EU: Tighter AML regulations for financial institutions with non-EU subsidiaries
The EU has been releasing a lot of news about Anti-Money Laundering (AML) compliance, and much of it is enforcement actions and regulatory updates. One action was the EU releasing a new “Regulatory Technical Standards Paper (RTS)” specifying the measures that EU institutions should take to handle money laundering and terrorist financing risks for subsidiaries or branches established in non-EU countries.
New requirements and additional measures
The RTS applies to financial institutions where a subsidiary or branch established in a non-EU country is prohibited from implementing policies that its EU parent company has put in place to comply with EU regulations.
Requirements under 5AMLD already call for group-wide policies for all obliged entities to address money laundering and terrorist financing risks, including data protection and sharing policies and procedures. The same standards should apply to group entities operating outside the European Economic Area (EEA), to the extent that local law allows.
The new EU rules also specify a range of “additional measures” that credit and financial institutions must take if they are deemed necessary. However, for all non-EEA countries where they have local entities (that are branches or majority owned subsidiaries), these institutions must:
- Assess the money laundering and terrorist financing risk to their group in that country, record that assessment in writing, keep it up to date and retain it
- Ensure that the risk assessment is reflected appropriately in their group-wide AML/CTF policies and procedures
- Obtain senior management approval at the group level for the risk assessment and resulting policies and procedures
- Provide targeted training to staff members in the non-EEA country to enable them to identify risk indicators and ensure that the training is effective
These general obligations may seem to duplicate steps already required at the group level to assess and manage money laundering and terrorist financing risk. However, they require companies to ensure that they have sufficiently considered the specific risk posed by the non-EEA country and the impact on the group as a whole.
Challenges in implementing the new standard
Certain institutions may struggle to fully implement procedures in subsidiaries established outside the EU as a result of third-country laws, such as data protection or banking secrecy laws that prohibit sharing of information. The Commission’s RTS aims to combat this problem by imposing additional obligations on EU credit and financial institutions. These obligations include carrying out a thorough risk assessment of money laundering and terrorist financing risks in the relevant third country and providing targeted training to members of staff where applicable, or seeking direct consent from customers to provide information in circumstances where carrying out a risk assessment would otherwise be unlawful. In the event that neither course of action is possible, the institution may be obliged to terminate the relevant business relationship or transaction.
Obliged entities should examine local law requirements for policies and procedures that potentially impede or conflict with the necessary requirements to identify and assess AML/CFT, including the following:
- The use of customer and beneficial ownership information for customer due diligence (CDD)
- The sharing or processing of customer data for AML/CTF purposes
- The sharing of information on suspicious transaction reports with other entities in the group
- The transfer of customers’ data to the EEA for the purpose of AML/CTF supervision
- The establishment of record-keeping measures equivalent to the money laundering regulations
What’s on the horizon?
Under 5AMLD, member states and ESAs assessing whether non-EEA countries hinder proper implementation of group-wide policies must expressly take into account any legal constraints, including: (1) secrecy, (2) data protection, and (3) other constraints limiting the exchange of information.
It’s vital to understand the reach and obligations of these requirements; failure to adhere to these directives can result in substantial fines, negative publicity and reputational damage. Altogether, it appears that the EU is doubling down on its AML efforts and will increase scrutiny on all financial institutions, and it’s vital that compliance programs be especially streamlined and robust.