Group-wide Policies and Procedures

The landscape of anti-money laundering (AML) regulations and the necessary compliance measures have significantly evolved, particularly with the introduction of the 4th Anti-Money Laundering Directive (AMLD) [Directive (EU) 2015/849] and its subsequent amendment under the 5th AMLD [Directive (EU) 2018/843]. For financial and credit institutions, understanding the intricacies of these directives, along with the Commission Delegated Regulation (EU) 2019/758, is crucial for effective group-wide policy implementation and risk management.

4th and 5th Anti-Money Laundering Directives: The 4th AMLD set a new standard for AML and counter-terrorist financing (CTF) policies in the EU, requiring a holistic approach to risk assessment and management at the group level. This directive was further enhanced by the 5th AMLD, which expanded the scope of compliance requirements, including stricter transparency rules around beneficial ownership and enhanced due diligence measures.

Commission Delegated Regulation (EU) 2019/758: Building on these directives, the Commission Delegated Regulation (EU) 2019/758 addressed specific challenges faced by entities operating in third countries where local laws might impede the implementation of AML/CTF measures. This regulation requires institutions to take additional steps to manage ML/TF risks, such as obtaining customer consent for data sharing, conducting enhanced reviews, and, if necessary, limiting the nature of financial services offered in these countries.

Section 9 German GwG and Chapter 11 of the BaFin Interpretation and Application Guidance: In Germany, Section 9 of the GwG and Chapter 11 of the BaFin Interpretation and Application Guidance place similar emphasis on comprehensive group-wide AML/CTF policies. These regulations require parent undertakings to conduct thorough risk assessments, establish consistent internal controls, and ensure effective implementation of these measures across all branches and subsidiaries.

Common Threads in AML/CTF Regulations: Across these directives and regulations, several key points stand out:

  1. Risk-Based Approach: All regulations emphasize a risk-based approach, requiring entities to identify, assess, and manage ML/TF risks specific to their operations.
  2. Group-Level Compliance: There is a uniform requirement for implementing AML/CTF policies at the group level, ensuring consistency across all branches and subsidiaries, regardless of geographic location.
  3. Enhanced Due Diligence and Training: Enhanced due diligence, especially in higher-risk scenarios, and targeted training for staff members are recurrent themes.
  4. Data Sharing and Protection: Balancing data sharing for AML/CTF purposes with data protection laws, particularly in third countries, is a critical component of these regulations.
  5. Adaptation to Local Laws: Institutions are required to navigate and comply with local laws in third countries, adapting their group-wide policies where necessary.
  6. Ongoing Monitoring and Reporting: Continuous monitoring of business relationships and transactions, along with timely reporting of suspicious activities, is a shared requirement.

For financial institutions and credit entities, staying compliant with these evolving AML/CTF regulations is not just about legal obligation but also about playing a pivotal role in the global fight against financial crimes. At, we provide comprehensive insights and guidance to help you navigate these complex regulatory landscapes effectively. Stay informed, stay compliant, and contribute to a safer financial system with our expert resources and analyses.

4th AMLD & 5th AMLD

The 4th AMLD [Directive (EU) 2015/849] and its amendments under the 5th AMLD [Directive (EU) 2018/843] primarily deal with the implementation of group-wide policies and procedures in the context of Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT).

Here is a summary of the key points:

  1. Definition of a Group (Article 2(15) Directive (EU) 2015/849): A "group" is defined as a collection of undertakings, including a parent undertaking, its subsidiaries, and entities where the parent or its subsidiaries hold participation. This also includes undertakings linked by relationships as defined in Article 22 of Directive 2013/34/EU.
  2. Group-Wide Policies and Procedures (Article 45 Directive (EU) 2015/849):
    • Implementation Requirement: Obliged entities that are part of a group must implement group-wide policies and procedures, including data protection and information-sharing policies for AML/CFT.
    • Application in Branches and Subsidiaries: These policies and procedures must be effectively implemented in both EU Member States and third countries, at the level of branches and majority-owned subsidiaries.
    • Compliance in Third Countries: In cases where third-country laws are less stringent, branches and subsidiaries in these countries must implement the requirements of the Member State, as far as allowed by the third country’s law.
    • Coordination in Case of Legal Constraints: If a third country’s law prohibits the implementation of these policies, Member States and the European Banking Authority (EBA) are to be informed for coordinated action.
    • Handling Non-Compliant Third Countries: Additional measures must be applied by branches and subsidiaries in third countries that do not permit the implementation of required policies. If these measures are insufficient, further supervisory actions are mandated.
  3. Enhanced Customer Due Diligence (Article 18(1) Directive (EU) 2015/849): In high-risk scenarios, enhanced customer due diligence is required. However, branches or majority-owned subsidiaries in high-risk third countries that comply with group-wide policies may not automatically need to invoke these enhanced measures.
  4. Prohibition on Relying on Third Parties in High-Risk Countries (Article 26 (2) Directive (EU) 2015/849): Obliged entities are prohibited from relying on third parties in high-risk third countries, with potential exemptions for compliant branches and subsidiaries.
  5. Supervision and Cooperation (Article 47(5) Directive (EU) 2015/849): Competent authorities in Member States must cooperate to ensure effective supervision of these requirements, especially for credit and financial institutions that are part of a group.
  6. Amendments to Directive (EU) 2015/849 (Directive (EU) 2018/843):
    • Article 39, paragraph 3: Clarifies the conditions under which disclosure is allowed between credit institutions and financial institutions within the same group, including those in third countries.
    • Article 48, paragraph (5): Emphasizes the role of competent authorities in supervising the effective implementation of group-wide policies and procedures.

