The AML package encompasses a multitude of changes compared to the previous legal framework. The third part of our series addresses the alterations in risk management for obligated entities.
Table of Contents
Expansion of Internal Safeguard Measures
The components of internal risk management, as currently regulated in § 4 GwG, will henceforth be governed by the directly applicable AML Regulation (“AML-R”). The central norm here is Article 7 – Scope of internal policies, procedures, and controls of the AML-R.
Already in the first paragraph, a paradigm shift becomes apparent: the guidelines, processes, and controls to be introduced by obligated entities are intended not only to serve the risks of money laundering and terrorism financing but also specifically the risks arising from a lack of implementation of measures to enforce sanctions or circumvent them.
Differences from the Previous Legal Framework
While the fundamental systematics are largely continued, there are some innovations under the AML-R compared to the previous legal framework:
Outsourcing and Reliance on Third-Party Identification Records
The internal policies and procedures should explicitly encompass regulations regarding outsourcing and reliance on third parties.
Assessment of Risk Management and Dealing with Deficiencies
The internal policies and procedures must include procedures for assessing the implemented policies and procedures, the implementation of processes for identifying and dealing with deficiencies, as well as remedial measures.
Communication of Policies and Procedures to Employees, Distribution Channels, and Agents
The policies and procedures should furthermore stipulate how the developed measures are communicated internally within the obligated entity. When utilizing external distribution companies or agents, the policies and procedures should also encompass communication with them.
Independent Audit of Policies and Procedures
A certain explosive potential lies in the obligation for the independent audit of the developed policies and procedures (Article 7 (2) lit. b) AML-R). According to this, the developed policies and procedures should be controlled and reviewed by an independent internal audit. In the absence of such an internal audit, the audit should be conducted by “external experts.”
For obligated entities in the financial sector that have a compliance organization following the three lines of defense model, as is standard for credit or securities institutions, the obligation does not pose a significant novelty. The regulation regarding independent audit is likely to be challenging for obligated entities outside the financial sector, such as lawyers or tax advisors, who typically do not have such an internal organization with independent audit capabilities. The obligation for external audit is likely to entail a significant additional workload here.