new danish anti-money laundering act in · pdf file · 2017-06-23new danish...
TRANSCRIPT
1
New Danish Anti-Money Laundering Act in brief
On 2 June 2017, the Danish parliament, Folketinget, adopted the new Danish Anti-Money Laundering (AML) Act (hvidvaskloven), which takes effect from 26 June 2017. The Act implies a number of minor and major amendments to the existing regulations, including a transmission from a rule-based to a risk-based approach, and the foreign currency exchange services be-coming subject to an authorisation requirement. The next pages give you a brief overview of the new rules and the most important amendments caused by the new AML Act.
Contents
Introduction 3
The requirements of the Danish AML Act in a nutshell 7
From rule-based to risk-based approach 8
From identification procedures to customer due diligence 11
Overview of the most important amendments 12
For more information 17
2
3
Introduction
The new Danish AML Act implements the last parts of the fourth Anti-Money Laundering Directive 2015/849/EU (AMLD IV) and takes effect on 26 June 2017. The Act implies a series of amendments to the applicable legislation, including in particular the rules governing foreign currency exchange services and compliance with the AML Act.
The objectives of the Danish AML Act and the AMLD IV are to introduce new regulatory measures that will strengthen the efforts against criminals’ illegal use of Danish legal entities and the financial system for the purposes of money laundering and terrorist financing. The objectives also include measures to secure and uphold the integrity of the financial system. Figure 1 illustrates the objectives of the new Act and its target audience.
Figure 1. The underlying political issues and target audience
Underlying political issues Target audience
To strengthen con-certed action against money laundering and terrorist financing
To secure and uphold the integrity of the financial system
To minimise practical possibility of money laundering and terrorist financing
To give response to the most recent terrorist attacks
Financial institutions
Gambling operators
Lawyers, real-estate agents, accountants, providers of special
services
4
Figure 2. Historical overview of EU acts and instruments
First Anti-Money Laundering Directive
91/308/EEC
199110 June
Second Anti-Money Laundering Directive
2001/97/EC
20014 December
Third Anti-Money Laundering Directive
2005/60/EC
20061 August
First Fund Transfer Regulation
2006/1781/EC
200615 November
Second Fund Transfer Regulation
2015/847/EU
201520 Maj
Fourth Anti-Money Laundering Directive
2015/849/EU
201520 Maj
”Fifth Anti-Money Laundering
Directive” (proposal)
2017[ ]?
The European rules on prevention of money laundering and terrorist financing date back to 1991, when the first Anti-Money Laundering Directive was tabled. Since then, this Directive and its implementation have been subject to regular updating and revision, as illustrated by Figure 2.
The ongoing process of reviewing has led to a steady increase in the extent and scope of the rules, as illustrated by Figure 3. As it is, the rules on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing have never been as extensive as they are today. A fact that appears to be in direct contrast to the primary objective of the new AML Act; a change from the rule-based approach to the risk-based approach.
Figure 3. Developments in the scope and extent of the EU acts and instruments
First Anti-Money Laundering Directive
AML Directive
Fund Transfer Regulation
The three level-2 Regulations of the AML Directive
Second Anti-Money Laundering Directive
Third Anti-Money Laundering Directive and
First Fund Transfer Regulation
Fourth Anti-Money Laundering Directive and
Second Fund Transfer Regulation
0
10
20
30
40
50
60
70
80
90
6 pages 6 pages
22 pages
9 pages
45 pages
18 pages
? pages
5
The AML proposal has undergone a long process, giving rise to numerous responses as well as questions to the Minister for Industry, Business and Financial Affairs. Moreover, the legislative process has also been marked by the changing nature of statutory requirements and the introduction of new requirements, such as the authorisation requirement for foreign currency exchange services. This process is reflected by the timeline in Figure 4.
Figure 4. Timeline of the Danish legislative process
20171 June
2nd readingSubmitted to Folketinget
201613 October
20168 November
201722 February
201710 May
201719 May
201730 May
201713 February
201721 April
201716 May
201724 May
1st proposed amendment
3rd proposed amendment
5th proposed amendment
7th proposed amendment
White Paper6th proposed amendment
4th proposed amendment
2nd proposed amendment
1st readingDraft bill (pre-consultation)
3rd reading and adoption
201614 July
20172 June
6
The AMLD IV and the Danish implementation have been drawn up based on the recommendations of the Financial Action Task Force (FATF). Figure 5 provides an overall illustration of the AML regime. The dark blue colour indicates the legal acts (and recommendations) finally published, the blue colour indicates the legal acts that have been published but are subject to changes, and the light-blue colour indicates the legal acts that need to be redrafted.
