Dutch banking uses industry baselines to reduce client AML-CTF impact
Published on 12th Jun 2023
Five risk-based baselines have been published by the Dutch Banking Association with 12 more expected
The Dutch Central Bank (DNB) has significantly intensified its supervision in recent years of compliance with anti-money laundering and combatting the financing of terrorism (AML-CTF) laws, which has resulted in some Dutch banks facing serious and punitive enforcement measures.
Consequently, banks have tightened their AML-CTF procedures to such an extent that increasingly, bona fide clients are excluded access from basic financial services like opening corporate bank accounts or face repetitive and burdensome requests for information as part of the bank's ongoing client monitoring obligations.
DNB and the Dutch banking sector agree that AML-CTF procedures and related supervision should be more targeted, in order to limit effects on bona fide clients and increase effects on clients that pose actual AML-CTF risks. DNB has entered into discussions with the Dutch Banking Association (NVB), of which nearly all banks that are active in the Netherlands, including branches of foreign banks, are members, with the aim of agreeing on principles for banks to perform their AML-CTF gatekeeper obligations proportionately, while focusing on real risks. This has resulted in the publication on 30 May 2023 of the first five risk-based Industry Baselines.
Although the baselines are designed for banks, they may be used as guidance by other financial institutions subject to Dutch AML-CTF laws, such as e-money and payment institutions.
Industry Baseline 1: UBO identification and verification
The baseline on ultimate beneficial owner (UBO) identification and verification (ID&V) describes the practices to implement UBO ID&V for low-, neutral- and high-risk scenarios. The baseline has various examples and use cases for each scenario, including the basis for identification of the UBO and its verification.
|
Basis for UBO identification |
||
|
|
Low or neutral risk |
High risk |
|
In case of access to UBO register |
|
|
|
In case of no obligation to consult the UBO register or no access to a UBO register |
|
The UBO declaration must be supported by additional documentation such as the shareholders register, trust deed, third-party UBO statement or annual reports. |
|
Basis for UBO verification |
|
|
Low and neutral risk |
High risk |
|
Additional information from a reliable source, such as a certified copy of an identification document. When the UBO is seen in person, the identity can be verified at that time by obtaining proof of the identity of the UBO. |
Industry Baseline 2: Pseudo-UBO
In case no UBO can be identified based on ownership or control, all executive board members, or, in the case of a partnership, all partners with ultimate and overall responsibility of the legal entity qualify as UBO(s), referred to as the pseudo-UBO.
The baseline on pseudo-UBO describes the practices to implement pseudo-UBO ID&V for low-, neutral- and high-risk scenarios. The baseline includes various examples and use cases for each scenario.
The below table sets out the basis for identification of the pseudo-UBO:
|
Basis for pseudo-UBO identification |
||
|
|
Low or neutral risk |
High risk |
|
EU entity |
EU trade register |
EU trade register and recording in the client file that:
|
|
Non-EU entity or no access to EU trade registers |
i) senior managing officials are identified as being UBO as a fallback after exhausting of all other possible means to identify the UBO by ownership or factual control and ii) that there are no grounds for suspicion of ML-TF. |
|
The pseudo-UBO verification, can be based on the following documents:
|
Basis for pseudo-UBO verification |
|
|
Low or neutral risk |
High risk |
|
|
Industry Baseline 3: High-risk third-parties EDD
The baseline on enhanced due diligence (EDD) measures for European Commission high-risk third parties describes how to perform (EDD) where it concerns transactions, business relationships and correspondent relationships related to the Commission's high-risk third countries (HRTC).
In case of HRTC-related EDD, additional information must be obtained by banks regarding:
- the client and UBO(s);
- the purpose and nature of the business relationship;
- the source of funds which are used in the business relationship or transaction;
- the source of wealth of the client and UBO(s); and
- the background and reasons of the proposed or performed transactions.
In addition, senior management approval must be obtained for establishing or continuing the relationship and enhanced client monitoring measures must be implemented. The baseline elaborates on these requirements in case of low-, neutral- and high-risk scenarios.
