NGOs and measures against money laundering and terrorist financing – changes in the law and first risk assessment for the sector

AI-generated picture

In May 2022, the Report for Bulgaria of the Fifth Evaluation Round of the Council of Europe's Committee of Experts on the Evaluation of Anti-Money Laundering Measures (MONEYVAL) was published.[1] The report is an analysis of the implementation of the Financial Action Task Force (FATF) recommendations and the effectiveness of the AML/CFT system in Bulgaria. The report also makes recommendations to the country for the analysis.  

Concerning the not-for-profit (NPO) sector, the MONEYVAL Bulgaria Report identifies the following issues[2] :

• Lack of a comprehensive assessment of the risk of abuse of the NPO sector for terrorist financing purposes;
• Lack of identification of the characteristics and types of NPOs that, due to their activities, are likely to be exposed to risks of abuse for terrorist financing purposes;
• Supervisory measures are applied to all NPOs instead of those at high risk;
• There is limited and insufficient awareness of the risks of abuse of the NPO sector for terrorist financing among NPOs and financial institutions;

In 2023, public authorities took measures to implement the recommendations of the Council of Europe's Committee of Experts on the Evaluation of Anti-Money Laundering Measures:

• On July[3] and October[4], amendments to the Anti-Money Laundering Measures Act and the Terrorist Financing Measures Act were adopted;
• An updated National Money Laundering (ML) Risk Assessment (NRA) was adopted and Terrorist Financing (TF) [5]
• The first Terrorist Financing Risk Assessment of the not-for-profit sector was adopted; 

In connection with the legislative amendments and the adoption of the risk assessment, there have also been changes regarding the obligations of NPOs regarding anti-money laundering and counter-terrorist financing measures. In this regard, we answer some basic questions:

• Who are the obliged NPOs under the AML Act after the changes in the law in 2023?  
• Which NPOs are obliged to prepare their risk assessment?
• Should the risk assessment be updated?
• What are the new requirements regarding internal rules?
• What changes are there to the customer identification rules?
• What are the changes related to the actual owners?
• What are the new obligations related to information storage?
• What does putting Bulgaria under increased surveillance mean for NGOs?

 

Who are the obliged NPOs under the AML Act after the changes in the law in 2023?  

With the adoption of the new Anti-Money Laundering Measures Act (AMLA) in 2018, all NPOs (except religious organizations) have been designated as obliged persons under it (Article 4(28)). This created administrative obligations for a wide range of NPOs, contrary to the risk-based approach and the FATF definition of "not-for-profit organizations". [6]

In the preparation of the Terrorist Financing Risk Assessment in the Non-Profit Sector, an analysis of Bulgarian legislation was carried out to identify the categories of NPOs in Bulgaria that are excluded from the FATF definition.[7]Thus, when considering the first amendments to the MIPA in 2023. BCNL advocated that this analysis be taken into account and that Article 4, item 28 of the MIPA be amended[8]. This proposal was not accepted in June, but was included in the proposal for changes to the law made only a month later by the Council of Ministers. In the end, Article 4(28) of the MLIPA was amended as follows:

28. (amend. – SG 84/2023) the non-profit legal entities, except for those that do not perform charitable, religious, cultural, educational, social, or useful for the society activities and fall into any of the following categories, regulated in a special law:

a) creative unions, uniting persons carrying out related creative activities in the field of culture, established under the Non-Profit Legal Entities Act to protect the interests of their members and having the character of a professional organization;

(b) professional and branch organizations and unions, employers and trade union organizations, chambers of commerce, and other associations in particular business sectors; 

This means that most: Tourist associations; breeding organisations (NPOs for public benefit or private benefit); branch organisations and unions; chambers of commerce; fishing associations and hunting clubs (NPOs); collective rights management organisations under the CPLA (association); irrigation associations; employers' organisations under the Labour Code; trade unions of workers/employees; trade unions of civil servants; national and regional associations of municipalities; trade unions of doctors and dentists, national bureau of Bulgarian motor insurers; which have limited their object of activity to that defined for the respective category of NPOs in a special law are no longer obliged persons under the MIPA 

 

Which NPOs are obliged to prepare their risk assessment?

Under Article 98 of the MLIA, the obliged persons listed in Article 4 of the MLIA shall prepare their risk assessments to identify, understand, and assess money laundering and terrorist financing risks. About obliged NPOs under Article 4(28) of the MLPC Act, an exception is provided and they should prepare an assessment in two cases:

1. Where they consider that there is a risk of their activities being used for: money laundering or terrorist financing; concealing the financing of terrorism through the use of persons with legitimate purposes and activities; diverting funds intended for legitimate purposes to individual terrorists, terrorist organizations, and persons financing terrorism (see Article 98(5) of the MLIA);
2. All NPOs under Article 4, item 28 of the MIPA with an annual turnover exceeding the amount specified in Article 98, paragraph 4 of the MIPA.

