The FIAU has just released the Implementing Procedures Part II ("IPs") focusing specifically on AML/CFT obligations for professionals and firms offering services contemplated under the Company Service Providers Act, namely:
- Formation of companies or other legal entities;
- Acting as or arranging for another person to act as director or secretary of a company, a partner in a partnership or in a similar position in relation to other legal entities;
- Provision of a registered office, business correspondence or administrative address and other related services for a company, a partnership or any other legal entity.
The National Risk Assessment ("NRA") elicited the following significant risk elements for CSPs:
- A significant volume of high-risk clients due to a number of non-resident beneficial owners ("BOs");
- Risky services are provided such as setting up complex corporate structures and holding shares in a fiduciary capacity;
- High level of geographical risk due to a large number of non-EU resident BOs;
- A large volume of international business handled by CSPs
- Sizeable service interface risk due to a big portion of CSP clients being on-boarded on a non-face-to-face- basis.
The NRA also noted to a small number of suspicious transaction reports ("STR") in comparison to other sectors when taking into consideration the size of the CSP industry.
The IPs placed significant emphasis on properly defining what certain services include and CSPs obligations in relation to such. When it comes to "Arranging", in the services mentioned above, headhunting and the mere compilation of statutory forms to appoint such functionaries are not considered as company services.
The filing of the necessary beneficial owner form for the incorporation of a company or other ancillary statutory forms on their own would not constitute "Formation of Companies or other Commercial Partnerships".
This section focuses on who the customer is and the nature of the service being offered, namely:
- Formation of a company or a commercial partnership – The prospective shareholder/BO/partner, for whom the company or other legal entity will be set up will be considered the customer. This would constitute an occasional transaction.
- Acting as a director or secretary of a company, or a partner in a commercial partnership, or arranging for another person to act as such – The company or commercial partnership is the customer. This would constitute a business relationship.
- Provision of registered office, business correspondence or administrative address or related services to a company or commercial partnership – The company or commercial partnership is the customer. This would constitute a business relationship.
Introducers, Intermediaries and Agents
A common occurrence within the CSP industry is the involvement a an individual or an entity in between the actual customer and the CSP. Depending on the level of involvement of such individual or entity the necessary classification would be required as per the below:
- Introducers – Solely make the introduction and their involvement ends there. There are no AML/CFT obligations in relation to the Introducer.
- Intermediary – Introduces third party to a CSP and then remains involved to communicate client instructions to the CSP, without necessarily being legally authorized to bind the customer in the same way as an Agent would.
- Agent – A person who acts on the customer's behalf and has the authority to bind the customer such as through execution of transactions or signing contracts. Company directors and partners vested with legal and judicial representation of the legal entity, are considered Agents in the context of an occasional transaction or business relationship. Only those directors or partners actually exercising such legal powers within a specified transaction or business relationship must be identified, verified and provide proof of authorization.
The determination as to whether an individual is an Introducer or an Intermediary cannot just be limited to who is ultimately paying the fees but a wider scope must be considered.
If during or after the formation of the business relationship it results that the presumed customer or BO is acting on behalf of another person, the CSP should consider submitting an STR to the FIAU and limit the services provided to the customer.
The CSPs must be clear in their distinction between the involvement of an Intermediary or Agent and the placing of reliance to satisfy their AML/CFT obligations.
Customer Due Diligence on Intermediaries
CSPs should have internal processes to review and approve Intermediaries before the CSP services customers introduced and represented by such Intermediaries and this process should include senior management approval prior to establishing a working relationship with Intermediaries. The basic checks for all Intermediaries should include:
- Determination whether the Intermediary is representing and liaising with the end customer through another Intermediary ("Intermediary Chains") or directly with the customer;
- Establishment of existence of the Intermediary through public sources;
- Assessment of the Intermediary's reputability and integrity, including confirmation whether they are licensed, regulated or accredited professionals;
- Ongoing monitoring of relationship with Intermediary to update information initially collected and carry out ongoing checks on an annual basis;
When it comes to dealing with Intermediaries:
- Not subject to any licensing, regulation or professional accreditation;
- Situated in high-risk or non-reputable jurisdictions; or
- Lack of information through public sources available;
the following checks must be carried out:
- Identification and verification of the Intermediary's identity, in case of firms the directors, partners or administrators must also be identified and the ultimate BO identified and verified;
- Reputability and integrity checks not limited to the entity but extended to directors, partners or administrators and its ultimate BOs;
- Requesting information on the Intermediary's AML/CFT procedures;
- Holding introductory meetings; and
- Ongoing checks must be done on an annual basis.
