KYC requirements AML, MiFID, FATCA/CRS and new technologies Edwin Somers, 28 March 2017

Transcription

1 KYC requirements AML, MiFID, FATCA/CRS and new technologies Edwin Somers, 28 March 2017

2 Contents I. MiFID/AssurMiFID KYC Requirements II. AML KYC-KYT Requirements III. FATCA/CRS IV. Credit mortgage directive V. Digital signature VI. Practical approach on KYC 2017 Deloitte Belgium 2

3 Customer Onboarding Customer Risk Assessment & Acceptance Key Principles (Assur)MiFID AML Digital signature? KYC FATCA/CRS Practical approach? MCD 2017 Deloitte Belgium 3

4 I. MiFID/AssurMiFID KYC Requirements 2017 Deloitte Belgium 4

5 Investment advice Types of advice (1/2) MiFID I Definition of investment advice: the provision of personal recommendations to a client, either upon its request or at the initiative of the bank, in respect of one or more transactions relating to financial instruments. Introduction of following subtypes of investment advice by FSMA (FSMA MiFID Cartography): Ad hoc advice: Investment advice with respect to one or more individual transactions. Structural advice: Investment advice using a portfolio approach rather than focusing on providing advice with respect to one or more individual transactions. Often, this service is subject to an investment advice agreement. MiFID II Definition of investment advice has not changed. However, introduction of new types of advice: Independent investment advice: Investment advice involving the assessment of a sufficient range of financial instruments available on the market which must be sufficiently diverse with regard to their type and issuers or product providers to ensure that the client s investment objectives can be suitably met and must not be limited to financial instruments issued or provided by: The firm itself or by entities having close links with it; or Other entities with which the firm has such close legal or economic relationships, such as contractual relationships, as to pose a risk of impairing the independent basis of the advice provided. Investment advice with periodical assessment of the suitability of the financial instruments recommended to that client: implies a review of the suitability of recommendations given, at least on an annual basis. The frequency of this assessment shall be increased depending on the risk profile of the client and type of financial instruments recommended. Obligation to enter into written basic agreement (durable medium) Deloitte Belgium 5

6 Investment advice Types of advice (2/2) Framework MiFID I FSMA Additional framework MiFID II Periodic assessment Structural Independent Investment Advice Ad hoc Non independent No periodic assessment Periodic assessment No periodic assessment 2017 Deloitte Belgium 6

7 Suitability assessment Information to be gathered Financial situation Investment objectives Knowledge and experience MiFID I and FSMA guidance: Source and extent of client s regular income Client s assets (including liquid assets, investments and real estate) Regular financial commitments (e.g. monthly mortgage payments) MiFID II: Client s ability to bear losses (consistent with his investment objectives) MiFID I and FSMA guidance: Investment horizon Risk appetite and client s risk profile Purpose of the investment MiFID II Risk tolerance MiFID I and FSMA guidance: Type of service, transaction and product with which the client is familiar When different products are grouped into one category, sufficient granularity is required (knowledge of one product may reasonably lead to knowledge of other products only if all of these products have similar features) No self-assessment by client, banks should verify sufficient knowledge of the relevant product specifications (risk, possible return, ) Nature, volume and frequency of transactions and the period during which these have been carried out Experience does not automatically lead to knowledge and vice versa Level of education and (former) profession 2017 Deloitte Belgium 7

8 Suitability assessment Accuracy of information Requirements under MiFID II (Level 2) Where a firm does not obtain the information required the firm shall not provide investment advice, or enter into transactions in the course of portfolio management, to the (potential) client. Firms may rely on the information provided by their clients or potential clients unless they are aware or ought to be aware that the information is manifestly out of date, inaccurate or incomplete. Firms must take reasonable steps to ensure that the information collected about their (potential) clients is reliable. This must include, but is not limited to, the following: a) Ensuring clients are aware of the importance of providing accurate and up-to-date information; b) Ensuring all tools, such as risk assessment profiling tools or tools to assess a client s knowledge and experience, employed in the suitability assessment process are fit-for-purpose and are appropriately designed for use with their clients, with any limitations identified and actively mitigated through the suitability assessment process; c) Ensuring questions used in the process are likely to be understood by clients, capture an accurate reflection of the client s objectives and needs, and the information necessary to undertake the suitability assessment; d) Taking steps, as appropriate, to ensure the consistency of client information, such as by considering whether there are obvious inaccuracies in the information provided by clients. Firms having an on-going relationship with the client, such as by providing an ongoing advice, shall have, and be able to demonstrate, appropriate policies and procedures to maintain adequate and up-to-date information about clients Deloitte Belgium 8

