Appointment of the Internal Control and Communication Body

One of the obligations attributed to reporting entities is the appointment of the Internal Control and Communication Body (OCIC for its Catalan acronym). This body is responsible for establishing internal policies, procedures and training programs, as well as for performing risk assessments and evaluating the efficiency of the mitigation measures in place, among others. In order to perform its activities, the OCIC should be provided of sufficient authority and resources in order to establish an effective compliance program. For this purpose, it is essential that the members of the OCIC have a good understanding of the business activities carried out by the reporting entity, as well as of the applicable legislation in the matter of ML/TF.

Depending on the type of reporting entity, two forms of OCIC can be distinguished:

• If the reporting entity is an individual, licensee of the activity, this one will be considered to be the OCIC on its own by default, and will have to submit the  form (Catalan version only), duly signed, on paper or electronically to following addresses, as appropriate:
  • Physical address: C/Dr. Vilanova, 15-17, floor -4, AD500, Andorra la Vella
  • E-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it.

• If, on the contrary, the reporting entity is a legal entity, the OCIC can be constituted by a sole member or a group of senior management officials, depending on the size, complexity and structure of the business. The  form (Catalan version only) must be submitted, duly signed, on paper or electronically to following addresses, as appropriate:
  • Physical address: C/Dr. Vilanova, 15-17, floor -4, AD500, Andorra la Vella
  • E-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it.

In the case of legal entities, it is important to state that the members of the OCIC will have to comply with a number of minimum requirements established by the current BC/TF (for more information see, CT-04/2018 and article 40 of Law 14/2017).

Any changes within the membership structure of the OCIC should be informed to the UIFAND within a maximum of 15 working days.

Relevant documentation: Appointment of the OCIC and the representative to the UIFAND form (Catalan version only)  Technical Communiqué CT-04/2018

Appointment of the representative to the UIFAND

In conjunction with the appointment of the OCIC, reporting entities must appoint a representative to the UIFAND and inform the UIFAND by the submission of the  Appointment of the OCIC and the representative to the UIFAND form (Catalan version only)

The responsibilities assigned to the representative to the UIFAND are established by article 40.4 of Law 14/2017, and are the following:

• Perform suspicious transaction reports, referred to in article 20 of Law 14/2017; and
• Receive requests and requirements from the UIFAND.

The representative to the UIFAND must be a senior management official and an active member of the OCIC on the basis of the person’s training, suitability and experience in the sector (for more information, see CT-04/2018 and article 40 of Law 14/2017).

Any changes in the appointment of the representative to the UIFAND should be informed to the UIFAND within a maximum of 15 working days.

Relevant documentation: Appointment of the OCIC and the representative to the UIFAND form (Catalan version only)  Technical Communiqué CT-04/2018

Due diligence measures

Due diligence measures (hereafter, DD measures) are essential in order to prevent and fight ML/TF. By this process, reporting entities collect, update and keep all the relevant information and documentation of their customer. Reporting entities should determine the scope of the DD measures under a risk-based approach considering, among other, the volume of transactions, the purpose and the duration of the business relationship.

What are DD measures?

DD measures include, at least, the:

• Identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source.
• Identifying the beneficial owner and taking reasonable measures to verify that person’s identity, on basis of documents, data or information obtained from a reliable and independent source, and, taking reasonable measures to understand the ownership and control structure of the customer.
• Assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
• Conducting ongoing monitoring of the business relationship (including the scrutiny of transactions undertaken throughout the course of that relationship and adopting measures to ensure that the documents, data or information held are kept up-to-date and are appropriate).
• The assessment, understanding, and procurement of information to identify and to verify the origin of the funds which are the object of the business relationship or of the occasional transaction.

For more information, see article 9 of Law 14/2017.

These measures must be applied under the consideration of a client risk-based approach.

When must these DD measures be applied?

DD measures must be applied:

• When establishing a business relationship;
• When carrying out an occasional transaction that amounts to EUR 15,000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked;
• When carrying out an occasional transaction that constitutes a transfer of funds exceeding EUR 1,000;
• When there is a suspicion of money laundering or terrorist financing;
• When there is a suspicion about the veracity, adequacy and validity of previously obtained customer identification data; and
• When such transactions are listed as susceptible to entail money laundering or terrorist financing or are qualified of special monitoring by the UIFAND by means of a technical communiqué.

