The European Banking Authority (EBA) has played a pivotal role in shaping the European Union’s (EU) Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) landscape. Its Guidelines on risk factors, as amended by Guidelines EBA/GL/2023/03, provide a robust framework for financial institutions to assess and mitigate the risks associated with money laundering and terrorist financing.
While these guidelines are not legally binding in Cyprus, they offer best practices and recommendations that can be incorporated into internal compliance programs.
However, as highlighted in the recent CYSEC Circular C656, there have been instances where Regulated Entities in Cyprus have failed to adequately consider the EBA Guidelines when conducting customer AML/CFT risk assessments. This oversight is in violation of paragraph 12(4) of the Directive (CySEC Circular C276), which requires Regulated Entities to take into account the EBA’s Risk Factors Guidelines.
This article examines the key provisions of these guidelines, explores their significance for compliance, and discusses potential challenges and areas for further development.
The EBA Guidelines: A Framework for Risk Assessment
The EBA Guidelines offer a comprehensive approach to risk assessment, requiring financial institutions to consider a wide range of factors when evaluating the potential for money laundering and terrorist financing. These factors encompass client characteristics, geographical considerations, product and service offerings, and distribution channels. By identifying and assessing these risks, institutions can tailor their customer due diligence (CDD) measures to mitigate the likelihood of being exploited for illicit activities.
While these guidelines primarily focus on individual business relationships and occasional transactions, they can also be applied, with necessary adjustments, to assess ML/TF risk across the entire business, in line with Article 8 of Directive (EU) 2015/849.
The EBA Guidelines are addressed to credit and financial institutions as defined in Directive (EU) 2015/849, as well as competent authorities responsible for supervising these firms’ AML/CFT compliance. Competent authorities should use these guidelines when assessing the adequacy of firms’ risk assessments and AML/CFT policies and procedures.
Key Provisions of the Guidelines
Risk Factor Identification
The Guidelines provide a non-exhaustive list of risk factors that institutions should consider. These factors include, but are not limited to:
- Client characteristics:
  - Jurisdiction of incorporation
  - Nature of business
  - Level of political exposure
  - Beneficial ownership structure
  - Geographic location
- Geographical considerations:
  - Country risk assessments
  - Sanctions regimes
  - Corruption levels
  - Political instability
- Product and service offerings:
  - High-risk products (e.g., cash-intensive products, virtual currencies)
  - Complex transactions
  - Cross-border activities
- Distribution channels:
  - Correspondent banking relationships
  - Third-party service providers
  - Online and digital channels
Risk Assessment and Categorization
The Guidelines require institutions to assess and categorize the AML/CFT risk associated with each business relationship or occasional transaction. This involves weighing the various risk factors and determining the overall level of risk. The identified risk level will then inform the appropriate CDD measures to be applied.
Customer Due Diligence Measures
The Guidelines outline simplified and enhanced CDD measures based on the identified risk level. Simplified measures may suffice for low-risk relationships, while enhanced measures are required for high-risk relationships. These measures include:
- Obtaining identification information
- Verifying the identity of beneficial owners
- Understanding the purpose of the business relationship
- Conducting ongoing monitoring of the relationship
Sector-Specific Guidelines
The Guidelines also provide sector-specific guidance for certain types of financial institutions. For instance, asset management companies and financial investment advisors are subject to specific requirements related to their discretionary portfolio management and investment advisory activities.
The EBA Guidelines on risk factors play a crucial role in strengthening AML/CFT compliance within the EU. By providing a comprehensive framework for risk assessment and CDD, these guidelines help to protect the financial system from the illicit activities of money launderers and terrorist financiers. While the Guidelines present challenges and require careful implementation, they are a valuable tool for institutions seeking to enhance their compliance programs and mitigate risks.
To sum up, by providing a comprehensive approach to risk assessment, encompassing client characteristics, geographical considerations, product and service offerings, and distribution channels, the EBA Guidelines equip financial institutions with the tools to tailor their customer due diligence measures effectively. This risk-based approach allows for more efficient allocation of resources, focusing enhanced measures on high-risk relationships while applying simplified procedures to lower-risk scenarios.
The sector-specific guidance offered within these guidelines further enhances their utility, recognizing the unique challenges faced by different types of financial institutions. For instance, asset management companies and financial investment advisors benefit from tailored requirements that address the specific risks associated with their activities.
FOOTNOTES:
Cyprus Securities and Exchange Commission, ‘Common weaknesses/deficiencies and good practices identified during the inspections performed in relation to the prevention of money laundering and terrorist financing’ (CYSEC Circular C656, 8 August 2024) <https://www.cysec.gov.cy/CMSPages/GetFile.aspx?guid=c072b120-80a9-4b5f-a75e-7dd324a656c9> accessed 27 August 2024
European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority, ‘Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (“The ML/TF Risk Factors Guidelines”), repealing and replacing Guidelines JC/2017/37’ (1 March 2021) <https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2023/EBA-GL-2023-03/1061654/Guidelines%20ML%20TF%20Risk%20Factors_conslidated.pdf.pdf?retry=1> accessed 27 August 2024
Cyprus Securities and Exchange Commission, ‘The Application of the Risk Factors Guidelines’ (CYSEC Circular C 276, 17 July 2018) <https://www.cysec.gov.cy/CMSPages/GetFile.aspx?guid=75b303a2-3c99-408f-9404-56b18c8b83bf> accessed 27 August 2024