On 23 February 2022, the FMA published its updated circulars on the prevention of money laundering and terrorist financing. The amendments affect all four circulars, i.e., those on due diligence, risk analysis, internal organization and reporting requirements.
The main changes at a glance:
- Introduction of a Know-Your-Customer's-Customer Principle (KYCC) when obtaining information on the purpose and nature of the business relationship as well as the verification of the origin of funds.
- New requirement to audit the use of funds as part of the continuous monitoring of business relationships to prevent terrorist financing.
- Clarifications on the identification and verification of the beneficial owner of private equity funds.
- Clarification of the due diligence requirements with regard to the compliance package.
- Adaptation of circulars to include due diligence requirements to be met by service providers in relation to virtual currencies.
- Adaptation of the circular on risk analysis to the current national risk analysis.
In this article we have summarized all the main changes for you in a compact way.
Background to the update of the FMA circulars
The amendment of the FMA Circulars became necessary due to changes in the legal situation (in particular the Compliance Package and the amended Money Laundering Act). Furthermore, the new EBA guidelines on risk factors of 1 March 2021 as well as the national risk analysis of May 2021 are taken into account. Finally, the circulars were supplemented with requirements for service providers in relation to virtual currencies, which the FMA has been required to supervise since January 2020.
For financial market participants subject to the Financial Market Money Laundering Act (FM-MLA), this results in numerous innovations that may trigger an adjustment of their internal strategies, systems and procedures to combat money laundering and terrorist financing.
We will first present all significant changes regarding the FMA Circular on due diligence requirements. Below you will find the most important changes to the other circulars (risk analysis, internal organization, reporting requirements).
Know Your Customer's Customer (KYCC)
First of all, the most important change from our point of view: According to the FMA, in individual cases, i.e. depending on the risk of the client or the transaction, obligated persons must also obtain information and, if necessary, documents on material business partners and other relevant contractual parties of the client. This information should then be documented as part of a KYC profile of the client.
The aim of obtaining "KYCC" information is to gather information on the legal origin of the funds used or to identify and investigate anomalies.
In contrast to the consultation draft, the final circular contains examples on the application of the KYCC principle:
- The first example is a corporate client of a credit institution exporting goods to a high-risk country. Before establishing a business relationship with such a customer, the institution should obtain information on the customer's business activities and business environment. In the course of this, it is also necessary to obtain, or to research, information on the client's significant business partners and thus on the legal origin of the funds used in the business relationship.
- As a second example, a customer relationship of a credit institution with a natural person who sells a property is given. If certain risk factors are present (very high or non-standard purchase price, complex construction, unusual method of payment, etc.), the FMA believes that merely presenting the purchase agreement will not be sufficient. In the cases mentioned, it should be necessary to collect, or at least to research, further information on the legal origin of the funds used and thus on the "business partner" of the customer (in this case the buyer).
Overall, the probative value of the information or documents should be oriented to the respective risk of the client or the transaction. The higher the risk of the client or the transaction, the stricter the requirements with regard to the informative value / independence of the information or documents to be obtained on the client's significant business partners or other relevant contractual parties.
We take a critical view of the obligation to obtain KYCC information, as there is no legal basis for such a requirement. Even in European law and the FATF Recommendations, one searches in vain for indications of a KYCC principle. It is also not clear in which "individual cases" this obligation should be applicable. Further clarification by the FMA would have been desirable here.
Ultimately, this raises serious constitutional, data protection and civil law concerns. It therefore remains to be seen what concrete requirements the FMA will impose on the KYCC principle in supervisory practice and whether these requirements will stand up to scrutiny by the courts.
Specifics on the origin of funds test
The statements in the previous Due Diligence Circular on the verification of the origin of funds were quite concise and often caused discussions in practice.
The FMA now clarifies that in the course of the origin of funds audit and also in the course of continuous monitoring, it should be questioned and documented where the client got its assets from. The customer may have either generated the assets himself or received them from third parties (e.g. in the case of purchase or gift agreements). According to the FMA, if the customer's assets come from third parties, it may be necessary in the case of high-risk customers or transactions to identify the source of funds by providing additional information or, if necessary, by checking the plausibility of documents (in each case from an independent source).
