FMA Guideline 2013/1 on the risk-based approach under due diligence law

Transcription

1 non-official translation FMA Guideline 2013/1 on the risk-based approach under due diligence law Guideline on the risk-based approach under the Law on Professional Due Diligence for the Prevention of Money Laundering, Organised Crime and Financing of Terrorism (Due Diligence Act; DDA) and the associated Due Diligence Ordinance (DDO). Reference: FMA Guideline 2013/1 Addressees: Publication: Persons subject to due diligence under Article 3(1) and (2) of the Due Diligence Act FMA website Issued: 4 March 2013 Entry into force: 4 March 2013 Last updated: 15 November 2017 Legal foundations: Article 2(1)(h) DDA in conjunction with Article 2 DDO Article 3(1) and (2) DDA Articles 5 to 7a DDA in connection with Articles 6 to 11a DDO Article 8 DDA in conjunction with Article 20 DDO Article 9 DDA in conjunction with Article 22 DDO Article 9a DDA in conjunction with Article 22a DDO Article 10 and Annex 1 DDA in conjunction with Article 22b DDO Article 11 and Annex 2 DDA in connection with Articles 2, 21, and 23 DDO Article 20 DDA in connection with Article 27 DDO Article 21 DDA in connection with Articles 30 et seq. DDO Article 14 DDO Article 18(2) and (3) DDO Article 23a DDO in conjunction with Annex 4 DDO Annex Landstrasse 109 Postfach Vaduz Liechtenstein Telefon Telefax info@fma-li.li

2 Contents 1. General remarks What does the risk-based approach mean? How should the risk-based approach be put into practice? Risk assessment under Article 9a DDA General remarks Content of the risk assessment Step 1: Risk analysis taking into account the relevant risk factors Factors for risk categorisation to be taken into account in particular (non-exhaustive list): Risk-reducing factors Risk-increasing factors Digression: Geographical factors Higher risks List A Lower risks List B List C Step 2: Assignment of business relationships and transactions to the risk categories Step 3: Definition of effective internal control and monitoring measures to reduce risks Examples of additional measures Documentation and updates of risk assessment Transitional provision Due diligence obligations Regular due diligence Requirements for identifying and verifying beneficial owners Requirements for the business profile General requirements Updates of business profile Plausibility check of information and documentation Requirements for monitoring the business relationship Media monitoring Transaction monitoring Simplified due diligence Enhanced due diligence Examples of risk categorisation and risk weighting Automatic cases of higher or high risks Politically exposed persons (PEPs) Former PEPs Correspondent banking relationships Complex structures and transactions States with strategic deficiencies Business Relationship Risk Assessment Tool for Service Providers for Legal Entities More information on the risk-based approach / 26

3 7. Amendments Entry into force Annex / 26

4 1. General remarks This Guideline is addressed to all persons subject to due diligence under Article 3(1) and (2) DDA and is intended to support them in implementing the risk-based approach in practice. Due to their activities, all persons subject to due diligence are exposed to a certain risk of being abused for purposes of money laundering or terrorist financing. In addition, their function and activities also enable them to identify suspicious factors in connection with the aforementioned risks. Consequently, due diligence in practice constitutes a central element of the system for preventing money laundering and terrorist financing. The risk-based approach, which is already well known in practice, has been continuously developed and expanded over the past few years with the specific aim of combating money laundering and terrorist financing and therefore plays an essential role. In short, implementation of the risk-based approach means that all addressees of this Guideline must identify and assess the risks to which they are exposed in the area of money laundering and terrorist financing and, based on the risks identified, take corresponding concrete and abstract measures to deal with the risks appropriately. Due to the individualised nature of the risk-based approach, no definitive rules can be established that cover all details. However, the Guideline does reflect the expectations of the FMA in connection with the practical approach to be taken by persons subject to due diligence. It also provides, as far as possible, "benchmarks" within which each individual approach must be designed, based on the individual risk exposure. 2. What does the risk-based approach mean? The risk-based approach is designed to ensure that measures to combat money laundering and terrorist financing are consistent with the identified risks. The available resources must be used in a targeted manner. Consequently, the greatest attention must also be paid to the area with the greatest risks. The effort involved in the fulfilment of due diligence obligations must therefore be proportionate to the potential risk. Implementation of the risk-based approach i.e. the concrete approach taken in practice is the responsibility of each person subject to due diligence and therefore requires that all persons subject to due diligence act on their own responsibility. Action must therefore be based on the nature of the person's business as well as the products and services offered, the business or client structure, and the associated risk potential. In addition, the risk-based approach is a flexible instrument for effectively combating the above-mentioned risks. This is the only way to respond effectively and quickly to changing trends and methods in the field of money laundering and terrorist financing. Consequently, both the underlying risk assessments and the associated measures must be appropriate to the current situation. 3. How should the risk-based approach be put into practice? The risk-based approach can be found in various parts of due diligence law and has to be implemented by all persons subject to due diligence. The most important provisions of the due diligence law in connection with the risk-based approach are described in detail below. 4 / 26

