Transaction Monitoring in AML/CFT

 

The Transaction Monitoring process identifies suspicious activity, patterns, or trends that may indicate money laundering or terrorist financing activities. It is a process of monitoring, tracking, and analyzing financial transactions. It involves monitoring customer transactions and assessing their historical and current information and interactions to provide a complete picture of their activity.

Transaction monitoring means regularly keeping a close watch on the transactions. It involves checking a customer’s historical transactions, customer’s profile, account details, and interactions. These checks enable the identification of possible customer risks and the prediction of their future behaviour.  

 Transaction Monitoring refers to the monitoring of transfers, deposits and withdrawals, in real time or after they have been processed by a bank or financial institution. Transaction monitoring is an important part of a financial crime compliance programme; not only does it help to detect patterns of suspicious behaviour, it also provides a complete view of customers’ activity, including customer risk levels and predictions of future behaviour.

This process uses advanced technology and algorithms to identify transaction patterns, anomalies, and suspicious behavior. It is a crucial tool for financial institutions to help prevent criminal activities and maintain the financial system’s integrity. AML monitoring, therefore, becomes an essential component of this process

 Just like in Philip K. Dick’s “The Minority Report” novel, transaction monitoring, among other things, uses predictive mechanisms to detect and prevent crime before it happens by uncovering “red flags” in the past transactions and analysing the patterns in customer data.

Financial criminals conduct fraudulent activities by harnessing loopholes in regulations. They create an air of legitimacy around their scheme, company, and transactions. The Securities and Exchange Commission (SEC) charged Allianz Global Investors U.S. LLC (AGI US) and three former senior portfolio managers with a massive fraudulent scheme that concealed the immense downside risks of a complex options trading strategy they called “Structured Alpha” on May 17, 2022.  AGI US marketed and sold the strategy to approximately 114 institutional investors, including pension funds for teachers, clergy, bus drivers, engineers, and other individuals.  After the COVID-19 market crash of March 2020 exposed the fraudulent scheme, the strategy lost billions of dollars as a result of AGI US and the portfolio managers’ misconduct.  AGI US has agreed to pay billions of dollars as part of an integrated, global resolution, including more than $1 billion to settle SEC charges and together with its parent, Allianz SE, over $5 billion in restitution to victims.

Transaction Monitoring can help detect patterns of suspicious behaviour and financial crimes to and from customers. That is why it is a significant step in companies’ and governments’ AML /CFT programs. With transaction monitoring, you can detect crimes before their occurrence or in their early stages. Timely detection saves you from the repercussions.

The objectives of AML Transaction Monitoring

• Firstly, it aims to ensure compliance with regulatory obligations imposed by authorities to combat money laundering and terrorist financing. By monitoring transactions, financial institutions can demonstrate their commitment to due diligence and contribute to global efforts against financial crimes.
• Secondly, AML transaction monitoring aims to protect the financial system's integrity by detecting and preventing illicit activities. Institutions can take appropriate measures by identifying suspicious transactions, such as reporting to regulatory authorities or initiating internal investigations, to mitigate risks and safeguard their customers and the broader financial ecosystem.

A key pillar of any AML compliance program is to monitor transactions for suspicious activity. 

The scope of AML Transaction Monitoring 

The scope of AML transaction monitoring extends to various types of financial transactions, including electronic fund transfers, cash deposits and withdrawals, wire transfers, and credit card transactions, and payments. It encompasses monitoring activities across multiple channels, such as online banking, mobile banking, and point-of-sale transactions.

Typically, monitoring starts with a rules-based system that scans customer transactions for red flags consistent with money laundering. When a transaction matches a predetermined rule, an alert is generated and the case is referred to the bank’s internal investigation team for manual review. If the investigators conclude the behavior is indicative of money laundering, then the bank will file a Suspicious Transaction Report(STR)  with FIU-Ind on FINnet.portal. 

A sting operation that was conducted by reporters of an online media portal named "Cobrapost.com" (hereafter 'Cobrapost'). Sometime in the year 2012- 13 (dates on which the sting operation was conducted are not on record), the reporters of the media portal, Cobrapost, conducted a sting operation called "Operation Red Spider" (hereafter "the sting operation"). The sting operation, inter alia, entailed undercover reporters approaching employees of various banks representing themselves to be customers who required to open accounts to deposit black money belonging to "a Minister" and for laundering the same. The sting operation was designed to expose the role of banks in money laundering.

The tribunal held that the transcripts and videos were edited versions and could not be considered proof of actual conversations. Cobrapost had recorded some bank executives supposedly offering to convert unaccounted money.

It alleged in March 2013 that banks were systematically and deliberately violating provisions of various laws, including the Income Tax Act, Prevention of Money Laundering Act and know-your-customer norms, driven by their desire to boost deposits and and increase profit.

The FIU found banks guilty for not reporting suspicious transactions and levied fines on 15 banks, including Rs 26 lakh on HDFC Bank, Rs 14 lakh on ICICI Bank, Rs 5 lakh on State Bank of India and Rs 13 lakh on Axis Bank. The Financial Intelligence Unit also issued an order finding Axis Bank guilty of violating Section 12 of the Act, as well as Rules 2,3,5, and 7, and imposing a fine of Rs 13 lakhs for 13 instances of failure. Axis Bank, enraged by the aforementioned, filed an appeal with the Appellate Tribunal.

The banks challenged the penalties in the appellate tribunal.

The tribunal pulled up the banks for not reporting these attempted suspicious transactions and held that in future, they and their employees should be careful and report such discussions.

The challenged judgement dismissed the aforementioned appeal, holding that non-compliances did not justify the application of the maximum penalty and that this was a case where a penalty of warning, as allowed under Section 13(2)(a) of the Act, should have been given

Benefits to Financial Institutions and Their Customers

Beyond regulatory compliance, transaction monitoring offers several benefits to financial institutions and their customers. By effectively monitoring transactions, institutions can:

• Protect Customers: Safeguard customer accounts from unauthorized transactions and fraudulent activities, thereby enhancing customer trust and loyalty.
• Reduce Financial Losses: Prevent significant financial losses by detecting and mitigating fraudulent activities early in the transaction process.
• Improve Operational Efficiency: Streamline compliance processes and reduce the manual workload on compliance teams by automating the detection of suspicious transactions.
• Enhance Reputation: Build a reputation as a trustworthy and secure institution, which can attract more customers and business opportunities.

