Pursuant to Article 33 of the Act of 1 March 2018 on Counteracting Money Laundering and Terrorist Financing (hereinafter referred to as the "AML Act"), obligated institutions apply financial security measures to their customers. Article 36 of the AML Act provides the following enumerative list of such measures:
1) customer identification and verification of his identity;
2) identifying the beneficial owner and taking reasonable steps to:
   a) verify his or her identity,
   b) determine the ownership and control structure – in the case of a client who is a legal person, an organizational unit without legal personality or a trust;
3) assessing the business relationship and, where appropriate, obtaining information on its purpose and intended nature;
4) ongoing monitoring of the client’s business relationship, including:
   a) analysis of transactions carried out as part of the business relationship to ensure that these transactions are consistent with the obligated institution’s knowledge of the client, the type and scope of his/her business activity and consistent with the risk of money laundering and terrorist financing associated with that client,
   b) examination of the source of the asset values at the client’s disposal – in cases justified by the circumstances,
   c) ensuring that the documents, data or information held regarding the business relationship are updated on an ongoing basis.
However, should the above measures be applied to their full extent in every situation? Does the obligated institution have a choice in selecting measures depending, for example, on the type of customer served?
First of all, it should be noted that financial security measures are applied in the case of:
- established economic relations,
- carrying out certain occasional transactions.
The type of measures applied will therefore depend on what actions the obligated institution takes.
If the client only conducts occasional transactions, it will be impossible to apply the measures specified in points 3-4 above, which directly concern "business relationships." It is also worth noting that occasional transactions are of a discrete nature and are executed (as of the date they are made) without any intention of repeating them. It is therefore difficult to speak of "monitoring" or "analyzing" in their case, as these activities involve maintaining contact with the client over an extended period of time. Consequently, in the case of occasional transactions, only measures related to the identification and verification of the client and the beneficial owner will be possible.
Doubts regarding the scope of the measures applied are also confirmed by the very wording of Article 33, Section 4 of the AML Act, according to which the application of financial due diligence measures shall be "to a degree and with intensity." This wording can be understood to mean that some financial due diligence measures may be omitted in certain situations. However, according to the position adopted in the doctrine, such a solution would be inconsistent with FATF Recommendation No. 10, as "obligated institutions shall in all cases apply all basic financial due diligence measures, and depending on the identified risk, they shall adjust their intensity."* Such an interpretation is understandable, considering that it is difficult for an obligated institution to adequately recognize a money laundering or terrorist financing threat without applying any of the measures. This applies particularly to such basic security measures as identification and verification of the customer and their beneficiary. If the institution did not have basic data about the customer, it would be difficult to imagine taking any measures to mitigate the risk associated with such relationships or transactions. In such a situation, it would also be impossible to properly submit the reports referred to in Article 74 sec. 1, Article 86 sec. 1, Article 89 sec. 1 and Article 90 of the AML Act. It is also worth emphasizing that the scope of data indicated in Article 36 of the AML Act "constitutes the minimum scope of personal data that should be required by the obligated institution to identify the customer, in respect of which the obligated institution has been granted the right to process them."** Therefore, it is not possible for the obligated institution to collect from the customer, for example, only information about the first and last name.
In summary, in the case of occasional transactions, the obligated institution should always collect customer and beneficiary data, at least to the extent specified in Article 36 of the AML Act. If a business relationship is established, the institution will be obligated to apply all financial security measures listed in Article 33 of the AML Act. However, these measures (specifically those specified in paragraph 1, points 3 and 4 of the aforementioned provision) may be applied with varying frequency depending on the specific situation. The frequency will depend, for example, on whether the customer poses a lower or higher money laundering risk.
This alert is for informational purposes only and does not constitute legal advice.
*M. Dyl, M. Królikowski (eds.), Act on Counteracting Money Laundering and Terrorist Financing. Commentary, Warsaw 2021, article 33; R. Obczyński, in: Counteracting Money Laundering (ed. W. Kapica), 2020, article 33.
**M. Dyl, M. Królikowski (eds.), Act on Counteracting Money Laundering and Terrorist Financing. Commentary, Warsaw 2021, article 36.
