2022-11-15

Guidance on the Money Laundering Act

The Norwegian Financial Supervisory Authority issued this guidance to clarify the interpretation and administrative practice of the Money Laundering Act for supervised entities. It mandates a risk-based approach to customer due diligence, including enhanced measures for Politically Exposed Persons and virtual currency services, while establishing strict protocols for internal controls and reporting. The document further details obligations regarding the identification of beneficial owners, the use of third parties, and the prohibition of tipping off subjects of suspicious activity reports.

Norway

Finanstilsynet Norway

FINANSTILSYNET
Postboks 1187 Sentrum
0107 Oslo

Circular

Guidance on the Money Laundering Act

CIRCULAR: 4/2022
DATE: 15.11.2022

THE CIRCULAR APPLIES TO:

  • Banks
  • Credit institutions
  • Financing companies
  • E-money institutions
  • Loan intermediaries
  • Companies engaged in currency exchange
  • Payment institutions and others entitled to provide payment services
  • Agents for foreign payment institutions
  • Exchange and custody services for virtual currency
  • Insurance companies
  • Insurance intermediaries
  • Securities companies
  • Asset management companies for investment funds
  • Alternative investment fund managers
  • Central securities depositories
  • External accountants
  • Accountants
  • Auditors
  • Real estate agents

