Financial monitoring: new rules

24.07.2020

On May 22, 2020 the new Regulation on Carrying out of Financial Monitoring by Banks, approved by the NBU Resolution No.65 (the “Regulation 2020”), came into force substituting the previous Regulation No.417 that had been in effect since June 26, 2015 and introducing new requirements to carrying out of financial monitoring by banks.

Meanwhile the Regulation on the Procedure for Analysis and Verification of Documents (information) Related to Currency Operations, approved by the NBU Resolution No.8 dated January 2, 2019, which applies not only to banks but also to non-banking financial institutions and postal operators, remains in force which governs the matters of verification of legality of currency operations.

The main changes and novelties introduced by the Regulation 2020 are outlined below.

 

Risk-oriented approach in the light of new indicators

The risk-oriented approach in verification of financial transactions was introduced in early 2019 by the Law of Ukraine “On Currency and Currency Operations”. A novelty of the Regulation 2020 (Annex 20) is a list of 73 indicators of suspicious financial operations to be used in verifying all banking transactions.

Indicators are divided into three main objects of examination:

  • discrepancies between the legal and factual status of the client;
  • peculiarities of the client’s behavior in his/her interactions with the bank;
  • deviation of the form and purpose of financial operation from the “ordinary” activity of the client.

 

The infographics on the indicators can be found at the link.

 

Implementation of enhanced (EMPV) and simplified (SMPV) measures of proper verification of the client

The Bank is obliged to apply the EMPV in case of detection of financial operation which has with at least one of the following indicators:

  • is complex;
  • is unusually large;
  • is conducted in an unusual way;
  • has no obvious economic or legitimate purpose;
  • contradicts the information on the client’s planned usage of banking services as was received from the client during establishment of the purpose and nature of business relations.

 

EMPV can be carried out by way of:

  1. increasing the number and frequency of inspections of the client’s financial transactions;
  2. collection of additional information about the client and business relations with the client;
  3. visiting of the client’s venue by the bank’s employee in order to find out whether the information received was true;
  4. setting restrictions / limits on the use of the bank’s services or products by the client;
  5. obtaining permits (from the bank’s management – for establishing business relationship with the client; and from an authorized employee or the bank’s management – for conducting certain operations).

 

During the implementation of EMPV the bank chooses the type of measures required depending on the revealed risks inherent to the business relationship with the client (or to financial transaction if no business relationship is being established), and which is proportional to such risks.

 

SMPV, instead, can be applied to the clients of the following profile:

  • individuals who make regular payments for housing and communal services for small amounts;
  • persons who use bank accounts mainly for salaries, scholarships, pensions or other social benefits;
  • individuals who carry out ordinary financial transactions for reasonable amounts;
  • issuers that, in accordance with the laws or the terms of public offering of shares on internationally recognized stock exchanges, are obliged to publicly disclose information about the ultimate beneficial owners (the “UBO”), or which are subsidiaries or representative offices of such issuers;
  • business entities who are: engaged in ordinary business activities, pay their taxes, whom the bank does not suspect of legalization (laundering) of proceeds of crime (money laundering, terrorist financing and/or financing the proliferation of weapons of mass destruction, hereinafter referred to as “ML/TF”), business relationships with whom do not show signs of risk criteria, and whose financial transactions do not contain indicators of suspicious financial transactions as established by the bank, etc.

 

The forms of SMPV can be, in particular:

  • reducing the frequency and scope of actions to monitor business relations and collect additional information on business relations;
  • postponing of verification of the client after opening an account, but before the first financial transaction;
  • using of simplified verification models;
  • reducing the amount of additional information requested;
  • using of information from the Unified State Register (USR) as a satisfactory source for establishing the ultimate beneficial owners, etc.

 

Such clients will not be obliged to provide a large number of documents when establishing business relationship with the bank as a subject of initial financial monitoring (hereinafter – «SIFM»).

 

Shell companies

A legal entity participating in a financial transaction (whether, a correspondent bank, or the bank of a counterparty, or the counterparty itself) can be recognized a  shell company if according to the official and open sources such company is being identified as related to terrorism or other illegal activities, or even if such sources “only” disclose some reputational, registration (for example, repeated changes of UBOs or management) or operational (for example, lack of assets necessary for carrying out the company’s activity) risks.

