Reading time: 30 minutes

NGOs and measures against money laundering and terrorist financing – changes in the law and initial risk assessment for the sector

Photo: Image generated by artificial intelligence

In May 2022, the Report on Bulgaria from the Fifth Evaluation Round of the Council of Europe’s Committee of Experts on the Evaluation of Anti-Money Laundering Measures (MONEYVAL) was published.[1]The report analyzes the implementation of the recommendations of the Financial Action Task Force (FATF) and the effectiveness of the system for preventing money laundering and terrorist financing in Bulgaria. The report also makes recommendations to our country in connection with the analysis.

With regard to the non-profit legal entities (NPLE) sector, the MONEYVAL Report on Bulgaria identifies the following problems[2]:

  • Lack of a comprehensive and in-depth assessment of the risk of abuse of the NPLE sector for the purpose of terrorist financing;
  • Lack of identification of the characteristics and types of NPOs that, due to their activities, are likely to be exposed to risks of abuse for the purposes of terrorist financing;
  • Supervisory measures are applied to all NPOs rather than to those at high risk;
  • Information provided to NPOs and financial institutions on the risks of abuse of the NPO sector for terrorist financing is limited and insufficient;

In 2023, the state authorities took measures to implement the recommendations of the Council of Europe’s Committee of Experts on the Evaluation of Anti-Money Laundering Measures:

  • In July[3] and October[4], amendments to the Anti-Money Laundering Act and the Anti-Terrorist Financing Act were adopted;
  • An updated National Risk Assessment (NRA) on money laundering (ML) and terrorist financing (TF) was adopted[5]
  • The first Risk Assessment on Terrorist Financing in the Non-Profit Sector was adopted;

In connection with the legislative changes and the adoption of the risk assessment, there have also been changes in the obligations of legal entities with respect to measures against money laundering and terrorist financing. In this regard, we answer some key questions:

  • Which legal entities are subject to the Anti-Money Laundering Act following the amendments to the law in 2023?
  • Which legal entities are required to prepare their own risk assessment?
  • Should the risk assessment be updated?
  • What are the new requirements regarding internal rules?
  • What changes have been made to the rules on customer identification?
  • What are the changes relating to beneficial owners?
  • What are the new obligations relating to the storage of information?
  • What does Bulgaria’s placement under enhanced monitoring mean for NGOs?

Which legal entities are subject to the Anti-Money Laundering Act following the amendments to the law in 2023?

With the adoption of the new Anti-Money Laundering Act (AMLA) in 2018, all legal entities with non-profit status (except religious organizations) were designated as obligated entities under the Act (Article 4, item 28). This created administrative obligations for a wide range of NPOs, contrary to the risk-based approach and the FATF definition of “non-profit organizations.”[6]

When preparing the Risk Assessment of Terrorist Financing in the Non-Profit Sector, an analysis of Bulgarian legislation was carried out to identify the categories of NPOs in Bulgaria that are excluded from the FATF definition.[7] Thus, when the first amendments to the ZMIP were considered in 2023, the BCNL advocated that this analysis be taken into account and that Article 4(28) of the ZMIP be amended. This proposal was not accepted in June, but was included in the proposal for amendments to the law made only a month later by the Council of Ministers. Ultimately, Article 4(28) of the ZMIP was amended as follows:

28. (amended – State Gazette No. 84 of 2023) non-profit legal entities with the exception of those that do not carry out charitable, religious, cultural, educational, social or socially useful activities and fall into one of the following categories regulated by a special law:

a) creative unions bringing together persons engaged in related creative activities in the field of culture, established under the Law on Non-Profit Legal Entities to protect the interests of their members and having the character of a professional organization;

b) professional and branch organizations and unions, employers’ and trade union organizations, chambers of commerce and other associations in specific economic sectors;

This means that most: tourist associations; breeding organizations (non-profit legal entities for public or private benefit); branch organizations and unions; chambers of commerce; fishing associations and hunting clubs (legal entities with non-profit status); organizations for collective management of rights under the Copyright and Related Rights Act (association); irrigation associations; employers’ organizations under the Labor Code; trade unions of workers/employees; trade unions of civil servants; national and regional associations of municipalities; professional organizations of doctors and dentists, national bureau of Bulgarian motor insurers; which have limited their scope of activity to that specified for the relevant category of legal entities in a special law are no longer subject to the ZMIP

Which legal entities are required to prepare their own risk assessment?