9 Suitability assessment Responsibility Requirements under MiFID II (level 2) Responsibility Firms shall not create any ambiguity or confusion about their responsibilities in the process when assessing the suitability of investment services or financial instruments. When undertaking the suitability assessment, the firm shall inform (potential) clients, clearly and simply, that the reason for assessing suitability is to enable the firm to act in the client s best interest. Where investment advice is provided (in part) through a (semi-) automated system (so-called robo-advice ), the responsibility to undertake the suitability assessment shall lie with the firm providing the service and shall not be reduced by the use of an electronic system. Firms shall not discourage a (potential) client from providing the required information. Legal persons / joint accounts / representation Where a client is a legal person or a group of two or more natural persons or where one or more natural persons are represented by another natural person, the firm must establish and implement a policy as to who should be subject to the suitability assessment and how this assessment will be done in practice, including from whom information about knowledge and experience, financial situation and investment objectives should be collected. The firm must record this policy. Where a natural person is represented by another natural person or where a legal person has requested to be considered as professional client the financial situation and investment objectives shall be those of the legal person or, in relation to the natural person, the underlying client rather than of the representative. The knowledge and experience shall be that of the representative of the natural person or the person authorized to carry out transactions on behalf of the underlying client Deloitte Belgium 9

10 II. AML KYC-KYT requirements 2017 Deloitte Belgium 10

11 AML KYC-KYT requirements History of the regulation from 1988 to now U.N. Convention Fight against illicit traffic in narcotic drugs & psychotropic substances FATF First document on the 40 recommendations AMLD I First directive on prevention of the use of the financial system for the purpose of money laundering Belgian Law AML Transposition of AMLD I FATF Second document on the 40 recommendations AMLD II Second directive on prevention on the use of the financial system for the purpose of money laundering FATF FATF Third Nine special document recommendations on the 40 recommendations terrorist concerning financing AMLD III Third directive on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing FATF Fourth document on the recommendations AMLD IV Fourth directive on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing Action Plan In 2016, Proposition of AMLD V In 2017, Belgian Law AML (transposition of AMLD IV) 2017 Deloitte Belgium 11

12 II. AML KYC-KYT requirements 1. Enterprise-wide risk assessment & Risk based approach 2017 Deloitte Belgium 12

13 Enterprise-wide risk assessment AMLD IV RISK BASED APPROACH (Draft AML Act/AMLDIV) A risk based approach implies that, in a more clear way than before, all measures (organisation, business and transaction wise) should aim at avoid/minimalising the risk of being misused for money laundering or terrorism financing purposes. A risk based approach should enable financial institutions to take less profound measures in situations where the risk is limited. The resources that are redeemed, should be used for more profound measures in situations where the risk is higher. RAISE IN EFFICIENCY Profound and actual knowledge/insights in ML/FT risks required ENTERPRISE WIDE RISK ASSESSMENT (EWRA) 2017 Deloitte Belgium 13

14 Enterprise-wide risk assessment EWRA scheme Scope Inherent Risk Assessment Controls Assessment Residual Risk Action Plan and Reporting Define the scope and the structure of business areas to assess, including business units, legal entities, divisions, countries and regions Select risk areas and factors to assess and determine the inherent risk present in your business based on empirical data analysis and analytical techniques Assess design and operative effectiveness of mitigating controls based on selfevaluation questionnaires and document evidence of controls Highlight risk factors without sufficient mitigation and business areas posing the greatest risk and evaluate results against institution s risk appetite statement Develop action plan for underperforming controls based on identified gaps, create reporting and prepare documentation for audit/exam purposes Risk Factors and Measures Risk Factors Customers Products & Services Transactions Channels Geographies Other Qualitative Factors Measures Customer type Ownership structure Industry PEPs Length of relationship Customer Risk Rating (CRR) High degree of anonymity or limited High degree of currency or equivalents Facilitate payments to third parties Readily frequently more value from one jurisdiction to another Transactions processed on behalf of client s clients Account origination and servicing Account servicing Location of business Location of customers Origin / destination of transactions Recent / expected growth Mergers & acquisitions New products / services Indirect Sanctions risk 2017 Deloitte Belgium 14

15 Enterprise-wide risk assessment Key principles EWRA EWRA analyses: Clients Products and services offered Transactions Countries/geographical zones Annex draft law includes a list of potential lower/higher risks and risk variables (see next slides) Distribution channels EWRA needs: Involve the general risk assessment (documentation is key) Timely regularly updated Available for the competent authorities Demonstrate that measures and procedures are fit and proper for the reduce of risks regarding money laundering and terrorism financing EWRA can be used to justify the (level of) implemented measures and procedures 2017 Deloitte Belgium 15

16 Enterprise-wide risk assessment Examples 2017 Deloitte Belgium 16

17 Risk based approach (RBA) Key principles Key principles for a RBA: Policies, procedures, measures and controls to mitigate the ML/TF risks should be consistent with the risk assessment. Financial institutions should be able to prepare a customer risk profile. This will determine the level and type of ongoing monitoring and support the FI s decision whether to enter into, continue or terminate the business relationship normal, enhanced or exit measures; Banks should adjust the extent and depth of monitoring in line with their enterprise wide risk assessment (EWRA) and individual customer risk profiles; The Risk criteria and profiles must be reviewed periodically and review is needed when there are changes in circumstances or when relevant new threats emerge; The criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers must be properly documented and communicated to relevant personnel within the financial institution. This approach must be applied consistently Deloitte Belgium 17

