Final Guidelines
Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions
The Risk Factors Guidelines
JC 2017 37, 26/06/2017
Contents
1. Executive summary
2. Background and rationale
3. Joint guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (the Risk Factors Guidelines)
   - Status of these joint guidelines
   - Reporting requirements
   - Title I – Subject matter, scope and definitions
   - Title II – Assessing and managing risk: general
     - Risk assessments: methodology and risk factors
     - Risk management: simplified and enhanced customer due diligence
   - Title III – Sector-specific guidelines
     - Chapter 1: Sectoral guidelines for correspondent banks
     - Chapter 2: Sectoral guidelines for retail banks
     - Chapter 3: Sectoral guidelines for electronic money issuers
     - Chapter 4: Sectoral guidelines for money remitters
     - Chapter 5: Sectoral guidelines for wealth management
     - Chapter 6: Sectoral guidelines for trade finance providers
     - Chapter 7: Sectoral guidelines for life insurance undertakings
     - Chapter 8: Sectoral guidelines for investment firms
     - Chapter 9: Sectoral guidelines for providers of investment funds
   - Title IV – Implementation
4. Accompanying documents
   - 4.1. Impact assessment
   - 4.2. Overview of questions for consultation
   - 4.4. Feedback on the public consultation
1. Executive summary
On 26 June 2015, Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Directive (EU) 2015/849) entered into force. This Directive aims, inter alia, to bring European Union legislation in line with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation that the Financial Action Task Force (FATF), an international anti-money laundering standard setter, adopted in 2012.
In line with the FATF’s standards, Directive (EU) 2015/849 puts the risk-based approach at the centre of the European Union’s anti-money laundering (AML) and countering financing of terrorism (CFT) regime. It recognises that the risk of money laundering and terrorist financing (ML/TF) can vary and that Member States, competent authorities, and credit and financial institutions within its scope (‘firms’) have to take steps to identify and assess that risk with a view to deciding how best to manage it.
Articles 17 and 18(4) of Directive (EU) 2015/849 require the European Supervisory Authorities (ESAs) to issue guidelines to support firms with this task and to assist competent authorities when assessing the adequacy of firms’ application of simplified and enhanced customer due diligence measures. The aim is to promote the development of a common understanding, by firms and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied.
These guidelines set out factors firms should consider when assessing the ML/TF risk associated with a business relationship or occasional transaction. They also set out how firms can adjust the extent of their customer due diligence (CDD) measures in a way that is commensurate to the ML/TF risk they have identified. The factors and measures described in these guidelines are not exhaustive and firms should consider other factors and measures as appropriate.
These guidelines are divided into two parts:
- Title II is general and applies to all firms. It is designed to equip firms with the tools they need to make informed, risk-based decisions when identifying, assessing and managing the ML/TF risk associated with individual business relationships or occasional transactions.
- Title III is sector-specific and complements the general guidance in Title II. It sets out risk factors that are of particular importance in certain sectors and provides guidance on the risk-sensitive application of CDD measures by firms in those sectors.
These guidelines will help firms identify, assess and manage the ML/TF risk associated with individual business relationships and occasional transactions in a risk-based, proportionate and effective way. They also clarify how competent authorities in the EU expect firms to discharge their obligations in this field.
Neither these guidelines nor the Directive’s risk-based approach require firms to refuse to enter into, or terminate, business relationships with entire categories of customers that are associated with higher ML/TF risk.
The ESAs publicly consulted on a version of these guidelines between 22 October 2015 and 22 January 2016. Respondents welcomed the draft guidelines and considered that they would support the development of an effective risk-based approach to AML/CFT across the EU. Some respondents raised concerns about the ability of national competent authorities to apply these guidelines in a consistent manner, stressed the need for the guidelines to be consistent with international AML/CFT standards and asked for clarification regarding the interaction of these guidelines with other provisions in Union law. These concerns have been addressed in these guidelines as appropriate.
These guidelines will apply by 26 June 2018.
Next steps
The ESAs will keep these guidelines under review and update them as appropriate. The first update is likely to occur once amendments to Directive (EU) 2015/849 have been agreed. The ESAs will consult on any changes made to the substance of these guidelines.
2. Background and rationale
On 26 June 2015, Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Directive (EU) 2015/849) entered into force. This Directive aims, inter alia, to bring European Union legislation in line with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation that the FATF, an international AML/CFT standard setter, adopted in 2012.
In line with the FATF’s standards, Directive (EU) 2015/849 puts the risk-based approach at the centre of European Union’s AML/CFT regime. It recognises that the risk of ML/TF can vary and that Member States, competent authorities and obliged entities have to take steps to identify and assess that risk with a view to deciding how best to manage it.
