
Apex Regulatory Update: July 2017

04 July 2017

Regulation 2015/847 | Revised Wire Transfer Regulation

An updated anti-money laundering and counter-terrorism financing framework came into effect in the European Union (EU) on June 26, 2017, including the fourth Anti-Money Laundering Directive (AMLD4) and the revised Wire Transfer Regulation (WTR2).

In line with the Financial Action Task Force’s (“FATF”) Special Recommendation VII (“SR VII”), which aims to enhance the transparency of electronic payment transfers, the scope of WTR2 has been materially extended and now requires that certain payment service providers, intermediaries and fund transfers include information on the payee/beneficiary of the payment, in addition to the information already required on the payer/remitter. The WTR2 also tightens requirements relating to payment products that are for anonymous use or cannot be linked to individuals.

The changes are intended to prevent criminals, money launderers and financers of terrorism from transferring money freely within the EU. They address problems relating to illegitimate money transfers and ensure the adoption of the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by FATF on 16 February 2012 (the ‘revised FATF Recommendations’).

Key changes and requirements set out in the first Wire Transfer Regulation include:

  • The Payment Service Providers (“PSP”) must ensure fund transfers are accompanied by information on the payee AND the payer.
  • The PSP of the payee must verify the accuracy of the information on the payee for fund transfers above the value of EUR 1,000.
  • Clarification must be made that WTR2 will apply for person-to-person fund transfers made using payment cards, electronic money instruments, mobile phones or any other digital or IT prepaid or postpaid devices with similar characteristics.
  • The PSP of the payee and the intermediary PSPs must establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds that lacks the required payer and payee information.
  • The PSP must establish whistleblowing procedures.
  • The derogation for intra-EU transfers continues to apply under WTR2 as it did under WTR (although under WTR2 such transfers must be accompanied by at least the account number of both the payer and the payee, as opposed to just the account number of the payer, as was the case under WTR).
  • Firms that wish to take advantage of the derogation will need to have systems in place for distinguishing which transactions benefit from the derogation and those that do not.  

Exceptions apply to bank-to-bank transfers (regular MT202) as well as certain retail transactions, including payment cards used simply to pay for goods and services.

Impact on Apex Clients

Clients using SWIFT as a fund transfer method must review their current set up to ensure it meets WTR2 requirements. Apex suggests its clients contact their PSP without delay to ensure that any issued (or received) payments contain the required information detailed by WTR2.

In the case of EU cash transfers (type MT103 payments), whereby all counterparties are located within the EU, the account number will have to be added in most cases. For non-EU cash transfers (valid when one party is not located within the EU) a wider list of additional information will be required by the new regulation. Non-EU cash transfer messages must include all of the information listed below:

  • Account number
  • Name
  • Address, or
  • Official Identity number or
  • Client number or
  • Date and place of birth

In order to support the extended requirements for payee information, SWIFT [1] has added the F format to field 59 (Beneficiary Customer), which provides a structured format to capture name, account number and address of the beneficiary in an MT message. For Non-EU transfers, field 59 will include the account number and name only.

The same structured F format option has been implemented for field 50 (Ordering Customer) for some time.

Originating banks should therefore ensure that appropriate information accompanies wire transfers while others in the payment chain (e.g. intermediaries) are required to monitor the payment they process based on this information.

The below table contains the new obligations PSPs are expected to comply with, including the implicit statement that if these are not met no payment can be made.

Payer Bank (originator):

Ensure the payment instruction includes the below:

Full originator information:

  • Name
  • Account Number
  • Address or DoB or official ID number or client number

Full beneficiary information (Payee bank):

  • Name
  • Account number

Intermediary bank:

All received information must be kept with the transfer

Detect transactions with missing or incomplete information

Establish risk based policies and procedures to determine:

  • when to execute, reject or suspend transactions with missing or incomplete information
  • appropriate follow-up-action

Payee Bank (receiver):

Detect transactions with missing or incomplete information

Verify identity of beneficiary

Establish risk based policies and procedures to determine:

  • when to execute, reject or suspend transactions with missing or incomplete information
  • appropriate follow-up-action

Transparency

The Basel Committee encourages all banks to apply high transparency standards (in full compliance with applicable national laws and regulations), in the context of cover payments initiated to settle a customer transaction. In particular:

  • Appropriate information should be included in payment messages as described in this document. Financial institutions should not omit, delete or alter information in payment messages for the purpose of avoiding the detection of that information by any other financial institution in the payment process.
  • Financial institutions should not use any particular payment message for the purpose of avoiding detection of information by other financial institutions during the payment process.
  • Subject to all applicable laws, financial institutions should cooperate as fully as practicable with other financial institutions in the payment process when requested to provide information about the parties involved.
  • Financial institutions should take into account, in their correspondent bank relationship, the transparency practices of their correspondents.

NEW EU Rules to fight money laundering and terrorist financing start to apply across Europe.

