New financial monitoring: Who should hide, and who should adapt

Primary financial monitoring entities should reassess their work according to new criteria

Anton Marynych, Lead Legal Counsel at Nota Group 10 march 2023, 08:30

Photo: https://pixabay.com/

While the Ukrainian army is defending our borders, the state is strengthening legislation and regulations to prevent and combat money laundering, terrorist financing and proliferation of weapons of mass destruction. Such steps are dictated not only by national security, but also by the protection of the interests of citizens, society, and the state. The main document in this area is the Law of Ukraine "On Prevention and Counteraction to the Legalisation (Laundering) of the Proceeds of Crime, Terrorist Financing and Financing of the Proliferation of Weapons of Mass Destruction" (hereinafter – the Law). In order to implement the Law, at the end of 2022, the Ministry of Finance of Ukraine issued Order No. 465 dated 28 December 2022, which entered into force on 24 February 2023, updating the criteria for the risk of legalisation (laundering) of proceeds of crime, terrorist financing and financing of the proliferation of weapons of mass destruction. Since the publication of the Order of the Ministry of Finance No. 465, the Order No. 584 dated 8 July 2016 has been repealed. Anton Marynych, the leading legal counsel at Nota Group, told Mind about the main changes of the updated criteria.

A new list of primary financial monitoring entities is now in effect

The updated risk criteria have defined an extensive list of PFMEs (primary financial monitoring entities) to which these criteria will apply:

professional participants of capital markets (except banks), the Central Securities Depository;
professional participants of organised commodity markets;
those who provide services for the circulation of virtual assets;
specially designated entities (except for those who provide services within the framework of labour relations). Namely:

- law firms, law firms' associations and lawyers practising individually;
- notaries;
- those who provide legal services;
- those who provide services for the establishment, operation, or management of legal entities;
- auditors;
- accountants and those who provide accounting services;
- tax consultants;
- those who provide intermediary and/or advisory services for real estate transactions;
- those who trade for cash in precious metals and precious stones and products made of them;
- those who conduct lotteries and/or games of chance;
- those who trade in cultural property and/or provide intermediary services in this regard.

If you are surprised that banks are excluded from this list, we would like to clarify that banks have separate criteria set by the NBU. And there is a logic to this.

Immanent limits will determine the risks

What else is new? If the internal financial monitoring documents contain such quantitative and/or evaluative characteristics as "significant increase", "large volumes", "high stakes", "regularity", "many years", "expensive", "unusually large assets", "extremely large transactions", the PFMEs should independently determine their inherent limits. IMMANENT means inherent in the nature of an object or phenomenon, intrinsic to it.

In other words, immanent limits are "red lines". And these "red lines" must be identified and established by the primary financial monitoring entity from the list of criteria for applying the risk-based approach independently in accordance with the specifics of its activities.

The criteria specify the grounds on which the PFMEs must determine that the risk of a business relationship is unacceptably high.

The law obliges the PFME to set this "upper limit" in the case of

inability to fulfil its statutory obligations;
to minimise the identified risks associated with a client or financial transaction;
if, based on the results of the study of suspicious activities of the client, there is a reasonable suspicion that such activities may be fictitious.

At the same time, the criteria also establish such a ground as "in other cases determined by the primary financial monitoring entity in internal documents on financial monitoring."

Thus, the by-law added flexibility to the PFMEs. They can now individually define the criteria for an unacceptably high risk of business relationships in their documents. However, the question remains: where does the immanent limit of such a criterion lie?

The PFME should assess its own risk profile on a point-by-point basis:

Nature and scale of activities.
Types of activities.
Types of clients and their risk profiles.
The geographical location of the PFME (as well as the country in which the bank accounts are opened).
Channels/methods of providing (receiving) services.
Counterparties.

A group risk factor will be used for business relationships

Another novelty is that primary financial monitoring entities have been given the opportunity to create a group risk profile. To do this, they need to set out certain parameters in their internal documents. For example, the social status of the client, the use of the same types of services, and the total volume of financial transactions.

What does this group approach bring? The ability to classify customers into certain categories and assign a "risk label" to such business relationships.

Moreover, the criteria clarify the requirements of the law for the primary financial monitoring entity to develop its own criteria. But even in this case, there are certain guidelines that can be found in sections II-IV of the criteria. One should also be guided by the typological studies in the field of prevention and counteraction prepared and published by The State Financial Monitoring Service of Ukraine; the results of the national risk assessment; recommendations of the state financial monitoring bodies that carry out state regulation and supervision of the relevant PFME. Of course, one should also take into account the specifics of it.

Typological studies published on the website of the State Financial Monitoring Service are nothing more than the result of the systematisation of information received in the reports of suspicious financial transactions by the PFMEs. These studies are also the result of the issues related to the detection, disclosure, and investigation of financial crimes, and the disclosure of the content of various schemes for laundering the proceeds of such crimes.

Signal markers – for reassessing the level of risk

The criteria define specific markers that signal that a primary financial monitoring entity needs to update its internal rules, including reassessing its risk profile.

Thus, the risk profile should be reassessed in case of:

changes in the business model;
introduction of new services that differ significantly from the existing ones.

The client's risk profile should be reassessed:

when taking measures to update customer data;
when new risk criteria inherent in the business relationship with the customer are identified.

Risk management measures

The criteria define a list of risk management measures. These measures include:

A clear division of duties and responsibilities among the staff of the PFME and ongoing internal controls.
Preliminary analysis of new services of the PFME to identify inherent risks,
Applying tools that limit the usage of a particular service,
Implementation of a diversified approach to obtaining permission to establish (continue) business relations with a client, applying a risk-based approach (here, the principle should be followed: the higher the risk, the higher the position of the authorised primary financial monitoring entity employee to grant such permission).
Obtaining additional permission from an authorised employee of the primary financial monitoring entity/manager/executive body to conduct certain high-risk financial transactions.
Monitoring of business relations with the client.
Implementation of an appropriate client verification (here, the "know your client" principle should be applied – obtaining additional necessary information to understand the content of the client's activities and/or the nature of the financial transaction).
Strengthening measures to monitor business relationships with high-risk customers.
Regularly and objectively informing the management of the primary financial monitoring entity about identified risks and measures to manage such risks.
Ensuring that employees of the PFME have a proper understanding of their responsibilities in the area of prevention and counteraction (in particular, through training).

On the impact of the new criteria

And now, actually, about the responsibility of PFMEs in the context of the new criteria.

For failing to ensure proper organisation and conduct of primary financial monitoring, and for not having a proper risk management system in place, the primary financial monitoring entity may be fined. According to the law, the fine may reach up to 10% of the total annual turnover (but not more than 7,950 tax-free minimum incomes).

As one can see, the new criteria for risk management measures and lists of risk criteria are significantly more detailed. Therefore, we strongly advise PFMEs to reassess their risk profile. They should also update their internal documents on financial monitoring measures according to the specifics of their activities.

Such reassessment and updating are necessary to ensure an adequate risk management system and primary financial monitoring.

It should also be borne in mind that although the new criteria provide certain flexible tools, this flexibility makes it difficult for the PFMEs to comply with the requirements of the financial monitoring legislation.

Stay tuned for business and economy news on our Telegram-channel Mind.ua and the Google NEWS feed