For obliged entities, CDD is central to this process, for both risk assessment and risk management purposes. CDD means:
- identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
- identifying the customer’s beneficial owner and taking reasonable measures to verify their identity so that the obliged entity is satisfied that it knows who the beneficial owner is;
- assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship; and
- conducting ongoing monitoring of the business relationship. This includes transaction monitoring and keeping the underlying information up to date.1
Directive (EU) 2015/849 provides that obliged entities can determine the extent of these measures on a risk-sensitive basis. It also provides that where the risk associated with the business relationship or occasional transaction is low, Member States may allow obliged entities to apply simplified customer due diligence (SDD) measures instead. Conversely, where the risk associated with the business relationship or occasional transaction is increased, obliged entities must apply enhanced customer due diligence (EDD) measures. However, the Directive does not set out in detail how obliged entities should assess the risk associated with a business relationship or transaction, nor does it set out exactly what SDD and EDD measures entail.
The Directive therefore requires the ESAs to issue guidelines to competent authorities and firms on ’the risk factors to be taken into consideration and/or the measures to be taken’ in situations where SDD or EDD measures are appropriate. These guidelines have to be adopted within two years of the Directive entering into force, that is, no later than 26 June 2017.
1 Article 13(1) of Directive (EU) 2015/849.
These guidelines will support the development of a common understanding, by firms and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied. They will help firms identify, assess and manage the ML/TF risk associated with individual business relationships and occasional transactions in a risk-based, proportionate and effective way.
Neither these guidelines nor the Directive’s risk-based approach require the wholesale exiting of entire categories of customers irrespective of the ML/TF risk associated with individual business relationships or occasional transactions.
Countering the financing of terrorism
Many of the CFT measures firms have in place will overlap with their AML measures. These may cover, for example, risk assessment, CDD checks, transaction monitoring, escalation of suspicions and liaison with the authorities. The guidance provided in these guidelines therefore applies to CFT as it does to AML, even where this is not explicitly mentioned.
There are, however, key differences between preventing money laundering and countering the financing of terrorism: the money launderer seeks to disguise the origins of illicit funds, whereas a person funding terrorism may also use legitimately held funds to pursue illegal aims. Firms should bear this in mind when assessing the risks posed to the firm by those funding terrorism.
A firm’s steps to counter the financing of terrorism will include its compliance with financial sanctions directed at people or organisations sanctioned for reasons related to terrorism. The European financial sanctions regime is not covered by Directive (EU) 2015/849 and compliance with this regime is not subject to a risk-based approach. It therefore falls outside the scope of these guidelines.
3. Joint guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (the Risk Factors Guidelines)
Status of these joint guidelines
This document contains joint guidelines issued pursuant to Articles 16 and 56(1) of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC; Regulation (EU) No 1094/2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority); and Regulation (EU) No 1095/2010 establishing a European Supervisory Authority (European Securities and Markets Authority) (the European Supervisory Authorities (ESAs) Regulations). In accordance with Article 16(3) of the ESAs Regulations, competent authorities and financial institutions must make every effort to comply with the guidelines.
Joint guidelines set out the ESAs’ view of appropriate supervisory practices within the European System of Financial Supervision or of how Union law should be applied in a particular area. Competent authorities to whom the joint guidelines apply should comply by incorporating them into their supervisory practices as appropriate (e.g. by amending their legal framework or their supervisory processes), including where the joint guidelines are directed primarily at institutions.
Reporting requirements
In accordance with Article 16(3) of the ESAs Regulations, competent authorities must notify the relevant ESA of whether they comply or intend to comply with these joint guidelines, or otherwise of reasons for non-compliance, [two months after the publication of all translations on the ESAs’ websites]. In the absence of any notification by this deadline, competent authorities will be considered by the relevant ESA to be non-compliant. Notifications should be sent to [compliance@eba.europa.eu, compliance@eiopa.europa.eu and compliance@esma.europa.eu] with the reference ‘JC/GL/2017/34’. A template for notifications is available on the ESAs’ websites. Notifications should be submitted by persons with appropriate authority to report compliance on behalf of their competent authorities.
Notifications will be published on the ESAs’ websites, in line with Article 16(3).
Title I – Subject matter, scope and definitions
Subject matter
- These guidelines set out factors firms should consider when assessing the money laundering and terrorist financing (ML/TF) risk associated with a business relationship or occasional transaction. They also set out how firms should adjust the extent of their customer due diligence (CDD) measures in a way that is commensurate to the ML/TF risk they have identified.
- These guidelines focus on risk assessments of individual business relationships and occasional transactions, but firms may use these guidelines mutatis mutandis when assessing ML/TF risk across their business in line with Article 8 of Directive (EU) 2015/849.
- The factors and measures described in these guidelines are not exhaustive and firms should consider other factors and measures as appropriate.
Scope
- These guidelines are addressed to credit and financial institutions as defined in Article 3(1) and 3(2) of Directive (EU) 2015/849 and competent authorities responsible for supervising these firms’ compliance with their anti-money laundering and counterterrorist financing (AML/CFT) obligations.