 

Updated rules for interactions with politically exposed person(s) (PEP)

Each bank should develop internal procedures in order to identify whether the client belongs to the category of PEP – and Regulation 2020 has somewhat narrowed the restrictions associated with them. For example, instead of the term “public figures” and their “relatives” the Regulation 2020 uses the terms “politically exposed persons” and “family members”. At the same time, the list of persons recognized as members of PEP families was reduced – sisters, brothers, grandmothers, grandfathers, grandchildren, great-grandchildren, great-grandfathers and great-grandmothers have been excluded. In addition, from now on only foreign and international public figures must be included in the high-risk category. In other cases determination of the risk level of the client will depend on the person’s position, and the scope and type of services such person receives. If the PEP ceases to perform significant public functions (note that the term of such functions is no longer limited to the most recent three years) the bank is obliged to continue to take into account its ongoing risks for at least 12 months and to take measures stipulated by the Law of Ukraine “On counteracting legalization (laundering) of proceeds of crime (money laundering, terrorist financing and/or financing the proliferation of weapons of mass destruction” (the “Law on Counteracting ML/TF”) as long as the bank has not ascertained the absence of such risks.

 

Introduction of video verification

From now on banks will be able to verify a person via video connection. This procedure is equivalent to verification in person and must meet the following basic requirements:

  • the authorized employee of the bank must be in a room with conditions for obtaining good quality audiovisual information;
  • in case of interruption for any reason the procedure must be repeated in full;
  • video verification shall be performed in such a way so that to make it impossible for other clients of the bank and any third parties to overlook the process;
  • the video verification record must contain the fact of the person’s consent to the video verification;
  • photofixation of the person is obligatory (in particular, with his/her own identification document);
  • an employee of the bank must affix a qualified electronic signature to the received electronic copies of documents, and the procedure shall be completed by entering of a one-time password (otp) by the person undergoing video verification.

 

The Bank shall have discretion to choose software for remote identification data сapturing.

 

Instrument of reliance

The Regulation 2020 allows SIFM to obtain and use information on: (a) customer identification and verification; (b) identification of the  clients’ UBOs and verification of their identity; (c) the purpose and nature of the business relationship with the client from a third party (the “third party“).

The third party shall comply with the following requirements:

  1. it must either be a SIFM or have a similar status under the laws of its country, and must not be a shell company;
  2. the country of its registration or licensing must follow the FATF recommendations;
  3. it must have established direct business relationship with the client in respect of whom the information is being provided, without the involvement of, or reliance on, other persons.

 

It is not necessary to comply with the above requirements if the third party and such SIFM belong to one group, but in such case they must: (a) comply with common group rules on ML/TF counteraction, including requirements for proper customer verification and documents safekeeping, and such rules comply with FATF recommendations, and (b) be under the consolidated supervision of the relevant ML/TF counteraction supervisory authority. It is not yet clear how the requirement to be under consolidated supervision should be interpreted in the context of an international financial group (and EU directives) –  it is quite obvious that the NBU does not exercise such supervision over foreign members of the group and has a limited number of agreements with banking regulators from other countries.

The Bank independently decides whether to use the instrument of reliance. In addition, a contract must be concluded with the third party providing the information. Prior to its conclusion the bank must carry out a preliminary analysis of the reliability of such a third party.

The introduction of instrument of reliance, for example, will help to optimize the process of identification and verification by transferring the requested information to a Ukrainian bank directly from a foreign servicing bank, if a potential client of a Ukrainian bank continually operates abroad.

 

Use of agents

Apart from the instrument of reliance, banks may now instruct representatives acting on behalf of the bank (agents) on the basis of an agreement to identify and verify customers and clients’ representatives (Annex 10 to the Regulation 2020). An agent may be a person of any organizational form located in any country.

Prior to deciding to cooperate with the agent, the bank must carry out a preliminary analysis of its reliability in the manner prescribed by the bank’s internal documents on ML/TF counteraction, in particular, the bank should determine: the presence / absence of a potential agent (being whether an individual or a manager of the legal entity) in the list of terrorists, the sanctioned list of the National Security and Defense Council of Ukraine; presence / absence of criminal record on  the agent (individual or a manager of the legal entity); presence / absence of existing restrictions / prohibitions of the agent’s right to engage in certain activities in accordance with the court judgment, until the conviction is expunged or revoked; and other information provided for by the Regulation 2020 and internal documents of the bank.

 

Information exchange with SIFM

The NBU has clarified the responsibilities of the bank employee who is responsible for financial monitoring and the procedure for providing information to the State Financial Monitoring Service of Ukraine (Annex 15 to the Regulation 2020). In addition to informing about transactions that are subject to mandatory monitoring, transactions that are subject to internal monitoring and suspicious transactions, banks will now report to the State Financial Monitoring Service of Ukraine on discrepancies between the information about the UBOs contained in the state register and actually detected during the inspection. The information must be provided no later than 10 working days of the month following the month in which the discrepancies were detected.

 

The ultimate beneficiary owners (UBO) identification requirements have been updated

The bank may no longer rely only on the USR when identifying the client’s UBOs, but must use all available information, including the one received from foreign state register and demand it from the client. The requirements for the identification of UBOs shall be met by the bank subject to risk-oriented approach, taking into account the risk criteria established by it (Annex 19 to the Regulation 2020). Based on the data analysis the bank shall evaluate the risk level of the client as low, medium or high, which in turn may give ground for application of EMPV to such client.

