Performance of obligations by third parties: Comments and recommendations by the NBB

Contents

1. Outsourcing of tasks of the AMLCO function

Insofar as the financial institution remains fully responsible for the AMLCO function, it could be permitted, pursuant to the principle of proportionality and/or for reasons of efficiency, to outsource the executive tasks of the AMLCO function that are assigned to it by the Anti-Money Laundering Law and the Anti-Money Laundering Regulation of the NBB, in full or in part to a third party or to another entity belonging to the same group.

1.1. General principles

As a reminder, a financial institution outsources (or subcontracts) a function when it concludes an agreement in any form with a service provider, on the basis of which the latter carries out a process or task that otherwise would be carried out by the financial institution itself. Outsourcing differs from consulting in that a consultant only provides an opinion to his client financial institution without carrying out the process or task concerned himself.

The use of outsourcing by a financial institution to fulfil its statutory and regulatory AML/CFTP obligations should in no way lessen the responsibility of the institution concerned to have an appropriate and efficient organisation and to fulfil its statutory and regulatory obligations in this regard, nor transfer this responsibility to the service provider.

Consequently, given the nature of the function of senior officer responsible for AML/CFTP of a financial institution governed by Belgian law or of a branch established in Belgium, as referred to in Article 9 §1 of the Anti-Money Laundering Law, the NBB considers that neither this function nor the tasks of this function should be outsourced to either a third party or to another entity belonging to the same group, where applicable. Indeed, all financial institutions governed by Belgian law and all branches established in Belgium should appoint an internal “senior officer responsible for AML/CFTP” or, pursuant to the principle of proportionality, a “senior officer acting as AMLCO” (see point 5 of the Governance page).

In this regard, the NBB stresses in particular that the power to take strategic decisions in relation to AML/CFTP should not be outsourced and should be exercised, depending on the nature of the decision and without prejudice to the application of the group policy (see the page Organisation and internal control in groups), by the management committee or senior management of the financial institution, its senior officer responsible for AML/CFTP, its head of the Compliance function (as hierarchical head of the AMLCO, when the latter is an “N-2” member of the Compliance function), its AMLCO or, as the case may be, its senior officer acting as AMLCO (where, for reasons of proportionality, use is made of the possibility to combine functions as provided for in Article 9 §3 of the Anti-Money Laundering Law).

This relates in particular to decisions concerning:

  • the validation of the overall risk assessment,
  • the internal AML/CFTP organisation,
  • the AML/CFTP policy of the financial institution,
  • the adoption of internal AML/CFTP procedures,
  • the individual risk assessment, the entry into the business relationship and the assignment of the risk profile,
  • the establishment of criteria to detect atypical transactions,
  • the reporting of suspicious transactions to CTIF-CFI,
  • the notifications of assets freezes to the FPS Finance,
  • etc.

Conversely, insofar as the financial institution remains fully responsible for the AMLCO function as mentioned above, it could be permitted, pursuant to the principle of proportionality and/or for reasons of efficiency, to outsource the executive tasks of the AMLCO function that are assigned to it by the Anti-Money Laundering Law and the Anti-Money Laundering Regulation of the NBB, under the conditions described below, in full or in part to a third party or to another entity belonging to the same group. This can include the following tasks:

  • the performance of ongoing supervision aimed at detecting atypical transactions or transactions carried out to or from persons or entities subject to asset freezing measures (N.B. The mere use, in this context, of external lists or databases does not formally fall under the definition of outsourcing, but constitutes a purchase of information. This use of external suppliers is without prejudice to the financial institution’s compliance with its statutory AML/CFT obligations. This implies, inter alia, that the financial institution should regularly monitor the quality of the purchased product and take appropriate remedial action if the quality of the product proves to be inadequate),
  • the analysis of atypical transactions in accordance with internal procedures,
  • the collection of any additional information,
  • the development of an opinion based on the above-mentioned analysis regarding the (non-)suspicious nature of the transaction under consideration,
  • etc

For small financial institutions or institutions with an inherently low exposure to ML/FT risk, outsourcing could be justified in particular by the application of the principle of proportionality (see point 5 of the page Governance). Outsourcing may also be justified, for financial institutions belonging to a group, on the grounds of optimisation of the management of the resources needed to perform this function in the various entities of the group (e.g. centralisation of certain IT tools in the parent company).

