9 minute read
Considerations for an effective Licensing Process
BOX 2.4 (continued)
For applicants who already operate businesses that will be transferred to a financial institution status, the evaluation also includes an abbreviated on-site assessment as part of osFI’s exercise to determine operational readiness.
Visit to newly authorized institutions: Mexico. the supervisor visits newly authorized financial institutions prior to their start of operations. these visits are comprehensive reviews of all aspects of compliance with AML/CFt regulations, including a fit and proper test of the corporate structure (background of the legal person members), effective customer identification programs, know-your-customer policies, an AML manual (a document containing all relevant AML policies, procedures, and corporate governance schemes according to the applicable legal framework), an AML risk matrix, reporting obligations, and an automated system to detect and report suspicious transactions and currency transactions in a timely manner.
CONSIDERATIONS FOR AN EFFECTIVE LICENSING PROCESS
Defining a Licensing Policy
A licensing policy should at least address the following issues:
● Prohibition on the establishment and continuation of shell banks;
● Prohibition on the issuance of bearer shares by the financial institution, at any level of the ownership structure;
● Prohibition (or strict controls) on the use of nominee shares and nominee directors that can hide the identity of the ultimate beneficial owners of the financial institution;
● Prohibition on the use of nontransparent and opaque ownership and control structures for the financial institution;
● Prohibition on persons who are not fit and proper from holding, or being the beneficial owner of, a significant or controlling interest or holding a management function in a financial institution; and
● Application of enhanced licensing measures where persons holding, or being the beneficial owner of, a significant or controlling interest or holding a management function are from high-risk jurisdictions or are politically exposed persons.
the licensing policy and processes have to take into account the ML/tF risks and AML/CFt compliance measures presented in the licensing application. this licensing policy should take account of different licensing scenarios, such as de novo banks or financial institutions, financial institutions transforming into banks, international banks establishing branches or subsidiaries in the jurisdiction, private entities vs. publicly listed entities, and so forth. shareholders may be subject to licensing requirements (fit and proper test) when they propose to control more than a certain percentage of an institution’s shares or voting rights (qualifying holdings), as determined by the jurisdiction. the licensing authority may reject applications where a financial institution would be controlled by multiple holding
companies or some other complex shareholding structure that would not allow for or would complicate identification of the beneficial owner or otherwise jeopardize the effectiveness of supervision. some jurisdictions also require banks to be listed on a stock exchange and subject to the related disclosure requirements. As a matter of policy, a jurisdiction can prohibit offshore entities from holding directly or indirectly any ownership interests in a financial institution.11
Categories of ML/TF Risks to Consider at the Licensing Stage
In considering a license application, the supervisor or licensing authority should assess the following ML/tF–related risks: (a) ownership and control risk and (b) business-related risk.
Ownership and Control Risk
ownership and control risk is the risk that criminals or their associates will own or control a financial institution and that directors, senior management, and key personnel will not be fit and proper. to mitigate this risk, the licensing authority should undertake the following when applying the licensing requirements:
● Identify the persons who will exercise effective influence and control over the bank, together or jointly as a group, including shareholders, beneficial owners, persons with a significant or controlling interest, directors, and senior management;
● Understand the primary reasons why these persons (such as their role and contributions) want to participate in the financial institution; and
● establish the rationale for being involved with a financial institution in the jurisdiction if nonresidents are involved either directly or indirectly.
Business-Related Risks
Business-related ML/tF risks are risks associated with the bank’s business lines—that is, the types of customers, products, services, geographic locations, and delivery channels. For instance, the licensing application should indicate what the target customer base will be (for example, retail, corporate, high-net-worth clients, or domestic or foreign customers). It should also indicate what products and services will be provided (for example, private banking, investment banking, fiduciary services, fund transfers, currency exchange, remittances, trade finance, or virtual assets). With respect to geography, the application should indicate if the financial institution will establish a network of branches and subsidiaries in the jurisdiction and abroad. the licensing authority should ensure that the proposed AML/CFt program of the financial institution takes account of ML/tF risks and that the proposed framework is proportionate to these risks. Key to an AML/CFt program are adequate policies and procedures, independent compliance and audit functions, client due diligence, processes for monitoring transactions and reporting suspicious transactions, screening of staff, ongoing training (including for directors and senior management), and record keeping. A strong culture of compliance should underpin the AML/CFt framework. the proposed framework should be reviewed as part of the licensing process, taking into account the ML/tF risks of the jurisdiction and the sector as well as applicable legal and regulatory requirements.
