The German Ministry of Finance published a proposal to implement Directive (EU) 2018/843 (fifth Anti-Money Laundering Directive) into German national law. The draft proposes changes when using trusted third parties.
The use of trusted third parties allows obliged entities under German Anti-Money Laundering Act (Geldwäschegesetz – GwG) to outsource certain AML-duties. This includes the identification of a (potential) customer. Two types of third parties can be referred to as trusted: Those that can be trusted by law (e.g. other obliged entities) and those that are trusted by contract (outsourcing providers).
Trusted third parties by law
So far, an obliged entity, according to German Regulator BaFin, could revert to a trusted third party as soon as this party fulfilled all required obligations set out in the applicable (national) law. For example, this meant a German credit institution could use a Dutch credit institution for the identification of Dutch customers which have been KYCed in compliance with Dutch AML regulations. As both Germany and the Netherlands implemented the European Anti-Money Laundering Directive, this has been a most practical approach that simultaneously satisfied the spirit of the directive. At the same time, German law was not entirely circumvented as German customers still needed to be identified by the German credit institution.
The new proposal now requires for obliged entities to make sure its trusted third parties comply with German anti-money laundering regulation as specified in GwG. The aim is to mitigate the risk of regulatory arbitrage used by the obliged entities. Especially with emerging digitalisation of the financial services sector, the German ministry argues that German law can systematically be circumvented.
Should the proposal come into law as is, cross border services will face limitations. A German credit institution would have to ensure that its Dutch counterpart complies with German regulations when identifying a Dutch customer. Considering that a contract is not necessary when relying third party trusted by law, the ministry’s proposal would effectively eliminate the use of this type in cross border services. To ensure this type of compliance a contract is unavoidable.
German obliged entities are unnecessarily hindered in their cross border services. A simple clarification in the GwG that a domestic customer needs to be identified by rules governed by domestic regulations would have sufficed.
Recourse to prior identification
Under BaFin’s general regulatory practice it used to be possible, under certain conditions, to recourse to a completed identification by a third party. A new identification was not necessary, but existing data could be recycled. This possibility is now to be implemented from practice into law.
A third party can, according to the ministry’s proposal, use existing customer data in the case the original purpose to collect the data was itself an identification. Further criteria implements BaFin’s regulatory practice:
1. The identification was part of the onboarding process of the third party.
2. The identification was not conducted under simplified customer due diligence rules.
3. The identification took place within less than the past 24 months.
4. There are no external circumstances for the obliged entity to doubt the authenticity of the data.
5. The identification document used in the process is still valid.
The obliged entity has to perform a plausibility check. According to the current wording, the 24 months-period cannot be extended by a simple update of the customer data. An equal treating would however be appreciated by the market. Thus BaFin’s current regulatory practice uses the date of the collection of the respective data as the relevant point of reference. An extension to allow the same procedure for third parties trusted by contract is not planned.
The German Ministry of Finance performed only a two-week consultation process for its proposal. Any changes on the legislative procedure remain to be seen.