Alle advokatvirksomheder, der håndterer sager omfattet af hvidvaskloven, skal foretage en “konkret, sagsspecifik risikovurdering”. Det står klart i både lovgivningen og i Advokatrådets vejledning. Alligevel oplever Advokatsamfundet under tilsyn, at denne vurdering ofte er mangelfuld eller udført på et generisk niveau.

‍

Hvad siger vejledningen?

Ifølge Advokatrådets vejledning skal risikovurderingen:  

• Udarbejdes for hver sag omfattet af hvidvasklovens § 1, stk. 1, nr. 13  
• Være sagsspecifik og dokumenterbar 
• Baseres på **forretningsmodellen, altså klienttyper, produkter, leveringskanaler og geografisk relation  
• Udføres med fokus på den iboende risiko – altså risikoen før risikobegrænsende foranstaltninger

Det er ikke tilstrækkeligt, at man har en overordnet risikovurdering. Hver enkelt sag skal vurderes særskilt, og vurderingen skal dokumenteres.  

(Kilde: Advokaten nr. 1, 2024 – Risikovurdering efter hvidvasklovens § 7)

‍

Eksempel: Fast ejendom – lav risiko? Måske, men ikke nødvendigvis

‍

Et klassisk eksempel er rådgivning i forbindelse med køb af fast ejendom. Mange advokater ville opfatte denne sagskategori som lav risiko, fordi klienten typisk er en privatperson, og finansieringen sker via dansk realkredit.

‍

Men Advokatrådets vejledning peger på flere forhold, der kan påvirke risikobilledet:

• Er der udenlandske klienter involveret?  
• Indgår der andre aktiver i handlen?
• Hvor ofte handler klienten ejendomme?
• Hvornår er ejendommen erhvervet og hvordan?  
• Foregår rådgivningen uden fysisk kontakt?  
• Ejendommen istandsat under den klientens ejerskab

‍

Ovenstående er ikke udtømmende og en standardvurdering af “lav risiko” vil ikke være tilstrækkelig. Der skal foretages en konkret vurdering. Netop ejendomme kan være genstand for hvidvask, da mange ulovlige midler kan anvendes til at øge værdien af en ejendom, såsom anvendelse af sort arbejde til istandsættelser, løsøre med høj værdi osv.

‍

Hvad skal vurderingen dække?

Ved vurdering på sagsniveau skal vi tage stilling til bl.a.:  

1. Klienttypen

• Fysisk eller juridisk person  
• Geografisk tilhørsforhold  
• Persontype/historik 

2. Produktet eller tjenesten

• Hvilken type rådgivning ydes?  
• Er sagen kompleks eller usædvanlig?  
• Har advokaten fuldt overblik over transaktionen?

3. Leveringskanalen

• Foregår rådgivningen fysisk eller digitalt?  
• Er der anonymitet eller afstand mellem klient og advokat?

4. Geografisk tilknytning

• Er der elementer i sagen med forbindelse til højrisko-lande?  
• Bruges banker, selskaber eller fonde i lande med lav gennemsigtighed?

‍

Typiske udfordringer som vi ser i praksis

• Brugen af standardiserede skemaer, hvor alle sager ender i samme risikokategori  
• Mangel på dokumentation for, hvorfor en vurdering er foretaget  
• At kundekendskabsproceduren (KYC) forveksles med selve risikovurderingen  
• Manglende brug af eksterne kilder som nationale og EU’s risikovurderinger  

‍

Ofte, vil det være rigtig svært at begrunde sit “flueben” når sagen udtrækkes ifm. et tilsynsbesøg 4 år efter den er afsluttet. 

‍

Nogle gode råd til praksis

• Tænk i sagskategorier - udarbejd vejledende rammer for forskellige sagsområder, men justér for hver sag.
• Dokumentér jeres overvejelser - en risikovurdering er ikke blot et flueben – den skal kunne stå alene ved tilsyn.
• Hold jer opdateret på eksterne risikovurderinger - Brug fx Hvidvasksekretariatets og EU-Kommissionens vurderinger som pejlemærker.
• Involver hele teamet - Sikrer, at alle medarbejdere kender kravene og forstår forskellen mellem klientkendtskab og risikovurdering.

‍

Det bedste råd, vil nok være, at have fokus på de beskrivelser som bør indgå i selve risikovurderingen.   

‍

Refleksion: Har I styr på det?

• Er jeres vurderinger “konkrete og individuelle”, eller er de præget af standardisering?  
• Tager I højde for “den iboende risiko”, uden at lade jer påvirke af jeres interne procedurer?  
• Kan I dokumentere “hvordan og hvorfor” I har vurderet en sag som høj, mellem eller lav risiko?

‍

What is a DPO?

