Apex Regulatory Update: July 2017


Share on facebook
Share on twitter
Share on linkedin


Regulation 2015/847 | Revised Wire Transfer Regulation

An updated anti-money laundering and counter-terrorism financing framework came into effect in the European Union (EU) on June 26, 2017; including the fourth Anti-Money Laundering Directive (AMLD4) and the revised Wire Transfer Regulation (WTR2).

In line with the Financial Action Task Force’s (“FAFT”) Special Recommendation VII, (“SR VII”) which aims to enhance the transparency of electronic payment transfers, the scope of WTR2 has been materially extended and now requires that certain payment service providers, intermediaries and fund transfers include information on the payee/beneficiary of the payment, in addition to the information already required on the payer/remitter. The WTR2 also tightens requirements relating to payment products that are for anonymous use or cannot be linked to individuals.

The scope of the changes intends to prevent criminals/money launderers/financers of terrorism from the possibility of transferring money freely within the EU. It addresses problems relating to illegitimate money transfers, as well as ensuring the adoption of International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by FATF on 16 February 2012 (the ‘revised FATF Recommendations’).

Key changes and requirements set out in the first Wire Transfer Regulation include:

  • The Payment Service Providers (“PSP”) must ensure fund transfers are accompanied by information on the payee AND the payer.
  • The PSP of the payee must verify the accuracy of the information on the payee for fund transfers above the value of EUR 1,000.
  • Clarification must be made that WTR2 will apply for person-to-person fund transfers made using payment cards, electronic money instruments, mobile phones or any other digital or IT prepaid or postpaid devices with similar characteristics.
  • The PSP of the payee and the intermediary PSPs must establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds that lacks the required payer and payee information.
  • The PSP must establish whistleblowing procedures.
  • The derogation for intra-EU transfers continues to apply under WTR2 as it did under WTR (although under WTR2 such transfers must be accompanied by at least the account number of both the payer and the payee, as opposed to just the account number of the payer, as was the case under WTR).
  • Firms that wish to take advantage of the derogation will need to have systems in place for distinguishing which transactions benefit from the derogation and those that do not.  

Exceptions apply to bank-to-bank transfers (regular MT202) as well as certain retail transactions, including payment cards used simply to pay for goods and services.

Impact on Apex Clients

Clients using SWIFT as a fund transfer method must review their current set up to ensure it meets WTR2 requirements. Apex suggests its clients contact their PSP without delay to ensure that any issued (or received) payments contain the required information detailed by WTR2.

**In the case of EU cash transfers (type MT103 payments), whereby all counterparties are located within the EU, the account number will have to be added in most cases. For non-EU cash transfers (valid when one party is not located within the EU) a wider list of additional information will be required by the new regulation. Non-EU cash transfer messages must include all of the information listed below:

  • Account number
  • Name
  • Address, or
  • Official Identity number or
  • Client number or
  • Date and place of birth

In order to support the extended requirements for payee information, SWIFT [1]has added the F format to field 59 (Beneficiary Customer), which provides a structured format to capture name, account number and address of the beneficiary in an MT message. For Non-EU transfers, field 59 will include the account number and name only.

The same structured F format option has been implemented for field 50 (Ordering Customer) for some time.

Originating banks should therefore ensure that appropriate information accompanies wire transfers while others in the payment chain (e.g. intermediaries) are required to monitor the payment they process based on this information.

The below table contains the new obligations PSP are expected to comply with, including the implicit statement that if these are not met no payment can be made.

