Policies, procedures, processes and internal control measures: Comments and recommendations
Financial institutions should set up an efficient AML/CFTP organisation that is commensurate with their nature and size. Fulfilling this obligation is essential to ensure compliance with substantive AML/CFTP obligations such as the obligation to exercise due diligence on transactions and business relationships, to analyse atypical facts and transactions and report suspicions of ML/FT, as well as the obligations related to transfers of funds, embargoes and assets freezing, etc. For this purpose, the Anti-Money Laundering Law reinforces coherence between the substantive AML/CFTP provisions and the AML/CFTP organisation (see the Explanatory Memorandum of the Anti-Money Laundering Law for more information on this subject) (see the page “Main reference documents”).
This organisation should include adequate measures not only for performing an overall ML/FT risk assessment, but also for using the results of this assessment as a basis for properly addressing the risks mapped (see point 1 below). It should comprise a set of internal policies, procedures and processes (see point 2) as well as an internal control system (see point 3).
However, in accordance with the principle of proportionality, the NBB could accept a simplified organisational structure (see point 4). Additionally, the AML/CFTP organisation is expected to be integrated harmoniously into the overall organisation of the financial institution (see point 5).
1. Links between the overall risk assessment and the organisation
The setting up of an adequate AML/CFTP organisation including all elements detailed below is closely linked to the overall risk assessment.
On the one hand, in order to perform an appropriate overall risk assessment within a financial institution, the objectives of this assessment should be clearly specified beforehand (internal policy aspect), the assessment should be performed in a sufficiently precise procedural framework and it should be subject to adequate internal controls to ensure the relevance and objectivity of its results in terms of mapping ML/FT risks and measuring their intensity.
On the other hand, the NBB expects financial institutions to base their AML/CFTP organisation, policies, procedures and internal control system as specified below on the results of their overall ML/FT risk assessment, which the entire AML/CFTP policy should address adequately and proportionately. Moreover, since these risks can evolve over time and their nature and size can be influenced by significant events, the overall risk assessment procedure should be updated periodically. When such an update reveals significant changes in the nature and/or intensity of previously mapped risks, the financial institution is required to examine whether its organisation, policies, procedures, processes and internal control system should be modified to adapt them to the changes found.
As a result, the NBB believes that financial institutions should consider it a top priority to set up an adequate and controlled organisational and procedural framework for the overall risk assessment, as this overall risk assessment is the essential basis for all other measures implemented in accordance with the legal and regulatory AML/CFTP requirements.
For further information on the content, preparation methodology and updating of the overall risk assessment, see the page “Overall risk assessment”.
2. AML/CFTP organisation
As regards their AML/CFTP organisation, financial institutions should define and implement (i) policies, (ii) internal procedures and (iii) implementation processes.
2.1. AML/CFTP policy
Article 8 of the Anti-Money Laundering Law requires financial institutions to develop and implement efficient and proportionate AML/CFTP policies first and foremost. These policies should establish the basic principles which should be complied with in the context of the financial institution’s activities and specified in detail in the internal procedures in order to be implemented effectively.
The NBB therefore expects each financial institution, by adopting its AML/CFTP policy in accordance with Article 8 of the Anti-Money Laundering Law, to clearly specify its self-imposed AML/CFTP objectives and the guidelines to be complied with when establishing internal procedures and processes (see below) in order to achieve these objectives. The AML/CFTP policy should cover the two aspects detailed below in particular:
- ML/FT risk management; and
- Customer acceptance.
The NBB expects this policy to be:
- formalised in a written document;
- validated by their board of directors;
- in accordance with the regulations in effect and with the changes made to them;
- proportionate and adapted to the nature and extent of their activities;
- distributed to all concerned staff (for example through a publication on the Intranet); and
- updated regularly (particularly following a change in the overall risk assessment).
This policy should also form a coherent whole with and be included completely or in summarised form in the integrity policy which is to be validated by the financial institution’s board of directors in accordance with the sectoral laws for prudential supervision. However, if the AML/CFTP policy is included completely in the institution’s integrity policy, the NBB asks that the former be easily identifiable within the latter.
2.1.1. ML/FT risk management
The NBB expects financial institutions’ AML/CFTP policy to contain a section dedicated to ML/FT risk management which should cover three domains:
- the basic principles of the ML/FT risk-based approach chosen;
- the maximum ML/FT risk tolerance; and
- the guidelines to be followed when defining the ML/FT risk management procedures and measures and internal control measures.
The first part of the policy should establish the basis of the risk-based approach applied by the financial institution in accordance with Article 7 of the Anti-Money Laundering Law. This first part of the ML/FT risk management policy, which is obligatory for all managers, staff members, agents and representatives of the financial institution, should aim to raise the awareness of all these persons about the necessity of recognising the existence of the risks to which the financial institution is exposed, of measuring these risks in an objective and impartial manner and of implementing management and reduction measures that are proportionate and adapted to their size and nature. For this purpose, this first part of the ML/FT risk management policy should, in order to establish an adequate overall risk assessment procedure (see below), contain a general description of the risk variables to be taken into account and the basic principles to be followed in terms of risk factor mapping and analysis.