Contents

1 Introduction
1.1 The Money Laundering Act of 2018
1.2 Newer reporting entities
1.2.1 Agents for foreign payment institutions
1.2.2 Exchange and custody services for virtual currency
1.2.3 Specifics on newer payment services
2 Risk-based approach, risk assessment and procedures
2.1 Risk-based approach
2.2 Risk assessment
2.2.1 Introduction
2.2.2 Method, scope and design
2.2.3 Details on content
2.2.4 Expectations regarding source of funds
2.2.5 Anchoring of risk assessment
2.2.6 Specifics on new products, services and new technology
2.3 Procedures
2.3.1 Requirements for the company's money laundering procedures
2.3.2 Content of the procedures
2.3.3 Overarching procedures vs. operational procedures
2.4 Risk classification
3 Organization
3.1 Internal control
3.2 Money Laundering Compliance Officer
3.2.1 Responsibilities and organization of Money Laundering Compliance Officers
3.2.2 Group relationships and branches
3.2.3 Outsourcing of Money Laundering Compliance Officer
3.2.4 Suitability of Money Laundering Compliance Officers
3.3 Compliance Officer
3.4 Internal audit
4 Customer due diligence
4.1 Obligation to perform customer due diligence
4.1.1 When customer due diligence shall be performed
4.1.2 Establishment of customer relationship
4.1.2.1 Introduction
4.1.2.2 Customer relationships in multiple branches
4.1.2.3 Reporting entities providing services not regulated by the Money Laundering Act
4.1.2.4 Specifics on manager registration
4.1.2.5 Corporate finance assignments
4.1.2.6 Loan syndicates
4.1.2.7 Guarantee facilities to group companies
4.1.2.8 Guardianship
4.1.2.9 Agreements with multiple parties
4.1.2.10 Guarantors and sureties
4.1.2.11 Payment mandate services
4.1.3 Execution of individual transactions
4.1.4 Suspicion of money laundering or terrorist financing
4.1.5 Prepaid e-money cards – exemption from requirement for customer due diligence
4.1.6 Exemption from certain customer due diligence for products linked to public benefits
4.2 Purpose and intended nature of the customer relationship
4.2.1 Introduction
4.2.2 Purpose of the customer relationship
4.2.3 Intended nature of the customer relationship
4.2.4 Assessment and confirmation of information
4.2.5 Details on the origin of funds
4.2.5.1 Specifics on funds originating from virtual assets, including virtual currency
4.2.6 Specifics on customer relationships with customers who are reporting entities
4.3 Confirmation of identity – natural persons
4.3.1 The customer
4.3.1.1 Identification
4.3.1.2 Obligation to confirm correct copy of received identification documents
4.3.1.3 Specifics on electronic identification
4.3.1.4 Confirmation of identity without personal appearance
4.3.1.5 Access to basic services and financial inclusion
4.3.1.6 Persons without valid identification – minors
4.3.1.7 Persons without valid identification – persons under guardianship
4.3.1.8 Persons without valid identification – elderly and very ill persons
4.3.1.9 Persons without valid identification – foreign nationals
4.3.2 Persons acting or disposing on behalf of the customer
4.3.2.1 Confirmation of identity
4.3.2.2 Confirmation of the right to act on behalf of the customer
4.4 Confirmation of identity – legal persons
4.4.1 Lookup in or printout from register or company certificate
4.4.2 Obligation to confirm correct copy of identification documents
4.4.3 Requirements for organization number and registration obligation
4.4.3.1 Entities and companies with registration right, but not registration obligation
4.4.3.2 Companies in formation
4.4.3.3 Companies without organization number
4.4.3.4 Board members and managing directors
4.4.4 Natural persons acting on behalf of the customer or having disposal rights
4.5 Ownership, control and beneficial owners
4.5.1 Purpose and starting point
4.5.1.1 Understanding the ownership and control structure of the customer
4.5.2 Definition of beneficial owners
4.5.3 Risk-based approach
4.5.4 Identification of beneficial owners when the customer is a natural person
4.5.5 Identification of beneficial owners when the customer is not a natural person
4.5.5.1 General on identification of beneficial owners when the customer is not a natural person
4.5.5.2 Identification of beneficial owners when the customer is a legal person or association
4.5.5.3 Identification of beneficial owners through indirect control
4.5.5.4 When there are no beneficial owners, or there is doubt about whether the identified are beneficial owners
4.5.5.5 Exemption for listed companies
4.5.5.6 Identification of beneficial owners in a foundation or a foreign legal arrangement
4.5.5.7 Beneficial owners – some examples
4.5.5.8 Occupational pension
4.5.5.9 Branches
4.5.6 Register of beneficial owners
4.5.7 Confirmation of the identity of beneficial owners
4.5.8 Documentation
4.6 Simplified customer due diligence
4.6.1 Introduction
4.6.2 Examples of simplified customer due diligence
4.6.3 Risk factors in the Money Laundering Regulation § 4-6
4.6.3.1 Risk factors related to the type of customer
4.6.3.2 Risk factors related to product, transaction, service provision or delivery channel
4.6.3.3 Geographic risk factors
4.7 Customer due diligence in property insurance and life insurance
4.7.1 Property insurance – exemption from requirement for customer due diligence
4.7.2 Life insurance
4.8 Enhanced customer due diligence
4.8.1 Introduction
4.8.2 Which measures shall be performed?
4.8.3 Risk factors
4.8.3.1 Risk factors related to customer
4.8.3.2 Risk factors related to product, transaction, service or delivery channel
4.8.3.3 Geographic risk factors
4.9 Enhanced customer due diligence – Politically Exposed Persons (PEP)
4.9.1 Purpose
4.9.2 Who is a PEP?
4.9.3 National positions considered as PEP
4.9.4 Handling of PEP
4.9.5 Systems to determine if the customer relationship involves a PEP
4.9.6 Enhanced customer due diligence in customer relationships where PEP is involved
4.9.6.1 Information to be obtained about PEP
4.9.6.2 Enhanced customer due diligence
4.9.7 Ongoing follow-up of PEP
4.9.8 De-risking of PEPs
4.10 Enhanced customer due diligence – correspondent relationships
4.10.1 General
4.10.2 Correspondent relationships within the EEA
4.10.3 Correspondent relationships outside the EEA
4.10.4 RMA keys
4.10.5 Respondent relationships
4.10.6 Underlying correspondent relationships («nested accounts» / «downstream banking»)
4.11 Ongoing follow-up
5 Rejection, partial termination and termination of customer relationships
5.1 Rejection of customer or transaction
5.2 Termination, partial termination and blocking of ongoing customer relationships
5.3 Relationship to reporting obligation
5.4 Handling of customer deposits upon termination
5.4.1 Introduction
5.4.2 Practical execution of termination – handling of customer funds
6 Investigation and reporting
6.1 Investigation obligation
6.1.1 When does the investigation obligation arise?
6.1.2 Specifics on electronic transaction monitoring
6.1.3 What does the investigation obligation cover?
6.1.4 Processing of indications of money laundering and terrorist financing
6.2 Reporting obligation
6.2.1 Obligation to provide Økokrim with further information upon request
6.2.2 Exemption from liability
6.3 Prohibition of tipping off
6.3.1 Purpose of the prohibition of tipping off
6.3.2 Content of the prohibition of tipping off
6.3.3 Who does the prohibition of tipping off apply to?
6.3.4 Exemptions from the prohibition of tipping off
6.3.5 Notification to the prosecution authority and supervisory authority
6.3.6 Group relationships
6.3.7 Exemption for banks, credit, financing and insurance companies
6.3.8 Exemption for reporting entities regarding joint customer etc.
6.3.8.1 Conditions regarding joint customer
6.3.8.2 Conditions regarding a transaction where the relevant reporting entities are involved
6.3.8.3 Conditions regarding the same professional category
6.4 Execution of suspicious transactions
6.4.1 Stop of suspicious transaction – notification to Økokrim
6.4.2 Execution of suspicious transaction before notification to Økokrim
6.4.3 Subsequent notification to Økokrim
7 Requirements for systems that enable quick and complete answers to authorities
8 Use of third parties
8.1 Support tools
8.2 Customer due diligence performed by third party
8.2.1 General
8.2.2 Customer due diligence performed by foreign third parties
8.2.3 Third-party control in group
8.3 Outsourcing
8.3.1 What can be outsourced?
8.3.2 Who can it be outsourced to?
8.3.3 Control of the supplier
8.3.4 Responsibility in outsourcing
9 Processing of information
9.1 Information sharing
9.1.1 Right to exchange within the same legal entity
9.1.2 Exchange of information in group
9.1.2.1 Conditions for exchange of information in group
9.1.2.2 Joint customer register
9.1.2.3 Centralized function for information sharing
9.1.2.4 Obligation to exchange information in group
9.1.2.5 Exchange of information between reporting entities
9.2 Registration and storage of information
9.3 Deletion of information
10 Other obligations
10.1 Training
10.2 Protection of employees – whistleblowing systems
10.2.1 Protection against negative reactions during investigations and reporting
10.2.2 Whistleblowing system
10.3 Electronic monitoring system
10.3.1 Introduction
10.3.2 Requirements for use of electronic monitoring system
10.3.3 Requirements for the electronic monitoring system
10.3.4 Specifics on screening against sanctions lists
10.3.5 Dispensation from the requirement for electronic monitoring system
10.4 Reporting entities' operations abroad