For more information, see article 8 of Law 14/2017.

Identification and verification of the identity of the client and the beneficial owner

Definitions

A client is considered to be whatever individual or legal entity to which a product or service is offered during the course of a business relationship that is subject to the obligations under Law 14/2017.

Law 14/2017 defines a beneficial owner as the individual(s) who ultimately controls the customer and/or the individual(s) on whose behalf a transaction or activity is being conducted.

For more information, see the  Guide on the beneficial owner 

When is the identity of the client and the beneficial owner verified?

• Before the business relationship is established or a transaction is conducted.
• Where there is little risk of money laundering or terrorist financing, the verification of the identity can be completed during the establishment of the business relationship, so as not to interrupt the normal conduct of business.

If the reporting entity cannot identify and/or verify the identity of the client and/or the beneficial owner, or has doubts on about the veracity or adequacy of the information obtained, the business relationship should not be established and the reporting entity should consider submitting a suspicious transaction report to the UIFAND.

In cases where reporting entities form a suspicion of money laundering or terrorist financing, and they reasonably believe that performing the customer due diligence process will tip-off the customer, they are allowed not to pursue the customer due diligence process, provided that a suspicious transaction report is submitted to the UIFAND.

In relation to pre-existing business relationships, reporting entities should establish a frequency for the review of the identification and verification of the beneficial owner, under a risk-based approach, that will not exceed 5 years, or when the client circumstances have changed, or when the party under obligation has the legal obligation, during the correspondent natural year to contact with the client to review any relevant information according to the tax exchange information Law (Law 19/2016 of 30 of November).

For more information, see the Technical Communiqué  CT-01/2023 and tax exchange information Law (Law 19/2016 of 30 of November).

How is the identity of the client and the beneficial owner verified?

In the case of customers who are natural persons and beneficial owners, reporting entities should verify their identity by means, at least, of the display and copying of the official identity document bearing a photograph.

When any person states that he acts on behalf of the customer, such circumstance should be verified by obtaining a copy of the respective power of attorney.

In the case of customers who are legal entities, trusts and other entities or legal arrangements, reporting entities should identify the customer and the beneficial owner and verify their identity by means of documents, data or information, such as a deed of incorporation or the articles of association, certificate from the Registry, etc. In addition, reasonable measures should be taken to understand the ownership and control structure of the customer.

It is important to note that, when establishing a new business relationship with this type of clients, reporting entities shall collect proof of registration or an excerpt of the Registry.

For more information, see article 7 of the Regulation of Law 14/2017 and the article 10.1 of Law 14/2017.

Purpose and intended nature of the business relationship

Reporting entities should identify the goal and purpose by which the client is subscribing to a service or acquiring a given product.

On-going monitoring of the business relationship

In the case of continuing relationships with the customer, reporting entities must establish procedures in order to monitor the behavioural patterns of their customers, analyse them and adjust their initial risk profiles, if necessary. In this sense, reporting entities must ensure that the transactions being conducted are consistent with the reporting entities’ knowledge of the customer and establish mechanisms that alert of possible deviations and of transactions susceptible of entailing money laundering or terrorist financing.

On practical terms, in order to perform an on-going monitoring of their customers, reporting entities must apply a risk-based approach and perform controls with different scope and frequency, depending on the risk profile of the customer. The UIFAND has established, by means of the technical communiqué  CT-01/2023, that DD obligations, in terms of identification and verification of the beneficial owner, must be conducted every 5 years, at least.

It is highly recommended to reflect the on-going monitoring of clients on written form.

Origin of funds

Within the context of the application of DD measures, the source of funds is the activity that has generated it (professional activity, inheritance, etc.).

It is a common error to confuse the source of funds with the traceability of funds, that allow the reporting entity to follow the trace of the funds but that, usually, brings no further light on how they have been accrued.

The source of funds verification can be done through a variety of means that the reporting entity must define depending on its own criteria and knowledge of the customer. It can be done, for example, by obtaining tax returns, copies of audited accounts, payrolls, etc.

Simplified DD measures

When can these simplified DD measures be applied?

Simplified customer due diligence measures can be applied in those cases in which the business relationship or the transaction presents a low degree of risk according to the following factors:

• Customer risk factors (i.e. public companies listed on a stock exchange and subject to disclosure requirements, public administration offices, etc.)
• Product, service, transaction or delivery channel risk factors
• Geographical risk factors (i.e. EU Member States)

For more information, see article 11 of Law 14/2017.

