Group Directive. Contents

Transcription

1 Group Directive Document Title 3.13 Policy for Anti-Money Laundering and Counter Terrorist Financing risk management in the Nordea Group Entry into force The Board of Directors of Nordea Bank AB (publ) (Group Board) has approved this policy, which was last updated on 10 June (12) Page Purpose and scope This policy sets the framework and minimum standard for Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) routines and processes in the Nordea Group. All employees of Nordea Group, including non-permanent staff working on behalf of Nordea, are subject to this Policy, which applies to handling of all customers and all services/products in the Nordea Group. It is the responsibility of each manager to ensure that this Policy is where relevant known and conformed to within his/her respective area of responsibility. Contents 1 INTRODUCTION AML AND CTF OBJECTIVES POLICY, INSTRUCTIONS, GUIDELINES AND ROUTINES GROUP LEVEL POLICY INSTRUCTIONS ISSUED BY LOCAL COUNTRY/BUSINESS UNITS GOVERNANCE AND RESOURCES ROLES AND RESPONSIBILITIES SPECIALIZED RESPONSIBILITIES RESOURCES INTERNAL CONTROLS AML RISK ASSESSMENTS FINANCIAL ANTI-CRIME PLATFORM (FACP) The FACP Application Strategy RECORD KEEPING REPORTING QUARTERLY REPORTS SEMI-ANNUAL COMPLIANCE REPORT TO THE CEO AND THE BOARDS SAR REPORTING TRAINING SENIOR MANAGEMENT MANAGERS AND EMPLOYEES COMPLIANCE MONITORING TESTING... 11

2 2 (12) Page 11 ABBREVIATIONS Introduction When providing financial services there is always a risk of money laundering and terrorist financing. The risks must be managed by having appropriate procedures, instructions and sound controls against money laundering and terrorist financing in place. These procedures, controls and instructions shall ensure adequate awareness and through that an appropriate management of the money laundering and terrorist financing risks in the Nordea Group. Protecting the Nordea Group from being used for the purpose of money laundering, terrorist financing and other prohibited activities is an important part of ensuring the stability and integrity of the Group. By approving this Policy for Anti-Money Laundering and Counter Terrorist Financing routines and processes in the Nordea Group (the AML and CTF Policy) the Group Board has established minimum standard for AML and CTF routines and processes in the Nordea Group. This AML and CTF Policy is applicable to all Nordea units and each Nordea unit shall develop procedures implementing the AML and CTF Policy requirements. Some of the Group s subsidiaries and branches (NY and London Branch) have additional and more detailed AML Policies. Group Compliance shall monitor the implementation and compliance of this AML and CTF Policy. The following eight pillars describe the structure of the AML and CTF Policy: 1. Policies and Instructions 2. Governance and Resources 3. Internal Controls 4. Record Keeping 5. Reporting 6. Training 7. Compliance monitoring 8. Testing Each pillar shall be guided by a Group Directive or by this AML and CTF Policy. The AML and CTF Policy and related Group Directives set the minimum standards for all AML and CTF policies and procedures adopted by local legal units or business units.

3 3 (12) Page 2 AML and CTF objectives Each unit in the Nordea Group must: Protect Nordea by reducing the risk of being used for money laundering and for the facilitation of terrorist financing activities; Adhere to the Know-Your- Customer (KYC) procedures of the business unit, e.g. appropriate Customer Due Diligence, Enhanced Due Diligence and Ongoing Customer Due Diligence routines; Screen customers and transactions in accordance with this AML and CTF Policy, as applicable; Monitor customer relationships, use of provided services, accounts and transactions to identify potential suspicious activity; Take appropriate action, once suspicious activity is detected, and make reports to governmental authorities in accordance with relevant laws, rules and regulations; Participate in appropriate and required training; and Comply with all relevant anti-money laundering and counter-terrorist financing laws, rules and regulations. 3 Policy, instructions, guidelines and routines The Nordea Group has established this Group level policy on AML and CTF and shall establish local country level AML and CTF instructions as well as business unit specific guidelines and routines on AML and CTF risk management to the extent deemed necessary. 3.1 Group level policy A robust KYC process is the key element in AML/CTF control activities. The Nordea Group shall therefore have Instructions on sound Know-Your-Customer practices and measures against money laundering and terrorist financing, (KYC Instructions) approved by the CEO in Group Executive Management to set the framework for sound KYC practices, how to prevent, detect and report money laundering and terrorist financing. The KYC Instructions must be applied as a minimum standard when requirements in national legislation are less stringent than the Nordea Group s requirements. If national legislation is more stringent than Nordea Group requirements, national requirements will take precedence.

