On February 23, 2022, the Austrian Financial Market Authority (FMA) published updated circulars regarding the prevention of money laundering and combat of terrorist financing (ML/TF). These changes affect all four circulars, namely the circulars on Due Diligence Obligations, Risk Analysis, Internal Organisation, and Reporting Obligations.
This article summarises the main changes of the updates. It intends to assist obliged entities to quickly identify whether and to what extent their internal policies need to be amended.
Primary changes of the FMA circulars
The primary changes briefly outlined below include:
- An introduction of a risk-based “Know-Your-Customer's-Customer” (KYCC) principle when obtaining information regarding the purpose and nature of the business relationship and checking the Source of Wealth;
- New requirements concerning the continuous monitoring of business relationships and analyzing the Source of Funds;
- Clarifications regarding the identification and verification of identity of beneficial owners of private-equity funds;
- Clarification of due diligence obligations regarding the WiEReG-Compliance Package;
- Adjustment of due diligence obligations for registered service providers regarding virtual currencies;
- Adjustment of the circular “Risk Analysis” according to the results of the current Austrian National Risk Assessment of ML/TF.
The changes are explained in more detail below.
Background of the updates
The update of the FMA circulars was necessary due to new legal amendments, mainly the introduction of the WiEReG-Compliance Package and the revised definition of money laundering in the Austrian Criminal Code. Furthermore, the revised EBA guidelines on ML/TF risk factors from March 1, 2021, and the National Risk Assessment of ML/TF from May 2021 had to be considered. Additionally, the newly introduced obligations for registered service providers regarding virtual currencies needed to be included.
The amendments to the FMA circulars will require all entities subject to the obligations of the Austrian Financial Market Anti-Money Laundering Act (FM-GwG) to adjust their internal ML/TF strategies, systems, and procedures.
Main changes to the FMA circular on due diligence obligations:
The FMA now requires obliged entities to obtain in individual cases additional information and, if necessary, documents on significant business partners and relevant contracting parties of clients, depending on the risk of the client or the transaction. The information should then be added to the KYC-profile of the client.
Obtaining KYCC information is intended to help gather information about the legal origin of the funds used and to identify and investigate irregularities.
In contrast to the consultation draft, the final circular contains examples of the application of the KYCC-principle:
- Example 1: the corporate client of a bank exports goods to a high-risk country. Before establishing a business relationship with this client, the bank must obtain information on the client's business activities and business environment. The bank must further obtain information on the client's main business partners and thus, on the legal origin of the funds used in the transactions.
- Example 2: the bank has a client that is an individual selling real estate. In the event of certain risk factors – such as excessive or non-marketable prices, complex structure, unusual payments, etc. – the mere submission of the sales contract will not be sufficient. Rather, additional information on the legal origin of the funds used and thus on the business partner (the buyer of the real estate) of the client needs to be collected.
Altogether, the validity of the information or documents required is based on the respective risk of the client or the transaction. The higher the risk, the stricter the requirements on the validity of the information or documents regarding the business partners of the client.
We regard the obligation to obtain KYCC information as rather problematic as there is no legal basis for such requirements. Neither European Law nor the FATF-recommendations indicate a KYCC requirement. Also, it is not clear in which cases such obligation needs to be fulfilled. Further clarifications by the FMA would be desirable.
Ultimately, serious constitutional, data protection, and civil law concerns arise in this context. It remains to be seen how the FMA will concretize the KYCC-principle in their supervisory practice and whether it will stand up to judicial review.
Clarifications regarding source of wealth
The requirements of a source of wealth (SOW) due diligence were only vaguely described in the previous version of the circular on due diligence obligations, which led to legal uncertainty.
The FMA now clarifies that during ongoing monitoring of the business relationship, the SOW shall be assessed, and the origin of the client’s assets shall be adequately documented. It is possible that the client has either generated the assets himself or has received them from third parties, such as in the case of a sale-and-purchase or donation agreement. If the client's assets derive from third parties and a high risk exists, it will be necessary to validate the SOW through additional information or documents obtained from independent sources.
