Risk Factor Guidelines

The Cyprus Securities and Exchange Commission and the Central Bank of Cyprus continue to remind all regulated entities of their obligations to comply with the adopted joint guidelines issued by the European Supervisory Authorities (the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority) (“the ESAs”) on the practical application of Directive (EU) 2015/849 (“the Directive”) on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. It was generally recognised that uncertainty on the part of obliged entities about applying the Directive to day-to-day transactions had made the due diligence process little more than a box-ticking exercise. The guidelines, which were issued under the requirements of articles 17 and 18(4) of the Directive, seek to remedy this. Member states were required to apply the guidelines by 26 June 2018.

The guidelines are addressed to credit and financial institutions as defined in articles 3(1) and 3(2) of the Directive and competent authorities responsible for supervising their compliance with anti-money laundering and counterterrorist financing obligations. The guidelines are divided into two parts. Title II comprises general guidelines applicable to all entities, and Title III deals with issues relating to specific sectors such as correspondent banks, retail banks and electronic money issuers.

The guidelines emphasise the need for obliged entities to identify the risks they face based on multiple factors, including the nature and identity of the client, the services the client requires and the region the client operates in. To gather the requisite information, obliged entities should refer to reliable sources such as the European Commission’s supranational risk assessment, the relevant regulators and media reports of money laundering incidents. In order to facilitate the identification of risk, the guidelines include a long, non-exhaustive list of factors to be considered. The guidelines make clear that the presence of isolated risk factors does not necessarily move the relationship into a higher or lower risk category, and that a holistic view must be taken of all the relevant factors.

Among the risk factors to be considered are the nature of the business activity of the client or its ultimate beneficial owner (“UBO”), its reputation and its behaviour. Certain business activities, such as casinos, are inherently higher-risk, and others may put the UBO in a position of power that can be abused for personal gain. Media and press reports of incidents connected to money laundering and terrorism financing, such as freezing of assets due to administrative or criminal proceedings, will be relevant, and reports of such matters involving persons who are connected in any way with the client may also be relevant. Additionally, because the behaviour of the client cannot be determined before engaging in a business relationship, it is essential for obliged entities to have an understanding of the ownership structure and whether it makes commercial and legal sense, of the sources of funds and wealth and whether they can be explained, of the connections between current and past business activities, and of whether reluctance to disclose certain information may be due to a legitimate reason, for example being an asylum seeker.

The guidelines also note that the jurisdiction in which the client is based, operates and has personal links will be relevant. For example, increased vigilance is required if activities involve countries that are associated with terrorist activities. If funds are generated abroad, the effectiveness of the legal system of the country concerned and the adequacy of its safeguards against money laundering and terrorist financing are relevant. The mutual evaluation reports issued by the Financial Action Task Force are a valuable source of information in this regard.

The client’s business activity is of paramount importance. Obliged entities must consider the level of transparency of the transaction facilitated, its complexity and value. If the transaction is opaque and complex, or cash-intensive, it becomes difficult to identify the individuals behind the transaction or to track the funds.

Once the risks have been identified they must be assessed using a risk-based approach, taking account of all relevant factors. The risk assessment should not be influenced by the potential profitability of the relationship or similar economic factors and must not result in a situation where no client or business relationship is classified as high risk. Where the Directive specifies that a situation is by nature of high risk (for example where the client is a politically exposed person (“PEP”)), the obliged entity must adopt the same risk category.

Obliged entities which use software for assessing risk must be aware of the way the software operates and how it weighs the various risk factors. The entity must be able to demonstrate that the level of risk allocated to each client or business relationship by the software is consistent with its own understanding of money laundering and terrorist financing risk. If the entity overrides the risk categorisation given by the software it must provide an explanation and justification for its decision.

By assessing the risk that they are exposed to, entities will be better able to focus on mitigating the risk by applying the relevant customer due diligence, based on the assessed risk. If the risk is low, simplified customer due diligence, with less detailed information or less frequent updating of records, is appropriate. Nevertheless, the customer due diligence must be sufficiently effective to recognise any suspicious factors as soon as they occur, and immediate attention is required if there is evidence of activities that are inconsistent with the low risk rating. Simplified customer due diligence is inappropriate if there are any doubts regarding the accuracy of the information obtained.

Conversely, when the risk associated with a specific client or transaction is high, enhanced customer due diligence must be applied over and above that set out in the Directive. This may involve obtaining additional information about the UBO, their family members and their past and present activities, or increasing the frequency of reviews. As noted earlier, the Directive includes a list of factors which, if present, automatically result in the transaction being classified as high risk, namely:

  • where the client is a PEP;
  • where the entity enters into a correspondent relationship with a respondent institution from a non-EEA state;
  • where the client is established in a high risk third country; and
  • where the transaction is complex, unusually large and has no clear economic rationale.

In such cases, enhanced customer due diligence must be applied. For example, if the client is a PEP, the source of wealth and source of funds must be identified and verified, senior management approval must be obtained prior to creating or continuing the business relationship and enhanced ongoing monitoring of transactions must be undertaken. Enhanced customer due diligence must also be applied to family members and close associates of the PEP. Entities must also ensure that they have effective means to identify transactions that are complex, unusually large in relation to the size of the client or its business activities, or have no economic or legal rationale. If such transactions are identified, the entity must undertake frequent monitoring and enhanced customer due diligence in order to determine whether the transaction is suspicious or not and give an explanation as to the purpose of the transactions that took place.

Our experienced Financial Services team can help you navigate the applicable regulatory framework in Cyprus. For any enquiry or assistance, please contact Michael Pelosi or your usual contact at Elias Neocleous & Co LLC.