
Chapter VI               

SP2                 Firms must adopt a risk-based approach to these statements of principle and their requirements.  

             6          Risk-Based Approach (S10Q)

The level and intensity of any firm’s approach to the mitigation of the risks it faces must be based on a suitable methodology which addresses the issues and concerns that it faces.  No two firms are the same and the scope of their risk mitigation programme must be determined, therefore, by the existing systems of control in place as well as a number of external factors that are brought to bear on the firm.

Whereas it was traditionally the case that a firm’s processes to mitigate risks were customer centric, this is no longer applicable as the complexity of the requirements has increased.

      6.1          Risk Profiling a Business Relationship

        R16          A risk-profile of a business relationship needs to take into consideration the following four risk elements that are present in every business relationship:

a.       Customer Risk

b.      Product Risk

c.       Interface Risk

d.      Country Risk

Together, the four risk elements above are combined to produce a risk-profile.  It is the results of this risk profile and the firm’s risk appetite that will determine the intensity of the documentation and other processes that will need to be obtained at the commencement of a business relationship or as an ongoing requirement.

Appendix 2 – Scoring Risk Elements contains an example of a simple risk rating process through which each of the above elements can be scored.  It is up to each firm to decide the methodology to adopt and many firms already have more complex systems in place.  The appendix, therefore, is only meant as an illustration for those firms seeking guidance as to how a simple rating methodology can be designed and implemented.

Appendix 3 - Obtaining a risk profile outlines how these elements could be combined in a simple risk-profiling approach that firms could adopt.  How a firm goes about classifying and scoring each of these four types of risk is not a requirement of these Notes. 

        R17          A firm will need to be able to demonstrate that it has a methodology  for assessing the risk profile of a business relationship, that this methodology is suitable for the size and nature of the firm’s business and that practice matches the methodology.  

The FSC will be verifying that a methodology has been successfully designed and implemented through its on-site and risk-assessment supervisory processes.


      6.2          The four elements of a risk-based approach

 6.2.1          Customer Risk

This is the identification of the risk posed by the type of customer. 

Each firm will have a different view of the type of customer that it wishes to service and those which it does not.  That decision has normally already been made either tacitly or implicitly through the business plan, strategy of the firm or by the product range that it offers. 

        R18          These Notes require that an assessment is conducted on the risk that different types of customers pose in relation to the threat that they will launder proceeds of crime, fund terrorist activity or be involved in other types of illicit activities.  The intensity of the due diligence conducted on the individual must therefore increase with the perceived or potential threat posed by that business relationship.

6.2.1.1          Individuals

The threats posed by different types of individuals are mainly attributable to the nature of their economic activity or source of wealth. For example, the risk to a firm from a salaried employee whose only transactions through a business relationship are those derived from electronic payments made by his employer is going to be much lower than that from an individual whose transactions are cash based with no discernible source for this activity.  The country in which the individual created, or sources, their income also needs to be considered in the overall threat environment.

Proof of identity ensures that the risks arising out of identity theft and other fraudulent activity are mitigated.

        R19          Firms must include, in their methodology, a statement of the basis upon which business relationships with individuals will be scored in light of their source of income or wealth.

6.2.1.1.1          Known or Suspected Terrorists and individuals subject to sanctions or other economic measures

Individuals, charities, non-profit organisations or companies themselves may be associated with, or themselves be suspected or known to be, terrorists or involved with terrorist activities.  Similarly, individuals may themselves be subject to sanctions or other international initiatives which may sometimes be linked to close family members.

Irrespective of the risk score of the customer obtained above, the firm is required to introduce enhanced due diligence checks on the customer the moment it knows or suspects that the customer falls into this category.  (See section 6.2.4.3 for more information)

In many cases this will trigger a requirement to inform the authorities of the presence of these individuals. 

The issue that concerns most firms is how to ensure that an individual who has already been through the application process is not then found to have been added to one of the lists of names of known or suspected terrorists.

The list of known or suspected terrorists is published by various international as well as national agencies.  Third party providers are also able to provide consolidated lists.  A link to these lists is provided on the FSC’s web-site at http://www.fsc.gi/terrorism/names.htm.

!        See 8.4 below for requirements in relation to named or suspected terrorists and  Appendix 4 – Countries and territories with equivalent legal frameworks or those requiring enhanced due diligence for measures that need to be applied against undertakings and individuals subject to international sanctions.

6.2.1.1.2          Politically Exposed Persons (S10K)

The threat matrix in Figure 1 highlights that the biggest threat facing Gibraltar is the risk that politically exposed persons (PEPs) use Gibraltar based service providers to channel funds or hold assets which may have been obtained through corrupt practices or be the result of bribes, etc.

The term “politically exposed persons” is defined in the 3MLD[7] as:

“natural persons who are or have been entrusted with prominent public functions and immediate family members known to be close associates of such persons.”

For these purposes;

[1]      ‘natural persons who are or have been entrusted with prominent public functions’ shall include the following:

(a)      heads of State, heads of government, ministers and deputy or assistant ministers;

(b)      members of parliaments;

(c)      members of supreme courts, of constitutional courts or of other high-level judicial bodies whose decisions are not subject to further appeal, except in exceptional circumstances;

(d)      members of courts of auditors or of the boards of central banks;

(e)      ambassadors, chargés d'affaires and high-ranking officers in the armed forces;

(f)       members of the administrative, management or supervisory bodies of State-owned enterprises;

          where these functions are performed or have been appointed outside of Gibraltar.

          None of the categories set out in points (a) to (f) above shall be understood as covering middle ranking or more junior officials.

[2]      ‘immediate family members’ shall include the following:

(a)      a spouse;

(b)     a partner considered by national law as equivalent to the spouse;

(c)     children and their spouses or partners;

(d)      parents.

[3]      ‘persons known to be close associates’ shall include the following:

(a)      any individual who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a person referred to in paragraph 1;

(b)     any individual who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the benefit de facto of the person referred to in paragraph 1.