4 4 (12) Page Group Compliance is the responsible unit for the KYC Instructions which shall stipulate the minimum standards for the following AML and CTF controls: 1. Roles and responsibilities: Head of Business Area Group Compliance Group Operational Risk (GOR) Group s network of Compliance Officers (COs), and Operational Risk Officers (OROs) Financial Anti-Crime units and other AML/CTF investigators Heads of Customer Responsible Units 2. The Risk-Based Approach (RBA) in KYC 3. Customer Due Diligence (CDD) must always take place before the customer relationship is established, meaning at a minimum to regard the following items: Identification and verification of customer identity Purpose and intended nature of the customer relationship Identification of beneficial owners and other associated parties Customer due diligence conducted by third parties Outsourcing of customer due diligence Consequences of deficient customer due diligence Correspondent banking relationships 4. Enhanced Customer Due Diligence (EDD) regarding at a minimum: Politically Exposed Persons (PEPS) and other mandatory cases Non face-to-face customers High risk customer group or segments based on the risk assessment 5. Ongoing Customer Due Diligence (ODD) 6. Record keeping / archiving 7. Reporting of suspicious activities (SAR reporting) 8. Training of managers and employees 3.2 Instructions issued by local country/business units Within the framework of this Policy locally issued instructions, guidelines and routines concerning AML, CTF and sound KYC procedures must be issued and adhered to in each country where Nordea operates. These local instructions shall supplement the KYC Instructions and cannot contradict Nordea Group standards. The local instructions shall set a control level to ensure that local operations are in compliance with local laws and regulations as well as with the KYC Instructions while giving specific instructions on what kind of additional guidance is required in the business units and how the work outlined in the KYC Instructions should be carried out locally. 4 Governance and Resources The Nordea Group shall adopt a risk-based approach when designing controls and procedures for preventing financial crime and applying them in practice. Special focus

5 5 (12) Page shall be put on appropriate systems and controls reflecting the degree of risk associated with the business and customers. The Nordea Group shall have defined responsibilities concerning AML/CTF risk management as described in section Roles and responsibilities The Group Board has the ultimate responsibility for ensuring that Nordea adopts adequate measures against money laundering and terrorist financing. The CEO is responsible for ensuring that business units develop and maintain effective measures against money laundering and terrorist financing within the Group. Each head of Business Area is responsible for ensuring that required attention, resources and procedures are given to money laundering and terrorist financing prevention as well as to internal and external reporting. Business units, as the owner of the risk, are responsible for the first line of defense activities concerning money laundering and terrorist financing crime detection, controls to mitigate the risks and reporting. This responsibility cannot be delegated. In the work business units are supported by the network of Compliance Officers and Operational Risk Officers, as part of the second line of defense supported by specialized resources in Group Compliance and Group Operational Risk (GOR) meaning co-ordination of the money laundering and terrorist financing risk management, including risk advice, training, mitigation, supporting the business in its risk monitoring and reporting obligations. Both the risk and business organisations shall have employees understanding the nature of the business and the risks related to the relevant activities and therefore the capability and vigilance to take necessary actions. Group Internal Audit is responsible for the third line of defense in AML/CTF compliance testing as described in section Specialized responsibilities The Group Compliance Officer is responsible for an instruction on financial crime management. This instruction shall be prepared by Group Compliance and it shall describe the overall framework for the activities of preventing financial crime within the Nordea Group and more specifically the roles and responsibilities of the first and second line of defense in AML/CTF risk management. The Nordea Group shall have dedicated resources in AML/CTF risk management on Business Area/Group Function/Division and Unit level. In units where AML Compliance Officers/AML Officers are not appointed, business shall have the responsibility to govern and issue instructions on governance of money laundering

