2022-02-23

FMA Circular on Internal Organisation for the Prevention of Money Laundering and Terrorist Financing

The Austrian Financial Market Authority issued this February 2022 circular to provide guidance on the internal organizational frameworks obliged entities must establish to comply with the Financial Markets Anti-Money Laundering Act. The document mandates the appointment of a dedicated Anti-Money-Laundering Officer who reports directly to management and possesses specific competences, including free access to data and the authority to stop transactions. It further details requirements for deputy officers, outsourcing arrangements, risk assessments, group-wide policies, and the fitness and propriety standards for key personnel.


Austria

Finanzmarktaufsicht


Document No.: 02/2022
Publication date: 23.02.2022

FMA CIRCULAR ON INTERNAL ORGANISATION FOR THE PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING

Version: February 2022

Disclaimer: This circular does not constitute a legal regulation. It is intended to serve as guidance and reflects the FMA's legal interpretation. No rights and obligations extending over and above the provisions of the law can be derived from circulars.

TABLE OF CONTENTS

1 Introduction
2 Anti-Money-Laundering Officer
  2.1 Legal Basis
  2.2 Organisational requirements
    2.2.1 Duties of the AML Officer
    2.2.2 Competences of the AML Officer
    2.2.3 Fitness and propriety of the AML Officer
    2.2.4 Compatibility of functions and activities
3 Outsourcing
  3.1 Legal Basis
  3.2 Outsourcing the function of the AML officer and its tasks
4 Strategies, Checks and Procedures
  4.1 Legal Basis
  4.2 Proportionality and Resources
  4.3 General Scope of Strategies, Checks and Procedures
  4.4 General requirements regarding strategies, controls and procedures
  4.5 Group-wide requirements regarding strategies and procedures
    4.5.1 General
    4.5.2 Reporting
    4.5.3 Evaluation
  4.6 Training courses
  4.7 Personal reliability of employees
  4.8 Central contact points pursuant to Article 23 para. 7 FM-GwG
5 Annex
  5.1 Literature
  5.2 Description of the control inspection plan

1 INTRODUCTION

The due diligence obligations for the prevention of money laundering and terrorist financing in accordance with the Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz¹) stipulate numerous organisational precautions, which inter alia include the establishment of a special officer pursuant to Article 23 para. 3 FM-GwG (hereinafter referred to as the “Anti-Money-Laundering Officer” - AML Officer) as well as the implementation and realisation of (group-wide) policies and procedures pursuant to Articles 23 and 24 FM-GwG.

This circular is intended to serve as guidance on the establishment of organisational frameworks for compliance with due diligence obligations for the prevention of money laundering and terrorist financing as well as the application of (group-wide) policies, procedures and checks for the obliged entities under the FM-GwG - hereinafter “obliged entities”.

This circular does not constitute a legal regulation. It is intended to serve as guidance and reflects the FMA's legal interpretation. No rights and obligations extending over and above the provisions of the law can be derived from circulars.

Obliged entities are:

  • credit institutions pursuant to Article 1 para. 1 BWG and CRR-credit institutions pursuant to Article 9 of the Banking Act (BWG²) that provide activities in Austria through a branch;
  • financial institutions pursuant to Article 1 para. 2 nos. 1 to 6 BWG;
  • insurance undertakings pursuant to Article 1 para. 1 no. 1 of the Insurance Supervision Act 2016 (VAG 2016; Versicherungsaufsichtsgesetz 2016³) and small insurance undertakings pursuant to Article 1 para. 1 no. 2 VAG 2016 respectively within the scope of their life insurance operations (classes 19 to 22 pursuant to Annex A of VAG 2016);
  • investment firms pursuant to Article 3 para. 1 of the Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018⁴) and investment services providers pursuant to Article 4 para. 1 WAG 2018;
  • AIFMs pursuant to Article 1 para. 5 and Article 4 para. 1 of the Alternative Investment Fund Managers Act (AIFMG; Alternative Investmentfonds Manager-Gesetz⁵) and non-EU-AIFMs pursuant to Article 39 para. 3 AIFMG;

1 Financial Markets Anti-Money Laundering Act (FM-GwG; Finanzmarkt-Geldwäschegesetz), published in Federal Law Gazette I No. 118/2016 as amended.
2 Austrian Banking Act (BWG; Bankwesengesetz), published in Federal Law Gazette No. 532/1993 as amended.
3 Insurance Supervision Act 2016 (VAG 2016; Versicherungsaufsichtsgesetz 2016), published in Federal Law Gazette I No. 34/2015, as amended.
4 Securities Supervision Act 2018 (WAG 2018; Wertpapieraufsichtsgesetz 2018), published in Federal Law Gazette I No. 107/2017, as amended.
5 Alternative Investment Fund Managers Act (AIFMG; Alternative Investmentfonds Manager-Gesetz), published in Federal Law Gazette I No. 135/2013 as amended.


  • electronic money institutions pursuant to Article 3 para. 2 of the E-Money Act 2010 (E-Geldgesetz 2010⁶);
  • payment institutions pursuant to Article 10 of the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018⁷);
  • the Austrian Post with regard to its money transaction services;
  • financial institutions pursuant to points a) to d) of Article 3 (2) of Directive (EU) 2015/849 (4th Anti-Money Laundering Directive) with their place of incorporation in another Member State with business operations conducted through branches or branch establishments located in Austria as well as branches or branch establishments of such financial institutions that are authorised in third countries;
  • wind-down units pursuant to Article 84 para. 2 of the Bank Recovery and Resolution Act (BaSAG; Bundesgesetz über die Sanierung und Abwicklung von Banken⁸) as well as Article 3 para. 4 of the Federal Act on the Creation of a Wind-down Unit (GSA; Bundesgesetz zur Schaffung einer Abbaueinheit⁹);
  • wind-down entities pursuant to Article 162 para. 1 BaSAG in conjunction with Article 84 para. 2 BaSAG;
  • service providers in relation to virtual currencies pursuant to Article 2 no. 22 FM-GwG.

