IPC CONFERENCE: INTERNATIONAL DEVELOPMENTS IN MONEY LAUNDERING AND INFORMATION EXCHANGE - 14TH MAY 2003
The Revised FATF 40 Recommendations
Colin Powell, Chairman, Jersey Financial Services Commission
Reasons for the review
The FATF 40 Recommendations on money laundering were last revised in 1996. Since then the FATF has undertaken regular annual typologies which highlighted new areas of risk of money laundering. The FATF has also engaged in a review of non-cooperative countries and territories which identified a number of issues which were not covered adequately by the existing Recommendations.
The FATF decided some two years ago that it was time to revise the 40 Recommendations. Last week at a Special Plenary the revised Recommendations were agreed, subject to reservations being entered by some countries on a few of the Recommendations. The intention is that the Recommendations will be formally adopted by the FATF at the June Plenary in Berlin. However, while the review can be considered effectively complete, the Recommendations must still be considered to be in draft and subject to some revision.
Scope of the 40 Recommendations
The revised 40 Recommendations start by defining the scope of the criminal offence of money laundering.
Each country is required to criminalise money laundering on the basis of the United Nations Convention on Transnational Organised Crime (the Palermo Convention) and the United Nations Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic substances (the Vienna Convention).
Each country is required to apply the crime of money laundering to all serious offences, with a view to including the widest range of predicate offences. Predicate offences may be described by reference to all offences, or to a threshold linked either to a category of serious offences or to the penalty of imprisonment applicable to the predicate offence (the threshold approach), or to a list of predicate offences (the list approach), or a combination of these approaches.
Whichever approach is adopted each country is expected at a minimum to include a range of offences within what are described as the designated categories of offences, listed in a glossary attached to the revised Recommendations.
The FATF is also recommending that predicate offences for money laundering should extend to conduct that occurs in another country, which constitutes an offence in that country, and which would have constituted a predicate offence had it occurred domestically. Countries are being strongly encouraged to extend this to situations where the only prerequisite is that the conduct would have constituted a predicate offence had it occurred domestically.
The revised 40 Recommendations apply to financial institutions and in certain circumstances to designated non-financial businesses and professions.
Financial institutions are defined as any person or entity who conducts as a business one or more of a list of thirteen activities or operations for or on behalf of a customer.
Designated non-financial businesses and professions covers casinos, real estate agents, dealers in precious metals, dealers in precious stones, accountants, lawyers and independent legal professionals, notaries and trust and company services providers.
Customer due diligence, suspicious transaction reporting, regulation and supervision
The FATF Revised Recommendations expand on the measures to be taken by financial institutions and the designated non-financial businesses and professions to prevent money laundering and terrorist financing. Particular weight is placed on customer due diligence, and in this respect the FATF has been greatly influenced by the Basel Committee on Banking Supervision's paper on Customer Due Diligence for Banks published in October 2001.
Customer due diligence and record keeping applies to all financial institutions and in relevant circumstances to the designated non-financial businesses and professions. For example the essential customer due diligence and record keeping requirements only apply to lawyers, accountants, and trust and company service providers when they prepare for and carry out transactions for their clients concerning certain listed activities.
The revised Recommendations call for all institutions to be required by law or regulation to undertake customer due diligence measures, including identifying and verifying the identity of their customers when -
- establishing business relations;
- carrying out occasional transactions:
(i) above the applicable designated threshold of 15,000 US Dollars; or
(ii) that are wire transfers in the circumstances covered by the interpretative note to Special Recommendation VII.
- there is a suspicion of money laundering or terrorist financing;
- the financial institution has doubts about the veracity or adequacy of previously obtained customer identification information.
The basic customer due diligence obligations should be set out in law or regulation. The more detailed elements could be covered either by law or regulation or by other enforceable means issued by a competent authority.
The customer due diligence measures to be taken are -
(a) identifying the customer and verifying that customer's identity using reliable, independent source documents, data or information;
(b) identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner such that the financial institution is satisfied that its knows who the beneficial owner is. For legal persons and arrangements this should include taking reasonable measures to understand the ownership and control structure of the customer;
[Legal persons refers to bodies corporate, foundations, anstalts, partnerships, or associations or any similar bodies that can establish a permanent customer relationship with a financial institution or otherwise owned property.
Legal arrangements refers to express trusts or other similar legal arrangements.
Beneficial owner is defined as the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.]
