14.5.2019 EN Official Journal of the European Union L 125/4
COMMISSION DELEGATED REGULATION (EU) 2019/758
of 31 January 2019
supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regard to regulatory technical standards for the minimum action and the type of additional measures credit and financial institutions must take to mitigate money laundering and terrorist financing risk in certain third countries
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (1), and in particular Article 45(7) thereof,
Whereas:
(1) Credit institutions and financial institutions are required to identify, assess and manage the money laundering and terrorist financing risk to which they are exposed, particularly when they have established branches or majority-owned subsidiaries in third countries or because they are considering whether to establish branches or majority-owned subsidiaries in third countries. Directive (EU) 2015/849 therefore sets standards for the effective assessment and management of money laundering and terrorist financing risk at group level.
(2) The consistent implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures is key to the robust and effective management of money laundering and terrorist financing risk within the group.
(3) There are, however, circumstances where a group operates branches or majority-owned subsidiaries in a third country whose law does not permit the implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures. This can be the case, for example, where the third country's data protection or banking secrecy law limits the group's ability to access, process or exchange information related to customers of branches or majority-owned subsidiaries in the third country.
(4) In those circumstances, and in situations where the ability of competent authorities effectively to supervise the group's compliance with the requirements of Directive (EU) 2015/849 is impeded because competent authorities do not have access to relevant information held at branches or majority-owned subsidiaries in third countries, additional policies and procedures are required to manage money laundering and terrorist financing risk effectively. These additional policies and procedures may include obtaining consent from customers, which can serve to overcome certain legal obstacles to the implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures in third countries where other options are limited.
(5) The need to ensure a consistent, Union level response to legal obstacles to the implementation of group-wide policies and procedures justifies the imposition of specific, minimum actions credit and financial institutions should be required to take in those situations. However, such additional policies and procedures should be risk-based.
(6) Credit institutions and financial institutions should be able to demonstrate to their competent authority that the extent of additional measures they have taken is appropriate in view of the money laundering and terrorist financing risk. However, should the competent authority consider that the additional measures a credit institution or financial institution has taken are insufficient to manage that risk, the competent authority should be able to direct the credit institution or financial institution to take specific measures to ensure the credit institution's or financial institution's compliance with its anti-money laundering and countering the financing of terrorism obligations.
(7) Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2), Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4) empower the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA), respectively, to issue joint guidelines to ensure the common, uniform and consistent application of Union law. When complying with this Regulation credit institutions and financial institutions should take into account the joint guidelines issued in accordance with Article 17 and Article 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions and make every effort to comply with those guidelines.
(8) The provisions of this Regulation should be without prejudice to the duty of competent authorities of the home Member State to exercise additional supervisory actions as stipulated in Article 45(5) of Directive (EU) 2015/849 in cases where the application of additional measures defined by this Regulation will prove insufficient.
(9) The provisions of this Regulation should also be without prejudice to the enhanced due diligence measures credit institutions and financial institutions are required/obliged to take when dealing with natural persons or legal entities established in countries identified by the Commission as high risk pursuant to Article 9 of Directive (EU) 2015/849.
(10) Credit institutions and financial institutions should be given sufficient time to adjust their policies and procedures in line with this Regulation's requirements. To this end, it is appropriate that the application of this Regulation be deferred by three months from the date on which it enters into force.
(11) This Regulation is based on draft regulatory technical standards developed by the European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority), submitted to the Commission.
(12) The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010,
HAS ADOPTED THIS REGULATION:
Article 1
Subject matter and scope
This Regulation lays down a set of additional measures, including minimum action, that credit institutions and financial institutions must take to effectively handle the money laundering and terrorist financing risk where a third country's law does not permit the implementation of group-wide policies and procedures as referred to in Article 45(1) and (3) of Directive (EU) 2015/849 at the level of branches or majority-owned subsidiaries that are part of the group and established in the third country.