A financial institution pursuant to Article 1 para. 2 nos. 1 to 6 BWG is an institution that is not a credit institution as defined in Article 1 para. 1 BWG, and which is authorised to provide one or several of the activities listed in Article 1 para. 2 BWG on a commercial basis, provided that the institution conducts such activities as its principal activity. The principal activity as defined for the purpose of qualifying as a financial institution is to be identified on the basis of the overall picture arising in the specific case in hand, i.e. taking into consideration all relevant factors of both qualitative and quantitative natures as well as criteria with regard to a flexible system. In any case, a principal activity shall be assumed to exist where the activity contributes 50 % to the entity's performance.¹⁰ In addition, the existence of a principal activity is not to be assessed purely on the basis of the contribution of the activity to the entity's performance - i.e. a purely quantitative feature. Instead, it must be determined, based on the overall picture of the case in hand and on the basis of qualitative features, whether an activity of an undertaking is a principal activity or whether this activity "due to its close relationship to the principal activity and due to its subordinate significance in comparison to the principal activity in accordance with public opinion appears to be comparable".¹¹ In so doing, as part of a flexible system, the business plan and business strategy, the deployment of resources, returns, acquisitions and marketing etc. must be considered.¹² It should focus on whether a specific activity "by way of its nature has an autonomous character or is purely of an ancillary nature to the undertaking's other […] activities".¹³ It should be noted in this context that the definition is based on the commercial law interpretation of the principal activity and that an undertaking may not necessarily only have one principal activity.¹⁴

For the provision of safe deposit services pursuant to Article 1 para. 2 no. 6 BWG, joint control by the entity is not a compulsory condition, provided certain security obligations - especially including access control - are observed.¹⁵

A virtual asset service provider is any natural or physical person resident/domiciled in Austria or providing a service in Austria on a commercial basis for third parties pursuant to Article 2 no. 22 FM-GwG, in relation to virtual currencies pursuant to Article 2 no. 21 FM-GwG. It also covers virtual asset service providers domiciled in another EU Member State or in a third country that actively offer or provide a service pursuant to Article 2 no. 22 FM-GwG in Austria.

Where designations used refer to natural persons, the formulation used applies to both genders.

6 Electronic Money Act 2010 (E-Geldgesetz 2010), published in Federal Law Gazette I No. 107/2010 as amended.
7 Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018), published in Federal Law Gazette I no. 17/2018, as amended.
8 Bank Recovery and Resolution Act (BaSAG; Bundesgesetz über die Sanierung und Abwicklung von Banken), published in Federal Law Gazette I No. 98/2014 as amended.
9 The Federal Act on the Creation of a Wind-Down Entity (GSA; Gesetz zur Schaffung einer Abbaueinheit), published in Federal Law Gazette I No. 51/2014 as amended.
10 Supreme Administrative Court (VwGH) 10.11.2017, Ro 2017/02/0023 citing further literature.
11 Federal Administrative Court (BVwG) 02.08.2017, W230 2150836-1 citing further literature; VwGH 24.10.2018, Ro 2017/02/0025.

12 The corporate identity, company name and the activity advertised on the undertaking's website may be taken into consideration in the assessment. Furthermore, it must also be taken into account whether "other items, other assets, another organisation and measures are necessary" for the performance of the activity in question (BVwG 02.08.2017, W230 2150836-1).
13 Federal Administrative Court (BVwG) 02.08.2017, W230 2150836-1 citing further literature.
14 In this case also Federal Administrative Court (BVwG) 02.08.2017, W230 2150836-1.
15 Supreme Administrative Court (VwGH) 10.11.2017, Ro 2017/02/0023.

2 ANTI-MONEY-LAUNDERING OFFICER

2.1 Legal Basis

The legal provision set forth in Article 23 para. 3 FM-GwG requires that a special officer (“AML Officer”) is established for ensuring compliance with the provisions of the FM-GwG. The function of the AML officer shall be set up in such a way that the AML officer shall be responsible only to the management body and shall report directly to it. The “Fitness & Propriety” requirements including the requirements with regard to reliability, honesty and integrity of the AML officer who has been or is to be appointed¹⁶ are highly personal characteristics that must be proven when being appointed as AML officer. In this way, the requirement arises that this function must be held by a natural person.

Moreover, the AML Officer shall be granted free access to all information, data, records and systems that may in any possible way be connected to money laundering and terrorist financing. Furthermore, they shall also be granted sufficient powers for enforcement of compliance with the provisions of the FM-GwG. Furthermore, the obliged entities shall ensure that the AML Officer at all times possesses adequate professional qualifications, knowledge and experience (professional qualification), is reliable and possesses integrity (personal reputation).

2.2 Organisational requirements

The AML Officer function shall be established in such a way that the AML Officer shall be responsible only to the management body and shall report directly to it without any intermediate levels. In this context, management body is to be understood as all members of the management body (e.g. all members of the management board of a stock company (Aktiengesellschaft)). In addition, the obliged entities shall take appropriate organisational measures to ensure that the AML Officer’s duties may be fulfilled on site at all times. As a minimum, deputising arrangements (“Deputy AML Officer”) in the event of the AML Officer’s absence must be established to ensure compliance with due diligence obligations on a permanent basis. In so doing, it should be guaranteed that, in particular in the event of the AML Officer’s absence, their duties can be taken over and conducted. The Deputy AML Officer shall also be required to possess adequate expert knowledge and qualifications like the AML Officer.

In instances where the AML Officer also performs other duties or functions (e.g. the AML Officer is a member of staff in the legal department and in organisational terms is subordinate to another unit), or in cases of the outsourcing of the function of the AML Officer and/or individual activities regarding the prevention of money laundering, it must be ensured that the AML Officer is solely responsible towards the management body and reports to it. In the event of outsourcing, the entity that is outsourcing shall constantly be required to have a competent contact person for the AML Officer to contact (a "competent employee").