(c) obtaining information on the purpose and intended nature of the business relationship; and
(d) conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
In applying each of the customer due diligence measures institutions may determine the extent of such measures on a risk sensitive basis depending on the type of customer, business relationship or transaction. The measures that are taken should be consistent with any guidelines issued by competent authorities. For higher risk categories institutions should perform enhanced due diligence. In certain circumstances where there are low risks countries may decide that institutions can apply reduced or simplified measures.
Where institutions are unable to comply with the customer due diligence requirements for identification and verification they should not open an account, commence business relations or perform the transaction; or should terminate the business relationship and consider making a suspicious transactions report in relation to the customer.
In addition to the revised recommendations the FATF has produced interpretative notes for some of the Recommendations, and the points that follow draw on both the Recommendations and the interpretative notes.
Customer due diligence and tipping off
If an institution forms a suspicion that transactions relate to money laundering or terrorist financing, they should take into account the risk of tipping off when performing the customer due diligence process. If an institution reasonably believes that performing the CDD processes will tip off the customer or potential customer, it may choose not to pursue that process and should file an STR. Institutions should ensure that their employees are aware of and sensitive to these issues when conducting customer due diligence.
Customer due diligence and legal persons and arrangements
When performing customer due diligence through identification and verification in relation to legal persons or arrangements, institutions
(a) verify that any person purporting to act on behalf of the customer is so authorised, and identify that person;
(b) identify the customer and verify its identity - the type of measures that would be normally needed to satisfactorily perform this function would require obtaining proof of incorporation or similar evidence of the legal status of the legal person or arrangement, as well as information concerning the customer's name, legal form, address, directors, and provisions regulating the power to bind the legal person or arrangement;
(c) identify the beneficial owners, including forming an understanding of the ownership and control structure, and take reasonable measures to verify the identity of such persons. The types of measures that would normally be needed to satisfactorily perform this function would require identifying the natural persons with a controlling interest and identifying the natural persons who comprise the mind and management of the legal person or arrangement. Where the customer or beneficial owner is a public company that is subject to regulatory disclosure requirements, it is not necessary to seek to identify and verify the identity of all the shareholders of that company.
The relevant information or data required to carry out (a), (b) and (c) above may be obtained from a public register, from the customer or other reliable sources.
Reliance on identification and verification already performed
The customer due diligence measures set out in the Recommendations do not imply that institutions have to repeatedly identify and verify the identity of each customer every time that a customer conducts a transaction. An institution is entitled to rely on the identification and verification steps that it already has undertaken unless it has doubts about the veracity of that information. Examples of situations that might lead an institution to have such doubts could be where there is a suspicion of money laundering in relation to that customer, or where there is a material change in the way that the customer's account is operated which is not consistent with the customer's business profile.
Timing of verification
Institutions are expected to verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. However countries may permit financial institutions to conduct the verification as soon as reasonably practicable following the establishment of the relationship where the money laundering risks are effectively managed and subsequently where this is essential not to interrupt the normal conduct of business.
The type of circumstances where it would be permissible for verification to take place after the establishment of the business relationship would include non face to face business, securities transactions and life insurance business.
With non face to face business the FATF states that institutions should refer to the Basel Report on Customer Due Diligence for Banks (section 2.2.6) for specific guidance on examples of risk management measures for non face to face business.
Financial institutions will also need to adopt risk management procedures with respect to the conditions under which a customer may utilise that business relationship prior to verification. These procedures should include a set of measures such as a limitation of the number, types and/or amount of transactions that can be performed and the monitoring of large or complex transactions being carried out outside of expected norms for that type of relationship.
Requirements to identify existing customers
Institutions are expected to apply the customer due diligence requirements to existing customers on the basis of materiality and risk, and should conduct due diligence on such existing relationships at appropriate times. The FATF indicate that for existing customers the principles set out in the Basel report on Customer Due Diligence for Banks should serve as guidance when applying customer due diligence processes to institutions engaged in banking activity, which it is stated could be applied to other financial institutions where relevant.
Simplified or reduced customer due diligence measures
The general rule is that customers must be subject to the full range of customer due diligence measures, including the requirement to identify the beneficial owner. Nevertheless there are circumstances where the risk of money laundering or terrorist financing are lower, where information on the identity of the customer and the beneficial owner of a customer is publicly available, or where adequate checks and controls exist elsewhere in national systems. In such circumstances the FATF states that it could be reasonable for a country to allow its institutions to apply simplified or reduced customer due diligence measures when identifying and verifying the identity of the customer and the beneficial owner.
