As many as 3 new communications from the GIIF on the application of AML

The GIIF has been inundating us with AML-related communications lately, specifically, on one day (14.01.2022) it published 3 of them. Below is our subjective summary and observations on the content of the communications in terms of the activities of factoring companies and their obligations under anti-money laundering (AML) regulations.

# Announcement No. 35 – On Group-wide AML/CFT procedures and the use of third parties in applying financial security measures.

In this communiqué, the GIIF responds to concerns in the area of AML/CFT inside obligated institutions that are members of a group and with the use of third-party services. What we think is important:

1. The obligation to be subject to the group procedure referred to in Article 51(1) of the AML Law covers only situations where the group includes at least 2 entities subject to AML/CFT obligations. This position negates the prudential view that the group procedure should cover all group entities, regardless of their status from the perspective of AML/CFT regulations.
2. The GIIF, following the guidance of the Explanatory Note to FATF Recommendation 19, recognizes that the group procedure should also include provisions for: (i) the creation of internal policies and procedures to ensure high standards for hiring employees, (ii) an ongoing employee training program, and (iii) the appointment of an independent group audit to test the various elements of the group entities' AML system.

3. Obligated institutions that use third parties in the application of financial security measures must constantly monitor changes in the lists of high-risk countries maintained by the FATF and the EC.
4. The agreement with the third party should include mechanisms that (i) adequately protect the processing of personal data that are transferred and, (ii) make it possible to ensure the promptness of the transfer of data when the primary communication path between the obligated institution and the third party fails, and, (iii) secure the communication channel against hacking attacks.
5. An obliged institution wishing to use such services will have to make its own equivalence assessment (a list of third countries other than an EU member state with an AML system equivalent to the EU); However, it may use, on a subsidiary basis, reports prepared by the FATF and related organizations that assess the AML supervisory systems in place in each country.

# Announcement 36 – on risk assessment of the obliged institution

1. The GIIF drew attention to the relationship between risk assessments stating that the overall risk assessment affects the individual risk assessment and vice versa. IOs, when identifying and assessing the risks of a specific business relationship or an occasional transaction, should use the information and conclusions resulting from the overall risk assessment. Conclusions from conducting individual risk assessments should influence ongoing updates to the overall risk assessment.
2. Best practices (UKNF Position regarding risk assessment of an obligated institution dated 15/04/2020) despite being addressed to obligated institutions subject to the supervision of the FSC (e.g., banks). can be applied to all IO, proportionate to their nature and size, z Adapting the resulting conclusions to the scope and nature of the conducted business.
3. The GIIF warned, that the use of designs general risk assessments (examples available from open sources) without carefully tailoring them to the specific and individual nature and scope of the business exposes the obligated institution to the charge of failure to comply with a statutory obligation. It is worth noting that it is possible to identify completely different risks related to money laundering and terrorist financing in the case of obliged institutions conducting activities even within a similar scope. In the Communiqué, the GIIF used the example of an IO establishing relations during a face-to-face meeting with a client and remotely (virtual office).

# Announcement No. 37 On the principles of noting discrepancies between the information collected in the CRBR and the information on the customer's beneficial owner established by the obliged institution

A very welcome and timely topic, after all, related to the autumn amendment of the AML, which has spoiled the blood of many compliance officers.

