Supervisory powers, measures and policy of the NBB: Comments and recommendations by the NBB

1. Role of the NBB in AML/CFT

The provisions governing the NBB's competence in the area of AML/CFT are laid down in Articles 85 to 98/1 of the Anti-Money Laundering law. 

Pursuant to this Law, the NBB is responsible in particular for monitoring compliance by financial institutions (as defined on this website) with their European and national obligations relating to the fight against money laundering and terrorist financing (AML/CFT), as well as with their obligations with regard to assets freezes and transfers of funds.

The NBB exercises off-site supervision (for example by examining the reportings received from financial institutions) and on-site controls. 

The NBB’s Sanctions Committee has the power to take administrative sanctions where a financial institution violates a legislative or regulatory provision whose compliance is monitored by the NBB (see the page "Administrative sanctions").

2. Supervisory powers and measures of the NBB

The NBB's supervisory powers and measures in the area of AML/CFT are specified in Articles 91 to 98/1 of the Anti-Money Laundering Law. In accordance with these provisions, the NBB may:

  • “request any information and any document”, in any form whatsoever, and in particular any information on the organisation, operation, situation and transactions of the financial institutions (including information about the relationships between a financial institution and its customers, to the extent necessary for exercising its supervision);

The NBB uses this power in particular to require financial institutions subject to its supervision to provide it with the information and reports detailed on the page "Reporting by financial institutions".

  • conduct on-site inspections and take cognizance of and copy, on the spot, any data and any document, file or record, and have access to any computer system to verify compliance with the Law and to verify the appropriate nature of the management structures, the administrative organisation, the internal control and the ML/FT risk management policies;
  • task the statutory auditor or accredited auditor for the financial institution with preparing special reports relating to compliance by the latter (including any branches it may have abroad) with the applicable AML/CFT provisions or relating to the enforcement of the NBB’s orders;

The NBB may thus rely on the cooperation of the statutory auditor or accredited auditor of the financial institution (or of an ad hoc accredited auditor that the NBB appoints if the institution concerned is not required to appoint one), in particular for monitoring the proper implementation of an action plan drawn up following an on-site inspection or recommendations issued following a specific or horizontal supervisory action, or for confirmation that the information which the institution is required to communicate to it is complete, correct and established in accordance with the relevant rules.

It should also be noted that, like the laws organising prudential supervision, the Anti-Money Laundering Law provides that inspection reports, any special reports which may be requested from the statutory auditor or accredited auditor and, more generally, all documents coming from the NBB which it specifies are confidential may not be disclosed by the financial institutions without the NBB’s express authorisation, under penalty of the sanctions provided for in Article 458 of the Criminal Code.

Where the NBB’s controls lead to the identification of shortcomings on the part of a financial institution, the NBB may order it:

  • to comply with specific AML/CFT obligations imposed on it pursuant to the applicable provisions (for example, due diligence requirements provided for in Book II of the Anti-Money Laundering Law, or obligations imposed by the binding provisions relating to financial embargoes);
  • to comply with a requirement imposed by the NBB pursuant to the aforementioned provisions (for example, ad hoc or regular communication of information or documents of any kind);
  • to comply with the requirements imposed by the NBB as conditions to a decision taken pursuant to the same provisions (for example, the requirement that the AMLCO of the financial institution has his position in the organisation chart of this financial institution modified in order to satisfy the obligation of independence referred to in Article 9 of the Anti-Money Laundering Law, or follows a specific training course in order to satisfy the obligation of expertise laid down in the same Article 9);
  • to make the necessary adjustments, or to replace certain persons so that its management structures, internal organisation and policies/procedures and processes are in line with the NBB's expectations.

The NBB may, where a financial institution fails to comply with its order by the deadline set and provided that the financial institution has been able to defend its case:

  • publish the breaches found and the fact that the obliged entity has not complied with the order issued to it;
  • impose a penalty payment on it which may not be less than EUR 250 nor more than EUR 50 000 per calendar day, nor, in total, more than EUR 2 500 000. The Anti-Money Laundering Law provides that the amount of the penalty is determined, where appropriate, taking into account a series of relevant circumstances listed therein, such as the gravity and the duration of the breaches, the degree of responsibility of the financial institution involved, its financial strength, or its level of cooperation with the supervisory authorities.

Finally, if the NBB finds that the situation has not been remedied by the deadline it has set, the Law provides for a gradual system of measures that can be taken: appointment of a special commissioner in addition to the management bodies, replacement of the statutory governing body, temporary suspension of all or part of the business, withdrawal of the authorisation and prohibition on providing services in Belgium. In urgent cases, or where the seriousness of the facts so justifies, the NBB may take such measures without previously issuing an order, provided that the financial institution has been able to defend its case.

The Anti-Money Laundering Law provides that the aforementioned measures taken by the NBB (as well as any appeals in relation thereto and the outcome thereof) are, on the one hand, brought to the attention of the ESAs, in particular the EBA, and, on the other hand, published, in principle nominatively, on the NBB's website for a period of at least five years. This publication must include at least information on the type and nature of the breach, as well as the identity of the natural and legal persons responsible. In view of the specific nature of certain measures imposed by the NBB, the decision whether or not to publish, or to publish anonymously, is taken by the NBB taking into account the proportionate nature of the publication as well as the risk for the financial institution concerned and for the stability of the financial markets.

