This Technical Note sets out the findings and recommendations made in the context of the 2019 Financial Sector Assessment Program for Austria in the areas of Anti-Money Laundering/Combating the Financing of Terrorism. It provides a targeted review of Austria’s progress in addressing the Money Laundering/Terrorism Financing vulnerabilities. Several initiatives, the amendments introduced to the Financial Markets Anti-Money Laundering Act, the Beneficial Owners Register Act, and other sectoral laws have led to significant enhancements of the legal and regulatory framework which resulted in a number of upgrades on technical compliance ratings by the Financial Action Task Force in the context of the two follow-up reports. The authorities took steps to transpose the Fourth and the Fifth Anti-Money Laundering Directives into national legislation. Steps have been taken to improve the legal and regulatory framework that applies to lawyers, notaries and tax advisors, and other Designated Non-Financial Business and Professions, but there is room for enhancing implementation. The authorities have recently adopted a comprehensive set of reforms to enhance entity transparency, including through the establishment of a Register of Beneficial Ownership.

Abstract

This Technical Note sets out the findings and recommendations made in the context of the 2019 Financial Sector Assessment Program for Austria in the areas of Anti-Money Laundering/Combating the Financing of Terrorism. It provides a targeted review of Austria’s progress in addressing the Money Laundering/Terrorism Financing vulnerabilities. Several initiatives, the amendments introduced to the Financial Markets Anti-Money Laundering Act, the Beneficial Owners Register Act, and other sectoral laws have led to significant enhancements of the legal and regulatory framework which resulted in a number of upgrades on technical compliance ratings by the Financial Action Task Force in the context of the two follow-up reports. The authorities took steps to transpose the Fourth and the Fifth Anti-Money Laundering Directives into national legislation. Steps have been taken to improve the legal and regulatory framework that applies to lawyers, notaries and tax advisors, and other Designated Non-Financial Business and Professions, but there is room for enhancing implementation. The authorities have recently adopted a comprehensive set of reforms to enhance entity transparency, including through the establishment of a Register of Beneficial Ownership.

Executive Summary1

This Technical Note (TN) sets out the findings and recommendations made in the context of the 2019 Financial Sector Assessment Program (FSAP) for Austria in the areas of AML/CFT. It provides a targeted review of Austria’s progress in addressing the ML/TF vulnerabilities in the banking sector, including AML/CFT supervision and cross-border activities, progress in enhancing the transparency of legal persons and arrangements, and risks related to virtual assets (VAs) and virtual assets service providers (VASPs). This review is not an assessment or evaluation of the country’s AML/CFT regime. In this regard, Austria’s AML/CFT system was assessed by the Financial Action Task Force (FATF) against the current FATF standard and the Mutual Evaluation Report (MER) was adopted in September 2016. The authorities are focused on improving the effectiveness of the legal, regulatory, and supervisory framework in mitigating ML/TF risks.

Since the 2016 MER and the 2013 FSAP, the authorities have taken significant steps to strengthen the country’s AML/CFT regime. Several initiatives, in particular the amendments introduced to the Financial Markets Anti-Money Laundering Act (FM AML Act), the Beneficial Owners Register Act (BORA), and other sectoral laws have led to significant enhancements of the legal and regulatory framework which resulted in a number of upgrades on technical compliance ratings by the FATF in the context of the two follow-up reports (FURs). The authorities took steps to transpose the Fourth and the Fifth Anti-Money Laundering Directives (4AMLD and 5AMLD) into national legislation. Steps have been taken to improve the legal and regulatory framework that applies to lawyers, notaries and tax advisors, and other Designated Non-Financial Business and Professions (DNFBPs), but there is room for enhancing implementation.

The authorities have recently adopted a comprehensive set of reforms to enhance entity transparency, including through the establishment of a Register of Beneficial Ownership. A Register of Beneficial Owners of Companies, Other Legal Entities and Trusts was created in 2017 (through BORA) to implement the 4AMLD, which helped to address some of the deficiencies identified in the 2016 MER in the area of beneficial ownership (BO) information, ensuring that legal persons and arrangements have an obligation to obtain and maintain up-to-date BO information and provide this to the register. Competent authorities have timely access to this information through the register. The BO Register is a key development in the fight against ML/TF and has contributed to increasing entity transparency. In July 2019, the BORA was amended to transpose the 5AMLD into domestic law.

Austria is in the process of reviewing its ML/TF national risk assessment (NRA), which is critical to enabling the authorities to take appropriate risk mitigation measures and allocate resources accordingly. Austria’s last ML/TF NRA was completed in 2015 but was not comprehensive. Since then, the authorities have been taking actions to deepen their understanding of ML/TF risks. In reviewing the NRA, the authorities should ensure that the exercise includes a comprehensive review and assessment of the ML/TF threats and vulnerabilities (i.e., the extent to which legal persons and arrangements can be, or are being, misused for ML/TF purposes, VAs/VASPs risks, etc.). Following the revision of the NRA, the authorities are encouraged to take adequate measures to address the ML/TF risks and adopt an AML/CFT strategy and action plan to inform the national policies and priorities in line with the findings of the NRA.

The Austrian authorities have demonstrated a strong commitment to strengthening banking AML/CFT supervision and addressing cross-border related risks, but there is room for further improvement. In general, the Financial Market Authority (FMA) has a sound understanding of ML/TF risks and vulnerabilities present in the institutions under its supervision. The FMA has adopted a risk-based approach to AML/CFT supervision and has developed an offsite risk rating tool to classify financial institutions (FIs) in terms of ML/TF risk profile, which forms the basis for its supervisory strategies and resource allocation. The methodology and risk-scoring tool for the supervision of ML/TF are good developments but should be further refined. The authorities should consider revising the results generated by the tool to ensure that they are in line with the ML/TF risks profile of banks and incorporate the cross-border exposure better. Currently almost 80 percent of the banks are rated low risk.

Austria’s large financial sector, the possibility to establish complex ownership structures, the cross-border linkages, and the significant exposure to Central, Eastern, and South Eastern Europe (CESEE) countries make it vulnerable to ML/TF risks. The FMA has intensified AML/CFT supervision and placed more emphasis on the banking sector. This is a positive development, and the authorities are recommended to build upon this to further strengthen the supervisory practices. In particular, the authorities should consider revising the approach to onsite related activities and ensure that the supervisory cycle is shortened to ensure that banks are subject to onsite inspections on a more regular basis. This would ensure that they are compliant with the AML/CFT framework and have a robust risk management framework to address cross-border linkages (such as exposures to non-resident customers and offshore corporate structures, particularly from CESEE countries).

High-profile cross-border ML/TF scandals involving large international institutions, including some Austrian banks, call for additional efforts on group-wide supervision regarding risk management systems and controls, and to mitigate cross-border risks. AML/CFT supervision of FIs is the primary responsibility of national AML/CFT supervisors, but uneven AML/CFT supervision, regulatory arbitrage as well as differences in the implementation of the FATF standard contributes to increased ML/TF risks in the Euro Area. Accordingly, the authorities are encouraged to support the establishment of a Euro Area or EU level arrangement directly responsible for AML/CFT supervision. As the national AML/CFT supervisor, the FMA has taken steps to ensure that banks implement sound risk management systems, which in turn could help contain financial integrity risks and prevent exposing the banks to reputational risks, among others. Efforts are underway to supervise cross-border risks and ensure that group-wide policies and procedures are implemented so that branches and subsidiaries, particularly those in CESEE countries, properly manage the ML/TF risks. The authorities should continue to focus on cross-border risks and the effective implementation of customer due diligence (CDD) obligations, including, but not limited to, the application of enhanced due diligence (EDD), in particular for higher risk activities and categories of clients, to ensure that financial integrity risks are mitigated.

Good practices for communication between the AML and the prudential teams should be further enhanced. In particular, the authorities are encouraged to foster increased collaboration and exchange of information between the AML team and the prudential supervisors (including the National Austrian Bank (OeNB) and the European Central Bank (ECB)) so that they can be informed on a timely basis and gain a deeper understanding of the ML/TF risks and their possible impact on the overall risk profile of the supervised entities.

The current legal and regulatory frameworks in Austria generally allow for cross-border cooperation with EU/European Economic Area (EEA) countries, but legal obstacles can hinder effective information exchange with several third countries. The submission of information to authorities in third countries pursuant to the FM AML Act is only permissible, if they are subject to, or have agreed, to an equivalent level of professional secrecy that corresponds to that of the respective European legal acts (European Banking Authority list equivalence). Local rules on confidentiality, professional secrecy, data protection, and information exchange should be analyzed on a case-by-case basis. In these circumstances, uncertainty regarding home/host supervisory responsibilities and access to information also affects proper implementation of cross-border supervision. Given the limitation, the authorities should closely monitor and ensure that strong AML/CFT controls are applied at the group level, and in case of concerns, employ remedial actions.

Significant progress has been made in strengthening the AML/CFT framework in line with the recently revised standard applicable to VAs and VASPs. The authorities informed that the FM AML Act has recently been amended to transpose the 5AMLD into national legislation, commencing January 2020. The Act assigns the FMA responsibility over the registration and monitoring of VAs/VASPs, which are obliged entities under the FMA AML Act and therefore subject to all AML/CFT obligations. The Act defines virtual currencies and virtual currencies service providers in line with the FATF definition. The definition goes beyond the 5AMLD. The FMA is aware of five local companies already providing VA-related services, but there is no concrete data with respect to VA/VASPs based abroad offering products and services in Austria. In the short term, efforts should continue to address the challenges and ML/TF risks associated with VAs and VASPs to ensure proper implementation of the AML/CFT obligations.

Table 1.

Austria: Main FSAP Recommendations for AML/CFT

article image
article image

NT = Near Term (within 6 months/1 year); MT = Medium Term (within 2 to 2 1/2 years).

