Through the Circular, CySEC informs the Regulated Entities that the Joint Committee of the three ESAs, launched on 31.05.17 a public consultation on draft RTS specifying how credit and financial institutions should manage ML and TF risks where a third country’s law prevents, the implementation in their branches or majority-owned subsidiaries of group-wide policies and procedures on anti-ML and countering TF.
The said RTS have been drafted in accordance with Article 45(6) of Directive (EU) 2015/849, which requires the ESAs to develop draft RTS that set out steps, that third countries not able to implement AML/CFT policies and procedures should take, to manage the resulting ML/TF risk to which they are exposed. These RTS are part of the ESAs’ wider work on fostering a common approach to AML/CFT and will contribute to creating a level playing field across the Union’s financial sector.
Particularly, Article 8 of the Directive (EU) 2015/849, requires obliged entities to put in place and maintain AML/CFT policies and procedures to assess and manage effectively the ML/TF risks to which they are exposed. Where they are part of a group, these AML/CFT policies and procedures have to be applied at group-level. This can be challenging where branches or majority-owned subsidiaries are located in a third country, outside of the European Economic Area (EEA), with less stringent AML/CFT requirements.
Most third countries’ legal systems will not prevent groups from implementing group-wide AML/CFT policies and procedures that are stricter than national legislation requires. However, the implementation of a third country’s law may at times not permit the application of some or all parts of a group’s AML/CFT policies and procedures. This can be the case, for example, when the sharing of customer-specific information within the group conflicts with local data protection or banking secrecy requirements and limits a credit or financial institution’s ability to understand who their customers are. Restrictions on obtaining and processing customer data can also facilitate tax crimes, as highlighted in the context of the ‘Panama Papers’.
In such cases, credit and financial institutions must take effective steps to handle the resultant ML/TF risk. These include obtaining consent from customers to overcome restrictions on the ability to share and process customer data, carrying out enhanced reviews to be satisfied that branches and majority-owned subsidiaries in those jurisdictions are able to adequately assess and manage ML/TF risk and restricting the ability of other entities in the same group to rely on customer due diligence measures carried out by a branch or majority-owned subsidiary in those jurisdictions.
CySEC’s expects that: The Regulated Entities were highly encouraged to voluntarily respond to the abovementioned Consultation Paper on draft Joint RTS on the measures credit institutions and financial institutions shall take to mitigate the risk of ML and TF where a third country’s law does not permit the application of group-wide policies and procedures; using the consultation form on EBA’s website by 11.07.17.