On the 26th of June 2017 the Commission released its Supranational Risk Assessment Report, focusing on the vulnerability of financial products and services in relation to money laundering and terrorist financing risk. It is the first time that the European Union has addressed the strengthening of existing rules at an EU level. The fourth Anti-Money Laundering Directive (AMLD) took effect on the 26th of June 2017; all EU countries have two years from that day to implement AMLD rules into national AML laws. The new AMLD applies to banks and financial institutions as well as to auditors and accountant firms.

Key changes:

Extension of the Directive’s Scope

  • The threshold for customer due diligence will be lowered under 4MLD, bringing anyone trading in cash with a value over €10,000 into scope (the previous threshold was €15,000).
  • Gambling sector is now in scope of the directive
  • Virtual currency exchange platforms within its scope
  • Wallet providers that allow the public to have access to virtual currencies
  • Domestic PEPs in scope of EDD (see related section)

Inclusion of Tax crimes as predicate offences

The 4AMLD includes an explicit reference to tax crimes (related to direct and indirect taxes) as being ‘predicate offences’.

The Circular 15/609 on anti-money laundering in tax matters issued by the Luxembourg financial regulator (“CSSF”) in March 2015, emphasises that supervised entities should continue to actively work on:

  • Exchange of information
  • AML
  • Tax infractions

At a Group level, Apex Fund Services implemented an upgraded Anti-Money Laundering and Counter Terrorist Financing Policy in February 2017. This policy already considers certain elements of the 4th AMLD as standard and ensures upgrades are safeguarded to protect Apex and its customers in high risk areas. Apex has created dedicated Transfer Agency Know Your Customer (KYC) Investor Guidelines and checklists, including aspects of the 4th AML Directive. These upgraded standards are being rolled out in Luxembourg and Ireland and will be introduced across Europe and wherever cross-border services are offered by Apex.

See below the comparison matrix upon which Apex has implemented upgrades into its existing framework:

Category: Risk Based Approach
3AMLD: Consider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program.
4AMLD: Consider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program. Include nationwide AML risk assessments conducted by individual EU Member States.

Category: Third Country
3AMLD: Equivalent jurisdiction (“White List”) allowed application of SDD.
4AMLD: The concept of “White List” has been dropped. Financial institutions must determine the level of AML risk posed by a customer prior to applying the SDD status to such customer and provide justification for such qualification.

Category: Record Retention
3AMLD: Record retention: 5 years.
4AMLD: Record retention is still 5 years; however, it might be extended to 10 years where needed for the prevention, detection or investigation of money laundering or terrorist financing.

Category: Ownership and Management
3AMLD:
  • Identification and verification of any beneficial owner that controls > 25% of the shares or voting rights.
  • Issuance of bearer shares by companies permitted.
  • Senior management = members of the Board of Directors of the financial institution.
4AMLD:
  • The same rule applies. However, the FI can lower the trigger for identifying the UBO to 10% in case of higher risk. BO information is to be submitted to a central register in each Member State.
  • Issuance of bearer shares by companies is not permitted.
  • Senior management = an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting its risk exposure.

Category: Tax Crime
3AMLD: N/A
4AMLD: Tax crimes (in the broadest definition permitted under individual Member States’ laws) will be a predicate AML offense.

Category: PEPs
3AMLD: Politically Exposed Persons (PEPs) are defined as ‘natural persons who are or have been entrusted with prominent public functions and immediate family members, or persons known to be close associates, of such persons.’
4AMLD: A PEP is a natural person who is or who has been entrusted with prominent public functions and includes the following:

  1. Heads of State, heads of government, ministers and deputy or assistant ministers;
  2. Members of parliament or of similar legislative bodies;
  3. Members of the governing bodies of political parties;
  4. Members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
  5. Members of courts of auditors or of the boards of central banks;
  6. Ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
  7. Members of the administrative, management or supervisory bodies of State-owned enterprises;
  8. Directors, deputy directors and members of the board or equivalent function of an international organization.

No public function referred to in points (1) to (8) shall be understood as covering middle-ranking or more junior officials.

3AMLD: Before engaging in any transactions and/or relationships with PEPs, FIs must:

  1. Have appropriate risk-based procedures to determine whether the customer is a PEP;
  2. Have senior management approval for establishing business relationships with such customers;
  3. Take adequate measures to establish the source of wealth and source of funds;
  4. Conduct enhanced ongoing monitoring of the business relationship

4AMLD: Before engaging in any transactions and/or relationships with PEPs, FIs must:

  1. Have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a PEP;
  2. Apply the following measures in cases of business relationships with PEPs:
     • Obtain senior management approval for establishing or continuing business relationships with such persons;
     • Take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
     • Conduct enhanced, ongoing monitoring of those business relationships

Category: PEPs
3AMLD: N/A
4AMLD: Where a PEP is no longer entrusted with a prominent public function, financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months (or longer, until the financial institution determines that the risk specific to such PEP has diminished).
Category: Policies and Procedures

Disclosure of information should be in accordance with the rules on transfer of personal data to third countries as laid down in Directive 95/46/EC of the European Parliament.

Information exchanged between financial institutions in connection with AML/CTF investigations shall be used exclusively for the purposes of the prevention of money laundering and terrorist financing.

The Fourth AML Directive “is without prejudice to the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, including Council Framework Decision.”