Introduction

1. This TN sets out the findings and recommendations made in the context of the 2019 FSAP for Austria in the areas of AML/CFT. It provides a targeted review of Austria’s efforts and progress made in addressing the ML/TF vulnerabilities in the banking sector including with respect to AML/CFT supervision and cross-border activities, progress in enhancing the transparency of legal persons and arrangements, and addressing the risks related to VAs and VASPs. This review is not, in any way, an assessment or evaluation of the country’s AML/CFT regime. In this regard, Austria’s AML/CFT system was assessed by the FATF against the current FATF standard and the MER was adopted in September 2016. The TN provides a factual update on the key measures taken by the authorities since the last MER in the area of banking supervision, entity transparency, and VAs and VASPs.

2. Staff analysis is based on a range of background information and benefitted from discussions with the authorities. Staff reviewed available information including the most recent MER from 2016, and the FURs from December 2017 and November 2018. The analysis also draws on the authorities’ responses to questions submitted by staff ahead of the FSAP, and discussions held on the mission in September 3–18, 2019.

Progress Since the Last Assessment

A. Compliance with the International Standard

3. Austria was assessed by the FATF in 2015 and the report was adopted in 2016. As a result of the assessment, Austria was placed under the FATF’s enhanced follow-up process. In the 2016 MER, assessors concluded that overall Austria has a strong legal and institutional framework for combating ML and TF. The MER noted that the technical compliance framework was strong in relation to legal and law enforcement requirements, preventive measures, and supervision for FIs and DNFBPs. Improvements were required with respect to national AML/CFT policy coordination, assessment of risk, and targeted financial sanctions.

4. In terms of effectiveness, Austria was found to have achieved substantial results in the investigation and prosecution of persons financing terrorism, in the implementation of targeted financial sanction related to proliferation financing, and in international cooperation. Moderate results were considered in understanding of risk, transparency of legal persons and arrangements, confiscation, and targeted financial sanctions related to TF. Fundamental improvements were needed in the collection and use of financial intelligence and investigation and prosecution of ML. The FATF has yet to assess Austria’s improvement in addressing effectiveness.

5. FATF has recognized some improvements in technical compliance and has upgraded several recommendations. The FATF has conducted two FURs on Austria and concluded that the country has made progress in addressing most of the technical deficiencies identified in its 2016 MER. Austria’s first enhanced FUR was adopted in December 2017. The report analyzes Austria’s progress in addressing certain technical compliance deficiencies, which were identified in the 2016 MER. Notably, Austria received a total of 12 upgrades where sufficient progress has been made2. Austria’s second enhanced FUR was adopted in November 2018 where two upgrades were provided in the area of transparency and BO information of legal persons and legal arrangements (R. 24 and 25). Similarly, progress in implementing the new requirements related to FATF recommendations which have changed since the 2016 MER was analyzed (R. 7, 18 and 21).

B. Legislative/Regulatory Framework and Other Initiatives

6. Since the last 2016 MER, several amendments to the AML/CFT legislative and regulatory framework have been adopted. The FM AML Act was amended in 2018 and most recently in July 2019. The first amendment aimed at transposing the obligations from the 4AMLD and 5AMLD, respectively. The authorities informed that Austria transposed into legislation the 4AMLD in 2018 and most recently the 5AMLD (Federal Law Gazette I No. 62/2019, July 22, 2019). The transposition of the 5AMLD enters into effect on January 10, 2020.

7. The sanctioning regime for violations to the AML/CFT framework was enhanced. Art. 34 and 35 of the FM AML Act now allows for the imposition of fines for individual persons: up to EUR 5,000,000 and for legal persons up to EUR 5,000,000 or 10 percent of the total turnover. Under the previous framework (Art. 98 of the Banking Act and similar provisions in other relevant acts for the insurance companies, investment firms, etc.), the maximum monetary fine was EUR 150,000.

8. In particular the most recent amendments introduced in July 2019 were as follows:

  • Incorporates VASPs to the list obliged entities; this inclusion means that VASPs will be subject to the same AML/CFT requirements as credit and FIs (with the very limited exception of provisions that pertain only to bank accounts). Entry into force: August 1, 2019.

  • Adds a definition of VAs. 3 Entry into force: January 10, 2020.

  • Adds a definition of VASPs in line with the FATF definition. The FM-AML Act goes beyond the 5 AMLD (which only includes custodian wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies). The amendment includes providers of: custodian wallet providers—services to safeguard private cryptographic keys, to hold, store, and transfer virtual currencies on behalf of a customer—(point a); exchange of virtual currencies for fiat currencies and vice versa (point b); exchange of one or more VAs for other VAs (point c); the transfer of virtual currencies (point d); the provision of financial services related to the issuance and the selling of virtual currencies (point e). Entry into force: October 1, 2019.

  • Requires the national coordination group to consult the state authorities responsible for supervising the gambling sector’s compliance with AML/CFT standards in their respective states when drawing up the NRA. Entry into force: August 1, 2019.

  • Requires obliged entities to inspect the BO Register as part of their CDD obligations when establishing a new business relationship with a legal person. When establishing a new business relationship with a trust or a legal arrangement similar to a trust established in another EU member state or a third country, obliged entities now have to seek to obtain a proof of registration from the national BO Register where those countries require registration in a BO Register that fulfils the requirements of Art. 30 and 31 of the Directive (EU) 2015/849. Entry into force: January 10, 2020.

  • Lowers the threshold for high-risk third country involvement that triggers EDD requirements. These now include business relationships and transactions with any kind of involvement of high-risk third countries (Art.9 para. 1). Previously, EDD requirements were triggered if the customer was established in a third country. Entry into force: January 10, 2020.

  • Requires VASPs that intend to offer services for Austrian customers or base their operations in Austria to apply for a registration with the FMA (Art. 32a para. 1). The application must include a description of the company’s proposed AML/CFT measures (Art. 32a para. 1 point 4). Entry into force: October 1, 2019 (with the specification that the registration requirement enters into force on the January 10, 2020).

  • Offering VA services without registration now carries a fine of up to EUR 200,000 (Art. 34 para. 4). Entry into force: January 10, 2020.

9. The BORA was recently amended (July 2019). The legislative amendments provide for the transposition of the 5AMLD into domestic law. It provides for public access to BO data held in the BO register. Furthermore, it introduces a know-your-customer registry (identification and verification of BO identity by means of so called “compliance-packages”). Changes will enter into force on January 10, 2020 and November 10, 2020 respectively.

10. In regard to lawyers and civil notaries, the AML/CFT legal framework was further strengthened through a number of amendments. Changes were introduced in the Lawyers’ Act; the Notarial Code and the Disciplinary Statute for lawyers and lawyer-candidates—DST (Federal Law Gazette I No. 10/2017 of January 13, 2017). The main scope of the legal amendments in 2016, which came into force on January 1, 2017, was the alignment of the AML/CFT provisions with the 4 AMLD. The amendments addressed most of the deficiencies identified in the FATF-MER 2016.4 Most recently, the law amending the Lawyers’ Act, the Notarial Code, the Disciplinary Statute for lawyers and lawyer-candidates and the Court Jurisdiction Act (Federal Law Gazette I No. 61/2019 of July 22, 2019) was amended and entered into force in August 2019. It aimed to clarify and specify the AML/CFT provisions regarding lawyers and civil notaries in alignment with the Directive 2015/849 (4 AMLD).5

11. The authorities have set up a national AML/CFT committee which became operational in January 2017. The main tasks of the committee are to ensure that the NRA is kept up-to-date; strategies and measures for AML/CFT at a national level are developed, and recommendations are issued.

12. A national anti-corruption strategy was adopted in 2018 and a comprehensive action plan is currently underway and monitored. The Federal Bureau of Anti-Corruption has taken a number of initiatives in the fight against corruption.

13. Austria is in the process of reviewing its ML/TF country risk assessment, which is critical in enabling the authorities to take appropriate risk mitigation measures and to allocate resources accordingly. Austria’s last ML/TF NRA was completed in 2015 but was not considered to be comprehensive according to the 2016 MER. In reviewing the NRA, the authorities should ensure that the assessment includes a comprehensive review and assessment of ML/TF risks associated with all types of legal persons in Austria.

14. The OeNB has been adopting measures to improve the regime applicable to financial sanctions. The authorities informed the team that the timely implementation of UN listings is a challenge for all EU member states but that listing procedures at EU level have been recently overhauled and considerably accelerated. Under the new expedited EU procedures, new listings are normally transposed within 48 hours after the adoption by the UN Security Council. The OeNB has adopted a risk-based inspection plan to monitor compliance with the framework.

15. A public private partnership initiative was established and is currently underway under the leadership of the financial intelligence unit (FIU), which is a very positive development. This serves as a tool to guarantee a more efficient fight against ML/TF and close cooperation between the public and the private sector. The FIU is currently taking the lead on this initiative, which has achieved positive results. On the other hand, the statistics on the number of STRs reflect that there is still a low level of compliance with the reporting obligation by some sectors (see Table 2), which calls for additional efforts in this area. There is a need to enhance the quality and consistency of reporting across sectors, with emphasis on the DNFBPs sector where the level of reporting is very low. In this respect, the FIU should consider providing guidance on typologies and timely feedback to obliged entities to increase the quantity and improve the quality of STRs in line with ML/TF risks present in the country.

Table 2.

Austria: STRs Received by Reporting Entities

article image

C. Conclusions and Recommendations

16. Significant progress has been made in aligning Austria’s AML/CFT framework with the FATF standard and the European AMLDs. Austria has made progress in addressing most of the technical deficiencies identified in its 2016 MER. Continuing to implement these initiatives will further strengthen the AML/CFT regime going forward. In particular, the authorities are advised to:

  • Conclude the revision and update of the NRA as soon as feasible and adopt an AML/CFT strategy and action plan in line with the findings of the NRA. The ongoing revision of the 2015 NRA is an important development. Extending the scope of the NRA to include a more in–depth analysis of the ML/TF risks present in the jurisdiction, an assessment of the ML/TF risks faced by legal persons and arrangements, as well as by the NPOs sector will be key to developing a strong basis for the development of national policies going forward. Similarly, broader participation of the private sector at an earlier stage of the exercise should contribute to enhancing the understanding of ML/TF risks.

