Revised AML guidelines from the EBA

On 16 October 2023, the CSSF published Circular 23/842 on the adoption of the revised guidelines, by the European Banking Authority (the “EBA”), on money laundering and terrorist financing risk factors. These guidelines amend the EBA guidelines on customer due diligence and the factors credit that the financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (the “ML/TF Risk Factors Guidelines”)

In January 2022, the EBA published its opinion on “de-risking”, which refers to decisions made by credit and financial institutions to refuse to enter into or to terminate business relationships with individual customers or categories of customers associated with higher ML/TF risk.

In this opinion it also analysed the extent and impact of de-risking practices in the EU, especially on not-for-profit organisation(s) (“NPO(s)”). Following this opinion and the European Commission’s request to the EBA to issue new guidelines on how institutions can facilitate access to financial services by NPOs, the EBA developed these amending guidelines for customers that are NPOs. Various previous reports including findings from the FATF concluded that NPOs may struggle to access a bank account in order to operate or face difficulties in transferring funds in certain jurisdictions where the NPO operates. This is especially the case where NPOs operate in what firms deem to be “high risk” under their internal policies. The new guidelines regarding the NPOs clarifications are now included as an annex to the ML/TF Risk Factors Guidelines and are referenced under Guideline 2, paragraph 2.7.(d) of the main body of the amended ML/TF Risk Factors Guidelines.
The main points that are added by the amended guidelines are the following:

• Assessment of the risk profile: to evaluate the ML/TF risk level of a new business relationship with an NPO acting as customer or as a potential customer, firms should adopt risk-based measures and gather enough information about the NPO's governance structure, funding sources, activities, operating locations and beneficiaries. In essence this is very similar to firms’ existing customer due diligence obligations.

• Activities in jurisdiction subject to EU or United Nations (the “UN”) sanctions: if the NPO operates in areas under EU or UN sanctions, firms need to check if the NPO is covered by any humanitarian aid or derogations provisions in the EU/UN financial sanctions regimes, such as humanitarian exemptions. Although, according to international reports, NPOs can be misused for terrorist financing, not all of them are exposed to these risks. When deciding how to service these customers and in accordance with their own asset freezing obligations, firms should get evidence that shows the NPO's activities in these areas are consistent with the exemptions in the regime, or that the NPO has a derogation from a relevant competent authority. The EBA observes that the types of evidence that NPOs can provide to show they are eligible for humanitarian aid provisions and exemptions or derogations in EU/UN financial sanctions regimes are not uniform across the EU. For EU sanctions, the EBA suggests that firms consult the factsheet published by the European Commission that explains the main rules and procedures in different Member States for evaluating requests and granting humanitarian exemptions or derogations under EU sanctions regulations.

• Establishment of dedicated contact point for NPO: in order to understand how an NPO operates, how it is funded, its activities, where it operates, and who its beneficiaries are, firms should establish a dedicated contact point for NPOs if they are likely to have them as customers.

Next steps

The amending guidelines will be applicable as of 3 November 2023. Thanks to this, credit and financial institutions will be able to better assess the risks under MT/TF associated with business relationships with NPOs in order to comply with know-your-customer obligations for this specific category of customers and to avoid firms having to reject NPOs as customers or decline a business transaction with them simply due to a lack of understanding