Ultimately, effective transaction monitoring is not just about compliance; it is about creating a safer and more secure financial environment for everyone involved.

Transaction Screening vs. Transaction Monitoring:

Transaction screening and transaction monitoring are two critical functions within the realm of anti-money laundering (AML) and fraud prevention. While they share the common goal of identifying suspicious activities, the two have distinct differences. Understanding these differences is crucial for implementing effective risk management strategies.

Transaction Screening

Transaction screening involves the real-time scanning of individual transactions against predefined lists or databases, such as sanctions lists, politically exposed persons (PEP) lists, or internal watchlists. It aims to quickly flag any transactions involving prohibited entities or individuals. Transaction screening is a proactive measure that helps prevent transactions with high-risk entities and ensures compliance with regulatory requirements. It acts as an initial filter, allowing financial institutions to block or review transactions that raise red flags.

Transaction Monitoring

Transaction monitoring, on the other hand, focuses on the continuous surveillance of customer transactions and activities over a period of time. It deals with analysing customers’ transactional data in real-time or near real-time to identify patterns, trends and anomalies that may indicate potential money laundering, terrorist financing, or other illicit activities. Transaction monitoring enables the identification of complex and evolving patterns of suspicious behaviour that may not be captured through transaction screening alone. It provides a comprehensive view of customer activity and helps in establishing a risk-based approach to monitoring.

The steps in Transaction Monitoring 

Effective TM is predicated on FIs’ sound understanding of their customers, which provides the necessary context for FIs to identify unusual/anomalous transactions and assess whether customers’ activity or behavioural patterns may pose reasonable suspicion. Before establishing business relations, FIs are required to perform customer due diligence (“CDD”) checks and assess the level of ML/TF risks posed by their prospective customers. In this regard, FIs should ensure that (i) their risk assessment frameworks and methodologies and (ii) the scope and extent of CDD measures that they apply are aligned with the requirements in RBI's  AML/CFT Guidances, and more importantly enable them to detect and address risks posed by their customers.

After establishing a business relationship, FIs are required to maintain current and accurate knowledge of their customers through the performance of periodic reviews and/or reviews based on trigger events, and where appropriate enhance the frequency and intensity of customer engagement where the risks are assessed to be greater. Further guidance on the conduct of risk assessments and CDD will be set out in MAS’ upcoming Guidance Paper on the findings and best practices from its AML/CFT inspections on capital markets intermediaries. 

Transaction monitoring is part of overall risk management and more specifically that of ML/FT. The steps in Transaction Monitoring are discussed in the following:

1. Identification of Suspicious Activity/Behavior

1.1 Sources of Unusual Activity Identification

• Employee Identification
• Law Enforcement Requests
• National Security Letters
• Transaction Monitoring
• Surveillance Monitoring

Employee Identification

 

• Activity identified by employees during day-to-day operations
• Training to  staff
• Employees need method to report suspicious activity to appropriate personnel
• Worksheet, e-mail, phone
• Central point of contact
• Documentation

Law Enforcement Inquiries and Requests

As per information received from the Reserve Bank of India (RBI), according to the publicly available information on the Bank of International Settlement’s website, the Basel Committee on Banking Supervision issued a Statement on ‘prevention of criminal use of the banking system for the purpose of money-laundering’ in December 1988, which included a principle on ‘Cooperation with law enforcement authorities’. In terms of this Statement, the banks should cooperate fully with National Law Enforcement Authorities to the extent permitted by specific Local Regulations relating to customer confidentiality. Further, where banks become aware of facts which lead to the presumption that money held on deposit derives from criminal activity or that transactions entered into are themselves criminal in purpose, appropriate measures, consistent with law, should be taken.

1. RBI has issued Know Your Customer (KYC) Direction, 2016 in which guidelines have been laid down in terms of the provisions of Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, as per which Regulated Entities, including banks are required to follow certain customer identification procedures while undertaking a transaction either by establishing an account-based relationship or otherwise and to monitor their transactions.
2. RBI has issued Master Directions on Frauds ― Classification and Reporting which require banks to report frauds beyond a threshold amount to the police, monitoring and follow-up of cases by a special committee, quarterly placement of information before Audit Committees of bank Boards, and annual review of frauds by bank Boards. These cover, inter alia, preventive measures, fraud detection systems, systemic lacunae, remedial action, monitoring of progress of investigation and recovery, and staff accountability.
1. Government has issued “Framework for timely detection, reporting, investigation etc. relating to large value bank frauds” to Public Sector Banks (PSBs), which provides, inter-alia, that¾
2. PSBs at the time of lodging a complaint with the CBI would also lodge a complaint with the Enforcement Directorate in those accounts where money laundering and Foreign Exchange Management Act violations also appear to be there. Similarly where the fraud also appears to involve violations in the export and/ or import of goods and services, a report will also be lodged with Directorate of Revenue Intelligence; and
3. Examination be initiated for willful default immediately upon reporting fraud to RBI.
3. RBI has issued a circular to all banks in February 2018 to implement security and operational controls such as straight-through process between the Core Banking Solution / accounting system and the SWIFT messaging system, enable time-based restrictions in SWIFT, review logs at regular intervals, undertake reconciliation, etc. in a time-bound manner.
4. RBI has instructed banks to report deficient third- party services (such as legal search reports, property valuers’ reports etc.) and ineffective action against collusion of these providers with fraudsters to the Indian Banks’ Association, which maintains a caution list of such service providers.

