected in a more proportionate way in the identification and verification measures. We therefore believe that a reference should be made to allow a fund manager to adjust the list of information and reduce the information required in those cases of customers below the 25% threshold to a subset of the information that is sufficient to ensure that the correct natural person is screened through (See suggestion for new para below) .
In the case of asset managers, it is important that this proportionality and adjusting measures for customers of lower risk applies both for investment funds and discretionary mandates.
Specific comments:
Para 4.7
Point d) does not reference a risk based approach or on a risk sensitive basis, verifying the beneficial owner. To align with paragraph 4.12 on page 46, bullet point d) should note the requirement around verifying beneficial owners is on a risk sensitive basis.
Para 4.12 (c)– goes too far in requiring firms to take ‘all necessary steps’ to verify the information provided by the customer to understand the customer’s ownership and control structure. Article 13(1)(b) of the Directive only requires firms to take reasonable steps to verify the customer’s identify and to take reasonable measures to understand the ownership and control structure of the customer. There is a significant difference between reasonable steps/measures and all necessary steps. The guidance should reflect what is actually required of firms under the Directive, not gold plate it. In this regard it is also difficult to see how firms, trying to follow Guideline 4.12 d) would take ‘all necessary steps’ ‘on a risk-sensitive basis’. Suggest to replace is with ‘all reasonable steps’.
Para 4.16 - should be reworded so that is clear that if a suspicion arises due to the ‘ownership and control structure’, or the firm suspects that the funds are the proceeds of crime (Article 33(1), then they should report to the FIU. As such the ‘and’ in line two should be an ‘or’. However, it is unclear where the responsibility to report suspicions arising from the ownership and control structure of a customer arises from. This should be clarified or removed. Also, suggest this guideline is amended as requirement to report suspicious transactions in Article 22 of 4AMLD is wider than if the firm has “reasonable grounds to suspect”. [Article 22(a) “by promptly informing the FIU, on their own initiative, where the institution or person covered by this Directive knows, suspects or has reasonable grounds to suspect that money laundering or terrorist financing is being or has been committed or attempted”]
Para 4.17 - now states that firms should pay particular attention to persons who may exercise ‘control through other means’ such as: through close family relationship or historical or contractual associations; or by using, enjoying or benefitting from the assets owned by the customer. Identifying persons who may exercise control in these ways can pose a challenge at the initial stages of CDD. The screening process would normally identify close associates, especially in relation to PEPs, but not the less tangible associations such as with people using or benefitting from the assets owned by the customer. Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of the relationship to ensure that the transactions being conducted are consistent with the firm’s knowledge of the customer, their business and risk profile would be more realistic measures.
Para 4.19 - also seems to go beyond what is required by the Directive. Article 13(1)(b) requires firms to ‘identifying the beneficial owner and taking reasonable measures to verify that person's identity’. Firms are not required to ‘make every effort’ to identify the beneficial owner. Again, the Guidelines should not go so substantially beyond the requirements of the Directive.
Para 4.25 - The senior managing official of a state owned entity will by definition be a PEP by virtue of their SOE position. However, the application of EDD should be based on the firms’ risk assessment regarding the factors determining the PEP status e.g. is the SMO a PEP purely on the basis of their SOE role or are they a PEP separate to this position. The former should not inform the application of EDD as a default. We therefore suggest the change below:
“Firms should also have due regard to the possibility that the senior managing official may be a PEP. Should this be the case, firms must could apply EDD measures to that senior managing official in line with Article 18 of Directive (EU) 2015/849 […]”
Para 4.26 - It is unclear what the term ‘remotely’ means versus electronically or documentary form.
Para 4.27 - The text provided is somewhat unclear and provides little in the way of clear guidance on what is meant by ‘degrees of reliability’. Suggest this is removed or greater clarity on its purpose is provided.
Para 4.38 c) - Unclear whether this requirement is about the application of enhanced due diligence (clarification of the origin of funds) also for non-risk customers.
New - Para 4.41 b) should be added as follows:
iii. In low risk situations, through the application of SDD in accordance with Para 4.41 , the quantity of information received for the purpose of identifying beneficial owners of customers, and proxies may be adjusted. For beneficial owners, this should only take place where no person holds [25%] or more of the shares or voting rights (direct or indirect) of the customer and the senior managing official(s) has/have been identified as the beneficial owner in accordance with Para 4.19 to 4.22.