Until the recent amendments to the MIPA, the annual turnover amount set in Article 98(4) of the MIPA was BGN 20,000. This meant that in practice almost all active organizations in Bulgaria were charged with the administrative obligation to prepare a risk assessment and to adopt internal rules for the control and prevention of money laundering and terrorist financing.[9]

In considering both amendments to the MIPA in 2023. The BCNP advocated for an increase in the threshold of BGN 20,000 by linking it to the envisaged minimum taxable turnover at which the obligation arises for persons to register under the Value Added Tax Act (currently BGN 100,000), and thus avoid the need to amend the MIPA in the event of inflationary or economic changes. This suggestion was partially accepted and an increase in the threshold from BGN 20 000 to BGN 50 000 was eventually adopted without any indication in the reasoning as to how this amount was determined. 

Thus, according to the current requirements of the MLIA, the obliged to prepare their risk assessment are:

NGOs that are not excluded from the scope of the MIPA according to the current text of Article 4(28) of the MIPA AND:

(A) consider that there is a risk that their activities could be used for: money laundering or terrorist financing; concealing terrorist financing by using persons with legitimate purposes and activities; diverting funds intended for legitimate purposes to individual terrorists, terrorist organizations, and terrorist financiers (see Article 98(5) of the MLIA); OR

B) have an annual turnover exceeding BGN 50 000. 

To prepare their risk assessment, NGOs should use the Risk Assessment Methodology and Criteria published on the SANS website – https://www.dans.bg/bg/msip-091209-menu-bul/kritsum-mitem-bul. 

 

Should the risk assessment be updated?

Under Article 60 of the Regulations for the Implementation of the MIPA, the risk assessment must be updated every two years. However, since the internal risk assessment must reflect the results of the national and sectoral risk assessments and the Methodology and Criteria for Risk Assessment[10] published by the SANS explicitly mentions the update or adoption of a national or sectoral assessment as grounds for updating internal assessments, it is recommended that all NPOs obliged to adopt an internal risk assessment update it taking into account the results of the 2023 Terrorist Financing Risk Assessment of the sector of organizations with an[11]

When updating their internal risk assessments, NPOs should take into account the 4 likely terrorist financing threats identified by the Sector Risk Assessment in the not-for-profit sector in the Republic of Bulgaria:[12]

– False representation and fictitious non-profit organizations;

– Diverting legal funds intended for humanitarian programs;

– Misuse of programs to promote philosophies designed to promote religious hatred and spread the ideas of a terrorist organization;

– Links to terrorist entities

As well as the following activities and their characteristics that increase the risk of abuse by terrorist financing:

1. Carrying out activities in regions at risk of terrorism or receiving/sending funds from/to such regions; 

2. Receiving/sending funds from/to regions in armed conflict or war or from/to third countries with identified strategic weaknesses in their national IP/TF framework; 

3. Failure of religious organizations to provide information on their activities and financial transactions in a manner that can be verified by the relevant competent authority or the absence of an obligation to do so, as is the case with religious communities. 

4. Raising funds through crowdfunding or using virtual assets. 

5. Carrying out activities that require contact with persons vulnerable to radicalization or residing in regions with such activity.[13]

 

What are the new requirements regarding internal rules?

All NPOs that must prepare an internal risk assessment should also prepare internal rules for the control and prevention of money laundering and terrorist financing (Article 101 of the MLIA). The two amendments to the AML/CFT Act in 2023 introduced certain changes to the content requirements of the internal rules referred to in Article 101(2) of the AML/CFT Act, which also require their updating. For the convenience of NPOs and in fulfillment of an explicit legal obligation (Article 101(5) of the MIPA), Model Internal Rules have been published on the website of the SANS, but have not yet been updated by the new requirements of the MIPA. It is therefore important to take into account the following additions to be reflected when using the Model Internal Rules. 

1) Explicitly regulate the procedure for review, verification, and evaluation of rules, and procedures;

Under amended Article 101, paragraph 2, item 4, the Internal Rules shall regulate:

the procedure for review, verification, and evaluation of the rules, procedures, and requirements under this paragraph, by the internal control over the implementation of the obligations under paragraph 3;

This requires an explicit provision for a review, inspection, and evaluation procedure, as opposed to the previous requirements, which only required the provision of an "opportunity" to carry out this form of control and supervision. It is appropriate to regulate this procedure as an addition to Article 7 of the Model Internal Rules.