6 6 (12) Page and terrorist financing risk management in a manner aligned with the Group standards and directions given by Group Compliance. The Financial Anti-Crime Platform (FACP), as described in more details in section 5.3, is the application used for AML transaction monitoring and sanctions screening of payments. The Group shall have a committee governing the FACP and this committee shall have a charter clarifying the governance around the committee i.e. members, duties, decision taking, authority, frequency of meetings and documentation. FACP committee shall provide business directions for development and further improvements of the FACP with due consideration to compliance and regulatory risk management aspects. The Group shall have a centralised Authentication & Financial Anti-Crime (AFAC) unit where the AML and sanctions screening investigators in the Nordic countries shall be located. This unit shall have a global responsibility for both the platform and for the support towards decentralised users of the FACP, e.g. London Branch, Shanghai Branch, Singapore Branch, and the Baltic branches and also towards the Money Laundering Reporting Officers (MLROs) in each Nordic country. The MLROs shall be located in GOR and also be users of the FACP. Customer sanction screening investigators in Nordic countries are located in Retail Bank Operations. 4.3 Resources Group Compliance and GOR shall support the Heads of Business Areas in their responsibilities concerning AML and CTF risk management as described in section 4.1. The Nordea Group shall have at least the following resources dedicated to the AML and CTF work: A Group Financial Crime Compliance Officer in Group Compliance AML Officers in GOR COs and OROs (including COs and OROs specialised in AML/CTF risk management) Financial Anti-Crime Investigators Money Laundering Reporting Officers Roles and responsibilities of these resources shall be described in Job Descriptions and Positions Descriptions. There shall be charters to clarify the roles and responsibilities and co-operation between the above listed resources. Instructions for the Operational Risk Officer and Compliance Officer work shall describe the duties of OROs and COs and what proactive initiatives are expected to support the business in managing operational and compliance risks, AML/CTF included. These instructions shall be governed by the Operational Risk Policy and the Instructions for the Nordea Compliance function.

7 7 (12) Page 5 Internal Controls In addition to KYC procedures described in the KYC Instructions the Group shall have defined internal controls e.g. tools and processes in order to mitigate money laundering and terrorist financing risks. Such controls are described in this chapter. 5.1 AML Risk Assessments A risk-based approach concerning KYC Procedures, Customer Due Diligence, Ongoing Customer Due Diligence, transaction monitoring, SAR reporting and employee training shall be applied in the Nordea Group to reflect the risks connected with different customer segments, products, services and distributions channels in complying with local legislations and regulations. For the purpose of adopting and maintaining a risk-based approach each Nordea unit shall conduct a money-laundering risk assessment (AML Risk Assessment) of its customer base, products and services. The AML Risk Assessment shall be updated on a regular basis, not to exceed 18-month intervals, and as changes occur to products, services and customers that would impact the risk assessment. Group AML Officers in GOR shall prepare the risk assessments on a country level in cooperation with the business. The minimum standards for the AML Risk Assessment Methodology shall always be approved by Group Compliance. The main purpose with the risk assessments shall be to identify money laundering and terrorist financing risks and to understand the risk profiles in different parts of the Group in order to enable an appropriate mitigation of the money laundering and terrorist financing risks and to give direction on how to monitor and manage these risks in the future. In doing that KYC routines and electronic transaction monitoring and sanctions screening conducted by any system support shall be key components. Group AML in GOR shall consolidate the results into an overall AML Risk Assessment report, which shall be provided to the CEO in the Group Executive Management, the Group Board and the Board of Directors of Nordea Bank Finland Plc, Nordea Bank Denmark A/S and Nordea Bank Norge ASA (hereinafter referred to as Subsidiary Boards). This assessment shall be documented and updated on a regular basis. 5.2 Financial Anti-Crime Platform (FACP) The Group shall have an electronic tool for assisting in detecting suspicious transactions i.e. a FACP to comply with regulations and management decisions when it comes to prevention of financial crime. Financial crime covers, when it comes to the FACP, adhering to national and international sanction regimes and any offence involving any offence involving money laundering, fraud, dishonesty, organised crime or financing of terrorism.