The application of simplified DD measure does not exempt reporting entities from monitoring transactions and business relationships in order to detect unusual or suspicious transactions because the information obtained by parties under obligation applying simplified DD measures should be enough to consider that the analysis justifies the low degree of risk and that information is sufficient in order to determine the nature of the business relationship.

How are simplified DD measures applied?

The main distinguishing feature of simplified DD measures from all other possible measures is that they allow reporting entities to adjust the frequency of data reviews and transaction monitoring, as well as reducing the amount of information collected within the application of DD measures.

For more information, see article 9 of the Regulation of Law 14/2017.

Enhanced DD measures

When must enhanced DD measures be applied?

Reporting entities must apply enhanced DD measures on PEPs, their family members and close associates.

Additionally, reporting entities must apply enhanced DD measures according to, among others, the following high-risk situation evidences:

• Customer risk factors (companies that have nominee shareholders or shares in bearer form, cash-intensive businesses, etc.)
• Product, service, transaction or delivery channel risk factors (new or developing technologies, products or transactions that might favour anonymity, etc.)
• Geographic risk factors (i.e. countries subject to International sanctions)

For more information, see article 12 of Law 14/2017.

How must enhanced DD measures be applied?

In relation to enhanced DD measures, the Andorran legislation established that reporting entities must increase the volume of information collected and the frequency of reviews, diversify the sources of information and must obtain the authorization of senior management officials in order to establish or maintain the business relationship.

Parties under obligation should obtain information about the reasons of estimated transactions or transactions made and they should also obtain information about client’s and beneficial owner’s source of wealth.

Moreover, reporting entities should examine, as is reasonably practicable, the context and the purpose of all transactions that have at least on of this requirements:

• Complex transactions,
• Unusual high amount transactions,
• Unusual transactions,
• Transactions without apparent economic or lawful purpose.

For more information, see article 10 of the Regulation of Law 14/2017 and article 12 of Law 14/2017.

Politically Exposed Persons (PEPs)

Politically exposed persons are individuals that have been entrusted with prominent public functions on which enhanced DD measures should be applied, as well as in relation to their family members and persons known to be close associates of PEPS.

For more information, see article 3 sections 6, 7, and 8 of Law 14/2017 where the concept of “prominent public functions” is defined.

In relation to transactions or business relationships with politically exposed persons, reporting entities shall:

• Have in place appropriate risk management systems to determine whether a customer or the beneficial owner of the customer is a politically exposed person;
• Obtain senior management approval for establishing or continuing a business relationship with politically exposed persons;
• Take adequate measures to establish the source of wealth and source of funds that are involved in business relationship or transactions;
• Conduct enhanced, on-going monitoring on that relationship.

Additionally, reporting entities must establish mechanisms that allow them to detect if a customer or beneficial owner has become a PEP, so to apply the corresponding enhanced DD measures as from that moment.

In relation to customers and beneficial owners that are PEP, reporting entities will apply enhanced DD measures at the establishment of a business relationship with a PEP, during the business relationship life-cycle and until, at least, after a year that the politically exposed person is no longer entrusted with the public function, given that he is still maintaining a business relationship with the reporting entity.

For more information, see articles 14 and 17 of Law 14/2017 and article 2 of the Regulation of Law 14/2017.

Reporting obligation

A suspicious transaction report (DOS, by its Catalan acronym) is a written report declared by the reporting entity to the UIFAND by its own initiative in order to communicate any transaction or attempted transaction related to the funds where the reporting entity is aware of, knows, suspects or has reasonable grounds to suspect that are the proceeds of criminal activity or are related to terrorist financing. This written report must be done by following a specific set of  instructions (Catalan version only) and must be submitted by presenting the applicable  form (Catalan version only). Before submitting the report, reporting entities must convey telephonically a day and time to submit it in written form at the UIFAND premises.

It is important to state that completion of a SAR cannot be delegated to another reporting entity or individual.

Relevant documentation: Instructions on how to submit a SAR (Catalan version only)  SAR Form (Catalan version only)

Internal procedures and training

Internal procedures

The Andorran AML/CFT legislation establishes that reporting entities must have internal control procedures and policies. It is essential that these procedures and policies are in written form and that they are at the disposition of its employees, depending on their exposure to potential ML/TF. Additionally, these procedures may establish some minimum requirements to be taken into account by their service provides or authorized individuals.