However, the NBB draws attention to the fact that outsourcing within a group, by a subsidiary to its registered office or to another subsidiary of the group to which it belongs (intragroup outsourcing), is subject to the same requirements as outsourcing to an external service provider. Financial institutions making use of intragroup outsourcing should in particular take the measures necessary to identify and manage any conflicts of interest that could arise from such an outsourcing agreement. The group’s parent entity should:

  1. ensure that the relevant entities establish an inventory of instances of intra-group AML/CFT outsourcing specifying which task relates to which legal entity, and make this inventory regularly available for consultation; and
  2. ensure that intra-group outsourcing does not adversely affect the compliance of each of its subsidiaries, branches or other forms of establishment with AML/CFT obligations.

Similarly, given the territorial scope of the AML/CFTP legislation and regulations (for more information on the scope, see the page Scope), the transfer of tasks of the AMLCO function by a branch of a financial institution governed by the law of another EEA country or of a third country to its registered office or to another branch of the legal entity to which it belongs, should be considered outsourcing and therefore meet the prudential requirements in this regard.

Consequently, in the aforementioned cases of outsourcing and when the financial institution is a credit institution, investment firm, payment institution or electronic money institution, the Guidelines of the European Banking Authority of 25 February 2019 and Circular NBB_2019_19 of 19 July 2019 on outsourcing apply.

The NBB considers that the same principles also apply to the outsourcing of tasks of the AMLCO by life insurance companies.    

As regards European financial institutions that carry out activities in Belgium through (tied) agents or distributors established there, all principles and recommendations included in this Chapter apply mutatis mutandis to the outsourcing of tasks of the “central contact point” to be appointed (see Article 15 of the Anti-Money Laundering Law and the page on central contact points.

The NBB also points out that, since the tasks of the AMLCO fall under the internal control functions of the financial institutions, these tasks should be considered “critical or important functions” within the meaning of paragraph 24(b) of the aforementioned Guidelines of the European Banking Authority, unless the financial institution has been able to demonstrate beforehand that a failure in the performance of the outsourced tasks will not impair the efficiency of the internal control performed by the AMLCO.

Attention is also drawn to the fact that, with regard to critical or important functions (see above), the outsourcing of tasks related to AML/CFTP to service providers established in third countries should be subject to additional safeguard measures in order to ensure that the outsourcing does not, as a result of the location of the service provider, disproportionally increase the risk of non-compliance with the statutory and regulatory requirements or of inefficient performance of the outsourced tasks, nor hinders the supervisory authority’s capacity to effectively exercise its supervisory power with regard to the service provider.

The NBB also stresses that the use of outsourcing should not be so extensive as to lead to the creation of “empty shells” in terms of AML/CFTP. As a result, any financial institution outsourcing tasks of the AMLCO should take care to internally maintain, in addition to the decision-making power (see above), the effective power to manage outsourced tasks. This implies that the outsourcing financial institution should itself implement appropriate measures to monitor the outsourced tasks and remedy any shortcomings and deficiencies found. For this purpose, each outsourcing financial institution should in particular be able to demonstrate that it has sufficient internal resources to effectively exercise its decision-making power, its monitoring of the outsourced tasks and, where appropriate, its remediation obligation.

These principles also apply in case of outsourcing of due diligence obligations. For the performance of due diligence obligations, please refer to the section on the performance of due diligence obligations by third parties below.

