The new regulatory framework for AML in Brazil

José Luiz Homem de Mello
Pinheiro Neto Advogados, São Paulo
jhmello@pn.com.br

Ricardo Binnie
Pinheiro Neto Advogados, São Paulo
rbinnie@pn.com.br

Ana Cristina do Val Fausto
Pinheiro Neto Advogados, São Paulo
afausto@pn.com.br


Following the guidelines of the Financial Action Task Force on Money Laundering (‘FATF’) for the banking sector, Brazil recently changed the regulatory regime for financial institutions, setting forth a risk-based approach for anti-money laundering and compliance matters (‘AML’).

Generally, AML requirements under Brazilian law are set forth in Law No 9.613, of 3 March 1998 (‘Law 9.613/98’). In 2012, Law 9.613/98 was amended and updated by Law No 12,683, of 9 July 2012 (‘Law 12,683/12’), making the rules broader and more stringent. Such laws establish that AML rules are applicable to financial institutions and to a comprehensive list of entities engaging in financial and payment-related activities including, among others, companies rendering consulting, accounting, auditing, advisory, as well as assistance or accessory services, of any nature, in financial transactions.

In this respect, AML requirements in Brazil are also established in specific regulations issued by the Brazilian Central Bank (the ‘Central Bank’) and by the Brazilian Securities and Exchange Commission (‘CVM’).

Based on the terms and conditions established in Law 9.613/98, as amended, the Central Bank enacted certain regulations specifically related to compliance and adoption of AML controls. Currently, the main banking AML regulation is Circular No 3,461, dated 24 July 2009 (‘Circular 3,461/09’), which concentrates the AML rules and procedures that must be adopted by financial institutions and other institutions authorised by the Central Bank.

This rule was recently reviewed and will be replaced from 1 October 2020 by Circular No 3,978, of 23 January 2020 (‘Circular 3,978/2020’). The former provides a more detailed AML procedure, while the latter focuses on a risk-based approach.

The risk-based approach to supervision provides that the controls used in a certain operation or with a certain customer shall be proportionate to the level of risk posed by such operation or customer. Situations classified as low risk should have simplified controls, as opposed to situations classified as high risk.

The risk-based approach allows financial institutions to adopt a more flexible set of measures, target their resources more effectively and apply preventive measures that are commensurate with the nature of the risks, so as to focus their efforts in the most effective way.

Considering such new standards, Circular 3,978/2020 grants each financial institution the power to analyse its own operations and clients and classify their respective risks. Therefore, regulated entities shall conduct a specific internal risk evaluation, with the objective of identifying and rating the use of their products and services vis-à-vis the potential practice of money laundering and financing of terrorism.

Among other changes, Circular 3,978/2020 expands the minimum know-your-customer (‘KYC’) data that is required from customers at onboarding. Regulated entities shall have mechanisms to identify, qualify and classify each customer, by means of the gathering and validation of personal information, and analysis of the compatibility of the customer’s risk profile with the nature of the business relationship, the AML policy and the internal risk evaluation of the institution.

Such procedures shall be permanently re-evaluated, according to the evolution of the institution’s relationship with the customer and the changes to the customer’s risk profile. Additionally, financial institutions are required to have a specific KYC routine for their employees, partners and third-party service providers, including standards for identification and qualification.

In addition, Circular 3,978/2020 establishes that every operation and transaction (regarding, without limitation, every product and service offered by the entity) shall be registered in a manner that allows the institution to identify: (1) the parties involved in the operation; and (2) the origin and recipient of resources; in the case of payment transactions, the receipt and transfer of funds. The new rule also provides a list of people who must be considered politically exposed persons.

Specifically reflecting FATF recommendations, Circular 3,978/2020 also allows financial institutions that are part of worldwide economic groups to implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML purposes. Nonetheless, Circular 3,978/2020 expressly forbids the analysis of suspicious transactions from being outsourced and/or conducted abroad, even if by an entity of the same economic group as the financial institution.

If, on the one hand, the possibility of sharing information within the economic group allows more effectiveness in the analysis and control of suspicious transactions, on the other hand, the Central Bank aims at avoiding situations in which the Brazilian financial institution outsources all the AML procedures to foreign entities. Practical experience has shown that in these situations the AML procedures are usually not parameterised according to the local regulatory requirements.

It is worth mentioning that the risk-based approach was also implemented in the Brazilian capital market with the enactment, on 5 December 2019, of CVM Ruling No 617 (‘ICVM 617’), which entered into force on 1 July 2020.

Like Circular 3,978/2020, ICVM 617 establishes new parameters for implementing AML policies, KYC procedures, monitoring and reporting operations, as well as for enforcing, within the capital market, coercive measures.

Although the new AML regulation is only just enforceable, implementing a risk-based approach can present a number of challenges to financial institutions, which are already mapping out their risks and reviewing their internal controls and procedures to be in full compliance with Circular 3,978/2020 by October 2020.

One of the main challenges is allocating responsibility under the risk-based approach regime. Because financial institutions are granted more flexibility to decide on the most effective way to address their respective risks, it inevitably needs to be considered whether the parameters adopted by the institution are in accordance with what the regulator expects and understands as reasonable.

In this sense, the financial institution’s strategy has to take into account the applicable national legal, regulatory and supervisory frameworks. After all, financial institutions must decide how to address their risks based on the regulator’s guidance. It is interesting that, in the United Kingdom, which implemented the risk-based approach years ago, you can visit the government website to get general guidance on how to risk assess your business for money-laundering supervision.

The Central Bank’s initiatives are therefore an important leap forward in developing a more efficient AML system in Brazil, and it seems that local financial institutions will have some challenges in adapting their internal procedures to the new AML regulatory framework in order to avoid exposing themselves to possible future liabilities.

