Outdated browser

You are using an outdated browser. DNB.nl works best with:

17 February 2020 Supervision Supervision label Q&A

Question:

Does the Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft) also apply to bank and non-bank safe custody service providers?

Answer:

Yes, the Wwft also applies to safe custody service providers1.

Notes on the Q&A

At the beginning of 2019, partly in response to the supranational risk assessment (SNRA) by the European Commission, DNB conducted a thematic examination of non-bank safe custody service providers. The European Commission (EC) regards safe custody services as an activity with a significant money laundering risk. The SNRA2 discusses the risks to both bank and non-bank safe custody service providers. The EC states that although the service does not enable users to convert illicit money, it does enable them to conceal the proceeds of crime.

In the Netherlands banks that provide safe custody services and non-bank undertakings whose principal business is providing safe custody services (hereinafter referred to collectively as safe custody service providers) are subject to the Anti-Money Laundering and Anti-Terrorist Financing Act (hereinafter: Wwft). DNB is responsible for supervising compliance by safe custody service providers with the obligations under the Wwft3. In order to provide further details of the implementation of the Wwft, DNB has prepared the Guidelines on the Anti-Money Laundering and Anti-Terrorist Financing Act and the Sanctions Act (Wwft and SW) to provide guidance for institutions supervised by DNB under the Wwft4.

In July 2018 the Wwft was amended with the effect that non-financial corporations are now expected to conduct a systematic integrity risk analysis (SIRA), establish appropriate governance and conduct risk-based customer due diligence, among other requirements.

The updated Wwft requires safe custody service providers to have among other things:

  • A Strategic Integrity Risk Analysis (SIRA, Section 2b of the Wwft)
  • Policies, procedures and processes to prevent money laundering and terrorist financing (Section 2c of the Wwft)
  • A day-to-day policymaker with responsibility or ultimate responsibility for compliance with the Wwft (Section 24 of the Wwft)
  • depending on the nature and size of the institution, a Compliance function (Section 2d of the Wwft) and an Audit function (Section 2d of the Wwft)
  • A training programme (Section 35 of the Wwft)Safe custody service providers are also required to conduct examinations, monitoring and follow-up under the Wwft:
  • Appropriate customer due diligence (Section 3 of the Wwft), including:
    • identification and verification of the customer and of the customer’s ultimate beneficial owner (UBO)
    • examination of the purpose and intended nature of the relationship
    • a customer risk classification
    • examination of the source of funds
    • examination of the representative and persons acting on behalf of a third party
    • continuous scrutiny and monitoring of the customer
  • Enhanced customer due diligence in high-risk cases, e.g. politically exposed persons (PEPs, Section 8 of the Wwft)
  • Immediate reporting of unusual transactions (Section 16 of the Wwft)
  • Appropriate record-keeping (Section 33 of the Wwft)

The purpose of the 2019 thematic examination was to establish how safe custody service providers are complying with the legal obligations arising from the Wwft. It assessed the degree to which safe custody service providers understand their vulnerable components, activities and processes and the extent to which they take targeted measures to control the integrity risks associated with their customers.

The thematic examination revealed that the sector had difficulty complying sufficiently with its Wwft obligations. The sector needs additional guidance on the implementation of the Wwft and the way in which DNB assesses its implementation.

In addition to the DNB Guidelines on the Wwft and SW, which include guidance for safe custody service providers on the implementation of the Wwft, this Q&A explains how safe custody service providers can fulfil the requirements in four specific areas (SIRA, customer due diligence, transaction monitoring and reporting unusual transactions). Details of other areas can be found in the DNB Guidelines on the Wwft and SW.

1. What requirements must a SIRA fulfil?

Section 2b of the Wwft requires safe deposit service providers to have an appropriate, up-to-date SIRA covering their customer relationships, services and products. The analysis must relate to money laundering and terrorist financing.

The legislator requires a systematic approach to integrity risks. Systematic also means it must be a cyclical process whereby an institution conducts periodic inventory, analysis and control cycles and assesses the effectiveness of its control. After all, integrity risks are not static. Both internal and external factors can lead to changes in the risks borne by an institution. For example, financial and economic trends may arise, the product range may change and laws and regulations may be amended. DNB has published a booklet providing a practical explanation of the conduct of an integrity risk analysis5.