2) Changes to the rules for staff training

Before the 2023 changes, the MIPA required that the bylaws address training rules for all employees of the organization. With the changes to Article 101(2)(14), the training requirement no longer applies to all employees, but only to those employees whose duties, in the organization's judgment, could be relevant to the control and prevention of money laundering and terrorist financing. At the same time, however, new requirements are introduced:

• Policies and procedures should be set out in the internal rules for the verification of professional competence and reliability when recruiting staff whose duties, in the organization's judgment, could be relevant to the control and prevention of money laundering and terrorist financing;
• Policies and procedures for the ongoing assessment of the professional competence and reliability of other employees whose duties, in the organization's judgment, may be relevant to the control and prevention of money laundering and terrorist financing should be set out in the internal rules;

 

3) Clear criteria for identifying suspicious customers and suspicious transactions or transactions related to money laundering, the presence of funds of criminal origin, and terrorist financing;

The change in para. 1, Art. 101 of the MLIPA details the requirement to identify suspicious transactions or operations by adding to those related to money laundering and terrorist financing and also those related to the presence of funds of a criminal nature.

This change will require a revision of Chapter III "CRITERIA FOR RECOGNITION OF SUBSTANTIAL OPERATIONS OR DEALINGS AND CLIENTS" of the Model Internal Rules to comply with the current text of Art. 1, т. 1.

It is important to be aware that if, as a result of an inspection, it is found that the internal rules do not comply with the law or an implementing act, have not been adopted by a competent authority, or the measures provided for therein are not sufficient to achieve the objectives of the law, the Director of the Financial Intelligence Directorate of the State Agency "National Security" must give the organization instructions to eliminate the identified non-compliance. The instructions shall be implemented within one month of receipt. The Financial Intelligence Directorate of the State Agency for National Security shall be notified within three days of the implementation of the instructions (see Article 103(8) of the MIPA). A sanction may only be imposed if the instructions are not complied with. 

 

What changes are there to the customer identification rules?

The obliged SMFIs under the MIPA should carry out the identification of their clients by the risk levels established by the risk assessment as part of measures to monitor operations and transactions to comply with their obligations.[14] In the context of the activities of NPOs:

 A "client" is any natural or legal person or other legal entity that enters into a business relationship or carries out a casual transaction or deal with the organization; the term includes natural and legal persons who are donors and beneficiaries of NPOs, as well as recipients of products and services from NPOs.[15]

 

This means that some low-risk categories of customers may not require identification. For example, donor identification is generally not required when collecting donations through donation boxes or when selling goods at charity bazaars.[16] The customer identification process may affect NPOs in two cases:

1. Where an NPO is required to identify itself as an obliged person under the MIPA
2. Where the NPO is a client of another obliged person under the MIPA (e.g. a bank) and is subject to due diligence. 

Following the amendments to the MIPA adopted in 2023, the process of identification of foreign legal entities has been complicated and now requires, in addition to a reference to the relevant register on the account of the legal entity, the requirement and retention of a certified copy of the memorandum, deed or other documents necessary to verify the data, as well as documentation of the actions taken on the identification.[17] The documents referred to in the first sentence may be provided electronically if the internal rules lay down the rules for their acceptance, subject to the requirements of the Law on electronic documents and electronic certification services.

 

As regards the data to be collected on legal persons, it is now required that in addition to information on the control bodies, the management and representation bodies, and the type and composition of the collective management body, the specific natural persons in those bodies are also identified:

Article 54, paragraph 4 of the MIPA: 8. (suppl. – SG 84/2023) the control bodies, the bodies of management and representation, including the names of their members, and where some of the latter are legal persons or other legal entities – the names of the natural persons exercising control, management or representation;

9. (suppl. – SG 84/2023) the type and composition of the collective management body, including the names of its members, and in case the latter are legal persons or other legal entities – the names of the natural persons exercising the participation in the control body;

About the identification of proxies of clients – natural persons, a new provision (Article 53, paragraph 9 of the MIPA)[18] is provided, which more clearly regulates the obligation for proxies to identify themselves in the same manner as clients – natural persons. In addition, obliged entities should also require proof of their representative authority.

 

What are the changes related to the actual owners? 

The new Article 63a of the MIPA established a new procedure for the registration of the beneficial owner in the Commercial Register and the Register of Non-Profit Entities at the Registry Agency and the BULSTAT Register. According to it, the persons obliged under the MIPA and the administrative authorities should notify the AB within 14 days, when in the performance of their duties they find a discrepancy between the data collected by them on the beneficial owners of a person and the data entered in the relevant register on the beneficial owners of the same.