Payer Bank (originator)Intermediary bankPayee Bank (receiver)
Ensure the payment instructions includes the below:


Full originator information:

  • Name
  • Account Number
  • Address or DoB or official ID number or client number

Full beneficiary information (Payee bank):

  • Name
  • Account number
All received information must be kept with the transfer


Detect transactions with missing or incomplete information

Establish risk based policies and procedures to determine:

  • when to execute, reject or suspend transactions with missing or incomplete information
  • appropriate follow-up-action
Detect transactions with or incomplete information


Verify identity of beneficiary

Establish risk based policies and procedures to determine:

  • when to execute, reject
  • or suspend transactions
  • with missing or incomplete information
  • appropriate follow-up-action


The Basel Committee encourages all banks to apply high transparency standards (in full compliance with applicable national laws and regulations), in the context of cover payments initiated to settle a customer transaction. In particular:

  • Appropriate information should be included in payment messages as described in this document. Financial institutions should not omit, delete or alter information in payment messages for the purpose of avoiding the detection of that information by any other financial institution in the payment process.
  • Financial institutions should not use any particular payment message for the purpose of avoiding detection of information by other financial institutions during the payment process.
  • Subject to all applicable laws, financial institutions should cooperate as fully as practicable with other financial institutions in the payment process when requested to provide information about the parties involved.
  • Financial institutions should take into account, in their correspondent bank relationship, the transparency practices of their correspondents.

NEW EU Rules to fight money laundering and terrorist financing start to apply across Europe.

On the 26th of June 2017 the Commission released its Supranational Risk Assessment Report, focusing on the vulnerability of financial products and services in relation to money laundering and terrorist financing risk. It is the first time that the European Union has addressed the strengthening of existing rules at an EU level. The fourth Anti-Money Laundering Directive (AMLD) took effect on the 26th of June 2017;all EU countries l have two years from that day to implement AMLD  rules into national AML LAWS. The new AMLD applies to banks and financial institutions as well as to auditors and accountant firms.

Key changes:

Extension of the Directive’s Scope

  • The threshold for customer due diligence will be lowered under 4MLD, bringing anyone trading in cash with a value over €10,000 into scope (the previous threshold was €15,000).
  • Gambling sector is now in scope of the directive
  • Virtual currency exchange platforms within its scope
  • Wallet providers that allow the public to have access to virtual currencies
  • Domestic PEPs in scope of EDD (see related section)

Inclusion of Tax crimes as predicated offences

The 4AMLD includes an explicit reference to tax crimes (related to direct and indirect taxes) as being ‘predicated offences’.

The Circular 15/609 on anti-money laundering in tax matters issued by the Luxembourg financial regulator (“CSSF”) in March 2015, emphasises that supervised entities should continue to actively work on:

  • Exchange of information
  • AML
  • Tax infractions

At a Group level, Apex Fund Services implemented an upgraded its Anti-Money Laundering and Counter Terrorist Financing Policy in February 2017. This policy already considers certain elements of the 4th AMLD as standard and ensures upgrades are safeguarded  to protect Apex and its customers in high risk areas. Apex has created dedicated Transfer Agency Know Your Customer (KYC) Investor Guidelines and checklists, including aspects of the 4th AML Directive. These upgraded standards are been rolled out in Luxembourg, Ireland and will be introduced across Europe and where cross-border services are offered by Apex.

See below the comparison matrix upon which Apex has implemented upgrades into its existing framework:

Risk Based ApproachConsider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program.Consider geography, customer, product and channel as part of the risk-based approach in establishing a compliance program. Include nationwide AML risk assessments conducted by individual EU Member States.
Third Country Equivalent jurisdiction (“White List”) allowed application of SDDThe concept of “White List” has been dropped.


Financial institutions must determine the level of AML risk posed by a customer prior to applying the SDD status to such customer and provide justification for such qualification.

Record Retention: 5 yearsRecord Retention still 5 years, however might be extended to 10 years in case needed for prevention, detection or investigation on money laundering or terrorist financing.
Ownership and ManagementIdentification and verification of any beneficial owner that controls > 25% of the shares or voting rightsSame rule apply. However the FI can downgrade to 10% the trigger to identify the UBO, in case of higher risk. The BO information are to be submitted to a central register in each Member States.
Issuance of bearer shares by companies permitted.Issuance of bearer shares by companies is not permitted.
Senior management = members of the Board of Directors of the financial institutionSenior management = an officer or employee with specific knowledge of the institution’s exposure to money laundering or terrorist financing risk and sufficient seniority to make decisions affecting its risk exposure.
Tax CrimeN/ATax crimes (in the broadest definition permitted under individual Member States’ laws) will be a predicate AML offense.