5 4. Risk assessment under Article 9a DDA 4.1 General remarks The starting point for the implementation of the risk-based approach is the risk assessment conducted by the person subject to due diligence, which was newly introduced in 2017 as part of the revision of the Due Diligence Act (Article 9a DDA). According to this provision, the persons subject to due diligence must determine and assess the risks confronting them in respect of money laundering and the financing of terrorism. This requirement largely corresponds to the previously existing obligations with regard to individual risk categorisation. The risk assessment must be carried out individually by each person subject to due diligence. A general risk assessment for an entire industry or professional group is generally not sufficient due to the heterogeneity of the persons subject to due diligence and the clients. The reason for this is that even within a professional group, different business models are used or the client base is different. Only in exceptional cases, in which the general sectoral risk is considered to be low in principle, does the FMA consider a sector assessment to be sufficient. 4.2 Content of the risk assessment The risk assessment includes an individual risk analysis. Based on this risk analysis, the business relationships and transactions must then be classified according to the determined risk. In addition, appropriate internal measures must be defined in order to adequately counter the identified risks. First of all, persons subject to due diligence must prepare an individual risk analysis. This means that the products and services offered with specific reference to the use of new technologies as referred to in Article 9(2) DDA as well as the individual client structure of the person subject to due diligence must be analysed. Annexes 1 and 2 of the Due Diligence Act must be taken into account in the risk analysis. Furthermore, the relevant risk factors from the corresponding Risk Factors Guidelines of the European Supervisory Authorities (JC GL 2017/37) are to be used at the latest as of their entry into force on 26 June 2018 (see also the relevant FMA communications referring to the ESA guidelines as of their entry into force: With regard to the use of the ESA Risk Factors Guidelines, it should be noted that both the general chapter and the relevant sectoral chapter must be taken into account. Where there are discrepancies between the ESA Risk Factors Guidelines and this FMA Guideline, the requirements of the FMA Guideline take precedence in their capacity as the country-specific implementation of the ESA Guidelines. In addition, the relevant sectoral and product risks determined as part of the national risk analysis must also be taken into account once the analysis is published. Depending on the time of the first publication of the national risk analysis, the national risk analysis must be taken into account in the risk assessment no later than one year after it is published. The same applies to the publication of changes to the national risk analysis. Once the risk analysis has been carried out, the individual business relationships and transactions must then be classified according to the identified risks so that it is clear to the persons responsible (e.g. client advisor, compliance, auditors, etc.) which measures are to be taken in each individual case. Based on the risk analysis, suitable internal control and monitoring measures must also be defined to reduce these risks. On the one hand, these measures both simplified and enhanced relate to the scope of fulfilment of due diligence obligations (e.g. scope of the business profile, scope and frequency of updating of the documentation, the level of threshold values for monitoring etc.), and on the other hand to 5 / 26

6 the specific design of the internal organisation (e.g. scope of internal instructions, naming of different persons for internal functions, etc.). The concrete design and, above all, the scope and level of detail of the risk assessment must be proportionate to the nature and size of the person subject to due diligence. In concrete terms, this means that the risk assessment of those persons subject to due diligence which, for instance, have very few or no employees and only a few clients or offer few services can be reduced to a minimum. In this sense, the FMA's expectations regarding the scope and degree of detail of risk assessment, for example in banks and trust companies, are higher than in the case of other persons subject to due diligence such as insurance brokers, asset managers, persons trading in goods or real estate agents. The individual case is decisive. In exceptional cases, a sectoral assessment may be sufficient. 4.3 Step 1: Risk analysis taking into account the relevant risk factors (Annexes 1 and 2 DDA, ESA Risk Factors Guidelines, national risk analysis) First of all, the identification of potential risks is crucial in preparing the risk assessment. This involves determining which risk factors are relevant for the person subject to due diligence due to the business activity or business policy and client structure. Both risk-increasing and risk-reducing factors must be taken into account. Enhanced due diligence must be applied automatically in cases with higher risks as defined by law (Article 11(4) to (6) DDA). It is irrelevant in this regard whether the person subject to due diligence has identified factors and possible indicators of a potentially lower risk in the context of an individual risk assessment of the business relationship. In addition to the cases of higher risk defined by law, the persons subject to due diligence must in particular, when preparing the risk assessment, take into account the factors and possible indicators of a potentially lower risk and measures for the application of simplified due diligence set out in Annexes 1 and 2 of the Due Diligence Act, as well as on a supplemental basis the ESA Risk Factors Guidelines 1 (at the latest from their entry into force on 26 June 2018). Similarly, the results of the national risk analysis must be observed no later than one year after their publication. 1 The Risk Factors Guidelines of the European Supervisory Authorities must be applied by the EU/EEA countries. As is the case for all guidelines of the European Supervisory Authorities, the "comply or explain" principle applies, which is why the FMA must notify the three European Supervisory Authorities of compliance. 6 / 26

