The AML/CFT: Basel Committee on Banking Supervision, BIS
BIS published the paper Sound management of risks related to money laundering and financing of terrorism in January 2014, following the guidance it had issued earlier:
• Core principles for effective banking supervision, September 2012
• The internal audit function in banks, June 2012
• Principles for the sound management of operational risk, June 2011
• Principles for enhancing corporate governance, October 2010
• Due diligence and transparency regarding cover payment messages related to cross-border wire transfers, May 2009
• Compliance and the compliance function in banks, April 2005
In an effort to rationalise the Committee’s publications on AML/CFT guidance, this document merges and supersedes two of the Committee’s previous publications dealing with related topics: Customer due diligence for banks, October 2001, and Consolidated KYC risk management, October 2004.
Essential elements of sound ML/FT risk management
In accordance with the updated Core principles
for effective banking supervision (2012), all banks should be required to “have
adequate policies and processes, including strict customer due diligence (CDD)
rules to promote high ethical and professional standards in the banking sector
and prevent the bank from being used, intentionally or unintentionally, for
criminal activities”.
Assessment, understanding, management and mitigation of risks
a) Assessment and understanding of risks
Sound risk management requires
the identification and analysis of ML/FT risks present within the bank and the
design and effective implementation of policies and procedures that are
commensurate with the identified risks. In conducting a comprehensive risk
assessment to evaluate ML/FT risks, a bank should consider all the relevant
inherent and residual risk factors at the country, sectoral, bank and
business relationship level, among others, in order to determine its risk
profile and the appropriate level of mitigation to be applied. The policies and
procedures for CDD, customer acceptance, customer identification and monitoring
of the business relationship and operations (product and service offered) will
then have to take into account the risk assessment and the bank’s resulting
risk profile. A bank should have appropriate mechanisms to document and provide
risk assessment information to competent authorities such as supervisors.
b) Proper governance arrangements
Effective ML/FT risk management requires
proper governance arrangements as described in relevant previous publications
of the Committee. In particular, the requirement for the board of directors to
approve and oversee the policies for risk, risk management and compliance is
fully relevant in the context of ML/FT risk. The board of directors should have
a clear understanding of ML/FT risks. Information about ML/FT risk assessment
should be communicated to the board in a timely, complete, understandable and
accurate manner so that it is equipped to make informed decisions.
c) The three lines of defence
As a general rule and in the
context of AML/CFT, the business units (eg front office, customer facing
activity) are the first line of defence in charge of identifying, assessing and
controlling the risks of their business. They should know and carry out the
policies and procedures and be allotted sufficient resources to do this
effectively. The second line of defence includes the chief officer in charge of
AML/CFT, the compliance function but also human resources or technology. The
third line of defence is ensured by the internal audit function.
As part of the first line of defence, policies
and procedures should be clearly specified in writing, and communicated to all
personnel. They should contain a clear description for employees of their
obligations and instructions as well as guidance on how to keep the activity of
the bank in compliance with regulations. There should be internal procedures
for detecting and reporting suspicious transactions.
A bank should have adequate policies and
processes for screening prospective and existing staff to ensure high ethical
and professional standards. All banks should implement ongoing employee
training programmes so that bank staff are adequately trained to implement the
bank’s AML/CFT policies and procedures. The timing and content of training for
various sectors of staff will need to be adapted by the bank according to their
needs and the bank’s risk profile. Training needs will vary depending on staff
functions and job responsibilities and length of service with the bank.
Training course organisation and materials should be tailored to an employee’s
specific responsibility or function to ensure that the employee has sufficient
knowledge and information to effectively implement the bank’s AML/CFT policies
and procedures.
New employees should be
required to attend training as soon as possible after being hired, for the same
reasons. Refresher training should be provided to ensure that staff are
reminded of their obligations and their knowledge and expertise are kept up to
date. The scope and frequency of such training should be tailored to the risk
factors to which employees are exposed due to their responsibilities and the
level and nature of risk present in the bank.
As part of the second line of
defence, the chief officer in charge of AML/CFT should have the responsibility
for ongoing monitoring of the fulfilment of all AML/CFT duties by the bank.
This implies sample testing of compliance and review of exception reports to
alert senior management or the board of directors if it is believed management
is failing to address AML/CFT procedures in a responsible manner. The chief
AML/CFT officer should be the contact point regarding all AML/CFT issues for
internal and external authorities, including supervisory authorities or
financial intelligence units (FIUs).
The business interests of a
bank should in no way be opposed to the effective discharge of the above-mentioned
responsibilities of the chief AML/CFT officer. Regardless of the bank’s size or
its management structure, potential conflicts of interest should be avoided.
Therefore, to enable unbiased judgments and facilitate impartial advice to
management, the chief AML/CFT officer should, for example, not have business
line responsibilities and should not be entrusted with responsibilities in the
context of data protection or the function of internal audit. Where any
conflicts between business lines and the responsibilities of the chief AML/CFT
officer arise, procedures should be in place to ensure AML/CFT concerns are
objectively considered at the highest level.