This is necessary in order to set out standards relating specifically to the information to be collected relating to the beneficial owners of customers, as opposed to the customers themselves. With the guidelines granting flexibility in how to meet the requirements, national competent authorities will likely then converge in approach leading to the ideal situation of near uniformity of requiremenst. Failure in doing so would result in regulatory arbitrage.
Para 4.46 – Enhanced Due Diligence 4.46 describes the specific cases that firms must always treat as high risk, quoting Articles 20-24 of 4MLD. Articles 20-24 refer to Enhanced Due Diligence and do not specifically prescribe a high risk rating. Particularly in the case of PEPs, it is important that firms have the ability to apply risk ratings to PEPs given the different risks associated with PEPs displaying differing risk attributes. Whilst acknowledging that EDD must always be applied, this should not consequently default to a high risk rating with certain categories of customer such as PEPs, but to be evaluated in concrete case by case.
Para 4.57 - States that firms should carefully assess the risk associated with business relationships and transactions where the customer maintains close personal or professional links with a high risk third country, or the beneficial owner(s) maintain(s) close personal or professional links with a high risk third country. As with 4.17, ordinarily, firms should be able to identify the countries and geographical areas in which the customer and beneficial owner conducts business as part of their initial CDD and ongoing monitoring. However, to ascertain countries to which the customer or the beneficial owner has relevant ‘personal or professional links’ would largely depend on the firm’s screening and proactive search of the internet. These are likely to yield only limited and possibly inaccurate information. The other source of information would be approaching the customer directly. To avoid raising suspicion, however, customers having links to high risk countries and geographical areas may be unwilling to provide a full and transparent disclosure. To improve the clarity of regulatory expectations, more guidance would be useful. For example, guidance on best practices and providing methods or examples would help firms to better asses and bolster their processes to identify such risks. Or the following should be added for the sake of clarification: to the extent that such relationships become known to the obligor.
Para 4.60 & 4.61 - Whilst a firm must apply EDD measures where it identifies unusual transactions or patterns of transactions, it may through its investigations satisfy itself that the transaction(s) does not give my to any ML / TF concerns in which case 4.61(b) should not be mandatory. Firms should have discretion to determine whether or not it is appropriate to conduct such enhanced monitoring of the relationship in accordance with 4.61(b). The inclusion of the ‘must’ to include increased monitoring is overly prescriptive. In certain circumstances the EDD applied may include enhanced monitoring however other forms of EDD may be more appropriate. Suggest the text is amended to include those items under 4.61 as examples.
Para 15.3 (c) - As the unusual aspects of mirror trades or transactions are difficult to assess, we suggest to delete ‘That appear unusual’.
Para 15.3 (d) - All structured products should not be considered as a factor of increasing risk. Suggest to delete.
Para 15.4 – Suggest to change the wording into:
15.4. The following factors may contribute to reducing risk:
a) The product, service or entity is subject to mandatory transparency and/or disclosure requirements.
b) The regulated services
Para 15.5 c) - the range of businesses which would indicate that a customer is higher risk seems excessive. 5MLD includes some industries or activities in Annex III point 2(f): oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species. But these are indicators that a product, service, transaction or delivery channel may be higher risk, not that a customer is. There is no mention, in the amended Directive, of any of the following indication a higher customer risk: construction, pharmaceuticals and healthcare, the extractive industries or public procurement. We see no reason why these should be singled out as indicators of higher customer risk. The AML/CFT risk presented by the pharmaceutical and healthcare industries may be distinct from the nature of risk associated with arms trade or the cash-intensive construction businesses. Therefore, each sector or industry associated with higher risk of financial crime should be assessed individually depending on the firm’s business and the underlying business relationship.
Specific suggestions:
15-5 b) iii. - The fact that the customer is regulated decreases the risks, but being unregulated does not involve a specific risk increase. Suggest deletion
15-5 b) v. - Suggest removing “holds another prominent position”, as it is impossible to check
15-5 c) - Suggest removing “pharmaceuticals and healthcare”
15-6 - Suggest adding to the list: “d) listed companies in an EEA jurisdiction or equivalent”
Para - 15.7 c) includes the fact that a trading venue has members or participants located in high-risk jurisdictions as an indicator of higher risk for a distribution channel. Firms using trading venues would not be aware of all other users, nor of where they may be located. As such, this risk should be re-worded so say: ‘The firm is aware that the trading venue has members or participants located in high-risk jurisdictions.’
