1

New Danish Anti-Money Laundering Act in brief

On 2 June 2017, the Danish parliament, Folketinget, adopted the new Danish Anti-Money Laundering (AML) Act (hvidvaskloven), which takes effect from 26 June 2017. The Act implies a number of minor and major amendments to the existing regulations, including a transmission from a rule-based to a risk-based approach, and the foreign currency exchange services be-coming subject to an authorisation requirement. The next pages give you a brief overview of the new rules and the most important amendments caused by the new AML Act.

Contents

Introduction 3

The requirements of the Danish AML Act in a nutshell 7

From rule-based to risk-based approach 8

From identification procedures to customer due diligence 11

Overview of the most important amendments 12

For more information 17

2

3

Introduction

The new Danish AML Act implements the last parts of the fourth Anti-Money Laundering Directive 2015/849/EU (AMLD IV) and takes effect on 26 June 2017. The Act implies a series of amendments to the applicable legislation, including in particular the rules governing foreign currency exchange services and compliance with the AML Act.

The objectives of the Danish AML Act and the AMLD IV are to introduce new regulatory measures that will strengthen the efforts against criminals’ illegal use of Danish legal entities and the financial system for the purposes of money laundering and terrorist financing. The objectives also include measures to secure and uphold the integrity of the financial system. Figure 1 illustrates the objectives of the new Act and its target audience.

Figure 1. The underlying political issues and target audience

Underlying political issues Target audience

To strengthen con-certed action against money laundering and terrorist financing

To secure and uphold the integrity of the financial system

To minimise practical possibility of money laundering and terrorist financing

To give response to the most recent terrorist attacks

Financial institutions

Gambling operators

Lawyers, real-estate agents, accountants, providers of special

services

4

Figure 2. Historical overview of EU acts and instruments

First Anti-Money Laundering Directive

91/308/EEC

199110 June

Second Anti-Money Laundering Directive

2001/97/EC

20014 December

Third Anti-Money Laundering Directive

2005/60/EC

20061 August

First Fund Transfer Regulation

2006/1781/EC

200615 November

Second Fund Transfer Regulation

2015/847/EU

201520 Maj

Fourth Anti-Money Laundering Directive

2015/849/EU

201520 Maj

”Fifth Anti-Money Laundering

Directive” (proposal)

2017[ ]?

The European rules on prevention of money laundering and terrorist financing date back to 1991, when the first Anti-Money Laundering Directive was tabled. Since then, this Directive and its implementation have been subject to regular updating and revision, as illustrated by Figure 2.

The ongoing process of reviewing has led to a steady increase in the extent and scope of the rules, as illustrated by Figure 3. As it is, the rules on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing have never been as extensive as they are today. A fact that appears to be in direct contrast to the primary objective of the new AML Act; a change from the rule-based approach to the risk-based approach.

Figure 3. Developments in the scope and extent of the EU acts and instruments

First Anti-Money Laundering Directive

AML Directive

Fund Transfer Regulation

The three level-2 Regulations of the AML Directive

Second Anti-Money Laundering Directive

Third Anti-Money Laundering Directive and

First Fund Transfer Regulation

Fourth Anti-Money Laundering Directive and

Second Fund Transfer Regulation

0

10

20

30

40

50

60

70

80

90

6 pages 6 pages

22 pages

9 pages

45 pages

18 pages

? pages

5

The AML proposal has undergone a long process, giving rise to numerous responses as well as questions to the Minister for Industry, Business and Financial Affairs. Moreover, the legislative process has also been marked by the changing nature of statutory requirements and the introduction of new requirements, such as the authorisation requirement for foreign currency exchange services. This process is reflected by the timeline in Figure 4.

Figure 4. Timeline of the Danish legislative process

20171 June

2nd readingSubmitted to Folketinget

201613 October

20168 November

201722 February

201710 May

201719 May

201730 May

201713 February

201721 April

201716 May

201724 May

1st proposed amendment

3rd proposed amendment

5th proposed amendment

7th proposed amendment

White Paper6th proposed amendment

4th proposed amendment

2nd proposed amendment

1st readingDraft bill (pre-consultation)

3rd reading and adoption

201614 July

20172 June

6

The AMLD IV and the Danish implementation have been drawn up based on the recommendations of the Financial Action Task Force (FATF). Figure 5 provides an overall illustration of the AML regime. The dark blue colour indicates the legal acts (and recommendations) finally published, the blue colour indicates the legal acts that have been published but are subject to changes, and the light-blue colour indicates the legal acts that need to be redrafted.