18 Risk based approach A model for a risk-based approach Template - For Illustration Purposes Only Segmenting client portfolio according to the Risk Matrix 2017 Deloitte Belgium 18

19 Risk based approach RBA Visual Template - For Illustration Purposes Only 2017 Deloitte Belgium 19

20 II. AML KYC-KYT requirements 2. Onboarding a. Customer Risk Assessment & Acceptance 2017 Deloitte Belgium 20

21 Customer Onboarding Customer Risk Assessment & Acceptance Key Principles CURRENT REGIME Financial institutions are required to develop and implement a clear policy to identify the ML/FT risk profile of customer and to ensure the application of risk sensitive customer due diligence and ongoing monitoring measures ( the Customer Acceptance Policy ). Components: Allocation of the authority to allow the establishment of a business relationship; Risk factors on the basis of which customers must be divided into risk groups ( customer ML/FT risk assessment ); Description of the customer due diligence measures and ongoing monitoring measures that must be applied for each risk group; Description of the situations in which deviations from the normal rules are allowed and the conditions for such deviations; Overview of the circumstances under which the financial institution would not accept a new business relationship or terminate an existing one (for example shell banks and financial institutions servicing such banks). Ensure compliance with financial sanctions & embargoes Deloitte Belgium 21

22 Customer Onboarding Customer Risk Assessment & Acceptance Key Principles CURRENT REGIME The Customer Acceptance Policy as driver for customer due diligence and ongoing monitoring Customer Due Diligence Collecting the information required to perform the customer ML/FT risk assessment. Customer Acceptance Policy Determines the extent and depth of customer due diligence and ongoing monitoring. Ongoing Monitoring Keeping the information on which the risk assessment is based up-to-date; Detection changes in risk factors Deloitte Belgium 22

23 Customer Onboarding Customer Risk Assessment & Acceptance Risk Assessment CURRENT REGIME Customer should be defined into risk groups based on objective risk criteria. Two types of risk criteria: Obligatory risk factors, i.e. risk factors indicating an increased ML/FT risk that are defined in the legislation; Entity specific risk criteria, i.e. ML/FT risk factors defined based on the activities of the institution. Obligatory risk factors and entity specific risk factors should be combined to form risk categories and be aligned with risk factor for the entity/group level ML/FT risk assessment. Basis for the decision whether to establish or maintain a business relationship. The outcome of risk assessment determines the extent of the customer due diligence and ongoing monitoring measures to be applied: The extent of the measures that are applied must be increased where the ML/FT risks associated with a business relationship are higher; The extent of the measures that are applied may be decreased where the ML/FT risks associated with a business relationship are lower (to the extent allowed by law). The customer risk assessment needs to be kept up-to-date during the business relationship to ensure alignment between the ML/FT risk associated with business relationships and the extent and depth of the preventive measures being applied Deloitte Belgium 23

24 Customer Onboarding Customer Risk Assessment & Acceptance Risk Assessment CURRENT REGIME Obligatory risk factors for increased ML/FT risk Customer Risk Factors: The customer was not physically present for identification purposes The customer was not physically present for identification purposes and has been identified based on a copy of an identification document The customer is a PEP or a related person A beneficial owner of the customer is a PEP or a related person The identify of a beneficial owner of the customer could not verified and/or it was not possible to gather information about the place of birth, date of birth and/or address of the beneficial owner Entity specific risk factors for increased ML/FT risk (illustration) Customer Risk Factors: Non-resident customer The activities of a customer carry an increased ML/FT risk (incl. customer base and business) The profile of a customer is unusual taking into account the characteristics of the usual customer of the financial institution A customer does not comply with its AML/CFT obligations and/or has an inadequate AML/CFT programme A customer or a beneficial owner of a customer is subject to financial sanctions Unusually or excessively complex ownership or control structure given the nature of the company s business Product, service, transaction or delivery channel risk factors: The customer requests wealth management services The customer requests the opening of a numbered account Provision of cross-border correspondent banking services to financial institutions established in third countries Geographical risk factors: The customer is established or has his place of residence in a jurisdiction that is considered by the FATF as High-risk or non-cooperative or to which an FATF call to action applies Product, service, transaction or delivery channel risk factors: A customer wishes to use a product or service with a high inherent ML/FT risk Non-face-to-face service delivery Geographical risk factors: The customer is established or has his place of residence in a jurisdiction: Subject to sanctions, embargoes or similar measures Regarded by credible sources as not having effective AML/CFT systems Identified by credible sources as having significant levels of corruption or other criminal activity Providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country 2017 Deloitte Belgium 24

