In particular this amendment has introduced changes to the know-your-customer (KYC) procedure used by the ‘obliged institutions’ (institutions required to observe AML requirements such as banks, payment institutions, e-money institutions, gambling institutions, consumer finance companies) towards their customers. KYC is the procedure during which an institution collects information/data on the given customer, such as name, address, identification number, and ID number, as well as information on a business entity’s ultimate beneficial owner (UBO), being the individual having control over the business entity.
The AML Act names this procedure as applying customer due-diligence measures, which include identifying and verifying the customer’s identity and the UBO’s identity. Both these measures need to be taken by the obliged institution prior to commencing a business relationship with the customer or executing an occasional transaction (or series of transactions) in the amount exceeding €1,000.
A verification of the customer’s identity consists in confirming his/her data based on a reliable and independent source of information, such as ID document, driving licence or public register. To prove that such verification has been made, institutions need to obtain a copy or scan of a given document, which requires much organisational effort from the institution when entering into the relationship with a customer without physical presence, i.e. using remote communication such as internet or phone. Consequently, institutions have built IT infrastructure to collect and store scans or copies of customers’ documents.
The recent amendment to the AML Act has made this process easier. Customer verification can be carried out not only on the basis of physical documents, but also on electronic identification means or trust services as set out in the EU eIDAS Regulation (Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions).
A trust service is an electronic service which consists of the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or certificates for website authentication, or the preservation of electronic signatures, seals or certificates related to those services.
An electronic identification means (eID) is a material and/or immaterial unit containing person identification data and is used to confirm identity (authentication) for an online service. On the Polish market, such a solution for the purpose of the private sector is mojeID, offered by the national clearing house (Krajowa Izba Rozliczeniowa S.A.). The electronic identification solution for the public sector is called Profil Zaufany. These solutions such as mojeID allow private sector companies to identify their customers based on a confirmation obtained from a trusted third party, such as a bank, who is known as an identity provider.
Thanks to that recent amendment, the KYC procedure may be performed based on one of the following sources: the customer’s ID, data or information originating from another reliable and independent source, or electronic identification means or trust services as set out in the eIDAS Regulation. Using one of these sources is enough to successfully verify a customer’s identity as part of the KYC process. This means that when performing the KYC procedure based on electronic identification solutions such as mojeID or a trust service, an obliged institution is not required to ask a customer for other documents or information to verify their identity, such as scan or copy of the customer’s ID.
This does not change the general rule relating to situations where verification of a customer’s identity needs to be made with enhanced diligence – based on two different sources of information. According to the interpretation of the AML-competent authority in Poland, the general inspectorate of financial information (Generalny Inspektor Informacji Finansowej) customer verification based on two different documents or other sources of information is required in the case of a high AML risk.
Therefore, it is possible that in case of a high AML risk an obliged institution would conduct the KYC process based on both electronic identification means and another document or source of information. However, such a situation is rather unlikely, as the sole use of electronic identification means minimises AML risk.
Another important amendment to the AML Act introduced by the recent amendment relates to the identification of the corporate customer’s UBO. As part of this customer due diligence measure an obliged institution should check the UBO’s data obtained from the customer in the public register of beneficial owners (Centralny Rejestr Beneficjentów Rzeczywistych) and in other sources of information or documents. This means that in practice an institution is required to obtain confirmation that the given customer is registered with that public register or an excerpt from this register. As a next step, an obliged institution is required to verify whether the beneficial owner’s data obtained during the KYC procedure is consistent with information kept in the public register of beneficial owners. An obliged institution should clear up and discuss any discrepancies directly with the customer, and notify them to the register.
This amendment relates only to those customers who are obliged to register themselves at the public register of beneficial owners, which are in particular limited liability companies, joint-stock companies, limited partnerships etc. Under the recent amendment to the AML Act, the list of entities obliged to be registered has been extended to include in particular foundations, cooperatives and partnerships.
The above does not cover all issues amended or introduced to the Polish AML Act by the recent amendment, but are crucial for carrying out the KYC procedure.
* Act of 1 March 2018 on Counteracting Money Laundering and Terrorism Financing, which implements to the Polish legal system the EU Directive AML V (Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU.