2023-01-01

Rulebook on the Procedure for Assessing Money Laundering and Terrorist Financing Risks and the Method for Implementing Simplified and Enhanced Customer Due Diligence Measures

The Croatian Financial Services Supervisory Agency (HANFA) issued this Rulebook to mandate that regulated entities establish a risk-based procedure for assessing money laundering and terrorist financing risks associated with individual business relationships and occasional transactions. It requires obligors to conduct comprehensive customer due diligence, including initial and enhanced measures, while considering specific risk factors related to the customer, geography, products, and delivery channels. The document further stipulates that in case of conflict with European Banking Authority guidelines, those guidelines shall prevail, ensuring alignment with EU Directive 2015/849 standards.

Croatia

Croatian Financial Services Supervisory Agency

Croatian Financial Services Supervisory Agency, 10000 Zagreb, Franje Račkoga 6, P.O. Box 164, Croatia t: 01 6173 200, f: 01 4811 507, e: info@hanfa.hr, OIB: 49376181407, MB: 02016419, w: www.hanfa.hr

RULEBOOK ON THE PROCEDURE FOR ASSESSING RISKS OF MONEY LAUNDERING AND TERRORIST FINANCING AND THE METHOD FOR IMPLEMENTING MEASURES OF SIMPLIFIED AND ENHANCED CUSTOMER DUE DILIGENCE (Official Gazette, No. 59/18, 144/21 and 69/23 – unofficial consolidated text)

PART ONE CHAPTER I. GENERAL PROVISIONS

Article 1. (OG 69/23) (1) This Rulebook prescribes for the obligated entities the procedure for assessing risks of money laundering and terrorist financing, the risk factors that obligated entities must consider when assessing the risks of money laundering and terrorist financing associated with an individual business relationship and occasional transaction, and the method for implementing measures of simplified and enhanced customer due diligence. (2) The obligated entities referred to in paragraph 1 of this Article are companies from Article 9, paragraph 2, points 6, 7, 8, 9, 10, 11, 12, 13, and 19 of the Act on the Prevention of Money Laundering and Terrorist Financing ("Official Gazette", Nos. 108/17, 39/19, and 151/22) over which the Croatian Financial Services Supervisory Agency conducts supervision of the application of that Act, and branches of similar companies from other Member States and third countries, which are established in the Republic of Croatia in accordance with the law governing their work. (3) The obligated entities from Article 9, paragraph 2, points 6, 7, 8, 9, 10, and 11 of the Act on the Prevention of Money Laundering and Terrorist Financing are obliged, in addition to this Rulebook, to apply the Guidelines of the European Banking Authority on customer due diligence and factors that credit and financial institutions should take into account when assessing the risks of money laundering and terrorist financing associated with individual business relationships and occasional transactions, which were adopted on the basis of Article 17 and Article 18, paragraph 4 of Directive (EU) 2015/849 (EBA/GL/2021/02), and for which HANFA declared compliance with the European Banking Authority on September 29, 2021, whereby, in the event of any inconsistency between the provisions of this Rulebook and the aforementioned Guidelines, the aforementioned Guidelines shall apply. 
In areas not otherwise regulated by the aforementioned Guidelines, the provisions of this Rulebook shall apply. (4) The obligated entities from Article 9, paragraph 2, points 12, 13, and 19 of the Act on the Prevention of Money Laundering and Terrorist Financing are obliged, in addition to this Rulebook, to apply the Guidelines of the European Banking Authority on customer due diligence and factors that credit and financial institutions should take into account when assessing the risks of money laundering and terrorist financing associated with individual business relationships and occasional transactions, which were adopted on the basis of Article 17 and Article 18, paragraph 4 of Directive (EU) 2015/849 (EBA/GL/2021/02), whereby, in the event of any inconsistency between the provisions of this Rulebook and the aforementioned Guidelines, the aforementioned Guidelines shall apply. In areas not otherwise regulated by the aforementioned Guidelines, the provisions of this Rulebook shall apply.