  • Adopt an AML/CFT strategy and action plan to ensure that the national policies and priorities are in line with the findings of the NRA.

  • Continue with the ongoing efforts on domestic coordination and cooperation among all relevant agencies in charge of combating ML/TF. Ensure a broader engagement with the private sector and monitor the implementation of the recommendations set at the National AML/CFT Coordination Committee.

  • Enhance the quality and consistency of reporting across sector, with emphasis in the DNFBPs sector where the level of reporting is very low. The FIU should provide guidance on typologies and timely feedback to obliged entities to increase the quantity and improve the quality of STRs in line with ML/TF risks.

  • Monitor the proper implementation of the new obligations imposed in the national legislation (FMA Act and BORA) as part of the transposition of the 5AMLD.

AML/CFT Measures and Risk-Based & Supervision in the Banking Sector

A. ML/TF Vulnerabilities in the Banking Sector

17. Austria is a major regional and international financial center, which has significant cross-border linkages. The financial system is dominated by banks that hold 75 percent of the total financial sector assets. As of September 2019, there are almost 600 banks in Austria, which have a complex structure in terms of ownership and financial linkages. Austria has one of the densest banking and branch networks in Europe.

18. Austrian banks have a systemic role as a gateway to CESEE countries. Due to the geographical proximity, central location, and historical ties, Austrian banking groups control significant shares of the banking markets in CESEE. Austrian banks have subsidiaries with significant market shares in 19 countries, including Russia.

19. The banking sector is considered to be the most vulnerable channel to ML activity in Austria. The NRA identified banks as bearing a moderate to high risk for ML/TF. Due to the small volume of invested and managed assets, the capital market, although also important, was assessed to have a moderate level of ML/TF. The insurance sector was assessed to have a low level of ML/TF. Staff’s review will therefore focus on the banking sector.

20. The 2016 MER notes that banks have a good understanding of their ML/TF risks and AML/CFT obligations. The main risks that they face are associated with offshore activities, as the banking sector exposure to nonresident customers and offshore corporate schemes is high. The first supra-national risk assessment on ML/TF risks conducted by the European Commission concluded that the region’s internal market remains vulnerable to ML/TF risks.

B. AML/CFT Supervision of Banks

21. AML/CFT supervision for the financial sector falls under the responsibility of the FMA. Austria has adopted an integrated approach to AML/CFT supervision where the FMA performs both prudential and AML/CFT supervision. On the prudential side there is a dual oversight by the OeNB and FMA.6

22. Supervision of FIs’ compliance with regulatory requirements (including AML/CFT) is mandated to the FMA by the FM AML Act. It includes all persons and entities that conduct the financial activities listed under the FATF definition of FIs. This includes a total of 780 institutions as follows: (i) 544 credit institutions; (ii) 24 credit institutions that are subsidiaries; (iii) 6 insurance companies/subsidiaries; (iv) 6 payment institutions; (v) 9 payment institutions/subsidiaries via freedom of establishment; (vi) no EMI; (vi) 2 EMIs/subsidiaries via freedom of services; (vii) 14 Investment Fund Management companies; (viii) 5 real estate investment fund management companies; (ix) 8 corporate provision funds; (x) 65 investment firms (supervised by another FMA department); (xi) 43 investment service providers (supervised by another FMA department), (xii) 32 licensed or registered alternative investment fund managers.7

23. The FMA is vested with adequate powers to ensure compliance with the AML/CFT framework and enforce all existing obligations on FIs. Under the FM AML Act, the scope of AML/CFT supervision involves granting the license, issuing regulations, conducting offsite activities and onsite inspections to ensure compliance with the AML/CFT obligations, compelling production of any information relevant to monitoring, reviewing the risk assessments conducted by FIs, and enforcing the existing obligations, including through the ability to impose a range of disciplinary and financial sanctions and the power to withdraw, and restricting or suspending the FI’s license in case of non-compliance.

24. AML/CFT supervision is conducted by a specialized AML Division. The Division (Division IV/5-Prevention of ML/TF) was established in 2011 and is part of Department IV that covers integrated supervision. The Division’s responsibility covers credit and payment institutions and insurance companies, while FMA’s Division III/2 supervises investment firms and investment service providers for AML purposes. The current staff allocated to the Division is 18,25 FTE and comprised two teams, namely the “Onsite Inspections Team”, which also deals with offsite surveillance work, and the “Enforcement Team”, which is primarily devoted to administrative proceedings and actions aimed at restoring legal compliance. To address the gaps raised in the 2016 MER in terms of resources, five additional staff were assigned to the unit since then.

25. Overall the FMA has a sound understanding of ML/TF risks present in the institutions it supervises and is conscious of the cross-border risks. Based on this understanding, it has developed a methodology and supervisory tools in line with a risk-based approach to classify the institutions in line with their ML/TF risk exposure. The tool is a good initial step, but further adjustments are recommended to reflect a more realistic risk exposure of banks in terms of ML/TF, as further explained below.

26. The FMA has established and adopted a risk-based approach to AML/CFT supervision. As part of its supervisory toolkit, the FMA developed an offsite risk scoring tool to develop institutional ML/TF risk profiles, form the basis for its supervisory strategies, and allocate resources more efficiently. The tool was developed to capture both quantitative and qualitative information addressing the FATF risk factors in terms of customers, products and services, geographical locations and delivery channels and the quality of the internal control systems.

27. The framework is designed to help the FMA identify those institutions that are exposed to a higher level of ML/TF risk, which feeds into the FMA’s AML/CFT supervisory plans. The tool is filled by an annual AML questionnaire that is sent to the obliged entities to assess the inherent risks within the institution. The tool considers a number of factors, including but not limited to, outsourcing, cash transactions, client as a foreign trust, money remittances, PEPs, risk of BO, risk of location, transaction volume, and number of transactions. Similarly, it analyzes the quality of risk mitigation measures set by the entity, which is complemented by an assessment of the findings of onsite inspections and the supervisory/expert judgement, statutory audit reports, etc. The last data collection was completed by mid-August 2019.

28. The methodology and risk scoring tool designed for FI’s classification is an important step in improving the supervisory practices, but it should be further improved to complement the data analyzed and place greater emphasis on cross-border ML risk. Currently the tool is heavily reliant on information provided on an annual basis by the credit institutions. The authorities may consider adding additional input, such as audit reports, financial information provided by the prudential team, and risk factors to properly capture all the risks, including the cross-border risks. For instance, it will not only consider the risk of location (subsidiaries and branches in EU member states and third countries), but more specifically, granular information related to the number; locations; size of overseas branches or subsidiaries; customer base in those branches and subsidiaries; volume of transactions; products and services provided, both at the branch and subsidiary level; as well as other qualitative information with respect to the risk management system, and the robustness of the information sharing practices between the head office and all the branches and subsidiaries.

29. Driven by results of the risk-scoring system, the FMA conducts its supervisory activities over FIs through a combination of offsite surveillance and onsite activities. The offsite measures include a variety of actions, including but not limited to the review of audit reports, previous onsite reports, legal enquires, etc. The most recent exercise conducted by the FMA reflects that only 1 percent of the credit institutions were rated as high-risk; 1.5 percent have an elevated ML/TF risks; 18.1 percent were rated as moderate risk, and 79.4 percent were rated as low risk.

article image

30. Considering the size, complexity, and cross-border linkages of the Austrian banks, the results (risk classification) arising from the methodology and risk-scoring tool suggest that more is needed in terms of risk classification. Based on the existing methodology, the majority of the banks fall under the low risk category. The number of banks with an elevated and moderate risk is surprisingly low. It is understood that the systemic banks fall under the high-risk category. Against this background and given that the results of the offsite tool drive all the onsite activities, the authorities are advised to reassess the risk rating criteria to validate the results and ensure that there is a more realistic distribution of banks under the four risk categories capturing the domestic and cross-border risks and exposure.

31. The FMA has defined the intensity and frequency of onsite activities. Two types of onsite measures are in place, namely the onsite inspections and the onsite examinations. While the first ones provide for a “fully-fledged analysis” in terms of inherent risks, quality of the AML/CFT systems in place, and the adequacy of the risk mitigation strategies (sample testing of customer files and the transaction monitoring system, including access to the core banking system), the second ones are only aimed at familiarizing the onsite inspection team with the FIs’ AML/CFT set-up and identifying potential outstanding issues related to any pending offsite proceedings. On average, onsite inspections last one to three weeks and involve a team of two people (up to five for large banks), while onsite examinations are limited to a three-hour visit involving two people. Other onsite tool used are management talks (three to four hours) at the FMA’s premises.

32. The intensity and approach to AML/CFT supervision is driven by the results of the risk-scoring tool. The table below reflect the intensity of onsite activities as a result of the risk-classification of FIs.

article image
article image

33. The number of onsite measures, including both onsite inspections and examinations have increased over the last years, although more is needed. Considering the large population of institutions under the supervision of the FMA and the risk profile, also in terms of cross-border linkages, more action is required in terms of frequency and intensity of onsite inspections.

