Here is a Q & A exercise to help you better understand this new concept.
What does ‘Outsourcing’ mean?
Outsourcing is defined as:
“the engagement of a third party by a Subject Person to carry out an activity, process or service that would normally be carried out by the subject person itself. Outsourcing therefore means that the subject person would not implement certain measures and procedures itself but would delegate their implementation to another person”.
Is the use of software considered as an ‘outsourcing activity’?
The acquisition of software or access to commercial databases to assist in, or facilitate, the carrying out of AML/CFT obligations without any data or information belonging to the subject person being submitted to and processed by a third party is not to be considered as outsourcing.
Does outsourcing mean reliance?
Outsourcing is NOT reliance. In terms of Regulation 12 of the Prevention of Money Laundering and Funding of Terrorism (PMLFTR), in a reliance arrangement, the Subject Person would rely on a third party who has carried out Customer Due Diligence (CDD) and the CDD documentation is held by the relying party.
What are the responsibilities of a Subject Person when there is an outsourcing arrangement in place?
The Subject Person remains at all times responsible for adhering to any legal or regulatory requirements. Such responsibility can never be delegated.
What cannot be outsourced?
Outsourcing is not to be extended to the adoption and application of policies and procedures necessary to ensure the Subject Person is compliant with its AML-CFT obligations at all times. The Subject Person may engage consultants to assist it in carrying out any risk assessment or drawing up any policies and procedures, but it remains the ultimate responsibility of the Subject Person to ensure that these address the ML/FT risks to which it is exposed, satisfy the requirements at law, and are implemented properly.
What can then be outsourced?
Outsourcing is allowed in so far as it concerns the implementation of the Subject Person’s policies and procedures. The obligations that can be outsourced (in full or in part) are:
- the implementation of risk assessment procedures (Regulation 5 of the PMLFTR);
- the implementation of CDD procedures (Regulation 7 to Regulation 11 of the PMLFTR); and
- the implementation of record keeping obligations (Regulation 13 of the PMLFTR).
Can the outsourced party submit an internal report to the MLRO or flag an unusual transaction?
Yes, an outsourced party can submit an internal report to the MLRO or flag an unusual transaction.
Can the outsourcing party then determine whether an STR has to be submitted?
Absolutely not. It is only the MLRO who can exercise the discretion.
Are there any requirements that the Subject Person must complete prior to entering into an outsourcing arrangement?
Yes, these are:
- Make an assessment of any potential ML/FT risk due to the proposed outsourcing. This must be kept and made available to the FIAU upon request.
- Maintain a written record of the assessment; and
- Monitor the perceived risk.
What conditions should the Subject Person fulfil?
- The outsourcing does not negatively prejudice the Subject Person’s ability to comply with its obligations at law and the effectiveness of the subject person’s compliance and audit functions, nor will the outsourcing impede the effective supervision of the subject person by the FIAU or the compliance by the subject person with any obligation related to the FIAU’s analytical function;
- The outsourcing party has the necessary resources, qualifications, skills and authorisations (if required) at its disposal to effectively carry out the measures and procedures it is to perform on behalf of the subject person;
- The manner in which the outsourcing party proposes to implement the outsourcing activities on behalf of a subject person is in line with all applicable legal requirements and the subject person’s own policies and procedures;
- The outsourcing party is in good standing, there being no adverse information in its regard, and it is located and operating from Malta, an EU Member State or another reputable jurisdiction; and
- The outsourcing party is not subject to any obligation that would lead to a breach of any data protection, professional secrecy, confidentiality or non-disclosure obligation to which the subject person has to adhere.
Is there a need for a written agreement to be in place?
Yes. The FIAU or another regulatory body may request the Subject Person to provide the original or a copy of such agreement.
The agreement must cover:
- The exact parameters of the measure or procedure being outsourced to the outsourcing party;
- The precise requirements concerning the performance of the measure or procedure, taking account of the intended objective of the measure or procedure to be outsourced;
- The respective rights and obligations of the parties to the agreement, including:
  - the obligation of the outsourcing party to notify the Subject Person immediately of any change in its circumstances that negatively affects its standing or its ability to meet its obligations under the agreement;
  - the right of the Subject Person to monitor the outsourcing party’s performance and the obligation of the outsourcing party to take any corrective measures that may be required by the Subject Person to ensure that the measure or procedure being outsourced is carried out effectively;
  - unrestricted and immediate access at any time by the Subject Person to any data, documentation, information, reports or findings that are collected, obtained or made use of to fulfil the measures or procedures outsourced, including the ability to access and retrieve data, information and documentation to enable STRs to be submitted or to reply to requests for information from the FIAU, law enforcement and any other relevant supervisory authority without having to disclose the purpose for which that data, information or documentation is being accessed; and
  - where the retention of data, information and documents collected in the course of implementing the outsourced measures or procedures also forms part of the outsourcing agreement, the data, information and documents are segregated from that belonging to the outsourcing party or any other customer thereof.
- The circumstances under which the agreement can be terminated and the terms that would become applicable, including:
  - a termination clause allowing either the proper and orderly transfer of the outsourced measure or procedure to another outsourcing party identified by the subject person or the proper and orderly reintegration of that measure or procedure within the subject person, with the outsourcing party continuing to carry out the outsourced measure or procedure until such time as the transfer is complete; and
  - the possibility for the subject person to terminate the agreement when the FIAU so requires and when the outsourcing party is no longer in a position to meet its obligations under the agreement.
- The ownership of any data, information, reports or other documentation that may be produced, collated or collected in the course of carrying out the measure or procedure being outsourced, taking into consideration the record-keeping obligations of the subject person;
- That any processing of personal data has to take place in accordance with applicable data protection laws and any data, information, reports or other documentation are kept confidential and will not be disclosed to anyone other than in the circumstances where the law permits this disclosure;
- The communication lines to be followed, especially with regard to the transmission of data, information, documentation, reports or findings to the subject person by the outsourcing party related to the measures or procedures outsourced;
- That the outsourcing party is to allow the FIAU, including anyone duly authorised to act on its behalf, direct access to its premises and to any data, information, documentation, reports or findings relative to the outsourced measures or procedures, as the FIAU may require;
- That sub-contracting by the outsourcing party is not to be allowed without the prior agreement of the subject person, whose consent can only be granted once the subject person has ascertained that the sub-contractor meets the conditions set out in this section and that the sub-contracting will not impact negatively the arrangement entered into between the subject person and the outsourcing party; and
- The subject person must regularly evaluate the outsourcing party’s performance, using mechanisms, such as service delivery reports, self-certification, independent reviews or the subject person’s own audit function.
How can the Subject Person monitor the activities of the outsourcing party?
The Subject Person is responsible for monitoring the activities of the outsourcing party. This can be done in various ways; the following are just examples:
- Periodic reports
- Spot checks
- Request for CDD information on clients
Yes – the Subject Person must ensure that it has a contingency plan in place in the eventuality of a sudden termination of the outsourcing arrangement, so that it can resume without delay the implementation of the outsourced activities.