The next few pages give you a brief description of and insight into the essence of the amendments to the state of the law as a consequence of the new regime.

Figure 5. Overall view of the new AML regime

FATF’s 40 Recommendations

Level 1Second Fund Transfer Regulation

(direct application)

Level 2Identification of high-risk

third countries (direct application)

The Executive Order on Registration

The Executive Order on Reporting to SEIC

The Executive Order on Exempted Legal Entity

The Executive Order on Payment Services and

Electronic Cash

The Danish FSA’s new Guidelines on the Danish AML Act

Level 3Guidelines on risk-based supervision

(to be issued by the ESAs)

The Danish AML Act

Level 3Guidelines on risk factors(to be issued by the ESAs)

Level 2Third countries

(direct application)

Level 2 RTS central contact point

(direct application)

Level 1 Fourth Anti-Money Laundering Directive

(implementation requirement)

7

The requirements of the Danish AML Act in a nutshell

Generally, the legal entities subject to the Danish AML Act must know their customers and the latter’s purposes of the business relationships. If the legal entity becomes suspicious of it being misused for money laundering or terrorist financing, the legal entity must scrutinise the matter more closely and, ultimately, notify the Danish Public Prosecutor for Serious Economic and International Crime (SEIC).

To ensure that the legal entities covered by the AML Act know their customers, the legal entities must perform certain customer due diligence measures. Such measures include the legal entities requesting their customers to produce various kinds of proof of identity, such as a copy of a passport or a Danish health care reimbursement card. Satisfacti-on of the due diligence requirement depends on how certain the legal entity is of the customer’s identity and whether the legal entity is able to verify the customer’s identify.

If the legal entity has a suspicion of being misused for money laundering or terrorist financing by a customer, the entity must immediately scrutinise the matter more closely. An example of such suspicious behaviour would be if the custo-mer acts in a manner that is atypical to what would be normal.

If the entity is unable to disprove its suspicion, SEIC must be notified immediately for the matter to be scrutinised more closely.

In general, the Danish FSA is the supervisory authority ensuring compliance with the rules, whereas SEIC conducts scrutiny of the matters notified and brings actions against the natural persons and legal entities laundering money and/or financing terrorists. Moreover, SEIC is also in charge with bringing actions against legal entities that are subject to the AML Act but fail to comply with the requirements or fail to document their compliance.

Figure 6 illustrates the requirements of the new AML Act.

Figure 6. The AML requirements in a nutshell

If suspicion, increase monitoring

If continued suspicion, report

to SEIC

Know and understand

your customer

Legal entity X

SEIC investigates and takes legalaction

against breach

Scrutinise and monitor the

customer relationship

The Danish FSAconducts supervision

8

From rule-based to risk-based approach

One of the major changes in the new AML Act is that the regulations are changed from being primarily based on rules to being based on risk assessment and monitoring. The object of this changed approach is to ensure increasingly targeted and effective efforts to prevent money laundering and terrorist financing.

By changing the approach, the legislator expects to create a more flexible system, which enables the legal entities to focus on their resources in the relevant risk areas. Accordingly, the legal entities covered by the AML Act must indivi- dually ”assess whether a business relationship may be categorised as being a low-risk, medium-risk or high-risk relationship.”

The legal entities will therefore be given the task to identify and manage the risks of them being misused for money laundering and terrorist financing. The legal entities will also get the chance of prioritising their resources and allocat- ing them to the areas entailing increased risk.

This is done by assessing risk in two steps: an overall risk assessment of the legal entity as such and a specific risk assessment of the individual customer. The overall risk assessment must form the basis of the legal entity’s precautio-nary measures against being misused for money laundering and terrorist financing. The risk assessment itself is based on the supranational, national and sector-specific risk assessments prepared by the European Commission, SEIC and the Danish FSA. The legal entity may also incorporate its own experience in the risk assessment. Figure 7 illustrates this risk assessment method.