16 Cf. Joint EBA and ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders (EBA/GL/2021/06).

2.2.1 Duties of the AML Officer

It is the AML Officer’s duty to ensure the observance of the national and European regulations for the prevention of money laundering and terrorist financing. The remit of the AML Officer as the central point of contact in matters relating to the prevention of money laundering and terrorist financing includes, inter alia, the following activities:

  • drawing-up a risk assessment for the undertaking pursuant to Article 4 FM-GwG;
  • introducing and further developing adequate and appropriate strategies, checks and procedures as well as (IT) systems, including the reviewing and monitoring of their ongoing application, to ensure compliance with due diligence obligations for the prevention of money laundering and terrorist financing;
  • introducing and further developing group-wide policies and procedures, including review of their ongoing application;
  • drawing up and further developing internal regulations (manuals, operating procedures etc.) on the issue of the prevention of money laundering and terrorist financing;
  • checking whether the measures taken and processes implemented by the obliged entity to prevent money laundering and terrorist financing are suitable to comply with the legal provisions (the check can be carried out, for example, by means of ongoing checks or random sampling) and, if necessary, adjusting the respective measures and processes;
  • defining and implementing a catalogue of measures for the scope of application of the enhanced customer due diligence obligations;
  • ensuring enhanced monitoring of business relationships that are subject to enhanced customer due diligence obligations (e.g. classification as increased risk, PEPs, etc.);
  • reviewing and approval/rejection of new business relationships to be established which have been classified as increased risk, or for which a review has been requested by the account manager;
  • stopping and releasing of transactions;
  • handling of anomalies arising during the course of the continuous monitoring of business relationships, e.g. conducting research and investigations to clear up such anomalies;
  • requiring that respective national law be applied in branches or branch establishments of the obliged entity in other Member States and, in any case, that the requirements set out in the FM-GwG be applied in branches, branch establishments and subsidiaries in third countries;
  • developing, organising or occasional or regular provision of training;
  • submitting suspicious activity reports pursuant to Article 16 FM-GwG or the conducting of requests to release a transaction pursuant to Article 17 para. 3 FM-GwG;


  • establishing and further developing systems enabling the company to provide complete and rapid information in response to enquiries from the Financial Intelligence Unit (Geldwäschemeldestelle) or the FMA;
  • reporting to the management body on both an ad hoc and regular basis; certain reports, e.g. annual reports, are to be drawn up in writing;
  • submitting reports pursuant to Article 8 (2) of the Transfer of Funds Regulation to the competent authority for combating money laundering and terrorist financing.

The actions to be taken for this purpose shall either be conducted by the AML Officer or initiated by them, with the AML Officer subsequently reviewing that they have been conducted.

2.2.2 Competences of the AML Officer

The AML Officer shall be provided with the competences that are necessary for it to fulfil its remit. These include:

  • free access to all information, data, records and systems that may possibly be related to money laundering and terrorist financing that serve the purpose of the prevention of money laundering and terrorist financing, in particular regarding carrying out verification activities;
  • the possibility to contact the management body at all times;
  • the possibility to stop or release transactions or the possibility to freeze accounts or instruct the conducting of such actions;
  • the possibility to reject the reason provided regarding business relationships or to instruct or recommend the termination of existing business relationships in accordance with the legal regulations;
  • comprehensive rights to give instructions to the staff members in the allocated area of responsibility;
  • deciding whether a suspicious activity report or a report under the Transfer of Funds Regulation is to be submitted to the competent authorities.

The organisational integration of the function, the essential tasks as well as the competences of the AML Officer must be recorded in writing, e.g. in a job or function description. Responsibility under administrative penal law shall remain with the persons authorised to represent the company externally despite duties or competences being transferred to the AML Officer.

2.2.3 Fitness and propriety of the AML Officer

In accordance with the final sentence of Article 23 para. 3 FM-GwG, obliged entities shall ensure that the AML Officer at all times possesses adequate professional qualifications, knowledge and experience (professional qualification) and is reliable and possesses integrity (personal reputation). Assessment of their professional qualification shall in any case take place under appropriate consideration of the nature, scope and complexity of the obliged entity’s business as well as the responsibilities entailed by the relevant function. With regard to guaranteeing continuous compliance with the due diligence obligations for the prevention of money laundering and terrorist financing, the requirement to ensure the professional qualification and personal reputation of the AML Officer similarly applies to the Deputy AML Officer.

Key function holders are members of staff who, by virtue of their position, have significant influence over the company’s focus, but who are not members of the management body. This likewise includes heads of important business areas or key managers of important control functions as well as persons who have a significant influence on the business activity. In this sense, an obliged entity’s AML Officer is considered as a key function holder under the FM-GwG¹⁷ and sector-specific “Fit & Proper rules” only apply to the AML Officer.¹⁸

The checking of the fitness and propriety of the AML Officer must take place in a company’s internal “Fit & Proper assessment” during the process of appointment, and the review and outcome are to be documented. The nature and scale of the internal Fit & Proper assessment may be defined by the obliged entity itself, but must observe the principle of proportionality, thereby adequately taking into consideration the nature, scale and complexity of the activities as well as the undertaking's risk structure. In addition, the FMA may also check the fitness and propriety of the AML Officer at any time.

Criteria for the professional qualification include:

  • several years’ relevant working experience;
  • education and training in the area of the prevention of money laundering and terrorist financing;
  • knowledge about current developments in the area of the prevention of money laundering and terrorist financing.

Personal reputation criteria include:

  • good repute (as proven by a criminal record certificate);
  • reliability regarding their attachment to legal values.

17 This does not cover the concept of key functions under the VAG 2016.
18 Cf. for example for credit institutions the FMA Circular on the assessment of suitability of executive directors, non-executive directors and key function holders (“Fit & Proper Circular”), August 2018.