These internal policies and procedures must include, at least, the customer admission policy, the description of due diligence measures, confidentiality measures, record keeping and data updating, internal communication procedures, procedures for the application of restrictive measures, etc. (for more information, see article 17 of the Regulation of Law 14/2017).

The reporting entity must ensure that these internal policies and procedures are written in a clear manner and that they are applied by all the involved parties. Additionally, these internal procedures should be updated periodically (in order to include new legislation, new mitigation measures, etc.) in order to ensure their effectiveness and their adaptation in the light of new tendencies or detected risks.

The internal policies and control procedures are to be approved by the senior management. In all cases, the internal policies should be approved by the administration body.

These internal policies and control procedures are prepared by taking into account the size, structure and complexity of the reporting entity, and they should allow the management and mitigation of the risks identified, either by the authorities or by the reporting entity. In the case the reporting entity is a member of an association, and that it provides them with a sample document of policies and procedures, the reporting entity will have to ensure their adaptation depending on the characteristics of its specific business activity.

For more information, see article 40 of Law 14/2017 and article 16 of the Regulation of Law 14/2017.

Training

Reporting entities should take measures that include ongoing training programs and special updating courses for employees.

In terms of trainings, they should be addressed to both the individuals that are directly related to the customer and those who participate in client-related transactions, as well as to all of those in charge of the application of AML/CTF policies and procedures and members of senior management.

The content of the training should cover general ML/TF concepts and definitions, internal policies and procedures, suspicious transaction reports, the identification and verification of the customer’s and beneficial owner’s identity, record keeping, KYC, OCIC, risk indicators of the sector, etc. and, in all cases, include updated and adapted information in relation to the position held by the trainees in the company and their level of exposure to ML/TF risks.

In general, members of a reporting entity must have the capability of understanding the obligations being applied to the reporting entity, the vulnerability to with it is exposed, the internal policies and the control procedures that have been established in order to comply with the ML/TF legislation.

In addition, it is highly recommended that reporting entities keep a record of all individuals that have performed trainings, its content, frequency, methodology (on-site, online, and external) and, preferably, their degree of accomplishment.

For more information, see article 42 of Law 14/2017 and article 18 of the Regulation of Law 14/2017.

Record keeping

The Andorran legislation establishes a period of conservation of ML/TF related documentation of at least 5 years. This documentation includes all documents, data and information obtained under Law 14/2017 (identity of the client, nature and date of the transaction, source of wealth, currency and total amount of transactions and purpose and intended nature of the business relationship), receipts and registers of operations and transactions, account files and business correspondence, and the results of any analysis undertaken, submitted suspicious transaction reports and all internal communications that may have derived.

It is highly recommended that the reporting entity identifies, among the information and the documentation that keeps from the customer, that which corresponds to the fulfilment of the AML/CTF obligations, and, if possible, for each of the obligations.

This period of conservation starts from

• The date of termination of the business relationship with the customer;
• The date of the occasional transaction

The UIFAND may further extend the retention period for a maximum period of five additional years, in an individual and reasoned manner.

For more information, see article 37 of Law 14/2017.

Personal data shall be processed by reporting entities on the basis of Law 14/2017.

Individual Risk Assessment

Reporting entities must have their Individual Risk Assessment (hereafter ERI, by its Catalan acronym). It is a document by which the reporting entities assess their ML/TF risk exposure. The goal of this assessment is that reporting entities identify all the inherent risks linked to their business activity and apply the corresponding mitigating measures. It is therefore essential that the results obtained from this assessment reflect the reality of the business. In other words, these results, that must be documented, should be adapted to the complexity and size of the business.

For more information, see the  Guide on ERI 

Restrictive measures

Reporting entities must ensure that none of the persons with whom they establish a business relationship is included in the United Nations List.

This implies developing controls in order to verify periodically the customers database (including beneficial owners, representatives and other participants in the business relationship) against the United Nations List, as well as, the implementation of the operating procedures to be taken in cases where a positive is detected.

For more information, see section Restrictive Measures.

Other relevant documentation

•  Informative note addressed to the sectors of economists, auditors, tax consultants, accountants, administrative services bureaus and other company services providers 
•  FATF Risk Based Approach Guidance for accountants