7 Neither the annexes to the Due Diligence Act nor the factors contained in the ESA Risk Factors Guidelines are exhaustive. Moreover, not all factors are relevant for all sectors. The FMA therefore expects that, in order to ensure an appropriate implementation of the risk assessment, both the general factors and those relevant to the sector are taken into account appropriately in the risk assessment. Further consideration of additional factors that go beyond the ESA and FMA specifications is therefore not absolutely necessary. In addition to an overall consideration of the risk factors, an appropriate risk weighting must also be carried out in the risk analysis. As a rule, a single risk factor on its own does not require assignment to a higher or lower risk category; in each case, the overall assessment is relevant. In general, the relevant risk factors are divided into the following four main categories, which must be taken into account when preparing the risk assessment: client-specific factors; product-related factors; distribution-related factors; and geographical factors Factors for risk categorisation to be taken into account in particular (non-exhaustive list): Risk-reducing factors Domicile of all beneficial owners and any recipients of a distribution under Article 7a DDA or beneficiaries under Article 7b DDA in an EU/EEA Member State or in a third country with low geographical risk (see "Digression: Geographical factors"); registered office of the fund's depositary in an EU/EEA Member State or equivalent third country (see FMA equivalence list); no involvement of legal entities serving private asset management; frequent contact with the effective contributor of assets or beneficial owners; no involvement of sensitive sectors; minor value assets; 7 / 26

8 low annual transaction volume; extensive information on the purpose, background, and beneficial ownership of the business relationship; use of specific products or services such as: o pension schemes, o pension plans, or o financial inclusion products; establishment or representative office in the countries of domicile of the beneficial owners or employees from the respective regions who have the necessary language skills as well as the necessary political, sociocultural, and regulatory background knowledge about the countries of origin of the beneficial owners Risk-increasing factors Domicile of a beneficial owner, a recipient of a distribution under Article 7a DDA, or a beneficiary under Art. 7b DDA in a third country with higher geographical risk (see "Digression: Geographical factors"); registered office of the fund's depositary outside the EU/EEA area or in a non-equivalent third country (see FMA equivalence list); involvement of legal entities serving private asset management; rare contact with the effective contributor of assets or beneficial owners; involvement of sensitive sectors such as: o commodities sector, o gambling sector, o arms sector, or o generally cash-intensive sectors; high value assets; high annual transaction volume; cash-intensive business relationship; limited information on the purpose, background, and beneficial ownership of the business relationship; use of specific products or services such as: o bearer securities, o nominee functions, o individual signatory rights of external third parties at governing body level and/or bank level (from the perspective of persons subject to due diligence under Article 3(1)(k) DDA), or o special and/or general powers of attorney (from the perspective of persons subject to due diligence under Article 3(1)(k) DDA). 8 / 26

9 4.4 Digression: Geographical factors Higher risks Annex 2 Section A(c) of the Due Diligence Act lists geographical factors and possible geographical indicators of a potentially higher risk. These cover: states with strategic deficiencies (Article 2(1)(u) DDA) and other states identified by credible sources, such as mutual evaluations, detailed assessment reports, or published follow-up reports, as not having adequate systems for the prevention of money laundering and terrorist financing; third countries identified by credible sources as having significant levels of corruption or other criminal activity; countries that are subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations; countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country. In assessing geographical risk, it is particularly important to consider the domicile of the beneficial owners, the recipients of a distribution under Article 7a DDA, and the beneficiaries under Art. 7b DDA (see Annex 2 Section A(a)(2) DDA). In connection with the above-mentioned geographical risks, the FMA refers in particular to the following publications: Transparency International Corruption Perceptions Index (the FMA assumes a higher risk for third countries with a score of less than 50 points) List of states affected by UN or EU sanctions FATF high-risk and non-cooperative jurisdictions (states with strategic deficiencies) (see also Annex 4 DDO) Terrorist safe havens US Department of State List A (higher geographical risks according to Annex 2 Section A(c) DDA) The FMA provides the persons subject to due diligence with a list of states which consolidates the abovementioned publications. This list is updated when warranted: List A (higher geographical risks according to Annex 2 Section A(c) DDA) Lower risks Annex 1 Section A(c) of the Due Diligence Act lists geographical factors and possible geographical indicators of a potentially lower risk: EEA Member States; third countries identified by credible sources as having a low level of corruption or other criminal activity; third countries which, on the basis of credible sources such as mutual evaluations, detailed assessment reports, or published follow-up reports, have requirements for the prevention of money laundering and terrorist financing consistent with the 2012 FATF Recommendations and effectively implement those requirements. Here again, the domicile of the beneficial owners, the recipients of a distribution under Article 7a DDA, and of beneficiaries under Article 7b DDA must be taken into account (see Annex 1 Section A(a)(3) DDA. 9 / 26