The second part should specify maximum risk tolerance limits for each activity segment subject to ML/FT risk. This ML/FT risk strategy should be integrated in a coherent and harmonious manner (i) into the general risk appetite policy which is to be validated by the board of directors pursuant to the sectoral supervisory laws and, (ii) where appropriate, into the specific policy or policies on operational and reputational risk. Account should also be taken of the primary objective of the Anti-Money Laundering Law, i.e. reducing ML/FT risk within individual financial institutions as much as possible and requiring them to respond appropriately when this risk materialises, in order to prevent it from spreading throughout the financial sector and society in general.
The third part of the policy should contain a general description of (i) the manner in which the institution intends to manage each ML/FT risk mapped in the overall risk assessment, (ii) the link between the ML/FT risk management measures implemented within the financial institution and the maximum ML/FT risk tolerance policy, and (iii) the guiding principles for defining the internal control measures to be implemented to ensure the efficiency of the ML/FT risk management measures. This third part should include the reference framework to be used as a basis for establishing the internal risk-based procedures to be applied for identifying and verifying the identity of persons involved in business relationships or occasional transactions. In this regard, see the page “Object of the identification and identity verification” in particular.
This section of the AML/CFTP policy, which is dedicated to ML/FT risk management, should be integrated harmoniously with financial institutions’ existing risk management policies.
2.1.2. Customer acceptance
The customer acceptance policy is an extension of and forms a coherent whole with the ML/FT risk management policy. In terms of principles, it primarily aims to determine the conditions regarding the reduction of ML/FT risk which the financial institution imposes on itself for entering into a business relationship with its customers or becoming involved in performing occasional transactions for its customers. This customer acceptance policy should enable institutions to adequately take into account the overall risk assessment and the diversity of the risks mapped in terms of nature and intensity. This diversity should also be reflected in the risk classification. The customer acceptance policy should thus enable institutions to define appropriate procedures and arrangements for entering into a business relationship with or performing transactions for these customers. It is important to note that the customer acceptance policy is essentially intended to serve as a framework for the decision-making process as regards the establishment of a business relationship or the execution of the occasional transaction and the nature and intensity of the due diligence measures to be implemented. However, these decisions may not result automatically from the customer acceptance policy, but require an individual risk assessment carried out in accordance with Article 19 of the Anti-Money Laundering Law that allows the possible specificities of each individual case to be taken adequately into account.
In concrete terms, the financial institution should specify the following in its customer acceptance policy, depending on the characteristics of the products and services offered by it and on the customers targeted by it:
- the general criteria for assigning new customers to different risk categories;
- the principles for the differentiated allocation of the power to decide to enter into the business relationship or perform the transaction desired by the customer to persons with an adequate hierarchical level for each risk category. In this regard, particular attention should be paid to the customers (i) who are considered to be posing a high risk pursuant to Article 19, § 2, of the Anti-Money Laundering Law, (ii) who are referred to in Articles 37 to 41 of the Law, (iii) who request the opening of numbered accounts or the conclusion of numbered contracts, and (iv) for whom no relevant information regarding their address or, where appropriate, the date and place of birth of their beneficial owner(s) could be collected; and
- the basic principles to be followed by the procedures implementing the mandatory provisions on financial embargoes that are applicable at the start of the relationship.
2.2. Internal procedures
On the basis of their AML/CFTP policy (see above), financial institutions are required to draft AML/CFTP procedures for their staff and agents.
The NBB particularly recommends developing procedures on at least the following subjects:
- overall risk assessment (see the page on this subject);
- customer and transaction due diligence measures (see the page on this subject);
- analysis of atypical facts and transactions and reporting of suspicions to CTIF-CFI (see the page on this subject);
- the measures required for compliance with the obligations related to financial embargoes and assets freezing and, where appropriate, with the European Regulation on transfers of funds (see the pages on these subjects);
- data and document retention and protection (see the pages on this subject: “Data and document retention” and “Personal data processing and protection”); and
- internal whistleblowing (see the page on this subject).
The NBB expects financial institutions’ AML/CFTP procedures to be:
- formalised in writing;
- validated by their management committee (or their senior management if there is no such committee) or, in case of minor changes, by the senior officer responsible for AML/CFTP;
- in accordance with the regulations in effect and with the changes made to them;
- proportionate and adapted to the nature and extent of their activities;
- comprehensive, detailed and operational (where appropriate, specific procedures should be established for each activity);
- distributed to all concerned staff; and
- updated regularly (particularly following a change in the overall risk assessment).
2.2.1. Overall risk assessment procedure
Given the crucial role played by the overall risk assessment in the AML/CFTP system to be developed by financial institutions, the NBB believes that each of them should consider it a top priority to develop a robust procedural framework ensuring a high level of relevance and objectivity for the results of the assessment (also see Chapter 1. above).
This internal procedure should at least include:
- a list of the relevant risk variables and factors taken into account and of the sources of quantitative and/or qualitative information for each of these factors used;
- the methodology for analysing risk factors, including any weightings;
- the procedure for the validation and adoption of the results of the overall risk assessment by the institution’s management committee or senior management;
- the procedure for informing the board of directors about the approved results of the overall risk analysis;
- the arrangements for updating the overall risk assessment, including during its periodic review or following significant events.
