Mirko Rapa
PwC
Customer Due Diligence
14 March 2019

Agenda:
• Purpose of CDD
• Components of CDD
• CDD for different legal structures

Customer Due Diligence (CDD): Purpose
• Determine who the customer and the beneficial owner are
• Verify whether the person is who he purports to be
• Determine whether such person is acting on behalf of a
third party
• Establish the purpose and intended nature of the
business relationship
• Monitor such business relationship on an ongoing basis

Why are CDD measures needed?
CDD measures assist subject persons in:
• Determining whether a customer falls within acceptable
risk parameters
• Understanding the business profile sufficiently to
identify those transactions that fall outside this profile
• Forming an opinion on ML/FT suspicions when necessary
• Providing the FIAU with timely and accurate
information on customers and/or their activities

Who is the customer?
A person (whether legal or natural):
• who seeks to form a business relationship (i.e. a potential customer); or
• with whom a business relationship is formed (i.e. an existing customer); or
• for whom an occasional transaction is carried out.

Who is the Beneficial Owner?
• The Beneficial Owner (BO) is ‘any natural person or persons
who ultimately own or control the customer and, or the
natural person or persons on whose behalf a transaction
or activity is being conducted, and ...’
• BO must be a natural person
• There may be more than one BO

When should CDD measures be applied?
• When establishing a business relationship
• When carrying out an occasional transaction
• When the subject person has knowledge or suspicion of proceeds
of criminal activity, ML/FT, regardless of any derogation, exemption
or threshold that would otherwise be applicable
• To existing customers, at appropriate times and on a risk-sensitive
basis, including at times when the subject person becomes aware that
the relevant circumstances surrounding a business relationship have
changed
• When doubts arise about the veracity or adequacy of previously
obtained customer identification information

Business relationship vs Occasional Transaction
Business relationship:
- A business, professional or commercial relationship between two or more
persons;
- At least one of which is acting in the course of either relevant financial
business or relevant activity; and
- Which has, or is expected to have at the time when the contact is
established, an element of duration.
Occasional transaction:
Any transaction or service carried out or provided by a subject person for his
customer, other than a transaction or service carried out or provided within a
business relationship and includes:
(a) A transaction amounting to €15,000 or more, carried out in a single
operation or in several operations which appear to be linked …

CDD obligations in case of VFA Issuers
• The transactions between VFA Issuers and their customers are
not expected to have an element of duration (as they are
limited to the acquisition of VFAs in the course of an IVFAO).
• Such a transaction is not deemed to present the elements
necessary to constitute a ‘business relationship’ between the
two parties and is to be treated as an ‘occasional transaction’
• It is important to note that in this case no thresholds will be
applicable and AML/CFT obligations would be applicable at all
times
• The definition of “Occasional transaction” in the PMLFTR has
recently been updated to take this into account

The first step of CDD?
Customer Risk Assessment

Why carry out a customer risk assessment?
• Through the customer risk assessment (CRA), a VFA Issuer
will be able to:
✓ better understand the source and level of risk it is
being exposed to; and
✓ mitigate the same through the application of its
AML/CFT measures, policies, controls and procedures.

Customer Risk Assessment
[Diagram: Customer risk, Product/service risk, Interface risk, Geographical risk; Level of CDD]

Specific to VFA Issuers
• Customer provides insufficient, incomplete or suspicious information or
information that cannot be verified
• Use of proxies, unverifiable IP address or geographical location, disposable email
address or mobile number, ever-changing devices used to conduct transactions
• Unusual patterns of transaction activity (e.g. volumes, velocity, structuring to
avoid detection/reporting obligations, source, destination)
• The potential for cybercriminals to launch ransomware attacks in light of the
combination of decentralisation and anonymity
• Accepting higher risk digital currencies which reduce traceability and allow for
anonymity, thus increasing the chance that they were used for illicit activity (e.g.
Monero, Dash, Zcash etc.)

Carrying out the CRA
• When assessing the risks posed by a customer, the subject
person should consider all risk factors that are known and
ensure that all of these factors are included in the
customer’s risk profile, taking care to ensure that any
mitigating factors applied are fully documented
• A subject person must be able to objectively and
reasonably justify a Customer Risk Assessment
classification and document those justifications

How does the CRA impact on CDD?
• VFA Issuers are allowed to determine, on a risk-sensitive
basis, the extent and timing of CDD measures to be
applied in relation to the customer
• This is dependent on the outcome of the CRA
• VFA Issuers should be able to demonstrate to the FIAU
that the extent and timing of CDD measures applied by
them on the customer is appropriate in view of the risks
of ML/FT posed by the occasional transaction

[Diagram: risk scale with labels Low risk, SDD, Measure for ‘normal’ risk customers, EDD, High risk]

Components of CDD
[Diagram: KYC, ID&V, CDD]

Overview of KYC elements
• KYC goes beyond establishing personal details
• Enables subject persons to establish the business and
risk profile of the applicant for business
• Information that is relevant for this purpose:
✓ Nature & details of the
business/occupation/employment of the applicant
✓ Source of wealth
✓ Expected source and origin of funds to be used in the
business relationship
✓ Anticipated level and nature of the activity to be
undertaken through the business relationship

VFA Issuers - KYC elements
• Determine whether the person requesting the service is acting on
behalf of another person and, if so, identify both persons, and
take reasonable measures to verify their identity
• Consider:
• from where customer instructions are being received;
• the source of funds;
• the destination of funds;
• payment references or rationale that do not appear to relate to
the purported customer; and
• any unusual delay in answering questions due to the
purported customer having to refer to a third party

VFA Issuers - KYC elements
• A VFA Issuer cannot undertake an occasional
transaction unless it has identified and verified the true
identity of the customer and its beneficial owners where
applicable; and
• The policies and procedures in place should give the VFA
Issuer assurance that the information that it obtains and
retains for the purpose of CDD is accurate and is
sufficient to withstand independent challenge

Identification and Verification
• Identification takes place by obtaining a set of personal details
• There is a standard set of details to be obtained depending on whether
an individual or a legal entity is being identified
• Verification takes place by making reference to documents, data or
information obtained from a reliable and independent source
• The source has to be independent i.e. the source used to verify the
customer’s identity details should not be the customer himself
• A source is reliable if it is reputable and is trusted by the subject
person to provide extensive and sufficiently accurate data or
information to verify the identity of the customer

Verification
• Where verification is carried out by making reference to and viewing in
person any of the applicable documents, subject persons are required
to:
✓ keep the original itself, where this is possible; or
✓ keep a true copy of the original document on file or in electronic
form
• The copy of the original document viewed for identity verification
purposes has to be:
✓ dated; and
✓ certified as a true copy by an officer or employee of the subject
person

Retaining scanned copies
• Scanned copies of the original documents can be retained using
electronic systems which are able to meet all the following criteria.
• The system used has to:
✓ automatically record data so as to allow the subject person to
determine the officer who would have scanned the document;
✓ automatically record the date and time of the scanning of the
document; and
✓ have safeguards to prevent any of the data referred to in the
previous two points from being altered, amended or tampered with
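
One way a scanning system can meet the three criteria above, shown as an added example that is not part of the original presentation or of any FIAU guidance. The class name, field names, officer identifiers and key are hypothetical; each record carries the officer, the time and the document hash, and an HMAC chained to the previous record exposes later edits.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so the same record always yields the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ScanRegister:
    """Append-only register of scanned CDD documents (hypothetical design)."""

    def __init__(self, key: bytes):
        self._key = key  # held by the system, not by the scanning officers
        self.records = []

    def record_scan(self, officer_id: str, document: bytes, now=None) -> dict:
        # Officer and time come from the login session and the system clock;
        # neither is typed in by the user.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        body = {
            "seq": len(self.records),
            "officer": officer_id,
            "scanned_at": ts,
            "sha256": hashlib.sha256(document).hexdigest(),
            "prev": self.records[-1]["mac"] if self.records else GENESIS,
        }
        rec = dict(body, mac=_mac(self._key, body))
        self.records.append(rec)
        return rec

    def verify(self) -> list:
        """Return the sequence numbers of records that fail verification."""
        bad, prev = [], GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            ok = (body.get("seq") == i and body.get("prev") == prev
                  and hmac.compare_digest(rec.get("mac", ""), _mac(self._key, body)))
            if not ok:
                bad.append(i)
            prev = rec.get("mac", "")
        return bad


def demo() -> tuple:
    # Constructed sample data: two scans, then an after-the-fact edit.
    reg = ScanRegister(key=b"constructed-demo-key")
    t = datetime(2019, 3, 14, 9, 30, tzinfo=timezone.utc)
    reg.record_scan("officer-017", b"%PDF passport scan (constructed)", now=t)
    reg.record_scan("officer-042", b"%PDF utility bill (constructed)", now=t)
    clean = reg.verify()
    reg.records[0]["officer"] = "officer-999"  # simulated tampering
    return clean, reg.verify()
```

The chain alone does not reveal removal of the newest records; storing the latest MAC in a separate system covers that case.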

Retaining scanned copies
• Utility bills, bank statements or other documents may be received or
retrieved by customers through electronic means
• Hence customers may provide print-outs of such documents or relay
them electronically
• Subject persons should take risk-based measures to determine the
reliability of such documents (such as verifying the existence of the
utility company through open sources)
• Subject person’s officials receiving such documents should date them
or else retain a copy of the email through which they were received

Authenticity checks
• Particular care should be taken to ensure that the documents
obtained are authentic and have not been forged or tampered with
• FIAU IPs provide guidance on:
✓ Checks that may be carried out to verify the authenticity of
identification documents
✓ The use of open sources of information that assist in carrying out
authenticity checks by testing the algorithms used to generate
passport numbers, so as to check the validity of passports
of any country which issues machine-readable passports

ID&V - Individuals
• Identify by obtaining:
- Official full name
- Place and date of birth
- Permanent residential address
- Identity reference number
- Nationality
• Verify the identity by means of:
- A valid unexpired passport
- A valid unexpired national or other government-issued identity card, or
- A valid unexpired driving licence
• Verify the residential address by means of:
- A recent statement from a recognised credit institution
- A recent utility bill
- Correspondence from a central or local government authority, department or agency
- A record of a visit to the address by a senior official of the subject person
- Any government-issued document obtained to verify the identity, where a clear indication of the residential address is provided
- Any other document specified in the sectoral implementing procedures issued by the FIAU

VFA Issuers – other considerations
• Obtain the address of the wallet/account number to be
used by the customer to either receive the VFA being
acquired or to transfer VFAs to the VFA Issuer (as payment
for the VFAs being acquired through the IVFAO)
• Prior to accepting any VFAs originating from the wallet
address indicated by the customer, the VFA Issuer is to
verify that the said wallet actually belongs to its
customer
• The same is true with respect to the wallet address to
which any VFAs are to be transferred by the VFA Issuer,
with the VFA Issuer having to verify the wallet
address/account number prior to transferring any VFAs

Back to the Beneficial Owner

Defining the BO in more detail
Body Corporate:
• Ownership of shares or voting rights
• Control through other means
• Senior managing officials
Trust:
• Settlor
• Trustee(s)
• Protector (w/a)
• Beneficiaries / class of
• Other natural persons exercising control
Foundation:
• Persons holding equivalent or similar positions to those referred to in trusts

Defining the BO in more detail
Tier 1: Direct or indirect ownership:
• 25%+1 or more of the shares
• more than 25% of the voting rights
• an ownership interest of more than 25%
Including through bearer share holdings
Tier 2: Control via other means
Tier 3: Senior managing officials

ID&V – Companies
• Identify by obtaining:
- the company’s official full name
- the company’s registration number
- the company’s date of incorporation or registration
- the company’s registered address or principal place of business
• Verify by means of:
- the certificate of incorporation
- a certificate of good standing (which is not older than three (3) months)
- a company registry search
- the most recent version of the Memorandum and Articles of Association or other constitutive document
- audited financial statements, annual returns, and/or tax returns for the previous or current year, and/or
- bank statements which are not older than six (6) months

ID&V – Companies (cont.)
• Understand the ownership and control structure
• Identify directors (as per individual or corporate)
• Identify and verify the ultimate beneficial owners
• In case of listed entities, identification and verification of
the entity only are required

ID&V – Trusts
• Identify by obtaining:
- The full name of the trust
- the nature, object and purpose of the trust (e.g. discretionary trust, testamentary trust, bare trust)
- the country of administration and the proper (or applicable) law
- in jurisdictions where the trust has legal personality, the registration number, if applicable
• Verify by means of:
- either requesting a copy of the trust instrument from the trustee (if possible, bearing in mind that trusts typically relate to rather personal or private matters), or
- an extract of the relevant parts of the trust instrument
- Alternatively, verification can be carried out by obtaining a signed declaration by the trustee

ID&V – Trusts
• Identify and verify the beneficial owners:
- The settlor
- the trustee or trustees
- the protector, members of a supervisory council, guardian or enforcer where applicable
- the beneficiaries or the class of beneficiaries as may be applicable
- any other natural person exercising ultimate control over the trust by means of direct or indirect ownership or by other means
• Important:
- Not to confuse the term ‘beneficial owners’ with the term ‘beneficiaries’ of the trust
- The latter term covers exclusively those persons who can benefit from the structure (whether actually or potentially), while for AML/CFT purposes the beneficial owners are those in the list above
- Moreover, it is equally important to note that the beneficiaries of a trust, where present, may not be named in the trust deed itself

ID&V – Partnership
• Identify by obtaining:
- The partnership’s official full name
- the partnership’s registration number
- the partnership’s date of incorporation or registration
- the partnership’s registered address or principal place of business
• Verify by means of:
- The certificate of incorporation
- a good standing certificate (which is not to be older than three (3) months)
- a registry search
- the most recent version of the partnership agreement or other constitutive document
- audited financial statements, annual returns, and/or tax returns for the previous or current year
- bank statements which are not older than six (6) months

ID&V – Partnerships (cont.)
• Understand the ownership and control structure
• Identify the persons vested with administration and
representation of the partnership
• Identify and verify the ultimate beneficial owners
• In case of a foundation or association, the same procedure
applicable to partnerships applies

Inability to Complete CDD Measures
• Where it proves impossible to complete the CDD
measures, the VFA Issuer is not to:
✓ allow any activity of any kind by the VFA holder or
provide any other service to the VFA holder, and
✓ on-board the customer
• If it has already done so, the VFA Issuer is to:
✓ either close the VFA holder’s profile or keep it
deactivated in its entirety, and
✓ determine whether it is necessary to lodge an STR with
the FIAU

Inability to Complete CDD Measures
• Where in these circumstances:
✓ the VFA Issuer is in possession of funds or assets belonging to the VFA
holder which may have been received in advance for the acquisition of VFAs,
and
✓ there are no grounds to suspect ML/FT, or
✓ the transaction has not been suspended by the FIAU or by operation of the
law, nor is there an attachment or freezing order,
the VFA Issuer is to remit the funds or assets to the same source and through the
same channels used to receive them (after having considered whether there is any
other legal impediment to their remittance)
• To the extent possible, the VFA Issuer should indicate in any transaction script
that the funds or assets are being returned due to the inability to complete CDD

AML/CFT Audit
• In line with Regulation 5(5)(d) of the PMLFTR, subject persons are to
implement, where appropriate with regard to the nature and size of their
business, an independent audit function to test their internal measures,
policies, controls and procedures
• Given the nature of the business undertaken by VFA Issuers, the FIAU
considers that an audit of a VFA Issuer’s measures, policies, controls and
procedures should be carried out at least annually once the IVFAO has
commenced until it is exhausted
• This audit should be carried out by a party which is external to the VFA
Issuer (as well as to the group which the VFA Issuer may form part of) to
ensure independence

AML/CFT Audit (cont.)
• Such an AML/CFT audit must also be carried out upon any material
changes/enhancement to the AML/CFT programme or at such more
frequent intervals as may be directed by the FIAU
• The purpose of an AML/CFT audit is to serve as a systematic check of the
VFA Issuer’s AML/CFT systems and controls and the end result should be
a written report on whether:
✓ the VFA Issuer’s AML/CFT programme is fit for purpose and compliant
with the obligations of the VFA Issuer under the applicable AML/CFT
framework;
✓ the AML/CFT systems and controls were adequate and effective
throughout the audit period; and
✓ any changes are required

AML/CFT Audit
• The AML/CFT auditor engaged by the VFA Issuer should be proficient
in the PMLFTR, the Implementing Procedures and the sector-
specific Implementing Procedures, and should also possess
technological expertise specific to the system used by the VFA
Issuer in the performance of its AML/CFT obligations
• Where the AML/CFT auditor and the Systems Auditor appointed by the
VFA Issuer in terms of the MFSA’s VFA Rules for VFA Issuers are
separate, and since it is likely that most VFA Issuers will rely on
technology to perform their AML/CFT obligations, it is advisable that
the AML/CFT auditor liaises with the Systems Auditor so as to
obtain an in-depth understanding of the functionalities and
capabilities of the system and therefore be in a better position to test
their effectiveness