The regulatory framework for an appropriate integrity policy and, more specifically, for controlling the risk of money laundering and terrorist financing is risk-based. This means that safe custody service providers can adapt legally required measures to the specific risks associated with certain customers, products and services and the delivery channels (the way in which contact is typically maintained with customers), as well as the combination of such risks. This highlights the individual responsibility of institutions: safe custody service providers must make their own assessment of the relevant risks and then take appropriate measures to mitigate them. In order to understand the actual risks incurred by the provider, it is important to carry out a systematic analysis of these integrity risks.

A major risk for safe custody service providers is that users may store illegal items or proceeds of criminal activity in the safe deposit box. In that context DNB notes that in law the possession of articles obtained by means of any crime constitutes money laundering. It is important that safe custody service providers control this risk. In this regard DNB refers to the letter from the Minister of Finance in response to parliamentary questions6, from which it can be inferred that there may be grounds for safe custody service providers to ask a customer to reveal the contents of a safe deposit box. By extension, it is appropriate for safe custody service providers to implement controls to identify high-risk situations, stating that customers must be asked what they are or will be keeping in the safe deposit box and that, under certain circumstances, the contents will be examined. This should be included in the provider’s terms & conditions and the customer should be informed that this is a possible risk control.

For further guidance, see the DNB Guidelines on the Wwft and SW.

2. How can safe custody service providers carry out customer due diligence?

The Wwft requires safe custody service providers to carry out customer due diligence at the start of the relationship on a risk basis. This means the institution carries out customer due diligence to a level determined by the risks posed by certain types of customers, products or transactions. The safe custody service provider is expected to implement additional controls in cases where there is a heightened risk of money laundering or terrorist financing. Transactions conducted during the relationship must also be monitored. For safe custody service providers, a ‘transaction’ within the meaning of the Wwft is deemed to be ‘an act or acts by the customer in relation to his or her safe deposit box’. Section 3 provides more information on transaction monitoring.

Customer due diligence comprises different components:

a. How do I identify and verify my customer?
Section 3(2a) of the Wwft requires a safe custody service provider to identify its customer, verify the customer’s identity and identify the customer’s ultimate beneficial owner. The provider must take reasonable steps to verify the customer’s identity and, if the customer is a legal entity, take reasonable steps to understand the ownership and control structure of the customer.

For identification purposes the customer must submit proof of identity. When verifying the identity, the provider ascertains that the declared identity matches the true identity. The provider must use documents, data or information obtained from reliable and independent sources (Section 11 of the Wwft) to verify the identity declared by the customer. Section 4 of the Regulation implementing Wwft specifies a number of documents that can be used for this purpose.

Safe custody service providers must also take reasonable steps to determine whether the customer is acting for himself or on behalf of a third party (Section 3(2)(f) of the Wwft). Where a customer acts on behalf of a third party, it is necessary to ascertain the nature of the relationship.

In the case of a natural person claiming to act as a representative of a customer (for example as director of a legal entity), the safe custody service provider must determine whether that person has power of representation. Where a natural person claims to represent a legal entity indirectly (e.g. an administrator if the legal entity is the customer), the chain of representation must be established. If such power of representation is confirmed, the customer will be the subject of the due diligence specified in Section 3 of the Wwft. The natural person acting as representative is identified and his identity is verified (see Section 3(2)(g) of the Wwft).

For further guidance, see the DNB Guidelines on the Wwft and SW.

b. How do I ascertain the purpose and intended nature of the business relationship?
Section 3(2)(c) of the Wwft requires a safe deposit service provider to determine the purpose and intended nature of the business relationship. Obtaining information on the purpose and intended nature of the business relationship enables the safe custody service provider to assess any risks arising from the provision of the service for the customer.
Some of the required information will usually emerge during contact prior to the business relationship. It is important to know why the safe deposit box is being rented. In situations where the safe custody service provider offers products other than safe depot boxes, a distinction can be drawn, including in the risk assessment, between existing customers who rent a safe deposit box as a new additional product and new customers who only rent a safe deposit box. In both cases the provider should ask questions (or additional questions) focused on the specific risks borne by safe custody service providers. Such additional questions are necessary to gain a clear picture of the user of the product or service. For example, a provider renting a safe deposit box to a customer having no home or business in the vicinity will need to know why he or she is using the institution’s services or products.

