Pablo Epifanio, Senior Associate, Morgan & Morgan
The stock market is undoubtedly one of the most important economic forces in the world. Every year, billions of dollars are moved through stock exchange operations, and year after year, in most jurisdictions, the stock market is promoted as a tool for financing or capturing capital for issuers and as an investment for thousands of participants seeking to place their funds in higher yield investments.
Thus, it is not unreasonable to foresee that although the stock market has had such a positive and important purpose, and in which transactions are increasingly sophisticated and complex, may be used for illicit purposes, particularly those related to financial crimes, including laundering of assets, financing of terrorist groups, among others.
This article succinctly analyzes the implications and scope of the compliance measures established in Agreement 6-2015 adopted by the Superintendency of the Securities Market of Panama, based on Law 23 of April 27, 2015, by which measures are being taken to prevent money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction (the “Compliance Act”).
Regulatory Framework for Compliance Measures in Panama
The Compliance Act approved in 2015, regulated by Executive Decree No. 363 of August 13, 2015, which adopts measures that allow entities regulated under it to prevent the use of their platforms and businesses for purposes related to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
The Compliance Act classifies those regulated entities: regulated non-financial entities, regulated financial entities and professional activities subject to supervision. The Compliance Act within the regulated financial entities includes the majority of the participants in the securities market, establishing that the provisions of the same apply to:
a) Self-regulated organizations;
b) Securities Firms;
c) Investment Managers;
d) Pension Fund Management;
e) Unemployment Fund Management;
f) Investment Companies;
g) Self-Managed Investment Companies;
h) Investment Advisers; and
i) Administrative Service Providers of the Securities Market.
An important fact to note is that the Compliance Act, Executive Decree 363 and Agreement 6-2015 do not include the issuers of securities registered with the Superintendency of the Securities Market within their scope of application. This is likely to be the case, since most of the essential intermediaries to carry out a public offering and issuance of securities are subject to regulations, including custodians, payment agents, brokerage firms and investment advisors, they are, in short, those that have a direct relationship with investors. At the same time, the issuer would unlikely be able to properly and efficiently apply due diligence measures to investors with whom it usually does not have direct contact.
The Compliance Act seeks more than anything to establish the regulatory framework applicable to regulated entities in order to facilitate the adequate identification of customers with a risk-based approach, detect funds of illicit origin, establish guidelines regarding the due diligence that regulated entities must applied to their customers, in terms of the application of the “know your customer” policy and encourage the adoption of risk policies.
For the purposes of accurately understanding the applicable legislation on compliance, it is important to keep in mind the definition of “customer” under the Compliance Act: “natural or legal person, as defined by the legal provisions that apply for each economic or professional activity indicated in the Law, with which the regulated financial entities, regulated non-financial entities and activities carried out by professionals subject to supervision establish, maintain or have maintained, in an usual or occasional manner, a contractual, professional or business relationship for the supply of any product or services inherent to its activity.”
Lastly, the Compliance Act empowers the respective regulatory authorities for the activities carried out by the different regulated entities to oversee the compliance with the Compliance Act and adopt regulations that adjust to the reality of each regulated activity.
- Sectoral Regulation Applicable to the Securities Market
The Superintendency of the Securities Market has adopted Agreement 6-2015 of August 19, 2015 (the “Agreement 6-2015”), through which it issued the provisions applicable to regulated financial entities supervised by the Superintendency of the Securities Market, to the prevention of the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
The regulated financial entities supervised by the Superintendency of Securities Market under Agreement 6-2015 have the obligation to maintain due diligence and care in their operations in order to reasonably prevent such operations from being carried out with funds from activities related to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Thus, the regulated entities under the supervision of the Superintendency of the Securities Market must have the mechanisms, policies and methodologies required to manage the risk of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction, taking in consideration factors such as: the risk profile of the activity exercised by the regulated entity, the profile and types of customers of the regulated entitity, the products and services offered by the regulated entity, the distribution or commercialization channels used by the regulated entity, the location of the facilities of the regulated entity, of its customers and final beneficiaries, and the risk of the custodian or correspondent services of the regulated entity.
