Compliance
Wij gebruiken te pas en te onpas Engelse woorden in het bedrijfsleven. Compliance of ‘Nakoming van wet en regelgeving’ is een steeds belangrijker begrip in datzelfde bedrijfsleven aan het worden.
Door druk op overheidsbudgetten en de toename van criminele geldstromen (denk aan extasy in Noord-Brabant, check de koppen hier, hier en/of hier) wordt dit voor ieder bedrijf een risico. Hoe voorkom je witwassen, nou ja, denk in ieder geval na over compliance, maar beter nog doe er iets aan……..
Reputatie gaat te paard en komt te voet…..
Hier een aantal ‘tools’ en dat gaat nu verder in het Engels omdat de literatuur daar veel breder gedragen is en we ook in Nederland vooral internationaal bezig zijn en dus dit soort beleid meteen in het Engels beschikbaar willen hebben.
Pas op – dit is een generiek en beperkt voorbeeld, maatwerk naar lokale wetgeving en overige (toezichthouders)regels blijft steeds noodzakelijk!
Compliance in financial services
Before the rise of the digital economy, protecting customer assets and information required only physical barriers and computer firewalls. Today, money, and the data associated with it is moved around the globe in milliseconds, often without human interaction—adding several layers of complexity. Banks, insurance companies, and other financial service firms need to make sure that their technology gives their customers what they want while addressing security concerns and complying with regulations.
Companies in the financial services industry are responsible for holding and managing their customers’ money and financial information. They must comply with federal, state, and local regulations that govern nearly every aspect of the industry to ensure that financial data is as secure as possible.
Customers have unprecedented access to their financial information on a variety of devices, which also invites risk. Protecting customer data from fraud and complying with government regulations while also making financial products and services more convenient and intuitive to use is no easy feat. Adding to this complex challenge is adaptation to ever-evolving threats from criminals.
Governments around the world are responding to this trend by updating existing laws, regulations, and technology standards, and enacting new ones to accommodate a rapidly evolving digital economy.
The continuing ability of the financial industry to attract legitimate customers with funds and assets that are clean and untainted by criminality depends, in large part, upon the reputation of an industry as a sound, well-regulated industry. Any business that assists in laundering the proceeds of crime, or financing of terrorism, whether:
- with knowledge or suspicion of the connection to crime; or
- acting without regard to what it may be facilitating through the provision of its products or services
will face the loss of its reputation, risk the loss of its licence1 or other regulatory sanctions (where regulated and supervised), damage the integrity of the financial industry as a whole, and may risk prosecution for criminal offences.
Anti-money laundering and countering of terrorism
Many countries have in place a framework of anti-money laundering legislation and for the countering of terrorism.
Each person carrying on a financial services business in or from within a country, or a Country corporate or other legal person registered in the Country carrying on a financial services business anywhere in the world (further relevant person) in Country must recognise the role that it must play in protecting itself, and its employees, from involvement in money laundering and the financing of terrorism, and also in protecting the Country’s reputation of probity.
The key to the prevention and detection of money laundering and the financing of terrorism lies in the implementation of, and strict adherence to, effective systems and controls, including sound customer due diligence (“CDD”) measures based on international standards.
An Anti-money Laundering / Countering the Financing of Terrorism Handbook (AML/CFT Handbook) is therefore implemented in a business to establish standards which match international standards issued by the Financial Action Task Force (the “FATF”). An AML/CFT Handbook also has regard to the standards promoted by the Basel Committee on Banking Supervision (the “Basel Committee”), International Organisation of Securities Commissions (“IOSCO”) and the International Association of Insurance Supervisors (the “IAIS”). The AML/CFT Handbook takes account of the requirements of European Union (the “EU”) legislation to counter money laundering and the financing of terrorism and its application of standards set by the FATF.
In an AML/CFT Handbook references should be included to the laws and regulations in a country regarding Financing of terrorism and Money laundering.