10 List B (FMA list of third countries whose requirements are consistent with the 2012 FATF Recommendations and which effectively implement those requirements) Taking into account the country assessments conducted by the FATF and the FATF-style regional bodies (in Q1/2018), the FMA issues a list of those third countries which can be assumed to have well-functioning systems for the prevention of money laundering and terrorist financing or whose requirements for the prevention of money laundering and terrorist financing are consistent with the 2012 FATF Recommendations 2012 and where these requirements are effectively implemented (cf. Annex 1 (A)(c)(2) and (4) DDA). In the case of third countries that are on this list but have a higher risk of corruption or terrorist financing or are affected by sanctions, embargoes, or similar measures, an overall assessment of the risks must be made (example: State X is on the equivalence list, but has a higher risk of corruption according to the Corruption Perceptions Index). In these cases, the existence of the latter risks (corruption risk, terrorist financing risk, sanctions) will generally be more important than the fact that the requirements for the prevention of money laundering and terrorist financing in the state concerned are consistent with the 2012 FATF Recommendations and that these requirements are effectively implemented in accordance with the country assessment reports. If a person tries to abuse a Liechtenstein financial intermediary for the purpose of money laundering or terrorist financing, it is evidently not the weak points in the prevention of money laundering and terrorist financing in the person's country of residence (identified in the country assessment reports) that are exploited, but rather potential weak points in the country in which that person is trying to establish a business relationship. Against this background, compliance with international standards in the country of residence is usually of secondary importance. A potentially low or potentially higher risk of corruption, terrorist financing, or other criminal activities, as well as sanctions and embargoes in the country of residence, must therefore be given greater weight overall. On the other hand, the FMA assumes that the automatic exchange of information in tax matters (AEOI) significantly increases the transparency of legal entities and accounts of which natural persons are beneficial owners, thus reducing the potential for abuse of money laundering and terrorist financing to a certain extent. From the FMA's point of view, therefore, it can be considered a risk-reducing circumstance if all beneficial owners of a business relationship are disclosed in accordance with the definition of beneficial owner according to Level 2 in the context of automatic exchange of information (AEOI) (this presupposes that the respective countries of residence are AEOI partner countries). Persons subject to due diligence are free to decide whether they want to take account of this risk-reducing factor risk-reducing factors may be taken into account, while risk-increasing factors must be taken into account List C (FMA list of equivalent third countries) In addition to the aforementioned List B, the FMA publishes a separate List C (in Q1/2018), which is relevant for assessing the equivalence of third countries only in the following cases: Article 14(1)(b) DDA (delegation), Article 24a DDO (outsourcing), Article 9(b) DDO (confirmations of authenticity), and Article 22b DDO (simplified due diligence for funds) The main difference to List B is that, in the above-mentioned cases, the persons subject to due diligence may rely on List C irrespective of any other geographical risks (e.g. risk of corruption). 10 / 26

11 The applicability of delegation rules, simplified due diligence for funds, and the other above-mentioned provisions is therefore not called into question by the existence of other geographical risks. According to the wording of the above-mentioned provisions (delegation, outsourcing, confirmations of authenticity, funds), the assessment of equivalence must be based solely on whether both the due diligence and record-keeping requirements as well as the supervision meet the requirements laid down in the 4th EU Anti-Money Laundering Directive. Should a country classified as equivalent be removed from the equivalence list at a later date, Article 22b DDO may no longer be used only in the case of new fund subscriptions. However, this change does not mean that existing fund subscriptions by institutions from that third country must be processed in accordance with the normal due diligence requirements. Until publication of List C (in Q1/2018), the persons subject to due diligence may continue to make reference to the third countries named in FMA Communication 1/2012: FMA Communication 1/ Step 2: Assignment of business relationships and transactions to the risk categories In order for the risk assessment to be applicable in practice, persons subject to due diligence must assign the individual business relationships and transactions to the identified risks. This classification must be made by means of a risk categorisation system. Only through such categorisation and classification or labelling of the business relationships can the responsible employees apply the measures envisaged in the risk assessment. The risk categorisation is intended to ensure a sensible implementation and application of the risk-based approach and must therefore include a gradation so that it does not miss the mark. A single risk category for all business relationships makes no sense and runs counter to the basic idea of the risk-based approach. In addition, the legislative power has already defined the category of higher risks, which in practice must be distinguished from "regular risks" in terms of the measures to be applied. This makes clear that the enhanced measures must be applied in addition to the regular measures. The determination of the number of categories is left to the persons subject to due diligence. The more risk categories are defined, the better the individual measures can be tailored to the respective risks. There can be no category with "zero risk". In this context, the FMA recommends in general that four categories be selected as follows: Low risks (simplified due diligence, Article 10 DDA) Normal risks (regular due diligence) Higher risks (enhanced due diligence under Article 11(1) DDA, individual risks) High risks (enhanced due diligence obligations under Article 11(4) to (6) DDA, automatic cases of enhanced due diligence) It is the responsibility of the individual person subject to due diligence to further expand or limit the 4-stage categorisation proposed by the FMA, depending on the nature and scope of the business activity (e.g. higher and high risks may be combined into a single category). Documentation and implementation in practice of the categorisation must be traceable. The classification of individual transactions refers to those sectors that typically carry out only occasional transactions and to those for which the establishment of a business relationship is an exceptional case (e.g. persons trading in goods, agents of payment service providers, etc.). 11 / 26