Article 2. The terms used in this Rulebook have the following meanings:

  1. HANFA is the Croatian Financial Services Supervisory Agency
  2. Act is the Act on the Prevention of Money Laundering and Terrorist Financing ("Official Gazette", No. 108/17)
  3. Directive (EU) 2015/849 is Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, amending Regulation (EU) No 648/2015 of the European Parliament and of the Council and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (Text with EEA relevance) (OJ L 141, 5.6.2015.)
  4. Regulation (EU) 2015/847 is Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (Text with EEA relevance) (OJ L 141, 5.6.2015.)
  5. Regulation (EU) 910/2014 is Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014.)
  6. Regulation (EU) 2016/679 is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) (OJ L 119, 4.5.2016.)
  7. Office is the Office for the Prevention of Money Laundering
  8. politically exposed person is a person defined by the provisions of Article 46 of the Act
  9. family members of a politically exposed person are persons defined by the provisions of Article 46, paragraph 4 of the Act
  10. close associate of a politically exposed person is a person defined by the provisions of Article 46, paragraph 5 of the Act
  11. Member State is a state defined by the provisions of Article 4, point 3 of the Act
  12. third country is a state defined by the provisions of Article 4, point 44 of the Act
  13. customer is a person defined by the provisions of Article 4, point 41 of the Act
  14. EEA is the European Economic Area
  15. OECD is the Organisation for Economic Co-operation and Development
  16. G20 is the Group of Twenty finance ministers and central bank governors
  17. FATF is the intergovernmental body described in Article 4, point 34 of the Act
  18. FSAP is the Financial Sector Assessment Program
  19. business relationship is a business, professional or commercial relationship connected with the professional activities of the obligated entity and from which at the time of its establishment it is expected to contain an element of permanence
  20. risk factors are variables that, alone or in combination, may increase or decrease the risk of money laundering and terrorist financing posed by a specific individual business relationship or occasional transaction
  21. risk is the effect and likelihood of the occurrence of money laundering and terrorist financing, and refers to the existing risk, i.e., the level of risk that exists prior to the application of risk mitigation measures, and does not refer to residual risk, i.e., the level of risk that remains after the application of risk mitigation measures
  22. risk-based approach is an approach in which competent authorities and obligated entities identify, assess and understand the risks of money laundering and terrorist financing to which obligated entities are exposed and take measures to prevent money laundering and terrorist financing that are proportionate to those risks
  23. source of funds is the origin of funds involved in a business relationship or occasional transaction, which includes the activity by which the funds used in the business relationship were created
  24. source of wealth is the origin of the customer's total assets
  25. complex and unusual transaction is a transaction that is larger than expected by the obligated entity with regard to knowledge of the customer, business relationship or category to which the customer belongs, or has an unusual or unexpected pattern compared to the usual activity of the customer or pattern of transactions associated with similar customers, products or services, or is very complex compared to other, similar transactions associated with similar types of customers, products or services, as well as transactions without apparent economic or visible legal purpose, and those that deviate from the usual or expected business of the customer, even if reasons for suspicion of money laundering and terrorist financing have not yet been established for such a transaction
  26. countries associated with higher risks of money laundering and terrorist financing are countries that, based on the assessment of risk factors from Chapter II of this Rulebook, represent a higher risk of money laundering and terrorist financing. The term includes, but is not limited to, high-risk third countries for which strategic deficiencies in their systems for preventing money laundering and terrorist financing have been identified under Article 49, paragraph 4 of the Act
  27. predicate criminal offense is a criminal offense defined by the provisions of Article 4, point 33 of the Act.

CHAPTER II. RISK ASSESSMENT AND RISK MANAGEMENT OF MONEY LAUNDERING AND TERRORIST FINANCING

Article 3. The obligated entity is obliged, when assessing and managing risks of money laundering and terrorist financing associated with a business relationship and occasional transaction, to include the following:

  1. assessment of the entire business in terms of products and services offered, types and profiles of customers, number and size of transactions, and delivery channels through which services are offered to customers;
  2. customer due diligence, including initial customer due diligence prepared before establishing a business relationship or executing an occasional transaction, the level and type of which the obligated entity determines based on findings and assessment of the entire business;
  3. comprehensive consideration and review of risks associated with a specific business relationship and occasional transaction, including additional customer due diligence measures and comprehensive information to identify all relevant risk factors; and
  4. regular updating and revision of prepared risk assessments, monitoring transactions, and as necessary, investigating sources of funds, and control and review of prepared risk assessments with the aim of determining changes in the risk of the business relationship.

