Brazil’s new approach to AML/CFT

Demarest partner Fabio de Almeida Braga outlines what practitioners need to know about Brazil’s new risk-based approach to anti-money laundering and counter-financing of terrorism.

The Central Bank of Brazil (BACEN) has recently revamped the anti-money laundering and the counter-financing of terrorism (AML/CFT) measures applying to financial institutions under its purview, following guidelines and recommendations issued by the Financial Action Task Force (FATF) since 2012.

The main changes have been enacted through a broad and in-depth revision of the then existing regulatory norms on the subject, which in January 2020 gave birth to the newly-enacted BACEN Circular 3,978, which came into force on 1 October.

The Brazilian financial system requires the establishment of adequate legal safeguards and protections against the risks posed by money laundering activities. For this reason, Brazil today has at its disposal not only legislation that typifies criminal conduct in this area, but also state agents and governmental organs whose function is to oversee the soundness and isolation of the financial system in relation to these risk exposures.

These include BACEN, whose most important function is to regulate, monitor, and supervise the entire system, requiring that financial institutions adopt and implement policies, procedures, and internal controls focused on preventing and combating money laundering and terrorist financing. Added to BACEN’s efforts are the actions of the Financial Intelligence Unit (COAF), the Public Prosecutor's Office and the Federal Revenue Service, forming together a system of interconnection and information-sharing relevant to the conducting of prevention activities and any such illicit activities across the country.

At the international level, Brazil is a member of specific forums dedicated to AML. Occupying a prominent position among these is the FATF, created in 1989 at the initiative of the G7 member countries, whose function is to create and promote international standards and policies to protect against and combat criminal actions within the global financial system.

More recently, BACEN — following guidelines and recommendations issued by FATF since 2012 — has promoted significant and relevant changes in the national financial system's internal AML regulations. It has, in fact, carried out a broad and in-depth revision of its regulatory norms for AML, in its Circular 3,978 which came into force on 1 October after being issued in January.

The new Circular updates and replaces Circular 3,461, which had been in force since 2009. It aims at improving all work and activities around financial intelligence, in order to protect the national financial system against undue attempts to access and misuse financial institutions in criminal schemes.

In addition to the new Circular 3,978, BACEN issued Circular-Letter 4,001, detailing operations and situations that may constitute evidence of money laundering and terrorist financing, and which may be reported to COAF.

It is now of high importance that BACEN-authorized institutions make a 360-degree evaluation, on a preventive basis, with analysis, review and, more importantly, that they update policies and procedures. They should do this according to a risk-based approach, carrying out an internal evaluation going beyond the institution itself, to its current and future products and services, its customers, employees, service providers and business partners – including distribution channels, such as Internet and mobile banking, as well banking correspondent entities.

A risk-based approach

Circular 3,978 has now introduced a new approach to AML/CFT issues, from the perspective of risk, based on FATF Recommendation No. 1 of 2012 and its Interpretative Note.

The new approach results from criticism and suggestions of change regarding the formulation of AML policies within the Brazilian financial market. Critics said these policies were very inflexible and did not proportionately take into account the particularities of clients, operations and situations where the risks could lead to an institution being more exposed to suspicious transactions.

A direct effect of applying the risk-based approach has been to generate a more appropriate view of allocation of institutions’ resources and efforts, according to the risk gradation measured in each specific situation. This approach is expected to generate the improvement and efficiency of prevention systems and policies.

It is important to emphasise that the risk-based approach is only a methodology – whose application by institutions is now mandatory – rather than an end in itself. This means that, even if institutions create policies, procedures and internal controls aimed at complying with the new regulatory obligation, they must be effective in complying with all their clients’ procedures, weighed and adjusted according to the characteristics of the business models of the institutions, and of the products and services each of their clients offer in the market.

The risk-based approach represents a change in philosophy in the efforts that institutions must undertake to create mechanisms to prevent and combat money laundering and terrorist financing. From now on, institutions must move from a position of merely complying with the rules – of compliance, in short – to a posture of establishing effective AML/CFT management policies and procedures, taking into account the risk matrix of their products and services, and their risk appetite.

The role of "active agent" that institutions must assume, in the context of the system of protection of the entire financial system, becomes more evident in view of the continuous risks arising from attempts to use banks and other institutions as a means and environment to legitimise resources of origins tainted by criminal actions.

Assuming that the risk-based approach represents a new philosophy of action among the institutions in this field, its implementation depends on five essential measures. In sum these are: governance, with the effective commitment of senior management; the on-boarding process of clients and beginning of relationships; monitoring and selection; analysis and communication; and the use of a control panel to gauge the effectiveness of the entire AML preventive system.

In short, the risk-based approach should exist as a result of the operation of an institution's internal regulatory structure, with policies and procedures, and of capability and knowledge-building programs – not only pro forma employee training sessions – that are continuous and widespread throughout the institution's organization, encompassing all employees, service providers and business partners.

Above all, it is now vital that institutions gain access to, and effectively enact, tools and technological solutions aligned with the modernity of digital relationships in the financial market, allowing them to react and make decisions at the same speed as innovations in the current system.

Therefore, institutions’ internal risk assessment should consolidate the risk profile of firstly their clients, secondly the institutions themselves, thirdly their operations, products and services, fourthly their channels and the technology they employ, and finally the activities of employees, business partners and service providers.