!        Without prejudice to the application, on a risk-sensitive basis, of enhanced customer due diligence measures, where a person has ceased to be entrusted with a prominent public function for a period of at least one year, firms shall not be obliged to consider such a person as politically exposed.

 

The concerns relating to this type of risk are mitigated by having adequate processes through which a firm can determine the source of income or wealth.

Specific risk based measures need to be adopted to reduce the risks inherent in dealing with PEPs.

        R20          The systems of control that firms must adopt to reduce the risks associated with establishing and maintaining business relationships with PEPs are that:

a.       The firm must establish and document a clear policy and internal guidelines, procedures and controls regarding such business relationships;

b.      The firm must maintain an appropriate risk management system to determine whether a potential customer or an existing customer is a PEP;

c.       Decisions to enter into business relationships with PEPs must be taken only by senior management;

d.      Business relationships which are known to be related to PEPs must be subject to  proactive monitoring of the activity on such accounts.

!        The monitoring of the accounts is necessary so that any changes are detected, and consideration can be given as to whether such change suggests corruption or misuse of public assets.  This includes close scrutiny of receipts of large sums from government bodies, state owned activities, or governments and central bank accounts.  See Section 7.8 for more information on the monitoring requirements under the Notes.

See section 6.2.4.2 for more requirements on PEPs re Country Risk.

6.2.1.2          Legal Entities

Corporate structures, trusts and partnerships are recognised internationally as vehicles through which opacity in financial transactions can easily be introduced.  This can be used by criminals to add layers between a criminal activity and those benefiting from the same.

Additionally, facilities which add layers of complexity, e.g. nominee shareholdings, declarations of trust and powers of attorney, have their place in legal structures, tax and estate planning scenarios but are just as attractive to criminals for the same reasons.

!        Firms must recognise the risks that facilities which add complexity or opacity to a legal entity pose to their business and have adequate systems of control to ensure that these risks are properly mitigated.

As with other legal forms, legal entities may come in a variety of different shapes and sizes but their economic activity will be much more varied.

Firms need to include in their risk assessment process a recognition of the risk posed by the economic activity being conducted through the legal entity.

It is evident that in order for the above requirement to be effective, a firm must have sufficient information about the client company and its activities, in so far as it is appropriate for the services being provided to it.  (See Section 7.7.2 on the requirements in relation to the documentation of economic activity.)

Legal entities do not run themselves; they are directed by their directors and controlled by their members and beneficial owners, or their assets are controlled by the trustees.  The influence that these persons can have on the client company/trust or partnership is just as important a factor in the risk assessment process as the entity’s activities.

!        Firms must ensure that the risks posed by the beneficial owners, officers, shareholders, trustees, settlors and managers of a legal entity are reflected in the risk profile of the client company.

6.2.1.2.1          Publicly listed companies

No further steps to verify identity over and above usual commercial practice, will normally be required where the applicant for business is known to be a listed company whose securities are admitted to trading on a regulated market within the meaning of Directive 2004/39/EC in one or more Member States and listed companies from third countries which are subject to disclosure requirements consistent with Community legislation.

6.2.1.2.2          Gibraltar or EU Credit or Financial Institutions (S10(G))[8]

Verification of identity is not required when there are reasonable grounds for believing that the applicant for business is itself a financial institution in Gibraltar or an EU country, and is thus subject to the Money Laundering Directive.  What constitutes reasonable grounds is not defined, but these might mean ensuring that the credit or financial institution does actually exist (e.g. that it is listed in the Bankers’ Almanac, or is a member of a regulated or designated investment exchange); and that it is also regulated. In cases of doubt, the relevant regulator’s list of institutions can be consulted. Additional comfort can also be obtained by obtaining from the relevant institution evidence of its authorisation to conduct financial and/or banking business.

For Gibraltar based firms, the FSC published a list of regulated firms on its web-site (www.fsc.gi).  Verification that the applicant for business appears on these lists is sufficient to satisfy the minimum due diligence measures.  Care, however, must be taken to distinguish between those that fall under the definitions of Credit Institutions or Financial Institutions, which fall under this exemption, and those that do not (e.g. company managers, professional trustees, insurance managers or insurance intermediaries).

Unregulated Gibraltar or EU credit or financial businesses (e.g. bureaux de change) should be subject to further verification in accordance with the procedures for companies or businesses.


 6.2.2          Product Risk

This is the risk posed by the product proposition itself.  Some products are inherently less attractive to criminals than others whilst others are the most favoured. 

        R21          Firms must document their product range against the perceived attraction for these to be used for criminal activity and implement systems of control to mitigate or reduce these risks.

Figure 8 in Appendix 2 – Scoring Risk Elements shows a sample risk scoring scale for Product Risk which firms may wish to consider.

6.2.2.1          Anonymous Accounts/Products that offer a layer of opacity

Because one of the primary aims of a criminal is to create as much distance as possible between himself, the criminal act and the proceeds from that act, anonymous accounts/business relationships or facilities which allow the customers to establish a business relationship using false or fictitious names are specifically prohibited.

        R22      Other than in the case of e-money products which meet the criteria in 6.2.2.7.4 below, firms may not permit their products to be used using obviously fictitious names or where the customer’s name is not identified.

!        There are many circumstances where a firm may not want to include the customer’s name or details on the account name or customer file in order to provide a level of privacy within the organisation itself.  However, this does not mean that the customer is not known to the firm and these details may be kept in a more secure environment within the firm itself.  The due diligence records of that customer must, however, be made available to the senior management, MLRO, enforcement agencies and the regulators, should this be required.

6.2.2.2          Bank accounts

The range of bank accounts offered by modern financial institutions can be varied and the characteristics of each type of bank account may increase the risk posed  to the firm. 

At the lowest end of the risk spectrum will be pass-book type accounts that require the customer to be physically present to make withdrawals and where there are no third party payments permitted.  The highest risk bank account will be those where the account can be accessed and operated on-line and through which third party payments can be effected.

The risks associated with the interface risk, particularly on-line transactions, are dealt with in 6.2.3.6 below.