The overall risk assessment procedure should take particular account of high-risk cases for which the Anti-Money Laundering Law requires enhanced due diligence (see the page “Special cases of enhanced due diligence”).
2.2.2. Procedures relating to customer and transaction due diligence measures
Generally, internal procedures relating to customer and transaction due diligence measures should be a direct extension of the risk classification. Indeed, it should be recalled that financial institutions should be able to demonstrate for each of their risk categories that their internal procedures relating to due diligence measures are appropriate for mitigating the risks classified in this way, taking into account their nature and intensity.
Moreover, if the activities performed are diverse, it could also be appropriate for the financial institution, for risks of the same level and the same nature, to establish distinct due diligence procedures for each of its activities, to adequately take into account their specificities, notably in terms of their organisation within the financial institution. In such a case, however, the financial institution should ensure the overall coherence of its diverse due diligence procedures.
The internal procedures relating to customer and transaction due diligence measures should cover at least the elements listed below.
Attention should also be paid to the necessity for financial institutions to establish their internal procedures referred to here in compliance with the specific provisions of the Anti-Money Laundering Law regarding data retention and protection (see the pages “Data and document retention” and “Personal data processing and protection”) and with all other applicable legislation and regulations, such as those listed on the page “Due diligence requirements and compliance with other legislations”. As regards the latter aspect, financial institutions can nevertheless deem it preferable to establish specific internal procedures (see section 2.2.5. below).
A. Procedure for identifying and verifying the identity of customers, agents and beneficial owners
A.1. Exhaustive listing of the persons to be identified
To ensure that the legal identification and identity verification obligations are met for all persons involved in a business relationship or occasional transaction, the procedure for identifying and verifying the identity of these persons should specify the measures required to determine whether, in addition to the customer, there is a need to identify one or more of his agents and, where appropriate, one or more beneficial owners in accordance with legal provisions. For further information on this subject, see the page “Persons to be identified”.
A.2. General arrangements for identification and identity verification
This procedure should specify the measures required to identify these persons and verify their identity.
In this regard, particular attention should be paid to the fact that the previous anti-money laundering regulations specified in a uniform manner for each category of customers (natural persons, legal persons, legal arrangements) which data should be collected to meet the identification obligation, while Article 26, § 2, of the Anti-Money Laundering Law establishes the rules applicable in standard-risk situations, and § 3 of the same Article allows these requirements to be relaxed in low-risk situations (in compliance with the objective defined in § 1 of that Article) and § 4 requires them to be strengthened in high-risk situations.
As regards the obligation to verify the identity of the persons concerned, neither Article 27 of the Anti-Money Laundering Law nor the Anti-Money Laundering Regulation of the NBB contains a precise, uniform and prescriptive list of the supporting documents to be used. Article 27, § 1, of the Law requires the identification data collected to be checked against one or more “supporting documents or reliable and independent sources of information” through which these data can be confirmed, and explicitly authorises the use of certain electronic identification means for this purpose; the degree of certainty required as to the identity of the persons involved is to be determined according to the risk level identified in the case concerned, based on the individual risk assessment. § 2 of the same Article requires financial institutions to verify all identification data collected in standard-risk situations; § 3 allows them to reduce the amount of identification data to be collected in low-risk situations while § 4 requires them to not only verify all identification data collected in accordance with Article 26, §§ 2 and 4 of the Law, but also ensure with increased attention that the supporting documents or the reliable and independent sources of information used for the verification provide a high degree of certainty regarding the identity of the person concerned.
The introduction of the risk-based approach in the context of the obligations to identify and verify the identity of the persons concerned therefore requires financial institutions to give a detailed description in their internal procedures of the concrete measures to be taken to fulfil these obligations and to do so in a manner that is consistent with the result of their overall risk assessment and with their risk classification.
To this end, it could be useful for the part of the procedure for due diligence measures relating to the “Identification and verification of the identity of customers, agents and beneficial owners” to include a correlation table of the supporting documents or the reliable and independent sources of information accepted for each risk class, as well as a list of the circumstances in which certain supporting documents need not be submitted.
Additionally, the NBB expects this procedure to contain detailed information on the concrete arrangements for consulting the National Register and the register of beneficial owners (the “UBO register” created pursuant to Article 73 et seq. of the Anti-Money Laundering Law), as well as proof of registration of the relevant information in the said UBO register, which is to be collected in accordance with Article 29 of the Anti-Money Laundering Law, and the additional identification and identity verification measures to be adopted in accordance with the same Article when consulting the said UBO register.
For further details, see the page “Object of the identification and identity verification” in particular.
As regards the identification obligation, the procedure should recall the data legally required to be collected in standard-risk situations (Article 26, § 2, of the Anti-Money Laundering Law) and specify the measures to be taken when the address of the person to be identified cannot be determined.
Moreover, the internal procedure should specify the additional identification data to be collected in high-risk situations (see Article 12, 3°, of the Anti-Money Laundering Regulation of the NBB).