Customer Due Diligence

Article 4. (1) Before establishing a business relationship or executing an occasional transaction, the obligated entity is obliged to apply initial customer due diligence. (2) The initial analysis referred to in paragraph 1 of this Article includes at least risk-based measures with the aim of:

  1. identifying the customer and, where applicable, the beneficial owner or legal representatives of the customer;
  2. verifying the identity of the customer based on reliable and independent sources and, where applicable, verifying the identity of the beneficial owner of the customer for secure establishment;
  3. determining the purpose and intended nature of the business relationship.

Comprehensive Review of Risks of a Business Relationship or Occasional Transaction

Article 5. (1) The obligated entity is obliged to collect sufficient information to ensure the identification of all relevant risk factors, including the application of additional customer due diligence measures, when necessary. (2) The obligated entity is obliged to assess risk factors and create a comprehensive risk review associated with an individual business relationship and occasional transaction.

Assessment of Risks of Money Laundering and Terrorist Financing

Article 6. (1) The assessment of risks of money laundering and terrorist financing consists of:

  1. identification of risks of money laundering and terrorist financing; and
  2. assessment of risks of money laundering and terrorist financing.

(2) The obligated entity is obliged, when identifying risks of money laundering and terrorist financing, to be guided by the following risk factors:

  1. customer risk factors;
  2. country and geographical area risk factors;
  3. product, service, and transaction risk factors;
  4. delivery channel risk factors.

(3) The obligated entity is obliged, where possible, to collect information on risk factors of money laundering and terrorist financing from different sources, whether accessing them individually or through commercially available mechanisms or databases where information from several sources is consolidated. (4) The obligated entity is obliged to determine the type and number of data sources containing information and data on factors. (5) The information sources that the obligated entity is obliged to take into account when determining the sources from paragraph 4 of this Article are:

  1. supranational assessment of risks of money laundering and terrorist financing by the European Commission;
  2. national assessment of risks of money laundering and terrorist financing;
  3. strategic publications and warnings of state authorities and explanations given with relevant regulations;
  4. guidelines, circulars, and information of competent authorities and explanations of decisions on imposed penalties;
  5. threat reports, warnings, and typologies and other information of the Office and law enforcement agencies;
  6. information obtained as part of initial customer due diligence.

(6) The obligated entity may also take into account other relevant information sources such as:

  1. its own knowledge and professional experience;
  2. information from obligated entities' associations on typologies and emerging risk information;
  3. information from civil society on corruption indices and other country reports;
  4. information from international bodies responsible for setting standards on mutual evaluation reports or non-binding blacklists;
  5. information from credible and reliable public sources and media;
  6. information from credible and reliable commercial organizations, such as risk reports; and
  7. information from statistical organizations and the academic community.

Risk Assessment Factors

Article 7. (1) The obligated entity is obliged to prescribe in its internal act the risk factors it will use and apply. When defining risk factors, the obligated entity is obliged to consider at least the risk factors from this Rulebook and the Act. The risk factors prescribed by this Rulebook do not represent a final list of risk factors and are considered in accordance with the circumstances of each case. (2) When assessing the risk of an individual business relationship or occasional transaction, the obligated entity is not obliged to identify all risk factors prescribed by this Rulebook, but only those that are relevant to the specific business relationship or occasional transaction. (3) The obligated entity is obliged to adopt a comprehensive risk approach associated with the circumstances of a specific business relationship or occasional transaction and take into account that the existence of isolated risk factors does not necessarily raise or lower the risk category, except in the case referred to in Article 44 of the Act.