12 4.6 Step 3: Definition of effective internal control and monitoring measures to reduce risks Based on the risk assessment, appropriate internal control and monitoring measures must then be defined in order to reduce the identified risks. This means that the individual due diligence obligations (Article 5(1) DDA) must be structured in a manner appropriate to the risk, and the plausibility check and documentation (Article 20 DDA) in connection with the fulfilment of due diligence obligations must correspond to the respective risk. Furthermore, the structure of the internal organisation must also take account of the individual risk (Article 21(2) DDA) Examples of additional measures Apart from the additional measures listed in Annex 2 Section B of the Due Diligence Act, the measures mentioned in the ESA Risk Factors Guidelines are also considered. Additional measures therefore generally include increased vigilance in dealing with the business relationship, more detailed monitoring of transactions, the application of stricter rules in identifying and verifying the identity of the contracting party and the beneficial owners (e.g. utility bill, confirmation of residence, inspection of supplementary deeds, receipt of assets via an EU/EEA or equivalent third country account, etc.), the application of stricter rules for verifying the origin or background of the assets contributed (e.g. tax return and other (third-party) supporting documents) and correspondingly more extensive documentation. In addition to this, see also the comments below on due diligence obligations Documentation and updates of risk assessment The risk assessment must be documented and kept up to date. It should be noted that the corresponding classification of business relationships and transactions must also take account of the current risk situation. It must therefore be checked periodically whether the risk assessment is up to date and whether the defined measures are appropriate. An update must be carried out at least every three years and, additionally, also in the case of relevant changes to the client structure or business activities of the person subject to due diligence, as well as in the case of new sector-specific results from the national risk analysis that are relevant for the risk assessment. The update based on the results of the national risk analysis must be carried out no later than one year after publication. The FMA understands a relevant change to the client structure or business activities to include, for example: a noticeable increase or decrease in (new) clients, usually from a specific country or region, in relation to the total number of business relationships; the provision of new products and services; but also considerably increased specific product/service requests from clients. The person subject to due diligence must therefore assess, based on practical experience, whether both the risk analysis and the defined measures and the classification of the business relationships are still up to date and appropriate. The form of the documentation (physical or electronic) is in principle left to the person subject to due diligence. The risk assessment can therefore be structured as part of the internal instructions or processed in another suitable internal document. What is decisive is that the documentation is designed in such a way that it enables expert third parties to make a reliable judgement about the individual risk situation of the person subject to due diligence and the associated measures. 12 / 26

13 In addition to the individual design of the due diligence obligations, the risk assessment also serves as a basis for inspections and must therefore be made available to the auditors when inspections are carried out. As part of the inspections, the risk assessment is checked both for compliance with the legal requirements and for appropriateness. It must be possible for a third party to trace which factors influence the overall risk assessment in which way Transitional provision In accordance with the transitional provisions of the Due Diligence Act (LGBl No. 161), the risk assessment pursuant to Article 9a DDA, including the associated classification of new business relationships, must be completed by 1 March All business relationships that already existed on 1 September 2017 (date of entry into force of LGBl No. 161) must be classified by 1 June Due diligence obligations In the Due Diligence Act, the risk-based approach is reflected in particular by distinguishing between regular, simplified, and enhanced due diligence. In the following, only those provisions are discussed which require interpretation in connection with due diligence. 5.1 Regular due diligence (Article 5 DDA) Fulfilment of the regular due diligence obligations is governed in principle by the Due Diligence Act (Articles 5 to 11 DDA) and the Due Diligence Ordinance (Articles 6 to 11a and Articles 20 to 23 DDO). However, on the basis of the experience gained in recent years, it has become clear that communication of the FMA's expectations is both meaningful and necessary in this area as well, in order to ensure appropriate application of the risk-based approach. 5.2 What are the requirements for identifying and verifying beneficial owners? (Articles 2(1)(e), 7, and 7a DDA in conjunction with Article 3 DDO) According to Articles 7 and 7a of the Due Diligence Act, the identity of the beneficial owner must be verified by means of risk-based and adequate measures. In individual cases, measures must be taken that are likely to persuade the person subject to due diligence as to who is the actual beneficial owner. In any case, the person subject to due diligence must understand and document the ownership and control structure of a business relationship. See also the explanations in FMA Communication 2015/7 2 on questions relating to the identification of beneficial owners under the Due Diligence Act. 5.3 What are the requirements for the business profile? (Article 8 DDA in conjunction with Article 20 DDO) General requirements The business profile is the basis for the continuous monitoring of a business relationship and must therefore contain sufficient information to ensure adequate monitoring. The business profile must contain at least the information required under Article 20 DDO and must take into account the individual circumstances and risks of a business relationship / 26

