CMVM Regulation regarding anti-money laundering and counter terrorist financing.
Legal Alert no. 15 - CMVM Regulation no. 2/2020
On 5 March 2020, CMVM released Regulation no. 2/2020 (“The Regulation”), on anti-money laundering and countering the financing of terrorism (“AML/CFT”), whose publication in the Portuguese Official Gazette is currently pending.
The diploma aims to regulate the provisions of Law 83/2017, of August 18, which establishes AML/CFT measures (“the AML/CFT Law”), with respect to obligated financial entities subject to the supervision of CMVM, either exclusively or together with Banco de Portugal, as well as to auditors.
Among the main innovations is the duty of obliged entities to carry out an assessment of the adequacy and actuality of the policies, procedures and controls in place to carry out an effective management of the ML/TF risks with a periodicity not exceeding 12 months. This periodicity can be extended to a period not exceeding 24 months between each assessment, whenever such decision is justified by lower exposure to ML/TF risks, according to the nature, size and complexity of the developed activity, type of customers and operations carried out.
At the same time, obliged entities must carry out, a periodic effectiveness assessment, as a general rule independently, on the quality, adequacy and effectiveness of their AML/CFT policies, procedures and controls. Generally, there can be no more than 12 months between each assessment, but, as with adequacy and actuality assessments of policies, procedures and controls, this period may be extended up to the limit of 24 months between each assessment, whenever such decision is justified by the lower exposure to ML/TF risks.
In both cases, the assessment results and any justifications for carrying them out with a periodicity longer than 12 months must be written down, kept under the terms of the AML/CFT Law, and, in the first case, made permanently available to CMVM.
Obliged entities must also inform CMVM of (i) the identity of the designated compliance officer, (ii) their contacts and (iii) the respective designation instrument within a maximum of 5 days after their designation. Likewise, the termination of compliance officer duties must be communicated within 5 days of it happening and, once verified, the obliged entities must proceed to replace the compliance officer within a maximum of 15 days.
Policies, procedures and controls must include a description of the means and mechanisms implemented to ensure the knowledge and immediate execution of restrictive measures that may be implemented by obliged entities. The compliance officer ensures the fulfillment of all obligations regarding the implementation of these measures and ensures the duty to communicate to the competent authorities, namely, the Directorate-General for Foreign Policy of the Ministry of Foreign Affairs and the Planning, Strategy, Evaluation and International Relations Office of the Ministry of Finance.
Compliance with restrictive measures, including the refusal to apply them, must be duly documented and maintained under the terms of the AML/CFT Law.
For the purpose of complying with the duty of identification and due diligence in the context of occasional transactions, a period of 30 days was established , counting from the last transaction or set of apparently related transactions worth € 15,000 or more, carried out by the client or group of clients apparently related entities, during which the obliged entities must pay attention to the quality and relationship of the intervening parties, the frequency of operations, the characteristics of the operations and the similarity of the object of the operations in order to detect any links with ML/TF practices. In this regard, the records kept in accordance with the duty t preserve must refer to the nature of the underlying transactions, framing them as occasional transactions or in the midst of a business relationship.
Regarding the deferral of the verification of the client's identity, a maximum period of 60 days after the initial collection of their identification elements is established, after which the obliged entity must cease the business relationship and execute the provisions related to the duty of refusal in case the client does not provide the respective means of proof. Also noteworthy is the prohibition on obliged entities to execute orders for the transmission or encumbrance of financial instruments or to transfer any other assets of the client until fully verifying their identity. The motives justifying identity verification after the establishment of a business relationship must also be included in the records and analyses of the obliged entities.
Furthermore, the Regulation establishes that obliged entities must define criteria for the enforcement of simplified and reinforced measures according to the concrete risk of ML/TF, establish the set of simplified and reinforced measures to be applied to each group of customers, as well as the respective frequency and intensity for monitoring and updating. At the same time, obliged entities must establish procedures for monitoring and accompanying customers which may trigger updates to their classification and the subsequent adjustment of the applied measures. The records of obliged entities should include information on the adoption of simplified and reinforced measures, as well as the respective periods of application.
Hiring third parties to perform the duty of identification and due diligence is now subject to compliance with the requirements set out in the Regulation and does not exempt obliged entities from ensuring the sufficiency of the third party's procedures, as well as the implementation of appropriate procedures and information flows which allow the fulfillment of the duties to which the obliged entity is bound under the AML/CFT Law and the Regulation.
Lastly, obliged financial entities and auditors must prepare and send an annual report to CMVM by February 28 - Annexes I and II to the Regulation, respectively - on their respective internal control systems, with reference to the period between 1 January and 31 December of the previous year. Exempt from this report are entities which operate in Portugal under the freedom to provide services, since these are obliged to submit their own report on their activity in Portugal whenever the volume of their activity in Portugal justifies it. Auditors who are not associated on an exclusive basis with a statutory auditors firm on the last day of the reference period will also be exempt from presenting the report in question.
The Regulation enters into force 30 days after its publication, which, as mentioned, is pending. Once in force, obliged entities must submit to CMVM, within 30 days, information on the compliance officer data and, if applicable, of the director responsible for monitoring ML/TF matters.
This legal alert does not constitute legal advice or exempt its reader from fully reading the Regulation in question, available here.