1. The GIIF recognizes, that From the point of view of the obligations imposed on the obliged institution, it would be wrong to Relying solely on information from the CRBR. Simplifying, it looks like the GIIF is simply trying to convey that IO:
2. It should verify entries in the CRBR;
3. It should verify the documents that are the basis for entries in the CRBR (articles of association, list of shareholders, extract from the National Court Register, extract from the foreign equivalent of the National Court Register);
4. The process of noting discrepancies and providing information to the competent authority in the context of fulfilling obligations related to the application of financial security measures ( 61a(1) of the AML Act) - the GIIF indicated and briefly described the full cycle of activities (application of the measure-> identification -> ownership and control structure -> determination and recording of discrepancies -> taking action to clarify the reasons for discrepancies -> confirmation of recorded discrepancies -> preparation of justification -> transmission of verified notification with justification to the authority).
5. Take action to clarify the causes of discrepancies The GIIF understands quite broadly (Examples: contact the customer, explain the customer's determination of the beneficial owner, explain the customer's determination of the ownership and control structure, explain whether the obligated institution's determination of the beneficial owner and the customer's ownership and control structure was correct, explain for what reason the customer considered the person to be the beneficial owner, gather new information and documents);
6. Even more broadly, the GIIF understands the rationale for the discrepancy, here one gets the impression that the GIIF simply wants to receive "on a platter" a ready-made product.
7. The definition of a beneficial owner is open-ended and the enumeration is exemplary. The GIIF draws attention to need to establish phys. exercising direct or indirect control over the customer through the powers it has, which arise from legal or factual circumstances, enabling it to exert decisive influence on activities or actions taken by the company. This means entering a difficult legal sphere of arrangements that requires a great deal of knowledge, inquisitiveness and experience, e.g.: determining shareholding rights, option rights; determining personal rights; verifying whether management agreements have been entered into; trying to determine whether there is a fiduciary agreement (in case of a desire to hide BR).
8. For example, the GIIF points out that failure to take into account a shareholder's shareholding rights in a particular case may result in a failure to establish one of the BRs, which will amount to a improper application of a financial security measure. That is ... the IO must reach out to assess the shareholder preference. Here, sometimes you can't do without a lawyer / compliance officer.
9. Interestingly, according to the GIIF, because of the sanction of a fine of up to PLN 1,000,000 (Article 153(1) of the AML Act), IOs should assume that... clients have taken a diligent approach to setting BRs and should not assume in advanceThat customers made mistakes when reporting BR information to the CRBR 😊. Any ambiguity should be removed due to financial security measures.
10. The GIIF also raised the issue of factual discrepancies vs. apparent discrepancies (Article 61a(1) of the AML Act). In the opinion of the GIIF, the regulations being introduced are aimed at ensuring on the part of the IO a minimum of The level of commitment to clarify the discrepancies identified, which is designed to separation cases factual discrepancies, resulting from the presence of incorrect data in the CRBR, from apparent discrepancies. An apparent discrepancy may occur, for example, when a correct entry is made in the CRBR, indicating a change in the owner of a legal entity, in a situation where such a change has not yet been recorded in the KRS.
11. Failure to report BR information to CRBR is treated as a discrepancy (in the opinion of the GIIF, this equates to a declaration that the individual is not a BR of an entity required to report information to the CRBR).
12. Noting discrepancies does not rely solely on a simple and mechanical comparison of the information collected from the CRBR with a copy of the client's KRS.. Considering time required for disclosure in the KRS excerpt and potentially occurring deficiencies or errors in the client's KRS excerpt (for example, missing entry of the client's share amount, misspelled name, obvious typos) the obliged institution should verify other documents - For example, the company's articles of association or an agreement to transfer ownership of the company's shares.
13. Possible information about doubts about persons reporting to the CRBR is not covered by the obligation referred to in Article 61a of the AML Law. However, the identification of such doubts should be taken into account as part of the application of financial security measures. That is... it is not necessary to notify that in our opinion the wrong person has made a report to the CRBR, but it is necessary to identify this doubt.
14. The GIIF's position is that it is undesirable for IOs to report to the GIIF (i) clerical errors in the CRBR, (ii) inaccuracies in the client's KRS transcript (for example, an immaterial error in the value of the client's shares), (iii) failure to report information in the CRBR by entities not required to do so (for example, an ordinary association), (iv) information about inaccuracies that do not affect the determination of BR (for example, failure to enter the beneficiary's second name) (v) unverified information on discrepancies, or without justification, or with "perfunctory justification." That is, the GIIF, rather, is counting on specific "ready-made" information.
15. Determine the differences between the information collected in the CRBR and the information in the client's KRS extract is not a premise that in every situation will entail the obligation to apply Article 41 of the Law AML. In a situation where it is not possible to apply a financial security measure involving the identification of the beneficial owner, verification of his identity, and determination of the ownership and control structure of the customer, then the IO does not establish business relations / does not conduct transactions / terminates business relations.
16. The GIIF also cautions that violations of duties related to determining, noting discrepancies and undertaking verification, substantiation and reporting activities may indicate the improper application of a financial security measurereferred to in Article 34(1)(2) of the AML Act. Obtaining by the GIIF about the occurrence of such cases may involve taking against the obliged institution control activities.