- Competent authorities should use these guidelines when assessing the adequacy of firms’ risk assessments and AML/CFT policies and procedures.
- Competent authorities should also consider the extent to which these guidelines can inform the assessment of the ML/TF risk associated with their sector, which forms part of the risk-based approach to supervision. The ESAs have issued guidelines on risk-based supervision in accordance with Article 48(10) of Directive (EU) 2015/849.
- Compliance with the European financial sanctions regime is outside the scope of these guidelines.
Definitions
- For the purpose of these guidelines, the following definitions shall apply:
- ‘Competent authorities’ means the authorities competent for ensuring firms’ compliance with the requirements of Directive (EU) 2015/849 as transposed by national legislation.2
- ‘Firms’ means credit and financial institutions as defined in Article 3(1) and (2) of Directive (EU) 2015/849.
- ‘Jurisdictions associated with higher ML/TF risk’ means countries that, based on an assessment of the risk factors set out in Title II of these guidelines, present a higher ML/TF risk. This term includes, but is not limited to, ‘high-risk third countries’ identified as having strategic deficiencies in their AML/CFT regime, which pose a significant threat to the Union’s financial system (Article 9 of Directive (EU) 2015/849).
- ‘Occasional transaction’ means a transaction that is not carried out as part of a business relationship as defined in Article 3(13) of Directive (EU) 2015/849.
- ‘Pooled account’ means a bank account opened by a customer, for example a legal practitioner or notary, for holding their clients’ money. The clients’ money will be commingled, but clients will not be able directly to instruct the bank to carry out transactions.
- ‘Risk’ means the impact and likelihood of ML/TF taking place. Risk refers to inherent risk, that is, the level of risk that exists before mitigation. It does not refer to residual risk, that is, the level of risk that remains after mitigation.
- ‘Risk factors’ means variables that, either on their own or in combination, may increase or decrease the ML/TF risk posed by an individual business relationship or occasional transaction.
- ‘Risk-based approach’ means an approach whereby competent authorities and firms identify, assess and understand the ML/TF risks to which firms are exposed and take AML/CFT measures that are proportionate to those risks.
- ‘Source of funds’ means the origin of the funds involved in a business relationship or occasional transaction. It includes both the activity that generated the funds used in the business relationship, for example the customer’s salary, as well as the means through which the customer’s funds were transferred.
- ‘Source of wealth’ means the origin of the customer’s total wealth, for example inheritance or savings.
2 Article 4(2)(ii), Regulation (EU) No 1093/2010; Article 4(2)(ii), Regulation (EU) No 1094/2010; Article 4(3)(ii), Regulation (EU) No 1093/2010.
Title II – Assessing and managing risk: general
- These guidelines come in two parts. Title II is general and applies to all firms. Title III is sector-specific. Title III is incomplete on its own and should be read in conjunction with Title II.
- Firms’ approach to assessing and managing the ML/TF risk associated with business relationships and occasional transactions should include the following:
- Business-wide risk assessments.
Business-wide risk assessments should help firms understand where they are exposed to ML/TF risk and which areas of their business they should prioritise in the fight against ML/TF. To that end, and in line with Article 8 of Directive (EU) 2015/849, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers. The steps firms take to identify and assess ML/TF risk across their business must be proportionate to the nature and size of each firm. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.
- Customer due diligence.
Firms should use the findings from their business-wide risk assessment to inform their decision on the appropriate level and type of CDD that they will apply to individual business relationships and occasional transactions.
Before entering into a business relationship or carrying out an occasional transaction, firms should apply initial CDD in line with Article 13(1)(a), (b) and (c) and Article 14(4) of Directive (EU) 2015/849. Initial CDD should include at least risk-sensitive measures to:
- i. identify the customer and, where applicable, the customer’s beneficial owner or legal representatives;
- ii. verify the customer’s identity on the basis of reliable and independent sources and, where applicable, verify the beneficial owner’s identity in such a way that the firm is satisfied that it knows who the beneficial owner is; and
- iii. establish the purpose and intended nature of the business relationship.
Firms should adjust the extent of initial CDD measures on a risk-sensitive basis. Where the risk associated with a business relationship is low, and to the extent permitted by national legislation, firms may be able to apply simplified customer due diligence measures (SDD). Where the risk associated with a business relationship is increased, firms must apply enhanced customer due diligence measures (EDD).
- Obtaining a holistic view.
Firms should gather sufficient information to be satisfied that they have identified all relevant risk factors, including, where necessary, by applying additional CDD measures, and assess those risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction. Firms should note that the risk factors listed in these guidelines are not exhaustive, and that there is no expectation that firms will consider all risk factors in all cases.
- Monitoring and review.