PEPsPolitically Exposed Persons (PEPs) are defined as ‘natural persons who are or have been entrusted with prominent public functions and immediate family members, or persons known to be close associates, of such persons.’ A PEP is a natural person who is or who has been entrusted with prominent public functions and includes the following:


  1. Heads of State, heads of government, ministers and deputy or assistant ministers;
  2. Members of parliament or of similar legislative bodies;
  3. Members of the governing bodies of political parties;
  4. Members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
  5. Members of courts of auditors or of the boards of central banks;
  6. Ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
  7. Members of the administrative, management or supervisory bodies of State-owned enterprises;
  8. Directors, deputy directors and members of the board or equivalent function of an international organization.

No public function referred to in points (1) to (8) shall be understood as covering middle-ranking or more junior officials.

Before engaging in any transactions and/or relationships with PEPs, FIs must:


  1. Have appropriate risk-based procedures to determine whether the customer is a PEP;
  2. Have senior management approval for establishing business relationships with such customers;
  3. Take adequate measures to establish the source of wealth and source of funds;
  4. Conduct enhanced ongoing monitoring of the business relationship


Before engaging in any transactions and/or relationships with PEPs, FIs must:


  1. Have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a PEP;
  2. Apply the following measures in cases of business relationships with PEPs:
  • Obtain senior management approval for establishing or continuing business relationships with such persons;
  • Take adequate measures to establish the source of wealth and source of funds that are involved in business relationships or transactions with such persons;
  • Conduct enhanced, ongoing monitoring of those business relationships

N/AWhere a PEP is no longer entrusted with a prominent public function, financial institutions must consider the continuing risk posed by affiliation with such PEP for at least 12 months (or longer, until the financial institution determines that the risk specific to such PEP has diminished).
Policies and ProceduresDisclosure of information should be in accordance with the rules on transfer of personal data to third countries as laid down in Directive 95/46/EC of the European Parliament.


Information exchanged between financial institutions in connection with AML/ CTF investigations shall be used exclusively for the purposes of the prevention of money laundering and terrorist financing.

The Fourth AML Directive “is without prejudice to the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, including Council Framework Decision.”


Member States shall ensure that the sharing of information within the group is allowed.

Any suspicious activity is to be promptly reported to the local FIU, which have anonymous access to centralized registers or electronic data retrieval systems.

Where EU-based financial institutions have branches and subsidiaries located in third countries where the legislation in this area is deficient, they should apply the Community standard or notify the competent authorities of the home Member State if this is impossible.Financial institutions that are part of a group must implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions that have branches or majority-owned subsidiaries located in third countries shall implement the more strict laws between the headquarter or subsidiary/branch’s country laws.


Where a third country’s law does not permit implementation of the policies and procedures required above, financial institutions must ensure that branches and majority-owned subsidiaries in that third country apply additional measures to handle the risk of money laundering or terrorist financing, and inform the competent authorities of their home Member State. If this is not sufficient, the competent authorities of the home Member State shall exercise additional supervisory actions.

PenaltiesMember States should ensure that appropriate administrative measures or penalties could be imposed on financial institutions in a manner that would be “effective, proportionate and dissuasive”. For natural persons sanctions could be adjusted “in line with the activity carried out” by that person.For serious, repeated and/or systematic failures in the areas of CDD, suspicious transaction reporting, record keeping and internal controls, minimum penalties may include:


  • Public reprimand
  • Cease and desist orders
  • Suspension of authorization
  • Temporary ban from managerial functions
  • Maximum pecuniary sanctions of at least €5M or 10% of the total annual turnover (and at least €5M for a natural person).