34. The large population of institutions, the risk exposure, and the complexity of the banks’ structure suggest that the supervisory cycle should be shortened to ensure that all FIs are subject to onsite inspections on a more regular basis. Onsite inspections are a key element of the supervisory cycle as they enable the supervisors to conduct a comprehensive review to validate the risk management framework and the procedures and control systems in place to adequately mitigate ML/TF risks. In this respect, the FMA may consider intensifying the frequency of onsite inspections. For instance, banks rated as high risk should be inspected at least annually. Similarly, those banks with an elevated risk profile should be subject to an onsite inspection once every 18 to 24 months at a maximum. In particular, it is unclear why there are only onsite examinations but no established period by which banks rated as low risk should be subject to an onsite inspection. In this respect, the authorities indicated that seven FIs rated low risk were subject to onsite inspections between 2016–2019.

35. Sound supervisory practices do not preclude the conduct of onsite inspections when the risks have been identified as low. While recognizing that a risk-based approach to AML/CFT supervision is key to targeting the supervisory resources, the FMA should consider conducting within a reasonable time more frequent and comprehensive visits to reach an informed judgement regarding the risk profile of the bank, validate the findings of the risk scoring tool and the preliminary assessment on the quality of the internal control system . This is especially relevant if we consider that almost 80 percent of the banks are rated as low risk institutions and only seven onsite inspections have been conducted in the last four years (2016–2019).

36. The inadequacy or absence of sound ML/TF risk management exposes banks to serious risks, especially reputational, operational, compliance, and concentration risks. All these risks are interrelated and should be properly analyzed and considered to prevent any negative impact on the bank (i.e., enforcement actions taken by the supervisor could carry significant financial costs to the bank that should be properly considered). Concerns over the adequacy of AML controls on foreign branches and subsidiaries may expose Austrian banks to operational and reputational risks. As such it is important that supervisory practices at the FMA allow for a more regular monitoring and validation of the activities conducted by the banks to ascertain whether ML/TF risks are properly managed and take appropriate action, if needed.

37. The authorities have enhanced cooperation and exchange of information between the FMA’s prudential banking supervision department and the AML division. The authorities have implemented a number of good communication practices but should continue with those efforts. The authorities informed that FMA’s Department for Prudential Banking Supervision is aware of planned and conducted onsite measures and the AML division is informed about onsite measures of the OeNB. The authorities should consider further sharing any developments with respect to financial and non-financial risks affecting the sector, the risk factors, risk categorization and results of the risk scoring tool, adjustments to the methodology and supervisory tools, and any additional information to address fast-moving developments in the banking sector. Similarly, it is important to ensure that this information is shared with the OeNB and ECB on a timely basis and provide for a more proactive engagement to reinforce the overall supervisory approach.

38. In the course of its supervisory activities the FMA has found deficiencies in a number of banks in relation to the CDD obligations and management of higher-risk business. Similarly, failings to comply with the CDD obligations, inadequate transaction monitoring, failure in the identification and verification of the BO, and weak internal controls and procedures were the main breaches identified. The deficiencies resulted in administrative penal proceedings by the FMA, including a total of 35 in 2016; 21 in 2017; and 11 in 2018, some of which included a penal decision, warnings, or abatement of action.

39. The FMA has been vested with additional powers and a broad range of sanctions to enforce the AML/CFT obligations on obliged entities. (Art. 34 of the FM AML Act). The most significant fines imposed by the FMA were applied in 2018 to one of the largest banks (EUR 2,748,000) for inadequate verification of the identity of the BO and failure to regularly update the necessary documents, data and information required to understand the ownership and control structures with regard to high-risk customers (offshore—this case was in connection with the Panama Papers). Similarly, another Austrian bank was fined in 2018 with a EUR 414,000 fine for similar violations as well as for the lack of reporting of a suspicious transaction in due time.8

40. The FMA needs to ensure sufficient resources to deal with the large population of FIs under the FMA responsibility. Resources are stretched considering the large population of institutions under the supervision of FMA, the complexity of the financial system, the cross-border linkages, and the most recent incorporation of VAs and VASPs under the FMA’s responsibility. Against this background, there is a need to consider in the short term allocating further resources to AML/CFT supervision.

41. The FM AML Act has recently introduced an obligation to regulate and supervise VAs and VASPs. The FMA will be responsible for the regulation and monitoring of VASPs, which will put additional pressure on the existing resources allocated to AML/CFT supervision, in particular considering that the FMA is still in the process of developing the in-house knowledge to monitor them and this will take time.

C. Passported Payment Providers and E-Money Institutions Operating in Austria Under the EU Passporting Regime

42. Under the current EU framework, the home supervisor is responsible for the AML oversight of the authorized payment institutions operating under the free provision of services. These companies offer their services within EU by means of a single license and EU passporting. Currently there are 63 foreign EMIs that are operating in Austria under the EU passporting regime, in addition to 281 passported PSPs and their agents.

43. The FMA is responsible for PSPs and EMIs providing services via agents. As part of the measures that have been implemented, there is an obligation for PSPs and EMIs to comply with Austrian AML/CFT rules and notify the FMA if agents are used as well as to provide an overview of the internal AML/CFT control mechanisms that are put in place by them. After meeting certain criteria, PSPs and EMIs must notify a central contact point for the FMA. The latter is responsible on behalf of the institution to ensuring compliance with all AML/CFT obligations.

44. Setting a centralized structure and using a central contact point may prove to be useful to oversee compliance of a network of agents with the locally applicable AML/CFT requirements. Notwithstanding the role played by the central contact point, the FMA in its supervisory role should ensure proper compliance by agents with all the AML/CFT framework.

45. While progress has been made in amending the legal framework to enforce AML/CFT obligations on agents and supervisory powers on the FMA, more is needed. It is critical that the FMA increases the oversight on agents to ensure a proper supervision of the activities and full compliance with the AML/CFT obligations.

46. Given the nature of the activity conducted by the agents, close cooperation is needed between competent authorities. This could prove to be challenging in cases where a payment institution carries out activities through a comprehensive number of agents established in the host member state(s). The authorities are encouraged to consider strengthening coordination and cooperation, which should include, but not limited to: (i) the home supervisor’s assessment of the ML/TF risk associated with the business model and an assessment of the payment institution’s management of it ML/TF risks, including the quality of its internal controls and procedures; (ii) any information which is likely to have impact on the ML/TF risk assessment of the PSP in regards to the activities carried out by its agents in the host country and any assessment conducted by the host supervisor in this respect.

47. The PSPs and EMIs play a key role in preventing that transfers of funds can be abused for ML purposes. The services they offer pose ML/TF risks, as large amount of cash is handled through these services. Although the FMA has taken some initial actions to supervise these institutions, more work is needed in this respect.

D. Cross-Border AML/CFT Supervision in the Banking Sector

48. Being an important regional and international financial center as well as a gateway to CESEE countries,9 Austria faces a range of ML and TF risks. The 2016 MER notes that Austria is particularly vulnerable to proceeds from a variety of international crimes transiting through Austria such as corruption, embezzlement, etc. Companies established offshore with Austrian bank accounts are vulnerable for these purposes. In many cases, a lawyer or another professional intermediary will be acting as a trustee for such companies.

49. Austria’s financial system is heavily exposed to CESEE countries and has a complex ownership structure. There are almost 600 banks in Austria, which include 6 significant institutions under the Single Supervisory Mechanism (SSM) representing 60 percent of total system assets. There is high concentration in the banking system (three banks hold 50 percent of market share), with few large internationally active banks and the rest is within less significant institutions. Austrian banks maintain branches and subsidiaries overseas, with most of them in place in CESEE countries (24 percent exposure in 2018), and the rest in third countries.

50. The FM AML Act has been revised to explicitly stipulate the obligation for international banking groups and groups of FIs to have group-wide policies and procedures for combating ML/TF. Art. 24 of the FM AML Act requires that the group wide policies and procedures are rolled out across the whole group. This is a good development in considering the deficiencies identified in the 2016 MER regarding the lack of requirements for FIs to have a business wide compliance function that would apply to branches and subsidiaries in CESEE countries. The group-wide policies and procedures must be implemented effectively at the level of branches and subsidiaries in member states and third countries. The exchange of information, including customer information within the group is permitted, in particular the documents needed for the purpose of conducting CDD and information submitted together with a STR.

51. Effective cross-border supervision is based on effective home and host supervision. Domestic and international cooperation are key elements in this arrangement. To achieve this, it is essential that all arrangements for home and host cooperation and information sharing grant the ability to carry on consolidated remedial actions and the ability to deter cross-border corporate structures than hinder effective supervision. A solid framework for sharing information between supervisors should also ensure, but should not be limited to: confidentiality, exclusive use of the information for supervisory purposes, reciprocity, a framework that favors home supervisor visits when needed, timely communication between supervisors, and removal of obstacles for the parent bank to have access to information from their branches and subsidiaries.

52. High profile cross-border ML/TF scandals involving several banks in the Euro Area, including some Austrian banks,10 calls for a closer scrutiny of some critical activities conducted by banks. The quality of AML/CFT supervision varies among countries which contributes to an increase exposure to ML/TF risks—which needs to be properly managed. Efforts should focus on further ensuring that banks properly implement the AML/CFT obligations, conduct EDD, in particular for higher risk activities and categories of clients, and reinforce the control over cross-border activities.

53. As experienced by the Danske Bank and other high-level scandals affecting European banks, the loss of reputation risk calls for enhanced AML/CFT supervision and collective efforts across the European region. AML/CFT supervision of FIs is the primary responsibility of national AML/CFT supervisors, but uneven AML/CFT supervision, regulatory arbitrage, as well as differences in the implementation of the FATF standard contributes to increased ML/TF risks in the Euro Area. Ongoing debate has been taken in the region on whether to assign AML prevention to a common European institution.

54. Consolidation of AML/CFT supervision has the benefit of better contributing to enhancing the quality and consistency and addressing any gaps or “weak links” that could be exploited for ML/TF purposes. Regardless of the outcome of the ongoing discussion, there is an evident need for a deeper integration/consolidation of AML/CFT supervision and enhanced collaboration between national authorities and the ECB. Accordingly, the authorities are encouraged to support the establishment of a Euro Area or EU Level arrangement directly responsible for AML/CFT supervision. Legal and regulatory framework supporting cooperation agreements.

