The European Union (EU) adopted its first anti-money laundering (AML) directive in 1990 to prevent money laundering and terrorist financing. Generally, the purpose of the AML directive is to provide obliged companies with customer due diligence (CDD) requirements.
The directive helps prevent misuse events that can cause money laundering activities. This is extremely relevant when companies enter into new business relationships. In other words, if you work with other organizations, you might be required to conduct Business Verification or Know Your Business (KYB) Verification.
Who are Those Obliged Financial Regulated Entities?
The most important factor is to identify whether your company/organization is required to proceed with fully compliant Know your business (KYB) procedures or not. Most of the obliged entities are credit, financial institutions, and gambling service providers. Therefore, individuals such as auditors, external accountants, and tax advisors are also required to comply with AML regulations.
In 2020, the fifth money laundering directive went into effect and brought cryptocurrencies under the scope. Since then, the providers of cryptocurrency services have to register with financial institutions and comply with AML regulations either.
All organizations, businesses, and individuals that are subject to this regulation are listed here (Article 2).
The Most Important Question: How to Comply with AML Regulations?
If your company or organization belongs to the obliged institutions’ list, you must comply with AML regulations and apply customer due diligence measures when establishing a business relationship. To be compliant, organizations must collect the following information:
When gathering company data, it is required to collect the company name, company registration number, country of origin, operating address, and type of entity (LTD, JSC, LLC, etc.). Furthermore, the obliged companies must collect proof of registration or excerpt from the official Register or Legal entities.
The collection of CEO (director) and representative information (if applicable) is also required. The full name, date of birth, and nationality details must be gathered if the CEO is defined as a representative. As a result, if there are other representatives, the same information about them needs to be collected as well.
Additionally, the obliged companies are required to proceed with identity verification for the CEO and representatives, including collecting the representatives’ power of attorney letters and ID documents.
The obliged companies must collect data about the company’s shareholders together with an official document of the company’s ownership structure. The obliged companies must identify the Ultimate Beneficial Owner and other shareholders that hold 25% or more company shares.
The ownership structure can end only with an individual owner or a government-owned company. So if the company’s beneficiary is another company, the particular company’s beneficiaries must also be identified. Naturally, you can only imagine why automation is necessary to keep track of shareholders’ hierarchy for regulatory purposes.
As a “bonus”, you might need to collect additional information through special questionnaires. Obtaining such data helps identify the nature of the business relationship, self-declared PEPs, etc.
How to Apply AML Monitoring?
Before starting a business relationship, the company must check for Adverse media and AML results. Company, representatives, and all the shareholders must be scanned through AML and Adverse media results.
The company can be approved only if the company and/or UBOs aren’t sanctioned or the AML and Adverse media findings are false positives.
That’s not all. After the company is approved, the ongoing AML and Adverse media monitoring can be applied to all previously mentioned subjects. Monitoring includes daily checks every 24 hours through various databases all around the world.
Collecting Information is Not Enough
To stay fully compliant, having all the information about your potential client is not enough. Remember, the data that you gather from the forms and questionnaires during Business Verification could be false because fraudsters tend to falsify information.
For this reason, compliance and risk officers compare the provided information with official governmental registry reports. However, there is no such guide of what should be done if the information doesn’t match. In that situation, you should conduct the investigation further: contact the particular client directly and ascertain your client is not a potencial fraudster.
Understanding Country Risk Assessment
The business verification form, questionnaire, and general investigation might differ based on the country. Money launderers are doing their homework really well. That means they investigate the countries where the AML regulations standards are lower. For instance, some countries with the highest money laundering risks are Afghanistan, Haiti, and Myanmar.
For this reason, it’s extremely important to determine the company’s registration country, beneficiary countries, and possible links with high-risk countries. You can review the full list on the official website of the European Commission.
If the potential client has any links with an EU-listed high-risk country, enhanced due diligence (EDD) must be applied. The EDD demands businesses to:
- Verify the source of funds and wealth.
- Obtain senior management approval.
- Conduct extensive research and screening.
- Retrieve information on the intended nature of business of the customer.
- Other measurements that are listed above.
Business Verification Essence: Identify Your Client
Businesses must proceed with various processes to stay compliant with the AML regulations.
One of the greatest issues explaining the confusion behind such legal formalities is that we currently lack well-described rules that would help follow regulations. As a result, compliance officers tend to interpret these regulations themselves.
When it comes to Business Verification, the question you should answer yourself before onboarding another company is, “Who is my client?”. To answer it, the regulated entity must consider:
Business activity: this information should be taken out from the form and the questionnaires. To indicate whether that data is true, it must be compared to official government reports.
Reputation: there are many ways to determine reputation, including checking the reliability of the information provided by your client, conducting Adverse media screening, and investigating credit reports.
Ownership structure and beneficiaries: ask your client to provide the ownership structure and upload an official document. Also, do not forget to compare that information with the official registry reports.
Politically Exposed Persons (PEPs): it is really important to determine whether your client is an active PEP or not. Many PEP positions have access to funds from the state, and they tend to use companies for money laundering purposes. In addition, they are vulnerable to impersonation, intimidation, and bribery.
Therefore, you can still have a business relationship with a company whose beneficiary is a PEP. Just take adequate measures to establish the source of funds and source of wealth and conduct ongoing monitoring.
Sanctions screening: when your client is already onboarded, sanctions screening is the key factor. You should stay updated with suspicious activities during the whole business relationship period. An efficient monitoring system scans International Sanctions lists 24/7. Just Imagine the pain of screening everything manually…
Possible Fraud is Detected: What Are Your Next Steps?
If you detect possible fraud or money laundering during Business Verification, you must fill in a suspicious activity report (SAR). The letter should answer the following questions:
- Who is conducting suspicious activity?
- What instruments or mechanisms are being used?
- When was the possible fraud detected?
- How and where was it detected?
- Why do you think it’s suspicious activity?
Please note that the SAR should be provided to the local government department. In general, entities are required to file a SAR no later than 30 calendar days after the date of initial detection of potential fraud.
How to Choose the Right Business Verification Provider?
All the above-listed regulations vary depending on the country and the industry in which the business operates. The regulated companies must pass internal and external audits, so their providers typically have hands-on experience on how to stay compliant. Since the differences between legal requirements are slight, it’s important to find a provider with experience in different markets and sectors.
Human errors, such as forgetting to review AML results and missing suspicious activities, often lead to companies accidentally onboarding fraudsters. To combat this issue, we created our Business Verification solution. By adding different automation and customization options, our multi-function KYB platform prevents you from onboarding the other company without reviewing all the necessary information properly.
We help various enterprises, from large-scale businesses to small startups. No matter what your industry is, we’ve got you covered. Click here and see our KYB solution in action.