Communication no. 45 on the assessment of customer information obtained by obligated institutions and steps to be taken where the customer due diligence measures may not be applied
Being competent, pursuant to Article 12(1)(11) of the Act of 1 March 2018 on Counteracting Money Laundering and Financing of Terrorism (Journal of Laws of 2021, item 1132, as amended, hereinafter referred to as the “AML Act”), to share knowledge and information regarding provisions on counteracting money laundering and financing of terrorism, the General Inspector of Financial Information (hereinafter referred to as “the General Inspector” or the “GIFI”) drawn attention to the following issues.
Selected provisions of the AML Act regarding the assessment of information by obligated institutions and the inability to apply the customer due diligence measures
Pursuant to Article 34(1)(4)(a) and (b) of the AML Act, customer due diligence measures (hereinafter referred to as “CDDM”) comprise, among others, ongoing monitoring of the customer’s business relationship, including the analysis of transactions carried out by the customer and the examination of the origin of assets available to it.
The application of the CDDMs is related to the provisions of the AML Act concerning the consequences of the inability to apply the CDDMs, i.e. Article 41 of the AML Act. Pursuant to this provision, where it is not possible to apply at least one CDDM, the obligated institution shall:
- not establish any business relationship;
- not carry out an occasional transaction;
- not carry out transactions through the bank account;
- terminate the business relationship.
Assessment of information obtained by obligated institutions
Article 33(2) and (3) of the AML Act stipulates that the obligated institution shall assess the level of the identified risk and document the factors taken into account in this assessment. The above provision implies a standard that obliges the obligated institution to take the following obligatory steps (none of them may be omitted):
1. Obtaining all necessary [1] information for the purpose of carrying out or updating the assessment of the risk of money laundering and financing of terrorism, including information from the customer [2] (this information is obtained both when establishing a relationship and in the course of its maintenance).
2. Performing an assessment of the risk of money laundering and financing of terrorism following an analysis of the information obtained from the customer and about the customer obtained from other entities (such assessment must take place at the latest when establishing a business relationship, and it must be subsequently updated in the course of maintaining the relationship and obtaining further information from the customer and about the customer).
3. Documenting each step of the risk assessment.
Consequently, the obligated institution should introduce and use processes in accordance with which each customer information received, falling within the scope specified in item 1 above, entails the obligation to assess or verify the risk of money laundering and financing of terrorism. It is unacceptable for an obligated institution to obtain some customer information and include it in its database without assessing whether it affects the level of the risk of money laundering and financing of terrorism associated with a given customer. Collecting customer information by an obligated institution may not be carried out without obligation to assess such information in terms of its possible impact on the risk of money laundering and financing of terrorism.
Example 1
The obligated institution has been keeping an account for a given customer since 2019. In 2020, the district prosecutor’s office requested the obligated institution to provide the record of the customer’s account, indicating that it needed this information for the purposes of the ongoing preparatory proceedings connected with the suspicion that the customer had committed a crime of being involved in a criminal group as well as money laundering and financing of terrorism. The obligated institution did not assess the impact of the information from the law enforcement authority regarding the pending preparatory proceedings on the risk of money laundering and financing of terrorism (it only included the letter in its database covering correspondence regarding the customer concerned) [3].
Referring to Example 1, due to the lack of action on the part of the obligated institution, the level of the risk of money laundering and financing of terrorism identified at the time of establishing the relationship with the customer did not change and, as a result, the CDDMs were not applied to the extent required under Article 33(4) of the AML Act.
Example 2
The obligated institution receives inquiries regarding its customers from law enforcement authorities. Although a register of incoming letters is kept, there is no register of inquiries with regard to the customers mentioned in these letters. Moreover, letters from law enforcement authorities regarding these customers are not attached to the customer documentation in the database of the obligated institution. Therefore, the obligated institution is aware of the inquiry, but this information is neither used nor analysed to fulfil the obligations under the AML Act.
Referring to Example 2, it should be noted that this institution has organisational deficiencies that prevent the fulfilment of the obligations stipulated in the AML Act. In particular, the obligated institution will not be able to properly assess the risk associated with a given customer and apply CDDMs that are adequate to the identified risk.
Application and inability to apply the customer due diligence measures following the revision of the assessment of the risk of money laundering and financing of terrorism
Each customer information obtained by the obligated institution should be analysed as it may lead to a change in the assessment of the risk of the risk of money laundering and financing of terrorism. Should the change in the assessment lead to an increase in the risk associated with a given customer, Article 33(4) of the AML Act requires the obligated institution to apply the CDDMs to a new, greater extent resulting from the newly identified risk of money laundering and financing of terrorism, thus ensuring compliance with the obligations specified in Article 34(1)(3) and (4) of the AML Act.
