“Supervisors and regulatory bodies are adapting to the challenges of modern regulation, and ComplyPortal’s Director, Luis Parra, shares his advice for how regulated firms can adapt and keep up with these changes.”

By now, ‘fintech’ and ‘regtech’ have become familiar terms within and even beyond the world of financial services—but how familiar are you with ‘Suptech’? Short for ‘Supervisory technology’, suptech is a term that covers the use of technology to support and assist regulatory agencies in their supervisory function. Just as regtech and fintech solutions help businesses and consumers optimise tasks and workflows, suptech works in a similar way to make supervision more efficient and effective—and regulated entities must adapt in order to keep up.

Be it access to or management of data, automation, data analysis, or simply the speed that comes with digitising previously manual operations, suptech is creating new standards of supervision and regulation. Using technology allows supervisors to monitor and review the actions of regulated entities in greater detail and at a faster pace. Suptech applications can sift through thousands of regulatory filings and identify potential supervisory issues, whereas it is impossible for supervisors to review each one closely. This enriched capability and insight means firms will be under the microscope like never before, and without equivalent digital solutions of their own, there is a chance they could be caught on the back foot.

With regulators increasingly turning to data- and technology-driven supervision, firms must adapt at pace in order to avoid falling behind on compliance demands. Fortunately, it is easier than ever for firms to find the right regtech solution for their needs. There are a plethora of options available on the market; the key is choosing a solution which can be tailored to your firm’s needs and is supported by compliance experts for the most up-to-date information.

While this level of change in regulation and compliance might be alarming, it should also be viewed as an opportunity. January is often a time spent reflecting and acting on new ways of operating, either personally or professionally. What better time to review your internal compliance processes and assess if they are ready for the challenges of a new year and a more digital age of compliance and regulation?

Discover how ComplyPortal can help you adapt to new and future challenges at: https://complyportal.uk/modules

Find Luis’s previous blog post here: Practical Tips for Implementing Compliance Software

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

CLICK HERE TO GET STARTED!

On 1 March 2021, the EBA published its final report setting out revised guidelines on customer due diligence (CDD) and the factors credit and financial institutions should consider when assessing money laundering (ML) and terrorist financing (TF) risk associated with business relationships and occasional transactions under Articles 17 and 18(4) of Fourth Money Laundering Directive (EU 2015/849) (MLD4).

MLD4 and a risk-based approach

The anti-money laundering directives are the key pieces of legislation which make up the current European Union anti-money laundering (AML) and counter-terrorist financing (CTF) regime. MLD4 placed a risk-based approach at the center of the regime. As the risk of ML and TF can vary, a risk-based approach helps to manage that risk effectively. MLD4 was required to be transposed into national law by 26 June 2017.

Guidelines

The greater emphasis in MLD4 on a risk-based approach meant that there was a greater need for guidance for National Competent Authorities (NCAs) and firms. Under MLD4, the European Supervisory Authorities (ESAs) were required to issue guidelines by 26 June 2017, addressed to NCAs and firms, on the risk factors firms should take into consideration and the measures they should take in situations where simplified or enhanced customer due diligence (CDD) would be appropriate. The aim was to promote a common understanding, by firms and competent authorities, of what the risk-based approach to AML/CFT entails and how it should be applied.

The Final Guidelines (JC/2017/37) were published on 26 June 2017. The guidelines have applied since 26 June 2018. Guidelines are addressed to NCAs and firms and their purpose is to clarify the supervisory expectations and to enhance the convergence of supervisory practices. Although they are non-binding, NCAs and firms to whom guidelines are addressed are expected to comply with them (on a “comply or explain” basis).

MLD5 and ESA ongoing work

On 19 June 2018, the Fifth Money Laundering Directive (EU 2018/843) (MLD5) entered into force. MLD5 was required to transpose into national law by 10 January 2020. MLD5 amended MLD4 to strengthen the fight against terrorist finance and ensure the increased transparency of financial transactions. As a result, the Guidelines needed to be updated to take account of the new legal framework. At the same time, the ESAs’ ongoing work on ML/TF risk highlighted several areas where significant differences continued to exist in firms’ approaches to AML/CFT.