An understanding of the reason for the rental and the contents of the safe deposit box also enables the provider to identify regular transaction patterns. In doing so, the provider assesses the type of transactions (e.g. quantity, frequency and size) that would be expected from the customer having regard to the reason for the rental and the contents. For example, the storage of securities would be expected to have a different pattern than the storage of items such as jewellery. This information is used as input to determine a risk profile (or high-risk profile) for the customer and implement associated controls. A customer’s expected transaction profile is also defined, providing the basis for the ongoing monitoring of the business relationship.

c. How do I determine my customer’s risk classification?
Under Section 3(2), preamble and (d) of the Wwft a safe custody service provider is required to assess the customer’s activities during the relationship against the risk profile drawn up at the start of the service. It follows from Section 8 of the Wwft that a safe custody service provider must carry out enhanced customer due diligence if the business relationship, by its very nature, entails a heightened risk of money laundering or terrorist financing.

DNB expects safe custody service providers to identify the high-risk indicators relevant to them and to address these as part of the customer acceptance process, for example by assigning a high-risk profile to the customer. Safe custody service providers may consider indicators such as the customer’s occupation or business activities/sector, possible PEP status or UBO, customers living a long distance from the rented safe deposit box, abnormal transaction behaviour, increased attention paid to a customer by the judicial authorities, customers with multiple safe deposit boxes, customers with multiple agents or agents having an illogical relationship with the customer or customers with legal forms such as foundations.

Based on the identified risks associated with the customer, safe custody service providers should then be able to draw up a risk profile for the customer and implement appropriate controls, such as:

  • requesting additional documents during customer acceptance
  • more frequent reviews or more intense ongoing monitoring of the customer
  • risk-based examination of the contents of the safe deposit box

If risks are deemed unacceptable, the safe custody service provider will not accept the prospective customer or will terminate the relationship with an existing customer. DNB expects unacceptable risk situations to be defined.

d. How do I conduct a periodic review of my customer?
Section 3(11) of the Wwft, Section 6(3) of the Wwft and Section 8(11) of the Wwft require safe custody service providers to take reasonable steps to ensure that the data collected as a result of the customer due diligence are kept up to date. This is necessary in order to assess whether any changes have occurred that are relevant to the means by which and the depth to which ongoing customer due diligence must be conducted. The data are periodically updated, taking into account the risks associated with the business relationship or transaction. Safe custody service providers also use signals that could justify a change to the customer’s risk profile.

DNB expects safe custody service providers to analyse the information from the ongoing monitoring during a review and to adapt their controls accordingly. For example, the customer’s behaviour (e.g. unusual visit frequencies or times) may be grounds for additional questions or controls (e.g. additional monitoring, additional questions to the customer, asking the customer to reveal the contents of the safe deposit box, reporting unusual transactions to FIU-the Netherlands).

For further guidance, see the DNB General Guidelines on the Wwft and SW.

e. How do I conduct enhanced customer due diligence on Politically Exposed Persons (PEPs)?
PEPs are persons who hold or have held prominent political functions and immediate relatives or associates of such persons. The PEP concept is not limited to foreign politically exposed persons; it also includes PEPs in the Netherlands. The definition of a PEP is set out in Section 2 of the Wwft Implementation Decree 2018.

Section 8(5) of the Wwft requires a safe custody service provider to have appropriate risk management systems, including risk-based procedures, to determine whether the customer or the UBO is a PEP. If so, the provider must take additional measures when entering into or continuing a business relationship or executing a transaction for a PEP. These additional measures comprise:

  1. consent of a member of the provider’s senior management to enter into or continue the business relationship;
  2. appropriate measures to identify the source of assets and funds used in the business relationship or transaction;
  3. ongoing enhanced monitoring of the business relationship.

DNB expects safe custody service providers to be able to determine whether their customers and/or UBOs may have PEP status and whether any additional controls are needed. This can be done, for example, by carrying out background checks on customers and/or UBOs, or enquiring about the customer’s and/or UBO’s occupation.

For further guidance, see the DNB Guidelines on the Wwft and SW.

