The Cyprus Securities and Exchange Commission has published circular 319, partly in English, that describes the novel elements in its new Directive for the Prevention and Suppression of Money Laundering and Terrorist Finance.

The directive itself is in Greek and inaccessible to English readers. The circular, however, refers to new rules in the following categtories.

Obliged Entity

The term (which for some reason the circular describes as a definition) ‘financial organisation’ is replaced by the term ‘obliged entity.’ This term refers to the categories of persons that fall into the ambit of the directive.

Appointment of a board member

One member of each obliged entity’s board of directors should  be appointed as its "responsible person for the implementation of the legal framework related to the prevention and suppression of money laundering and terrorist finance." Information about this can be found in paragraph 5A of the directive.

Appointment of alternate AML compliance officer

The obliged entity should appoint temporarily an alternate AML compliance officer, when the AML compliance officer is absent. Paragraph 8 (which contains information regarding the alternate AML compliance officer’s appointment) of the directive does not apply when the AML compliance officer resigns from his position, because in such a case the obliged entity should appoint a new AML compliance officer.

Assessment of money laundering and terrorist financing risk

The obliged entity, when assessing  the risk of money laundering and terrorist finance taking place within its walls, should take into account (among other things) the European Union's "risk factor guidelines" and any guidelines issued by the Financial Action Task Force (FATF).

Third-party reliance

The obliged entity that relies on a third party (the circular does not say who the first and second parties are) for CDD or "customer due diligence" (a Basel Group term for "know your customer" controls) and identification procedures should apply the measures and procedures described in paragraph 25.

Types of document

According to paragraph 33, the obliged entity may collect original documents and true copies of the original documents. Additionally, as long as some conditions are met, it may use electronic means for the collection of data and information.

United Nations (UN) and European Union (EU) sanctions regimes

The obliged entity should apply the measures and procedures described in paragraph 36 for these.

Non-exhaustive list of factors and measures

The Fourth Appendix of the directive is a non-exhaustive list of: (a) factors of potentially higher risk that the obliged entity should take into account during its risk-based approach to compliance, and (b) "enhanced customer due diligence (ECDD, a term that the FATF introduced in 2012) measures, which ought to be applied in highly risky cases.

Application

All this applies to Cyprus investment firms, administrative service providers, Undertakings for the Collective Investment in Transferable Securities, management companies, Internally Managed Undertakings for the Collective Investment in Transferable Securities, Alternative Investment Funds and Internally Managed Alternative Investment Funds.

All amendements to the previous directive are published in the circular, but only in Greek.

The EU's risk factor guidelines

The EU published its so-called "risk factor guidelines" in accordance with Articles 17 and 18(4) of Directive (EU)2015/849 on the subject of "simplified and enhanced customer due diligence" (SCDD and ECDD, formerly known as SDD and EDD) in January last year. These are to guide firms as they assess the risks of being used by money launderers in business relationships and/or occasional transactions.

‘Source of funds’ means the origins of the funds involved in business relationships or occasional transactions. It includes both the activity that generated the funds, for example customers' salaries, plus the means through which customer’s funds have been transferred. ‘Source of wealth’ means the origin of the total wealth of customers, for example inheritance or savings. Both are factors.

The emphasis is on "obtaining a holistic view." The EU expects member-states to oblige their financial institutions to gather enough information to spot all relevant risk factors, including "EDD/extra due diligence" or "additional CDD measures," and assess those risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction. It warns that the risk factors listed in the guidelines are not exhaustive and that it does not expect firms to consider all risk factors in all cases. It wants them to keep their risk assessments up-to-date and under review. One of the sources of information on which firms should draw when considering the risks - the least important, if its appearence at the end of the list is anything to go by - is information obtained as part of the initial CDD process. The more important, or certainly more urgent ones, are the bulletins and diktats of various government agencies, notably risk assessments by the EU (this comes at the top), information from governments, such as their national risk assessments, policy statements, alerts and explanatory memoranda about laws; information from regulators, such as 'guidance' and the (in all cases arbitrary) reasons that they give for levying fines; information from the police and financial intelligence units (FIUs) such as threat reports, alerts and case studies.

"Product, service and transaction risk factors" include the consideration of whether a product favours anonymity; or allows payments from third parties that are either associated with the product nor identified upfront; or places no restrictions on turnover or cross-border transactions; or lending (including mortgages) is secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify.

