The EU's 4th AML Directive, in Section 4 Articles 25-29, permits obliged entities to rely on other obliged entities for certain CDD tasks, as long as the party being relied upon is subject to an equivalent AML/CFT regime and is not in a high risk third country.
This is a limited permission, and applies only to some CDD tasks (clauses (a), (b) and (c) of the first subparagraph of Article 13.1), namely:
- Identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source.
- Identifying the beneficial owner and taking reasonable measures to verify that person's identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer.
- Assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.
While it supposedly applies to all types of obliged entity, the exceptions make it clear that is really about banking groups, rather than about international accountancy firms or legal groups, which may anyway not count as groups upon closer inspection.
If you were in an independent law firm in Portugal, would you be willing to rely on CDD carried out by a law firm in Lithuania, even one where there was some form of association? The risk of doing so could be quite high.
Article 28 permits parts of the same banking group to act as trusted third parties (TTPs) towards one another if there is a compliant, group-level AML/CFT policy but arguably only to the degree that the headquarters of the banking group is in an EU member state. If these conditions are fulfilled, all the banking entities (branches and subsidiaries) in any EU member state can benefit from this permission.
This just about dovetails into the obligation of a banking group with its headquarters in an EU member state to implement a compliant and group-level AML/CFT policy throughout all branches and subsidiaries, wherever they are located:
- In other EU member states.
- In non-EU countries that are not ranked by the EU as high risk.
- In non-EU countries that are ranked by the EU as high risk.
Under Article 26.2 it is left up to Member States to allow a banking group that has implemented this to gain a benefit, namely an exemption for all the group's branches and majority-owned subsidiaries established in the EU, whereby they may regard their sister branches and majority-owned subsidiaries in high risk countries as TTPs.
If we were talking about the Banco Santander group, and if its group AML/CFT policy was both compliant and implemented everywhere amongst its branches and majority-owned subsidiaries, any one of them established in the EU could rely on CDD done by any other part, say in Uruguay, China or Mexico.
If we were talking about JPMorgan Chase NA, though, its branches and subsidiaries in the EU could arguably not rely on one another at all because the group is headquartered outside the EU. This might be sufficient reason to create an EU-based bank and have all the EU operations as branches or subsidiaries of that bank.
The benefits of being able to rely on CDD work done by a sister entity are considerable, and spare the same work being done twice, but the permission only applies to CDD being carried out on the exact same legal entity on the client side. This limits its usefulness when dealing with a multinational corporate, where the "customer" is liable in each case to be a subsidiary incorporated in the same jurisdiction as the branch/subsidiary. No sister branch/subsidiary has done CDD on that entity, so the exemption counts for nothing.
Other than these limited exemptions, each obliged entity must do its own CDD, but it is allowed to rely on warranties from other legal entities about the matters falling within the scope of Article 13.1 (a) to (c). This could be as simple as a bank putting a stamp on every page of a set of documents and signing it, where the stamp has the wording "Certified by [name of bank] as a true copy of the original".
This was the arrangement within IBOS Association for account opening, where each partner bank lodged a signature list with the IBOS secretariat that was then made visible to all members in the membersí website. The wording of the signature list combined with the wording on the stamp and in the Membersí Protocol for Account Opening to deliver sufficient comfort from the introducing bank to the account-opening bank to induce the latter to regard the documents as if they had been notarised and apostilled. That covered off 13.1.a. The introducing bank also facilitated the delivery of the UBO information to cover off 13.1.b. Then there a so-called Customer Referral Sheet conveying commercial information signed by both the customer and the introducing bank, and this covered off 13.1.c.
Given that IBOS could not benefit from the provisions of Article 28 because it was a network of independent banks, and given that several of the members were headquartered outside the EU, this was as far as the reliance could be made to go.
It was a policy of the Association only to admit members who were headquartered in the EU or in one of the EU White List countries - the arrangement that preceded the EU High-Risk Third Country process. Being white-listed meant that the country had an equivalent AML/CFT regime to that of the EU.
In practical terms the "trusted third party" status substantially benefits groups of bank headquartered in the EU where it is the exact same customer requiring services from different EU-based branches and subsidiaries, but its main potential benefit on a wider scale is to enable confirmation of the authenticity of documents. However the giver and receiver of the authentication would usually want to be in a closer association with one another - like IBOS - rather than simply relying on any other obliged entity. How would they be sure it even was an obliged entity?