Finally, where the NBB, in the context of its supervisory mission at a financial institution, identifies any breaches of the provisions of the Law relating to the limitation of the use of cash which are subject to the criminal sanctions provided for in Article 137, 1°, of the Anti-Money Laundering Law and which falls within the supervisory competence of the FPS Economy, it notifies the latter as soon as possible.

In order to ensure the consistency between AML/CFT supervision and general prudential supervision, most of the provisions of the Anti-Money Laundering Law conferring the supervisory and enforcement powers referred to above on the NBB have been aligned with the corresponding provisions of the prudential laws.

3. Organisation of AML/CFT supervision within the NBB

Since January 2016, AML/CFT supervision is organised around two teams:

  • a specialised team ("the AML/CFT Group"), whose purpose is mainly:
    • to perform the tasks related to the development, with the assistance of the legal service, of the AML/CFT supervisory policy, and
    • to exercise off-site supervision of all financial institutions subject to supervision (cross-sectoral competence); and
  • the inspection services, which remain responsible for the on-site AML/CFT controls.

In carrying out its tasks, the AML/CFT Group works closely together with the NBB services responsible for general prudential supervision and with the European Central Bank acting as the prudential supervisory authority under the Single Supervisory Mechanism, in order to maintain the overall consistency of the supervisory actions with regard to each of the financial institutions subject to supervision.

4. Risk-based supervisory methodology and policy

In accordance with Articles 7 and 87 of the Anti-Money Laundering Law, the NBB is required to implement a risk-based approach in the exercise of its AML/CFT supervisory powers.

Based on its practical experience with risk-based supervision in this area, the ESAs Guidelines dated 7 April 2017 on risk-based supervision, as well as various guidance documents published by FATF in this area, including the "FATF Guidance dated 23 October 2015 for a Risk-Based Approach: Effective Supervision and Enforcement by AML/CFT Supervisors of the Financial Sector and Law Enforcement", the NBB has formalised its risk-based supervisory policy in the area of AML/CFT. The purpose of this supervisory policy is:

  • to base the exercise of its supervisory powers on an assessment of the level and nature of the ML/FT risks associated with each financial institution subject to supervision, taking into account its specific characteristics ("risk profiles");
  • to implement differentiated off-site supervisory actions for each financial institution according to the risk profile assigned to it;
  • to ensure consistency between the off-site supervisory actions, on the one hand, and the controls carried out on site (inspections), on the other;
  • to provide a framework for implementing the principle of equal treatment of financial institutions with regard to supervision, notwithstanding the differentiation of individual supervisory actions according to risk.

It should be stressed, however, that this formalisation of the risk-based supervisory policy does not introduce a new approach, but rather clarifies the framework for the implementation of supervisory actions that were already previously based on risk assessment. 

The NBB's supervisory policy thus clarifies the objectives of the supervision and defines, in general terms, the differentiated risk-based supervisory actions to be taken to achieve those objectives.

The principles underlying this supervisory policy can be summarised as follows.

This policy is based primarily on an individual assessment of the ML/FT risks to which each financial institution is exposed ("risk profiles").

In order to provide a frame of reference allowing a consistent attribution of the individual risk profiles to all the financial institutions falling within its supervisory powers, the NBB has carried out a sectoralrisk assessment (SRA) aimed at determining in a generic manner the level of ML/FT risk associated with the various categories of financial institutions falling within its powers. In order to achieve an adequate level of granularity in this document, the NBB has carried out this exercise by distinguishing between the risks associated with the various financial activities carried out by the institutions subject to its supervision. This sectoral risk assessment also enables the NBB to contribute, through its assessment of the vulnerability to money laundering risks of the various categories of financial institutions subject to its supervision, to the national assessment of money laundering risks carried out by the body tasked with coordinating the fight against the laundering of money of illicit origin.

While the sectoral risk assessment constitutes an important frame of reference, the assignment of an adequate risk profile to each financial institution also requires full account to be taken of the specific characteristics of each of them. To this end, the attribution of the risk profile is based on the analysis of all available information concerning each financial institution, in particular the information obtained from each financial institution through the periodic AML/CFT questionnaire and its overall risk assessments and the AMLCO's annual report. Information relating to the results of previous supervisory actions, both off-site and on-site (inspections), information obtained, where applicable, from other AML/CFT supervisory authorities or from the competent prudential supervisory authorities in the framework of both national and international cooperation, information that may be communicated by CTIF-CFI, or any other relevant information that may be obtained from reliable external sources, are also taken into account.

The analysis of all this information aims at measuring, on the one hand, the inherent risks that appear to be associated with the activities carried out by each financial institution (taking into account risk factors relating to the characteristics of the customers, the products and services offered, the distribution channels used, and the geographical areas with which the financial institution comes into contact through its activities. On the other hand, the analysis aims to assess the measures taken to reduce and manage these risks, both in terms of their compliance with applicable legal and regulatory requirements and in terms of their effectiveness and efficiency.