Figure 7. Source and methodology requirements in the new Danish AML Act

The European CommissionSupra-national

risk assessment 1

2

3

SEICNational

risk assessment

The Danish FSASector-specific

risk assessment

Legal entity XRisk assessment

according to business model

Identify

Which source? Which methodology?

Assess

Manage

9

Figure 8. Illustration of potential risk factors *

Customers Geography Delivery channel Products Services Business sector Other risk

factors

Very highrisk

PEPs, customers with connections to increased high-risk

sectors

Iran and North Ko-rea as well as other identified high-risk

countries

Delivery without physical contact and no specific security

measures

Very high com-plexity and low transparency

Very high com-plexity and low transparency

Foreign exchange bureaus, money

transfers

Often atypical transactions

High riskHigh-risk customer

segments and Danish PEPs

Countries known for widespread

corruption

Introduction through third

party without direct contract

High-value products

Private BankingFinancial institu-

tions and gambling operators

Business model facilitates anonymity

Medium risk ”Ordinary” customers

Countries not known for wide-

spread corruption or a high level of

terrorist financing

Delivery channel neither increases nor reduces risk

Products that have neither a high level nor a low level of transparency and

volume

Services that have neither a high level nor a low level of transparency and

volume

Electronic payment services

Business model entails neither reduced nor

increased risk

Low risk

Legal entities sub-ject to supervision or publicly listed

companies

EU countries, EEA countries and third countries with a low level of corruption

Direct delivery, but limited contact with

customer

Low-value products

Simple servicesLawyers and accountants

Business model facilitates easy identification of

customers

Very low risk Public authorities

In particular risk-free EU countries, EEA countries and

third countries

Delivery impedes the option of using the service for the purpose of money

laundering

Very low complexity and high trans-

parency

Very low complexity and high trans-

parency

Life insurance and pension funds

Business model entails the lowest

risk level at all

Factor

Risk

* See Annex 2 (reduced risk) and Annex 3 (increased risk) of the Danish AML Act

The legal entity performs a risk assessment of its customers on the basis of the overall risk assessment. This risk assessment is a specific assessment and will depend on the overall risk assessment and the nature of the recognised risk factors.

Figures 8 and 9 provide you with an overview of the potential risk factors and their impact on the customer due diligence. To cut a long story short, the higher the risk a customer may pose, the more certain must the legal entity be that the customer is in fact who the customer claims to be, and that the actual purpose of the business transaction is what the customer has stated.

10

Figure 9. The risk assessment’s impact on KYC procedures

Risk Requirements for KYC procedures Possible calibration of KYC procedures

Very high Procedures always subject to stricter requirements (ss 17-20)• Additional verification of customer ID• Additional information from the customer• Additional monitoring of the customer relationship

High Procedures always subject to stricter requirements (ss 17-20)• Additional verification of customer ID• Additional monitoring of the customer relationship

Medium Procedures subject to ordinary requirements (ss 10-16) • Standard procedures

Low Procedures subject to easier requirements (s. 21)• Eased process of verification of customer ID• Less detailed information required from the customer• Less strict monitoring of the customer relationship

Very low Procedures subject to easier requirements (s. 21)

• Eased process of verification of customer ID• Customer ID may be obtained at a later point• Less detailed information required from the customer• Less strict monitoring of the customer relationship

11

From identification procedures to customer due diligence

The general objective of the customer due diligence measures is to ensure that the legal entity knows who its customer is and the customer’s purpose of the business relationship. The idea is that being familiar with their customers’ identi- ties and purposes will facilitate the legal entities’ ability to identify suspicious behaviour and transactions.

With the new AML Act it is clarified that legal entities must comply with the customer due diligence requirement throughout the entire course of a business relationship. The customer due diligence must be performed on the estab- lishment of the business relationship and must be updated at regular intervals based on a risk assessment.

Customer due diligence comprises requirements for:

• Verification of the identity information obtained on natural persons and beneficial owners • Identification of a legal entity’s ownership and control structures• Identification and verification of information obtained on the purpose of the customer’s business relationship.

This is a continuation of applicable law, but the former requirements for identification procedures entailed a mis-apprehension of the requirement for continuous customer due diligence to be carried out by the legal entity. This specific requirement is illustrated by Figure 10.

