EU pushes ‘AML compliance without borders’

Proposed EU AML standards are set to raise the compliance benchmark for global financial institutions and place a spotlight on the challenges of implementing global AML programmes. Specifically, the new rules will require firms to (i) take immediate action to identify countries in which they operate outside the EU where local laws and regulations conflict with the firm’s group-wide policies, (ii) perform a tailored assessment of the resulting risks to the group, and (iii) implement additional measures to mitigate those risks, take steps to restrict product and service offerings, and/or exit client relationships.     

What are the obligations?

The EU’s Fourth Money Laundering Directive (4MLD) (which Member States were required to transpose into national law by 26 June 2017) requires financial institutions to implement policies and procedures to guard against money laundering and terrorist financing. What is new is that the AML/CFT procedures must be carried out at a group level. In practice, this means any parent entity located within the EU must ensure that its policies, controls and procedures apply to all of its non-EU subsidiaries and branches.       

If a group operates outside the EU (in a Third Country), and the domestic law of that country inhibits group-wide AML/CFT Procedures (for example, because the sharing of customer information within the group would conflict with the local data protection or bank secrecy laws), the firm must take additional steps to manage the risk of non-compliance with the EU standard. The European Supervisory Authorities recently published draft standards setting out the steps that firms should take to comply with the Third Country requirements of 4MLD.  

What do the standards require?

For each Third Country, firms must:    

1. Maintain an up-to-date and tailored AML/CFT risk assessment;  

2. Ensure that identified risks are appropriately reflected in regularly-updated group-wide AML/CFT procedures;    

3. Obtain senior management approval at group level for both the risk assessment and group-wide policies; and   

4. Provide targeted and effective training to employees in the Third Country to enable them to identify red flags.    

Where the domestic law in a Third Country prohibits or restricts either (a) the implementation of policies and procedures to address risks associated with a customer relationship or occasional transactions performed by a customer, (b) customer data sharing or processing, or (c) record keeping procedures, firms must:   

• Inform their home regulator within 28 days of the prohibition or restriction; and
• Seek consent from customers, subject to local laws, to get around the prohibition or restriction.  

Where it is not possible for customers to give their consent to share or process their data, firms must take additional measures, including: 

• Restricting the nature and type of products and services to those that present a low money laundering risk; 
• Conducting enhanced customer due diligence, monitoring, onsite checks and independent audits;  
• Ensuring that senior management approves higher risk business in the Third Country; and 
• Ensuring that Third Country operations have effective systems and controls to identify and report suspicious transactions.   

Where the additional measures above do not manage risks effectively, firms must terminate the customer relationship, refuse to carry out occasional transactions by the customer that are deemed risky, or cease some or all of their operations in the relevant Third Country.        

Three Things Financial Institutions Should Do in Early 2018 

1. Start scoping and planning now.  Firms will have just three months to update their global AML/CFT program once the European Commission approves the new standards. As a preliminary step, firms should identify the Third Countries relevant to them and the appropriate people to engage in their organisation.

2. Engage stakeholders. Firms should engage legal, compliance, front-office and senior management teams at both group and local levels. They may also consider creating a working group to address the new rules.      

3. Identify and assess local laws in light of group policies. Firms should undertake jurisdiction specific AML/CTF analysis to identify potential tensions between their group policy and the local legal system.    

The draft standards can be found here. 

Co-authored with Jonathan Ware (Senior Associate, Washington, DC).