What is a DPO? This term is an abbreviation of the word, Data Protection Officer. This person or company carries out tasks, such as data security checks, in a company. This includes compliance with the GDPR.

Public authorities and bodies must have a DPO, Data Protection Officer, who carries out these tasks. This DPO must also advise the data controller of the specific body. It is a legal obligation for these authorities and bodies to have a data protection officer appointed, which may also be the case for several companies.

You can read much more about GDPR,, the Personal Data Act, the Data Protection Act and the difference between them in our articles on this page. Where and for how long can a company keep personal data? Who is covered by the GDPR? These are questions that a DPO, Data Protection Officer can help answer.

A Data Protection Officer will often act as a liaison between the Data Protection Authority and the data controller in the company. In addition, a company's DPO must be independent and external, and must not receive instructions on the selection of tasks.

How does Meo work with data security?

At Meo we can help you with the secure transfer of information to and from customers, as well as a software system that can act as an administration tool for both: verification, checking and monitoring of current and prospective customers, as well as a tailored risk assessment.

This system, Meo Identity, helps you and your DPO to check and manage data correctly, and this system and automation of data management ensures your compliance with GDPR, avoiding penalties, in the form of fines or similar.

We are ISO 27001 certified, as GDPR and AML compliant, which means we are internationally approved and certified in information security and data handling.

Manage your data securely with a DPO, Data Protection Officer

It is essential to work correctly with data, as there may be major penalties for violations of, among others, GDPR, the General Data Protection Regulation. With an automated system, not only can you free up resources from semi-manual processes, but you also ensure control and reduce risk.

A Data Protection Officer will, by advising on a company's data security, look into the handling and guide employees to the extent that potential knowledge about data security, GDPR and the exchange of data with customers or clients is lacking.

This advisor may therefore also provide guidance or recommend useful applications or IT systems that may be relevant for maintaining data security.

Let us help make your client management transparent and secure, so that all processes take place under legal conditions.

What is compliance - Get answers and take a non-binding check up

Let us help you understand "what is compliance" and why regular compliance check ups are important. We conduct non-binding surveys and check ups of your KYC processes, where we provide an overview of the efforts and procedures you can optimise and how.

At Meo, we treat your data and responses confidentially and securely, in order for you to receive a compliance check up with peace of mind. But allow us to introduce Meo and our identity, as well as put you in the picture of what compliance is.

What is meant by a compliance check up?

When talking about a compliance check up, we mean an examination of whether rules, legislation and guidelines are being adhered to in the respective processes. This applies to processes in connection to customers as well as internally.

In the same process, the term KYC compliance is used. KYC is primarily an abbreviation of Know Your Customer, and this term, therefore, covers knowing your customers legislation and guidelines and what you need to be aware of. The term is used in financial contexts.

These concepts and efforts have been created to safeguard customers against corruption, money laundering, fraud and other types of financial abuses.

The purpose of conducting these check ups, and gaining knowledge on what constitutes compliance, is to avoid pitfalls that can, in the worst case, lead to sanctions if you violate laws, guidelines or other regulations.

Who is Meo?

We are a RegTech company located in Denmark, working on platforms for the benefit of secure customer data handling.

At Meo, we offer complete solutions through software to automate customer verification, checks, monitoring as well as risk assessments and onboarding flows allowing you to save resources.

We help save you time on cumbersome processes that are essential to avoid breaches of legislation, regulations or guidelines. By automating or streamlining processes and gaining a deep understanding of "what is compliance", we can ensure that everyday life is easier and more manageable for both you and your clients.

So spend time wisely on other processes and streamline your efforts while ensuring your data exchange is secure and confidential.

What does due diligence mean?

Due diligence means, in short, a thorough investigation. This process involves a careful review of various elements related to drawing up or designing a contract regarding a change of ownership of a company.

It is necessary in this context to closely examine the assets that the company has and generally their financial status. Therefore, the following elements are often investigated:

• The financial statements
• Management
• Marketing
• Tax situation
• Contracts and rights of an intellectual nature
  

However, the investigation varies depending on the purpose of the change of ownership and the specific industry. Which information is crucial can vary depending on the purpose of the investigation. It can be advantageous to use professional tools such as relevant platforms for this due diligence process.

This is how it works in practice

How this process works in practice can vary, but what is often done in practice is to divide the company's assets and areas into groups and phases, and then each area and phase is investigated step-by-step.

First and foremost, a preliminary investigation of the company can provide insight into whether there are any parameters that generally prevent the agreement and the change of ownership from being completed. This preliminary investigation can, therefore, also put a natural hold on the upcoming investigation, due diligence if some areas are inadequate.

The next step in a due diligence process is to collect data on the company. This data can cover the aforementioned areas, which are analyzed and interpreted thoroughly and with care.