This process leads to an individual assessment of residual ML/FT risks, which results in the attribution to each financial institution of the risk profile ("High Risk", "Medium High Risk", "Medium Low Risk" or "Low Risk") that is deemed to be the most appropriate. It should be noted that these risk profiles are attributed according to a methodology that ensures consistency, not only within each sector subject to supervision (credit institutions, life insurance companies, stockbroking firms, payment institutions and electronic money institutions), but also at the cross-sectoral level.

To allocate these risk profiles, the NBB has developed IT tools for collecting and analysing information, that it refines whenever necessary.

Based on the risk-based supervisory policy adopted by the NBB, each of the four risk profiles that can be attributed to financial institutions is associated with a differentiated level of supervision ("Intensive", "Reinforced", "Ordinary" or "Light"). Each of these levels of supervision leads to the application of off-site supervisory measures that are differentiated in terms of their intensity, their frequency, and the nature and objective of the supervision.

Intensity of supervision

The risk profile assigned to each financial institution determines the degree of verification of information and the intensity of the supervision that will be exercised. Thus, the higher the level of risk, the more intrusive the supervisory methods must be. 

With regard to financial institutions with a "low" or "medium low" level of risk, supervisory actions may generally be based on the "standard" information which financial institutions are required to transmit to the NBB (replies to the periodic questionnaire, AMLCO activity report, summary of the overall risk assessment, etc. – see the page “Reporting by financial institutions”), which can be analysed remotely. 

On the other hand, in the case of financial institutions with a "medium high" or "high" level of risk, supervisory actions may give rise to additional requests for more detailed information. For example, these financial institutions may be asked to provide the NBB with samples of individual customer files or samples of their transactions to enable it to carry out spot checks.

Depending on the needs, the desk-based supervision is supplemented by meetings with management, compliance officers, AMLCOs or other members of staff, and/or by an on-site control (other than inspections) in order to analyse the information and ensure the relevance of the findings and the adequacy of the recommended remedial measures and their implementation schedule. 

Differentiating the intensity of supervision according to the risk profile also makes it possible to shortlist financial institutions with the highest risks with a view to formal on-site inspections. 

Frequency of supervision

Without prejudice to supervisory actions to be carried out outside the ordinary supervisory schedule due to event-driven situations, the frequency of supervisory actions will vary according to the risk profile.

Nature and purpose of supervision

With regard to financial institutions with a “low” or “medium low” risk, standardised supervisory actions will generally be carried out in order to provide an overall assessment of the level of compliance and effectiveness of the AML/CFT mechanisms implemented. However, if this overall assessment of the situation reveals that the risk that the financial institution subject to supervision could be used for money laundering or terrorist financing purposes is higher than initially thought, more targeted supervisory actions will be taken.

These standardised actions are essentially based on the use of the risk assessment and supervisory tools which the NBB has developed itself. It should be noted that the identification of vulnerabilities through this standardised approach leads to the adoption of specific remedial measures, and may also result in a change in the risk profile allocated to the financial institution concerned.

In the case of financial institutions with a “medium high” or “high” level of risk, a standardised assessment of the overall situation of the financial institution must be carried out, but it must be supplemented by targeted and thematic actions, and/or actions focusing on specific, individualised points of attention, specifically taking into account the individual characteristics of each financial institution, in particular the activities carried out, the characteristics of the customers, the size, the complex internal organisation structure, etc. Such actions typically cover clearly delineated topics. 

Depending on the needs, these supervisory actions may concern either financial institutions that can be grouped in a single cluster (based on the similarities in the most significant risks they are exposed to), or individual financial institutions.

With regard to targeted and thematic inspections, carrying out parallel missions at several similar financial institutions may reinforce the validity of the conclusions of the respective missions by comparing their situation with that of all the institutions included in the cluster (benchmarking). This supervisory technique may also help to ensure equal treatment of financial institutions in the context of risk-based supervision. It also enables the NBB to refine, if necessary, the information it publishes on its website dedicated to AML/CFT, for example by publishing the general conclusions of its thematic mission ("lessons learned", "good practices", etc.), or by amending its recommendations for the purpose of clarification or greater precision. The risk-based supervisory policy confirms that such actions should be implemented as a priority with regard to those financial institutions under supervision that present a “high” or “medium high” level of risk. The topics to be examined as part of this type of supervision will be selected on the basis of their relevance to the institutions included in the cluster or to the financial sector as a whole, taking into account the developments within this sector, the emergence of new forms of risks or vulnerabilities, or an upward reassessment, in the light of experience, of the impact of pre-existing risks or vulnerabilities.

In addition to "standardised" and "thematic" supervisory actions, financial institutions with a “medium high” or “high” level of risk are also subject to "individualised" actions to deepen the knowledge of the risks and vulnerabilities that are specific to them individually, to identify any shortcomings and weaknesses in their measures to manage and mitigate these risks and vulnerabilities, and to ensure that these shortcomings and weaknesses are adequately addressed.

 

Disclaimer: This English text is an unofficial translation and may not be used as a basis for solving any dispute