Further, the FMA clarifies that in certain cases, simply obtaining a contract document without any further information on the SOW will not be sufficient (keyword: KYCC-principle). However, during consultations members of the insurance sector rightfully pointed out that a SOW check is not feasible in practice. After all, clients are very often subject to data protection or confidentiality obligations vis-à-vis their clients themselves.
Lastly, the circular lists risk factors to be considered when validating transactions and assessing the extent of documentation required in the course of SOW checks. Such risk factors include, among others, the duration of the business relationship, amount and number of transactions, risk classification, as well as the client’s financial situation and payment history. The SOW check must be based on the risk of the individual transaction as well as the risk represented by the customer, implying that suspicious transactions of standard risk clients must also be scrutinized in depth.
Tightened requirements regarding ongoing monitoring of business relationships: source of funds
The FMA states that during the ongoing monitoring of the business relationship, it might also be required to examine the source of funds (SOF) in addition to the SOW, due to the fact that funds serving the purpose of terrorism financing originate from both legal and illicit sources. Consequently, information regarding the purpose of the business relationship or transaction needs to be obtained and validated. Obliged entities may not exclusively rely on clients’ verbal statements but must additionally obtain documentation on the SOF.
As there is no legal basis for such a check of SOF, we consider this requirement to be rather disproportionate. It is unclear how such a check of SOF could be implemented. During consultations, market participants pointed out that it is hardly feasible to validate verbal information provided by clients and to obtain written evidence regarding SOF.
Lastly, the FMA clarifies that comprehensive records of a client’s KYC information form the basis of ongoing monitoring. Depending on the client’s risk, the business model, payment history, key business partners and transactions, as well as information on products and supply, need to be documented. Obliged entities must be in a position to understand why a business partner of a client conducts a transaction and also the purpose of such transaction.
Simplifications regarding beneficial owner identification
Recent amendments to the WiEReG-Compliance Package facilitate the identification and verification of identity of beneficial owners. Hence, obliged entities are allowed to identify and verify the identity of clients’ beneficial owners based on risk, making use of an extended excerpt of the Austrian Register of Beneficial Owners and the documents included in a complete Compliance Package. However, they need to assure themselves that the documents included in the Compliance Package, together with any extra information available, provide for sufficient KYC-information. If they conclude that additional information or documents are required, such need to be obtained. In the end, there must not be any indications that could raise doubt as to the accuracy and completeness of the documents included in the Compliance Package.
The FMA further highlights the change service pursuant to Section 9 para 9 of the Austrian Beneficial Owners Register Act (WiEReG). Obliged entities can receive automated notifications regarding a change in clients’ beneficial owners. This change service helps obliged entities to keep data on clients’ beneficial owners up to date and its use is recommended.
However, besides these simplifications, the circular clarifies that obliged entities may not make use of the risk-based approach when it comes to the verification of the identity of beneficial owners. Accordingly, the scope of the verification process remains the same at all levels and the identity of each intermediary needs to be verified based on conclusive documentation. When establishing a new business relationship with a corporate client, obliged entities must obtain a corresponding excerpt of the Register of Beneficial Owners.
The circular has further been amended by a new paragraph regarding the identification and verification of identity of beneficial owners where PE-funds are part of the ownership chain. Multiple parties are involved in the set-up of a PE-fund, such as fund managers, General Partners, investors and advisers. Thus, it might be possible that multiple parties exert joint control within the meaning of the WiEReG over the PE-fund. Consequently, agreements and side letters that disclose rights and obligations of the parties involved are an important source of information when conducting KYC due diligence.
What virtual currency service providers need to know
The FMA has added clarifications regarding the specific due diligence obligations of virtual currency service providers (VASPs) to all circulars, responding to the increasing interest in digital assets and virtual currencies. Namely the circular on due diligence has been amended by a separate section concerning the requirements for and the procedure of registering as a VASP.