The next few pages give you a brief description of and insight into the essence of the amendments to the state of the law as a consequence of the new regime.
Figure 5. Overall view of the new AML regime
FATF’s 40 Recommendations
Level 1Second Fund Transfer Regulation
(direct application)
Level 2Identification of high-risk
third countries (direct application)
The Executive Order on Registration
The Executive Order on Reporting to SEIC
The Executive Order on Exempted Legal Entity
The Executive Order on Payment Services and
Electronic Cash
The Danish FSA’s new Guidelines on the Danish AML Act
Level 3Guidelines on risk-based supervision
(to be issued by the ESAs)
The Danish AML Act
Level 3Guidelines on risk factors(to be issued by the ESAs)
Level 2Third countries
(direct application)
Level 2 RTS central contact point
(direct application)
Level 1 Fourth Anti-Money Laundering Directive
(implementation requirement)
7
The requirements of the Danish AML Act in a nutshell
Generally, the legal entities subject to the Danish AML Act must know their customers and the latter’s purposes of the business relationships. If the legal entity becomes suspicious of it being misused for money laundering or terrorist financing, the legal entity must scrutinise the matter more closely and, ultimately, notify the Danish Public Prosecutor for Serious Economic and International Crime (SEIC).
To ensure that the legal entities covered by the AML Act know their customers, the legal entities must perform certain customer due diligence measures. Such measures include the legal entities requesting their customers to produce various kinds of proof of identity, such as a copy of a passport or a Danish health care reimbursement card. Satisfacti-on of the due diligence requirement depends on how certain the legal entity is of the customer’s identity and whether the legal entity is able to verify the customer’s identify.
If the legal entity has a suspicion of being misused for money laundering or terrorist financing by a customer, the entity must immediately scrutinise the matter more closely. An example of such suspicious behaviour would be if the custo-mer acts in a manner that is atypical to what would be normal.
If the entity is unable to disprove its suspicion, SEIC must be notified immediately for the matter to be scrutinised more closely.
In general, the Danish FSA is the supervisory authority ensuring compliance with the rules, whereas SEIC conducts scrutiny of the matters notified and brings actions against the natural persons and legal entities laundering money and/or financing terrorists. Moreover, SEIC is also in charge with bringing actions against legal entities that are subject to the AML Act but fail to comply with the requirements or fail to document their compliance.
Figure 6 illustrates the requirements of the new AML Act.
Figure 6. The AML requirements in a nutshell
If suspicion, increase monitoring
If continued suspicion, report
to SEIC
Know and understand
your customer
Legal entity X
SEIC investigates and takes legalaction
against breach
Scrutinise and monitor the
customer relationship
The Danish FSAconducts supervision
8
From rule-based to risk-based approach
One of the major changes in the new AML Act is that the regulations are changed from being primarily based on rules to being based on risk assessment and monitoring. The object of this changed approach is to ensure increasingly targeted and effective efforts to prevent money laundering and terrorist financing.
By changing the approach, the legislator expects to create a more flexible system, which enables the legal entities to focus on their resources in the relevant risk areas. Accordingly, the legal entities covered by the AML Act must indivi- dually ”assess whether a business relationship may be categorised as being a low-risk, medium-risk or high-risk relationship.”
The legal entities will therefore be given the task to identify and manage the risks of them being misused for money laundering and terrorist financing. The legal entities will also get the chance of prioritising their resources and allocat- ing them to the areas entailing increased risk.
This is done by assessing risk in two steps: an overall risk assessment of the legal entity as such and a specific risk assessment of the individual customer. The overall risk assessment must form the basis of the legal entity’s precautio-nary measures against being misused for money laundering and terrorist financing. The risk assessment itself is based on the supranational, national and sector-specific risk assessments prepared by the European Commission, SEIC and the Danish FSA. The legal entity may also incorporate its own experience in the risk assessment. Figure 7 illustrates this risk assessment method.
