Author: Ricardo Quijano
The new Instructions for the Prevention, Detection, and Control of Money Laundering, Financing of Terrorism and Financing of the Proliferation of Weapons of Mass Destruction, which was approved through the Agreement No. 380, issued by the Attorney General of the Republic on October 22, 2021, and published in the Official Gazette No. 205, Volume 433 dated October 27, 2021, will enter into force 30 days after its publication in the Official Gazette, that is to say, it will enter into force as of November 26, 2021. 205, Volume 433 dated October 27, 2021, entering into effect 30 days after the day following its publication in the Official Gazette, that is to say, it will enter into effect as of November 26, 2021, its objective is to develop the obligations of the obligated subjects referred to in Article 2 of the Anti-Money Laundering Law (LCLDA) and Article 37 of the Special Law against Acts of Terrorism (LECAT), for the detection of unusual operations and reporting of suspicious operations that may be linked to money laundering, financing of terrorism and the proliferation of weapons of mass destruction (hereinafter LDA/FT/FPADM), as well as for the control and reporting of suspicious operations to the Financial Investigation Unit (UIF).
Among the main provisions contained in the instructions and which are mandatory for the regulated entities included in Article 2 of LCLDA and specifically for those subjects not regulated by the Superintendence of the Financial System (SSF), are the following:
1. REGISTRATION OF REGULATED ENTITIES IN FIU.
All regulated entities without exception must register before FIU in the platform designed for such purposes and are obliged to keep the information updated at all times. In case there are changes in the required information, they must update their registration in the platform within 15 business days.
Additionally, the obligation to provide information on its shareholder composition and beneficial owners is established, considering as such, in summary, the following:
(a) The natural person on whose account it is intended to establish a contractual relationship or intervene in any transaction.
b) The natural person who ultimately owns or controls directly or indirectly a percentage equal to or greater than 10% of the capital or voting rights of a legal person, or who by other means exercises direct or indirect control over the management of a legal person.
2. APPLICATION OF THE RISK-BASED APPROACH AND THE PRINCIPLE OF PROPORTIONALITY.
The regulated entities are instructed to apply a risk-based approach (RBA); which consists of identifying, assessing, and understanding their AML/CFT/ATF/MFATF risks and applying resources aimed at ensuring that these are effectively mitigated, as well as that the measures adopted are proportional to the risks identified.
In this regard, the EBR requires the regulated entity to implement intensified measures to manage and mitigate risks when there are higher risks, and simplified measures can be applied when the risks are lower. In assessing risk, reporting entities must consider all relevant risk factors before determining the overall level of risk and the appropriate level of mitigation to apply.
3. OBLIGATION TO ADOPT PREVENTION, CONTROL, AND DETECTION POLICIES.
The regulated entities must adopt policies that guide the actions of their managers, employees, subcontractors, and other collaborators, in all the activities they develop, so that their application strengthens the culture of prevention of AML/CFT/FPADM, allowing control, detection of unusual transactions and reporting of suspicious transactions, through the application of the risk-based approach, under best practices and international standards.
Following this line, the instructions establish specific obligations to the corporate management bodies, attributing to the highest governance body, i.e. the General Shareholders’ Meeting, the obligation to approve, promote and implement the policy for the prevention, control, and detection of unusual operations related to AML/CFT/FPADM, which must comply with minimum requirements, among which are:
a) The implementation of a risk management culture for the prevention of AML/CFT/FPADM and the control, detection of unusual transactions, and reporting of suspicious transactions with a risk-based approach,
b) To indicate the responsibility of the management, control, and compliance bodies, as well as of all employees and collaborators, to ensure compliance with internal regulations and other provisions related to the prevention, control, and detection of unusual transactions and reporting of suspicious transactions.
c) Approve the policies for acceptance of clients and counterparties, as well as management processes, updating of information, and consequences for clients or counterparties if they do not provide it.
d) Develop policies for the prevention, control, and detection of unusual operations concerning its clients and users, which must cover and develop the following aspects:
1. Perform due diligence.
2. Control of operations.
3. Management of risks associated with AML/CFT/FPADM offenses. These policies must allow the regulated entity to fully and reliably identify customers and users.