25 Customer Onboarding Customer Risk Assessment & Acceptance Risk Assessment NEW Introduction of (non-exhaustive) lists of: Risk Variables; and Risk Factors. that need to be taken into account when determining the ML/FT risk profile of the customer (and consequently the extent of the customer due diligence measures to be applied). Risk variables: The purpose of an account or relationship; The level of assets to be deposited by the customer or the size of transactions undertaken; The regularity or duration of the business relationship Deloitte Belgium 25

26 Customer Onboarding Customer Risk Assessment & Acceptance Risk Factors NEW Factors and types of evidence of potentially lower risk Customer Risk Factors: Public companies listed on a stock exchange and subject to disclosure requirements, which impose requirements to ensure adequate transparency of beneficial ownership Public administrations or enterprises Customers that are resident in geographical areas of lower risk Product, service, transaction or delivery channel risk factors: A pension, superannuation or similar scheme that provides retirement benefits to employees Products where the risks of money laundering and terrorist financing are managed by other factors such as purse limits or transparency of ownership Geographical risk factors: Member States Third countries having effective AML/CFT systems Third countries identified by credible sources as having a low level of corruption or other criminal activity Third countries which, on the basis of credible sources such as mutual evaluations, detailed assessment reports or published follow-up reports, have requirements to combat money laundering and terrorist financing consistent with the revised FATF Recommendations and effectively implement those requirements Factors and types of evidence of potentially higher risk Customer Risk Factors: The business relationship is conducted in unusual circumstances Customers that are resident in geographical areas of higher risk Legal persons or arrangements that are personal asset-holding vehicles Companies that have nominee shareholders or shares in bearer form The ownership structure of the company appears unusual or excessively complex given the nature of the company's business Product, service, transaction or delivery channel risk factors: Products or transactions that might favour anonymity Non-face-to-face business relationships or transactions, without certain safeguards, such as electronic signatures Payment received from unknown or unassociated third parties New products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products Geographical risk factors: Countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective AML/CFT systems Countries identified by credible sources as having significant levels of corruption or other criminal activity Countries subject to sanctions, embargos or similar measures issued by, for example, the Union or the United Nations Countries providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country 2017 Deloitte Belgium 26

27 II. AML KYC-KYT requirements 2. Onboarding b. Customer Due Diligence 2017 Deloitte Belgium 27

28 Customer Due Diligence Overview Performance of customer due diligence ( CDD ): Identification and verification of identity on the basis of information obtained from a reliable and independent source for: Customers; Representatives; Ultimate Beneficial Owners (UBO s); Beneficial Owners of life insurance contracts and other investment insurances. Obtain information on the characteristics of the client and the purpose and intended nature of the business relationship; Perform ongoing monitoring proportional to risk. Existing exemptions for identification no longer included only risk based / simplified CDD The extent of the customer due diligence measures to applied may be adjusted in line with the ML/FT risk associated with a individual business relationship: Basic customer due diligence; Simplified customer due diligence - the extent of the measures that are applied may be decreased where the ML/FT risks associated with a business relationship are lower; Enhanced customer due diligence - the extent of the measures that are applied must be increased where the ML/FT risks associated with a business relationship are higher Deloitte Belgium 28

29 Customer Due Diligence Identification requirements Principle: Collection of relevant information which makes it possible to distinguish them with sufficient certainty from other persons (taking into account the risk level of the customer). Client Type Required Identification information Natural Person Full name Date & Place of birth Address of the place of residence (to the extent possible) Powers of representation (in case of a representative) Legal Entity Full legal name and legal form Address of the registered office Names of the directors Powers of representation Trusts or other similar legal constructions Full (legal) name of the customer Trustees, founders, protectors (if any) see UBO s Powers to bind the trust or similar legal construction Further information by regulation (existence, nature, purpose, the manner in which the customer is managed) Beneficiary of a life insurance contract Beneficiary is mentioned in contract: full name Beneficiary is indicated as category / description: entity collects all information necessary to identify the beneficiary at the moment of pay-out 2017 Deloitte Belgium 29

30 Customer Due Diligence General Requirements Verification Requirement Verify the correctness and trustworthiness of the provided identification information by comparing this information with information contained in documents from a reliable source. Key attention points: Taking into account the risk level of the customer: Low risk information to be verified can be limited (but sufficient certainty regarding knowledge of client); High risk all information needs to be verified. Identification & verification at distance to be included in Regulation Deloitte Belgium 30

