5 Risk Factors and Information Collection and Documentation

The risk* attached to a business relationship results from several factors related to the client’s identity, activity, and geography, as well as the current or anticipated product usage, transactional profile and delivery channel. The presence of PEPs, sanctions, financial security incidents and adverse information also impacts the risk level and requires specific attention.

* Unless otherwise indicated, in this policy, this term refers to financial security risks.

The collection of information and documents aims at:

  • Identifying the client, its UBOs and other related persons.
  • Understanding the client’s activity and the nature and purpose of the business relationship.
  • Detecting risk factors in order to feed the risk assessment system.

This exercise is not limited to financial security topics: in order to improve operational efficiency and the client experience, this collection is extended to information and documents related to tax, client interest protection, corporate and social responsibility and market integrity.

The precise nature of required information and supporting documents depends on the client’s segment. The BUs’ standard operating procedures must provide a local definition of the documents considered valid in their location.

When supporting evidence is required, electronic documents provided by the client are accepted as an alternative to original paper documents, as long as there is no doubt as to the probative value of the original document, and as to the source and the integrity of the document*.

* Local regulation may impose more stringent rules, to be confirmed at the BU location level.

Information and documentation must be updated prior to recertification.

5.1 Identification

The identification and verification requirements are defined in the COMPENDIUM and the segment-based policies. Any required document must be included in the KYC file.

5.1.1 Client

The client must be identified, and this identity must be verified in all cases by means of an official document (identity document for a natural person or incorporation and/or registration document for an entity). Valid documents must be defined at the BU location level.

In the absence of a face-to-face meeting between the client, or the natural person who represents it, and the BU (or an intermediary duly authorized to perform identification checks), at least two of the following measures must be taken, except if the identity has been verified via an electronic identification means presenting a high level of assurance*:

  • Collecting an additional official document confirming the client’s identity.
  • Having the identity document or registration evidence confirmed by an independent third-party.
  • Recording a first payment from or to an account held in the client’s name in a bank situated in a Recognized Equivalent Country.
  • Having the client’s identity confirmed by a bank situated in a Recognized Equivalent Country.
  • Using an electronic identification means presenting a substantial level of assurance.
  • Obtaining an advanced or qualified electronic signature or seal by means of a qualified certificate bearing the identity of the signatory or seal creator and delivered by a qualified trust service provider.
* See the EU “eIDAS” regulation n°910/2014 dated 23 July 2014 that sets out rules for electronic identification and trust services, or equivalent.

5.1.2 Ultimate Beneficial Owners (UBO)

The following definitions set forth the minimum requirements for identifying UBOs. Local regulations may require that different or additional persons be identified as UBOs.

Ultimate Beneficial Owner: Any natural person who directly or indirectly controls the client, or on whose behalf a transaction or a business activity is being conducted.

The client is: A natural person
The UBOs are: The UBO concept does not apply to natural persons, with exceptions:
  • Legal representatives of minors and incapacitated adults must be considered UBOs.
  • If there is any reason to suspect that the client is a straw man (a person whose identity is being used to conceal the true ownership interest of another person) and will not actually control the activity, Compliance must be informed and further inquiry or investigation must be made.

The client is: A corporate
The UBOs are: All natural persons meeting any one of the following criteria:
  • They own, directly or indirectly, 25% or more of the share capital or voting rights (10% or more for HR clients).
  • They exercise by any other means a control over the management bodies of the company or the general shareholders’ meeting*.

If no UBO meets the aforementioned criteria, at least one senior managing official of the company (§5.1.3.1) must be considered UBO and identified**.

The client is: A fund
The UBOs are: All natural persons meeting any one of the following criteria:
  • They own, directly or indirectly, 25% or more of the units or shares of the fund (10% for HR clients).
  • They exercise by any other means a control over the management bodies of the fund or the management company that represents it.

The client is: Another type of entity, a fiduciary vehicle or any other similar arrangement
The UBOs are: All natural persons meeting any one of the following criteria:
  • They own rights to 25% or more of the assets of the client (10% for HR clients).
  • They are set to become, by means of a legal act, the owners of rights to 25% or more of the entity’s assets, or of the assets transferred to a trust or any equivalent arrangement (10% for HR clients).
  • They belong to a group in whose principal interest the entity, trust, or any equivalent arrangement was incorporated or has produced its effects, when the individual beneficiaries have not been designated yet.
  • They hold any of the following positions: settlor, trustee, beneficiary, protector, nominee.

* This language refers to shareholders who do not individually own the required percentage, but who are close relatives, or who participate in a shareholders agreement or any other arrangement that provides them, together with others, with the required level of control.
** In some jurisdictions such as the US, one senior managing official must always be identified as a UBO in addition to the shareholders.

For HR clients, the UBO’s detection threshold is lowered to 10%.

5.1.2.1 Identification

When the client issues bearer shares meeting certain conditions (§2.5), BNPP must be notified whenever a 10% shareholding threshold is exceeded.

The UBOs’ detection must be based on a description of the client’s shareholding structure. Complex shareholding structures must be carefully analyzed in order to detect all UBOs, as shown in the following illustrations:

  • Natural person A owns 50% of Company B and 50% of Company C. B and C own 40% each of the Client. Therefore, A indirectly owns 40% of the Client and must be considered a UBO.
  • Natural person A owns 52% of Company B. B owns 52% of Company C. C owns 52% of Client. Although A indirectly owns only 14% of Client, A may exercise control over the Client and must be considered a UBO.

In case of multiple shareholders who do not individually exceed the detection threshold, but who are considered UBOs because they are close relatives, or they participate in a shareholders agreement or any other arrangement that provides them, together with others, with the required level of control (e.g. family-owned entities), identification is only required on selected shareholders.

