KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

namedate of birthplace of birthnationalityaddresssignature specimen

KYC to onboard international persons

namedate of birthplace of birthaddresssignaturenationality

corporate requirements

registered namedomicile of the entityfull name of legal representatives

National ID card name

Austrian identity card

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

Federal Electronic Signature Law

E-sig law files

austria.pdf

What year did the relevant AML laws and regulations become effective?

1994

Further details on AML regime

1994. Current AML / CFT relevant amendments: a) Austrian Banking Act and Austrian Insurance Supervision Act last amended on 15 Aug 2015; b) Austrian Criminal Code (§§ 165 following StGB) last amended on 14 Sep 2010; and c) Austrian Finance Criminal Code (§ 38a and § 39 FinStrG) last amended on 31 Aug 2015

Who is the regulator for AML controls for Banking

Austrian Financial Markets Authority (FMA)

Link to site

https://www.fma.gv.at/en/homepage.html

Other financial Services

Austrian Financial Markets Authority (FMA)

Website of Regulator

https://www.fma.gv.at/en/homepage.html

Financial Sector regulator

https://www.wko.at/Content.Node/wir/Austrian_Economic_Chambers_Home.html , https://english.bmf.gv.at/

Practical Guidance for AML

There are six different circulars in place regarding AML / CFT regulations for the banking industry, other financial services and insurance companies, issued by the Austrian Financial Markets Authority, last

Practical guidance PDF's

Is there a requirement to verify the identity of customers retroactively?

YES

Retroactive details

Yes, every active customer has to be identified as well as every client whose account has been closed since 1994.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Yes

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Yes, one-off transactions below EUR15,000 if there is no AML or CFT suspicion

What are the requirements for customer identification information for individuals

the following has to be obtained: a) full name; b) date and place of birth; c) nationality; d) address; and e) signature.

Details to be Collected on Corporates

the following has to be obtained: a) registered name and domicile of the entity; and b) full name of the legal representatives of the entity.

What are the high level requirements around beneficial ownership (identification and verification)?

The Austrian banking and insurance laws require the verification of the identity of beneficial owners holding more than 25% of the shares or voting rights of an entity or holding 25% or more of a trust or foundation. Where a principal owner is another corporate entity or trust, the institution has to take measures to establish the identity of the ultimate beneficial owners (who can only be natural persons) and/or, if applicable, the trustees. In case of a trust or foundation, the identity of the founder and the beneficiaries designated to receive 25% or more of the trust/foundation have to be disclosed by the client. Credit institutions, financial institutions and insurance companies must call upon the customer to reveal the identity of the customer's beneficial owner(s). The customer must comply with this request, and credit institutions, financial institutions and insurance companies must take risk-based and appropriate measures to verify the beneficial owner's identity so that the credit institution, financial institution or insurance company is satisfied that it knows who the beneficial owner is. In the case of legal persons or trusts, this also includes taking risk-based and appropriate measures in order to understand the ownership and control structure of the customer.

What circumstances are enhanced customer due diligence measures required?

For customers where a higher risk of money laundering or terrorist financing applies, for example: a) if the customer has not been physically present for identification (distance business/non-face-to-face-relationships); b) for cross-frontier correspondent banking relationships with correspondent banks from other countries or from the European Economic Area (‘EEA’) (the latter only if the AML/CFT risk is considered heightened); and c) for Politically Exposed Persons (“PEPs”) of other EU Member States and of third countries. Furthermore, if the client or an authorised signatory, a person, to whom the client has a significant business relationship, or the trustee or the beneficial owner has his/her domicile or residence in one of the following states (see below), or the transaction is made via an account at a bank in one of the following states: a) Iran; b) Democratic People’s Republic of Korea (“DPRK”); c) Bolivia; d) Cuba; e) Ethiopia; f) Indonesia; g) Kenya; h) Myanmar; i) Nigeria; j) Pakistan; k) Sao Tome and Principe; l) Sri Lanka; m) Syria; n) Tanzania; o) Thailand; p) Turkey; q) Vietnam; and r) Yemen.

How should FI's deal with Politically exposed persons

In any transaction or business relationship with a PEP of another EU Member State (except Austria) or another country.

What enhanced due diligence must be performed for correspondent banking relationships?

Enhanced due diligence procedures to be performed for cross-border correspondent banking relationships with correspondent banks from third countries or from the EEA (the latter only if the AML/CFT risk is considered heightened) as follows: a) credit institutions and financial institutions must gather sufficient information about a correspondent bank to fully understand the nature of its business and be able to ascertain the reputation of the institution and the quality of supervision on the basis of publicly available information; b) credit institutions and financial institutions must satisfy themselves of the correspondent bank's anti-money laundering and anti-terrorist financing controls; c) credit institutions and financial institutions must obtain approval from senior management before establishing new correspondent banking relationships; d) credit institutions and financial institutions must document the respective responsibilities of each institution; and with respect to payable-through accounts, credit institutions and financial institutions must be satisfied that the correspondent bank has verified the identity of and performed ongoing due diligence on the customers having direct access to accounts of the correspondent, and that it is able to provide relevant customer due diligence data to the correspondent bank upon request

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes, credit institutions are prohibited from entering into or continuing a correspondent banking relationship with a shell bank. Credit institutions have to take appropriate measures to ensure that they do not engage in or continue correspondent banking relationships with a bank that is known for permitting its accounts to be used by a shell bank.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Non face-to-face relationships and transactions are considered heightened AML/CFT risk by the relevant Austrian AML laws and regulations. For this reason, additional due diligence is always required for non face-to-face relationships and transactions. Trustees must always be identified personally (obligation of personal presence) - non face-to-face relationships are not sufficient for purposes of identification of trustees. Furthermore, additional due diligence is always required (whether face-to-face or non-face-to-face) in the case of any doubts, indication or suspicion of money laundering or terrorist financing. In these cases, suspicious activity reports have to be considered.