8 8 (12) Page The FACP shall as a minimum have the following components: Automated Transaction Monitoring (AML TM) in system using monitoring scenarios to detect suspected money laundering. Customer and transaction sanction screening i.e. automated screening of customer and associated party databases and automated screening of payment transactions for incoming and outgoing SWIFT and SEPA payments against the sanction and PEP lists. The FACP shall be developed to include risk scoring and financial anti-crime solutions across the Nordea Group as required to deliver the needed financial anticrime solutions to support the business The FACP Application Strategy Head of Authentication & Financial Anti-Crime shall have the responsibility for the content of the compliance strategy for the FACP Application, which shall cover as a minimum: Automated Transaction monitoring (AML TM) to spot and alert on suspicious or abnormal customer activities and transactions based on scenarios chosen and implemented to support Nordea to be compliant with internal and external AML/CTF requirements. The scenarios shall have thresholds and other parameters set for different customer types and segments. AML TM shall be a supporting tool to for the Customer Responsible Units (CRUs) in their responsibilities for on-going customer due diligence. When choosing the scenarios at least four aspects shall be considered i.e.: 1. That the chosen scenarios can deliver what is expected, which require right and good quality data from core systems. 2. The scenarios shall be chosen based on the AML/CTF risk assessments and general transaction information so that they best support the KYC processes. Special attention shall be paid to e.g. high risk customers, customers involved in higher risk businesses, electronically Straight Through transactions and transactions to/from high risk countries. 3. That all available internal and external information is used meaning e.g. quality and quantity information from MLROs and SARs, CDD/ODD/EDD routines, feedback from relevant stakeholders (e.g. COs), input from WLM process and Sanctions Monitoring Group meetings, etc. External sources are, e.g. Financial Intelligence Units, Financial supervisors, media, different 3rd party information providers, Financial Action Task Force, etc. 4. That the scenarios are flexible, meaning that there might be a need to run different scenarios in different time frames (daily, weekly, monthly) to create a

9 9 (12) Page good risk management over-view and to keep the investigators / MLROs workload on a manageable level. Customer and transaction sanction screening i.e. screening against sanction lists Customer and transaction screening shall screen transactions, customer and associated party databases electronically to detect and identify that transactions do not involve individuals or entities sanctioned under relevant sanctions regimes. The FACP shall enable screening of transactions and customer databases against sanctions lists provided by national and supranational regulators. Information on a payment transaction shall be utilized to screen against sanctions lists to detect, if sanctioned individuals or entities are party to a transaction. The FACP shall have a mechanism to: - Automatically screen transactions in an adequate and efficient manner by detecting transactions involving sanctioned individuals or entities; - Automatically screen customer and associated party databases in an adequate and efficient manner; - Efficiently and with quality investigate transactions potentially violating sanctions, or indicating other potential criminal activity; and - Robustly and adequately screen protocols, logic and rules to ensure maximum efficiency and security. 6 Record keeping Each Nordea unit shall have procedures that ensure compliance with applicable recordkeeping requirements. The minimum requirement in the Group is that records must be maintained of the following: KYC customer information Transaction monitoring Screening of payments Compliance monitoring, and SAR reporting for a minimum period of five years, provided that no local requirements state otherwise or prohibit this. With the KYC information the time limit will be calculated from ending of the customer relationship. The main rule for record keeping is electronic storing but if that is not possible paper copies can be accepted.

