Money laundering and financing of terrorism have become a source of major risks in business operations over recent years. On one hand, businesses are exposed to the risk that their services may be used for money laundering, and on the other hand they are increasingly targeted by strict AML regulations, where noncompliance can carry stiff sanctions.
So there is no way out for businesses: they must include anti money laundering as an element of their compliance system. But as it turns out, appropriate implementation of an AML system is not limited to introducing standard AML procedures at the organisation. That is important, but is not the most important element of the system. Below we discuss three specific challenges we often encounter when advising businesses on implementation of AML procedures.
Scope of entities covered by AML
Determining whether a given business falls under the AML Act (i.e. must apply a number of duties provided for in the act) is the first step in building an organisation’s AML strategy. In most cases this is easy. The categories of entities subject to the act, known as obligated institutions, is expressly stated in the act. But sometimes classification of particular entities is not obvious. For example, some entities operating on the financial services market may not fall among institutions such as banks, payment institutions or insurers. Then it is important to examine the somewhat overlooked category of financial institutions which covers many unregulated businesses operating on the financial market. Another example is entities operating on the gaming market, which may fall under the AML regime due to recently introduced AML provisions concerning virtual currencies (e.g. to the extent they are involved in the exchange of virtual tokens within games).
In practice we often encounter businesses that limit the implementation of an AML system in their organisation to adoption of an AML procedure focusing on compliance with the formal requirements for identifying customers and beneficial owners. Paradoxically, overconcentration on these elements can reduce the likelihood of uncovering money laundering or financing of terrorism.
Any effective AML system has three key elements:
- Profiled analysis of risk, reflecting the specifics of the organisation, its customers, and the market—first it is essential to identify key areas of AML risks in the organisation’s operations
- Current monitoring of customers’ transactions—only grasping certain trends and anomalies will allow suspicious transactions to be identified
- Ensuring the flow of information within the organisation—often suspicious activity can be identified only by juxtaposing several factors or bits of information deriving from various areas of the organisation.
An AML system that overlooks these three elements may prove entirely ineffective.
This is undoubtedly the least obvious risk. Even though AML regulations apply to many categories of businesses, there are others that formally are not covered by the AML Act. We observe more and more businesses from this group striving to keep up with trends by attempting to construct various types of AML procedures voluntarily. But this cautious approach generates a serious risk of violating regulations on protection of personal data. It should be borne in mind that collecting and processing customer data (often an element of such voluntary AML procedures) must have a solid legal basis and be kept to a minimum. Entities subject to the AML regulations have it relatively easier in this respect, as these regulations provide an express basis for them to process personal data. Undertakings not formally subject to the AML regime must therefore be particularly cautious in processing data within their own AML procedures.
Krzysztof Wojdyło, adwokat, New Technologies practice, Wardyński & Partners