On May 22, 2020 the new Regulation on Carrying out of Financial Monitoring by Banks, approved by the NBU Resolution No.65 (the “Regulation 2020”), came into force substituting the previous Regulation No.417 that had been in effect since June 26, 2015 and introducing new requirements to carrying out of financial monitoring by banks.
Meanwhile the Regulation on the Procedure for Analysis and Verification of Documents (information) Related to Currency Operations, approved by the NBU Resolution No.8 dated January 2, 2019, which applies not only to banks but also to non-banking financial institutions and postal operators, remains in force which governs the matters of verification of legality of currency operations.
The main changes and novelties introduced by the Regulation 2020 are outlined below.
Risk-oriented approach in the light of new indicators
The risk-oriented approach in verification of financial transactions was introduced in early 2019 by the Law of Ukraine “On Currency and Currency Operations”. A novelty of the Regulation 2020 (Annex 20) is a list of 73 indicators of suspicious financial operations to be used in verifying all banking transactions.
Indicators are divided into three main objects of examination:
The infographics on the indicators can be found at the link.
Implementation of enhanced (EMPV) and simplified (SMPV) measures of proper verification of the client
The Bank is obliged to apply the EMPV in case of detection of financial operation which has with at least one of the following indicators:
EMPV can be carried out by way of:
During the implementation of EMPV the bank chooses the type of measures required depending on the revealed risks inherent to the business relationship with the client (or to financial transaction if no business relationship is being established), and which is proportional to such risks.
SMPV, instead, can be applied to the clients of the following profile:
The forms of SMPV can be, in particular:
Such clients will not be obliged to provide a large number of documents when establishing business relationship with the bank as a subject of initial financial monitoring (hereinafter – «SIFM»).
A legal entity participating in a financial transaction (whether, a correspondent bank, or the bank of a counterparty, or the counterparty itself) can be recognized a shell company if according to the official and open sources such company is being identified as related to terrorism or other illegal activities, or even if such sources “only” disclose some reputational, registration (for example, repeated changes of UBOs or management) or operational (for example, lack of assets necessary for carrying out the company’s activity) risks.
Updated rules for interactions with politically exposed person(s) (PEP)
Each bank should develop internal procedures in order to identify whether the client belongs to the category of PEP – and Regulation 2020 has somewhat narrowed the restrictions associated with them. For example, instead of the term “public figures” and their “relatives” the Regulation 2020 uses the terms “politically exposed persons” and “family members”. At the same time, the list of persons recognized as members of PEP families was reduced – sisters, brothers, grandmothers, grandfathers, grandchildren, great-grandchildren, great-grandfathers and great-grandmothers have been excluded. In addition, from now on only foreign and international public figures must be included in the high-risk category. In other cases determination of the risk level of the client will depend on the person’s position, and the scope and type of services such person receives. If the PEP ceases to perform significant public functions (note that the term of such functions is no longer limited to the most recent three years) the bank is obliged to continue to take into account its ongoing risks for at least 12 months and to take measures stipulated by the Law of Ukraine “On counteracting legalization (laundering) of proceeds of crime (money laundering, terrorist financing and/or financing the proliferation of weapons of mass destruction” (the “Law on Counteracting ML/TF”) as long as the bank has not ascertained the absence of such risks.
Introduction of video verification
From now on banks will be able to verify a person via video connection. This procedure is equivalent to verification in person and must meet the following basic requirements:
The Bank shall have discretion to choose software for remote identification data сapturing.
Instrument of reliance
The Regulation 2020 allows SIFM to obtain and use information on: (a) customer identification and verification; (b) identification of the clients’ UBOs and verification of their identity; (c) the purpose and nature of the business relationship with the client from a third party (the “third party“).
The third party shall comply with the following requirements:
It is not necessary to comply with the above requirements if the third party and such SIFM belong to one group, but in such case they must: (a) comply with common group rules on ML/TF counteraction, including requirements for proper customer verification and documents safekeeping, and such rules comply with FATF recommendations, and (b) be under the consolidated supervision of the relevant ML/TF counteraction supervisory authority. It is not yet clear how the requirement to be under consolidated supervision should be interpreted in the context of an international financial group (and EU directives) – it is quite obvious that the NBU does not exercise such supervision over foreign members of the group and has a limited number of agreements with banking regulators from other countries.
The Bank independently decides whether to use the instrument of reliance. In addition, a contract must be concluded with the third party providing the information. Prior to its conclusion the bank must carry out a preliminary analysis of the reliability of such a third party.
The introduction of instrument of reliance, for example, will help to optimize the process of identification and verification by transferring the requested information to a Ukrainian bank directly from a foreign servicing bank, if a potential client of a Ukrainian bank continually operates abroad.
Use of agents
Apart from the instrument of reliance, banks may now instruct representatives acting on behalf of the bank (agents) on the basis of an agreement to identify and verify customers and clients’ representatives (Annex 10 to the Regulation 2020). An agent may be a person of any organizational form located in any country.