 

1.2. Practical arrangements for the implementation of the outsourcing process

The outsourcing of tasks of the AMLCO function to a service provider requires the following conditions to be met:

  1. The decision to outsource should be preceded by a documented analysis to identify the risks that would be associated with this outsourcing, including the risks related to the use of new technologies in this context, in order to define the measures to be implemented to manage and reduce these risks.
  2. The decision to outsource should be duly justified in the light of the objectives pursued, clearly indicating whether it is taken pursuant to the principle of proportionality and/or whether it aims to ensure an optimal allocation of AML/CFTP resources throughout the group to which the financial institution concerned belongs.
  3. The financial institution which outsources tasks of the AMLCO function entrusts its AMLCO or, where appropriate, its senior officer acting as AMLCO with:
    • monitoring the service provider's performance to ensure that the outsourcing effectively enables the financial institution to comply with all its statutory and regulatory AML/CFTP obligations,
    • periodically and occasionally testing and monitoring the service provider for compliance with the obligations under the outsourcing agreement, and
    • reporting on the outsourcing to the management committee (or, where applicable, to the senior management) and to the board of directors as part of the AMLCO’s annual report or whenever circumstances require, in particular so that any necessary remediation measures are implemented as soon as possible.
      When the financial institution makes use of the possibility to combine the function of senior officer with the AMLCO function, in accordance with Article 9 §3 of the Anti-Money Laundering Law, the NBB recommends that this senior officer acting as AMLCO be assisted in carrying out these specific tasks by a contact person who is a staff member of the financial institution and who has the knowledge and expertise required for this purpose. Where such a contact person has not been designated, the financial institution should be able to demonstrate that its senior officer acting as AMLCO is effectively able to perform these specific tasks alone.
  4. The financial institutions referred to in the aforementioned Guidelines of the European Banking Authority of 25 February 2019 on outsourcing arrangements are required to enter the outsourcing agreements relating to tasks of the AMLCO function in the registry of outsourcing arrangements, and keep these entries up-to-date, within the time frame and according to the rules set out in those Guidelines. The institution should be able to submit the whole or specific sections of this registry to the NBB at its first request, in accordance with Article 91 of the Anti-Money Laundering Law.
  5. The financial institution should ensure that a proper framework is established for outsourcing, in accordance with the prudential rules in force in this area (for credit institutions and stockbroking firms: the aforementioned Guidelines of the European Banking Authority of 25 February 2019 on outsourcing arrangements and Circular NBB_2019_19; for insurance companies: Circular NBB_2016_31; for payment institutions and electronic money institutions: the aforementioned Guidelines of the European Banking Authority of 25 February 2019 on outsourcing arrangements and Circular NBB_2019_19; for settlement institutions: Circular PPB_2007_5). This implies in particular that:
    • the outsourcing complies with the financial institution’s outsourcing policy;
    • the decision to outsource is subject to a prior analysis in accordance with the aforementioned Guidelines of the European Banking Authority;
    • the financial institution verifies, prior to the conclusion of the outsourcing agreement, the proposed subcontractor’s professional integrity, AML/CFTP expertise, knowledge of the Belgian statutory and regulatory framework and effective availability, throughout the duration of the outsourcing agreement, for performing the tasks of the AMLCO that will be outsourced to him; the required availability of the subcontractor should be determined on the basis of a reasonable assessment, using objective and relevant criteria, of the working time which will be required for the complete and timely performance of the outsourced tasks with a high quality standard;
    • the outsourcing arrangements, including a precise list of the tasks assigned to the subcontractor and the procedures to be followed by the subcontractor in carrying out those tasks, and the arrangements for the regular monitoring by the financial institution of the completeness, timeliness and quality of the services provided by the subcontractor, are laid down in writing (the service level agreement);
    • the service level agreement explicitly states whether or not the subcontractor is authorised to make use of sub-outsourcing and, if so, it specifies the precise arrangements thereof;
    • the financial institution ensures that the outsourcing agreement contains the necessary explicit provisions to prevent this agreement from obstructing the control tasks of the financial institution's internal audit, compliance and AMLCO functions, or the NBB's exercise of its AML/CFTP off-site control and on-site inspection powers, in accordance with the Anti-Money Laundering Law.
  6. The financial institution allocates adequate and sufficient resources to monitor, under the responsibility of the AMLCO or, as the case may be, of the senior officer acting as AMLCO, the subcontractor's performance, particularly in terms of completeness, timeliness and quality of the tasks performed. Regarding customer data, the AMLCO and the supervisor should have access rights to the service provider’s systems/databases.
  7. The financial institution is able to promptly take adequate and effective remediation measures in the event of subcontractor shortcomings and, where applicable, to terminate the outsourcing agreement without delay in the event of serious failings on the part of the subcontractor, without such termination jeopardising the continuity of the relevant tasks of the AMLCO function.