4. CREATION OF INSTITUTIONAL CODE OF ETHICS
One of the novelties incorporated in these instructions is that all regulated entities must have an institutional code of ethics, to create an ecosystem of values, and implement measures aimed at increasing the sensitivity and awareness of all staff by establishing criteria to put ethical principles before the achievement of benefits or profits and personal and commercial interests, as well as adopting due diligence measures for the selection and hiring of employees and collaborators and monitoring the conduct of their employees (“know your employee policy”).
5. INTERNAL CONTROL SYSTEM.
The regulated entities must establish a series of bodies and entities responsible for evaluating compliance with the applicable controls for the prevention of AML/CFT/FPADM, following their business activities under the risk-based approach and for the detection of unusual transactions and the reporting of suspicious transactions so that failures or weaknesses can be determined and reported to the relevant authorities.
Internal control must include an organizational plan and the set of methods, policies, and procedures that ensure that the controls implemented are appropriate and sufficient, and internal audit, or whoever performs its functions, must evaluate compliance with their effectiveness at least once a year, for which purpose an annual verification plan must be defined.
6. EXTERNAL AUDIT.
The external auditors of the regulated entities must evaluate and issue a report on compliance with the rules and instructions and the policies and procedures for the prevention of AML/CFT/FPADM, with a risk-based approach.
7. DETERMINATION OF THE RISK INHERENT TO THE CUSTOMER OR COUNTERPARTIES’ AML/CFT/FPADM.
Every regulated entity must determine the level of an inherent risk of customers or counterparties (including suppliers and users), by weighting risk ratings, based on criteria of economic activity, products, channels, geographical areas, and jurisdictions, inclusion in the cautionary lists issued by international organizations or local authorities.
When as a result of the determination of the risk level a customer or counterparty is rated with a high inherent risk of AML/CFT/ATF/AML/CFT, enhanced due diligence measures must be applied, by the activities, nature, size, operations and risk level of the regulated entity.
Likewise, the instructions establish the obligation to have policies and procedures for updating information on clients and counterparties, information that may be requested at the physical address, e-mail address declared by the client or counterparty, or by telephone call, provided that it is recorded, and in case there are no changes in the information, the client or counterparty must declare it.
It is recommended that the information be updated at least once a year and in the case of clients or counterparties that change risk category, the update must be made within 60 days following the change of categorization.
The regulated entities are empowered to terminate contractual relations, refrain from initiating them, carry out the transaction or provide the service, in cases where the counterparty, client, or user does not provide the information required for risk assessment and updating of information.
8. DUE DILIGENCE MEASURES
In consideration of the risk classification of customers and counterparties, once the assessment has been made, reasonable due diligence measures must be implemented, which, according to the instructions, may be: standard, simplified, and intensified.
Standard measures comprise minimum due diligence procedures by the activities, nature, size, operations, and risk level of the regulated entity and should be implemented for all customers and counterparties; while simplified due diligence measures shall be applied when it is concluded from the assessment that the risk level is low; and on the other hand, enhanced due diligence measures shall be implemented to the extent that the AML/CFT/AML/CFT risk is higher.
9. IDENTIFICATION OF THE RISK OF NEW TECHNOLOGIES.
The instructions point out the obligation to identify and evaluate the risks that may arise concerning the development of new products and new business practices that include the use of new or developing technologies; the risk analysis must be carried out before the launching of the same.
10. OBLIGATION TO APPOINT A COMPLIANCE OFFICER.
All regulated entities that are not regulated by the Superintendence of the Financial System (SSF), must appoint a compliance officer and his alternate, appointments that must be made by the General Shareholders Meeting or equivalent management body and shall depend hierarchically on this corporate body and administratively on the president director, executive president, general manager or equivalent, reporting to the first line of a direct report of the latter, having the highest hierarchical rank of his counterparts of a direct report to such administrative officer.
The compliance officer shall reside in El Salvador and shall comply with training requirements in AML/CFT/FPADM matters, register before FIU, and may not be dismissed, sanctioned, or removed for complying with the attributions inherent to his/her functions.
The main functions of the compliance officer are associated with the routine monitoring of policies and procedures for the prevention of AML/CFT/FPADM and shall be compatible with the exercise of other administrative functions, except for the position of an accountant or internal auditor, extensive for the personnel working in such areas. The work of the compliance officer is not compatible with subcontracting.
The possibility of appointing the same Compliance Officer for a corporate group, when applicable, is contemplated.