Upon receipt of a notification with attached documents relevant to the identified discrepancy, the Registry Agency shall make an entry regarding the existence of a notification of discrepancy in the account of the legal person or other legal entity. Thereafter, the AB shall send written notification at the registered office address of the legal person or legal entity entered in the Commercial Register and the Register of Non-Profit Legal Entities or in the BULSTAT Register to the legal person or other legal entity concerned of the obligation to apply for registration of a change in the registered circumstances concerning its beneficial owner or to submit documents establishing the existence of the registered circumstances on the account of the legal person or other legal entity. If the written notification is not received by the legal representative of the legal person or legal entity or by its attorney, the notification shall be deemed to have been served on the expiry of a period of one month from the date of entry of the existence of the notification of non-compliance in the account of the legal person or legal entity. Within 7 days from the receipt or service of the notification, the legal person or other legal entity concerned shall apply to the Commercial Register and the Register of Non-Profit Legal Entities or to the BULSTAT Register for a change of the registered circumstances concerning its beneficial owner or the deletion of the registered notification of non-compliance. An explicit legal provision excludes the liability of the persons obliged under the MIPA in respect of damages arising in connection with a notification submitted by them.

The new procedure may affect NPOs in two cases:

• Where they are obliged under the MIPA, they should comply with their obligation to notify the AB when, in the performance of their duties, they find a discrepancy between the data collected by them on the beneficial owners of a person and the data entered in the relevant register on the beneficial owners of the same;
• Where a person liable under the MIPA notifies the AB of a discrepancy in the registered circumstances of a beneficial owner on their account, to comply with their obligation to apply to amend the registered circumstances of their beneficial owner or to apply for the registered discrepancy notice to be cancelled.

The amendments to the MIPA adopted in July 2023 also introduced new requirements for the applicable documents when requesting the registration of circumstances related to the beneficial owner as well as the requirement to register the type and volume of rights held by the beneficial owners. In this regard, a new model of the Declaration under Article 63(4) of the MIPA, which shall be submitted with the application for registration and change of circumstances of the beneficial owners, has been adopted.   

We remind you that on the website of the SANS are published the INSTRUCTIONS for the procedure for determining the natural persons who are subject to identification as the beneficial owners of the non-profit legal entities (NPOs) registered under the Non-Profit Legal Entities Act (NPOA).

 

What are the new obligations related to information storage?

According to Art. 61, par. 61 (1) of the Law on Legal Entities of the Republic of Bulgaria, legal entities established on the territory of the Republic of Bulgaria (including NGOs) are obliged to obtain, have, and provide in the cases determined by law appropriate, accurate and up-to-date information on the natural persons who are their beneficial owners, including detailed data on the rights they hold. The amendments of the MIPA in 2023 introduced an obligation to keep this information for 5 years after the dissolution of the legal entity by its: managing and representing persons, liquidators, and all persons other than those already mentioned, carrying out activities in connection with the dissolution of the legal entity or other legal entity.[19]

 

What does putting Bulgaria under increased surveillance mean for NGOs?

On 27.10.2023, the Financial Action Task Force (FATF) placed Bulgaria under enhanced surveillance. 

Countries placed under enhanced surveillance are actively working with the FATF to address strategic deficiencies in their AML/CFT regimes. When the FATF places a jurisdiction under enhanced monitoring, it means that the country has committed to quickly address the identified strategic deficiencies within the agreed timeframe and is subject to enhanced monitoring.[20]

The FATF's disseminated plan for dealing with Bulgaria includes a measure:

Identify the subset of NGOs most vulnerable to terrorist financing abuse and demonstrate the initial implementation of risk-based monitoring to prevent abuse for terrorist financing purposes. [21]

This measure is the only one directly related to the NGO sector and is a good basis for reviewing the approach adopted in the Bulgarian legislation to counter money laundering and terrorist financing of non-profit legal entities. Until the adoption of the recent amendments to the MLIPA, all NPOs were obliged subjects under it. Following the changes to the AML Law that came into force in early October before the FATF announcement, certain categories of NPOs are now excluded from complying with the FATF definition of a non-profit organization. However, this approach does not follow the logic of the risk-based approach adopted by FATF. Therefore, BCNL will continue its advocacy work to consider as obliged entities under the MIPA only the categories of NPOs that, based on analysis, are identified as most vulnerable to risks of abuse for terrorist financing purposes.