If the obligated institution attempts to apply the CDDMs, but ultimately it will not be possible to apply at least one of them (e.g. due to the lack of appropriate action on the part of the customer), the obligated institution has to [4] apply the rule provided for in Article 41(1) of the AML Act. The application of this rule involves:
(1) refraining from establishing a business relationship with the customer;
(2) refraining from carrying out an occasional transaction;
(3) refraining from carrying out transactions through the bank account;
(4) terminating the business relationship with the customer.
The structure of the provisions contained in Article 41(1) of the AML Act shows that where the obligated institution is unable to apply at least one of the CDDMs, it shall take the actions specified in the aforementioned provision. When taking those actions, the obligated institution should be guided by the key principle according to which it has to select from available measures and apply those that will be most effective in terms of counteracting money laundering and financing of terrorism, while observing the due diligence principle. Where the obligated institution finds that it is not possible to apply the CDDMs, it has to take all possible measures provided for in Article 41(1) of the AML Act that will prevent money laundering and financing of terrorism to the greatest extent, and not those that will be easiest to implement[5]. Such obligated institution should also make an assessment in accordance with Article 41(2) of the AML Act and consider notifying the GIFI.
Example 3
An obligated institution maintaining an account for its customer has made an attempt to apply the CDDM provided for in Article 34(1)(3) of the AML Act, requesting the customer to provide information on the nature of the customer’s business relationship and the purpose of the transactions that did not correspond to the customer’s profile determined when the relationship with this customer was being established. The customer did not reply to the letter, but continued to make transactions through the account. The obligated institution sent to the customer a declaration of intent in which it terminated the account agreement with a 3-month notice period (such notice period was provided for in the agreement), and concluded that it thus fulfilled its obligation and terminated its business relationship with this customer in accordance with Article 41(1)(4) of the AML Act. During the notice period, the customer was still able to make transactions through the account and took advantage of this opportunity.
Referring to Example 3, it should be indicated that the obligated institution took action, but it was ineffective. It should be stated that in this case there was a violation of Article 41(1)(3) and (4) of the AML Act, as the obligated institution did not respond to the inability to apply the CDDM in the manner provided for in this provision. If an obligated institution requests its customer for information by applying the CDDMs, but does not receive any response explaining the doubts aroused, it needs to be considered that the termination of the bank account agreement with a notice period and while executing transactions is not tantamount to the termination of the business relationship with the customer concerned. This relationship lasts until the expiry of the notice period. In the case described in Example 3, the customer was able to carry out transactions until the expiry of the notice period, which is tantamount to the failure to properly apply Article 41(1)(3) of the AML Act. Therefore, such conduct by the obligated institution should be assessed definitely negatively.
In order to streamline the application of Article 41(1)(4) of the AML Act, obligated institutions may provide in model account agreements for possible agreement termination with immediate effect by the obligated institution where it is unable to apply the CDDMs. In this case, obligated institutions may also choose not to terminate agreements with immediate effect, but suspend the execution of the customer’s transactions (pursuant to Article 41(1)(3) of the AML Act) until the notice period expires. Should the customer provide the obligated institution, within the notice period, with information that was required as part of the application of the CDDMs, there are no contraindications in the AML Act for continuing the business relationship with this customer.
Harmonisation of internal regulations and model agreements in obligated institutions with the AML Act and other legal regulations is a good practice enabling the indisputable performance of the obligation specified in Article 41(1)(4) of the AML Act.
Operational analysis of the customer’s transactions and the assessment of information obtained from the customer
Pursuant to Article 43(3) of the AML Act, obligated institutions analyse transactions on an ongoing basis. Such analysis is mandatory irrespective of the risk assigned to the customer, also in the case of low-risk customers.
Moreover, pursuant to Article 43(4) of the AML Act in the case of disclosure of transactions that:
(1) are complicated, or
(2) involve high amounts that are not justified by the circumstances of the transaction, or
(3) are carried out in an unusual manner, or
(4) seem to have no legal or economic justification
– obligated institutions take steps to clarify the circumstances in which these transactions were carried out and, in the case of transactions carried out as part of business relationships, intensify the application of the CDDM referred to in Article 34(1)(4) of the AML Act, with respect to the business relationships under which these transactions were carried out.
