(Part 2 of 2)
The EU’s Fourth Money Laundering Directive (MLD4) will be implemented in the UK by the end of this month and in the rest of the EU by the end of the year. On Monday we started by explaining the major changes in MLD4’s scope, sanctions and ultimate beneficial ownership policy – changes that will impact everyone in the payments industry. Today we move on to the significant updates MLD4 makes to the risk-based approach and talk about its upcoming amendments before thinking about what it all means for you.
Expansion of the risk-based approach:
MLD3 introduced the risk-based approach, or RBA, to customer due diligence when it was passed in 2005. But MLD4 further stresses its necessity and greatly strengthens RBA requirements.
Obliged entities will need to identify and assess risk, considering factors such as customers, countries or geographic areas, products, services, transactions or delivery channels. These risk assessments will need to be kept up-to-date and made available to regulators. Larger companies may also be required to commission an independent audit of their compliance procedures.
MLD4 also removes blanket exemptions that allowed automatic use of Simplified Due Diligence (SDD). To use SDD, firms must now actively demonstrate low risk and provide a robust rationale for its use. The expectation is that fewer customers will qualify for SDD and more will require either CDD or EDD.
The revised regulations also mandate that obliged entities have in place risk-based procedures to determine whether customers or ultimate beneficial owners are politically exposed persons (PEPs). They clarify that Enhanced Due Diligence (EDD) must always be applied to PEPs and that senior management approval is required to establish or continue a business relationship with a PEP. You should also be aware that both domestic and foreign PEPs are now covered under MLD4 (previously, domestic PEPs were not subject to EDD). EDD procedures must continue for at least 12 months after a PEP leaves office, although member states may impose a longer period.
Many companies in the payments industry deal with a high volume of relationships that need to be screened, and these companies have found it tough to reduce unnecessary false positives while still effectively identifying PEPs. Firms suffer through high false positive rates and damaging customer experiences—all while risking something slipping through the net—because many screening solutions fail to apply a risk-based approach to deciding a person’s level of political exposure and struggle to understand the nuances of different languages. As the scope of both PEPs and associated due diligence requirements widens under MLD4, firms without the right solution in place can expect these challenges to increase even further.
Despite only passing MLD4 a year ago, EU legislators are already looking to make some additions. These amendments will be formally proposed by the end of June 2016, but an implementation date hasn’t been set. The additions are expected to include:
- new rules to cover virtual currency, VC exchange platforms, prepaid cards, and possibly “wallet providers”
- the creation of central registers or data-retrieval systems for bank and payment accounts
- better data sharing between national Financial Intelligence Units within the EU
- rules to ensure that EDD checks are carried out for transactions with countries that pose high risks for terrorist financing – the EU will devise a “blacklist” of these countries later this year
What does it mean for you?
First and foremost, it is essential to understand the extent to which your firm will be impacted by MLD4’s scope changes. More companies will now be required to conduct EDD, and everyone will have to think about how their firm can implement a sufficient risk-based approach. Similarly, any firms dealing with e-money, virtual currency or prepaid instruments need to ensure their compliance procedures are up to code.
More generally, firms will be expected to have comprehensive and up-to-date information on their clients. Retrospective and manual analyses may not be effective enough to make sure nothing slips through the net. Automated solutions for real-time transaction monitoring, ongoing screening for sanctions, PEPs and adverse media, and electronic identity verification will become ever more vital tools for compliance officers who need to manage the increased regulatory burden while still doing their part to curb financial crime. The costs of failing to comply with AML policies are higher than ever, both in terms of sanctions for institutions and of the harm to society posed by financial crime. Everyone in the financial sector must work to fight these threats.