Customer Risk Factors

Article 8. (1) The obligated entity is obliged, when identifying risks associated with the customer and the beneficial owner of the customer, to consider risks related to their business or professional activity, reputation, and nature and behavior. (2) The risk factors related to the business or professional activity of the customer or beneficial owner of the customer that the obligated entity is obliged to consider are the following:

  1. whether the customer or beneficial owner of the customer is connected with sectors exposed to higher corruption risks, for example, the construction sector, pharmaceutical sector, healthcare sector, arms and defense trade, mining industry, or public procurement sector;
  2. whether the customer or beneficial owner of the customer is connected with sectors exposed to higher risks of money laundering and terrorist financing, for example, money transfer services, casinos, or precious metal dealers;
  3. whether the customer or beneficial owner of the customer is connected with sectors involving significant amounts of cash;
  4. in the case where the customer is a legal entity or subject from Article 26, paragraph 1 of the Act, what is the purpose of their establishment, for example, what is the nature of their business;
  5. whether the customer or beneficial owner of the customer is a politically exposed person or if there are other relevant connections with a politically exposed person;
  6. whether the customer or beneficial owner of the customer holds another prominent public office or is a person who could abuse their position for personal gain, for example, members of prominent sports bodies with decision-making powers or individuals who can influence the executive branch or other decision-makers;
  7. whether the customer is a legal entity subject to disclosure requirements that ensure that reliable information about the beneficial owner of the customer is publicly available, for example, joint-stock companies whose shares are listed on the stock exchange;
  8. whether the customer is a credit or financial institution acting for its own account in a country with an effective system for preventing money laundering and terrorist financing and which is supervised regarding compliance with obligations to prevent money laundering and terrorist financing;
  9. whether the customer is a credit or financial institution against which sanctions or other measures have been applied by the competent authority in recent years due to failures in fulfilling obligations to prevent money laundering and terrorist financing or other relevant failures in business;
  10. whether the customer is a public administration body or a commercial company from a country with low levels of corruption;
  11. whether the background of the customer or beneficial owner of the customer is consistent with the obligated entity's knowledge of their previous, existing, or planned business activity, business income, source of funds, and assets of the customer or beneficial owner.

(3) The risk factors related to the reputation of the customer or beneficial owner of the customer that the obligated entity is obliged to consider are the following:

  1. whether there are unfavorable reports from credible and reliable media or other information sources about the customer or beneficial owner of the customer, for example, allegations of criminal offenses or connection with terrorism or terrorist financing. It is not necessary that a final judgment has been issued for these illegal acts;
  2. whether, due to administrative or criminal proceedings or allegations of terrorist activity or terrorist financing, the assets of the customer, beneficial owner of the customer, or any person known to be closely connected with them have been frozen or the obligated entity has grounds to suspect that they have been frozen;
  3. whether the obligated entity has knowledge that the customer or beneficial owner of the customer has been reported to the Office due to suspicious transactions; and
  4. whether the obligated entity has other information about the integrity of the customer or beneficial owner of the customer that it has collected during the course of the business relationship.

(4) The obligated entity must take into account that some of the risk factors related to the nature and behavior of the customer or beneficial owner of the customer will not be visible at the establishment of the business relationship, or may appear after the business relationship has already been established. (5) The risk factors related to the nature and behavior of the customer or beneficial owner of the customer that the obligated entity is obliged to consider are the following:

