System Adequacy to Combat ML/FT

The topic has been the subject of discussion in international forums, and the leading contributors are UNODC, FATF and the BCBS of the BIS. The guidance of UNODC focuses more on curbing predicate offenses, FATF on ML/FT risk management, whereas the BCBS of the BIS is more concerned with prudential risk management by banks. The FATF standards have been built largely into the guidelines of the above-mentioned global organizations. A close reading of the guidelines of these agencies gives inputs for developing a strategic risk management framework within which a bank, financial institution or DNFBP can effectively identify and manage the risks it is exposed to. This post presents the guidelines of UNODC, FATF and the BCBS of the BIS, in that order.


A. UNODC on System Adequacy to Combat ML/FT

The five major aspects of the UNODC model on System Adequacy to combat ML/FT are discussed below:




1. Legal system requirements

The degree of emphasis on certain areas of a jurisdiction's legal system may vary, although the legal system requirements for AML-CFT in a country should be based upon the FATF 40 + 9 Recommendations, which are mandates for all countries, and countries should consult the FATF methodology for AML-CFT (June 2006, revised in 2013) for further explanation of these requirements. Different countries have different histories of vigorous action against criminal activities involving the monetary system. Depending on the problems they have faced, policy makers should focus heavily on their own systems and measures. For example, in countries like Saudi Arabia, affected by terrorist attacks, authorities put more emphasis on measures to counter terrorism and the financing of terrorism, whereas in countries like Thailand, with drug-trafficking and human-trafficking problems, authorities are more attentive to measures against money laundering related to drug trafficking and human trafficking. Since Singapore, the fifth-biggest currency trading center in the world and the second biggest in Asia after Tokyo, has figured on a US State Department list since 2004 as a center of “primary concern” for money laundering, it emphasizes introducing more new measures to try to detect money laundering and terrorism financing effectively. Lessons from experience and the recommendations produced by the evaluation teams of standard setters help policy makers improve and upgrade the standards of their respective AML-CFT systems to be more effective and efficient.

AML-CFT system

The criminalization of money laundering and financing of terrorism, in accordance with Article 3(1)(b) and (c) of the Vienna Convention (1988) and Article 6(1) of the Palermo Convention (2000), and the criminalization of terrorist financing in line with Article 2, read in conjunction with Article 7, of the Convention against the Financing of Terrorism (1999), focus on three important factors: (1) compliance with AML-CFT preventive measures, (2) acting against offenders and (3) international cooperation in this critical law enforcement function.

Since paragraph 7 of UNSC Resolution 1617 (2005) strongly urges all member States to implement the FATF Forty Recommendations on money laundering and Nine Special Recommendations on terrorist financing, they are mandates for action by every country. Although there are 20 designated categories of offenses according to the FATF Glossary of the Forty Recommendations, countries are encouraged to go beyond these. The essential requirement is to criminalize the proceeds derived from any type of conduct related to the 20 designated categories. A country must include “a range of offenses” within each of the designated categories of offenses in accordance with its domestic laws, and the specific legal method of criminalization is left to the discretion of the country concerned.

Competent authorities

The 2004 FATF Recommendation 30 states: “Countries should provide their competent authorities involved in combating money laundering and terrorist financing with adequate financial, human and technical resources. Countries should have in place processes to ensure that the staff of those authorities are of high integrity.” Recommendations 30 and 31 of the 2004 FATF standards thus cast this responsibility on the nations themselves.

Investigation and confiscation

The AML-CFT laws and mechanisms should facilitate cooperation and coordination among the competent authorities responsible for money laundering and terrorist financing investigations, so as to obtain effective international cooperation including mutual legal assistance. Special investigative techniques and mechanisms should be developed, and the authorities concerned should exert every effort in cooperative investigations with other countries as well. There are two necessary steps to eliminate the profitability of international money laundering activities:

1. Establishing an effective confiscation regime for domestic purposes.

2. Creating cooperative mechanisms for enforcing cross-border confiscation orders.

The Vienna Convention [Article 5-5(a) and 5(b)] and the Palermo Convention [Article 14-1, 14-3(a) and 3(b)] state that confiscated proceeds or property shall be disposed of by that party according to its domestic law and administrative procedures.

FIs/DNFBPs/NDNFBPs: The Classification of Business


According to the FATF, financial institutions are defined as “any person or entity who conducts as a business one or more of the following activities or operations on behalf of a customer.”

1. Acceptance of deposits and other repayable funds from the public.

2. Lending.

3. Financial leasing.

4. The transfer of money or value.

5. Issuing and managing means of payment (e.g. credit and debit cards, checks, traveler’s checks, money orders and banker’s drafts, electronic money).

6. Financial guarantees and commitments.

7. Trading in:

(a) Money market instruments (checks, bills, CDs, derivatives, etc.);

(b) Foreign exchange;

(c) Exchange, interest rate and index instruments;

(d) Transferable securities; and

(e) Commodity futures trading.

8. Participation in securities issues and the provision of financial services related to such issues.

9. Individual and collective portfolio management.

10. Safekeeping and administration of cash or liquid securities on behalf of other persons.

11. Otherwise investing, administering or managing funds or money on behalf of other persons.

12. Underwriting and placement of life insurance and other investment-related insurance.

13. Money and currency changing.

There are two types of non-financial institutions apart from the aforementioned financial institutions: designated non-financial businesses and professions (DNFBPs) and non-designated non-financial businesses and professions (NDNFBPs).

Designated Non-Financial Businesses and Professions (DNFBPs)

The 2004 revised FATF Recommendations include certain designated non-financial businesses and professions (DNFBPs) within the coverage of the Forty Recommendations, as follows:

a) Casinos (which also includes internet casinos).

b) Real estate agents.

c) Dealers in precious metals.

d) Dealers in precious stones.

e) Lawyers, notaries, other independent legal professionals and accountants – this refers to sole practitioners, partners or employed professionals within professional firms. It is not meant to refer to ‘internal’ professionals that are employees of other types of businesses, nor to professionals working for government agencies, who may already be subject to measures that would combat money laundering.

f) Trust and Company Service Providers refers to all persons or businesses that are not covered elsewhere under these Recommendations, and which as a business provide any of the following services to third parties:

i. Acting as a formation agent of legal persons;

ii. Acting as (or arranging for another person to act as) a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons; providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or any other legal person or arrangement;

iii. Acting as (or arranging for another person to act as) a trustee of an express trust;

iv. Acting as (or arranging for another person to act as) a nominee shareholder for another person.

These institutions are categorized into two groups: (1) casinos, and (2) all other non-financial businesses and professions. The following points are strictly required for casinos:

·         Licensing;

·         Measures to prevent casinos being owned, controlled or operated by criminals; and

·         Supervision of their compliance with AML-CFT requirements.

For all other non-financial businesses and professions such as lawyers, notaries, auditors and accountants, trust and company service providers, real estate agents, and dealers in precious metals and stones, effective systems for monitoring – carried out either by a government agency or a self-regulatory organization – and ensuring compliance on a risk-sensitive basis are to be put in place.

Regardless of the type of financial institution, countries have to make sure that financial institutions are not controlled by criminals. Financial institutions are consequently subject to comprehensive supervisory regimes as set out in the standards issued by the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors, and the International Organization of Securities Commissioners. The requirements applicable to DNFBPs are more limited, and they are not normally subject to the same stringent requirements as Core Principles institutions, since the same prudential issues do not arise.

Non-Designated Non-Financial Businesses and Professions (NDNFBPs)


FATF Recommendation 20 states that the FATF 40+9 Recommendations should be applied to businesses and professions, other than designated non-financial businesses and professions, that pose a money laundering or terrorist financing risk. Businesses dealing in high-value and luxury goods, and pawnshops, are some examples of non-designated non-financial businesses and professions (NDNFBPs).


2. Preventive Measures

In order to prevent financial institutions from being used by criminals, internal policies, which vary depending on the type and size of a particular financial institution and the scope and nature of its operation, need to be in place. Internal policies should include ongoing training that keeps employees well informed of the latest developments in AML and CFT. One important point, among others, is that adequate screening procedures should be carried out when hiring employees. FATF Recommendation 15 states: Financial institutions should develop programs against money laundering and terrorist financing. These programs should include:

a) The development of internal policies, procedures and controls, including appropriate compliance management arrangements, and adequate screening procedures to ensure high standards when hiring employees.

b) An ongoing employee training program.

c) An audit function to test the system.

Equally important is the identification of the beneficial owner, so that institutions are not used by illegal elements, including through business structures and legal arrangements. Customer identification and acceptance, record keeping, transaction monitoring and the reporting of suspicious transactions lead to subjecting criminals to conviction and confiscation.

3. Financial Intelligence Unit

In the simplest form, a financial intelligence unit (FIU) – a central agency to receive, analyze, and disseminate financial information to combat money laundering and terrorist financing – serves as a crucial element in an AML-CFT program to provide for the exchange of information between financial institutions and law enforcement agencies.

The basic features of an FIU should be consistent with the supervisory framework of that particular country as well as its legal and administrative systems and its financial and technical capabilities.

4. International Cooperation


International cooperation is needed at all stages of AML-CFT procedures, especially in obtaining information related to money laundering and terrorist financing from abroad as a preventive measure. All three conventions – the Vienna Convention (1988), the Convention against the Financing of Terrorism and the Palermo Convention – and the 2004 FATF 40+9 Recommendations give explicit recognition to the fact that international cooperation should be supported by a network of mutual assistance. Laws and procedures should, therefore, encourage and facilitate mutual legal assistance in obtaining evidence for use in AML-CFT investigations and prosecutions. FATF Recommendation 36 states: “Countries should rapidly, constructively and effectively provide the widest possible range of mutual legal assistance in relation to money laundering and terrorist financing investigations, prosecutions, and related proceedings. In particular, countries should:

(a) Not prohibit or place unreasonable or unduly restrictive conditions on the provision of mutual legal assistance.

(b) Ensure that they have clear and efficient processes for the execution of mutual legal assistance requests.

(c) Not refuse to execute a request for mutual legal assistance on the sole ground that the offense is also considered to involve fiscal matters.

(d) Not refuse to execute a request for mutual legal assistance on the grounds that laws require financial institutions to maintain secrecy or confidentiality.

Countries should ensure that the powers of their competent authorities required under Recommendation 28 are also available for use in response to requests for mutual legal assistance, and if consistent with their domestic framework, in response to direct requests from foreign judicial or law enforcement authorities to domestic counterparts. To avoid conflicts of jurisdiction, consideration should be given to devising and applying mechanisms for determining the best venue for prosecution of defendants in the interests of justice in cases that are subject to prosecution in more than one country.”

Special Recommendation V also reads:

Each country should afford another country, on the basis of a treaty, arrangement or other mechanism for mutual legal assistance or information exchange, the greatest possible measure of assistance in connection with criminal, civil enforcement, and administrative investigations, inquiries and proceedings relating to the financing of terrorism, terrorist acts and terrorist organizations. Countries should also take all possible measures to ensure that they do not provide safe havens for individuals charged with the financing of terrorism, terrorist acts or terrorist organizations and should have procedures in place to extradite, where possible, such individuals.


In order to build effective international cooperation, countries should meet three prerequisites. They are:

1. Building a comprehensive and efficient domestic capacity. 

2. Ratifying and implementing the international conventions. 

3. Complying with the FATF Recommendations and other sector-specific international standards.

All necessary administrative and supervisory authorities, as well as an FIU with the necessary powers and responsibilities, should be in place and adequately provided with staff, budget and other useful resources to carry out their duties efficiently, especially to oversee financial institutions. In addition, the criminal justice system and the judicial/prosecutorial system are two crucial factors in obtaining an effective AML-CFT regime.

International Cooperation & FIUs

Regarding international cooperation between FIUs, there are three factors to be focused on:

(1) the core features of FIU international cooperation;

(2) the conditions on the FIUs’ ability to cooperate at the international level; and

(3) the relationship between different organizational models and international cooperation.

An FIU, mostly attached to administrative authorities, should cooperate with all its counterparts regardless of their internal and organizational structure. However, three important points should be considered. They are: 

1. Whether there are or should be restrictions on sharing financial information; 

2. If so, how much information should be shared; and 

3. What type of information should be shared.


International Cooperation & DNFBPs

The Basel Committee issued the twenty-five Core Principles (1997) for application by all banking supervisors. In particular, Principles 23, 24 and 25 address the issues regarding international cooperation. The Committee also issued the Core Principles Methodology (1999), which describes the conditions under which assessments should be made and gives a detailed explanation of each principle.

Recommendations 4 and 40 also support the point that countries should not use the financial institution secrecy law as a ground for refusing to provide the mutual legal assistance and extradition. Recommendations 35-40 deal with international cooperation regarding AML-CFT for financial institutions and DNFBPs.

International Cooperation & Global Capital Market regulators

The home country supervisors are required to exchange information with the host country supervisors regularly, so that the home country supervisors have up-to-date information at their fingertips. As financial institutions and DNFBPs play vital roles in the AML-CFT process, prompt and efficient assistance and cooperation by the supervisors of those institutions can produce fruitful results in any AML/CFT regime. Global capital market regulators such as the International Association of Insurance Supervisors and the International Organization of Securities Commissioners have issued basic principles that uphold the AML/CFT guidelines in letter and spirit.

5. Combating ML/FT


Mainly based on the UN international conventions, the 2004 FATF 40 Recommendations and 9 Special Recommendations were created, and it is unquestionable that they are invaluable to law enforcement and judicial authorities in AML-CFT regimes. Therefore, the first step of the AML-CFT process is to ratify and implement the UN conventions or UN instruments. In particular, implementation of the Vienna Convention (1988), the Convention against the Financing of Terrorism (1999) and the Palermo Convention (2000) is essential to obtain an effective AML-CFT regime in accordance with the FATF Recommendations. Apart from the UN conventions, countries should fully ratify and implement the AML-CFT conventions adopted by their respective regional organizations. Besides the aforementioned conventions, countries should fully implement UN Resolutions dealing with terrorist financing, especially United Nations Security Council Resolution 1373.




Under Recommendation 3, concerning ML, countries are encouraged to adopt measures similar to those set forth in the Vienna and Palermo Conventions and such measures should include:

 

(a) Identifying, tracing and evaluating property which is subject to confiscation;

(b) Carrying out provisional measures, such as freezing and seizing, to prevent any dealing, transfer or disposal of such property;

(c) Taking steps that will prevent or void actions that prejudice the State’s ability to recover property alleged to be liable to confiscation; and

(d) Taking any appropriate investigative measures.

 

Although Recommendation 3 covers terrorist financing cases as money laundering predicate offenses, Special Recommendation III emphasizes freezing and confiscating of terrorist assets. Each country should implement measures to freeze without delay funds or other assets of terrorists, those who finance terrorism and terrorist organizations in accordance with the United Nations resolutions relating to the prevention and suppression of the financing of terrorist acts. Each country should also adopt and implement measures, including legislative ones, which would enable the competent authorities to seize and confiscate property that is the proceeds of or used in, or intended or allocated for use in, the financing of terrorism, terrorist acts or terrorist organizations.



B. FATF on System Adequacy to combat ML/FT

In 2022, the FATF amended its assessment methodology for compliance with its recommendations and the effectiveness of AML/CFT systems. The FATF began its fifth round of evaluations using this new methodology in 2024.


Links 3 and 4 given below take you to the details. The Financial Action Task Force (FATF) recommends that supervisors allocate more resources to areas with higher money laundering (ML) and terrorist financing (TF) risk. Supervisors should determine the frequency and intensity of assessments based on the level of risk to the sector and to individual banks. When it is not possible to supervise all banks in detail, supervisors should prioritize higher-risk areas.

Here are some other tips to protect against ML:

 

·         Make sure your AML program reflects your business

·         Ensure the program flow makes sense

·         Have a clear technology plan

·         Understand your tools

·         Conduct risk-based due diligence

·         Make sure your AML training is focused

·         Conduct regular reviews

C. BCBS, BIS on System Adequacy to Combat ML/FT


The BCBS Guidelines on Sound management of risks related to money laundering and financing of terrorism were published in January 2014 and revised in July 2020. The report deals with three major aspects of the AML/CFT effort:


I. Essential Elements of Sound ML/FT Risk Management

In accordance with the updated Core principles for effective banking supervision (2012), all banks should be required to “have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the banking sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities”. This requirement is to be seen as a specific part of banks’ general obligation to have sound risk management programmes in place to address all kinds of risks, including ML and FT risks.



“Adequate policies and processes” in this context requires the implementation of other measures in addition to effective CDD rules. These measures should also be proportional and risk-based, informed by banks’ own assessment of ML/FT risks.

a) Assessment, Understanding, Management and Mitigation of Risks

Sound risk management requires the identification and analysis of ML/FT risks present within the bank and the design and effective implementation of policies and procedures that are commensurate with the identified risks. In conducting a comprehensive risk assessment to evaluate ML/FT risks, a bank should consider all the relevant inherent and residual risk factors at the country, sectoral, bank and business relationship level, among others, in order to determine its risk profile and the appropriate level of mitigation to be applied. The policies and procedures for CDD, customer acceptance, customer identification and monitoring of the business relationship and operations (product and service offered) will then have to take into account the risk assessment and the bank’s resulting risk profile. A bank should have appropriate mechanisms to document and provide risk assessment information to competent authorities such as supervisors. 

A bank should develop a thorough understanding of the inherent ML/FT risks present in its customer base, products, delivery channels and services offered (including products under development or to be launched) and the jurisdictions within which it or its customers do business. This understanding should be based on specific operational and transaction data and other internal information collected by the bank as well as external sources of information such as national risk assessments and country reports from international organisations. Policies and procedures for customer acceptance, due diligence and ongoing monitoring should be designed and implemented to adequately control those identified inherent risks. Any resulting residual risk should be managed in line with the bank’s risk profile established through its risk assessment. This assessment and understanding should be able to be demonstrated as required by, and should be acceptable to, the bank’s supervisor.


 


b) Proper Governance Arrangements

Effective ML/FT risk management requires proper governance arrangements as described in relevant previous publications of the Committee. In particular, the requirement for the board of directors to approve and oversee the policies for risk, risk management and compliance is fully relevant in the context of ML/FT risk. The board of directors should have a clear understanding of ML/FT risks. Information about the ML/FT risk assessment should be communicated to the board in a timely, complete, understandable and accurate manner so that it is equipped to make informed decisions.

Explicit responsibility should be allocated by the board of directors effectively taking into consideration the governance structure of the bank for ensuring that the bank's policies and procedures are managed effectively. The board of directors and senior management should appoint an appropriately qualified chief AML/CFT officer to have overall responsibility for the AML/CFT function with the stature and the necessary authority within the bank such that issues raised by this senior officer receive the necessary attention from the board, senior management and business lines. 

c) The Three Lines of Defence

As a general rule and in the context of AML/CFT, the business units (e.g. front office, customer-facing activity) are the first line of defence, in charge of identifying, assessing and controlling the risks of their business. They should know and carry out the policies and procedures and be allotted sufficient resources to do this effectively. The second line of defence includes the chief officer in charge of AML/CFT and the compliance function, but also human resources or technology. The third line of defence is ensured by the internal audit function.

As part of the first line of defence, policies and procedures should be clearly specified in writing and communicated to all personnel. They should contain a clear description for employees of their obligations and instructions, as well as guidance on how to keep the activity of the bank in compliance with regulations. There should be internal procedures for detecting and reporting suspicious transactions.

A bank should have adequate policies and processes for screening prospective and existing staff to ensure high ethical and professional standards. All banks should implement ongoing employee training programmes so that bank staff are adequately trained to implement the bank’s AML/CFT policies and procedures. The timing and content of training for various sectors of staff will need to be adapted by the bank according to their needs and the bank’s risk profile. Training needs will vary depending on staff functions and job responsibilities and length of service with the bank. Training course organisation and materials should be tailored to an employee’s specific responsibility or function to ensure that the employee has sufficient knowledge and information to effectively implement the bank’s AML/CFT policies and procedures. New employees should be required to attend training as soon as possible after being hired, for the same reasons. Refresher training should be provided to ensure that staff are reminded of their obligations and their knowledge and expertise are kept up to date. The scope and frequency of such training should be tailored to the risk factors to which employees are exposed due to their responsibilities and the level and nature of risk present in the bank. 

As part of the second line of defence, the chief officer in charge of AML/CFT should have the responsibility for ongoing monitoring of the fulfilment of all AML/CFT duties by the bank. This implies sample testing of compliance and review of exception reports to alert senior management or the board of directors if it is believed management is failing to address AML/CFT procedures in a responsible manner. The chief AML/CFT officer should be the contact point regarding all AML/CFT issues for internal and external authorities, including supervisory authorities or financial intelligence units (FIUs). 

The business interests of a bank should in no way be opposed to the effective discharge of the above-mentioned responsibilities of the chief AML/CFT officer. Regardless of the bank’s size or its management structure, potential conflicts of interest should be avoided. Therefore, to enable unbiased judgments and facilitate impartial advice to management, the chief AML/CFT officer should, for example, not have business line responsibilities and should not be entrusted with responsibilities in the context of data protection or the function of internal audit. Where any conflicts between business lines and the responsibilities of the chief AML/CFT officer arise, procedures should be in place to ensure AML/CFT concerns are objectively considered at the highest level. 

The chief AML/CFT officer may also perform the function of the chief risk officer or the chief compliance officer or equivalent. He/she should have a direct reporting line to senior management or the board. In case of a separation of duties the relationship between the aforementioned chief officers and their respective roles must be clearly defined and understood. 

The chief AML/CFT officer should also have the responsibility for reporting suspicious transactions. The chief AML/CFT officer should be provided with sufficient resources to execute all responsibilities effectively and play a central and proactive role in the bank’s AML/CFT regime. In order to do so, he/she must be fully conversant with the bank’s AML/CFT regime, its statutory and regulatory requirements and the ML/FT risks arising from the business. 

Internal audit, the third line of defence, plays an important role in independently evaluating the risk management and controls, and discharges its responsibility to the audit committee of the board of directors or a similar oversight body through periodic evaluations of the effectiveness of compliance with AML/CFT policies and procedures. A bank should establish policies for conducting audits of 

(i) the adequacy of the bank’s AML/CFT policies and procedures in addressing identified risks,
(ii) the effectiveness of bank staff in implementing the bank’s policies and procedures; 
(iii) the effectiveness of compliance oversight and quality control including parameters of criteria for automatic alerts; and
(iv) the effectiveness of the bank’s training of relevant personnel. 

Senior management should ensure that audit functions are allocated staff that are knowledgeable and have the appropriate expertise to conduct such audits. Management should also ensure that the audit scope and methodology are appropriate for the bank’s risk profile and that the frequency of such audits is also based on risk. Periodically, internal auditors should conduct AML/CFT audits on a bank-wide basis. In addition, internal auditors should be proactive in following up their findings and recommendations. As a general rule, the processes used in auditing should be consistent with internal audit’s broader audit mandate, subject to any prescribed auditing requirements applicable to AML/CFT measures. 

In many countries, external auditors also have an important role to play in evaluating banks’ internal controls and procedures in the course of their financial audits, and in confirming that they are compliant with AML/CFT regulations and supervisory practice. In cases where a bank uses external auditors to evaluate the effectiveness of AML/CFT policies and procedures, it should ensure that the scope of the audit is adequate to address the bank’s risks and that the auditors assigned to the engagement have the requisite expertise and experience. A bank should also ensure that it exercises appropriate oversight of such engagements. 

d). Adequate Transaction Monitoring system 

A bank should have a monitoring system in place that is adequate with respect to its size, its activities and complexity as well as the risks present in the bank. For most banks, especially those which are internationally active, effective monitoring is likely to necessitate the automation of the monitoring process. Where a bank concludes that an IT monitoring system is not necessary in its specific situation, it should document its decision and be able to demonstrate to its supervisor or external auditors that it has in place an effective alternative. When an IT system is used, it should cover all accounts of the bank’s customers and all transactions for the benefit of, or by order of, those customers. It must enable the bank to conduct trend analysis of transaction activity and to identify unusual business relationships and transactions in order to prevent ML or FT.

In particular, this system should be able to provide accurate information for senior management relating to several key aspects, including changes in the transactional profile of customers. In compiling the customer’s profile, the bank should incorporate the updated, comprehensive and accurate CDD information provided to it by the customer. The IT system should allow the bank, and where appropriate the group, to gain a centralised knowledge of information (ie organised by customer, product, across group entities, transactions carried out during a certain timeframe etc). Without being requested to have a unique customer file, banks should be able to risk-rate customers and manage alerts with all the relevant information at their disposal. An IT monitoring system must use adequate parameters based on the national and international experience on the methods and the prevention of ML or FT. A bank may make use of the standard parameters provided by the developer of the IT monitoring system; however, the parameters used must reflect and take into account the bank’s own risk situation. 

The IT monitoring system should enable a bank to determine its own criteria for additional monitoring, filing a suspicious transaction report (STR) or taking other steps in order to minimise the risk. The chief AML/CFT officer should have access to and benefit from the IT system as far as it is relevant for his/her function (even if operated or used by other business lines). Parameters of the IT system should allow for generation of alerts of unusual transactions and should then be subject to further assessment by the chief AML/CFT officer. Any risk criteria used in this context should be adequate with regard to the risk assessment of the bank. 

Internal audit should also evaluate the IT system to ensure that it is appropriate and used effectively by the first and second lines of defence.

2. Customer Acceptance Policy

A bank should develop and implement clear customer acceptance policies and procedures to identify the types of customer that are likely to pose a higher risk of ML and FT pursuant to the bank’s risk assessment. When assessing risk, a bank should consider the factors relevant to the situation, such as a customer’s background, occupation (including a public or high-profile position), source of income and wealth, country of origin and residence (when different), products used, nature and purpose of accounts, linked accounts, business activities and other customer-oriented risk indicators in determining what is the level of overall risk and the appropriate measures to be applied to manage those risks.

Such policies and procedures should require basic due diligence for all customers and commensurate due diligence as the level of risk associated with the customer varies. For proven lower risk situations, simplified measures may be permitted, if this is allowed by law. For example, the application of basic account-opening procedures may be appropriate for an individual who expects to maintain a small account balance and use it to conduct routine retail banking transactions. It is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to banking services, especially for people who are financially or socially disadvantaged. The FATF Financial Inclusion Guidance provides useful guidelines on designing AML/CFT procedures that are not overly restrictive to the financially or socially disadvantaged.

Where the risks are higher, banks should take enhanced measures to mitigate and manage those risks. Enhanced due diligence may be essential for an individual planning to maintain a large account balance and conduct regular cross-border wire transfers or an individual who is a politically exposed person (PEP). In particular, such enhanced due diligence is required for foreign PEPs. Decisions to enter into or pursue business relationships with higher-risk customers should require the application of enhanced due diligence measures, such as approval to enter into or continue such relationships, being taken by senior management. The bank’s customer acceptance policy should also define circumstances under which the bank would not accept a new business relationship or would terminate an existing one.
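The customer acceptance policy above is a risk-based decision: weigh the customer-level factors (occupation and PEP status, countries, products, expected balance and activity), derive a rating, and map the rating to basic, simplified or enhanced due diligence, with senior-management approval for higher-risk relationships. The following is an added example of such a scoring engine, written for this page; it is not BCBS or FATF code. The factor weights, the score cut-offs, the balance limits and the placeholder high-risk jurisdiction "XX" are all assumptions chosen for illustration; a bank would take the jurisdiction list from FATF public statements and national authorities and calibrate the weights to its own risk assessment.

```python
"""Risk-based customer acceptance: score an applicant, derive a rating and the
due-diligence tier to apply. Added example; weights, cut-offs and the
placeholder high-risk jurisdiction "XX" are assumptions, not BCBS/FATF values."""
from dataclasses import dataclass, field

HIGH_RISK_JURISDICTIONS = frozenset({"XX"})   # placeholder; sourced from FATF/national lists in practice
HIGHER_RISK_PRODUCTS = frozenset({"private_banking", "correspondent", "trade_finance"})
BASIC_RETAIL_PRODUCTS = frozenset({"current_account", "debit_card"})
SMALL_BALANCE_LIMIT = 5_000        # assumed "small account balance" cut-off
LARGE_BALANCE_LIMIT = 1_000_000    # assumed "large account balance" cut-off


@dataclass
class Applicant:
    name: str
    occupation: str
    country_of_residence: str
    country_of_origin: str
    products: frozenset
    expected_balance: float
    cross_border_wires: bool = False
    pep: bool = False                # politically exposed person
    foreign_pep: bool = False        # PEP of a jurisdiction other than the bank's own
    cash_intensive: bool = False     # occupation/business handles large volumes of cash
    refused_elsewhere: bool = False  # reason to believe another bank declined over illicit-activity concerns


@dataclass
class Decision:
    rating: str                    # "low" | "medium" | "high"
    score: int
    due_diligence: str             # "simplified" | "standard" | "enhanced"
    senior_approval_required: bool
    reasons: list = field(default_factory=list)


def assess(a: Applicant, simplified_allowed_by_law: bool = True) -> Decision:
    """Sum weighted risk factors, then apply the overrides the policy demands."""
    score, reasons = 0, []

    def add(points, why):
        nonlocal score
        score += points
        reasons.append(why)

    for c in {a.country_of_residence, a.country_of_origin}:
        if c in HIGH_RISK_JURISDICTIONS:
            add(3, f"jurisdiction {c} flagged for strategic AML/CFT deficiencies")
    if a.country_of_residence != a.country_of_origin:
        add(1, "country of residence differs from country of origin")
    if a.products & HIGHER_RISK_PRODUCTS:
        add(2, "uses higher-risk products")
    if a.cross_border_wires:
        add(2, "regular cross-border wire transfers")
    if a.cash_intensive:
        add(2, "cash-intensive occupation or business")
    if a.expected_balance >= LARGE_BALANCE_LIMIT:
        add(3, "large expected account balance")
    if a.refused_elsewhere:
        add(3, "believed to have been refused by another bank over illicit activity")
    if a.pep:
        add(3 if a.foreign_pep else 2, "politically exposed person")

    rating = "high" if score >= 5 else "medium" if score >= 2 else "low"
    if a.foreign_pep:              # EDD is mandatory for foreign PEPs whatever the score
        rating = "high"
    if rating == "high":           # EDD plus senior-management sign-off to open or continue
        return Decision(rating, score, "enhanced", True, reasons)
    simplified_ok = (simplified_allowed_by_law and rating == "low"
                     and a.expected_balance <= SMALL_BALANCE_LIMIT
                     and a.products <= BASIC_RETAIL_PRODUCTS)
    return Decision(rating, score, "simplified" if simplified_ok else "standard", False, reasons)


# Constructed applicants for illustration (fictitious).
SAMPLE_APPLICANTS = {
    "retail": Applicant("A. Retail", "teacher", "GB", "GB",
                        frozenset({"current_account", "debit_card"}), 1_200),
    "foreign_pep": Applicant("B. Minister", "cabinet minister", "GB", "XX",
                             frozenset({"current_account"}), 50_000, pep=True, foreign_pep=True),
    "wires": Applicant("C. Trader", "commodities trader", "GB", "GB",
                       frozenset({"current_account"}), 2_000_000, cross_border_wires=True),
    "domestic_pep": Applicant("D. Councillor", "local councillor", "GB", "GB",
                              frozenset({"current_account", "debit_card"}), 20_000, pep=True),
}

if __name__ == "__main__":
    for label, applicant in SAMPLE_APPLICANTS.items():
        d = assess(applicant)
        print(f"{label:12} -> {d.rating:6} score={d.score} dd={d.due_diligence} "
              f"senior_approval={d.senior_approval_required}")
```

Two design points matter more than the particular weights. The foreign-PEP override sits outside the arithmetic so that no combination of low-risk factors can talk the engine out of enhanced due diligence, and the simplified tier is only reachable when the law permits it, the rating is low, the expected balance is small and the products are plain retail, which keeps the policy from excluding ordinary low-value customers while still refusing to simplify anything unusual. The `reasons` list is what a reviewer or supervisor would ask for when the decision is challenged.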

3. Customer and Beneficial Owner identification, verification and risk profiling

For the purposes of this guidance, a customer refers, in accordance with FATF Recommendation 10, to any person who enters into a business relationship or carries out an occasional financial transaction with the bank. Customer due diligence should be applied not only to customers but also to persons acting on their behalf and to beneficial owners. In accordance with the FATF standards, banks should identify customers and verify their identity.

A bank should establish a systematic procedure for identifying and verifying its customers and, where applicable, any person acting on their behalf and any beneficial owner(s). Generally, a bank should not establish a banking relationship, or carry out any transactions, until the identity of the customer has been satisfactorily established and verified in accordance with FATF Recommendation 10. Consistent with BCP 29 and the FATF standards, the procedures should also include the taking of reasonable measures to verify the identity of the beneficial owner. A bank should also verify that any person acting on behalf of the customer is so authorised, and should verify the identity of that person.

The identity of customers, beneficial owners, as well as persons acting on their behalf, should be verified by using reliable, independent source documents, data or information. When relying on documents, a bank should be aware that the best documents for the verification of identity are those most difficult to obtain illicitly or to counterfeit. When relying on sources other than documents, the bank must ensure that the methods (which may include checking references with other financial institutions and obtaining financial statements) and sources of information are appropriate, and in accordance with the bank’s policies and procedures and the risk profile of the customer. A bank may require customers to complete a written declaration of the identity and details of the beneficial owner, although the bank should not rely solely on such declarations. As for all elements of the CDD process, a bank should also consider the nature and level of risk presented by a customer when determining the extent of the applicable due diligence measures.

In no case should a bank disregard its customer identification and verification procedures just because the customer is unable to be present for an interview (non-face-to-face customer); the bank should also take into account risk factors such as why the customer has chosen to open an account far away from its seat/office, in particular in a foreign jurisdiction. It would also be important to take into account the relevant risks associated with customers from jurisdictions that are known to have AML/CFT strategic deficiencies and apply enhanced due diligence when this is called for by the FATF, other international bodies or national authorities. 

While the customer identification and verification process is applicable at the outset of the relationship or before an occasional banking transaction is carried out, a bank should use this information to build an understanding of the customer’s profile and behaviour. The purpose of the relationship or the occasional banking transaction, the level of assets or the size of transactions of the customer, and the regularity or duration of the relationship are examples of information typically collected. Therefore, a bank should also have policies and procedures in place to conduct due diligence on its customers sufficient to develop customer risk profiles either for particular customers or categories of customers. The information collected for this purpose should be determined by the level of risk associated with the customer’s business model and activities as well as the financial products or services requested by the customer. These risk profiles will facilitate the identification of any account activity that deviates from activity or behaviour that would be considered “normal” for the particular customer or customer category and could be considered as unusual, or even suspicious. Customer risk profiles will assist the bank in further determining if the customer or customer category is higher-risk and requires the application of enhanced CDD measures and controls. The profiles should also reflect the bank’s understanding of the intended purpose and nature of the business relationship/occasional banking transaction, expected level of activity, type of transactions, and, where necessary, sources of customer funds, income or wealth as well as other similar considerations. Any significant information collected on customer activity or behaviour should be used in updating the bank’s risk assessment of the customer.

A bank should obtain customer identification papers as well as any information and documentation obtained as a result of CDD conducted on the customer. This could include copies of or records of official documents (eg passports, identity cards, driving licences), account files (eg financial transaction records) and business correspondence, including the results of any analysis undertaken such as the risk assessment and inquiries to establish the background and purpose of the relationships and activities.

A bank should also obtain all the information necessary to establish to its full satisfaction the identity of its customer and the identity of any person acting on behalf of the customer and of beneficial owners. While a bank is required to both identify its customers and verify their identities, the nature and extent of the information required for verification will depend on the risk assessment, including the type of applicant (personal, corporate etc), and the expected size and use of the account. The specific requirements involved in ascertaining the identity of natural persons are usually prescribed in national legislation. Higher-risk customers will require the application of enhanced due diligence to verify customer identity. If the relationship is complex, or if the size of the account is significant, additional identification measures may be advisable, and these should be determined based on the level of overall risk.

When a bank is unable to complete CDD measures, it should not open the account, commence business relations or perform the transaction. However, there may be circumstances where it would be permissible for verification to be completed after the establishment of the business relationship, because it would be essential not to interrupt the normal conduct of business. In such circumstances, the bank should adopt adequate risk management procedures with respect to the conditions and restrictions under which a customer may utilise the banking relationship prior to verification. In situations where an account has been opened but problems of verification arise during the course of the establishment of the banking relationship that cannot be resolved, the bank should close or otherwise block access to the account. In any event, the bank should consider filing an STR in cases where there are problems with completion of the CDD measures. Additionally, where CDD checks raise suspicion or reasonable grounds to suspect that the assets or funds of the prospective customer may be the proceeds of predicate offences and crimes related to ML/FT, banks should not voluntarily agree to open accounts with such customers. In such situations, banks should file an STR with the relevant authorities accordingly and ensure that the customer is not informed, even indirectly, that an STR has been, is being or shall be filed.

A bank should have in place procedures and material capacity enabling front office, customer-facing activities to identify any designated entities or individuals (eg terrorists, terrorist organisations) in accordance with their national legislation and the relevant United Nations Security Council Resolutions (UNSCRs).

While the transfer of funds from an account in the customer’s name in another bank subject to the same CDD standard as the initial deposit may provide some comfort, a bank should nevertheless conduct its own due diligence and consider the possibility that the previous account manager may have asked for the account to be closed because of a concern about illicit activities. Naturally, customers have the right to move their business from one bank to another. However, if a bank has any reason to believe that an applicant has been refused banking facilities by another bank due to concerns over illicit activities of the customer, it should consider classifying that applicant as higher-risk and apply enhanced due diligence procedures to the customer and the relationship, filing an STR and/or not accepting the customer in accordance with its own risk assessments and procedures.

A bank should not open an account or conduct ongoing business with a customer who insists on anonymity or who gives an obviously fictitious name. Nor should confidential numbered accounts function as anonymous accounts; they should be subject to exactly the same CDD procedures as all other customers’ accounts, even if the procedures are carried out by selected staff. While a numbered account can offer additional confidentiality for the account-holder, the identity of the latter must be verified by the bank and known to a sufficient number of staff to facilitate the conduct of effective due diligence, especially if other risk factors indicate that the customer is higher-risk. A bank should ensure that its internal control, compliance, audit and other oversight functions, in particular the chief AML/CFT officer, and the bank’s supervisors, have full access to this information as needed.

4. Ongoing Monitoring

Ongoing monitoring is an essential aspect of effective and sound ML/FT risk management. A bank can only effectively manage its risks if it has an understanding of the normal and reasonable banking activity of its customers that enables the bank to identify attempted and unusual transactions which fall outside the regular pattern of the banking activity. Without such knowledge, the bank is likely to fail in its obligations to identify and report suspicious transactions to the appropriate authorities. Ongoing monitoring should be conducted in relation to all business relationships and transactions, but the extent of the monitoring should be based on risk as identified in the bank risk assessment and its CDD efforts. Enhanced monitoring should be adopted for higher-risk customers or transactions. A bank should not only monitor its customers and their transactions, but should also carry out cross-sectional product/service monitoring in order to identify and mitigate emerging risk patterns.

All banks should have systems in place to detect unusual or suspicious transactions or patterns of activity. In establishing scenarios for identifying such activity, a bank should consider the customer’s risk profile developed as a result of the bank’s risk assessment, information collected during its CDD efforts, and other information obtained from law enforcement and other authorities in its jurisdiction. For example, a bank may be aware of particular schemes or arrangements to launder proceeds of crime that may have been identified by authorities as occurring within its jurisdiction. As part of its risk assessment process, it will have assessed the risk that activity associated with such schemes or arrangements may be occurring within the bank through a category of customers, group of accounts, transaction pattern or product usage. Based on this knowledge, the bank should design and apply appropriate monitoring tools and controls to identify such activity. These could be through alert scenarios for computerised monitoring systems or setting limits for a particular class or category of activity, for instance. 

Using CDD information, a bank should be able to identify transactions that do not appear to make economic sense, that involve large cash deposits or that are not consistent with the customer’s normal and expected transactions.
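Both the transaction monitoring subsection under d) above and the ongoing monitoring paragraphs here describe the same mechanism: parameterised scenarios, tuned to the bank’s own risk situation, that compare each transaction with the customer’s CDD profile and raise alerts for the chief AML/CFT officer to assess. The following is an added example of such a rule engine, written for this page rather than taken from BCBS or any vendor system. The cash threshold, the structuring band and window, the scenario names and the per-rating tolerance multipliers are assumptions; real parameters would come from national reporting thresholds and the bank’s risk assessment, and an alert is an input to analysis, not an STR.

```python
"""Rule-based transaction monitoring driven by CDD profiles. Added example;
thresholds, scenario names and the multipliers per risk rating are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CASH_THRESHOLD = 10_000            # assumed large-cash reporting threshold
STRUCTURING_BAND = 0.85            # deposits at >= 85% of the threshold count as "just under"
STRUCTURING_MIN_COUNT = 3
STRUCTURING_WINDOW = timedelta(days=7)
# Tighter tolerance for higher-risk customers: the same deviation alerts sooner.
DEVIATION_MULTIPLIER = {"low": 5.0, "medium": 3.0, "high": 2.0}


@dataclass
class Profile:
    customer_id: str
    risk_rating: str               # "low" | "medium" | "high", from the CDD risk assessment
    expected_txn_amount: float     # typical single-transaction size declared at onboarding
    declared_countries: frozenset  # jurisdictions the customer said it transacts with


@dataclass
class Txn:
    customer_id: str
    when: date
    amount: float
    kind: str      # "cash_deposit" | "wire_in" | "wire_out" | "card"
    country: str   # counterparty country (ISO 3166 alpha-2)


@dataclass
class Alert:
    scenario: str
    customer_id: str
    detail: str


def monitor(profiles, txns):
    """Return alerts for the chief AML/CFT officer to assess; nothing here is an STR by itself."""
    by_id = {p.customer_id: p for p in profiles}
    alerts, near_threshold_cash = [], defaultdict(list)
    for t in sorted(txns, key=lambda t: t.when):
        p = by_id.get(t.customer_id)
        if p is None:   # activity on an account with no CDD profile is a control gap in itself
            alerts.append(Alert("NO_PROFILE", t.customer_id, f"{t.kind} {t.amount:.2f} without CDD profile"))
            continue
        if t.kind == "cash_deposit":
            if t.amount >= CASH_THRESHOLD:
                alerts.append(Alert("LARGE_CASH", p.customer_id, f"cash deposit {t.amount:.2f} on {t.when}"))
            elif t.amount >= CASH_THRESHOLD * STRUCTURING_BAND:
                near_threshold_cash[p.customer_id].append(t)
        limit = p.expected_txn_amount * DEVIATION_MULTIPLIER[p.risk_rating]
        if t.amount > limit:
            alerts.append(Alert("PROFILE_DEV", p.customer_id,
                                f"{t.kind} {t.amount:.2f} exceeds {limit:.2f} ({p.risk_rating} risk)"))
        if t.kind in ("wire_in", "wire_out") and t.country not in p.declared_countries:
            alerts.append(Alert("GEO_DEV", p.customer_id, f"{t.kind} with undeclared country {t.country}"))
    # Structuring: several just-under-threshold cash deposits inside a sliding window.
    for cid, deposits in near_threshold_cash.items():   # already in date order
        for i, first in enumerate(deposits):
            window = [d for d in deposits[i:] if d.when - first.when <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                total = sum(d.amount for d in window)
                alerts.append(Alert("STRUCTURING", cid,
                                    f"{len(window)} deposits totalling {total:.2f} from {first.when}"))
                break
    return alerts


# Constructed profiles and transactions (fictitious).
PROFILES = [
    Profile("C001", "low", 2_000, frozenset({"GB"})),
    Profile("C002", "high", 5_000, frozenset({"GB", "DE"})),
]
SAMPLE_TXNS = [
    Txn("C001", date(2024, 3, 1), 9_500, "cash_deposit", "GB"),
    Txn("C002", date(2024, 3, 2), 10_000, "cash_deposit", "GB"),
    Txn("C001", date(2024, 3, 3), 9_200, "cash_deposit", "GB"),
    Txn("C002", date(2024, 3, 4), 4_000, "wire_out", "AE"),
    Txn("C001", date(2024, 3, 5), 9_700, "cash_deposit", "GB"),
    Txn("C002", date(2024, 3, 6), 25_000, "wire_in", "DE"),
    Txn("C001", date(2024, 3, 6), 1_500, "wire_out", "GB"),
    Txn("C999", date(2024, 3, 7), 50, "card", "GB"),
]

if __name__ == "__main__":
    for a in monitor(PROFILES, SAMPLE_TXNS):
        print(f"{a.scenario:12} {a.customer_id} {a.detail}")
```

The point of the sample data is that none of C001’s three deposits trips the single-transaction cash rule on its own; only the window over the customer’s history does, which is why the text insists that monitoring cover all of a customer’s transactions over a timeframe rather than each one in isolation. The `PROFILE_DEV` scenario also shows the risk-based calibration called for above: the same 25,000 wire would pass unremarked for a low-risk customer with the same expected amount, but alerts for the high-risk one.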

A bank should have established enhanced due diligence policies and procedures for customers who have been identified as higher-risk by the bank. In addition to established policies and procedures relating to approvals for account opening, a bank should also have specific policies regarding the extent and nature of required CDD, frequency of ongoing account monitoring and updating of CDD information and other records. The ability of the bank to effectively monitor and identify suspicious activity would require access to updated, comprehensive and accurate customer profiles and records.

A bank should ensure that it has appropriate integrated management information systems, commensurate with its size, organisational structure and complexity, based on materiality and risks, to provide both business units (eg relationship managers) and risk and compliance officers (including investigating staff) with the timely information needed to identify, analyse and effectively monitor customer accounts. The systems used and the information available should support the monitoring of such customer relationships across lines of business and include all the available information on that customer relationship, including transaction history, missing account opening documentation, significant changes in the customer’s behaviour or business profile, and unusual transactions made through a customer account.

The bank should screen its customer database(s) whenever there are changes to sanction lists. The bank should also screen its customer database(s) periodically to detect foreign PEPs and other higher risk accounts and subject them to enhanced due diligence.

5. Management of information 

(a) Record-keeping 

A bank should ensure that all information obtained in the context of CDD is recorded. This includes both (i) recording the documents the bank is provided with when verifying the identity of the customer or the beneficial owner, and (ii) transcription into the bank’s own IT systems of the relevant CDD information contained in such documents or obtained by other means.

A bank should also develop and implement clear rules on the records that must be kept to document due diligence conducted on customers and individual transactions. These rules should take into account, if possible, any prescribed privacy measures. They should include a definition of the types of information and documentation that should be included in the records as well as the retention period for such records, which should be at least five years from the termination of the banking relationship or the occasional transaction. Even if accounts are closed, in the event of ongoing investigation/ litigation, all records should be retained until the closure of the case. Maintaining complete and updated records is essential for a bank to adequately monitor its relationship with its customer, to understand the customer’s ongoing business and activities, and, if necessary, to provide an audit trail in the event of disputes, legal action, or inquiries or investigations that could lead to regulatory actions or criminal prosecution.

Adequate records documenting the evaluation process related to ongoing monitoring and review and any conclusions drawn should also be maintained and will help to demonstrate the bank’s compliance with CDD requirements and ability to manage ML and FT risk. 

(b) Updating of information

Only if banks ensure that records remain accurate, up-to-date and relevant by undertaking regular reviews of existing records and updating the CDD information can other competent authorities, law enforcement agencies or financial intelligence units make effective use of that information in order to fulfil their own responsibilities in the context of AML/CFT. In addition, keeping up-to-date information will enhance the bank’s ability to effectively monitor the account for unusual or suspicious activities.

(c) Supplying information to the supervisors

A bank should be able to demonstrate to its supervisors, on request, the adequacy of its assessment, management and mitigation of ML/FT risks; its customer acceptance policy; its procedures and policies concerning customer identification and verification; its ongoing monitoring and procedures for reporting suspicious transactions; and all measures taken in the context of AML/CFT. 

6. Reporting of Suspicious Transactions and Asset Freezing 

(a) Reporting of Suspicious Transactions 

Ongoing monitoring and review of accounts and transactions will enable banks to identify suspicious activity, eliminate false positives and report promptly genuine suspicious transactions. The process for identifying, investigating and reporting suspicious transactions to the FIU should be clearly specified in the bank’s policies and procedures and communicated to all personnel through regular training. These policies and procedures should contain a clear description for employees of their obligations and instructions for the analysis, investigation and reporting of such activity within the bank as well as guidance on how to complete such reports.

There should also be established procedures for assessing whether the bank’s statutory obligations under recognised suspicious activity reporting regimes require the transaction to be reported to the appropriate law enforcement agency or FIU and/or supervisory authorities, if relevant. These procedures should also reflect the principle of confidentiality, ensure that investigation is conducted swiftly and that reports contain relevant information and are produced and submitted in a timely manner. The chief AML/CFT officer should ensure prompt disclosures where funds or other property that is suspected to be the proceeds of crime remain in an account. 

Once suspicion has been raised in relation to an account or relationship, in addition to reporting the suspicious activity a bank should ensure that appropriate action is taken to adequately mitigate the risk of the bank being used for criminal activities. This may include a review of either the risk classification of the customer or account or of the entire relationship itself. Appropriate action may necessitate escalation to the appropriate level of decision-maker to determine how to handle the relationship, taking into account any other relevant factors, such as cooperation with law enforcement agencies or the FIU. 

(b) Asset Freezing 

Financing of terrorism has similarities with money laundering, but it also has specificities that banks should take into due consideration: funds that are used to finance terrorist activities may be derived either from criminal activity or from legal sources, and the nature of the funding sources may vary according to the type of terrorist organisation. In addition, it should be noted that transactions associated with the financing of terrorists may be conducted in very small amounts.

A bank should be able to identify and to enforce funds freezing decisions made by the competent authority and it should otherwise not deal with any designated entities or individuals (eg terrorists, terrorist organisations) consistent with relevant national legislation and UNSCRs.

CDD should help a bank to detect and identify potential FT transactions, providing important elements for a better knowledge of its customers and the transactions they conduct. In developing customer acceptance policies and procedures, a bank should give proper relevance to the specific risks of entering into or pursuing business with individuals or entities linked to terrorist groups. Before establishing a business relationship or carrying out an occasional transaction with new customers, a bank should screen customers against lists of known or suspected terrorists issued by competent (national and international) authorities. Likewise, ongoing monitoring should verify that existing customers are not entered into these same lists.

All banks should have systems in place to detect prohibited transactions (eg transactions with entities designated by the relevant UNSCRs or national sanctions). Terrorist screening is not a risk-sensitive due diligence measure and should be carried out irrespective of the risk profile attributed to the customer. For the purpose of terrorist screening, a bank may adopt automatic screening systems, but it should ensure that such systems are fit for the purpose. A bank should freeze without delay and without prior notice the funds or other assets of designated persons and entities, following applicable laws and regulations.
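The screening requirement stated in the ongoing monitoring section (re-screen the customer database whenever sanction lists change) and in the asset freezing paragraphs above (screen every customer at onboarding and on an ongoing basis, irrespective of risk rating) comes down to one operation: compare each customer name, and its known aliases, against the designated names in a way that survives spelling variants, diacritics, punctuation and word order. The following is an added example of that name-matching core, written for this page; it is not BCBS code and not a description of any commercial screening product. The designated list, the customer records, the 0.9 similarity threshold and the use of a plain character-level similarity from the standard library are assumptions; a production engine adds phonetic and transliteration rules, date-of-birth and nationality attributes to discriminate true from false matches, and a four-eyes review of every hit before funds are frozen.

```python
"""Screening a customer database against a designated-persons list. Added example;
the list entries, customers and the 0.9 match threshold are constructed assumptions."""
import re
import unicodedata
from difflib import SequenceMatcher


def normalize(name):
    """Canonical form so spelling variants compare equal: strip diacritics (NFKD),
    casefold, replace punctuation with spaces, and sort tokens so word order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9 ]+", " ", ascii_only.casefold()).split()
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Character-level similarity in [0, 1] between two normalised names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(customers, designated, threshold=0.9):
    """Compare every customer (regardless of risk rating) with every listed name and alias.
    Returns one hit per (customer, list entry) at or above the threshold."""
    hits = []
    for cust in customers:
        for entry in designated:
            candidates = [entry["name"], *entry.get("aliases", [])]
            score, matched = max((similarity(cust["name"], c), c) for c in candidates)
            if score >= threshold:
                hits.append({"customer_id": cust["id"], "customer_name": cust["name"],
                             "list_id": entry["list_id"], "listed_name": entry["name"],
                             "matched_on": matched, "score": round(score, 3)})
    return hits


# Constructed, fictitious designated-persons list and customer records.
DESIGNATED = [
    {"list_id": "EXAMPLE-LIST-001", "name": "Jose Alvarez Perez", "aliases": ["J. Alvarez"]},
    {"list_id": "EXAMPLE-LIST-002", "name": "Northern Star Trading Co"},
]
CUSTOMERS = [
    {"id": "C001", "name": "José Álvarez-Pérez", "risk_rating": "low"},
    {"id": "C002", "name": "Perez, Jose Alvarez", "risk_rating": "low"},
    {"id": "C003", "name": "Maria Santos", "risk_rating": "high"},
    {"id": "C004", "name": "Josef Alvarez Perez", "risk_rating": "medium"},
    {"id": "C005", "name": "Northern Star Trading Company", "risk_rating": "low"},
]

if __name__ == "__main__":
    # Re-screening after a list update is simply a fresh call with the new list.
    for h in screen(CUSTOMERS, DESIGNATED):
        print(h)
```

Note what the sample shows: the accented and hyphenated spelling, the "surname, given names" ordering and the one-letter variant all resolve to the same listed person, while the high-risk customer with an unrelated name produces no hit, because screening is driven by the list, not by the risk rating. The threshold is the tuning knob a bank has to justify to its supervisor: lower it and the analysts drown in false positives, raise it and a transliterated name slips through.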

II. AML/CFT in a Group-wide and Cross-border context

Sound ML/FT risk management where a bank operates in other jurisdictions entails consideration of host country legal requirements. Given the risks, each group should develop group-wide AML/CFT policies and procedures consistently applied and supervised across the group. In turn, policies and procedures at the branch or subsidiary levels, even though reflecting local business considerations and the requirements of the host jurisdiction, must still be consistent with and supportive of the group’s broader policies and procedures. 

In cases where the host jurisdiction requirements are stricter than the group’s, group policy should allow the relevant branch or subsidiary to adopt and implement the host jurisdiction local requirements. 

1. Global Process for Managing Customer Risks

Consolidated risk management means establishing and administering a process to coordinate and apply policies and procedures on a group-wide basis, thereby implementing a consistent and comprehensive baseline for managing the bank’s risks across its international operations. Policies and procedures should be designed not merely to comply strictly with all relevant laws and regulations, but more broadly to identify, monitor and mitigate group-wide risks. Every effort should be made to ensure that the group’s ability to obtain and review information in accordance with its global AML/CFT policies and procedures is not impaired as a result of modifications to local policies or procedures necessitated by local legal requirements. In this regard, a bank should have robust information-sharing among the head office and all of its branches and subsidiaries. Where the minimum regulatory or legal requirements of the home and host countries differ, offices in host jurisdictions should apply the higher standard of the two.

Furthermore, according to the FATF Standards, if the host country does not permit the proper implementation of those standards, the chief AML/CFT officer should inform the home supervisors. Additional measures should be considered, including, as appropriate, the financial group closing its operations in the host country.

The Committee recognises that implementing group-wide AML/CFT procedures is more challenging than many other risk management processes because some jurisdictions continue to restrict the ability of banks to transmit customer names and balances across national borders. For effective group-wide monitoring and for ML/FT risk management purposes, it is essential that banks be authorised to share information about their customers, subject to adequate legal protection, with their head offices or parent bank. This applies in the case of both branches and subsidiaries.


2. Risk Assessment and Management


 The bank should have a thorough understanding of all the risks associated with its customers across the group, either individually or as a category, and should document and update these on a regular basis, commensurate with the level and nature of risk in the group. In assessing customer risk, a bank should identify all relevant risk factors such as geographical location and patterns of transaction activity (declared or self-stated) and usage of bank products and services and establish criteria for identifying higher-risk customers. These criteria should be applied across the bank, its branches and its subsidiaries and through outsourced activities (see Annex 1). Customers that pose a higher risk of ML/FT to the bank should be identified across the group using these criteria. Customer risk assessments should be applied on a group-wide basis or at least be consistent with the group-wide risk assessment. Taking into account differences in risks associated with customer categories, group policy should recognise that customers in the same category may pose different risks in different jurisdictions. The information collected in the assessment process should then be used to determine the level and nature of overall group risk and support the design of appropriate group controls to mitigate these risks. The mitigating factors can comprise additional information from the customer, tighter monitoring, more frequent updating of personal data and visits by bank staff to the customer location.

Banks’ compliance and internal audit staff, in particular the chief AML/CFT officer, or external auditors, should evaluate compliance with all aspects of their group’s policies and procedures, including the effectiveness of centralised CDD policies and the requirements for sharing information with other group members and responding to queries from head office. Internationally active banking groups should ensure that they have a strong internal audit and a global compliance function, since these are the primary mechanisms for monitoring the overall application of the bank’s global CDD and the effectiveness of its policies and procedures for sharing information within the group. This should include the responsibility of a chief AML/CFT officer for group-wide compliance with all relevant AML/CFT policies, procedures and controls nationally and abroad (see the last two paragraphs of item 3 below).


3. Consolidated AML/CFT policies and procedures

A bank should ensure it understands the extent to which AML/CFT legislation allows it to rely on the procedures undertaken by other banks (for example within the same group) when business is being referred. A bank should not rely on introducers that are subject to standards that are less strict than those governing the bank’s own AML/CFT procedures. This will entail banks monitoring and evaluating the AML/CFT standards in place in the jurisdiction of the referring bank. A bank may rely on an introducer that is part of the same financial group and could consider placing a higher level of reliance on the information provided by this introducer, provided this introducer is subject to the same standards as the bank, and the application of these requirements is supervised at the group level. A bank taking this approach should ensure, however, that it obtains customer information from the referring bank (as further detailed in Annex 1), as this information may be required to be reported to FIUs in the event that a transaction involving the referred customer is determined to be suspicious.
Relevant information should be accessible by the banking group’s head office for the purpose of enforcing group AML/CFT policies and procedures. Each office of the banking group should be in a position to comply with minimum AML/CFT and accessibility policies and procedures applied by the head office and defined consistently with the Committee guidelines.

Customer acceptance, CDD and record-keeping policies and procedures should be implemented through the consistent application of policies and procedures throughout the organisation, with adjustments as necessary to address variations in risk according to specific business lines or geographical areas of operation. Moreover, it is recognised that different approaches to information collection and retention may be necessary across jurisdictions to conform to local regulatory requirements or relative risk factors. However, these approaches should be consistent with the group-wide standards discussed above.
Regardless of its location, each office should establish and maintain effective monitoring policies and procedures that are appropriate to the risks present in the jurisdiction and in the bank. This local monitoring should be complemented by a robust process of information-sharing with the head office, and if appropriate with other branches and subsidiaries regarding accounts and activity that may represent heightened risk.
To effectively manage the ML and FT risks arising from such accounts, a bank should integrate this information based not only on the customer but also on its knowledge of both the beneficial owners of the customer and the funds involved. A bank should monitor significant customer relationships, balances and activity on a consolidated basis, regardless of whether the accounts are held on-balance sheet, off-balance sheet, as assets under management or on a fiduciary basis, and regardless of where they are held. The FATF standards have now also set out more details relating to banks’ head office oversight of group compliance, audit and/or AML/CFT functions. Moreover, although these guidelines have been conceived primarily for banks, they may also be of interest to conglomerates (including banks).
Many large banks with the capability to do so centralise certain processing systems and databases for more effective management or efficiency purposes. In implementing this approach, a bank should adequately document and integrate the local and centralised transaction/account monitoring functions to ensure that it has the opportunity to monitor for patterns of potential suspicious activity across the group and not just at either the local or centralised levels.
A bank performing business nationally and abroad should appoint a chief AML/CFT officer for the whole group (group AML/CFT officer). The group AML/CFT officer has responsibility, as part of global risk management, for creating, coordinating and assessing group-wide the implementation of a single AML/CFT strategy (including mandatory policies and procedures and the authorisation to give orders to all branches, subsidiaries and subordinated entities nationally and abroad).
The function of the group AML/CFT officer includes ongoing monitoring of the fulfilment of all AML/CFT requirements on a group-wide basis, nationally and abroad. Therefore, the group AML/CFT officer should satisfy him/herself (including through on-site visits on a regular basis) that there is group-wide compliance with the AML/CFT requirements. If needed, he/she should be empowered to give orders or take the necessary measures for the whole group.


4. Group-wide information-sharing


Banks should oversee the coordination of information-sharing. Subsidiaries and branches should be required to proactively provide the head office with information concerning higher-risk customers and activities relevant to the global AML/CFT standards, and respond to requests for account information from the head office or parent bank in a timely manner. The bank’s group-wide standards should include a description of the process to be followed in all locations for identifying, monitoring and investigating potential unusual circumstances and reporting suspicious activity.

The bank’s group-wide policies and procedures should take into account issues and obligations related to local data protection and privacy laws and regulations. They should also take into account the different types of information that may be shared within a group and the requirements for storage, retrieval, sharing/distribution and disposal of this information.
The group’s overall ML/FT risk management function should evaluate the potential risks posed by activity reported by its branches and subsidiaries and, where appropriate, assess the group-wide risks presented by a given customer or category of customers. It should have policies and procedures to ascertain if other branches or subsidiaries hold accounts for the same customer (including any related or affiliated parties). The bank should also have policies and procedures governing global account relationships that are deemed higher-risk or have been associated with potentially suspicious activity, including escalation procedures and guidance on restricting account activities, including the closing of accounts as appropriate.
In addition, a bank and its branches and subsidiaries should, in accordance with their respective domestic laws, be responsive to requests from law enforcement agencies, supervisory authorities or FIUs for information about customers that is needed in their efforts to combat ML and FT. A bank’s head office should be able to require all branches and subsidiaries to search their files against specified lists or requests for individuals or organisations suspected of aiding and abetting ML and FT, and report matches.
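The two paragraphs above call for the head office to ascertain whether several branches or subsidiaries hold accounts for the same customer, to view balances and activity across booking types, and to have every office search its files against specified lists and report matches. The following is an added example, not code from the BCBS paper or from the blog, of how a head office can do this over records received from its offices: a name normalisation step that lets "MERCER, Alex" and "Alex Mercer" consolidate under one identity, a group-wide view per customer regardless of whether exposure is on-balance sheet, off-balance sheet or assets under management, and an exact-after-normalisation screen against a list. All records, entity codes ("HOME-HQ", "SUB-JUR_A", "BR-JUR_B"), identity-document numbers and listed names are constructed and do not refer to any real list or person.

```python
"""Added example, not code from the BCBS paper or the blog: consolidating
account records received from branches and subsidiaries under one customer
identity, then screening the consolidated view against a specified list.
The records, entity codes, identity documents and list names are constructed."""
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed records as a head office might receive them; one customer (id_doc P123)
# is held by three entities under different name spellings and booking types.
RECORDS = [
    {"entity": "HOME-HQ",   "account": "A-1001", "name": "Alex Mercer",   "id_doc": "P123", "book": "on_balance",  "exposure": 250_000},
    {"entity": "SUB-JUR_A", "account": "B-2001", "name": "MERCER, Alex",  "id_doc": "P123", "book": "aum",         "exposure": 1_200_000},
    {"entity": "BR-JUR_B",  "account": "C-3001", "name": "Alex  Mercer",  "id_doc": "P123", "book": "off_balance", "exposure": 400_000},
    {"entity": "SUB-JUR_A", "account": "B-2002", "name": "Zoë Lindqvist", "id_doc": "N555", "book": "on_balance",  "exposure": 80_000},
    {"entity": "HOME-HQ",   "account": "A-1002", "name": "Omar Haddad",   "id_doc": "",     "book": "on_balance",  "exposure": 15_000},
]

# A specified list or request from head office (constructed names, not any real list).
LIST_REQUEST = ["Zoe Lindqvist", "Dana Ferreira"]


def normalize_name(name: str) -> str:
    """Canonical form for exact-after-normalisation matching: strip diacritics,
    lower-case, drop punctuation, and sort tokens so 'MERCER, Alex' == 'Alex Mercer'.
    Fuzzy matching (edit distance, phonetic keys) is deliberately out of scope here."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_only.lower()).split()
    return " ".join(sorted(tokens))


def customer_key(record: Dict) -> str:
    """Identity key: the identity document when present, else the normalised name."""
    return record["id_doc"] or "NAME:" + normalize_name(record["name"])


def consolidate(records: List[Dict]) -> Dict[str, Dict]:
    """Group-wide view per customer across entities and booking types."""
    view: Dict[str, Dict] = {}
    for r in records:
        c = view.setdefault(customer_key(r),
                            {"names": set(), "entities": set(), "by_book": {}, "total_exposure": 0})
        c["names"].add(normalize_name(r["name"]))
        c["entities"].add(r["entity"])
        c["by_book"][r["book"]] = c["by_book"].get(r["book"], 0) + r["exposure"]
        c["total_exposure"] += r["exposure"]
    return view


def multi_entity_customers(view: Dict[str, Dict]) -> List[str]:
    """Customers held by more than one branch or subsidiary."""
    return sorted(k for k, c in view.items() if len(c["entities"]) > 1)


def screen_against_list(records: List[Dict], listed: List[str]) -> List[Tuple[str, str, str]]:
    """Search every entity's records against the list; return (listed name, entity, account)."""
    wanted = {normalize_name(n): n for n in listed}
    matches = []
    for r in records:
        hit = wanted.get(normalize_name(r["name"]))
        if hit:
            matches.append((hit, r["entity"], r["account"]))
    return matches


if __name__ == "__main__":
    view = consolidate(RECORDS)
    for key in multi_entity_customers(view):
        print(key, sorted(view[key]["entities"]), view[key]["by_book"], view[key]["total_exposure"])
    print(screen_against_list(RECORDS, LIST_REQUEST))
```

The identity key prefers the identity document over the name, because the guidance asks for consolidation on the customer rather than on the label each office uses; a record with no document falls back to the normalised name and is kept visibly separate with a "NAME:" prefix so that reviewers can see it was not matched on a document. Sorting tokens handles the surname-first convention but not transliteration or spelling variants, which a production screening system would address with fuzzy matching.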
A bank should be able to inform its supervisors, if so requested, about its global process for managing customer risks, its risk assessment and management of ML/FT risks, its consolidated AML/CFT policies and procedures, and its group-wide information-sharing arrangements. 

5. Mixed financial groups

Many banking groups engage in securities and insurance businesses. The application of ML/FT risk management controls in mixed financial groups poses additional issues that may not be present for deposit-taking and lending operations. Mixed groups should have the ability to monitor and share information on the identity of customers and their transaction and account activities across the entire group, and be alert to customers that use their services in different sectors, as described in paragraph  above.


Differences in the nature of activities and patterns of relationships between banks and customers in each sector may require or justify variations in the AML/CFT requirements imposed on each sector. The group should be alert to these differences when cross-selling products and services to customers from different business arms, and the appropriate AML/CFT requirements for the relevant sectors should be applied.


III. The Role of Supervisors

Banking supervisors are expected to comply with FATF Recommendation 26, which states in part: “For financial institutions subject to the Core Principles, the regulatory and supervisory measures that apply for prudential purposes, and which are also relevant to money laundering and financing of terrorism, should apply in a similar manner for AML/CFT purposes. This should include applying consolidated group supervision for AML/CFT purposes.” The Committee expects supervisors to apply the Core Principles for effective banking supervision to banks’ ML/FT risk management in a manner consistent with and supportive of the supervisors’ overall supervision of banks. Supervisors should be able to apply a range of effective, proportionate and dissuasive sanctions in cases where banks fail to comply with their AML/CFT requirements.

Banking supervisors are expected to set out supervisory expectations governing banks’ AML/CFT policies and procedures. The essential elements as set out in this paper should provide clear guidance for supervisors to proceed with the work of designing or improving national supervisory practice. National supervisors are encouraged to provide guidance to assist banks in designing their own customer identification policies and procedures. The Committee has therefore developed two specific topic guides in Annexes 1 and 2, which could be used by supervisors for this purpose.

Supervisors should adopt a risk-based approach to supervising banks’ ML/FT risk management. Such an approach requires that supervisors:

 (i) Develop a thorough understanding of the risks present in the jurisdiction and their potential impact on the supervised entities;  

(ii) Evaluate the adequacy of the bank’s risk assessment based on the jurisdiction’s national risk assessment(s); 

(iii) Assess the risks present in the target supervised entity to understand the nature and extent of the risks in the entity’s customer base, products and services and the geographical locations in which the bank and its customers do business;

(iv) Evaluate the adequacy and effectiveness in implementation of the controls (including CDD measures) designed by the bank in meeting its AML/CFT obligations and risk mitigation; and 

(v) Utilise this information to allocate the resources, scope the review, identify the necessary supervisory expertise and experience needed to conduct an effective review and allocate these resources relative to the identified risks.

Higher-risk lines of business or customer categories may require specialised expertise and additional procedures to ensure an effective review. The bank’s risk profile should also be used in determining the frequency and timing of the supervisory cycle. Again, banks dealing with higher risk profiles may require more frequent review than others. Supervisors should also verify whether banks have adequately used their discretion with regard to applying AML/CFT measures on a risk-based approach. They should also evaluate the internal controls in place and how banks determine whether they are in compliance with supervisory and regulatory guidance, and prescribed obligations. The supervisory process should include not only a review of policies and procedures but also, when appropriate, a review of customer documentation and the sampling of accounts and transactions, internal reports and STRs. Supervisors should always have the right to access all documentation related to the transactions conducted or accounts maintained in that jurisdiction, including any analysis the bank has made to detect unusual or suspicious transactions.

Supervisors have a duty to ensure their banks maintain sound ML/FT risk management, not only to protect their own safety and soundness but also to protect the integrity of the financial system. Supervisors should make it clear that they will take appropriate action, which may be severe and public if the circumstances warrant, against banks and their officers who demonstrably fail to follow their own internal procedures and regulatory requirements. In addition, supervisors (or other relevant national authorities) should be able to apply appropriate countermeasures and ensure that banks are aware of and apply enhanced CDD measures to business relationships and transactions when called for by the FATF, or where they involve jurisdictions whose AML/CFT standards the country considers inadequate. In this respect, the FATF and some national authorities have listed a number of countries and jurisdictions that are considered to have strategic AML/CFT deficiencies or that do not comply with international AML/CFT standards, and such findings should be a component of a bank's ML/FT risk management.

Supervisors should also consider a bank’s overall monitoring and oversight of compliance at the branch and subsidiary level, as well as the ability of group policy to accommodate local regulatory requirements, and ensure that where there is a difference between the group and local requirements, the stricter of the two is applied. Supervisors should also ensure that in cases where the group branch or subsidiary cannot apply the stricter of the two standards, the reasons for this and the differences between the two are documented and appropriate mitigating measures implemented to address risks identified as a result of those differences.

In a cross-border context, home country supervisors should face no impediments in verifying a bank’s compliance with group-wide AML/CFT policies and procedures during on-site inspections. This may well require a review of customer files and a sampling of accounts or transactions in the host jurisdiction. Home country supervisors should have access to information on sampled individual customer accounts and transactions and on the specific domestic and international risks associated with such customers to the extent necessary to enable a proper evaluation of the application of CDD standards and an assessment of risk management practices. This use of information for a legitimate supervisory need, safeguarded by the confidentiality provisions applicable to supervisors, should not be impeded by local bank secrecy or data protection laws. Although the host country supervisors and/or other authorities retain responsibility for the enforcement of compliance with local AML/CFT requirements (which would include an evaluation of the appropriateness of the procedures), host country supervisors should ensure they extend full cooperation and assistance to home country supervisors who may need to assess how the bank oversees compliance with group-wide AML/CFT policies and processes.

The role of group audit (external or internal) is particularly important in assessing the effectiveness of AML/CFT policies and procedures. Home country supervisors should ensure that there is an appropriate policy, based on the risks, and adequate resources allocated regarding the scope and frequency of audit of the group’s AML/CFT. They should also ensure that auditors have full access to all relevant reports during the audit process.

Supervisors should ensure that information about banks’ customers and transactions is subject to the same confidentiality measures as are applicable to the broad array of information shared between supervisors on banks’ activities.

 It is essential that all jurisdictions that host foreign banks provide an appropriate legal framework to facilitate the passage of information required for customer risk management purposes to the head office or parent bank and home country supervisors. Similarly, there should be no impediments to on-site visits to host jurisdiction subsidiaries and branches by home jurisdiction head office auditors, risk managers, compliance officers (including the chief AML/CFT officer and/or AML/CFT group officer), or home country supervisors, nor any restrictions in their ability to access all the host jurisdiction bank’s records, including customers’ names and balances. This access should be the same for both branches and subsidiaries. If impediments to information-sharing prove to be insurmountable, and there are no satisfactory alternative arrangements, the home supervisors should make it clear to the host supervisor that the bank may be subject to additional supervisory actions, such as enhanced supervisory measures on the group, including, as appropriate, requesting the parent group to close down its operations in the host jurisdiction.

 Where a bank’s head office staff are granted access to information on local customers, there should be no restrictions on them reporting such information back to head office. Such information should be subject to adequate safeguards on confidentiality and use and may be subject to applicable privacy and privilege laws in the home country.

The Committee believes that there is no justifiable reason why local legislation should impede the transfer of customer information from a host bank branch or subsidiary to its head office or parent bank in the home jurisdiction for risk management purposes, including ML and FT risks. If the law in the host jurisdiction restricts disclosure of such information to “third parties”, it is essential that the head office or parent bank and the home jurisdiction bank supervisors are clearly excluded from definitions of a third party. Jurisdictions that have legislation that impedes, or can be interpreted as impeding, such information-sharing for ML/FT risk management purposes, are urged to remove any such restrictions and to provide specific gateways appropriate for this purpose.

Prudential and AML/CFT supervisors should establish an effective cooperation mechanism regardless of the institutional setting, as set out in Annex 5, to ensure that ML/FT risks are adequately supervised in the domestic and cross-jurisdictional context for the benefit of the two functions.




Happy reading,