To carry out analyses, the obligated institution obtains information both from the customer and about the customer from other sources (public databases, open sources of information). Situations where the obligated institution obtains information for the purposes of transaction analysis, but does not take further steps provided for in legal regulations, in particular, it does not assess the information obtained, which should lead to a reliable explanation of the circumstances in which the transactions referred to in items 1-4 above were carried out, should be assessed as incorrect. The foregoing frequently results in the continuation of transactions and maintaining business relationship with the customer, despite the inability to apply at least one CDDM. Obtaining information by the obligated institution should always be followed by a comprehensive and multifactor analysis, and the results of this analysis should be confronted with the determined customer profile [6] and the previous information about the customer. It should also be assessed whether the undertaken steps have contributed to the accomplishment of the objective consisting in explaining the circumstances in which the transactions specified in items 1-4 above were carried out. If the collected information does not make it possible to determine that the transactions correspond to the defined customer profile, the obligated institution should take steps to mitigate the risk. If the obligated institution fails to determine the reasons for the transactions carried out by the customer, in particular where these are complicated or involve large amounts, or are carried out in an unusual manner, or seem to have no legal or economic justification, it is not possible to apply the CDDMs. It is therefore necessary to take the steps defined in Article 41 of the AML Act. If the obligated institution has obtained information that is insufficient to determine the nature of the transactions, it should take steps due to the inability to apply the CDDMs.
Example 4
The obligated institution opened an account for a customer that is a company. The core business of the company included consulting services for businesses in Poland. From the beginning of 2021, only international transfers were made through the bank account (several transfers to various recipients in a month). The obligated institution requested the customer to provide documents justifying international transfers and asked it questions about its business and transactions. The customer provided 6 invoices for the last two months and brief answers to the questions. The obligated institution saved the obtained information in its database, but did not draw conclusions therefrom and continued to serve this customer. The institution submitted a notification to the GIFI pursuant to Article 74 of the AML Act, in which it only quoted a few general circumstances, questions addressed to the customer and its answers as well as the invoices.
Referring to Example 4, it should be indicated that the obligated institution collected information, but failed to assess it. The obligated institution has made an attempt to apply the CDDMs, but it still does not know what its customer actually does and has not found any justification for the transactions carried out. In these circumstances, the obligated institution cannot be deemed to have applied the CDDMs (neither did it establish the source of the funds nor did it obtain information on the purpose and nature of the customer’s business relationship) and should have taken the steps specified in Article 41(1) of the AML Act. Moreover, if the obligated institution has collected information or documents from the customer, such information or documents should always be analysed, and if there are circumstances justifying the submission of a notification to the GIFI, this analysis should be reflected in this notification as an element of the justification.
When assessing the practice of the operation of obligated institutions and the fulfilment of the obligation to notify the GIFI, it is inappropriate to provide the GIFI only with documents or information about transactions, without carrying out and presenting their analysis by the obligated institution. Obligated institutions are required, pursuant to Article 74(3)(8) of the AML Act, to justify their notification, and when formulating such justification, they should refer to analyses carried out in accordance with Article 43(3) of the AML Act or Article 34(1)(4)(a) of the AML Act.
Example 5
When opening a bank account for a customer being a commercial company bought from an entrepreneur setting up companies, registered in a virtual office, the obligated institution obtained, among others, information on the planned volume of transactions on the account of PLN 5,000 per month. No transactions were made through the account for 5 months. From the 6th month onwards, transactions of PLN 300,000 per month were carried out through the account. The obligated institution made it possible to carry out these transactions for 6 consecutive months and requested the customer to justify such transactions after it had transferred funds in the amount of PLN 1,800,000. At the time of the attempted contact with the customer, the account balance was PLN 4,000. The customer did not provide any documents and ceased responding to attempted contacts by the obligated institution.
In the example described above, the steps taken by the financial institution were delayed and ineffective. The obligated institution should have requested the customer for explanations as early as in the first month in which the transactions significantly exceeded the declared amount of PLN 5,000 per month. In this case, already at the time of sending the request, the obligated institution’s knowledge did not allow for the assessment of the business relationship and the transactions should not have been carried out until the customer provided explanations demonstrating their economic justification. The mere attempt to contact the customer, e.g. sending a letter, does not mean that the obligated institution has applied any CDDM, and therefore does not release it from applying Article 41(1)(3) and (4) of the AML Act until it obtains convincing explanations.
