Mal Module10

Mar 09, 2016


Module 10: Customer Due Diligence (CDD) and Risk Profiling

Learning objectives

The purpose of this module is to:

- explain the nature of CDD
- outline the practical steps needed to carry out effective CDD
- discuss the value to the organisation of effective CDD
- outline the benefits of a risk-based approach to CDD
- provide a framework for the application of risk-based CDD
- explain the requirements for enhanced due diligence (EDD)
- enable the application of monitoring and CDD
- understand the meaning and importance of beneficial partnership
- understand the obligations on an organisation in respect of record keeping

1. What is CDD?

Customer Due Diligence (CDD) information comprises the information about a client that enables an organisation to assess the extent to which that client exposes it to a range of risks, including the risk of involvement in money laundering. CDD is often referred to as KYC (Know Your Customer) information, although the terminology has developed, as KYC was often associated with the client identification process, commonly thought of as the "passport and two utility bills" approach to CDD. CDD is a far more holistic concept than basic client identification measures, and encompasses a wider range of information and processes, which need to be gathered, verified and assessed throughout a client relationship.

More particularly, CDD information generally comprises information on the following aspects of a client relationship.

- Who is the client?
- What are the geographical locations of the client's residence, assets and business interests?
- What is the nature of the client's business interests/occupation?
- What is the commercial rationale for the relationship between the client and the organisation (what is the client seeking to achieve)?
- What is the client's source of funds?
- What is the client's source of wealth?
- What has been the historical pattern of the client's relationship activity with the business, and has it been consistent with what was expected at the outset of the relationship?
- Is the current or proposed activity consistent with the client's profile and commercial objectives?

Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism

2. The value of CDD information

There are two stages to benefiting from CDD information. The first is to obtain it and use it to decide whether to acquire a prospective client; the second, which is what is usually referred to as CDD, is to use the information actively to facilitate the effective monitoring of client relationships for unusual and potentially suspicious activity.

The key to obtaining maximum value from CDD information is to use it. The mistake financial services businesses commonly make is to obtain and document CDD information, but then fail to refer to it before conducting transactions. Such mistakes can prove to be costly.

Consider the following example.

An offshore Corporate Service Provider (CSP) manages and controls a client company that its files show was set up for investment holding purposes.

Three years after its incorporation, the company enters into an agency agreement for the procurement of contracts and receives large commission payments.

No questions are raised by the CSP, which fails to take account of the CDD information on its own files that indicates that the company was not set up to trade.

It later transpires that the agency activity was illegal, and that the commissions received were the proceeds of crime.

The directors of the CSP are asked to explain why they did not regard it as unusual for an investment holding company that they were managing and controlling to begin trading. They are unable to provide an acceptable explanation.

3. Taking a risk-based approach to CDD

CDD information is not only valuable in assessing potential exposure to the risk of money laundering; it is essential to the assessment and avoidance of a range of additional risks, all of which (including money laundering) are interrelated.

The Financial Action Task Force (FATF) Recommendation 5 (see Course Appendix VI), the Third European Directive (Appendix III), the Basel CDD paper (Appendix V), IAIS Guidance Paper 5 and the IOSC AML Principles paper explicitly envisage that financial institutions will take a risk-based approach to AML. It is important to understand, however, that applying a risk-based approach to client identification does not remove any underlying responsibility for verifying a client's identity; it merely allows a firm to modify the method of identity verification: to simplify it or, in higher-risk cases, to increase it.

A risk-based approach to AML involves the following aspects:

- risk identification and assessment: identifying the money laundering (and associated legal, regulatory and reputational) risks facing the firm, given its customer, product and service profile and having regard to available information, including published typologies; assessing the potential scale of those risks and of the possible impact if they crystallise
- risk mitigation: identifying and applying measures effectively to mitigate the material risks emerging from the assessment
- risk monitoring: putting in place management information systems and keeping up to date with changes to the risk profile through changes to the business or to the threats it faces, and
- documentation: having policies and procedures that cover the above and ensure effective accountability from the board and senior management down.

The UK JMLSG Guidance Notes[89] advise that:

A risk-based approach is one that takes a number of discrete steps in assessing the most cost-effective and proportionate way to manage the money laundering and terrorist financing risks faced by the firm. These steps are:

- identify the money laundering and terrorist financing risks that are relevant to the firm
- assess the risks presented by the firm's particular:
  - customers
  - products
  - delivery channels
  - geographical areas of operation
- design and implement controls to manage and mitigate these assessed risks, and monitor and improve the effective operation of these controls; and
- record appropriately what has been done and why.

Risk assessment is a continuous process: policies and procedures must be reviewed and updated to ensure they are still effective.

3.1 The benefits of a risk-based approach

A risk-based approach places the responsibility on financial institutions and their boards and senior management to identify, assess, mitigate and monitor their money laundering risks on a considered and continuing basis and to ensure that they have adequate controls in place to manage those risks. It is therefore not a soft option, but it does allow firms to be flexible on where they concentrate their efforts. A risk-based approach:

- allows managers to differentiate between their clients in a way that matches the risk in their particular business
- allows senior management to apply its own approach to the firm's procedures, systems and controls, in particular circumstances
- helps to produce a more cost-effective system, and
- ensures that attention and resources can be concentrated where there is the greatest risk.

3.2 The MLRO role in AML risk assessment

The MLRO must play a principal role in determining the institution's risk strategy and risk assessment policies and procedures. In the UK the Financial Skills Partnership (formerly known as the Financial Services Skills Council) Standards[90] state that in assessing and mitigating the money laundering risks relevant to the business, the MLRO must be able to:

- assess the probability and potential impact of different types of money laundering activities that may affect the organisation
- determine the jurisdictional scope of the regulatory and legislative environment in which the firm operates
- complete a risk assessment of the organisation that takes into account external events and threats and firm-specific risks, including staff risks
- assess the risks that are external to the organisation but that directly or indirectly affect its business or control risks
- identify any gaps in the information available about the money laundering risks faced by the organisation and locate this information
- develop a risk-mitigation programme to address issues identified by the risk assessment
- ensure that the risk-mitigation programme is proportionate to the risks posed, in terms of their potential impact and probability, and
- review the risk assessment at regular, agreed intervals and when specific events may affect the assessment.

89. 2010 Guidance, paragraph 4.2.
90. The Financial Skills Partnership originally created the standards in 2006 and these were revised in 2011; see www.int-comp.org/standards

3.3 Understanding different money laundering risks

3.3.1 Criminal risk of money laundering

It must be appreciated that the risk of money laundering applies at both an organisational and an individual employee level.

3.3.2 Regulatory risk

This is the risk that a regulatory authority will impose a sanction, upon either an organisation or an officer thereof, for failing to comply with the regulatory standards applicable in a particular industry sector. A variety of different forms of sanction can be applied, including:

- the imposition of conditions upon a licence (conditions can be in a variety of different forms, e.g. removal of a particular officer or employee, implementation of remedial action)
- fines
- withdrawal of a licence, and
- removal of an individual's authorisation to operate within the financial sector.

Where the criminal risk of money laundering materialises, some form of regulatory risk may also materialise.

3.3.3 Legal risk

This is the risk of exposure to litigation; it can occur in a variety of guises, including action for breach of a constructive trust, or a breach of contract.

3.3.4 Reputational risk

This is the risk that the reputation of an organisation will be damaged in such a way that it will be regarded less positively, or even damaged to such an extent that the business is forced to close. Reputational damage always follows the materialisation of criminal or regulatory risk.

3.3.5 Compliance risk

This can take on a variety of meanings but is often used to refer to the risk that a business will fail to adhere to its own internal compliance procedures. The impact of such a risk can result in both legal and regulatory liability as well as giving rise to the expense of remediation to correct any past business failures. The concept of compliance risk will become more significant when operating in a principles-based regime, where more generic regulation places increasing emphasis on businesses to devise internal compliance arrangements appropriate to the nature and complexity of their own activities.

3.3.6 Concentration risk

This is a risk that generally applies in respect of both the assets and the liabilities of banks. The risk is either that the assets of a bank will be too greatly concentrated on certain borrowers or groups of related borrowers, or that the liabilities of the bank will be too concentrated on a small group or groups of depositors. This can arise when criminals become the principal depositors and engage in capital flight to avoid detection.

3.3.7 Liability risk

This risk usually results from the materialisation of legal risk and the subsequent establishment of blame on the part of an organisation. Liability risk can also result in reputational and regulatory risk.

3.3.8 Credit risk

This is the risk that funds obtained fraudulently will not be repaid.

3.3.9 Operational risk

This is the risk that systems and controls may be compromised owing to internal collusion or the infiltration of the organisation by criminals.

3.3.10 Financial risk

This risk concerns the cost of defending a charge of money laundering and clearing one's name with the regulator, which can be significant both in real costs and in management resources.

3.4 The questions to be asked

The risks posed by clients differ according to the number and type of risk factors within a relationship. The risks posed by an ordinary retail bank current account for a local resident earning RM40,000 per annum with an obvious source of funds and regular standing order or direct debit expenditure will not be as great as the risks of a relationship with a non-resident PEP wishing to invest RM10 million through an offshore trust in a munitions company based in a former Soviet satellite state. The amount of CDD information required in the latter example, both at the outset and throughout the duration of the relationship, will be far greater, in order for an organisation to be able to assess and monitor the risk.

In order to tailor its policies and procedures to the particular AML risks that the institution faces, the MLRO and senior management will need to ask themselves a number of questions.

3.4.1 What risk is posed by the firm's customers?

For example, MLROs should evaluate the risk of:

- complex business ownership structures, which can make it easier to conceal underlying beneficiaries, where there is no legitimate commercial rationale
- an individual in a public position and/or location which carries a higher exposure to the possibility of corruption (e.g. a PEP)
- customers based in, or conducting business in or through, a high-risk jurisdiction, e.g. a jurisdiction with higher levels of corruption or organised crime, or a jurisdiction known to be a drug production/distribution or trans-shipment point, or a jurisdiction that appears on sanctions lists
- customers engaged in a business which involves significant amounts of cash, and
- customers that work in high-risk industries, for example, the arms trade, pharmaceuticals, telecommunications, construction, mineral extraction or gambling, or are involved in public contracts.

3.4.2 What risk is posed by a customer's behaviour?

For example:

- when there are requests to associate undue levels of secrecy with a transaction
- situations where the origin of wealth and/or source of funds cannot be easily verified, or where the audit trail has been deliberately broken and/or unnecessarily layered, and
- the unwillingness of non-personal customers to give the names of their business's real owners and controllers.

3.4.3 How does the way the customer comes to the firm affect the risk?

For example, the MLRO should evaluate the risks of:

- one-off transactions as compared with business relationships
- introduced business, depending on the effectiveness of the due diligence carried out by the introducer
- non-face-to-face acceptance, and
- companies based in jurisdictions with poor regulatory controls, high levels of corruption, or jurisdictions known to have excessive secrecy or lack of transparency in respect of financial entities and transactions.

3.4.4 What risk is posed by the products/services the customer is using?

For example, the MLRO should:

- consider whether the product features can be used for money laundering or terrorist financing, or to fund other crime
- consider whether the products allow or facilitate payments to third parties
- understand that the main risk may be that inappropriate assets might be placed with, or moved from, or through, the firm, and
- consider the risk if a customer migrates from one product to another within the firm.

3.5 Assessing the effect of the countermeasures in place

An AML/CTF risk assessment is not a one-off event. Risks change, as do client activities and profiles, and the institution's products, services and method of delivery will also evolve. It is generally recommended by national and international bodies that the institution should revisit its risk assessment at least annually.

As part of its continuous review, a financial institution should have some means of assessing whether its risk-based approach and countermeasures are working effectively. The result of the review and any improvements or changes that need to be made should be included in the MLRO annual report. The matters that will need to be taken into account when assessing the effect of the strategy should include:

- whether the procedures to identify changes in client characteristics are satisfactory and whether the changes are being adequately documented
- whether the vulnerabilities of the various products and services have changed and whether new products and services have been adequately risk assessed
- the extent to which staff awareness-raising and training is resulting in a sufficient degree of understanding and competence
- the results of the compliance monitoring arrangements and action that has been taken as a result of any reports raised
- whether sufficient information is being given to senior management to enable the AML risks to be managed, and the action to be taken by senior management in response, and
- the effectiveness of the liaison with regulatory and law enforcement agencies and whether improvements can be made.

3.6 Implementing a risk-based approach

How a risk-based approach is implemented will depend on the institution's operations structure and the answers to the questions set out in the previous section.

There are a range of client, product and delivery mechanism characteristics that, when taken together, can indicate the level of money laundering or terrorist financing risk inherent in the particular customer relationship. Each individual institution must decide, on the basis of its risk assessment, the level of identity verification, additional CDD information and frequency of monitoring that are required. The background and rationale behind all decisions and the procedures put in place to implement them will need to be clearly documented. In particular, the arrangements for higher- and lower-risk clients need to be fully documented, particularly to justify the need for simplified or enhanced due diligence.

In June 2011 the Institute of International Finance (IIF) published a report entitled "Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions". The IIF states that the objective of its report is to provide insights and practical recommendations to the different stakeholders in the design and implementation process of these frameworks. In particular, the report contains recommendations for different levels of management.

- Board directors: this includes the need for such directors to ensure that they are able to engage fully with firms' risk and risk appetites.
- Senior management: this includes the need for senior management to set the tone and lead discussion regarding risk appetite.
- The risk management function: for example, the need for risk management to provide clarity of concept, definition and support regarding risk and risk appetite within an organisation.

In addition, the IIF report's key recommendations to firms include that:

- firms should initiate a dialogue across businesses, risk, IT and operations on how to redesign the risk IT architecture to fill gaps in functionality, especially with respect to simulations, including stress-testing
- firms should consider establishing a single point of responsibility to oversee the development of new risk applications
- firms should develop data collection capabilities that provide senior management with timely views of the whole firm's exposures to any given firm or sector, and
- firms should aim to create a common data model, including standard definitions of all risk-related data and, where appropriate, also consider the consolidation of their data into a small number of data warehouses.

The report offers practical insights and case studies on how embedding a risk appetite into the firm can be achieved.

4. CDD in Malaysia

4.1 AMLATFA provisions

In Malaysia the requirements, under section 16 of AMLATFA, specify that a reporting institution:

a) Shall maintain accounts in the name of the account holder; and
b) Shall not open, operate or maintain any anonymous account or any account which is in a fictitious, false or incorrect name.

A reporting institution shall:

a) Verify, by reliable means, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, as well as other identifying information on that person, whether he be an occasional or usual client, through the use of documents such as identity card, passport, birth certificate, driver's licence and constituent document, or any other official or private document, when establishing or conducting business relations, particularly when opening new accounts or passbooks, entering into any fiduciary transaction, renting of a safe deposit box, or performing any cash transaction exceeding such amount as the competent authority may specify; and
b) Include such details in a record.

A reporting institution shall take reasonable measures to obtain and record information about the identity of the person on whose behalf an account is opened or a transaction is conducted if there are any doubts that any person is not acting on his own behalf, particularly in the case of a person who is not conducting any commercial, financial or industrial operations in the foreign State where it has its headquarters or domicile.

For the purposes of this section, "person" shall include any person who is a nominee, agent, beneficiary or principal in relation to a transaction.

4.2 Customer acceptance policies

There is an obligation on all reporting entities to develop customer acceptance policies and procedures in order to know their customer and the nature of the customer's business. To this end the reporting entity should identify and evaluate the potential risk posed by a customer. A risk profile is required, particularly, in respect of high-risk customers such as PEPs and high-net-worth individuals.

In conducting a risk-profiling exercise, the reporting organisation should take into account, as a minimum, the following factors:[91]

- the origin of the customer and the location of the business
- background and profile of the customer
- nature of the customer's business
- structure of ownership for a corporate customer
- information indicating the customer is high risk.

Reporting institutions should ensure that the CDD information that they hold on the customer is regularly reviewed and updated, especially when there are changes in the circumstances of the individual's business or employment.[92]

The general principle when conducting CDD on a customer is to ensure that there is satisfactory evidence and proper records relating to the identity and legal existence of the potential customer. The documentary support materials should be reliable and independent.

4.3 Customer due diligence procedures

Reporting institutions should conduct CDD wherever:

- a new business relationship is established
- cash or occasional transactions in excess of RM50,000 are being transacted (banking activities only)
- there is any suspicion of money laundering or terrorist financing
- the nature of the previously supplied information by the customer is questionable
- the transaction involves a new type of service or product or a new technology of delivery
- a wire transfer is used and the amount exceeds RM3,000.

In conducting CDD the minimum requirements to be undertaken include:

- identification and verification of the customer
- identification and verification of any beneficial ownership and control of a transaction
- the purpose and nature of the business relationship or transaction, and
- continuing due diligence and scrutiny.

If a customer fails to provide the necessary information or fails to cooperate with the reporting entity, then this constitutes suspicious activity in itself, and any new relationship should be inserted and the lodging of an STR considered. Occasionally a period of grace, circa 14 days, may be given where there is genuine reason for non-production of information and the risk category of the customer is low.

91. See Malaysia Standard Guidelines on AML/CFT, Sections 4 and 5.
92. See Malaysia AML/CFT Sectoral Guidelines on Banking and Financial Institutions, Section 2.

As a general principle, the extent of CDD required varies according to the risks associated with the type of customer, the nature of the service or product or the type of transaction undertaken.

5. The practical application of CDD

It is worth repeating the fundamental reasoning behind why CDD is performed. It is the foundation of a good AML regime that assists in the prevention and detection of criminal activity and those behind such activity. As such it is important that firms ensure they have:

- identified the customer (including beneficial owners)
- verified that identity, and
- recorded and kept up to date sufficient information (at least the reason for the relationship) and data on their customers to assist in the detection of potentially suspicious activity.

It is also expected this will be carried out in a risk-based way in order that firms can apply resources to CDD appropriately. For example, the level of CDD and resources applied to a salaried individual working for a multinational company who wants a credit card should differ considerably from that of an SME based in a country with a reputation for high levels of corruption and poor regulation that is seeking a series of products including trade finance and large term deposits.

In some firms this may be relatively straightforward, if the customer base is small, and the product offering and geographic footprint are limited. For others it presents a considerable challenge to differentiate the risk posed by the many types of potential customer.

A key area of challenge for many firms is the interpretation of what regulations mean when they use phrases such as "understanding the nature of business" or "the purpose and reason for opening the account". The first table below looks at how firms may consider explaining to those of their staff responsible for CDD how these could be interpreted.

Table 4.1: The practical application of regulatory expectations

Regulatory expectation: Understand the nature and details of the business
Practical application: A demonstration that a firm clearly does know the customer's business activities. Generic descriptions such as "general merchandising", "general imports and exports", "real estate", etc. are not sufficient. There should be more description, as in the examples below.
(i) Retail sale of electrical products for domestic use: washing machines, TVs, DVD players as well as kitchen and other smaller home-use appliances (toasters, hairdryers). Mr A and his two sons have been the owners of the company since 1998, with Mr A being the main person running the business and the decision-maker of the company.
(ii) Import and export of roller skates since 2006. Main countries where the imports are sourced are China and Taiwan, and exports are mainly to European countries (>50% to Germany).

Regulatory expectation: An understanding of the business activities
Practical application: Document in detail the customer's business activities, going beyond the description above.
(i) Are there business divisions? If so, what are they?
(ii) Describe any major clients of the customer.
(iii) Describe any major suppliers to the customer.
(iv) Describe any competitors of the customer.
(v) Describe the main countries or regions where the customer does business.

Regulatory expectation: The purpose and reason for opening the account or establishing the relationship
Practical application: Demonstrate understanding of the customer's need for the services and/or products to be provided, as in the examples below.
(i) Customer needs a collection product to manage retail receipts.
(ii) Customer needs trade finance facilities to support import-export business between China and Europe.
(iii) Customer needs a short-term finance facility to support operations during quiet periods in the property market.
As such, the products that the customer will use could be:
- Trade Finance: LCs, export documentary collection, etc.
- Financial Markets: FX, bonds, interest rate swaps, equity derivatives, etc.
- Cash Management: current account with cheque books, overdraft, etc.

Regulatory expectation: An understanding of the anticipated volume of activity for the products used by the customer
Practical application: Demonstrate understanding of how the customer intends to use the products that will be provided. Consider providing a range of monthly activity for each product indicated. For example: Export L/Cs HK$xx, USD/Yen FX US$ yy, Outgoing payments Euro$ zz, etc. This could be determined from available information (e.g. copies of recent financial statements).

Regulatory expectation: The source of funds
Practical application: Demonstrate understanding of the origin of funds to be used/received throughout the relationship. In practice that means the activity from which the funds are ultimately derived, e.g. the customer's business activities or sale of assets. A description such as "Business proceeds" would be fine if there is information available, for example, financial statements demonstrating a business that generates such proceeds. For other customers more description is required, for example, "proceeds from media business that generates RMx of annual sales and has a record operating income of RMy in 2011".

The next set of tables and situations provide practical examples of CDD that may be applied in most situations (excepting those already given above). These are only theoretical examples of a risk-sensitive approach to CDD. Firms should develop and design an approach dependent on the actual money laundering risk derived by a ML risk assessment, any subsequent customer risk rating methodology employed and extant regulations or internal requirements.


    NotesTable 4.2: Practical applications of guidelines on individual customers

    Individual Customers | Practical Applications

    Standard Guidelines:
    Full name
    NRIC/passport number
    Permanent and mailing address
    Date of birth
    Nationality

    Sectoral guidelines:
    Occupation, type/self-employed
    Name of employer or nature of self-employment/nature of business
    Contact number (home, office, mobile)

    International best practice:
    Anticipated level and number of transactions
    The purpose of, and reasons for opening, the account (if not implicit in the products taken)
    Source of wealth

    Practical applications:

    To verify the identity of the individual, documents that describe the full name and either date of birth or residential address are the desired method.

    In certain cases, the individual required to be verified is well-known (e.g. a well-known businessman often in the public domain) and sighting of any document as mentioned above may not always be practical. Although all efforts should be taken to obtain such documents, where this is not practical, reliance may be placed on any publicly available documents containing photographs of the individual. However, this process may be risky when the account is opened via an intermediary/third party acting on behalf of the individual VVIP. The third party has not had the privilege of a face-to-face meeting with the VVIP and thus will not be able to confirm to the bank that the VVIP is the same person as in the photo.

    1. Preferred document to verify identity

    A government-issued document which contains the name, photograph and either the residential address or date of birth. For example:
    passport
    driving licence
    NRIC for Malaysian/permanent resident
    ID card issued by the Electoral Office

    2. Other methods

    (i) A government-issued document without a photograph, incorporating full name, supported by

    (ii) a second document, either government-issued, or issued by a judicial authority, a public sector body or authority, or another AML-regulated firm, which incorporates the customer's full name and either his residential address or his date of birth.

    Examples of second document:
    Instrument of a court appointment such as liquidator, or grant of probate
    Tax demand letter or statement from government departments or local bodies
    Bank or credit/debit card statements (should be current within last 3 months) issued by a regulated financial sector firm in an equivalent jurisdiction
    Utility bill (should be current within last three months)

    3. In some jurisdictions electronic data sources (not pure credit bureaus) can provide the necessary verification without involving the customer. To rely on an electronic confirmation, it is necessary to achieve:
    one match on an individual's full name and current address, and
    from a secondary check, a second match on an individual's full name and either his current address or his date of birth.

    Appropriate evidence such as a relevant printout or agency report must be retained.

    4. PO Boxes are not generally acceptable as a residential address. In those countries where PO Boxes are commonly used, such as the Middle East, the residential address must, at the very least, be a recorded description. PO Boxes are acceptable as mailing addresses.

    Table 4.3: Other less common situations for Individuals

    Non face-to-face account opening (where the customer is not met personally while opening the account, e.g. a request through mail or the Internet):

    While the documents obtained and seen may be similar to those required in normal individual circumstances, it is important to try to obtain some independent corroboration of them, which may include having them certified by other banks, lawyers, accountants, diplomatic missions, Commissioners of Oaths or a Notary Public; or allowing uncertified documents provided the first payment to the account is carried out through an account in the customer's name with a bank from an equivalent jurisdiction.

    Customers who cannot provide standard evidence (such as customers in low-income groups; those with legal, mental or physical inability to manage their affairs; people under the care of others; dependent spouses or minors; students, refugees, migrant workers; and prisoners):

    There are good reasons why such customers are unable to provide the documentation for verification, but they are, quite correctly, entitled to financial services and should not be excluded. In these cases, alternative methods of verification may be used, examples being:
    letter from the relevant authorities, in the case of recipients of government benefits/financial support such as unemployment benefit or old age pension
    letter from Care Home Manager or employer
    letter from prison authorities or police
    letter from educational institution
    a letter or statement of reference from a person of good social standing such as a doctor, a teacher, a lawyer or an accountant, certifying his knowledge that the person is who he claims to be; this is the lowest level of verification that is acceptable.

    Table 4.4: Practical application of guidelines for corporate customers

    Corporate Customers | Practical application

    Standard Guidelines:
    Memorandum/Articles/Certificate of incorporation/partnership
    Identification document of Directors/Shareholders/Partners
    Authorisation for any person to represent the company/business
    Relevant documents as to the identity of the person authorised to represent the company/business in dealings with the reporting institution

    Practical application:

    The articles should be supplied and a copy taken (certified true copies/duly notarised copies may be accepted), or other reliable references used to verify the identity of the corporate customer.

    Certified true copies/duly notarised copies of Form 24 and Form 49 as prescribed by the Companies Commission of Malaysia, or equivalent documents for foreign incorporation, may be accepted.

    Identification evidence is required wherever an individual shareholder has a majority or more than 25% of a controlling interest in the entity.

    A reporting institution should conduct a risk review of any organisation about which it has doubts, e.g. basic searches and enquiries to ensure the organisation has not been or is not in the process of being dissolved or liquidated. The authenticity of information can be checked with the Companies Commission of Malaysia.

    The reporting institution should identify the beneficial owner of the corporate customer and know the ownership and control structure of the corporate customer in order to detect any unusual circumstances concerning changes to the company/business structure or ownership or the payment profile of its account.

    On the basis of the risk profiling conducted on the customer, reporting institutions should take reasonable measures to verify the beneficial owner of the corporate customer.

    The reporting institution is not required to obtain a copy of the Memorandum and Articles of Association or certificate of incorporation, or to identify or verify the directors and shareholders, of corporate customers which fall under the following categories:

    a) public listed companies/corporations (including foreign companies listed on exchanges recognised by Bursa Malaysia Securities Berhad) subject to regulatory disclosure

    b) government-linked companies in Malaysia

    c) state-owned corporations and companies in Malaysia

    d) financial institutions licensed under the Islamic Banking Act 1983, the Takaful Act 1984, the Banking and Financial Institutions Act 1989, the Insurance Act 1996, the Securities Commission or the Labuan Offshore Financial Services Authority, or

    e) prescribed institutions under the Development Financial Institutions Act 2002 and supervised by Bank Negara Malaysia

    Table 4.5: CDD requirements in relation to privately owned entities


    Type of Customer | Standard CDD requirements | Enhanced CDD requirements | Practical application considerations and challenge areas

    Privately owned (applies to private companies, partnerships and unincorporated businesses not falling under any of the Special Categories given below)

    Standard CDD requirements

    Information and verification:
    Record names of all directors, partners, proprietors
    Record names of shareholders owning at least 25% of the shares/capital or voting rights
    Record names of all authorised signatories
    Nature and details of the business
    Purpose and reason for opening the account or establishing the relationship
    The anticipated volume of activity for the products used by the customer
    Whether the customer conducts business with any countries subject to sanctions
    Source of funds

    Verification:
    Identity of customer entity.
    1. Identities of all principal beneficial owners owning at least 25% of the shares/capital or voting rights.
    2. Authority of authorised signatory(ies) to open and operate the account.

    Enhanced CDD requirements
    Record names of shareholders owning at least 10% of the shares/capital or voting rights
    Record names of all beneficial owners at the 10% level
    Detailed description of the business activities
    Conduct additional media searches
    Consider further checks on the identity of one or more controlling directors (e.g. managing director), partner or proprietor, typically the director with authority to operate the account.

    Practical application considerations and challenge areas
    Unwrapping ownership structures: record names of all beneficial owners identified through the unwrapping process.
    Where the customer is a majority-owned subsidiary (i.e. more than 50% ownership) of a regulated Financial Institution (FI) or Listed Corporate (regulated market), a streamlined approach could be acceptable: evidence from the annual audited report or other independent source that confirms the subsidiary status of the customer, AND attach a copy, where applicable, of the regulator's internet page or the FI's licence to establish the regulated status of the parent FI.

    Privately owned Significant and Well-Established Private Entities (SWEPEs)

    Standard CDD requirements

    Information:
    Record names of all directors, partners, proprietors
    Record names of shareholders owning at least 25% of the shares/capital or voting rights (where a limited company)
    Record names of all beneficial owners
    Record names of all authorised signatories
    Nature and details of the business
    Purpose and reason for opening the account or establishing the relationship
    The anticipated volume of activity for the products used by the customer
    Whether the customer conducts business with any countries subject to the controls in the Group sanctions procedures
    Source of funds

    Verification:
    1. Identity of customer entity.
    2. Authority of authorised signatory(s) to open and operate the account.

    Enhanced CDD requirements
    Detailed description of the business activities
    Conduct additional media searches

    Practical application considerations and challenge areas
    Definitions:
    1. SWEPEs may be limited companies, sole proprietorships or partnerships. A SWEPE should have: (i) a long history in their industry; (ii) scale; (iii) substantial public information about them and their principals and controllers, with information on beneficial ownership (at the 25% level) in the public domain; (iv) good reputation.

    Clubs/Societies and Charities

    Standard CDD requirements

    Information and verification:
    Certificate of registration
    Legal status of the club/society (company, trust, etc.)
    Purpose of the club/society
    Record names of all officers
    Record names of all authorised signatories
    Purpose and reason for opening the account or establishing the relationship
    The anticipated volume of activity for the products used by the customer
    Whether the customer conducts business with any countries subject to the controls in the Group sanctions procedures
    Source of funds

    Verification:
    Identity and legal status of the club/society
    Identity of the officers (number of signatories) who have authority to operate an account or to give instructions concerning the use or transfer of funds or assets
    Verification that the person has been duly authorised by the club/society to open and operate the account.

    Enhanced CDD requirements
    Describe how members or associates use or benefit from the club/society/charity
    Conduct additional media searches

    Verification enhancements:
    Identity of all the officers
    Certified copy of constitutional documents or equivalent of the club/society for identity and legal status.
    Minutes authorising the appropriate officer(s) to open and operate the account.

    Practical application considerations and challenge areas
    Due diligence practical ideas: describe how members or associates use or benefit from the club/society. For example:
    Professional society for lawyers or accountants: the members' objective is to maintain their professional qualification status.
    Recreational club: the members are entitled to the use of the recreational facilities, e.g. golf courses, available in the country as well as overseas where the club operates. Where the club operates in different countries, record all the geographic locations.
    The reporting institution should closely scrutinise the accounts of clubs, societies and charities for discrepancies.

    The above tables set out a significant proportion of the types of CDD situation likely to be encountered whatever the type of regulated industry in which a firm may operate. The CDD requirements relate to individuals or non-individuals and, as mentioned, the above situations provide practical, albeit theoretical, CDD considerations in a risk-based way.

    There are other types of customer that could introduce specific risks. This may be because they are required by regulation to have enhanced due diligence conducted or because it is not entirely clear exactly who the customer is for CDD purposes.

    Consider the following examples:

    Mrs A wishes to open a joint current account with her husband. She works in a call centre and her husband is an employed plumber. They are resident in the country where they are opening the account and will be depositing an initial sum of RM2,000. They expect to deposit around RM3,000 monthly from salary payments.

    The above is a good example of a situation where a standard set of due diligence procedures would apply.

    Mr B wants to open current and savings accounts with an initial deposit of RM50,000. He is a Philippine national but resident in Malaysia, where he is a senior diplomat.

    This may well be an Enhanced Due Diligence scenario. It would have to be determined whether Mr B is a PEP and, if so, this would be an automatic enhanced due diligence (EDD) situation requiring more in-depth consideration of Mr B's actual source of wealth.

    6. Assessing CDD risk

    6.1 Who is the customer and what is meant by the identification of beneficial owners?

    The application of CDD is required when an institution covered by the regulations enters into a business relationship with a customer or, at times, a potential customer. This includes occasional, one-off transactions even though these may not constitute an actual business relationship as it is defined.

    The general approach taken is that a customer is a party or parties with whom a business relationship is established or for whom a one-off transaction is carried out. The term business relationship applies where a professional or commercial relationship will exist, with an expectation by the firm that it will have an element of duration.

    The important issues to focus on are that:

    even where there is no business relationship but only a one-off transaction, CDD will still be required, and
    CDD will also be required where a business relationship is established yet there are no transactions (e.g. advisory services).

    6.1.1 Beneficial owners

    The principle behind this requirement is that criminals will attempt to disguise and/or hide the actual ownership of assets through the use of complex structures with numerous entities and/or beneficial owners.

    The requirement is for firms to identify who the actual beneficial owners are and, on a risk-sensitive basis, verify the identity of such beneficial owners.

    In meeting this requirement firms need to be aware of the risk behind such complex structures and probe sufficiently well to satisfy themselves that those claiming to be beneficial owners are, in fact, actual beneficial owners and not acting on someone else's behalf.

    A beneficial owner may be defined as:

    The natural person who ultimately owns or controls a customer (whether through direct or indirect ownership and control, including through bearer share holdings), or the natural person on whose behalf a transaction or activity is being conducted, or the natural person who exercises ultimate effective control over the management of a legal entity.

    There are some practical challenges to understanding the identity of the customer for CDD purposes.

    There are circumstances where a number of parties may be involved in a business relationship or transaction (e.g. a syndicated loan) where, for each individual firm, they may not all be customers.
    The actual CDD requirements to be applied in the numerous customer-type situations vary.
    There can be difficulties working out exactly who the beneficial owners are within more complex organisation and entity structures.

    Practical approaches to all types of CDD and examples of more complex CDD situations, including beneficial ownership, are considered later in this module providing potential solutions to these challenges.

    6.2 FATF and beneficial ownership

    6.2.1 The FATF requirements

    Beneficial ownership is a major area of contention in AML/CTF globally. Although the FATF recommendation is clear as to its expectations, even FATF member countries have not found it an easy matter to cover in domestic AML/CTF regulations.

    The FATF recommendation on beneficial ownership is found in recommendation five, which says that financial institutions should verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. The definition used by the FATF says that beneficial ownership refers to the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.

    The World Bank compiled data regarding the compliance of countries with recommendation five, and it makes for interesting reading. Even FATF member countries have difficulties complying with recommendation five, with 71% of members only partially compliant during the current round of mutual evaluations.

    6.2.2 The World Bank's Puppet Masters Report 2011

    This report argues that beneficial ownership should be understood as a material and substantive concept and not just a legal definition. The report's view is that beneficial ownership is a reference to the de facto control over a corporate vehicle.[93]

    The report contends that the focus should be on two factors when identifying beneficial ownership:

    the control exercised; and
    the benefit derived.

    Law enforcement searches for the individual who benefits from a structure when they investigate complex and opaque structures and money flows.[94] A legal person cannot be a beneficial owner because it can never be an ultimate controller. An ultimate controller is always an individual.[95]

    93. Executive Summary page 3, World Bank's Puppet Masters Report 2011.
    94. World Bank's Puppet Masters Report 2011 page 18.

    The essence of beneficial ownership is not ownership but control. It is important not to confuse the concept of legal ownership with the concept of control.[96]

    A formal approach, based on percentage thresholds of ownership, may yield useful information about ultimate ownership or control and may lead to the identification of people of interest who possess information regarding the beneficial owners. However, the percentage approach has significant limitations.

    The report makes the point that beneficial ownership cannot be resolved without knowing more about the context. Therefore simple rules or formulas, whilst helpful, are not of themselves dispositive of the issue.[97]
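    As an added illustration of the formal percentage approach discussed above and of the "unwrapping ownership structures" step in Table 4.5 (example code, not from the module or the World Bank report), the following Python walks a constructed ownership graph down to the natural persons behind it, applies the 25% (standard CDD) and 10% (enhanced CDD) thresholds, and flags the more-than-three-layers condition cited in footnote 103. Entity and person names are invented.

```python
"""Unwrapping an ownership structure with the formal percentage approach.

Added example (not from the module or the World Bank report). The ownership
data below is constructed for illustration: each legal entity maps to its
direct holders and the percentage of shares/capital each holds; natural
persons have no entry, so they are the leaves of the graph.
"""
from collections import defaultdict

OWNERSHIP = {
    "Customer Ltd": {"HoldCo A": 60.0, "HoldCo B": 30.0, "Alice": 10.0},
    "HoldCo A": {"TopCo": 100.0},
    "TopCo": {"Bob": 50.0, "Carol": 50.0},
    "HoldCo B": {"Dave": 20.0, "Erin": 80.0},
}

STANDARD_THRESHOLD = 25.0  # Table 4.5: standard CDD records holders at 25%
ENHANCED_THRESHOLD = 10.0  # Table 4.5: enhanced CDD lowers this to 10%
MAX_LAYERS = 3             # footnote 103: more than three layers is a flag


def unwrap(entity, ownership):
    """Attribute the customer's capital to natural persons.

    Returns (effective share per natural person, number of legal entities
    interposed on the longest chain, set of entities found in a circular
    holding). Shares are multiplied along each chain, so a 50% holder of a
    60% holder ends up with an effective 30%.
    """
    effective = defaultdict(float)
    deepest = 0
    circular = set()

    def walk(node, share, depth, path):
        nonlocal deepest
        holders = ownership.get(node)
        if holders is None:           # natural person: attribute the share
            effective[node] += share
            return
        if node in path:              # entity already on this chain: a loop
            circular.add(node)
            return
        deepest = max(deepest, depth)
        for holder, pct in holders.items():
            walk(holder, share * pct / 100.0, depth + 1, path | {node})

    walk(entity, 100.0, 0, frozenset())
    return dict(effective), deepest, circular


def beneficial_owners(effective, threshold):
    """Natural persons at or above the threshold, highest share first."""
    owners = [(n, s) for n, s in effective.items() if s >= threshold]
    return sorted(owners, key=lambda item: (-item[1], item[0]))


def assess(entity, ownership, enhanced=False):
    """Summarise the unwrapping result for a CDD file.

    The percentage approach only says who holds capital; control exercised
    through nominees, voting agreements or bearer shares is not visible
    here, which is the limitation the text warns about.
    """
    effective, layers, circular = unwrap(entity, ownership)
    threshold = ENHANCED_THRESHOLD if enhanced else STANDARD_THRESHOLD
    flags = []
    if layers > MAX_LAYERS:
        flags.append(f"{layers} layers of legal entities (more than {MAX_LAYERS})")
    if circular:
        flags.append("circular holding via " + ", ".join(sorted(circular)))
    unattributed = round(100.0 - sum(effective.values()), 6)
    if unattributed > 0:
        flags.append(f"{unattributed:g}% of capital not traced to a natural person")
    return {
        "beneficial_owners": beneficial_owners(effective, threshold),
        "layers": layers,
        "flags": flags,
    }


if __name__ == "__main__":
    for enhanced in (False, True):
        result = assess("Customer Ltd", OWNERSHIP, enhanced=enhanced)
        print("enhanced" if enhanced else "standard", result)
```

    On the sample structure the standard run lists only Bob and Carol (30% each), while the enhanced run also surfaces Erin (24%) and Alice (10%); a circular holding or an untraced remainder is reported as a flag rather than silently dropped.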

    The Wolfsberg Group has aligned itself to a substantive approach to beneficial ownership rather than a formal one.[98]

    The Report noted that many corporate vehicles are established solely to gain access to financial institutions.[99] The provision by financial institutions of services that may be used for receiving, holding, or conveying the illicit proceeds of corruption is a critical part of the laundering process. Hence the nexus between beneficial ownership, legal entities and ML/TF risk is plain to see.[100]

    6.2.3 Common practice

    The Puppet Masters Report made the following findings regarding the KYC information typically present in financial institutions' files:

    Identity documentation for the legal entity: almost always present.
    A physical address for the account: almost always present.
    Documentation that provides evidence of agency to represent the legal entity: almost always present.
    Information about individuals who hold more than a certain percentage of equitable interest in the legal entity: often present.
    Information about shareholders and directors: often present.
    Records of meetings granting authority to open an account or perform a transaction: sometimes present.
    Documented compliance logs covering name checking, transaction monitoring and trend analysis: sometimes present.
    Information from independent sources to verify information captured from the customer: sometimes present.
    The identity of the beneficial owners: rarely present.

    Reports on misuse of corporate vehicles

    The following reports have catalogued the abuse of corporate vehicles:

    UNODC's report "Financial Havens, Banking Secrecy and Money Laundering" in 1998 (UNODC was then called UNODCCP).
    The European Commission's report "Protecting the EU Financial System from the Exploitation of Financial Centres and Offshore Facilities by Organised Crime", published in 2000.
    The OECD report "Behind the Corporate Veil: Using Corporate Entities for Illicit Purposes", 2001.
    The International Trade and Investment Organization and the Society of Trust and Estate Practitioners report "Towards a Level Playing Field: Regulating Corporate Vehicles in Cross-Border Transactions" in 2002.
    The FATF's report "The Misuse of Corporate Vehicles" in 2006.
    The Caribbean FATF-style regional body's report "Money Laundering Using Trust and Company Service Providers" in 2010.

    95. World Bank's Puppet Masters Report 2011 page 19.
    96. World Bank's Puppet Masters Report 2011 page 19.
    97. World Bank's Puppet Masters Report 2011 page 19.
    98. See Wolfsberg Group's FAQs on ownership.
    99. World Bank's Puppet Masters Report 2011 page 97.
    100. World Bank's Puppet Masters Report 2011 page 97.

    6.2.4 Bearer sharesBearer shares are shares in companies which are in the form of certificates. Whoever is in possession of the certificate is the owner of the shares. Most jurisdictions have reformed their laws on bearer shares, with some moving through a phasing out stage. Today, according to the World Banks research no bank with any sort of basic due diligence procedures would knowingly conduct business with free-floating bearer shares.101

    6.2.5 Trusts versus companiesThe World Bank found in their Puppet Masters report that trusts were only used in 5% of the 150 cases of grand corruption that it investigated. Those schemes that were found were predominantly in the U.S.A., the Bahamas, the Cayman Islands and Jersey.102

    6.2.6 Fictitious entities and unincorporated economic organisationsThe World Bank conducted research as part of the Puppet Masters Report looking at entities which have not undergone a formal incorporation process and which only have the most tenuous separation from their controllers. The benefit of using these types of entities lies in the fact that the authorities cannot track their existence. These entities vary from those that once might have had a legitimate use to blatant deceit involving fictitious companies not incorporated anywhere. Some cases involving these types of entities also involved collusion by bankers. Some involved false or forged documents.

    6.2.7 Rationale for complex ownership structuresOften other legal entities are interposed as the owners of shares in a company, or are the beneficiaries of trusts. Reporting entities need to understand the rationale for complex structures because the absence of a rationale that makes sense is a risk indicator for money laundering or terrorism financing.103

    6.2.8 Professional nominees

    If a reporting entity believes that they are dealing with a nominee director or shareholder or other officer then attention needs to be paid to the persons behind the nominee. This will be evidenced in trust deeds, indemnification of agent contracts and power of attorney declarations and declarations of trust executed between the nominee and the beneficial owner.

    6.2.9 Surrogates and professional nominees

    A surrogate (or front man) is a person connected to a beneficial owner whose name attracts less attention than the beneficial owner. The beneficial owner might be a corrupt PEP or a criminal or connected with terrorism financing. Through the use of a surrogate who is acting on the instructions of the beneficial owner, the beneficial owner avoids detection. The links between front men and beneficial owners may be very varied, but the bond relies on either a high degree of trust or a strong enforcement capability.

    Professional nominees are persons (individuals and legal entities) that act in a nominee capacity for a fee. They might act as directors or shareholders or other formal officers of

    101. World Bank's Puppet Masters Report 2011 page 43.
    102. World Bank's Puppet Masters Report 2011 page 44.
    103. One compliance officer was cited in the Puppet Masters Report as using a three layer complexity test as a quick and dirty rule of thumb. Use of more than three layers of legal entities between the beneficial owners and the entity should trigger a step burden of proof requirement. World Bank's Puppet Masters Report 2011 page 56.


    a company. The liability of nominees is misunderstood: a director will be liable under the laws of the country in which they perform actions and under the laws of the country in which the company is incorporated, irrespective of their nominee status. Nominees will normally have a contract which limits their authority, limits their liability and requires them to follow the instructions of the principal. This exposes the nominee to taking actions which they might not realise are illegal.

    Front men cannot hide behind banking secrecy laws or legal professional privilege and are more likely to cooperate if pursued by law enforcement.104

    6.2.10 Trust and corporate service providers (TCSPs)

    Reporting entities that deal with companies and trusts established outside Malaysia should read section 4.3 of Trust and Company Services Providers in the Puppet Masters Report. TCSPs are crucial to the formation of corporate vehicles and trusts and thus in their licit and illicit use. In addition to handling the incorporation or establishment of the vehicle they may also handle renewal fees, provide mail-forwarding facilities and virtual office facilities, act as registered local agents, resident secretaries and nominee services, and act as intermediaries and introducers to financial institutions.105 Their business models vary enormously across this spectrum of services.

    Many TCSPs promote their services promising anonymity or secrecy, qualities which are attractive to those seeking to protect their assets from creditors and former spouses as well as those involved in money laundering, terrorism financing or predicate crimes to money laundering.

    6.3 Continuous Monitoring and CDD

    While ongoing monitoring of a business relationship is a general regulatory requirement seen as applying to the transactions conducted over the accounts of a customer, it is also, either by actual regulation or expectation, related to keeping the CDD data and information a firm retains on customers relevant and up to date. Again this is accepted to be on a risk-sensitive basis.

    Ensuring that customer information is relevant and up to date is also a requirement contained within data protection legislation and regulation.

    There is no expectation for firms to re-verify the identity of a customer (unless there are doubts or new information, e.g. the previous Identity Document used is missing or no record of it is retained, or there is a new executive director or partner).

    This ongoing monitoring has seen the emergence in many firms of periodic customer reviews which, in a risk-sensitive environment, create their own challenges.

    What should such a review cover? When should it occur? Should it apply across all customers?

    It is clearly common sense to be able to identify when a customer's behaviour would make a firm reconsider the money laundering risk associated with the customer (e.g. one who becomes a PEP or attracts adverse media attention in relation to a criminal investigation for financial crime). The challenge is how, in a risk-sensitive way, this monitoring of customer behaviour, as well as keeping customer data and information up to date, can be made operationally effective yet efficient. This is looked at in the section below.

    104. World Bank's Puppet Masters Report 2011 page 63.
    105. World Bank's Puppet Masters Report 2011 page 84.


    CDD must be completed on any individual who ultimately owns or controls a transaction which has been entered into by a person who is not the person carrying out that transaction. Enhanced due diligence will be needed if the beneficial owner or controller is a Politically Exposed Person (PEP).

    6.4 High-risk customers

    Enhanced due diligence (EDD) is required for high-risk customers. More detailed enquiries and information are required in respect of these individuals, and senior management sign-off is advisable before embarking on a business relationship with such an individual.

    The Malaysian Standard Guidelines on AML/CTF highlight some examples of high-risk customers. These include:

    - high-net-worth individuals
    - non-resident customers
    - customers from locations known for their high rates of crime (e.g. drug producing, trafficking, smuggling)
    - customers from countries or jurisdictions with inadequate AML/CTF laws and regulations as highlighted by the FATF
    - PEPs
    - customers that are involved in legal arrangements that are complex (e.g. trusts, nominees)
    - businesses/activities identified by the FATF as of higher money laundering and financing of terrorism risk

    6.4.1 Mandatory high-risk: Politically exposed persons (PEP)

    One of the most prominent risks to the financial services sector is the risk posed by public officials, their associates and family members. There have been a number of damaging high-profile money laundering scandals within the private banking sector, and involving PEPs, the most notorious in the UK being General Abacha.

    The danger posed by PEPs is that a financial institution may be exposed to property that has been generated by corrupt practices. Regardless of any criminal or civil liability, which will undoubtedly arise, the high profile of such cases can expose any professional business or financial institution that becomes involved to an enormous reputational and regulatory risk.

    PEPs are generally defined as:

    individuals who are or have been entrusted with prominent public functions in a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations, important political party officials.

    The definition of PEP extends to members of an official's family and close associates, and to any business (incorporated or unincorporated) with which the official has a relationship.

    The European third, and latest, Directive assists further by defining PEPs as:

    - heads of state, heads of government, ministers and deputy or assistant ministers
    - Members of Parliament
    - members of supreme courts, of constitutional courts and of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
    - members of courts of auditors and of the boards of central banks


    - ambassadors, chargés d'affaires and high-ranking officers in the armed forces
    - members of the administrative, management or supervisory bodies of state-owned enterprises.

    Immediate family members include:

    - the spouse
    - any partner considered by national law as equivalent to the spouse
    - the children and their spouses or partners
    - the parents.

    Close associates are likely to include:

    - any natural person who is known to have joint beneficial ownership of legal entities and legal arrangements, or any other close business relationship with the PEP
    - any legal entity or legal arrangement whose beneficial owner is the PEP alone and which is known to have been set up for the benefit of the PEP.

    One significant challenge is whether to include domestic PEPs in this definition. While most regulators only refer to foreign PEPs many financial services groups, especially those that operate across borders, have set aside this exclusion. The FATF encourages countries to include domestic PEPs in their definition.

    Knowing whether or not a client is a PEP is an essential element of CDD for all relationships. Many firms now employ databases to assist in the identification of PEPs. The recently published (2011) FSA thematic review of Banks' Management of High Money Laundering Risk Situations has commented that firms need to seriously consider whether the use of such databases should be their sole method of identifying PEPs or whether they need additional methods to assist in this process.

    For instance, a relationship manager's personal knowledge of the customer could be viewed as a critical source of information. In addition, a PEP may be identified through methods including:

    - checking names against external databases
    - Internet searches (e.g. Google), and
    - newspaper/media reports.

    Nonetheless, databases are merely a tool to assist in identifying potential PEPs and any hits can only be used as a reference/guide for determining whether an individual is actually a PEP. In addition, the absence of a match from online research is not a reason to ignore the possibility that a person is a PEP.

    Given the potentially high money laundering risk posed by PEPs there are enhanced due diligence (EDD) requirements that should include an understanding of, information on, and corroboration of:

    - source of wealth (the economic activities that have generated the client's net worth)
    - source of funds (the origin and means of transfer for monies that are accepted for the account)
    - the commercial rationale for the arrangement/relationship, and
    - the need to conduct enhanced continuous monitoring of a business relationship.

    Additionally, PEP relationships should have senior management sign off or approval.


    While there is no requirement, firms should consider involving money laundering practitioners (e.g. the MLRO) in the on-boarding approval process for PEPs.

    The Malaysian Standard Guidelines on Anti Money Laundering and Counter Financing of Terrorism, section 5.9, recommends that all reporting institutions should create a risk management framework to determine whether current or new customers are PEPs and to conduct appropriate due diligence to establish this. The role of senior management in determining whether a business relationship with a PEP should be entered into or continued is seen as a critical issue. PEPs should be subject to enhanced and on-going due diligence throughout any relationship.

    6.4.2 Mandatory high-risk: correspondent banking

    Regulations in most countries require additional due diligence measures in relation to correspondent banking relationships (see also Module 5, section 1.3.1).

    Correspondent banking can be defined as:

    the provision of banking-related services by one bank (the Correspondent) to another bank (the Respondent) to enable the Respondent to provide its own customers with cross-border products and services with which it cannot provide them itself, typically owing to lack of an international network. In other words, a Correspondent is effectively an intermediary for the Respondent and executes/processes/clears payments/transactions for customers of the Respondent.

    Money laundering risks in correspondent banking relationships arise because:

    - the correspondent has limited information about the entire transaction.
    - the correspondent is often dependent on the due diligence processes conducted by its respondent bank.
    - the correspondent does not have a direct relationship with the underlying clients for the transaction and cannot therefore assess if the underlying transaction is consistent with the business profile of the client.

    In the vast majority of cases it is appropriate to treat a relationship with another bank as a correspondent banking relationship. It is extremely difficult to identify and continually monitor for changes to circumstances where there may not be an actual correspondent relationship and merely a principal to principal relationship (e.g. transactions conducted between the parties even if they settle through SWIFT or capital markets, foreign exchange).

    The level of enhanced due diligence requirements to apply to correspondent banking relationships should include consideration of and, as applicable, responses from the respondents on some or all of the following factors.

    - The AML risks in the country of establishment and the country of operation of the customer (whichever is higher).
    - The transactions that the customer will support for its customers. Is it a downstream correspondent clearer (i.e. a Respondent that receives correspondent banking services from the Correspondent and itself provides correspondent banking services to other financial institutions in the same currency as the account it maintains with its Correspondent)?
    - Whether it gives its clients access to the firm's correspondent accounts.
    - The businesses undertaken by the Respondent, such as:

      - private banking as sole business
      - private banking/HNW wealth management alongside other business lines
      - Internet only current account and third-party payments/wires
      - trade finance.


    - The Respondent's customer base:
      - retail customers, domestic
      - retail customers, international
      - corporate customers, domestic
      - corporate customers, international
      - financial institutions, domestic
      - financial institutions, international
      - MSBs/money transmission service
      - shell companies.

    - The Respondent's ownership:
      - controlled by a PEP, or
      - publicly quoted on a recognised market.

    - The AML regulation to which the Respondent is subject:
      - operating with an offshore banking licence
      - operating in an equivalent jurisdiction
      - parent is regulated in an equivalent jurisdiction.

    In order to obtain credible responses to the above, firms should seriously consider using an appropriate questionnaire (one based on the Wolfsberg Questionnaire for correspondent banking). However, firms also need to ensure their processes do not encourage a mere tick-box approach, with common answers being applied to the questionnaires year after year.

    The Malaysian Sectoral Guidelines for Banking and Financial Institutions prescribe that in respect of correspondent banking the procedure below shall be followed.

    i. When entering such a business relationship, the reporting institution should capture and assess at the minimum the following information on the respondent institution, to determine the reputation and quality of supervision:

    - board of directors and the management
    - business activities and products
    - applicable legislation, regulations and supervision, and
    - AML/CFT measures and control.

    ii. The reporting institution should establish or continue a correspondent banking relationship with the respondent institution only if it is satisfied with the assessment of the information gathered.

    iii. The reporting institution should also document the responsibilities of the respective parties in relation to the correspondent banking relationship, in particular, matters in relation to customer due diligence for all products and services.

    iv. The decision and approval to establish or continue a correspondent banking relationship should be made at the Senior Management level.

    v. The reporting institution should ensure that such correspondent banking relationship does not include any respondent institution that has no physical presence and which is unaffiliated with a regulated financial group (e.g. shell banks).

    vi. Where a correspondent banking relationship involves the maintenance of a payable-through account, the reporting institution should be satisfied that:

    - the respondent institution has performed all the normal obligations on its customers that have direct access to the accounts of the reporting institution, and


    - the respondent institution is able to provide relevant customer identification data upon request by the reporting institution.

    vii. In addition, the reporting institution should pay special attention to correspondent banking relationships with respondent institutions from countries highlighted by the internationally recognised AML/CFT bodies, such as FATF, as insufficiently implementing the internationally accepted AML/CFT measures, which would require enhanced due diligence to assess the money laundering and financing of terrorism-associated risks.

    6.5 Automatic low-risk situations

    Most regulations now allow for a form of simplified due diligence in the lowest risk situations. For example, the UK JMLSG Guidance provides the following explanation of simplified due diligence:

    Simplified due diligence means not having to apply CDD measures. In practice, this means not having to identify the customer, or to verify the customers identity, or, where relevant, that of a beneficial owner, nor having to obtain information on the purpose or intended nature of the business relationship. It is, however, still necessary to conduct ongoing monitoring of the business relationship. Firms must have reasonable grounds for believing that the customer, transaction or product relating to such transaction falls within one of the categories set out in the Regulations, and may have to demonstrate this to their supervisory authority. Clearly, for operating purposes, the firm will nevertheless need to maintain a base of information about the customer.

    Simplified due diligence may be applied to:

    - certain other regulated firms in the financial sector in equivalent jurisdictions (those jurisdictions providing a level of regulation equivalent to EU standards)
    - companies listed on a regulated or recognised market (which have been listed and defined under MiFID Committee of European Security Regulators), provided it can be confirmed that other such exchanges comply with the European requirements
    - beneficial owners of pooled accounts held by notaries or independent legal professionals
    - UK public authorities
    - community institutions
    - certain life assurance and e-money products
    - certain pension funds
    - certain low-risk products
    - child trust funds.

    What this means in practice is that if the nature of business being conducted fits within one of the above categories a firm may apply a lighter touch in terms of the extent of CDD undertaken.

    This approach may provide opportunities to reduce costs and remove paperwork from account opening processes. For example, in respect of a simple term assurance life insurance policy, minimal documents and information may be collected at account opening, with greater checks in place at the claim payout stage.

    Nonetheless, it is important to note that any such decision must be carefully documented and be justifiable in the eyes of the regulators. An example of this challenge concerns financial institutions and the apparent contradiction relating to correspondent banking.


    6.6 Assessing money laundering risk in all other circumstances

    Again, most regulations require firms to assess their own money laundering risk in all other cases and apply a risk-based approach to the level of due diligence to be applied.

    This has seen many manifestations over the years of money laundering regulation, such as the application of High, Medium and Low risk ratings by some firms, just High and Low by others and still other firms categorising even further to High High, High Medium, etc.

    There is no right or wrong categorisation provided the approach is proportionate to the overall money laundering risks encountered by the firm, which will depend on the type of business it is in (e.g. insurance, money transfer, eMoney, credit provision) and the scale of its operation (e.g. domestic, international).

    The considerations above will determine the level of sophistication required for risk assessment and whether to employ the assistance of an automated system in the process.

    However a firm applies its risk-based approach there is a regulatory expectation that a number of factors will be considered when applying a risk-based approach to all other customers.

    6.6.1 Clients deemed to be unacceptable

    A firm, in considering money laundering risks, regulations and guidance, may consider certain types of relationship as unacceptable to it. An example of one that FATF refers to would be shell banks (defined as banks that: (i) do not conduct business at a fixed address in a jurisdiction in which they are authorised to engage in banking activities; (ii) do not employ one or more individuals on a full-time basis at this fixed address; (iii) do not maintain operating records at this address; (iv) are not subject to inspection by the banking authority that licensed them to conduct banking activities; and (v) are unaffiliated with a regulated financial group).

    Quite clearly another example would be individuals or entities that are on relevant sanctions lists issued by countries in compliance with UN resolutions or those to which countries have applied sanctions unilaterally (UK, US and others).

    To capture such individuals and entities many firms now use name screening systems and processes. In many situations these systems will also capture other adverse information from media reports as well as identifying PEPs (see section 6.3 above).

    It is a matter for firms how they use such intelligence in their risk-based approach to CDD but it should seriously be considered as an ingredient in any risk assessment.

    Having determined those clients that are unacceptable, along with those that will require mandatory EDD or be allowed Simplified Due Diligence (as described in section 6.4 above) the large population remaining needs to be risk rated on the basis of a number of factors, which may include those discussed in section 6.6.2 below.
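    The triage ordering just described (unacceptable clients first, then mandatory EDD, then simplified due diligence, then the remaining population to be risk rated), together with the three-layer ownership complexity test from footnote 103, as an added Python example that is not part of this module or of any regulator's guidance; the field names, category labels and the sample ownership structure are constructed assumptions.

```python
"""Added example: first-pass CDD tiering for a customer record.

Order of checks follows the module: unacceptable -> mandatory EDD ->
simplified due diligence (SDD) -> standard risk rating. The ownership
walk applies the 'more than three layers' rule of thumb in footnote 103.
All field names, category labels and sample data are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shorthand for the SDD categories listed in section 6.5 (labels are this
# example's own, not regulatory identifiers).
SDD_CATEGORIES = {
    "regulated_firm_equivalent_jurisdiction",
    "listed_company_recognised_market",
    "public_authority",
    "low_risk_product",
}

# Legal entity -> its direct owners. Names absent from the mapping are
# treated as natural persons.
Ownership = Dict[str, List[str]]


@dataclass
class Customer:
    name: str
    is_pep: bool = False                  # s6.4.1: PEP, family or close associate
    sanctions_hit: bool = False           # s6.6.1: relevant sanctions list match
    shell_bank: bool = False              # s6.6.1: FATF shell-bank definition met
    correspondent_bank: bool = False      # s6.4.2: correspondent relationship
    high_risk_jurisdiction: bool = False  # s6.4: FATF-highlighted country
    sdd_category: str = ""                # s6.5 category claimed, if any


def ownership_layers(structure: Ownership, entity: str,
                     _path: Tuple[str, ...] = ()) -> Tuple[int, bool]:
    """Return (layers, circular): the largest number of legal entities
    interposed between `entity` and its natural-person owners, and whether
    a cross-holding loop was met. A loop stops the walk; it is a red flag
    in its own right because no natural owner is ever reached through it."""
    if entity in _path:
        return 0, True
    deepest, circular = 0, False
    for owner in structure.get(entity, []):
        if owner in structure:  # another legal entity: one more layer
            depth, looped = ownership_layers(structure, owner, _path + (entity,))
            deepest = max(deepest, depth + 1)
            circular = circular or looped
    return deepest, circular


def cdd_tier(c: Customer, structure: Ownership) -> Tuple[str, List[str]]:
    """Classify as 'unacceptable', 'edd', 'sdd' or 'standard', with reasons.
    Any mandatory-EDD trigger overrides a claimed SDD category."""
    if c.sanctions_hit:
        return "unacceptable", ["sanctions list match"]
    if c.shell_bank:
        return "unacceptable", ["shell bank"]
    reasons: List[str] = []
    if c.is_pep:
        reasons.append("PEP")
    if c.correspondent_bank:
        reasons.append("correspondent banking")
    if c.high_risk_jurisdiction:
        reasons.append("FATF-highlighted jurisdiction")
    layers, circular = ownership_layers(structure, c.name)
    if layers > 3:
        reasons.append(f"{layers} ownership layers (more than three)")
    if circular:
        reasons.append("circular ownership")
    if reasons:
        return "edd", reasons
    if c.sdd_category in SDD_CATEGORIES:
        return "sdd", [c.sdd_category]
    return "standard", []  # remaining population: risk rate under s6.6.2


# Constructed sample: four entities sit between the target and its owner.
SAMPLE_STRUCTURE: Ownership = {
    "Target Ltd": ["Holdco A"], "Holdco A": ["Holdco B"],
    "Holdco B": ["Trust C"], "Trust C": ["Nominee D"], "Nominee D": ["Alice"],
}

if __name__ == "__main__":
    print(cdd_tier(Customer("Target Ltd"), SAMPLE_STRUCTURE))
```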

    6.6.2 Risk-rating clients

    the product offering of the firm and the product taken up by a