How to avoid AML-CFT penalties: a look back at a memorable fine that could have been avoided

24/04/2023 | Blog

At the end of February 2023, the ACPR (Autorité de Contrôle Prudentiel et de Résolution) issued a new reprimand and sanction for breaches of AML-CFT obligations (in French LCB-FT, Lutte Contre le Blanchiment et le Financement du Terrorisme), resulting in a €1 million fine and publication of the decision without anonymizing the offender, i.e. reputational damage that cannot be estimated.

As usual, an analysis of these sanctions provides a reminder of regulatory obligations, and even clarifies certain points to avoid any misinterpretation. Here is a summary of the main grievances of this sanction.

When do these obligations come into play?

Customer knowledge must be acquired both before and during the business relationship.

At all times, regulated professionals must be able to:

  • identify their customers (including Beneficial Owners for legal entities),
  • collect information and supporting documents relating to the purpose and nature of the business relationship, or any other relevant information, particularly in view of the customer's level of risk.
    Examples of supporting documents: identity papers, Kbis, proof of income and/or source of funds, articles of association...

A point often forgotten by regulated entities is that customer knowledge must be updated even if the customer is "inactive"!

APS notice:

In addition to the daily update of lists of sensitive persons, the regular updating of customer files ensures better data quality and therefore better detection of sensitive persons.

AML-CFT tools should filter and analyze your entire customer portfolio on a daily basis. This automated screening should then highlight only new alerts or alerts that have undergone a major change. For the sake of productivity, previously decided alerts that have not undergone a major change should not be resubmitted to an AML-CFT operator/analyst for decision.
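A sketch of the "only new or materially changed alerts" rule described above, as an added example that is not APS's or any vendor's code. The field names, the choice of which fields count as a major change, and the sample data are assumptions made for illustration.

```python
import hashlib
import json

# Assumption: the fields whose change counts as a "major change" are a
# policy choice; these names are hypothetical, not taken from any product.
MAJOR_FIELDS = ("category", "listed_name", "birth_year", "country", "role")

def fingerprint(hit):
    """Stable hash over the major fields of one customer/list-entry match."""
    material = {f: hit.get(f) for f in MAJOR_FIELDS}
    blob = json.dumps(material, sort_keys=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def alerts_to_review(todays_hits, decided):
    """Return [(customer_id, entry_id, reason)] needing an analyst decision.

    `decided` maps (customer_id, entry_id) to the fingerprint recorded when
    an analyst last decided that alert.
    """
    queue = []
    for hit in todays_hits:
        key = (hit["customer_id"], hit["entry_id"])
        previous = decided.get(key)
        if previous is None:
            queue.append((*key, "new"))
        elif previous != fingerprint(hit):
            queue.append((*key, "major change"))
        # Unchanged and already decided: not resubmitted.
    return queue

def sample_run():
    """Constructed data: two alerts decided earlier, three hits today."""
    base = {"category": "pep", "listed_name": "John Smith",
            "birth_year": 1970, "country": "FR", "role": "mayor"}
    decided = {
        ("C1", "E1"): fingerprint(base),
        ("C2", "E1"): fingerprint(base),
    }
    today = [
        {**base, "customer_id": "C1", "entry_id": "E1", "last_seen": "day 2"},
        {**base, "customer_id": "C2", "entry_id": "E1", "role": "minister"},
        {**base, "customer_id": "C3", "entry_id": "E1"},
    ]
    return alerts_to_review(today, decided)
```

Storing the fingerprint alongside each analyst decision also gives an audit record of what the match looked like when it was decided.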

To streamline your customer onboarding process, detection tools must be able to integrate with your digital and CRM processes, and respond instantly if there is the slightest suspicion about your prospect. In this way, you can adapt your process by requesting additional information and supporting documents without delay.

The screening tool must also guarantee traceability of all management actions and any supporting documents filed.

Regarding the information to be collected, the ACPR had, in a previous sanction (see our article here), "strongly advised" (not to say "imposed") entering, in addition to names:

  • Date of birth (or at least year of birth)
  • Country of birth

Reporting companies can also use a detection tool to enrich customer data by retrieving and verifying Beneficial Owners and/or the Representatives of legal entities. The tool must also be able to define the mandatory properties of a customer record before screening it.

How do you manage Country risks?

In imposing these sanctions, the ACPR refers to undetected country risks with regard to customers' nationalities or countries of residence. The ACPR bases its position on the following lists:

  • European Union's PTHR list (Pays Tiers à Haut Risque, i.e. high-risk third countries)
  • FATF (Financial Action Task Force) grey list

APS notice:

The AML-CFT detection tool must include the detection of high-risk countries with a fine granularity of configuration. First, define which of your customers' properties may generate a risk (nationality, country of birth, country of residence, tax country, etc.). Then, define several levels of risk for each risky country (moderate vigilance, reinforced vigilance, embargo).

Which PEP lists should you use?

In this sanction, the ACPR criticizes the regulated professional for failing to detect certain Politically Exposed Persons and/or their close relations. As a result, the professional failed to apply additional vigilance measures to these customers.

The professional sought to clear itself by pointing out that the PEPs in question did not appear on private supplier lists and/or that their role was not clearly defined as that of a PEP.

The ACPR reminds us that each reporting organization must ensure the relevance and reliability of the lists used. The ACPR also implies that it is entirely possible to use internal lists to complete the system.

In the end, however, the ACPR acknowledges that this type of "failure" occurs only occasionally with external list providers and therefore considers that this reproach is minimal and does not represent a shortcoming in the PEP detection system.

APS notice:

As far as roles are concerned, the definition of a PEP has recently been refined by the French Ministry of the Economy. See our article: https://www.ap-solutions.io/definition- PEP-nationale/

It is essential to carry out searches with approximate spelling. In general, the tolerance threshold for Sanctions and Asset Freezes remains low, which increases the number of alerts. In the case of Politically Exposed Persons (PEPs), their close relations (RCAs) and/or Persons with a Bad Reputation (Adverse Media), the thresholds can be increased (but without reaching "strict matching" or similar) in order to limit the number of alerts.
As a reminder, in terms of AML-CFT, the regulated professions are under an obligation of result when it comes to detecting persons under sanction and/or asset freeze. The detection tool used must therefore be capable of using lists from private suppliers, as well as internal lists.
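The approximate-spelling search with a different threshold per list category, as an added example that is not taken from APS or from any screening product. The threshold values, the similarity measure (Python's `difflib` ratio over normalized names) and the list entries are assumptions chosen for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Illustrative minimum similarity per list category (assumed values):
# low for sanctions/asset freezes, higher for PEP/RCA and adverse media,
# but never 1.0, which would be strict matching.
THRESHOLDS = {"sanctions": 0.80, "pep": 0.90, "adverse_media": 0.90}

def normalize(name):
    """Strip accents, case and punctuation; sort tokens so order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_like = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_like.casefold())))

def similarity(a, b):
    """Similarity in [0, 1] between two names after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen(customer_name, entries):
    """Return (entry_name, category, score) for every entry over its threshold."""
    hits = []
    for entry in entries:
        score = similarity(customer_name, entry["name"])
        if score >= THRESHOLDS[entry["category"]]:
            hits.append((entry["name"], entry["category"], round(score, 3)))
    return hits

# Constructed entries: two from a supplier list, one from an internal list.
ENTRIES = [
    {"name": "John Smith", "category": "sanctions", "source": "supplier"},
    {"name": "John Smith", "category": "pep", "source": "supplier"},
    {"name": "MARTINEZ, Jose", "category": "pep", "source": "internal"},
]
```

With these values, "Jon Smyth" scores about 0.84 against "John Smith": enough to raise a sanctions alert, not enough for a PEP alert, while "José Martínez" still matches the internal PEP entry after normalization.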

And what about reputational risks / Adverse Media?

This is one of the first times that the ACPR has criticized problems in detecting people with bad reputations. The ACPR indicates several types of "bad press", such as:

  • Receiving stolen goods,
  • Indictment (what about the presumption of innocence in France?),
  • Convictions,
  • Links with the financing of terrorism (borderline with the obligation of result for sanctions and asset freezes).

The ACPR also states, and this is unprecedented, that a customer handling crypto-assets must be detected!

Here again, the reporting professional indicated that the information was not present in the lists provided by external service providers. The ACPR merely pointed out that, in some cases, these misdeeds were widely known, and that the reporting organization should therefore have applied a high level of risk to these customers, even without detection by its tool.

APS notice:

In some cases, the tool used may fail to detect certain sensitive individuals due to the lists used. The tool must offer the possibility of defining decisions, risk level, vigilance level... concerning the customer file, in complete independence from the screening result.

What are the procedures for different levels of vigilance?

In this sanction, the ACPR criticizes two main procedures omitted for customers under complementary or reinforced vigilance:

  • How often customer information is updated
  • Validation by a member of the executive body (or a member authorized by the executive body)

APS notice:

As regards the frequency with which customer files need to be updated, we have already touched on the subject in the section above entitled "When do these obligations come into play?".

Distinct monitoring procedures are expected for different levels of risk. A high-risk individual should not be subject to the same KYC constraints as a low-risk individual. This lack of distinction has already been criticized by the ACPR.

What's more, in high-risk situations, the acceptance of a customer must follow a decision-making process that includes decision-makers. The tool must therefore be able to define a workflow and a set of actions to be carried out according to the decisions and/or vigilance level of a customer file.