Under Article 73 para. 1b BWG¹⁹, credit institutions of significant relevance pursuant to Article 5 para. 4 BWG are required to notify the FMA in writing about the appointment of the AML Officer without delay (within 2 weeks) mentioning the conditions listed in the final sentence of Article 23 para. 3 FM-GwG as well as any change in their person as well as every change in the conditions pursuant to the final sentence of Article 23 para. 3 FM-GwG for existing AML Officers. Documentation about professional qualification and personal reputation must be submitted with the notification, especially:²⁰

  • confirmation about the internal Fit & Proper assessment,
  • curriculum vitae,
  • training records or scheduled training,
  • criminal record excerpt,
  • a current organisation chart.

For credit institutions that do not exceed the significance threshold stipulated in Article 5 para. 4 BWG as well as for all other obliged entities, such a notification only has to take place where requested by the FMA. The FMA provides a separate notification form for notification of the AML Officer as well as for submission of documentation on the Incoming Platform.

19 Federal Law Gazette I No. 36/2018.
20 Joint ESMA and EBA “Guidelines on the assessment of the suitability of members of the management body and key function holders”, EBA/GL/2021/06.

2.2.4 Compatibility of functions and activities

In practice, the issue frequently arises about the compatibility of functions and activities associated with the function of the AML Officer and the Deputy AML Officer. To ensure the AML Officer’s independence, the performance of their duties in the area of the prevention of money laundering and terrorist financing should as a rule take place under an independent framework that is separate from other fields of activity. A material condition for the compatibility of functions and activities is that the independence of the AML Officer will not be compromised due to performing a double function, and ensuring that sufficient resources are available for fulfilling its duties in an orderly manner.

In every (permissible) combination of functions, the corresponding organisational conditions must be met by the obliged entity. The combination of functions as well as measures for avoidance of any existing conflicts of interest and compliance with the prohibition of self-auditing as well as the application of the principle of proportionality must be documented by the obliged entity. Certain relief may be permissible for the AML Officer, taking into account the principle of proportionality on a case-by-case basis. Conflicts of interest should also be avoided between the different areas of responsibility of the person in question to as great an extent as is possible.

2.2.4.1 Compatibility of the AML Officer with the Compliance Function

The AML Officer performing the compliance function at the same time²¹ is in principle possible, provided the AML Officer is given sufficient resources to perform the duties in a proper and independent manner. The assessment of the permissibility of performing the compliance function in parallel to other functions must in any case consider the respective supervisory laws. For example, if concurrently performing the function of the compliance officer under WAG 2018 and the function of AML Officer, then the legal requirements set out in WAG 2018 must be observed.²²

2.2.4.2 Compatibility of the AML Officer and employees of the internal audit function

In light of the fact that the internal audit function is also required to review the orderly fulfilment of all due diligence obligations in relation to the prevention of money laundering and terrorist financing, a combination of these functions is generally to be avoided due to self-auditing being prohibited. In order to comply with the ban on self-auditing, appropriate organisational precautions must be taken when functions are combined. Therefore, where someone simultaneously performs the function of the AML Officer and the function of an internal auditor, given that self-auditing is prohibited, it must be ensured that a staff member from the obliged entity who has completed the necessary specialist training or an external third party (e.g. external auditor or an auditing association)²³ audits the AML Officer’s activities. It must in any case be avoided that the head of the internal audit function also performs duties regarding the prevention of money laundering.

When assessing the permissibility of a combination of functions or activities based on the size of the undertaking, for example, the obliged party may use the specifications regarding size contained in Article 42 para. 6 BWG as guidance. However, this is no substitute for checking the case in hand about whether an incompatibility exists, despite not exceeding that threshold.

2.2.4.3 Compatibility of AML officer with activities in the legal department

When considering the compatibility of the duties of the AML Officer and the activities in the legal department, particular attention should be paid to any conflicts of interest. Potential conflicts of interest may arise from divergent business policy interests between the two areas of activity. The obliged entity shall assess the potential compatibility between the two areas of activity, also taking into account the principle of proportionality (the size of the undertaking, business activity etc.).

2.2.4.4 Compatibility with front office activities

The compatibility of the duties of the AML officer with front office activities contains significant potential for conflicts of interest due to divergent interests (e.g. sales targets vs critical appraisal of new business) between both fields of activity, and the FMA therefore generally considers this combination to be impermissible.

2.2.4.5 Compatibility with the function as director

It shall only be permissible in exceptional cases for a director to perform the function of the AML officer, provided the law generally stipulates that the function of the AML officer is established in such a way that it is responsible towards the management body, and is required to report directly to the management body without any intermediate levels. On the one hand, the wording implies a hierarchical relationship (“responsible towards the management body”), while on the other hand the formulation “has to report directly to the management body” presupposes that this reporting obligation is incumbent on a person other than the management body. Furthermore, due to the large scope of responsibility, a director as a rule lacks the necessary time commitment to be able to perform all the duties associated with the AML function fully.

Taking into consideration the principle of proportionality, in the case of microenterprises (as a guide: 6 full-time equivalents) the function of the AML officer may be performed by a director as an exception, in the case that it is difficult in terms of resources to split functions due to extreme headcount limitations. Where a director performs the function of the AML officer, then the obliged entity shall in any case ensure that the director actually meets the necessary time commitment to fully perform the duties associated with the function of the AML officer (provided that they are not outsourced). Additionally, any conflicts of interest possibly arising from performing other functions or activities must also be taken into account.

21 Compliance function pursuant to Article 39 para. 6 nos. 2 and 3 BWG and pursuant to Article 29 WAG 2018.
22 FMA Circular regarding the organisational requirements of the Securities Supervision Act 2018 and Delegated Regulation (EU) 2017/565 (“WAG 2018 Organisational Circular”), July 2021.