1 Introduction

Money laundering is all handling of proceeds from criminal acts. Terrorist financing is the financing of terrorist acts, terrorist organizations or individual terrorists. Companies under supervision shall prevent and detect matters related to proceeds from criminal acts or related to terrorist financing. Further rules on this follow from the money laundering regulatory framework. The measures in the money laundering regulatory framework shall protect the financial and economic system and society as a whole.

This circular replaces Finanstilsynet's circular 8/2019. It expresses Finanstilsynet's interpretation and administrative practice related to the money laundering regulatory framework. The circular applies to all reporting entities under Finanstilsynet's supervision.

1.1 The Money Laundering Act of 2018

In 2018, the new Money Laundering Act came into force (Act of 1 June 2018 No. 23 on measures against money laundering and terrorist financing). The law is based on the recommendations of the Financial Action Task Force (FATF) and the EU's Fourth Money Laundering Directive, and it introduced certain changes and clarifications compared to previous legislation. For example, the group of reporting entities was expanded, the category of politically exposed persons (PEP) was expanded to also include national PEPs, and companies can be fined for non-compliance with the law.

A regulation to the law has been issued, Regulation of 14 September 2018 No. 1324 on measures against money laundering and terrorist financing (the Money Laundering Regulation). The law and the regulation came into force on 15 October 2018.