10 10 (12) Page 7 Reporting The AML/CTF risk in the Group shall be reported on a regular basis as described in this section. The minimum standard and content for the Group reporting of AML/CTF risks shall be defined by Group Compliance. 7.1 Quarterly Reports Head of AML in GOR shall each quarter provide a more comprehensive report on AML/CTF issues to the CEO in the Group Executive Management and the Group Board. The report shall also provide the Group Board with a follow up of the implementation of this AML and CTF Policy. The Subsidiary Boards shall also be provided with a quarterly update on the status of AML issues by Head of AML in GOR. 7.2 Semi-annual compliance report to the CEO and the Boards The Group Compliance Officer shall semi-annually submit and present the Group Compliance Report to the CEO in the Group Executive Management and to the Group Board and the Subsidiary Boards. The report shall reflect the Group Compliance Officer s independent assessment of the AML/CTF compliance risk level and development during the previous six months as well as the challenges ahead and specific observations of the future development of the compliance risk related areas. 7.3 SAR Reporting There shall be reporting of unusual transactions from the business to dedicated risk functions. These unusual transactions shall be investigated by the dedicated risk functions and if found suspicious an AML/CTF Suspicious Activity Report (SAR) shall be filed with the Financial Intelligence Units (FIUs) or other authorities according to the local regulatory requirements. Transactions detected as hits against sanctions lists shall be investigated by the dedicated risk functions. During the investigation the risk functions shall be in control of the transaction and have the authority to make the decisions required. 8 Training The Group shall have as the objective for the AML/CTF training that all employees receive the level of training needed in their area of responsibility. The means and channels utilized in the training may vary. 8.1 Senior Management Senior managers shall receive at least an overall awareness training in AML and CTF issues to get an overview of the requirements and expectations governing the financial

11 11 (12) Page industry and more specifically Nordea. Group Compliance shall be responsible for providing this training in the Compliance Awareness for Senior Management programme. Group Compliance, GOR, Group Legal, Group Internal Audit and HR Partner shall be covered by this awareness training programme. 8.2 Managers and Employees Group Compliance shall have the responsibility for the AML/CTF training for COs in the Group. Business units shall have the responsibility for conducting the mandatory and regular AML training of their managers and employees. Group Compliance/AML COs in Nordic Countries shall in local instructions set the minimum requirements of the training conducted by the business. 9 Compliance monitoring The monitoring of compliance with AML/CTF requirements in the Group shall be on appropriate level meaning that all monitoring shall be performed adequately, consistent and structured independently to monitor the Group s adherence to internal and external AML/CTF requirements. Group Compliance shall monitor the implementation of and report the exceptions from this AML and CTF Policy to the CEO in the Group Executive Management, the Group Board and Subsidiary Boards, as described in section 7. The COs shall undertake the compliance monitoring of AML/CTF requirements in the business, as described in the Instructions for the Operational Risk Officer and Instructions for Compliance Officer, issued by GOR and Group Compliance. Group Compliance shall set the minimum requirements for this monitoring. 10 Testing Group Internal Audit (GIA) shall have the responsibility for conducting independent testing of AML/CTF compliance risk management in the Group as described in the annual Audit Plan.

12 12 (12) Page 11 Abbreviations AML AFACP CO CDD CTF EDD FAC GOR KYC MLRO ODD ORO Anti-Money Laundering Authentication & Financial Anti-Crime Platform Compliance Officer Customer Due Diligence Counter Terrorist Financing Enhanced Due Diligence Financial Anti-Crime Unit Group Operational Risk Know-Your-Customer Money Laundering Reporting Officer On-going Due Diligence Operational Risk Officer 11.1 Applicable This policy applies to Nordea Bank and, subject to local regulations, to its subsidiaries. Where required for implementation this policy is to be resolved by the Board of Directors in the subsidiary concerned. It was resolved by the Board of Directors of Nordea Bank Danmark on 16 July 2014 Nordea Bank Finland on 16 July 2014 Nordea Bank Norge on 23 June 2014 that this policy applies in relevant parts for the respective company. Responsible unit and contact Group Compliance, supported by Group Operational Risk, is responsible for the establishment and maintenance of this policy and for supporting the implementation. Contact person: Heidi Suila