23 When entrusting an external auditor or an auditing association with internal auditing, the prohibition of self-auditing must be taken into account: i.e. the auditor who has been entrusted with an obliged entity’s internal auditing, may not also act as the external auditor of the obliged entity.

3 OUTSOURCING

3.1 Legal Basis

Within the scope of outsourcing, the possibility exists to outsource all or individual duties in order to fulfil due diligence obligations and the function of the AML officer. Under Article 15 FM-GwG, obliged entities may also make use of outsourcing service providers or representatives for this purpose.24 In this instance, they are not direct employees of the obliged entity, but they have a contractual relationship with it.25 Due to this contractual relationship, outsourcing service providers and representatives are considered as part of the obliged entity. Therefore, the obligations for the prevention of money laundering and terrorist financing only arise for them based on a written outsourcing or representation contract. They themselves do not as a result become obliged entities as defined in the FM-GwG. The significant issue is that the obliged entity remains responsible for observance of due diligence obligations.26

Within the scope of the information and submission obligations, the FMA may request corresponding information and the submission of corresponding documents from obliged entities at any time. In this regard, the FMA has the possibility to determine the manner and form in which documentation is to be submitted.27 Obliged entities must therefore ensure when involving outsourcing service providers and representatives that the necessary information and documentation used for this purpose is available at all times to ensure the observance of (outsourced) due diligence obligations. However, there is no resulting obligation to store documentation or copies of documentation at the premises of the obliged entity in all cases. However, it must be possible for such items to be made available to the FMA without delay upon request.
Since outsourcing service providers and representatives are to be considered as part of the obliged entity, as with staff members of the obliged entity, it must be ensured that they are made aware of the due diligence obligations by suitable means. In particular, this includes regular attendance of training courses. In addition, a clear division of rights and obligations between the obliged entity and the outsourcing service provider must be set out in the form of a written agreement (e.g. "Service Level Agreement") that contains at least the following points:

  • a precise definition of the duties or functions that are to be outsourced;
  • determination and delimitation of competences including definitions of interfaces;

24 Regarding performance by third parties pursuant to Article 13 FM-GwG see the FMA Circular on the due diligence obligations for the prevention of money laundering and terrorist financing, in its current version.
25 They are considered as vicarious agents as defined in Article 1313a of the General Civil Code (ABGB), as they act with the will of the obliged entity within the scope of the obligations incumbent upon it.
26 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period 11.
27 Article 29 para. 1 FM-GwG.


  • determination of the respective competences, rights, obligations as well as powers to give instructions.

The question about the permissibility of thresholds and limits of an outsourcing per se must be assessed in accordance with the respective applicable supervisory laws that apply for the obliged entities.28 The obliged entity always remains responsible for observance of the provisions in the FM-GwG despite outsourcing.29 In any case, it must also be ensured, among other things, that the quality of the internal control function of the obliged entity as well as supervision by the FMA are not impeded as a result of outsourcing.

Both the duties for observance of diligence obligations for the prevention of money laundering and terrorist financing and the function of the AML officer are to be considered as “material operative tasks”. These are defined respectively in Article 25 BWG as “operational tasks, which […] are material” in Article 34 WAG 201830, “important operational tasks” as defined in Article 21 ZaDiG 2018, tasks as defined in Article 18 AIFMG and Article 28 InvFG 2011, operational tasks as defined in Article 15 E-Geldgesetz 2010 in conjunction with Article 21 ZaDiG 2018, or functions as defined in Article 5 no. 37 VAG 2016.

The FMA must be notified in writing about the outsourcing of all tasks relating to the observance of due diligence obligations31 and outsourcing the function of the AML officer, taking into account the relevant provisions in the individual supervisory laws, or upon the FMA’s request pursuant to Article 34 WAG 2018 as well as Article 272 VAG 2016. The FMA has made a separate notification form available on the Incoming Platform for the notification of the outsourcing of the function of the AML officer and all tasks for observing due diligence obligations for the prevention of money laundering.

3.2 Outsourcing the function of the AML officer and its tasks

The criteria stated in the final sentence of Article 23 para. 3 FM-GwG shall apply when outsourcing the function of the AML officer, and the obliged entity must ensure that the AML officer has sufficient professional qualifications and personal reliability at all times (cf. para. 24 et seq.).

Taking into account that obliged entities remain responsible for observing due diligence obligations for the prevention of money laundering and terrorist financing when outsourcing the function of the AML officer or its duties, obliged entities must ensure a minimum level of remaining material competence and ensure the presence of a competent employee to guarantee immediate on-site reaction. The competent employee is an important point of contact, and occupies an essential position between the obliged entity and the service provider and must therefore be equipped with certain minimum tasks and competences:

28 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period 11.
29 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period 11.
30 Article 34 WAG 2018 in conjunction with Articles 30 to 32 of Delegated Regulation (EU) 2017/565.
31 Notification is not necessary in the case that only individual tasks for the observance of due diligence obligations are outsourced.


  • function as internal contact person at the obliged entity as well as the external point of contact for the AML officer or the authorities;
  • the possibility to conduct control activities;
  • free access to all information, data, records and systems that may possibly be related to money laundering and terrorist financing in any way; in particular to be able to carry out verification activities, including the inspection competence for all contracts and transactions;
  • the possibility to execute the stopping of transactions and freezing of accounts;
  • involvement when drawing up operating procedures, guidelines and general documents as well as the calibration of computer systems to ensure that they are suitable for the individual undertaking;
  • involvement in submission of suspicious activity reports.

The competent employee must be equipped with sufficient resources and powers for performing these minimum tasks and competences.

Where the function of the AML officer is outsourced, it must be ensured that the orderly fulfilment of the duties as set out under law, and the management and control functions of the management body of the obliged entity or the rights of inspection and control options of the supervisory authority are not impeded. The written agreement between the obliged entity and the outsourcing service provider must therefore, in addition to the points mentioned in para. 44, also contain the following points:
  • the service provider must be directly subordinate to the management body of the obliged entity;
  • the AML officer must not be subject to instructions by other superordinate instances to the service provider;
  • regular exchange of information between the AML officer and the competent employee of the obliged entity;
  • direct reporting obligations of the AML officer to the management body of the obliged entity.

