On 24 January 2018 the National Bank of Belgium (hereafter “NBB”) published its Circular 2018_02 on the overall assessment of money laundering and terrorist financing (hereafter “ML/FT”) risks. On 22 December 2017 the Royal Decree of 10 December 2017 approving the NBB Regulation of 21 November 2017 on the prevention of ML/FT was published in the Belgian Official Journal.
The Circular and the Regulation build on the new Law of 18 September 2017 (hereafter “AML Law”) on the prevention of ML/FT and on the restriction of the use of cash.
The Circular and the Regulation provide further guidance on the:
- Requirements by and expectations of the NBB regarding the general AML/CFT risk assessment (Enterprise Wide Risk Assessment or “EWRA”).
- Additional provisions on the organisation and internal control by the obliged entities.
Risk Based Approach (“RBA”) based on an Enterprise Wide Risk Assessment (“EWRA”)
The new AML Law introduced the Risk Based Approach (“RBA”) as the cornerstone for setting up each single piece of the institution’s AML/CFT framework. The RBA implies that, more clearly than before, available resources should be deployed in an optimal way to avoid/mitigate the risk of being misused for ML/FT purposes (for more details, see our Newsflash of 9 October 2017).
The set-up of the institution’s RBA should be based on an actual and profound knowledge and understanding of its ML/FT risks. Therefore, institutions are required to set up and perform a general AML/CFT risk assessment (“Enterprise Wide Risk Assessment” – “EWRA”) at the level of their entity.
The NBB Regulation and Circular give further details on the governance and process of the EWRA. Moreover, a timeline is set for the performance of the first EWRA exercise by the institutions.
The set-up and performance of an EWRA is subject to several organisational requirements:
- Performed by the AMLCO and validated by the Executive Committee;
- Embedded in a clear methodology (in writing); and
- Results must be documented, regularly updated (annually or ad hoc in case of relevant changes in business model, new products, new markets,...) and made available to the NBB (yearly, together with the annual AML report) and all relevant stakeholders.
To perform an adequate EWRA, the institution has to obtain extensive and up-to-date knowledge on the ML/FT risks to which the institution is exposed and the corresponding risk insight.
Firstly, the institution must identify and categorise the relevant ML/FT risks, taking into account the applicable risk factors (as mentioned in the AML Law, ESA Guidance,... and taking into account the specific situation of the institution) and the relevant scope of the institution/group. As such, the institution will define its inherent ML/FT risks (“Risk Identification”).
In a second phase, the institution will assess the actual control measures in place by evaluating the design and operating effectiveness of its policies and procedures, controls, training, systems,... related to the new AML Law and Regulation (“Gap Analysis”).
Based on the level of the identified risks and the adequacy of the actual measures in place, the institution should further evaluate if additional measures are required and put these in place (“Action Plan”). Such action plan should be embedded in the overall implementation of the requirements of the new AML Law.
In order to be able to follow the progress of the institutions regarding the set-up and performance of the EWRA, the NBB has set a clear timeline to be respected. At the indicated dates, the institutions will need to communicate (via e-corporate or mail) the results of their EWRA (as summarized in a template, cf. Annex 1 to the Circular) and to provide further information on methodology, findings and next steps (questionnaire – included in Annex 3 to the Circular).
Key dates to take into account:
For the practical implementation of the EWRA and RBA in a timely and appropriate way, the following steps need to be taken:
- Set up EWRA Governance, Methodology and Tooling – a clear and practical methodology has to be elaborated to perform the required evaluations within the EWRA. In order to make the EWRA practical and useful in a consistent way, an adequate set-up and tooling should be foreseen. As the EWRA becomes a regular exercise, this should be embedded in an appropriate and consistent governance framework.
- Define concrete scope – in order to have an optimal effect on the further elaboration of the RBA of the institution, the EWRA should be tailored to the size, activities, organisation,... of the institution. The scope should take into account the appropriate risk factors (as described above).
- Carry out EWRA – based on the tailor-made methodology and scope, a first exercise of the EWRA will be carried out. As such an exercise will depend largely on the (timely) availability of required data, the necessary throughput time should be foreseen.
- Build RBA – based on the results of the EWRA, the appropriate RBA should be defined and further elaborated in a practical and concrete action plan. It is recommended to include these actions in the overall action plan for the implementation of the new AML Law in the institution.
Organisation and internal control
Next to the EWRA, the Regulation elaborates further requirements regarding the organisation and internal control within the institutions. As such, it replaces the old AML/CFT Regulation of the CBFA (23 February 2010).
The requirements of the new Regulation take into account:
- The annual activity report of the AMLCO;
- Details regarding internal procedures related to client acceptance, identification, verification and update of client data, investigation of transactions, intervention of third parties, declaration of suspicious activities, money transfers and sanctions and embargoes; and
- Organisation and internal control at group level.