AML Measures of obliged entities

Obliged entities are obliged to take preventive and risk-oriented measures to prevent their activities from being misused for money laundering and the financing of terrorism. This is done, among other things, by carrying out risk assessments, formulating policies and procedures, training employees, examining the reliability of customers, the risk-classification of customers, monitoring them on a regular basis, and investigating and reporting suspected money laundering and terrorist financing.

Click on an image to learn more:

A business wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing in the activities of obliged entities. The risk assessment is intended to identify the main weaknesses and threats to the obliged entities, and it shall specify methods and means for managing and mitigating the identified risk of the activities being misused for money laundering and terrorist financing.

In accordance with Act No. 140/2018 (in Icelandic), obliged entities are obliged to conduct risk assessments of their operations and transactions. The risk assessment shall be updated at least every two years and when the need arises.

• Conducting a risk assessment for money laundering and terrorist financing
• Regulation No. 545/2019 on risk assessment (in Icelandic)
• Risk assessment of the National Commissioner of the Police (in Icelandic)
• EBA Risk Factors Guidelines
• Risk assessment (in Icelandic)
• Risk factors in the banking sector (in Icelandic)
• Risk factors in the securities and fund market (in Icelandic)
• Risk factors in the life insurance market (in Icelandic)
• Risk factors due to the issuance and handling of electronic money (in Icelandic)
• Risk factors related to money remittance (in Icelandic)
• Risk factors in the provision of payment services (in Icelandic)

The risk assessment shall be used to develop policies, controls and procedures to mitigate and manage the identified risks and maintain adequate control.

The policy should lay the foundations for the company's defences and be a policy statement about the culture and values that shall be upheld by the obliged entity in order to prevent their activities being misused for money laundering and terrorist financing. In addition, the policy should discuss how responsibilities are divided between individual employees and units.

Employee training is one of the key elements in the prevention of money laundering and the financing of terrorism and forms part of the active internal control of obliged entities. Obliged entities shall ensure that their employees including employees of branches and subsidiaries, receive special training in measures against money laundering and terrorist financing and acquire appropriate knowledge of the provisions of Act No. 140/2018 (in Icelandic), regulations and rules issued on the basis thereof.

The risk assessment of obliged entities forms the basis for customer risk classification. The assessment determines the type of due diligence to be carried out. When a risk assessment shows that there is a low risk, a simplified due diligence may be applied. If, on the other hand, a risk assessment shows a higher risk, more rigorous due diligence should be performed. At the same time, increased due diligence must also be carried out under certain statutory circumstances.

Firstly, customers, beneficial owners and any parties that have authority to represent the customer towards the obliged entity must prove their identities to the obliged entities by presenting recognised ID and legal entities information from an official register.

• Secondly, the obliged entities themselves must obtain adequate information about customers, beneficial owners and any parties that have authority to represent the customer towards the obliged entity.
• Thirdly, obliged entities need to ensure the reliability of information about customers and beneficial owners. This involves verifying the identity of the customer and the beneficial owner where applicable. This also applies to any parties that have authority to represent the customer towards the obliged entity. The identity of these parties shall be verified on the basis of reliable and independent information, in addition to which information on the purpose and nature of the proposed transaction shall be assessed. An obliged entity shall independently assess whether the information about the beneficial owner is correct and satisfactory and that the entity understands the ownership, activities and organisational structure of the clients, who are legal entities, trust funds or other comparable entities. There shall also be an assessment of whether the transaction is carried out in the interest of a third party and, if so or if there is reason to believe so, the identity of the third party must be verified. The parties must also confirm, as appropriate, the source of the funds used in the transaction and take appropriate measures to verify the relevant information.

Under the supervision of the Central Bank of Iceland, obliged entities shall carry out due diligence in the following circumstances:

• when establishing a contractual relationship,
• when carrying out individual transactions amounting to EUR 15,000 or more, based on the officially posted exchange rate at any time, whether the transaction is carried out in a single operation or in several operations, which appear to be linked,
• in the case of a transfer of funds, in the case of individual transactions, whether it be a transfer of funds within the country or across borders, amounting to EUR 1,000 or more at the official exchange rate as recorded at any given time,
• in the trading of goods and services, which are paid for in cash, whether the transaction is made in one payment or several payments, which appear to be linked, amounting to EUR 10,000 or more, based on the official exchange rate recorded at any given time,
• when there is a suspicion of money laundering or terrorist financing, regardless of any exemption or threshold,
• when there are doubts about the veracity or reliability of submitted information on the customer or beneficial owner.
• The performance of due diligence is further stipulated in section III of Act no. 140/2018 and Regulations no. 745/2019 on Due Diligence and the guidelines of the European Banking Authority (EBA).

• Regulation No. 745/2019 on due diligence (in Icelandic)
• Due diligence - educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)
• Risk Factors Guidelines

The risk assessment of an obliged entity forms the basis for decisions on the risk classification of clients. Obliged entities shall ensure that customers are risk classified in accordance with their transactions and shall preserve all the data, information and reasoning regarding the customers' risk classification. The risk classification shall reflect the risk posed by the customer at any given time.