If the financial institution decides to make use of the possibility to relax the obligation to identify persons involved in low-risk occasional transactions or business relationships, its internal procedure should also specify which identification data need not be collected.
As regards the obligation to verify the identity of the persons involved, Article 12, 1°, of the Anti-Money Laundering Regulation of the NBB stipulates that the procedure should contain precise rules on the supporting documents or reliable and independent sources of information that are accepted by the financial institution for identity verification. It should be noted that, if the internal procedure authorises the use of new technologies as supporting documents or independent sources of information, this authorisation should be based on an objective and documented analysis of the reliability of this technology guaranteeing that its level of reliability is appropriate in view of the level and nature of the ML/FT risks associated with the business relationships or the occasional transactions in the context of which these technologies are used. This requirement obviously does not apply where one of the electronic identification means of which the use is explicitly authorised by Article 27, § 1, of the Anti-Money Laundering Law is involved.
For the development of this internal procedure, the NBB advises financial institutions to take particular account of the comments and recommendations mentioned on the page “Object of the identification and identity verification”.
In this regard, the internal procedure should list the supporting documents that can be accepted in standard-risk situations and the enhanced identity verification measures for persons involved in high-risk business relationships or occasional transactions. If the financial institution decides to make use of the possibility to relax the obligation to verify the identity of persons involved in low-risk occasional transactions or business relationships, its internal procedure should also specify which identification data need not be verified.
A.3. Use of remote customer onboarding solutions
Where financial institutions use remote customer onboarding solutions as referred to in the EBA Guidelines of 22 November 2022, they should establish procedures to ensure compliance with customer due diligence requirements in such circumstances. In particular, these procedures should set out the following:
- requirements relating to the scope, steps and record-keeping of the pre-implementation assessment of the solution (see section 2.3.2 “Supporting documents and reliable and independent sources of information” of the page “Object of the identification and identity verification”);
- the general features and functioning of the solution;
- the situations in which the solution may be used, taking into account the risk factors identified in the overall risk assessment (see the page “Risk-based approach and overall risk assessment”) and the pre-implementation assessment of the solution (see section 2.3.2 “Supporting documents and reliable and independent sources of information” of the page “Object of the identification and identity verification”);
- the information and documents required to identify and verify the identity of the customer and the way in which customer information is collected and verified when onboarding customers remotely. The procedures should also set out what information is entered manually by the customer, captured automatically from documentation provided by the customer, and gathered using other internal or external sources of information;
- which steps of the remote customer onboarding process are fully automated and which require human intervention;
- the minimum situational and technical conditions required to ensure adequate functioning of the solution (e.g. the involvement of an employee of the financial institution in the remote customer onboarding process, or the unambiguous nature of the data collected);
- the measures taken to ensure that the images, videos, sounds and data collected by the solution are captured in a readable format and of sufficient quality so that the customer can be unambiguously identified;
- the controls in place to ensure that the first transaction with a newly onboarded customer is only carried out once all initial customer due diligence measures have been applied (see the page “Time of identification and identity verification”);
- the manner in which documents and information collected during the remote identification process are stored by the institution in order to comply with its legal obligations regarding data and document retention (see the page “Data and document retention”). The content of stored records, including images, videos, sounds and other relevant data, should be available in a format that allows for ex-post verifications and checks;
- where applicable, the remote customer onboarding functions and activities which will be carried out or performed by the financial institution on the one hand and by third parties or other external service providers on the other (see the page “Performance of obligations by third parties”);
- the control measures implemented to ensure that the solution complies with statutory and regulatory expectations at all times. This includes performing systematic quality checks (proportionate to the ML/FT risk to which the financial institution is exposed) on the accuracy and adequacy of the data collected as well as performing regular and ad hoc reviews in response to various circumstances, including changes in ML/FT risk exposure, detection of deficiencies in the solution, changes to the regulatory framework or an increase in fraud attempts;
- the remedial measures to be implemented when deficiencies or errors are detected in the solution that have an impact on its effectiveness. In particular, these measures should lead the financial institution to reassess the business relationships affected by the deficiencies or errors and, if necessary and taking into account this reassessment, to apply additional due diligence measures, to limit the transactions that can be carried out by the customers concerned, to reassess the risk profile of the business relationships concerned and, if necessary, to terminate the latter, in accordance with the Anti-Money Laundering Law. Financial institutions should be able to demonstrate to the NBB which reviews they carried out and the remedial steps they have taken to rectify any shortcomings identified throughout the lifetime of the solution. In addition, any suspicious transactions identified should be reported to CTIF-CFI;
- the procedure to be followed when, in particular for technical reasons, the solution does not offer a sufficient degree of reliability or, more generally, does not enable the financial institution to comply with its legal obligations to identify and verify the identity of customers;
- the induction and regular training programmes implemented to ensure staff awareness and up-to-date knowledge of the functioning of the solution, the associated risks and the policies and procedures aimed at mitigating these risks (see the page “Training and education of staff”).