Combating Financing of Terrorism

As and when list of individuals and entities, approved by Security Council Committee established pursuant to various United Nations' Security Council Resolutions (UNSCRs), are received from Government of India, Reserve Bank circulates these to all banks and financial institutions. Banks/Financial Institutions should ensure to update the lists of individuals and entities as circulated by Reserve Bank. The UN Security Council has adopted Resolutions 1988 (2011) and 1989 (2011) which have resulted in splitting of the 1267 Committee's Consolidated List into two separate lists, namely:

1.      “Al-Qaida Sanctions List”, which is maintained by the 1267 / 1989 Committee. This list shall include only the names of those individuals, groups, undertakings and entities associated with Al-Qaida. The Updated Al-Qaida Sanctions List is available at http://www.un.org/sc/committees/1267/aq_sanctions_list.shtml

2.      “1988 Sanctions List”, which is maintained by the 1988 Committee. This list consists of names previously included in Sections A (“Individuals associated with the Taliban”) and B (“Entities and other groups and undertakings associated with the Taliban”) of the Consolidated List. The Updated 1988 Sanctions list is available at http://www.un.org/sc/committees/ 1988/list.shtml

It may be noted that both “Al-Qaida Sanctions List” and “1988 Sanctions List” are to be taken into account for the purpose of implementation of Section 51A of the Unlawful Activities (Prevention) Act, 1967.

Banks are required on receipt of the list of individuals and entities subject to UN sanctions (referred to as designated lists) from the Reserve Bank, they should ensure expeditious and effective implementation of the procedure prescribed under Section 51 A of UAPA in regard to freezing /unfreezing of financial assets of the designated individuals/entities enlisted in the UNSCRs and especially in regard to funds, financial assets or economic resources or related services held in the form of bank accounts.

Banks are expected to disclose information to LEAs under PMLA2002 and no tipping off to the account holder.

Transaction Monitoring: Monitory Instruments

RBI MD dated 25 Feb 2016 updated as on 04 Jan 2024 prescribes that transactions involving rupees fifty thousand and above shall be undertaken only by:

• Debit to customers’ account or against cheques; and
• Obtaining and verifying the PAN given by the account-based as well as walk-in customers.

The instruction above shall also apply to sale of REs’ own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for rupees fifty thousand and above.

So look for transactions that are structured below threshold level, Common Payees, Common Purchasers and also Consecutively numbered monetary instruments to arrive at Suspicious Transactions. 

National Security Letters

NETRA (NEtworking TRaffic Analysis) is a software network developed by India's Centre for Artificial Intelligence and Robotics (CAIR), a Defence Research and Development Organisation (DRDO) laboratory, and is used by the Intelligence Bureau, India's domestic intelligence agency, and the Research and Analysis Wing (R&AW), the country's external intelligence agency to intercept and analyse internet traffic using pre-defined filters. The program was tested at smaller scales by various national security agencies, and is reported to be deployed nationwide as of 2022.

The letters issued by Intelligence Bureau as well as that issued by Research and Analysis Wing  are to be given due importance by banks. 

Transaction Monitoring

Also called Manual Transaction Monitoring system targets specific types of transactions. Manual review of various individual reports generated by institution’s host or other systems to identify unusual activity

For Example:

• Cash, Wire, or Monetary Instrument Sales Reports
• Significant Balance Change Reports
• Nonsufficient Funds (NSF) reports 
• Structured Transaction Reports 

Review of daily or monthly reports etc.. are decided  on  risk based approach and cover institution’s higher-risk products, services, customers, entities, and geographic locations; it may also use a discretionary dollar threshold. The thresholds selected should enable you to detect unusual activity

After review, if unusual activity is identified, evaluate all relevant information to determine whether the activity is really suspicious Programming of institution’s monitoring systems should be independently reviewed and evaluated for reasonable filtering criteria “Is your program sufficient for the risk level of your institution?”

Transaction Monitoring - Cash Reviews

In case of transactions carried out by a non-account based customer, that is a walk-in customer, where the amount of transaction is equal to or exceeds rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, the customer's identity and address should be verified.  if a bank has reason to believe that a customer is intentionally structuring a transaction into a series of transactions below the threshold of Rs.50,000/- the bank should verify identity and address of the customer and also consider filing  a suspicious transaction report (STR)  to FIU-IND.

Transaction Monitoring - Funds Reviews

International Transaction

In terms of Clause (b) (ii) of sub-Rule (1) of Rule 9 of the PML Rules, 2005 banks and financial institutions are required to verify the identity of the customers for all international money transfer operations

All types of Transactions

All cash transactions of the value of more than Rupees Ten Lakh or its equivalent in foreign currency;

All series of cash transactions integrally connected to each other which have been valued below Rupees Ten Lakh or its equivalent in foreign currency where such series of transactions have taken place within a month and the aggregate value of such transactions exceeds Rupees Ten Lakh;

CDD for even occasional transactions are required from 2023 onwards.Thus, the scope of CDD measures expands from just account-based relationships to occasional transactions to effectively detect the financial crime activities attempted through occasional transactions or international money transfers.

Identification of Suspicious Transactions 

• Review for patterns of unusual activity
• Periodic review for institutions with low activity is usually sufficient to identify anything unusual
• For more significant activity, spreadsheets or software is needed to identify unusual patterns
• Reports may focus on identifying higher-risk geographic locations and larger dollar funds transfer transactions
• Establish filtering criteria for both individuals and businesses.
• Review noncustomer transactions and payable upon proper identification (PUPID) transactions.
• Activities identified should be subjected to additional research to ensure that activity is consistent with stated account purpose and expected activity.
• When inconsistencies are identified, the institution may need to conduct a global relationship review to determine if a STR is warranted.

The notification modifies Rule 8(2) of the PMLR, removing the timeline of seven (7) days earlier prescribed for filing STR with the Financial Intelligence Unit.

Now, the reporting entities are required to promptly submit the STR once the activity or transaction is identified as suspicious.

The revised PMLR provides that the reporting entity and its employees must maintain the AML records and the AML reports filed with FIU with the utmost confidentiality. However, relaxation is granted around this when such information is necessary to be shared with the group entities for analysis or evaluation of unusual or suspicious activities.

