Explanatory Memorandum to the Anti-Money-Laundering Law of 18 September 2017 - Article 19
In the past, due diligence measures were often wrongly perceived in practice as measures limited to the identification and knowledge of the customer (measures commonly known as ‘KYC’ or ‘Know Your Customer’). However, the general due diligence obligations are in fact far broader and must be understood as a coherent set of measures that aim to enable the obliged entities to identify suspicious transactions that must be reported to the CTIF-CFI. This is why draft Article 19, § 1 starts by recalling that the general due diligence obligations entail three separate obligations:
- The obligation to identify and check the identity of the clients and beneficiaries of life insurance policies, as well as, where applicable, that of their agents and beneficial owners (the obligation to identify and verify the identity which is explained in detail in section 2); the notion of ‘life insurance’ is defined in Article 4, 25°, as a life insurance policy within the meaning of those that fall under class 21 as referred to in Annex II of the Law of 13 March 2016 on the legal status and supervision of insurance or reinsurance companies, but also all insurance policies that fall under another insurance class (especially those that fall under classes 23, 25, 26 or 27) where the investment risk is borne by the policy-holders;
- The obligation to assess the customer’s characteristics and the purpose and intended nature of the business relationship (or of the occasional transaction) and, where applicable, to obtain additional information for this purpose (the obligation to identify the customer’s characteristics and the purpose and intended nature of the business relationship, which is explained in detail in section 3); and
- The obligation to perform ongoing due diligence as regards the business relationships and transactions; this obligation has two sides: careful examination of transactions carried out over the course of the business relationship; and updating the data held (the obligation of ongoing due diligence, which is explained in detail in section 4).
These three due diligence obligations are already set out in the Law of 11 January 1993, but in a more fragmented way. Moreover, that Law places considerably unequal importance on them: barely one paragraph mentions the obligation to identify the purpose and intended nature of the business relationship, in an Article that is otherwise focused on the identification of customers (Article 7). The draft Law aims to rationalise the presentation of the three due diligence obligations and to emphasise that there are indeed three separate obligations, each of which is subject to its own rules and each of which the obliged entities have to comply with.
Article 19, § 2 transposes Article 13, paragraph 2 of Directive 2015/849, pursuant to which the risk-based approach applies to each of the general due diligence obligations. This is a substantial revision introduced by the Directive, which brings European legislation into line with Recommendation 10 of the FATF. Henceforth, all due diligence measures applied by an obliged entity, including the measures to identify customers, their agents and beneficial owners, and to verify their identity, must be taken on the basis of the assessment of ML/TF risks conducted by this entity vis-à-vis each business relationship or occasional transaction. This assessment, which is called an ‘individual risk assessment’, is therefore a key aspect of the system introduced by the draft Law.
The individual risk assessment entails the obliged entity analysing the ML/TF risks associated with a particular customer, taking into account two types of aspects:
- all information acquired by the obliged entity during the performance of its due diligence obligations. More particularly: the information regarding the identity of the customer, the customer’s agents and beneficial owners, the information regarding the characteristics of the customer and the purpose and intended nature of the business relationship (or the transaction concerned) as well as all other information acquired as part of ongoing due diligence. This is information which allows an understanding of the specific characteristics of the customer and of the business relationship or transaction concerned;
- the conclusions from the general risk assessment conducted pursuant to Article 16 of the draft Law, as well as the variables taken into consideration in this general risk assessment such as, in particular, the factors indicating a higher or lower risk, as referred to in Annexes II and III of the draft Law, but also the relevant conclusions from the report drawn up by the European Commission and the coordinating bodies, and the national risk assessment (see comment on Article 16). By way of reminder, the general risk assessment is a business-wide assessment, which is more objective than the individual assessment, which is specific to a particular customer. The general assessment entails the obliged entity determining the risks to which it is objectively exposed, taking into account its activities and the manner in which it conducts them (type of customer, geographical area, etc.). In practice, the general risk assessment determines the general theoretical framework within which the individual risk assessment should take place.
It should also be noted that Chapter 2 of this Title identifies situations in which the risk should in any case be deemed high, and in which the specific enhanced due diligence measures, as listed in the aforementioned Chapter 2, are consequently required. Without prejudice to the application of these specific measures, the obliged entities must also take into account these specific situations when they conduct an individual assessment of the risks associated with their customers.
After completion of the individual assessment, each customer is attributed a high, standard or low risk profile. Based on its general risk assessment, the obliged entity may need to further subdivide the categories of high risks and low risks to ensure the pertinence of the due diligence measures that apply to each risk profile.
By virtue of the risk-based approach, this risk profile will be decisive for:
- acceptance or refusal of a customer, in accordance with the customer acceptance policy defined by the obliged entity;
- the quantity of information necessary to identify the persons referred to in the Law, and the extent of the measures to be taken to verify this identity;
- the extent of the measures to be taken to understand the characteristics of the customer and the purpose and intended nature of the business relationship (or the transaction) concerned;
- the extent of the measures to be taken for ongoing due diligence, especially as regards examination of the transactions executed.
Where obliged entities come to the conclusion as part of their individual risk assessment that there is a high risk, they are required to apply stricter due diligence measures. These enhanced due diligence measures are set out in the entity’s policies and internal control. The situation is different in the case of low risk. In that case, it is up to each obliged entity to decide whether the simplified due diligence measures apply for low risk, or whether the standard measures continue to apply. This ab initio (rather than case-by-case) decision must be justified and any simplified due diligence measures must be laid down in the policies and internal control measures.
Obliged entities must at all times be able to demonstrate to the supervisory authorities that the due diligence measures they apply are appropriate in light of the ML/TF risks they have identified in their individual risk assessment.