KYC policy; more than files in order

Last week (May 17, 2023), the House of Representatives was briefed on the “status of the policy agenda to address money laundering. One of the agenda items is the “balance of obligations and burdens for small institutions. Previous research by EY, commissioned by the Ministry of Finance has shown that especially small institutions subject to the Wwft struggle with the enforceability of the Wwft, report relatively few unusual transactions and are less likely to have established lines of conduct. That should really come as no surprise to policymakers. After all, small organizations do not have extensive risk & compliance departments. Nearly nine months have now passed since the publication of the policy agenda. Apart from many good intentions, no concrete commitments regarding a reduction in the regulatory burden for small institutions are found in the update. Our expectations are frankly not high at this point especially since the Wwft has a principle-based approach as opposed to a rule-based approach.

In a principle-based approach, the legislature does not prescribe on points and commas how organizations should proceed but does specify what should be achieved. The underlying principle is the risk-based approach. That is, the scope and level of detail of procedures, measures and policies depend on the risks of facilitating money laundering, terrorist financing and the extent to which the organization is willing to accept certain risks. It is not obvious given the focus on deterring financial crime that policymakers would vote to reduce the Wwft’s objectives.

Wwft-regulated organizations, small and large, must design, implement, monitor, evaluate, adjust and update KYC/ALM policies as efficiently as possible. Partly through this blog, we want to support parties in this.

The starting point for designing the KYC/ALM policy is the risk analysis. Based on the results of the analysis, appropriate policies, procedures and measures can then be defined. The Wwft outlines a number of points that the risk analysis must meet. The risk analysis should cover the characteristics of the organization, the relationships served, the services provided and the geographical aspects of the aforementioned items. Moreover, the risks as described in the latest version of the supranational risk assessment(SNRA) and national risk assessment(NRA) whitewash should be visibly included.

Identifying the risks alone won’t get you there. Determining the probability, the impact, the extent to which the organization is willing to accept certain risks and assessing the effectiveness of the control measures already in place are also part of the analysis. Both the AFM and DNB have published helpful tools on their websites. Of course, Addition Knowledge House consultants can also lend a helping hand.

The law does not explicitly specify requirements for traceability, consistency, validity and reliability in the analysis, but the guidance documents and other expressions of supervisors do reflect these criteria. Thus, organizations would do well to include justification of the methods and practices used in policy documentation as well. Keep in mind that what has not been described usually cannot be demonstrated. Very annoying when the external supervisor requests it.