Surveillance Monitoring: Also called Automated Account Monitoring System 

• Combines multiple types of transactions
• Use various rules
• Identify individual transactions, patterns of activity, or deviations from expected activity
• Can capture a wide range of account activity, such as cash activity, funds transfers, ACH, and ATM transactions and monetary instruments
• May include rule-based and intelligent systems to detect unusual or higher-risk transactions
• More sophisticated than transaction monitoring, which only filters on one rule (e.g., transaction greater than $10,000[USA, Australia], Rs 50,000[India])
• May apply multiple rules, overlapping rules, and filters or “alerts” that are more complex
• May include adaptive-filter transactions, based on historical account activity (for example, spikes from average activity)
• Capabilities and thresholds refer to the parameters or alert filters used in the monitoring process
• Parameters and filters: 
• Reasonable and tailored to activity that institution is trying to identify or control;
• Should be reviewed before implementation to identify any gaps (common money laundering techniques or frauds) that may not have been addressed

Example: Institution may have set their filters for cash structuring to only be triggered by a daily cash transaction aggregation in excess of $10,000. (CTR threshold) – USA; In India it is Rs 10,00,0000/

• May need to refine filter to avoid missing potentially suspicious activity because common cash structuring techniques often involve – transactions slightly under the CTR threshold or – are conducted over several days
• Review and test system capabilities and thresholds on a periodic basis
• Focus on specific parameters or filters to ensure that suspicious or unusual activity will be captured
• Are the parameters or filters appropriate for institution’s particular risk profile
• Understanding the filters in your system and how your system works is critical to assessing the effectiveness of your monitoring program
• When developing filters, consider institution’s higher-risk products & services, customers & entities, & geographies
• Filters should be based on what is reasonable & expected for each type of account
• Monitoring based solely on historical activity can be misleading if the activity is not consistent with similar types of accounts & customers
• Account may have historical activity that is substantially different from what would normally be expected from that type of account

 

EXAMPLE: check-cashing business that deposits large sums of cash instead of withdrawing cash for cashing checks

• Authority to establish or change filters should be clearly defined & should require the approval of PMLA officer or senior management
• Document and be able to explain filtering criteria, thresholds used, & how both are appropriate for your risks
• Management should periodically review filtering criteria & thresholds established
• Are they still effective & appropriate for the risk
• Methodology & effectiveness should be independently reviewed & evaluated – To ensure that you are detecting potentially suspicious activity – Are there any gaps

Changes in CDD for Indian banks wef 17 Oct 2023

• Verifying the identity of the customer and the beneficial owners using reliable and independent sources
• Making necessary efforts to understand the nature of the customer’s business
• Understanding the customer’s legal structure – ownership and control

Others:

• The window of two days, as available earlier, to obtain the CDD details from a third party or from the Central KYC registry (when reliance is placed on such a third party to carry out the CDD process) has not been removed, making mandatory for the reporting entity to get these details on immediate basis.
• When the customer is a Trust, it is now required to obtain the identification details of the trust’s protector.
• Inserted a phrase to mandate the reporting entities to maintain the customer’s profile up-to-date and relevant, specifically when the customer is identified as “high-risk”.

The entity’s Customer Due Diligence program must be aligned with its exposure to ML/FT and the nature and size of the business.

2. Red Flags/Alerts Generation

The word red flag represents a metaphor. This is usually used as a warning or cause of concern that a particular situation is having a problem. There may be red flags in business which alert investors and analysts about a company or stock's financial future and/or health. Economic red flags also indicate economic issues looming.

In Anti-Money Laundering (AML) compliance, a red flag describes a warning sign that indicates the possibility of money laundering or other criminal activity. Red flags can include transactions involving companies in sanctioned jurisdictions, large volumes, or funds being transmitted from unknown or opaque sources. 

This concept is used to detect and report suspicious activities by identifying any transaction, activity, or customer behavior and associating it with a certain level of risk. This identification makes it easier for financial institutions to detect and report suspicious activity. Leveraging advanced sanction screening software and staying updated on list-based sanctions can further enhance their capabilities in this regard.

The red flag concept serves as a tool for financial institutions to fight financial crimes by tracking customers' transactions and detecting and reporting suspicious activities. However, financial institutions must have an adequate understanding of money laundering and terrorist financing and operate an effective AML/CFT program to make the most of the red flag concept. Leveraging advanced sanction screening software, staying updated on list-based sanctions, and conducting regular sanction checks can further enhance their capabilities in this regard.

 

All the activities and transactions that fall outside the expected customer activity or certain predefined threshold should generate a “red flag” or alert, for review and investigation by the MLRO or AML team, in coordination with other relevant staff. MLRO must ensure that the red flag mechanism incorporates the possible risk factors considering the customers’ risk profiles.

Red alert thresholds are set for transaction monitoring purposes and are marked in the automated transaction monitoring system. Alerts are generated on the breach of the thresholds or occurrence of unusual transactions or activity. The AML analyst investigates such transactions and activity generating an alert.

Transaction monitoring is an essential process used by financial institutions to detect and prevent money laundering, terrorist financing, fraud, and other financial crimes. Red flags are specific indicators or patterns in financial transactions that suggest potential illegal activity. Effective transaction monitoring systems use a combination of automated tools and human analysis to identify and investigate suspicious transactions.

AML red flags are warning signs, such as unusually large transactions, which indicate signs of money laundering activity. If a company detects one or more red flags in a customer's activity, it should pay closer attention. Identifying red flags is a key component of any AML strategy and regulated businesses need to have a clear process for doing so and then adequately investigating identified issues further. In some cases and jurisdictions, regulated businesses will also need to submit Suspicious Transaction Reports (STRs) to relevant authorities following the identification of a red flag among their clients. 

Red Flags to be Considered in Transaction Monitoring

Responses are sought from the customer on the alert generation and the satisfactory provision of information from the respective customer. Then, the AML Analyst or reviewer marks the alert as closed. 

The number of alerts generated within each bank varies based on several factors, including the number of transactions running through the monitoring system, as well as the rules and thresholds the bank employs within the system to generate the alerts. Banks typically score alerts based on elements contained in the alert, which determines the alert’s priority. 

Banks typically review and re-optimize their alert programs every 12-18 months. Banks noted that many alerts are ultimately determined to be “noise” generated by the software. One bank noted that it is working continuously to reduce the “noise” generated by the software and to develop typologies to enrich the data and reveal the most critical information.

The IBA Working Group report 2010 has listed examples of red flags in its Annexures. The Financial Action Task Force (FATF) has outlined 42 specific red flags for companies to monitor in relation to suspicious financial activities. These red flags are grouped into four key categories that help businesses identify potential money laundering and compliance risks: Client, Source of Funds, Choice of Lawyer and Retainer.