  • Selected shareholders are the ones considered to have the strongest influence over client decisions, either owing to their publicly known or assumed role in the shareholders community, or because they own individually 5% or more of the shares or voting rights.
  • The identity of such selected shareholders must be verified (see below).
  • The shareholding structure must still be analyzed (equity share of the family, number of family member shareholders, intermediate legal person shareholders in case of indirect holding).

The UBOs’ identification is not required:
  • for any corporate listed on a regulated exchange in a Recognized Equivalent Country. However, the risk analysis may require collecting adequate information on the significant share- or voting rights-holders of such listed companies;
  • for Commercial Corporates owned at 75% or more by a company listed on a regulated exchange in a Recognized Equivalent Country – 90% or more for a High Risk client.

5.1.2.2 Identity verification

The UBOs’ identity must be verified as follows:

For Low Risk clients, in the absence of suspicion of money laundering or terrorism financing:
  • In France, EU member states and Recognized Equivalent Countries* where UBO registers present the same guarantees as the European registers**: Extract from the UBO public register. Failing this, see below.
  • In any other country: UBO certification form signed by the client. Failing this, official document such as annual report, articles of association, shareholders’ register or other available public source.

In any other case, including when UBOs have been detected but not reported by the client in a public register or a UBO certification form:
  • Official document such as annual report, articles of association, shareholders’ register or any other reliable independent public source.
  • Failing this, non-official document such as UBO certification form, capitalization table, description of shareholding structure, or any other reliable source, independently certified by a notary, a law firm, or any certifier authorized by local regulation.
* Country of incorporation, or country of registration for branches.
** As assessed by Local Compliance.

In case of doubt about a UBO’s identity, an individual identification document must be required and a copy must be retained.

Local regulation (such as the US’) may require a UBO certification form in all situations (with exceptions).

A UBO certification form template is provided in the COMPENDIUM.

The UBOs’ identity verification is not required, provided the client is rated LR, and there is no suspicion of money laundering or terrorist financing, for:
  • Banks, when they are regulated* in Recognized Equivalent Countries.
  • Other Financial Institutions: credit institutions, payment service providers, electronic money providers, social welfare institutions, mutual insurers, investment service providers, asset management companies, clearing and settlement institutions, central depositories, regulated investment advisors, management companies of Exchanges, when they are regulated in Recognized Equivalent Countries.
  • Insurance companies and brokers, when they are regulated in Recognized Equivalent Countries.
  • Public authorities or agencies as defined by EU law, the law of an EU member state or any international agreement to which France is a party, provided their identity is public, transparent and certain, their activities and accounting practices are transparent, and they are either responsible towards an EU institution or an EU member state, or subject to adequate control.
  • Notaries, court bailiffs or members of other independent legal professions holding accounts on behalf of third-parties when they are established in Recognized Equivalent Countries.
  • Clients whose product usage is strictly limited to a product mentioned in the regulatory list of products eligible to simplified due diligence.
If any one of these conditions is no longer satisfied, a targeted file update must be triggered.
* Regulated by the primary regulator of their country in charge of AML-CFT, excluding any other supervisory body such as self-regulatory organizations (SRO).

5.1.3 Other related persons

5.1.3.1 Senior Managing Officials (SMO)

Senior Managing Officials: The Chairman of the Board of Directors or Supervisory Board*, the CEO*, the CFO*, and possibly other natural persons that have a prominent influence on the client’s decisions – e.g. the COO* or other executives.
* Or equivalent positions.

SMOs must be identified.

When SMOs are considered UBOs, they must be included in the UBO certification form when available, and the same identification check requirement applies (§5.1.2). Alternatively, in countries where the official registration procedure includes an identity check, the BU may rely on the client’s registration document.

5.1.3.2 Directors

Directors: Natural persons or entities that are members of the Board of Directors. Members of the Supervisory Board are treated as Directors.

Directors must be identified.

When Directors are legal entities, these entities as well as the natural persons representing them must be identified.

5.1.3.3 Parent companies

Parent companies: Entities holding directly or indirectly 50% or more of the client’s shares or voting rights.

The client’s parent companies must be identified.

5.1.3.4 Authorized signatories

Authorized signatories: Natural persons that are specifically authorized by the client to operate the account(s) opened in the books of the BU, or to execute contractual commitments with the BU.

Authorized signatories must be identified and their identity must be verified. Their powers must be documented.

The identification of an Authorized signatory may be deferred until an order is received or a contract is to be signed. However, the Authorized signatory’s name must be checked against sanctions and PEPs lists, and his/her authority must be verified, prior to executing the order or the contract.

In situations where delaying the execution of an order would raise business or legal issues, the verification of the Authorized signatory’s identity may be completed after executing the order.

5.1.3.5 Legal representatives

Legal representatives:
  • Natural persons or entities that have been designated by law or judicial decision as officially representing a natural person, such as the parent of a minor or the guardian of an adult lacking legal capacity.
  • Legal entities mandated by the client to act on its behalf vis-a-vis the BNPP BU on a permanent basis (excluding occasional mandates given e.g. to law firms or certified accountants for the execution of a contract).

Legal representatives must be identified and their identity must be verified.

Natural persons representing a Legal Representative entity must also be identified, and their identity must be verified.

The parents of a minor are subject to the same due diligence measures as clients.

5.1.3.6 Guarantors

Guarantor: Natural person or an entity that agrees to be responsible for the client’s debt under a contract, if the client fails to pay or to perform.

Guarantors must be identified, and their identity must be verified.

5.1.3.7 Other types of related persons

Some products or client types may require the identification of other types of related persons, as specified in the segment policies.

5.2 Politically Exposed Persons

Politically Exposed Persons (PEP): Individuals who are or have been entrusted with prominent public functions and have significant decision-making powers.