Article 2
General obligations for each third country
For each third country where they have established a branch or they are a majority owner of a subsidiary, credit institutions and financial institutions shall at least:
(a) assess the money laundering and terrorist financing risk to their group, record that assessment, keep it up to date and retain it in order to be able to share it with their competent authority;
(b) ensure that the risk referred to in point (a) is reflected appropriately in their group-wide anti-money laundering and countering the financing of terrorism policies and procedures;
(c) obtain senior management approval at group-level for the risk assessment referred to in point (a) and for the group-wide anti-money laundering and countering the financing of terrorism policies and procedures referred to in point (b);
(d) provide targeted training to relevant staff members in the third country to enable them to identify money laundering and terrorist financing risk indicators, and ensure that the training is effective.
Article 3
Individual risk assessments
1. Where the third country's law prohibits or restricts the application of policies and procedures that are necessary to identify and assess adequately the money laundering and terrorist financing risk associated with a business relationship or occasional transaction due to restrictions on access to relevant customer and beneficial ownership information or restrictions on the use of such information for customer due diligence purposes, credit institutions or financial institutions shall at least:
(a) inform the competent authority of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:
(b) ensure that their branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers' beneficial owners, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);
(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers' beneficial owners, to give consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.
2. Where the consent referred to in point (c) of paragraph 1 is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures, to manage the money laundering and terrorist financing.
Those additional measures shall include the additional measure set out in point (c) of Article 8 and one or more of the measures set out in points (a), (b), (d), (e) and (f) of that Article.
Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to in paragraphs 1 and 2, it shall:
(a) ensure that the branch or majority-owned subsidiary terminates the business relationship;
(b) ensure that the branch or majority-owned subsidiary not carry out the occasional transaction;
(c) close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country.
3. Credit institutions and financial institutions shall determine the extent of the additional measures referred to in paragraphs 2 and 3 on a risk-sensitive basis and be able to demonstrate to their competent authority that the extent of additional measures is appropriate in view of the money laundering and terrorist financing risk.
Article 4
Customer data sharing and processing
1. Where a third country's law prohibits or restricts the sharing or processing of customer data for anti-money laundering and countering the financing of terrorism purposes within the group, credit institutions and financial institutions shall at least:
(a) inform the competent authority of the home Member State without undue delay and in any case no later than 28 days after identifying the third country of the following:
(b) ensure that their branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers' beneficial owners, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);
(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers' beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.
2. In cases where consent referred to in point (c) of paragraph 1 is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures to manage risk. These additional measures shall include the additional measure set out in point (a) of Article 8 or the additional measure set out in point (c) of that Article. Where the money laundering and terrorist financing risk is sufficient to require further additional measures, credit and financial institutions shall apply one or more of the remaining additional measures set out in points (a) to (c) of Article 8.
3. Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to in paragraphs 1 and 2, it shall close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country.
4. Credit institutions and financial institutions shall determine the extent of the additional measures referred to in paragraphs 2 and 3 on a risk-sensitive basis and be able to demonstrate to their competent authority that the extent of additional measures is appropriate in view of the risk of money laundering and terrorist financing.
Article 5
Disclosure of information related to suspicious transactions
1. Where the third country's law prohibits or restricts the sharing of information referred to in Article 33(1) of Directive (EU) 2015/849 by branches and majority-owned subsidiaries established in the third country with other entities in their group, credit institutions and financial institutions shall at least:
(a) inform the competent authority of the home Member State without undue delay and in any case no later than 28 days after identifying the third country of the following:
(b) require the branch or majority-owned subsidiary to provide relevant information to the credit institution's or financial institution's senior management so that it is able to assess the money laundering and terrorist financing risk associated with the operation of such a branch or majority-owned subsidiary and the impact this has on the group, such as:
2. Credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures and the measures referred to in paragraph 1 to manage risk.
Those additional measures shall include one or more of the additional measures set out in points (a) to (c) and (g) to (i) of Article 8.
3. Where credit institutions and financial institutions cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to in paragraphs 1 and 2, they shall close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country.
4. Credit institutions and financial institutions shall determine the extent of the additional measures referred to in paragraphs 2 and 3 on a risk-sensitive basis and be able to demonstrate to their competent authority that the extent of additional measures is appropriate in view of the risk of money laundering and terrorist financing.