6.2.2.3          Correspondent Banking Relationships

Correspondent banking relationships create a risk that the other bank’s customers may be using that bank to launder funds.  It is not necessarily possible to conduct due diligence on that bank’s customer base and as such, these relationships require additional care and attention to guard against becoming unwilling participants in this activity.

        R23          The following controls need to be implemented for correspondent banking relationships;

a.       A firm must not maintain relationships with shell banks that have no physical presence in any country or with correspondent banks that permit their accounts to be used by such banks.

b.      A firm must gather sufficient information about a respondent institution to understand fully the nature of its business.

c.       Senior management approval must be obtained prior to establishing new correspondent relationships.

d.      The firm must assess the respondent institution’s anti-money laundering and terrorist financing controls.

e.       The relationship and its transactions must be subject to annual reviews by senior management. The volume and nature of transactions flowing through correspondent accounts with institutions from high risk jurisdictions, or those with material deficiencies should be monitored against expected levels and destinations, and any material variances should be explored.

f.        The respective responsibilities for each institution must be properly documented.

g.      The firm must be able to demonstrate that the information described above is held for all existing as well as new correspondent relationships.

!        The firm must determine, from publicly available sources, the reputation of that institution and quality of supervision, including whether it has been subject to a money laundering or terrorist financing investigation or regulatory action. 

!        Staff dealing with correspondent banking accounts should be trained to recognise high risk circumstances, and be prepared to challenge correspondents over irregular activity, whether isolated transactions or trends, submitting a suspicion report where appropriate.

6.2.2.3.1          Payable through accounts

A payable-through account is generally an account through which banks extend payment facilities to the customers of other institutions, often foreign banks.  Because “payable through accounts” pose an additional risk, the following must also be satisfied:

        R24          The firm must verify that the respondent bank has verified the identity of, and has performed on-going due diligence on, the customers having direct access to accounts of the correspondent and that it is able to provide relevant customer identification data to the firm, upon request.

        R25          Institutions must terminate the accounts of correspondents who fail to provide satisfactory answers to reasonable enquiries including, where appropriate, confirming the identity of customers involved in unusual or suspicious transactions.

6.2.2.4          Powers of Attorney

        R26          The authority to deal with assets under a power of attorney constitutes a business relationship and therefore firms must establish the identities of holders of powers of attorney, the grantor of the power of attorney and third party mandates where control of the legal entity’s assets is exercisable by that power of attorney.

!        Records of all transactions undertaken in accordance with the power of attorney should be kept in accordance with the provisions of these Notes.

!        Because enduring general powers of attorney pose additional risks to firms, these should not generally be accepted by firms unless there are compelling reasons for their issuance in the first place.

6.2.2.5          Bearer Instruments

Bearer shares and share warrants to bearer can provide a significant level of anonymity, which may be abused by those seeking to use companies for a criminal purpose. Furthermore, fictitious bearer instruments can be used to perpetrate fraud. There are, however, legitimate reasons for the use of bearer shares and their issue is permitted in many jurisdictions. Firms are required to have adequate and properly documented due diligence policies and procedures in place to ensure that their issue is controlled effectively to prevent abuse. Where a company has issued share warrants to bearer these must be kept immobilised under the control of a licensee. This is because the Guidance Notes cannot be complied with and due diligence in accordance with the Guidance Notes cannot be carried out, where beneficial ownership can change without the knowledge of the licensee.

        R27          Where a transaction involves bearer instruments, verification evidence must be obtained for the following transactions-

•        bearer shares converting to registered form;

•        surrender of coupons for payment of dividend, bonus, or capital event.

!        The middle market price quoted in the Financial Times, Bloomberg or Reuters etc on the day of receipt should normally be used to establish share value.

        R28          In the case of transfers from bearer to registered shares, evidence of identity of the registered holder must be obtained in line with the procedures set out in these Notes.

!        The submission of coupons in exchange for a cheque in payment of dividends, bonuses or capital events, does not require the identity of the owner to be verified unless the value of the cheque is in excess of €15,000, and the requested payee is not a Gibraltar or EU regulated financial sector firm.  As the identity of the holder of bearer certificates from which the coupons are derived is not known, identification evidence must be obtained in respect of the payee of the requested cheque before the cheque is issued.

6.2.2.6          Wire Transfers

Investigations of major money laundering cases over the last few years have shown that criminals make extensive use of electronic payment and message systems.  The rapid movement of funds between accounts in different jurisdictions increases the complexity of investigations.  In addition, investigations become even more difficult to pursue if the identity of the original ordering customer or the ultimate beneficiary is not clearly shown in an electronic payment message instruction. 

For the purposes of this part, the following definitions shall apply:

‘payer’ means either a natural or legal person who holds an account and allows a transfer of funds from that account, or, where there is no account, a natural or legal person who places an order for a transfer of funds;

‘payee’ means a natural or legal person who is the intended final recipient of transferred funds;

‘payment service provider’ means a natural or legal person whose business includes the provision of transfer of funds services;

‘intermediary payment service provider’ means a payment service provider, neither of the payer nor of the payee, that participates in the execution of transfers of funds;

‘transfer of funds’ means any transaction carried out on behalf of a payer through a payment service provider by electronic means, with a view to making funds available to a payee at a payment service provider, irrespective of whether the payer and the payee are the same person;

‘batch file transfer’ means several individual transfers of funds which are bundled together for transmission;

‘unique identifier’ means a combination of letters, numbers or symbols, determined by the payment service provider, in accordance with the protocols of the payment and settlement system or messaging system used to effect the transfer of funds.

        R29          The requirements of this section of the Notes apply to transfers of funds, in any currency, which are sent or received by a payment service provider established in Gibraltar other than the following cases of transfers of funds:

[1]     carried out using a credit or debit card, provided that:

(a)     the payee has an agreement with the payment service provider permitting payment for the provision of goods and services; and

(b)     a unique identifier, allowing the transaction to be traced back to the payer, accompanies such transfer of funds.

[2]     using electronic money except where the amount transferred exceeds  €1,000.