A financial institution intending to outsource tasks of the AMLCO function should notify the NBB.

Any financial institution outsourcing or intending to outsource such tasks should also compile a dossier to demonstrate that it has taken the measures required to comply with all the conditions listed above. This dossier should be available for submission to the NBB at its first request.

2. Performance of due diligence obligations by third parties

In addition to the cases in which financial institutions outsource tasks of the AMLCO function (see the section on the outsourcing of tasks of the AMLCO function), they may also rely on third parties to fulfil their statutory and regulatory due diligence obligations with regard to AML/CFTP.

This refers to the use of third parties to fulfil the obligations to identify and verify the identity of customers, their agents and their beneficial owners, as well as the obligations to identify the customer's characteristics and the purpose and nature of the business relationship or occasional transaction (in this respect, see also the EBA Guidelines of 22 November 2022 on the use of remote customer onboarding solutions, in particular §§ 46 to 49 thereof). For agents or subcontractors, this outsourcing can also include the obligation of due diligence on business relationships and occasional transactions and the obligation to detect atypical facts and transactions (see below).

 

In this regard, a distinction can be made between two types of situations in which different rules apply:

  • the use of an agent or subcontractor: in such cases, the agent or subcontractor fulfils the due diligence obligations in the name of and on behalf of the financial institution, in accordance with the financial institution’s procedures and instructions; and
  • the use of a “third-party business introducer”: in such cases, the third-party business introducer is himself subject to the due diligence obligations imposed by the Anti-Money Laundering Law and fulfils them according to his own procedures.

2.1. Use of an agent or subcontractor

Where a financial institution uses an agent or a subcontractor for the purposes listed above, this person participates in the fulfilment, in the name of and on behalf of the financial institution, of the due diligence obligations imposed on it by the Anti-Money Laundering Law.

The financial institution should therefore set out in writing the procedures to be implemented and ensure that they are adequately monitored. In this respect, Article 19 of the Anti-Money Laundering Regulation of the NBB stipulates that financial institutions which make use of agents or subcontractors to enter into or maintain business relationships with customers or carry out occasional transactions on behalf of them should set out in writing to these intermediaries the procedures to be implemented for identifying and verifying the identity of the persons involved, in compliance with the Law and the Regulation, and that they should ensure that these procedures are complied with.

Furthermore, Article 20 of the Anti-Money Laundering Regulation of the NBB specifies that, if the agents or subcontractors are in direct contact with customers, these procedures should cover:

  • appropriate criteria enabling them to detect atypical transactions; and
  • the procedure to be followed to subject these transactions to a specific analysis under the responsibility of the AMLCO in order to determine whether these transactions can be suspected of being linked to ML/FT.

The agents and subcontractors operate under the supervision and responsibility of the financial institution.

In this regard, please refer to the section on the outsourcing of tasks of the AMLCO function (see the section on the outsourcing of tasks of the AMLCO function) of this AML site, which specifies the actual principles and arrangements to be complied with by the outsourcing. In line with these principles and arrangements, it should be noted in particular that, when a financial institution outsources tasks in relation to the due diligence obligations imposed on it by the Anti-Money Laundering Law:

  1. this outsourcing should not lessen the responsibility of the institution concerned to fully meet its statutory and regulatory obligations, nor transfer this responsibility to the agent or subcontractor;
  2. the outsourcing should not pertain to the power to make AML/CFTP strategic decisions, particularly the adoption of AML/CFTP procedures to be complied with by the agent or subcontractor, the decision to enter into a business relationship or assign a risk profile to a customer, the decision to report suspicious transactions to CTIF-CFI or to notify the FPS Finance of assets freezes, etc.;
  3. the financial institution is required to implement appropriate measures to monitor the tasks performed by the agent or subcontractor, in order to detect any shortcomings or deficiencies therein, and should be able to promptly take adequate and effective remediation measures in the event of agent or subcontractor shortcomings and, where applicable, to terminate the agency or outsourcing agreement without delay in the event of serious failings, without such termination jeopardising the continuity of the tasks assigned to the agent or subcontractor;
  4. etc.