This circular also includes guidance on subsequent amendments to the Money Laundering Act and its regulation, including amendments to implement the EU's amending directive, the so-called Fifth Money Laundering Directive (Directive 2018/843).
1.2 Newer reporting entities

1.2.1 Agents for foreign payment institutions

It follows from the Money Laundering Regulation § 1-2 first paragraph that the Money Laundering Act Chapter 4 on customer due diligence and ongoing follow-up, Chapter 5 on closer investigations and reporting, and §§ 40 and 52, apply to agents for payment institutions from other EEA countries (hereinafter referred to as «agents»). Even though the agents and their networks in Norway are not subject to requirements for their own risk assessment and procedures, they must still document that they have risk-based customer due diligence and ongoing follow-up, cf. Money Laundering Act § 9. Agents can be given orders and coercive fines under Money Laundering Act § 47, and they can be ordered to temporarily cease operations in Norway.

Finanstilsynet can order foreign payment institutions with agents in Norway to establish a central contact point, cf. Money Laundering Regulation § 7-2. The central contact point shall ensure that the business complies with Norwegian money laundering rules, facilitate cooperation with authorities, and report suspicious matters to Økokrim. The central contact point shall be located in Norway and have good knowledge of the Norwegian language and the money laundering regulatory framework.

In some cases, an agent and the principal foreign payment institution («the principal») have an agreed division of tasks regarding compliance with Money Laundering Act Chapters 4 and 5. Money Laundering Regulation § 1-2 does not prevent a division of tasks between the principal and the agent, but the division of tasks must be described clearly in an agreement between the parties. For example, some actors have centralized solutions where the principal handles many of the duties in Money Laundering Regulation Chapters 4 and 5, while the agents act as an extended first-line role with limited autonomy. With other actors, the opposite is the case: the agents perform more of the tasks and have greater freedom to make relevant assessments and decisions related to Chapters 4 and 5.

The principal is obliged to comply with the host state's money laundering regulatory framework, and is responsible for ensuring that its agents do the same. According to Money Laundering Regulation § 1-2, the agents have an independent responsibility for ensuring that the duties under Money Laundering Act Chapters 4 and 5 are taken care of in a prudent manner. A division of tasks between the parties where the principal performs one or more tasks that fall to the agent under Norwegian regulation does not exempt the agent from responsibility. The agent may be given orders and coercive fines under Money Laundering Act § 47 even if the deficiency is related to the execution of a task handled by the principal.

1.2.2 Exchange and custody services for virtual currency

Virtual currency is defined in Money Laundering Regulation § 1-3 as «… a digital expression of value, which is not issued by a central bank or public authority, which is not necessarily linked to an official currency, and which does not have legal status as currency or money, but which is accepted as a means of payment, and which can be transferred, stored or traded electronically.»

The duties under the Money Laundering Act apply to providers of exchange and/or custody services for virtual currency. These are reporting entities under the Money Laundering Act, cf. Money Laundering Regulation § 1-3, and only businesses registered with Finanstilsynet can offer such services. The registration obligation includes, among other things, services such as

  • trading or exchanging a type of virtual currency for an official currency, for example Bitcoin and Norwegian kroner, or vice versa
  • exchanging between different types of virtual currencies, for example between Bitcoin and Ethereum
  • facilitating trading and exchanges by connecting buyers and sellers, for example through a platform
  • storing private cryptographic keys on behalf of others, to transfer, store or trade virtual currency

All exchanges between different virtual currencies, as well as between virtual currency and official currencies from all countries, are covered. This applies regardless of payment method, i.e., whether virtual currency is bought/sold with credit card, cash, e-money etc.

Providers of exchange and/or custody services for virtual currency are reporting entities under Money Laundering Regulation § 1-3 if they:

a) are registered as a company in Norway, or
b) operate from Norway, or
c) target the Norwegian market.

Finanstilsynet considers, among others, service providers who actively target the Norwegian market, for example through marketing/advertising, websites in Norwegian or actively offering exchange in Norwegian kroner, to be reporting entities under Norwegian regulation. Similarly, a service provider that targets the Norwegian market through some form of agency activity will be a reporting entity under the Money Laundering Regulation.

Loyalty programs and similar, such as bonus points, are generally not covered by the definition of virtual currency