February marked the end of the consultation period for the Bill amending the Anti-money Laundering and Combating the Financing of Terrorism Act 10/2010, and also for the draft amendments to the Royal Decree 304/2014, 5 May, resulting in the approval of the secondary legislation for the above mentioned Act 10/2010.

Both projects have a twofold purpose: firstly, to transpose into Spanish law some of the items pending from the IV European Directive*; and secondly, to make certain regulatory amendments to reinforce prevention mechanisms.

Specifically, the draft Royal Decree makes a number of adjustments in order to adapt the regulation to the amendments included in the draft bill, with a view to improving the law’s efficiency and its contents.

The main changes that will be brought in by the bill are:

General provisions

The Additional Provision, which dealt with two matters, related to the loss of the “equivalent third country” classification, and the upkeep of a list of States, territories or jurisdictions which the General Secretariat for the Treasury and Financial Policy considered had the condition of equivalent third country.

New regulated entities are included, among them: financial credit institutions, securities fund management companies, banking asset fund management firms, electronic money institutions, online gambling operators who use online, informatic, telematic and interactive channels, and crowdfunding platforms.

The draft defines who should be treated as the beneficial owners in the case of Trusts as they are understood in the US/UK sphere of influence. It clarifies that for legal instruments of this nature, regulated entities have the duty to identify and take appropriate measures to confirm the identity of the people occupying equivalent or similar positions to those being treated as beneficial owners.

It also broadens the duty of identifying the beneficial owner in structures without legal personality, trusts and any other structure of this nature, and authorizes regulated entities to collect information from their clients about the beneficial owners without the explicit consent of these.

Due diligence measures

A communication of suspicious operations can be sent without completing the defined due-diligence process, when there are indications or certainty that there is an AML/AFT link, and the regulated entity has reasonable grounds to believe that that its request for additional information could alert the client of its suspicions. Should it be necessary to terminate the business relationship and where this cannot be effected immediately, operating limitations must be put in place until the definitive termination of the relationship.

Likewise, third parties may be used to apply due diligence measures, provided that: they apply due diligence requirements and preserve records appropriately, that these are equivalent to those provided for in EU Directive, and their compliance is supervised by the competent authorities. Finally, the bill acknowledges the new European regulation on electronic signatures for the purpose of clarifying remote identification mechanisms.

Act 10/2010 already included that, as well as the usual due diligence measures, regulated entities must apply reinforced measures commensurate with their risk analysis, in those situations which inherently present a high risk of money laundering or financing of terrorism. In any event, the following transactions fall into this category: i) private banking; ii) money remittances, and iii) foreign currency exchange.

According to the project, those projese reinforced measures should also be applied to businesses or transactions involving people with public accountability, and will have to establish the lowest hierarchical level necessary to authorize these business relationships, which must take the transactional risk and specific client risk into account. These members of staff must have enough knowledge about the individual’s exposure to money laundering risk and terrorism financing risk and have the experience and seniority required to take decisions that affect this exposure.

If the individuals concerned no longer perform a public duty, the regulated entities must continue applying appropriate due diligence measures commensurate with the client’s risk level, until it can be established that they present no specific risk deriving from their previous condition as a person with public accountability.

On the other hand, the bill defines correspondent relationships as: the provision of banking services by a bank, in the capacity of correspondent, for another bank, in the capacity of client. These services include the provision of current and other liability accounts and related services, such as the management of cash, international fund transfers, settlement of checks and currency exchange services. This concept also covers any relationship between credit institutions and/or financial institutions, including payment entities, providing services similar to those of a correspondent to a client, namely, relationships set up for transactions with securities or fund transfers, among others.

Finally, the control requirements over these correspondent relationships have been broadened. Thus, transactions carried out as part of business operations must be subject to reinforced and continued monitoring, taking into account geographical risk, client risk or risk inherent to the type of service being provided.

Reporting obligations

There must be reinforced and permanent monitoring of the business relationship; the entity’s internal procedures must state the lowest hierarchical level necessary to authorize, establish or continue business relationships with the persons listed above and the other measures laid out must be applied. These measures expire two years after the person with public accountability has stopped performing these functions. The above notwithstanding, due diligence measures will continue to be applied commensurate with the risk that each individual represents for the institution.