 

2.2. Use of a third-party business introducer

Using a third-party business introducer differs from using an agent or a subcontractor in that the third-party business introducer does not primarily act in the name of and on behalf of the institution on the basis of a mandate received from the latter. As the third-party business introducer is himself subject to identical or equivalent due diligence obligations, in accordance with the Anti-Money Laundering Law or with a comparable law of another country, he primarily performs his customer due diligence obligations according to his own procedures, independently of the financial institution. He then submits the result of his own due diligence obligations to the financial institution to which he introduces his customer, enabling that financial institution to take this result into consideration for the fulfilment of its own due diligence obligations and avoiding, to the extent possible, the same due diligence obligations being fulfilled twice.

For instance, when a customer applies for a mortgage loan with a credit institution which requires a life insurance contract to be concluded and used as collateral, the insurance company may make use of the identification and identity verification performed by the credit institution for its own purposes, to fulfil its own obligations to identify and verify the identity of its customer and, where appropriate, of his agents and beneficial owners. In this context, the credit institution acts as a “third-party business introducer” for the insurance company.

Another common example of the use of a third-party business introducer is when a life insurance company uses the result of the due diligence obligations fulfilled by an insurance intermediary in accordance with its own relevant statutory and regulatory obligations.

2.2.1. Due diligence obligations for which a third-party business introducer may be used

Pursuant to Article 42 of the Anti-Money Laundering Law, obliged entities may rely on third-party business introducers to fulfil the following general due diligence obligations:

  • the identification and identity verification obligations (Articles 26 to 32);
  • the obligation to identify the customer's characteristics and the purpose and nature of the business relationship (Article 34);
  • the obligation to update the information (Article 35 §1(2))

These also include the obligations relating to the collection and verification of the information necessary to fulfil the due diligence obligation with regard to occasional transactions and transactions carried out during the business relationship. However, this obligation of due diligence on occasional transactions and business relationships may not be fulfilled by third-party business introducers.

2.2.2. Authorised third-party business introducers

In accordance with Article 43 of the Anti-Money Laundering Law, the following third-party business introducers may be used:

1° the obliged entities referred to in Article 5;

2° the obliged entities within the meaning of Article 2 of Directive 2015/849 that are governed by the law of another Member State;

3° the obliged entities within the meaning of Article 2 of Directive 2015/849 that are governed by the law of a third country and that:

  • are subject to statutory or regulatory customer due diligence obligations and record-keeping requirements that are consistent with those laid down in Directive 2015/849; and
  • have their compliance with these statutory or regulatory obligations supervised in a manner consistent with the requirements set out in Chapter VI, Section 2 of Directive 2015/849.

The notion of “third-party business introducer” has thus been expanded compared to its description in Article 10 of the Law of 11 January 1993, as any obliged entity can now act as third-party business introducer, and no longer only the entities listed in the law. Given that, due to the developments in European legislation, the Anti-Money Laundering Law no longer stipulates that the King should draw up a list of “equivalent third countries”, each obliged entity wishing to use a third-party business introducer governed by the law of a third country should verify whether the statutory and regulatory provisions and the supervision imposed on the third party meet the equivalence conditions described above.

In contrast, Article 43 §2 of the Anti-Money Laundering Law prohibits obliged entities from using third-party business introducers established in high-risk third countries. However, the second subparagraph of §2 provides for an exception to this prohibition. Obliged entities may rely on their own branches and majority-owned subsidiaries or on those of other entities in their group, even if they are established in a high-risk third country, if the three conditions listed in the second subparagraph of Article 43 §2 of the Anti-Money Laundering Law have been met. It should be noted that all - direct or indirect - branches and subsidiaries are considered eligible, provided they are covered by the group policy. 

