A. Definition of the reporting entity
Tax advisors that manage tax obligations before local authorities or provide wealth management activities to their clients are considered to be reporting entities.
Non-resident natural and legal persons carrying out activities of equal nature as the aforementioned in the Principality of Andorra are also considered to be reporting entities.
B. Obligations of the reporting entity
The main obligations attributed to the tax advisors in the matter of the prevention of money laundering and terrorist financing are the following:
Appointment of the Internal Control and Communication Body
One of the obligations attributed to reporting entities is the appointment of the Internal Control and Communication Body (OCIC for its Catalan acronym). This body is responsible for establishing internal policies, procedures and training programs, as well as for performing risk assessments and evaluating the efficiency of the mitigation measures in place, among others. In order to perform its activities, the OCIC should be provided of sufficient authority and resources in order to establish an effective compliance program. For this purpose, it is essential that the members of the OCIC have a good understanding of the business activities carried out by the reporting entity, as well as of the applicable legislation in the matter of ML/TF.
Depending on the type of reporting entity, two forms of OCIC can be distinguished:
a) If the reporting entity is an individual, licensee of the activity, this one will be considered to be the OCIC on its own by default, and will have to submit at the UIFAND premised the form (Catalan version only) duly completed.
b) If, on the contrary, the reporting entity is a legal entity, the OCIC can be constituted by a sole member or a group of senior management officials, depending on the size, complexity and structure of the business. The form will have to be submitted at the premises of the UIFAND (Catalan version only)
In the case of legal entities, it is important to state that the members of the OCIC will have to comply with a number of minimum requirements established by the current BC/TF (for more information see, CT-04/2018 and article 40 of Law 14/2017).
Any changes within the membership structure of the OCIC should be informed to the UIFAND within a maximum of 15 working days.
Relevant documentation
Appointment of the OCIC and the representative to the UIFAND form (Catalan version only)
Appointment of the representative to the UIFAND
In conjunction with the appointment of the OCIC, reporting entities must appoint a representative to the UIFAND and inform the UIFAND by the submission of the Appointment of the OCIC and the representative to the UIFAND form (Catalan version only).
The responsibilities assigned to the representative to the UIFAND are established by article 40.4 of Law 14/2017, and are the following:
• Perform suspicious transaction reports, referred to in article 20 of Law 14/2017; and
• Receive requests and requirements from the UIFAND.
The representative to the UIFAND must be a senior management official and an active member of the OCIC (for more information, see CT-04/2018 and article 40 of Law 14/2017).
Any changes in the appointment of the representative to the UIFAND should be informed to the UIFAND within a maximum of 15 working days.
Relevant documentation
Appointment of the OCIC and the representative to the UIFAND form (Catalan version only)
Technical Communiqué CT-04/2018
Due diligence measures
Due diligence measures (hereafter, DD measures) are essential in order to prevent and fight ML/TF. By this process, reporting entities collect, update and keep all the relevant information and documentation of their customer. Reporting entities should determine the scope of the DD measures under a risk-based approach considering, among other, the volume of transactions, the purpose and the duration of the business relationship.
What are DD measures?
DD measures include, at least, the:
1) Identification and verification of the customer’s identity, on the basis of reliable documentation.
2) Identification and verification of the beneficial owner’s identity and the understanding of the ownership and control structure of the customer.
3) Understanding of the purpose and intended nature of the business relationship.
4) Implementation of on-going monitoring measures and the collection of the necessary documentation in order to verify the source of wealth of the customer.
For more information, see article 9 of Law 14/2017.
These measures must be applied under the consideration of a client risk-based approach.
When must these DD measures be applied?
DD measures must be applied:
- When establishing a business relationship;
- When carrying out an occasional transaction that amounts to EUR 15,000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked;
- When there is a suspicion of money laundering or terrorist financing;
- When there is a suspicion about the veracity, adequacy and validity of previously obtained customer identification data; and
- When such transactions are listed as susceptible to entail money laundering or terrorist financing or are qualified of special monitoring by the UIFAND by means of a technical communiqué.
For more information, see article 8 of Law 14/2017.
Identification and verification of the identity of the client and the beneficial owner
Definitions
A client is considered to be whatever individual or legal entity to which a product or service is offered during the course of a business relationship that is subject to the obligations under Law 14/2017.
Law 14/2017 defines a beneficial owner as the individual(s) who ultimately controls the customer and/or the individual(s) on whose behalf a transaction or activity is being conducted.
For more information, see the Guide on the beneficial owner.
When is the identity of the client and the beneficial owner verified?
a) Before the business relationship is established or a transaction is conducted.
b) Where there is little risk of money laundering or terrorist financing, the verification of the identity can be completed during the establishment of the business relationship, so as not to interrupt the normal conduct of business.
If the reporting entity cannot identify and/or verify the identity of the client and/or the beneficial owner, or has doubts on about the veracity or adequacy of the information obtained, the business relationship should not be established and the reporting entity should consider submitting a suspicious transaction report to the UIFAND.