Para 15-9 - This point should remove the mention of MiFiD and EMIR, as it can be confusing. Investment firms always use all information available.
Para 15-11 a) We suggest removing this point, as shown in the article 100 of FATF (2018), Guidance for a Risk-Based Approach for the Securities Sector:
“Art. 100. While a detailed analysis of the wide variety of intermediary and customer relationships that occurs in the securities sector is beyond the scope of this Guidance, a brief discussion of the distribution of investment funds may illustrate some common themes and concerns. In this context, the CDD measures an investment fund should take will depend on how the ultimate customer invests in the fund. Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer. Where an intermediary is treated as the investment fund’s customer, the investment fund may not have visibility on the intermediary’s underlying customers. This includes not having comprehensive identification nor transaction related information on the customers of the intermediary in cases such as, for example, where the intermediary nets all of its customers’ orders and submits a single net order to the investment fund each day.”
Para 16-3 b) This paragraph should only apply to those AIFs with a small number of investors – it is highly unlikely that in the case of AIFs sold to a large number of investors any of those would solely exercise control over the fund.
Para 16-3 c) – Suggest to delete the references ‘ access to such funds is often easy and relatively quick to achieve’. The medium- to long-term nature of the investment can contribute to limiting the attractiveness of these products for money laundering purposes.
Para 16-4 - Suggest removing the mention to guidelines 14, as not applying to funds and fund managers.
Para 16-5 b) – Suggest removing the entire paragraph. The possibility to redeem fund shares is a central right of investors in a fund, and without incurring in significant administrative costs. This is key for the business model of asset managers, and it should not be connected with an increased risk factor.
Para 16-7 b) – as our previous response, the meaning of this guideline should be clarified.
Para 16-9 – This should be extended to government agencies in non-EU jurisdictions which the firm assesses as having AML/CFT controls no less robust than Directive (EU) 2015/849.We also suggest adding ’listed companies’.
Para 16-10a) - we disagree that the distribution network as such can limit the fund’s oversight of its business relationships and restrict its ability to monitor transactions. The fund’s manager applies its own diligence at the intermediary level and such an understanding of the distribution network applies for any type of distribution channel. The use of a distribution network wouldn’t increase the risk of ML/TF per se.
16-11 a) We suggest changing this point to: “The fund admits only a designated type of low-risk investor, such as regulated firms investing as a principal (e.g. life companies), corporate pension schemes or listed companies.”
Para 16-12 a) We suggest changing this point to:
“The customers’ or beneficial owners’ funds have been generated located in jurisdictions associated with higher ML/TF risk, in particular those associated with higher levels of predicate offences to money laundering.”
Para 16.13 – the word ‘investor’ in line 6 should actually be ‘customer’, as it is the customer who should be asked to declare whether they are investing on behalf of someone else’s behalf: the investor.
Para 16.17 - There is a mismatch in the scope of this section with 16.20: the SDD measures set out in 16.20 may be applied to intermediaries in third country jurisdictions with AML law no less strict than the EU AML Directive, whereas 16.17 is to apply to all intermediaries in third countries. It seems to close off the ability to apply the simpler measures set out in 16.20 to intermediaries in third country jurisdictions with equivalent AML laws. This is undesirable. From an asset management standpoint, it is key to be able to rely on those provisions. It would be preferable for the requirements in that section to explicitly refer to higher risk situations, not all third county intermediaries. The additional wording ‘and has established a relationship similar to correspondent banking with the fund or the fund’s manager’ needs to be clarified. Is this a sub-category of intermediary or merely explanatory? Reference to 8.14-8.17: in particular the requirements in 8.17 e) do not translate very easily to intermediaries investing in funds. Specific guidance, rather than reference to section 8, would be preferable. It should make clear what steps are expected in addition to those set out in 16.20
Para 16.20 – this wording is particularly problematic because the identification of beneficial owners targets your customer and not your customer’s customer (except in payable through accounts where the provision for ‘conducts the transaction on their behalf’ kicks in). It is important to clearly differentiate the two but at the same time keep the risk mitigation tool.
