Belgian parent companies: Comments and recommendations
This page concerns the parent entities governed by Belgian law which are at the head of a group as defined in Article 4 (22) of the Anti-Money Laundering Law (see the Definitions page).
Although the AML/CFTP legislation and regulations are territorially applicable, the legal and reputational risk incurred by financial institutions that are part of a group and do not have an adequate AML/CFT policy is an overall risk that could affect the whole group, even in circumstances where the incident giving rise to the risk is limited to a single entity of the group.
Thus, the parent entity governed by Belgian law which is at the head of a group should coordinate the AML/CFTP policies of the group's operating entities, in order to ensure that the application of the different AML/CFTP legislations to which they are subject is carried out in a harmonious manner and to achieve an equal level of effectiveness of ML/FT prevention in all these entities. This involves developing AML/CFTP governance at group level and ensuring that a set of appropriate policies, procedures, implementation processes and internal control measures are adopted (see points 1 and 2 below). Where a group has branches or subsidiaries abroad, the parent entity should also ensure that each of the group's entities concerned complies fully with the locally applicable AML/CFTP legislation and regulations, on the one hand, and that the resulting level of requirements is at least equivalent to that required by Belgian legislation and regulations, on the other hand (see point 3 below).
Where the parent entity governed by Belgian law is itself a subsidiary of a parent company governed by Belgian law or by the law of another EEA country or a third country, the NBB considers that this parent entity governed by Belgian law fulfils its obligations defined in Article 13 of the Anti-Money Laundering Law and Articles 6 and 25 of the Anti-Money Laundering Regulation of the NBB by ensuring that the group policy defined by its own parent company and applicable to it:
- complies with Article 26 of the Anti-Money Laundering Regulation of the NBB (see in this respect the page Belgian subsidiaries and branches),
- enables it to comply with the statutory and regulatory obligations that apply to it as a parent entity governed by Belgian law, as well as with the recommendations set out below, and
- also applies to its own branches and subsidiaries.
If necessary, it should take appropriate additional measures to ensure that these conditions are met.
1. AML/CFTP governance at group level
In order to be able to coordinate the AML/CFTP policies at group level, the parent entity should implement an AML/CFTP governance system at group level that is proportionate to its size and ML/FT risk profile.
1.1. Role of the board of directors and the management committee of the parent entity of the group
The board of directors and the management committee of the parent entity of the group should implement a system for coordinating the management of ML/FT risks at group level.
Specifically, the parent entity's board of directors should notably (i) decide on the group's general ML/FT risk management strategy, (ii) validate the group's AML/CFTP policy and (iii) define a maximum ML/FT risk tolerance level for the group.
As for the management committee, it should in particular (i) set up an organisational and operational coordination structure at group level, (ii) validate the group's internal AML/CFTP procedures and ensure that these are consistent with the group's structure and with the size and characteristics of the financial institutions belonging to it, (iii) set up appropriate internal AML/CFTP control mechanisms at group level and (iv) regularly evaluate the effectiveness of the AML/CFTP policy at group level.
To this end, the management committee should formally entrust the senior officer responsible for AML/CFTP, designated in the parent entity in accordance with Article 9 §1 of the Anti-Money Laundering Law (see point 1 of the Governance page), with the highest responsibilities at group level on AML/CFTP policy and internal control. The management committee should also appoint an AMLCO at group level. In this respect, it is the responsibility of the parent entity to determine, based on the nature, size and ML/FT risk profile of the entity and of the group, taking into account the weight of the tasks to be performed and the availability condition set out in Article 9 §2 of the Anti-Money Laundering Law, whether the group-level AMLCO function can be performed effectively by the AMLCO appointed at the parent entity level (see point 2 of the Governance page) or whether a separate group-level AMLCO should be appointed. This decision should be communicated to the Bank in accordance with the instructions in point 3 of the Governance page and, if necessary, adjusted if the underlying elements should change.
