In an ever more challenging and complicated world, the concept of ‘outsourcing’ has gained further traction amongst subject persons who seek to entrust a portion of their responsibilities to sector-specific experts who might be better equipped to perform key functions.
It goes without saying that Regulators in Malta are constantly requesting that licensed entities (in particular) maintain a ‘Culture of Risk and Compliance’ adhering to the strictest norms of ‘good governance’ and management. It is within this context that the legal requirements of ‘outsourcing’ should be further explored with some practical guidelines explained as cogently as possible.
From a Maltese perspective, outsourcing is best understood as the engagement of a third party by a Subject Person (SP) to carry out an activity, process or service which would normally be carried out by the SP itself (for example, the verification of the identity of individuals). However, the FIAU’s Implementing Procedures (IPs) are unequivocal in their stance that the acquisition of software, or access to commercial databases processed by a third party, is not to be considered as outsourcing.
‘Outsourcing vs Agency’
What is important to consider is that in the case of outsourcing, the subject person is delegating the fulfilment of its obligations to a third-party service provider who has no relationship with the SP’s customer, while in the case of an agency arrangement, the agent is merely an extension of the SP rather than a separate and distinct entity with its own Customer Due Diligence obligations.
‘Outsourcing vs Reliance’
Most practitioners tend to confuse Outsourcing with Reliance. In the majority of cases, the two terms are used interchangeably within the same phrase or argument, yet there are important distinctions which one must consider.
In the case of Reliance, the Subject Person would typically rely on another Subject Person or Third Party who has carried out Customer Due Diligence (CDD) in order to meet its own AML/CFT obligations. However, an important caveat is that no reliance can be placed on another party insofar as Risk Assessment (Business Risk and Customer Risk) and/or On-going Monitoring obligations are concerned. Strictly speaking, ‘Reliance’ is restricted to relying on CDD measures undertaken by another Subject Person or third party.
Furthermore, Outsourcing does not extend to the appointment of the MLRO or of the Officer in Charge of the Monitoring Function (e.g. a Compliance Officer), since these functions must be specifically carried out by an officer of the Subject Person.
Key Obligations to consider
The FIAU’s Implementing Procedures also outline a number of obligations subject persons should consider when outsourcing their obligations. These include, ‘inter alia’, the fact that responsibility can never be delegated and must always be assumed by the SP itself. An SP may also engage consultants to assist in constructing/formulating its Risk Assessment; however, it is the SP’s ultimate responsibility to ensure that these address the specific Money Laundering/Financing of Terrorism risks to which it is exposed.
The Compliance & AML Unit must also effectively monitor how the SP is carrying out its outsourced AML/CFT measures and corresponding procedures, to ensure that these are being carried out as required by law. Moreover, ‘Periodical Reports’ should be provided by the outsourced service provider to the SP. Also worth mentioning is the obligation of the SP to ensure it has a contingency plan in place in the event of a sudden termination of the outsourcing arrangement (this is often enshrined in the SP’s Business Continuity/Disaster Recovery Policy).
What may be outsourced?
For the purposes of this article, it is also important to consider that the obligations that may be outsourced relate solely to the implementation of Risk Assessment Procedures (as per Regulation 5 of the PMLFTR); the implementation of CDD Procedures (as per Regulations 7 to 11 of the PMLFTR); and the implementation of Record-Keeping Obligations (as per Regulation 13 of the PMLFTR).
The aforementioned three functions are collectively known as: General Outsourced Activities.
Sphere of Responsibility
A Subject Person is always responsible for all other obligations including, ‘without limitation’:
1) Customer Acceptance;
2) Not approving/entering an engagement with a Customer;
3) The Termination of a Business Relationship;
4) Undertaking an Occasional Transaction.
It is also worth mentioning that provision is made in local law whereby outsourcing of the monitoring function is allowed, albeit only in certain ‘specific’ circumstances. When the SP opts to outsource its AML/CFT obligations, the monitoring role would involve ensuring that the outsourced service provider is fulfilling its contractual obligations and carrying out the necessary controls, whilst also monitoring the implementation of those AML/CFT obligations, if any, that have not been outsourced.