A.4. Specific measures for identifying and verifying the identity of agents
For agents, identification and identity verification rules identical to those imposed with regard to customers (see A.2. above) should apply and the internal procedure should provide for special rules to ascertain their powers of representation in accordance with Article 12, 4°, of the Anti-Money Laundering Regulation of the NBB.
A.5. Measures to gain insight into the ownership and control structure of the customer or agent that is a society, a legal person, a foundation, a fiducie, a trust or a similar legal arrangement
In accordance with Article 12, 5°, of the Anti-Money Laundering Regulation of the NBB, the procedure should contain specific rules for gaining insight into the ownership and control structure of the customer or agent that is a society, a legal person, a foundation, a fiducie, a trust or a similar legal arrangement.
A.6. Specific measures for identifying and verifying the identity of beneficial owners
In accordance with Article 12, 6°, of the Anti-Money Laundering Regulation of the NBB, the internal procedure should provide for precise rules regarding the measures to be taken to identify and verify the identity of the beneficial owners (i) of customers, (ii) of the agents of customers or (iii) of the beneficiaries of life insurance contracts. This procedure should also specify the measures to be taken if a beneficial owner’s date and place of birth or address cannot be determined.
If the internal procedure provides for the use of the central register of beneficial owners referred to in Article 73 of the Anti-Money Laundering Law or of the equivalent registers held in other countries of the EEA or in third countries, it should also specify which additional measures, proportionate in view of the identified risk level, are required in accordance with Article 29 of the Anti-Money Laundering Law.
A.7. Delayed identification and verification of the identity of the persons concerned
If the financial institution decides to make use of the possibility provided for in Article 31 of the Anti-Money Laundering Law to delay the verification of the identity of persons involved in a business relationship in compliance with the conditions laid down in that Article, the internal procedure should contain a precise and limitative list of the circumstances in which this possibility can be used, as well as of the measures needed to perform the verification as soon as possible after first contact with the customer.
A.8. Inability to fulfil the obligations to identify and verify the identity of persons involved in a business relationship or an occasional transaction
Considering that it is prohibited to enter into a business relationship or perform an occasional transaction exceeding the thresholds defined by the Law when the persons involved cannot be identified and/or have their identity verified in accordance with the legal provisions (Article 33 of the Anti-Money Laundering Law) and given the legal obligation to conduct a special investigation in such situations to determine whether a suspicion should be reported to CTIF-CFI, the internal procedure should specify the measures to be taken by staff members or independent agents in contact with customers to take note of such situations and report them to the AMLCO for the purposes of the investigation required by Article 46 of the Anti-Money Laundering Law.
B. Customer acceptance procedure
B.1. Collection of relevant information on the characteristics of the customer and on the purpose and nature of the business relationship or the occasional transaction
The internal procedure should list the relevant information to be obtained, depending on the risk classification, to identify the customer’s characteristics and the purpose and nature of the business relationship or the occasional transaction.
For further information, see the page “Identification of the customer's characteristics and of the purpose and nature of the business relationship or the occasional transaction”.
B.2. Individual risk assessment
The internal procedure should define the methodology followed to perform the individual assessment of the risks associated with the business relationship or occasional transaction concerned, in accordance with Article 19 of the Anti-Money Laundering Law.
In this regard, the internal procedure should establish the arrangements for the analysis of all information collected on the customer and the intended business relationship or occasional transaction in order to determine for each specific case which risk class defined following the overall risk analysis is appropriate to ensure that the most relevant due diligence measures are applied to the business relationship or the occasional transaction, taking into account its characteristics or special features.
For further information, see the page “Individual risk assessment”.
B.3. Customer acceptance
Based on the individual risk analysis, the customer acceptance procedure should organise, in compliance with the customer acceptance policy, the decision-making process of the financial institution for entering into a business relationship with the customer or performing the intended occasional transaction.
In particular, the procedure should determine, depending on the ML/FT risk established on the basis of the individual risk assessment, the hierarchical level of the persons who - alone or together - are authorised to decide to enter into a relationship or perform a transaction. Where appropriate, it should also determine the AMLCO’s involvement in this decision-making process and the verifications required prior to the decision.
When deciding to accept a customer, the customer’s special requests should be taken into account. For instance, if the customer’s request involves opening a numbered account or concluding a numbered contract, the customer acceptance procedure should specify, in accordance with Article 11 of the Anti-Money Laundering Regulation of the NBB, the conditions under which this account can be opened or this contract concluded as well as the terms of operation. However, these conditions and terms are without prejudice to the legal and regulatory obligations to exercise due diligence on business relationships and occasional transactions. For further information, see the page “Anonymous or numbered accounts and contracts”.
C. Procedure for due diligence on business relationships and occasional transactions
C.1. Update of the identification and verification of the identity of customers, agents and beneficial owners and information on the characteristics of the customer and on the purpose and nature of the business relationship
The internal procedure should specify the circumstances in which the identification and verification of the identity of persons involved in a business relationship (customer, agents and beneficial owners) and/or the collection of information on the characteristics of the customer and/or on the purpose and nature of the business relationship should be repeated in accordance with Article 35, § 1, 2°, of the Anti-Money Laundering Law in order to update the data held by the financial institution. It should also determine, according to the risk, the time limit within which this update and a new individual risk assessment should be performed. For further details, see the page “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions”.