Institutions must continually perform their internal risk assessments in relation to all possible risk manifestations to which they may be exposed. Once any risk points and situations are identified, they should evaluate the probability of these materialising, and the magnitude of financial, legal, reputational and socio-environmental impacts relative to themselves. In this task, institutions must create a risk-categorisation matrix, using controls to manage and mitigate the risk in different profiles and degrees. Depending on the classification of each concrete situation based on such a matrix, they should adopt appropriately rigid standards of scenario verification.

The new circular obliges financial institutions to document their internal risk assessments, giving express knowledge of their governance structure. That structure should include the risk committee (provided for in Article 45 of the National Monetary Council Resolution No. 4,557), the audit committee and the board of directors or board of executive officers. The internal risk assessment should be reviewed every two years or, prior to this, if and when there is any change in risk profiles.

Know-your-client procedures

One essential pillar to the structure of financial institutions is a set of procedures allowing each institution to get to know its clients in depth, and so modulate their procedures according to their risk profiles. These procedures should ensure that each institution identifies, qualifies and classifies its clients according to their risk profile. This data and information should be used continuously by the institution, particularly in view of suspicious operations.

Institutions should not initiate any relationship with any client before completing identification and qualification procedures. In case information about the qualification is insufficient, the institution may maintain the relationship for 30 days, but only if the lack of information does not jeopardize the monitoring and selection of situations and operations that may indicate suspicion of money laundering and terrorist financing.

Procedures of identification, qualification and classification must be created and applied not only as regards the clients, but also their representatives and administrators. This, however, must be in a weighted manner – that is, according to the functions the administrator performs, and the extent and scope of the representative.

Identification procedures must be applied in a way that ensures that an institution obtains, verifies and validates the authenticity of not only the information it already stores, but also that which is searched in databases. In basic terms, the name or denomination of the clients, and their addresses, fiscal identity or international travel document (in case of individuals) must be collected.

The know-your-client (KYC) procedure must also approach the qualification of clients using an evaluation that takes into account the client’s status – their qualification profile – and their financial capacity in relation to the characteristics of their relationship with the institution, including the magnitude of the operation, considering elements such as income, billing and heritage.

The qualification, based on the client’s financial capacity, must be verified and validated according to the client’s risk profile and the operation being performed. This evaluation of financial capacity must be provided for in the policy of the institution, as it must be applied continuously in virtue of the evolution of the relationship between institution and client.

As for qualification due to the client's status, the institution must consider in its procedures the verification of the client's condition as a politically exposed person (PEP). Besides the client themselves, the procedures should also be applied to their representatives, relatives and people who are considered "close collaborators".

The rule considers close collaborators as individuals maintaining a close relationship with the PEP. This can be due to joint participation in any legal entity, being the PEP’s trustee, jointly participating with a PEP in arrangements without legal personality – which has been included since 2017 in COAF’s Resolution 29 – and participating in the legal entity control or arrangement created for the benefit of a PEP.

Finally, KYC procedures must take into account how a risk matrix, created through the risk categories defined in an institution’s internal risk assessment, classifies each client.

Identification and qualification of ultimate beneficial owners

The procedures for the identification and qualification of a legal entity must include analysis of its equity participation structure, all the way up to the identification of the individual characterised as its ultimate beneficial owner. The representatives, attorneys and nominated agents that exercise effective command of the legal entity as ultimate beneficiary owners must also be taken into consideration and duly scrutinized.

This rule does not apply in regard to publicly-held companies, cooperatives and not-for-profit legal entities. But the rules for capturing information from persons who are representatives, controllers, administrators and directors remain applicable.

To identify the ultimate beneficial owner of their clients organised as legal entities, institutions must establish a minimum amount of corporate interest based on risk, which may not be greater than 25%. The criteria for determining this minimum value must be substantiated and documented by the institution’s management in a manual of procedures.

An important point about this issue is that if a client resides abroad and is also a client of the same group of the Brazilian institution overseas, it is possible for the Brazilian institution to obtain information directly from its sibling foreign institution. The institution must give access to BACEN regarding the information and procedures adopted.

Customer qualification as a politically exposed person

PEPs in Brazil are considered to be those persons who are qualified by the institution's procedures. These include elected officials, government ministers, directors of indirect public administration entities, judges, the presidents and treasurers of political parties, and members of Brazil’s Federal Audit Court.

The new rule also considers foreign PEPs. These include heads of state or government, high-ranking politicians, senior government officials, general officers and senior members of foreign judiciaries, senior executives of public companies, and political party leaders.

Whenever the institution is dealing with clients residing abroad, it must adopt at least two of the following measures: requesting express declaration from the client regarding such qualification; consulting public information; and/or consulting databases about a PEP.

It is important that AML procedures are also maintained in relation to persons previously considered PEP even when they no longer hold this status. This rule must be applied for five years after an individual stops being a PEP.

As can be seen, the changes introduced by the new Circular 3,978 are complex and require full attention from Brazilian financial institutions and other legal entities authorised to operate by BACEN. This makes these regulatory standards for the prevention and combating of money laundering and terrorist financing a real instrument that has its driving force in internal risk assessment.

Fabio de Almeida Braga is a partner in the banking and financial area of Demarest Advogados in São Paulo, Brazil

Get unlimited access to all Global Banking Regulation Review content