FATF  has also compiled a list of  red flags related to the Virtual Asset industry, which it has separated into six broad categories:

Red flags related to transactions: for example, large transaction volumes or multiple transactions of small volumes

Red flags related to transaction patterns: irregular, unusual or uncommon transaction patterns

Red flags in the source of funds or wealth: when the source of funds is opaque or obscured by multiple ownership layers and the lack of a tax record — or associated with known criminal networks

Red flags related to anonymity: when transactions are originating or being sent to unknown or non-identifiable individuals or entities

Red flag indicators about senders or recipients: when there are irregularities detected in the Known Your Customer (KYC) process, such as multiple accounts being created for the same person

Red flag indicators related to geographical risks: if a transaction party is located in geographic areas that have a high rate of money laundering activity, or are in sanctioned countries. 

Other FATF warnings

The FATF provides extensive insights into the methods used by criminals to launder illegally-obtained financial proceeds, both using VAs and VASPs as well as through the traditional financial industry (FI). The FATF warns that criminals can use one or a combination of the following methods in order to attempt to integrate their illegal proceeds into the legal financial system. These include:

Misusing or exploiting client accounts: using apparently legitimate business/corporate accounts to carry out personal financial functions

Property acquisitions: investing illegally-obtained funds in hard assets such as real estate

Shell company and trust creation: often used to obscure ownership of assets obtained illegally, or used to carry out transactions and/or moeny laundering with illegal funds. 

Use of bogus representatives: creating false identities in order to manage funds and deflect attention away from true perpetrators of financial crime 

Lending: companies can often be used to provide loans to other in return for real assets 

3. Alert Management 

Alert Management is the process used to investigate & evaluate any unusual activity identified. Consider all methods of identification & ensure that your suspicious activity monitoring program includes the process to evaluate any unusual activity identified, regardless of method of identification. Bank should have board approved  policies & procedures in place for referring unusual activity from all areas of the bank or business lines to the personnel responsible for evaluation. It should establish a clear & defined escalation process from the point of initial detection to conclusion of the investigation. 

Resources for Alert Management

Assign adequate staff to identification, evaluation, & reporting of potentially suspicious activities. Factors to be considered are:

• Consider overall risk and volume of transactions
• Experience levels and ongoing training to maintain expertise
• Sufficient internal & external tools to allow them to properly research activities & formulate conclusions

Internal & External research tools

Both Internal & External research tools are needed for supporting trained staff.

Internal Research Tools

• Access to account systems & account information (Employee Accounts too)
• CDD and EDD information – Assist in evaluating if the unusual activity is considered suspicious

External research tools

Available Internet media search tools, as well those accessible by subscription find application here.

In general, there can be three levels of alert processing successively narrowing down to most crucial ones on a risk based approach. 

 

i. Level 1 alerts: The first stage of AML Transaction Monitoring entails Identifying and validating an alert, and checking whether the alert can be discounted or confirming the alert is “true” and requires a thorough investigation.

ii. Level 2 alerts: Reviewing and validating alerts sent by the Level 1 team. Based on the alert, Level 2 investigators create a case to determine the nature of the alert activity (such as anomalous activity or high-risk transfer) and ascertain whether to report the activity to MLROs for SAR/STR filing or close the alert. Activities at this level will include a holistic investigation of the customer, transaction activity and other associated entities which forms the second stage of AML Monitoring.

iii. Level 3 alerts: Reviewing the cases from Level 2 investigators and validating their findings. After ensuring the cases are accurate and compliant, supporting with compiling STRs.

Detailed version on alert management as per IBA Working Group report 2010 is provided in the link given at the end of this post. 

Document Conclusions

After research & analysis investigators should establish the  Document Conclusions (including recommendation regarding to file or not to file)

When multiple departments are responsible for researching unusual activities, lines of communication must remain open

This will allow multiple departments to gain efficiencies by sharing information at the same time reducing redundancies as well as  ensuring all suspicious activity is identified, evaluated, & reported

 

Whitelisting

When repeatedly low risk transactions are listed in the process, technically it is called false positive. To ensure a risk -based approach , such names/entities are moved to another list and appropriate due diligence is carried out before classifying them as Low Risk. This process often results in a significant number of alerts that require manual resolution, consequently creating substantial backlogs and overwhelming workloads. FIs, in their quest to mitigate these challenges, have adopted a practice known as “whitelisting”. This involves clearing a name or entity as “verified,” after which it is exempted from future screening processes, including those against updated data.

Imagine, for example, a ‘single originator to multiple beneficiaries’ situation. This is sometimes referred to as the terrorism rule. This describes one person or entity sending money from a bank account to multiple people or entities. This is a transaction behavior common among financers of terror. But it’s also common legitimate behavior for some corporate accounts. Without whitelisting, AML software might flag a longstanding and trusted corporate account for the ‘terrorism rule’—creating a false positive. Now-a-days regtech software packages come with whitelisting , de-duplication and secondary evaluation that control tracking transactions.

Secondary evaluation for details like matching phone numbers, addresses, and company affiliations can pick out the needle in the haystack of false positives. And a good software solution can do that automatically. Whitelisting conserves valuable resources. 

4. STR Decision Making

After research & analysis is complete, forward findings to final decision maker – May be individual or committee

REs should have group-wide policies & procedures for referring unusual activity from all business lines to personnel responsible

Within procedures, establish clear & defined escalation process from point of initial detection to conclusion of investigation

 

Decision maker should have the authority to make the final STR filing decision. If committee, should be a clearly defined process to resolve differences of opinion on filing decisions

 

Document STR decisions, including the specific reason for filing or not filing a STR. Thorough documentation provides record of STR decision-making process, including final decisions not to file a STR and is made available during the audit. 

The STR Decision may be an inherently subjective judgment. The examiners focus on whether there’s an effective STR decision-making process, not individual decisions. They  review individual STR decisions as a way to test effectiveness of monitoring, reporting, & decision making processes

However in instances where the institution has an established decision-making process and it has  followed existing policies, procedures, & processes , and has determined not to file a STR, it should not be criticized for failure to file unless significant or accompanied by evidence of bad faith

5. STR Completion & Filing

The most critical part of Transaction Monitoring  is the STR completion and Filing. Policies & procedures to ensure STR forms are filed in a timely manner ,  complete and accurate  as well as the narrative provides a sufficient description of activity as well as the reason for filing. 

There are  altogether five reporting formats prescribed for a banking company viz. i) Manual reporting of cash transactions ii) Manual reporting of suspicious transactions iii) Consolidated reporting of cash transactions by Principal Officer of the bank iv) Electronic data structure for cash transaction reporting and v) Electronic data structure for suspicious transaction reporting which are enclosed to this circular. The reporting formats contain detailed guidelines on the compilation and manner/procedure of submission of the reports to FIU-IND. 

 

TIMING:

PMLR 2005 requires filing promptly, and in any case not later than 7 days on confirmation of suspicion.  RE may need to research transaction, account activity, or other circumstances in order to determine whether to file or not. The need for a review of a customer or transactions does not necessarily indicate a need to file a STR

Time period for filing starts when organization, during its review or because of other factors, knows or has reason to suspect that the activity or transactions under review meet one or more of the definitions of suspicious activity

The phrase "initial detection" should not be interpreted as meaning the moment a transaction is highlighted for review for calculating time limit for reporting.   A variety of legitimate transactions could raise a red flag simply because they are inconsistent with account holder’s normal account activity

For example, a real estate purchase or sale, or an inheritance, or a stock sale, may cause an account to have a significant credit or debit that would be inconsistent with typical account activity

 

The bank’s  monitoring system, alerts, or initial discovery of information on a report may flag the transaction; however, this should not be considered initial detection of potential suspicious activity. The applicable time limit does not begin until an appropriate review is conducted and a determination is made that the transaction under review is “suspicious.”

An expeditious review is recommended & helps law enforcement and a complete reviews in a reasonable period of time.

What is "reasonable" will vary according to facts & circumstances of what is being reviewed & the effectiveness of the STR monitoring, reporting, & decision-making process

Key factor is whether there are  established & adequate procedures for reviewing & assessing facts & circumstances identified as potentially suspicious, & are they being followed

For situations requiring immediate attention, in addition to a timely STR, immediately notify, by phone, "appropriate law enforcement authority" &, as necessary, your primary regulator. “Appropriate law enforcement authority" is generally the local office of Enforcement Directorate. Notifying law enforcement of a suspicious activity does not relieve an institution of its obligation to file a STR.

The STR Quality

 

REs required to file STRs that are complete, thorough, & timely. So include all known subject information and importance of accuracy cannot be overstated; inaccurate information, or an incomplete or disorganized narrative, may make further analysis difficult, if not impossible.

 

May be legitimate reasons why info is not provided in STR, such as when filer does not have the information (missing birth date or Aadhar Number, etc)

Thorough & complete narrative may make the difference in determining whether possible criminal nature is clearly understood by law enforcement

STR narrative section is the only area summarizing suspicious activity, this section is critical

Failure to adequately describe the factors making a transaction or activity suspicious undermines the purpose of the STR

STR Narratives:

 

The STR narratives are subjective in nature and examiners generally will not criticize interpretation of facts

Ensure narratives are complete & thoroughly describe the extent & nature of the suspicious activity

No attachments can be sent or stored in the BSA-reporting database (regardless of paper filing or e-filing)

Guidance available in https://rbidocs.rbi.org.in/rdocs/content/Pdfs/68787.pdf

 

Repetitive STRs (STR Renewals)/STR Filing on Continuing Activity

 

One purpose of filing is to identify potential violations of law to appropriate law enforcement for investigation. Objective is accomplished by filing the STR that identifies the activity of concern.

If this activity continues over a period of time, this needs to be made known to law enforcement and federal banking agencies. FinCEN’s (USA) guidelines suggest that institutions should report continuing suspicious activity by filing a report at least every 90 days. 

This practice will notify law enforcement of the continuing nature of the activity. STR renewals remind the institution that it should continue to review the activity to determine whether other actions may be appropriate, such as determining that it is necessary to terminate a relationship with a customer or employee who is the subject of the filing

Law enforcement may want accounts to remain open even if there is suspicious or potential criminal activity in connection with those accounts. If they request that account remains open, institution should ask for a written request. The request should indicate that agency has requested the account remain open & the purpose & duration. The ultimate decision to maintain or close an account should be made by each financial institution in accordance with its own standards and guidelines. So it needs to add to current policies and procedures when to escalate issues or problems identified as the result of repeat STR filings on accounts.

Procedures should include a review by senior management & legal staff (e.g., PMLA compliance officer or STR committee) . The criteria for when analysis of the overall customer relationship is necessary  as well as the criteria for whether &, if so, when, to close the account including that for  when to notify law enforcement

Record Retention

 

Retention & Supporting Documentation 

The RE needs to  retain copy of STR & supporting documentation for 5 years from date of filing: Electronic or Paper. Provide all documentation supporting the filing of a STR upon request to FIU-Ind or appropriate law enforcement or RBI. “Supporting documentation” refers to all documents or records that assisted the institution in making the determination that a STR was required. No legal process is required for FIU-Ind  or appropriate law enforcement or RBI  to obtain copies of the supporting documentation.

Sharing STRs

 

Notify Board of Directors:

 

Notify board of directors or appropriate board committee as per group policy. The dynamic nature of purpose requires no mandated format or frequency; monthly, quarterly; may, but not required to, provide actual copies of STRs or  provide summaries, tables of STRs filed for specific violation types, or other forms of notification

Regardless of format, sufficient & timely information must be provided on STR filings to the board or appropriate committee in order for them to fulfill their fiduciary duties

 

Sharing with Head Offices & Controlling

 

Companies Institutions may share STRs with head offices & controlling companies, whether in India  or abroad . The controlling company defined as:

Bank holding company (BHC)

Savings & loan holding company

Company having the power, directly or indirectly, to direct management policies of an industrial loan company or a parent company or to vote 10% or more of any class of voting shares of an industrial loan company or parent company

Companies:

Indian branch or agency of a foreign bank may share STR with head office outside India

Indian bank may share STR with controlling companies whether domestic or foreign

Maintain appropriate arrangements to protect the confidentiality of STRs. According to the Prevention of Money Laundering Act (PMLA), 2002, a group company is a company, firm, association, or body of individuals that owns, controls, or manages a payment system in India, directly or indirectly. This includes companies, firms, associations, or bodies of individuals that are incorporated or registered outside of India.

