1994. Current AML / CFT relevant amendments:
a) Austrian Banking Act and Austrian Insurance Supervision Act last amended on 15 Aug 2015;
b) Austrian Criminal Code (§§ 165 following StGB) last amended on 14 Sep 2010; and
c) Austrian Finance Criminal Code (§ 38a and § 39 FinStrG) last amended on 31 Aug 2015
There are six different circulars in place regarding AML / CFT regulations for the banking industry, other financial services and insurance companies, issued by the Austrian Financial Markets Authority, last
Yes, every active customer has to be identified as well as every client whose account has been closed since 1994.
Yes, one-off transactions below EUR15,000 if there is no AML or CFT suspicion
the following has to be obtained:
a) full name;
b) date and place of birth;
d) address; and
the following has to be obtained:
a) registered name and domicile of the entity; and
b) full name of the legal representatives of the entity.
The Austrian banking and insurance laws require the verification of the identity of beneficial owners holding more than 25% of the shares or voting rights of an entity or holding 25% or more of a trust or foundation. Where a principal owner is another corporate entity or trust, the institution has to take measures to establish the identity of the ultimate beneficial owners (who can only be natural persons) and/or, if applicable, the trustees. In case of a trust or foundation, the identity of the founder and the beneficiaries designated to receive 25% or more of the trust/foundation have to be disclosed by the client. Credit institutions, financial institutions and insurance companies must call upon the customer to reveal the identity of the customer's beneficial owner(s). The customer must comply with this request, and credit institutions, financial institutions and insurance companies must take risk-based and appropriate measures to verify the beneficial owner's identity so that the credit institution, financial institution or insurance company is satisfied that it knows who the beneficial owner is. In the case of legal persons or trusts, this also includes taking risk-based and appropriate measures in order to understand the ownership and control structure of the customer.
For customers where a higher risk of money laundering or terrorist financing applies, for example:
a) if the customer has not been physically present for identification (distance business/non-face-to-face relationships);
b) for cross-frontier correspondent banking relationships with correspondent banks from other countries or from the European Economic Area (“EEA”) (the latter only if the AML/CFT risk is considered heightened); and
c) for Politically Exposed Persons (“PEPs”) of other EU Member States and of third countries.
Furthermore, if the client or an authorised signatory, a person with whom the client has a significant business relationship, or the trustee or the beneficial owner has his/her domicile or residence in one of the following states (see below), or the transaction is made via an account at a bank in one of the following states: a) Iran; b) Democratic People’s Republic of Korea (“DPRK”); c) Bolivia; d) Cuba; e) Ethiopia; f) Indonesia; g) Kenya; h) Myanmar; i) Nigeria; j) Pakistan; k) Sao Tome and Principe; l) Sri Lanka; m) Syria; n) Tanzania; o) Thailand; p) Turkey; q) Vietnam; and r) Yemen.
In any transaction or business relationship with a PEP of another EU Member State (except Austria) or another country.
Enhanced due diligence procedures to be performed for cross-border correspondent banking relationships with correspondent banks from third countries or from the EEA (the latter only if the AML/CFT risk is considered heightened) as follows:
a) credit institutions and financial institutions must gather sufficient information about a correspondent bank to fully understand the nature of its business and be able to ascertain the reputation of the institution and the quality of supervision on the basis of publicly available information;
b) credit institutions and financial institutions must satisfy themselves of the correspondent bank's anti-money laundering and anti-terrorist financing controls;
c) credit institutions and financial institutions must obtain approval from senior management before establishing new correspondent banking relationships;
d) credit institutions and financial institutions must document the respective responsibilities of each institution; and
with respect to payable-through accounts, credit institutions and financial institutions must be satisfied that the correspondent bank has verified the identity of and performed ongoing due diligence on the customers having direct access to accounts of the correspondent, and that it is able to provide relevant customer due diligence data to the correspondent bank upon request.
Yes, credit institutions are prohibited from entering into or continuing a correspondent banking relationship with a shell bank. Credit institutions have to take appropriate measures to ensure that they do not engage in or continue correspondent banking relationships with a bank that is known for permitting its accounts to be used by a shell bank.