[3]     carried out by means of a mobile telephone or any other digital or Information technology device, when such transfers are pre-paid and do not exceed €150.

[4]     carried out by means of a mobile telephone or any other digital or IT device, when such transfers are post-paid and meet all of the following conditions:

(a)     the payee has an agreement with the payment service provider permitting payment for the provision of goods and services;

(b)     a unique identifier, allowing the transaction to be traced back to the payer, accompanies the transfer of funds; and

(c)      the payment service provider is subject to the obligations set out in 3MLD.

[5]     within Gibraltar to a payee account permitting payment for the provision of goods or services if:

(a)     the payment service provider of the payee is subject to the obligations set out in 3MLD;

(b)     the payment service provider of the payee is able by means of a unique reference number to trace back, through the payee, the transfer of funds from the natural or legal person who has an agreement with the payee for the provision of goods and services; and

(c)      the amount transacted is €1,000 or less.

 [6]    where the payer withdraws cash from his or her own account;

[7]     where there is a debit transfer authorisation between two parties permitting payments between them through accounts, provided that a unique identifier accompanies the transfer of funds, enabling the natural or legal person to be traced back;

[8]     where truncated cheques are used;

[9]     to public authorities for taxes, fines or other levies within a Member State;

[10]    where both the payer and the payee are payment service providers acting on their own behalf.

 

        R30          Where both the payment service provider of the payer and the payment service provider of the payee are situated in the European Community, transfers of funds shall be required to be accompanied only by the account number of the payer or a unique identifier allowing the transaction to be traced back to the payer.

If so requested by the payment service provider of the payee, the payment service provider of the payer shall make available to the payment service provider of the payee complete information on the payer, within three working days of receiving that request.

        R31          Transfers of funds where the payment service provider of the payee is situated outside the European Community shall be accompanied by complete information on the payer.

1.      Complete information on the payer shall consist of his name, address and account number.

2.      The address may be substituted with the date and place of birth of the payer, his customer identification number or national identity number.

3.      Where the payer does not have an account number, the payment service provider of the payer shall substitute it by a unique identifier which allows the transaction to be traced back to the payer.

4.      The payment service provider of the payer shall, before transferring the funds, verify the complete information on the payer on the basis of documents, data or information obtained from a reliable and independent source.

5.      In the case of transfers of funds from an account, verification may be deemed to have taken place if:

(a)     a payer’s identity has been verified in connection with the opening of the account and the information obtained by this verification has been stored in accordance with the obligations set out in these notes; or

(b)     the payer is a relevant financial business.

        R32          Without prejudice to the requirement to apply due diligence measures when money laundering or terrorist financing is known or suspected, in the case of transfers of funds not made from an account, the payment service provider of the payer shall verify the information on the payer only where the amount exceeds €1,000, unless the transaction is carried out in several operations that appear to be linked and together exceed €1,000.

        R33          The payment service provider of the payer shall for five years keep records of complete information on the payer which accompanies transfers of funds.

        R34          In the case of batch file transfers from a single payer where the payment service providers of the payees are situated outside the Community, the requirements in R31 shall not apply to the individual transfers bundled together therein, provided that the batch file contains that information and that the individual transfers carry the account number of the payer or a unique identifier.

6.2.2.6.1          Obligations On The Payment Service Provider Of The Payee

        R35          The payment service provider of the payee shall detect whether, in the messaging or payment and settlement system used to effect a transfer of funds, the fields relating to the information on the payer have been completed using the characters or inputs admissible within the conventions of that messaging or payment and settlement system. Such provider shall have effective procedures in place in order to detect whether the following information on the payer is missing:

(a)        for transfers of funds where the payment service provider of the payer is situated in the Community, the information required under R30;

(b)        for transfers of funds where the payment service provider of the payer is situated outside the Community, complete information on the payer as referred to in Requirement R31, or where applicable, the information required under R38; and

(c)         for batch file transfers where the payment service provider of the payer is situated outside the Community, complete information on the payer as referred to in  R34 in the batch file transfer only, but not in the individual transfers bundled therein.

6.2.2.6.2          Transfers of funds with missing or incomplete information on the payer

        R36          If the payment service provider of the payee becomes aware, when receiving transfers of funds, that information on the payer required under this section of the notes is missing or incomplete, it shall either reject the transfer or ask for complete information on the payer and, on a risk-based approach, decide whether a report to GFIU should be made.

        R37          Where a payment service provider regularly fails to supply the required information on the payer, the payment service provider of the payee shall take steps, which may initially include the issuing of warnings and setting of deadlines, before either rejecting any future transfers of funds from that payment service provider or deciding whether or not to  restrict or terminate its business relationship with that payment service provider. The payment service provider of the payee shall report that fact to the GFIU.

6.2.2.6.3          Technical Limitations

        R38          Where the payment service provider of the payer is situated outside the Community and the intermediary payment service provider is situated within Gibraltar;

(a)        Unless the intermediary payment service provider becomes aware, when receiving a transfer of funds, that information on the payer required under these Notes is missing or incomplete, it may use a payment system with technical limitations which prevent information on the payer from accompanying the transfer of funds to send transfers of funds to the payment service provider of the payee.

(b)        Where the intermediary payment service provider becomes aware, when receiving a transfer of funds, that information on the payer required under these Notes is missing or incomplete, it shall only use a payment system with technical limitations if it is able to inform the payment service provider of the payee thereof, either within a messaging or payment system that provides for communication of this fact or through another procedure, provided that the manner of communication is accepted by, or agreed between, both payment service providers.

(c)         Where the intermediary payment service provider uses a payment system with technical limitations, the intermediary payment service provider shall, upon request from the payment service provider of the payee, make available to that payment service provider all the information on the payer which it has received, irrespective of whether it is complete or not, within three working days of receiving that request.

In the cases referred to in paragraphs (a) and (b) above, the intermediary payment service provider shall for five years keep records of all information received.

6.2.2.7          Reduced due diligence measures

Irrespective of the size and nature of the transactions and the exemptions set out below, identity must be verified in all cases where money laundering or terrorist financing is known, believed or suspected.