14 The degree of detail depends on the individual risk classification of the business relationship. This means that the higher the risk of a business relationship, the more information must be available about the business relationship. In any case irrespective of the risk the person subject to due diligence must, on the basis of the information provided, be able to identify any deviations or anomalies in relation to past experience with the client and the client's business relationship. In this context, the specific description of the economic background and the origin of the contributed assets plays a key role. Only a complete picture of the background of the business relationship enables the person subject to due diligence to identify connections with money laundering, predicate offences of money laundering, organised crime, or terrorist financing. In addition, the business profile must be sufficiently informative so that expert third parties for example within the scope of a due diligence inspection are also able to identify any anomalies in connection with executed transactions and so on after mere consultation of the business profile. The business profile must enable the person subject to due diligence to identify deviations or anomalies in relation to past experience with the client. For example, if it is possible to subsume every conceivable transaction under a business profile because the specifications in the profile are too generic, this is not sufficiently detailed. This is the case, for example, if an extremely indeterminate amount (e.g. CHF 50,000 to CHF 1 million) is stated with regard to the inflow/outflow of assets. As a general rule, it is certainly possible and useful to specify a certain bandwidth, provided that the profile is sufficiently informative in context. Accordingly, the bandwidth provided must also be sufficiently informative. In any case, it is crucial that the expected inflows and outflows are in line with the economic background of the contributor of the assets and with the information in the profile. Overly general information about the intended use without further specification (e.g. "expenses") is also considered too indeterminate. Information about the origin of the assets that is not sufficiently informative is also considered to be inadequate. For example, it is not enough to simply state that the assets have been generated by "business activity" without providing further information on this activity. A mere statement that the client is a "pensioner" without further information on the origin of the assets (e.g. due to long-standing business relationships established before retirement) is also considered to be insufficient. The scope of the available information is decisive in individual cases. The profile should generally be more detailed with the increasing risk of the business relationship. Especially in cases of higher risk, it is necessary to further verify the plausibility of the client's information in the business profile, for example by obtaining (third-party) supporting documents. There are no specific formal requirements for the creation of the business profile. However, all relevant information must be collected and presented coherently in the due diligence documents. It is not enough if the relevant information can be found in various documents; instead, the business profile must be prepared in a way that is suitable for continuous monitoring and comprehensible to third parties. In addition, the business profile must be complete, dated, and signed, and the creator of the business profile must be identifiable to an external third party Updates of business profile The frequency of updates to the business profile likewise depends on the risk. In any case, any changes relevant to the business profile or monitoring of the business relationship must be recorded. In this context, there is an active obligation of the persons subject to due diligence to verify and update the entire portfolio of business relationships. The persons subject to due diligence must therefore regularly check whether all information and data to be collected within the scope of the business profile under Article 20 DDO still correspond to the actual circumstances. 14 / 26

15 For that reason, the business profile must be reviewed at individually defined, risk-appropriate intervals to ensure that it is up to date and adjusted if necessary. The frequency of the updates must be set out in the internal instructions or individual risk assessment (Article 31(2)(c bis ) DDO). In cases of higher or high risks, the active review of the business profile must take place at least every one to two years, and in the case of regular risks at least every three to five years. In the case of low risks, the profile must be updated as warranted (e.g. when an "alert" is generated in the monitoring system). The specification of the update intervals is subject to known changes to the business profile. Known information that deviates from the existing business profile must therefore be taken into account immediately in the business profile. When implemented in practice, the active obligation to review the business profile means that in the context of a client consultation, for example, questions must be asked specifically as to whether the information in the business profile (including beneficial ownership) still corresponds to the current circumstances. As a rule, the person subject to due diligence is already in a position to identify and document changes promptly on the basis of past knowledge of the client and generally close and regular client contact. The update must be documented or recorded internally in accordance with Article 20(3) DDO. Provided that no changes are made when checking the need for an update, this result must be documented at least in the form of a short note or indication of the review. There is no explicit formal requirement in this respect. A short memorandum on the client consultation or a current dated printout of the profile are considered sufficient, as long as they contain the relevant information Plausibility check of information and documentation With regard to the information in the business profile, the plausibility check of this information plays a key role. Not all information and responses received from the client may be accepted without verification. The scope of plausibility checks and the associated documentation in individual cases depends on the individual risk of the business relationship. In connection with the clarification of the contributed assets, the following documents in particular may be of relevance by way of example: supplementary deeds and other documents relating to the beneficiary rules certificates of inheritance purchase contracts proof of income tax returns employment contracts extracts from the Land Register donation agreements loan agreements decisions on dividend distributions annual financial statements account statements confirmations of winnings (gambling) all other documents relating to the execution of legal transactions etc. 15 / 26