There are a lot of provision an AML/CFT Handbook has to cover, among others items such as:
- An AML/CFT Code of Practice
- Corporate governance
- Under the general heading of corporate governance, this section considers:
- Board responsibilities for the prevention and detection of money laundering and financing of terrorism;
- requirements for systems and controls, training and awareness; and
- the appointment of a Money Laundering Compliance Officer (the “MLCO”) and Money Laundering Reporting Officer (the “MLRO”).
- An AML/CFT Handbook describes a relevant person’s general framework to combat money laundering and financing of terrorism as its “systems and controls”. The AML/CFT Handbook refers to the way in which those systems and controls are implemented into the day-to-day operation of a relevant person as its “policies and procedures”.
- Corporate governance
- Definition of Financial Services Business
- Risk Based Approach
- Equivalence of Requirements in Other Countries and Territories
However here we primarily deal with the outcome of such policies:
- Client acceptance due diligence – which explains the basis for finding out identity and obtaining evidence of identity;
- Third party reliance – which considers the circumstances in which reliance might be placed on another party to have applied identification measures; and
- Enhanced CDD – which explains the application of enhanced CDD measures (including the case of a customer that is assessed as presenting a higher risk) and simplified identification measures, and
- On-going monitoring – consisting of:
- Scrutinising transactions undertaken throughout the course of a business relationship; and
- Keeping documents, data or information up to date and relevant.
Obligation to find out identity and obtain evidence of identity
- Determining that a customer is the person that he, she, or it claims to be is a combination of being satisfied that:
- a person exists – on the basis of information found out; and
- the customer is that person – by collecting from reliable and independent source documents, data or information, satisfactory confirmatory evidence of appropriate components of the customer’s identity.
- Evidence of identity can take a number of forms. In respect of individuals, much weight is placed on identity documents and these are often the easiest way of providing evidence as to someone’s identity. It is, however, possible to be satisfied as to a customer’s identity by obtaining other forms of confirmation, including independent data sources, E-ID and, in appropriate circumstances, written assurances from obliged persons.
- When obtaining evidence of identity, a relevant person will need to be prepared to accept a range of documents.
- Requirements for identification measures are not summarised in here. In short, identification measures must establish the persons who are concerned with a legal arrangement, and each beneficial owner and controller of a customer who is a legal person (each further referred to as a ‘person to identify‘).
- Under AML/CFT procedures a relevant person must determine whether a customer is acting for a legal arrangement, and, if so, identify the legal arrangement.
- Where a customer is acting for a legal arrangement, AML/CFT procedures require the customer, e.g. the trustee of a trust or general partner of a limited partnership, to be identified.
- AML/CFT procedures require the identity of each ‘person to identify’ (see above) to be found out and evidence of identity obtained, i.e.:
- In the case of a trust, the settlor.
- In the case of a trust, the protector.
- Having regard to risk, a person that has a beneficial interest in the legal arrangement, or who is the object of a trust power in relation to a trust.
- Any other individual who otherwise exercises ultimate effective control over the third party.
- In respect of each ‘person to identify’ (see above) who is not an individual, AML/CFT procedures require each individual who is that person’s beneficial owner or controller to be identified.
Find Out Identity and Obtain Evidence: Individuals
The following paragraphs apply to situations where an individual is the customer or where the customer is more than one individual, such as a husband and wife opening a joint account.
The provisions also apply to situations where an individual is:
- A person connected to a legal arrangement, because of a requirement in AML/CFT procedures to identify each person who falls within AML/CFT procedures, and each individual who is that person’s beneficial owner or controller;
- The beneficial owner or controller of a customer, because of a requirement in AML/CFT procedures to identify the individuals who are the customer’s beneficial owners or controllers;
- Acting on behalf of a customer (e.g. is acting according to a power of attorney, or has signing authority over an account) because of a requirement in AML/CFT procedures; or
- A third party on whose behalf a customer is acting, because of a requirement in AML/CFT procedures to identify the individuals who are the third party’s beneficial owners or controllers.