To whom are SAR's made? (suspicious activity reports)

Suspicious activity reports are to be reported to the Austrian Financial Intelligence Unit (“A-FIU”), so called “Geldwäschemeldestelle”

Link to website of SAR reporting

http://www.bmi.gv.at/cms/BK/meldestellen/geldwaesche/start.aspx

Other Suspicious or unusual transactions obligations.

Suspicious activities regarding money laundering and terrorist financing as well as the suspicion that a client might not properly have disclosed a trusteeship have to be reported

Are there any de-minimis thresholds below which transactions do not need to be reported?

No, every suspicion described in A20 has to be reported, regardless of the amount.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

No specific penalties prevail for non compliance with reporting requirements, but there are penalties for non compliance with AML and CFT regulations (e.g. § 99 (2) BWG, Austrian Banking Act). Non compliance with reporting requirements can be seen as non compliance with AML and CFT regulations.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

In the course of suspicious activity reporting, the institution should ask the A-FIU, whether it can proceed with the transaction or not. The A-FIU has the right to stop ongoing transactions or to forbid future transactions, if there is a suspicion.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

There is no clear rule in place, but there is the legal requirement that Austrian institutions have to apply the same AML/CFT standards as in Austria to jurisdictions outside Austria where they conduct their

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

YES

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

once a year;

To whom should the report on AML systems be submitted?

the report is submitted to the audit client who forwards it to the financial market authority and the Austrian national bank;

Is an AML system part of the financial statement audit?

no, it is a separate audit of compliance with several regulatory requirements.

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

It requires testing the internal control system of the bank regarding regulatory requirements which also includes AML. No sample testing is required

Data Protection Laws And Personal Data

See definition in Section 4 Data Protection Act: ”Data” (”Personal Data”) [Daten” (”personenbezogene Daten”)

Data Protection for Corporate Data

Data protection for "sensitive Data" and additional protections.

see the definition in Section 4 Data Protection Act: ”Sensitive Data” (”Data deserving special protection”) [”sensible Daten” (”besonders schutzwürdige Daten”)]: Data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life; The use of sensitive data does not infringe interests in secrecy deserving only and exclusively in the special cases as set out in § 9 data protection act.

Do any restrictions on the transfer of credit reports exist?

Some general remarks: All data applications [Datenanwendungen] are subject to notification, unless an exception applies (see below). A data application [Datenanwendung] encompasses all categories of data [Datenarten] (e.g. name, address, salary) processed about certain categories of data subjects [Betroffenenkreise] (e.g. employees, customers). The notification has to state the categories of recipients [Empfängerkreise] - including possible recipient states abroad - as well as the legal basis for the transmission. Data concerning health life are considered to be sensitive data (see the definition above). For information on Criminal Records [Strafregister], the special regulations of the Criminal Records Act 1968 [Strafregistergesetz 1968] shall apply. See: https://www.dsb.gv.at/DocView.axd?CobId=41936

Regulator Acronym

FMA

Field 67

due diligence

National ID card details

Austrian identity card

National ID source

https://en.wikipedia.org/wiki/Austrian_identity_card

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Yes

Regulator allows for monitoring transactions outside jurisdiction

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

A-FIU

shell banks

Yes

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

EUR 15,000

Min transaction USD

16353

Personal Data protection

Personal Data Protection Act

http://www.coe.int/t/dghl/standardsetting/dataprotection/National%20laws/Austria%20Federal%20Act%20DP.pdf

key restrictions

The law does not apply to legal transactions under family and inheritance law, documents that must be notarized or real estate transactions where a notarial deed must be entered in the land register, companies register or other official register.

Summary

Austria’s law focuses on the enforceability of digital signatures. However, Section 3(1) provides that signatures may not be excluded merely because they are in electronic form.' Summary of law Austria follows the UNCITRAL model law and is similar to the laws of many European Union member states. It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. However, Austria’s laws are somewhat different in that they primarily provide for the enforceability of digital or advanced electronic signatures. However, electronic signatures are nonetheless enforceable, although it is especially important to obtain consent from the other party prior to using them.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

Ministry of Finance

Does the country have a risk based approach?

Yes, a “circular on the risk-based approach” was published by the Austrian Financial Markets Authority on 23 Dec 2009, updated on 01 Dec 2011

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

The requirements are defined and are to be seen as a way to rely on the authenticity of the document; if there are any doubts then the identity of a person should be verified by other measures. In this case, a suspicious activity report has to be considered.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

Austrian Banking Act

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

Yes, Credit institutions, their members, members of their governing bodies, their employees as well as any other persons acting on behalf of credit institutions must not divulge or exploit secrets which are