For non-financial institutions, penalties can amount to twice the amount of the benefit derived from the breach, or at least €1M.

Cash Payments for MerchantsPersons trading in goods must report cash payments of €15,000 or more, either as one or multiple related transactionsPersons trading in goods must report cash payments of €10,000 or more, either as one or multiple related transactions

GDPR | What is truly new in this Data Protection Regulation?

Apex has performed a comparison of the current and the upcoming GDPR and has detected the following new additions which are part of the GDPR implementation plan.

Key facts on the current EU Data Protection Directive vs the upcoming GDPR:

  • Article 4 and 9 – Definition of consent and conditions for consent have been reinforced with need to review existing or missing consents from data subjects within the company. The process has to focus on employees, client relationships, third party relationships including vendors and service providers.
  • Article 5 – Principles relating to the processing of personal data have been reinforced with the need to review the existing ways personal data are processed by a company or any other company performing this task under delegation of the company.
  • Articles 12, 13 and 14 – Privacy Notices will have to be reviewed and reinforced reflecting the additional standards and details to ensure they are in line with the GDPR and protect the company in all areas.
  • Article 22 – Automated individual decision making including profiling has been contained in the EU Data Protection Directive, but has been reinforced. This requires companies to review their current operational processes and contractual framework. Costs might be associated depending on the outcome of the review.
  • Article 24 – Responsibilities of the data controller have been reinforced which means all existing standards, contracts and oversight have to be reviewed to ensure data requirements as per GDPR are covered. This is a huge data review assessment which goes from data classification to data control and protection, appropriate storage, timely deletion, legal framework allowing control and reflecting data subjects rights. Definitely a cost and time consuming exercise.
  • Article 28 – Data Processor comes with additional obligations and liability which means that there is the absolute need to review legal arrangements and processes to ensure they are not exposing the data processor as such or towards the data controller.
  • Article 31 and 32 – Co-operation and Security of processing have been reinforced with need to perform review against existing processes, frameworks and controls.
  • Articles 44 up to 49 – Cross border transfers have been definitely reinforced as the basic notion of the new GDPR is to cover data flows within and even outside of the EU. Any operational or IT delegation structures have to be reviewed and reinforced with respective legal coverage and updates in the consent framework to ensure transparency where missing.

Cayman Island – First legal Data Protection Framework introduced March 2017

In March 2017, the Legislative Assembly of the Cayman Islands passed the Data Protection Law 2017, introducing for the first time a true legal framework on the management of data in the region. The Cayman government published a Data Protection Bill in 2016 proposing a data protection framework based on principles describing rights and duties in all areas where personal data is involved. The suggestions put forward in the Data Protection Bill, 2016, were inspired by the legislative framework of the European Union and international best practices.Until the law is enforced, the Cayman Islands will continue to operate under the previous duty of confidentiality enshrined in the common law and provisions for the Confidential Relationships Preservation Law (as revised) of the Cayman Islands (the ‘CRPL’).

The new Data Protection Law in Cayman imposes principles such as the ‘fair and accurate management and storage of personal data’. The Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike, as well as entities outside the Islands that have certain data processing functions. This is similar to the upcoming GDPR going beyond the European territory. Apex is closely monitoring the Cayman Island data protection developments, market practice adaptations and the nuances of each single principles to understand similarities or differences in legal notions and will provide further updates in due course.

This constitutes a big success with regards to progress in this area as it is the third time a government has attempted to implement such a defined legislation – the previous two attempts to pass such a Data Protection Bill failed, not even making it to Legislative Assembly level.

[1] https://www.swift.com/node/14361


Share on facebook
Share on twitter
Share on linkedin

Get in touch with our team

Submit your query

Cookie control
This website uses cookies so that we can make your experience better. If you wish to change your cookie settings please refer to our Privacy Policy. Otherwise we will assume you’re OK to continue. Privacy Policy