Over the last 10 months, JWG’s CDMG has covered – in depth – the incoming Anti-Money Laundering Directive IV (AMLD IV). AMLD IV focuses on the risk profiles of clients and monitoring or reporting them accordingly.
On 21 October, ESMA published a Joint Consultation Paper on simplified and enhanced due diligence, detailing the factors that firms should consider when assessing the risk of money laundering (ML) and terrorist financing (TF). The European Supervisory Authority (ESA) invited comments on all proposals put forward in the paper. Comments and questions need to be submitted by 22 January 2016. Below is a summary of the 89-page document.
It is clear that firms, if they have not already done so, will need to implement or update internal procedures, policies and infrastructure. As a result, legal, compliance, tech and ops will all be busy ensuring that suitable systems, controls and policies are in place to meet the demands of the AMLD IV risk assessment framework.
Assessing and managing risk
Firms should undertake the following assessments to manage ML and TF risks associated with businesses:
- Business-wide assessments: these should help firms understand business exposures and identify which areas to prioritise when tackling ML and TF. In addition, a risk assessment should be undertaken for the products and services offered and the jurisdictions in which they operate.
- Customer due diligence: firms should use the business-wide risk assessment to decide on the level at which they will undertake customer due diligence. Initial due diligence should include the assessment of risk-sensitive measures, including identifying beneficial ownership and/or legal representatives and being satisfied with the verification of the customer and their identity.
It is suggested that firms should adjust their due diligence processes on a risk-sensitive basis. When risks are increased, firms should have a trigger mechanism in place that initiates enhanced due diligence processes.
It is recommended that firms take a holistic approach when looking at the risk profile of clients and put in place the required monitoring and review processes. Firms should examine transactions and the source of funds and must keep all documentation up to date.
Firms are required to identify risk in relation to the customer and the jurisdictional risk profile.
When identifying risk, firms should consider the European Commission’s supranational assessment, information from the government and regulators and reports from the Financial Intelligence Units. In addition, firms should draw upon their own intelligence and that of industry bodies and undertake analysis using social media, the internet, news and commercial organisations and academic institutions.
Firms assessing a customer should take into consideration beneficial owners, their business or professional activity, reputation, nature and behaviour. In addition, political connections should be examined for the client and beneficial owners, and all clients that fall under the definition of a politically exposed person should be reviewed.
Firms need to pay attention to the location where the clients are resident and the level of risk each jurisdiction poses in terms of ML, TF and corruption.
Furthermore, a firm should be comfortable with the veracity of the information provided and be able to support its decision. Additionally, firms will have to create triggers to detect transactions and information that go beyond set thresholds.
It is recommended that firms are aware of, and take into account, the level of secrecy that a client demands, and be content that the level demanded is viewed as being reasonable.
Product and service risk assessment
Firms should take into account a number of factors concerning the products and services offered and their associated risks. These factors include:
- The level of transparency or opaqueness
- The complexity
- The value or size
- The extent to which they allow anonymity
In addition, firms will need to take into account and assess the delivery channel of the product and the associated risk. Risk factors include whether the delivery is operated on a face-to-face basis and whether intermediaries were used.
When weighting risk factors, firms need to make an informed and substantiated judgement. Weighting can be made on a case-by-case basis or act as a general weighting to a specific area of the risk assessment. Ultimately, because the characteristics of each firm are quite different, weighting will likely be applied on a client-by-client, product-by-product or firm-by-firm basis.
SDD or EDD
Firms may adjust the amount, timing and type of each or all of the CDD measures in a way that is commensurate with the low risk identified.
SDD may be applied in circumstances that provide limited opportunity for ML or TF. Measures undertaken include the verification of the customers, beneficial ownership arrangements, transaction thresholds and a general risk profile assessment.
Firms may apply EDD when a higher risk is posed, and these measures should be implemented in addition to SDD. Indicators of when to apply EDD include when the client falls under the definition of a PEP, when there is a relationship with a non-EEA country, when there is a relationship with a high-risk country, or when a product or transaction allows for high anonymity and/or is complex or large, or when there is an unusual transaction pattern.
This only scratches the surface of the 89-page document. What can be ascertained from the above summary is that firms need to ensure that they implement the most suitable risk assessment policies and procedures in accordance with their own characteristics. In addition, firms need to ensure that they have the appropriate measures and triggers for when to downgrade or upgrade the level of due diligence, and ensure that they can adequately substantiate their decisions to the regulator.
Essentially, the risk assessment framework is not a ‘one size fits all’ but instead will need to be tailor-made in a way that is both flexible and robust.