Due to their decision-making authority or the influence they exercise by virtue of their past or present official position, PEPs present a higher risk of corruption. As such, they – as well as their families and close associates – must be subject to enhanced due diligence.

The PEP policy (CG0030) defines the applicable management rules and the comprehensive list of public functions.

Natural person clients are rated HR if they are PEPs or if their authorized signatories, legal representatives or joint account holders are PEPs. The origin of assets and funds involved in the relationship must be documented.

Entity clients are rated at least MR if their UBOs or SMOs are PEPs. The origin of funds originating from shareholders or partners who are PEPs must be checked.

PEPs as clients or as in-scope related persons of a client entity must be approved by the executive body or an authorized representative thereof (CPL0310) and by one Compliance Delegation Holder (Category 2).

New relationships with HR PEPs must be approved by two Compliance Delegation Holders (Category 3), one of whom must be a GFS Delegation Holder.

Segment policies contain further segment-specific requirements.

All names of clients and in-scope related natural persons collected during the KYC process must be checked against the PEP list, and this check must be repeated on a regular basis (CG0128).

In case of a positive match, supplemental information such as the person’s date of birth must be obtained in order to clear possible homonyms or other false positives.

All screening results must be traceable by means of a print-out of the result or an accessible audit trail included in the screening system. At onboarding and at any time in case of a positive hit, the result must be recorded in the KYC file.

5.3 Sanctions

Sanctions: The withdrawal of customary trade and financial relations for foreign and security policy purposes, imposed by national governments as well as international organizations. Sanctions may be comprehensive, prohibiting commercial activity with regard to an entire country, or they may be targeted, blocking transactions of and with particular businesses, groups, or individuals.

When a client is subject to a sanction, it is rated HR and the business relationship must generally be terminated.

When a client-related person is subject to a sanction, this client is rated HR in some cases and must be recertified in any case.

The impacts of sanctions in terms of risk level and process are detailed in the appendix (§10).

All names collected during the KYC process must be checked against the sanctions lists (CG0245), and this check must be repeated on a regular basis (CG0128):

  • Natural person client: names of client and related persons, all related cities and countries.
  • Entity client: legal and trading names*, UBOs and other related persons; parent companies and any other companies that were identified while detecting the UBOs, all related cities and countries.
* Trading names are the names commonly used to designate a firm in public communication and the media, in particular when the legal entity’s name is not well known. Trading names can be some of the brand names owned by the firm. However, the collection of all brand names is not required.

In case of a positive match on a natural person’s name, supplemental information such as the person’s date and place of birth must be obtained in order to clear possible homonyms or other false positives.

All screening results must be traceable by means of a print-out of the result or an accessible audit trail included in the screening system. At onboarding and at any time in case of a positive hit, the result must be recorded in the KYC file.

Any positive match with sanction lists must be communicated to GFS, and must be shared with the other BUs having a business relationship with the client or its parent companies.

5.4 Financial information

Financial information helps to understand the client’s business and financial situation: the extent of an individual client’s wealth, and the development pace, indebtedness and profitability of an entity, are useful data for assessing the materiality of AML risk factors.

The segment policies detail the required information for each client segment:

  • For entities: financial statements or key financial information.
  • For natural persons and Private Investment Vehicles: amounts and sources of income and wealth.

5.5 Geography

The country risk is assessed by collecting the following information, depending on the client type:

  • Country of incorporation or registration of entities.
  • Relations of any kind with MSCs.
  • Countries in or with which the client, including its subsidiaries, has its activities*.
  • Countries of nationality**, tax residence or activity of natural persons (clients and UBOs).
  • Countries to or from which financial flows are recorded.
* Depending on the client segment, activity may be measured by revenues, spending, investments, or balance sheet commitments.
** Defined as the link between an individual and a country, as usually evidenced by an identification document. This concept may be named “citizenship” in some jurisdictions.

When belonging to the following categories, countries may impact the information and documentation collection, the score, the qualitative risk assessment and the decision process.

5.5.1 Sensitive countries

Sensitive countries: Countries presenting a higher risk due to several factors such as: unstable institutions, insufficient legislation, the level of organized crime, the level of corruption, involvement in armed conflicts, the presence of oligopolies with close relationships with public authorities, the banking or business secrecy culture, the tax system.

GFS classifies countries on the basis of these factors (CG0097) on a four-level sensitivity scale: low (LS), medium (MS), high (HS) and very high (VHS)*.

* The Assessment of countries sensitivity is available on Echonet.

5.5.2 Countries in which BNPP has no presence

Pn countries: Countries where BNPP has no presence.

BNPP has limited visibility on countries in which it has no presence. These countries are classified into four categories (P0, P1, P2, P3) corresponding to four levels of business restrictions (CPL0248).

Clients are classified as HR if they are incorporated in a VHS country with no BNPP presence.

Clients are subject to enhanced due diligence measures (decision process) if they are incorporated in an HS or VHS country with no BNPP presence.

5.5.3 Major Sanctioned Countries and regions

Major Sanctioned Countries and regions (MSC): Countries and regions that are subject to comprehensive embargoes by the EU and the US, or are high risk jurisdictions for which the Group has decided to maintain the same restrictive controls (CG0233 & CG0214).

All links of any kind with MSCs – of the client, its parent companies and subsidiaries – must be documented, using the standard Major Sanctioned Countries and regions Questionnaire (MSCQ) as required by the MSCQ procedure. This procedure defines in particular:

  • The in-scope clients.
  • Exemptions and possible adaptations of the MSCQ for some client segments.
  • The conditions under which the MSCQ of the client’s parent company can be used.
  • The aggregate exposure to MSCs.
  • How to qualify the MSC risk.
  • The validity period of the MSCQ.
  • Delegation and CAC referral rules.

Whenever a client is exposed to MSCs as per its MSCQ, a quantitative and qualitative analysis of this exposure in terms of activities and countries must be performed.