16 Alternatively or on a supplemental basis, own research in publicly available sources can also be carried out. The extent to which such research is useful and sufficient depends on the risk of the business relationship. In cases of low risks, there are in principle no additional expectations regarding the plausibility of the information received, beyond the minimum content of the business profile. In connection with the plausibility check of information received, third-party supporting documents are generally more conclusive than those produced by the client. Therefore, third-party supporting documents should ideally be obtained as part of the plausibility checks. Supporting documents from the client (balance sheets, invoices, loan agreements, project descriptions, etc.) can also be used for plausibility checks, but these must be examined more critically. In connection with the necessary plausibility checks, it is crucial that the person subject to due diligence understands the meaning and purpose of the transactions and that they conform to the information in the business profile. Any documents or research results which have served to check plausibility must be included in the due diligence file. In the case of a plausibility check by means of supplementary deeds or comparable documents relating to beneficiary rules, mere inspection of such a document without making a copy is sufficient on an exceptional basis, in light of the sensitive nature of these documents. In such cases, the FMA expects the examination to be carried out in accordance with the principle of dual control and with appropriate documentation to be included in the due diligence file (date, persons inspecting the documents, contents of the documents inspected). For plausibility documents other than those mentioned above, mere inspection is not considered sufficient. Accordingly, the persons subject to due diligence involved in the business relationship must include them in the due diligence file. The extent to which plausibility documents must be obtained retroactively in order to update the profile depends on the individual case and the corresponding risk categorisation. The persons subject to due diligence must have at least enough information and documents at their disposal to be convinced that they know the source of the assets and that the plausibility of the source can be verified. Furthermore, persons subject to due diligence must be able to adequately monitor the business relationship. See also the comments below on enhanced due diligence and simplified due diligence What are the requirements for monitoring the business relationship? (Article 9 DDA in conjunction with Article 22 DDO) The persons subject to due diligence must ensure continuous, risk-appropriate monitoring of all business relationships. The course of the business relationship and the processing of transactions must be consistent with the knowledge of the person subject to due diligence concerning the client and the client's business relationship and, consequently, with the business profile. As is the case for other due diligence obligations, monitoring must be carried out in accordance with the risk categorisation. This means that in the case of a high or higher risk, continuous monitoring must be carried out more closely and in more detail than in the case of regular or even low risk. However, monitoring must always be carried out continuously and at regular intervals. Common sense plays an important role in monitoring the relationship, as well as in all other areas where the risk-based approach is used, given that individual experience with a business relationship or client is of primary importance. Changes in behaviour or deviations from typical behaviour patterns of the client must always be observed, and changes relating to the information in the business profile must always be verified through active enquiries. 16 / 26