The obligation to maintain procedures for obtaining evidence of identity is general, but Section 10G sets out a number of exemptions and concessions.

6.2.2.7.1          One-Off Transactions: Single or Linked (S10B(b))

Some products may be innocuous enough not to attract a risk to the firm if conducted as a single transaction.  These may be of low value or a low risk product.  However, when made in multiples, these transactions could be seen as a conduit through which criminals could layer or integrate proceeds of criminal activity into the system.

!        Verification of identity is not normally needed in the case of a single one-off transaction when payment by, or to, the applicant is less than €15,000.  

!        For the purpose of these Guidance Notes, transactions that are separated by an interval of three months or more need not, in the absence of specific evidence to the contrary, be treated as linked.

        R39          Section 11(5) requires that identification procedures should be undertaken for linked transactions that together exceed the exemption limit, i.e. where in respect of two or more one-off transactions:

a.       it appears at the outset to a person handling any of the transactions that the transactions are linked and that the aggregate amount of these transactions will exceed  €15,000; or

b.      at any later stage, it comes to the attention of such a person that the transactions are linked, and that the €15,000 limit has been reached.

!        In respect of Bureaux de Change and Money Transmission services this level is reduced to €5,000.                           

        R40          Firms must implement systems of control to be able to identify where one or more “one-off” transactions are linked to the same person.

The requirement to aggregate linked transactions is designed to identify people who might structure their dealings to avoid the identification procedures. It is not meant to cause inconvenience for genuine business transactions. There is clearly no need to count both ends of the same transaction, e.g. a purchase and a subsequent sale.

        R41          Where a series of one-off transactions are linked and this gives rise to a suspicion or knowledge of money laundering or terrorist financing, this must be reported.  

6.2.2.7.2          Small Insurance Contracts

Sub-section 10G(7)(a) & (b) provides that identification procedures can be waived for insurance business in respect of which:

·         a premium is payable in one instalment of an amount not exceeding €2,500; or,

·         a regular premium is payable and where the total payable in respect of any one calendar year does not exceed €1,000.

6.2.2.7.3          Policies of insurance in connection with a pension scheme

Section 10G(7)(c) provides that no steps are necessary to obtain evidence of a person's identity in respect of a policy of insurance in connection with a pension scheme taken out by virtue of a person's contract of employment, or occupation where the policy:

i         contains no surrender clause; and

ii        may not be used as collateral for a loan.

A 'policy of insurance' includes any contract, which secures any benefit in respect of occupational or personal pension schemes, effected with an insurance company authorised to conduct long-term insurance business. The exemption extends to personal pension arrangements, both for self-employed and employees (whether or not both the employee and the employer contribute).

6.2.2.7.4          E-Money

Due diligence need not be conducted where the following conditions are met[9];

1.    In the case where the e-money device cannot be recharged, the maximum amount stored in the device is no more than €250; or

2.    If the e-money device can be recharged, a limit of €2,500 is imposed on the total amount transacted in a calendar year.

The exception to the above is where an amount of €1,000 or more is redeemed in that same year at the request of the electronic money holder, pursuant to Regulations 39 to 44 of the Financial Services (Electronic Money) Regulations 2011, in which case Customer Due Diligence must be conducted.

 6.2.3          Interface Risk

This is the risk that the firm faces as a result of the mechanism through which the business relationship is commenced and transacted.

Where it is physically possible to verify a customer’s likeness to documents evidencing identity, this will also help to satisfy or mitigate the customer risk as well as the interface risk.  Receiving instructions through face-to-face contact will also enable a firm to address any concerns the front-line staff may have about any proposed transaction, which can reduce the number of suspicions.  Transactions conducted on-line, for example, remove the human element and firms must therefore build a degree of artificial intelligence and monitoring over such activity that would produce the same or better results.

Figure 10 demonstrates how a firm may adopt a simple rating scale to identify the risks associated with the interface risk.

        R42          Firms must document how they mitigate or reduce the risks posed by each of the delivery mechanisms through which their product(s) are delivered.

6.2.3.1          Face to Face (S10I)

It is recognised that where a customer makes face-to-face contact with a firm, this may be perceived to lower the risk to the firm.  Not only does this present an opportunity for the firm’s staff to verify that the likeness of the person in front of them physically matches that of the documents being presented to support this but is also an opportunity for staff to identify any inconsistencies, etc. 

Where the customer also has to give instructions in person, e.g. by having to present a pass-book or produce identity before a transaction takes place, the potential risk to the firm is considerably reduced.

6.2.3.2          Non-face-to-face

Any mechanism through which the customer is allowed to interact with a firm in a non-direct manner increases the firm’s exposure to risk.  Not only does this allow third parties to have access to assets or property through impersonation, but it also allows the true owner of that property to be disguised by, for example, the provision of false identification documentation.

!        Firms must put into place systems of control that appropriately address the risks posed by non-face to face contact for customers either at the opening of the business relationship or through the operation of that relationship. 

        R43          Additional controls are required in respect of non face-to-face customers; for example, applying one or more of the following measures of control:

a.       Ensuring that the customer’s identity is established by additional documents, data or information; or

b.      Supplementary measures to verify the documents supplied, or requiring an eligible introducer to certify the customer identification documents; or

c.       Ensuring that the first payment of the operation is carried out through an account in the customer’s name at a credit institution[10]; or

d.      Landline telephone contact with the customer on a number which has been verified; or

e.       Sending information or documents required to operate the business relationship to a physical address that has been verified.

A common mechanism adopted by many firms is to permit the use of certified customer identification documents provided in lieu of having had sight of the originals.

        R44          In drawing up the list of persons approved to certify identification documents for a firm, the Money Laundering Reporting Officer (MLRO) will need to provide documentary evidence of the following:

(a)     That the person;

i.       adheres to ethical and/or professional standards; and

ii.      is readily contactable; and

iii.     exercises his or her profession or vocation in a jurisdiction with effective anti-money laundering measures; and

(b)     The MLRO has obtained senior management agreement to permit such a person to certify documents for these purposes.