According to Article 98 of the ZMIP, the entities listed in Article 4 of the ZMIP shall prepare their own risk assessments to identify, understand, and assess the risks of money laundering and terrorist financing.

With regard to the legal entities subject to the MLPA under Article 4(28) of the MLPA, an exception is provided for and they must prepare an assessment in two cases:

  1. When they consider that there is a risk that their activities may be used for: money laundering or terrorist financing, concealing terrorist financing through the use of persons with legitimate purposes and activities; diverting funds intended for legitimate purposes to individual terrorists, terrorist organizations, and persons financing terrorism (see Article 98, paragraph 5 of the Money Laundering and Terrorist Financing Prevention Act);
  2. All non-profit legal entities under Article 4(28) of the MLPA with an annual turnover exceeding the amount specified in Article 98(4) of the MLPA.

Until the latest amendments to the MLPA, the annual turnover specified in Article 98(4) of the MLPA was BGN 20,000. This meant that, in practice, almost all active organizations in Bulgaria were burdened with the administrative obligation to prepare a risk assessment and adopt internal rules for the control and prevention of money laundering and terrorist financing.[9]

When considering both amendments to the ZMIP in 2023, BCNP advocated increasing the threshold from BGN 20,000 by linking it to the minimum taxable turnover at which persons are required to register under the Value Added Tax Act (currently BGN 100,000), thus avoiding the need to amend the ZMIP in the event of inflationary or economic changes. This proposal was partially accepted and, ultimately, an increase in the threshold from BGN 20,000 to BGN 50,000 was adopted without specifying in the explanatory memorandum how this amount was determined.

Thus, according to the current requirements of the ZMIP, the legal entities subject to the obligation to prepare their own risk assessment are:

Legal entities that are not excluded from the scope of the ZMIP according to the current text of Article 4, item 28 of the ZMIP AND:

A) assess that there is a risk that their activities may be used for: money laundering or terrorist financing, concealing terrorist financing through the use of persons with legitimate purposes and activities; diverting funds intended for legitimate purposes to individual terrorists, terrorist organizations, and persons financing terrorism (see Article 98, paragraph 5 of the ZMIP); OR

B) have an annual turnover exceeding BGN 50,000.

In order to prepare their own risk assessment, legal entities subject to the MLPA must use the risk assessment methodology and criteria published on the SANS website – https://www.dans.bg/bg/msip-091209-menu-bul/kritsum-mitem-bul

Should the risk assessment be updated?

According to Article 60 of the Regulations for the Implementation of the ZMIP, the risk assessment must be updated every two years. However, insofar as the internal risk assessment must reflect the results of the national and sectoral risk assessments and the Methodology and Criteria for Risk Assessment[10]published by the State Agency for National Security, the updating or adoption of a national or sectoral assessment are explicitly mentioned as grounds for updating internal assessments, it is recommended that all NCAs required to adopt an internal risk assessment update it taking into account the results of the 2023 Risk Assessment of Terrorist Financing in the Non-Profit Sector.[11]

When updating their internal risk assessments, legal entities with non-profit status should take into account the four potential threats of terrorist financing in the non-profit sector in the Republic of Bulgaria identified in the Sectoral Risk Assessment:[12]

– False representation and fictitious non-profit organizations;

– Diversion of legal funds intended for humanitarian programs;

– Abuse of programs to promote philosophies designed to encourage religious hatred and spread the ideas of a terrorist organization;

– Links to terrorist entities

As well as the following activities and their characteristics, which increase the risk of abuse of terrorist financing:

1. Carrying out activities in regions at risk of terrorism or receiving/sending funds from/to such regions;

2. Receiving/sending funds from/to regions where there is armed conflict or war or from/to third countries whose national anti-PI/FT legislation has identified strategic weaknesses;

3. Failure by religious organizations to provide information on their activities and financial transactions in a manner that can be verified by a competent authority, or the absence of such an obligation, as is the case with religious communities.