31 Customer Due Diligence UBO s Current regime General definition Ultimate beneficial owners (UBO) of customers = the natural person(s): For whose account a customer carries out a transaction or establishes a business relationship; or Who ultimately own or control a customer. New regime General definition Extended Definition UBO s = the natural person(s): For whose account a transaction is carried out or a business relationship established: persons who benefit from the transaction/relation and who have the power to decide on the transaction/relation or on the modalities of these; or Who ultimately own or control a customer, representative or beneficiary of life insurance contracts or other investment insurance contracts. UBO s of clients who are companies: Natural persons who own or control directly or indirectly more than 25% of the shares or voting rights (this is 25% + 1 share/voting right) of a customer; Natural persons who, without controlling or owning more than 25% of the shares or voting rights, have de facto control of a customer; Natural persons who, without having the power to represent the client in its relations with the financial institutions, are a member of the management bodies of the client. UBO s of companies: Natural persons who own or control directly or indirectly a sufficient percentage of the shares ore voting rights: >25% (directly) is considered as an indication of a sufficient percentage; Clarification on indirectly ownership/control: Control of a corporate entity which holds a shareholding of 25% plus one share or an ownership interest of more than 25% in the customer is considered as an indication of indirect ownership. This will also be the case where the shareholding or ownership interest is held by multiple corporate entities which are under the control of the same natural person. Natural person(s) who have control by any other means; Natural person(s) member of the management of the company in case all other means cf. above are exhausted Deloitte Belgium 31

32 Customer Due Diligence UBO s Current regime UBO s of customers who are legal entities (other than companies) and legal arrangements without legal personality: Where the future beneficiaries have already been determined, the natural person(s) who is (are) the beneficiary(ies) of 25% or more of the property of the legal entity or legal arrangement; Where the natural persons who are beneficiaries of the legal entity or legal arrangement have yet to be determined, the class of persons determined in abstracto in whose main interest the legal entity or legal arrangement is set up or operates. In these cases, a broad description of the class of persons who stand to benefit is sufficient so that the financial institution understands who the persons are who benefit; The natural person(s) who exercise(s) control over 25% or more of the property of the legal entity or legal arrangement, incl. persons who have a significant influence on the management of the legal entity or legal arrangement and natural persons who, without having the power to represent the client in its relations with the financial institutions, are a member of the management bodies of the client. New regime UBO s of trusts Founder(s); Trustee(s); Protector (if any); Beneficiaries (if not identified yet group of persons in whose main interest the trust is set up or operates); All other natural person(s) who are (in)direct owner or have control by any other means. UBO s of foundations, VZW/ASBL and legal constructions comparable to trusts Natural persons with comparable functions / positions as for the trusts Deloitte Belgium 32

33 Customer Due Diligence UBO s Current regime Identification of UBO s: Required Information: Name; Surname; Date of birth (to the extent possible); Place of birth (to the extent possible); Address of the place of residence (to the extent possible). Customers that are legal entities or legal arrangements without legal personality are legally required to provide financial institutions with the necessary information about their beneficial owners. New regime Identification of UBO s: Cf. current regime. UBO identification includes a view on the ownership / control of the customer / representative (reasonable measures). Risk based approach. Introduction of a requirement for to set up a central public register for UBO s: Access for financial institutions; Obliged entities may not rely exclusively on the central register to comply with CDD requirements. When it is not possible to collect information about date of birth, place of birth and/or address of the place of residence this should be taken into account when determining the customer ML/FT risk profile. Exception for listed companies (client/owner) Deloitte Belgium 33

34 Customer Due Diligence UBO s Current regime Verification of UBO s: Verify whether the information with regard to which natural persons are UBO is correct: Identification of UBO s is the responsibility of financial institutions; Reliance on information provided by customers insofar this information can be considered as pertinent and trustworthy; Scrutinize the information provided based on official documentation (including the documents obtained during the identification of the client) and other documents that are considered as trustworthy. Verification waterfall: To the extent possible, the verification of the correctness and trustworthiness of the provided identification information with respect to the identified UBO s must be performed in the same manner as the identity verification of customer-natural persons; If not possible the verification should be attempted using other documents from a reliable source (such as: annual reports, notarized deeds, ); In case the verification of the provided information is not possible using the above measures financial institutions must document the measures that have been taken to try to verify the information. New regime Verification of UBO s: Cf. current regime. Verification of UBO s cf. verification of customer (to be considered as an obligation of result? quid Circular letter). Introduction of a requirement for to set up a central public register for UBO s: Access for financial institutions; Obliged entities may not rely exclusively on the central register to comply with CDD requirements. Financial institutions must refuse to enter into a business relationship with a client when they suspect that the customer for trying to hide the identity of an UBO is providing information that is not pertinent and/or trustworthy. The CTIF-CFI should also be notified in case there is suspicion that money laundering or the financing of terrorism is being attempted Deloitte Belgium 34

35 Customer Due Diligence UBO - Changes NEW Introduction of a requirement for Member States to set up a central public register for UBO s. Introduction of waterfall regime for the identification of UBO s of companies: The natural person(s) who hold the position of senior managing officials must only be considered as beneficial owners when: It was not possible to identify the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership; There is doubt that the persons identified are the UBO s. Requirement to document the actions taken to identity the beneficial ownership. Clarification of who should be considered as the UBO s of trusts. Clarification of what constitutes an indication of indirect ownership Deloitte Belgium 35