Clients are classified as HR and are subject to enhanced due diligence measures if they meet one of the following criteria:
  • Client is resident in an MSC, or has 5% or more of its activity with an MSC.
  • UBO is resident in an MSC.
  • Client is a supranational organization with 10% or more of its voting rights owned by MSCs.

Whatever the risk level, any client activity with an MSC triggers Compliance’s involvement, and a CAC if such activity exceeds 1% of total client activity, including the activity of its affiliates.

5.5.4 Recognized equivalent countries

Recognized Equivalent Countries: Countries recognized by BNPP as imposing requirements equivalent to the ones imposed by the European Union and French regulations.

This equivalence allows for simplified due diligence (SDD) measures to the extent permitted by regulation*.

* The List of countries recognized as equivalent by BNP Paribas is available on Echonet.

5.6 Sectors of activity

Some business sectors present a higher risk due to several factors such as: lack of or poor regulation, the strategic importance of a business sector to a particular country and the level of control exercised by its public authorities, the level of business concentration, the complexity of the economic and financial channels used by the players, the usage of paper money.

In addition, sanctions may target specific business sectors.

GFS classifies sectors on a four-level sensitivity scale: Low Sensitivity (LS), Medium Sensitivity (MS), High Sensitivity (HS), Very High Sensitivity (VHS)*.

The business sector risk is taken into account differently depending on the client types:

  • For entities: the sector(s) in which the client – including its subsidiaries – is active.
  • For natural persons: the main sector in which the client or its employer is active.
* The List of sensitive sectors is available on Echonet.

5.7 Transactional profile

The transactional profile must be documented at onboarding, and updated at recertification or at any time in case of significant change.

At recertification, the transactional profile includes a comparison between the expected profile and the actual relationship history.

5.7.1 Nature and purpose of the business relationship

The nature and purpose of the business relationship are defined by the client’s objectives and reasons to enter into a relationship with BNPP, and the development plan at the BU’s level (§4.1).

5.7.2 Product usage

The products offered to or subscribed by the client must be identified, in order to assess their sensitivity.

GFS classifies products on a four-level sensitivity scale: Low Sensitivity (LS), Medium Sensitivity (MS), High Sensitivity (HS), Very High Sensitivity (VHS)*.

* The List of sensitive products is available on Echonet.

Product sensitivity is taken into account by different means:

  • A dedicated segment policy when corresponding to a specific product offering (e.g. investment products for Wealth Management clients).
  • Specific provisions in a segment policy (e.g. correspondent banking).
  • A dedicated format of transactional profile (e.g. cash management, trade finance).
  • A scoring criterion (e.g. products favoring anonymity)*.
* See the COMPENDIUM for a detailed mapping of the sensitive products treatment.

5.7.3 Transactions analysis

The transactional profile documents:

  • The types and order of magnitude of anticipated or actual transactions, as well as the origin and destination of funds, with specific attention paid to frequent cash transactions and international flows to and from HS and VHS countries.
  • For individual clients and private investment vehicles, the amount of assets under management (AuM)*. Such clients are usually managed within a business segment depending on the amount of AuM. AuM exceeding the threshold of the commercial segment managing the client is considered a risk factor.
* Assets under management refer to all monetary and security deposits booked in the client accounts, as well as life insurance policies subscribed with the Group, with or without an asset management mandate.

Transactional profiles are adapted to each client segment.

5.8 Financial Security incidents

Financial Security Incidents: Established cases or attempts of money laundering, terrorism financing or international sanction breach, whether or not reported to a public authority.

Financial security incidents may be detected further to alerts generated by internal transaction monitoring and filtering systems, or to administrative or judicial requests. Such incidents may lead either to the client being rated HR and recertified, a targeted file review, or termination.

The details of financial security incidents and their impact in terms of risk level and process are set out in the appendix (§10).

Financial security incidents must be recorded in the KYC file (possibly as a “flag” without further details) as and when they occur. If the presence or absence of such incidents is not established in the file, the KYC Operations team must ask local Compliance.

Multi-site clients: Such incidents must be reported to the Primary Site that initiates the recertification process, if need be.

Each financial security incident record must mention its status with regard to scoring, i.e. whether it must be taken into account when assessing the corresponding criterion. Indeed, Compliance may validate that some or all past incidents be disregarded when assessing the client’s risk.

5.9 Adverse information

Adverse information: Information of any kind and from any source that may have an adverse impact on the client’s risk level, the level of due diligence and the reputational risk*.
* “Negative news” as addressed in policy CG0245 “Guidelines for Escalating Negative News” is not in the scope of this KYC policy.

Adverse information gathered from public or other sources (including contact with the client) may disclose a significant risk factor when related to financial security, market integrity, CSR, corruption, overall business conduct, official investigations or other actions (criminal, civil or regulatory), convictions or litigation.

Searching for and analyzing adverse information is therefore an important step in the qualitative risk assessment of the client. In order to ensure a homogeneous process and to improve operational efficiency, Compliance has selected an external information provider, and provides the Businesses with detailed guidelines*.

* The Adverse Information Operational Guidelines are available on Echonet.

5.9.1 Scope

Adverse information search is generally required for all clients and related persons, with exceptions as specified in the segment policies. Client names must always be searched, including trading names and branches for entities, and aliases and maiden names for individuals.

Entities’ subsidiaries are not in scope. However, if the search on the client yields results related to subsidiaries, these results must be analyzed and, if deemed relevant, complemented with a specific search on the subsidiaries concerned.

Search must be performed at onboarding and recertification. Interim search must also be performed in case of established or suspected adverse information, or upon Compliance request.

Multi-site clients: prior to sharing information, the Primary Site must renew the adverse information search if the last one is older than three months.

5.9.2 Search period

The search period must cover information published during the last five years for new clients and new related persons, or information published since the last search for existing clients and related persons.