Simplified or reduced customer due diligence measures could apply to the following types of customers -
- financial institutions - where they are subject to requirements to combat money laundering and terrorist financing consistent with the FATF Recommendations and are supervised for compliance with those controls;
- public companies that are subject to regulatory disclosure requirements;
- government administrations or enterprises.
Simplified or reduced customer due diligence measures could also apply to the beneficial owners of pooled accounts held by designated non financial businesses or professions provided that those businesses or professions are subject to requirements to combat money laundering and terrorist financing consistent with the FATF Recommendations and are supervised for compliance with those controls. Banks should also refer to the Basel CDD Paper which provides specific guidance concerning situations where an account holding institution may rely on a customer that is a professional financial intermediary to perform the customer due diligence on his or its own customers (i.e. the beneficial owners of the bank account). Where relevant the CDD Paper could also provide guidance in relation to similar accounts held by other types of financial institutions.
Each country could also decide whether financial institutions could apply these simplified measures only to customers in its own jurisdiction or allow them to do for customers from any other jurisdiction that the original country is satisfied is in compliance with and has effectively implemented the FATF Recommendations.
Enhanced customer due diligence
The FATF has identified higher risk areas where additional measures should be applied. There are specific recommendations relating to politically exposed persons, cross border correspondent banking and other similar relationships, and non face to face business relationships or transactions. For politically exposed persons institutions are expected to -
- have appropriate risk management systems to determine whether the customer is a politically exposed person;
- obtain senior management approval for establishing business relationships with such customers;
- take reasonable measures to establish the source of wealth and source of funds; and
- conduct enhanced ongoing monitoring of the business relationship.
Use of third parties
The FATF revised recommendations state that countries may permit financial institutions to rely on intermediaries or other third parties to perform the identification and verification requirements provided that certain criteria are met. However where such reliance is permitted the ultimate responsibility for customer identification and verification remains with the institution relying on the third party.
Designated non-financial business and professions also may rely on third parties, provided the conditions in the Recommendation are met, and that the third party is an entity that is regulated and supervised for compliance with the FATF Recommendations on customer due diligence and record keeping.
The criteria that should be met are that -
- an institution relying on a third party should immediately obtain the necessary information concerning customer identification and verification. Institutions should take adequate steps to assure themselves that copy of the identification data and other relevant documentation relating to the customer due diligence requirements will be made available from the third party upon request without delay;
- the institution should satisfy itself that the third party is regulated and supervised for, and has measures in place to comply with customer due diligence obligations in line with the FATF Recommendations on customer due diligence and record keeping.
It is left to each jurisdiction to determine in which countries and jurisdictions the third parties that meet the conditions can be based, having regard to information available on jurisdictions that do not adequately apply the FATF Recommendations.
The FATF Recommendations extend to the designated non-financial businesses and professions the existing requirement that financial institutions maintain, for at least five years, all necessary records on transactions, both domestic or international, to enable them to comply swiftly with information requests from the competent authorities. Such records must be sufficient to permit reconstruction of individual transactions (including the amounts and types of currency involved if any) so as to provide, if necessary, evidence for prosecution of criminal activity.
All institutions should be required to keep records on the identification data obtained through the customer due diligence process (e.g. copies or records of official identification documents like passports, identity cards, driving licences or similar documents), account files and business correspondence for at least five years after the business relationship is ended.
The identification data and transaction records should be available to domestic competent authorities upon appropriate authority.
The FATF Recommendations require that all institutions pay special attention to all complex, unusual large transactions, and all unusual patterns for transactions which have no apparent economic or visible lawful purpose. The background and purpose of such transactions should, as far as possible, be examined, the findings established in writing, and be available to help competent authorities and auditors.
Reporting of suspicious transactions
The Recommendations relating to the reporting of suspicious transactions apply to all financial institutions. They also apply to designated non financial businesses and professions subject to certain qualifications.
For lawyers, notaries and independent legal professionals, and accountants, the requirement to report is only in respect of suspicious transactions when, on behalf of or for a client, they engage in a financial transaction in relation to the same activities that are covered by the customer due diligence and record keeping requirement; that is -
- buying and selling of real estate;
- managing of client money, securities or other assets;
- management of bank, savings or securities accounts;
- organisation of contributions for the creation, operation or management of companies;
- creation, operation or management of legal persons or arrangements, and buying and selling of business entities.
For accountants it is further stated that countries are strongly encouraged to extend the reporting requirement to the rest of accountants' professional activities, including auditing.