Preservation of records

Regulated entities must conserve for at least 10 years the documents accrediting their compliance with legal obligations. The Bill specifies that five years after the business relationship has ended or the one-off transaction has been completed, the records preserved may only be accessed through the institution’s internal control bodies or, if applicable, those in charge of its legal defense. In no case may this information be used for commercial ends.

Whistle-blowing channels

Internal processes will be created so that employees, directors or other agents can report infractions against Act 10/2010 anonymously and these whistle-blowers will be protected from reprisals, discrimination or any other unfair treatment. The foregoing is not a substitute for the required existence of specific independent mechanisms to report suspicious transactions internally.

Personal data protection and information exchange

The need to obtain consent for processing data has been removed in the following scenarios: when a) it is needed in order to comply with information obligations, and when b) the data is for compliance with due diligence obligations between regulated entities that belong to the same business group. Similarly, high levels of security, as provided for in the personal data protection regulation, must be applied over the resulting files.

Finally, regulated institutions may create shared systems to store the information and records collected while conducting due diligence. Finally, regulated institutions may create shared systems to store the information and records collected while conducting due diligence. This information may only be accessed by regulated entities when the natural or legal person is their client, or during the process of signing them up as a client, and always after authorization has been received from the interested party.

International financial countermeasures

The Bill indicates that the financial sanctions to block funds and other economic resources established by the United Nations Security Council Resolutions and adopted pursuant to article 41 of the UN Charter must be applied to any natural or legal person from the moment they are published by the Security Council. The Bill proposes that the Council of Ministers, at the request of the Ministry of Economy, Industry and Competitiveness, may agree to apply financial countermeasures over third countries that represent a higher risk of AML/AFT or of financing the proliferation of weapons of mass destruction.

Financial ownership file

The scope of this file will be expanded from its original purpose in order to impede and prosecute AML/CFT and their concomitant crimes, as well as broadening the information that should be declared for payment accounts and safe deposit boxes.  Furthermore, it adds to the list of entities who may access this file, including the Justice Ministry’s Asset Management & Recovery Office, the Anti-Terrorism & Organized Crime Intelligence Unit and the National Securities Exchange Commission, among others.

Financial Intelligence Unit & AML/CFT Supervisory Authority (SEPBLAC)

Its functions in the areas of operating and procedural guidelines have been extended, together with staff hiring processes. Its supervisory scope when dealing with economic groups has also been more tightly defined. The Bill recommends that its supervisory tasks and annual plans be conducted employing a supervisory risk-based approach which should determine what kind of reviews are conducted, how deep these should go and how frequently they should take place. In addition, SEPBLAC will have access to the information supplied to the Tax Authorities and may not divulge this information except when it is being divulged to domestic or international supervisory authorities.

Other content

• The section on disclosure restrictions has been updated, specifying the exceptions and clarifying the way in which information can be exchanged between institutions within a group.
• Entities may not commission independent reviews from any natural or legal person who has supplied or is supplying any other kind of remunerated AML/AFT prevention services during the three years prior to or after the report is published.
• Directors and agents are included in the scope of employee training.
• Defines treatment of payment systems subject to intervention.
• With regard to the trading of goods, it sets out the importance of complying with the obligations specified in articles 3, 17, 18, 19, 21, 24 and 25 of Act 10/2010, on transactions in which the charges or payments are made by non-resident natural persons for sums over EUR10,000 euros in cash, over one or several transactions.
• Adds two breaches to the list of those classified as very serious, and five to the list of those treated as serious. Maximum sanctions have increased, and the minimums have remained the same. There is a provision for publicizing the sanctions anonymously, should no agreement be reached on how to make them public.
• External experts may now be held liable for breaches that are chargeable on the grounds of harmful or negligent conduct.
• The scope of those potentially liable to sanctions for committing very serious, serious and minor breaches has been extended considerably, and the criteria for grading those breaches, and when they lapse, have been brought up to date.

If you are interested in the draft amendments to the Royal Decree 304/2014, 5 May, resulting in the approval of the secondary legislation for the above mentioned Act 10/2010, you can click in the second link "Download the document".