Categorisation of the amendments1
1This is a heavily simplified depiction, intended to offer a swift, initial categorisation of the topic. Every institution should determine the relevance and tangible need for action on a specific, individual basis.
Verification of the beneficial owner
Previously, an institution needed to ascertain the identity of the beneficial owner, in principle. It was only necessary to check the plausibility of the details of the beneficial owner if there was doubt as to the accuracy of these details or in the context of special background investigations for a business relationship involving increased risk.
However, from 2023, the AMLA requires the details of beneficial owners, or the controlling persons of legal entities, to be reviewed and documented appropriately, as a matter of principle. This takes the form of a plausibility check. In other words, the identity of the beneficial owner or the controlling owner does not necessarily have to be proven. However, the clarifications must give rise to the justified assumption that the details are correct. The scope and extent of the clarifications are dependent on the risk in question, and, by extension, on the case at hand. For clients with a normal or low level of risk less extensive clarifications are expected than for clients with a higher level of risk.
Legislators have not provided further details regarding the precise way in which the verification is to be undertaken. In general, the clarification methods listed in Art. 16 AMLO-FINMA, such as consulting publicly available sources and databases, can be applied analogously. That said, for clients (individuals) with a normal level of risk, it can in principle be assumed that verification can be performed by comparing the details with other information available about the client. For these clients, verification can be considered adequate if the information on the beneficial owner is simply consistent with the other information available. Conversely, for clients with an increased level of risk, it is worth being guided by the additional clarification methods under Art. 16 AMLO-FINMA.
Institutions that already hold extensive KYC documentation on all their clients will frequently be able to draw on their existing KYC information to verify the beneficial owner. Insofar as relationships between custodian banks/investment firms, on the one hand, and external asset managers or trustees, on the other, go, every institution involved is independently responsible for appropriately performing and documenting the verification, even if these organisations look after the clients in question jointly.
In practice, the checks can be documented in various ways, provided that an external third party (e.g. auditor, public body) is able to transparently see how the plausibility of the details was reviewed. Depending on the institution, this could take the form of a simple physical memo, forms modified for this purpose, or a suitable digital CRM system.
For legal entities, it must be noted that the identity of the beneficial owner or controlling person needs to be verified, alongside the beneficial owner. This can be undertaken by inspecting the share register, company contracts, or similar. At the outset, the verification obligation only impacts new business relationships initiated from 1 January 2023 onwards. However, existing clients will need to have the corresponding verification retrospectively documented sooner or later, as part of periodic updates.
At the outset, the verification obligation only impacts new business relationships initiated from 1 January 2023 onwards. However, existing clients will need to have the corresponding verification retrospectively documented sooner or later, as part of periodic updates.
Periodic updating of client information
Now, client information must be regularly checked and updated for all business relationships. The frequency and extent of these checks can be adapted to the risk at hand. In other words, more frequent, more thorough checks are expected for clients with a higher level of risk than for those with a lower or a normal level of risk. For the latter, many institutions are providing for a review cycle of five years, or more, in their internal AMLA directives moving forward.
The updating obligation encompasses all the information collected about clients as part of due diligence. This includes straightforward personal details like names, addresses, place of residence, and so on, along with background information typical of KYC checks, such as the origin of the assets, the identity of the economic beneficiary or an individual’s status as a politically exposed person (PEP).
It is worth noting that reviewing a client’s details may also reveal that no update is required. In other words, only the information and documents that need to be amended actually have to be updated. In particular, if identity verification has already been performed under applicable law, there is no need to repeat this every time an update is carried out. Nevertheless, particular heed should be paid to older business relationships. For business relationships that were initiated back when specific due diligence obligations were not yet in force (e.g. prior to the introduction of the obligation to identify the controlling person of operationally active companies in 2016), current due diligence obligations need to be met when the update is performed.
Information can be obtained from reliable sources for the update. It is wise to contact the client directly to update their information. A standardised query can be useful, be it for transactions involving private individuals or legal entities, to clarify whether the client’s material circumstances (domicile, income situation etc.) have changed since the last update. This can be undertaken via an online form or a letter, for instance.
To begin with, financial intermediaries should start by updating the client information for the business relationships that are associated with the highest levels of risk. As a result, it is worth dividing your business relationships into various risk groups, depending on their risk classification, and then updating these risk groups at different intervals in line with their level of risk. The frequency of these updates needs to be regulated in internal directives. Depending on the institution and its client structure, it can also be sensible to stagger the way in which this obligation is fulfilled to avoid having to deal with a barrage of updates in one year.
Summary and potential need for action
The revised AMLA will be entering into force very soon. Most institutions are likely to have already assessed the impact of the amendments on their business model and decided on the relevant steps to put into practice. While there is still some time to resolve any specific questions regarding the implementation of the obligation to update client details, internal regulations should cover the new obligations in generic form as of 1 January 2023. In addition, from this point onwards, it will be necessary to adapt the process for entering into new business relationships and, if applicable, the tools and forms used as part of this, to ensure that the verification obligation is being fulfilled. The employees involved should be briefed accordingly on meeting their new obligations. We would be happy to advise on all matters relating to the revised AMLA: we look forward to hearing from you!