In essence, these articles establish a framework for obliged entities within a group to maintain consistent and robust AML/CFT practices across different jurisdictions, emphasizing compliance, data protection, and the need for coordination and communication between various entities and regulatory bodies.

Commission Delegated Regulation (EU) 2019/758

The Commission Delegated Regulation (EU) 2019/758, supplementing Directive (EU) 2015/849, establishes regulatory technical standards for actions that credit and financial institutions must undertake to mitigate money laundering and terrorist financing risks in third countries where local laws impede the implementation of group-wide policies and procedures. Here’s a summary of its key components:

  1. Purpose and Background:
    • It’s designed to address situations where branches or subsidiaries in third countries face legal barriers in implementing group-wide anti-money laundering and countering the financing of terrorism (AML/CFT) policies due to local laws, especially regarding data protection or banking secrecy.
  2. General Obligations in Third Countries (Article 2):
    • Institutions must assess and manage ML/TF risks in their group, reflect these risks in group-wide AML/CFT policies, obtain senior management approval for these policies, and provide targeted training to staff in third countries.
  3. Handling Specific Restrictions (Articles 3 and 4):
    • When third-country laws restrict customer due diligence or data sharing/processing, institutions must inform their home Member State’s competent authority and explore whether customer consent can overcome these restrictions.
    • If consent is not feasible, they must apply additional measures to manage ML/TF risks, including enhanced reviews and restricting financial services to low-risk products.
  4. Measures for Non-Compliance (Articles 3 and 4):
    • If effective risk management is not possible, institutions may have to terminate business relationships, avoid occasional transactions, or close operations in the third country.
  5. Disclosure of Suspicious Transactions (Article 5):
    • Where local laws restrict information sharing about suspicious transactions within the group, institutions must provide relevant information to their senior management and competent authorities, and take additional measures to manage risks.
  6. Transfer of Customer Data for Supervision (Article 6):
    • If data transfer is restricted, enhanced reviews, audits, and information provision to senior management and competent authorities are required.
  7. Record-Keeping (Article 7):
    • Institutions must overcome legal restrictions on record-keeping through customer consent or additional measures.
  8. Additional Measures (Article 8):
    • These include restricting services to low-risk products, not relying on due diligence measures of branches/subsidiaries in third countries, enhanced ongoing monitoring, and sharing suspicious transaction report information within the group, as permitted by law.
  9. Implementation and Application (Article 9):
    • The regulation entered into force on 20th February 2019 and has been applicable from 3rd September 2019.

In summary, the regulation requires credit and financial institutions to take specific actions to manage ML/TF risks in third countries, especially where local regulations hinder the implementation of group-wide AML/CFT policies. These actions include risk assessments, enhanced due diligence, information sharing within the group, and additional measures in situations where standard policies cannot be applied due to legal constraints.