4 STRATEGIES, CHECKS AND PROCEDURES

4.1 Legal Basis

Pursuant to Article 23 para. 1 FM-GwG obliged entities are required to have appropriate internal strategies, checks and procedures in place for the effective mitigation and controlling of risks of money laundering and terrorist financing identified at enterprise level, at national level and at EU level. Pursuant to Article 23 para. 2 FM-GwG, these strategies, checks and procedures are required to be determined in writing and approved by the management body. These must be applied on an ongoing basis, updated on both a regular and ad hoc basis, and must be monitored with regard to their viability.

In developing and updating (both on a regular and ad hoc basis) such strategies, checks and procedures, obliged entities are required to take into consideration the European Commission’s report pursuant to Article 6 (1) of Directive (EU) 2015/849 (“Supra-national Risk Assessment”), the national risk assessment (Article 3 FM-GwG) and the risk assessment at company level (Article 4 FM-GwG).

Pursuant to Article 24 FM-GwG, the application of strategies and procedures must not only be ensured on an individual basis, but also within a group as defined in Article 2 no. 11 FM-GwG. Its objective, starting with the obliged entities, is to ensure consistent (preventative) standards for the combatting of money laundering and terrorist financing are applied in the form of harmonised standards on organisational, due diligence and information requirements within a group, i.e. also for all branches or branch establishments and subsidiaries in Member States and third countries (see also para. 62 and para. 64).
The group definition covers all branches or branch establishments, all majority-owned subsidiaries of the obliged entity and all other enterprises that are associated with the obliged entity as defined in Article 22 of Directive 2013/34/EU, provided that they are also obliged to comply with regulations on the prevention of money laundering and terrorist financing. Where the applicable minimum requirements are less strict in the branches or branch establishments and subsidiaries in third countries than those stipulated in the FM-GwG, and where permitted under the respective law of the third country, the application of the requirements that apply in accordance with the FM-GwG must be ensured. In cases where the law of the third country does not permit this, obliged entities are required to inform the FMA that this is the case, and to take additional risk mitigating measures.

4.2 Proportionality and Resources

The obligation to establish adequate strategies, controls and procedures also implies that obliged entities must have adequate staffing appropriate for the type and size of the undertaking, as well as the respective risk situation, to ensure compliance with due diligence obligations and further measures stipulated in accordance with the FM-GwG (e.g. reporting obligations, cooperation with the Financial Intelligence Unit (Geldwäschemeldestelle) and the FMA, etc.) in practical terms. Under the principle of proportionality, measures must be commensurate in particular to the size, organisational structure and risk situation of the individual obliged entity as well as to its business and customer structure.

In connection with this, obliged parties under the FM-GwG must ensure by way of sufficient personnel resources that the measures defined based on the risk assessment are also implemented accordingly and that the calibration of the procedures by automated means carried out based on the risk assessment is evaluated on an ongoing basis or adapted as necessary.32

4.3 General Scope of Strategies, Checks and Procedures

The legislator does not define specific requirements for the design of strategies, checks and procedures; however, the following (minimum) scope is defined in Article 23 para. 1 nos. 1 to 6 FM-GwG:

  • risk classification at customer level (Article 6 para. 5 FM-GwG);
  • risk management systems (Article 11 para. 1 no. 1 FM-GwG);
  • customer due diligence, including appropriate measures for the prevention of the misuse of new products, practices and technologies;
  • submission of suspicious activity reports;
  • retention of documentation and safeguards for compliance with Article 23 para. 6 FM-GwG regarding the obligation to check propriety in selecting employees and prior to the election of members of the supervisory board with regard to their attachment to legal values.

32 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 14.

4.4 General requirements regarding strategies, controls and procedures

  • Defining and updating of internal policies such as e.g. a common understanding about relevant terms, competences, duties, responsibilities and processes in the obliged entity and the group;
  • Defining and continuing development of processes and appropriate strategies for the prevention of misuse of new products and technologies, that may in particular facilitate the anonymity of customers/business relationships and transactions;
  • Defining and documentation of control actions of both a qualitative and quantitative nature (in the sense of a presentation of all control activities – “a control plan” – see the description of the control inspection plan in the Annex);
  • Ongoing review of the effectiveness of processes and controls that have been implemented;
  • Establishing and ongoing updating of general and specific measures;
  • Establishing of clear reporting lines and obligations, including about which contents are reported to which addressees within which timeframe.

The principles determined in strategies, checks and procedures and internal regulations must be:
  • set out in writing for documentation purposes and for internal transparency/accountability and approved by the management body;
  • applied in business operations on an ongoing basis, and their application evaluated on an ongoing basis;
  • reviewed or updated on an ad hoc basis as required.

The AML officer shall be responsible for the monitoring and ensuring of the ongoing application of the instructions and regulations determined in the internal strategies, checks and procedures, both at individual enterprise level as well as at group level.

Furthermore, a risk-based independent review of the policies, procedures and controls as well as their ongoing application, shall be conducted by Internal Audit. Where obliged entities are not required to have an internal auditing body, and where an independent inspection is necessary due to the type and scope of the business activities conducted, the inspection shall be conducted by an independent body.

Obliged entities shall plan regular audit activities by the internal audit function or by an independent body with regard to the area of the prevention of money laundering and terrorist financing. Where a regular examination is not conducted on at least an annual basis, then appropriate actions must be taken to compensate for the lack of regular audit examinations, such as quarterly meetings with the internal audit function, conducting various audit activities etc. The scope of the examination by the internal audit function or audit by an independent body may depend on the nature and scope of the business activities as well as the size of the obliged entity.

This also applies for the branch establishments of other credit institutions from within the EEA that are established in Austria.