Suggested change
16.20 (…) ‘The fund or fund manager should also take risk sensitive measures to identify, and where relevant, verify the identity of, the investors underlying customers of the financial intermediary that invest in the fund, as these investors customers may increase the implied risk associated with could be beneficial owners of the funds invested through the intermediary’. To the extent permitted by national law, in low-risk situations, Funds or fund managers may apply SDD measures similar t those described in Title I of these guidelines, subject to the following conditions:’.
16.20 e) It needs clarification as access to customer’s customers files is not permitted under data protection & bank secrecy regulations in most countries. For this reason, we would suggest the following change: “The fund or fund manager has taken risk-sensitive steps to be satisfied that the intermediary will provide, where relevant, CDD information and documents on the underlying investors upon request in a reasonable manner and timeframe immediately upon request, for example by including relevant provisions in a contract with the intermediary or by sample-testing the intermediary’s ability to provide CDD information upon request.
Para 16.22 - It is unclear to us whether this paragraph applies only to scenario d (under guideline 16.14) or under any other situation. This needs to be clarified.
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
Para 12 d) – this definition should be clarified. The 5MLD does require that countries identified as having strategic deficiencies in their AML/CFT regime, which pose a significant threat to the Union’s financial system (Article 9 of Directive (EU) 2015/849) should be deemed ‘high-risk third countries’ and have certain specific EDD measures. This leaves firms to determine ‘Jurisdictions associated with higher ML/TF risk’ based on their assessment of risk factors.It should be made clear that the higher ML/TF risk countries could be lower risk than the high-risk ones identified by the EU. ‘Higher’ in this context should be read as being of greater risk that low or medium risk jurisdictions.
Para 12 e) - The use of video link or similar technology means in itself is a good use of technology to address the non-face-to-face relationship. Including the use of video-link or similar technological means as not recognised as face-to-face is outdated given the large proportion of financial services offered via the remote use of technology. As mentioned in the Statement by the FATF President on 1 April 2020 on COVID-19 and measures to combat illicit financing, the use of financial technology (Fintech) provides significant opportunities to manage some of the issues presented by COVID-19, including the non-traditional face to face contacts. In line with the FATF Standards, the FATF encourages the use of technology, including Fintech, Regtech and Suptech to the fullest extent possible. If there are residual risk concerns with the use of technology in these circumstances, we would suggest that that the guidance provide more clarity around this, and refers to existing guidance issued by the FATF in this regard.
New - We recommend including a definition of an ‘individual risk assessment’ in this section. We note that paragraph 1.2 (a) and 1.2 (b) of page 26 clarify this, however given the prevalence of these terms throughout the guidance, defining in this section would seem appropriate
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
Para 1.15 - The use of the word ‘unlikely’ is unclear. The guidelines should provide greater certainty. Suggest that the text is amended to include a stronger statement that firms should ensure they are satisfied that the risk assessment model used by their firm is not generic and that the firm can demonstrate the specific needs and business model of the firm have been taken into account in the assessment.Para 1.16 - Suggest amending the second sentence to ‘small firms…that have limited international or cross border or purely domestic exposure…’
Para 1.19 - In the funds industry the customer risk assessment is more likely to inform the business risk assessment as distinct from the converse. Factors considered in initial customer due diligence and to particular types of customer, products, services and delivery channels are informed by risk assessments of these specific factors which may then be factored into the holistic overall customer risk assessment which will consequently inform the overall business risk assessment.
Question 3 - Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
Para 2.4 e) - With respect to whether a PEP exercises significant control, the guidelines are silent on what is meant by ‘significant’. This is an area of considerable concern with disparate approaches applied. It would be helpful to include examples around what may constitute significant control.
Para 2.7 c) - worded too widely. The reference to ‘countries where groups committing terrorist offences are known to be operating, that are known to be sources of terrorist financing’ would include most countries in Western Europe. Just because a country suffers a terrorist attack should not result in it being treated as high risk. While we recognise that this is just a ‘risk factor’, it should be made clearer how this factor should be used. Its re-wording could be based on that in para 15.5 b) i).
Also, next to ‘close personal or professional links’, the following should be added for the sake of clarification: to the extent that such relationships become known to the obligor.