36 Customer Due Diligence Politically Exposed Persons (PEPs) Current Regime Natural persons who are or have been entrusted with prominent public functions (such as heads of State, heads of government, ministers and deputy or assistant ministers, members of parliaments, members of the administrative, management, supervisory bodies of State-owned enterprises or prominent public functions exercised at EU or international level) and that are living abroad; Immediate family members of natural persons who are or have been entrusted with prominent public functions (such as the spouse, parents, children, ); Persons known to be close associates of natural persons who are or have been entrusted with prominent public functions (such as any natural person who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a person). New Regime Extended definition, now includes: Domestic natural persons who are or have been entrusted with prominent public functions; Members of legislative institutions comparable to parliaments; Members of the governing bodies of political parties; Directors, deputy directors and members of the board or equivalent function of an international organization Deloitte Belgium 36

37 Customer Due Diligence Characteristics of the customer / Purpose and intended nature of the business relationship Take appropriate measures to gather further insight on: The characteristics of the customer, required to perform the client acceptation rules and the ongoing monitoring (business relationships and transactions); PEP status; Information in relation to the purpose and intended nature of the business relationship Deloitte Belgium 37

38 II. AML KYC-KYT requirements 3. Ongoing monitoring of business relationships and transactions 2017 Deloitte Belgium 38

39 Ongoing monitoring of business relationships and transactions General requirements Ongoing monitoring consists of two components: 1. Ongoing monitoring of transactions: Scrutiny throughout the course of that relationship to ensure that the transactions being conducted are consistent with the financial institution's knowledge of the customer, his business and risk profile. 2. Ongoing monitoring of business relationships: Identification of changes to the customer profile and ensuring the documents, data or information held are kept up-to-date. The extent and depth of the ongoing monitoring of business relationships and transactions must be aligned with the ML/FT risks associated with the business relationship as determined via the customer ML/FT risk assessment and the entity-level risk assessment. Enhanced monitoring must be applied for higher risk situations, while financial institutions may decide to reduce the frequency and intensity of the monitoring where risks are lower. Criteria that are defined for the purpose of detecting atypical transactions must take into account the customer ML/FT risk profile Deloitte Belgium 39

40 Ongoing monitoring of business relationships and transactions Ongoing monitoring of business relationships Two requirements: 1. Customer information and customer profile need to be updated when there are indications that it is no longer up-to-date; 2. Periodic risk-based validation of customer information. The customer ML/FT risk profile must be reviewed taking into account the updated information. When required, additional due diligence measures need to be applied. Methods to be used: Periodically request customers to validate correctness and pertinence of the customer information being held; Periodic screening of customer databased to detect PEPs and relevant persons and other high-risk clients. Enhanced monitoring must be applied for higher risk situations, while financial institutions may decide to reduce the frequency and intensity of the monitoring where risks are lower. Examples of risk-based ongoing monitoring measures: Monitoring in high risk situations: daily transaction monitoring, frequent analysis of information, shorter periods for customer profile reviews and actualization, considering the destination of funds, establishment of red flags based on typologies reports, reporting of monitoring results to senior management, etc.; Monitoring in lower risk situations: thresholds for monitoring, longer periods for customer profile reviews and actualization, lower frequency of transaction monitoring, 2017 Deloitte Belgium 40

41 III. FATCA/CRS 2017 Deloitte Belgium 41

42 Foreign Account Tax Compliance Act (FATCA) General FATCA is an American Law to combat tax evasion and money laundering worldwide Tax transparency framework Since 23 April 2014 Belgium has an agreement with the US to comply with FATCA Responsibility for the identification and the reporting of such accounts lays with the Financial Institutions (FI) Financial institutions have to report to the FPS Finance FPS Finance informs the Internal Revenue Service (IRS) A FI can rely on a third party service provider to fulfil its obligations under the legislation, but the obligations remain the responsibility of the FI and so any failure will be seen as a failure of the FI 2017 Deloitte Belgium 42

43 Foreign Account Tax Compliance Act (FATCA) US persons Purpose: identify and report US reportable accounts, being accounts of US persons, or Passive NFFE (Non-Financial Foreign entity) with one or more controlling persons who are specified as a US-person FATCA indicia for a US-person: A persons with a US-passport A US-resident A person born in the US A person owning a property in the US A person performing periodic transfers to the US A proxy holder with a US-address In-care or hold-mail address in the US A US company A company with (a) US person(s) as UBO s If a person is identified as a US-person, the FI is required to obtain a US Taxpayer Identification Number (TIN) of the US person 2017 Deloitte Belgium 43