!        There is obviously a wide range of documents which might be provided as evidence of identity. It is for each firm to decide the appropriateness of any document in the light of other procedures adopted. However, particular care should be taken in accepting documents which are easily forged or which can be easily obtained using false identities.

6.2.3.3          Introducers (S10N)

        R45          The ultimate responsibility for meeting the customer identification requirements for introduced business  lies with the senior management of the firm[11].

Every institution must retain adequate documentation to demonstrate that its KYC procedures have been properly implemented, and that it has carried out the necessary verification itself.

There are, however, certain circumstances in which it may be possible for institutions to rely on KYC procedures carried out by third parties. Whereas the procedures listed below refer to the obtaining and verification of original documentation:

        R46          None of the provisions for dealing with introducers exempt institutions from the requirement to have copies of all documentation in their possession, or to have ready access to the original documentation.

Introductions from Intermediaries

        R47          Where a business relationship is being instituted the institution is obliged to carry out KYC procedures on any  client introduced to it by a third party unless the third party is an eligible introducer able to provide the institution with copies of all documentation required by the institution’s KYC procedures. 

        R48          To be an eligible introducer, a third party must meet ALL FOUR of the following conditions;

a.       it must be regulated by the FSC, or an equivalent institution if it carries on business outside Gibraltar,

b.      it must be subject to the 3MLD or equivalent legislation,

c.       it must be based in Gibraltar or a country which has an effective AML and CFT regime, and

d.      there must be no secrecy or other obstacles which would prevent the Gibraltar firm from  obtaining the original documentation if necessary.

!        A firm must be able to demonstrate, for each person that they have defined as an “eligible introducer”, how the above four conditions are met.

In Gibraltar, “eligible introducers” would be all persons caught by these Guidance Notes who are subject to the FSC’s regulatory regime.  Essentially all persons listed in 2.1 with the exception of Bureau and Money Transmission agents, as KYC requirements are only required in these cases for one-off transactions of €15,000 or above.  Firms should be aware, however, that similar activities conducted outside of Gibraltar may not meet all the requirements stated above, particularly as some activities are regulated by professional bodies and not by a public or quasi public regulatory body.

Where an introducer satisfies the definition of eligible introducer, a firm may place reliance upon the KYC procedures of the eligible introducer, and simply obtain copies of the relevant documentation rather than be required to see the original documentation. Exemptions for postal applications do not apply in these circumstances.

Where reliance is to be placed on an eligible introducer, the introducer must complete and return to the firm, the certificate in Appendix 5 – Introducer Certificates.  Copies of all the necessary documentation must also be immediately supplied. The documentation must be the same as the firm would require to satisfy its own KYC procedures.  A business relationship may not be commenced until the completed Introducer’s Certificate has been received together with the copies of the required documentation.

Introduction of One-Off Transactions from Overseas

Where an applicant for business who is effecting a one-off transaction is introduced by an overseas branch or subsidiary in the same group as the firm, or by another EU financial institution, or a regulated institution from a country with an effective AML/CFT regime, Section 14(1)(a-c) provides that the institution need not verify identity even if the transaction exceeds €15,000, as long as the introducer has provided the name of the customer and given the firm a written assurance that evidence of identity has been taken and recorded. This assurance can be given separately by the introducer for each new customer, or by way of a written general assurance. However, the Section 14(1)(c) exemption is only applicable provided condition (ii) of 14(1)(c) is fulfilled, namely that there are reasonable grounds for believing that the non-Gibraltar introducer:

·         acts in the course of a business in relation to which an overseas regulatory authority exercises regulatory functions; and

·         will supply, upon request, the underlying identification documents without delay; and

·         is based, or incorporated in, or formed under the law of, a country other than an EU member state in which there are in force provisions at least equivalent to those required by 3MLD, particularly in respect of verification of identity and record keeping; or

·         operates under a rigorous group policy in accordance with Gibraltar standards and provides some form of group introduction certificate that evidence of identity has been taken and recorded.

!        A firm must be able to demonstrate that these four conditions have been met.

This exemption applies only to one-off transactions. If the person being introduced is forming a business relationship with the firm, then the firm must obtain the evidence of identity.

6.2.3.4          Intermediary’s Client Accounts (S10G(4))

An intermediary is different from an introducer. 

An intermediary plays an active role in the financial affairs of the underlying customer, for example, a stock broker whereas the function of an introducer is merely to introduce business to a firm.  The distinction is very important when considering the requirements under these Notes.

Stockbrokers, fund managers, solicitors, accountants, estate agents and other intermediaries frequently hold funds on behalf of their clients in "client accounts" opened with institutions. Such accounts may be pooled or omnibus accounts holding the funds of many clients, or they may be opened specifically for a single client or for a number of clients, either undisclosed to the firm or identified for reference purposes only.

Generally, the applicant for business will be the intermediary and there is no requirement to look behind that but in certain circumstances, the Sections require the firm not only to verify the identity of the intermediary, but also to look through him to his underlying clients[12]. The Sections in this area are complex. Basically, there are four scenarios:

i         The intermediary is itself a regulated Gibraltar or EU financial institution and thus subject to the Sections and/or the Directive. In this case the institution need concern itself only with its immediate customer - the intermediary. Client accounts opened by stockbrokers, fund managers and other financial intermediaries that are covered by the Sections or Directive for all their activities therefore need not be investigated further.

ii        The intermediary is itself a firm of EU solicitors or accountants but subject to the Sections only in respect of their relevant financial business. Client accounts held by institutions for solicitors and accountants will generally be pooled or omnibus accounts, and will contain funds connected with activities that are not relevant financial business. Verification of the identity of the underlying clients related to these transactions will not have been undertaken in accordance with the Sections. Protection under legal privilege precludes institutions from securing any information about the underlying clients. Similarly, an accountant's professional code of conduct will generally preclude the firm  from divulging information to institutions concerning their underlying clients. It will therefore not be possible for an institution to establish the identity of the person(s) for whom a solicitor or accountant is acting. However this need not preclude an institution from making reasonable enquiries about transactions passing through client accounts that give cause for concern, or from reporting those transactions if suspicions cannot be allayed. In the event that a money laundering enquiry concerns a client account, the law enforcement agencies will seek information directly from the intermediary.