Para 2.9(c) – it now specifies that firms should consider the risk associated with countries and geographical areas to which the customer or the beneficial owner has ‘relevant personal or business links, or financial or legal interest’. Ordinarily, firms should be able to identify the countries and geographical areas in which a customer or its beneficial owner conducts business as part of their initial CDD and ongoing monitoring. However, identifying countries where the customer or its beneficial owner has relevant ‘personal or business links’ or ‘legal interests’ would largely depend on the firm’s screening and proactive search of the internet. These are likely to yield limited information of questionable veracity. Approaching customers directly for such information could raise suspicion, and customers having links to high risk countries and geographical areas may be unwilling to provide a full and transparent disclosure. To improve the clarity of regulatory expectations, more guidance would be useful. For example, including guidance on best practices and providing methods or examples would help firms to better assess and bolster their processes to identify such risks.
Para 2.10(d) - requires clarification. Rather than referring to situations where a customer is ‘a trust or any other type of legal arrangement’, or ‘has a structure or functions similar to trusts’, it should refer to ‘legal arrangements that has a structure or functions similar to trusts’.
Para 2.11(b) - The footnote 15 referenced is not cross-referenced appropriately.
Para 2.21 - Consistent with prior comment on the face-to-face definition, we would suggest that further guidance is provided given the prevalence of financial services being offered on this basis. The provision of services/products on a non-face-to-face basis in the funds industry, amongst others is, almost entirely on this basis and as such the lack of specific updated guidance acknowledging this in what is normalised for that industry is outdated. Suggest text to include ‘whether the firm considers there is a risk that the customer may have sought to avoid face-to-face contact deliberately, where it would be usual to provide the service/product on that basis’
Para 2.21 c) iii - With respect to the last sentence, the guidance restricts this application to only those circumstances where the intermediary is a branch or majority-owned subsidiary of another firm established in the Union etc. It does not include third countries identified by firms as low risk with regulations applicable no less robust than the EU. The addition of this is paramount to the funds industry where global distribution of the product including to low risk jurisdictions outside of the EU is commonplace.
Para 2.21, c) iv, d - The inclusion of text around the context of the CDD performed by the third party is unlikely to be shared and as such the firm would not be able to satisfy itself as to the appropriateness of the level of CDD applied on this basis. This text goes further than the directive and as such we would request its removal.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CCD measures to be applied by all firms?
Question 4 - Do you have any comments on the proposed amendments and additions in Guideline 4 on CCD measures to be applied by all firms?It is important to adjust the CDD measures of Guideline 4 applying for all firms when identifying and verifying information regarding beneficial ownership, as we believe further proportionality should be reflected in particular in cases of lower risk. In particular, customers with a shareholding of less than 25 % plus one share or an ownership interest of less than 25 % in the customer, we consider fall in a lower risk case, which is also in line with AMLD provisions and the FATF recommendations concerning the definition of beneficial ownership. This should therefore be reflected in a more proportionate way in the identification and verification measures. We therefore believe that a reference should be made to allow a fund manager to adjust the list of information and reduce the information required in those cases of customers below the 25% threshold to a subset of the information that is sufficient to ensure that the correct natural person is screened through (See suggestion for new para below) .
In the case of asset managers, it is important that this proportionality and adjusting measures for customers of lower risk applies both for investment funds and discretionary mandates.
Specific comments:
Para 4.7
Point d) does not reference a risk based approach or on a risk sensitive basis, verifying the beneficial owner. To align with paragraph 4.12 on page 46, bullet point d) should note the requirement around verifying beneficial owners is on a risk sensitive basis.
Para 4.12 (c)– goes too far in requiring firms to take ‘all necessary steps’ to verify the information provided by the customer to understand the customer’s ownership and control structure. Article 13(1)(b) of the Directive only requires firms to take reasonable steps to verify the customer’s identify and to take reasonable measures to understand the ownership and control structure of the customer. There is a significant difference between reasonable steps/measures and all necessary steps. The guidance should reflect what is actually required of firms under the Directive, not gold plate it. In this regard it is also difficult to see how firms, trying to follow Guideline 4.12 d) would take ‘all necessary steps’ ‘on a risk-sensitive basis’. Suggest to replace is with ‘all reasonable steps’.