 Prohibition of STR Disclosure

 

No institution, director, officer, employee, or agent of a bank that reports a suspicious transaction may notify any person involved in the transaction that the transaction has been reported

 

Frank Mendoza, former Chase Bank official, faces up to 95 years in prison, convicted of disclosing the existence of a suspicious activity report to the suspect. Mendoza, a loss mitigation specialist, approached subject of the SAR & disclosed existence of SAR & suggested suspect pay him $25K for more information about the investigation. Both agencies FIU-Ind and RBI  should take the position that banks’ internal controls for the filing of STRs should minimize the risks of disclosure. 

6. Reporting Suspicious Activity  

REs are required to report activity that may involve money laundering, PMLA  violations, terrorist financing, & certain other crimes

However, RE is not obligated to investigate or confirm the underlying crime (e.g., terrorist financing, money laundering, tax evasion, identity theft, & various types of fraud)

Investigation is the responsibility of law enforcement. When evaluating & completing STR, the RE has to do it to the best of their ability, identify the characteristics of the suspicious activity

7. Review

The review step involves the ongoing evaluation of the effectiveness of the transaction monitoring software. This includes reviewing the parameters and alerts to ensure they are still relevant and practical and reviewing any false positives or negatives to identify areas for improvement. All predetermined rules get evaluated for their relevance and threshold limits.

8.Audit

Financial institutions must establish a clear audit trial for monitoring  and investigations. This helps demonstrate compliance with regulatory requirements and aids in identifying any potential gaps in the transaction monitoring process.

Furthermore, if any discrepancies or suspicious activity is detected, it is essential to notify regulators or increase the vigilance of specific accounts. This is crucial in preventing money laundering and other financial crimes from occurring.

One of the major inputs is STRs in the AML/CFT audit. The establishing of suspicion based on transaction analysis and customer profiling exercises must be appropriately documented and preserved for producing before auditors, RBI and FIU-Ind.   

Reports to FIU-Ind

The role and responsibilities of the Principal Officer include overseeing and ensuring overall compliance with regulatory guidelines on KYC/AML/CFT issued from time to time and obligations under the Prevention of Money Laundering Act, 2002, rules and regulations made thereunder, as amended form time to time. The Principal Officer will also be responsible for timely submission of CTR, STR and reporting of counterfeit notes  and all transactions  involving receipts by non-profit  organisations of value more than rupees  ten lakh or its equivalent in foreign currency to FIU-IND.With a view to enabling the Principal Officer to discharge his responsibilities effectively, the Principal Officer and other appropriate staff should have timely access to customer identification data and other CDD information, transaction records and other relevant information.

The Cash Transaction Report (CTR) for each month should be submitted by NBFCs to FIU‑IND by 15th of the succeeding month. Cash transaction reporting by branches to their Principal Officer / controlling offices should, therefore, invariably be submitted on monthly basis and banks should ensure to submit CTR for every month to FIU-IND within the prescribed time schedule. In regard to CTR the cut off limit of  Rs10 lakh is applicable to integrally connected cash transactions also.

As per ‘Prevention of Money Laundering (Maintenance of Records) Rules, 2005’ amended through issuance of the notification no. 12 of 2013 dated 27 th August, 2013, all cross border wire transfers of value more than rupees five lakh or its equivalent in foreign currency where either the origin or destination is in India needs to be reported every month by the 15th of the succeeding month. Hence, all transactions whether these are for Trade, Non trade or merchant are to be reported if it involves cross border transfers and exceeds the threshold of rupees five lakh.

The Prevention of Money-laundering Act, 2002, and rule thereunder require every banking company, financial institution and intermediary, to furnish to FIU-IND information relating to - All cash transactions of the value of more than rupees ten lakhs or its equivalent in foreign currency; All series of cash transactions integrally connected to each other which have been valued below rupees ten lakhs or its equivalent in foreign currency where such series of transactions have taken place within a month.

The Prevention of Money-laundering Act, 2002, and rule thereunder require every banking company, financial institution and intermediary, to furnish to Financial Intelligence Unit India information relating to all cash transactions where forged or counterfeit currency notes or bank notes have been used as genuine or where any forgery of a valuable security or a document has taken place facilitating the transactions.

Monitoring of Small Accounts

A ‘Small Account' means a savings account which is opened in terms of sub-rule (5) of rule 9 of the PML Rules, 2005. Details of the operation of a small account and controls to be exercised for such account are specified in Section 23.

Notwithstanding anything contained in Section 16 and as an alternative thereto, in case an individual who desires to open a bank account, banks shall open a ‘Small Account’, which entails the following limitations:

        i.            the aggregate of all credits in a financial year does not exceed rupees one lakh;

      ii.            the aggregate of all withdrawals and transfers in a month does not exceed rupees ten thousand; and

    iii.            the balance at any point of time does not exceed rupees fifty thousand.

Provided, that this limit on balance shall not be considered while making deposits through Government grants, welfare benefits and payment against procurements.

Further, small accounts are subject to the following conditions:

a.       The bank shall obtain a self-attested photograph from the customer.

b.      The designated officer of the bank certifies under his signature that the person opening the account has affixed his signature or thumb impression in his presence.