55. The Austrian authorities have taken important steps toward enhancing domestic and international cooperation to mitigate cross-border ML/TF risks. Close cooperation at a domestic level and in a cross-border context with other member states and third countries is envisaged under the FM AML ACT, including allowing the conduct of inspections. The 5AMLD requires that information-sharing mechanisms are in place between prudential and AML/CFT supervisors (including the SSM).

56. The FMA is an active member in the European Supervisory Authorities’ Joint Sub-Committee on AML (AMLC). The AMLC serves as a forum for formal and informal exchange between EU member states’ supervisors. This Committee convenes three times a year.

57. The FMA AML Law requires the FMA to cooperate with EU/EEA counterparts. In this respect, it is empowered to cooperate with the European Supervisory Authorities and with other participants of the European System of Financial Supervision and make all information available to them without any delay.

58. There is an explicit legal basis in the FM AML Act that allows the FMA to cooperate with authorities in member states and third countries that perform the duties that correspond to the FMA duties. This obligation is under Art. 25 para. 5, which states that the FMA must share all information that serves the purpose of supervision of financial markets. This may also include information about shareholders, members of the management board, the supervisory board, the administrative board, and the executive directors of the obliged entities, as well as information relating to the customers of the obliged entities.

59. When it comes to third countries, the submission of information to those authorities is only permissible under specific circumstances. Art. 25 para 6 FM AML Act stipulates that the submission of information to authorities in third countries pursuant to para. 5 shall only be permissible if they are subject to or have agreed to an equivalent level of professional secrecy that corresponds to that of the respective European legal acts that govern the activities of obliged entities. Where information that the FMA receives from the competent authority of another member state is affected, such information may only be allowed to be disclosed with the explicit consent of that supervisory authority and only for the purposes, for which that authority has given its consent. Furthermore, such a submission shall only be permissible based on a reciprocal agreement or actual reciprocity.

60. The evaluation regarding the equivalency is closely done by the FMA Department for International and Legislative Affairs. In this regard, the FMA takes into account the evaluation of the European Banking Authority assessment of equivalence. According to this list, the Russian Federation is currently not equivalent. Given the additional limitations, the FMA should put additional efforts to ensure that group-wide policies and procedures are implemented by Austrian banks with branches and subsidiaries located in Russia and pursue full access to critical information in relation to all aspects of the business conducted by the branches and subsidiaries.

61. While the current legal and regulatory framework in Austria allows for cross-border cooperation with EU/EEA countries, legal obstacles hinder effective information exchange with some third countries when rules have not been harmonized. Local rules on confidentiality, professional secrecy, data protection, and information exchange should be analyzed on a case-by-case basis. In these circumstances, uncertainty regarding home/host supervisory responsibilities and access to information also affect a proper implementation of cross-border supervision.

62. The authorities informed that currently the limitation only extends to Russia, but not to the rest of the third countries where Austrian banks have subsidiaries. There is also uncertainty as to whether there is a similar limitation with Ukraine. As such, the general principles that allows the FMA under Art. 24 to supervise the effective implementation of strategies and procedures throughout the group, including the ability to conduct inspections, can be challenging in some instances. Ensuring that group-wide policies and procedures are implemented by banks with branches and subsidiaries located in Russia and pursuing full access to critical information in relation to all aspects of the business conducted by the branches and subsidiaries becomes a priority.

63. The FMA has informed that in those cases where the local rules do not allow for the implementation of group-wide policies and procedures, further action is taken. As part of the additional actions, the FMA is empowered to require the group through the parent company to take additional measures to avert the related risks, which in extreme cases could imply instructing the group to refrain from carrying out any further transactions with those countries or to suspend their business there altogether.11

64. The FMA is entrusted to conclude cooperation agreements for the purpose of cooperation and exchange of confidential information with the competent authorities of third countries. The agreements shall only be allowed to be concluded on the basis of reciprocity, and when it is possible to guarantee that the competent authorities in the third country to which the information is passed on, at least is subject to the same requirements of professional secrecy as per the FM AML Act. In case there is a MOU, this does not exclude the FMA from the duty to examine whether the exchange of information is legally permissible according to the provisions stated in Art. 25 of the FM AML Act.

65. The FMA signed bilateral and multilateral cooperation agreements “MOUs” for enhanced cooperation and exchange of information. This, as well as the supervisory colleges, in which all the relevant authorities for the supervision of cross-border groups cooperate, are both important elements of the existing cooperation agreements in Austria. The goal is to speed up practical supervisory activities for cross-border issues and provide confidence-building measures, particularly towards non-EEA member states and cooperation with CESEE countries.12

66. Similarly, the FMA signed a multilateral agreement on practical modalities for exchange of information between ECB and national AML authorities in January 2019. The authorities informed that given the recent change introduced in the FM AML Act, in particular the power granted under Art. 25 para. 5, there is no obstacle to share information in the absence of an MOU. An MOU provides further determination of practical modalities for the exchange of information but is not needed as a basis for the exchange of information. Although not legally bounding, the authorities should consider pursuing MOUs with third countries where Austrian banks have branches and subsidiaries.

67. The FMA has also been granted powers when it comes to credit institutions and FIs that are part of a group, in particular if the parent company has its place of incorporation in Austria. In this respect, the FMA shall supervise the effective implementation of strategies and procedures throughout the group pursuant to Art. 24. When credit institutions and FIs have a registered office in Austria with its place of incorporation in another member state, then the FMA shall cooperate with the competent authorities of the member states. This shall also apply with regard to branches or branch establishments of credit institutions that are part of a group. Obliged entities must fulfill the obligations concerning the implementation of group-wide policies and procedures (Art. 24 FM AML Act). This includes sharing of all relevant information within the group regardless whether there is an MOU or other form of cooperation between the respective AML National Competent Authorities.

68. In case the Austrian obliged entity is not able to fully comply with this obligation, the FMA has strong legal remedies in order to mitigate potential risks. According to Art. 24 para 4 FM AML Act the obliged entities shall inform the FMA in cases in which the implementation of the policies and procedures to be applied on a group-wide basis pursuant to para. 1 is not permissible in accordance with the law of a third country. Furthermore, the obliged entities shall ensure that their branches or branch establishments and their subsidiaries in this third country apply additional measures to effectively mitigate the risk of money laundering or terrorist financing. If the additional measures are not sufficient, then the FMA shall exercise additional supervisory actions. The FMA may among other things prescribe that the group shall not be allowed to establish or that it terminates business relationships and shall not be allowed to undertake transactions in the third country or where necessary request the group to close down its operations in the third country.

E. Conclusions and Recommendations

69. The Austrian authorities have demonstrated strong commitment to strengthen banking AML/CFT supervision and address cross-border related risks. As part of the measures adopted, the risk scoring tool, which serves as a critical input into the development of the annual inspection plan, already considers issues related to risk location, in particular information regarding the location of subsidiaries and branches in EU member states and third countries. Please refer to previous paragraphs for more details on further recommendations in this area to redefine the risk criteria and risk factors.

70. The banking sector remains a high priority for the FMA and enhanced efforts have been put in place to strengthen the supervisory framework. Due to the size of the banking sector, in particular the number of credit institutions, its significance for Austria’s financial sector, and the risks exposure in terms of ML/TF, high priority is placed, and more resources are allocated to the supervision of banks, as reported by the authorities.

71. As part of its recent efforts, the FMA has intensified its supervision and control over banks to improve compliance across banks with the legal and regulatory framework and ensure a proper risk mitigation. The FMA has increased the number of onsite inspections and onsite examinations in the last years and developed further guidance for the industry. It issued a Circular on “Risk Assessment”, which was published in March 2018 with the purpose of assisting the FIs to implement a risk-based approach and passed three additional Circulars which were published at the end of 2018 and in 2019 covering CDD obligations, internal organization, and STRs. Although not legally binding, the Circulars have helped the FIs to further increase their compliance with the AML/CFT obligations.

72. The actions taken by the authorities are important steps in the area of AML/CFT supervision. However, considering the relevance of the banking system in Austria, and the cross-border linkages and ML/TF risk stemming from CESEE countries, a number of recommendations are set below to further strengthen the overall AML/CFT supervisory framework for banks and improve some of the current practices. Mostly, recommendations are aimed at increasing effectiveness. To continue to build upon this progress, the authorities are advised to:

  • Ensure that banks and other FIs implement the recent changes to the legal framework (i.e., lower threshold for high-risk third country involvement that triggers EDD requirements; obligation to inspect the BO Register as part of the CDD obligations).

  • Revise the methodology and risk-scoring tool to ensure that the results generated are in line with the ML/TF risks profile of the banks. Further calibrations seem to be needed to reflect a more realistic distribution of the banks in terms of ML/TF risk exposure, when considering the complexity, sophistication, and cross-border operations of Austrian banks.

  • Expand the information incorporated into the risk-scoring tool to further consider cross-border risks. Similarly, expand the quantitative and qualitative information that is critical for the assessment if ML/TF inherent risks and the internal control environment. For instance, not only information provided on annual basis by the institutions but also other additional input, like audit reports, financial information provided by the prudential team, and more granular data on cross-border risks.

  • Support the establishment of a Euro Area or EU level arrangement directly responsible for AML/CFT supervision.

  • Increase the frequency and scope of onsite inspections over banks to ensure timely and proper assessment of the inherent ML/TF risks within the institution, the quality of the ML/TF risk management framework, and overall compliance with the AML/CFT obligations. Conduct onsite inspection of low risk institutions on a more regular basis to ensure and confirm the preliminary assessment of the inherent ML/TF risks and the quality of the risk management framework.