5.9.3 Languages

The search must cover information in the language of the BU’s location, as well as in English for any entity with international activity. Searching information in other languages may be required in cases such as non-resident individuals, border workers and border trade.

5.9.4 Analysis

Adverse information must be analyzed as per its relevance, materiality, and mitigating factors if any, and this analysis must be documented.

  • Relevance: adverse information is relevant when the client or a related person is the actual subject of the information, and not their namesakes.
  • Materiality: adverse information is deemed material depending on its nature and topic. The following lists are indicative and not exhaustive:
      o Nature: rumor, judicial investigation, indictment, conviction, confession, settlement, acquittal.
      o Topic: money laundering, terrorism financing, sanctions, corruption, fraud, tax fraud or evasion, legal or regulatory breaches (especially with regard to competition, intellectual property or internal control), market integrity infringement, issues related to corporate and social responsibility.
  • Mitigating factors: material adverse information may be mitigated by other information gathered from public sources or from the client. Examples are: evidence of fake news, well-founded denial, undertaking of corrective action, dismissal of the responsible individual, age of the facts.

    5.9.5 Reporting and filing

    The presence of material adverse information triggers Compliance’s involvement in the validation of the final risk level.

    Adverse information search results and analysis must be fully recorded in the KYC file, regardless of their relevance or materiality.

    5.10 Other risk factors

    5.10.1 Date of foundation

    Recently created firms present a higher risk level because they are not well known yet. Also, money laundering is often facilitated by the creation of ad hoc vehicles.

    The date of foundation of entities must be collected.

    5.10.2 Access to insider information

    A natural person who has access to insider information may commit an insider trading offence (CG0241), which may constitute a predicate offence to money laundering.

    This risk factor is detected from the client’s occupation or UBO or SMO position in a listed company.

    5.10.3 Introduction channel

    Intermediaries (business introducers, distributors) are subject to specific due diligence measures aimed at assessing the financial security risk (CPL0279-0280-0281). This risk is taken into account in the client risk assessment.

    The name of the intermediary must be documented and its risk level must be assessed.

    The lack of a face-to-face meeting with the client is a risk factor, except when mitigated by complementary measures. However, video-conferencing may replace a physical meeting, if not prohibited by local regulation.

    5.11 Tax regulations

    Tax regulations require Financial Institutions to identify and report information on account holders to tax authorities.

    • FATCA (Foreign Account Tax Compliance Act) requires non-US financial institutions to identify and report to the US Internal Revenue Service information on accounts held directly or indirectly by US persons.
    • AEOI (Automatic Exchange of Information) imposes a Common Reporting and due diligence Standard (“CRS”) for the identification of any accounts whose holder is Tax Resident in another Jurisdiction participating in the AEOI, and for their reporting to the tax authority(ies) of the clients’ country(ies) of tax residence.
    • QIA (Qualified Intermediary Agreement) requires BNPP entities which have signed a QIA to obtain documentation relating to the beneficial owners of the payments made (for most forms of US source income).

    As a complex set of factors determines the extent of information and the precise nature of supporting documents, this policy only presents a high-level summary of the information collection and processing tasks. These requirements apply regardless of the KYC segment. For detailed requirements, please refer to the relevant FATCA, AEOI and QI procedures (CG0198, CG0168, CG0239, CG0247, CCC0019 & CCC0020).

    5.11.1 Common Considerations

    In order to meet FATCA requirements in IGA countries* and AEOI requirements through a single document, Group Tax and CFCO (Client Fiscal Compliance Office within Compliance Advisory) have developed an integrated AEOI/FATCA self-certification form.

    * IGA countries are countries having signed an Intergovernmental Agreement (IGA) with the IRS

    To assess the reasonableness of the collected documentation, whenever a FATCA or AEOI self-certification or a W-9* file is collected, a checklist must systematically be completed. Regarding W-8 forms, use of the form W-8 checklists is compulsory for all BNPP QI entities (and recommended as a best practice for other entities – see section 5.11.3 on Qualified Intermediary). Such checklists must be filled by the relationship manager and archived along with the collected documentation.

    * Clients can be documented using IRS forms (W-9 for US clients and W-8 series forms for non-US clients)

    The FATCA and AEOI concept of substantial ownership or controlling person is generally equivalent to the Ultimate Beneficial Ownership (UBO) concept. However, the identification thresholds may be different: in IGA countries, the 25% identification threshold defined by the AML-CFT regulation generally applies, but local law may define different thresholds. In countries that have not entered into an Intergovernmental Agreement with the US, the threshold is lowered to 10%.

    New accounts cannot be opened without the mandatory documentation.

    5.11.2 Foreign Account Tax Compliance Act (FATCA)

    FATCA is part of the Hiring Incentives to Restore Employment Act, a US law of 2010 which became effective in July 2014. FATCA seeks to combat tax evasion by US taxpayers through direct and indirect ownership of offshore (i.e. non-US) financial accounts.

    The Entities required to identify their clients under FATCA are the Financial Institutions located outside the US (FATCA FFIs)*.

    * All FFIs participating in FATCA are listed on the IRS website:
    https://apps.irs.gov/app/fatcaFfiList/flu.jsf.
    The FFIs belonging to the BNP Paribas SA Expanded Affiliated Group are the ones whose GIIN starts with 1G159I.

    The type of documentation to be collected depends on whether the local Jurisdiction has signed an Intergovernmental Agreement (IGA) with the IRS and on the type of IGA (IGA Model 1 Financial Institutions report to the local Tax Authority, while IGA Model 2 Financial Institutions report directly to the IRS).

    5.11.2.1 Documentation obligations for pre-existing accounts

    Clients with accounts opened before 1 July 2014 must have been identified for FATCA purposes by 30 June 2016 at the latest. In some cases, this included collecting a FATCA self-certification or a W-8/W-9 form. See FATCA general procedure (CG0198EN) for further details.