44 Foreign Account Tax Compliance Act (FATCA) US persons How to identify? Indicia search: searching for indicia by reference to documentation or information held or collected in accordance with maintaining or the opening of an account Self-certification: from an accountholder or a controlling person of a NFFE where applicable - W9 for US persons (request for Taxpayer Identification Number TIN) - W-8BEN, W-8BENE, W-8IMY, etc. for non-us persons Information in possession of the FI or publicly available information (for entities only): public information can be used to determine the FATCA status of an entity account holder Evidence Self-certification (IRS forms W8/W9 or similar agreed forms) Acceptable document delivery (certificate of residence, valid identification issued by authorised government, financial statement, third party credit report, document referenced in the Belgian attachment to the QI agreed as accepted, such as e-id, drivers license, etc.) 2017 Deloitte Belgium 44

45 Common Reporting Standard (CRS) General Developed by the Organisation for Economic Co-operation and Development (OECD) on request of the G20 Call on jurisdiction to obtain information from their financial institutions and automatically exchange that information with other jurisdictions on an annual basis. CRS sets out: Financial account information to be exchanged Financial institutions required to report Different types of accounts and tax payers covered Common due diligence procedures to be followed The four key parts: A model Competent Authority Agreement (CAA), providing the international legal framework for the automatic exchange of CRS information Common Reporting Standards Commentaries on the CAA and CRS CRS xml Scheme User Guide 2017 Deloitte Belgium 45

46 Common Reporting Standard (CRS) Timeline and framework 2013: Request G20 to OECD to develop a reporting standard 2016: 87 jurisdictions have signed agreement on CRS 2018: Remaining 34 jurisdictions will share CRS information on fiscal year : OECD Council approved CRS on July 14; Mutual Agreement between Belgium and competent authorities on CRS in October 2017: First 53 jurisdictions will share CRS information on fiscal year 2016 (including Belgium) Framework Directive 2014/107/EU of 9 December 2014 amending Directive 2011/16/EU as regards mandatory automatic exchange of information in the field of taxation Regulation (EU) 2015/2378 of the Commission of 15 December 2015 laying down detailed rules for implementing certain provisions of the Council Directive 2011/16/EU on administrative cooperation in the field of taxation and repealing Implementing Regulation (EU) No 1156/2012 Act of 16 December 2015 arranging the information sharing on financial accounts by the financial institutions and the FPS Finance, in the framework of automatic exchange of information on international level and for tax purposes Other documents OECD Convention on Mutual Administrative Assistance in Tax Matters Multilateral Competent Authority Agreement on Automatic Exchange of Financial Account Information 2017 Deloitte Belgium 46

47 Common Reporting Standard (CRS) Overview 2017 Deloitte Belgium 47

48 Common Reporting Standard (CRS) Reporting Financial Institutions Reporting Financial Institution = the institutions which are required to collect and report the information on CRS Conditions (all should be fulfilled): Entity Located in a participating jurisdiction for tax purposes (entities and branches) Financial institution Not exempted as a non-reporting Financial Institution (FI exempted due to a low risk of being used to evade tax) Reporting FI Depository Institutions (savings banks, commercial banks, savings and loan associations and credit unions) Custodial institutions (custodian banks, brokers and central securities depositories) Investment entities (entities investing, reinvesting or trading in financial instruments, portofolio management or investing, administering of managing financial assets) Specified insurance companies (most life insurance companies) Non-reporting FI Governmental entities and their pension funds International organisations Central Banks Certain Retirement Funds Qualified Credit Card Issuers Exempt Collective Investment Vehicles Trustee Documented Trusts Other low-risk Financial Institutions 2017 Deloitte Belgium 48

49 Common Reporting Standard (CRS) Financial Accounts Reporting Financial Institution should review Financial accounts to identify whether any of them need to be reported to the tax authority Financial account = account maintained by a Financial Institution Excluded account = financial accounts that are seen to have a low risk on tax evasion (A participating jurisdiction can define other excluded accounts) Financial accounts Depository accounts Custodial accounts Equity and debt interests Cash value insurance contracts an annuity contracts Non-reportable accounts Retirement and pension accounts Non-retirement tax-favoured accounts Term life insurance contracts Estate accounts Escrow accounts Depository accounts due to not-returned overpayments Other low-risk excluded accounts 2017 Deloitte Belgium 49

50 Common Reporting Standard (CRS) Reportable Accounts A Financial Institution should review its financial accounts to identify whether any of them are Reportable accounts on which they must report Reportable account: = account held by one or more reportable persons, being persons resident for tax purposes in a country engaged for CRS; or = account held by a Passive non-financial entity (NFE) with one or more controlling persons that is a reportable person. Due diligence procedures 2017 Deloitte Belgium 50

51 Common Reporting Standard (CRS) Due diligence procedures General rule: Rely on information the FI has on file* Request additional information relevant to tax compliance General rule: Rely on information the FI has on file and publicly available information* Request additional information relevant to tax compliance * If insufficient information is available, the FI must contact the client for additional information 2017 Deloitte Belgium 51

