Commencing on September 1, 2023 the Bank of Lithuania AML/CTF Amended Instructions and new Sanctions Compliance Instructions will take effect. The Instructions introduce an array of requirements for financial market participants, encompassing sanctions risk assessment, informing the Bank of Lithuania on the appointed MLRO and board member responsible for AML/CTF compliance, testing, auditing of internal control systems and reporting on its deficiencies, as well as detailing requirements on sanctions screening.
According to the BoL Instructions, financial market participants will be required to assess and ensure that persons responsible for implementation of sanctions are knowledgeable on sanctions legislation and have enough resources to perform their functions. Board member responsible for AML/CTF and MLRO will have to be evaluated whether they have relevant competence, experience, qualification in the AML/CTF field.
With the new Instructions, the BoL obliges FMPs to inform the BoL and the Financial Crime Investigation Service on the appointed MLRO and board member responsible for AML/CTF within 7 business days. When informing the BoL, FMPs must provide the BoL and the FCIS with the appointed persons’ contact information (i.e., name, surname, phone number, e-mail), date of appointment, documents and information confirming the appointment (e.g., decision of the board) via the following emails: [email protected] and [email protected]. FMPs are not required to inform the BoL on the appointed person responsible for sanctions compliance.
The Sanctions Instructions implement a new requirement for FMPs – annual and ad-hoc enterprise-wide sanctions risk assessment, in which the financial market participants assess their operational risk, customers risk, and the risk of proliferation financing. The enterprise-wide sanctions risk assessment may identify increased-risk situations for which a risk remediation plan would have to be drafted and the responsible person assigned. The sanctions risk assessment may be carried out as part of enterprise-wide money laundering and terrorist financing risk assessment or separately.
The Amended AML/CTF instructions introduce detailed requirements on how the assessment on effectiveness, efficiency, and suitability of internal control system should be performed, including a requirement to describe used methods, customer selection criteria, description of assessed systems, and more. Subsequently, FMPs will now also have to perform such assessment on systems used for the implementation of sanctions. However, the Sanctions Instructions refrain from delving into the specifics of the procedural framework for this assessment. AML/CTF and sanctions assessments are performed by employees during their daily activities, after the competent institution has identified deficiencies, in the event of significant changes, periodically – but at least once every 2 years. The assessment may be carried out in the following methods:
- in the course of an internal or external audit
- during testing of internal controls
- in other ways chosen by the FMP.
Regarding sanctions screening, the Sanctions Instructions do not describe in detail what data must be screened. The type and amount of screened data depends on the type of FMP, type of transaction, etc. However, the Instructions provide general guidance on who must be screened:
- customers, counterparties, financial institutions involved in the transaction or in its execution (e.g. correspondence relations) and other persons involved (e.g. beneficial owners)
- FMP service providers, business partners, intermediaries (this includes office space providers, coffee providers, etc.)
- FMP shareholders and managers (also new employees)
- whether the transactions of the FMP / its clients are outside the scope of international sanctions.
Lastly, FMPs are now required to inform the Bank of Lithuania within 5 business days on the detected serious deficiencies in its internal control system when those deficiencies had a serious impact on the implementation of international sanctions. For example, report may be issued if the sanctions screening systems did not check the UN sanctions lists for a month. It is important to distinguish that the reports provided to the FCIS are about sanctions matches or evasion suspicions, while reports to the Bank of Lithuania are about the internal system deficiencies.
Prepared by Vilius Neverdauskas, Associate of ECOVIS ProventusLaw