For companies subject to Act No. 253/2008 Coll., on selected measures against the legitimisation of the proceeds of crime and financing of terrorism (also known as Anti-Money Laundering Act or AML/CFT Act), it is mandatory to develop and apply in practice a specific system of internal policies, procedures and control measures – hereinafter referred to as “system of internal rules”.
The information in this article applies only to the activities of companies registered and operating in the Czech Republic. At the same time, 90% of the information applies to other EU jurisdictions.
What is a system of internal rules, and what is a risk assessment?
A system of internal rules describes specific processes, procedures and tools related to fulfilling all company obligations to combat money laundering and financing of terrorism under the AML/CFT Act. It is, in essence, a clearly defined instruction for company employees. If properly drafted and sufficiently trained, such guidance should ensure that all of the above obligations are fully implemented.
Such detailed instructions are compiled into a single document for internal use only. The purpose of the system of internal rules is to ensure that the company’s actions are in full compliance with the AML/CFT Act and to prevent unscrupulous customers from using the company’s services or products for illegal money laundering operations.
Article 21a of the AML/CFT Act establishes that companies must identify and assess the money laundering and terrorist financing risks that may arise during their activities. A risk assessment should be implemented as part of the company’s system of internal rules.
A risk assessment should include a written analysis in which companies should consider all possible risk factors, particularly the type of customers, purpose, regularity and duration of the business relationship or transaction outside of the business relationship, type of product, value and transaction method as well as the risk profile of countries or geographic areas related to the transaction.
It is mandatory to update a system of internal rules regularly, including a risk assessment. All changes must be reported to the Financial Analytical Office (FAÚ) or the Czech National Bank (ČNB). In addition, all employees whose work is affected by these documents must undergo appropriate training at least once a year.
Developing a system of internal rules: procedures
The development of the system of internal rules must be approached with utmost responsibility. In general, the procedure for this should be as follows:
- determine whether the development of a system of internal rules is mandatory for a company, depending on its type of activity;
- conduct risk assessment;
- develop specific procedures and tools necessary to combat money laundering and terrorist financing;
- transfer the developed document to the Financial Analytical Office or the Czech National Bank (if required by law);
- update a system of internal policy promptly and regularly and report these changes to the aforementioned competent authorities.
Following the AML/CFT Act, a system of internal rules must be developed by the persons and companies listed in Article 2 of the AML/CFT Act. These include credit and financial institutions, gambling operators, companies authorised to act as real estate traders or brokers, legal entity service providers, those who work with virtual assets, accounting and tax advisory service providers, used goods dealers, etc.
It is worth noting that some individuals and companies are not required to have a written system of internal rules and submit it to the relevant authorities but must develop and apply all procedures to comply with their AML/CFT obligations fully. However, as practice shows, even in this case, it is more convenient to have detailed instructions for employees.
The optimal system of internal rules: content
A properly drawn up system of internal rules must, first of all, comply with Article 21 of the AML/CFT Act and the guidelines of the Financial Analytical Office and contain:
- a list of tools that will allow the company to confirm compliance with AML/CFT obligations in the event of an audit;
- procedures in line with standards (lists of recognized standards can be found in publications from FATF, ČNB and FAÚ);
- clear instructions for assigned responsibilities, written in accessible language.
It is also important for the instructions to be flexible enough to consider possible changes in the company’s structure, staff turnover, etc. At the same time, they should not unduly burden either the operating staff or the customers.
Why should a specialist be assigned to develop a system of internal rules?
The development of the system of internal rules requires rather specific knowledge: this includes detailed knowledge of anti-money laundering procedures, an understanding of the international FATF standards in the field of anti-money laundering, and knowledge of the requirements put forward by the ČNB and FAÚ supervisory authorities. Therefore, it will not be easy for an ordinary company employee to cope with such a task. It is much easier to turn to experienced specialists who are professionally involved in developing the system of internal rules for various companies and can guarantee a high result.
What can the absence of the system of internal rules lead to?
If a company, which is legally required to have a system of internal rules, does not comply with AML/CFT regulations, this can lead to:
- the imposition of a fine of 1 million CZK;
- reputational losses for business;
- complaints about the company from competitors.
Moreover, such a company risks attracting the attention of the competent authorities and may be suspected of aiding money laundering and terrorist financing or become attractive to fraudsters and terrorists.
Possible penalties for non-compliance with AML/CFT obligations
- Fine up to 10 million CZK for failure to identify and verify the customers.
- Fine up to 10 million CZK for entering into a transaction with an unidentified customer.
- Fine up to 5 million CZK for failure to provide employees training.
- Fine up to 5 million CZK for failure to report customers’ suspicious activity.
- Fine of up to 1 million CZK for failure to prepare the system of internal rules and conduct risk assessment.