11. REPORTING OF UNUSUAL AND SUSPICIOUS TRANSACTIONS AND ATTEMPTS THEREOF.
The regulated entities must have procedures for the identification of warning signals for the detection of unusual and suspicious transactions, taking into account the following aspects:
a) When identifying unusual operations of clients or counterparties, it must be determined whether there are sufficient elements of judgment to consider them suspicious operations, according to objective facts observed and established by the regulated entity in said analysis, and they must be reported to the FIU.
b) The Compliance Officer shall have a term of 15 business days to determine whether or not it is a suspicious transaction. Said term may be extended for an additional 15 days as long as the FIU is notified electronically or physically.
c) Suspicious transactions must be reported to the FIU within 5 business days from the day after the suspicious transaction is classified as suspicious.
d) Within the same period of 5 business days, the attempt of suspicious transactions must be reported, counted as of the determination as an attempt of suspicious transaction to inform the FIU.
12. INSTRUCTIONS FOR REPORTING OPERATIONS IN CASH OR OTHER MEANS.
The instructions develop the provision contained in Article 9 of the Anti-Money Laundering Law regarding the obligation to report operations in cash and other means:
A. Cash operations:
1. Individual Operations: all those carried out in a single transaction or event exceeds the amount of US$10,000.00, in which case there shall be a term of 5 working days to submit the report to the FIU.
2. Multiple Transactions: all those carried out in several transactions during a calendar month that cumulatively exceeds US$10,000.00, in which case the respective report shall be sent to the FIU within 5 working days.
B. Transactions by other means:
1. Individual Transactions: all those carried out in a single transaction or event exceeds the amount of US$25,000.00, in which case there shall be a term of 5 business days to send the report to the FIU.
2. Multiple Transactions: all those transactions carried out during a calendar month that cumulatively exceed US$25,000.00, in which case the respective report shall be sent to the FIU within 5 working days.
Multiple transactions in another medium shall also be considered, all operations that are made up of another medium and cash, as long as the operations in another medium are equal to or less than U$25,000.00, or it’s equivalent in foreign currency and that cumulatively during the calendar month exceed US$25,000.00. The report must only include the total amount of the transaction and the value in other media, according to the format designed for such purpose. These transactions must be reported to the FIU within 5 working days after the calendar month.
13. ANNUAL TRAINING AND INDUCTION PLAN FOR EMPLOYEES.
The instructions state that the Compliance Officer shall prepare an annual training plan following the training needs detection (DNC), which shall be submitted for approval to the governing body no later than December 31 of each year for its application in the year immediately following its approval for all employees, directors, managers, and subcontractors.
Likewise, the human resources area of the regulated entity must program the induction of employees and subcontracted personnel on generalities and consequences of AML/CFT/FPADM crimes, knowledge of policies and procedures for the prevention, control, detection, control, and detection of unusual operations and carry out a knowledge assessment test of the same.
14. OBLIGATION TO SAFEGUARD INFORMATION
The regulated entities must maintain through printed, digital, or electronic media, all documentation and information supporting the opening of accounts or contractual relationships, copies of identification documents, and transactions, which shall be kept for a period of not less than 15 years.
15. TECHNOLOGICAL INFRASTRUCTURE
The regulated entities must have the technology and systems necessary to guarantee adequate prevention of AML/CFT/ATF/AMLPF risk and must have technical support by their activities, nature, size, operations, and level of risk.
16. DESIGNATED NON-FINANCIAL ACTIVITIES AND PROFESSIONS (DNFPDP)
The instructions incorporate as a novelty, special instructions for designated non-financial activities and professionals (DNFBPs) among which are lawyers, notaries, accountants, and external auditors, who shall have the obligation to inform the FIU of the transactions they make or perform before their offices, greater than $10,000.00 and apply measures for the prevention and detection of AML/CFT/ATF/ATFAML in transactions for their clients on the following activities:
a. Purchase and sale of real estate,
b. Management of the client’s money, securities, or other assets,
c. Administration of bank, savings, or securities accounts,
d. Organization of contributions for the creation, operation, or administration of companies,
e. Creation, operation, or administration of legal persons, other legal structures, and purchase and sale of the same.
The obligation to inform the FIU, which is attributed to the aforementioned professionals concerning transactions carried out for their clients, constitutes another means of control for prevention and detection of AML/CFT/FPADM, being important that as clients are informed that the operations that comply with the budgets indicated by the instructions and in which LatinAlliance intervenes, will be made known to the FIU for regulatory compliance.