Although many controls (like the risk assessment, the customer due diligence, the transaction monitoring, the escalation of suspicions and liaison with the authorities) are in common, there are key differences between preventing the Money Laundering (ML) and the Financing of Terrorism (FT): the money launder seeks to disguise the origins of illicit funds, while a person funding terrorism may also use legitimately-held funds to pursue illegal aims.
In October 2013 the European Supervisory Authorities (ESAs = EBA + EIOPA + ESMA) published a preliminary report on the Risk-Based Supervision (RBS) of Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT).
Later, on the 20th of May 2015, the European Parliament and the Council issued the Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of Money Laundering (ML) and Financing of Terrorism (FT). The directive makes clear that a Risk-Based Supervision helps in managing those risks and sets out a number of requirements to be met by the competent authorities when applying the RBS; it also requires the ESAs to issue guidelines on both the characteristics of the RBS and the steps to be taken when conducting the supervisions. The directive requires the ESAs to issue guidelines on the risk factors to be considered by the firms and on the measures they should take to adjust the due diligence.
In response to this, on the 21st of October 2015, the joint committee of the ESAs launched a public consultation, that closes the 22nd of January 2016, on two guidelines on the AML and CFT:
- the consultation paper on the Risk-Based Supervision Guidelines is addressed to competent authorities responsible for supervising the compliance of credit and financial institutions where the AML/CFT obligations are applicable. The Guidelines specify the characteristics of a risk-based approach and the actions to be taken to ensure that the allocation of resources is appropriate for the level of ML and FT risk;
- the consultation paper on the Risk-Factors Guidelines is addressed to both competent authorities and credit and financial institutions. Competent authorities can understand how to assess the adequacy of the ML/TF risk assessment and of the controls on credit and financial institutions; the latter can understand how to make informed decisions on the management of individual business relationships and occasional transactions. The guidelines specify the risk factors to consider when assessing ML and FT and the adjustments to make (if any) to the due diligence measures.
The Risk-Based Supervision Guidelines are designed to foster a consistent and effective supervisory within the EU and are based on the same approach already described in the preliminary report of 2013. They set out high-level principles complemented with sufficient details to achieve a supervisory convergence while leaving rooms to the authorities to adjust their approach to be in line with the laws and regulations of their financial sector. The guidelines may create one-off costs for the authorities that do not have a RBS in place or wish to review it and, consequently, for the supervised firms. These costs are unlikely to be significant. After the assessments, firms whose risk profile is heightened will be subject to a more sever supervisory, while firms whose risk profile is lowered will be subject to less sever supervisory than the current. As the latter are likely to be far more numerous than the former, the application of these guidelines will generate a net benefit for the financial sector as a whole.
In line with the interpretation given by the Financial Action Task Force (FATF), the guidelines describe the RBS as a cyclical process, where the competent authorities may group less risky firms into clusters to consider as a single subject of assessment:
- step 1: authorities obtain information on both domestic and foreigners ML/FT threats which affect the relevant markets. The extent of information should be proportionate to the nature and size of the subject of assessment. Competent authorities should exchange information with each others.
- step 2: authorities use these information to get a holistic view of the risk associated to each subject of assessment. An overall risk profile is assigned to the subject. To facilitate comparisons, it is worthy to define different categories of risk profile (low, medium, high) and a professional judgment is needed to validate the results.
- step 3: authorities plan supervisory activities for each subject of assessment, allocating resources based on the risk assessment of step 2; they decide the focus, depth, duration and frequency of on/off-site activities, and the need of technical expertise
- step 4: authorities carry out periodic reviews of their risk assessments, to ensure they are up to date with enough resources allocated.
The Risk-Factors Guidelines are drafted to be consistent with the existing international standards: this ensure the compliance of both authorities and firms while fostering the consistent application of a risk-based approach across the EU. They have to be adopted within two years of the Directive entering in force, that is no later than 26 June 2016. The guidelines apply to all firms (sector specific guidelines are supplemented) and provide information on what they need to consider when determining the level of ML/FT risks, and which type of Due Diligence (Simplified or Enhanced) is more appropriate. The guidelines allow firms to adopt policies and procedures that are proportionate to the nature, scale and complexity of their activities, with a net impact of costs that is likely to be close to zero. On the other hands, authorities will have to review their existing regulatory guidelines and this will produce one-off costs, that are largely absorbed by the ones arising from the implementation of the national legislations that transpose Directive (EU) 2015/849.
As pointed out in these guidelines, to manage the ML/FT risks, firms should
- perform a business-wide risk assessment (proportionate to the nature and size of each firm) to understand whether they are exposed and which area of their business should be prioritized;
- use the above findings to define the appropriate level and type of Customer Due Diligence (CDD) they will apply to individual business relationship and occasional transactions
- ensure they have systems and controls in place capable of identifying emerging ML/TF risks and cooperate with other representative from the industry to establish a culture of information sharing and company ethics.
The risk factors to be considered in the risk assessment can be broadly classified in:
- customer risk factors
- countries and geographic areas risk factors
- products, services and transaction risk factors
- delivery channel risk factors
and the information about them should come from a variety of sources (like the European Commission, the National governments, the regulators, the Financial Intelligence Units, the industries bodies, the media sources, the commercial and statistical organizations and academia). The risk factors can be weighted differently depending on their relative importance and they can therefore vary from product to product or customer to customer and from one firm to another. Expert judgement plays a key role.
The CDD consist in identifying the customer and its beneficial owner, verifying their identities, establishing the purpose and intended nature of the business relationship and conducing a periodic monitoring. As stated by the Directive, and Enhanced CDD should be applied in case the customer is a Politically Exposed Person, the firm enters into a relationship with a respondent institution of non-EEA states or in high risk third countries and in case the transaction are complex, unusually large or have no obvious economic or lawful purpose.
Finally, the supplementary guidelines organized per type of business cover: correspondent and retail banks, electronic money issuers, money remitters, wealth management, trade finance providers, life insurance undertakings, investment managers and providers of investment funds.