Among the main measures recently adopted by the European Union (EU) is the publication of a new “Regulatory Technical Standards” (RTS) document specifying the measures that EU credit and financial institutions must implement to address money laundering and terrorist financing risks in subsidiaries or branches established in non-EU countries. The EU has been publishing a steady stream of news on compliance with Anti-Money Laundering (AML) rules, most of it enforcement actions and updates to the rules themselves.
The new EU rules: Additional requirements and measures
The Regulatory Technical Standards paper (RTS) applies to credit and financial institutions where a subsidiary or branch established in a non-EU country is prevented by local law from applying the policies that its EU parent company has put in place to comply with EU regulations.
The 5AMLD (5th Anti-Money Laundering Directive) already requires all obliged entities to have group-wide policies addressing money laundering and terrorist financing risks, including data protection and data exchange policies and procedures. The same rules are meant to apply to group entities operating outside the European Economic Area (EEA), to the extent permitted by local law.
The new EU rules also specify a number of “additional measures” that credit and financial institutions should take where the risk warrants them. In addition, for every non-EEA country in which they have local entities (branches or majority-owned subsidiaries), these institutions must:
- Assess the money laundering and terrorist financing risk to their group in that country, record that assessment in writing, keep it up to date and retain it.
- Ensure that the risk assessment is adequately reflected in their group-wide AML/CFT policies and procedures.
- Obtain senior management approval at group level for the risk assessment and the resulting policies and procedures.
- Provide specific training to staff in the non-EEA entities so that they can identify risk indicators, and verify that the training is effective.
These general obligations appear to duplicate measures already required of groups to assess and manage money laundering and terrorist financing risk. Their purpose, however, is to make firms demonstrate that they have explicitly considered the specific risk posed by each non-EEA country and its impact on the group as a whole.
New challenges arise in the implementation of the future standard
Some institutions may find it difficult to fully implement group procedures in subsidiaries established outside the European Union because of third-country laws, such as data protection or banking secrecy laws that prohibit the exchange of information. The Commission’s RTS addresses this problem by imposing additional obligations on EU credit and financial institutions. These include conducting a comprehensive money laundering and terrorist financing risk assessment for the relevant third country, providing specific training to staff where appropriate, and seeking the direct consent of customers to share their information where doing so would otherwise be unlawful. Where none of these measures is possible, the institution may be required to terminate the business relationship or decline the transaction.
Regulated entities should identify any requirements of local law that may impede or conflict with the policies and procedures needed to identify and assess money laundering and terrorist financing risk, including local restrictions on the following:
- The use of customer and beneficial owner information for customer due diligence (CDD).
- The sharing or processing of customer data for AML/CFT purposes.
- The exchange of information on suspicious transaction reports with other entities in the group.
- The transfer of customer data to the EEA for the purpose of AML/CFT monitoring.
- The establishment of record-keeping measures equivalent to those required under EU AML rules.
Under 5AMLD, Member States and the ESAs (European Supervisory Authorities), when assessing whether a non-EEA country hinders the proper application of group-wide policies, should expressly take into account any legal constraints, including:
- Data protection rules.
- Other restrictions limiting the exchange of information.
The issue cannot be ignored. Failure to comply with these requirements can result in substantial fines, negative publicity and reputational damage, so it is essential to understand their scope and the obligations they impose.
As we have seen, the European Union is stepping up its efforts in the fight against money laundering. Scrutiny of financial institutions will only increase, and a firm that has not put a proper compliance programme in place by the time that scrutiny arrives will find it too late to catch up. Compliance programmes therefore need to be both streamlined and robust.