Para 4.16 - should be reworded so that is clear that if a suspicion arises due to the ‘ownership and control structure’, or the firm suspects that the funds are the proceeds of crime (Article 33(1), then they should report to the FIU. As such the ‘and’ in line two should be an ‘or’. However, it is unclear where the responsibility to report suspicions arising from the ownership and control structure of a customer arises from. This should be clarified or removed. Also, suggest this guideline is amended as requirement to report suspicious transactions in Article 22 of 4AMLD is wider than if the firm has “reasonable grounds to suspect”. [Article 22(a) “by promptly informing the FIU, on their own initiative, where the institution or person covered by this Directive knows, suspects or has reasonable grounds to suspect that money laundering or terrorist financing is being or has been committed or attempted”]
Para 4.17 - now states that firms should pay particular attention to persons who may exercise ‘control through other means’ such as: through close family relationship or historical or contractual associations; or by using, enjoying or benefitting from the assets owned by the customer. Identifying persons who may exercise control in these ways can pose a challenge at the initial stages of CDD. The screening process would normally identify close associates, especially in relation to PEPs, but not the less tangible associations such as with people using or benefitting from the assets owned by the customer. Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of the relationship to ensure that the transactions being conducted are consistent with the firm’s knowledge of the customer, their business and risk profile would be more realistic measures.
Para 4.19 - also seems to go beyond what is required by the Directive. Article 13(1)(b) requires firms to ‘identifying the beneficial owner and taking reasonable measures to verify that person's identity’. Firms are not required to ‘make every effort’ to identify the beneficial owner. Again, the Guidelines should not go so substantially beyond the requirements of the Directive.
Para 4.25 - The senior managing official of a state owned entity will by definition be a PEP by virtue of their SOE position. However, the application of EDD should be based on the firms’ risk assessment regarding the factors determining the PEP status e.g. is the SMO a PEP purely on the basis of their SOE role or are they a PEP separate to this position. The former should not inform the application of EDD as a default. We therefore suggest the change below:
“Firms should also have due regard to the possibility that the senior managing official may be a PEP. Should this be the case, firms must could apply EDD measures to that senior managing official in line with Article 18 of Directive (EU) 2015/849 […]”
Para 4.26 - It is unclear what the term ‘remotely’ means versus electronically or documentary form.
Para 4.27 - The text provided is somewhat unclear and provides little in the way of clear guidance on what is meant by ‘degrees of reliability’. Suggest this is removed or greater clarity on its purpose is provided.
Para 4.38 c) - Unclear whether this requirement is about the application of enhanced due diligence (clarification of the origin of funds) also for non-risk customers.
New - Para 4.41 b) should be added as follows:
iii. In low risk situations, through the application of SDD in accordance with Para 4.41 , the quantity of information received for the purpose of identifying beneficial owners of customers, and proxies may be adjusted. For beneficial owners, this should only take place where no person holds [25%] or more of the shares or voting rights (direct or indirect) of the customer and the senior managing official(s) has/have been identified as the beneficial owner in accordance with Para 4.19 to 4.22.
This is necessary in order to set out standards relating specifically to the information to be collected relating to the beneficial owners of customers, as opposed to the customers themselves. With the guidelines granting flexibility in how to meet the requirements, national competent authorities will likely then converge in approach leading to the ideal situation of near uniformity of requiremenst. Failure in doing so would result in regulatory arbitrage.
Para 4.46 – Enhanced Due Diligence 4.46 describes the specific cases that firms must always treat as high risk, quoting Articles 20-24 of 4MLD. Articles 20-24 refer to Enhanced Due Diligence and do not specifically prescribe a high risk rating. Particularly in the case of PEPs, it is important that firms have the ability to apply risk ratings to PEPs given the different risks associated with PEPs displaying differing risk attributes. Whilst acknowledging that EDD must always be applied, this should not consequently default to a high risk rating with certain categories of customer such as PEPs, but to be evaluated in concrete case by case.
Para 4.57 - States that firms should carefully assess the risk associated with business relationships and transactions where the customer maintains close personal or professional links with a high risk third country, or the beneficial owner(s) maintain(s) close personal or professional links with a high risk third country. As with 4.17, ordinarily, firms should be able to identify the countries and geographical areas in which the customer and beneficial owner conducts business as part of their initial CDD and ongoing monitoring. However, to ascertain countries to which the customer or the beneficial owner has relevant ‘personal or professional links’ would largely depend on the firm’s screening and proactive search of the internet. These are likely to yield only limited and possibly inaccurate information. The other source of information would be approaching the customer directly. To avoid raising suspicion, however, customers having links to high risk countries and geographical areas may be unwilling to provide a full and transparent disclosure. To improve the clarity of regulatory expectations, more guidance would be useful. For example, guidance on best practices and providing methods or examples would help firms to better asses and bolster their processes to identify such risks. Or the following should be added for the sake of clarification: to the extent that such relationships become known to the obligor.
