Financial and Capital Market Commission Regulations No. 219 of 28 December 2016 (Financial and Capital Market Commission Council meeting No. 45, item 3)

Regulations on Information Technology Security for the Management of Money Laundering and Terrorism Financing Risk

Issued pursuant to Section 47, Paragraph two, Clause 5 of the Prevention of Money Laundering and Terrorism Financing Law

1. General provisions

1. The "Regulations on Information Technology Security for the Management of Money Laundering and Terrorism Financing Risk" (hereinafter, the Regulations) set out the minimum requirements for information technology (IT) security in the management of the risk of money laundering and terrorism financing (hereinafter, NILLTF) for credit institutions and for branches of Member State and third-country credit institutions (hereinafter, credit institution). A credit institution complies with the requirements of these Regulations on an individual basis and at the level of the consolidation group or sub-group, ensuring that the consolidation group or sub-group, as well as every subsidiary within it, meets the NILLTF risk management requirements of these Regulations.

2. Terms used in the Regulations:
2.1. IT system: a system, or a set of systems, for data input, storage and processing that supports NILLTF risk management functions and gives IT system users access to the stored data and information;
2.2. IT system parameter: a system-wide variable of the IT system to which a value is assigned for a specific case;
2.3. IT system user: an employee of the credit institution who acts in the IT system within the limits of the authority granted to them;
2.4. customer risk profile: a term used in the Financial and Capital Market Commission Regulations No. 234 of 23 December 2015 "Regulations on Customer Due Diligence for Credit Institutions and Licensed Payment and Electronic Money Institutions" (hereinafter, Regulations No. 234);
2.5. numerical customer risk evaluation (scoring) system: a term used in Regulations No. 234;
2.6. NILLTF risk: a term used in the Financial and Capital Market Commission Regulations No. 154 of 23 September 2016 "Regulations on the Management of Money Laundering and Terrorism Financing Risk" (hereinafter, Regulations No. 154);
2.7. NILLTF risk exposure: a term used in Regulations No. 154;
2.8. risk factors or risk-increasing factors: a term used in Regulations No. 234;
2.9. risk segments: a term used in Regulations No. 234;
2.10. "dormant" account: an account that meets at least one of the following criteria:
2.10.1. the first credit transaction on the account is made no earlier than six months after the start of the business relationship with the customer, and the monthly credit turnover has reached the equivalent of 70 000 euro;
2.10.2. the first outgoing payment from the account is made no earlier than 12 months after the date the account was opened;
2.10.3. the customer's activity on the account resumes after a break of at least six months, and in the first month of resumed activity the debit or credit turnover has reached the equivalent of 70 000 euro;
2.11. sanctions lists: lists of persons, sites, services or other items against which an international organisation or a country has imposed sanctions (restrictions) that apply in Latvia, or that the credit institution has determined to be binding on it;
2.12. special lists: lists maintained internally by the credit institution of customers and potential customers, their beneficial owners and authorised representatives about whom negative information concerning involvement in NILLTF is available, including persons with whom, under the Prevention of Money Laundering and Terrorism Financing Law, a business relationship has not been started or has been terminated.

3. The aim of the Regulations is to ensure that a credit institution uses IT systems for NILLTF risk management that are efficient and that correspond to the nature of the credit institution's economic activity and to its NILLTF risk exposure.

4. A credit institution, in accordance with its NILLTF risk exposure, provides the IT solutions needed for effective NILLTF risk management, ensuring timely, accurate and complete identification of NILLTF risk, the processing and evaluation of the related information, and the reporting of results to management.

5. A credit institution regularly, but not less than once every 18 months, evaluates the effectiveness of its IT systems and their compliance with its current NILLTF risk exposure, on the basis of that exposure, of an assessment of the efficiency of the NILLTF risk control function and of the results of the audit referred to in paragraph 17 of these Regulations. Where its NILLTF risk exposure increases, the credit institution ensures in a timely manner that the IT systems remain adequate for the current situation.

6. The Management Board of the credit institution or the branch manager, acting within the authority granted to them, takes the decision to introduce an IT system and, where necessary, approves major changes to the system. The Management Board member responsible for the prevention of NILLTF in the credit institution, or the branch manager, regularly informs the Management Board of the credit institution about the performance of the IT systems.
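The "dormant" account definition in paragraph 2.10 is a concrete rule that a monitoring system has to evaluate from account history. The Python below is an added example, not part of the Regulations or of any credit institution's system: it classifies an account against all three criteria, assuming transactions are already converted to EUR equivalent and that the start of the business relationship and the account opening date are supplied separately, since 2.10.1 and 2.10.2 refer to them separately.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

THRESHOLD_EUR = Decimal("70000")  # paragraph 2.10: the equivalent of 70 000 euro


@dataclass(frozen=True)
class Txn:
    """A booked transaction in EUR equivalent (assumed pre-converted); credits > 0, debits < 0."""
    when: date
    amount_eur: Decimal


def months_between(start: date, end: date) -> int:
    """Whole calendar months elapsed from start to end (end >= start)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def month_turnover(txns, year: int, month: int, credit: bool) -> Decimal:
    """Credit (credit=True) or debit (credit=False) turnover booked in one calendar month."""
    return sum((abs(t.amount_eur) for t in txns
                if (t.when.year, t.when.month) == (year, month) and (t.amount_eur > 0) == credit),
               Decimal(0))


def dormant_criteria(relationship_start: date, opened: date, txns) -> list:
    """Return the paragraph 2.10 criteria the account meets; an empty list means not dormant."""
    txns = sorted(txns, key=lambda t: t.when)
    credits = [t for t in txns if t.amount_eur > 0]
    debits = [t for t in txns if t.amount_eur < 0]
    hits = []
    # 2.10.1: first credit no earlier than six months after the start of the business
    # relationship, with credit turnover in that month reaching the threshold.
    if credits:
        first = credits[0]
        if (months_between(relationship_start, first.when) >= 6
                and month_turnover(txns, first.when.year, first.when.month, True) >= THRESHOLD_EUR):
            hits.append("2.10.1")
    # 2.10.2: first outgoing payment no earlier than 12 months after the account was opened.
    if debits and months_between(opened, debits[0].when) >= 12:
        hits.append("2.10.2")
    # 2.10.3: activity resumes after a break of at least six months, and debit or credit
    # turnover in the month of resumption reaches the threshold.
    for prev, cur in zip(txns, txns[1:]):
        if months_between(prev.when, cur.when) >= 6:
            y, m = cur.when.year, cur.when.month
            if max(month_turnover(txns, y, m, True), month_turnover(txns, y, m, False)) >= THRESHOLD_EUR:
                hits.append("2.10.3")
                break
    return hits


# Constructed sample history (not real data) for a relationship and account opened on 2016-01-15.
SAMPLE_HISTORY = [
    Txn(date(2016, 8, 1), Decimal("50000")),   # first credit, six months after opening
    Txn(date(2016, 8, 20), Decimal("25000")),  # August credit turnover reaches 75 000
    Txn(date(2016, 9, 1), Decimal("-10000")),  # first debit, only seven months after opening
    Txn(date(2017, 4, 10), Decimal("80000")),  # activity resumes after a seven-month break
]

if __name__ == "__main__":
    print(dormant_criteria(date(2016, 1, 15), date(2016, 1, 15), SAMPLE_HISTORY))
```

The sample account meets 2.10.1 and 2.10.3 but not 2.10.2, so a supervision function would flag it and apply the first-transaction alert and amount restrictions the Regulations require for dormant accounts.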
7. The Council and the Management Board of the credit institution, its committees, department managers and responsible employees have, regularly or on request, access to the complete, accurate, timely and adequate information from the IT systems that they need to perform their duties and to take decisions.

2. Requirements for NILLTF risk management IT systems

2.1. Requirements for the implementation and improvement of IT systems

8. When introducing an IT system, a credit institution ensures that the development and implementation process, including the use of information and data, complies with the regulatory requirements in the field of information system security.

9. A credit institution assesses the personnel, technological and other resources available to it that are needed for effective NILLTF risk management, and decides to introduce an IT system in one of the following ways:
9.1. the credit institution procures and implements a specialised IT system;
9.2. the credit institution develops the IT system using the internal resources of the credit institution or its group companies;
9.3. the credit institution develops the IT system using outsourcing.

10. When introducing an IT system, a credit institution ensures that the following requirements are met:
10.1. the outsourcing provider referred to in paragraph 9.3 of these Regulations has documented, proven experience and knowledge in the development and implementation of NILLTF risk management IT systems;
10.2. the IT system meets the regulatory requirements in the field of NILLTF prevention, the credit institution's NILLTF risk exposure and operating model, and international best practice in IT security for NILLTF risk management;
10.3. the IT system's functions cover all NILLTF risk segments specific to the credit institution, including the services provided by the credit institution and customer accounts, as well as all transactions made in the interest of the customer or on the customer's order.

2.2. Functional requirements for IT systems

11. The IT system ensures the integrity, accuracy and timeliness of the information and data used in it.

12. The IT system prepares alert messages automatically. Alert messages prepared by the IT system are made available to the authorised IT system users for assessment and decision.

13. The IT system provides user access and a system for maintaining user authorisations for the assessment of the customer risk profile and for the monitoring and evaluation of the risks associated with the customer, and it clearly allows IT system users only the actions that correspond to the functions and the level of authority of the credit institution's employee, including enforcing restrictions on employees' rights to change the customer's risk profile and the customer's limit information.

14. IT system users, according to their level of authority, are able to take all measures within the IT system that are necessary for effective NILLTF risk management, including:
14.1. the ability to set additional parameters for transaction monitoring, for the identification of suspicious and unusual transaction patterns and for alerts on changes in the customer risk profile (such as thresholds, number of transactions, etc.), or other similar actions;
14.2. the ability to obtain centrally systematised information on risk-increasing factors;
14.3. the ability to classify customers according to the numerical risk evaluation and the customer's risk type;
14.4. the ability to process the alert messages prepared by the IT system together with the credit institution's customer and transaction information that may affect NILLTF risk;
14.5. the ability to set additional mandatory information fields (required fields).

15. An audit trail of IT system user actions, including actions related to the initial processing of alert messages, is retained for six years after the action.

16. The IT system provides at least the following NILLTF risk management functions:
16.1. processing of the credit institution's customer information, ensuring:
16.1.1. automated control over the completion of the required fields containing the identification information of the customer, its beneficial owners and authorised representatives, other customer identification information, and information on the customer's economic and personal activity;
16.1.2. automated checking of the information entered about the customer, its beneficial owners and authorised representatives against the special lists;
16.1.3. an automated prohibition on opening a customer account before the required fields are completed;
16.1.4. checking of the accuracy of the information entered (for example, control of the year-of-birth value, control that the country exists, etc.);
16.1.5. automated checking of the information entered, with an alert message prepared where a match is found against:
16.1.5.1. the credit institution's special lists or the sanctions lists, including where the customer changes its beneficial owner or authorised representative during the business relationship,
16.1.5.2. the history of the information stored in the credit institution's information system during the relationship with the customer;
16.1.6. storage in electronic form of the information obtained in the process of customer identification and due diligence, and its availability for customer due diligence during the relationship;
16.1.7. automated alert messages on the expiry of the identification document or the mandate of the customer and of the customer's authorised person, and the corresponding restrictions on the customer's transactions after the expiry date of that document;
16.2. maintenance and use of the customer risk classification and the numerical customer risk evaluation (scoring) system, ensuring automated:
16.2.1. customer risk assessment, risk types and the corresponding numerical evaluation;
16.2.2. maintenance and use of the limit values applicable to the customer risk profile in the monitoring of customer activity (for example, customer type or residence, planned size of transactions, status as a politically exposed person, as a family member of or as a person closely associated with a politically exposed person, planned or used type of service, the criteria for enhanced customer due diligence and enhanced monitoring set by law, etc.);
16.2.3. identification of customers to whom enhanced due diligence must be applied in cases where the customer, or the group of related customers to which it belongs, reaches the numerical risk evaluation limit set by the credit institution, after which the enhanced due diligence measures apply to the customer before the start of, and during, the business relationship;
16.2.4. control over compliance with the IT system user's authorisation level when acting in connection with the establishment (for example, the possibility of opening an account) or extension (additional financial services) of the business relationship with the customer, according to the customer's risk profile;
16.2.5. documentation and storage of statistics on overrides of the numerical risk assessment system (override), providing information on the time of the event, the personal identification of the IT system user who applied the override, the transactions to which the override was applied, and the reasons for using the override;
16.2.6. storage of the description (typology) of the customer's type of business activity and its availability for future use or customer analysis;
16.3. customer due diligence and monitoring, ensuring:
16.3.1. electronic documentation, storage and availability of the information supporting enhanced due diligence, due diligence and business decisions, according to the user's authorisation level in the system (for example, read-only or edit mode);
16.3.2. automated testing of the transactions of customers subject to enhanced due diligence against the risk-increasing factors specific to enhanced customer due diligence set by law;
16.3.3. automated tools to support enhanced customer due diligence during the business relationship, including analysis of the customer's cash flows and documentation of the resulting schemes (such as a graphical representation of the customer's transactions, identification of the main business partners, identification of transactions exceeding limits, etc.);
16.3.4. automated control over enhanced due diligence activities and timely preparation of an alert in the event of delays;
16.3.5. maintenance and management of an electronic database of enhanced customer due diligence in accordance with the enhanced customer due diligence requirements of the law, including ensuring:
16.3.5.1. automated inclusion in the electronic database of the information required by law for the enhanced due diligence of customers subject to it, and the maintenance and regular updating of that information,
16.3.5.2. storage in the electronic database, in accordance with the customer due diligence requirements of the law, of requests concerning the customer's transactions from credit institutions with which a correspondent relationship has been established, and of the answers provided by the credit institution,
16.3.5.3. the provision of reports on the information included in the electronic database to the Financial and Capital Market Commission;
16.3.6. automated application of the enhanced customer due diligence status and of the restrictions applied to the customer's transactions (such as currency, number or size, countries, partners, etc.);
16.3.7. automated control and alert reports on customer transactions in which NILLTF risk-increasing factors are identified (for example, deviations from the customer's declared activity in terms of the transaction, the countries or territories of the transaction, cooperation with persons, countries or territories included in the special lists, etc.);
16.3.8. automated control over the presence of information about the purpose of the transaction;
16.3.9. automated payment processing (for example, suspension of a payment, transfer to an authorised employee, logging, etc.);
16.3.10. automated creation and storage of an audit trail for transactions that for any reason (for example, a match against the sanctions lists or the special lists, etc.) required separate approval, including the personal identification of the IT system user who approved the transaction;
16.4. supervision of "dormant" accounts, ensuring:
16.4.1. identification and additional automated checking of transactions made from or to a "dormant" account;
16.4.2. an automated alert message on the first transaction made from or to a "dormant" account, and restrictions on the amount of the transaction;
16.5. identification of groups of related customers, ensuring:
16.5.1. automated identification of a group of related customers that has a single beneficial owner;
16.5.2. documentation, storage and updating of the scheme of transactions between the customers of a related group;
16.6. the credit institution's special lists and sanctions lists, ensuring:
16.6.1. automated maintenance, updating and use of the sanctions lists;
16.6.2. automated maintenance of the special lists;
16.6.3. automated checking, periodically but not less than every working day and before a payment is made, of the information on customers, their beneficial owners and representatives against the special lists and the sanctions lists, as well as automated checking of payer and payee information against the sanctions lists before a payment is made, with suspension of the transaction and automated dispatch of a message to the authorised IT system users if a match of that person's information against the sanctions lists or the special lists is found;
16.6.4. that a decision on further action in the cases referred to in paragraph 16.6.3 of these Regulations may be taken only within the internal control system;
16.6.5. automated creation of an audit trail for all cases where a match against the special lists or the sanctions lists is found in the information on a customer, its beneficial owner or representatives, or on the payer or payee of a payment;
16.6.6. automated processing of the check results (sending an alert message to the responsible employees for evaluation and decision, etc.);
16.6.7. automated selection of the groups of related customers associated with customers matched against the sanctions lists and the special lists;
16.6.8. automated registration of information on cases where the credit institution has executed transactions of a person included in the sanctions lists or the special lists, or transactions of the credit institution's customer with a person included in the sanctions lists or the special lists (incoming or outgoing payments, etc.);
16.6.9. automated control over the requirements of the sector-specific sanctions included in the sanctions lists, and automated registration of information on cases where the credit institution has executed transactions involving items subject to sector-specific sanctions in the sanctions lists;
16.7. monitoring of customers who are politically exposed persons, their family members or persons closely associated with a politically exposed person (together, PNP), ensuring:
16.7.1. automated preparation of an alert message where the information on the customer, its beneficial owners or representatives identifies a possible PNP;
16.7.2. automated transfer of information on customers who are potentially PNP to the employees of the credit institution responsible in the field of NILLTF prevention for a decision;
16.7.3. automated control of the PNP status of all customers in a group of related customers if one of them is identified as a PNP;
16.8. management of reports on unusual and suspicious transactions, ensuring:
16.8.1. automated identification and counting of unusual and suspicious transactions, including for groups of related customers, internal reporting, and tracking and control of the time limits set by the legislation in the field of NILLTF prevention and by the credit institution's internal regulations;
16.8.2. automated dispatch of information on unusual and suspicious transactions to the authorised IT system users for the updating of the customer's NILLTF risk profile, and control over the customer's NILLTF risk profile in accordance with the information on reports of unusual or suspicious transactions;
16.9. management of IT system user authorisations, ensuring:
16.9.1. maintenance of the authorisation system for the credit institution's employees who participate in the assessment of the customer's NILLTF risk profile, in the monitoring and evaluation of the risks associated with the customer, and in decision making;
16.9.2. automated restrictions, in the credit institution's IT system, on IT system users' approval of transactions and of the financial services available to the customer;
16.10. for a credit institution that is not a branch of a Member State or third-country credit institution, assessment of NILLTF risk exposure, ensuring:
16.10.1. automated data collection and reporting for the assessment of NILLTF risk exposure;
16.10.2. automated comparison of the NILLTF risk exposure indicator with the results of the previous evaluation period and of their dynamic trends.

3. Quality control of the credit institution's NILLTF risk management IT security

17. A credit institution regularly, but not less than once every 18 months, carries out an independent evaluation (audit) of the IT systems, engaging an external auditor with reasonable and demonstrable competence in auditing NILLTF risk management IT systems.

18. A credit institution ensures that the continuity of the IT systems and the testing of the emergency operational recovery plan are included in the regular overall testing of the credit institution's information systems.

4. Closing provisions

19. A credit institution ensures the introduction of the functions referred to in paragraph 16 of these Regulations within the following time limits:
19.1. by 30.06.2017: the functions set out in paragraphs 16.1, 16.2, 16.4 and 16.6;
19.2. by 30.09.2017: the functions set out in paragraphs 16.3 (except paragraph 16.3.3), 16.7, 16.8, 16.9 and 16.10;
19.3. by 31.12.2017: the functions set out in paragraphs 16.5 and 16.3.3.

20. A credit institution, taking into account paragraph 19 of these Regulations, develops and submits to the Commission by 31.01.2017 a plan for the introduction of the functions referred to in paragraph 16 of these Regulations.

21. The Financial and Capital Market Commission Recommendations No. 235 of 23.12.2015 "Recommendations for Credit Institutions on Information Technology Security for the Management of Money Laundering and Terrorism Financing Risk" are declared to have ceased to be in force.

Financial and Capital Market Commission Vice-President G. Razāns