As mentioned in our previous post, the Estonian FIU hosted a webinar on how virtual currency service providers should implement due diligence measures in correspondent relationships with other financial institutions.
The concept of correspondent relationship is given in Estonian MLTFPA § 7, and due to the complexity of this legal wording, we only highlight its main characteristics.
According to FIU and the legal understanding, these are mutual relations between credit institutions and financial institutions, which are characterized by:
• continuous and repetitive nature;
• nested services.
The following can be distinguished according to the types of institutions participating in the business relationship:
credit institution-credit institution
credit-institution-finance institution
finance institution-finance institution
In the case of virtual asset service providers aka VASP or (CASP by MiCA definition) services are provided by a correspondent institution to a respondent institution to service its customers, using the following sequence as an example:
Estonian VASP (correspondent institution)-Respondent institution (financial institution who is a client of Estonin VASP)-The Customer who ultimately benefits from the transaction, i.e. the Financial Institution customer, i.e. customer of VASP customer.
The valid question is are the risks greater in the case of correspondent relationships? We can say they are indeed, because :
A correspondent agency usually does not have one business relationship with the customers of the respondent institution
Identifying the real beneficiaries and the origin of the assets used in the transactions is more difficult than usual
In general, the correspondent institution does not directly apply due diligence measures to the customers who ultimately benefit from the correspondent service
There is at least one more link in the asset movement chain
According to FIU, two options are applicable depending on whether and how the correspondent institution wants to apply due diligence measures.
Option I
If the correspondent institution does not want to directly apply due diligence measures to the customers who ultimately benefit from the transaction
Then the obliged entity must apply the following additional due diligence measures (MLTFP § 40 paragraph 2):
to determine that the financial institution which is the client (respondent institution) is itself obliged to implement and apply (in real life) measures equivalent to the requirements stipulated in MLTFP;
to be aware of the risk structure of the clients who ultimately benefit, and to ensure that the resulting risk is in line with the risk appetite of the obliged person (correspondent institution);
ensure with the contract that, if necessary, all data and documents can be obtained without delay in order to identify the person who ultimately benefits from the transaction;
take adequate measures to ensure that the conditions in the first point are met.
FIU suggests the following self-check questions in this case:
1) What measures does the correspondent institution use to ensure that the respondent institution actually applies the provisions of RahaPTS and the relevant directives of the European Parliament and the Council
equivalent measures?
• Questionnaires?
• Remote controls?
• On-site inspections?
• Spot checks?
2) Does the correspondent institution collect enough data and use metrics that allow in reality to understand the risk structure of the respondent institution's customers, i.e. the final beneficiary customers?
3) What is the proportion of high-risk customers in the respondent institution's customer base, the customers' residence, areas of activity, etc.?
4) Is it monitored that the risk associated with end customers is in line with the risk appetite of the correspondent institution?
Option II
If the correspondent institution wants to directly apply due diligence measures to the customers who ultimately benefit from the transaction, then
If the conditions of the aforementioned additional due diligence measures (MLTFP § 40 paragraph 2) are not met, the correspondent institution must apply its own due diligence measures to the final beneficiary customers.
In the case of the Estonian VASP, it is worth noting that it is prohibited to rely on the respondent institution with high risk when applying due diligence measures in the case of respondent institutions established in a third country. (MLTFPA § 40 paragraph 3).
Here again, the following checklist might be useful:
Q - Is the correspondent institution ready to apply its own due diligence measures to end customers?
Please note that in the case of respondent institutions established in a high-risk third country, it is prohibited to rely on the respondent institution!
• How does the correspondent institution work if there are errors in the application DD stated in MLTFP?
• Will transactions be suspended in case of incomplete data?
• Are there risk management solutions if the correspondent institution is unable to apply due diligence measures?
• Informing management and implementing additional measures?
• Warning -> restriction of service -> termination of business relationship?
Many Estonian VASPs have business relationships with financial institutions established in a third country.
In the case of a cross-border correspondent relationship with a respondent institution of a third country and in the case of a correspondent relationship with a respondent institution with a higher risk of money laundering or terrorist financing (RahaPTS § 40 subsection 1) additional DD measures must be implemented:
1) gathering sufficient information about the respondent institution;
2) prevention of money laundering and terrorist financing implemented in the respondent institution
assessment of control systems;
3) obtaining prior approval from senior management to establish a new correspondence relationship;
4) documentation of relevant obligations;
5) requirements for accounts with extended usage rights.
If you are a correspondent institution, FIU recommends the following self-assessment questions:
Does the correspondent entity have rules and define which ones respondent institutions are at higher risk?
Does the correspondent institution have measures in place to identify whether the respondent institution is or has become a high risk or is a respondent institution of a third country?
Does the correspondent institution carry out continuous monitoring of the business relationship, periodically update the data, and perform media monitoring?
is the senior management of the obliged entity deciding about establishing high-risk correspondent relationships? Is the decision based on thorough analysis?
Does the contract between the parties have the rights of both parties and responsibilities clearly defined?
Can the correspondent agency quick and exhaustive information about the due diligence measures applied by the respondent fee to the end customer?
If your entity is dealing with a respondent institution, pay attention to the following:
Does the respondent institution have an operating license that
meets the requirements in the EU?
Has the supervisory authority identified deficiencies in the activities of the respondent institution?
Are the control systems implemented in the respondent institution relevant and effective?
Which products and services does the respondent institution offer, in which jurisdictions (ie to which target markets), and through which sales channels?
What is the customer base of the respondent institution?
Does the information collected about the respondent institution come from reliable sources and is it sufficient?
SUMMARY
To provide a correspondent service, a correspondent institution must:
• Create a suitable organizational structure for the provision of correspondence services and with it
to manage associated risks;
• Ensure the existence of relevant procedural rules and internal regulations;
• Have an effective risk control system
The correspondent institution must know its correspondent institution and the risks associated with it, including:
Understanding the nature of the respondent institution's activities (collection of information and
keeping up to date);
Making sure of the existence and operation of the activity license and proper control system for preventing money laundering and terrorist financing (on-site checks, remote checks, random checks);
Knowledge of the risk structure of the respondent institution's customer base;
Signing a contract with specific requirements and conditions with the respondent institution, including ensuring the availability of all necessary data;
Continuous monitoring of the correspondence relationship.
As you see, the application of due diligence measures in correspondent relationships is a very complex topic, where practical reasoning must follow the legal requirements. If you want to establish a proper AML/KYC structure in your company and be compliant with all legal regulations, do not hesitate