Figure 7. Source and methodology requirements in the new Danish AML Act
The European CommissionSupra-national
risk assessment 1
2
3
SEICNational
risk assessment
The Danish FSASector-specific
risk assessment
Legal entity XRisk assessment
according to business model
Identify
Which source? Which methodology?
Assess
Manage
9
Figure 8. Illustration of potential risk factors *
Customers Geography Delivery channel Products Services Business sector Other risk
factors
Very highrisk
PEPs, customers with connections to increased high-risk
sectors
Iran and North Ko-rea as well as other identified high-risk
countries
Delivery without physical contact and no specific security
measures
Very high com-plexity and low transparency
Very high com-plexity and low transparency
Foreign exchange bureaus, money
transfers
Often atypical transactions
High riskHigh-risk customer
segments and Danish PEPs
Countries known for widespread
corruption
Introduction through third
party without direct contract
High-value products
Private BankingFinancial institu-
tions and gambling operators
Business model facilitates anonymity
Medium risk ”Ordinary” customers
Countries not known for wide-
spread corruption or a high level of
terrorist financing
Delivery channel neither increases nor reduces risk
Products that have neither a high level nor a low level of transparency and
volume
Services that have neither a high level nor a low level of transparency and
volume
Electronic payment services
Business model entails neither reduced nor
increased risk
Low risk
Legal entities sub-ject to supervision or publicly listed
companies
EU countries, EEA countries and third countries with a low level of corruption
Direct delivery, but limited contact with
customer
Low-value products
Simple servicesLawyers and accountants
Business model facilitates easy identification of
customers
Very low risk Public authorities
In particular risk-free EU countries, EEA countries and
third countries
Delivery impedes the option of using the service for the purpose of money
laundering
Very low complexity and high trans-
parency
Very low complexity and high trans-
parency
Life insurance and pension funds
Business model entails the lowest
risk level at all
Factor
Risk
* See Annex 2 (reduced risk) and Annex 3 (increased risk) of the Danish AML Act
The legal entity performs a risk assessment of its customers on the basis of the overall risk assessment. This risk assessment is a specific assessment and will depend on the overall risk assessment and the nature of the recognised risk factors.
Figures 8 and 9 provide you with an overview of the potential risk factors and their impact on the customer due diligence. To cut a long story short, the higher the risk a customer may pose, the more certain must the legal entity be that the customer is in fact who the customer claims to be, and that the actual purpose of the business transaction is what the customer has stated.
10
Figure 9. The risk assessment’s impact on KYC procedures
Risk Requirements for KYC procedures Possible calibration of KYC procedures
Very high Procedures always subject to stricter requirements (ss 17-20)• Additional verification of customer ID• Additional information from the customer• Additional monitoring of the customer relationship
High Procedures always subject to stricter requirements (ss 17-20)• Additional verification of customer ID• Additional monitoring of the customer relationship
Medium Procedures subject to ordinary requirements (ss 10-16) • Standard procedures
Low Procedures subject to easier requirements (s. 21)• Eased process of verification of customer ID• Less detailed information required from the customer• Less strict monitoring of the customer relationship
Very low Procedures subject to easier requirements (s. 21)
• Eased process of verification of customer ID• Customer ID may be obtained at a later point• Less detailed information required from the customer• Less strict monitoring of the customer relationship
11
From identification procedures to customer due diligence
The general objective of the customer due diligence measures is to ensure that the legal entity knows who its customer is and the customer’s purpose of the business relationship. The idea is that being familiar with their customers’ identi- ties and purposes will facilitate the legal entities’ ability to identify suspicious behaviour and transactions.
With the new AML Act it is clarified that legal entities must comply with the customer due diligence requirement throughout the entire course of a business relationship. The customer due diligence must be performed on the estab- lishment of the business relationship and must be updated at regular intervals based on a risk assessment.
Customer due diligence comprises requirements for:
• Verification of the identity information obtained on natural persons and beneficial owners • Identification of a legal entity’s ownership and control structures• Identification and verification of information obtained on the purpose of the customer’s business relationship.
This is a continuation of applicable law, but the former requirements for identification procedures entailed a mis-apprehension of the requirement for continuous customer due diligence to be carried out by the legal entity. This specific requirement is illustrated by Figure 10.