C.2. Existing customers
The NBB also draws attention to the fact that the provisions of the Anti-Money Laundering Law and Regulation of the NBB not only apply to the business relationships or the occasional transactions which financial institutions conclude with new customers, but also - without a transitional period - to the ongoing business relationships entered into with customers before the entry into force of these new legal and regulatory provisions.
The NBB therefore expects financial institutions to reassess the business relationships they entered into before the entry into force of the Anti-Money Laundering Law and Regulation of the NBB based on the criteria defined in their customer acceptance policy, prioritising business relationships considered a high risk before this reassessment.
For this purpose and following the reassessment, financial institutions are expected to:
- specify in their internal procedures which method is used to assign an appropriate risk class to each business relationship with existing customers in accordance with their risk classification, based on the information available at that moment on the customer and the business relationship;
- update the information held on business relationships with existing customers when previously fulfilled due diligence requirements are insufficient, taking into account the new risk class assigned to the business relationship.
Based on this reassessment, financial institutions can, where appropriate, take one of the measures provided for in Article 15 of the Anti-Money Laundering Regulation of the NBB.
C.3. Due diligence with regard to business relationships and transactions
In accordance with Article 35, § 1, 1°, of the Anti-Money Laundering Law, the internal procedure should define the measures to be taken by persons who are in direct contact with customers or instructed with carrying out their transactions in order to comply with the obligation to exercise due diligence on business relationships and occasional transactions and to detect atypical facts and transactions. These measures should take into account the level and nature of the risks associated with the business relationship or the occasional transaction concerned as shown by the individual risk assessment and, in particular, the cases in which enhanced due diligence is required by the Anti-Money Laundering Law. For further information, see the page “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions”.
This procedure should include:
- a list of the criteria enabling persons who are in direct contact with customers or instructed with carrying out their transactions to detect atypical facts and transactions (see Article 16, 1°, of the Anti-Money Laundering Regulation of the NBB);
- the procedure required to subject these transactions to a specific analysis under the responsibility of the AMLCO in accordance with Article 45, § 1, of the Law in order to determine whether these transactions can be suspected of being linked to money laundering or terrorist financing (see Article 16, 2°, of the Anti-Money Laundering Regulation of the NBB);
- the initial procedure for validating the monitoring system referred to in Article 17 of the Anti-Money Laundering Regulation of the NBB and the procedure for periodically reviewing the relevance of this system in order to adapt it if necessary;
- where appropriate, the procedure for monitoring transactions when it is decided to use a non-automated monitoring system.
2.2.3. Procedure for analysing atypical facts and transactions, reporting suspicions to CTIF-CFI and processing requests for information addressed by CTIF-CFI to the financial institution
The procedure for analysing atypical facts and transactions and reporting suspicions to CTIF-CFI should cover at least the following:
1) it should contain a detailed description of the process for the analysis to be performed by or under the authority of the AMLCO:
- a) of the internal reports relating to situations in which the obligations to identify and verify the identity of the persons involved cannot be fulfilled (see the procedures in A.8. above);
- b) of the internal reports relating to detected atypical facts and transactions which staff members, agents or distributors are required to submit to the AMLCO in accordance with the procedure for due diligence on business relationships and transactions (see the procedure in C.2. above);
- c) of the alerts generated by the monitoring system for business relationships and occasional transactions that is referred to in Article 17 of the Anti-Money Laundering Regulation of the NBB;
to determine whether there is a suspicion of ML/FT within the time limit required by the Law;
2) it should contain a detailed description of the process by which the AMLCO processes requests for information addressed by CTIF-CFI to the financial institution, so he can answer them within the time limit required;
3) if these processes imply the involvement of staff members who are not part of the compliance function, of agents or distributors of the financial institution, the procedure should clearly specify the specific responsibility of these persons in this context and their obligation to cooperate fully and without delay on the analysis of the transactions concerned or on the collection and transmission of the information required;
4) it should explicitly state that the AMLCO, in accordance with the provisions of the Anti-Money Laundering Law, is competent – in principle but not exclusively – to decide whether there is a suspicion of ML/FT and, as a result, holds the autonomous power to report a suspicion to CTIF-CFI and answer the latter’s requests for additional information;
5) it should explicitly state that the financial institution's managers, staff members, agents or distributors are legally prohibited, subject to the exceptions provided for in the Anti-Money Laundering Law, from informing the customer or third parties that information is, will be or has been transmitted to CTIF-CFI, or that transactions of the customer are or have been considered atypical and are or have been analysed for that reason;
6) it should outline and specify, in the specific context of the financial institution, which measures are taken to ensure the protection of reporting persons in accordance with Article 57 of the Anti-Money Laundering Law.
For further information, see the pages “Analysis of atypical facts and transactions”, “Reporting of suspicions”, “Prohibition of disclosure” and “Protection of reporting persons”.