Member States shall ensure that the sharing of information within the group is allowed.

Any suspicious activity is to be promptly reported to the local FIU, which has anonymous access to centralized registers or electronic data retrieval systems.

Where EU-based financial institutions have branches and subsidiaries located in third countries where the legislation in this area is deficient, they should apply the Community standard or notify the competent authorities of the home Member State if this is impossible. Financial institutions that are part of a group must implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions that have branches or majority-owned subsidiaries located in third countries shall implement the stricter of the laws of the headquarters’ country and the subsidiary’s or branch’s country.

Where a third country’s law does not permit implementation of the policies and procedures required above, financial institutions must ensure that branches and majority-owned subsidiaries in that third country apply additional measures to handle the risk of money laundering or terrorist financing, and inform the competent authorities of their home Member State. If this is not sufficient, the competent authorities of the home Member State shall exercise additional supervisory actions.

Category: Penalties

Member States should ensure that appropriate administrative measures or penalties could be imposed on financial institutions in a manner that would be “effective, proportionate and dissuasive”. For natural persons sanctions could be adjusted “in line with the activity carried out” by that person. For serious, repeated and/or systematic failures in the areas of CDD, suspicious transaction reporting, record keeping and internal controls, minimum penalties may include:

  • Public reprimand
  • Cease and desist orders
  • Suspension of authorization
  • Temporary ban from managerial functions
  • Maximum pecuniary sanctions of at least €5M or 10% of the total annual turnover (and at least €5M for a natural person).

For non-financial institutions, penalties can amount to twice the amount of the benefit derived from the breach, or at least €1M.

Category: Cash Payments for Merchants
3AMLD: Persons trading in goods must report cash payments of €15,000 or more, either as one or multiple related transactions.
4AMLD: Persons trading in goods must report cash payments of €10,000 or more, either as one or multiple related transactions.

GDPR | What is truly new in this Data Protection Regulation?

Apex has performed a comparison of the current and the upcoming GDPR and has detected the following new additions which are part of the GDPR implementation plan.

Key facts on the current EU Data Protection Directive vs the upcoming GDPR:

  • Articles 4 and 9 – Definition of consent and conditions for consent have been reinforced, with the need to review existing or missing consents from data subjects within the company. The process has to focus on employees, client relationships, third party relationships including vendors and service providers.
  • Article 5 – Principles relating to the processing of personal data have been reinforced with the need to review the existing ways personal data are processed by a company or any other company performing this task under delegation of the company.
  • Articles 12, 13 and 14 – Privacy Notices will have to be reviewed and reinforced reflecting the additional standards and details to ensure they are in line with the GDPR and protect the company in all areas.
  • Article 22 – Automated individual decision making, including profiling, was already contained in the EU Data Protection Directive but has been reinforced. This requires companies to review their current operational processes and contractual framework. Costs might be associated depending on the outcome of the review.
  • Article 24 – Responsibilities of the data controller have been reinforced which means all existing standards, contracts and oversight have to be reviewed to ensure data requirements as per GDPR are covered. This is a huge data review assessment which goes from data classification to data control and protection, appropriate storage, timely deletion, legal framework allowing control and reflecting data subjects rights. Definitely a cost and time consuming exercise.
  • Article 28 – Data Processor comes with additional obligations and liability which means that there is the absolute need to review legal arrangements and processes to ensure they are not exposing the data processor as such or towards the data controller.
  • Articles 31 and 32 – Co-operation and Security of processing have been reinforced, with the need to perform a review against existing processes, frameworks and controls.
  • Articles 44 up to 49 – Cross border transfers have been definitely reinforced as the basic notion of the new GDPR is to cover data flows within and even outside of the EU. Any operational or IT delegation structures have to be reviewed and reinforced with respective legal coverage and updates in the consent framework to ensure transparency where missing.

Cayman Islands – First legal Data Protection Framework introduced March 2017

In March 2017, the Legislative Assembly of the Cayman Islands passed the Data Protection Law 2017, introducing for the first time a true legal framework on the management of data in the region. The Cayman government published a Data Protection Bill in 2016 proposing a data protection framework based on principles describing rights and duties in all areas where personal data is involved. The suggestions put forward in the Data Protection Bill, 2016, were inspired by the legislative framework of the European Union and international best practices. Until the law is enforced, the Cayman Islands will continue to operate under the previous duty of confidentiality enshrined in the common law and provisions for the Confidential Relationships Preservation Law (as revised) of the Cayman Islands (the ‘CRPL’).

The new Data Protection Law in Cayman imposes principles such as the ‘fair and accurate management and storage of personal data’. The Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike, as well as entities outside the Islands that have certain data processing functions. This is similar to the upcoming GDPR going beyond the European territory. Apex is closely monitoring the Cayman Islands data protection developments, market practice adaptations and the nuances of each principle to understand similarities or differences in legal notions and will provide further updates in due course.

This constitutes a big success with regards to progress in this area as it is the third time a government has attempted to implement such a defined legislation – the previous two attempts to pass such a Data Protection Bill failed, not even making it to Legislative Assembly level.

[1] https://www.swift.com/node/14361