Where the Monitoring Function is entrusted to someone other than the MLRO, it has to be carried out by ‘an officer’ of the subject person (i.e. a person of sufficient seniority and command, occupying a managerial position).
The above-mentioned two requirements are considered to be equivalent to the requirements for the appointment of an MLRO, i.e. an officer of the subject person having sufficient seniority and command, and are therefore to be construed in the same manner, including the restrictions on outsourcing.
On a case-by-case basis, the subject person has to decide, based on the volume of oversight work involved, whether a dedicated monitoring function is necessary or whether this role could be equally handled by the MLRO.
Extending Internal Reporting Lines
When extending internal reporting lines (including situations where the SP has outsourced on-going monitoring to a third party), it is important to note that:
- the MLRO should, at all times, understand and be in agreement with the filtering criteria used and the methodology adopted;
- when a decision is taken not to proceed with submitting an internal report to the MLRO, a written record has to be kept of that decision and of the reasons why it was decided not to file the internal report;
- when a decision is taken not to forward a report to the MLRO, the employee who made the report has to be informed of the decision. If the employee still considers that the report should be escalated to the MLRO, the internal procedures should be such as to still enable the employee to submit the report directly to the MLRO.
Nevertheless, an SP may still engage a third party to flag unusual transactions that may become the subject of an internal report to the MLRO or, where applicable, to the Designated Employee (DE), or engage consultants to assist in determining whether an STR is to be filed or otherwise. However, it is important to note that the determination as to whether an STR should be filed is not subject to any form of Outsourcing. This is to remain within the discretion of the MLRO.
The Regulator’s position on outsourcing
The FIAU sets out specific requirements that must be met for outsourcing to be permissible. In this connection, prior to outsourcing the General Outsourced Activities to a third party, the SP should:
- make an assessment of any potential ML/FT risk arising from the proposed outsourcing (this is often classified as an ‘Outsourcing Risk Assessment’);
- maintain a written record of the assessment; and
- monitor the perceived risk.
Moreover, to ensure the necessary competence and resources to undertake the General Outsourced Activities, the SP is required to ensure that the outsourcing does not prejudice the subject person’s ability to comply with its obligations at law, nor the effectiveness of the subject person’s compliance and audit functions. Also, the third party should have the necessary resources, qualifications, skills and authorisations (if required) at its disposal to effectively carry out the measures and procedures it is to perform on behalf of the SP.
Another key point to consider is the way in which the third party proposes to implement the General Outsourced Activities on behalf of the subject person; the SP must make sure that these are in line with all applicable legal requirements and with the SP’s own policies and procedures.
The third party should also be in ‘good standing’ and there should not be any adverse information in its regard. The third party should also be located in, and operating from, Malta, an EU Member State or another reputable jurisdiction.
Finally, the third party should not be subject to any obligation that would lead to a breach of any data protection, professional secrecy, confidentiality or non-disclosure obligation to which the subject person has to adhere.
Added to the above is the fact that the subject person must maintain a copy of the Risk Assessment undertaken prior to entering into an outsourcing arrangement and shall make it available to the FIAU (or any Regulator) upon request.
Furthermore, General Outsourced Activities entrusted to a third party must be regulated by a ‘Written Agreement’ (Contract) with certain minimum requirements. Note that the SP might be requested by the FIAU or any other relevant supervisory authority to provide the authority concerned with the original or a copy of that document. Within this context, it is also important to note that the Regulator will expect records related to outsourcing (and reliance arrangements) to be retained for a minimum period of five (5) years from the conclusion/termination of any such arrangement.
Local Authorities in Malta also consider Outsourcing to be a ‘Risk Factor’ (which poses threats and vulnerabilities of its own). It is therefore recommended that ‘Outsourcing’ is also factored into the SP’s Business Risk Assessment.
The above-mentioned article is based solely on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with any of our representatives to seek further information, please contact us for an appointment.
 ‘Third party’ = any person who does not constitute part of the subject person and is thus considered to be an external person to the subject person. This would include any person to whom the subject person may have outsourced any of its functions, processes, etc.