Finding out Identity
A relevant person may demonstrate that it has found out the identity of an individual who is a customer AML/CFT procedures where it collects all of the following:
- Legal name, name(s) currently used, any former legal name(s) (such as maiden name), and name(s) formerly used.
- Principal residential address.
- Date of birth.
- Place of birth.
- Nationality.
- Sex.
- Government issued personal identification number or other government issued unique identifier.
However, in the case of a lower risk relationship, a relevant person may demonstrate that it has found out the identity of an individual who is a customer under AML/CFT procedures where it collects the following: legal name, any former names (such as maiden name) and any other names used; principal residential address; and date of birth.
Obtaining Evidence of Identity
Evidence of identity may come from a number of sources, including:
- Original documents
- Certified copies of documents
- External data sources
- E-ID
These sources may differ in their integrity, reliability and independence. For example, some identification documents are issued after due diligence on an individual’s identity has been undertaken, for example passports and national identity cards; others are issued on request, without any such checks being carried out. A relevant person should also recognise that some documents are more easily forged than others. Similarly, some smart phone or tablet applications may not sufficiently mitigate the risks inherent in using such technology and a relevant person will need to ensure that its CDD systems and controls include measures specifically designed to do so.
Additionally, documents incorporating photographic confirmation of customer identity provide a higher level of assurance that an individual is the person who he or she claims to be.
Where a relevant person is not familiar with the form of the evidence obtained, appropriate measures may be necessary to satisfy itself that the evidence is genuine.
Where evidence of identity obtained subsequently expires, e.g. a passport, national identity card, or driving licence, it is not necessary to obtain further evidence under identification measures set out in AML/CFT procedures.
All key documents (or parts thereof) obtained as evidence of identity must be understandable (i.e. in a language understood by the employees of the business), and must be translated into English by trustworthy translators.
All elements of Identity
- A current passport or copy of such a passport certified by a suitable certifier – providing photographic evidence of identity.
- A current national identity card or copy of such a national identity card certified by a suitable certifier – providing photographic evidence of identity.
- A current driving licence or copy of such a driving licence certified by a suitable certifier – providing photographic evidence of identity – where the licensing authority carries out a check on the holder’s identity before issuing.
Residential Address
- Correspondence from a central or local government department or agency (e.g. States and parish authorities).
- A letter of introduction confirming residential address from: (i) a relevant person that is regulated by the Commission; (ii) a person carrying on a financial services business which is regulated and operates in a well-regulated country or territory; or (iii) a branch or subsidiary of a group headquartered in a well-regulated country or territory which applies group standards to subsidiaries and branches worldwide, and tests the application of, and compliance with, such standards.
- A bank statement or utility bill.
- A tenancy contract or agreement.
Obtaining Evidence of Identity – Independent Data Sources
Independent data sources can provide a wide range of confirmatory material on a customer, and are becoming increasingly accessible, for example, through improved availability of public information (registers of electors and telephone directories – to the extent permitted by data protection legislation) and the emergence of commercially available data sources such as those provided by data services providers, e.g. credit reference agencies and business information service providers.
Where a relevant person is seeking to obtain reliable and independent evidence of identity using an independent data source, whether by accessing the source directly or by using a data services provider, an understanding of the depth, breadth and quality of the data or information is important in order to determine that the source does in fact provide satisfactory evidence of identity and that the process of obtaining evidence is sufficiently robust to be relied upon.
Obligation to Find Out Identity and Obtain Evidence: Legal Persons
Jurisdictions recognise a number of distinct forms of legal person, in particular: the company; the foundation; the limited liability partnership; the separate limited partnership; and the incorporated limited partnership.
The following provisions apply to situations where a legal person is the customer.
The provisions will also assist with the identification of ultimate beneficial owners and controllers and will be relevant in situations where a legal person is:
- A person connected to a legal arrangement, because of a requirement in AML/CFT procedures to identify each person who falls within AML/CFT procedures and each individual who is that person’s beneficial owner or controller;
- The owner or controller of a customer, because of a requirement in AML/CFT procedures to identify the individuals who are the customer’s beneficial owners or controllers;
- Acting on behalf of a customer (e.g. is acting according to a power of attorney, or has signing authority over an account); or
- third party on whose behalf a customer is acting, because of a requirement in AML/CFT procedures to identify the individuals who are the third party’s beneficial owners or controllers.