In the case of trust and company service providers they are required to report suspicious transactions when carrying out activities that are listed in the glossary attached to the Recommendations, but without the restriction to financial transactions as in the case of lawyers and accountants.
The FATF in the interpretative note for the Recommendation relating to suspicious transaction reporting states that suspicious transactions should be reported by institutions regardless of whether they are also thought to involve tax matters. Countries should take into account that, in order to deter financial institutions from the reporting of suspicious transaction, money launderers may seek to state inter alia that their transactions relate to tax matters.
It is for each jurisdiction to determine the matters that will fall under legal professional privilege or professional secrecy. This would normally cover information lawyers, notaries or legal professionals receive from or obtain through one of their clients:
(a) in the course of ascertaining the legal position of their client, or
(b) in performing their task of defending or representing their client in, or concerning judicial, administrative, arbitration or mediation proceedings.
Where accountants are subject to the same obligations of secrecy or privilege, then they are also not required to report suspicious transactions.
Countries may allow lawyers, notaries, independent legal professionals and accountants to send their suspicious transaction reports to their appropriate self regulatory organisations, provided there are appropriate forms of cooperation between the organisations and the Financial Intelligence Unit.
The FATF recommend that institutions, their directors, officers and employees should be prohibited by law from disclosing the fact that an STR or related information is being reported to the Financial Intelligence Unit. For the purpose of this recommendation, where lawyers, notaries, independent legal professionals and accountants acting as independent legal professionals should be entitled to dissuade a client from engaging in illegal activities this would not amount to tipping off.
The FATF recommends that all institutions should develop programmes against money laundering and terrorist financing. These programmes should include -
(a) the development of internal policies, procedures and controls, including appropriate compliance management arrangements and adequate screening procedures to ensure high standards when hiring employees;
(b) an ongoing employee training programme;
(c) an audit function to test the system.
However the type and extent of measures to be taken for each of the requirements set out in this recommendation should be appropriate having regard to the risk of money laundering and terrorist financing and the size of the business. It is also stated that for financial institutions, compliance management arrangements should include the appointment of a compliance officer at a management level.
All institutions are expected to give special attention to business relations and transactions with persons, including companies and financial institutions, from countries which do not or insufficiently apply the FATF Recommendations. Whenever these transactions have no apparent economic or visible lawful purpose, their background and purpose should, as far as possible be examined, the findings established in writing and be available to help competent authorities.
All institutions should ensure that the principles mentioned are also applied to branches and majority owned subsidiaries located abroad, especially in countries which do not or insufficiently apply the FATF Recommendations, to the extent that local applicable laws and regulations permit. When local applicable laws and regulations prohibit this implementation, competent authorities in the country of the parent institution should be informed by the financial institutions that they cannot apply the FATF Recommendations.
Some other measures to deter money laundering and terrorist financing
Countries should ensure that effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, are available to deal with natural or legal persons covered by the Recommendations that fail to comply with anti money laundering or terrorist financing requirements.
Countries should consider applying the FATF Recommendations to businesses and professions other than those designated in the Recommendations that pose a money laundering or terrorist financing risk.
Countries should not approve the establishment or accept the continued operation of shell banks. Financial institutions should refuse to enter into, or continue, a correspondent relationship with shell banks. Financial institutions should also guard against establishing relations with respondent foreign financial institutions that permit their accounts to be used by shell banks.
The FATF continues to include recommendations relating to the movement of cash. The FATF called for countries to encourage further the development of modern and secure techniques of money management that are less vulnerable to money laundering.
Regulation and supervision
The FATF recommend that countries should ensure that financial institutions are subject to adequate regulation and supervision and are effectively implementing the FATF Recommendations. Competent authorities also should take the necessary legal or regulatory measures to prevent criminals or their associates from holding or being the beneficial owner of a significant or controlling interest or holding a management function in a financial institution.
For financial institutions subject to the Core Principles, the regulatory and supervisory measures that apply for prudential purposes and which are also relevant to money laundering should apply in a similar manner for anti money laundering and terrorist financing purposes.
Other financial institutions should be licensed or registered and appropriately regulated, and subject to supervision or oversight for anti money laundering purposes, having regard to the risk of money laundering or terrorist financing in that sector. At a minimum, businesses providing a service of money or value transfer, or of money or currency changing should be licensed or registered, and subject to effective systems for monitoring and ensuring compliance with national requirements to combat money laundering and terrorist financing.