|
|
Low or neutral risk |
High risk |
|
Client and UBO information |
Regular information gathering during client due diligence (CDD) process as provided for in article 3 of the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act is adequate. |
Additional information can be requested from the client or collected via desk research (for example, activities and employment). |
|
Purpose and nature of relationship |
When aligned with the established purpose and nature (also if by peer grouping), no additional information needed. |
Additional information can be requested from the client, (for example, further transactions and annual accounts) or collected via desk research. |
|
Source of funds (SoF) |
Assessment of information collected on SoF as part of the regular CDD process is adequate. |
Additional SoF information can be requested from the client or from a reliable source (for example, income statements and tax declaration). |
|
Source of wealth |
Information can be collected via desk research, with a plausibility check but no obligation to reach out to client and/or UBO. |
Collect information via desk research or information request to the client or UBO (for example, tax declaration). |
|
Background and reason for transaction |
When in line with the risk profile or expected transactions, no additional information needs to be collected. When outside risk profile or expected transactions, additional information should be obtained on context of the transaction via desk research or client outreach. |
Client outreach to collect information on the specific transactions – for example, invoices, booking confirmations – to the extent not already available. |
|
Senior management approval |
When in line with the risk profile or expected transactions, senior management approval is already assigned at client acceptance. When outside risk profile or expected transactions, the mandate for approval may delegated in accordance with the delegation framework. |
Senior management approval in accordance with the delegation framework. Senior management must be sufficiently informed on transactions and business relationships related to HRTC. |
|
Enhanced monitoring |
Having adequate transaction monitoring controls in place (including for HRTC) meets the requirement of enhanced monitoring. EDD measures for transactions with an HRTC executed within a business relationship only need to be applied when performing reviews. |
High risk clients are typically subject to more frequent reviews. Having adequate transaction monitoring controls in place (including for HRTC) meets the requirement of enhanced monitoring. |
Industry Baseline 4: Expected transaction profile
The baseline on expected transaction profile (ETP) describes the measures that can be applied during ongoing due diligence and transaction monitoring to detect deviations from expected transaction patterns and unusual transactions. Unusual transactions must be reported to the Dutch Financial Intelligence Unit (FIU). The baselines set out guidelines in relation to a range of topics related to ETPs:
- Purpose and scope. ETP is used to compare expected transaction behaviour with actual transaction behaviour and is usually based on expected transaction behaviour for groups of clients, combining client characteristics with transaction data.
- Risk relevant use. The starting point is that ETP must be applied in scenarios where this method has relevancy to detect certain risk(s).
- Banks decide on how they determine the ETP and document the ETP process. ETP can be based on information provided by the client or be derived from client data or client behaviour after onboarding. It is not required to define a unique ETP tailored to each individual client.
- Risk response. ETP-related alerts must be documented and acted upon, including where required a notification of an unusual transaction to the FIU.
- Client types. It may not always be possible to assign a specific client to a client group due to lack of homogeneity within the client portfolio. In such case, an individual ETP can be established or it may be decided that an ETP is not feasible, with substantiation of the rationale.
- Criteria to demonstrate effective implementation. The effectiveness of AML-CTF controls must be demonstrated by describing relevant processes in policies and procedures. The effectiveness on controls must be regularly tested and monitored within the structure if the three lines of defence model. Control measures must be tailored to test results, including potentially eliminating controls that require significant resources but which have minimal risk mitigating effects. When ETP is applied to client groups, it must substantiated how the group is established (for example, what is the homogeneity of the group). The methodology of ETP must be documented, tested and where required amended.
Industry Baseline 5: Client data actualisation
The baseline on client data actualisation describes the practice to identify client data that must be obtained and clarifies the method and timing to actualise such data. The baselines set out guidelines in relation to the below topics.
- Client data required by law to perform adequate CDD. The baseline lists the information that must be obtained from individuals, legal entities, representatives and UBO(s) in the context of CDD (excluding simplified due diligence and EDD).
- Moment of client data actualisation. Client data mut be actualised periodically (time based) or event driven (trigger based). It is allowed to determine that data correctness does not expire until there are reasons to doubt the correctness thereof. The preferred moment of data actualisation is trigger-based.
- Methods and sources. The baseline distinguishes three sources for client data actualisation: external sources, like chamber of commerce extracts and UBO registers; internal analysis based on the bank's internal sources, such as product use and ETP; and client contact and outreach. The baseline in detail sets out preferred methods and sources to actualise data.
- Risk relevancy. The decision on the moment of data actualisation and which sources will be used in that regard is determined by the bank, based on its risk profile and risk appetite. It is possible to differentiate in approach between client types and risk classifications.
- Criteria to demonstrate effective implementation. The effectiveness of client data actualisation must be demonstrated by describing relevant processes in policies and procedures, including moments, methods and sources used. The processes must be evaluated and adjusted where required.
Baselines status and more to come
The baselines are not statutory law and it is not mandatory to apply the baselines: they describe principles and guidelines that may be used by banks in designing their AML-CTF measures. If the baselines are applied, this must be done in a manner that takes into account the risk framework and risk appetite of the financial institution in question.
The NVB intends to publish around 12 more baselines, which will either be sector or subject oriented. In-scope sectors include non-profit organisations, crypto businesses, and automotive companies. Subjects that are in scope are politically exposed persons, SoFs, methods for alert handling, models for generating alerts and alert handling, and ongoing due diligence.