Where the management committee is informed, e.g. by members of the board of directors, the senior officer responsible for AML/CFTP or the group-level AMLCO, of supervisory activities carried out by a supervisor in group entities or of deficiencies identified in the course of such activities, it should ensure that the subsidiary or branch implements remedial measures in a timely and effective manner.
1.2. Group-level AMLCO
Group-level AMLCOs have the following tasks:
- coordinate and supervise the drafting, in accordance with the principles defined at group level, and the effective implementation by each entity of the group of internal procedures for the overall assessment of the ML/FT risks to which it is exposed;
- organise the centralisation of the results of risk assessments carried out at local level in order to have a good knowledge and understanding of the nature, intensity and location of the ML/FT risks to which the group as a whole is exposed. In this respect, the parent entity of the group should take into account, in its ML/FT risk management system at group level, both the individual risks of the various entities of the group and their possible interrelations that could have a significant impact on group-wide risks. In this respect, particular attention should be paid to the risks to which the group's branches or subsidiaries established in non-equivalent third countries or third countries presenting a high ML/FT risk are exposed (see below);
- taking into account the knowledge of the ML/FT risks to which the group is exposed, coordinate the definition of the AML/CFTP policies and procedures of the different entities of the group with a view to ensuring consistency and a high level of effectiveness of prevention measures throughout the group. In this respect, the group-level AMLCO should ensure that local policies and procedures not only guarantee compliance with the AML/CFTP legislations and regulations applicable to each entity of the group individually, but also aim, more broadly, to identify, control and reduce local ML/FT risks in a manner consistent with the principles applicable in this respect throughout the group;
- coordinate the activities of the various local AMLCOs in the group’s operational entities in order to ensure their coherence;
- monitor branches and subsidiaries established in third countries for compliance with EU rules on AML/CFT, in particular where requirements to prevent ML/FT are less stringent than those in applicable EU texts;
- establish group-wide policies, procedures and measures, particularly regarding data protection and intra-group information exchange related to AML/CFTP in accordance with national statutory provisions;
- ensure that group entities have adequate procedures for reporting suspicious transactions and that they properly share information, including information that a suspicious transaction has been reported (without prejudice to any existing national confidentiality requirements).
There should be a direct reporting line between the AMLCO of a subsidiary or branch and the group-level AMLCO.
The group-level AMLCO should issue an activity report at least once a year and submit it to the group’s management committee and board of directors. In addition to the topics mentioned in point 2.5 ‘Activity report by the AMLCO’ of the Governance page, the group-level AMLCO’s report should devote special attention to the aspects raised by the AMLCOs of the branches and subsidiaries, as mentioned in point 4 of the AMLCO activity report template. The Bank expects a single activity report to be prepared, covering topics at both the parent entity and group levels; this activity report should be prepared by the AMLCO at parent entity level and the group-level AMLCO - each in terms of their responsibilities - if these functions are performed by different persons (see point 1.1 in this regard).
The coordination at group level should not affect the legal capacity of subsidiaries and branches to meet their statutory and regulatory obligations applicable at local level and the capacity of the management bodies of these entities to manage their local AML/CFTP policy.
1.3. Intra-group outsourcing
The local rules on outsourcing should be respected when AMLCO functions of local entities are outsourced in their entirety to the group-level AMLCO located in the parent company. Without prejudice to these rules, the parent entity of the group should (i) also establish an inventory of cases of intra-group AML/CFTP outsourcing, in order to determine which function relates to which legal entity and (ii) ensure that intra-group outsourcing does not compromise the compliance of each subsidiary with its AML/CFTP obligations. See in this respect item 3 of the Governance page.
2. Policies, procedures, processes and internal control measures at group level
In order to be able to coordinate the group's AML/CFTP policies, the parent entity should define and implement a set of (i) policies, (ii) internal procedures, (iii) implementation processes and (iv) internal control measures. These policies, procedures, processes and internal control measures should be proportionate to the size and the AML/CFTP risk profile of the group.
