The obligations of Subject Persons when outsourcing Compliance

12 July 2021

Jinesia Dimech


As a result of continuously growing compliance requirements, the outsourcing of compliance functions has increased in popularity. Increasing compliance requirements mean that firms are subject to higher operational costs; when subject persons choose outsourcing, they therefore have the advantage of reducing costs while also focusing on their core business.

When a subject person chooses to outsource the compliance function, this would mean that the subject person has delegated its AML/CFT obligations to a third party, therefore entering into an agreement where the third party would be responsible for the implementation of the agreed measures and procedures. These obligations would relate to the implementation of risk assessment procedures, the implementation of CDD procedures and the implementation of record keeping obligations. It is very important to bear in mind that outsourcing is to be allowed only to the extent of the implementation of a subject person’s policies and procedures.

The PMLFTR clearly states that it is the subject person’s responsibility to ensure that it is abiding by AML/CFT obligations, and this responsibility can never be delegated. Consequently:

• Prior to outsourcing the compliance functions, the subject person must assess any potential ML/FT risk due to the proposed outsourcing, maintain a written record of the assessment and monitor the perceived risk. The documented assessment must be available to the FIAU upon request.

• The subject person must also ensure that the third party is in good standing and has the necessary competence and resources to be able to complete the delegated functions effectively. The third party must be located and operating from Malta, an EU member state or another reputable jurisdiction.

• While outsourcing is allowed for the implementation of policies and procedures, it is the subject person’s ultimate responsibility to ensure that these are sufficient to tackle all risks the subject person is exposed to. The subject person must also ensure that such policies and procedures are in line with all applicable legal requirements, and that they are implemented effectively.

• The subject person must continuously monitor the functions carried out by the third party. This can be done effectively by regularly conducting spot checks and also through the request of CDD information on particular clients.

• Another fundamental obligation is that the subject person must have a contingency plan in place in case the outsourcing agreement is suddenly terminated. It is crucial that, in the case of such an event, the subject person is able to resume the implementation of the outsourced functions without undue delay.

• At all times, the subject person will remain responsible for the acceptance or rejection of a customer, the termination of a business relationship and the agreement to any occasional transactions.

• Filing of an STR with the FIAU remains at the discretion of the subject person’s MLRO. Therefore, the subject person must ensure that even the third party can submit reports to the MLRO. This would mean that in case a third party flags unusual transactions, they would be obliged to submit an internal report to the MLRO, and subsequently the MLRO would assess the situation and decide if an STR should be filed.

• The subject person must also ensure that the third party is not subject to any obligations which can lead to a breach of any data protection and professional secrecy obligations that the subject person should adhere to.

It is of utmost importance that the subject person abides by the above requirements as the FIAU will always consider the subject person as responsible for compliance with its AML/CFT obligations.
