Explaining the Concept of Designated Transactions Under the PSPM Act 2019


Individuals and entities engaged in money laundering (ML), terror financing (TF), and proliferation financing (PF) activities frequently use precious stones and precious metals to move their illicit money and disguise it as generated from legitimate sources. To curb ML/FT and PF risk, the Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Act, 2019 (PSPM Act 2019) created a category of Precious Stones and Precious Metals (PSPM) transactions known as “Designated Transactions”, for which Precious Stones and Precious Metals Dealers (PSMD) must take care to identify and report any ML/FT/PF suspicion.
The PSPM Act 2019 provides in-depth clarity on designated transactions, considering the following aspects, with respect to which the PSMD must undertake the necessary AML compliance:
  • Purpose of the transaction
  • Payment mode and threshold
  • Parties to the transaction
  • Location of transaction
  • Count of the transactions executed

What is a Designated Transaction under the PSPM Act 2019?

A “designated transaction” under the PSPM Act 2019 is a transaction conducted wholly or partly in Singapore that meets any of the following descriptions:
  • The purpose of the transaction is the sale of precious stones, precious metals, precious products, or asset-backed tokens by a regulated dealer to the customer against payment in cash or cash equivalent or digital payment tokens exceeding SGD 20,000.
  • Two or more PSPM sales transactions by a regulated dealer in a single day to the same customer or a person acting on behalf of the same customer against cash or cash equivalent or digital payment tokens exceeding SGD 20,000.
  • Transaction relating to the purchase of PSPM by the secondhand goods dealer from a customer (other than the regulated dealer) against cash or cash equivalent exceeding SGD 20,000.
Here, it is essential to understand who would be treated as a “regulated dealer”. A regulated dealer is a person engaged in the following regulated dealings or acting as an intermediary in such dealings:
  • manufacturing or selling PSPM
  • importing or possessing PSPM for sale
  • selling or redeeming asset-backed tokens (backed by PSPM)
  • purchasing any PSPM for resale

Why is it Important to Identify Designated Transactions?

Designated transactions involve cash and possess a higher degree of ML/FT/PF risk. Hence, it is essential to understand the nature of the transactions and apply appropriate risk mitigation measures.
The primary importance of identifying designated transactions is to detect and prevent the exploitation of the PSPM sector by financial criminals. Further, it is also essential to fulfil AML compliance obligations concerning designated transactions by a PSMD, including applying customer due diligence measures, reporting designated transactions to the STRO, etc.

Legal Obligations of a PSMD Engaged in Designated Transactions

To ensure compliance with Singapore’s AML regulatory regime and check the ML/FT/PF threats, a regulated dealer must adhere to the following obligations:

Risk Assessment and Internal Policies, Procedures, and Controls (IPPC)

A regulated dealer must conduct an internal business risk assessment to identify its exposure to ML/FT/PF arising from the nature of its customers, the geographies it is associated with, the type of PSPM offered, the complexities of the transactions, etc.
Based on the outcome of this Enterprise-Wide Risk Assessment, and adopting the risk-based approach, a regulated dealer must design, implement and maintain its Internal Policies, Procedures and Controls (IPPC) to mitigate ML, FT and PF risks.
The IPPC must provide detailed guidelines around performing the Customer Due Diligence measures, AML governance structure, identification and reporting of suspicious transactions, requirement for AML training, complying with Targeted Financial Sanctions, AML record-keeping requirements, etc.

Customer Due Diligence (CDD)

The regulated dealer must perform Customer Due Diligence (CDD) before entering any designated transaction. It must include measures to identify the customer and the beneficial owners, verify the identity, determine whether the customer is the owner of the cash, and screen the customer or beneficial owners to identify any connection with Sanctions Lists or Politically Exposed Persons (PEP), etc.
Depending upon the nature of the designated transaction and the risk associated with a particular business relationship, the PSMD must apply different CDD measures. For example, for a customer identified as high-risk, enhanced customer due diligence measures must be applied, covering the inquiries around the customer’s income level, source of funds and wealth.
Further, the regulated dealer must terminate the transaction or reject a customer if the CDD measures cannot be applied adequately or the PSMD suspects that the designated transaction may be connected to any ML, FT or PF activity.
The PSMD must carry out CDD measures to identify the third party acting on behalf of the customer to execute a designated transaction. Here, the PSMD must also obtain and verify the third party’s authority or specific rights to act on behalf of the customer.

Suspicious Transaction Report (STR)

When a regulated dealer cannot satisfactorily conclude the appropriate customer due diligence process or any red flags are observed concerning the designated transaction, the regulated dealer must file a Suspicious Transaction Report (STR) on SONAR.
The PSMD must submit the STR to the Suspicious Transaction Reporting Office (STRO) as soon as the customer is identified as suspicious, whether in connection with proceeds of crime or with activities related to ML/FT or PF.
While filing STR, the regulated dealer must provide complete details of the suspected transaction, red flags observed, and details of the parties to such suspicious transaction.

Cash Transaction Report (CTR)

A regulated dealer carrying out business related to PSPM must file a Cash Transaction Report (CTR) with the STRO when it enters into a designated transaction.
The CTR must be filed using Form NP 784 on SONAR within 15 business days from the date of executing a designated transaction.
The CTR must capture accurate and complete information on the designated transactions and the identification details of the customer, the beneficial owners, or the person acting on behalf of the customer.

Record-keeping

A regulated dealer is under the obligation to maintain records about every designated transaction (irrespective of the completion status) for a minimum period of five (5) years, capturing the following details or documents:
  • All customers’ and beneficial owners’ identification details collected as part of the CDD process, including supporting documents relied upon
  • ID information of the person acting on behalf of the customer and proof of such authority given
  • Date, addresses, and amount of transaction entered into
  • Reasons recorded for inability to complete CDD or any other risk indicators observed
  • Copy of all STRs filed with the STRO
  • Copy of all CTRs and supporting documents relied upon for filing CTR

Independent Audit Function

PSMDs carrying out designated transactions are mandated to have their IPPC tested by an independent audit function in order to obtain an unbiased opinion regarding the health of the AML/CFT controls and measures implemented, including:
  • Assessing and analysing the relevance and adequacy of IPPC
  • Assessing the effectiveness of IPPC by analysing AML compliance and engagement by the employee
  • Checking the quality and timeliness of the regulatory reporting

Other key regulatory obligations

In addition to the above, a regulated dealer is also required to comply with the following requirements:
  • appoint a competent Compliance Officer to manage and oversee the entity’s AML compliance, including performing a periodic review of the IPPC and its effectiveness
  • monitor transactions and business relationships to identify any suspicious activity or transaction
  • furnish a semi-annual return (SAR) to the Ministry of Law, capturing information about the dealer’s business profile, copy of IPPC, details of designated transactions executed, etc.
  • develop a robust AML training program for the staff, including senior management

Conclusion

Through the article, we have discussed the meaning, importance and obligations surrounding “designated transactions” for the PSPM sector in Singapore.
If you struggle to manage AML compliance, we have your back. Niyeahma is a leading AML consultancy service provider, offering top-notch quality AML support customised to your business needs. We offer consultancy around:
  • Assessing the risk and performing Enterprise-Wide Risk Assessment,
  • Developing internal Policies, Procedures, and Controls (IPPC),
  • Imparting comprehensive AML training to the team,
  • Performing an independent review of the IPPC and overall AML program,
  • Managing the KYC and Customer Due Diligence requirements.
Stay compliant, stay safe!

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Implement a Transaction Monitoring Program to strengthen the AML Efforts


Because money laundering and terrorism financing are ongoing processes, regulated entities need to deploy Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) measures that function round the clock to detect red flags. As per Singapore’s AML regulations, it is important for regulated entities to develop a comprehensive AML framework, including policies and procedures for identifying financial crime risk, implementing adequate risk mitigation measures, and reporting suspicions to the Suspicious Transaction Reporting Office. This includes ongoing monitoring of transactions and of the customer’s profile, as that is where potential vulnerabilities can be discovered.
In this article, we will discuss the transaction monitoring program, its significance in the overall AML structure, and the right approach to establish and implement the transaction monitoring program effectively.

Why is Transaction Monitoring a critical component of the AML Program?

Once the customers are onboarded after applying adequate Customer Due Diligence measures, the AML function does not end there. As the risk posed by the customer changes over time, the AML program must include measures that review the customer’s activities, identify these changes, and highlight the potential impact on the business. The regulated entities must have a robust transaction monitoring program as part of their AML framework to manage this.
As the name suggests, the Transaction Monitoring program systematically analyzes the large volume of customer transactions, their activities, and overall risk profile to detect the unusual patterns or inconsistencies that may indicate red flags associated with money laundering or terrorism financing.
When the customer’s transactions are monitored against the expected customer activities, the regulated entities can promptly detect suspicious activities and take timely action to prevent further business exploitation.
The AML program would be construed as complete only when the regulated entity has adopted an appropriate transaction monitoring system to detect and deter financial crime attempts, instilling the authorities’ confidence and the customer’s trust in the business.

What is an ideal approach to implementing a Transaction Monitoring Program effectively?

The effectiveness of the transaction monitoring program depends on how well the regulated entity has designed and implemented it. Regulated entities may follow the steps below to set up the transaction monitoring program systematically:

Understanding the business need for a Transaction Monitoring Program

The transaction monitoring program must be based on the entity’s risk exposure to the financial crime and the regulatory obligations imposed thereupon. Thus, the first step is to conduct the Enterprise-Wide Risk Assessment and determine the degree of risk each risk parameter poses to the business. The outcome of the risk assessment shall help the entity prioritize the resources and work out the scope of the monitoring program and the outcome expected in the context of different risk factors.
Moreover, considering the regulatory landscape will align the transaction monitoring program with applicable laws, enabling the entity to stay AML compliant.
The objective and scope of the transaction monitoring program must be well documented.

Thorough planning and designing of the Transaction Monitoring Program

Having worked out the need for a transaction monitoring program, the regulated entity must proceed with developing a program plan and designing its implementation method. This stage involves prioritizing the risk areas and identifying and allocating the resources required. Here, the regulated entity should consider both the human resources to be involved and the technology and tools required.
The entity must develop transaction monitoring policies and procedures, define the roles and responsibilities of the concerned personnel, integrate the program with the customer due diligence process, and other relevant aspects on which the program would rely for input data.

Implementing the proper rules, processes, and systems

Once the transaction monitoring plan and design are ready, the regulated entity must move ahead with its implementation. To begin with, the entity must identify and deploy the right technology and solutions capable of handling and processing a large volume of data in real-time, detecting discrepancies and suspicions, and promptly generating alerts.
The monitoring rules and logic must be mapped accurately in the system, aligned with the nature of the business’s risk exposure, the customer base the entity engages with, the customer’s risk profile, the nature of products and services offered, etc. This configuration of the monitoring rules must be followed by independent testing, possibly using dummy data, to ensure that the defined monitoring rules work as intended and will be able to detect red flags when the system goes live.
The regulated entity must train the team on the software and solutions deployed for transaction monitoring. The AML training should cover the rules mapped in the system, how to navigate it, and how to handle, dispose of and escalate the alerts it triggers. Only when the relevant staff members are empowered will the transaction monitoring program and system yield the expected outcome.

Periodically reviewing and updating the Transaction Monitoring Program

Designing and implementing the transaction monitoring program is not a one-time effort; instead, it’s an ongoing activity warranting periodic review of the program, controls, and systems to check its relevance and quality and making necessary updates, if required, in line with the business risk and emerging ML/FT typologies.
During the review, the system’s performance must be evaluated considering the number of alerts generated, the number of false alerts, how these alerts were investigated, how these alerts resulted in the filing of Suspicious Transaction Reports with the authorities, etc. These performance metrics would assist the regulated entities in enhancing the monitoring rules, the accuracy of the alerts, and the program’s overall efficiency.
During these reviews, the regulated entity must make diligent efforts to overcome the following key challenges associated with the Transaction Monitoring Program:

Regulatory Challenges

The latest developments in the applicable regulations and laws must be tracked and analyzed for their impact on the monitoring program. The required changes must be included in the transaction monitoring policies and systems to ensure adherence to recent regulatory amendments, avoiding any non-compliance consequences.

Technological Challenges

The integration of the monitoring program with the existing systems must be checked to ensure that complete and accurate data is flowing for transaction monitoring. Data validation exercises must be conducted regularly to maintain the systems’ effectiveness and ensure that no suspicious transactions go undetected.
Weaknesses in the system must be managed by deploying technological updates or, if required, investing in advanced solutions.

Operational Challenges

The monitoring rules and rationales must be reviewed regularly to ensure that the alerts generated by the system are relevant, reducing the time and resources wasted on unnecessarily investigating false alerts flagged by the system.
Further, there shall be periodic refresher training for the relevant team members around the transaction monitoring program and conducting preliminary investigations of the highlighted transactions. This will ensure that the team is aware of the enhancements made to the entity’s transaction monitoring program, enabling them to resolve the alerts in a timely manner.
Only when the transaction monitoring program is systematically designed and implemented can its objective of detecting risk indicators and preventing financial crime be achieved.

How can Niyeahma assist you in designing and implementing the Transaction Monitoring Program to foster the AML framework?

With our years of experience working on AML implementation across entities in different sectors and jurisdictions, Niyeahma can assist you with designing a robust AML Program, including the much-needed Transaction Monitoring Program. We understand your exposure to financial crime and overall business profile and assist in selecting the appropriate technology and software that helps you stay compliant with Singapore’s AML regulations and safeguard your business against money laundering and terrorism financing.


Understanding WMD Proliferation and Proliferation Financing (PF)


What is Weapons of Mass Destruction (WMD) Proliferation and Proliferation Financing (PF)?

Weapons of Mass Destruction (WMD) Proliferation refers to the illegal manufacture, acquisition, possession, development, export, trans-shipment, brokering, transport, transfer, stockpiling or use of nuclear, chemical, or biological weapons and their means of delivery and related materials (including both dual-use technologies and dual-use goods used for non-legitimate purposes).
The primary motive behind Proliferation Financing (PF) is to support a sanctioned state or further an ideology for power or profit. Iran and the Democratic People’s Republic of Korea (“DPRK”) come at the top of the list of countries involved with PF activities, such as the nuclear weapons program. The United Nations Security Council (“UNSC”) and the Financial Action Task Force (“FATF”) have issued various reports highlighting PF typologies and the techniques used by proliferators for sanctions evasion.
The financing of proliferation refers to the risk of raising, moving, or making available funds, other assets or other economic resources, or financing, in whole or in part, to persons or entities for purposes of WMD proliferation, including the proliferation of their means of delivery or related materials (including both dual-use technologies and dual-use goods for non-legitimate purposes.)
Proliferation Financing could be very complex to identify and detect. It may not be directly related to the physical flow of goods but may also include:
  • Insurance and Re-insurance services
  • Trust and Corporate Services
  • Third-Party Agent Services
  • Credit line for shipment of WMD or components thereof
  • Financial Transfers

National and International Standards and Laws to Fight Proliferation of WMDs and Proliferation Financing

Singapore Laws:

  • MAS (Sanctions and Freezing of Assets of Persons – Iran) Regulations 2016
  • MAS (Sanctions and Freezing of Assets of Persons – Democratic People’s Republic of Korea) Regulations 2016.
  • Sound Practices to Counter Proliferation Financing – MAS

International Standards:

  • UNSCR 1540 (2004)
  • UNSCR 1718 (2006)
  • UNSCR 2231 (2015)
  • FATF Recommendation 1
  • FATF Recommendation 2
  • FATF Recommendation 6
  • FATF Recommendation 7
  • FATF Recommendation 15

National and International Standards and Laws to Fight Proliferation of WMDs and Proliferation Financing

1. Terrorism Financing

Here, the terrorist organisations are financially supported to procure WMDs.

2. State Financing

Here, a state is financed by another state or state-controlled entity to enable it to procure WMDs.

Why is the detection and prevention of proliferation of Weapons of Mass Destruction and Proliferation Financing important?

Various countries develop Weapons of Mass Destruction to establish their power and have a variety of ill motives. The Proliferation of WMDs and Proliferation Financing help them achieve their objectives and create global instability.
The use of WMDs results in large-scale loss of life, and hence, it is important that the proliferation of Weapons of Mass Destruction (WMD) and Proliferation Financing are detected and prevented.
The Financial Action Task Force (FATF) recommends countries implement UNSC Resolutions concerning the prevention, disruption, and suppression of the proliferation of weapons of mass destruction (WMD) and Proliferation Financing. The countries are required to apply a freezing mechanism without any delay.

3 Stages of Proliferation Financing

To understand Proliferation and Proliferation Financing, it is essential first to understand the 3 stages of proliferation financing:

1. Program Fundraising

This is the first stage for proliferators, where they gather or raise funds through illegal activities or predicate offences such as extortion, kidnapping, narcotics, smuggling, fraud, theft, robbery, or legitimate means such as improper use of charitable or relief funds where the donors may or may not know that donations given have been utilised to support PF causes. It could also be a state-sponsored activity where funds are provided through a domestic budget.

2. Disguising the funds

Disguising funds is a stage where the origin of the funds raised is made to look legitimate through a web of transactions within the complex business network by creating bogus invoices inter-se, usually through shell companies. In this stage, the proliferator blends the proceeds of crime with the international financial system. Many fake documents or paper trails are created to obscure the true nature of the origin of funds.

3. Procurement of proliferation-sensitive materials and technology

In the third stage, the proliferator uses the funds accumulated to pay for the goods, materials, technology, and logistics needed for its WMD proliferation program.

How does Proliferation Financing differ from Money Laundering and Terrorist Financing?

Proliferation Financing differs from Money Laundering and Terrorist Financing. The differences are highlighted in the table below:

| Sr | Criteria | Money Laundering | Terrorist Financing | Proliferation Financing |
|---|---|---|---|---|
| 1 | Stages | Placement → Layering → Integration | Fund Raising → Moving → Using | Fund Raising → Concealing → Procuring materials/technology |
| 2 | Motivation | Personal Benefit, Profit-maximisation. | To support a political, religious or psychological ideology. | For projecting a state as a global power, recognition, profit-making, or support a sanctioned state. |
| 3 | Intention | To legitimise the ill-gotten money. | To force others to do things through violent means. | To procure goods to develop WMD without getting caught. |
| 4 | Funding Sources | Illegal activities – predicate offences, tax evasion. | Illegal activities – predicate offences, improper use of donated funds. Legal means – donations, employment, business income, etc. | Illegal activities – Predicate offences. Legal means – foreign government sponsors, business income, employment, donations, etc. |
| 5 | Conduits | Banks and financial institutions. | Hawala, exchange houses, cash couriers. | Banks and Financial Institutions |
| 6 | Transaction Amount | Large amounts structured in a way to avoid monetary threshold | Small amounts below the monetary threshold | Moderate amounts |
| 7 | Methodology | Shell companies, Offshore secrecy havens, bearer shares, complex transactions. | Smuggling of cash and precious items, formal banking system, money exchange houses, Hawala. | Normal business transactions structured in such a way that they hide the source of funds. |
| 8 | Money Trail | Circular | Linear | Linear |
| 9 | Countering Mechanism | Suspicious transactions identification – Unusual transactions considering a person’s profile. | Suspicious relationship identification – transactions between unrelated parties. | Suspicious individuals, entities, transactions, states, goods and materials identification. |

Red Flags Associated with Proliferation Financing

Customer Profile Risk Indicators for combating proliferation financing are where the customer:

  • Provides vague or incomplete information about their proposed trading activities or legal entity, its owners, or senior managers appearing in sanctioned lists or negative news during ongoing monitoring or subsequent stages of due diligence.
  • Is a person connected with a country known for proliferation financing.
  • Is dealing with dual-use goods or complex equipment for which they lack technical background or which is inconsistent with their line of activity or usual course of business.
  • Involves complex trade networks involving numerous third-party intermediaries, unnecessarily creating a web of transactions.

Transaction Activity Risk Indicators

  • The transaction involves designated individuals or entities subject to reporting requirements.
  • The transaction involves higher-risk countries or jurisdictions, other entities with known deficiencies in AML, CFT, countering of proliferation financing controls, or possible shell companies.
  • Transactions that involve items controlled under dual-use or export control regimes or the customers have previously violated requirements under dual-use or export control regimes.
  • Transactions where the customer is domiciled in a country with weak implementation of relevant UNSCR obligations and FATF Standards or a weaker export control regime than Singapore’s.

Trade Finance Risk Indicators

  • The customer requests a letter of credit for trade transactions for the shipment of dual-use goods or goods subject to export control.
  • There is a lack of complete information or inconsistencies in trade documents and financial flows, such as names, companies, addresses, destinations, etc.
  • Transactions include wire instructions or payment details from or due to parties not identified on the original letter of credit or other documentation.

Assessing the risks associated with Proliferation Financing

Proliferation Financing risk assessment is based on the risk-based approach (RBA) prescribed under Singapore Law and FATF recommendations. A Proliferation Financing risk can be seen as the result of three factors: threat, vulnerability, and consequence.
The threats are discussed as red-flag indicators and refer to designated persons and entities that can potentially evade or breach PF-TFS (Targeted Financial Sanctions). Critical Proliferation and PF threats include countries like North Korea and Iran, along with terrorist groups who are always assumed to be interested in nuclear weapons and radiological materials.
Vulnerabilities can be seen as the evasion of sanctions or non-implementation of sanctions. PF vulnerabilities may be based on factors such as business structure or sector (banking or insurance), products or services (virtual assets or money transfer services), customers and transactions (customers from high-risk jurisdictions like Iran).
Consequences refer to the outcome where proliferators use the funds to acquire materials, items, or systems for developing and maintaining illicit nuclear, chemical, or biological weapon systems.
A Proliferation Financing risk assessment may follow the same stages as an ML/TF risk assessment, namely identifying, assessing, and understanding the PF risk in an entity’s business and taking reasonable steps to manage and mitigate PF risks.

6 Steps for Proliferation Financing Risk Assessment

  • Preliminary Analysis
  • Planning and Organisation
  • Threats and Vulnerabilities Identification
  • Analysis
  • Evaluation and Follow-up
  • Update

PF risk needs to be identified and assessed concerning:

  • customer’s profile
    • if the customer is sanctioned by any of the Sanctions Lists
    • identification of individuals and ultimate beneficial owners against the names in the sanctions list during the screening process
    • customer’s country of origin and present location
    • countries or territories where the entity has operations in
  • nature of product or services engaged in, such as PSPMs or VASPs (e.g. value, liquidity, or source)
  • the services provided (e.g. retail, wholesale, manufacture, or export/import)
  • mode and value of transactions (e.g. cash, in-kind payments, bank transfer, credit card, virtual currencies, or digital payment tokens); and
  • delivery channels (e.g. the over-the-counter, courier or delivery to a foreign country or territory)
Thus, knowledge of PF risk helps with combating proliferation financing.

Difficulties associated with the identification of Proliferation of WMDs and Proliferation Financing

1. Dual Use Goods

Dual Use Goods have legitimate uses as well. Proliferation of WMDs is easier to detect if the fully manufactured products are bought. With dual-use chemicals, it is difficult to separate legitimate use from illegitimate use. Further, it requires a specialist to identify such materials.

2. Complex Networks

Complex Networks are created to facilitate trading WMDs and components used therein. Criminals create false documentation, making it even more difficult to identify proliferation financing. Further, agents, front companies, and false end-users are used to conceal the true identity behind such transactions.

3. Transfer of Funds through legal channels

Often, the funds are transferred through legal channels for a transaction that appears perfectly in line with normal business transactions. The source of funds is normally legitimate, causing no suspicion, but only the end-user identification is obscured.

4. Crypto transactions

Crypto transactions are harder to detect. New platforms built on distributed ledger technology, i.e. ‘blockchain’, support anonymity and make it difficult to identify the criminals and the underlying transactions.

Measures to Prevent and Mitigate Proliferation Financing Risk

Simply identifying, assessing, and understanding PF risk factors is not enough. The Singapore government has enacted laws, regulations, and guidelines based on the National Risk Assessment. More particularly, the guidelines for the precious metals and precious stones dealers sector prescribe a practical AML/CFT/PF governance framework that entities should implement to mitigate risk. These guidelines broadly address the need for commitment, participation and authority of owners and controlling persons such as directors and senior management to ensure that PF risk mitigation measures are adequate, robust, and effective. To be able to do so, controlling persons should be well-informed about the latest legal and regulatory developments and ensure that processes are in place to manage and mitigate ML/TF/PF risks.
The critical tool or programme to aid in AML/CFT/PF governance is the implementation of sound Internal Policies, Procedures and Controls (“IPPC”), which are approved by the controlling persons and provide for
  • Compliance management arrangements
  • Ongoing or regular program to train employees on the IPPC.
  • Enhanced measures to manage and mitigate the risk of ML/TF/PF where higher risks are identified.
  • Ideally, the IPPC should cover aspects such as
    • Assessment of risks faced by the business.
    • Appointment of compliance officer and charting out their roles and responsibilities.
    • Procedures in place for carrying out diligence measures such as Customer Due Diligence (CDD) and Enhanced Customer Due Diligence (ECDD).
    • Procedures to fulfil reporting obligations to Singapore’s Financial Intelligence Unit – Suspicious Transaction Reporting Office (STRO), such as Suspicious Transaction Reports (STRs), Cash Transaction Reports (CTRs) and Cash Movement Reports (CMRs) to analyse and detect Money Laundering, Terrorism Financing, Proliferation Financing, and other serious crimes.
    • Record-keeping requirements.
  • Further, the IPPC should be consistent across the group, branches, and subsidiaries; in simple words, group oversight should be taken care of. Where a branch or subsidiary is in a foreign country or territory whose laws for the prevention of ML/TF/PF differ from Singapore’s, adequate measures must be applied to ensure consistency in mitigation measures across the group.

Best Practices to Counter WMD Proliferation and Proliferation Financing

  1. Screening of customers, suppliers, goods, and third-parties associated with the transaction.
  2. Staff training on Dual-Use Goods, PF red flags, WMD and PF typologies
  3. Transaction Monitoring
  4. Validation of shipping container numbers
  5. Maintaining up-to-date sanction lists
  6. Checking if a Government license is required to transact in certain goods

Proliferation Financing and Customer Risk Assessment

While assessing the overall risks associated with a customer, WMD Proliferation and Proliferation Financing risks must also be considered.

| Criteria | High | Medium | Low |
| --- | --- | --- | --- |
| Geography | WMD Proliferator Country | Countries with undeclared WMD Programs | Others |
| Geography | Countries with weak controls as to ML/TF/PF | Countries with moderate controls as to ML/TF/PF | Countries with strict controls as to ML/TF/PF |
| Customer | Deals in Dual-Use Goods | Deals in standard industrial goods | Deals in non-industrial goods |
| Customer | Manufactures Dual-Use Goods with a history of export control violations | Manufactures Dual-Use Goods | Does not manufacture Dual-Use Goods |
| Customer | A University with a nuclear physics or a technical department with a history of export control violations or a sanctioned university | A University with a nuclear physics or a technical department | Others |
| Customer | Connected with a proliferating country | Connected with a country with diversion concern | Not connected with a proliferating or diversion concern country |
| Business Transactions | Inconsistent with the customer’s profile | Occasionally inconsistent with the customer’s profile | In line with the customer’s profile |

Conclusion

Entities transacting or involved with international businesses form the first line of defence to disrupt and prevent funds from reaching criminals’ hands for proliferation financing activities.
These entities need to maintain a watchful eye on events worldwide to look for threats of ML/FT/PF activities that may use their business as a vehicle to carry out their illicit operations by channelling their funds through entities within Singapore.
To disrupt proliferation and its financing, entities must be aware of the red flags for combating proliferation financing. As discussed above, it is necessary to utilise the strategic framework and ensure that IPPC and STRO requirements are complied with.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


A Guide to Avoiding the Top 6 AML Record-Keeping Mistakes


AML record-keeping is one of the most crucial obligations of the regulated entities. The entities need to ensure that they maintain adequate AML/CFT records to meet regulatory requirements. The ML/FT records maintained by an entity help authorities in further investigations and combatting financial crimes. In this article, we will explore the top 6 AML record-keeping mistakes and global best practices to avoid them.

Singapore AML regulations

The Monetary Authority of Singapore (MAS) supervises the implementation of AML provisions in financial institutions. Further, the Accounting and Corporate Regulatory Authority (ACRA) supervises accountants, accounting firms and trust or company service providers (TCSPs). The Council for Estate Agents supervises the real estate agency sector, and the Casino Regulatory Authority supervises casinos.
These authorities mandate the regulated entities to keep all data, documents, and information related to:
  • Customer due diligence (CDD)
  • Know Your Customer (KYC)
  • Customer risk assessments
  • Transaction monitoring results
  • Records of transactions with customers
  • Copies of STRs, SARs, and other reports submitted to MAS
  • Other AML-related relevant documents
The regulated entities must maintain all these records for five years following the transaction completion or termination of business relations.
You can maintain these records as originals or copies in any of the following forms:
  • Paper
  • Electronic form
  • On microfilm
The Singapore court of law may ask for these documents as evidence. You must create and maintain these records to submit them to the court when requested.

What records must be maintained under the AML/CFT Laws of Singapore?

The law requires regulated entities to maintain records of the following:

Customers’ identities

You must collect information on individuals, such as names, dates of birth, addresses, and other details. Gather necessary documents to verify these details, like address proof and identity documents. For entities, you must find information on names, incorporation date, number of employees, beneficial owners, and other relevant data. You must also save your correspondence with customers on transactions, business relationships, and other matters.
You must save these data points on your individual and entity customers and refer to them when needed before a transaction. Collecting these data points before forming a business relationship is essential. Results of customer screening against watchlists, PEPs, and sanctions are also vital.
Also, you must recheck them regularly to update the changes, if any. Maintain proper records in the correct format and language. Raise an alert when you detect something suspicious. Maintaining the templates and forms you use to collect KYC and CDD data is also crucial.

Transaction details

It would be best if you tracked your transactions to avoid any possibility of money laundering. For this, you must collect data on each transaction, such as:
  • Date of transaction
  • Parties involved and their role
  • Type of transaction
  • Transaction value
  • Taxes and charges involved
  • Medium of payment
  • Payment date
  • Source of money or name of the sender
All these information points can serve as a good reference in the future when you want to trace a transaction. Also, you can raise an alert if you spot something out of the ordinary. For example, it is suspicious if the payment value is enormous and the customer prefers an all-cash transaction.

Suspicious transactions and activities

Most of the effort for AML compliance is towards identifying suspicious transactions. You can stop, prevent, or reduce their effects only when you identify them. So, it’s crucial to have records of these suspicious transactions.
Every regulated entity must understand what a suspicious transaction is in their field of operations, such as a sizeable cash-value transaction or a transaction with the involvement of an unknown third party. All these are different types of suspicious transactions found in different industries. You must make a list of all the possible transactions. Then, review your transactions and compare them to detect suspicious ones.
You must maintain records of such suspicious transactions and other related details. It helps you avoid similar transactions. Since you maintain records of all transactions, separate the suspicious transactions from that list and make another file. Analyse it properly to identify patterns or trends and make conclusions. Thus, these records can help you in your future decisions. Also, you need to report these to authorities.

Records of detailed investigations

When you identify suspicious transactions, some of them are false positives. But if those relate to high-risk customers, you must investigate further.
More investigations require you to collect more data from customers and other parties. You must maintain records of the extra data and information you analyse. Whatever evidence you get, save it. Such records help you determine whether the activity has linkages to money laundering.
If you want any third party or authority to investigate further, you can submit these records to help in their assessment.

AML Compliance Officer’s reports

Entities under the AML regime in Singapore must have a dedicated AML compliance team. This team must have a deserving AML compliance officer to manage all AML-related activities.
They will ensure the business complies with all the AML provisions in Singapore. For this, they will:
  • Create AML framework, policies, procedures, and controls
  • Manage the monitoring of transactions with customers
  • Supervise risk assessments of customers and build risk profiles
  • Conduct training for employees
  • Ensure submission of reports to MAS and other authorities
You must maintain a copy of the reports the officer submits to the senior management and MAS. These records will help you refer to them for decision-making in the future. Also, these reports are a summary of the entity’s efforts for AML compliance. So, you must maintain them as records to assess your past performance and make plans.

Training programs with complete details

AML regulations in Singapore require you to conduct AML training for your employees. The authorities might ask you about the different training programs conducted for them. So, it would be best if you made a note of the following details on your training programs:
  • Topics covered in training
  • Number of participants
  • Seniority level in the business
  • Education and experience of participants
  • Materials used
  • Medium of training
These records enable you to prove to others that you are doing enough to follow AML regulations.

Communication with MAS and other authorities

An often ignored aspect of record-keeping is all your communication with MAS. You must maintain its records until there is clarity on that aspect. Records of the following are necessary:
  • Any requests for submissions of documents or reports from MAS and other authorities
  • Any complaints raised by MAS on your AML compliance
  • Your response to MAS on their complaints and their approval
  • Any requests/queries, or doubts submitted by you to MAS
These will help you get confirmation on your AML compliance and work towards it better.

AML actions taken until now

MAS and other relevant AML authorities in Singapore expect AML compliance from you. In this race, they supervise your AML efforts. They review your AML compliance and recommend remediation measures to you.
In response to these recommendations, you must act to comply with AML regulations. You must maintain records of every action you take. You must give details on the recommendation, the action taken, and its impact on your business. You must also attach the audit reports on your AML compliance efforts.
These records are essential to know your actions in response to MAS’s supervisory engagement. Also, it proves that you are working towards complying with all provisions of AML laws.

Unprocessed information

Suppose you conduct investigations on customers or transactions that later turn out to be non-suspicious. That means the customer or transaction is legal, and you did not find any trace of money laundering. It does not mean that you delete the records of such investigations.
You must maintain proper records of such transactions and customers who were initially suspicious but later found non-suspicious.

Top 6 AML record-keeping mistakes to avoid

The above section explains the various types of records you must maintain for AML compliance. While creating and maintaining these records, adopt the global best practices. You must avoid the following mistakes to keep your records relevant for your business and Singaporean authorities:

1. Failure to maintain records per requirements

It’s the age of technology. Generally, companies maintain records in the AML KYC Software. This ensures complete and accurate records. Also, you can be sure of their safety and security. You can keep these records confidential by managing permissions for accessibility. Also, such software solutions allow analytics and insights generation, leading to better decision-making and compliance.
In Singapore, you must maintain records in originals and copies in paper, digital, or microfilm formats. So, you must maintain these records in these forms.

2. Not keeping records secure and confidential.

Data confidentiality is a serious issue. There are chances of data theft by internal employees or external hacking. So, make it a practice to protect all your sensitive data.
In the case of AML, generally, you have data on customers and transactions. Any theft of this data leaks customer information and payments-related materials. So, you must encrypt the data to keep it secure. Also, permit only a few trustworthy personnel to access data.

3. Failure to keep updated ML/FT records

Constant changes occur in AML compliance requirements. Even organisations undergo changes in operations, processes, data, and other aspects. So, all these amendments must have equal adjustments in records as well.
You can’t keep your records outdated. So, update them according to the changes in your business. If you keep them up-to-date, there are higher chances of easy and smooth compliance. So, don’t forget to update your records as and when new changes come.

4. Overlooking the need for regular audits of records

Your records might have some errors or loopholes. Also, the record-keeping processes can have deficiencies or gaps. These deficiencies can lead to inaccurate or incomplete records, affecting your AML compliance. So, it is crucial to pay attention to audits of your records and record-keeping processes.
You can set a schedule for regular internal audits. You can identify errors and rectify them to improve their quality and efficiency. Also, you can set an annual external audit by an AML auditor to get an outside perspective on your record-keeping procedures. These records must meet regulatory standards and help you comply with them.

5. Insufficient reporting

You are maintaining records of customers and their identities. You also have records of transactions in value and volume and related aspects. You maintain all these records to help you with AML compliance.
What happens when you detect some red flags in records? Or some strange activity, different from the usual? You report it to authorities. This is what you are supposed to do with records. Whenever you spot something unusual, report it to senior management or regulatory authorities. These records help you create reports to submit to authorities according to Singaporean reporting requirements.

6. Improper destruction of records

According to Singaporean AML regulations, you must maintain these records for five years. After five years, you can destroy them unless MAS asks you not to destroy specific records.
But while destroying these records, ensure it happens properly and securely. Use a solution to ensure permanent deletion from electronic sources. If those are paper records, you can shred them to destroy every part of the paper. Whatever way you use, ensure there is no trace left.

How can AML Singapore help you?

You know the various records you must maintain for AML compliance in Singapore. These records will act as evidence of a successful AML compliance program. Also, the investors and senior management feel confident about the entity’s AML efforts after seeing these records. So, avoid these basic pitfalls in record-keeping to ensure up-to-date, accurate, and complete records.
If you need help designing your record-keeping procedures, hire an expert AML consultant like Niyeahma.
Niyeahma is a leading AML consultant in Singapore. We help with this fundamental task of proper record-keeping. Our expert AML professionals ensure you stay safe from the legal repercussions of AML non-compliance. We also regularly audit these records to check for gaps and inconsistencies. Besides AML compliance, it helps you with operational efficiency and financial management.
So, give record-keeping the importance it deserves and adopt its best practices.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)


The ABC of AML screening: 8 common mistakes you can’t afford to make


AML screening helps assess the risks of an existing or potential customer for your business. These risks include money laundering, terrorism financing, and similar financial crimes. Screening allows you to check and verify their identities against several lists. Let’s explore the ABC of AML Screening and learn about the common mistakes that businesses make while screening a person or an entity.
The screening helps match your customers against the lists of:
  • Terrorists
  • Sanctions
  • Politically Exposed Persons (PEPs)
  • Banned or wanted
  • Adverse media
These checks are necessary to see if your customers are on any of these lists. If they are, you do not transact with terrorists, sanctioned, or banned customers. You conduct Enhanced Customer Due Diligence (ECDD) for politically exposed persons (PEPs) and customers with negative media references before forming a business relationship. If they don’t appear on the above lists, you can be sure of their identities and proceed with the transaction.
AML screening of employees is also essential for entities. You must check their backgrounds to verify their involvement in money laundering activities. These checks help you prevent the threats of financial crimes.
Let’s dive into the world of AML screening to understand:
  • Types of AML screening
  • Benefits of AML screening
  • Process of AML screening
  • When is AML screening necessary?
  • Mistakes to avoid while performing AML screening

Types of AML screening

The different types of AML screening include:

PEP checks

PEP means politically exposed persons. These can be government officials or members of a political party. Because of their job and position, they have higher opportunities to engage in bribery, corruption, money laundering, or other financial crimes. These can also include high-position officials in other public sectors.
By PEP screening, you can prevent the occurrence of these crimes. You can screen your clients against this PEP list. If matches are found, you perform Enhanced Customer Due Diligence and obtain senior management approval before entering into a transaction.

Sanctions screening

Sanctions are the lists of restrictions countries or international organizations impose on individuals, entities, activities, countries, or regions. These restrictions exist to avert threats to security, peace, or humanity. Restrictions can include:
  • Trading not allowed
  • No access to financial systems
  • Penalties
Family members or business associates might also feature in the sanctions list because of their association with a sanctioned individual or entity. By sanction screening, you can identify such customers and avoid onboarding them.

Watchlist screening

Watchlists are databases of known criminals or suspected persons. These can be individuals involved in:
  • Terrorist activities
  • Illegal arms, human, or drug trafficking
  • Corruption
  • Money laundering
  • Proliferation of weapons of mass destruction
Governments, regulatory bodies, international organizations, and law enforcement agencies create such lists. You scan your clients against these lists to see if their names feature in any of them. If yes, you can stop transacting with them or don’t enter into a business relationship with them.

Adverse media screening

It includes checking your existing and potential clients’ names in adverse media. You can check the news, media databases, and social media posts for this. Databases of legal filings and public records are also good sources to search for adverse media.
Any negative news about them in the past can be a tip for you on their involvement in illegal activities. You must search the individual’s name and related keywords on these databases for negative mentions. Nowadays, companies use artificial intelligence (AI), natural language processing (NLP), and other advanced technologies to screen adverse media.
You can perform Enhanced Customer Due Diligence for such customers and submit a Suspicious Transaction Report if you suspect ML/TF.

Background checks of employees and outsourcing service providers

These are not the usual checks of customers. These pertain to screening your employees and outsourcing service providers. You must conduct background checks whenever you onboard a new employee or outsource a task to a third party.
Any kind of association of employees or outsourcing vendors with illegal activities may harm your reputation. By conducting such checks, you can prevent the following types of threats:
  • Recruitment of a criminal candidate
  • Theft of data or intellectual property
  • Association with perpetrators of illegal activities

Benefits of AML screening

By screening your customers regularly, you realize who is risky and who isn’t. Besides, you can also enjoy the following benefits:

Contribute to the greater good

AML compliance is one of the ways to protect national and international economies from financial crimes. Screening customers, transactions, and employees helps you identify and verify suspicions. Thus, it helps keep your business from transacting with criminals. You can avert the entry of illegal money into the regulated and legal financial system. This is how you can ensure national and global business community security.

Comply with AML regulations

Conducting KYC and due diligence of customers are critical parts of an AML framework. And AML screening of customers is one of the ways to know your customers better. Thus, by conducting an AML screening, you fulfil one requirement of your AML framework. It helps you in AML compliance. Thus, you also protect your business from non-compliance fines or penalties.

Prevent financial crimes

By conducting customer screening, you verify their identities. Thus, you learn about the potential source of risks to your business. Based on the results of such AML screening, you can decide whether to form a business relationship with them. If you don’t transact with them, you save your business from the risks of financial crimes.

Maintain your business reputation

If you conduct such AML screening, you can detect risks to your business better. Thus, you can make plans to manage and mitigate them. This shows your serious attention to AML compliance to avoid financial crimes. It gives you good publicity, building customers’ trust in you. Thus, you can improve your business reputation and reliability in the market.

Process of AML screening

The process of AML screening includes the following steps:
  1. Collect customer data and information necessary for screening them against watchlists.
  2. Verify their identities through identity documents collected from them.
  3. Match your customers against different national and international watchlists.
  4. Keep aside the confirmed matches and take the required measures.
  5. For potential matches, investigate further to reduce the chances of false positives.
  6. Regularly screen your customers against these watchlists to detect suspicions.

When is AML screening necessary?

You must conduct AML screening during or before the following processes:
  • Before onboarding a new customer
  • Before employing new employees
  • Constant and regular monitoring of customers
  • When the local and international lists of sanctions, PEPs, bans, terrorists, etc., undergo changes
  • When your existing customers’ beneficial owners or management changes

8 Mistakes to avoid while performing AML screening

Different types of AML screening are essential for your AML compliance program. You know the benefits it provides to your business. You can also see the procedure for conducting AML screening. If you commit any mistake during this process, it might not generate the stated benefits. The blunders you must try to dodge while conducting this process include the following:

1. Conducting only manual screening

This aspect needn’t be explained but is a common pitfall in AML screening. Sometimes, entities only screen their customers manually against lists of sanctions and PEPs. This would be okay if the dataset is small.
In the case of a large database of customers, manual screening may not be the best option. The process is error-prone, takes time, and you might miss a few matches. Using advanced technological systems can be a game changer in such situations. You get a guarantee of high accuracy, less time, and a comprehensive screening process.
So, choose a combination of manual and automated screening for better quality results and higher efficiency.

2. Missing international databases


3. Failure to generate reports of such AML screenings

As a part of your AML frameworks, you will conduct regular AML screenings of customers. It’s a best practice to maintain records of the screening performed. Businesses often tend to neglect this aspect and fail to meet the record-keeping requirements required under the law.

4. Using outdated lists for matching

How about screening your customers against outdated lists? There are higher chances of false positives. You gauge a customer as a sanctioned individual, but they are not on the updated list. Alternatively, you do not find a customer in any sanction list and transact with them. But they may feature in updated lists.
In any of these cases, you will suffer. In the first case, you miss out on a good customer. In the second case, you get involved with a criminal.
So, use updated lists of PEPs, sanctions, and watchlists. The relevant organizations release updated lists, so you must stay up-to-date with them.

5. Conducting AML screening only once during the entire customer lifecycle

Individuals change. Entities change. And you must also adjust to these changes. So, you cannot stay put with the first screening of customers you did while onboarding them.
It’s crucial to screen your customers on an ongoing basis. If you miss, you might become vulnerable to such financial crimes. Situations like the following call for ongoing AML screening:
  • Changes in your clients’ beneficial owners or global presence
  • Request for some unusual, unique, highly complex, or unreported transaction
  • Change in the source of funds
  • Request for a transaction inconsistent with the customers’ risk profile or usual activities
  • Involvement of a third party in the transaction
  • Changes in the sanctions, PEP database, and Adverse Media lists
You might never know when you become a part of an illegal transaction. So, match your customers with these lists regularly. Regular monitoring helps you avoid any chances of money laundering crimes.

6. Absence of quality checks of AML screening process

Is your AML screening process generating false positives? Are you doubtful of the quality of AML screening results? If yes, your AML screening process is not up to the mark.
It’s not only about the quality of the technological system you use for these checks. The overall process needs a revamp. You must check with the screening software vendors on the reliability and relevance of the data, data update frequency, fuzzy logic, ongoing monitoring functionality, and more.

7. Forgetting to screen former names or acronyms

Sometimes, the mismatch between customers and these watchlists is due to acronyms, nicknames, or different names.
Now, the watchlists and databases might use the former names of individuals or entities. You screen your clients’ current names. In such cases, there is a possibility of no match.
Alternatively, entities might be using acronyms while databases mention the full names of companies. Sometimes, the names are not in the Latin alphabet, and their translation is inaccurate. So, you must check all these options to avoid missing any matches.

8. Lack of fuzzy logic matching

A critical aspect to remember while matching clients with databases is approximate matching. Generally, entities believe in 100% matching of names. But that shouldn’t be the case. You might be missing out on some criminals or money launderers just because they didn’t match 100%.
You must include fuzzy logic matching in your AML screening tools. It allows you to set alerts for approximate matches. Also, ensure the incorporation of AI and machine learning to improve data accuracy in fraud detection.
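
The checks described under mistakes 7 and 8 can be combined in one screening routine. The following is an added example, not part of the original article and not any vendor's screening engine: it compares every known customer name against listed names and aliases after normalization, with a fuzzy-match threshold and an acronym check. The watchlist entries, the 0.85 threshold, and the legal-suffix list are constructed assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample watchlist (not real sanctions data). "aliases" holds
# former names, nicknames and alternate spellings published with an entry.
WATCHLIST = [
    {"id": "WL-001", "name": "Aleksandr Petrov",
     "aliases": ["Alexander Petroff", "Sasha Petrov"]},
    {"id": "WL-002", "name": "Global Maritime Trading Company Limited",
     "aliases": ["Oceanic Freight Holdings"]},  # former name
    {"id": "WL-003", "name": "José Martínez Núñez", "aliases": []},
]

# Assumption: legal-form words carry no identifying value and are ignored.
LEGAL_SUFFIXES = {"ltd", "limited", "pte", "inc", "llc", "plc", "corp", "gmbh"}


def tokens(name):
    """Lowercase, strip diacritics and punctuation, drop legal-form words.

    Assumption: names are already in Latin script; names in other scripts
    need a transliteration step before this function.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    words = re.sub(r"[^a-z0-9]+", " ", no_marks.lower()).split()
    return [w for w in words if w not in LEGAL_SUFFIXES]


def similarity(a_tokens, b_tokens):
    """Word-order-insensitive similarity in [0, 1] between two names."""
    a = " ".join(sorted(a_tokens))
    b = " ".join(sorted(b_tokens))
    return SequenceMatcher(None, a, b).ratio()


def acronym_match(a_tokens, b_tokens, min_len=3):
    """True if one name is the initials of the other (e.g. GMTC)."""
    for short, long in ((a_tokens, b_tokens), (b_tokens, a_tokens)):
        initials = "".join(word[0] for word in long)
        if len(long) >= min_len and "".join(short) == initials:
            return True
    return False


def screen(customer_names, threshold=0.85, watchlist=WATCHLIST):
    """Screen all known names of one customer (current, former, trading)
    against every listed name and alias.

    Returns the best hit per watchlist entry; each hit is an alert for a
    human analyst to review, not a confirmed match.
    """
    hits = []
    for entry in watchlist:
        best = None
        for listed in [entry["name"], *entry["aliases"]]:
            listed_tokens = tokens(listed)
            for customer in customer_names:
                customer_tokens = tokens(customer)
                if not listed_tokens or not customer_tokens:
                    continue  # nothing comparable after normalization
                score = similarity(customer_tokens, listed_tokens)
                if sorted(customer_tokens) == sorted(listed_tokens):
                    kind = "exact"
                elif acronym_match(customer_tokens, listed_tokens):
                    score, kind = 1.0, "acronym"
                else:
                    kind = "fuzzy"
                if score >= threshold and (best is None or score > best["score"]):
                    best = {"id": entry["id"], "customer_name": customer,
                            "matched_on": listed, "score": round(score, 3),
                            "kind": kind}
        if best:
            hits.append(best)
    return hits


if __name__ == "__main__":
    # A misspelt name is missed by exact matching but caught at 0.85.
    print(screen(["Alexandr Petrov"], threshold=1.0))
    print(screen(["Alexandr Petrov"]))
    # Current name is clean; the former name and the acronym both hit WL-002.
    print(screen(["Harbour Star Pte Ltd", "Oceanic Freight Holdings"]))
    print(screen(["GMTC"]))
```

Lowering the threshold raises the number of alerts to review, so the value chosen should be tested against known true and false matches before it is relied on.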

Concluding thoughts

You must adopt these best practices in your AML screening processes. Comprehensive screening with accurate and faster results is what you aim for. So, the best solution is to use advanced technology systems to automate the process. You can conduct further investigations and deploy adequate risk mitigation initiatives based on the alerts generated.
You can also refer to MAS’s guidance on Strengthening AML/CFT Name Screening Practices released in April 2022. It is an information paper on MAS’s inspections of entities’ name screening processes. It assessed how robust the entities’ AML screening frameworks were and provided the results.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Best practices for identifying and implementing the right AML controls


The challenges of money laundering are rising day by day. These and other financial crime threats are affecting many aspects of your business. So, dealing with them and finding the right corrective actions is vital for your business. You must have the right approach to strengthen your AML compliance in Singapore.
The first step of a robust AML framework is identifying and assessing your business risks. After this, you must identify and execute control measures to prevent these risks. This is what any business entity in Singapore does.
But it’s not as straightforward and easy a process as it seems. You require a clear, detailed strategy for planning control measures. You need to follow many steps.
So, you must adopt best practices to develop appropriate measures for your business. Without this, you will be directionless. Invest time, money, and effort to identify and execute AML/CFT control measures.
The blog here focuses on the best practices you can adopt for planning these control measures.

Best practices for the identification and implementation of AML controls

For framing effective AML controls to combat money laundering and terrorism financing and stay compliant with Singapore AML regulations, you must adopt the following best practices while identifying and executing AML controls:

Stay abreast of the regulatory provisions for your business

Singapore has many regulations and laws against money laundering and other financial crimes. Like other countries, Singapore extensively focuses on reducing the risks of such crimes. To this end, it keeps updating and changing its regulations in response to industry needs and rising crimes.
To develop suitable AML controls, you must stay up-to-date with these rules. You will need to refer to them while developing AML controls. You will incorporate the rules and guidelines by authorities in your internal controls. So, it is crucial to stay updated on these changes.
Failure to do so might lead to ineffective controls, resulting in non-compliance and increased exposure to financial crime.

Conduct comprehensive risk assessment and profiling

What do you need to develop measures against money laundering risks? A clear classification of risks. And how do you do that? By conducting risk identification and assessment.
That is why conducting a detailed risk detection and analysis is crucial for your business. Without the analysis, you cannot develop measures against these risks. So, identify the risks from your customers, delivery channels, products, and geographic locations. Analyze them to understand their sources and impact better.
Also, keep updating this risk assessment per the changes in regulations. Such risk assessments must include all the types of risks to your business.
If you miss such risk assessments and profiling, you will not have the basis to develop your AML controls.

Ensure effective understanding of suspicious transactions and risk indicators

The identified controls will reduce, end, or prevent money laundering. But you need to know what kinds of suspicious transactions your business can be exploited for. Understanding the red flags is crucial for putting in place proper controls.
You can detect unusual activities by implementing advanced technology systems. In these systems, you must develop rules to generate alerts for suspicious behaviour. You can also set parameters or thresholds for alert triggers. This is possible when you understand and are on top of the sector-specific financial crime typologies and trends.

Take a risk-based approach while designing your AML control strategy

Your business faces risks from different customers. Not all customers have the same risk level and type. So, you must design solutions according to each customer’s risk.
If the customer is highly risky, you must be extra cautious while dealing with them, or not transact with them at all. If the risk is low, you can conduct transactions after confirming all details. If the risk is medium, you can conduct the basic due diligence before transacting.
You are wasting your money and time if you conduct enhanced due diligence for a low-risk customer. Similarly, a simple CDD for a high-risk customer will make you vulnerable to ML/FT risks. So, consider your risks before identifying the appropriate control measures.
Therefore, you must take a risk-based approach while strategizing these measures.

Create and maintain comprehensive records of transactions

The AML control measures are not a one-off exercise. You will have to keep implementing new initiatives as and when risks change. When new customers come on board, you might have to rethink your AML controls.
So, record keeping of suspicious transactions, risk scores, and KYC & CDD measures is essential. You can refer to these records whenever needed to develop effective AML controls. These records are also necessary during audits. You will also be required to submit some of these records to the regulatory authority.
Thus, you must have comprehensive, categorized, correct, and complete records. These records enable your compliance with AML reporting requirements.
In the absence of these records, you will fail to comply with Singapore AML laws.

Cultivate a culture of collaboration and communication between teams

The execution of any strategic initiative in an organization needs collaborative effort. Different teams must cooperate on different tasks. Be it risk management, customer handling, legal, or compliance teams, collaboration is a must.
Therefore, you must ensure collaboration and cooperation with other teams. Information sharing and smooth communication are also crucial in your AML measures.
Such communication will lead to effective measures against ML/FT risks. You can combine the intelligence of different departments to develop a cohesive approach for preventing ML/FT activities.
Besides internal communication, external collaboration is essential for an action-oriented AML plan. Such collaboration can occur with regulatory authorities, industry peers, and legal agencies. With such cooperation, you can be more aware of the types of suspicious transactions, potential customer risks, and technological innovations.
So, focus on complete, up-to-date, and dynamic AML risk assessments.

Find the proper use of secure and innovative technology in your processes

Technology is critical for achieving AML compliance. It is a way to reduce your threats of money laundering and terrorism financing. So, you must use the right technologies for the proper purposes in your AML efforts. Use technological solutions for risk assessment, KYC, CDD, transaction monitoring, and recordkeeping.
The right technology can boost the quality and effectiveness of the AML controls.

Prepare your employees for upcoming changes due to the implementation of controls

While implementing internal controls, you must also pay attention to your employees. They need proper training for the changed processes and workflows. They must also accept the changes these internal control measures bring about.
You must conduct awareness programs on money laundering and other financial crimes. Participants must understand the importance of AML to prevent, mitigate, or eliminate ML/FT threats. They must be ready to accept changes in workflows and procedures due to deployed controls. Training is crucial to help them understand ML/FT trends and corrective actions. With their specialization and knowledge, you can improve your defense against money laundering threats.
Unprepared employees who do not accept the changes will thwart your AML control implementation.

Update, revise, and adjust your AML controls and measures

Business conditions do not always remain the same. AML regulations also keep changing. Your business may also grow or expand into new offerings or new markets. With all these changes, it is crucial to adjust your AML controls.
You must first review your existing AML policies, procedures, and controls for adjustment. If found misaligned to the goals, you must make changes. Also, if you add new business units, you must undertake risk assessments and determine controls accordingly. New risk assessments and mitigation plans are essential if you expand to new geographies.
Also, periodic reviews are necessary to look for changes in business conditions, regulations, and industry trends. You can employ external consultants and auditors for such health checks. You can update and improve your AML controls based on their insights and analysis.
If you do not update and adjust your AML controls according to market and business requirements, you will use policies not aligned with your goals. As a result, you may not generate positive results from existing AML controls as expected.


Top 10 mistakes to avoid while conducting ML/FT Enterprise-Wide Risk Assessment


Enterprise-Wide Risk Assessment is an essential ingredient of an AML compliance program, enabling regulated entities to stay wary of the financial crime risks to their business. Once they identify the risks, they can apply relevant measures to mitigate or manage them.
As the effectiveness of the AML program is highly dependent upon the analysis of the Enterprise-Wide Risk Assessment (EWRA) or the Business Risk Assessment, the regulated entities cannot go wrong with it. If the risk assessment is erroneous or the evaluation of any risk factor is missed, the regulated entity might face repercussions. Unidentified risks might affect your business, leading to money laundering or other financial crime vulnerabilities. It affects your operations, business reputation, and financials.
So, avoiding common mistakes in such risk assessments is wise. Keep a note of them and dodge their attack.
Let’s examine these common mistakes regulated entities may make while carrying out EWRA.

Top mistakes to avoid while performing AML Enterprise-Wide Risk Assessment

The regulated entities must thoroughly conduct the business risk assessment, considering all the relevant risk scenarios and their possible impact on the business. An inadequate or inaccurate risk assessment degrades the entity’s overall anti-money laundering efforts and compliance. So, you must be cautious of these mistakes and overcome them.
The following are the common pitfalls to avoid while performing AML risk assessments:

Not defining the business’s risk appetite

An entity’s financial crime risk appetite means how much risk the business can and is ready to tolerate. It includes types of risks and their severity. It differs from business to business. The regulated entity must answer the question, “How much ML/FT risk is it ready to bear to achieve its strategic goals and objectives?” before proceeding with the risk assessment exercise. Also, when the risk appetite is defined and documented, it serves as a base for developing the entire AML framework on a risk-based approach.

No commitment from the senior management

The EWRA task begins with management-approved risk appetite and ends with their approval of the outcome of the final risk assessed.
When the senior management does not get involved in the process, the entity might face teething issues in diligently concluding the EWRA, which may ultimately impact the quality of AML measures and result in a conflict of interest between the AML compliance function and the business goals.
Thus, the senior management’s commitment to the risk assessment process is very critical.

Not taking into account the changes in regulatory provisions

Regulations keep changing. Monetary Authority of Singapore (MAS) or other AML supervisory authorities release new guidelines to tackle emerging threats, setting new benchmarks for AML compliance. All such updates and amendments must be considered because they affect the risk assessments. When critical regulatory provisions are missed while carrying out the EWRA, the entity may pay a huge price due to non-compliance and an inefficient AML program.

Overlooking some of the risk types

Risk assessment for any business involves studying and analyzing the risks from:
  • Customers/clients
  • Transactions
  • Geography
  • Delivery methods
  • Products and services
  • Technology
Developing a comprehensive business risk profile is challenging if the entity misses evaluating any of these risks. In the future, the regulated entity might face money laundering threats from the skipped risk factors, leading to non-compliance penalties and reputational damage. So, all these risk factors must be considered in assessing the ML/FT risk.

Insufficient efforts in data collection, analysis, and scoring

Risk assessment is not a simple activity. It requires dedicated efforts towards assessing the business exposure, considering qualitative and quantitative risk attributes. Any lazy attitude towards the exercise can affect the assessment results. So, the regulated entity must be thorough in:
  • Collecting data for the assessment
  • Studying the customers, geographies, delivery methods, offerings, and transactions
  • Analyzing each data point
  • Using sophisticated risk-scoring models to score risks
  • Evaluating the risks by their severity, likelihood, frequency, and impact
  • Scientifically categorizing and rating the risk parameters as high, moderate, and low risk
If the data used for risk assessment is incomplete or inaccurate, the business risk assessment will not be relevant or aligned with your goals. The entity may end up duplicating effort by redoing the exercise, or end up with half-baked results. So, reliance on a comprehensive and quality data set is critical in EWRA.

Incomplete, outdated, or static risk assessments

  • What is the frequency of conducting risk assessments in a year?
  • Whether all the latest regulations and laws have been considered while conducting risk assessments?
  • Whether all the potential threats to the business have been taken into account?
  • What about the industry trends and emerging ML/FT typologies? Have those been assessed for their potential impact on business?
  • Is your risk assessment updated to factor in the new business statistics or changing circumstances?
If the answer to the above questions is “No,” then the risk assessment exercise cannot significantly benefit the entity’s AML efforts.
The entity must keep updating EWRA frequently, incorporating changes in industry, clients, transactions, regulations, geopolitics, etc. The entity must study and assess the emerging risks to improve the effectiveness of the business risk study.
The regulated entity must adjust the Enterprise-Wide Risk Assessment based on past assessments’ accuracy level and usefulness. The entity must check whether the past risk analysis was applicable or inaccurate; if inaccurate, necessary changes must be made.
So, focus on complete, up-to-date, and dynamic AML risk assessments.

Prioritizing assessment of risks in silos instead of a holistic view

When considering a client’s risks, the entity must not consider just one factor. An isolated view of one risk does not give a complete picture. The entity must analyze the client risk from all factors:
  • What are the risks from the client’s nature of business?
  • Is there anything irregular about the products and/or services requested by the client?
  • Are their delivery methods involving any money laundering activity?
  • Does their headquarters or registration location harm the entity’s business?
  • Is their preference for specific transaction types detrimental to the regulated entity’s AML compliance efforts?
Suppose a high-risk client is based in a tax haven with no AML regulations. It is riskier than a high-risk client in a normal country with strict AML regulations.
This requires the entities to consider all these factors at the same time. If each risk is evaluated individually, it may yield a limited picture of risks. In contrast, a parallel assessment of the different risk aspects will give a holistic view of the business’s total exposure to ML/FT.

Absence of technology or the use of complicated systems

Sometimes, the methods deployed for manually assessing the risk are too simplistic and inadequate, generating no quality results. Such risk assessments might be inaccurate, time-consuming, and miss some critical data points. So, deploying sophisticated EWRA methods, including advanced tools and technology for carrying out enterprise-wide ML/FT risk assessment, is best.

Neglecting the documentation of the risk assessment process and results

AML risk assessment will help the business plan the corrective actions to combat financial crimes. EWRA empowers the entity to adopt a risk-based approach to mitigate, manage, or prevent these risks. To rely on the EWRA and ensure consistency in the measures implemented, it is necessary to document the EWRA methodology, the risk factors considered, the basis for extracting quantitative data, the final risk assessed, etc.
Further, maintaining adequate EWRA documentation is also a regulatory obligation. So, the regulated entities must not miss documenting their process, results, and conclusions to strengthen AML compliance efforts.

Not preparing for the response action

Enterprise-Wide Risk Assessment serves a purpose in the entity’s AML compliance function. It is not just an exercise. It must lead to the next step towards the AML journey.
The entity must decide how to respond to these risks based on the ML/FT risk appetite. The entity might accept a few while eliminating or reducing the impact of the others. The outcome of the EWRA must be utilized for formulating and executing a risk mitigation and management plan.


Enhanced Due Diligence: Navigating the measures to manage high-risk under Singapore AML Laws


The regulated entities engage with different customers every day, coming from different jurisdictions and various business profiles, posing different levels of money laundering or terrorism financing exposure. The AML regulations in Singapore mandate the regulated entities to apply adequate customer due diligence measures depending on the customer’s risk profile. The law prescribes adopting Enhanced Customer Due Diligence when engaging with high-risk customers, i.e., the business relationships or the transaction construed as posing an increased risk of financial crime.
In this article, let us explore Enhanced Due Diligence (EDD), the measures thereunder, the circumstances when EDD is performed, and its significance under AML Singapore regulations.

What is Enhanced Due Diligence?

Enhanced Due Diligence (EDD) is a type of Customer Due Diligence comprising extensive measures applied to establish the customer’s identity when the assessed risk arising from such customer or business relationship is high.
EDD is an extension of the Standard Customer Due Diligence, generally followed in the case of normal customers, categorized under low or medium-risk levels. During EDD, the regulated entities dive deep into the customer’s background to detect potential red flags suggesting involvement in money laundering or terrorism financing attempts. In addition to the basic due diligence related to identifying and verifying the identity, EDD involves additional inquiry and review around the customer, their purpose of establishing the business relationship, their financial profile, etc.

What are the circumstances when Singapore AML regulation mandates the performance of EDD?

The AML regulations of Singapore provide for the following circumstances when the customer would be classified as “high-risk”, warranting the regulated entity to implement the Enhanced Due Diligence process:
  • When the customer comes from or is closely associated with the countries subject to FATF’s Call for Action to either apply countermeasures or adopt enhanced measures to manage the risk (FATF Blacklist).
  • When the customer is a resident of or has business connections with jurisdictions with inadequate regulatory frameworks to combat money laundering and terrorism financing or countries notorious for financial crimes or high levels of corruption.
  • When the customer or the beneficial owner is a Politically Exposed Person (PEP) or is a close associate or a family member of a PEP. (It is important to note that in case of a domestic PEP or a person holding a prominent public function in any international organization, such customer shall, by default, not be treated as high-risk unless any unusual activity is detected or any other risk indicator suggests otherwise).
  • When any concerned authority has notified the person as posing an increased risk of money laundering or terrorism financing.
In addition to the above, if the regulated entity observes any other red flag or potential risk indicator requiring the customer to be classified as high-risk, adequate enhanced due diligence measures must be applied in proportion to the risk assessed.

What are the EDD measures prescribed under the Singapore AML regulations?

To manage the increased risk of financial crime, the EDD program crafted by the regulated entity must be comprehensive and focused on detecting any malicious intention of the customer to exploit the business for laundering funds or financing terrorist activities. The EDD measures that must form part of the entity’s EDD framework are as follows:

Inquiry around the financial profile of the customer:

When a potential customer is identified as high-risk, the inquiry must be made around the funds involved in the transactions and the nature of the customer’s income to establish whether such amount is in any way connected with any financial crime. As part of EDD, the regulated entities must make reasonable efforts to understand the customer’s income level and the nature of the source of funds and wealth and try to determine its legitimacy using reliable sources like salary slips, annual financial statements, or tax returns. In the case of a corporate customer, the regulated entities must apply these measures to check the financial profile of the beneficial owners as well, as they are the real persons pumping in the funds or navigating the transactions.
Here, the source of funds would mean the origin of the funds or the amount involved in the particular transaction, while the source of wealth indicates the origin of the accumulated assets or resources of the customer.

Senior Management Approval:

The senior management of the regulated entity must be aware of the increased risk that a customer or a transaction poses to the business. For this, the Singapore AML regulations require that the regulated entities seek senior management approval when a business relationship is proposed to be established with a high-risk customer.
Moreover, senior management approval is also required in the case of an existing customer when the customer’s risk classification changes during the ongoing business relationship. This approval must be obtained before executing any further transaction with the customer, i.e., continuing the existing relationship.

Applying enhanced ongoing monitoring:

It is essential to track the customer’s profile and transactions in the course of an established business relationship to detect any red flags or suspicious activities promptly. The frequency and the degree of such ongoing monitoring must be increased in case of high-risk customers subject to Enhanced Due Diligence. Here, the regulated entities may implement a policy to periodically select certain transactions of high-risk customers that would be thoroughly investigated to check their validity.

Approach to implementing the Enhanced Due Diligence

Having developed a robust Enhanced Customer Due Diligence program, it is equally important to adopt the right approach to ensure the effectiveness of the EDD measures. A systematic approach, as mentioned hereunder, will help the regulated entities in managing the high ML/FT exposure and staying compliant with the Singapore AML regulations:

1. Assessing the customer risk and identifying the high-risk business relationships:

The foundation of the EDD program is that the regulated entity has classified a customer or a business relationship as high-risk. The entity must adopt a holistic approach while determining a customer’s risk profile, considering various factors like the location of the customer, its business activities, the intended nature of the business relationship, etc.

2. Obtaining and verifying additional details and documents:

Once high-risk customers or transactions are identified, the regulated entities must obtain additional information and documents from the customer. The authenticity of the received details and documents must be verified.

3. Checking the adequacy of measures applied to the risk identified:

Having applied the additional measures and checks, the regulated entity must assess whether these measures align with the customer’s increased risk and whether the Customer Due Diligence process can be construed to have been satisfactorily concluded. If the regulated entity still believes that the measures do not appropriately manage the risk, the entity must consider applying stringent measures, if possible; otherwise, reject the customer and explore the requirement to report the person by filing a Suspicious Transaction Report (STR).

4. Perform ongoing monitoring of the customer’s profile and the transactions:

Once the high-risk customer is onboarded, the regulated entity must subject this customer and their transactions to ongoing monitoring to detect any suspicious customer behaviour or transaction inconsistent with the customer’s overall profile. If any red flags suggest the customer’s involvement with financial crime or attempts to launder the funds, the regulated entities must promptly report the same to the authorities by filing a Suspicious Transaction Report.
By thoroughly adopting the enhanced due diligence process, the regulated entities can efficiently detect and prevent financial crime while staying compliant with the AML regulations in Singapore.

Why is EDD a significant element of the AML Program?

Enhanced Due Diligence, though it may be seen as an additional exercise requiring more resources, is essential and has a significant impact on the regulated entities’ efforts to combat financial crimes, as follows:
  • When the regulated entity implements the EDD program, it demonstrates the commitment and dedication of the business in fighting money laundering and terrorist financing. It enhances the government and the customer’s trust and confidence in the business.
  • With more strict measures and checks, the regulated entities can control the financial criminals sneaking into the business to achieve their criminal objectives. It saves the business from commercial loss and also avoids reputational damages.
  • When EDD measures are not applied for customers posing higher ML/FT risks, this is tantamount to regulatory non-compliance and results in huge fines and penalties. It also adversely impacts the regulated entity’s reputation in the market.
In the interest of the business, it is essential to design and maintain a robust Enhanced Due Diligence program to manage the risk, protect the business, and stay AML compliant.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


The risk-based approach in Anti-Money Laundering Compliance


The principal AML regulation in Singapore, viz., Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 and various guidelines issued by the Monetary Authority of Singapore (MAS) require regulated entities to adopt a risk-based approach in Anti-Money Laundering Compliance.
With the revised FATF International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, issued in 2012, the risk-based approach has become central to fulfilling various requirements set therein.
The FATF requires applying a risk-based approach at several levels, starting at the country level in the form of national ML/TF risk assessment, then at the state, and finally at the company level.

History of risk-based approach:

Earlier, financial institutions, banks, and other non-financial businesses and professions followed the regulatory requirements concerning customer risk assessment.
It was a tickbox kind of approach where every customer and the regulated entity were treated equally irrespective of their risk appetite and the risk carried by them. The companies used to follow a checklist and collect documents required by the law to comply with the risk assessment requirements.
Many criticized the one-size-fits-all approach, as each entity is different in terms of its business, customers, products, services, and related risks. This led to the adoption of the risk-based approach in dealing with financial crimes like money laundering.

What is the principle of risk-based approach (RBA)?

In simple terms, the risk-based approach refers to adopting a methodology where risks are identified, assessed, and managed in accordance with the amount of damage they can cause. The risk-based approach follows the principle of “higher the risk, higher the amount of controls.”
The firms resort to the risk-based approach as the resources are always scarce, and they must be deployed in such a way that they can be optimally utilized.

What is the risk-based approach in anti-money laundering?

Financial Institutions, Non-Financial Businesses and Professions, and Virtual Asset Service providers are the primary targets of financial criminals. There are a variety of financial crime risks, and these risks are associated with products, services, customers, geographies, delivery channels, technology, and more.
The risk-based approach is a recognition of the fact that not all customers are the same, and some of them pose a higher level of money laundering and terrorist financing risks than others.

What is the need for a risk-based approach in anti-money laundering?

Each company is different in terms of products and services, customer base, delivery channels, geography, technology, and more; hence, a one-size-fits-all approach to deploying controls against money laundering risks cannot work.
Companies should be able to assess their own money laundering and terrorist financing risks and take the necessary measures to counter them; hence the need to adopt a risk-based approach.
The adoption of a risk-based approach forces companies to understand various ML/TF risks they are exposed to and tailor their AML/CFT program to counter them.

How to implement a risk-based approach to AML?

To implement a risk-based approach to AML, companies need to follow these steps:

1. Risk Identification

The first step is identifying risks associated with customers, products, services, geographies, delivery channels, and technologies.

2. Risk Assessment

Each risk needs to be assessed in terms of its likelihood and potential impact on the business. Normally, risk factors are assessed in terms of their impact, viz., low, medium, and high.

3. Controls identification

Suitable controls are identified in line with the assessed risk.

4. Implementation of Controls

Controls are implemented and evaluated in terms of their effectiveness.

5. Ongoing Monitoring & Health Check

Ongoing monitoring and regular health checks are performed to identify new risks, potential harm posed by each risk factor, and the effectiveness of controls in place. It is also assessed whether the net risk is within the limits of the amount of risk a firm wants to carry.

6. Record Keeping

Regulated entities must maintain records concerning their ML/TF and customer risk assessments. Accordingly, the entity must maintain records around risk factors, their likelihood and impact, controls and their effectiveness, residual risk, and risk appetite. Further, KYC records, customer risk assessment records, records related to screening, suspicious transaction reports, and ongoing monitoring must be maintained. As per the FATF recommendations, these records must be maintained for a period of 5 years.

What are the benefits of a risk-based approach?

The risk-based approach is beneficial in fighting the menace of financial crimes.

1. Flexible

The risk-based approach is flexible; companies can customize their response against the risks considering their potential impact.

2. Efficient

The risk-based approach is efficient in the sense that the companies can put higher controls in areas where they feel there’s more ML/TF risk.

3. Systematic

The risk-based approach follows a systematic methodology and considers various risks related to customers, products, services, technology, delivery channel, etc.

What controls are commonly employed by companies adopting the risk-based approach to counter ML/TF risks?

  • AML compliance program: It is best to have an effective AML compliance program that consists of AML policies, procedures, and controls. The business must create an AML policy document in line with its ML/TF risk. The AML compliance program is then implemented to counter various money laundering risks.
  • AML compliance officer: The AML compliance officer is responsible for implementing the AML framework approved by the board of directors. He ensures that the AML/CFT policies and procedures are followed regularly and that the staff is adequately trained to counter money laundering and terrorist financing.
  • KYC: Know Your Customer (KYC) is an integral part of the onboarding process in which the business collects customer documents to verify their identity. The business must know whom they are dealing with and understand the risk associated with the customer profile.
  • CDD: Customer Due Diligence (CDD) is a significant part of an AML compliance program. The compliance department verifies various documents and performs screening, in-depth investigation, and customer risk assessment. A decision to onboard the customer is made based on the customer acceptance policy. In the case of high-risk customers, Enhanced Due Diligence (EDD) is performed, and the source of funds, source of wealth, and top management approval are obtained before entering into a business relationship.
  • Transaction monitoring: A business must closely monitor the transactions and detect any suspicious activity. With continuous monitoring, the business can identify and prevent money laundering attempts immediately. It can file suspicious transactions with the authorities and diligently follow the AML rules and regulations. Transaction monitoring lets the business keep track of customer behavior and detect unusual patterns that might be connected to money laundering.
  • PEP Screening: PEP refers to Politically Exposed Persons. They hold influential positions or have political connections to help them gain an undue advantage. Such a customer profile is highly risky because of access to funds and power. So businesses must carry out EDD – Enhanced Due Diligence process, monitor transactions and report suspicious activity as part of a proactive AML compliance program for PEPs.
  • UBO Identification: Identifying the Ultimate beneficiary ownership is a part of the risk-based approach that a business must integrate to know the ultimate beneficiary of the transactions. UBO identification lets the company correctly understand the real beneficiary behind the legal structures and take appropriate measures to counter money laundering risks.
  • Training: Regular training helps frontline staff know emerging risks and associated red flags they can apply while dealing with customers. A refresher training for the compliance department will help institute a common understanding of AML/CFT policies and procedures. Further, training the top management will help secure their commitment to the AML/CFT efforts put in by the business.
  • Record Keeping: The company must document and maintain the Enterprise Wide Risk Assessment (EWRA) performed by it. Various risk factors, their likelihood, and their impact must be documented along with the controls put into effect by the company. The risk appetite of the company and the residual risk must be documented so that the necessary corrective measures can be recommended by the compliance officer and approved by the top management.
  • Senior management oversight: The senior management must be aware of the company’s ML/TF risks exposure to formulate strategies to mitigate and manage the risks. The board must approve and oversee the implementation of the AML/CFT program and ensure that it aligns with the company’s risk-based approach. Further, senior management must approve all high-risk customers before entering into a business transaction with them.
  • Adverse Media Monitoring: Adverse Media Monitoring helps understand negative media reports against a customer or a potential customer. It helps the compliance officer understand if the customer has a criminal history. Criminals generate dirty money by committing predicate offenses, then try to place that money into the legitimate economy. Adverse media monitoring helps identify risks associated with a customer and take the necessary measures to counter ML/TF risks.
  • Risk-based regulatory reporting: A business can prevent money laundering and financing of terrorism by reporting suspicious transactions. Continuous transaction monitoring helps in identifying unusual customer behavior and preventing crime. All suspicious activities and transactions must be reported to Singapore’s Suspicious Transaction Reporting Office (STRO). It is a risk-based approach that helps companies protect their organization against reputational damage, helps to safeguard customers’ interests and abide by AML rules and regulations.

Risk-based approach examples

Example 1:

An accountant deals with a customer hailing from a country known for weak AML laws.

To mitigate and manage this risk, the compliance team requests the customer’s AML/CFT policy, classifies the customer as high-risk, and conducts Enhanced Due Diligence.

Example 2:

A financial institution identifies a sudden increase in cash deposits by a customer.

To mitigate and manage this risk, the compliance team requests fresh KYC documents to understand if there is a change in the business activities of the customer, asks for the source of funds, carries out ongoing monitoring, and evaluates whether to offboard the customer in accordance with the customer exit policy and file a suspicious transaction report.

How often should the risk assessment be carried out under the risk-based approach?

As a best practice, the risk assessment should happen at least once a year. However, new product introduction, identification of new risks, and changes in national risk assessment could trigger a fresh ML/TF risk assessment.

How should the AML/CFT program take account of the risk-based approach?

The AML/CFT program should be drafted in line with the Enterprise-Wide Risk Assessment performed by the regulated entity. The risk factors having the greatest impact must be adequately managed and controlled. Various risk factors like products, services, customers, geography, technology, and delivery channels must be considered while defining procedures around customer risk assessment. Further, the customer acceptance policy should define customer onboarding criteria and procedures. Red flags concerning the business must be documented, and the staff must be trained to identify and tackle them. Written procedures must be drafted to report all suspicious activities and transactions. The AML/CFT program must document criteria and procedures around the ongoing monitoring of a business relationship. Further, the requirements around Enhanced Due Diligence must be documented to counter the risks arising from a high-risk customer. Sanctions screening requirements should be clearly documented and explained to the staff.

Risk-based approach with Sanctions Screening Software

The sanctions screening software helps identify if the customer is a sanctioned individual or entity. Its underlying database must be updated regularly to counter the new risks arising out of newly listed individuals and corporates. Further, it must be configured in such a way that false matches are reduced, and true matches are identified and escalated immediately.

Risk-based approach with transaction monitoring software

The transaction monitoring software must be configured in such a way that red flags concerning customers are given due consideration while processing the transactions. The entity must be able to define rules and scenarios requiring the immediate attention of the compliance team. All suspicious transactions must be automatically flagged for further scrutiny and action by the compliance department.

Why adopt a risk-based approach?

The global best practices in countering ML/TF advocate adopting a risk-based approach. The risk-based approach aims to follow the legislation’s true intent and prevent financial crimes. It’s a systematic approach providing flexibility to an entity to implement necessary controls to counter ML/TF risks. The risk-based approach is more efficient in countering money laundering and terrorist financing. Further, it minimizes the cost of compliance and undue hardship on customers. It is dynamic enough to respond to new and emerging risks in line with the changes in ML/TF typologies.

Adopting a risk-based approach to AML/CFT

It is best to have a risk-based approach to prevent money laundering and financing of terrorism. Companies should create an AML compliance program in which KYC is a critical part. The Know Your Customer policy lets the business know who the customer is and whom they will onboard. It helps in risk assessment and mitigation with the appropriate measures. KYC and CDD are the foundation of an AML program, and so businesses must follow the rules and regulations to avoid non-compliance and legal consequences such as penalties. A business should also invest time in sanctions screening to find out whether a customer is on the sanctions list and make informed decisions to continue or discontinue the business relationship. Other elements in the risk-based approach are PEP (Politically Exposed Persons) and UBO (Ultimate Beneficiary Ownership).


Know Your Business: A critical element of Customer Due Diligence


The regulated entities deal with clients of different natures – individuals or legal persons. Further, the legal person could be of a different legal structure, engaged in different activities, with various beneficial owners running the business operations, etc. These factors impact the level of risk these corporate customers pose to the business.
Here comes the need for the Know Your Business process to identify this ML/FT risk associated with business relationships established with corporate customers and suppliers.

What is Know Your Business?

Know Your Business (KYB) is a critical component of the AML program, which generally gets missed out under the cover of Know Your Customer. KYB is a specific terminology for the identification process for the business entities the regulated organizations are dealing with.
The KYB process requires the Financial Institutions and Designated Non-Financial Businesses and Professions (DNFBPs) to verify corporate customers’ and suppliers’ identity, including the nature of the business activity, business profile, persons making the business decisions in the name of such business entity, etc. It is an integral component that enables regulated organizations to determine whether the legal person with whom they are conducting business activities is genuine and not just a mere structure used as a veil to obscure the identity of launderers and other financial criminals.
Often, shell companies are used for money laundering, and they become the most commonly used vehicles for running unlawful money through the legal financial system and passing it off as money obtained via legitimate activities. The KYB process lets the regulated entity know if the company is legitimate and exists in reality rather than merely existing on paper. The KYB process will let the regulated organization know the company’s background, whether the goods traded are legal, the transactions made, and the source of funds and financial status of the company.
KYB will strengthen the organization’s AML Program, ensuring that the AML regulations are followed in the true spirit, protecting their business against financial crimes, and preventing non-compliance penalties.

What are the elements of the KYB Process?

The KYB process establishes a business’ identity by verifying corporate documents that help establish the company’s name, place of business, legal structure, and information about the top management and stakeholders. The regulated entities can verify the business’s identity and know if it’s legitimate and is not associated with any money laundering and financing of terrorism activities by including the following measures in the KYB process.

Identification and Verification of the business entity:

The KYB process focuses on the due diligence aspect of AML compliance, wherein information about the business, ultimate beneficiaries, the purpose of the transaction, and allied information are collected. Further, to verify the information about the corporate entity, the corporate documents must be obtained, such as a certificate of incorporation, Unique Entity Number, Memorandum of Association, Articles of Association, etc.

Identification and Verification of the Beneficial Owners:

Investigating the beneficial ownership is a critical component of the KYB process that will enable the regulated entities to know who the ultimate beneficiary of the financial transactions is. Often, criminals use shell companies and set up companies in countries with lax regulatory disclosure requirements, which are breeding grounds for money launderers who escape AML/CFT scrutiny and successfully launder money. The regulated organization must seek the shareholder register, senior management register, or an extract from the company registry to determine the beneficial owners.
Once the beneficial ownership structure is determined, identification information such as names, nationality, shareholding in the business entity, association with Politically Exposed Persons, place of residence, contact details, etc., must be obtained for all the beneficial owners.
Further, such information must be verified using reliable, independent sources like government-issued ID cards, utility bills, third-party databases, etc.

Screening – Sanctions, PEP and Adverse Media:

The KYB process lets businesses know if the entity has been listed on the sanctioned list. It is essential to know about the sanctioned entities to make decisions regarding terminating or denying the business relationship with them. Not just entities, the beneficial owners and the senior management must also be screened to understand their connection with sanctions.
Further, KYB requires the regulated entities to screen the corporate customers/suppliers and their beneficial owners to determine if they have any connection with Politically Exposed Persons, as generally, association with politics increases the risk of corruption and financial crimes.
Under KYB, the regulated entities should also scan the corporates and the beneficial owners to check the presence of any adverse media. The known connection with money laundering, terrorism financing, or other financial crime increases the risk of being exploited by the corporate. Thus, the regulated entities must conduct adverse news screening for the business entity and their beneficial owners.

Risk Classification:

The risk classification of the business entity is highly dependent on the risk classification of the beneficial owners.
With the outcome of the identification and verification and the screening, including the results about the beneficial owners, the regulated entity must develop a risk profile of the business entity. It will enable the regulated entities to adopt a risk-based approach and decide whether Enhanced Due Diligence is required.

Enhanced Due Diligence:

If the business entity is classified as posing an increased risk to the regulated organization, then additional information must be obtained to determine the entity’s source of funds and wealth, rigorous checks must be performed to verify the identities, and management approval must be obtained before establishing the business relationship. Moreover, the source of wealth of the beneficial owners must also be sought, if the facts so warrant, to protect the organization against money laundering attempts and safeguard the overall business interests.
In conclusion, though not popularly mentioned in the laws, KYB is vital to the anti-money laundering program. It enables in-depth insights into a corporate or legal person associating with the business. The KYB process helps to correctly assess the ML/FT risk and make an informed decision to establish a business relationship with the legal structure.