2.2.3. Concrete rules for using a third-party business introducer

In accordance with Article 44 §1 of the Anti-Money Laundering Law, financial institutions that rely on a third-party business introducer should demand that the latter immediately provide it with the information on the identity of the customer and, where appropriate, of his agents and beneficial owners, as well as on the customer’s characteristics and on the purpose and intended nature of the business relationship, which results from the due diligence requirements performed by the third-party business introducer in accordance with Article 42 of the Law or with the equivalent provisions of the foreign legislation to which he is subject.

Obliged entities using a third-party business introducer should also take appropriate measures to enable the third-party business introducer to, immediately and at first request, send them a copy of the supporting documents or of the reliable sources of information he used to verify the identity of the customer and, where appropriate, of his agents and beneficial owners.

Conversely, Article 44 §2 of the Anti-Money Laundering Law stipulates that financial institutions acting as third-party business introducers should immediately provide the relevant information and, without delay and at first request, the copies of the supporting documents used to verify this data, particularly, where appropriate, information obtained:

  • through the use of electronic identification means such as those provided or recognised within the authentication service, confirming the identity of persons online, or
  • through relevant trust services referred to in the eIDAS Regulation.

For example, where an insurance broker acts as an intermediary for a customer taking out life insurance, he should immediately provide the customer’s identification data and, without delay and at first request, the copies of the supporting documents used.

Obliged entities may accept the results of the due diligence obligations performed by a third-party business introducer situated in an EEA country or in a third country, even when the data or supporting documents used for the identification or identity verification differ from those required by the Belgian law or its implementing measures.

Furthermore, Article 21 of the Anti-Money Laundering Regulation of the NBB provides that the intervention of a third-party business introducer in accordance with Article 42 of the Anti-Money Laundering Law is subject to the condition that the internal procedures of the financial institution stipulate:

1° that the financial institution verifies beforehand and keeps the documents on which it has based its verification that the third-party business introducer meets, where appropriate, the conditions laid down in Article 43 §1 (3) and §2 (2nd subparagraph) of the Money Laundering Law;

2° that the third-party business introducer undertakes, in writing, beforehand to:

  1. a) immediately provide the financial institution with the information concerning the identity of the customers that will be introduced and, where appropriate, of their agents and beneficial owners, concerning the customer’s characteristics and the purpose and intended nature of the business relationship, that is necessary for fulfilling the due diligence requirements conferred upon them in accordance with Article 42 of the Anti-Money Laundering Law;
  2. b) provide the financial institution, without delay and at first request, with a copy of the supporting documents or of the reliable sources of information he used to verify the identity of customers and, where appropriate, of their agents and beneficial owners.

It should be stressed, however, that when a financial institution uses a third-party business introducer, the former’s responsibility is not shifted to the latter. As a result, financial institutions using third-party business introducers should implement appropriate internal control measures enabling them to ensure that the identification data collected by third-party business introducers and the verifications performed by them with regard to this data are adequate and sufficient to enable this financial institution to comply fully with its relevant statutory and regulatory obligations . Should this not be the case, the financial institution should supplement the due diligence obligations or even perform them again.

In this respect, it should be noted in particular that the third-party business introducer, on the one hand, and the financial institution to which the customer is introduced, on the other, may assign different risk profiles to that same customer when justified. Where the customer has been assigned a lower risk profile by the third-party business introducer than by the financial institution, the latter should ensure that the due diligence obligations performed by the third-party business introducer are nevertheless sufficient to fulfil its own obligations.

For example, if the third-party business introducer was able to relax his due diligence obligations because he deemed the risk level low, the financial institution could be required to supplement the due diligence obligations or even perform them again if it did not itself assign a low risk profile to this customer or if its internal procedures do not allow the due diligence obligations to be relaxed. The same applies when the financial institution, as opposed to the third-party business introducer, assigns a high risk profile to the customer, in which case it is legally obliged to perform the enhanced due diligence obligations that have not been performed by the third-party business introducer.

Disclaimer: This English text is an unofficial translation and may not be used as a basis for resolving any dispute.