The Bank does not have to inform the SIFM about the discrepancies identified in the data on UBOs:

  • of an issuer that is obliged to publicly disclose information about the UBOs (as a matter of law or due to public offering of shares or in connection with the admission of shares to trading on internationally recognized exchanges), or a subsidiary or representative office of such issuer; or
  • if the internal documents of the bank provide for smaller shareholding or voting rights by an individual (as a criteria of exercising decisive influence on the activities of a legal entity) subject to the simultaneous fulfillment of the following requirements: (1) UBO directly or indirectly owns a share of less than 25% of the authorized capital or voting rights of the legal entity, and (2) UBO does not exercise decisive influence on the legal entity’s activities pursuant to the Law on Counteracting ML/TF.

 

Informing about violation of financial monitoring requirements

Under the new rules banks must ensure the functioning of communication channels through which bank employees can inform the bank’s responsible persons (whistle-blowing), including the chairman of the bank, in oral and written form about possible violations of the laws or internal procedures by other employees. The bank may also establish procedure for submission of such notifications by other persons (clients, contractors, potential accomplices to violations).

In contrast to informing the NBU and the SIFM, the above procedure is a right, and not an obligation of the person who has revealed the violation.

 

Detailization of measures that apply to foreign financial institutions-correspondents

During establishing correspondent relations with international financial institutions Ukrainian banks should make sure that such foreign financial institutions are subject to similar financial monitoring requirements as applicable to Ukrainian banks. In general, the bank should be guided by a risk-oriented approach when verifying information provided by a foreign institution or obtained from any other source.

In cases when a high risk is detected, the bank should consider the possibility of visiting the premises of the correspondent institution to ensure that such institution has an appropriate ML/TF risk management system. Risk reduction factors have also been detailed, such as belonging of the bank and the correspondent institution to the same control group for ML/TF counteraction or limitation of the scope of activities with such an institution.

 

Monitoring during funds transfers

The NBU has established detailed requirements (mostly of a technical nature) for the procedure of financial monitoring that shall accompany funds transfers. Monitoring procedures are considered sufficient if they ensure:

  • detection of missing, incomplete or meaningless information about the payer or recipient of funds;[[1]](https://www.integrites.com/publications/financial-monitoring-new-rules/#_ftn2)
  • the possibility of simultaneous online monitoring (before crediting funds to the recipient’s account) and further monitoring (after crediting funds to the recipient’s account) of funds transfer ;
  • immediate informing of the responsible employee about the coincidence with the indicators of online monitoring.

 

The mentioned indicators of online monitoring of information about the payer or payee should include exceeding the transfer threshold amount established by the bank (taking into account the average values ​​of ordinary transfers in the bank during the day); availability of negative information about the SIFM from which the transfer has arrived; connection of the transfer with the jurisdiction where FATF recommendations are not being followed, etc.

 

Asset (un)freezing procedure 

The NBU has obligated the banks to automate procedures for detecting, freezing and unfreezing assets related to terrorism and terrorist financing, proliferation of weapons of mass destruction and its financing. Banks shall also develop screening indicators for detection of relatedness with the persons on terrorists list[[2]](https://www.integrites.com/publications/financial-monitoring-new-rules/#_ftn3), shall monitor the revealed data matches, and regularly review the effectiveness of monitoring, in particular by reviewing existing system settings and analyzing cases of technical failures over certain time periods.

If the system automatically detects the relatedness of a party of a financial transaction with persons who are included in the list of terrorists and provided there are no sufficient information that could confirm or refure this fact, the bank may demand additional information (within three days from the date of detection – for transactions within Ukraine, and within five days – for cross-border financial transactions). If no additional information is obtained, the bank shall freeze the assets.

 

Risk management system inadequacy

The bank’s risk management system is considered inadequate provided there are (1) numerous financial transactions for large amounts which are suspected of using the bank for ML/TF or committing another crime, and which are resulting from non-compliance with ML/TF counteraction measures and (2) at least one of the features provided for in paragraph 74 of Section IV of the Regulation 2020, for example:

  • violation of the requirements for comprehensive assessment / reassessment of ML/TF risks of the bank, documenting its results, monitoring measures and maintaining the risk profile of the bank up-to-date;
  • absence of a proper system for detection of clients’ UBOs;
  • taking measures which are disproportionate to the identified risks;
  • untimely identification of problems and shortcomings by the internal audit; or
  • improper documenting of employees’ actions.

 

 


1 – Updated requirements to the list of data on the payer and payee – see Article 14 of the Law on Counteracting ML/TF

2 – List of persons connected with terrorist activities or in respect of whom the international sanctions have been applied is formed in accordance with the procedure established by the Cabinet of Ministers of Ukraine and shall be published on the official website of the specially authorized body