4. Raising funds through group financing (so-called crowdfunding) or the use of virtual assets.

5. Carrying out activities that require contact with persons vulnerable to radicalization or residing in regions with similar activity.[13]

What are the new requirements regarding internal rules?

All non-profit legal entities that are required to prepare an internal risk assessment must also prepare internal rules for the control and prevention of money laundering and terrorist financing (Article 101 of the AML/CFT Act). The two amendments to the AMLA in 2023 introduced some changes to the content requirements for internal rules set out in Article 101(2) of the AMLA, which also requires them to be updated. For the convenience of legal entities and in compliance with an explicit legal obligation (Article 101(5) of the AML Act), Model Internal Rules have been published on the website of the State Agency for National Security (SANS), but they have not yet been updated in accordance with the new requirements of the AML Act. It is therefore important to take into account the following additions, which should be reflected when using the Sample Internal Rules.

1) Explicit regulation of the procedure for reviewing, verifying, and evaluating the rules and procedures;

Pursuant to the amended Article 101(2)(4), the internal rules shall regulate:

the procedure for reviewing, verifying, and evaluating the rules, procedures, and requirements under this paragraph by the internal control over the performance of the obligations under point 3;

This requires the explicit establishment of a review, verification, and assessment procedure, unlike the previous requirements, which only required the establishment of a “possibility” for this form of control and supervision. It is appropriate for this procedure to be established as an addition to Article 7 of the Model Internal Rules.

2) Changes to the rules on employee training

Prior to the changes in 2023, the ZMIP required internal rules to set out rules on training for all employees of the organization. With the amendments to Article 101(2)(14), the training requirement no longer applies to all employees, but only to those employees whose duties, in the organization’s assessment, could be relevant to the control and prevention of money laundering and terrorist financing. At the same time, however, new requirements are introduced:

  • Internal rules shall lay down policies and procedures for verifying the professional competence and reliability of employees whose duties, as assessed by the organization, could be relevant to the prevention of money laundering and terrorist financing;
  • Internal rules should establish policies and procedures for the ongoing assessment of the professional competence and integrity of other employees whose duties, as determined by the organization, could be relevant to the control and prevention of money laundering and terrorist financing.

3) Clear criteria for identifying suspicious customers and suspicious transactions or operations related to money laundering, the availability of funds of criminal origin, and terrorist financing;

With the amendment to point 1 of paragraph 1 of Article 101 of the AMLA, the requirement for identifying suspicious transactions or operations is detailed, adding to those related to money laundering and terrorist financing those related to the presence of funds of a criminal nature.

This amendment will require an amendment to Chapter III “CRITERIA FOR RECOGNIZING SUSPICIOUS TRANSACTIONS OR OPERATIONS AND CUSTOMERS” of the Model Internal Rules in order to comply with the current text of Article 101, paragraph 1, item 1.

It is important to note that if, as a result of an inspection, it is found that the internal rules do not comply with the law or an act implementing it, have not been adopted by a competent authority, or the measures provided for therein are not sufficient to achieve the objectives of the law, the director of the Financial Intelligence Directorate of the State Agency for National Security shall issue instructions to the organization to remedy the identified non-compliance. The instructions shall be implemented within one month of their receipt. Within three days of compliance with the instructions, the Financial Intelligence Directorate of the State Agency for National Security shall be notified (see Article 103(8) of the ZMIP). A sanction may only be imposed if the instructions are not complied with.

What changes have been made to the rules for identifying customers?