3. How should safe custody service providers monitor customers’ transactions?

Sections 2a(1) and 3(2)(d) of the Wwft 2018 require safe custody service providers to carry out constant monitoring of the business relationship and the transactions carried out during that relationship and to pay particular attention to unusual or potentially unusual transaction patterns and/or transactions (e.g. an abnormal visit pattern, unusual purchasing of services such as multiple safes in different locations, renters or agents from high-risk countries). This is necessary to ensure that they are consistent with the provider’s knowledge of the customer and the associated risk profile (drawn up during customer acceptance and periodic reviews), if necessary with an examination of the source of the funds used in the business relationship or transaction. In the case of safe custody service providers, a transaction as referred to in the Wwft is deemed to be an act or acts by the customer in relation to the use of his or her safe deposit box.

Ongoing monitoring enables the provider to understand the nature and background of the customer and his behaviour. The monitoring is aimed partly at detecting a possible abnormal visit pattern (e.g. compared to similar customers in the provider’s customer base) and whether situations may arise involving heightened risk of money laundering and/or terrorist financing. The institution must continuously monitor unusual or suspicious behaviour, patterns or activities. It is important to assess possible connections between separate monitoring channels, for example between transactions taking place on a customer’s bank account and transactions related to the use of the safe deposit box.

For further guidance, see the DNB Guidelines on the Wwft and SW.

4. What action should be taken if unusual transactions are detected?

Section 16 of the Wwft requires a safe custody service provider to report any actual or proposed unusual transactions to Financial Intelligence Service (FIU-the Netherlands) as soon as it becomes aware of the unusual nature of the transaction. The reporting requirement applies even if the customer due diligence does not produce the required result or a business relationship is terminated and there are indications that the customer is involved in money laundering or terrorist financing. Safe custody service providers must not disclose the fact that a report has been submitted.

The list of indicators on which reports must be submitted is set out in the Annex to Section 4 of the Wwft Implementation Decree 2018. That list contains objective and subjective indicators, both of which are relevant to safe custody service providers’ identification of unusual transactions. DNB expects safe custody service providers to consider any subjective indicators that could point to possible money laundering, such as: frequency of visits inconsistent with the intended use of the safe custody box; renting multiple safe deposit boxes without good reason; change in the frequency of visits; suspicious behaviour by the customer; visits by the customer accompanied by third parties or frequent changes of authorisations. In order to identify unusual transactions properly, a safe custody service provider must have sufficient knowledge of the purpose and intended nature of the relationship. On that basis it can then determine the expected visit pattern and detect any departures from that normal pattern.

The FIU-the Netherlands website explains how safe custody service providers can file their reports7.

DNB also expects safe custody service providers to consider and record the actions they will take (in addition to reporting to the FIU) if potentially unusual transactions take place. Possible actions include reviewing the customer’s file, amending the customer’s risk profile, asking the customer questions, requesting evidence of the origin of the contents of the safe deposit box, examining the contents or initiating an exit from the customer relationship if the risk is unacceptable. In the case of a customer who also purchases other products, DNB expects providers to address the entire business relationship in their reports, for example by carrying out an event-driven review (an examination of the customer in response to a specific event).

For further guidance, see the DNB Guidelines on the Wwft and SW.

Relevant laws and regulations
This Q&A concerns the following laws and regulations:

  • Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft)

1 The definition of financial undertaking in the Wwft (Section 1a(1) and (3)) refers to parties other than banks whose principal business is performing one or more of the activities included in points 2, 3, 5, 6, 9, 10, 12 and 14 of Annex I to the Capital Requirements Directive. Point 14 of that annex refers to: ‘Safe custody services’.
2 See also: http://europa.eu/rapid/press-release_IP-17-1732_en.htm and http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=81272 
3 See Section 1d(1) of the Wwft: The implementation and enforcement of this act has been entrusted to: a. de Nederlandsche Bank N.V. in so far as it concerns the institutions referred to in Section 1a (2), (3)(a), (b), (e), (f), (g) and (j), or branches of such institutions having their registered office outside the Netherlands as referred to in Section 1a(4)(f).
4 https://www.toezicht.dnb.nl/en/4/6/51-204770.jsp
5 www.toezicht.dnb.nl/binaries/50-234068.pdf.
6 https://www.tweedekamer.nl/kamerstukken/kamervragen/detail?id=2018Z04844&did=2018D27817 

sector

  • Banks