iii       The intermediary is a regulated financial institution from a country that is outside the EU but has an effective AML/CFT regime. The Sections specify that in such a case, the requirement to take reasonable measures can be satisfied by obtaining from the account holder a general undertaking in writing that he has obtained and recorded evidence of the identity of any client whose funds he deposits in the account.

iv        The intermediary is from a country without an effective AML/CFT regime.  Where the intermediary is not from a jurisdiction with an effective AML/CFT regime it is clear that the exemptions provided for in Section 10G of the Crime (Money Laundering and Proceeds) Act do not apply and, as a result, there is a requirement to verify the identity of the underlying customers.  The firm may not rely on the general assurance from the intermediary that KYC has been conducted by them.

        R49          In order to meet the criteria in paragraphs (i) to (iii) above the firm will need to establish and demonstrate that;

·         The intermediary is conducting a relevant financial business[13]; and

·         It is supervised for that activity[14]; and

·         It is based, or incorporated in, or formed under the law of, a country other than an EU member state in which there are in force provisions at least equivalent to those required by 3MLD, particularly in respect of verification of identity and record keeping[15]; and

·         That the underlying identification documentation can be made available immediately, upon request[16].

6.2.3.4.1          Client accounts operated by regulated firms

!     Client accounts operated by regulated firms are those operated by regulated firms on behalf of a customer, a client company or pooled clients. For these, firms must ensure that due diligence information is sought and maintained on all persons who are signatories to client accounts.

A bank account opened in the name of the client company but whose signatories are the firm’s own corporate director companies is not subject to any form of exemption from the due diligence requirements.

In the case of pooled client accounts these are subject to various provisions regarding their operation by the regulated firm itself. There is no requirement to conduct due diligence on every client for which transactions are put through the pooled client account (which should be treated as if it were an account to which 6.2.3.4(i) above applies). However, because of the very nature of a pooled client account, it would be extremely unusual for it to become overdrawn. Where unusual activity occurs this need not necessarily trigger a suspicion but would require that additional monitoring and investigation be conducted of the transactions that led to the unusual event taking place. Should the investigations and enquiries made not prove satisfactory then a report as required under Chapter VIII should be made.

6.2.3.5          The “Postal” Concession

Where a customer would normally be required to produce evidence of identity before transacting business (whether directly or introduced by an intermediary). 

!        Where it is reasonable in all the circumstances for payment to be made by post, or electronically, or for the details of the payment to be given by telephone, then if payment is to be made from an account held in the customer's name (or jointly with one or more other persons) at an authorised financial or credit institution, identification requirements may be waived.

The postal concession can be used without additional identity verification for mail-shot, off the page, coupon business, or business placed over the telephone. However, in such cases a record should be maintained indicating how the transaction arose and detailing the Gibraltar or EU authorised credit institution's details and the number of the account from which the cheque or payment is drawn.

Whilst a payment can be made directly between accounts with credit institutions or by cheque or debit card, the accepting institution must be able to confirm that the account is held in the sole or joint name(s) of the investor. (Payments to or from a joint account, where only one party is involved in the transactions, are not regarded as third party payments.) 

If a firm relying on the concession has grounds to believe that the identity of the customer has not previously been verified by the credit institution on which the payment has been drawn, then taking a risk-based approach, additional measures to verify identity must be sought.

        R50          The concession for postal/coupon business does not apply where;

a.       initial or future payments can be received from third parties;

b.      cash withdrawals can be made, other than by the investors themselves on a face-to-face basis where identity can be confirmed, e.g. passbook accounts where evidence of identity is required for making withdrawals;

c.       redemption or withdrawal proceeds can be paid to a third party or to a bank account that cannot be confirmed as belonging to the investor, other than to a personal representative named in the Grant of Probate or Letters of Administration on the death of the investor.

        R51          The following repayment restrictions must exist for the postal concession to apply:

a.       repayments made to another institution must be subject to confirmation from the receiving firm that the money is either to be repaid to the investor or reinvested elsewhere in the investor’s name;

b.      repayments made by cheque must be sent either to the named investor’s last known address and crossed “account payee only”, or to the investor’s bank with an instruction to credit the named investor’s account;

c.       repayments via BACS should ensure that the stipulated account is in the name of the investor;

It should not be possible to change the characteristics of products or accounts at a future date to enable payments to be received from, or made on behalf of, third parties.

6.2.3.6          On-line and internet access

On-line payment systems, internet access to operate accounts and web-based marketing and promotion have significantly increased the risks of money laundering to any firm offering such services.

The risks increase from the lowest for an “image advertisement web-page” through to the highest where the firm allows customers to make payments to third parties etc.

Some firms may permit the establishment of the business relationship to be conducted entirely through the use of the internet. 

        R52          Where a firm relies on electronic verification of customer identification documentation,  its records must clearly demonstrate the basis on which these were effected and these must be in accordance with the risk-based approach and other requirements of these Notes.

        R53          Where a firm permits payment processing to take place via on-line services, these must be subjected to the same monitoring requirements as the rest of the activities of the institution and to the same risk-based methodology.


 6.2.4          Country Risk

Country risk is used to describe the risk posed to the firm by the geographic provenance of the economic activity of the business relationship.  This is wider than just the country of residence of the customer and will, for example, include where the client company is trading.

        R54          Firms must assess and document the risks posed by different countries and territories, or classes of countries and territories, and what additional systems of control they will implement to mitigate these risks.

Appendix 4 – Countries and territories with equivalent legal frameworks or those requiring enhanced due diligence contains various lists which can assist a firm in taking a view as to the equivalence of a jurisdiction or when enhanced due diligence needs to be conducted on business emanating from certain jurisdictions.  Figure 11 demonstrates how a firm may use this information to produce a risk rating scale to address country risk.