Figure 10. From identification procedures to customer due diligence
Phase 1
Obtain information
Phase 2
Verifyinformation
Phase 3
Identity proven
Why does your customer act in a particular way?
What are your
customer’s intentions?Who is
your customer?
Know Your CustomerIdentification procedures
12
Overview of the most important amendments
To help you get an overview of the most important amendments to the Danish AML Act, Figure 11 explains the various elements by means of a traffic-light chart.
Figure 11. Traffic-light chart of amendments to the new Danish AML Act
Risk-based approach Whistle-blower scheme Money transfer
KYC – new customers Compliance documentation Data processing
Ongoing KYC procedures Employee screening Training and instruction
Politically exposed persons
Foreign currency exchange services
Cash-payment threshold and counterfeit money
Organisational requirements Cross-border activities
The following pages complement the traffic-light signal with a few comments on the most important amendments to the individual areas of the new AML Act.
Signal Explanation
Will have significant impact
Will have impact
Will have no impact
13
Subject Analysis Signal
• A change in standards and procedures from a rule-based approach to a risk-based approach.
• Extensive changes to the description of the risk assessment. • The preparation of risk assessments will be extended significantly
as a result of the new requirements. • The risk assessment creates the basis for the legal entity’s
customer due diligence procedures and for the risk assessment procedures applicable to its individual customers.
• Increased documentation requirements based on supranational, national and sector-specific risk assessments.
• Unlike today, the risk assessment may not be based on assump- tions, only on documented facts and circumstances.
• The supervisory authorities will have authority to punish legal entities for failing to produce a satisfactory and well-documented risk assessment of their activities.
• The overall risk assessment must form the basis for drawing up the customer due diligence measures and the risk assessment procedures applicable to the individual customers.
• A change in standards and procedures from identification proce-dures to customer due diligence.
• If circumstances require strict customer due diligence measures, the legal entity must not rely on a third party to obtain the requisite customer information.
• The group of third parties from which information may be ob-tained will be extended to include not only financial institutions, but every legal entity covered by the AML Act, as well as certain third-country legal entities subject to similar requirements.
• New requirements lay down that natural persons must be informed of the rules governing the protection of their personal data.
• Changes with regard to identification and verification of beneficial owners of legal entities and of ownership and control structures.
• It is stressed that KYC procedures must be carried out on any relevant changes in the customer’s situation.
• Introduction of a mandatory requirement for regular, new KYC procedures (including low-risk customers).
• The awareness obligation becomes part of the scrutiny obligation. • The scrutiny obligation is supplemented with a requirement for
monitoring obligation • The one-year requirement relative to the maximum penalty for
the underlying offence will be removed subject to the disclosure obligation towards SEIC.
• Financial institutions will have to assume additional responsibili- ties in the form of settlement requirements pertaining to customer relationships.
Risk-based approach
Know Your Customer (KYC) – new customers
Ongoing KYC procedures
14
Subject Analysis Signal
• Compared with the existing AML Act, the definition of PEPs will be extended to include members of the governing bodies of political parties and of international organisations.
• Moreover, it will no longer be significant whether a PEP is a resident of Denmark or of another country.
• The Minister for Industry, Business and Financial Affairs has been charged with keeping and publishing a record listing the Danish PEPs.
• A PEP’s customer relationship with financial institutions, mort-gage credit institutions, investment firms, payment services and electronic cash providers, investment management companies, AIFMs, Danish UCITs, AIFs, etc. is subject to approval by the AML officer.
• The customer relationship is no longer subject to approval by the senior day-to-day management on its establishment.
• The AML officers in financial institutions must be authorised to make decisions on behalf of the legal entity in the area of anti- money laundering.
• The AML officer’s decision-making powers must include decisions in respect of approval of (i) policies, business procedures, control measures, etc., (ii) business relationships customers posing increased risk, such as PEPs and (iii) establishment of correspon-dent banking relationships.
• Action must be taken to ensure that the AML officer has ade- quate knowledge of risks posed by the legal entity in terms of money laundering and terrorist financing and their impact on the risk exposure.
• According to the Danish FSA, this operational task is relocated from the day-to-day management to the AML officer, thus questioning to which part of the organisation the AML officer belongs.