2.2.4. Procedure for monitoring transfers of funds and financial embargoes and implementing assets freezing measures
The procedure(s) for monitoring transactions in view of the obligations relating to transfers of funds, financial embargoes and assets freezing should cover at least the following:
1) as regards the rules on financial embargoes and assets freezing:
- they should organise the process for the analysis, initial validation and periodic review of the transaction monitoring system implemented, in accordance with Article 23 of the Anti-Money Laundering Regulation of the NBB;
- they should specify the terms for the regular update of the lists of persons subject to measures relating to financial embargoes and assets freezing that are used by the transaction monitoring system implemented;
- they should provide for a precise and detailed organisation of the process whereby alerts generated by the transaction monitoring system are analysed as soon as possible under the responsibility of the AMLCO to verify their relevance;
- if alerts are proven to be relevant, the procedures should provide for a precise and detailed organisation:
  - of the process for the immediate freezing of the assets concerned;
  - of the procedure for notifying assets freezing to the competent service of the FPS Finance; and
  - of the investigation of the transaction concerned and, where appropriate, of the business relationship in the context of which the transaction took place, to be carried out under the responsibility of the AMLCO to determine whether they also raise suspicions of ML/FT (see section 2.2.3. above).
For further information, see the page “Financial embargoes and assets freezing”.
2) as regards the rules on transfers of funds:
- the internal procedures should organise the process for the analysis, initial validation and periodic review of the transaction monitoring system implemented, in accordance with Article 23 of the Anti-Money Laundering Regulation of the NBB;
- they should organise the analysis and decision-making process with regard to the measures to be taken in accordance with Articles 7 and 8, § 1, of the European Regulation on transfers of funds if the financial institution operates as payment service provider of the beneficiary, and with Articles 11 and 12, § 1, if the financial institution operates as intermediary payment service provider when the transaction monitoring system implemented by it detects the receipt of a transfer of funds not accompanied by the full information required on the payer and the payee;
- they should organise the process for detecting payment service providers of payers or intermediary payment service providers of received transfers of funds who repeatedly fail to provide the information required on the payer or the payee, as well as the decision-making process for the measures to be taken in such cases in accordance with Articles 8, § 2, and 12, § 2, of the European Regulation on transfers of funds;
- they should organise the process for the investigation by the AMLCO of transfers of funds received without the information required in accordance with Articles 9 and 13 of the European Regulation on transfers of funds, to determine whether there are suspicions of ML/FT (see section 2.2.3. above).
For further information, see the page “Transfers of funds”.
2.2.5. Procedure for data and document retention and protection
If the aspects relating to data and document retention and protection are not incorporated in the internal procedures listed above, the financial institution should establish a specific procedure for this matter. In any case, these internal procedures should at least cover the items mentioned on the pages “Data and document retention” and “Personal data processing and protection”.
The NBB notes in this regard that the copy of the supporting documents which the financial institution has used to identify the identity of the customer or his agent can be stored on an electronic device that can also be used for retention purposes. The same retention obligations apply to documents which the institution has used to verify the identity of beneficial owners or, failing that, to the justification for why this verification was not reasonably possible.
Additionally, the procedure for data and document retention and protection should list the information and documents to be retained, the retention period and the time when the retention period starts, as well as the modalities for the deletion of personal data at the end of the retention period. This procedure should ensure the confidentiality of the documents (storage, persons with access to them, etc.) and, to that end, describe the terms for accessing the data contained therein, even if an external service provider is used to archive these data. The NBB urges financial institutions to implement mechanisms for accessing customer records that are adapted to their organisation and enable the stakeholders competent with regard to AML/CFTP to obtain them as soon as possible, particularly in order to answer requests for additional information from CTIF-CFI.
2.2.6. Internal whistleblowing procedure
In accordance with Article 10 of the Anti-Money Laundering Law, the financial institution should establish an internal whistleblowing procedure to enable its staff or agents or distributors to report non-compliance with the obligations set out in the Anti-Money Laundering Law to the senior officer responsible for AML/CFTP and the AMLCO. For further information, see the page “Internal whistleblowing”.
2.3. Implementation process
To be efficient, the AML/CFTP organisation should be supported by a set of IT tools and implementation/control processes.
2.3.1. At the level of the persons who are in direct contact with customers or instructed with carrying out their transactions
The financial institution should establish a database of customers, agents and beneficial owners that enables concrete compliance with the customer due diligence obligations. This database should contain all information provided for in the procedure for the identification of customers, agents and beneficial owners and should be consistent with the customer acceptance procedure.
In accordance with Article 16 of the Anti-Money Laundering Regulation of the NBB, the AMLCO should submit written rules to the persons who are in direct contact with customers or instructed with carrying out their transactions, including (i) the appropriate criteria that enable them to detect atypical facts and transactions and (ii) the procedure required to submit the transactions to the AMLCO so he can perform a specific analysis and determine whether these transactions can be suspected to be linked to ML/FT. In this context, a communication channel should be opened between the staff concerned and the AMLCO, enabling the former to submit internal reports on suspicious transactions and non-identifiable persons to the latter.