Finding Out Identity – Legal Person that is a Company
A relevant person may demonstrate that it has found out the identity of a company which is a customer under AML/CFT procedures where it collects all of the following:
- Name of company.
- Any trading names.
- Date and country of incorporation/registration.
- Official identification number.
- Registered office address.
- Mailing address (if different).
- Principal place of business/operations (if different).
- Names of all directors.
A relevant person may demonstrate that it has found out the identity of a person who is the customer’s beneficial owner or controller under AML/CFT procedures where it finds out the identity of persons holding a material controlling ownership interest in the capital of the company (through direct or indirect holdings of interests or voting rights) or who exert control through other ownership interests, e.g. shareholders’ agreements, power to appoint senior management, or through holding convertible stock or any outstanding debt that is convertible into voting rights.
To the extent that there is doubt as to whether the persons exercising control through ownership are beneficial owners, or where no person exerts control through ownership, a relevant person may demonstrate that it has found out the identity of a person who is the customer’s beneficial owner or controller under AML/CFT procedures where it finds out the identity of those who exercise control through other means, e.g. those who exert control through personal connections, by participating in financing, because of close and intimate family relationships, historical or contractual associations or as a result of default on certain payments.
Where no person is otherwise identified under this section, a relevant person may demonstrate that it has found out the identity of a person who is the customer’s beneficial owner or controller under AML/CFT procedures where it finds out strategic decision-taking powers or have and exercise executive control through senior management positions, e.g. directors1).
This information may be provided by the company.
In any case where a person identified under the first two section is not an individual, a relevant person may demonstrate that it has identified each individual who is that person’s beneficial owner or controller under AML/CFT procedures where it has identified:
- Each individual with a material controlling ownership interest in the capital of the company (through direct or indirect holdings of interests or voting rights) or who exerts control of the company through other ownership means.
- To the extent that there is doubt as to whether the individuals exercising control through ownership are beneficial owners, or where no individual exerts control through ownership, any other individual exercising control over the company through other means.
- Where no individual is otherwise identified under this section, individuals who exercise control of the company through positions held (who have and exercise strategic decision-taking powers or have and exercise executive control through senior management positions).
In the case of a lower risk relationship, directors who have and exercise authority to operate a business relationship or one-off transaction will be those who exercise control through positions held.
For lower risk relationships, a general threshold of (for example) 25% is considered to indicate a material controlling ownership interest in the capital of a company. Where the distribution of interests is uneven the percentage where effective control may be exercised (a material interest) may be less than 25% when the distribution of other interests is taken into account, i.e. interests of less than 25% may be material interests
Obtaining Evidence of Identity – Legal Person that is a Company
A relevant person may demonstrate that it has obtained evidence under AML/CFT procedures that is reasonably capable of verifying that a company which is a customer to be identified is who the company is said to be where the evidence covers all of the following components of identity:
- Name of company.
- Date and country of incorporation/registration.
- Official identification number.
- Registered office address.
- Principal place of business/operations (where different to registered office).
However, in the case of a lower risk relationship, a relevant person may demonstrate that it has obtained evidence under AML/CFT procedures that is reasonably capable of verifying that a company which is a customer to be identified is who the company is said to be where the evidence covers the following components of identity: name of company; date and country of incorporation/registration; and official identification number.
A relevant person may demonstrate that it has obtained evidence under AML/CFT procedures that is reasonably capable of verifying that a company which is a customer to be identified is who the company is said to be where it obtains two or more sources of evidence (one or more source(s) for lower risk customers):
- Certificate of incorporation (or other appropriate certificate of registration or licensing) or copy of such a certificate certified by a suitable certifier.
- Memorandum and Articles of Association (or equivalent) or copy of such documents certified by a suitable certifier.