Mainly, VASPs need to consider that the KYC due diligence obligations not only apply when establishing a permanent business relationship with a client, but also in the event of occasional transactions exceeding EUR 15,000 or an equivalent amount of virtual currencies.
It shall be particularly noted that the FMA is of the view that the European Transfer of Funds Regulation applies “equally to transfers of virtual currencies”. We do not share this view. The regulation explicitly only applies to transfers of funds to or from (intermediary) payment service providers. Virtual currencies are not covered by the legal definition of “funds” as stated in Art. 3 no. 9 of the Transfer of Funds Regulation in conjunction with Art. 4 no. 15 of the Payment Services Directive. However, the FMA has ignored respective criticism during the consultation phase.
Consequently, the FMA is of the view that before carrying out a transaction, VASPs need to obtain information and conclusive evidence as to who the owner of the respective sender or receiver wallet is. By this, traceability of transactions involving virtual currencies should be ensured and the number of anonymous transactions reduced.
The FMA further provides information on how VASPs should comply with KYC due diligence obligations. Documents that might serve as proof of SOW are, for example, extracts from the client’s wallet (hot and cold storage), receipts regarding purchases and sales of virtual currencies, as well as documentation of mining activities.
The FMA also clarifies that in the course of the ongoing monitoring of transactions, both transactions of fiat currencies and virtual currencies must be monitored. Transactions involving virtual currencies should be monitored not only by physical monitoring, but also by IT monitoring systems.
We advise making employees aware of the above-mentioned amendments by way of training courses. Additionally, internal instructions and processes should be adapted accordingly.
FMA circular on risk analysis
The updated FMA circular on risk analysis takes into account the current Austrian National Risk Assessment from May 2021. It provides an overview of the current most important predicate offences, ML/TF schemes and risks. The most common ML/TF activities involve cryptocurrencies, money mules (illegal financial agents), hawala (informal value transaction system for transfers to home countries) and document forgery.
Further, an overview of the results of the Austrian National Risk Assessment regarding several sub-sectors of the financial sector was added to the circular.
The FMA now also requires that the EBA ML/TF Risk Factors Guidelines must be taken into account when conducting the risk analysis at corporate level. Also, the current Supranational Risk Analysis of the European Commission might provide valuable input for defining and analyzing relevant risk factors.
Lastly, new risk factors concerning clients, products, services, transactions and distribution channels regarding individual clients as well as risk factors for determining and analyzing risks about virtual currencies were added to the risk analysis.
We advise including these amended risk factors at the latest in the course of the next regular update of your company's internal risk analysis.
FMA circular on internal organisation
Guidance was added to the FMA circular on internal organisation concerning the auditing of organizational units responsible for ML/TF by either internal audit or an independent body. Regular audits need to take place at least once a year; otherwise, appropriate measures must be put in place. These include quarterly meetings with the internal auditing unit and other audit actions.
The scope and extent of the audit depend on the type and size of commercial activity as well as the size of the obliged entity. This also applies to branches of credit institutions from the EEA having a registered office in Austria.
FMA circular on reporting obligations
The FMA circular on reporting obligations has been amended by a list of conspicuous features concerning business relationships, transactions and other activities involving virtual currencies. These conspicuous features are particularly relevant for VASPs and for all business models involving cryptocurrencies.
The circular now also covers additional types of predicate offences and the new definition of money laundering pursuant to Section 165 of the Austrian Criminal Code. Obliged entities need to consider these when filing suspicious activity reports pursuant to Section 16 FM-GwG as well as in their internal policies and procedures in order to keep them up to date.
What we can do for you
Our comprehensive ML/TF know-how enables us to thoroughly support you in updating your ML/TF policies, handbooks, risk analyses and any other document or process associated with the new requirements. We are looking forward to your enquiry.