On 4th October 2019, the Joint Opinion of the European Supervisory Authorities on the risks of money laundering and terrorist financing affecting the European Union’s financial sector (“Joint Opinion”) was released. As a representative of fintech law firms in Lithuania, we would like to take a closer look at the main risks related to money laundering and terrorist financing (MT/TF), the nature of their emergence and the action plan how to mitigate these risks.
Risk arising from new technologies
In recent years, ongoing technological developments have opened new opportunities for FinTech and RegTech providers. However, most competent authorities (CAs) consider that FinTech and RegTech present ML/TF risks and vulnerabilities. The CAs have carried out a specific assessment on ML/TF risk associated with FinTech and identified the following risk-increasing factors:
- the provision of unregulated financial products and services that, as is also noticed by fintech law firms in Lithuania, do not fall within the scope of anti-money laundering and countering the financing of terrorism (AML/CFT) legislation;
- the quality of information gathered as part of the customer due diligence (CDD) process, particularly the application of incomplete or ineffective CDD measures;
- a lack of understanding by FinTech providers of their obligations under the AML/CFT legislation and the overall financial regulatory framework;
- different compliance cultures between supervised entities and new FinTech providers;
- increased use of new technologies to on‐board customers remotely, without putting in place proper safeguards, which could increase the firm’s exposure to cybercrime, including identity theft;
- an over‐reliance on outsourcing arrangements with FinTech firms, without putting in place proper oversight mechanisms.
Action plan: to mitigate the risks associated with new FinTech firms or to ensure firms using RegTech solutions meet their AML/CFT obligations, CAs should acknowledge the changing AML/CFT landscape. Based on the fact that, increasingly, more customers are on-boarded without face-to-face contact, CAs should familiarise themselves with these technological developments by engaging directly with providers and firms, even when they are not supervised entities.
Risks related to virtual currencies
Most CAs consider that VCs still give rise to ML/TF risks and they regard VCs as among the most important emerging risks present in almost all sectors for the following acknowledged reasons:
- a lack of knowledge and understanding by firms and CAs of these products and services, which prevents them from carrying out a proper impact assessment;
- a lack of straightforward regulation governing VCs and associated products and services;
- increased processing of transactions online, with only limited customer identification;
- and verification checks being carried out.
Action plan: as the use of virtual currencies is continually growing, the need to regulate this sector and associated businesses is noticed by the fintech law firms in Lithuania and continually discussed by the ESAs and the EU legislators. In April 2019, the European Commission confirmed that it is taking forward analytical work further to the January 2019 advice of the EBA and ESMA. At the same time, the ESAs are continuing their work to promote convergence in regulatory and supervisory approaches to virtual currencies.
In addition, the FATF has made further amendments to its Recommendations to cover virtual assets. Therefore, CAs should closely monitor any developments in this area and assess if any changes to the national legal and regulatory AML/CFT frameworks are required.
Risk arising from weaknesses in internal control
The fintech law firms in Lithuania agree that the concerns of the CAs are the effectiveness of policies and procedures related to record-keeping, identification and verification of customers, suspicious transaction reporting (STR) and quality of business-wide ML/TF risk assessments. These procedures were rated as poor or very poor by a number of CAs.
CAs are also concerned about the systems and controls put in place by firms for the identification and verification of beneficial owners, as they consider them inadequate. The ESAs consider that reliance on such registers for the purpose of identifying the beneficial owner is not warranted in all cases.
Instead, these registers are useful as an additional source of information when verifying the beneficial owner’s identity, but they cannot be the only source of information used for identification. For instance, in situations in which the ML/TF risk associated with a business relationship is increased.
Action plan: to mitigate the risks associated with the ineffective implementation of internal controls and the failure to adequately manage emerging risks, CAs should prioritize the setting of clear regulatory expectations in this field, including by referring to the ESAs’ risk factors guidelines. This may also include CAs focusing their supervisory activities on internal controls that safeguard firms from the highest ML/TF risks.
Risks arising from De-risking
As one of the fintech law firms in Lithuania, we clearly see the evidence that certain customers and customer groups are still prevented from obtaining financial services owing to risks presented by them, which is known as de-risking. As discussed in this Joint Opinion, such actions by firms may have an adverse effect, whereby these customers resolve to meet their financial needs through less reliable or unregulated means.
As a result, these transactions are not monitored and reported to the FIUs. National governments and CAs, therefore, need to do more to ensure that legitimate customers are not being denied access to the financial system unnecessarily, as such actions may have an adverse effect – instead of preventing ML/TF, firms may increase the overall internal market’s vulnerability to ML/TF risks.
Action plan: being one of fintech law firms in Lithuania, we support the opinion that CAs should work with firms and affected customers to identify solutions for making sure that AML/CFT measures do not unduly deny legitimate customers access to financial services.
In conclusion, it could be said that the most challenges related to the AML/CFT framework in the EU stem from the fact that AMLD4 is a minimum harmonization directive, which means that the ways that Member States transpose it in their legislation may differ.