The nature of the customer is a risk factor and this includes customers who are not 'resident.' Here the paper states: "Banks should note that article 16 of [the Payment Accounts Directive of 2014] creates a right for every consumer who is legally resident in the European Union to obtain a basic bank account, although the right to open and use a basic payment account applies only to the extent that banks can comply with their AML/CFT obligations and does not exempt banks from their obligation to identify and assess money-laundering risk, including the risk associated with the customer not being a resident of the member-state in which the bank is based. The EU frowns on HNW customers with income and/or wealth from highly risky sectors such as arms, the extractive industries, construction, gambling or private military contractors, customers about whom credible allegations of wrongdoing have been made, customers who expect unusually high levels of confidentiality or discretion, customers whose spending or transactional behaviour makes it difficult for bankers to "establish normal or expected patterns of behaviour," customers with high public profiles, politically-exposed persons/PEPs, and customers who ask financial firms for help with the provision of products or services by third parties without a clear business or economic rationale. If a customer or a customer’s beneficial owner is a PEP, the firm in question must always apply EDD.

The customer’s behaviour is another factor. He might be reluctant to provide CDD information, or seem to avoid face-to-face contact deliberately or submit evidence of identity in a non-standard form for no apparent reason. His behaviour or transaction volume might not be in line with somebody-or-other's expectations, or be incompatible with the information that he provided when opening his account. The customer’s behaviour might be unusual, for example if he unexpectedly and without reasonable explanation accelerates an agreed repayment schedule, by means either of lump-sum repayments or by early termination; or if he deposits or demands a payout of high-value bank notes without apparent reason; or if he increases activity after a period of dormancy; or makes transactions that appear to have no economic rationale.

Country risk is a factor, with the EU using such vague phrases as "jurisdictions associated with higher ML/TF risk," "an AML/CFT [anti-money-laundering and countering-the-financing-of-terrorism] regime that is not less robust than that required under Directive (EU) 2015/849," "jurisdictions known to provide funding or support for terrorist activities," and so on.

Distribution channels contain risk factors as well. These are:

• non-face-to-face business relationships, where no adequate additional safeguards – for example electronic signatures, electronic identification certificates issued in accordance with Regulation EU (No) 910/2014 [on electronic identification and trust services for electronic transactions in various parts of the EU] and anti-impersonation fraud checks – are in place;
• reliance on a third party’s CDD measures in situations where the bank does not have a long-standing relationship with the referring third party; and
• new delivery channels that nobody has tested yet.

Risk factor guidelines for wealth managers

The EU defines wealth management (which it says is also known as private banking) as the provision of banking and other financial services to high-net-worth individuals and their families or businesses. Clients of wealth management firms can expect dedicated relationship management staff to provide them with tailored services that might cover banking (e.g. current accounts, mortgages and foreign  exchange), investment management and advice, fiduciary services, safe custody, insurance, family office services, tax/estate planning and associated facilities, including legal support. Many of the features that the EU associates with wealth management (such as wealthy and influential clients; very high-value transactions and portfolios; complex products and services, including tailored investment products; and an expectation of confidentiality and discretion) are, in its eyes, "indicative of a higher risk for money laundering relative to those typically present in retail banking." It is noteworthy that in these guidelines the EU, unlike HM Government in the UK, views private banking and retail banking as two separate things.

The following factors may contribute to a rise in risk.

• Customers asking for large amounts of cash or other physical stores of value such as precious metals. With the status of crumbling fiat currencies to protect, governments all over the world but especially in the EU are waging what the media often calls "the bankster war on cash." Governments also view the owning of gold with increasing suspicion and hostility, as it is a true store of value and therefore anathema to the ever-debasing currencies that they propagate.
• Transactions of very high value.
• Financial arrangements involving jurisdictions that someone - presumably anyone in power in any EU state at the time - associates with high ML/TF risk (firms should  pay particular attention to countries that have a culture of banking secrecy or that do not comply with international tax transparency standards).
• Lending (including mortgages) secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify.
• The use of complex business structures such as trusts and private investment vehicles, particularly where the identity of the ultimate beneficial owner may be unclear.
• Business taking place in more than one country, particularly when it involves more than one provider of financial services.
• Cross-border arrangements in which assets are deposited or managed at another financial institution, either of the same financial group or outside the group, particularly if the other financial institution is in a jurisdiction that someone-or-other (presumably someone official) associates with higher ML/TF risk. Firms should pay special attention to jurisdictions "with higher levels of predicate offences," whatever that means, or with weak AML/CFT regimes (which includes all of them, although the EU - unlike the United Nations - does not make this obvious point) or weak tax-transparency standards.

Other subjects

The guidelines also contain rules for life insurers and investment managers, especially discretionary fund managers or DFMs, and the providers of investment funds.