Non-face-to-face relationships and transactions are considered heightened AML/CFT risk by the relevant Austrian AML laws and regulations. For this reason, additional due diligence is always required for non-face-to-face relationships and transactions.
Trustees must always be identified personally (obligation of personal presence) - non face-to-face relationships are not sufficient for purposes of identification of trustees.
Furthermore, additional due diligence is always required (whether face-to-face or non-face-to-face) in the case of any doubts, indication or suspicion of money laundering or terrorist financing. In these cases, suspicious activity reports have to be considered.
Suspicious activity reports are to be reported to the Austrian Financial Intelligence Unit (“A-FIU”), the so-called “Geldwäschemeldestelle”.
Suspicious activities regarding money laundering and terrorist financing, as well as the suspicion that a client might not have properly disclosed a trusteeship, have to be reported.
No, every suspicion described in A20 has to be reported, regardless of the amount.
No specific penalties prevail for non-compliance with reporting requirements, but there are penalties for non-compliance with AML and CFT regulations (e.g. § 99 (2) BWG, Austrian Banking Act). Non-compliance with reporting requirements can be seen as non-compliance with AML and CFT regulations.
In the course of suspicious activity reporting, the institution should ask the A-FIU whether it can proceed with the transaction or not. The A-FIU has the right to stop ongoing transactions or to forbid future transactions if there is a suspicion.
There is no clear rule in place, but there is the legal requirement that Austrian institutions have to apply the same AML/CFT standards as in Austria to jurisdictions outside Austria where they conduct their
once a year;
the report is submitted to the audit client who forwards it to the financial market authority and the Austrian national bank;
no, it is a separate audit of compliance with several regulatory requirements.
It requires testing the internal control system of the bank regarding regulatory requirements which also includes AML. No sample testing is required
See the definition in Section 4 Data Protection Act: “Data” (“Personal Data”) [“Daten” (“personenbezogene Daten”)]
See the definition in Section 4 Data Protection Act: “Sensitive Data” (“Data deserving special protection”) [“sensible Daten” (“besonders schutzwürdige Daten”)]: Data relating to natural persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious or philosophical beliefs, and data concerning health or sex life. The use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively in the special cases set out in § 9 of the Data Protection Act.
Some general remarks: All data applications [Datenanwendungen] are subject to notification, unless an exception applies (see below). A data application [Datenanwendung] encompasses all categories of data [Datenarten] (e.g. name, address, salary) processed about certain categories of data subjects [Betroffenenkreise] (e.g. employees, customers). The notification has to state the categories of recipients [Empfängerkreise] - including possible recipient states abroad - as well as the legal basis for the transmission. Data concerning health life are considered to be sensitive data (see the definition above). For information on Criminal Records [Strafregister], the special regulations of the Criminal Records Act 1968 [Strafregistergesetz 1968] shall apply. See: https://www.dsb.gv.at/DocView.axd?CobId=41936
The law does not apply to legal transactions under family and inheritance law, documents that must be notarized or real estate transactions where a notarial deed must be entered in the land register, companies register or other official register.
Austria’s law focuses on the enforceability of digital signatures. However, Section 3(1) provides that signatures may not be excluded merely because they are in electronic form.
Summary of law
Austria follows the UNCITRAL model law and is similar to the laws of many European Union member states. It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case.
Austria’s laws are somewhat different, however, in that they primarily provide for the enforceability of digital or advanced electronic signatures. Electronic signatures are nonetheless enforceable, although it is especially important to obtain consent from the other party prior to using them.
Ministry of Finance
Yes, a “circular on the risk-based approach” was published by the Austrian Financial Markets Authority on 23 Dec 2009, updated on 01 Dec 2011
The requirements are defined and are to be seen as a way to rely on the authenticity of the document; if there are any doubts then the identity of a person should be verified by other measures. In this case, a suspicious activity report has to be considered.
Austrian Banking Act
Yes, credit institutions, their members, members of their governing bodies, their employees as well as any other persons acting on behalf of credit institutions must not divulge or exploit secrets which are