6.2.4.1          The “Effectiveness” test

The Notes make a number of references to countries or territories which operate an effective AML/CFT regime.  Business emanating from these jurisdictions carries a lower risk as it is inferred that these have already been subjected to stringent measures and systems of controls that will have addressed the money laundering or financing of terrorism risks.

Conversely, doing business with a country which does not have an effective AML/CFT regime increases the risk to the firm that the customer’s business may be involved in illicit activities.

Firms, however, need to take their own view on how the effectiveness test will be conducted.  It is anticipated that with the transposition, across the EU, of the 3MLD that the Commission will produce a list of such countries and the criteria under which this assessment will be made[17].  Until such a time, the following guidance is provided to firms operating under these Notes.

        R55          In making a determination of an effective AML/CFT regime the following three  factors have to be taken into consideration:

·         Legal Framework

·         Enforcement and Supervision

·         International Co-operation

6.2.4.1.1          Legal Framework

Given that each country will transpose AML/CFT requirements in accordance with their own judicial and legal systems there is no one legislative model against which it would be possible to verify that effective legislative provisions to those of Gibraltar have been included in that country’s statute books.

!        However, it is generally accepted that all countries within the EU will transpose the provisions of the 3rd Money Laundering Directive (2005/60/EC) to the same standard as in Gibraltar.  It can therefore be assumed that all EU member States can be deemed to meet the effectiveness test in respect of the legal framework.

!        Firms need to take into account that some of the more recent members of the EU may not have given effective transposition to the Directive and may have merely given legislative effect to its requirements.  For this reason, firms will also need to consider the FATF and IMF reports on how each country has given effect to the legal framework.

Guernsey, Jersey and the Isle of Man are not part of the European Union, or the Financial Action Task Force. All three dependencies have introduced all-crimes anti-money laundering measures to supplement their previous drugs-related anti-money laundering legislation and financial sector procedures. The measures introduced are in line with those operating in Gibraltar.

6.2.4.1.2          Enforcement and Supervision

The effectiveness of the judicial, law enforcement and administrative functions is a crucial element of  as without the proper enforcement of the legal provisions the legislation is ineffective.

In order to assist firms in taking a view of the effectiveness of a jurisdiction’s enforcement and supervisory powers both the FATF and IMF publish regular reports on the evaluation of a jurisdiction’s compliance with the FATF recommendations.

These reports are available on-line and should be subject to review by a firm in order to assess the risk posed to the firm.  These reports can be downloaded from the following addresses;

          FATF Reports    :           http://www.fatf-gafi.org

          IMF Reports      :           http://www.imf.org/external/country/index.htm

6.2.4.1.3          International Co-operation

An essential requirement in combating money laundering and the financing of terrorism is that law enforcement agencies are able to co-operate fully and extensively.  Launderers and terrorist financers will therefore seek jurisdictions where this lack of cooperation assists their aims. 

        R56          Firms must guard against customers or introductions from countries where the ability to co-operate internationally is impaired either via failings in the judicial or administrative arrangements and subject these business relationships to enhanced due diligence requirements.   

        R57          FATF maintain a list of Non-Cooperative Countries and Jurisdictions (see Appendix 4 – Countries and territories with equivalent legal frameworks or those requiring enhanced due diligence).  Firms must take additional measures  with transactions  of business relationships whose source of funds derives from NCCT or sanctioned countries and territories.

!        Firms must, however, ensure that they understand the basis under which a country has been removed from the list as it may be the case that the removal is based on an undertaking to correct deficiencies as opposed to actual correction of the deficiency.

6.2.4.2          Countries with a high propensity for corruption

        R58          Firms whose policy includes the acceptance of Politically Exposed Persons (PEPs) as customers need to take additional measures to mitigate the additional risk that the firm is exposed to from such persons originating in countries with a high propensity for bribery and corruption.  This includes:

a.       conducting and documenting an assessment of the countries which are more vulnerable to corruption; and

b.      the application of additional monitoring over customers from high risk countries whose line of business is more vulnerable to corruption (e.g. oil or arms sales).

Transparency International publishes a Corruption Perception Index which is available at www.transparency.org.  This publication may be a useful reference to firms in assessing the risk of corruption posed by different countries.

6.2.4.3          Sanction Countries

In addition to the above, a number of countries and territories, as well as undertakings and individuals connected to them, are subject to sanctions and other measures which require institutions to take action to prohibit:

§         the export of goods to those countries or territories

§         the transfer of technology

§         the facilitation of technical assistance

§         the facilitation of funds.

 

In certain circumstances, institutions are required to freeze funds from designated undertakings and/or individuals.

As the legislation prohibits the above unless a licence has been granted, institutions may find themselves participants in arrangements which breach these provisions, through the activities of their customers, and as such must take the necessary measures to ensure that these sanctions are not being breached.

These restrictions are imposed under the Export Control Act 2005 and various Orders made thereunder.  At present the Orders that are in force are:

§         Export Control (Sanctions Etc) Order 2005 and

§         Export Control (Sanctions Etc) Order 2006.

 

For country specific data please refer to Appendix 4 – Countries and territories with equivalent legal frameworks or those requiring enhanced due diligence.

 

Further legislative provisions exist which impose restrictions on carrying out transactions with Countries/Territories and designated undertakings and/or individuals.  For example,

 

§         The Federal Republic of Yugoslavia (Freezing of Funds and Prohibition on Investment) Regulations, 1999,

§         Burma (Freezing of Funds and Economic Resources) (no.2) Regulations 2005.

 

Institutions should ensure that the provisions of these statutory instruments are not being breached through the activities of their customers.




[7] Article 3(8) of 3MLD

[8] Article 11(1) of 3MLD

[9] Article 11(5)(d) of 3MLD

[10] Article 13(2) of 3MLD

[11] Article 14 of 3MLD

[12] Article 11(2)(b) of 3MLD

[13] Article 16(1)(a) of 3MLD

[14] Article 16(1)(b) of 3MLD

[15] Article 16(1)(b) of 3MLD

[16] Articles 17 & 18 of 3MLD

[17] Article 40(1) of 3MLD