Para 4.60 & 4.61 - Whilst a firm must apply EDD measures where it identifies unusual transactions or patterns of transactions, it may through its investigations satisfy itself that the transaction(s) does not give my to any ML / TF concerns in which case 4.61(b) should not be mandatory. Firms should have discretion to determine whether or not it is appropriate to conduct such enhanced monitoring of the relationship in accordance with 4.61(b). The inclusion of the ‘must’ to include increased monitoring is overly prescriptive. In certain circumstances the EDD applied may include enhanced monitoring however other forms of EDD may be more appropriate. Suggest the text is amended to include those items under 4.61 as examples.
Question 15: Do you have any comments on the proposed amendments to Guideline 15 for investment firms?
Question 15 - Do you have any comments on the proposed amendments to Guideline 15 for investment firms?Para 15.3 (c) - As the unusual aspects of mirror trades or transactions are difficult to assess, we suggest to delete ‘That appear unusual’.
Para 15.3 (d) - All structured products should not be considered as a factor of increasing risk. Suggest to delete.
Para 15.4 – Suggest to change the wording into:
15.4. The following factors may contribute to reducing risk:
a) The product, service or entity is subject to mandatory transparency and/or disclosure requirements.
b) The regulated services
Para 15.5 c) - the range of businesses which would indicate that a customer is higher risk seems excessive. 5MLD includes some industries or activities in Annex III point 2(f): oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species. But these are indicators that a product, service, transaction or delivery channel may be higher risk, not that a customer is. There is no mention, in the amended Directive, of any of the following indication a higher customer risk: construction, pharmaceuticals and healthcare, the extractive industries or public procurement. We see no reason why these should be singled out as indicators of higher customer risk. The AML/CFT risk presented by the pharmaceutical and healthcare industries may be distinct from the nature of risk associated with arms trade or the cash-intensive construction businesses. Therefore, each sector or industry associated with higher risk of financial crime should be assessed individually depending on the firm’s business and the underlying business relationship.
Specific suggestions:
15-5 b) iii. - The fact that the customer is regulated decreases the risks, but being unregulated does not involve a specific risk increase. Suggest deletion
15-5 b) v. - Suggest removing “holds another prominent position”, as it is impossible to check
15-5 c) - Suggest removing “pharmaceuticals and healthcare”
15-6 - Suggest adding to the list: “d) listed companies in an EEA jurisdiction or equivalent”
Para - 15.7 c) includes the fact that a trading venue has members or participants located in high-risk jurisdictions as an indicator of higher risk for a distribution channel. Firms using trading venues would not be aware of all other users, nor of where they may be located. As such, this risk should be re-worded so say: ‘The firm is aware that the trading venue has members or participants located in high-risk jurisdictions.’
Para 15-9 - This point should remove the mention of MiFiD and EMIR, as it can be confusing. Investment firms always use all information available.
Para 15-11 a) We suggest removing this point, as shown in the article 100 of FATF (2018), Guidance for a Risk-Based Approach for the Securities Sector:
“Art. 100. While a detailed analysis of the wide variety of intermediary and customer relationships that occurs in the securities sector is beyond the scope of this Guidance, a brief discussion of the distribution of investment funds may illustrate some common themes and concerns. In this context, the CDD measures an investment fund should take will depend on how the ultimate customer invests in the fund. Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer. Where an intermediary is treated as the investment fund’s customer, the investment fund may not have visibility on the intermediary’s underlying customers. This includes not having comprehensive identification nor transaction related information on the customers of the intermediary in cases such as, for example, where the intermediary nets all of its customers’ orders and submits a single net order to the investment fund each day.”
Question 16: Do you have any comments on the proposed amendments to Guideline 16 for providers of investment funds and the definition of customer in this Guideline?
Para 16.3 a) – as already outlined in our previous response, this guideline continues to be based on a wrong premise: it is not ‘easy’ to invest in and redeem a retail fund, in the sense of escaping AML obligations. The customer would have to complete an application form, provide original identification evidence, and transfer funds from a bank account in their own name to the fund’s bank account. In order to transfer the holding to another party the customer would need to sign a transfer out form, both parties would need to be fully identified and go through watchlist screening. Such a transfer, especially after a short holding period, would be likely to trigger suspicion, and therefore, a SAR.Para 16-3 b) This paragraph should only apply to those AIFs with a small number of investors – it is highly unlikely that in the case of AIFs sold to a large number of investors any of those would solely exercise control over the fund.