  1. whether the customer has a justified reason for not being able to provide solid proof of its identity, for example, because it is a person seeking international protection;
  2. whether there is doubt about the authenticity or truthfulness of the identity of the customer or beneficial owner of the customer;
  3. whether there is suspicion that the customer is trying to avoid establishing a business relationship, for example, the customer intends to execute one transaction or several one-off transactions even though establishing a business relationship would be more economically justified;
  4. whether the ownership and control structure of the customer is complex or opaque and whether there is an obvious business or legal justification for this;
  5. whether the customer issues bearer shares or has nominal shareholders;
  6. whether the customer is a legal entity or legal arrangement that could be used as a means of holding assets;
  7. whether there is a justified reason for a change in the ownership and control structure of the customer;
  8. whether the customer requests the execution of transactions that are complex, unusually or unexpectedly large, or have an unusual or unexpected flow without apparent economic or visible legal purpose or business justification;
  9. whether there is reason to suspect that the customer is trying to avoid the thresholds from Article 16, paragraph 1, points 2 and 3, and Article 61, paragraph 1 of the Act;
  10. whether the customer requests unnecessary or unreasonable levels of secrecy, for example, hesitates to provide information necessary for the implementation of due diligence or shows signs of concealing the true nature of its business;
  11. whether the information provided about the source of wealth or source of funds of the customer or beneficial owner of the customer is understandable and convincing, for example, the source of funds comes from salary, inheritance, or investment;
  12. whether the customer uses products and services contracted in accordance with expectations at the establishment of the business relationship;
  13. whether the needs of the customer who is a non-resident could be better met elsewhere and whether there is an obvious economic and legal justification for the type of transaction the customer requests; and
  14. whether the customer is a non-profit organization whose activities could be abused for the purposes of terrorist financing.

Country or Geographical Area Risk Factors

Article 9. (1) The obligated entity is obliged, when identifying risks associated with countries and geographical areas, to consider risks related to countries where the customer and beneficial owner of the customer:

  1. have their headquarters or residence;
  2. have their main place of business; and
  3. have relevant personal or business connections.

(2) The obligated entity is obliged to take into account that the nature and purpose of the business relationship can often be a decisive factor in the relative importance of individual country and geographical risk factors, for example:

  1. when the funds used in the business relationship were earned outside the Republic of Croatia, the level of predicate criminal offenses and the effectiveness of the legal system of another country may be an important factor;
  2. when funds are received from countries or sent to countries where it is known that terrorist groups operate, the obligated entity is obliged to consider to what extent this may cause suspicion, based on the company's knowledge of the purpose and nature of the business relationship;
  3. when the customer is a credit or financial institution, the obligated entity is obliged to take into account the adequacy of the system for preventing money laundering and terrorist financing in the country and the effectiveness of supervision of money laundering and terrorist financing prevention in that country;
  4. when the customer is a legal entity, the obligated entity is obliged to take into account the extent to which the country with which the customer and, if necessary, the beneficial owner of the customer are connected effectively fulfills international standards for tax transparency.

(3) The risk factors that the obligated entity is obliged to consider when determining the effectiveness of the system for preventing money laundering and terrorist financing of a specific country are the following:

  1. whether it is a high-risk third country determined by Directive (EU) 2015/849;
  2. existence of information from more than one credible and reliable source on the quality of controls for preventing money laundering and terrorist financing in the country, which includes information on the quality and effectiveness of regulatory measures and supervision;
  3. information sources may include: a) FATF mutual evaluation reports or reports of regional bodies modeled on FATF; b) FATF list of high-risk and non-cooperative countries; c) assessments by the International Monetary Fund; and d) FSAP reports;
  4. the obligated entity must take into account that membership in FATF or a regional body modeled on FATF does not presuppose that the system for preventing money laundering and terrorist financing of a specific country is adequate and effective.

(4) The risk factors that the obligated entity is obliged to consider when determining the level of terrorist financing risk associated with a specific country are:

  1. existence of information from authorities responsible for enforcing the Act or credible and reliable media sources that the country finances or supports terrorist activities or that it is known that terrorist groups operate within that country or territory; and
  2. the country being subject to financial sanctions, embargoes, or measures related to terrorism, terrorist financing, or proliferation of weapons imposed by the United Nations or the European Union.

(5) The risk factors that the obligated entity is obliged to consider when determining the level of transparency and tax discipline of a country are the following:

  1. existence of information from more than one credible and reliable source that the country is compliant with international standards for tax transparency and information exchange and evidence that appropriate rules are effectively applied in practice;
  2. Information sources may include: a) reports of the OECD Global Forum on Transparency and Exchange of Information for Tax Purposes in which countries are assessed for the purposes of tax transparency and information exchange; b) assessments of the obligation for automatic exchange of information which j