  • Reinforce the efforts to ensure that banks properly conduct enhanced CDD for higher risk activities (i.e., offshore customers and activities and complex ownership and control schemes) and reinforce the control over their cross-border activities. Increase the number, frequency, and scope of onsite inspections in branches and subsidiaries, particularly those in CESEE countries to ensure that there is an effective implementation of sound risk management practices and that the group-wide policies and procedures are applied effectively.

  • Increase AML/CFT supervision over PSPs and EMIs providing services via agents and ensure closer dialogue and cooperation other member states where agents operate.

  • Increase the efforts improve cross-border information exchanges with non-EU/EEA countries. Consider pursuing MOUs with third countries where Austrian banks have branches and subsidiaries (i.e., Albania, Belarus, Serbia, Kosovo, Montenegro, North Macedonia, Moldova, and Ukraine).

  • Foster increased collaboration and exchange of information between the AML team and the prudential supervisors (OeNB and ECB) on a timely basis to gain a deeper understanding of the ML/TF risks and its possible impact on other risks (i.e., reputational, operational, etc.).

  • Increase the supervisory resources allocated to the AML Division and ensure proper training to build the necessary skills to address the recently assigned responsibilities (i.e., VA/VASPs).

Transparency of Legal Persons and Arrangements

A. Austria’s Corporate Landscape

73. The company forms most commonly used in Austria to pursue commercial activities is a (private) limited liability company. The other forms of legal persons that can be established in Austria are defined by law in Austria and are as follows: (1) general partnerships (“offene Gesellschaft”); (2) limited partnership (“Kommanditgesellschaft”), which are both regulated by the UGB; (3) limited liability company (“Gesellschaft mit beschränkter Haftung— GmbH”) regulated by the GmbHG; (4) stock corporation (“Aktiengesellschaft —AG”) regulated by the AktG; (5) cooperative societies (“Genossenschaft”) regulated by the GenG; (6) private foundations (“Privatstiftung”) regulated by the PSG; and (7) associations (“Verein”) regulated by the VerG. There are some other specific forms of legal persons provided in the legislation, such as European companies, European economic interest groupings, and European cooperative societies. There are approximately 272.795 legal companies in Austria.

74. Austria has its own type of legal arrangements, namely the Treuhänd. The Treuhänd is a civil contract, which is not regulated in law but is based on the general principle of the autonomy of contracting parties and is delimited by jurisprudence and doctrine. It is created when an individual, the Treuhänder (or trustee), is authorized to exercise rights over property in his or her own name, on the basis of and in accordance with, a binding agreement with another person, the Treugeber (or settlor). Although any member of the general public who can be party to a contract can act as a Treuhänder, it is often lawyers and notaries that act in this capacity. Trustees and Treuhänder must hold accurate and up-to-date information on the parties to a trust, although there is no requirement for these persons to maintain information on trusts regulated agents or service providers.

75. Information on legal persons is kept up-to-date and is accessible on-line without delay in the legal information system of the federal government. In addition, the business portal of the federal government describes the processes to be followed to create a legal person and the prerequisites that must be met for that purpose. Further information is also available through other sources.13

B. ML Risks Involving the Misuse of Legal Persons and Arrangements

76. There is currently no assessment of ML/TF risks arising from the different types of legal persons and arrangements. Austria’s NRA has not included a review and assessment of ML/TF risks involving the misuse of legal persons and arrangements. Although the NRA did not cover such assessment, the 2016 MER notes that the competent authorities’ understanding of risks and vulnerabilities of legal persons and arrangements appears to be adequate.

77. Ongoing initiatives undertaken by the authorities include an assessment of the possible ML/TF risks posed by legal persons and arrangements. The authorities informed that as part of their plans to update the NRA, there will be an explicit assessment on this issue.

78. According to the authorities, the most widespread type of legal persons involved in ML schemes domestically is the limited liability company (GmbH). This is mainly due to the ease and cost of its creation. The risks will be higher if there is a professional intermediary (such as a lawyer or tax advisor) involved in the establishment and management of such legal person acting in the capacity of a trustee (Treuhänder). In the cross-border context, the main risks relate to those legal persons that have complex ownership structure with multiple layers of legal persons established in jurisdictions where the information on legal and/or BO is not publicly available and reliable.

79. Notaries, lawyers, and accountants play a key role within the economic system as they are often involved in high-risk business, like company formation and real estate transfers. At the time of the 2016 MER, there were concerns regarding whether they fulfilled their gatekeeper role effectively. There were several deficiencies in the legal framework with respect to the CDD obligations applicable to them. One of the main deficiencies related to the lack of requirements to understand the ownership and control structure of their customers, identify customers that are legal persons or arrangements, including the BO of a trust, identify and verify the settlor, trustee(s), or protector of a trust, among other shortcomings.

80. A number of amendments were introduced in the legal framework to reinforce the CDD obligations applicable to lawyers, notaries, and accountants. Most of the deficiencies were addressed by the authorities, in particular with respect to CDD applicable to legal persons and arrangements, and consequently were positively considered by the FATF in its first follow-up report (December 2017).14 Going forward it is critical that the responsible agencies in charge of supervision/monitoring of notaries, lawyers, and accountants ensure proper implementation by these obliged entities of the AML/CFT framework.

81. According to the 2016 MER, the real estate sector is perceived to be vulnerable to ML/TF risks. The report notes that such sector is misused for investment of illicit proceeds stemming from organized crime and corruption from geographic areas that are considered high-risk locations, and that a Treuhänd arrangement will often be used in real estate transactions (para. 57).

82. Against this background, it is important to ensure proper and timely implementation of the CDD obligations and continue to implement mitigating measures to address the potential ML/TF risks with respect to company formation and real estate transactions. The recent improvement of the legal and regulatory framework with respect to notaries, lawyers, and accountants is a welcome development given the key role that they play in the formation of company and real estate transactions. Going forward, it is key to ensure effective implementation of the revised obligations.

C. Transparency of Legal Persons and Arrangements: Overview of the Legal Framework

83. The Company Register (Firmenbuch”) is the main source of information for legal company formation and ownership and is kept up-to-date. All legal persons (except for associations which are registered in the local register of associations) become fully existent when the registration with the Company Register is completed. The Register is an electronic database administered by 16 Austrian regional courts (“Landesgerichte”), which registers all basic information (i.e., company name, its legal form, its status, its seat and business address, its directors as well as other persons with general commercial power of representation, shareholders, etc.). The entire content of the Company Register, including all important documents filed by the legal persons (e.g., articles of association), is open to the public (for a fee)15, either for inspection at court or online.

84. The register contains reliable basic information on the legal ownership of the legal persons. This includes the respective percentage of shares belonging to each shareholder. The registry is kept up-to-date and the companies are obliged to notify the courts of any changes without delay.

85. Companies must comply with a comprehensive set of disclosure requirements. Before obtaining the registration in the Company Registry, a number of documents and background information (for example, the articles of association, ID papers, etc.) have to be submitted, which must be certified by a notary in the physical presence of the persons that are establishing the legal person. If a company has not been registered in the Company Registry, it will not come into existence and as such will not be able to enter any business relationship.

86. A range of sanctions are available for failing to meet the reporting requirements. All legal persons are required to communicate any relevant changes either to the company register (i.e., the competent court), or to the respective registers without delay. There are sanctions foreseen for the failure to comply with this requirement. The changes that have not been notified to the relevant registry are not legally effective. Monetary penalties are often used by the courts against persons who do not comply with the requirements to provide information to the company registry, and they appear to be generally effective according to the 2016 MER.

87. Associations should be registered in the local register of associations. The associations’ statutes must contain all relevant information (i.e., name of the association, location, a clear and comprehensive description of the association’s purpose, the activities intended for fulfilling the purpose, and the way of raising funds, etc.). However, there are no clear requirements to maintain the identities of those who own, control, or direct their activities, including senior officers, board members, and trustees. Information that is kept publicly available, is entered in the Local Register of Associations then forwarded to the BMI’s Central Register of Associations.

D. Measures to Enhance Entity Transparency

88. At the time of the 2016 MER Austria’s legal framework had several gaps in terms of access to BO information. The assessment found that under the legal framework there was no general obligation to obtain and keep up-to-date BO information; timely access to BO information could not be assured; there was no requirement for companies to cooperate with competent authorities in identifying the BO; there was no sanction for failure to maintain BO information and there was no specific provision concerning the international exchange of information on shareholders. The Commercial Register only contained data regarding the legal owners of companies and foundations and there was no information on BO separately recorded. The authorities were advised to introduce measures that would increase the transparency of the Treuhänd arrangements.

89. Significant progress was achieved in the area of entity transparency and BO information. A Register of Beneficial Owner of Companies, other Legal Entities and Trusts was created in 2017 (through BORA) in implementation of the 4AMLD, which helped address some of the deficiencies identified in the 2016 MER in the area of BO information and ensure that legal persons and arrangements have an obligation to obtain, maintain, and keep up-to-date BO information and provide it to the register. Competent authorities have timely access to this information through the register.

90. The BO Register is a key development in the fight against ML/TF and has a number of objectives. The register enhances the AML/CFT framework in the area of entity transparency and BO information; strengthens the due diligence obligations of obliges entities; and provides a register that contains adequate current data and aligns it with international best practices. All these requirements, in turn, contribute to the enhancement of the AML/CFT regime.

91. The BORA16 took effect on January 15, 2018 and establishes a Central Register for recording the BOs of companies, and other legal entities such as foundations and trusts, in implementation of the 4AMLD. The BO Register is maintained by the Registry Authority established by the Federal Ministry of Finance. This authority has been granted extensive analytic capabilities for the purpose of ensuring the accuracy and completeness of the data and preventing ML/TF. The Registry Authority also has the power to request documentation on BO from companies and to carry out offsite audits.