    In Final Regulations Jurisdictions, clients that have not provided required documentation (and waiver allowing reporting for US clients) are considered as recalcitrant clients and their account should be closed within a reasonable period of time.

    In IGA Jurisdictions, it is not required to close the account of clients that have not provided required documentation, but BNP Paribas should nevertheless keep on trying to collect a self-certification or a W-series form if the client presented US indicia.

    5.11.2.2 Documents to be collected for new accounts

    Common provisions

    • In all cases, W-9 IRS forms are compulsory for all US persons.
    • W-series forms can be replaced by substitute forms*.
    • In IGA model 2 and Final Regulations Jurisdictions, the US clients and US Controlling Persons or substantial owners of Passive NFFEs client must also provide a waiver of any applicable customer privacy law for reporting purposes. The account cannot be opened without this waiver.
    • Documentation validity:
        o In IGA jurisdictions: indefinite validity of the self-certification until there is a change in circumstances regarding the status of the account holder;
        o FATCA final regulations jurisdictions: limited validity of 3 years**.
    • In all cases, Financial Institutions are required to renew FATCA documentation if they have a reason to know that any documentation collected previously is no longer valid (such as a conflict with more recent collected information).
    * Identification forms that can be developed locally by BNP Paribas. Their content is expected to be very similar to the IRS W-9/W-8 forms (e.g. translations of IRS forms into local language or reformatted IRS forms).

    ** Unless the documentary evidence contains an expiration date in which case the expiration date will prevail. Specific exceptions to the 3 year validity rule are provided for in the FATCA final regulations.

    IGA Jurisdictions

    • For Natural Persons:
        o Collect a self-certification.
        o Complete the checklist.
        o Additionally, for US clients, collect a W-9 (A US client documented with only a W-9 will be considered documented for FATCA but not for the AEOI).
        o Alternatively, for non-US clients, it is also possible to collect W-8BEN forms, although more complex. This is not advised for operational reasons (document more complex and cannot be used for AEOI) but is allowed for FATCA purposes.
    • For Entities:
        o Collect a self-certification.
        o Complete the checklist.
        o Additionally, for US clients, collect a W-9.
        o Alternatively, for non-US clients, it is also possible to collect W-8BEN-E forms, although
    • Specific cases:
        o Some non US clients with very specific FATCA status* may still be required to provide a W-8BEN-E IRS form on top of their self-certification as the FATCA self-certification does not include such statuses.
        o Non-US Entities below are not legally required to submit any FATCA documentation:
            ▪ Foreign Financial Institutions (FFI) may only provide their Global Intermediary Identification Number (GIIN).
            ▪ Companies listed on a recognized stock exchange (specific list maintained by CFCO), and their affiliates, governmental entities, international organizations, central banks and Active NFFE can be classified based on publicly available information.
        o If a client is a Passive NFFE**, the list of its Controlling Persons must be collected in their self-certification or W-8BEN-E form. Controlling Persons are not required to provide any documentation to BNP Paribas (as long as the above forms are provided by the account holder).
    * When the group FATCA & AEOI self-certification template is used, only FFIs that selected the “Other FFI” and Direct Reporting Passive NFFE must provide a W-8BEN-E in addition to their self-certification.

    ** Status as Passive NFFE is declared by the client in his Self-certification or W-8BEN-E.

    Final Regulations Jurisdictions

    • For Natural Persons:
        o US clients: Collect a W-9 form, complete the checklist.
        o Non-US clients: collect a W-8 or obtain record of documentary evidence to establish status of client.
    • For Entities:
        o US clients: Collect a W-9, complete the checklist, obtain a waiver of any applicable customer privacy law for reporting purposes.
        o Non-US clients: collect W-8BEN-E*.
    • Specific cases:
        o If a client is a Passive NFFE, the list of their substantial owners must be collected in the W-8BEN-E form.
            ▪ If the Passive NFFE has substantial US owners, this account must be treated as US reportable and the Financial Institution must obtain documentation as well as a valid and effective waiver from the US substantial owner.
            ▪ Non-US substantial owners are not required to provide any documentation to BNP Paribas.
        o Some Entities are not legally required to submit any FATCA documentation:
            ▪ Financial Institutions may instead provide their Global Intermediary Identification Number (GIIN);
            ▪ Entities publicly traded on a recognized stock exchange (specific list maintained by CFCO) can be classified based on publicly available information.
    * Some exceptions (“alternative procedure for offshore obligations”) may apply to some entities, especially Active NFFE – to be checked with local FATCA correspondent.

    5.11.3 Automatic Exchange of Information (AEOI)

    Further to the launch of FATCA by the USA, the OECD along with the G20 decided to launch the Standard for Automatic Exchange of Information (AEOI) in Tax Matters (“the Standard”).

    The Entities required to identify their clients under the AEOI are the Financial Institutions located in Jurisdictions participating in the AEOI*. Countries can join the AEOI at different dates. In Jurisdictions of the first wave (~50 Jurisdictions), the AEOI entered into force on January 1st 2016 for a first AEOI Reporting in 2017. For countries of the second wave, all deadlines are delayed by one year.

    Under the AEOI, the only form to be used to document clients is the AEOI self-certification, using either a template developed by BNP Paribas (such as the merged FATCA & AEOI self-certification) or another template (such as the BIAC AEOI self-certification template).

    5.11.3.1 Documentation obligations for pre-existing accounts

    • In countries of the first AEOI wave, pre-existing clients, i.e. clients with accounts opened before 1 January 2016, had to be identified for AEOI purposes by 31 December 2016 for high-value accounts* (HVA) and by 31 December 2017 for low-value accounts (LVA) and entities. In some cases, this included collecting an AEOI self-certification.
    • Whenever an AEOI self-certification is collected, the validity of such form must be controlled using a self-certification checklist. Such checklist must be archived along with the collected documentation.
    * Natural persons with an aggregated account balance above $1M are considered HVA.