Example 6
The obligated institution maintains an account for a natural person – a foreigner residing outside Poland. The customer has declared that the account would be used for ordinary activities related to keeping the household. The analysis carried out by the obligated institution showed that within a year, the customer received 900 transfers from a foreign postal operator for a total amount of EUR 60,000. The obligated institution found the transactions to be inconsistent with the knowledge of the customer and took steps to contact the customer in order to clarify any doubts. At the same time, the institution made it impossible for the customer to carry out transactions through the bank account. The customer did not respond to the attempted contact, and the obligated institution submitted a notification to the GIFI pursuant to Article 74 of the AML Act. Then the customer contacted the obligated institution and explained that the transfers he received were payment for the goods sold by him. As proof, he presented 3 invoices issued by him. These invoices did not contain other information apart from the issuer’s name and surname and residence address. The institution found these explanations credible and made it possible for the customer to execute transaction again, informing him that the settlement of business operations through a personal account is contrary to the bank account regulations.
The operation of the obligated institution should be considered incorrect. The obligated institution became aware that the transactions carried out by the customer related to his business activity, however, it abandoned the re-application of the CDDMs, in particular [7] thorough re-identification of the customer and verification of his identity from the point of view of Article 36(1)(1)(f) of the AML Act – i.e. it did not determine the name (company), tax identification number, address of the principal place of business – in the case of a natural person running a business. It did not take into account the information obtained as part of the assessment of the risk level. The obligated institution should have immediately made an attempt to apply the CDDMs. If at least one of the CDDMs could not have been applied, it should not have made it possible for the customer to execute transactions again.
If the obligated institution finds that transactions executed by a natural person declaring no business activity are carried out as part of business activity, it is mandatory to apply the CDDM consisting in the identification of the customer in terms of the name (company), tax identification number and the address of the principal place of business activity. Moreover, the business relationship should be reassessed and information about its purpose and intended nature should be obtained. The obligated institution should identify the risk of money laundering by obtaining information on the purpose of the account and the type of products, services and methods of their distribution by the customer, and assess the level of the identified risk.
Steps plannedto control obligated institutions
Summarising the guidelines resulting from this Communication of the General Inspector, it should be pointed out that when applying the provisions of the AML Act, the obligated institution should always strive to accomplish to the greatest possible extent the objective of the AML Act, which in the case of the problems indicated in the Communication will involve providing by the obligated institution, whenever new information about the customer appear, an answer to the following question: does such information about the customer affect the risk of money laundering and financing of terrorism? If the answer is in the affirmative, the obligated institution is required to consider verification of the assessment of the risk of money laundering and financing of terrorism and take effective action if it is unable to apply the CDDMs.
If the General Inspector finds that the customer information is not analysed by the obligated institution or the steps taken by it due to the inability to apply the CDDMs are ineffective, the obligated institution may be subject to control activities carried out by the entities referred to in Article 130(1) and (2) of the AML Act. Obligated institutions must also be prepared to demonstrate that they have applied the CDDMs adequate to the identified risk level, in accordance with Article 34(3) of the AML Act.
________________________________________
[1] An obligated institution always takes into account and documents all factors specified in Article 33(3)(1)-(6) of the AML Act. The list of these statutory factors is non-exhaustive – the obligated institution should assess the specific characteristics of its business and, based on such assessment, extend the list of factors taken into account in risk assessment.
[2] An obligated institution should not rely solely on information obtained from the customer, but should also collect information from other sources, including law enforcement agencies, the GIFI, the Office of the Polish Financial Supervision Authority and the National Bank of Poland. Information from other sources should also be used to verify information received from the customer.
[3] If an obligated institution receives letters from law enforcement agencies regarding its customer, indicating that this customer is involved in an illegal activity, the obligated institution should increase the risk level corresponding to this customer, which should be reflected in the documentation related to the risk assessment of this customer.
[4] Subject to Article 41(3) of the AML Act.
[5] Article 14(4) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, stipulates that: Member States shall require that, where an obliged entity is unable to comply with the customer due diligence requirements laid down in point (a), (b) or (c) of the first subparagraph of Article 13(1), it shall not carry out a transaction through a bank account, establish a business relationship or carry out the transaction, and shall terminate the business relationship and consider making a suspicious transaction report to the FIU in relation to the customer in accordance with Article 33. This provision is implemented by Article 41 of the AML Act, which means that obligated institutions, where they are unable to apply a customer due diligence measure, must take all practicable steps from the list provided for in Article 41(1) of the AML Act.
[6] More information about the customer profile is available in the GIFI’s Communication No. 31 of 22 June 2021.
[7] Which does not mean that the obligated institution should not take in a specific case also other customer due diligence measures.