Article 6
Transfer of customer data to Member States
Where the third country's law prohibits or restricts the transfer of data related to customers of a branch and majority-owned subsidiary established in a third country to a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, credit institutions and financial institutions shall at least:
(a) inform the competent authority of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:
(b) carry out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively implements group-wide policies and procedures and that it adequately identifies, assesses and manages the money laundering and terrorist financing risks;
(c) provide the findings of the reviews referred to in point (b) to the competent authority of the home Member State upon request;
(d) require the branch or majority-owned subsidiary established in the third country regularly to provide relevant information to the credit institution's or financial institution's senior management, including at least the following:
(e) make the information referred to in point (d) available to the competent authority of the home Member State upon request.
Article 7
Record-keeping
1. Where the third country's law prohibits or restricts the application of record-keeping measures equivalent to those specified in Chapter V of Directive (EU) 2015/849, credit institutions and financial institutions shall at least:
(a) inform the competent authority of the home Member State without undue delay and in any case no later than 28 days after identifying the third country of the following:
(b) establish whether consent from the customer and, where applicable, their beneficial owner, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);
(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require customers and, where applicable, their customers' beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.
2. In cases where consent referred to in point (c) of paragraph 1 is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures and the measures referred to in paragraph 1 to manage risk. These additional measures shall include one or more of the additional measures set out in points (a) to (c) and (j) of Article 8.
3. Credit and financial institutions shall determine the extent of the additional measures referred to in paragraph 2 on a risk-sensitive basis and be able to demonstrate to their competent authority that the extent of additional measures is appropriate in view of the risk of money laundering and terrorist financing.
Article 8
Additional measures
Credit institutions and financial institutions shall take the following additional measures pursuant to Article 3(2), Article 4(2), Article 5(2) and Article 7(2) respectively:
(a) ensuring that their branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided by the branch of majority-owned subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group's risk exposure;
(b) ensuring that other entities of the same group do not rely on customer due diligence measures carried out by a branch or majority-owned subsidiary established in the third country, but instead carry out customer due diligence on any customer of a branch or majority-owned subsidiary established in third country who wishes to be provided with products or services by those other entities of the same group even if the conditions in Article 28 of Directive (EU) 2015/849 are met;
(c) carrying out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively identifies, assesses and manages the money laundering and terrorist financing risks;
(d) ensuring that their branches or majority-owned subsidiaries that are established in the third country seek the approval of the credit institution's or financial institution's senior management for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher risk occasional transaction;
(e) ensuring that their branches or majority-owned subsidiaries that are established in the third country determine the source and, where applicable, the destination of funds to be used in the business relationship or occasional transaction;
(f) ensuring that their branches or majority-owned subsidiaries that are established in the third country carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the branches or majority-owned subsidiaries are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship;
(g) ensuring that their branches or majority-owned subsidiaries that are established in the third country share with the credit institution or financial institution underlying suspicious transaction report information that gave rise to the knowledge, suspicion or reasonable grounds to suspect that money laundering and terrorist financing was being attempted or had occurred, such as facts, transactions, circumstances and documents upon which suspicions are based, including personal information to the extent that this is possible under the third country's law;
(h) carrying out enhanced ongoing monitoring on any customer and, where applicable, beneficial owner of a customer of a branch or majority-owned subsidiary established in the third country who is known to have been the subject of suspicious transaction reports by other entities of the same group;
(i) ensuring that their branches or majority-owned subsidiaries that are established in the third country has effective systems and controls in place to identify and report suspicious transactions;
(j) ensuring that their branches or majority-owned subsidiaries that are established in the third country keep the risk profile and due diligence information related to a customer of a branch or majority-owned subsidiary established in the third country up to date and secure as long as legally possible, and in any case for at least the duration of the business relationship.
Article 9
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 3 September 2019.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 31 January 2019.
For the Commission
The President
Jean-Claude JUNCKER
(1) OJ L 141, 5.6.2015, p. 73.
(2) Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).
(3) Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48).
(4) Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010, p. 84).