Ordinance BACEN 3,978 of January 23, 2020, which was created for the purpose of regulating the policy, procedures and internal controls to be adopted by institutions authorized to operate by the Central Bank of Brazil (BACEN) with a view to preventing the use of financial system for the practice of crimes of “laundering” or concealment of assets, rights and values, as set out in Law 9,613, of March 3, 1998, and of terrorism financing, provided for in Law 13,260, of December 16, March 2016, would come into force on July 1, 2020. However, Ordinance BACEN 4,005, dated April 16, 2020, changed the effective date to October 1, 2020.
In view of the above, October 2020 begins with a new compliance scenario for financial institutions in Brazil, considering that despite BACEN regulation, they will have to establish their set of policies and procedures, in addition to establishing its effective internal controls in preventing money laundering and terrorist financing.
The Ordinance begins by stating that financial institutions must implement and maintain a policy formulated based on principles and guidelines that seek to prevent their use for money laundering and terrorist financing practices, making the risk profiles of (i) clients, (ii) institution, (iii) operations, transactions, products and services; and (iv) outsourced employees, partners and service providers.
This policy should basically establish the following:
This policy must be approved by the institution's Board of Directors, or, failing this, by its Board of Directors.
The creation of a governance structure to ensure compliance with said policy is now required, and the director responsible for complying with the new obligations introduced by this Ordinance must be appointed to BACEN.
1. Risk Assessment
It establishes the obligation to establish the risk assessment of financial institutions' products and services, regarding the possibility of money laundering and terrorist financing.
The identified risks must be analyzed in terms of the probability of occurrence and the magnitude of their impact, and risk categories must be defined that enable the adoption of management and mitigation controls for situations of higher risk or simplified controls in situations of lower risk. The risk assessment must be documented and approved by the director responsible for complying with the compliance program provided for in this circular and forwarded to the risk committee, audit committee and board of directors; in the absence of the latter, the institution's board of directors.
2. KYC (know your client) - Know your Client
It is necessary to establish the client's risk profile, with reinforced measures being adopted for clients classified in higher risk categories.
To this end, initially, financial institutions must adopt procedures that allow the identification and validation of the client's identity, including comparing their information with those available in public and private databases. The following information must be collected:
In case the customer resides or is headquartered abroad, in addition to items (i) and (ii) above, the number and type of the travel document, and the company identification or registration number, respectively, must be obtained.
The qualification of clients must be based on the risk profile and the nature of the business relationship, including whether they are politically exposed persons. Therefore, information must be collected to assess their financial capacity, understood as such income and billing, for the case of natural and legal persons, respectively. Such qualification must be reassessed periodically.
For the defect of this Ordinance, those listed below are considered politically exposed, and this condition shall prevail for up to 5 (five) years after the date on which the person ceased to fall into such categories:
The qualification of the corporate client must include the analysis of the corporate ownership chain until the identification of the individual featured as its final beneficiary, and the financial institutions must establish a minimum reference value of equity interest for the identification of the final beneficiary based on risk and cannot exceed 25% (twenty-five percent), considered, in any case , direct and indirect participation.
The Ordinance also contains 2 (two) very important definitions:
In addition to the identification and qualification of customers, there is also their classification, based on the information obtained in the customer's qualification procedures, especially if you are a representative, family member, close collaborator or politically exposed person.
No business relationship should be initiated until the customer identification and qualification procedures are completed.
3. Registration of Operations
With respect to the registration of transactions, financial institutions must register all transactions carried out, products and services contracted, including withdrawals, deposits, contributions, payments, receipts and transfers of funds.
For each operation, the type, amount, date of realization, name and number of the CPF or CNPJ and the channel used must be registered. In the case of a natural person abroad, name, type and number of the travel document and the respective issuing country and international body of which he is a representative for the exercise of specific functions in the country, if applicable. In the case of a legal entity abroad, company name and company identification or registration number in the respective country of origin.
The identification of the origin and destination of the resources, in addition to the transfer or payment instrument, must be added in the case of transactions relating to payments, receipts and transfers of resources. This includes:
If the operation is carried out with a financial institution not authorized to operate by BACEN, the participating institution must stipulate in the contract the right of access to the identification of the final recipients of the funds, for the purpose of preventing money laundering and the financing of terrorism.
In the case of registration of operations in kind, the following must be observed:
If there is a refusal to inform the origin of the funds, this fact must be registered by the institution.
In the case of withdrawal operations, with an individual value equal to or greater than R$ 50,000.00, the drawers, customers or not, must be instructed to communicate the withdrawal 3 working days in advance, in order for the provisioning to be made and institutions should include in the registry:
4. Monitoring, Selection, Analysis of Operations and Suspicious Situations
Financial institutions must implement procedures for monitoring, selecting and analyzing transactions and situations, within a period not exceeding 45 days from the date of the transaction or the situation, in order to identify and pay special attention to suspected money laundering and financing of terrorism, in particular:
A manual must be prepared and approved by the institution's board containing:
It is important to note that for the analysis of operations and suspicious situations, it is forbidden to hire third parties to perform them (although it is allowed to contract auxiliary services to the analysis), as well as to perform it abroad.
5. Communication to COAF
The communication decision on the part of the financial institutions to report to COAF operations or situations suspected of money laundering and terrorist financing, must take place within the 45-day period assigned for the analysis. Communication must take place by the business day following the communication decision.
With respect to operations in kind, financial institutions must report to COAF by the business day following the day on which the operation or provisioning occurs:
These communications must specify whether the person who is the subject of the communication is:
6. Knowledge of Employees (KYE), Partners (KYP) and Outsourced Service Providers
Financial institutions must implement procedures designed to get to know their employees, partners and outsourced service providers, including identification and qualification procedures, always with a focus on preventing money laundering and terrorist financing.
Therefore, the activities carried out by its employees, partners and outsourced service providers must be classified in the risk categories defined in the internal risk assessment and this classification must be kept up to date.
Financial institutions that enter into contracts with financial instructions based abroad must:
On the other hand, if financial institutions conclude contracts with
third parties not subject to authorization to operate by the Central Bank of Brazil, participants in a payment arrangement in which the institution also participates, must:
7. Monitoring and Control Mechanisms
Financial institutions must establish monitoring and control mechanisms, periodically tested by the internal audit in order to ensure the implementation and adequacy of the policy, procedures and internal controls introduced by this Ordinance, including:
8. Evaluation of Effectiveness
Financial institutions must evaluate the effectiveness of the policy, procedures and internal controls, preparing a specific report under the following conditions:
If deficiencies are identified, an action plan must be drawn up to address them by assessing effectiveness, with a follow-up report being prepared to document the remediation of the deficiencies, both documents having to be forwarded by June 30 of the following year the base date of the report, for the authorship committee, the board of directors and the board of directors of the institution.
The following documents must remain available to the Central Bank of Brazil; and the documents in items 5, 8, 9, 10, 11, 12, 13 and 14 must be available for a minimum period of 5 years:
The following documents must be kept at the disposal of the Central Bank of Brazil, for a minimum period of 10 years:
Finally, this Ordinance amends Ordinance 3,691,of December 16, 2013, which regulates Resolution 3,568, of May 29, 2008, which,in turn, regulates the foreign exchange market, in order to increase preventivemeasures to face money laundering and terrorist financing in such operations,through performance evaluation, commercial procedures and financial capacity.