17 5.3.5 Media monitoring Continuous monitoring at the risk-based level must also take into account media reports about clients that are relevant from the perspective of due diligence. Media reports are relevant in particular if the client is mentioned in connection with money laundering, predicate offences of money laundering, or organised crime. Insofar as such reports give rise to suspicion, these suspicions must be investigated in accordance with Article 9(4) DDA. If the suspicion cannot be dispelled, it must be examined whether there is an obligation to report in accordance with Article 17 DDA. The necessity and frequency of monitoring depends on the risk of the business relationship. Automated, computer-aided systems (e.g. Worldcheck, Faktiva, Pythagoras, etc.) are particularly suitable for media monitoring. However, it should be noted that many commercial providers only offer checks against PEP databases and sanction lists. It must be ensured that checks against media reports are also included. In the FMA's view, appropriate media monitoring is ensured if the notifications generated by the computer-aided monitoring system are checked for relevance and, if they are found to be relevant, are investigated accordingly. The frequency of the tests must be traceable for third parties. The absence of relevant media reports need not be documented separately when computer-aided systems are used. If no IT monitoring systems are used, the media monitoring requirement may also be met by conducting regular own research in publicly available sources (e.g. Google). The performance of the checks must be documented. If there are no relevant reports on a business relationship, a corresponding note must be made or a printout of the first page of hits should be included in the files, in order to reduce one's own culpability. 5.4 Transaction monitoring The time intervals at which non-banks must obtain transaction records (daily, monthly or quarterly statements) and the threshold at which transaction monitoring is carried out must be specified by the person subject to due diligence in internal instructions or in the risk assessment for each risk category. The person subject to due diligence must be aware of the risks in connection with a business relationship and must set up monitoring accordingly. In any case, the timing of obtaining transaction records must be proportionate to the individual risk. The risk-based approach deliberately does not set out a uniform procedure, but rather leaves it to the own responsibility of the persons subject to due diligence to make appropriate use of their resources. It would therefore be misguided in practice and would run counter to the basic idea of the risk-based approach if all transactions were monitored to the same extent. The circumstances and aspects of the individual business relationship must always be taken into account, so that enhanced or reduced monitoring of the business relationship can be implemented in individual cases. It should also be noted that monitoring must be carried out in a timely manner, i.e. without delay. This means that clarifications of transactions must be carried out directly after receipt of the transaction records without unnecessary delay. Further details are provided in the sector-specific instructions of the FMA. The process for monitoring the business relationship must be regulated appropriately in the internal instructions or individual risk assessment and brought to the attention of the employees concerned for daily use. In cases where investigations (simple or special) are required, the persons subject to due diligence must obtain and verify the plausibility of the information that allows them to make an adequate assessment of the background. Statements made by the client during the specific investigation of a transaction must be checked for plausibility. It is important to note that not every statement by the client can be accepted as is and without verification. Accordingly, depending on the case in question, documents must be obtained that support the statement. The results of the investigations must be documented and included in the due diligence file. 17 / 26

18 5.5 Simplified due diligence (Article 10 in conjunction with Annex 1 DDA, Articles 18(2) and 22b DDO) Simplified due diligence obligations may be applied only if the persons subject to due diligence have identified a low risk of money laundering, organised crime, and terrorist financing in their risk assessment and have ensured that the business relationship or transaction concerned is indeed associated with a low risk. Pursuant to Article 27(1)(c bis ) DDO, application of simplified due diligence must be documented in the due diligence files or in other suitable internal documents (risk matrix or list of mandates). Annex 1 of the Due Diligence Act contains factors and possible indicators of a potentially lower risk. On a supplemental basis, the ESA Risk Factors Guidelines must be taken into account. At this point it should be noted that even in the area of simplified due diligence, all due diligence obligations under Article 5(1)(a) to (d) DDA must be fulfilled. Only their scope or timing may vary, depending on the risk in question. The application of simplified due diligence is therefore no exception to the fulfilment of due diligence obligations. With regard to the specific structuring of simplified due diligence in light of risk-appropriate monitoring, it is essential that simplified due diligence be structured at least in such a way that the persons subject to due diligence are in a position to identify unusual or suspicious transactions in order to be able to issue a suspicious transaction report if necessary. As already explained, the persons subject to due diligence must in each individual case ensure that there is actually a low risk. Consequently, in cases of high and higher risks (legally as well as individually defined cases), the application of simplified due diligence is ruled out per se. The FMA believes that in principle, the examination required under Article 10(2) DDA as to whether there are actually low risks associated with the business relationship or transaction should not be subject to excessively high demands in the cases referred to in Article 22b DDO. For this reason, in the case of attorney escrow accounts referred to in Article 22b(4) DDO, for example, a corresponding confirmation by the lawyer concerned will normally suffice. An active review of the circumstances must be carried out when warranted (see also the comments above on the business profile). Relevant, commonly known information must be taken into account in any case. See also the comments above on risk assessment. 5.6 Enhanced due diligence (Article 2(1)(h), Article 11, and Annex 2 DDA in conjunction with Articles 2 and 23 DDO) In cases of enhanced due diligence provided for by law (Article 11(4) to (6) DDA), there is no discretion with regard to the application of enhanced due diligence. There is a certain leeway only with regard to the type and scope of the measures to be applied, provided that certain measures are not already mandatory by law (e.g. Article 11(4) and (4a) DDA in the case of PEPs). Enhanced due diligence obligations must be applied in addition to the regular due diligence obligations and must in any case have an intensifying effect on the scope of the measures to be applied. With regard to specific measures, those in Annex 2 Section B of the Due Diligence Act and the ESA Risk Factors Guidelines must be taken into account. However, persons subject to due diligence are free to lay down further effective enhanced measures in their risk assessment or internal instructions. Pursuant to Article 27(1)(c bis ) DDO, application of enhanced due diligence must be documented in the due diligence files or in other suitable internal documents (risk matrix or list of mandates). 18 / 26