In connection with possible problems with organising processes related to counteracting money laundering and financing of terrorism (hereinafter referred to as “AML/CFT") within obligated institutions that are members of a group and with the use of third party services for the purposes of the application of customer due diligence measures in the light of the provisions of the Act of 1 March  2018 on Counteracting Money Laundering and Financing of Terrorism (Journal of Laws of 2021, item 1132, as amended, hereinafter referred to as the “AML Act”), the General Inspector of Financial Information (hereinafter referred to as the “GIFI”) hereby informs as follows:
1.    The application of the group procedure referred to in Article 51(1) of the AML Act is obligatory only where the group includes at least:
- two entities that are obligated institutions within the meaning of the AML Act, or an obligated institution and its subsidiary in which the obligated institution holds the majority share, that is subject to AML/CFT obligations in the country where it is established, or
- an obligated institution and its branch in a third country.
2.    The group procedure must include mandatory elements regarding the exchange and protection of information made available for the purposes of performing AML/CFT obligations between entities subject to AML/CFT obligations that are part of a group, and may contain optional elements. Optional elements that may be included in the procedure will depend on the entities (subject to AML/CFT) belonging to the group and the nature of their business activity.
3.    Within the meaning of Article 47(1) of the AML Act “without delay” means on an ongoing basis, immediately or promptly.
4.    Any obligated institution that wants to use or uses third party services when applying customer due diligence measures must constantly monitor changes in the lists of high-risk countries kept by The Financial Action Task Force (on Money Laundering) (hereinafter referred to as “FATF”), organisations and bodies related to the FATF, as well as changes in the European Commission lists.
 
Ad 1
The wording of Article 51(1) of the AML Act may indicate that all entities included in a group are to be covered by the group procedure, regardless of their status in the light of the AML/CFT provisions[1]. As the group procedure is aimed at counteracting money laundering and financing of terrorism, it is reasonable for it to cover only those entities that are subject to obligations in this area, i.e. obligated institutions within the meaning of the AML Act and entities based in third countries conducting business activity corresponding to that of obligated entities as defined in EU regulations. This means that if a group consisting of domestic entities only includes only one entity that is an obligated institution (other entities of the group do not have such status), it is not required to introduce the group procedure referred to in Article 51(1) of the AML Act. Similarly, it is not required to introduce a group procedure where the group includes an obligated institution and subsidiaries established in a third country that do not conduct business activity corresponding to that of obligated entities as defined in EU regulations. A group procedure should be developed where:
- the group includes at least one obligated institution and
- the group also includes at least one of the following entities: another obligated institution or an entity carrying out business activity corresponding to that of obligated entities as defined in EU regulations.
A group procedure should also be developed where the obligated institution has established a branch in a third country.
 
Ad 2
The provisions of the AML Act narrowly define the scope of the mandatory elements of a group procedure. This does not mean that such a procedure may not and should not contain additional elements ensuring the application of high and uniform AML/CFT standards within the group. Similarly, FATF Recommendation 19 concerning, among others, group-wide programmes, is also limited to the mandatory content of a group procedure, namely provisions on the procedure for sharing information within the group. The explanatory note to this FATF Recommendation also indicates additional elements of a group procedure. Following the indications presented in the aforementioned note, the GIFI considers that a group procedure should also include provisions regarding:
- development of internal policies and procedures that will ensure high standards of employment in group entities,
- ongoing employee training programme,
- establishing independent audit in the group that will enable testing particular elements of the system for counteracting money laundering and financing of terrorism in place in group entities.
These provisions should be adapted to the nature of the business activity of the entities within the group.
Obligatory information exchange provisions should include provisions to ensure confidentiality and prevent information leakage.
 
Ad 3
When applying the statutory [2] customer due diligence measures, the obligated institution may use the services of only such third party that enables transfer of necessary information and documents without delay. If the technical conditions on the part of the obligated institution do not make it possible for it to receive such information or documents without delay, it may not use third party services to apply specific customer due diligence measures.
Promptness may be ensured by concluding a relevant agreement between the obligated institution and a third party, that will regulate the rules for information exchange and technical arrangements that will allow for the provision of information without delay. It is also reasonable to introduce mechanisms that will:
- adequately protect the processing of personal data being transferred, and
- make it possible to ensure data transfer without delay where the main channel for communication between the obligated institution and the third party fails, and
- secure the communication channel against hacking attacks.
The concept of acting without delay is defined differently in various legal acts. In the case of the regulation under Article 47(1) of the AML Act, speed is of significant importance, which means that the term “without delay” can be interpreted in this case as immediately. This is due to the fact that an obligated institution using third party services often guards the entry to the financial system (acts as a gatekeeper), and therefore, before admitting a customer to this system, it needs to receive information without delay so as to consider the result of the application of the customer due diligence measure in its business activity.[3] Article 47(1) of the AML Act, including the term “without delay”, implements Article 27 of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, (hereinafter referred to as “AMLD IV”), in which the legislator uses the word “immediately”
 
Ad 4
Pursuant to Article 47(1) read together with Article 47(3) and (4) of the AML Act, obligated institutions may use third party services when applying the statutory customer due diligence measures[4]. Third parties whose services may be used by obligated institutions include:
(a) obligated institutions as defined in the AML Act,
(b) obligated entities, as defined in AMLD IV, based in an EU Member State
(c) entities meeting the definition of an obligated entity as defined in Article 2 of AMLD IV, based in a third country other than an EU Member State, provided that:
a.    the regulations of that third country in which the entity is established oblige it to apply customer due diligence measures, store documents and information in accordance with the EU rules for counteracting money laundering and financing of terrorism, and
b.    these entities are subject to the supervision of the authorities of the third country in which the entity is established and this supervision is exercised in accordance with the rules corresponding to supervision provided for in EU law for counteracting money laundering and financing of terrorism.
Neither in Poland nor at the EU level, there is a list of third countries other than the EU Member State with a system for counteracting money laundering and financing of terrorism equivalent to that in force in the EU, that may be used by obligated institution to assess whether a third party based in a third country meets the requirements set in Article 47(3)(2) in fine of the AML Act. Therefore, it is the obligated institution wishing to use such services that will have to make such equivalence assessment on its own. For this purpose, it may be reasonable to introduce an internal procedure in the obligated institution that will enable such assessment to be made. It should be pointed out that the obligated institution may also use – as support – reports prepared by the FATF and related organisations that assess AML supervisory systems in force in particular countries.
At the same time, the provisions of the AML Act stipulate that it is not possible to use services provided by a third party based in a high-risk third country, unless the conditions specified in Article 47(4)(1) or (2) of the AML Act have been met. To find which countries belong to the category of high-risk third countries it is required to check the lists of high-risk countries used by the FATF and in the regulations of the European Commission including such lists. Obligated institutions using third party services to apply specific customer due diligence measures should follow the changes in these lists.
 
________________________________________
[1] Both the national provisions, i.e. AML Act, and, respectively, the provisions relating to this area in force in a third country.
[2] Only when applying the customer due diligence measures referred to in Article 34(1)(1)-(3) of the AML Act.
[3] This is especially important when obligated institutions apply Article 41(1) of the AML Act. If the circumstances stipulated in this provision occur, the obligated institution must act very quickly to prevent any use of the financial system for money laundering or financing of terrorism.
[4] Only when applying the customer due diligence measures referred to in Article 34(1)(1)-(3) of the AML Act.