Navigating Group Compliance Risks in Third Countries: EU Regulations
08 Apr 2019

Following HSBC’s 2012 money laundering scandal, the Financial Action Task Force called on financial and credit institutions to adopt group-wide financial crime policies. The Fourth EU Anti-Money Laundering Directive (4AMLD), passed in 2015, implemented a similar requirement for European institutions. But to address situations when international firms could not fully implement their group policies in units outside of the European Economic Area, the European Supervisory Authorities were tasked with producing guidance, or Regulatory Technical Standards (RTS) in Euro-speak, to   assist with compliance efforts.

In January, the European Commission issued a final version of the RTS on this matter, setting out a number of measures that international firms must take when their foreign branches and majority-owned subsidiaries (units) cannot fully implement group-wide policies due to local impediments.

In producing the RTS, the European Commission sought to provide a more harmonised and consistent approach in addressing such risks, whilst setting clear expectations of the measures to be taken, thus providing a level playing field across the EU and enhancing financial crime standards in third countries. Consistency across the EU has been enhanced by the Commission adopting the RTS as a regulation, which means in has direct effect in all member-states without being subject to the legislative procedures the come with directives.

Here’s what you need to know:

Requirements for all third-country entities

Under the RTS, third-country operations of international groups must assess, document and update the financial crime risks they pose to their parent institutions, regardless of whether they face local impediments to their broader compliance obligations. Such analysis must then be made available to any competent regulator that requests it. Once assessed, the risks must be properly reflected in group policies and senior management approval must be obtained for both the assessment and subsequent group policies that address its findings. Finally, staff in third countries must have effective, targeted training to identify financial crime risk indicators.

Customer due diligence

When third-country subsidiaries face legal obstacles to fulfilling their enterprise-wide policies—for example, when they cannot fully access beneficial ownership data for due diligence purposes—the group head office must notify its domestic regulator of the specific country and law hindering fulfilment of its customer risk obligations within 28 days of learning of the problem.

Furthermore, the group must determine whether it can circumvent the restrictions by obtaining the consent of relevant customers and beneficial owners to obtain and share data that would otherwise be restricted. When such a workaround is feasible, consents should be sought, according to the RTS. But when consents won’t resolve the problem, “additional measures” (see below) must be taken.

When even the additional measures aren’t enough to effectively mitigate financial crime risks, local units must terminate the respective business relationships, and subsequently refuse to process relevant occasional transactions. In extremis, some or all the unit’s business lines must be terminated, according to the guidance. Whatever the group’s ultimate decision, it must be able to demonstrate to its regulator that it has done enough to mitigate its compliance risks.

Customer data-sharing and processing

In cases when local law hinders the sharing of compliance-related customer data, the group must again notify its domestic regulator. As with customer due diligence issues, customer consent should be sought when appropriate and “additional measures” taken when consent is insufficient or infeasible. If such measures are inadequate in mitigating the unit’s financial crime risk, some or all of the unit’s business lines must be terminated.

Sharing SAR information

In some third countries, subsidiaries or other units may be restricted in sharing information contained in local suspicious activity reports (SARs) with their global compliance departments. In such situations, senior managers at a group level must be notified of the number of suspicious transactions reported in a set period and they must be given appropriate statistical analysis of the SAR cases. Furthermore, domestic regulators must be notified of the problem and additional measures taken when appropriate.

Transferring customer data to member-states

Unsurprisingly, the RTS requires groups to notify their regulators whenever third-country law bars a subsidiary or branch from fully sharing client data within the EU. As before, institutions have a 28-day window after they learn of the issue in which to notify their supervisory authorities.

To determine how effectively group policies have been implemented, onsite checks or independent audits should be conducted and those findings should be made available to the group’s regulator.

The group’s senior managers should also be made aware of the number of relevant high-risk clients in the third country and statistical analysis explaining why the clients pose a risk, including whether they are politically exposed persons. Likewise, the same managers should have access to SAR counts and related analysis, and this information should be given to regulatory officials on request.


Recordkeeping obligations under the RTS largely mirror those related to other compliance duties: home regulators should be informed of related restrictions, consent should be sought from clients and beneficial owners when appropriate, and when this is not sufficient, additional measures must be taken.

Additional measures

A key part of the RTS is the use of one or more “additional measures” to mitigate legal impediments to group-wide compliance policies. These are:

  • restricting products and services in the third-country unit to those clients that are deemed low-risk, including with regard to the group’s exposure
  • ensuring that other branches and majority-owned subsidiaries in the group do not rely on the customer due diligence performed by the third-country unit, and that these other branches and majority-owned subsidiaries conduct their own customer due diligence for clients referred by the third-country unit
  • conducting enhanced reviews, including onsite inspections or independent audits, to determine whether the unit effectively assesses, identifies and mitigates financial crime risks
  • ensuring that the group’s senior managers approve the establishment and maintenance of any higher-risk business conducted by the third-country unit
  • ensuring the third-country unit ascertains the source, and where appropriate, the destination of funds used in such high-risk business
  • ensuring the third-country unit conducts enhanced ongoing monitoring of all business relationships, including enhanced transaction monitoring, until the unit is reasonably satisfied that it understands the financial crime risk of each business relationship
  • ensuring the unit shares with the group details underlying any local SARs, including any personal data, to the extent permitted by local law
  • ensuring enhanced ongoing monitoring is conducted on any customer and beneficial owner established in the third country who has been the subject of a SAR submitted by any unit in the group
  • ensuring third-country units have effective systems and controls to identify and report suspicious transactions
  • ensuring the third-country unit maintains up-to-date records of its due diligence and its risk profiles of all its customers for as long as legally possible, but at least for the duration of the business relationship


Given that the RTS is currently in effect, compliance departments should carefully consider the guidance and determine whether they should seek independent legal advice to determine what legal barriers they face when operating in other jurisdictions.

Staff would be well advised to review how their group satisfied the requirements of Article 31 of the Third Money Laundering Directive, which mandated groups to notify their regulator of local legal impediments regarding compliance with customer due diligence and recordkeeping requirements. Should impediments as foreseen in the RTS exist, they should then consider how the group is to adopt the RTS’ requirements and be able to demonstrate to the group’s regulator the adequacy of its policies. In some cases, that may include terminating some or all of each unit’s business lines.

Denis O’Connor is both a Fellow of the Institute of Chartered Accountants in England & Wales and the Chartered Institute of Securities and Investment. He was a member of the British Bankers’ Association Money Laundering Committee from 2003 -10; and a member of the JMLSG’s Board and Editorial Panel between 2010 and 2016.

He has been a frequent speaker at industry conferences on financial crime issues, both in the UK and abroad.

This article is expressing personal opinions and is meant for information purposes only. The article does not intend to replace professional or legal advice. It is recommended that readers seek independent professional or legal advice, or speak to authorised persons/organisations.

Advance your CPD minutes for this content, by signing up and using the CPD Wallet