Figure 10. From identification procedures to customer due diligence

Phase 1

Obtain information

Phase 2

Verifyinformation

Phase 3

Identity proven

Why does your customer act in a particular way?

What are your

customer’s intentions?Who is

your customer?

Know Your CustomerIdentification procedures

12

Overview of the most important amendments

To help you get an overview of the most important amendments to the Danish AML Act, Figure 11 explains the various elements by means of a traffic-light chart.

Figure 11. Traffic-light chart of amendments to the new Danish AML Act

Risk-based approach Whistle-blower scheme Money transfer

KYC – new customers Compliance documentation Data processing

Ongoing KYC procedures Employee screening Training and instruction

Politically exposed persons

Foreign currency exchange services

Cash-payment threshold and counterfeit money

Organisational requirements Cross-border activities

The following pages complement the traffic-light signal with a few comments on the most important amendments to the individual areas of the new AML Act.

Signal Explanation

Will have significant impact

Will have impact

Will have no impact

13

Subject Analysis Signal

• A change in standards and procedures from a rule-based approach to a risk-based approach.

• Extensive changes to the description of the risk assessment. • The preparation of risk assessments will be extended significantly

as a result of the new requirements. • The risk assessment creates the basis for the legal entity’s

customer due diligence procedures and for the risk assessment procedures applicable to its individual customers.

• Increased documentation requirements based on supranational, national and sector-specific risk assessments.

• Unlike today, the risk assessment may not be based on assump- tions, only on documented facts and circumstances.

• The supervisory authorities will have authority to punish legal entities for failing to produce a satisfactory and well-documented risk assessment of their activities.

• The overall risk assessment must form the basis for drawing up the customer due diligence measures and the risk assessment procedures applicable to the individual customers.

• A change in standards and procedures from identification proce-dures to customer due diligence.

• If circumstances require strict customer due diligence measures, the legal entity must not rely on a third party to obtain the requisite customer information.

• The group of third parties from which information may be ob-tained will be extended to include not only financial institutions, but every legal entity covered by the AML Act, as well as certain third-country legal entities subject to similar requirements.

• New requirements lay down that natural persons must be informed of the rules governing the protection of their personal data.

• Changes with regard to identification and verification of beneficial owners of legal entities and of ownership and control structures.

• It is stressed that KYC procedures must be carried out on any relevant changes in the customer’s situation.

• Introduction of a mandatory requirement for regular, new KYC procedures (including low-risk customers).

• The awareness obligation becomes part of the scrutiny obligation. • The scrutiny obligation is supplemented with a requirement for

monitoring obligation • The one-year requirement relative to the maximum penalty for

the underlying offence will be removed subject to the disclosure obligation towards SEIC.

• Financial institutions will have to assume additional responsibili- ties in the form of settlement requirements pertaining to customer relationships.

Risk-based approach

Know Your Customer (KYC) – new customers

Ongoing KYC procedures

14

Subject Analysis Signal

• Compared with the existing AML Act, the definition of PEPs will be extended to include members of the governing bodies of political parties and of international organisations.

• Moreover, it will no longer be significant whether a PEP is a resident of Denmark or of another country.

• The Minister for Industry, Business and Financial Affairs has been charged with keeping and publishing a record listing the Danish PEPs.

• A PEP’s customer relationship with financial institutions, mort-gage credit institutions, investment firms, payment services and electronic cash providers, investment management companies, AIFMs, Danish UCITs, AIFs, etc. is subject to approval by the AML officer.

• The customer relationship is no longer subject to approval by the senior day-to-day management on its establishment.

• The AML officers in financial institutions must be authorised to make decisions on behalf of the legal entity in the area of anti- money laundering.

• The AML officer’s decision-making powers must include decisions in respect of approval of (i) policies, business procedures, control measures, etc., (ii) business relationships customers posing increased risk, such as PEPs and (iii) establishment of correspon-dent banking relationships.

• Action must be taken to ensure that the AML officer has ade- quate knowledge of risks posed by the legal entity in terms of money laundering and terrorist financing and their impact on the risk exposure.

• According to the Danish FSA, this operational task is relocated from the day-to-day management to the AML officer, thus questioning to which part of the organisation the AML officer belongs.