Prior to deciding to cooperate with the agent, the bank must carry out a preliminary analysis of its reliability in the manner prescribed by the bank’s internal documents on ML/TF counteraction, in particular, the bank should determine: the presence / absence of a potential agent (being whether an individual or a manager of the legal entity) in the list of terrorists, the sanctioned list of the National Security and Defense Council of Ukraine; presence / absence of criminal record on the agent (individual or a manager of the legal entity); presence / absence of existing restrictions / prohibitions of the agent’s right to engage in certain activities in accordance with the court judgment, until the conviction is expunged or revoked; and other information provided for by the Regulation 2020 and internal documents of the bank.
Information exchange with SIFM
The NBU has clarified the responsibilities of the bank employee who is responsible for financial monitoring and the procedure for providing information to the State Financial Monitoring Service of Ukraine (Annex 15 to the Regulation 2020). In addition to informing about transactions that are subject to mandatory monitoring, transactions that are subject to internal monitoring and suspicious transactions, banks will now report to the State Financial Monitoring Service of Ukraine on discrepancies between the information about the UBOs contained in the state register and actually detected during the inspection. The information must be provided no later than 10 working days of the month following the month in which the discrepancies were detected.
The ultimate beneficiary owners (UBO) identification requirements have been updated
The bank may no longer rely only on the USR when identifying the client’s UBOs, but must use all available information, including the one received from foreign state register and demand it from the client. The requirements for the identification of UBOs shall be met by the bank subject to risk-oriented approach, taking into account the risk criteria established by it (Annex 19 to the Regulation 2020). Based on the data analysis the bank shall evaluate the risk level of the client as low, medium or high, which in turn may give ground for application of EMPV to such client.
The Bank does not have to inform the SIFM about the discrepancies identified in the data on UBOs:
Informing about violation of financial monitoring requirements
Under the new rules banks must ensure the functioning of communication channels through which bank employees can inform the bank’s responsible persons (whistle-blowing), including the chairman of the bank, in oral and written form about possible violations of the laws or internal procedures by other employees. The bank may also establish procedure for submission of such notifications by other persons (clients, contractors, potential accomplices to violations).
In contrast to informing the NBU and the SIFM, the above procedure is a right, and not an obligation of the person who has revealed the violation.
Detailization of measures that apply to foreign financial institutions-correspondents
During establishing correspondent relations with international financial institutions Ukrainian banks should make sure that such foreign financial institutions are subject to similar financial monitoring requirements as applicable to Ukrainian banks. In general, the bank should be guided by a risk-oriented approach when verifying information provided by a foreign institution or obtained from any other source.
In cases when a high risk is detected, the bank should consider the possibility of visiting the premises of the correspondent institution to ensure that such institution has an appropriate ML/TF risk management system. Risk reduction factors have also been detailed, such as belonging of the bank and the correspondent institution to the same control group for ML/TF counteraction or limitation of the scope of activities with such an institution.
Monitoring during funds transfers
The NBU has established detailed requirements (mostly of a technical nature) for the procedure of financial monitoring that shall accompany funds transfers. Monitoring procedures are considered sufficient if they ensure:
The mentioned indicators of online monitoring of information about the payer or payee should include exceeding the transfer threshold amount established by the bank (taking into account the average values of ordinary transfers in the bank during the day); availability of negative information about the SIFM from which the transfer has arrived; connection of the transfer with the jurisdiction where FATF recommendations are not being followed, etc.
Asset (un)freezing procedure
The NBU has obligated the banks to automate procedures for detecting, freezing and unfreezing assets related to terrorism and terrorist financing, proliferation of weapons of mass destruction and its financing. Banks shall also develop screening indicators for detection of relatedness with the persons on terrorists list[](https://www.integrites.com/publications/financial-monitoring-new-rules/#_ftn3), shall monitor the revealed data matches, and regularly review the effectiveness of monitoring, in particular by reviewing existing system settings and analyzing cases of technical failures over certain time periods.
If the system automatically detects the relatedness of a party of a financial transaction with persons who are included in the list of terrorists and provided there are no sufficient information that could confirm or refure this fact, the bank may demand additional information (within three days from the date of detection – for transactions within Ukraine, and within five days – for cross-border financial transactions). If no additional information is obtained, the bank shall freeze the assets.
Risk management system inadequacy
The bank’s risk management system is considered inadequate provided there are (1) numerous financial transactions for large amounts which are suspected of using the bank for ML/TF or committing another crime, and which are resulting from non-compliance with ML/TF counteraction measures and (2) at least one of the features provided for in paragraph 74 of Section IV of the Regulation 2020, for example:
1 – Updated requirements to the list of data on the payer and payee – see Article 14 of the Law on Counteracting ML/TF
2 – List of persons connected with terrorist activities or in respect of whom the international sanctions have been applied is formed in accordance with the procedure established by the Cabinet of Ministers of Ukraine and shall be published on the official website of the specially authorized body