Third Party Reliance under IFSCA AML/CFT Guidelines 2022
The IFSCA or International Financial services centres authority, issued IFSCA (Anti Money Laundering, Counter-Terrorist Financing & Know Your Customer) Guidelines, 2022 on 28th October 2022. It is mandated by the circular that the regulated entity shall conduct customer due diligence (CDD) for ascertaining the money laundering and terrorist financing risk. Customer due diligence requires the regulated entity to obtain customer information to frame policies and measures to mitigate the risk they may be exposed to. In assessing the risk, the regulated entity may appoint a third party to perform its CDD measures in accordance with Chapter VI of the guidelines. Henceforth, the present article will discuss in detail the provisions for third party reliance under the guidelines.
What is a third party under the IFSCA guidelines?
According to the IFSCA guidelines on AML or CFT, the “Third Party” means:
- Financial Institution that is supervised and subject to the financial regulator.
- Branches, subsidiaries or parent entity of Regulated entity
- Branches & subsidiaries of the parent entity and other corporations.
- Has an existing client relationship with an individual whose data may be used for CDD and customer verification by a regulated entity.
What are the conditions for third party reliance in performing Customer Due Diligence measures?
In Third Party reliance, the third party will typically have a current relationship with the customer that is independent of the relationship formed by the customer with the regulated entity. Henceforth, the third party will perform CDD measures according to its own AML or CFT policies, procedures and controls. The guidelines on AML or CFT provide that a regulated entity may use third party reliance to perform its customer due diligence measures on behalf of the regulated entity provided that:
- The regulated entity shall obtain records or information on the customer due diligence carried out by the third party within 2 days. The information obtained shall not merely means basic information such as name, address, and all relevant CDD information.
- The regulated entity must make sure that the copies of identification data and other relevant documents relating to customer due diligence shall be made available to them by the third party without any delay upon request. Therefore, it is clarified that the entity is not required to automatically obtain the certified documents from a third party. However, if particular jurisdictional laws such as data privacy legislation restrict the regulated entity from obtaining CDD information, in that case, the entity shall by itself undertake CDD.
- In Third Party Reliance, the regulated entity must make sure that the third party it relies on is regulated, supervised, and monitored & has measures put in place for compliance with CDD or Customer Due Diligence and record-keeping requirements under Regulations 10 & 11 of the FATF recommendations. The entity is further required to document its satisfaction that the requirements have been met. The entity shall also consider the following factors while assessing the measures:
- Mutual evaluations, follow-up reports and Assessment reports published by FATF or other international organisation.
- Contextual facilities, including political stability and level of corruption in the jurisdiction.
- Evidence of recent criticism of jurisdiction containing:
- FATF Advisory Services.
- Public Assessment of jurisdiction in terms of Anti-money laundering regime.
- Reports of specialist commercial organisations or non-governmental organisations.
However, where the regulated entity relies on a third party who is part of the same financial group, the condition mentioned above shall not be applicable. The entity may rely on a member of the financial group provided that such a member meets below requirements:
- The financial group applies and implements a group-wide policy on customer due diligence and record keeping in accordance with the standards enumerated under FATF recommendations.
- The financial regulator and other authorities supervise the implementation of customer due diligence and record-keeping at the group level.
- Under Third Party Reliance, the third party shall not be from a country or jurisdiction marked as high risk. The entity must take appropriate measures to identify and assess the ML or TF risks, particularly in those countries or jurisdictions in which the third party operates.
- The regulated entity shall not rely on a third party for ongoing monitoring of business relations with the customer.
- The regulated entity shall not rely on a Third party that is specifically ruled out by the authority.
- The third party shall be subject to the conditions specified in Rule 9(2) of the guidelines.
- The third party shall be subject to all the rules and regulations issued by the authority from time to time.
- If the regulated entity is satisfied that the customer or beneficial owner has not been reasonably identified and verified according to the guidelines, in that case, the regulated entity shall itself perform the customer due diligence immediately.
The Third party reliance enables the regulated entity to perform CDD measures more effectively. The third-party will perform the CDD measures in accordance with their Anti-money laundering or Counter terrorist financing policies, procedures and controls. Further, the regulated entity shall also ensure that it shall not rely on a third party for ongoing monitoring of its business relations with the customer. The entity shall further refrain from appointing a third party from a country or jurisdiction that is marked as high risk. Henceforth, even though the regulated entity may rely on a Third party for performing its CDD measure, that still does not do away with the accountability of the regulated entity.
Read Our Article: IFSCA guidelines on Anti-Money Laundering or Counter-Terrorist Financing