Para 16-3 c) – Suggest to delete the references ‘ access to such funds is often easy and relatively quick to achieve’. The medium- to long-term nature of the investment can contribute to limiting the attractiveness of these products for money laundering purposes.
Para 16-4 - Suggest removing the mention to guidelines 14, as not applying to funds and fund managers.
Para 16-5 b) – Suggest removing the entire paragraph. The possibility to redeem fund shares is a central right of investors in a fund, and without incurring in significant administrative costs. This is key for the business model of asset managers, and it should not be connected with an increased risk factor.
Para 16-7 b) – as our previous response, the meaning of this guideline should be clarified.
Para 16-9 – This should be extended to government agencies in non-EU jurisdictions which the firm assesses as having AML/CFT controls no less robust than Directive (EU) 2015/849.We also suggest adding ’listed companies’.
Para 16-10a) - we disagree that the distribution network as such can limit the fund’s oversight of its business relationships and restrict its ability to monitor transactions. The fund’s manager applies its own diligence at the intermediary level and such an understanding of the distribution network applies for any type of distribution channel. The use of a distribution network wouldn’t increase the risk of ML/TF per se.
16-11 a) We suggest changing this point to: “The fund admits only a designated type of low-risk investor, such as regulated firms investing as a principal (e.g. life companies), corporate pension schemes or listed companies.”
Para 16-12 a) We suggest changing this point to:
“The customers’ or beneficial owners’ funds have been generated located in jurisdictions associated with higher ML/TF risk, in particular those associated with higher levels of predicate offences to money laundering.”
Para 16.13 – the word ‘investor’ in line 6 should actually be ‘customer’, as it is the customer who should be asked to declare whether they are investing on behalf of someone else’s behalf: the investor.
Para 16.17 - There is a mismatch in the scope of this section with 16.20: the SDD measures set out in 16.20 may be applied to intermediaries in third country jurisdictions with AML law no less strict than the EU AML Directive, whereas 16.17 is to apply to all intermediaries in third countries. It seems to close off the ability to apply the simpler measures set out in 16.20 to intermediaries in third country jurisdictions with equivalent AML laws. This is undesirable. From an asset management standpoint, it is key to be able to rely on those provisions. It would be preferable for the requirements in that section to explicitly refer to higher risk situations, not all third county intermediaries. The additional wording ‘and has established a relationship similar to correspondent banking with the fund or the fund’s manager’ needs to be clarified. Is this a sub-category of intermediary or merely explanatory? Reference to 8.14-8.17: in particular the requirements in 8.17 e) do not translate very easily to intermediaries investing in funds. Specific guidance, rather than reference to section 8, would be preferable. It should make clear what steps are expected in addition to those set out in 16.20
Para 16.20 – this wording is particularly problematic because the identification of beneficial owners targets your customer and not your customer’s customer (except in payable through accounts where the provision for ‘conducts the transaction on their behalf’ kicks in). It is important to clearly differentiate the two but at the same time keep the risk mitigation tool.
Suggested change
16.20 (…) ‘The fund or fund manager should also take risk sensitive measures to identify, and where relevant, verify the identity of, the investors underlying customers of the financial intermediary that invest in the fund, as these investors customers may increase the implied risk associated with could be beneficial owners of the funds invested through the intermediary’. To the extent permitted by national law, in low-risk situations, Funds or fund managers may apply SDD measures similar t those described in Title I of these guidelines, subject to the following conditions:’.
16.20 e) It needs clarification as access to customer’s customers files is not permitted under data protection & bank secrecy regulations in most countries. For this reason, we would suggest the following change: “The fund or fund manager has taken risk-sensitive steps to be satisfied that the intermediary will provide, where relevant, CDD information and documents on the underlying investors upon request in a reasonable manner and timeframe immediately upon request, for example by including relevant provisions in a contract with the intermediary or by sample-testing the intermediary’s ability to provide CDD information upon request.
Para 16.22 - It is unclear to us whether this paragraph applies only to scenario d (under guideline 16.14) or under any other situation. This needs to be clarified.