When assessing a customer's risk classification, any relevant risk factors, which may, in themselves or in combination, increase or decrease the risk of money laundering or terrorist financing, should be considered. The total risk associated with the customer should be considered and it should be borne in mind that a single risk factor does not necessarily mean that the risk classification increases or decreases.

Among other things, the following shall be taken into account:

• the activities, reputation and political exposure of the customer and the beneficial owner,
• which countries or territories are linked to the business relationship,
• risk factors related to the product, service or transaction that is being sought,
• which distribution channels are used,
• whether the customer uses intermediaries to represent him,
• whether the customer is a legal entity with a complex ownership or administrative structure,
• whether the customer is a trust or a comparable entity, and
• whether the customer mainly trades in cash.
• When assessing an individual risk factor, obliged entities shall, as a minimum, ensure that:
• A single risk factor does not have an abnormal effect on lowering the risk classification,
• a decision on the weight of individual risk factors does not prevent contractual relationships from being classified as high risk,
• financial and profit-driven considerations do not affect risk classification,
• the provisions of the Act on Measures against Money Laundering and Terrorist Financing regarding cases where increased due diligence is to be applied always take precedence over the risk classification of obliged entities,
• It is possible to bypass automated risk classification if deemed necessary. The reasons for such a decision shall be documented.
• Obliged entities are authorised to use automated information technology systems to reach a risk classification decision in order to classify contractual relationships and occasional transactions. The obliged entity, on the other hand, needs to be able to explain to the regulator how the system works and how it combines risk factors to reach a final conclusion regarding risk classification. The entity must also ensure that the result reflects the risk of money laundering and terrorist financing and be able to justify such a conclusion to regulators.

• Regulation No. 545/2019 on risk assessment (in Icelandic)
• Regulation No. 745/2019 on due diligence (in Icelandic)
• Conducting a risk assessment for money laundering and terrorist financing
• Risk assessment – educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)
• Risk factors in the banking sector (in Icelandic)
• Risk factors in the securities market and funds (in Icelandic)
• Risk factors in the life insurance market (in Icelandic)
• Risk factors due to the issuance and handling of electronic money (in Icelandic)
• Risk factors related to money remittance (in Icelandic)
• Risk factors in the provision of payment services (in Icelandic)

The risk assessment of an obliged entity and the customer's risk classification form the basis for a decision on how the monitoring of money laundering and terrorist financing shall be conducted. On-going monitoring involves monitoring customer information, on the one hand, and their transactions, on the other.

Obliged entities shall update customer information on a regular basis and provide additional information as necessity dictates. Changes in customer information, contractual relationships or related individual aspects, as well as the risk assessment of obliged entities may provide grounds to perform new due diligence in light of the changed information. The risk assessment of obliged entities can also give rise to new due diligence being performed on a regular basis.

The documented risk assessment or rules of the obliged entity shall specify the timing of the updated due diligence with regard to the risk classification of individual customers or groups, as applicable.

Obliged entities shall regularly assess whether a customer or beneficial owner is in a risk group, due to being a politically exposed person.

Obliged entities shall regularly monitor contractual relationships with customers and provide adequate information on transactions conducted during the term of the agreement to ensure that their transactions are consistent with available information and risk assessments. The entities must also confirm, as appropriate, the sources of the funds used in the transactions and take appropriate measures to verify the relevant information.

Obliged entities shall ensure that there is increased or systematic monitoring of higher risk transactions and contractual relationships.

In order to carry out periodic inspections, obliged entities shall have automated monitoring systems in place to flag transactions under certain circumstances and/or methods and processes for detecting deviations or suspicious transactions of their customers. Systems and methods shall at least include the following elements:

• that certain transfers or transactions are flagged or examined, based on pre-determined criteria or rules,
• that the relevant transfers or transactions are examined and investigated by the relevant employee of the obliged entity,
• that a position is taken on the transfers or transactions that are flagged, with regard to the available information about the customer and
• to take appropriate measures, such as further investigation of the transactions, if an examination reveals suspicious transactions.

Obliged entities shall also investigate, as far as possible, the background and purpose of all transactions, which at least one of the following conditions applies to:

in the case of complex transactions,

in the case of unusually high transactions,

in the case of unusual business patterns or

in the case of transactions that do not appear to have an economic or legal purpose.

All such transactions and related contractual relationships shall be subject to increased scrutiny for the purpose of identifying whether they are suspicious transactions.

• Regulation No. 545/2019 on risk assessment (in Icelandic)
• Regulation No. 745/2019 on due diligence (in Icelandic)
• Due diligence - educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)

Obliged entities, their employees and managers shall notify the Financial Intelligence Unit (hereinafter FIU) in a timely manner of suspicious transactions and funds that are suspected of being traceable to criminal conduct. The term suspicion refers to the lowest level of suspicion and does not therefore constitute as detailed and unequivocal a claim as generally applies in legal proceedings for a substantiated suspicion, but in this case refers to a sufficient suspicion. In accordance with international rules in the field of measures against money laundering and terrorist financing, it is considered better for obliged entities to report more often than not. The FIU is responsible for processing the matter further and analysing the information attached to the notification.

• Investigation and reporting requirements  – educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)
• goAML System