|
Improved cross-border compliance
The proposal for a Regulation on AML/CFT aims at improving cross-border situations. National rules on customer due diligence (including Know-Your-Customer) currently diverge from one EU country to another. This makes it more difficult for companies to operate cross-border. Therefore, with this proposal, the European Commission includes all rules that apply to the private sector in a Regulation, hence directly applicable (as opposed to directives). The organisation of the institutional AML/CFT systems at national level is left to the AML directive.
The proposal lays down more specific provisions on the identification of the customer and on the verification of the customer’s identity. The conditions for the use of eIDAS eID means are clarified. The new AML Authority is empowered to produce regulatory technical standards on the minimum datasets for identifying natural and legal persons -depending on the risk level. This will include simplified measures in case of low-risk situations. On the contrary, in situations that present a greater risk of money laundering, particularly rigorous customer identification and verification procedures are required. More details on this part can be found below.
The proposal also allows an obliged entity to rely on the customer information collected by other obligation entities. However, the obliged entity which chooses to rely on this information remains responsible.
The proposal further lays down a harmonised approach on the identification of beneficial owners. Beneficial owners are, in case of corporate entities, the natural person(s) who control(s), directly or indirectly, the corporate entity, either through an ownership interest or through control via other means.
The new Regulation will be applicable three years after its entry into force.
Extended list of obliged entities
The proposed Regulation expands the list of obliged entities to crypto asset service providers, crowdfunding platforms and migration operators. It also covers trust and company service providers.
The list is now the following one:
-credit institutions
-financial institutions
-the following natural or legal persons acting in the exercise of their professional activities:
-auditors, external accountants, and tax advisors
-notaries
-buying and selling of real property or business entities
-managing of client money, securities or other assets
-opening or management of bank, savings or securities accounts
-organisation of contributions necessary for the creation, operation or management of companies
-creation, operation or management of trust, companies, foundations, or similar structures
-trust or company service providers
-estate agents
-persons trading in precious metals and stones
-providers of gambling services
-crypto-asset service providers
-crowdfunding service providers other than those regulated by Regulation 2020/1503
-person trading or acting as intermediaries in the trade of works of art where the value of the transaction is at least 10 000 euros
-creditors for mortgage and consumer credits
-investment migration operators
When does customer due diligence apply?
Obliged entities shall apply customer due diligence measures when:
-establishing a business relationship
-involved or carrying out a transaction of at least 10 000 euros, whether that is one single operation or through linked transactions
-there is suspicion of money laundering or terrorist financing
-there are doubts about the veracity or adequacy of previously obtained customer identification data
-initiating or executing a transfer of crypto-assets exceeding 1 000 euros
Identification and verification of the customer’s identity (Art. 18)
As part of their due diligence obligations, obliged entities must verify the identity of their customers. Obliged entities shall obtain at least the following information:
(a) For a natural person:
-forename and surname
-place and date of birth
-nationality and, where applicable, national identification number
-usual place of residence and, where possible, the occupation, profession or employment status and the tax identification number
(b) For a legal entity:
-legal form and name
-address of the registered or official office and, if different, principal place of business, and country of incorporation
-names of legal representatives, registration number, tax identification number, Legal Entity Identifier
The Article also lays down the minimum datasets for trustees and other organisations that have legal capacity.
Obliged entities shall obtain the information, documents and data necessary for the verification of the customer and beneficial owner identity through:
-submission of the identity document, passport or equivalent and acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer
-use of electronic identification means and relevant trust services as set out in eIDAS
Obliged entities shall also determine whether the customer or beneficial owner of the customer is a politically exposed person.
Regulatory technical standards on the information necessary for the performance of customer due diligence (Art. 22)
Two years after the entry into force of the legislation, the AML Authority (AMLA) shall develop draft regulatory technical standards and submit them to the Commission for adoption. These standards will specify:
-the requirements to comply with Article 18 (identity verification), including minimum requirements in situations of lower risk
-the type of simplified due diligence measures which obliged entities may apply in situations of low risk
-the reliable and independent sources of information that may be used to verify the identification data of natural or legal persons
-the list of attributes which electronic identification means and relevant trust services must feature to fulfil the requirements and in case of standard, simplified and enhanced customer due diligence
Simplified customer due diligence (section 3)
If the business relationship or transaction presents a low degree of risk, obliged entities may apply the simplified customer due diligence measures, including:
-verify the identity of the customer and beneficial owner after the establishment of the business relationship
-reduce the frequency of customer identification updates
-any other simplified measures identified by AMLA
Enhanced customer due diligence (section 4)
On the contrary, some situations are considered “high risk”. The proposal gives details on how to assess whether a situation is high risk (e.g. transaction unusually large). In this case, obliged entities will have to apply enhanced customer due diligence measures including obtaining additional information on the customer and beneficial owner.
Outsourcing compliance
Obliged entities can outsource the tasks of performing customer due diligence to an agent or external service provider. For instance, this can be verification of identity.
AMLA will issue guidelines on the implementation of outsourcing.
Data protection
Obliged entities have the right to process special categories of personal data (GDPR) for the purposes of preventing money laundering and terrorist financing.
If you have any questions on this topic, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com
|