2.1. Risk assessment at group level
It is recommended that the AML/CFTP organisation of the group provides appropriate measures to centralise the results of the overall risk assessments of the different entities of the group at parent entity level. This centralisation should enable the parent entity to know and understand the nature, intensity and location of the ML/FT risks to which the group as a whole is exposed, also taking into account possible interrelations between the ML/FT risks to which different entities of the group are exposed and which may have an impact on the group, in order to adequately respond to the BC/FT risks to which the group is exposed.
2.2. AML/CFTP policy of the group
The group-wide AML/CFTP policy includes the fundamental principles to be followed within the group to ensure proper coordination of the measures taken to prevent the ML/FT risk to which the group is exposed. This policy should cover four aspects:
- ML/FT risk assessment at group level;
- customer acceptance;
- information sharing within the group; and
- data protection.
2.2.1. ML/FT risk assessment at group level
One of the key points for effective and relevant management of ML/FT risks within the group is the implementation of consistent AML/CFTP standards throughout the group. It is therefore important that each group develops a general policy for the management of the group's ML/FT risks which provides a framework for the specific ML/FT risk management policies applicable in each entity of the group. The latter should implement the standards applicable throughout the group at the level of the entity concerned and ensure their effectiveness, even when local specificities or specificities related to the activities carried out also need to be taken into consideration.
The ML/FT risk management policy at group level should include at least:
- The main principles of the risk-based approach to be implemented throughout the group. These main principles should cover at least (i) uniform rules for the elaboration of global risk assessments in the operational entities and (ii) standard risk criteria on which the risk-based approach developed at local entity level is based;
- The maximum level of ML/FT risk tolerance for the group;
- Guidelines to be followed in managing the AML/CFTP policies at local level. These guidelines include in particular:
- criteria to ensure an equivalent level of customer and transactions due diligence and diligence with regard to the analysis of atypical transactions. These standards should concern at least:
- the essential rules of the system for monitoring business relationships and transactions, and
- the procedural rules for the analysis and the follow-up to be given, on the basis of that analysis, to the atypical operations detected;
- the main principles to be followed in the organisation of the AML/CFTP policy to be implemented throughout the group. Such measures include in particular:
- the implementation of an adequate organisation, taking into account in particular the principle of separation of functions,
- the implementation of procedures laid down in accordance with the essential principles defined at group level,
- information exchange and feedback to local entity management bodies, and
- the effective inclusion of the control of AML/CFTP aspects in the scope of the internal audit.
- criteria to ensure an equivalent level of customer and transactions due diligence and diligence with regard to the analysis of atypical transactions. These standards should concern at least:
2.2.2. Customer acceptance within the group
The risk-based approach applied by each entity of the group to identify customers, verify their identity, know customers characteristics, know the purpose and nature of business relationships, and to accept customers should be defined in accordance with the statutory and regulatory provisions applicable to the entity concerned and taking into account the specific features of the activities it carries on.
Nevertheless, the rules for the risk-based approach implemented by the various entities should be coordinated at group level in order to guarantee consistency throughout the group and to ensure that each entity of the group imposes on itself the required level of rigour in collecting and verifying the information required for consistent application of the customer acceptance policy.
Thus, the parent entity of the group is expected to define a group policy for customer acceptance in order to guarantee a consistent assessment of the risks that customers may represent, regardless of the group entity with which they wish to enter into a relationship.
This customer acceptance policy of the group should contain:
- general risk criteria for classifying customers by risk category; and
- procedural rules relating to the examination of applications and the decision to enter into a relationship with customers, depending on the level of risk that these customers are likely to present.
2.2.3. Information sharing within the group
The exchange of information between the group entities is essential for the full effect of the group's AML/CFTP policy.
In view of the specific nature of this information, the NBB expects financial institutions to allow only the AMLCO or members of its team to transmit and/or have access to the exchanged customer information.