• Generally, the AML officer is placed in the First Line, however, in small financial institutions, the officer may be found in the Second Line (compliance), provided action is taken to ensure that another person exercises control over the AML officer.
• Non-financial legal entities covered by the AML Act must make arrangements under which their employees have the opportunity through separate, independent channels to report breach or potential breach of this Act and any rules issued pursuant to the Act. This requirement applies only to legal entities employing more than five persons.
• Legal entities may not expose their employees to any unfair treatment or disadvantageous consequences as a result of the employee having reported the legal entity’s breach or potential breach of the AML Act to a supervisory authority, a whistleblower scheme set up in the legal entity or SEIC.
Politically exposed persons (PEPs)
Organisational requirements
Whistle-blower scheme
15
Subject Analysis Signal
• The legal entities must prepare a general assessment of the risk of the legal entity being misused for the purpose of money laundering or terrorist financing. This requirement is currently contained in the guidelines, but will be incorporated into the AML Act in the future.
• The description of the risk assessment has been subject to exten-sive changes. Consequently, the preparation of risk assessments has been extended significantly as a result of the new require-ments.
• If the legal entity fails to prepare a satisfactory risk assessment, taking into account all risks and all parts of its business, it may receive punishment.
• Legal entities must draw up policies and business procedures for their employee screening.
• The legal entities must lay down procedures to ensure that they discover whether a potential or existing employee has any possible criminal history that may pose a risk of misuse of the employee’s position.
• A new requirement is imposed on legal entities under which they must obtain authorisation from the Danish FSA to offer foreign currency exchange services in Denmark.
• Such entities must meet the following criteria: - Their registered office must be based in Denmark - Management and owners must be fit and proper - Procedures and control measures must be established - The legal entity must not previously have committed a criminal offence that justifies an imminent risk of misuse of the autho- risation. • Legal entities currently registered with the Danish Business
Authority may postpone their application for authorisation from the Danish FSA until 31 December 2017.
• Legal entities carrying on activities in another EU or EEA country must make sure that the entities established abroad comply with national legislation.
• Legal entities which form part of a group must share information with the other legal entities in the group if there are grounds for suspecting that customer funds derive from proceeds of criminal activity or are connected with terrorist financing.
• The current exception applying to money transfers to non-profit organisations will not be continued.
Compliance documentation
Employee screening
Foreign currency exchange services
Cross-border activities
Money transfer
16
Subject Analysis Signal
• Legal entities will be given the option of disclosing information to supervisory authorities for legal enforcement purposes.
• Legal enforcement purposes include prevention of, investigation of, detection of and prosecution for criminal behaviour as well as preventive protection from threats against the security of (public) life and property.
• Information may be shared with branches and majority-owned subsidiaries located in third countries, provided that such branches and majority-owned subsidiaries fully comply with the group’s policies and procedures.
• Pursuant to a new requirement, legal entities must ensure that relevant employees and management also receive satisfactory training and instruction in data protection rules.
• The training sessions must instruct the employees in how to comply with the data protection rules governing the legal entity.
• The new AML Act continues to stipulate that any trader or retailer not covered by the scope of the Act may not receive cash pay-ments of DKK 50,000 or more.
• Furthermore, any legal entity whose activities involve the handling and dispensing of notes and coins to the public is under an obli-gation to withdraw such notes and coins from circulation if there is any reason to believe that they are forged.
Data processing
Training and instruction
Cash-payment threshold and counterfelt money
17
Bech-Bruun is a market-oriented law firm offering specialist services. With our wide range of products, we serve a large section of the Danish corporate sector, the Danish public sector as well as international enterprises.
With the help of more than 500 talented employees and some of the most recognised and experienced experts in the business, we customise solutions to our clients, embracing all of our business areas. Our goal is to strengthen our clients’ businesses and help them outperform their competitors.
If you have any questions, please do not hesitate to contact us.
David MoalemPartnerT +45 72 27 33 24E [email protected]
Lars Lindencrone PetersenPartnerT +45 72 27 35 35E [email protected]
Kristoffer Probst LarsenJunior associateT +45 72 27 35 64E [email protected]
Nikolai Villumsen Junior associateT +45 72 27 35 49E [email protected]
For more information