92. The BORA was amended in July 2019 to transpose the 5AMLD into domestic law.17 The 5AMLD opens access to this information to the public at large as said directive has removed the need to demonstrate a “legitimate interest” to access the information filed with the BO register and extends BO reporting requirements to any legal arrangements that is similar to a trust. The authorities have already implemented many elements of the 5AMLD and expect to implement the rest of the obligations, including public access to the register via the homepage of the Ministry of Finance by January 2020.

93. The BO Register contains master data that is derived from different sources. First, the master data of legal entities included in the BORA’s scope of application is automatically taken from the Commercial Register, the Register of Associations, and the Supplementary Register for Others. This data is then either completed with the BO information through automated or manual reports, with additional safeguards to ensure data quality. Similarly, as explained by the authorities, the register also has the advantage of providing FIs and DNFBPs with a simple and efficient mean of identifying and checking the identity of the BO based on complete extended excerpts from the Register. However, the final obligation to identify the BO remains with the FIs and DNFPS.

94. On average 353,010 reportable companies are recorded in the Register, which are referred to as legal entities. To avoid unnecessary administrative burdens, the BORA under Art. 6 provides extensive exemptions from the reporting requirements. This applies if the BO are already recorded in the Commercial Register or the Register of Associations. To date, the exception covers 280,495 legal entities and include: (i) ordinary partnerships and limited partnerships if all partners are natural persons; (ii) limited liability companies, if all the shareholders are natural persons; (iii) commercial and industrial cooperative societies; (iv) mutual insurance associations, small mutual insurance associations, and savings banks; and (v) associations pursuant to the Associations Act.18 It is important that the exemption does not apply if another person is the BO as the framework should also include those natural persons who exert control but are not direct shareholders.

95. The BORA clearly sets out the mechanisms and process for obtaining BO information on legal persons. Legal persons have the obligation to obtain and maintain up-to-date BO information and provide it to the register. The requirements include: (i) the identification and verification of the BO, including obtaining appropriate certificates with respect to BOs, ownership and control; (ii) the retain of copies of the documents and information provided; (iii) the review of the information (CDD requirements) at least once a year to ensure that the reported data is still up-to-date; (iv) the reporting of changes within four weeks. For trusts and arrangements of a similar nature to trusts, it is the responsibility of the trustee or person comparable to the trustee to report the BOs.

96. Access to the register is provided to obliged entities that must meet the due diligence requirements in the fight against ML/TF and to the authorities in charge of ensuring compliance with the AML/CFT obligations. Obliged entities may inspect the BO register for their due diligence duties to prevent ML and TF. Authorities may inspect the register for certain statutory purposes. Starting on January 10, 2020, natural persons and organizations may consult the register without the need to demonstrate a legitimate interest.

97. Compliance with the obligation to report BO information to the Register is ensured on an ongoing basis through the implementation of automated coercive penalties (Art. 16 BORA). These range from a “reminder letter” on overdue reports from the BMF to financial penalties ranging from EUR 1,000 to EUR 4,000. The authorities informed that with this automated system the Registry Authority was able to achieve a reporting rate of more than 95 percent as of September 2, 2019. In addition to the coercive penalties, the BORA also includes a set of penal provisions for breaches of the reporting obligation.

98. A risk classification of all legal entities will be put in place by January 10, 2020. The BORA, as amended in July 2019, requires the BO Registry Authority to have a risk classification of all legal entities based on their risk profile (very high/high/medium/low). The aim is to assist the BO Registry Authority in focusing its analysis and examination on reports of entities with a medium, high, or very high-risk rating. With the new BORA, the BO Registry Authority’s supervisory powers and technical possibilities were expanded, including but not limited to drawing samples for examinations of reports based on the risk assessment and complementary perform examinations on a sample basis

99. The BORA strengthens the transparency of legal arrangements. The Act extends the scope to trusts and trusts like arrangements, which have business in Austria or acquire property in Austria and increases the obligations for trustees of trusts and arrangements similar to trusts by disclosing their status. The new obligations enter into force on January 10, 2020.

100. When establishing a new business relationship with a legal person, obliged entities now must inspect the BO Register as part of their CDD obligations. In the past this was optional. When establishing a new business relationship with a trust or a legal arrangement similar to a trust established in another EU member state or a third country, obliged entities now have to seek to obtain proof of registration from the national BO Register where those countries require registration in a BO Register that fulfils the requirements of Art. 30 and 31 of the Directive (EU) 2015/849. This will enter into force on January 10, 2020.

101. The BORA has introduced a “compliance package”, which will enter into force on November 10, 2020. The purpose of the compliance package is to provide legal entities with the option of submitting the documents necessary for the identification and verification of BOs on a yearly basis together with the report. According to the authorities, this measure is intended to significantly reduce the time required to fulfill the due diligence obligation of legal and obliged entities and boost quality of the BO data stored by FIs and DNBPs. The quality of the compliance packages is to be monitored and checked based on a risk-based approach by the BO Registry Authority.

102. The obliged entity remains responsible for the CDD obligations. The authorities informed that FIs and DNBPs may use the documents stored in the BO Register as part of their risk-based approach, but in all instances have the obligation to ascertain with the customer, whether the documents in the compliance package, together with other information available to the obliged entity, are sufficient to identify and verify the BO, so that the obliged entity is certain to know who the BO is. The submission of a compliance package will only be permitted if the BOs have been verified and identified by a legal professional.

103. While a lot has been done to strengthen the transparency of legal entities and arrangements, the authorities could now consider taking further efforts to enhance the transparency of foreign legal entities and arrangements. This is particularly relevant considering that the 2016 MER identifies that companies established offshore with Austrian banks are vulnerable to ML/TF.

E. Conclusions and Recommendations

104. The authorities took substantial measures to strengthen entity transparency and prevent the misuse of legal persons and arrangements. A number of important measures have been introduced to increase the transparency of the Treuhänd arrangements. All these developments are important achievements. To build upon this progress, the authorities are recommended to:

  • Continue to pursue the effective implementation of all the recent measures that are aimed at enhancing the transparency of Treuhänd arrangements, including in the operation of legal arrangements.

  • Ensure that there is a legal requirement for trustees (or equivalent persons) to hold information on the regulated agents or service providers to the trusts.

  • Ensure proper and timely implementation of the CDD obligations by lawyers, notaries, and accountants to implement mitigating measures to address the potential ML/TF risks with respect to company formation and real estate transactions.

  • Ensure that associations are legally required to maintain a list of their members.

Virtual Assets and Virtual Assets Service Providers

A. Overview and Recent Change Introduced in the Legal Framework

105. The authorities are aware of the ML/TF risks presented by crypto-based assets and have undertaken a number of initiatives. The goal was to better understand the risks involved in crypto-assets. The authorities have undertaken a number of empirical studies to quantify and assess potential risks and criminal activities involving crypto-assets. The review concluded that crypto-asset mining is strongly centralized and controlled by few real-world actors residing outside the EU.19

106. Austria considers the use of Bitcoin as a high ML risk. The 2015 NRA concluded that “Bitcoin poses a high-risk in terms of ML since the issue has come up during drug investigations and the authorities lack knowledge on the extent of the phenomenon”.

107. A joint Austrian-German project called “Bitcrime” was undertaken. The purpose was to gain a better understanding of the risks arising from the use of virtual currencies and provide tailor-made solutions. The project was concluded in 2017. It was one of the first research projects in the field of cryptocurrencies with the goal of developing forensic methods for identifying financial transactions and studying the anonymity property of cryptocurrencies. As a consequence of this, GraphSense”, which is an open source transaction analysis platform for cryptocurrency transaction ledgers, was developed and further implemented.

108. An international project called “TITANIUM”20 has been set up by the Ministry of Interior. The goal was to detect various kinds of criminal activities within the VA ecosystem (focus on currencies except Bitcoins) and in the darknet and develop technical solutions and tools for transaction analysis in the VA system, including forensic tools.

109. At the national level a number of additional initiatives have been initiated. The authorities informed that Austrian research organizations and policy makers are already investigating methods and solutions for the analysis of “criminal transactions in post-Bitcoin Cryptocurrencies (VIRTCRIME21), such as Monero or ZCash”. Similarly, research institutions and government institutions are defining a research agenda for enhancing the understanding in token system and take proactive action to mitigate the risks.

110. The authorities continue to assess the ML/TF risks involved in VAs. As part of the update to the NRA, which is underway, the authorities plan to revise and provide an assessment of the risks arising from VAs. This in turn, will help the authorities continue to take appropriate measures to mitigate the risks. The update is expected to be finalized by the beginning of 2020. The FMA has been very active in this area and participated in a number of workshops with the Austrian Institute of Technologies and the Research Institute for Cryptoeconomics. 22 The FMA is a cooperation partner of the Austrian Blockchain Center.

111. The FMA23 has been taking steps to assess the size of the VA industry as well as collecting information regarding the main types of VASPs operating in Austria. The authorities informed that in 2018 there were a number of inquiries to the FMA regarding services related to VAs. Compared to 2018, there was an increase in enquires regarding Initial Coin Offerings (ICOs), Bitcoin trading, and mining models. Due to its FinTech contact point, the FMA is aware of some forms of VA-related activities conducted in Austria (i.e., “VA-ATMS” or “VA Exchange Platforms”). To mitigate the risks, the FMA has issued a letter to banks to inform them of the higher risks involved in VAs and the risk factors that should be taken into consideration. The FMA has informed that a license in accordance with the Payment Services Act24 was granted to a company whose only customer is a VASP. The licensed company offers payment services and is a subsidiary of a future VASP, which offers trading with VAs.

112. The FMA informed that the main VA-related activities conducted in Austria are trading in crypto-assets from and to fiat money via VASPs inside and outside Austria. Similarly, trades within the crypto-asset eco system are relevant in addition to the activity of crowdfunding related to ICO and STO. The FMA informed that some forms of VA-related activities conducted in Austria are: VA-ATMs, or VAs Exchange Platforms.