- Latest audited financial statements or copy of such statements certified by a suitable certifier.
A relevant person may also demonstrate that it has obtained evidence under AML/CFT procedures that is reasonably capable of verifying that a company which is a customer is who the company is said to be where the data or information comes from an independent data source or (in the case of a principal place of business) personal visit to that address. An independent data source may include a company registry search, which confirms that the company is not in the process of being dissolved, struck off, wound up or terminated.
Where a director holds this role by virtue of his employment by (or position in) a business that is a regulated company services provider, a relevant person may demonstrate that it has taken reasonable measures to find out the identity of that person and to obtain evidence under AML/CFT procedures where it obtains the following:
- the full name of the director; and
- an assurance from the trust and company services provider that the individual is an officer or employee.
Timing of Identification Measures During Business Relationship – Obtaining Evidence
In the course of a business relationship between a relevant person and a trustee, a relevant person may demonstrate that it has obtained evidence that is reasonably capable of verifying the identity of each beneficiary with a vested right where:
- it does so at the time of, or before, distribution of trust property or income; and
- it is satisfied that there is little risk of money laundering or financing of terrorism occurring as a result of obtaining evidence after entitlement is conferred.
In the course of a business relationship between a relevant person and a trustee, a relevant person may demonstrate that it has obtained evidence that is reasonably capable of verifying the identity of a beneficiary or person who is the object of a trust power where it does so at the time that the person is identified as presenting a higher risk.
In the case of a business relationship between a relevant person and a foundation, a relevant person may demonstrate that it has obtained evidence that is reasonably capable of verifying the identity of each beneficiary entitled to benefit under the foundation where:
- it does so at the time of, or before, distribution of property or income; and
- it is satisfied that there is little risk of money laundering or financing of terrorism occurring as a result of obtaining evidence after conferring entitlement.
In the course of a business relationship between a relevant person and a foundation, a relevant person may demonstrate that it has obtained evidence that is reasonably capable of verifying the identity of any beneficiary or person in whose favour the council may exercise discretion under the foundation where it does so at the time that the person is identified as presenting a higher risk.
Timing for “Existing Customers”
FATF Recommendation 10 states that “financial institutions” should be required to apply that Recommendation (which deals with CDD measures) to “existing customers” on the basis of materiality and risk, and should conduct CDD measures on such existing relationships at appropriate times. This is based on the presumption that identification measures applied historically to existing customers will have been less effective than those to be applied in line with FATF Recommendation 10.
For the purposes of the AML/CFT procedures, an existing customer means a business relationship established throught the existance of a business relationship and which continues.
For the avoidance of doubt, the identification measures (finding out identity and obtaining evidence) to be applied to existing customers include the collection of information that is necessary to assess the risk that a business relationship involves money laundering or financing of terrorism (in line with AML/CFT procedures).
In line with AML/CFT procedures, identification measures must always be applied to an existing customer as soon as a relevant person suspects money laundering or financing of terrorism.
A relevant person may meet its obligation to apply identification measures by placing reliance on an obliged person.
Failure to Complete Identification Measures
Where identification measures cannot be completed, a relevant person must not establish a business relationship or carry out a one-off transaction. In the case of an established customer, the relationship must be terminated.
The timing of the termination of an established relationship will depend upon the underlying nature of the business relationship. For example, whereas a bank can close an account relatively easily and return deposited funds to a customer, it may be problematical to affect a compulsory redemption of a holding of units in a collective investment scheme, particularly where it is closed ended, or where valuation dates are infrequent.
Wherever possible, a relevant person should return assets or funds directly to the customer.
In a case where a customer requests that assets or funds be transferred to an external party, a relevant person should assess whether this provides grounds for knowledge or suspicion, or reasonable grounds for knowledge or suspicion, of money laundering or financing of terrorism.
Where contact has been lost with a customer so that it is not possible to complete termination of a business relationship, assets or funds held should be “blocked” or placed on a “suspense” account until such time as contact is re-established.
Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance ComplianceCompliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance Compliance