In the case of Intermediary Chains, these procedures must be replicated for all Intermediaries involved.
Customer Due Diligence on Agents
When an Agent is involved, the CDD measures must not only be applied on the customer but on the Agent too. The CSP must identify and verify the identity of any person purporting to act on the customer's behalf, together with proof of authorization.
Identification and verification of the identity of directors solely involved in the occasional transaction or business relationship must be carried out and the constitutive document may be used as proof that the individual is vested with the required authority to bind the entity.
When the individual acting as an Agent, is another individual involved in the entity, such as a CEO, identification and verification of identity, together with the authorization to represent the company must be obtained. Where a member of staff in such entity start providing instructions, a link must be established between a member of staff and the entity and the verified and authorised Agent, in such a case the CEO, would be in copy in the relevant emails.
Purpose and Intended Nature, and Establishing the Customer's Business and Risk Profile
Subject Persons under the PMLFTR and IPs Part I are obliged to understand the purpose of the business relationship and the customer's business and risk profile. This can be established by obtaining information on:
- The information on the rationale
- Information on the activity or purpose
- The profile of the shareholders or beneficial owners
- The value of share capital or assets of that company or entity
- Ongoing monitoring of transactions
When a business relationship is established CSPs must carry out ongoing monitoring, that includes:
- Transaction or activities monitoring ensuring they are in line with expected volume and specific activities; and
- Reviewing and updating of CDD documentation on a regular basis.
The IPs specify a number of considerations that must be undertaken when carrying out the above and obligations such as in case of a customer classified as posing a high risk, at a minimum an annual review must be carried out.
Ongoing Monitoring expected per service:
- All CSP Services (except company formation) – the below processes must be in place to keep CDD documentation up to date:
- Reviewing financial statements to monitor customer activity;
- Review corporate filings to maintain oversight on customer's structure or involved parties;
- Carry out media searches regularly;
- Screen using commercial databases regularly; and
- Request information about any changes from customer itself.
- Registered office and hold mail services – Ongoing monitoring shall be limited to CDD and no ongoing monitoring of transactions is required.
- Directorship services – Both types of ongoing monitoring are required and depending on the level of accessibility of the Director pre-transaction monitoring and post-transaction monitoring must be carried out.
- Pre-transaction monitoring is carried out when authorization from the Director is required to carry out the transaction;
- Post-transaction monitoring is carried out when authorization is not required and therefore Director requests information after transaction has taken place.
- Company Secretarial services – Ongoing monitoring shall not include transaction monitoring in this case, but besides ongoing monitoring of CDD the CSP shall document discussions at board level;
- Company incorporation – no ongoing monitoring obligations
When it comes to complex and unusual types of transactions, in scenarios that CSPs are obliged to monitor transactions, these transactions include both transactions between the CSP and its customer and underlying transactions between the CSP's customer and its own customers. Proper documentation of transaction monitoring must be kept and available for inspection by the FIAU.
Timing of Due Diligence Procedures
CSP must initiate CDD procedures when a customer takes active steps to seek the services of the CSP and not when just an initial enquiry is made. When the risk of ML/FT is considered to be low, verification procedures may be carried out during the establishment of the business relationship or carrying out of an occasional transaction.
Termination of Business Relationships for AML/CFT Purposes
When a CSP loses contact with a customer being offered registered office services, the Malta Business Registry ("MBR") must be notified, but the CSP must have exhausted all possible means to contact the client, and documented such. The date of termination of the business relationship shall be the date the CSP notifies the MBR.
All CSPs must subscribe to the sanctions list by sending an email to email@example.com and to screen their clients regularly against such list unless this is done in an automated matter.
The IPs Part II for CSPs may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.