As announced back in January 2019, the delegated regulation regarding third countries was finally published.
Now that the regulatory item was brought to publication its effect will start on 3rd September 2019.
This new rules, bring the obligation to terminate or reject relationships, to refrain from executing transactions or to close business activities when benches and subsidiaries registered under third country jurisdictions cannot report relevant information on clients in order to identify the AML risk of such relationships.
As an alternative when such entities are limited by local regulation related to professional or banking secrecy or data protection rules to sharing the relevant information , the EU 2019/758 states:
- the obligation to inform Member State authorities within 28 days (from the moment that the entity became aware or the situation), the name of the country, the reason why the group-wide procedures cannot be fully applied,
- to collect consent from data subjects, and clients in order to facilitate the sharing of relevant KYC, AML, risk and transactional information, or (when consent cannot be collected given a statutory reason)
- to comply with some the following:
- ensure that the activity of the branch or subsidiary has a low impact in the group risk exposure.
- ensure that no reliance exist upon the due diligence measures taken by the entity located in the third country.
- carrying out enhanced reviews, including but not limited to on-site inspections or independent specific audits in order to be satisfy with the application of group-wide procedures and the compliance with group -wide requirements.
- ensure that higher risk relationships/transactions are subject to senior management approval.
- ensure that source of funds and destination of funds of the transactions is appropriately determined prior execution of transactions.
- ensure that enhanced and ongoing monitoring is performed in compliance with group-wide policies and procedures.
- ensure that information regarding suspicious activity reports is shared at group level, and that transactional information, rationales for suspicion and relevant facts, in accordance with applicable rules and regulations.
- ensure that enhanced actions, monitoring and enhanced due diligence are applied to customers subject to previous suspicion.
- ensure that the entity located on the third country, holds, maintain and continuously analyse transactions in order to identify suspicious activity using relevant tools and systems.
- ensure that risk assessments at all level are up-to-date and informed with accurate information, which allows immediate variation of risk when applicable.
In addition to such requirements; equivalent document retention policies should be applied and training/awareness programs existing and effective.
When after assessing the different elements of cooperation; the Financial or credit institution considers that the understanding of risk cannot be achieved, closing the branch should be considered as per the regulation.
Countermeasures as on-site inspection and independent AML/KYC audits may be risk mitigations points.