Fit and Proper Procedures
In conducting fit and proper due diligence, the licensing or supervisory authority should obtain information about the shareholders, beneficial owners, persons with a significant or controlling interest, directors, and senior management (eBA 2016a, 2016b, 2017). the following information should be obtained and considered at a minimum:
● evidence, such as police and judicial records, is needed to determine whether the persons or entities have a criminal and a civil record and, if so, the nature and seriousness of the offenses involved. In some jurisdictions, legal entities can be held criminally liable, while in others they can only be subject to civil action for the same types of offenses.
● Reliable information is needed on the business, professional, and work experience of the applicants that clearly demonstrates their competency and capacity to contribute to the success of the financial institution. this information can include a certificate of good conduct from past employers.
● For natural persons proposed as shareholders, reliable information is needed on their net worth (assets and liabilities) to ensure that they are solvent. their financial standing should demonstrate their capacity to invest in the institution from own resources and to inject additional capital when needed. to ensure that no criminals or their associates are involved, it is especially relevant to determine that the sources of funds and the wealth of these persons are legitimate.
● For legal entities proposed as shareholders, due diligence should include (a) their business purpose, activities, and history; (b) their financial condition, preferably through independently audited accounts; (c) their corporate and ownership structure, including beneficial owners; and (d) their governance and reputation, including open-source information.
● For legal entities that will form the financial institution itself, the extent of due diligence will depend on whether the entity is a newly formed or an existing one. For a new entity, due diligence will be basic, including incorporation (if already formed) and proposed shareholding and directorships that will be part of the due diligence conducted on natural persons and legal persons as proposed shareholders of the bank.
● For legal entities already established and operational, further due diligence will be required to determine whether they are acceptable applicants (if there is no adverse news on these entities).
In certain cases, enhanced due diligence will be required to investigate their business practices, regulatory and supervisory reputation, financial condition, and legal and judicial record.
● For nonresidents, whether natural or legal persons, further due diligence can involve consulting with parties in their jurisdiction of origin, including supervisors, law enforcement, and financial intelligence units.
● In general, use of open-source information is strongly recommended.
In conducting risk-based due diligence procedures, the licensing or supervisory authority should also consider risk factors with respect to the jurisdictions where the financial institution will operate as well as with respect to the jurisdictions where the shareholders, directors, and other related persons reside. For this purpose, supervisors should review the national risk assessments of the jurisdiction or jurisdictions involved as well as the AML/CFt framework of those jurisdictions. For jurisdictions with a weak AML/CFt framework or a high level of ML or tF and related offenses, due diligence on the applicant should be enhanced.
With regard to foreign banks wishing to open branches and subsidiaries in the jurisdiction, the due diligence process will be different from that for a de novo bank. In the first place, the host licensing or supervisory authority should obtain information from the home supervisor indicating that the institution is in good standing and has an adequate AML/CFt framework. In particular, the following minimum risk-based due diligence procedures should be considered, beyond the normal fit and proper procedures:
● Review the risk profile of the jurisdiction of origin and of any other jurisdictions in which the institution operates;
● establish the regulatory and supervisory history of the institution, including compliance with
AML/CFt requirements;
● Determine if the institution has been involved in ML/tF investigations;
● Review the adequacy of the institution’s AML/CFt compliance framework and whether it is appropriate for the domestic requirements and risks;
● Review internal audit and compliance reports as well as external audit reports and management letters for AML/CFt issues; and
● Research open sources to obtain information on the reputation and background of the institution.
Transparency and Reliable Verifiable Information
the applicant is responsible for providing accurate and adequate information to the licensing authority so that the authority can make an informed decision on whether to grant a license. Providing false, misleading, or intentionally incomplete information may be grounds for refusal of a license, the imposition of administrative and civil sanctions, such as barring persons from participating in the proposed financial institution or the sector generally, or the application of fines. the licensing authority should at any time have the right to withdraw the license authorization if it identifies that the applicant willfully provided false or misleading information. supervisors can obtain information from multiple sources when they process license applications. In general, supervisors obtain information from the applicant and from other sources. to obtain information from the applicant, the supervisor can use questionnaires, (sworn) declarations, or similar mechanisms to obtain information on the natural and legal persons associated with the application. such initial documentation should include the business proposal, projected financial statements, and information on the AML/CFt framework. the supervisor can interview shareholders, promotors, and other parties involved in the application process to collect information about the applicant. In addition, the supervisor can conduct its own due diligence, information gathering, and inquiries (with third parties such as other supervisors, domestically and abroad, law enforcement, financial intelligence units, intelligence service agencies, credit-rating and search agencies, the internet, and other reliable, publicly available information). In all cases, the supervisor should base its licensing decisions on reliable and verifiable information.
It is standard practice for supervisors to post their licensing requirements and procedures on their websites. these requirements and procedures should be reviewed periodically to ensure that they remain relevant and accurate, especially when changes are made to applicable laws, regulations, and policy.
