Commission Delegated Regulation (EU) 2019/758 of 31 January 2019 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regard to regulatory technical standards for the minimum action and the type of additional measures credit and financial institutions must take to mitigate money laundering and terrorist financing risk in certain third countries (Text with EEA relevance.)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (1), and in particular Article 45(7) thereof,

Whereas:

(1) Credit institutions and financial institutions are required to identify, assess and manage the money laundering and terrorist financing risk to which they are exposed, particularly when they have established branches or majority-owned subsidiaries in third countries or because they are considering whether to establish branches or majority-owned subsidiaries in third countries. Directive (EU) 2015/849 therefore sets standards for the effective assessment and management of money laundering and terrorist financing risk at group level.

(2) The consistent implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures is key to the robust and effective management of money laundering and terrorist financing risk within the group.

(3) There are, however, circumstances where a group operates branches or majority-owned subsidiaries in a third country whose law does not permit the implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures. This can be the case, for example, where the third country's data protection or banking secrecy law limits the group's ability to access, process or exchange information related to customers of branches or majority-owned subsidiaries in the third country.

(4) In those circumstances, and in situations where the ability of competent authorities effectively to supervise the group's compliance with the requirements of Directive (EU) 2015/849 is impeded because competent authorities do not have access to relevant information held at branches or majority-owned subsidiaries in third countries, additional policies and procedures are required to manage money laundering and terrorist financing risk effectively. These additional policies and procedures may include obtaining consent from customers, which can serve to overcome certain legal obstacles to the implementation of group-wide anti-money laundering and countering the financing of terrorism policies and procedures in third countries where other options are limited.

(5) The need to ensure a consistent, Union level response to legal obstacles to the implementation of group- wide policies and procedures justifies the imposition of specific, minimum actions credit and financial institutions should be required to take in those situations. However, such additional policies and procedures should be risk-based.

(6) Credit institutions and financial institutions should be able to demonstrate to their competent authority that the extent of additional measures they have taken is appropriate in view of the money laundering and terrorist financing risk. However, should the competent authority consider that the additional measures a credit institution or financial institution has taken are insufficient to manage that risk, the competent authority should be able to direct the credit institution or financial institution to take specific measures to ensure the credit institution's or financial institution's compliance with its anti-money laundering and countering the financing of terrorism obligations.

(7) Regulation (EU) No 1093/2010 of the European Parliament and of the Council (2), Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4) empower the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA), respectively, to issue joint guidelines to ensure the common, uniform and consistent application of Union law. When complying with this Regulation credit institutions and financial institutions should take into account the joint guidelines issued in accordance with Article 17 and Article 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions and make every effort to comply with those guidelines.

(8) The provisions of this Regulation should be without prejudice to the duty of competent authorities of the home Member State to exercise additional supervisory actions as stipulated in Article 45(5) of Directive (EU) 2015/849 in cases where the application of additional measures defined by this Regulation will prove insufficient.

(9) The provisions of this Regulation should also be without prejudice to the enhanced due diligence measures credit institutions and financial institutions are required/obliged to take when dealing with natural persons or legal entities established in countries identified by the Commission as high risk pursuant to Article 9 of Directive (EU) 2015/849.

(10) Credit institutions and financial institutions should be given sufficient time to adjust their policies and procedures in line with this Regulation's requirements. To this end, it is appropriate that the application of this Regulation be deferred by three months from the date on which it enters into force.

(11) This Regulation is based on draft regulatory technical standards developed by the European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority), submitted to the Commission.

(12) The European Supervisory Authorities have conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the opinion of the Banking Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010,

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter and scope

This Regulation lays down a set of additional measures, including minimum action, that credit institutions and financial institutions must take to effectively handle the money laundering and terrorist financing risk where a third country's law does not permit the implementation of group-wide policies and procedures as referred to in Article 45(1) and (3) of Directive (EU) 2015/849 at the level of branches or majority-owned subsidiaries that are part of the group and established in the third country.

Article 2

General obligations for each third country

For each third country where they have established a branch or they are a majority owner of a subsidiary, credit institutions and financial institutions shall at least:

(a) assess the money laundering and terrorist financing risk to their group, record that assessment, keep it up to date and retain it in order to be able to share it with their competent authority;

(b) ensure that the risk referred to in point (a) is reflected appropriately in their group-wide anti-money laundering and countering the financing of terrorism policies and procedures;

(c) obtain senior management approval at group-level for the risk assessment referred to in point (a) and for the group-wide anti-money laundering and countering the financing of terrorism policies and procedures referred to in point (b);

(d) provide targeted training to relevant staff members in the third country to enable them to identify money laundering and terrorist financing risk indicators, and ensure that the training is effective.

Article 3

Individual risk assessments

(b) ensure that their branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers' beneficial owners, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);

(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers' beneficial owners, to give consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.

Those additional measures shall include the additional measure set out in point (c) of Article 8 and one or more of the measures set out in points (a), (b), (d), (e) and (f) of that Article.

Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to in paragraphs 1 and 2, it shall:

(a) ensure that the branch or majority-owned subsidiary terminates the business relationship;

(b) ensure that the branch or majority-owned subsidiary not carry out the occasional transaction;

(c) close down some or all of the operations provided by their branch and majority- owned subsidiary established in the third country.

Article 4

Customer data sharing and processing

(b) ensure that their branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers' beneficial owners, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);

(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers' beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.

Article 5

Disclosure of information related to suspicious transactions

Those additional measures shall include one or more of the additional measures set out in points (a) to (c) and (g) to (i) of Article 8.

Article 6

Transfer of customer data to Member States

Where the third country's law prohibits or restricts the transfer of data related to customers of a branch and majority-owned subsidiary established in a third country to a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, credit institutions and financial institutions shall at least:

(b) carry out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively implements group-wide policies and procedures and that it adequately identifies, assesses and manages the money laundering and terrorist financing risks;

(c) provide the findings of the reviews referred to in point (b) to the competent authority of the home Member State upon request;

(e) make the information referred to in point (d) available to the competent authority of the home Member State upon request.

Article 7

Record-keeping

(b) establish whether consent from the customer and, where applicable, their beneficial owner, can be used to legally overcome restrictions or prohibitions referred to in point (a)(ii);

(c) ensure that their branches or majority-owned subsidiaries that are established in the third country require customers and, where applicable, their customers' beneficial owners, to provide consent to overcome restrictions or prohibitions referred to in point (a)(ii) to the extent that this is compatible with the third country's law.

Article 8

Additional measures

Credit institutions and financial institutions shall take the following additional measures pursuant to Article 3(2), Article 4(2), Article 5(2) and Article 7(2) respectively:

(a) ensuring that their branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided by the branch of majority-owned subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group's risk exposure;

(b) ensuring that other entities of the same group do not rely on customer due diligence measures carried out by a branch or majority-owned subsidiary established in the third country, but instead carry out customer due diligence on any customer of a branch or majority-owned subsidiary established in third country who wishes to be provided with products or services by those other entities of the same group even if the conditions in Article 28 of Directive (EU) 2015/849 are met;