Firms must keep their risk assessment up to date and under review.3 Firms must monitor transactions to ensure that they are in line with the customer’s risk profile and business and, where necessary, examine the source of funds, to detect possible ML/TF. They must also keep the documents, data or information they hold up to date, with a view to understanding whether the risk associated with the business relationship has changed.4
Risk assessments: methodology and risk factors
- A risk assessment should consist of two distinct but related steps:
  - a) the identification of ML/TF risk; and
  - b) the assessment of ML/TF risk.
Identifying ML/TF risk
- Firms should find out which ML/TF risks they are, or would be, exposed to as a result of entering into a business relationship or carrying out an occasional transaction.
- When identifying ML/TF risks associated with a business relationship or occasional transaction, firms should consider relevant risk factors including who their customer is, the countries or geographical areas they operate in, the particular products, services and transactions the customer requires and the channels the firm uses to deliver these products, services and transactions.
Sources of information
- Where possible, information about these ML/TF risk factors should come from a variety of sources, whether these are accessed individually or through commercially available tools or databases that pool information from several sources. Firms should determine the type and numbers of sources on a risk-sensitive basis.
3 Article 8(2) of Directive (EU) 2015/849.
4 Article 13(1)(d) of Directive (EU) 2015/849.
- Firms should always consider the following sources of information:
- the European Commission’s supranational risk assessment;
- information from government, such as the government’s national risk assessments, policy statements and alerts, and explanatory memorandums to relevant legislation;
- information from regulators, such as guidance and the reasoning set out in regulatory fines;
- information from Financial Intelligence Units (FIUs) and law enforcement agencies, such as threat reports, alerts and typologies; and
- information obtained as part of the initial CDD process.
- Other sources of information firms may consider in this context may include, among others:
- the firm’s own knowledge and professional expertise;
- information from industry bodies, such as typologies and emerging risks;
- information from civil society, such as corruption indices and country reports;
- information from international standard-setting bodies such as mutual evaluation reports or legally non-binding blacklists;
- information from credible and reliable open sources, such as reports in reputable newspapers;
- information from credible and reliable commercial organisations, such as risk and intelligence reports; and
- information from statistical organisations and academia.
Risk factors
- Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.
Customer risk factors
- When identifying the risk associated with their customers, including their customers’ beneficial owners,5 firms should consider the risk related to:
  - a) the customer’s and the customer’s beneficial owner’s business or professional activity;
  - b) the customer’s and the customer’s beneficial owner’s reputation; and
  - c) the customer’s and the customer’s beneficial owner’s nature and behaviour.
- Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
- Does the customer or beneficial owner have links to sectors that are commonly associated with higher corruption risk, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement?
- Does the customer or beneficial owner have links to sectors that are associated with higher ML/TF risk, for example certain Money Service Businesses, casinos or dealers in precious metals?
- Does the customer or beneficial owner have links to sectors that involve significant amounts of cash?
- Where the customer is a legal person or a legal arrangement, what is the purpose of their establishment? For example, what is the nature of their business?
- Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849.
- Does the customer or beneficial owner hold another prominent position or enjoy a high public profile that might enable them to abuse this position for private gain? For example, are they senior local or regional public officials with the ability to influence the awarding of public contracts, decision-making members of high-profile sporting bodies or individuals who are known to influence the government and other senior decision-makers?
- Is the customer a legal person subject to enforceable disclosure requirements that ensure that reliable information about the customer’s beneficial owner is publicly available, for example public companies listed on stock exchanges that make such disclosure a condition for listing?
5 For guidance on risk factors associated with beneficiaries of life insurance policies, please refer to Title III, Chapter 7.
- Is the customer a credit or financial institution acting on its own account from a jurisdiction with an effective AML/CFT regime and is it supervised for compliance with local AML/CFT obligations? Is there evidence that the customer has been subject to supervisory sanctions or enforcement for failure to comply with AML/CFT obligations or wider conduct requirements in recent years?
- Is the customer a public administration or enterprise from a jurisdiction with low levels of corruption?
- Is the customer’s or the beneficial owner’s background consistent with what the firm knows about their former, current or planned business activity, their business’s turnover, the source of funds and the customer’s or beneficial owner’s source of wealth?
- The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owner’s reputation:
- Are there adverse media reports or other relevant sources of information about the customer, for example are there any allegations of criminality or terrorism against the customer or the beneficial owner? If so, are these reliable and credible? Firms should determine the credibility of allegations on the basis of the quality and independence of the source of the data and the persistence of reporting of these allegations, among other considerations. Firms should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.
- Has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?
- Does the firm know if the customer or beneficial owner has been the subject of a suspicious transactions report in the past?
- Does the firm have any in-house information about the customer’s or the beneficial owner’s integrity, obtained, for example, in the course of a long-standing business relationship?
- The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
- Does the customer have legitimate reasons for being unable to provide robust