113. The National AML/CFT Committee, which became operational in January 2017, is the mechanism in place for ensuring coordination and cooperation amongst relevant AML/CFT stakeholders on VA and VASPs issues. As reported by the authorities, the committee, which is also in charge of overall coordination on AML/CFT policies is comprised of all the relevant policy makers, including the VA industry.

114. VAs fall within the scope of ML/TF offences and the existing provisions on seizing, freezing, and confiscation of assets. The relevant provisions under the Criminal Code (Arts. 165 and 278) cover all assets, including virtual. Similarly, VAs fall within the scope of existing provisions on seizing, freezing, and confiscation of assets related to a crime including TF and targeted financial sanctions related to TF and PF (under the Criminal Code). The authorities informed that VA have been successfully seized, frozen, and confiscated.

115. The mechanisms for mutual legal assistance and international cooperation apply in the context of VA as reported by the authorities. The authorities informed that if the issue is within the FMA’s supervisory competence, the FMA provides international cooperation to the maximum extent possible. There have already been international requests for cooperation regarding the activities of VASPs operating in Austria but licensed elsewhere. There is international cooperation involving VASPs, and law enforcement authorities are also cooperating through Europol and Interpol. International cooperation in cases involving VAs has been provided and requested.

116. The FM AML Act has recently been amended to transpose the 5AMLD into national legislation. The amendment will enter into force in January 2020. The Act assigns the FMA the responsibility over the registration and monitoring of VA/VASPs, which are obliged entities under the FMA AML Act and therefore subject to all AML/CFT obligations. The various categories of VASPs defined by the FATF will be subject to the AML/CFT framework. Art. 2 para. 21 and 22 defines virtual currencies and providers in relation to virtual currencies in line with the FATF definition.25 Providers in relation to virtual currencies are considered obliged entities pursuant to Article 1.

117. The FM AML Act requires VASPS to be registered at the FMA. According to Article 32, “where a provider pursuant to Article 2, para. 22 intends to carry out an activity in Austria, or to offer its activities from Austria, then it shall apply to the FMA for a registration and submit the required documents.” The registration period started on October 1 and will become mandatory on January 10, 2020. Anyone who “provides services in relation to virtual currencies pursuant to Article 2, 22 without the necessary registration pursuant to Article 32 a, para1, commits an administrative offence punishable with a fine of up to EUR 200,000.”

118. There is legal uncertainty as to how the registration/licensing requirements will operate across members states. Currently the EU passporting regime system for banks and financial services companies enables firms that are authorized in any EU or EEA state to trade freely in any other country with minimal additional authorization (travel rule). In the area of VAs/VASPs, there is no single license principle yet, and as such, the industry has expressed lack of clarity as to how the registration and licensing authorization will operate when the VASPs offers products and services in more than one jurisdiction. The authorities confirmed that if a foreign VASP offers services and products to Austrian citizens, a registration should be obtained.

119. FMA is working towards building adequate expertise and developing the supervisory tools that are required to monitor and supervise VASPs. Proactive and early engagement with those providers already providing the service in Austria will help the FMA develop and enhance the required knowledge and expertise for regulating and monitoring this industry. The FMA informed that as part of its inspection plan for 2020 it will put a thematic focus on VAs/VASPs in order to monitor the implementation of the AML/CFT obligations. Given the cross-border nature of VASPs activities and provision of services, international cooperation between the FMA and other supervisory agencies will be needed.

120. There is currently low level of data and there is no clarity as to how many providers would be interested in applying for the registration. The FMA has knowledge that 12 local companies are providing VA related services, but there is no concrete data with respect to VASPs licensed abroad but offering products and services in Austria. The authorities consider that VASPs licensed abroad are active in Austria. Collecting reliable data on the main players and different activities conducted is essential. It is also important for the FMA to foster close dialogue with the VA providers seeking to obtain the registration to help them understand their AML/CFT obligations and how they can effectively comply with these requirements.

121. The FMA should be provided with sufficient resources, both human and technological, to enable timely and effective monitoring of VASPs. The new responsibilities assigned to the FMA with respect to VA activities will demand additional work and resources. The FMA is already stretched in terms of human resources allocated to AML/CFT supervision given the large number of FIs under its purview. Similarly, there are currently no information technology systems or tools to monitor developments in this area. The complexity of the transactions due to technological sophistication requires proper information technology solutions and tools as well adequate skills to ensure proper monitoring. Therefore, the skills of staff monitoring VA related activities and VASPs will take time to build.

B. Conclusions and Recommendations

122. Significant progress has been made in strengthening the AML/CFT framework in line with the recently revised standard applicable to VAs and VASPs. Efforts should continue to ensure proper implementation of the recently adopted AML/CFT framework for VA/VASPs. Going forward, and in the short term, the authorities are advised to focus on the following:

  • Monitor developments closely, specifically on the growth of the VAs/VASPs to ensure that ML/TF risks are properly considered and addressed on time. When updating the 2015 NRA, further consideration should be given to further understanding the ML/TF risks associated with VAs and VASPs.

  • Foster close cooperation and dialogue with the industry to understand their concerns and challenges in adjusting their systems and or developing the necessary controls to ensure compliance with the AML/CFT obligations.

  • Allocate sufficient resources both human and technological, to enable timely and effective monitoring of VAs/VASPs and provide the necessary support to build in-house knowledge and expertise to properly monitor VASPs.

  • Ensure a thematic focus on VASPs during the next inspection plan for 2020 in order to monitor the implementation of the new AML/CFT obligations.

1

This note was prepared by Carolina Claver (IMF’s Legal Department). It reflects the findings and discussions during the September 2019 FSAP mission to Austria.

2

Eight Recommendations that had been rated partially compliant, were upgraded to largely compliant. Recommendations that had been rated as low compliant were upgraded to compliant. The report also analyzed Austria’s progress in implementing new requirements relating to FATF Recommendations which have changed since Austria’s assessment (R. 5 and R. 8).

3

Virtual currencies: a digital representation of value that is not issued or guaranteed by a central bank or public authority is not necessarily attached to a legally established currency and does not have a legal status of currency or money but is accepted by natural persons as means of exchange and which can be transferred, stored and traded electronically.

4

In 2018 the Law amending the Limited Liability Company Act and the Notarial Code (founding of a company by electronic notarial act) was passed and entered into force in January 2019.

5

New provisions to clarify the restrictions of lawyers/civil notaries to engage third parties for certain tasks, risk-based approach to AML/CFT supervision, among others.

6

Except for significant institutions (SIs), which are directly exercised by the ECB, all other Austrian banks are subject to a dual-oversight by the Austrian National Bank and the FMA. The ECB as prudential supervisor of SIs in the Euro Area is not the competent authority for AML/CFT issues However, under the new legislative banking package “CRD V” Regulation EU 2019/876 and Directive (EU) 2019/878), once implemented, competent supervisory authorities (including the ECB) are required to better factor AML concerns into their prudential assessments. In particular, competent supervisory authorities are now required to take into account AML/CFT risks in relation to, among others, withdrawals of authorizations, fit and proper assessments, licensing procedures and in the context of the supervisory review and evaluation process of credit institutions.

7

Although the FMA is responsible for the entire population of financial institutions as defined by the FATF, the focus of this TN would be to address all relevant issues pertaining to AML/CFT banking supervision.

8

The rest of the pecuniary fines are in the range of EUR 600 to EUR 200,000.

9

CESEE countries include: Albania, Belarus, Bosnia and Herzegovina, Bulgaria, Croatia, Czech Republic, Estonia, Hungary, Kosovo, Latvia, Lithuania, Macedonia, Moldova, Montenegro, Poland, Romania, Russia, Serbia, Slovak Republic, Slovenia, Turkey, and Ukraine.

10

A complaint filed in March 2019 about potential ML activity by Raiffeisen Bank led to a 13 percent share price fall. Other Austrian banks (i.e., Hypo Vorarlberg Bank) were also mentioned in the Panama Papers.

11

FMA takes into account the direct applicable Delegated Regulation (EU) 2019/758 dated January 2019 (RTS) from the European Commission, which described the type of actions that credit institutions and FISs must put in place to mitigate the ML/TF risks in certain third countries.

12

The list of third countries with Austrian branches/subsidiaries with which the FMA has an MOU regarding credit institutions are: Bosnia and Herzegovina, Russia and Switzerland (Austrian branches and subsidiaries are present here). The list of third countries with Austrian branches/subsidiaries without an MOU: Albania; Belarus; Serbia; Kosovo; Montenegro; North Macedonia; Moldova; and Ukraine.

13

Austrian Chamber of Commerce,14 the Founder’s Service of the Chamber15 and the HELP-service of the Federal Government.

14

Recommendation 22 was rated from partially compliant to largely compliant.

15

This does not apply to federal, regional, and municipal authorities that can get excerpts from the Company Register for free.

16

BGBl. I No. 136/2017

17

The 5AMLD entered into force on July 9, 2018 and member states are obliged to transpose the obligations into national law by latest January 20, 2020.

18

The exemption from the obligation does not apply if another person is the BO.

19

(c.f., Romiti et al (2019), A Deep Dive into Bitcoin Mining Pools: An Empirical Analysis of Mining Shares)

20

Tools for the investigation of transactions in underground markets. Project funded by the European Union.

21

Forensic Methods and Solutions for the Analysis of Criminal Transactions in Post-Bitcoin Cryptocurrencies.

22

At Vienna University of Economics and Business.

23

Responsible for the registration and monitoring over VASPs.

24

ZaDiG 2018, which transposes the PSD II into Austrian law.

25

In 2018 the FATF adopted an amendment to Rec. 15 and the Glossary in order to set out the application of the FATF Rec. to VAs. The Interpretative Note to Rec. FATF Rec. 15 was adopted in June 2019. There is currently no methodology for assessing compliance with the new standard.