The NBB considers that exchange of information within the group is particularly desirable with a view to:
- consistently implementing the ML/FT risk assessment obligations in the different entities of the group;
- implementing the group's customer acceptance policy (in particular with a view to identifying customers who enter into business relationships or carry out transactions through various entities of the group);
- consistently exercising due diligence towards customers, business relationships and transactions, taking into account, in particular, all business relationships and transactions entered into by the same customer with various entities of the group;
- analysing detected atypical transactions in order to meet the statutory obligations to report suspicions, and to ensure an appropriate follow-up of these reports within the group (cf. Article 56 §2 (1) and (2) of the Anti-Money Laundering Law).
Article 13 §1 of the Anti-Money Laundering Law specifies that, when required for the prevention of ML/FT, the following relevant information must be shared in particular between group entities:
- information on the identity and the characteristics of the customers;
- information on the identification of the agents and beneficial owners, where applicable;
- information relating to the purpose and nature of the business relationship;
- information on the transactions;
- and unless otherwise indicated by CTIF-CFI (or by another FIU where applicable), information on suspicious transaction reports involving the customers.
It is also recalled that Article 56 §2 (1) and (2) of the Anti-Money Laundering Law authorises, under the conditions specified therein, the disclosure of suspicious transaction reports and the sharing of information relating thereto (in particular, analyses that may lead to or have lead to identifying these transactions as suspicious) within groups of financial institutions (see the page Prohibition of disclosure). The NBB recommends to make use of this authorisation whenever relevant in order to achieve optimal effectiveness of the ML/FT prevention within the group. However, given the particularly sensitive nature of this information, it should be ensured that it is shared in accordance with terms and conditions providing satisfactory guarantees with regard to the confidentiality and use of the information shared, including guarantees to prevent disclosure thereof. Thus, this information should only be forwarded to those persons in the group who are in charge of AML/CFT and for whom this information may be useful in the performance of their tasks and responsibilities in this area, and this information should be exchanged via secure channels.
2.2.4. Data protection
Since the exchange of information within the group described above will generally involve the transmission, between the entities of the group, of personal data concerning the customers, the framework for this exchange should be defined in compliance with the statutory provisions on the protection of personal data that are applicable. It is therefore important to ensure that these information flows comply with Regulation 2016/679 of 27 April 2016 on the protection of personal data ("GDPR"). Account should be taken of the conditions under which, in accordance with the said Regulation, the transmission of information to subsidiaries and branches located in EEA countries, as well as the additional conditions to which the said Regulation subjects the transmission of information to entities located in third countries.
2.3. Internal procedures of the group
Based on its group AML/CFTP policy, the parent company of a group should ensure that each entity of the group has established and effectively implements all required internal AML/CFTP procedures.
2.4. Implementation process at group level
To effectively coordinate the AML/CFTP policies applicable at local level, the group-level AMLCO should have at its disposal an IT tool to effectively implement information sharing on the AML/CFTP aspects within the group.
2.5. Internal control measures within the group
The group's parent entity should ensure that internal control measures are adopted to ensure that the AML/CFTP policies that are implemented within the group's various operating entities are applied harmoniously and consistently. These mechanisms inter alia involve the regular performance of internal AML/CFTP audits by the internal audit function of the group.
Furthermore, if the group includes subsidiaries or branches abroad (EEA or third countries), the parent entity should ensure, if necessary through on-site controls conducted by its internal audit function, that these subsidiaries and branches actually have the required administrative organisation and internal control, not only to comply with local AML/CFTP legislation, but also with the various above-mentioned standards defined at group level.
3. Application of local legislation by branches and subsidiaries established abroad
The provisions of the Anti-Money Laundering Law and the Anti-Money Laundering Regulation of the NBB have a territorial scope. They therefore do not apply to branches and subsidiaries of a Belgian parent entity that are established abroad. However, pursuant to the same principle of territoriality, these branches and subsidiaries are subject to the statutory and regulatory AML/CFTP provisions of their country of establishment.
In this respect, a distinction can be made depending on whether the subsidiary or branch is located in an EEA country or in a third country.