52 Common Reporting Standard (CRS) Due diligence procedures New individual account of a reportable person A self-certification on the tax residency from the account holder is required If a self-certification establishes that the account holder is resident for tax purposes in a reportable jurisdiction, then it is a reportable account Participating jurisdictions are expected to provide information to assist tax payers to determine their residence(s) for tax purposes To be valid it should be: Signed by the account holder Dated Include name, residence address, jurisdiction(s) of residence for tax purpose, TIN(s) and date of birth New entity account of a reportable person A self-certification by the account holder is required To be valid it should be: Signed by a person authorised to sign on behalf of the entity Be dated include the account holders name, address, jurisdiction(s) of residence for tax purposes and TIN(s) There may be no reason to believe the self-certification is incorrect The check must also be perform for all controlling persons, if they are a reportable person, they should fill in a self-declaration as well There may be no reason to believe the self-certification is incorrect 2017 Deloitte Belgium 52

53 Common Reporting Standard (CRS) Reporting Information that should be reported: Identification information in order to identify the account holder (name, address, jurisdiction of residence, TIN(s), date of birth, place of birth) Account information to identify the account and where it is held (account number, name and identification of reporting financial institution, account balance/value) (for some types of accounts, more information is needed) Financial information in relation to the activity taking place in the account and the account balance Identify account & compliance risk Reporting must be done as of the end of the relevant calendar year (or other appropriate reporting period) 2017 Deloitte Belgium 53

54 IV. Credit mortgage directive 2017 Deloitte Belgium 54

55 Credit mortgage directive General Framework Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 KYC requirements within the framework of credit worthiness assessment Information on consumer s income and expenses, and other financial and economic circumstances Necessary, sufficient & proportionate Can be obtained from internal/external source, incl. client, credit intermediary and appointed representative Information shall be verified, incl. independently verifiable documentation when necessary If information is incomplete => no ground for termination If information was withheld or falsified knowingly => ground for termination Creditors should have access to databases for assessing the creditworthiness of consumers, and for monitoring consumers compliance with the credit obligations over the life of the credit agreement 2017 Deloitte Belgium 55

56 V. Digital signature 2017 Deloitte Belgium 56

57 Digital signature General Framework: eidas Regulation: Regulation 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC Book XII, article 24 and further of Code Economic Law Electronic identification = the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person 1) Electronic signature Pin-code Password Scanned signature 2) Advanced electronic signature Asymmetric encryption 3) Qualified signature e-id Acceptable in the context of article 1322 Civil Code (a deed) No final answer yet, however accepted in case of necessity 2017 Deloitte Belgium 57

58 Digital signature General Identification: e-id includes identification information: Full name Address Date of birth Place of birth Etc. Verification: e-id includes digital certificates for the verification of the identity; they can be used in combination with the pin-code Authentication certificate: verifies/confirms identity Signature certificate: digital signature Reading of e-id Import identification and verification data in data systems 2017 Deloitte Belgium 58

59 VI. Practical Approach on KYC 2017 Deloitte Belgium 59

60 KYC Overview (Assur)MiFID (Identification Financial situation Investment objectives Knowledge & experience AML (Identification Financial situation Intended nature of business Client characteristics FATCA (Identification Tax residency TIN number CRS (Identification Tax residency TIN number MCD (Identification Financial situation 2017 Deloitte Belgium 60

61 KYC Challenges Thomson Reuters KYC survey (2016) Increased costs and complexity of KYC and CDD Lengthening KYC procedures (Onboarding time for new clients is rising) Lack of skilled people and appropriate technology to perform KYC activities Increased internal resources working on KYC Difficulty to deal with ongoing regulatory and legislative change Risks related to regulatory fines and cost of remediation Potential damage to brand and reputation 2017 Deloitte Belgium 61

62 The cost of KYC Counterparty onboarding and initial risk assessment Risk based due diligence Oversight and reporting Ongoing monitoring and Ongoing due diligence Front Office Back Office People Compliance The cost of KYC? Specialist support Technical support Counterparty risk level Low Medium High Counterparty type INDIV CORP INDIV CORP INDIV CORP Infrastructure & Technology Inhouse External KYC onboarding XX EUR XX EUR XX EUR XXX EUR XX EUR XX EUR KYC maintenance XX EUR XX EUR XX EUR XX EUR XX EUR XX EUR Legal, Reputation, Commercial, 2017 Deloitte Belgium 62

63 KYC optimization Still some questions Utilities Interoperability Regulator Trust Standardisation of quality Managed Services Data Ownership BAU / Remediation Information Security 2017 Deloitte Belgium 63

64 Compliance Officer A hard job? 2017 Deloitte Belgium 64

65 Contact details Edwin Somers Director Risk Advisory Governance, Risk & Regulation Phone: Mobile: Deloitte Belgium 65