Legal entities subject to the AMLA must identify their customers in accordance with the risk levels established by the risk assessment as part of their measures for monitoring operations and transactions in order to fulfill their obligations.[14] In the context of the activities of legal entities subject to the MLPA:

“Customer” means any natural or legal person or other legal entity that enters into a business relationship or carries out an occasional transaction or operation with the organization; the term includes natural and legal persons who are donors and beneficiaries of the NPO, as well as recipients of products and services from the NPO.[15]

This means that for some low-risk categories of customers, identification may not be necessary. For example, it is not generally necessary to identify donors when collecting donations through donation boxes or when selling goods at charity bazaars.[16] The customer identification process may affect NPOs in two cases:

  1. When an NPO is required to carry out identification in its capacity as an obligated entity under the AML/CFT Act
  2. When an NPO is a customer of another obligated entity under the AML/CFT Act (e.g., a bank) and is subject to a comprehensive check.

Following the amendments to the AML/CFT Act adopted in 2023 , the process of identifying foreign legal entities has been complicated and now requires, in addition to a reference in the relevant register under the legal entity’s file, the request and retention of a copy of the memorandum of association, an act or other documents necessary for verifying the data, as well as documentation of the actions taken to identify the person.[17] The documents referred to in the first sentence may be provided electronically if the internal rules lay down the rules for their acceptance in compliance with the requirements of the Electronic Document and Electronic Certification Services Act.

With regard to the data collected for legal entities, in addition to information on the control bodies, management and representation bodies and the type and composition of the collective management body, the specific natural persons in these bodies must also be identified:

Art. 54, para. 4 of the ZMIP: 8. (amendment – State Gazette No. 84 of 2023) the supervisory bodies, management and representation bodies, including the names of their members, and where some of the latter are legal entities or other legal arrangements – the names of the natural persons exercising control, management or representation;

9. (amended – State Gazette No. 84 of 2023) the type and composition of the collective management body, including the names of its members, and where the latter are legal entities or other legal arrangements – the names of the natural persons exercising participation in the control body;

With regard to the identification of proxies of clients who are natural persons, a new provision has been introduced (Article 53(9) of the ZMIP)[18], which more clearly regulates the obligation of proxies to identify themselves in the same manner as clients who are natural persons. In addition, the obligated entities should also request proof of their representative authority.

What are the changes related to beneficial owners?

The new Article 63a of the AMLA introduces a new procedure for registering the beneficial owner in the Commercial Register and the Register of Legal Entities and Non-Profit Organizations at the Registry Agency (RA) and the BULSTAT Register. According to this procedure, the persons obliged under the ZMIP and the administrative authorities must notify the RA within 14 days if, in the performance of their duties, they establish a discrepancy between the data they have collected on the beneficial owners of a given person and the data entered in the relevant register on the beneficial owners of that person.

Upon receipt of the notification with the documents relating to the discrepancy attached thereto, the Registry Agency shall make an entry in the file of the legal entity or other legal arrangement regarding the existence of a notification of discrepancy. The Registry Agency shall then send a written notification to the address of the registered office of the legal entity or legal arrangement entered in the commercial register and the register of non-profit legal entities or in the BULSTAT register, to the relevant legal entity or other legal arrangement, informing it of its obligation to apply for an entry of a change in the circumstances entered regarding its actual owner or to submit documents establishing the existence of the circumstances entered in the file of the legal entity or other legal arrangement. If the written notification is not received by the legal representative of the legal entity or legal arrangement or by its authorized representative, the notification shall be deemed to have been delivered upon the expiry of a one-month period from the entry of the notification of non-compliance in the file of the legal entity or legal arrangement. Within 7days of receiving or delivering the notification, the relevant legal entity or other legal arrangement shall submit to the commercial register and the register of non-profit legal entities or to the BULSTAT register an application for a change in the circumstances entered regarding its actual owner or an application for deletion of the notification of non-compliance entered for non-compliance. An explicit legal provision excludes the liability of persons obliged under the ZMIP for damages incurred in connection with a notification submitted by them.