    5.11.3.2 Documents to be collected for new accounts

    • For Natural Persons:
        o Collect an AEOI self-certification.
        o Complete the checklist.
    • For Entities:
        o Collect an AEOI self-certification (subject to exceptions below).
        o Complete the checklist.
    • Specific cases:
        o If a client is a Passive NFE, the list of its Controlling Persons must be collected in their self-certification form. Controlling Persons are equivalent to UBOs, and the threshold defined by the AML-CFT law applies.
        o By exception, some Entities are not legally required to submit an AEOI self-certification and can be classified based on publicly available information: Financial Institutions, companies listed on a recognized stock exchange (specific list maintained by CFCO) and their affiliates, governmental entities, international organizations and central banks.

    Documentation validity: the AEOI self-certification remains valid indefinitely. Still, Financial Institutions are required to renew it if they have a reason to know that any documentation collected previously is no longer valid (such as a conflict with more recent collected information).

    5.11.4 Qualified Intermediary (QI)

    The U.S. Treasury Regulations generally require that BNPP entities (notably withholding agents/payors/upstream custodians) making payments of most forms of U.S. source income (interest, dividends, and other fixed or determinable annual or periodical (“FDAP”) income) to foreign persons or U.S. non-exempt recipients obtain documentation relating to the beneficial owners of the income. Where the beneficial owners are not documented/disclosed, the regulations require that U.S. tax be withheld at the rate of 30% on U.S. source income paid to foreign persons, or at 28% in the case of backup withholding tax on U.S. source income and gross proceeds paid to U.S. non-exempt recipients subject to backup withholding (i.e. undocumented U.S. non-exempt recipients).

    5.11.4.1 Scope of application within BNPP

    The QI regime applies to all BNP Paribas Financial Institutions that elected to enter into a QI agreement with the IRS.

    5.11.4.2 Documentation obligations

    All clients that hold financial accounts with a BNPP entity which has specifically entered into a QIA with the IRS or beneficial owners of payments are subject to the regulation and must be documented and identified regardless of their KYC segment.

    • A direct account holder is any person who has an account directly with the QI and is the payee or beneficial owner.
    • An indirect account holder is any person who receives amounts from the QI but who does not have a direct relationship with the QI. The direct relationship with the QI is maintained by an intermediary.
    • An intermediary is the entity that has a direct relationship with the QI, and is the direct account holder acting on behalf of the underlying payee or beneficial owner.

    Common provisions

    • In all cases, collect a waiver if local regulation requires it in order to allow for QI reporting.
    • Whenever an IRS W-8/W-9 form is collected, the validity of such form must be controlled using the relevant checklist. Such checklist must be archived along with the collected documentation.
    • W-series forms can be replaced by a substitute form*.
    • Documentation validity: W-9 IRS forms do not expire. However, other W-8 forms usually have a 3-year validity. Still, Financial Institutions are required to renew the documentation if they have a reason to know that any documentation collected previously is no longer valid (such as a conflict with more recent collected information).
    * Identification forms that can be developed locally by BNP Paribas. Their content is expected to be very similar to the IRS W-9/W-8 forms (e.g. translations of IRS forms into local language or reformatted IRS forms).

    Documentation of Beneficial owners (direct or indirect)

    • For Natural persons:
        o US persons (US citizenship or US resident status): Collect a W-9 form.
        o Non-US persons: collect documentary evidence based on KYC if permitted by QI-KYC rules*, or collect a W-8BEN form.
    • For Entities:
        o US persons (companies incorporated in the US): Collect a W-9 form.
        o Non-US persons: rely on KYC if permitted by QI-KYC rules, or collect a relevant W-form.
        o For entities and since January 2017, the QI must inform account holders of the terms of the limitation on benefits (LOB) provisions of a treaty**.
    * If the client is documented based on KYC rules, the QI may document the client based on an attachment to the QI Agreement that lists the specific types of KYC documentary evidence for each country that is sufficient for the purposes of the QI Agreement. See List of countries whose KYC is considered sufficiently robust by the IRS and acceptable documentary evidence.

    ** These procedures are required regardless of whether the LOB provisions are provided via a treaty statement or form W-8 BEN-E. This treaty statement is not required when the account holder is an individual, government, or political subdivision. Suggested language for the treaty statement is as follows: “[Name of account holder] meets all provisions of the treaty that are necessary to claim a reduced rate of withholding, including any limitation on benefit provisions, and derives the income within the meaning of section 894 of the Code, and the regulations thereunder, as the beneficial owner”.

    Documentation of Intermediaries

    • Collect a W-8IMY IRS form.
    • Collect withholding statement from the intermediary entity if the entity is not acting as a QI assuming primary withholding responsibility or a withholding foreign partnership or trust.
    • Collect documentary evidence from each underlying payee or beneficial owner (indirect account holders).

    5.12 Swap counterparties (CFTC regulation)

    The CFTC US Swap Dealer Group Policy (CPL0259) describes the Commodity Futures Trading Commission (CFTC) regulations and requirements for BNPP Group Entities. As per this policy, swap dealers must be identified and classified.

    This policy applies to BNP Paribas SA and any entity that is directly or indirectly controlled by BNP Paribas SA, and that is entering into swap transactions in scope of the CFTC regulation*.