Finally, a report is prepared that outlines areas where there may be issues. This is done with a view to the further negotiation of the contract or potential termination of the negotiation.

Who are we at Meo?

At Meo, we work on streamlining KYC procedures and digital data management systems, which includes our software solution: Meo Identity. We specialize in streamlining processes with clients, as well as ensuring the best possible handling of data.

We automate verifications, check and monitor current and future customers, as well as perform risk assessments.

We make it possible for your company to share data internally and with customers, quickly and efficiently, without worrying about sensitive personal data or other security measures.

In addition to knowledge about due diligence, you can read much more on our site about areas such as money laundering and AML, as well as PEP lists and data security. We help companies with a compliance check to investigate where you can optimize and need updates.

Its Purpose, Process, and Necessity

Are you questioning: what is a declaration of consent? In this article, we can answer the questions of what it is, how it is filled in and why it may be necessary. This is a written document that is created when having to give consent or permission for a specific action.

More specifically, it is used in the context of travel with children, professional consent in regards to private collaboration, which is both within and outside the legal framework. It can, therefore, also be a written agreement on how an external company manages data security in another company, and so on.

What does such a statement entail?

A declaration of consent is a written agreement that covers a wide range of issues and situations. But generally speaking, there is always one party giving permission to another party to perform a particular action.

Among other things, the consent form involves:

• Identifiable descriptions of all parties
• The time period of the consent
• What is consented to - the object in question
• How the consent itself is to be used
• What a possible cancellation or revocation looks like

Which parties are involved in this document?

When filling in a declaration of consent, there are always several parties present. This involves the "giving" party and the opposite party to whom the consent is given. The descriptions and information in such a statement must be referable, which means that they must be able to identify the parties.

The essence of this whole covenant and permission is that the giving party must give consent voluntarily. This is regardless of the context. There are some points and areas which must also always be complied with and completed.

Understand what is a declaration of consent and what the points are

It can be beneficial to have a declaration of consent template that a company or individual uses in situations where consent is required.

• Descriptions of the parties should include the full names of all parties and contact details provided, together with any social security or company registration numbers.
• The time period must be clearly defined. This gives an indication of when and for how long it may be used.
• What is consented to is the most essential, as it implies the object. It can be the given data used in the collaboration, the certificate used, the person, the company or whatever this may be.
• How the consent and this declaration of consent are to be used is in several places a more optional point. However, if a company wants this point included, the purpose of the act can be described.
• How to withdraw consent may be a beneficial area to cover in the event that parties disagree or rules are broken for the consent form in place.

Reduce risks with digital data management platform

At Meo, we work with data security through a digital platform. Therefore, in addition to being able to introduce you to what is a declaration of consent, we can also assist with digital help to handle everything from verification, monitoring, checking of customers - current as well as new.

We automate time-consuming KYC procedures, creating more time for your work and reducing the possibility of errors.

Too long, too personal

According to recent research, 68% of consumers abandoned an application for a financial service in 2021. A 3% rise since 2020 and a huge missed business opportunity. Not surprisingly, the two key reasons were the longer-than-expected application process and the amount of personal information requested.

Bad UX in onboarding is still a major pain

While a bit of friction is necessary in industries providing services where consumers have personal finances or delicate information at stake, too much friction is detrimental to successful onboarding.‍

Meo partners with e-Boks

Our new partnership with e-Boks results in a more safe and seamless user experience than ever seen before within KYC.

A solution that meets companies’ growing need for access to data, now requested through the most trusted digital postbox, allowing the customers to share data through a platform that they are familiar with and comfortable using.

Frontrunners in the KYC space are dedicating resources to improve onboarding flows and make them more similar to UX leaders like Apple, Amazon etc., while adding just the right amount of friction to induce trust.

Increased scepticism towards data requests

Consumers can be fickle. While increased public attention to GDPR has raised consumers expectations towards regulatory compliance, they still want to share as little personal information as possible.

Research shows that consumers have become increasingly sceptical due to fear of data breaches. Thus, to cater to the digitally enlightened consumer, factors such as data privacy, data transparency and data control are powerful generators of trust in a company or brand.

Where to begin?

As indicated by the data above, speed, UX, data volume and trust are major arenas for battle when it comes to improving onboarding and winning customers. While regulation may prohibit you from reducing the amount of personal information you request, there is a lot to be done in how and where you ask for information. Tuning in on those factors can potentially be a game changer to ensure your customers complete onboarding.

To mend the trust gap and make onboarding and KYC simpler for consumers, we are partnering with e-Boks, the most trusted digital postbox in Denmark. Our customers can now deliver data requests to a provider that consumers know, use and trust with their data already. With conversion rates up to 98% on data requests in e-Boks, completing onboarding feels both more familiar and more safe.