Section 9 German GwG

Section 9 of the German Anti-Money Laundering Act (Geldwäschegesetz – GwG) outlines group-wide requirements for combating money laundering and terrorist financing. The section details obligations for parent companies and group entities, emphasizing consistent internal controls, information exchange, and data protection. Here is a summary of its key points:

  1. Risk Assessment and Group-Wide Measures (Subsection 1):
    • Parent companies must conduct a risk assessment for all branches, establishments, and group companies involved in anti-money laundering and counter-terrorist financing.
    • They are required to establish consistent internal controls, appoint a money laundering officer for group-wide strategy and coordination, create procedures for intra-group information exchange, and implement data protection measures.
    • These measures must be effectively implemented by controlled branches, establishments, and group companies.
  2. Compliance with National Legislation in EU Member States (Subsection 2):
    • Parent companies must ensure that majority-owned establishments and group companies in other EU member states comply with the national legislation of those states transposing Directive (EU) 2015/849.
  3. Adherence to Requirements in Third Countries (Subsection 3):
    • For branches and group companies in third countries with less rigorous AML/CFT standards than Germany, parent companies must ensure compliance with the requirements of the German Act, as permitted by the laws of the third country.
    • If full implementation is not allowed by the third country’s law, parent companies must take additional measures to counter the risk of money laundering and terrorist financing and inform the competent supervisory authority of these measures.
    • In case of insufficient measures, the supervisory authority can direct parent companies to cease or not initiate business relationships or transactions in that third country.
  4. Applicability to Other Obliged Entities (Subsection 4):
    • This section also applies to other obliged entities that control at least one other company, provided their parent company is not required to take group-wide measures under this section or under the law of the country where it is located.
  5. Implementation by Group Companies (Subsection 5):
    • Group companies under a parent company must implement the measures referred to in subsection (1), especially regarding information exchange and data protection.
    • All other obliged entities in the group must implement applicable group-wide requirements.
    • These obligations coexist with other statutory obligations under anti-money laundering and counter-terrorist financing law.

In summary, Section 9 of the German AML Act mandates comprehensive, group-wide measures for parent companies and their subsidiaries to prevent money laundering and terrorist financing. These measures include risk analysis, internal controls, information exchange, data protection, and adherence to both EU-wide and third-country regulations.

BaFin Interpretation and Application Guidance on the German GwG

The BaFin Interpretation and Application Guidance pursuant to section 51 (8) of the German Anti-Money Laundering Act (GwG) provides detailed instructions on the group-wide implementation of anti-money laundering (AML) and counter-terrorist financing (CTF) measures, as outlined in section 9 of the GwG. Here’s a summary of its main points:

  1. Scope of Group-Wide Implementation Obligation (11.1):
    • The obligation applies to all obliged entities under section 2 (1) of the GwG that are parent undertakings of a group and headquartered in Germany.
    • The definition of a "group" is broad and includes various forms of control and influence by the parent undertaking over subsidiaries.
  2. Obliged Entities within the Group (11.2):
    • Branches, branch offices, and undertakings in Germany and other countries subordinate to a parent undertaking and subject to AML obligations must comply with group-wide obligations.
  3. Nature of Group-Wide Obligations (11.3):
    • Risk Assessment: Parent undertakings must produce and update a group-wide risk assessment, including the assessments of individual branches and subsidiaries.
    • Implementation of Measures: Based on this assessment, necessary measures and obligations must be implemented across all group entities where legally possible.
    • Consistent Safeguards: Safeguards must be consistently applied across all group entities, regardless of their specific category (like credit institution or insurance undertaking).
    • Group Anti-Money Laundering Officer: A group officer must be appointed to devise and oversee a group-wide AML/CTF strategy.
    • Information Exchange and Access: Procedures must be established for the exchange of information within the group, and the group officer must have access to relevant information for AML/CTF compliance.
    • Data Protection Measures: Compliance with data protection regulations is required across the group.
  4. Requirements in Third Countries:
    • Parent undertakings must ensure compliance with national AML/CTF laws in third countries.
    • If third-country laws are less stringent or prohibit certain AML/CTF measures, parent undertakings must implement additional measures to counter ML/TF risks and notify BaFin of these measures.
    • Additional measures can include limiting financial services, enhanced monitoring, and transaction restrictions.
  5. Enforcement and Proportionality:
    • BaFin may require the termination of business relationships or transactions in third countries if the implemented measures are insufficient.
    • BaFin’s decisions must adhere to the principle of proportionality and be based on a risk-based approach.

In essence, the guidance mandates comprehensive and consistent group-wide AML/CTF measures, including risk assessment, implementation of safeguards, appointment of responsible officers, information sharing, and data protection. It places particular emphasis on ensuring compliance across different jurisdictions, including taking additional measures in third countries where local laws are less stringent or conflict with German AML/CTF requirements.

ith conflicting legal requirements. The standards aim to ensure that even in challenging international contexts, institutions maintain robust procedures to prevent money laundering and terrorist financing.