In cases where reporting entities form a suspicion of money laundering or terrorist financing, and they reasonably believe that performing the customer due diligence process will tip-off the customer, they are allowed not to pursue the customer due diligence process, provided that a suspicious transaction report is submitted to the UIFAND.
In relation to pre-existing business relationships, reporting entities should establish a frequency for the review of the identification and verification of the beneficial owner, under a risk-based approach, that will not exceed 5 years.
For more information, see the Technical Communiqué CT-02/2019.
How is the identity of the client and the beneficial owner verified?
In the case of customers who are natural persons and beneficial owners, reporting entities should verify their identity by means, at least, of the display and copying of the official identity document bearing a photograph.
When any person states that he acts on behalf of the customer, such circumstance should be verified by obtaining a copy of the respective power of attorney.
In the case of customers who are legal entities, trusts and other entities, reporting entities should identify the customer and the beneficial owner and verify their identity by means of documents, data or information, such as a deed of incorporation or the articles of association, etc.
For more information, see article 7 of the Regulation of Law 14/2017.
Purpose and intended nature of the business relationship
Reporting entities should identify the goal and purpose by which the client is subscribing to a service or acquiring a given product.
Source of wealth
Within the context of the application of DD measures, the source of wealth is the activity that has generated it (professional activity, inheritance, etc.).
It is a common error to confuse the source of wealth with the source of funds, that allow the reporting entity to follow the trace of the funds but that, usually, brings no further light on how they have been accrued.
The source of wealth verification can be done through a variety of means that the reporting entity must define depending on its own criteria and knowledge of the customer. It can be done, for example, by obtaining tax returns, copies of audited accounts, payrolls, etc.
Simplified DD measures
When can these simplified DD measures be applied?
Simplified customer due diligence measures can be applied in those cases in which the business relationship or the transaction presents a low degree of risk according to the following factors:
- Customer risk factors (i.e. public companies listed on a stock exchange and subject to disclosure requirements, public administration offices, etc.)
- Product, service, transaction or delivery channel risk factors
- Geographical risk factors (i.e. EU Member States)
For more information, see article 11 of Law 14/2017.
The application of simplified DD measure does not exempt reporting entities from monitoring transactions and business relationships in order to detect unusual or suspicious transactions.
How are simplified DD measures applied?
The application of DD measures allow reporting entities to adjust the frequency of data reviews and transaction monitoring, as well as reducing the amount of information collected within the application of DD measures.
For more information, see article 9 of the Regulation of Law 14/2017.
Enhanced DD measures
When must enhanced DD measures be applied?
Reporting entities must apply enhanced DD measures on PEPs, their family members and close associates.
Additionally, reporting entities must apply enhanced DD measures according to, among others, the following high-risk situation evidences:
- Customer risk factors (companies that have nominee shareholders or shares in bearer form, cash-intensive businesses, etc.)
- Product, service, transaction or delivery channel risk factors (new or developing technologies, products or transactions that might favour anonymity, etc.)
- Geographic risk factors (i.e. countries subject to International sanctions)
For more information, see article 12 of Law 14/2017.
How must enhanced DD measures be applied?
In relation to enhanced DD measures, the Andorran legislation established that reporting entities must increase the volume of information collected and the frequency of reviews, diversify the sources of information and must obtain the authorization of senior management officials in order to establish or maintain the business relationship.
For more information, see article 10 of the Regulation of Law 14/2017.
Politically Exposed Persons (PEPs)
Politically exposed persons are individuals that have been entrusted with prominent public functions on which enhanced DD measures should be applied, as well as in relation to their family members and close associated. Article 3.6 of Law 14/2017 defines the concept of prominent public functions.
For more information, see article 3 sections 6, 7, and 8 of Law 14/2017.
In relation to transactions or business relationships with politically exposed persons, reporting entities shall:
- Have in place appropriate risk management systems to determine whether a customer or the beneficial owner of the customer is a politically exposed person;
- Obtain senior management approval for establishing or continuing a business relationship with politically exposed persons;
- Take adequate measures to establish the source of wealth and source of funds that are involved in business relationship or transactions;
- Conduct enhanced, on-going monitoring on that relationship.
Additionally, reporting entities must establish mechanisms that allow them to detect if a customer or beneficial owner has become a PEP, so to apply the corresponding enhanced DD measures as from that moment.
In relation to customers and beneficial owners that are PEP, reporting entities will apply enhanced DD measures at the establishment of a business relationship with a PEP, during the business relationship life-cycle and until, at least, after a year that the politically exposed person is no longer entrusted with the public function, given that he is still maintaining a business relationship with the reporting entity.
For more information, see articles 14 and 17 of Law 14/2017 and article 2 of the Regulation of Law 14/2017.
On-going monitoring of the business relationship
In the case of continuing relationships with the customer, reporting entities must establish procedures in order to monitor the behavioural patterns of their customers, analyse them and adjust their initial risk profiles, if necessary. In this sense, reporting entities must ensure that the transactions being conducted are consistent with the reporting entities’ knowledge of the customer and establish mechanisms that alert of possible deviations and of transactions susceptible of entailing money laundering or terrorist financing.