Countries are asked to ensure that designated non-financial businesses and professions are subject to effective systems for monitoring and ensuring their compliance with requirements to combat money laundering and terrorist financing. This should be performed on a risk sensitive basis. This may be performed by a government authority or by an appropriate self regulatory organisation provided that the SRO can ensure that its members comply with their anti money laundering obligations.
The competent authorities are expected to establish guidelines and provide feed back which will assist financial institutions and designated non financial businesses and professions in applying national measures to combat money laundering and terrorist financing and in particular to detect and report suspicious transactions. When considering the feedback that should be provided countries should have regard to the FATF Best Practice Guidelines on Providing Feedback to Reporting Financial Institutions and Other Persons.
Transparency of legal persons and trusts
The FATF include two recommendations relating to legal persons and to legal arrangements.
Countries are expected to take measures to prevent the unlawful use of legal persons by money launderers. In particular countries should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities. The FATF also states that countries could consider to facilitate access to beneficial ownership and control information to financial institutions undertaking the requirements of Customer Due Diligence.
On bearer shares the FATF recommends that countries that have legal persons that are able to issue bearer shares should take appropriate measures to ensure that they are not misused for money laundering and be able to demonstrate the adequacy of these measures.
Countries are expected to take measures to prevent the unlawful use of legal arrangements such as express trusts by money launderers. In particular, countries should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries that can be obtained or accessed in a timely fashion by competent authorities. As with legal persons the FATF also states that countries could consider to facilitate access to beneficial ownership and control information to financial institutions undertaking the requirements of customer due diligence.
Institutional and other measures necessary in anti-money laundering and anti-terrorist financing systems
The FATF recommend that countries should establish a Financial Intelligence Unit that serves as a national centre for the receiving (and as permitted, requesting) analysis and dissemination of suspicious transaction reports and other information regarding potential money laundering or terrorist financing.
Countries are also expected to ensure that designated law enforcement authorities have responsibility for money laundering and terrorist investigations. Countries are encouraged to support and develop, as far as possible, special investigative techniques suitable for the investigation of money laundering such as controlled delivery, undercover operations and other relevant techniques.
When conducting investigations of money laundering and underlying predicate offences countries are expected to be able to obtain documents and information for use in those investigations, and in prosecutions and related actions. This should include powers to use compulsory measures for the production of records held by financial institutions and other persons, for the search of persons and premises, and for the seizure and obtaining of evidence.
Supervisors are expected to have adequate powers to monitor and ensure compliance by financial institutions with requirements to combat money laundering, including the authority to conduct inspections. They should be authorised to compel production of any information from financial institutions that is relevant to monitoring such compliance, and to impose adequate administrative sanctions for failure to comply with such arrangements.
Each country is expected to provide all its competent authorities involved in combating money laundering and terrorist financing with adequate financial, human and technical resources.
Countries are expected to ensure that policy makers, the FIU, law enforcement and financial supervisory authorities have effective mechanisms in place which enable them to cooperate, and where appropriate coordinate domestically with each other concerning the development or implementation of policies or activities to combat money laundering or terrorist financing.
Countries are expected to ensure that their competent authorities can review the effectiveness of their systems to combat money laundering systems by maintaining comprehensive statistics or matters relevant to the effectiveness and efficiency of such systems.
Countries are expected to rapidly, constructively and effectively provide the widest possible range of mutual legal assistance in relation to money laundering and terrorist financing investigations, prosecutions and related proceedings.
In addition countries are expected to ensure that their competent authorities provide the widest possible range of international cooperation to their foreign counterparts. There should be clear and effective gateways to facilitate the prompt and constructive exchange directly between counterparts, either spontaneously or upon request, of information relating to money laundering and/or the underlying predicative offences. Exchanges should be permitted without unduly restrictive conditions. In particular -
- competent authorities should not refuse a request for assistance on the sole ground that the request is also considered to involve fiscal matters;
- countries should not invoke laws that require financial institutions to maintain professional secrecy or confidentiality as a ground for refusing to provide cooperation;
- competent authorities should be able to conduct enquiries; and where possible investigations; on behalf of foreign counterparts.
Where the ability to obtain information sought by a foreign competent authorities is not within the mandate of its counterpart, countries are also encouraged to permit a prompt and constructive exchange of information with non-counterparts. Cooperation with foreign authorities other than counterparts could occur directly or indirectly. When uncertain about the appropriate avenue to follow, competent authorities should first contact their foreign counterparts for assistance.
Countries should establish controls and safeguards to ensure that information exchanged by competent authorities is used only in an authorised manner, consistent with their obligations concerning privacy and data protection.
13th May 2003
<< Back to contents