4.5 Group-wide requirements regarding strategies and procedures

4.5.1 General

Pursuant to Article 24 FM-GwG, group-wide strategies and procedures are to be established within the group, to be applied on an ongoing basis, as well as being documented in written form. The obliged entity shall be responsible for the rolling out of group-wide strategies and procedures in branches or branch establishments and subsidiaries in Member States and third countries (see para. 53 above in this regard).33

In those cases where the branch or branch establishment is located in a Member State, it shall be required to observe the national legislation in that country. In this context, potential differences in the transposition of the 4th Anti-Money Laundering Directive are to be taken into consideration by the obliged entities when rolling out group-wide strategies and procedures. The aim is to provide for as harmonised an application of the material relevant obligations under anti-money laundering law as possible within the group, in order to prevent recourse being made to foreign branches or branch establishments or subsidiaries with lower standards for the purpose of money laundering or terrorist financing.

In such cases in which the legal minimum requirements for the combatting of money laundering and of terrorist financing are less strict in the third country than those set out in the FM-GwG, the requirements set out in the FM-GwG shall in any case be applied, where permitted by the law of the third country. Where implementing necessary group-wide strategies and procedures is not possible under the law of the third country (e.g. in conjunction with the provision on data protection and on the transmission of information), obliged entities shall inform the FMA about this, and measures shall be taken accordingly to counteract this at third country branches and branch establishments and subsidiaries. In this context, the Delegated Regulation relating to Article 45 of the 4th Anti-Money Laundering Directive shall be taken into account.34

In order to fully consider and address risks of money laundering and terrorist financing at group level, individual risk assessments at company level of those Member State and third country branches or branch establishments and subsidiaries shall also be taken into consideration by the obliged entity that is part of a group as defined in Article 2 no. 11 FM-GwG, when drawing up its own risk assessment at company level. Consequently, in order to minimise group-wide risks, measures (such as harmonised group-wide PEP obligations, etc.) must be defined that apply at both group and individual company level.

33 See explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, 15. Regarding the purpose of the provision, the explanatory remarks to Article 24 FM-GwG state that “harmonised strategies and procedures [should] be implemented in all entities within a group, irrespective of whether an entity in the group is domiciled in a Member State or in a third country”. Furthermore, the explanatory remarks to Article 2 no. 11 FM-GwG clarify further that the respective applicable sectoral regulations should be referred to for the purposes of interpreting the definition of the group.
34 Commission Delegated Regulation (EU) 2019/758 of 31.01.2019 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regard to regulatory technical standards for the minimum action and the type of additional measures credit and financial institutions must take to mitigate money laundering and terrorist financing risk in certain third countries – C(2019) 646 final.

Pursuant to Article 23 para. 2 FM-GwG, the AML officer shall also be responsible for ensuring compliance with group-wide strategies and procedures pursuant to Article 24 FM-GwG. To this end, the AML officer must ensure the group-wide implementation of the strategies and procedures by means of appropriate measures (e.g. spot checks, on-site visits) and shall be authorised to issue orders within the group within the scope of legal possibilities for the purpose of controlling and enforcing them. In order to perform their duties fully, the AML officer, as well as the deputy AML officer, must be granted group-wide access to all necessary information and documents.

The obliged entity must ensure a group-wide exchange of information between itself and the group's branches, branch establishments and subsidiaries in Member States and third countries. Such information shall include customer data, information on intended or filed suspicious activity reports, or information about contacts with authorities.

The AML officer must inform the management body of the obliged entity about the group-wide implementation of and compliance with the strategies and procedures for the prevention of money laundering and terrorist financing in writing on both a regular basis and on an ad hoc basis.

All group-wide policies and procedures adopted by the obliged entity for the prevention of money laundering and terrorist financing must be documented in writing and brought to the attention of the branches or branch establishments and subsidiaries in Member States and third countries. Within the scope of the information and disclosure obligations, necessary documentation must be submitted to the FMA in German or English upon request.
Responsibility for the implementation and ongoing application of group-wide strategies and procedures pursuant to Article 24 FM-GwG remains with the obliged entity. The AML officer shall be responsible for ensuring compliance with the group-wide strategies and procedures. Furthermore, a risk-based independent review of the strategies, procedures and checks as well as their ongoing application, shall be conducted by the group internal audit function. Where obliged entities are not required to have an internal auditing body, and where an independent inspection is necessary due to the type and scope of the business activities conducted, the inspection shall be conducted by an independent body.

This requires regular and ad hoc actions for reviewing the application of established strategies and procedures in branches or branch establishments and subsidiaries in Member States and third countries. The conducted checks and their results shall be documented accordingly. Furthermore, branches or branch establishments and subsidiaries shall regularly report in writing to the obliged entity about the implementation and application of the due diligence obligations as well as on an ad hoc basis about any anomalies.

4.5.2 Reporting

Within the group, in order to ensure the ongoing exchange of information and for ensuring ongoing checks, reporting processes or clear and uniform reporting lines are to be defined regarding the application of group-wide strategies, procedures and checks, and documented in writing and communicated to the group members.

The scope of the defined reporting processes or reporting lines includes the application and safeguarding of the strategies, procedures and checks set out in Article 23 para. 1 FM-GwG, as well as how to proceed in the event of complete or temporary non-compliance with strategies, controls and procedures at regular intervals starting at company level with the local AML officer reporting to the local management body as well as the AML officer, who is responsible for the observance of group-wide strategies and procedures pursuant to Article 24 FM-GwG. Subsequently the AML officer who is responsible for the observance of the group-wide strategies and procedures pursuant to Article 24 FM-GwG shall report to the obliged entity’s management body. For example the following thematic focuses are covered:

  • information about the business model;
  • the result and material content of the risk assessment;
  • training and continuing training measures;
  • procedures and measures for complying with due diligence obligations;
  • setting of measures for mitigating risks including control activities;
  • reporting about the suspicious activity reports submitted;
  • implementation and observance of group-wide strategies, checks and procedures;
  • local legal specificities.