The chief AML/CFT officer may
also perform the function of the chief risk officer or the chief compliance
officer or equivalent. He/she should have a direct reporting line to senior
management or the board. In case of a separation of duties the relationship
between the aforementioned chief officers and their respective roles must be
clearly defined and understood.
The chief AML/CFT officer
should also have the responsibility for reporting suspicious transactions. The
chief AML/CFT officer should be provided with sufficient resources to execute
all responsibilities effectively and play a central and proactive role in the
bank’s AML/CFT regime. In order to do so, he/she must be fully conversant with
the bank’s AML/CFT regime, its statutory and regulatory requirements and the
ML/FT risks arising from the business.
Internal audit, the third line of defence, plays
an important role in independently evaluating the risk management and controls,
and discharges its responsibility to the audit committee of the board of
directors or a similar oversight body through periodic evaluations of the
effectiveness of compliance with AML/CFT policies and procedures. A bank should
establish policies for conducting audits of:
(i) the adequacy of the bank’s AML/CFT policies and procedures in addressing identified risks;
(ii) the effectiveness of bank staff in implementing the bank’s policies and procedures;
(iii) the effectiveness of compliance oversight and quality control, including the parameters of criteria for automatic alerts; and
(iv) the effectiveness of the bank’s training of relevant personnel.
Senior management should ensure that audit
functions are allocated staff that are knowledgeable and have the appropriate
expertise to conduct such audits. Management should also ensure that the audit
scope and methodology are appropriate for the bank’s risk profile and that the
frequency of such audits is also based on risk. Periodically, internal auditors
should conduct AML/CFT audits on a bank-wide basis. In addition, internal
auditors should be proactive in following up their findings and
recommendations.
As a general rule, the processes used in auditing
should be consistent with internal audit’s broader audit mandate, subject to
any prescribed auditing requirements applicable to AML/CFT measures.
In many countries, external auditors also have an
important role to play in evaluating banks’ internal controls and procedures in
the course of their financial audits, and in confirming that they are compliant
with AML/CFT regulations and supervisory practice. In cases where a bank uses
external auditors to evaluate the effectiveness of AML/CFT policies and
procedures, it should ensure that the scope of the audit is adequate to address
the bank’s risks and that the auditors assigned to the engagement have the
requisite expertise and experience. A bank should also ensure that it exercises
appropriate oversight of such engagements.
d) Adequate transaction monitoring system
A bank should have a monitoring system in place
that is adequate with respect to its size, its activities and complexity as
well as the risks present in the bank. For most banks, especially those which
are internationally active, effective monitoring is likely to necessitate the
automation of the monitoring process. When a bank considers that an IT
monitoring system is not necessary in its specific situation, it should
document its decision and be able to demonstrate to its supervisor or external
auditors that it has in place an effective alternative. When an IT system is
used, it should cover all accounts of the bank’s customers and transactions for
the benefit of, or by order of, those customers. It must enable the bank to
undergo trend analysis of transaction activity and to identify unusual business
relationships and transactions in order to prevent ML or FT.
In particular, this system should be able to
provide accurate information for senior management relating to several key
aspects, including changes in the transactional profile of customers. In
compiling the customer’s profile, the bank should incorporate the updated,
comprehensive and accurate CDD information provided to it by the customer. The
IT system should allow the bank, and where appropriate the group, to gain a
centralised knowledge of information (ie organised by customer, product, across
group entities, transactions carried out during a certain timeframe etc).
Without being requested to have a unique customer file, banks should be able to
risk-rate customers and manage alerts with all the relevant information at
their disposal. An IT monitoring system must use adequate parameters based on
the national and international experience on the methods and the prevention of
ML or FT. A bank may make use of the standard parameters provided by the
developer of the IT monitoring system; however, the parameters used must
reflect and take into account the bank’s own risk situation.
The IT monitoring system should enable a bank to
determine its own criteria for additional monitoring, filing a suspicious
transaction report (STR) or taking other steps in order to minimise the risk.
The chief AML/CFT officer should have access to and benefit from the IT system
as far as it is relevant for his/her function (even if operated or used by
other business lines). Parameters of the IT system should allow for generation
of alerts of unusual transactions and should then be subject to further
assessment by the chief AML/CFT officer. Any risk criteria used in this context
should be adequate with regard to the risk assessment of the bank. Internal
audit should also evaluate the IT system to ensure that it is appropriate and
used effectively by the first and second lines of defence.
The paper further places responsibility on banks to have, among other matters:
· a Customer Acceptance Policy,
· Policies & Procedures for Customer & Beneficiary Identification, Verification and Profiling,
· Ongoing Monitoring,
· a Management Information System, and
· Reporting of STRs and freezing of assets.