For the evaluation of the factors described above, regulated entities must apply a “risk-based approach”, which is nothing more than an understanding of the level of risk according to their nature, in order to focus their efforts effectively. Thus, regulated entities subject to supervision must classify their customers by applying a risk-based approach to: (i) high risk customers, (ii) moderate risk customers and (iii) low risk customers; and they should review this classification at least once a year. With this approach in mind, the regulation gives certain entities flexibility to assess the risks in the services they provide, so that they can apply reinforced measures against major risks, basic measures against usual risks and simplified measures against minor risks, managing and / or mitigating risks, as the case may be.
Agreement 6-2015 specifically establishes the minimum information and documentation that should be requested and verified from customers, both for natural and legal persons, as part of the simplified due diligence that regulated entities subject to supervision of the Superintendency of the Securities Market must apply, which include: complete general information, a copy of the customer’s identification, bank and commercial references, support of funds, detail of activities to which he / she is dedicated, among others.
For the purposes of simplified due diligence in the case of legal persons, Agreement 6-2015 seeks to fully identify the final beneficiary of the legal entity and imposes measures and requirements to be obtained from each customer that is a legal entity for that purpose. For the purposes of the final beneficiary, Agreement 6-2015 states that it shall be understood as such, any natural person who individually or by common agreement with other persons, directly or indirectly, is the owner or has the right to exercise the vote with respect to ten percent (10%) or more of the issued and outstanding shares of a legal entity. In addition to the foregoing, the following must also be fully identified: (i) in the case of companies: the administrators, representatives, attorneys-in-fact and signatories of the legal entity; (ii) in the case of private interest foundations: the members of the founding council, founder and protector; and in the case of trusts: the trustee and the trustor.
Agreement 6-2015 establishes that regulated entities under it will have to apply full-range or enhanced due diligence measures for their customers or activities that may represent a high risk, in order to deepen the information of this type of customers. The Superintendency of the Securities Market, as well as other regulators of activities under the Compliance Act, has issued a guide of indicators of suspicious operations and activities in order that the regulated entities can identify high risk customers and timely apply the measures of full-range due diligence.
Among the types of customers that should be subject to full-range or enhanced due diligence, we have, among others:
a) Natural or legal persons or related business persons with natural or legal persons domiciled or incorporated in jurisdictions considered high risk by national or foreign organizations;
b) Individuals or legal entities that appear in national or foreign lists related to the prevention of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
c) Politically exposed persons (PEP), close relatives and close collaborators;
d) Legal persons that receive or offer the correspondent service, with special attention to those domiciled in jurisdictions that have not effectively implemented the recommendations regarding the prevention of money laundering, terrorist financing and financing of the proliferation of weapons of mass destruction;
e) Businesses with a high volume of operations in cash or quasi-cash; and
f) Businesses with a high volume of international transfers to and from countries and high-risk countries that have not implemented the recommendations regarding the prevention of money laundering crimes, financing of terrorism and financing the proliferation of weapons of mass destruction.
When applying full-range or enhanced due diligence measures, regulated entities supervised by the Superintendency of the Securities Market shall require the same information and minimum documentation established for simplified due diligence, and in addition shall: (i) obtain the approval of senior management at the beginning of the business relationship; (ii) update the records of information and documentation, at least one (1) time each semester; (iii) continuous intensified monitoring throughout the commercial relationship and / or (iv) apply any other measure determined by the senior management of the regulated entity.
Simplified due diligence is the most basic policy, procedures and measures defined in the Compliance Act that may be applied by regulated entities to their customers, and are only applicable if in accordance with the risk policies of the regulated entities, based on a risk approach, it is determined that the customers to apply it are of low risk.
Executive Decree No. 363, which regulates the Compliance Act, expressly establishes the simplified due diligence measures allowed to regulated entities:
a) Reduce the documentary review process;
b) Reduce the frequency of customer identification updates; and
c) Reduce the monitoring of the business relationship and the scrutiny of operations that do not exceed the minimum amount established by supervisory bodies.
Although it does not appear so, simplified measures significantly reduce the economic and managerial burden of due diligence measures for regulated entities, especially in cases where it is evident that the business relationship is not or can not be used for illicit purposes.