    * For purposes of this section, an entity (including a special purpose vehicle or joint venture), is “controlled” by BNPP (and thus a BNPP Group Entity), if BNPP directly or indirectly:
    • holds (i) 10% or more of the voting equity of such entity, or (ii) 20% or more of the total equity of such entity; or
    • holds more than one board seat of such entity (or one board seat on a board with fewer than 5 directors); or
    • has any contractual or other relationship giving BNPP or its affiliates approval or veto rights with respect to, or the right to control or determine, major policies and decisions of such entity, such as hiring, firing, and compensating executive officers (or having BNPP employees serving in a day-to-day management capacity in such entity), engaging in new business lines, raising additional debt or equity capital, merging or consolidating, or acquiring or disposing of significant assets; or
    • acts as a general partner, managing member or trustee of such entity.
    The above is intended to exclude only those relationships that are clearly outside the “control” definition. When in doubt, please contact US Legal for further analysis.

    It does not apply to BNPP Entities that are US persons trading CFTC swaps as principals. It does apply to BNPP Entities that are U.S. Persons trading swaps as agent for (i.e. are booking transactions in) other BNPP Entities.

    5.12.1 CFTC counterparty classification

    In order to determine the applicability of the CFTC’s swap requirements, each BNPP Group Entity is required to assess the CFTC counterparty classification status of each of its swap counterparties* during the onboarding process. Each swap counterparty should receive one of the following CFTC counterparty classifications:

    1. Bona Fide Foreign Branch of a U.S. Swap Dealer
    2. Emerging Market Foreign Branch of a U.S. Swap Dealer
    3. Foreign branch of a U.S. Person
    4. U.S. Person – CFTC definition differs from FATCA definition
    5. U.S. Guarantee
    6. U.S. Conduit
    7. Non-U.S. Person
    * A “counterparty” is a legal entity or natural person on-boarded for purpose of being able or allowed to enter into swap transactions with the BNPP Group Entity.

    The definitions of the counterparty classifications can be found in the BNP Paribas CFTC Swap Dealer Compliance Manual, chapter 3.3. Each counterparty should receive only one classification. If more than one classification is applicable, the correct classification is the classification higher up in the list.

    Each BNPP Group Entity must obtain its own counterparty representation for each client as the status may differ from one BNPP Group Entity to another.

    5.12.2 Obligation to obtain a CFTC counterparty classification representation during onboarding

    To ensure that all swap counterparties are accurately classified, BNPP Group Entities must obtain a written representation from each swap counterparty during onboarding prior to entering into CFTC swap transactions. In this representation, the swap counterparty represents its CFTC counterparty classification to the BNPP Entity.

    Swap counterparties must make written representations on their CFTC classification status by:

    • completing the industry-standard ISDA Cross-Border Swaps Representation Letter (“ISDA Rep Letter”) or the ISDA Cross-Border Swaps Representation Letter for U.S. Banks (the U.S. Banks ISDA Rep Letter) via the ISDA Amend platform on Markit or bilaterally; or
    • other equivalent written representations (this includes, but is not limited to, a written email from the counterparty or filling out the BNPP standard Regulatory Onboarding Questionnaire).

    For BNP Paribas SA, all CFTC classification status information must be stored in the central client referential database (CRDS). Other BNPP Group Entities must reflect the counterparty representations in their own client management database.

    5.12.3 “Red Flag” check of the received CFTC counterparty representation

    BNPP Group Entities may not rely on a counterparty representation if they have information that would cause a reasonable person to question the accuracy of the representation (“red flags”). In the event of a misclassification, the BNPP Group Entity may be held liable if it failed to exercise due diligence or ignored red flags. BNPP Group Entities must therefore verify that they do not have internal static data contradicting the counterparty’s representation*.

    * Static data that should be checked includes, but is not limited to:
    • Organized in or incorporated under the laws of a U.S. jurisdiction
    • Principal Place of Business (i.e. headquarters) in the U.S.
    • Asset manager of a Non-U.S. fund or collective investment vehicle located in the U.S.
    • Obligations of the counterparty with respect to its swap transactions guaranteed by U.S. Persons
    • Registered as a U.S. Swap Dealer

    If a red flag is encountered, the BNPP Group Entity must investigate and challenge the counterparty by asking for more information to justify its CFTC status classification.

    5.12.4 Periodic review of the CFTC counterparty representation

    The BNPP Group Entity is required to review the counterparty representations on a periodic basis and reach out to the counterparty as needed during the KYC recertification process to ensure that the representations remain current and appropriate for the intended purpose.

    5.13 Corporate and Social Responsibility (CSR)

    CSR policies (RSE0020 and sector policies) define exclusions and monitoring measures according to sets of social and environmental criteria concerning each economic sector. The application of those criteria may trigger the monitoring and exclusion of some economic actors within the related economic sector.

    The CSR Department maintains a list of excluded companies, a list of excluded goods and a list of companies under monitoring.

    Depending on their segment, clients being on-boarded or recertified must be screened against these lists. Screening results must be recorded in the client file. Positive results must be communicated to the CSR representative, who decides on the course of action.

    5.14 Protection of Interests of Clients (PIC)

    The Protection of Interests of Clients (PIC) domain is committed to promoting the proper selling of products and services to the clients.

    Requirements related to proper selling are specific to each location. Consequently, based upon its activities, client types and applicable regulation if any, each Business must determine the type of information needed in order to ensure the adequacy of the products and services offered to the clients.

    When dealing with sophisticated clients (as defined by Compliance according to local norms), including those represented by a professional advisor or fiduciary, compliance with local norms may be supported by another process than the client information collection described below.

    With regard to client information collection, it is expected in all cases that the amount and type of information be reasonable vis-a-vis the nature of the client and the nature and purpose of the business relationship. Where implemented, this process should at a minimum allow a Business to:

    • Reasonably ensure that the products and services meet the client’s expressed needs and goals.
    • Reasonably assess whether the client is able to understand the nature of the products or services and all associated risks.

    For further details, please refer to the Group policies (CPL0276 & CG0078) and to applicable local policies.