The FMA clarifies that obtaining a contract without additional information or documents on the origin of assets is not sufficient in every case. This again addresses the KYCC principle. The insurance industry rightly stated during the consultations that a means test is not feasible in practice. After all, the customer himself is subject to data protection, data security or other confidentiality obligations with respect to its client.
In terms of further innovations, it should be noted that the circular lists risk factors that can be used in the plausibility check of transactions and the extent of documentation of the check of the origin of funds. These risk factors include the duration of the business relationship, the amount and number of transactions, the customer's risk rating, assets and financial situation, payment history, etc. The focus should not only be on the risk of the customer, but also on the risk of the individual transaction, so that suspicious transactions with customers in the standard risk should also be subjected to an in-depth review.
Tightening of continuous monitoring of business relationships: Verification of the use of funds
What is new is that, according to the FMA, an audit of the use of funds may also be required in addition to the audit of the origin of funds as part of continuous monitoring. The background to this is that, unlike money laundering, funds used to finance terrorism can also come from legal sources.
Therefore, risk-based information on the intended use of the business relationship or of the transaction must be obtained and subjected to a plausibility check. Obligated persons may not rely exclusively on verbal customer statements, but must also obtain conclusive, up-to-date documents on the purpose of use.
In our opinion, this requirement is excessive, as there is no legal basis for the verification of the use of funds. It is also questionable how an audit of the use of funds can be implemented in practice. In the course of the consultation, market participants rightly pointed out that there are hardly any possibilities to verify the information provided by the client and to obtain evidence on the intended use of the funds.
Furthermore, the FMA clarifies that the basis of continuous monitoring is the complete and meaningful collection and recording of all relevant KYC information of the client. Depending on the risk in question, the customer's business model, payment behavior, key business partners and transactions, as well as information on products and deliveries are to be recorded. If there is a corresponding indication of risk, the obligated party must be able to trace which business or contractual partner of the customer receives or commissions transactions, and for what reasons.
Facilitation of the verification of the beneficial owner
The legal changes to the compliance package make it easier to identify and verify beneficial owners, and this is now also taken into account in the FMA circular. Thus, obligated persons may determine and verify the beneficial owners of their clients on a risk-oriented basis by means of an extended extract and the documents contained in a complete compliance package. However, they have to make sure that the documents in the compliance package are sufficient in combination with the information at hand. If an obligated party comes to the conclusion that additional information and documents are required, these must be obtained. Thus, there must be no indications that could cast doubt on the accuracy of the notification or the accuracy and completeness of the documents contained in the compliance package.
In the circular, the FMA also emphasizes the change service pursuant to section 9 para 9 WiEReG. This allows obligated parties to be informed automatically when a change in the beneficial ownership of a customer occurs. The use of this change service can significantly increase the timeliness of the beneficial ownership data stored at the obligated party, which is why its use is recommended in practice.
Apart from these facilitations, however, the Circular clarifies that no risk-based approach to beneficial ownership verification is provided for legal entities. The scope of the verification steps is therefore the same at all levels and each individual intermediary must always be verified on the basis of conclusive documents. At the beginning of a new business relationship with a legal entity, it is mandatory to obtain an extract from the register of beneficial owners (see Article 7 para 1 FMLA).
A completely new section has been added on determining and verifying the identity of the beneficial owner in constellations in which a private equity fund appears in the chain of ownership. Several persons may be involved in the provision of a private equity fund, e.g., an AIFM, "general partner," fund initiator, advisors, investors, etc. Depending on the individual case, it may therefore be the case that several persons exercise (joint) control within the meaning of the WiEReG vis-à-vis the private equity fund.
An important source of information for the fulfillment of the due diligence obligations are the contracts and ancillary agreements from which the rights and obligations of the persons involved arise.
What must service providers observe with regard to virtual currencies?
In response to the growing interest in virtual currencies, the FMA has amended all circulars to include the due diligence obligations of service providers in relation to virtual currencies. The FMA Circular on Due Diligence now contains a separate section on the requirements and the procedure for their registration.
Also for service providers in relation to virtual currencies, the due diligence requirements of the FMLA must be applied not only when a permanent business relationship is established, but also in the case of occasional transactions, the amount of which is at least EUR 15,000 or an equivalent value of the virtual currencies.
