The Regulation setting out the measures firms covered by MLD4 must take when they are members of a group with offices outside the EU has been published in the OJEU. It will apply from 3 September 2019.
The Regulation:
- requires firms with branches or majority-owned subsidiaries in third countries to at least carry out a senior-manager-backed risk assessment which is reflected in group policies and procedures, and to provide training to the staff in those third countries;
- requires that, where the third country’s laws do not permit the group-wide policies to operate, the firm tells its home state regulator and considers how to mitigate the risk. If it can do this by getting consent from relevant customers, it must do so. If this is not possible, it must apply appropriate countermeasures, a list of which appears in the Regulation, to business and customers from the relevant jurisdiction – which at worst may mean terminating business relationships or business lines or closing the operation;
- requires firms to apply similar measures if the third country’s data protection legislation does not allow for sharing of data for AML/CTF purposes either within the group or to regulators. Where the information in question relates to suspicion reporting, certain information must additionally be provided to senior management so that it can make an informed decision about how this affects the risk assessment – and again, the ultimate action could be to stop business in the relevant jurisdiction; and
- finally, imposes similar notification and risk mitigation requirements in respect of required record-keeping (including the possibility of overcoming regulatory restrictions by getting customer consent).
All required notifications must be made within 28 days.