The new procedure may affect non-profit legal entities in two cases:

  • When they are persons liable under the ZMIP, they must fulfill their obligation to notify the AV when, in the performance of their duties, they establish a discrepancy between the data they have collected on the beneficial owners of a given person and the data entered in the relevant register on the beneficial owners of that person;
  • When an obligated person under the ZMIP notifies the CA of a discrepancy between the circumstances entered regarding the beneficial owner in their file, they must fulfill their obligation to submit an application for a change in the circumstances entered regarding the beneficial owner or an application for deletion of the notification of discrepancy entered.

The amendments to the ZMIP adopted in July 2023 also introduced new requirements for the documents to be submitted when applying for the registration of circumstances related to the beneficial owner, as well as the requirement to register the type and scope of the rights held by the beneficial owners. In this regard, a new template for the declaration under Article 63(4) of the ZMIP has been adopted, which must be submitted with the application for registration and change of circumstances of the beneficial owners.

We remind you that the SANS website has published INSTRUCTIONS on the procedure for determining the natural persons who are subject to identification as beneficial owners of non-profit legal entities (NPLEs) registered under the Non-Profit Legal Entities Act (NPLEA)

What are the new obligations related to information storage?

According to Article 61, paragraph 1 of the ZYULNC, legal entities established in the territory of the Republic of Bulgaria (including YULNC) are required to obtain, possess, and provide, in the cases specified by law, accurate and up-to-date information about the natural persons who are their actual owners, including detailed data on the rights they hold.

accurate and up-to-date information on the natural persons who are their actual owners, including detailed data on the rights they hold. With the amendments to the ZMIP in 2023, an obligation was introduced for this information to be kept for 5 years after the termination of the legal entity by its: managers and representatives, liquidators and all persons other than those already mentioned who perform activities in connection with the termination of the legal entity or other legal entity.[19]

What does Bulgaria’s placement under enhanced monitoring mean for NGOs?

On October 27, 2023, the Financial Action Task Force (FATF) placed Bulgaria under enhanced monitoring.

Countries placed under enhanced monitoring work actively with the FATF to address strategic deficiencies in their anti-money laundering, counter-terrorist financing, and counter-proliferation financing regimes. When the FATF places a jurisdiction under enhanced monitoring, it means that the country has committed to quickly address the identified strategic deficiencies within the agreed timeframe and is subject to enhanced monitoring.[20]

The FATF’s work plan for Bulgaria includes the following measures:

identify the subgroup of NGOs most vulnerable to terrorist financing and demonstrate initial implementation of risk-based monitoring to prevent abuse for terrorist financing purposes. [21]

This measure is the only one directly related to the NGO sector and provides a good basis for reviewing the approach adopted in Bulgarian legislation to combat money laundering and terrorist financing with regard to non-profit legal entities. Until the adoption of the latest amendments to the AML/CFT Act, all non-profit legal entities were subject to it. Following the amendments to the AML/CFT Act, which entered into force in early October prior to the FATF report, certain categories of non-profit legal entities have been excluded in order to comply with the FATF definition of a non-profit organization. However, this approach clearly does not reflect the risk-based approach adopted by the FATF. Therefore, the BCNL will continue its advocacy work to ensure that only those categories of NPOs that have been identified through analysis as most vulnerable to the risks of abuse for terrorist financing purposes are considered obliged entities under the AMLA.