• Generally, the AML officer is placed in the First Line, however, in small financial institutions, the officer may be found in the Second Line (compliance), provided action is taken to ensure that another person exercises control over the AML officer.

• Non-financial legal entities covered by the AML Act must make arrangements under which their employees have the opportunity through separate, independent channels to report breach or potential breach of this Act and any rules issued pursuant to the Act. This requirement applies only to legal entities employing more than five persons.

• Legal entities may not expose their employees to any unfair treatment or disadvantageous consequences as a result of the employee having reported the legal entity’s breach or potential breach of the AML Act to a supervisory authority, a whistleblower scheme set up in the legal entity or SEIC.

Politically exposed persons (PEPs)

Organisational requirements

Whistle-blower scheme

15

Subject Analysis Signal

• The legal entities must prepare a general assessment of the risk of the legal entity being misused for the purpose of money laundering or terrorist financing. This requirement is currently contained in the guidelines, but will be incorporated into the AML Act in the future.

• The description of the risk assessment has been subject to exten-sive changes. Consequently, the preparation of risk assessments has been extended significantly as a result of the new require-ments.

• If the legal entity fails to prepare a satisfactory risk assessment, taking into account all risks and all parts of its business, it may receive punishment.

• Legal entities must draw up policies and business procedures for their employee screening.

• The legal entities must lay down procedures to ensure that they discover whether a potential or existing employee has any possible criminal history that may pose a risk of misuse of the employee’s position.

• A new requirement is imposed on legal entities under which they must obtain authorisation from the Danish FSA to offer foreign currency exchange services in Denmark.

• Such entities must meet the following criteria: - Their registered office must be based in Denmark - Management and owners must be fit and proper - Procedures and control measures must be established - The legal entity must not previously have committed a criminal offence that justifies an imminent risk of misuse of the autho- risation. • Legal entities currently registered with the Danish Business

Authority may postpone their application for authorisation from the Danish FSA until 31 December 2017.

• Legal entities carrying on activities in another EU or EEA country must make sure that the entities established abroad comply with national legislation.

• Legal entities which form part of a group must share information with the other legal entities in the group if there are grounds for suspecting that customer funds derive from proceeds of criminal activity or are connected with terrorist financing.

• The current exception applying to money transfers to non-profit organisations will not be continued.

Compliance documentation

Employee screening

Foreign currency exchange services

Cross-border activities

Money transfer

16

Subject Analysis Signal

• Legal entities will be given the option of disclosing information to supervisory authorities for legal enforcement purposes.

• Legal enforcement purposes include prevention of, investigation of, detection of and prosecution for criminal behaviour as well as preventive protection from threats against the security of (public) life and property.

• Information may be shared with branches and majority-owned subsidiaries located in third countries, provided that such branches and majority-owned subsidiaries fully comply with the group’s policies and procedures.

• Pursuant to a new requirement, legal entities must ensure that relevant employees and management also receive satisfactory training and instruction in data protection rules.

• The training sessions must instruct the employees in how to comply with the data protection rules governing the legal entity.

• The new AML Act continues to stipulate that any trader or retailer not covered by the scope of the Act may not receive cash pay-ments of DKK 50,000 or more.

• Furthermore, any legal entity whose activities involve the handling and dispensing of notes and coins to the public is under an obli-gation to withdraw such notes and coins from circulation if there is any reason to believe that they are forged.

Data processing

Training and instruction

Cash-payment threshold and counterfelt money

17

Bech-Bruun is a market-oriented law firm offering specialist services. With our wide range of products, we serve a large section of the Danish corporate sector, the Danish public sector as well as international enterprises.

With the help of more than 500 talented employees and some of the most recognised and experienced experts in the business, we customise solutions to our clients, embracing all of our business areas. Our goal is to strengthen our clients’ businesses and help them outperform their competitors.

If you have any questions, please do not hesitate to contact us.

David MoalemPartnerT +45 72 27 33 24E dmm@bechbruun.com

Lars Lindencrone PetersenPartnerT +45 72 27 35 35E llp@bechbruun.com

Kristoffer Probst LarsenJunior associateT +45 72 27 35 64E kpl@bechbruun.com

Nikolai Villumsen Junior associateT +45 72 27 35 49E nvi@bechbruun.com

For more information