4.5.3 Evaluation

To ensure the observance of group-wide strategies and procedures, the obliged entity shall evaluate the implementation and application of group-wide strategies and procedures in branches or branch establishments and subsidiaries in Member States and third countries on both an ongoing and an ad hoc basis. This may be done by means of local company visits, conference calls or workshops in cooperation with the respective local AML officers.

4.6 Training courses

The obliged entities shall have procedures in place that ensure that all of their employees are aware of the provisions for the prevention or combatting of money laundering or terrorist financing to an extent that is necessary for the fulfilment of their duties. This includes inter alia participation of the competent employees at regular relevant specialist training courses, that help to put them in a position to (better) recognise unusual payments or transactions that may be connected with money laundering or terrorist financing and to react in accordance with the undertaking’s internal guidelines, and to behave correctly in such cases.

The obliged entity shall determine the type of training (e.g. face-to-face training, computer-based learning, etc.), its scope and frequency, as well as the participants, based inter alia on the nature, size and business model of the obliged entity as well as the scope of activities and function of the respective employees. As a minimum requirement, it is to be ensured that new employees starting in the division for the prevention of money laundering and terrorist financing participate in training on relevant subjects within a short time of their joining. Training courses should in any case be conducted on both a regular and ad hoc basis (e.g. in the event of amendments to legal regulations).

4.7 Personal reliability of employees

When appointing all of their employees and supervisory board members, as well as during their ongoing employment relationship or ongoing performance of a function, obliged entities shall examine their personal reliability with regard to their attachment to legal values, e.g. in any case a criminal record certificate should be submitted prior to the start of their employment relationship. Furthermore, the supervisory laws that apply for the obliged entities must also be taken into consideration when appointing employees and supervisory board members.

Where factual grounds become known during the employee’s employment relationship or during the course of the supervisory board member’s current mandate that place doubt on their personal reliability (e.g. initiation of criminal proceedings, legally final convictions for having committed crimes, persistent breaches of obligations related to money laundering or internal instructions/guidelines), the AML officer at individual company level as well as at group level shall be informed about further steps to be taken.

4.8 Central contact points pursuant to Article 23 para. 7 FM-GwG

Electronic money issuers and payment service providers established in another Member State (hereinafter: institutions) that perform activities in Austria through service providers35, such as agents as defined in Article 3 no. 20 ZaDiG 2018, fall pursuant to Article 23 para. 7 FM-GwG within the scope of application of the FM-GwG as a result of such activities.
To guarantee observance of the rules on the prevention of money laundering and of terrorist financing, and in order to simplify supervision by the FMA, institutions that fulfil the conditions pursuant to the Delegated Regulation36 in relation to Article 45 (10) of the 4th Anti-Money Laundering Directive shall be required to name a central contact point to the FMA. The quantitative and qualitative conditions under which institutions are required to name a central contact point are derived from Article 3 (1) of the Delegated Regulation. In particular the central contact point should in any case ensure compliance with the FM-GwG by service providers by means of the following measures:

35 The out-and-out distribution and redemption of electronic money by natural or legal persons on behalf of an electronic money institution located in another Member State are excluded from this rule (explanatory remarks to the government bill (ErlRV) no. 1335 in the supplements to the stenographic protocols of the National Council (BlgNR) for the 25th legislative period, SP 15). This covers the selling of electronic money products in tobacconists or supermarket chains.
36 Commission Delegated Regulation (EU) 2018/1108 of 7 May 2018 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regulatory technical standards on the criteria for the appointment of central contact points for electronic money issuers and payment service providers and with rules on their functions.


  • providing the institution with the necessary information about the requirements of the FM-GwG to make it possible to develop and implement strategies, checks and procedures pursuant to Article 23 para. 2 FM-GwG;
  • monitoring the application of the prescribed strategies, checks and procedures as well as compliance with the provisions in the FM-GwG;
  • informing the institution about all breaches as well as relevant information about compliance with the provisions of the FM-GwG, especially where relevant for the institution’s risk assessment;
  • ensuring that measures for corrective action are implemented;
  • ensuring the participation of employees of the service providers at training courses;
  • providing contact persons at the FMA and the Financial Intelligence Unit (Geldwäschemeldestelle).

In order to simplify supervision by the FMA, central contact points must:
  • have access to all relevant information held by service providers;
  • respond to all enquiries from the FMA and make relevant information available;
  • (if need be) participate in on-site inspections conducted by the FMA at the premises of the service providers.

5 ANNEX

5.1 Literature

  • Directive (EU) 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (“4th Anti-Money Laundering Directive”).
  • Directive (EU) 2018/843 of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (“5th Anti-Money Laundering Directive”).
  • Delegated Regulation (EU) 2019/758 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regard to regulatory technical standards for the minimum action and the type of additional measures credit and financial institutions must take to mitigate money laundering and terrorist financing risk in certain third countries.
  • Delegated Regulation (EU) of 7 May 2018 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council with regulatory technical standards on the criteria for the appointment of central contact points for electronic money issuers and payment service providers and with rules on their functions.
  • Joint EBA and ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders (EBA/GL/2021/06).
  • FMA Circular on the assessment of suitability of executive directors, non-executive directors and key function holders (“Fit & Proper Circular”), August 2018.
  • FMA Circular regarding the organisational requirements of the Securities Supervision Act 2018 and Delegated Regulation (EU) 2017/565 (“WAG 2018 Organisational Circular”), July 2021.
  • Rüdiger Quedenfeld, Handbuch Bekämpfung der Geldwäsche und Wirtschaftskriminalität, Erich Schmidt Verlag, 4th Edition (2017).

Note: Where this circular contains weblinks, this is done solely for information purposes. The links are guaranteed as being correct at the time of the decision passed regarding the publication of this FMA Circular.

5.2 Description of the control inspection plan