An important point to be highlighted is Article 28 of the Compliance Act that establishes that the regulated entities – whether they are intermediaries or not in the securities market – will apply simplified due diligence measures to their customers that are legal persons and are listed in a stock exchange recognized by the Superintendency of the Securities Market. That is, to the issuers of common shares or participation quotas, which are duly registered in the Superintendency of the Securities Market and listed on a stock exchange, simplified due diligence measures will be applied by law. Therefore, regulated intermediaries may apply their simplified due diligence measures to their issuing customers, provided that the before mentioned comply with the conditions established in Article 28 of the Compliance Act.
The main purpose of the compliance regulation in question is based more than anything on prevention, that is why in cases where a customer of a regulated entity does not facilitate compliance with the relevant measures of due diligence, the regulated entity may not open the account or start the business relationship or make the proposed transaction.
Agreement 6-2015 establishes that any new account or commercial relationship must comply with the evaluation of the financial and transactional profile of the customer, in order to measure the risk of the products or services offered. For these purposes, “financial profile” means “the result of the analysis of a set of socioeconomic and demographic characteristics and variables that are presented by a customer and verified by the regulated entity at the time of opening the account or beginning of the business relationship; and that it must be enriched with updated and historical information, with the purpose of establishing the common practice that the customer will maintain with the regulated entity.”
Basically, the analysis and processing of the financial documentation required in the course of the simplified or enhanced due diligence measures gives rise to the financial profile that the regulated entity must develop for each customer. On the other hand, the “transactional profile” refers to the “contrast between the financial profile and the frequency and capacity of a customer’s actual transaction in one or several periods of time.”
In conclusion, the obligation of each regulated entity supervised by the Superintendency of the Securities Market is to perform an analysis based on criteria in terms of capacity and financial transaction volume of each customer and then make the contrast between said analysis and the reality of each case.
Agreement 6-2015 establishes two important obligations in regards to the employees of the regulated entities supervised by the Superintendency of the Securities Market: the first obligation is to have a “Know Your Employee” policy, which seeks that regulated entities have personnel selection procedures and supervise the behaviour of their employees, especially those who perform positions related to customer management, fund management, control of information and other important controls. It is also important that regulated entities establish a profile of this type of employees, which shall be updated at least once a year.
The second obligation of the regulated entities in regards to their employees is the obligation to carry out continuous and specific trainings at least once a year, to the employees with roles related to the management, communication and handling of customer and supplier relationships, receipt of funds, transaction processing, product design and services, compliance, risk, human resources, technology and internal auditing in a way that allows them to be updated on the different types, cases and regulations of money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction.
One of the most important tools that the Compliance Act and the Agreement 6-2015 gives to the regulated entities supervised by the Superintendency of the Securities Market are the Suspicious Operations Reports (ROS) and the Unusual Operations Reports (ROI) to the Financial Analysis Unit (UAF). Many times we tend to use these terms as synonyms when they are different and have different implications.
“Suspicious operation” is understood as an operation that can not be justified or sustained against the financial or transactional profile of the customer or that which may be related to illicit purposes. On the other hand, “unusual operation” is understood to be one that is not consistent with a financial or transactional profile declared by the customer or that exceeds the parameters set by the regulated entity in the due diligence process performed on the customer, and that consequently must be justified.
Thus, unusual operation means in short an alert for the regulated entity that the operation is not regular, based on the expected behavior of the customer or exceeds the criteria set for the customer in terms of financial capacity or volume of transactions, and the customer must be required to sustain the operation. Suspicious operation, on the other hand, is one that has no way to be justified or that can reasonably be considered to be linked to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Executive Decree No. 363 that regulates the Compliance Act establishes that the regulated entities must have measures that allow the timely detection of unusual operations in order to analyze them and rule out or corroborate the unusual operation. Unusual operations that can not be corroborated or verified according to the customer’s profile may be reported by the regulated entity as suspicious transactions.
In addition, operations suspected of being related to the crimes of money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction shall be reported as suspicious transactions to the Financial Analysis Unit within 15 calendar days from the detection of the event, transaction, operation or control failure.