We would like to point out in particular that, according to the FMA, the Money Transfer Regulation "applies equally to the transfer of virtual currencies". In our opinion, the Money Transfer Regulation does not apply to virtual currencies. The Money Transfer Regulation explicitly applies only to transfers of funds from or to (intermediary) payment service providers (Art 2 para 1 Money Transfer Regulation). "Transfer of funds" is defined in this context as a transaction "which is carried out … with the aim of providing a beneficiary … with an amount of money" (Art 3 Z 9 Money Transfer Regulation). Virtual currencies do not fall under the term "amount of money" according to Art 3 Z 8 Money Transfer Regulation in connection with Art 4 Z 15 Directive 2007/64/EC. This includes banknotes, coins, scriptural money and e-money, but not virtual currencies. Despite corresponding criticism during the consultation phase, however, the FMA has not changed this point.
In the FMA's view, this means that obligated parties (but de facto only service providers in relation to virtual currencies are affected) must obtain information and conclusive evidence as to who the owner of the relevant sender or recipient wallet is. This is to ensure traceability of virtual currency transactions and reduce anonymous transactions.
The FMA further provides guidance on how service providers must comply with general due diligence requirements with respect to virtual currencies. Thus, the following documents and information can be obtained as proof of origin of funds: an excerpt from the customer wallet, historical mapping of virtual currency purchases and sales or receipts received at ATMs, evidence of mining activity and virtual currencies generated, and transaction histories.
Furthermore, the FMA clarifies that both fiat money transactions and transactions with virtual currencies must be appropriately reviewed within the scope of continuous transaction monitoring. In the case of virtual currency transactions, monitoring by means of an IT-supported system is generally required in addition to the manual monitoring activities to be provided for.
In our opinion, employees should be made aware of these innovations in training sessions and internal work instructions and processes should also be adapted accordingly.
FMA Circular on Risk Analysis
The FMA Circular on Risk Analysis now takes into account the current national risk analysis from May 2021. By way of introduction, it provides a list of the currently significant predicate offences, methods and threats with regard to money laundering and terrorist financing. In this context, the most common methods used for money laundering are cryptocurrencies, money mules (illegal financial agents), hawala (informal transaction system for remittances to home countries) and forgery of documents.
Also new is the overview of the results of the national risk analysis in relation to the individual sub-sectors of the financial sector (cf. para. 26).
The FMA also clarifies that the EBA ML/TF Risk Factors Guidelines must be taken into account when preparing the risk analysis at the enterprise level and that the current supranational risk analysis of the European Commission also provides valuable input for the definition and analysis of relevant risk factors.
In addition, new risk factors relating to customers, products, services, transactions or sales channels have been added to the risk analysis at the individual customer level.
The circular also contains risk factors for determining and analyzing risks in the area of virtual currencies. In our opinion, these changes should be taken into account at the latest in the course of the next update of the company's internal risk analysis.
FMA circular internal organization
In the FMA Circular on Internal Organization, it was added that obligated parties must provide for regular audits of the area of prevention of money laundering and terrorist financing by the internal audit department or by an independent body. If the regular audit does not take place at least annually, appropriate measures must be taken to compensate for the lack of a regular audit. This includes, for example, quarterly meetings with internal audit, performance of various audit procedures, etc.
The scope of the audit by internal audit or of the examination by an independent body can be based on the type and scope of the business activity as well as the size of the obligated party. This also applies to branches of credit institutions from the EEA region with their registered office in Austria.
FMA Circular Reporting Obligations
The FMA Circular Reporting Obligations has been comprehensively expanded to include anomalies regarding business relationships, transactions and operations involving virtual currencies. These anomalies are particularly relevant for service providers related to virtual currencies or business models involving virtual currencies.
Furthermore, there are additions to the categories of predicate offences and the elements of the new money laundering offence, which must be taken into account in the course of suspicious activity reports pursuant to section 16 FMLA. Obligated entities should include these requirements in their policies in order to keep them up-to-date.
What can we do for you?
With our comprehensive know-how in the area of prevention of money laundering and terrorist financing, we can competently support you in the adaptation of AML policies, AML procedures, internal work instructions and employee manuals, the risk analysis and the associated processes to the new requirements. We look forward to your inquiry.