[1] See here: https://www.coe.int/en/web/moneyval/jurisdictions/bulgaria

[2] https://rm.coe.int/moneyval-2022-1-summ-bulgaria/1680a9e86d

[3] https://dv.parliament.bg/DVWeb/showMaterialDV.jsp?idMat=196883

[4] https://dv.parliament.bg/DVWeb/showMaterialDV.jsp?idMat=199877

[5] https://www.dans.bg/images/stories/FID/NOR_2023/Pr1_Syobsht_result_NOR_2023.pdf

[6] See FATF Recommendation 8: https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

[7] https://www.dans.bg/images/stories/FID/NOR/RA_NPO/Information_NPOs_izvyn_FATF_definition_bg.pdf

[8] See BCNP STATEMENT ON THE AMENDMENT TO THE ZMIP – https://www.parliament.bg/bg/parliamentarycommittees/3209/standpoint/16107

[9] Learn more in the BCNP publication: https://bcnl.org/analyses/zmip-materiali-chetvarta-chast-sobstvena-otsenka-na-riska-i-vatreshni-pravila.html

https://www.dans.bg/images/stories/FID/Primerni_vytreshni_pravila_28072020/4_Metodologia_kriterii_ocenka_risk_ULNC.pdf
https://www.dans.bg/images/stories/FID/NOR/RA_NPO/Summary_ranpo_bg.pdf

[12] https://www.dans.bg/images/stories/FID/NOR/RA_NPO/Summary_ranpo_bg.pdf

[13] See also Summary matrix for assessing inherent risk factors: https://www.dans.bg/images/stories/FID/NOR/RA_NPO/Matrix_inherent_risk_factors_bg.pdf

[14] In general, legal entities are exempt from the obligation to apply comprehensive assessment measures pursuant to Article 11(4) of the Money Laundering and Terrorist Financing Prevention Act: (4) Persons under Article 4, item 28, who do not fall simultaneously into another category of persons under Article 4, shall not apply the comprehensive verification measures, but shall take appropriate risk-based measures to monitor operations and transactions in order to fulfill their obligations under Articles 47, 72, 76, and 98 and their obligations under the Law on Measures against the Financing of Terrorism.

[15] The definition is formulated in the Model Internal Rules published by the State Agency for National Security on the basis of § 1, item 9 of the Additional Provisions of the Money Laundering and Terrorist Financing Prevention Act.

[16] Hypotheses listed as exceptions in the Model Internal Rules published by the State Agency for National Security.

[17] Article 54, paragraph 2 of the ZMIP: (2) (Amended and supplemented – State Gazette No. 60 of 2023, effective as of 14.07.2023, amended, No. 84 of 2023) The identification of legal persons and other legal entities registered in an official public commercial or company register in a Member State or in a third country under Article 27 shall be carried out by consulting the relevant register under the entry for the legal person and other legal entity, requesting and keeping a copy of the memorandum of association, deed or other documents necessary for verifying the data under paragraph 4, certified by a legal representative or proxy of the identified person, as well as documenting the actions taken to identify the person. The documents referred to in the first sentence may be provided electronically, whereby the person referred to in Article 4 shall lay down in the internal rules referred to in Article 101 the rules for their acceptance in compliance with the requirements of the Electronic Document and Electronic Certification Services Act.

[18] (9) (New – SG No. 94 of 2019, previous paragraph 8, SG No. 84 of 2023. Comparison with the previous version) Where applicable, customer identification and verification of identification data may also be carried out by means of electronic identification, corresponding certification services provided for in Regulation (EU) No. 910/2014 or by another means of electronic identification recognized by law or a qualified authentication service within the meaning of that Regulation, provided that the requirements of this Act and the regulations for its implementation regarding customer identification and verification of identification are met.

[19] Art. 67, para. 8 of the ZMIP: (8) (New – State Gazette No. 60 of 2023, effective as of 14.07.2023) Legal entities and other legal formations established on the territory of the Republic of Bulgaria, their managers and representatives, their liquidators, as well as the natural persons designated as contact persons under Art. 63, para. 4, item 3, shall be obliged to store the data and information under Art. 61, para. 1 for a period of 5 years after the termination of the legal entity or other legal arrangement. This obligation also applies to all persons other than those mentioned above who perform activities in connection with the termination of the legal entity or other legal arrangement.

[20] https://www.fatf-gafi.org/en/publications/High-risk-and-other-monitored-jurisdictions/Increased-monitoring-october-2023.html

[21] Ibid.