Module 10: Customer Due Diligence (CDD) and Risk Profiling
Learning objectives

The purpose of this module is to:
- explain the nature of CDD
- outline the practical steps needed to carry out effective CDD
- discuss the value to the organisation of effective CDD
- outline the benefits of a risk-based approach to CDD
- provide a framework for the application of risk-based CDD
- explain the requirements for enhanced due diligence (EDD)
- enable the application of monitoring and CDD
- understand the meaning and importance of beneficial ownership
- understand the obligations on an organisation in respect of record keeping
1. What is CDD?

Customer Due Diligence (CDD) information comprises the information about a client that enables an organisation to assess the extent to which that client exposes it to a range of risks, including the risk of involvement in money laundering. CDD is often referred to as KYC (Know Your Customer) information, although the terminology has developed, as KYC was often associated with the client identification process, commonly thought of as the "passport and two utility bills" approach to CDD. CDD is a far more holistic concept than basic client identification measures, and encompasses a wider range of information and processes, which need to be gathered, verified and assessed throughout a client relationship.
More particularly, CDD information generally comprises information on the following aspects of a client relationship:
- Who is the client?
- What are the geographical locations of the client's residence, assets and business interests?
- What is the nature of the client's business interests/occupation?
- What is the commercial rationale for the relationship between the client and the organisation (what is the client seeking to achieve)?
- What is the client's source of funds?
- What is the client's source of wealth?
- What has been the historical pattern of the client's relationship activity with the business, and has it been consistent with what was expected at the outset of the relationship?
- Is the current or proposed activity consistent with the client's profile and commercial objectives?
Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism
2. The value of CDD information

There are two stages to benefiting from CDD information. The first is to obtain it and use it to decide whether to acquire a prospective client; the second, which is what is usually referred to as CDD, is to use the information actively to facilitate the effective monitoring of client relationships for unusual and potentially suspicious activity.

The key to obtaining maximum value from CDD information is to use it. The mistake financial services businesses commonly make is to obtain and document CDD information, but then fail to refer to it before conducting transactions. Such mistakes can prove to be costly.
Consider the following example.
An offshore Corporate Service Provider (CSP) manages and controls a client company that its files show was set up for investment holding purposes.
Three years after its incorporation, the company enters into an agency agreement for the procurement of contracts and receives large commission payments.
No questions are raised by the CSP, which fails to take account of the CDD information on its own files that indicates that the company was not set up to trade.
It later transpires that the agency activity was illegal, and that the commissions received were the proceeds of crime.
The directors of the CSP are asked to explain why they did not regard it as unusual for an investment holding company that they were managing and controlling to begin trading. They are unable to provide an acceptable explanation.
3. Taking a risk-based approach to CDD

CDD information is not only valuable in assessing potential exposure to the risk of money laundering; it is essential to the assessment and avoidance of a range of additional risks, all of which (including money laundering) are interrelated.

The Financial Action Task Force (FATF) Recommendation 5 (see Course Appendix VI), the Third European Directive (Appendix III), the Basel CDD paper (Appendix V), IAIS Guidance Paper 5 and the IOSCO AML Principles paper explicitly envisage that financial institutions will take a risk-based approach to AML. It is important to understand, however, that applying a risk-based approach to client identification does not remove any underlying responsibility for verifying a client's identity; it merely allows a firm to modify and simplify the method of identity verification and, in higher-risk cases, to increase it.
A risk-based approach to AML involves the following aspects:
- risk identification and assessment: identifying the money laundering (and associated legal, regulatory and reputational) risks facing the firm, given its customer, product and service profile and having regard to available information, including published typologies; assessing the potential scale of those risks and of the possible impact if they crystallise
- risk mitigation: identifying and applying measures effectively to mitigate the material risks emerging from the assessment
- risk monitoring: putting in place management information systems and keeping up to date with changes to the risk profile through changes to the business or to the threats it faces, and
- documentation: having policies and procedures that cover the above and ensure effective accountability from the board and senior management down.
The UK JMLSG Guidance Notes89 advise that:
A risk-based approach is one that takes a number of discrete steps in assessing the most cost-effective and proportionate way to manage the money laundering and terrorist financing risks faced by the firm. These steps are:
- identify the money laundering and terrorist financing risks that are relevant to the firm
- assess the risks presented by the firm's particular:
  - customers
  - products
  - delivery channels
  - geographical areas of operation
- design and implement controls to manage and mitigate these assessed risks, and monitor and improve the effective operation of these controls; and
- record appropriately what has been done and why.
Risk assessment is a continuous process: policies and procedures must be reviewed and updated to ensure they are still effective.
3.1 The benefits of a risk-based approach

A risk-based approach places the responsibility on financial institutions and their boards and senior management to identify, assess, mitigate and monitor their money laundering risks on a considered and continuing basis and to ensure that they have adequate controls in place to manage those risks. It is therefore not a soft option, but it does allow firms to be flexible on where they concentrate their efforts. A risk-based approach:
- allows managers to differentiate between their clients in a way that matches the risk in their particular business
- allows senior management to apply its own approach to the firm's procedures, systems and controls, in particular circumstances
- helps to produce a more cost-effective system, and
- ensures that attention and resources can be concentrated where there is the greatest risk.
3.2 The MLRO role in AML risk assessment

The MLRO must play a principal role in determining the institution's risk strategy and risk assessment policies and procedures. In the UK the Financial Skills Partnership (formerly known as the Financial Services Skills Council) Standards90 state that in assessing and mitigating the money laundering risks relevant to the business, the MLRO must be able to:
- assess the probability and potential impact of different types of money laundering activities that may affect the organisation
- determine the jurisdictional scope of the regulatory and legislative environment in which the firm operates
- complete a risk assessment of the organisation that takes into account external events and threats and firm-specific risks, including staff risks
- assess the risks that are external to the organisation but that directly or indirectly affect its business or control risks
- identify any gaps in the information available about the money laundering risks faced by the organisation and locate this information
89. 2010 Guidance, paragraph 4.2.
90. The Financial Skills Partnership originally created the standards in 2006 and these were revised in 2011; see www.int-comp.org/standards
- develop a risk-mitigation programme to address issues identified by the risk assessment
- ensure that the risk-mitigation programme is proportionate to the risks posed, in terms of their potential impact and probability, and
- review the risk assessment at regular, agreed intervals and when specific events may affect the assessment.
3.3 Understanding different money laundering risks

3.3.1 Criminal risk of money laundering
It must be appreciated that the risk of money laundering applies at both an organisational and an individual employee level.
3.3.2 Regulatory risk

This is the risk that a regulatory authority will impose a sanction, upon either an organisation or an officer thereof, for failing to comply with the regulatory standards applicable in a particular industry sector. A variety of different forms of sanction can be applied, including:
- the imposition of conditions upon a licence (conditions can be in a variety of different forms, e.g. removal of a particular officer or employee, implementation of remedial action)
- fines
- withdrawal of a licence, and
- removal of an individual's authorisation to operate within the financial sector.
Where the criminal risk of money laundering materialises, some form of regulatory risk may also materialise.
3.3.3 Legal risk

This is the risk of exposure to litigation; it can occur in a variety of guises, including action for breach of a constructive trust, or a breach of contract.

3.3.4 Reputational risk

This is the risk that the reputation of an organisation will be damaged in such a way that it will be regarded less positively, or even damaged to such an extent that the business is forced to close. Reputational damage always follows the materialisation of criminal or regulatory risk.

3.3.5 Compliance risk

This can take on a variety of meanings but is often used to refer to the risk that a business will fail to adhere to its own internal compliance procedures. The impact of such a risk can result in both legal and regulatory liability as well as giving rise to the expense of remediation to correct any past business failures. The concept of compliance risk will become more significant when operating in a principles-based regime, where more generic regulation places increasing emphasis on businesses to devise internal compliance arrangements appropriate to the nature and complexity of their own activities.

3.3.6 Concentration risk

This is a risk that generally applies in respect of both the assets and the liabilities of banks. The risk is either that the assets of a bank will be too greatly concentrated on certain borrowers or groups of related borrowers, or that the liabilities of the bank will be too concentrated on a small group or groups of depositors. This can arise when criminals become the principal depositors and engage in capital flight to avoid detection.
3.3.7 Liability risk

This risk usually results from the materialisation of legal risk and the subsequent establishment of blame on the part of an organisation. Liability risk can also result in reputational and regulatory risk.

3.3.8 Credit risk

This is the risk that funds obtained fraudulently will not be repaid.

3.3.9 Operational risk

This is the risk that systems and controls may be compromised owing to internal collusion or the infiltration of the organisation by criminals.

3.3.10 Financial risk

This risk concerns the cost of defending a charge of money laundering and clearing one's name with the regulator, which can be significant both in real costs and in management resources.

3.4 The questions to be asked

The risks posed by clients differ according to the number and type of risk factors within a relationship. The risks posed by an ordinary retail bank current account for a local resident earning RM40,000 per annum with an obvious source of funds and regular standing order or direct debit expenditure will not be as great as the risks of a relationship with a non-resident PEP wishing to invest RM10 million through an offshore trust in a munitions company based in a former Soviet satellite state. The amount of CDD information required in the latter example, both at the outset and throughout the duration of the relationship, will be far greater, in order for an organisation to be able to assess and monitor the risk.
In order to tailor its policies and procedures to the particular AML risks that the institution faces, the MLRO and senior management will need to ask themselves a number of questions.
3.4.1 What risk is posed by the firm's customers?

For example, MLROs should evaluate the risk of:
- complex business ownership structures, which can make it easier to conceal underlying beneficiaries, where there is no legitimate commercial rationale
- an individual in a public position and/or location which carries a higher exposure to the possibility of corruption (e.g. a PEP)
- customers based in, or conducting business in or through, a high-risk jurisdiction, e.g. a jurisdiction with higher levels of corruption or organised crime, or a jurisdiction known to be a drug production/distribution or trans-shipment point, or a jurisdiction that appears on sanctions lists
- customers engaged in a business which involves significant amounts of cash, and
- customers that work in high-risk industries, for example the arms trade, pharmaceuticals, telecommunications, construction, mineral extraction or gambling, or are involved in public contracts.

3.4.2 What risk is posed by a customer's behaviour?

For example:
- when there are requests to associate undue levels of secrecy with a transaction
- situations where the origin of wealth and/or source of funds cannot be easily verified or where the audit trail has been deliberately broken and/or unnecessarily layered, and
- the unwillingness of non-personal customers to give the names of their business's real owners and controllers.
3.4.3 How does the way the customer comes to the firm affect the risk?

For example, the MLRO should evaluate the risks of:
- one-off transactions as compared with business relationships
- introduced business, depending on the effectiveness of the due diligence carried out by the introducer
- non-face-to-face acceptance, and
- companies based in jurisdictions with poor regulatory controls, high levels of corruption or jurisdictions known to have excessive secrecy or lack of transparency in respect of financial entities and transactions.

3.4.4 What risk is posed by the products/services the customer is using?

For example, the MLRO should:
- consider whether the product features can be used for money laundering or terrorist financing, or to fund other crime
- consider whether the products allow or facilitate payments to third parties
- understand that the main risk may be that inappropriate assets might be placed with, or moved from, or through, the firm, and
- consider the risk if a customer migrates from one product to another within the firm.
3.5 Assessing the effect of the countermeasures in place

An AML/CTF risk assessment is not a one-off event. Risks change, as do client activities and profiles, and the institution's products, services and method of delivery will also evolve. It is generally recommended by national and international bodies that the institution should revisit its risk assessment at least annually.
As part of its continuous review, a financial institution should have some means of assessing whether its risk-based approach and countermeasures are working effectively. The result of the review and any improvements or changes that need to be made should be included in the MLRO annual report. The matters that will need to be taken into account when assessing the effect of the strategy should include:
- whether the procedures to identify changes in client characteristics are satisfactory and whether the changes are being adequately documented
- whether the vulnerabilities of the various products and services have changed and whether new products and services have been adequately risk assessed
- the extent to which staff awareness-raising and training is resulting in a sufficient degree of understanding and competence
- the results of the compliance monitoring arrangements and action that has been taken as a result of any reports raised
- whether sufficient information is being given to senior management to enable the AML risks to be managed, and the action to be taken by senior management in response, and
- the effectiveness of the liaison with regulatory and law enforcement agencies and whether improvements can be made.
3.6 Implementing a risk-based approach

How a risk-based approach is implemented will depend on the institution's operations structure and the answers to the questions set out in the previous section.
There are a range of client, product and delivery mechanism characteristics that, when taken together, can indicate the level of money laundering or terrorist financing risk inherent in the particular customer relationship. Each individual institution must decide, on the basis of its risk assessment, the level of identity verification, additional CDD information and frequency of monitoring that are required. The background and rationale behind all decisions and the procedures put in place to implement them will need to be clearly documented. In particular, the arrangements for higher- and lower-risk clients need to be fully documented, particularly to justify the need for simplified or enhanced due diligence.
In June 2011 the Institute of International Finance (IIF) published a report entitled "Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions". The IIF states that the objective of its report is to provide insights and practical recommendations to the different stakeholders in the design and implementation process of these frameworks. In particular, the report contains recommendations for different levels of management:
- Board directors: this includes the need for such directors to ensure that they are able to engage fully with the firm's risk and risk appetite.
- Senior management: this includes the need for senior management to set the tone and lead discussion regarding risk appetite.
- The risk management function: for example, the need for risk management to provide clarity of concept, definition and support regarding risk and risk appetite within an organisation.

In addition, the IIF report's key recommendations to firms include that:
- firms should initiate a dialogue across businesses, risk, IT and operations on how to redesign the risk IT architecture to fill gaps in functionality, especially with respect to simulations, including stress-testing
- firms should consider establishing a single point of responsibility to oversee the development of new risk applications
- firms should develop data collection capabilities that provide senior management with timely views of the whole firm's exposures to any given firm or sector, and
- firms should aim to create a common data model, including standard definitions of all risk-related data and, where appropriate, also consider the consolidation of their data into a small number of data warehouses.
The report offers practical insights and case studies on how embedding a risk appetite into the firm can be achieved.
4. CDD in Malaysia

4.1 AMLATFA provisions

In Malaysia, the requirements under section 16 of AMLATFA specify that a reporting institution:
a) shall maintain accounts in the name of the account holder; and
b) shall not open, operate or maintain any anonymous account or any account which is in a fictitious, false or incorrect name.

A reporting institution shall:
a) verify, by reliable means, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, as well as other identifying information on that person, whether he be an occasional or usual client, through the use of documents such as identity card, passport, birth certificate, driver's licence and constituent document, or any other official or private document, when establishing or conducting business relations, particularly when opening new accounts or passbooks, entering into any fiduciary transaction, renting a safe deposit box, or performing any cash transaction exceeding such amount as the competent authority may specify; and
b) include such details in a record.
A reporting institution shall take reasonable measures to obtain and record information about the identity of the person on whose behalf an account is opened or a transaction is conducted if there are any doubts that any person is not acting on his own behalf, particularly in the case of a person who is not conducting any commercial, financial or industrial operations in the foreign State where it has its headquarters or domicile.

For the purposes of this section, "person" shall include any person who is a nominee, agent, beneficiary or principal in relation to a transaction.
4.2 Customer acceptance policies

There is an obligation on all reporting entities to develop customer acceptance policies and procedures in order to know their customer and the nature of the customer's business. To this end the reporting entity should identify and evaluate the potential risk posed by a customer. A risk profile is required, particularly, in respect of high-risk customers such as PEPs and high-net-worth individuals.

In conducting a risk-profiling exercise, the reporting organisation should take into account, as a minimum, the following factors:91
- the origin of the customer and the location of the business
- background and profile of the customer
- nature of the customer's business
- structure of ownership for a corporate customer
- information indicating the customer is high risk.

Reporting institutions should ensure that the CDD information that they hold on the customer is regularly reviewed and updated, especially when there are changes in the circumstances of the individual's business or employment.92
The general principle when conducting CDD on a customer is to ensure that there is satisfactory evidence and proper records relating to the identity and legal existence of the potential customer. The documentary support materials should be reliable and independent.
4.3 Customer due diligence procedures

Reporting institutions should conduct CDD wherever:
- a new business relationship is established
- cash or occasional transactions in excess of RM50,000 are being transacted (banking activities only)
- there is any suspicion of money laundering or terrorist financing
- the nature of the previously supplied information by the customer is questionable
- the transaction involves a new type of service or product or a new technology of delivery
- a wire transfer is used and the amount exceeds RM3,000.

In conducting CDD the minimum requirements to be undertaken include:
- identification and verification of the customer
- identification and verification of any beneficial ownership and control of a transaction
- the purpose and nature of the business relationship or transaction, and
- continuing due diligence and scrutiny.

If a customer fails to provide the necessary information or fails to cooperate with the reporting entity, then this constitutes suspicious activity in itself, and any new relationship should be inserted and the lodging of an STR considered. Occasionally a period of grace, circa 14 days, may be given where there is genuine reason for non-production of information and the risk category of the customer is low.
91. See Malaysia Standard Guidelines on AML/CFT, Sections 4 and 5.
92. See Malaysia AML/CFT Sectoral Guidelines on Banking and Financial Institutions, Section 2.
As a general principle, the extent of CDD required varies according to the risks associated with the type of customer, the nature of the service or product or the type of transaction undertaken.

5. The practical application of CDD

It is worth repeating the fundamental reasoning behind why CDD is performed. It is the foundation of a good AML regime that assists in the prevention and detection of criminal activity and those behind such activity. As such it is important that firms ensure they have:
- identified the customer (including beneficial owners)
- verified that identity, and
- recorded and kept up to date sufficient information (at least the reason for the relationship) and data on their customers to assist in the detection of potentially suspicious activity.
It is also expected this will be carried out in a risk-based way in order that firms can apply resources to CDD appropriately. For example, the level of CDD and resources applied to a salaried individual working for a multinational company who wants a credit card should differ considerably from that of an SME based in a country with a reputation for high levels of corruption and poor regulation that is seeking a series of products including trade finance and large term deposits.
In some firms this may be relatively straightforward, if the customer base is small, and the product offering and geographic footprint are limited. For others it presents a considerable challenge to differentiate the risk posed by the many types of potential customer.
A key area of challenge for many firms is the interpretation of what regulations mean when they use phrases such as "understanding the nature of business" or "the purpose and reason for opening the account". The first table below looks at how firms may consider explaining to those of their staff responsible for CDD how these could be interpreted.

Table 4.1: The practical application of regulatory expectations

Regulatory expectation: Understand the nature and details of the business
Practical application: A demonstration that a firm clearly does know the customer's business activities. Generic descriptions such as "general merchandising", "general imports and exports", "real estate", etc. are not sufficient. There should be more description, as in the examples below.
(i) Retail sale of electrical products for domestic use (washing machines, TVs, DVD players as well as kitchen and other smaller home-use appliances such as toasters and hairdryers). Mr A and his two sons have been the owners of the company since 1998, with Mr A being the main person running the business and the decision-maker of the company.
(ii) Import and export of roller skates since 2006. Main countries where the imports are sourced are China and Taiwan, and exports are mainly to European countries (>50% to Germany).
Regulatory expectation: An understanding of the business activities
Practical application: Document in detail the customer's business activities, going beyond the description above.
(i) Are there business divisions? If so, what are they?
(ii) Describe any major clients of the customer.
(iii) Describe any major suppliers to the customer.
(iv) Describe any competitors of the customer.
(v) Describe the main countries or regions where the customer does business.

Regulatory expectation: The purpose and reason for opening the account or establishing the relationship
Practical application: Demonstrate understanding of the customer's need for the services and/or products to be provided, as in the examples below.
(i) Customer needs a collection product to manage retail receipts.
(ii) Customer needs trade finance facilities to support import-export business between China and Europe.
(iii) Customer needs a short-term finance facility to support operations during quiet periods in the property market.
As such, the products that the customer will use could be: Trade Finance (LCs, export documentary collection, etc.), Financial Markets (FX, bonds, interest rate swaps, equity derivatives, etc.), Cash Management (current account with cheque books, overdraft, etc.).

Regulatory expectation: An understanding of the anticipated volume of activity for the products used by the customer
Practical application: Demonstrate understanding of how the customer intends to use the products that will be provided. Consider providing a range of monthly activity for each product indicated. For example: Export L/Cs HK$xx, USD/Yen FX US$yy, Outgoing payments Euro zz, etc. This could be determined from available information (e.g. copies of recent financial statements).

Regulatory expectation: The source of funds
Practical application: Demonstrate understanding of the origin of funds to be used/received throughout the relationship. In practice that means the activity from which the funds are ultimately derived, e.g. the customer's business activities or sale of assets. A description such as "business proceeds" would be fine if there is information available, for example financial statements demonstrating a business that generates such proceeds. For other customers more description is required, for example "proceeds from media business that generates RMx of annual sales and had a record operating income of RMy in 2011".
The next set of tables and situations provide practical examples of CDD that may be applied in most situations (excepting those already given above). These are only theoretical examples of a risk-sensitive approach to CDD. Firms should develop and design an approach dependent on the actual money laundering risk derived by a ML risk assessment, any subsequent customer risk rating methodology employed and extant regulations or internal requirements.
Table 4.2: Practical applications of guidelines on individual customers

Individual customers

Standard Guidelines:
- Full name
- NRIC/passport number
- Permanent and mailing address
- Date of birth
- Nationality

Sectoral guidelines:
- Occupation, type/self-employed
- Name of employer or nature of self-employment/nature of business
- Contact number (home, office, mobile)

International best practice:
- Anticipated level and number of transactions
- The purpose of, and reasons for opening, the account (if not implicit in the products taken)
- Source of wealth

Practical applications

To verify the identity of the individual, documents that describe the full name and either date of birth or residential address are the desired method.

In certain cases, the individual required to be verified is well known (e.g. a well-known businessman often in the public domain) and sighting of any document as mentioned above may not always be practical. Although all efforts should be taken to obtain such documents, where this is not practical, reliance may be placed on any publicly available documents containing photographs of the individual. However, this process may be risky at times when the opening of the account is via an intermediary/third party acting on behalf of the individual VVIP. The third party has not had the privilege of a face-to-face meeting with the VVIP and thus will not be able to confirm to the bank that the VVIP is the same person as in the photo.
1. Preferred document to verify identity

A government-issued document which contains the name, photograph and either the residential address or date of birth. For example:
- passport
- driving licence
- NRIC for Malaysian/permanent resident
- ID card issued by the Electoral Office.

2. Other methods

(i) A government-issued document without a photograph, incorporating full name and supported by
(ii) a second document, either government issued, or issued by a judicial authority, a public sector body or authority, or another AML-regulated firm, which incorporates the customer's full name and either his residential address or his date of birth.

Examples of second document:
- Instrument of a court appointment such as liquidator or grant of probate
- Tax demand letter or statement from government departments or local bodies
- Bank or credit/debit card statements (should be current within the last three months) issued by a regulated financial sector firm in an equivalent jurisdiction
- Utility bill (should be current within the last three months)
222
Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism
Notes 3. In some jurisdictions electronic data sources (not pure credit bureaus) can provide the necessary verification without involving the customer. To rely on an electronic confirmation, it is necessary to achieve:
one match on an individuals full name and current address from a secondary check, a second match on an individuals full name and either his current address or his date of birth.
Appropriate evidence such as a relevant print out or agency report must be retained.
4. PO Boxes are not generally acceptable as a residential address. In those countries where PO Boxes are commonly used, such as the Middle East, the residential address must, at the very least, be a recorded description. PO Boxes are acceptable as mailing addresses.
Table 4.3: Other less common situations for individuals

Non-face-to-face account opening (where the customer is not met personally while opening the account, e.g. a request through mail or the Internet)

While the documents obtained and seen may be similar to those required in normal individual circumstances, it is important to try to obtain some independent corroboration of them, which may include having them certified by other banks, lawyers, accountants, diplomatic missions, Commissioners of Oaths or a Notary Public; or allowing uncertified documents provided the first payment to the account is carried out through an account in the customer's name with a bank from an equivalent jurisdiction.

Customers who cannot provide standard evidence (such as customers in low-income groups; those with a legal, mental or physical inability to manage their affairs; people under the care of others; dependent spouses or minors; students, refugees, migrant workers; and prisoners)

There are good reasons why such customers are unable to provide the documentation for verification, but they are, quite correctly, entitled to financial services and should not be excluded. In these cases, alternative methods of verification may be used, examples being:
- letter from relevant authorities, in the case of recipients of government benefits/financial support such as unemployment benefit/old age pension
- letter from Care Home Manager or employer
- letter from prison authorities or police
- letter from educational institution.
A letter or statement of reference from a person of good social standing such as a doctor, a teacher, a lawyer or an accountant, certifying his knowledge that that person is who he claims to be, is the lowest level of verification that is acceptable.
Table 4.4: Practical application of guidelines for corporate customers

Corporate Customers

Standard Guidelines
- Memorandum/Articles/Certificate of incorporation/partnership
- Identification document of Directors/Shareholders/Partners
- Authorisation for any person to represent the company/business
- Relevant documents to identify the person authorised to represent the company/business in the dealings with the reporting institution

Practical application

The articles should be supplied and a copy taken (certified true copies/duly notarised copies may be accepted), or other reliable references used to verify the identity of the corporate customer.

Certified true copies/duly notarised copies of Form 24 and Form 49 as prescribed by the Companies Commission of Malaysia, or equivalent documents for foreign incorporation, may be accepted.

Identification evidence is required wherever an individual shareholder has a majority or more than 25% of a controlling interest in the entity.

A reporting institution should conduct a risk review of any organisation about which it has doubts, e.g. basic searches and enquiries to ensure the organisation has not been or is not in the process of being dissolved or liquidated. The authenticity of information can be checked with the Companies Commission of Malaysia.

The reporting institution should identify the beneficial owner of the corporate customer and know the ownership and control structure of the corporate customer in order to detect any unusual circumstances concerning changes to the company/business structure or ownership or the payment profile of its account.

On the basis of the risk profiling conducted on the customer, reporting institutions should take reasonable measures to verify the beneficial owner of the corporate customer.

The reporting institution is not required to obtain a copy of the Memorandum and Articles of Association or certificate of incorporation, or to identify or verify the directors and shareholders, of corporate customers which fall under the following categories:
a) public listed companies/corporations (including foreign companies listed on exchanges recognised by Bursa Malaysia Securities Berhad) subject to regulatory disclosure
b) government-linked companies in Malaysia
c) state-owned corporations and companies in Malaysia
d) financial institutions licensed under the Islamic Banking Act 1983, the Takaful Act 1984, the Banking and Financial Institutions Act 1989, the Insurance Act 1996, the Securities Commission or the Labuan Offshore Financial Services Authority, or
e) prescribed institutions under the Development Financial Institutions Act 2002 and supervised by Bank Negara Malaysia
Table 4.5: CDD requirements in relation to privately owned entities
Columns: Type of customer | Standard CDD requirements | Enhanced CDD requirements | Practical application considerations and challenge areas

Type of customer: Privately owned
Applies to private companies, partnerships and unincorporated businesses (not falling under any of the Special Categories given below).

Standard CDD requirements
Information and verification:
- Record names of all directors, partners, proprietors
- Unwrapping ownership structures
- Record names of all beneficial owners identified through the unwrapping process
- Record names of shareholders owning at least 25% of the shares/capital or voting rights
- Record names of all authorised signatories
- Nature and details of the business
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer
- Whether the customer conducts business with any countries subject to sanctions
- Source of funds
Verification:
- Identity of the customer entity
- 1. Identities of all principal beneficial owners owning at least 25% of the shares/capital or voting rights
- 2. Authority of authorised signatory(ies) to open and operate the account

Enhanced CDD requirements
- Record names of shareholders owning at least 10% of the shares/capital or voting rights
- Record names of all beneficial owners at the 10% level
- Detailed description of the business activities
- Conduct additional media searches
- Consider further checks on the identity of one or more controlling directors (e.g. managing director), partner or proprietor, typically the director with authority to operate the account

Practical application considerations and challenge areas
Where the customer is a majority-owned subsidiary (i.e. more than 50% ownership) of a regulated Financial Institution (FI) or Listed Corporate (regulated market), a streamlined approach could be acceptable:
- evidence from the annual audited report or other independent source that confirms the subsidiary status of the customer, AND
- attach a copy, where applicable, of the regulator's internet page or the FI's licence to establish the regulated status of the parent FI.

Type of customer: Privately owned Significant and Well-Established Private Entities (SWEPEs)

Standard CDD requirements
Information:
- Record names of all directors, partners, proprietors
- Record names of shareholders owning at least 25% of the shares/capital or voting rights (where a limited company)
- Record names of all beneficial owners
- Record names of all authorised signatories
- Nature and details of the business
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer
- Whether the customer conducts business with any countries subject to the controls in the Group sanctions procedures
- Source of funds
Verification:
- 1. Identity of the customer entity
- 2. Authority of authorised signatory(s) to open and operate the account

Enhanced CDD requirements
- Detailed description of the business activities
- Conduct additional media searches

Practical application considerations and challenge areas
Definitions:
1. SWEPEs may be limited companies, sole proprietorships or partnerships. A SWEPE should have:
(i) a long history in their industry
(ii) scale
(iii) substantial public information about them and their principals and controllers, with information on beneficial ownership (at the 25% level) in the public domain
(iv) good reputation

Type of customer: Clubs/Societies and Charities

Standard CDD requirements
Information and verification:
- Certificate of registration
- Legal status of the club/society (company, trust, etc.)
- Purpose of the club/society
- Record names of all officers
- Record names of all authorised signatories
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer
- Whether the customer conducts business with any countries subject to the controls in the Group sanctions procedures
- Source of funds
Verification:
- Identity and legal status of the club/society
- Identity of the officers (number of signatories) who have authority to operate an account or to give instructions concerning the use or transfer of funds or assets
- Verification that the person has been duly authorised by the club/society to open and operate the account

Enhanced CDD requirements
- Describe how members or associates use or benefit from the club/society/charity
- Conduct additional media searches
Verification enhancements:
- Identity of all the officers
- Certified copy of constitutional documents or equivalent of the club/society for identity and legal status
- Minutes authorising the appropriate officer(s) to open and operate the account
The reporting institution should closely scrutinise the accounts of clubs, societies and charities for discrepancies.

Practical application considerations and challenge areas
Due diligence practical ideas: describe how members or associates use or benefit from the club/society. For example:
- Professional society for lawyers or accountants: the members' objective is to maintain their professional qualification status.
- Recreational club: the members are entitled to the use of the recreational facilities, e.g. golf courses, available in the country as well as overseas where the club operates. Where the club operates in different countries, record all the geographic locations.

The above tables set out a significant proportion of the types of CDD situation likely to be encountered, whatever the regulated industry in which a firm may operate. The CDD requirements relate to individuals or non-individuals and, as mentioned, the above situations provide practical, albeit theoretical, CDD considerations in a risk-based way.
There are other types of customer that could introduce specific risks. This may be because they are required by regulation to have enhanced due diligence conducted or because it is not entirely clear exactly who the customer is for CDD purposes.
Consider the following examples:
Mrs A wishes to open a joint current account with her husband. She works in a call centre and her husband is an employed plumber. They are resident in the country where they are opening the account and will be depositing an initial sum of RM2,000. They expect to deposit around RM3,000 monthly from salary payments.
The above is a good example of a situation where a standard set of due diligence procedures would apply.
Mr B wants to open current and savings accounts with an initial deposit of RM50,000. He is a Philippine national but resident in Malaysia, where he is a senior diplomat.
This may well be an Enhanced Due Diligence scenario. It would have to be determined whether Mr B is a PEP and, if so, this would be an automatic enhanced due diligence (EDD) situation requiring more in-depth consideration of Mr B's actual source of wealth.
6. Assessing CDD risk
6.1 Who is the customer and what is meant by the identification of beneficial owners?
The application of CDD is required when an institution covered by the regulations enters into a business relationship with a customer or, at times, a potential customer. This includes occasional, one-off transactions even though these may not constitute an actual business relationship as it is defined.
The general approach taken is that a customer is a party or parties with whom a business relationship is established or for whom a one-off transaction is carried out. The term business relationship applies where a professional, commercial relationship will exist, with an expectation by the firm that it will have an element of duration.
The important issues to focus on are that:
- even where there is no business relationship but only a one-off transaction, CDD will still be required, and
- CDD will also be required where a business relationship is established yet there are no transactions (e.g. advisory services).
6.1.1 Beneficial owners
The principle behind this requirement is that criminals will attempt to disguise and/or hide the actual ownership of assets through the use of complex structures with numerous entities and/or beneficial owners.
The requirement is for firms to identify who the actual beneficial owners are and, on a risk-sensitive basis, verify the identity of such beneficial owners.
In meeting this requirement firms need to be aware of the risk behind such complex structures and probe sufficiently well to satisfy themselves that those claiming to be beneficial owners are, in fact, the actual beneficial owners and not acting on someone else's behalf.
A beneficial owner may be defined as:
The natural person who ultimately owns or controls a customer (whether through direct or indirect ownership and control, including through bearer share holdings), or the natural person on whose behalf a transaction or activity is being conducted, or the natural person who exercises ultimate effective control over the management of a legal entity.
There are some practical challenges to understanding the identity of the customer for CDD purposes.
- There are circumstances where a number of parties may be involved in a business relationship or transaction (e.g. a syndicated loan) where, for each individual firm, they may not all be customers.
- The actual CDD requirements to be applied in the numerous customer-type situations vary.
- There can be difficulties working out exactly who the beneficial owners are within more complex organisation and entity structures.
Practical approaches to all types of CDD and examples of more complex CDD situations, including beneficial ownership, are considered later in this module providing potential solutions to these challenges.
6.2 FATF and beneficial ownership
6.2.1 The FATF requirements
Beneficial ownership is a major area of contention in AML/CTF globally. Although the FATF recommendation is clear as to its expectations, even FATF member countries have not found it an easy matter to cover in domestic AML/CTF regulations.
The FATF recommendation on beneficial ownership is found in recommendation five which says that financial institutions should verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. The definition of beneficial ownership used by the FATF says that the beneficial ownership is a reference to the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.
The World Bank compiled data regarding the compliance of countries with recommendation five and it makes for interesting reading. Even FATF member countries have difficulties with compliance with recommendation five with 71% of members only partially compliant during the current round of mutual evaluations.
6.2.2 The World Bank's Puppet Masters Report 2011
This report argues that beneficial ownership should be understood as a material and substantive concept and not just a legal definition. The report's view is that beneficial ownership is a reference to the de facto control over a corporate vehicle.93
The report contends that the focus should be on two factors when identifying beneficial ownership:
- The control exercised; and
- The benefit derived.
Law enforcement searches for the individual who benefits from a structure when they investigate complex and opaque structures and money flows.94 A legal person cannot be a beneficial owner because it can never be an ultimate controller. An ultimate controller is always an individual.95
93. Executive Summary page 3, World Bank's Puppet Masters Report 2011.
94. World Bank's Puppet Masters Report 2011 page 18.
The essence of beneficial ownership is not ownership but control. It is important not to confuse the concept of legal ownership with the concept of control.96
A formal approach based on percentage thresholds of ownership may yield useful information about ultimate ownership or control, and may lead to the identification of people of interest who possess information regarding the beneficial owners. However, the percentage approach has significant limitations.
The report makes the point that beneficial ownership cannot be resolved without knowing more about the context. Therefore simple rules or formulas, whilst helpful, are not of themselves dispositive of the issue.97
The Wolfsberg Group has aligned itself to a substantive approach to beneficial ownership rather than a formal one.98
The Report noted that many corporate vehicles are established solely to gain access to financial institutions.99 The provision by financial institutions of services that may be used for receiving, holding, or conveying the illicit proceeds of corruption is a critical part of the laundering process. Hence the nexus between beneficial ownership and legal entities and ML/TF risk is plain to see.100
6.2.3 Common practice
The Puppet Masters Report made the following findings regarding the KYC information typically present in Financial Institutions' files:
- Identity documentation for the legal entity: almost always present.
- A physical address for the account: almost always present.
- Documentation that provides evidence of agency to represent the legal entity: almost always present.
- Information about individuals who hold more than a certain percentage of equitable interest in the legal entity: often present.
- Information about shareholders and directors: often present.
- Records of meetings granting authority to open an account or perform a transaction: sometimes present.
- Documented compliance logs covering name checking, transaction monitoring and trend analysis: sometimes present.
- Information from independent sources to verify information captured from the customer: sometimes present.
- The identity of the beneficial owners: rarely present.
Reports on mis-use of corporate vehicles
The following reports have catalogued the abuse of corporate vehicles:
- UNODC's report Financial Havens, Banking Secrecy and Money Laundering in 1998 (UNODC was then called UNODCCP).
- The European Commission's report Protecting the EU Financial System from the Exploitation of Financial Centres and Offshore Facilities by Organised Crime, published in 2000.
- The OECD report Behind the Corporate Veil: Using Corporate Entities for Illicit Purposes, 2001.
- The International Trade and Investment Organization and the Society of Trust and Estate Practitioners report Towards a Level Playing Field: Regulating Corporate Vehicles in Cross-Border Transactions in 2002.
- The FATF's report The Misuse of Corporate Vehicles in 2006.
- The Caribbean FATF-style regional body's report Money Laundering Using Trust and Company Service Providers in 2010.
95. World Bank's Puppet Masters Report 2011 page 19.
96. World Bank's Puppet Masters Report 2011 page 19.
97. World Bank's Puppet Masters Report 2011 page 19.
98. See the Wolfsberg Group's FAQs on ownership.
99. World Bank's Puppet Masters Report 2011 page 97.
100. World Bank's Puppet Masters Report 2011 page 97.
6.2.4 Bearer shares
Bearer shares are shares in companies which are in the form of certificates. Whoever is in possession of the certificate is the owner of the shares. Most jurisdictions have reformed their laws on bearer shares, with some moving through a phasing-out stage. Today, according to the World Bank's research, no bank with any sort of basic due diligence procedures would knowingly conduct business with free-floating bearer shares.101
6.2.5 Trusts versus companies
The World Bank found in its Puppet Masters Report that trusts were only used in 5% of the 150 cases of grand corruption that it investigated. Those schemes that were found were predominantly in the U.S.A., the Bahamas, the Cayman Islands and Jersey.102
6.2.6 Fictitious entities and unincorporated economic organisations
The World Bank conducted research as part of the Puppet Masters Report looking at entities which have not undergone a formal incorporation process and which have only the most tenuous separation from their controllers. The benefit of using these types of entities lies in the fact that the authorities cannot track their existence. These entities vary from those that once might have had a legitimate use to blatant deceit involving fictitious companies not incorporated anywhere. Some cases involving these types of entities also involved collusion by bankers. Some involved false or forged documents.
6.2.7 Rationale for complex ownership structures
Often other legal entities are interposed as the owners of shares in a company, or are the beneficiaries of trusts. Reporting entities need to understand the rationale for complex structures because the absence of a rationale that makes sense is a risk indicator for money laundering or terrorism financing.103
6.2.8 Professional nominees
If a reporting entity believes that it is dealing with a nominee director or shareholder or other officer, then attention needs to be paid to the persons behind the nominee. This will be evidenced in trust deeds, indemnification of agent contracts, power of attorney declarations and declarations of trust executed between the nominee and the beneficial owner.
6.2.9 Surrogates and professional nominees
A surrogate (or front man) is a person connected to a beneficial owner whose name attracts less attention than the beneficial owner. The beneficial owner might be a corrupt PEP or a criminal or connected with terrorism financing. Through the use of a surrogate who is acting on the instructions of the beneficial owner, the beneficial owner avoids detection. The links between front men and beneficial owners may be very varied, but the bond relies on either a high degree of trust or a strong enforcement capability.
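The percentage-threshold approach of 6.2.2, the "unwrapping ownership structures" step in Table 4.5 and the three-layer rule of thumb in footnote 103 can be combined into one mechanical check on a shareholder register. The following is an added example written for this page, not code from the World Bank report or any regulator; the registry, entity names and holdings are constructed, and the 25%/10% thresholds and the "more than three layers" flag are the ones the text gives.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Entity:
    """A node in the ownership graph: a legal entity or a natural person."""
    name: str
    natural_person: bool = False
    # Direct holders of this entity: holder name -> percent of shares/capital
    # or voting rights. Natural persons have no holders.
    holders: dict = field(default_factory=dict)


@dataclass
class UnwrapResult:
    owners: dict          # natural person -> aggregate indirect holding (Fraction)
    unresolved: Fraction  # holdings that could not be traced to any natural person
    max_layers: int       # longest chain of legal entities between customer and owner
    trace: list           # (person or gap, ownership path, fraction) for the file


def unwrap_ownership(customer: str, registry: dict) -> UnwrapResult:
    """Walk the ownership graph upward from the customer, multiplying the
    holding percentages along each path, and aggregate what each natural
    person ultimately holds. Exact fractions avoid rounding drift at the
    25% / 10% thresholds."""
    result = UnwrapResult({}, Fraction(0), 0, [])

    def walk(name, fraction, path):
        entity = registry.get(name)
        if entity is None:
            # Holder not in the registry: a CDD gap to be resolved, not an owner.
            result.unresolved += fraction
            result.trace.append(("<unresolved: %s>" % name, path, fraction))
            return
        if entity.natural_person:
            result.owners[name] = result.owners.get(name, Fraction(0)) + fraction
            # Legal entities interposed between the customer and the person.
            layers = len(path) - 2
            result.max_layers = max(result.max_layers, layers)
            result.trace.append((name, path, fraction))
            return
        for holder, pct in entity.holders.items():
            share = fraction * Fraction(pct, 100)
            if holder in path:
                # Circular cross-holding: this slice never reaches a person.
                result.unresolved += share
                result.trace.append(("<circular: %s>" % holder, path, share))
                continue
            walk(holder, share, path + [holder])

    walk(customer, Fraction(1), [customer])
    return result


def beneficial_owners(result: UnwrapResult, threshold_pct: int) -> list:
    """Natural persons holding at least the threshold (25% standard, 10% enhanced)."""
    t = Fraction(threshold_pct, 100)
    return sorted((n, f) for n, f in result.owners.items() if f >= t)


def exceeds_three_layer_test(result: UnwrapResult) -> bool:
    """Rule of thumb from footnote 103: more than three layers of legal
    entities between the beneficial owners and the customer entity."""
    return result.max_layers > 3


# Constructed sample registry (hypothetical names and holdings, not real entities).
REGISTRY = {
    "Alpha Trading Sdn Bhd": Entity("Alpha Trading Sdn Bhd", holders={
        "Beta Holdings Ltd": 60, "Carol Tan": 30, "Delta Nominees Ltd": 10}),
    "Beta Holdings Ltd": Entity("Beta Holdings Ltd", holders={
        "Gamma Trust Co": 50, "Dan Lim": 30, "Faris Ali": 20}),
    "Gamma Trust Co": Entity("Gamma Trust Co", holders={"Hotel Ltd": 100}),
    "Hotel Ltd": Entity("Hotel Ltd", holders={"India Ltd": 100}),
    "India Ltd": Entity("India Ltd", holders={"Eve Ong": 100}),
    # "Unknown BVI Co" is deliberately absent from the registry (a CDD gap).
    "Delta Nominees Ltd": Entity("Delta Nominees Ltd", holders={
        "Eve Ong": 60, "Unknown BVI Co": 40}),
    "Carol Tan": Entity("Carol Tan", natural_person=True),
    "Dan Lim": Entity("Dan Lim", natural_person=True),
    "Faris Ali": Entity("Faris Ali", natural_person=True),
    "Eve Ong": Entity("Eve Ong", natural_person=True),
}

RESULT = unwrap_ownership("Alpha Trading Sdn Bhd", REGISTRY)

if __name__ == "__main__":
    print("Standard (25%):", beneficial_owners(RESULT, 25))
    print("Enhanced (10%):", beneficial_owners(RESULT, 10))
    print("Unresolved holding:", RESULT.unresolved, "max layers:", RESULT.max_layers,
          "three-layer flag:", exceeds_three_layer_test(RESULT))
    for person, path, fraction in RESULT.trace:
        print("  ", person, "via", " -> ".join(path), "=", fraction)
```

Dropping the threshold from 25% to 10% surfaces two more persons behind the interposed holding company, and the 4% that cannot be traced to any natural person is reported as a gap rather than silently discarded.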
Professional nominees are persons (individuals and legal entities) that act in a nominee capacity for a fee. They might act as directors or shareholders or other formal officers of a company. The liability of nominees is misunderstood: a director will be liable under the laws of the country in which they perform actions and under the laws of the country in which the company is incorporated, irrespective of their nominee status. Nominees will normally have a contract which limits their authority, limits their liability and requires them to follow the instructions of the principal. This exposes the nominee to taking actions which they might not realise are illegal.
101. World Bank's Puppet Masters Report 2011 page 43.
102. World Bank's Puppet Masters Report 2011 page 44.
103. One compliance officer was cited in the Puppet Masters Report as using a three-layer complexity test as a quick and dirty rule of thumb: use of more than three layers of legal entities between the beneficial owners and the entity should trigger a stepped-up burden of proof requirement. World Bank's Puppet Masters Report 2011 page 56.
Front men cannot hide behind banking secrecy laws or legal professional privilege and are more likely to cooperate if pursued by law enforcement.104
6.2.10 Trust and corporate service providers (TCSPs)
Reporting entities that deal with companies and trusts established outside Malaysia should read section 4.3, Trust and Company Services Providers, in the Puppet Masters Report. TCSPs are crucial to the formation of corporate vehicles and trusts and thus to their licit and illicit use. In addition to handling the incorporation or establishment of the vehicle, they may also handle renewal fees, provide mail-forwarding facilities and virtual office facilities, act as registered local agents, resident secretaries and nominees, and act as intermediaries and introducers to financial institutions.105 Their business models vary enormously across this spectrum of services.
Many TCSPs promote their services promising anonymity or secrecy, qualities which are attractive to those seeking to protect their assets from creditors and former spouses as well as to those involved in money laundering, terrorism financing or predicate crimes to money laundering.
6.3 Continuous Monitoring and CDD
While ongoing monitoring of a business relationship is a general regulatory requirement seen as applying to the transactions conducted over the accounts of a customer, it is also, either by actual regulation or by expectation, related to keeping the CDD data and information a firm retains on customers relevant and up to date. Again this is accepted to be on a risk-sensitive basis.
Ensuring that customer information is relevant and up to date is also a requirement contained within data protection legislation and regulation.
There is no expectation for firms to re-verify the identity of a customer (unless there are doubts or new information, e.g. the previous identity document used is missing or no record of it has been retained, or there is a new executive director or partner).
This ongoing monitoring has seen the emergence in many firms of periodic customer reviews which, in a risk-sensitive environment, create their own challenges:
- What should such a review cover?
- When should it occur?
- Should it apply across all customers?
It is clearly common sense to be able to identify when a customer's behaviour would make a firm reconsider the money laundering risk associated with the customer (e.g. one who becomes a PEP or attracts adverse media attention in relation to a criminal investigation for financial crime). The challenge is how, in a risk-sensitive way, this monitoring of customer behaviour, as well as keeping customer data and information up to date, can be made operationally effective yet efficient. This is looked at in the section below.
104. World Bank's Puppet Masters Report 2011 page 63.
105. World Bank's Puppet Masters Report 2011 page 84.
CDD must be completed on any individual who ultimately owns or controls a transaction which has been entered into by a person who is not the person carrying out that transaction. Enhanced due diligence will be needed if the beneficial owner or controller is a Politically Exposed Person (PEP).
6.4 High-risk customers
Enhanced due diligence (EDD) is required for high-risk customers. More detailed enquiries and information are required in respect of these individuals, and senior management sign-off is advisable before embarking on a business relationship with such an individual.
The Malaysian Standard Guidelines on AML/CTF highlight some examples of high-risk customers. These include:
- high-net-worth individuals
- non-resident customers
- customers from locations known for their high rates of crime (e.g. drug producing, trafficking, smuggling)
- customers from countries or jurisdictions with inadequate AML/CTF laws and regulations as highlighted by the FATF
- PEPs
- customers that are involved in legal arrangements that are complex (e.g. trusts, nominees)
- businesses/activities identified by the FATF as of higher money laundering and financing of terrorism risk
6.4.1 Mandatory high-risk: Politically exposed persons (PEP)
One of the most prominent risks to the financial services sector is the risk posed by public officials, their associates and family members. There have been a number of damaging high-profile money laundering scandals within the private banking sector involving PEPs, the most notorious in the UK being General Abacha.
The danger posed by PEPs is that a financial institution may be exposed to property that has been generated by corrupt practices. Regardless of any criminal or civil liability, which will undoubtedly arise, the high profile of such cases can expose any professional business or financial institution that becomes involved to an enormous reputational and regulatory risk.
PEPs are generally defined as:
individuals who are or have been entrusted with prominent public functions in a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials.
The definition of PEP extends to members of an officials family, and close associates, and to any business (incorporated or unincorporated) with which the official has a relationship.
The third, and latest, European Directive assists further by defining PEPs as:
- heads of state, heads of government, ministers and deputy or assistant ministers
- Members of Parliament
- members of supreme courts, of constitutional courts and of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
- members of courts of auditors and of the boards of central banks
- ambassadors, chargés d'affaires and high-ranking officers in the armed forces
- members of the administrative, management or supervisory bodies of state-owned enterprises.
Immediate family members include:
- the spouse
- any partner considered by national law as equivalent to the spouse
- the children and their spouses or partners
- the parents.
Close associates are likely to include:
- any natural person who is known to have joint beneficial ownership of legal entities and legal arrangements, or any other close business relationship, with the PEP
- any legal entity or legal arrangement whose beneficial owner is the PEP alone and which is known to have been set up for the benefit of the PEP.
One significant challenge is whether to include domestic PEPs in this definition. While most regulators only refer to foreign PEPs, many financial services groups, especially those that operate across borders, have set aside this exclusion. The FATF encourages countries to include domestic PEPs in their definition.
Knowing whether or not a client is a PEP is an essential element of CDD for all relationships. Many firms now employ databases to assist in the identification of PEPs. The recently published (2011) FSA thematic review of Banks' Management of High Money Laundering Risk Situations has commented that firms need to seriously consider whether the use of such databases should be their sole method of identifying PEPs or whether they need additional methods to assist in this process.
For instance, a relationship manager's personal knowledge of the customer could be viewed as a critical source of information. In addition, a PEP may be identified through methods including:
- checking names against external databases
- Internet searches (e.g. Google), and
- newspaper/media reports.
Nonetheless, databases are merely a tool to assist in identifying potential PEPs and any hits can only be used as a reference/guide for determining whether an individual is actually a PEP. In addition, the absence of a match from online research is not a reason to ignore the possibility that a person is a PEP.
Given the potentially high money laundering risk posed by PEPs, there are enhanced due diligence (EDD) requirements that should include an understanding of, information on, and corroboration of:
- source of wealth (the economic activities that have generated the client's net worth)
- source of funds (the origin and means of transfer for monies that are accepted for the account)
- the commercial rationale for the arrangement/relationship, and
- the need to conduct enhanced continuous monitoring of a business relationship.
Additionally, PEP relationships should have senior management sign off or approval.
Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism
While there is no requirement, firms should consider involving money laundering practitioners (e.g. the MLRO) in the on-boarding approval process for PEPs.
The Malaysian Standard Guidelines on Anti Money Laundering and Counter Financing of Terrorism, section 5.9, recommends that all reporting institutions should create a risk management framework to determine whether current or new customers are PEPs and to conduct appropriate due diligence to establish this. The role of senior management in determining whether a business relationship with a PEP should be entered into or continued is seen as a critical issue. PEPs should be subject to enhanced and on-going due diligence throughout any relationship.
6.4.2 Mandatory high-risk: correspondent banking

Regulations in most countries require additional due diligence measures in relation to correspondent banking relationships (see also Module 5, section 1.3.1).
Correspondent banking can be defined as:
the provision of banking-related services by one bank (the Correspondent) to another bank (the Respondent) to enable the Respondent to provide its own customers with cross-border products and services with which it cannot provide them itself, typically owing to lack of an international network. In other words, a Correspondent is effectively an intermediary for the Respondent and executes/processes/clears payments/transactions for customers of the Respondent.

Money laundering risks in correspondent banking relationships arise because:
- the correspondent has limited information about the entire transaction
- the correspondent is often dependent on the due diligence processes conducted by its respondent bank
- the correspondent does not have a direct relationship with the underlying clients for the transaction and cannot therefore assess whether the underlying transaction is consistent with the business profile of the client.
In the vast majority of cases it is appropriate to treat a relationship with another bank as a correspondent banking relationship. It is extremely difficult to identify, and to continually monitor for changes in circumstances, those cases where there is not an actual correspondent relationship but merely a principal-to-principal relationship (e.g. transactions conducted between the parties, even if they settle through SWIFT, or capital markets and foreign exchange business).
The level of enhanced due diligence requirements to apply to correspondent banking relationships should include consideration of and, as applicable, responses from the respondents on some or all of the following factors.
- The AML risks in the country of establishment and the country of operation of the customer (whichever is higher).
- The transactions that the customer will support for its customers. Is it a downstream correspondent clearer (i.e. a Respondent that receives correspondent banking services from the Correspondent and itself provides correspondent banking services to other financial institutions in the same currency as the account it maintains with its Correspondent)? Whether it gives its clients access to the firm's correspondent accounts.
- The businesses undertaken by the Respondent, such as:
  - private banking as sole business
  - private banking/HNW wealth management alongside other business lines
  - Internet-only current accounts and third-party payments/wires
  - trade finance.
- The Respondent's customer base:
  - retail customers, domestic
  - retail customers, international
  - corporate customers, domestic
  - corporate customers, international
  - financial institutions, domestic
  - financial institutions, international
  - MSBs/money transmission services
  - shell companies.
- The Respondent's ownership: controlled by a PEP, or publicly quoted on a recognised market.
- The AML regulation to which the Respondent is subject:
  - operating with an offshore banking licence
  - operating in an equivalent jurisdiction
  - parent is regulated in an equivalent jurisdiction.
In order to obtain credible responses to the above, firms should seriously consider using an appropriate questionnaire (one based on the Wolfsberg Questionnaire for correspondent banking). However, firms also need to ensure their processes do not encourage a mere tick-box approach, with the same answers being applied to the questionnaires year after year.
The Malaysian Sectoral Guidelines for Banking and Financial Institutions prescribe that in respect of correspondent banking the procedure below shall be followed.
i. When entering such a business relationship, the reporting institution should capture and assess at the minimum the following information on the respondent institution, to determine the reputation and quality of supervision:
- board of directors and the management
- business activities and products
- applicable legislation, regulations and supervision, and
- AML/CFT measures and control.
ii. The reporting institution should establish or continue a correspondent banking relationship with the respondent institution only if it is satisfied with the assessment of the information gathered.
iii. The reporting institution should also document the responsibilities of the respective parties in relation to the correspondent banking relationship, in particular, matters in relation to customer due diligence for all products and services.
iv. The decision and approval to establish or continue a correspondent banking relationship should be made at the Senior Management level.
v. The reporting institution should ensure that such correspondent banking relationship does not include any respondent institution that has no physical presence and which is unaffiliated with a regulated financial group (e.g. shell banks).
vi. Where a correspondent banking relationship involves the maintenance of a payable-through account, the reporting institution should be satisfied that:
- the respondent institution has performed all the normal obligations on its customers that have direct access to the accounts of the reporting institution, and
- the respondent institution is able to provide relevant customer identification data upon request by the reporting institution.
vii. In addition, the reporting institution should pay special attention to correspondent banking relationships with respondent institutions from countries highlighted by the internationally recognised AML/CFT bodies, such as the FATF, as insufficiently implementing the internationally accepted AML/CFT measures; such relationships require enhanced due diligence to assess the money laundering and financing of terrorism risks.
6.5 Automatic low-risk situations

Most regulations now allow for a form of simplified due diligence in the lowest-risk situations. For example, the UK JMLSG Guidance provides the following explanation of simplified due diligence:
Simplified due diligence means not having to apply CDD measures. In practice, this means not having to identify the customer, or to verify the customer's identity, or, where relevant, that of a beneficial owner, nor having to obtain information on the purpose or intended nature of the business relationship. It is, however, still necessary to conduct ongoing monitoring of the business relationship. Firms must have reasonable grounds for believing that the customer, transaction or product relating to such transaction falls within one of the categories set out in the Regulations, and may have to demonstrate this to their supervisory authority. Clearly, for operating purposes, the firm will nevertheless need to maintain a base of information about the customer.
Simplified due diligence may be applied to:
- certain other regulated firms in the financial sector in equivalent jurisdictions (those jurisdictions providing a level of regulation equivalent to EU standards)
- companies listed on a regulated or recognised market (as listed and defined under MiFID by the Committee of European Securities Regulators), and other such exchanges provided it can be confirmed that they comply with the European requirements
- beneficial owners of pooled accounts held by notaries or independent legal professionals
- UK public authorities
- community institutions
- certain life assurance and e-money products
- certain pension funds
- certain low-risk products
- child trust funds.
What this means in practice is that if the nature of business being conducted fits within one of the above categories a firm may apply a lighter touch in terms of the extent of CDD undertaken.
This approach may provide opportunities to reduce costs and remove paperwork from account opening processes. For example, in respect of a simple term assurance life insurance policy, minimal documents and information may be collected at account opening, with greater checks in place at the claim payout stage.
Nonetheless, it is important to note that any such decision must be carefully documented and be justifiable in the eyes of the regulators. An example of this challenge concerns financial institutions and the apparent contradiction relating to correspondent banking.
6.6 Assessing money laundering risk in all other circumstances

Again, most regulations require firms to assess their own money laundering risk in all other cases and to apply a risk-based approach to the level of due diligence to be applied.
This has seen many manifestations over the years of money laundering regulation, such as the application of High, Medium and Low risk ratings by some firms, just High and Low by others and still other firms categorising even further to High High, High Medium, etc.
There is no right or wrong categorisation provided the approach is proportionate to the overall money laundering risks encountered by the firm, which will depend on the type of business it is in (e.g. insurance, money transfer, eMoney, credit provision) and the scale of its operation (e.g. domestic, international).
The considerations above will determine the level of sophistication required for risk assessment and whether to employ the assistance of an automated system in the process.
However a firm applies its risk-based approach, there is a regulatory expectation that a number of factors will be considered when applying that approach to all other customers.
6.6.1 Clients deemed to be unacceptable

A firm, in considering money laundering risks, regulations and guidance, may consider certain types of relationship as unacceptable to it. An example of one that the FATF refers to would be shell banks (defined as banks that: (i) do not conduct business at a fixed address in a jurisdiction in which they are authorised to engage in banking activities; (ii) do not employ one or more individuals on a full-time basis at this fixed address; (iii) do not maintain operating records at this address; (iv) are not subject to inspection by the banking authority that licensed them to conduct banking activities; and (v) are unaffiliated with a regulated financial group).
Quite clearly another example would be individuals or entities that are on relevant sanctions lists issued by countries in compliance with UN resolutions or those to which countries have applied sanctions unilaterally (UK, US and others).
To capture such individuals and entities many firms now use name screening systems and processes. In many situations these systems will also capture other adverse information from media reports as well as identifying PEPs (see section 6.3 above).
It is a matter for firms how they use such intelligence in their risk-based approach to CDD but it should seriously be considered as an ingredient in any risk assessment.
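The name screening described in this section, and the PEP database checks discussed in section 6.4.1, are only as useful as the way their output is handled. The Python below is an added illustration, not code from this course or from any screening vendor: it normalises names (case, diacritics, punctuation, honorifics), scores each applicant against a small watchlist, and routes every hit to a human reviewer with a secondary identifier alongside the score. The watchlist entries, names, years of birth and list codes are constructed sample data; the similarity method and 0.75 threshold are the example's own assumptions, not a regulatory figure.

```python
"""Name screening against a constructed PEP/sanctions watchlist.

Added illustration only: not code from the course or from any screening
vendor. All names, years of birth and list codes are constructed sample data.
"""
import difflib
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed watchlist entries: (listed name, list type, year of birth or None)
WATCHLIST: List[Tuple[str, str, Optional[int]]] = [
    ("Ahmad bin Abdullah", "PEP", 1961),
    ("Maria Gonzalez-Ruiz", "SANCTIONS", 1975),
    ("John A. Smith", "PEP", 1950),
    ("Société Générale Trading Ltd", "SANCTIONS", None),
]

# Honorifics and corporate suffixes that add noise when comparing names.
_NOISE_TOKENS = {"mr", "mrs", "ms", "dr", "ltd", "limited", "inc"}


def normalise(name: str) -> str:
    """Fold case and diacritics, replace punctuation with spaces, drop noise tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower())
    tokens = [t for t in cleaned.split() if t not in _NOISE_TOKENS]
    return " ".join(tokens)


def similarity(a: str, b: str) -> float:
    """Score two names in [0, 1], tolerating reordered tokens and small spelling variants."""
    na, nb = normalise(a), normalise(b)
    ordered = difflib.SequenceMatcher(None, na, nb).ratio()
    ta, tb = set(na.split()), set(nb.split())
    token_overlap = len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0
    return round(max(ordered, token_overlap), 3)


@dataclass
class Hit:
    listed_name: str
    list_type: str
    score: float
    dob_consistent: Optional[bool]  # None when the list entry carries no year of birth


def screen_name(name: str, birth_year: Optional[int] = None,
                threshold: float = 0.75) -> List[Hit]:
    """Return candidate matches at or above the threshold, best first.

    Hits are references for an analyst, not determinations: a secondary
    identifier (here, year of birth) is reported alongside the score so the
    reviewer can discount false positives rather than the system doing so.
    """
    hits: List[Hit] = []
    for listed_name, list_type, listed_year in WATCHLIST:
        score = similarity(name, listed_name)
        if score < threshold:
            continue
        dob_consistent = None
        if birth_year is not None and listed_year is not None:
            dob_consistent = abs(birth_year - listed_year) <= 1  # tolerate a one-year data error
        hits.append(Hit(listed_name, list_type, score, dob_consistent))
    hits.sort(key=lambda h: h.score, reverse=True)
    return hits


def screening_outcome(hits: List[Hit]) -> str:
    """Map hits to a workflow state. Every hit goes to a person; no hit is not clearance."""
    if not hits:
        # The customer may still be a PEP: relationship-manager knowledge and
        # the other CDD sources apply regardless of a database miss.
        return "NO_HIT_CONTINUE_CDD"
    if any(h.list_type == "SANCTIONS" for h in hits):
        return "REFER_SANCTIONS_ANALYST"
    return "REFER_PEP_REVIEW"


if __name__ == "__main__":
    samples = [("Smith, John A", 1950), ("Ahmed Abdullah", None),
               ("Maria Gonzalez Ruiz", 1975), ("Unrelated Person", 1990)]
    for applicant, year in samples:
        found = screen_name(applicant, year)
        print(applicant, "->", screening_outcome(found),
              [(h.listed_name, h.score, h.dob_consistent) for h in found])
```

Two design points matter for the caveats in the text. A transliteration variant such as "Ahmed Abdullah" still surfaces the listed "Ahmad bin Abdullah" as a candidate, which is why hits go to a reviewer rather than being auto-cleared or auto-declined on score alone. And an empty result is returned as a state that continues CDD, not as a clearance, matching the point that the absence of a match is no reason to ignore the possibility that a person is a PEP.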
Having determined those clients that are unacceptable, along with those that will require mandatory EDD or be allowed Simplified Due Diligence (as described in section 6.4 above) the large population remaining needs to be risk rated on the basis of a number of factors, which may include those discussed in section 6.6.2 below.
6.6.2 Risk-rating clients
the product offering of the firm and the product taken up by a