On practical terms, in order to perform an on-going monitoring of their customers, reporting entities must apply a risk-based approach and perform controls with different scope and frequency, depending on the risk profile of the customer. The UIFAND has established, by means of the technical communiqué CT-02/2019, that DD obligations, in terms of identification and verification of the beneficial owner, must be conducted every 5 years, at last.
It is highly recommended to reflect the on-going monitoring of clients on written form.
Reporting obligation
A suspicious transaction report (DOS, by its Catalan acronym) is a written report declared by the reporting entity to the UIFAND by its own initiative in order to communicate any transaction or attempted transaction related to the funds where the reporting entity is aware of, knows, suspects or has reasonable grounds to suspect that are the proceeds of criminal activity or are related to terrorist financing. This written report must be done by following a specific set of instructions and must be submitted by presenting the applicable form. Before submitting the report, reporting entities must convey telephonically a day and time to submit it in written form at the UIFAND premises.
It is important to state that completion of a SAR cannot be delegated to another reporting entity or individual.
Relevant documentation
Internal procedures and training
Internal procedures
The Andorran AML/CFT legislation establishes that reporting entities must have internal control procedures and policies. It is essential that these procedures and policies are in written form and that they are at the disposition of its employees, depending on their exposure to potential ML/TF. Additionally, these procedures may establish some minimum requirements to be taken into account by their service provides or authorized individuals.
These internal policies and procedures must include, at least, the customer admission policy, the description of due diligence measures, indicators for detecting suspicious transactions, internal communication procedures, etc. (for more information, see article 17 of the Regulation of Law 14/2017).
The reporting entity must ensure that these internal policies and procedures are written in a clear manner and that they are applied by all the involved parties. Additionally, these internal procedures should be updated periodically (in order to include new legislation, new mitigation measures, etc.) in order to ensure their effectiveness and their adaptation in the light of new tendencies or detected risks.
The internal policies and control procedures are to be approved by the top management. In all cases, the internal policies should be approved by the administration body.
These internal policies and control procedures are prepared by taking into account the size, structure and complexity of the reporting entity, and they should allow the management and mitigation of the risks identified, either by the authorities or by the reporting entity. In the case the reporting entity is a member of an association, and that it provides them with a sample document of policies and procedures, the reporting entity will have to ensure their adaptation depending on the characteristics of its specific business activity.
For more information, see article 40 of Law 14/2017 and article 16 of the Regulation of Law 14/2017.
Training
In terms of trainings, they should be addressed to both the individuals that are directly related to the customer and those who participate in client-related transactions, as well as to all of those in charge of the application of AML/CTF policies and procedures and members of senior management.
The content of the training should cover general ML/TF concepts and definitions, internal policies and procedures, suspicious transaction reports, the identification and verification of the customer’s and beneficial owner’s identity, record keeping, KYC, OCIC, risk indicators of the sector, etc. and, in all cases, include updated and adapted information in relation to the position held by the trainees in the company and their level of exposure to ML/TF risks.
Members of an reporting entity must have the capability of understanding the obligations being applied to the reporting entity, the vulnerability to with it is exposed, the internal policies and the control procedures that have been established in order to comply with the ML/TF legislation.
In this sense, it is highly recommended that reporting entities keep a record of all individuals that have performed trainings, its content, frequency, methodology (on-site, online, external) and, preferably, their degree of accomplishment.
For more information, see article 42 of Law 14/2017 and article 18 of the Regulation of Law 14/2017.
Record keeping
The Andorran legislation establishes a period of conservation of ML/TF related documentation of at least 10 years. This documentation includes all documents, data and information obtained under Law 14/2017 (identity of the client, nature and date of the transaction, source of wealth, currency and total amount of transactions and purpose and intended nature of the business relationship), receipts and registers of operations and transactions, account files and business correspondence, and the results of any analysis undertaken, submitted suspicious transaction reports and all internal communications that may have derived.
This period of conservation starts from:
a) The date of termination of the business relationship with the customer;
b) The date of the occasional transaction
The UIFAND may further extend the retention period for a maximum period of five additional years, in an individual and reasoned manner.
For more information, see article 37 of Law 14/2017.
Personal data shall be processed by reporting entities on the basis of Law 14/2017.
Individual Risk Assessment
Reporting entities must have their Individual Risk Assessment (hereafter ERI, by its Catalan acronym). It is a document by which the reporting entities assess their ML/TF risk exposure. The goal of this assessment is that reporting entities identify all the inherent risks linked to their business activity and apply the corresponding mitigating measures. It is therefore essential that the results obtained from this assessment reflect the reality of the business. In other words, these results, that must be documented, should be adapted to the complexity and size of the business.
For more information, see the Guide on ERI.
Restrictive measures
Reporting entities must ensure that none of the persons with whom they establish a business relationship is included in the United Nations List.
For more information, see section Restrictive Measures.