The EBA’s new role

Since 1 January 2020, the responsibility to produce these guidelines (and to update them) has been passed to the European Banking Authority (EBA), by virtue of Article 3(3) of the Omnibus Directive amending Article 17 of MLD4, giving the EBA powers to lead, co-ordinate and monitor efforts to strengthen AML and CTF measures across the EU in respect of financial institutions.

The EBA launched a consultation on a revised version of the guidelines on 5 February 2020 proposing changes to reflect MLD5, as well as concerns identified by the ESAs.

The revised guidelines

On 1 March 2021, the EBA published its final revised guidelines.

General Guidelines

The EBA has provided more details to existing central parts of the guidelines, as well as adding new guidance on emerging risks:

• business-wide and individual ML/TF risk assessments;
• customer due to diligence measures including the identification of the beneficial owner and
• enhanced due diligence in relation to high risk third countries;
• TF risk factors; and
• emerging risks, such as the use of innovative solutions for CDD purposes.

High risk third countries

The revised Guidelines require firms to carefully assess the risks associated with business relationships and transactions where the customer is known to maintain close personal or professional links with a high-risk third country, or beneficial owner(s) is/are known to maintain close personal or professional links with a high-risk third country.

Beneficial ownership

Under the revised guidelines, when discharging their obligations set out in Article 13(1)(b) of MLD4 to understand the customer’s ownership and control structure, firms should:

• ask the customer who their beneficial owners are;
• document the information obtained; and
• then take all necessary and reasonable measures to verify the information: to achieve this, firms should consider using beneficial ownership registers where available.

Beneficial ownership registers – Firms should be mindful that using information contained in beneficial ownership registers does not, in itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, specifically where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is the ultimate beneficial owner.

Control through other means – Firms should also take reasonable measures to understand the customer’s ownership and control structure. The measures firms take to understand the customer’s ownership and control structure should be sufficient so that the firm can be reasonably satisfied that it understands the risk associated with different layers of ownership and control. In particular, firms should be satisfied that, the customer’s ownership and control structure are not unduly complex or opaque; or complex or opaque ownership and control structures have a legitimate legal or economic reason.

Firms should pay particular attention to persons who may exercise ‘control through other means. Examples of ‘control through other means’ firms should consider include:

• control without direct ownership, for example through close family relationships, or historical or contractual associations;
• using, enjoying or benefiting from the assets owned by the customer;
• responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person.

Identifying the customer’s senior managing officials – Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if:

• They have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer;
• Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and
• They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.

De-risking

EBA also reiterates that there is no requirement for financial institutions to discontinue services to entire categories of customers that they associate with higher ML/TF risk (so-called ‘de-risking’). Instead, firms should balance the need for financial inclusion with the need to mitigate and manage ML/TF risk.

The EBA had launched a separate Call for Input in 2020, to understand why financial institutions choose to de-risk and therefore exacerbate financial exclusion, instead of managing the risks associated with certain sectors or categories of customers. The Call for Input received more than 300 responses by the deadline in September 2020 and the EBA is assessing the implications for its policy development in this area. The feedback gathered from this Call will potentially feed into other EBA outputs.

Electronic identification

Where a business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations, firms should take adequate measures to be satisfied that the customer is who he claims to be and assess whether the non-face to face nature of the relationship or occasional transaction gives rise to increased ML/TF risk. The use of electronic means of identification does not of itself give rise to increased ML/TF risk, especially where these electronic means provide a high level of assurance.

Moreover, MLD4 is technology neutral and firms may choose to use electronic or documentary means, or a combination thereof, to evidence their customers’ identity. Firms that use or intend to use innovative technological means for identification and verification purposes should assess the extent to which the use of innovative technological solutions can address, or might exacerbate, the ML/TF risks, particularly in non-face to face situations. Firms that use an external provider, rather than develop their own innovative solution in-house, remain ultimately responsible for meeting their CDD obligations.

Monitoring

Firms should put in place systems and controls to keep their assessments of the ML/TF risk associated with their business, and with their individual business relationships under review to ensure that their assessment of ML/TF risk remains up to date and relevant. The level, frequency and intensity of monitoring may be adjusted in a way that is commensurate to the ML/TF risk associated with the customer or the transactions. In high-risk situations, firms should consider whether enhanced ongoing monitoring of the relationship would be appropriate, including increasing the frequency of reviews to be satisfied that the firm continues to be able to manage the risk associated with the individual business. The guidelines list additional enhanced due diligence measures that may be of particular relevance in different sectors.

Sector-specific Guidelines

In addition, since the first publication of these Guidelines in 2017, the financial sector has evolved and existing and emerging risks have been identified. Therefore, new sectoral guidelines need to be included so as to tackle the specific AML/CFT risks of those sectors and to promote convergence in relation to the following sectors:

• crowdfunding platforms
• corporate finance
• account information service providers (AISPs)
• payment initiation services providers (PISPs), and
• firms providing activities of currency exchanges offices.

Next steps and Timing of application of revised guidelines

The guidelines will be translated into the official EU languages and published on the EBA website and will apply three months after publication in all EU official languages. Upon the date of application, the original guidelines will be repealed and replaced with the revised guidelines.

For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

CLICK HERE TO GET STARTED!

While Europe’s financial institutions are struggling to absorb the shock caused by the COVID-19 pandemic, security risks and the frequency of Information and Communications Technology (ICT) and security-related incidents (including cyber incidents) are rising, which, in turn, has the potential to adversely impact financial institutions’ operational functioning.

The financial sector’s increasing digitalisation and the growing interconnectedness between financial institutions and third parties make financial institutions’ operations vulnerable to internal and external ICT and security risks that could potentially compromise their viability. As a result, sound ICT and security risk management are key for a financial institution to achieve its strategic, corporate, operational and reputational objectives.

For this reason, the European Banking Authority (EBA) issued its Guidelines on ICT and security risk management which entered into force on 30 June 2020. These guidelines set out EBA’s expectations on how financial institutions should manage the internal and external ICT and security risks.

Do you meet the requirements?

• Financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management and mitigation of ICT and security risks through an independent and objective control function, appropriately segregated from ICT operations processes and not responsible for any internal audit, and an independent internal audit function.
• Maintain up-to-date inventories of business functions and assess the operational risks related to ICT and the security risks and determine what measures are required to mitigate the identified risks.
• Requirements to implement effective information security measures, including having an information security policy in place; establishing, implementing and testing information security measures; and establishing a training programme for all staff and contractors.
• Requirements for ICT operations management including requirements to improve, when possible, the efficiency of ICT operations; implement logging and monitoring procedures for critical ICT operations; maintain an up-to-date inventory of ICT assets; monitor and manage the life cycle of ICT assets; and implement backup plans and recovery
• Requirements for ICT project and change management, including the acquisition, development and maintenance of ICT systems and services.
• Business continuity management and developing response and recovery plans, including testing, and their consequent updating based on the test results. Ensure effective crisis communication measures in place so that all relevant internal and external stakeholders can be informed in a timely manner.

If you don’t know where to start and are uncertain as to the security risks that exist in your organisation and how they should be identified and controlled, we are here to help you.

For more insight on compliance technology options and benefits, visit https://complyportal.uk/modules/ and find out how our straightforward, comprehensive compliance technology solution can help you and your organisation.

About ComplyPortal:

First developed in 2011 by compliance professionals for compliance officers, ComplyPortal offers workflow, automation, and several modules to help firms with control and regulatory compliance monitoring.

ComplyPortal simplifies financial services regulatory compliance management on an easy-to-use cloud-based comprehensive compliance platform. It enables compliance officers, risk officers and senior management to keep track of their firm’s regulatory responsibilities and workflows. Our platform includes the following modules, among others:

• Monitoring: a year-round schedule pre-populated with monitoring questionnaires to ease compliance processes.
• Registers: lists controlled by the Compliance officer, but easy for staff to view.
• Risk: map and control risk areas to effectively identify and manage risk for your firm.
• eKYC solution: perform comprehensive searches, including client identity verification, document authenticity, and more for a comprehensive KYC and AML approach

CLICK HERE TO GET STARTED!