3.1. Branches and subsidiaries established in another EEA country
Where subsidiaries or branches are established in another EEA country, Article 13 §2 of the Anti-Money Laundering Law provides that such subsidiaries and branches are required to ensure compliance with the national provisions of that other country transposing Directive 2015/849. However, with a view to the sound management of ML/FT risks, the Belgian parent entity of a group should also ensure that these subsidiaries and branches also comply with the group's AML/CFTP policies.
3.2. Branches and subsidiaries established in a third country
Where subsidiaries or branches are established in third countries, Article 13 §3 of the Anti-Money Laundering Law makes a distinction according to whether or not the third country is considered equivalent:
- In case of a third country imposing minimum AML/CFTP obligations at least as strict as those provided for in the Anti-Money Laundering Law, the Belgian parent entity should ensure that its subsidiaries and branches established in that third country comply with the national AML/CFTP provisions of that third country. The Belgian parent company should also ensure that these subsidiaries and branches comply with the group's AML/CFTP policies.
- In case of a third country imposing minimum AML/CFT obligations which are less strict than those provided for in the Anti-Money Laundering Law, the Belgian parent company should ensure that its subsidiaries and branches concerned apply the obligations set out in the Belgian Anti-Money Laundering Law (including data protection obligations, as far as the law of the third country allows). In concrete terms, this means that branches and subsidiaries of Belgian groups should apply measures complementary to those provided for locally to deal effectively with ML/FT risks. In addition, the Belgian parent company should also ensure that these branches and subsidiaries fully comply with the group-wide policies and procedures. If local legislation precludes the application of these stricter regulations, the parent company should take appropriate measures, in accordance with the provisions of Commission Delegated Regulation (EU) 2019/758 of 31 January 2019 on the one hand, and inform the NBB, on the other.
Where a financial institution carries out transactions or maintains business relations with natural or legal persons or with legal arrangements, such as trusts or fiducies, which are established in a high-risk third country, the first subparagraph of Article 38 of the Anti-Money Laundering Law requires it to implement enhanced due diligence measures (see the page High-risk third countries). Where a Belgian parent entity has established a branch or subsidiary in such a country, it should in principle require that subsidiary or branch, pursuant to the second subparagraph of Article 13 §3 of the Anti-Money Laundering Law, to implement such enhanced due diligence measures with regard to all its own local customers.
The NBB considers that the correct application of the above-mentioned statutory obligations implies that the Belgian parent entity which plans to establish a branch or subsidiary in a third country carries out or has carried out a detailed and reliable legal analysis of the statutory and regulatory framework in the field of AML/CFTP and other related matters (in particular the protection of personal data and privacy) which is in force in the host country, in order to determine whether this statutory framework can be considered equivalent or, if not, to identify the local law provisions that are less stringent than those laid down under Belgian law and to determine which additional obligations should be imposed by the parent entity on its subsidiary or branch established in the third country concerned. Moreover, as the locally applicable statutory framework is likely to evolve over time, the NBB considers that parent entities should have appropriate "regulatory due diligence" mechanisms in order to be rapidly informed of any relevant legislative or regulatory changes in third countries in which subsidiaries or branches of the group are established. It is their responsibility to update their above-mentioned legal analyses on this basis in order, if necessary, to rapidly adopt appropriate measures with regard to their subsidiaries and branches concerned if these statutory or regulatory changes require so. The NBB expects the Belgian parent entities to be able to provide it, on first request, with a copy of their updated legal analyses concerning each of the third countries in which subsidiaries and branches of the group are established, and to demonstrate to it that the additional measures imposed on them are appropriate to achieve a level of requirements equivalent to that provided for by Belgian legislation.
Finally, in accordance with Article 14 of the Anti-Money Laundering Law, it is recalled that financial institutions may never open a branch or representative office in countries designated by the King pursuant to Article 54 of the Law.
Disclaimer: This English text is an unofficial translation and may not be used as a basis for resolving any dispute.