Provided that where the individual is a prisoner in a jail, the signature or thumb print shall be affixed in presence of the officer in-charge of the jail and the said officer shall certify the same under his signature and the account shall remain operational on annual submission of certificate of proof of address issued by the officer in-charge of the jail.

c.       Such accounts are opened only at Core Banking Solution (CBS) linked branches or in a branch where it is possible to manually monitor and ensure that foreign remittances are not credited to the account.

d.      Banks shall ensure that the stipulated monthly and annual limits on aggregate of transactions and balance requirements in such accounts are not breached, before a transaction is allowed to take place.

e.   The account shall remain operational initially for a period of twelve months which can be extended for a further period of twelve months, provided the account holder applies and furnishes evidence of having applied for any of the OVDs during the first twelve months of the opening of the said account.

f.       The entire relaxation provisions shall be reviewed after twenty-four months.

g.      Notwithstanding anything contained in clauses (e) and (f) above, the small account shall remain operational between April 1, 2020 and June 30, 2020 and such other periods as may be notified by the Central Government.

h.     The account shall be monitored and when there is suspicion of money laundering or financing of terrorism activities or other high-risk scenarios, the identity of the customer shall be established as per Section 16 or Section 18.

i.       Foreign remittance shall not be allowed to be credited into the account unless the identity of the customer is fully established as per Section 16 or Section 18.

Simplified procedure for opening accounts by Non-Banking Finance Companies (NBFCs): In case a person who desires to open an account is not able to produce documents, as specified in Section 16, NBFCs may at their discretion open accounts subject to the following conditions:

a.       The NBFC shall obtain a self-attested photograph from the customer.

b.      The designated officer of the NBFC certifies under his signature that the person opening the account has affixed his signature or thumb impression in his presence.

c.      The account shall remain operational initially for a period of twelve months, within which CDD as per Section 16 or Section 18 shall be carried out.

d.      Balances in all their accounts taken together shall not exceed rupees fifty thousand at any point of time.

e.       The total credit in all the accounts taken together shall not exceed rupees one lakh in a year.

f.     The customer shall be made aware that no further transactions will be permitted until the full KYC procedure is completed in case Directions (d) and (e) above are breached by him.

g.     The customer shall be notified when the balance reaches rupees forty thousand or the total credit in a year reaches rupees eighty thousand that appropriate documents for conducting the KYC must be submitted otherwise the operations in the account shall be stopped when the total balance in all the accounts taken together exceeds the limits prescribed in direction (d) and (e) above.

h.    The account shall be monitored and when there is suspicion of ML/TF activities or other high-risk scenarios, the identity of the customer shall be established as per Section 16 or Section 18.

Walk-in Customers 

In case of transactions carried out by a non-account based customer, that is a walk-in customer, where the amount of transaction is equal to or exceeds rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, the customer's identity and address should be verified. However, if a bank has reason to believe that a customer is intentionally structuring a transaction into a series of transactions below the threshold of Rs.50,000/- the bank should verify the identity and address of the customer and also consider filing a suspicious transaction report (STR) to FIUIND.

NOTE: In terms of Clause (b) (ii) of sub-Rule (1) of Rule 9 of the PML Rules, 2005 banks and financial institutions are required to verify the identity of the customers for all international money transfer operations

AML software capable of capturing, generating and analysing alerts for the purpose of filing CTR/STR in respect of transactions relating to third party products with customers including walk-in customers shall be available.

Transactions involving rupees fifty thousand and above shall be undertaken only by:

·         debit to customers’ account or against cheques; and

·         obtaining and verifying the PAN given by the account-based as well as walk-in customers.

These instruction  shall also apply to sale of REs’ own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for rupees fifty thousand and above.

Operation of Bank Accounts & Money Mules

The instructions on opening of accounts and monitoring of transactions shall be strictly adhered to, in order to minimise the operations of “Money Mules” which are used to launder the proceeds of fraud schemes (e.g., phishing and identity theft) by criminals who gain illegal access to deposit accounts by recruiting third parties which act as “money mules.” Banks shall undertake diligence measures and meticulous monitoring to identify accounts which are operated as Money Mules and take appropriate action, including reporting of suspicious transactions to FIU-IND. Further, if it is established that an account opened and operated is that of a Money Mule, but no STR was filed by the concerned bank, it shall then be deemed that the bank has not complied with these directions.

UAPA Cases/UNSCR etc..

 In case, the match of any of the customers with the particulars of designated individuals/entities is beyond doubt, the banks, stock exchanges/depositories, intermediaries regulated by SEBI and insurance companies shall prevent such designated persons from conducting financial transactions, under intimation to the Central [designated] Nodal Officer for the UAPA at Fax No.011-23092551 and also convey over telephone No.011-23092548. The particulars apart from being sent by post should necessarily be conveyed on e-mail id: jsctcr-mha@gov.in, without delay.

The banks, stock exchanges/depositories, intermediaries regulated by SEBI, and insurance companies shall file a Suspicious Transaction Report (STR) with FIU-IND covering all transactions in the accounts, covered under Paragraph 5.1(ii) above, carried through or attempted as per the prescribed format.

The reporting formats and comprehensive reporting format guide, prescribed/ released by FIU-IND and Report Generation Utility and Report Validation Utility developed to assist reporting entities in the preparation of prescribed reports shall be taken note of. The editable electronic utilities to file electronic Cash Transaction Reports (CTR) / Suspicious Transaction Reports (STR) which FIU-IND has placed on its website shall be made use of by REs which are yet to install/adopt suitable technological tools for extracting CTR/STR from their live transaction data. The Principal Officers of those REs, whose all branches are not fully computerized, shall have suitable arrangement to cull out the transaction details from branches which are not yet computerized and to feed the data into an electronic file with the help of the editable electronic utilities of CTR/STR as have been made available by FIU-IND on its website http://fiuindia.gov.in.

While furnishing information to the Director, FIU-IND, delay of each day in not reporting a transaction or delay of each day in rectifying a mis-represented transaction beyond the time limit as specified in the Rule shall be constituted as a separate violation. REs shall not put any restriction on operations in the accounts merely on the basis of the STR filed.

Every RE, its directors, officers, and all employees shall ensure that the fact of maintenance of records referred to in rule 3 of the PML (Maintenance of Records) Rules, 2005 and furnishing of the information to the Director is confidential. However, such confidentiality requirement shall not inhibit sharing of information under Section 4(b) of this Master Direction of any analysis of transactions and activities which appear unusual, if any such analysis has been done.

Happy Reading,

Those who read this, also read:

1. RBI Guidelines on Transaction Analysis

2. IBA WGR on AML/CFT 2010: Alert Management

3. Obligations by RE under PMLA 2002.