In addition, the regulated entities have the obligation to report transactions in cash or quasi-cash, for amounts exceeding the sum of Ten Thousand Dollars (US$10,000.00), legal currency of the United States of America, within the first 10 business days of each month. “Quasi-cash” means, for these purposes, cashier’s checks, travel checks, orders issued to bearer, multiple endorsements, blank endorsements, and other negotiable documents.
All reports to the Financial Analysis Unit must be made through the compliance officer, who will be the liaison person with said entity in regards to the regulated entities supervised by the Superintendency of the Securities Market.
Agreement 6-2015 establishes the obligation for regulated entities supervised by the Superintendency of the Securities Market to adopt, through its Board of Directors, a Prevention Manual that must be reviewed at least one (1) time a year and must contain at least:
1) Mechanism, policies and methodologies for administration and policies for mitigating the risk of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
2) The classification of customers according to the risk-based approach;
3) The “Know Your Customer” policy;
4) The “Know Your Employee” policy;
5) The periodicity of the reviews and updating of the information and documentation of the customers;
6) Policies relating to correspondent relations;
7) Policies relating to customers or high-risk activities;
8) Policies regarding the confidentiality and protection of information;
9) Contingency plans for information retrieval in cases of disasters;
10) Internal control policies;
11) Norms of self-evaluation of the degree of risk and good practices for the prevention of the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
12) Ethical norms and standards;
13) The liaison person with the Financial Analysis Unit;
14) Management of ROS and other reports to the Financial Analysis Unit;
15) Formation of the Ethics and Compliance Committee and the Audit Committee.
Regarding the Ethics and Compliance Committee, Agreement 6-2015 provides that all regulated entities supervised by the Superintendency of the Securities Market must have one to approve the opening of accounts or the commencement of business relations for customers or activities requiring full-range or enhanced due diligence measures to be carried out, and the follow-up to this type of high risk customers. This committee must be formed by at least three (3) members of the Board of Directors. The Ethics and Compliance Committee must also plan, coordinate and ensure compliance with current regulations on the prevention of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Likewise, Agreement 6-2015 provides that all regulated entities supervised by the Superintendency of the Securities Market must have an Audit Committee that is responsible for the execution, evaluation and effectiveness of the internal control systems of the regulated entity, in order to monitor the internal measures and softwares used in relation to the protection of information, prevention of unlawful acts and compliance with current regulations on the prevention of money laundering crimes, financing of terrorism and financing the proliferation of weapons of mass destruction.
All regulated entities supervised by the Superintendency of the Securities Market must update the information and documentation of their customers at least one (1) time per year for all customers and one (1) time per semester for customers subject to full-range or enhanced due diligence measures. At the same time, they must safeguard the information, documentation and records of the operations carried out, for a minimum period of five (5) years from the termination of the commercial relationship with the customer.
The Compliance Act classifies sanctions in two types: Generic Sanctions and Specific Sanctions. Generic sanctions are those established by said Law for breaches of the provisions of the Compliance Act or its sectoral regulations, including as such Agreement 6-2015, for which there is no specific sanction, which will consist of a fine of US$5,000.00 to US$1,000,000.00. Specific Sanctions are those applicable to specific breaches of the Compliance Act or its sectoral regulations, as regulated by the regulatory authority of the respective activity. The Superintendency of the Securities Market has not regulated the specific sanctions to date, for which generic sanctions (fines) will be applied pursuant to article 60 of the Compliance Act.
The fines imposed for breaches of the Compliance Act may be collected through the coercive jurisdiction of each supervisory body, or through the coercive collection process before the General Revenue Directorate. These fines are without prejudice to any civil or criminal liability that may arise.
Executive Decree No. 363 provides a clear picture in terms of the seriousness of the infractions, since it lists some breaches as infractions with minor severity, medium severity and maximum severity. This allows the regulated entity to identify the level of severity of the sanction for the non-compliances listed.
Finally, Executive Decree No. 363 gives the supervisory bodies of each activity the right to cancel, withdraw, restrict or remove licenses, Certificates of Competence or other authorizations from regulated entities that violate the provisions in force regarding compliance, subject to the verification of the sanctioning processes that correspond.
It is a true and lawful translation into English of the original document written in Spanish. Panama, March 12, 2018. Michelle Williams – Authorized Public Translator – Resolution No. 5775 of November 12, 2014, Republic of Panama.