2.3.2. At the level of the AMLCO
In accordance with the Anti-Money Laundering Regulation of the NBB and taking into account the institution’s characteristics, the AMLCO should at least have the following IT processes and systems:
- permanent electronic access to the database of customers, agents and beneficial owners;
- a monitoring system enabling the detection of atypical facts and transactions which, as the case may be, might not have been detected by the persons who are in direct contact with customers or instructed with carrying out their transactions (Article 17 of the Anti-Money Laundering Regulation of the NBB). For further information on this system, see the page “Analysis of atypical facts and transactions”;
- a monitoring system guaranteeing compliance (i) with the provisions of the European Regulation on transfers of funds and (ii) with the binding provisions on financial embargoes. For further information on this system, see the pages “Transfers of funds” and “Financial embargoes and assets freezing”;
- an IT process enabling rapid asset freezing;
- an electronic data storage and archiving system (or a paper-based system for very small financial institutions) which can be used for registering the measures implemented to fulfil the due diligence obligations and the obligations to analyse atypical facts and transactions, report suspicions, comply with the provisions of the European Regulation on transfers of funds and with the binding provisions on financial embargoes;
- if certain tasks of the AMLCO are outsourced, a process to follow up on these tasks and on the quality of the service provider’s performance.
3. Internal control measures relating to AML/CFTP (including expectations with regard to the internal audit function)
Pursuant to the Anti-Money Laundering Law, financial institutions should implement an internal control system to monitor compliance with AML/CFT procedures. This internal control system should be proportionate to the nature and extent of the financial institution’s activities. This system, which may take multiple forms, should also be adapted to the risk classification established by the financial institution.
The internal control system should cover all activities that could potentially expose the financial institution to ML/FT risks and should apply to the entire AML/CFTP system. It should contain the following:
- the checks relating to the activities of the operational (commercial, management) services and departments;
- the checks relating to the activities of the AMLCO (including his role as person reporting to CTIF-CFI) and, where appropriate, those of his team; and
- the AML/CFTP checks relating to third-party business introducers or subcontractors (agents).
As such, financial institutions are expected to periodically and permanently monitor all persons active in the field of AML/CFTP within the institution.
The periodic checks can take place on various occasions and, in that regard, take the following forms:
- annual assessment of the financial institution’s governance or internal control system by its management committee;
- annual assessment of the proper functioning of the financial institution’s compliance function by its board of directors;
- monitoring missions carried out by the compliance function, for example with regard to the checks conducted by the operational services or to the use of outsourcing;
- audit missions relating to the AML/CFTP system carried out by internal audit; etc.
For the first two types of checks, the NBB urges financial institutions to ensure that the report submitted to it by the management committee and the board of directors specifically targets the management of the AML/CFTP system and enables the identification of weaknesses in this area and the adoption of corrective measures.
As regards the monitoring missions carried out by the compliance function, the NBB expects the monitoring plans of financial institutions’ compliance functions to cover all AML/CFTP obligations.
As regards the AML/CFTP missions of the internal audit function, the NBB expects financial institutions’ audit planning to take into account the results of the overall AML/CFTP risk assessment. For instance, the NBB considers it standard practice to have all aspects of the AML/CFTP process audited approximately every three years for institutions that have a standard or high ML/FT risk profile based on their overall risk assessment, and approximately every five years for institutions that have a low risk profile. This standard should be interpreted as being without prejudice to any important events that would require such an audit before the end of the usual periodic time limit (for example in case of a legislative change).
In general, the NBB highlights the fact that this site’s pages related to operational AML/CFTP obligations (for example “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions”, “Analysis of atypical facts and transactions”, “Reporting of suspicions”, etc.) also contain certain recommendations of the NBB on internal control and internal audit. See the pages on these topics for further information.
4. Application of the principle of proportionality
The Anti-Money Laundering Law and its explanatory memorandum clearly state that the AML/CFTP organisation to be implemented should be proportionate to the nature and size of the entity concerned.
In practice, this principle of proportionality should primarily be reflected in the level of sophistication of the internal procedures to be adopted and may justify the merging of multiple internal procedures into a single procedure.
It could also be reflected in the possibility to forgo, under the conditions set out in the Regulation of the NBB, the use of IT tools for transaction monitoring, in favour of more manual and less sophisticated systems. See in this regard the page “Due diligence on business relationships and occasional transactions and detection of atypical facts and transactions”.
Although the AML/CFTP organisation requirements apply in all cases, their intensity may vary depending on the scale of the underlying ML/FT risk. As a result, the NBB expects large financial institutions with diversified activities to have more sophisticated and detailed procedures than small financial institutions that are involved in less complex activities and are only exposed to a low ML/FT risk, which can have much more succinct and simple internal procedures.
5. Other prudential organisational rules to be complied with
The specific AML/CFT related governance requirements should be integrated harmoniously into all prudential governance rules applicable to the different sectors concerned. For instance, the sectoral prudential rules on organisational structure, task allocation, management of conflicts of interest, consistency of policies and internal procedures, information reporting and internal control should be complied with in the context of ML/FT risk management.
Disclaimer: This English text is an unofficial translation and may not be used as a basis for resolving any dispute.