One-Stop Guide to Building a Strong AML/CTF/CPF Program

In a world where financial systems form the backbone of global commerce, protecting these systems from financial crimes is of utmost importance. In UK, Relevant Persons under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) are required to implement an Anti-Money Laundering, Counter-Terrorist Financing, and Counter Proliferation Financing (AML/CTF/CPF) measures. Building a strong AML/CTF/CPF Program helps Relevant Persons meet their AML/CTF/CPF obligations as well as detect, manage, mitigate financial crime risks.

In this blog, we will discuss the meaning, need, and components of a strong AML/CTF/CPF Program.

What Is an AML/CTF/CPF Program?

An AML/CTF/CPF Program defines and lays down the standards, practices, policies, procedures, governance, controls, and other related aspects, that have been put in place by the Relevant Person to protect itself from financial crimes such as Money Laundering, Terrorist, and Proliferation Financing (MLTPF) and meet its AML/CTF/CPF regulatory obligations. It serves as a comprehensive framework, demonstrating a Relevant Person’s commitment to AML/CTF/CPF compliance and establishing a compliance culture throughout the organisational structure of the Relevant Person.

Why Is an AML/CTF/CPF Program Required?

Enhances Protection Against MLTPF Risks

The various components of the AML/CTF/CPF Program are all geared towards detecting, reporting, and mitigating financial crimes, enhancing the Relevant Person’s ability to protect itself from MLTPF risks. For example, a Firm-Wide Risk Assessment helps Relevant Persons evaluate their MLTPF risk exposure, while AML/CTF/CPF Policies, Procedures, and Controls establish systems to manage the risks.

Facilitates Compliance with AML/CTF/CPF Obligations

AML/CTF/CPF Program helps Relevant Persons put in place systems to meet their compliance obligations under the AML/CTF/CPF regulatory regime in a comprehensive manner.

Establishes a Mechanism for Investigation and Reporting of MLTPF Risks

Reporting MLTPF through the Suspicious Activity Report (SAR) is a mandatory requirement for Relevant Persons. An AML/CTF/CPF Program establishes mechanisms to identify MLTPF risks through red-flags, monitoring software, and internal investigation. It also lays down the procedures and timing of SAR submission.

Enables Continuous Improvement

When AML/CTF/CPF Program is defined and put in place, it allows Relevant Persons to continually review and revise its existing systems to ensure that they are up-to-date and resilient enough to mitigate the evolving MLTPF threats.

Establishes a Culture of AML/CTF/CPF Compliance

Framing and implementing an AML/CTF/CPF Program portrays a Relevant Person’s commitment to fighting against financial crime risks, as well as ensures the inculcation of AML/CTF/CPF compliance culture throughout the organisational structure of the Relevant Person.

Delineates Roles and Responsibilities of AML/CTF/CPF Functions

AML/CTF/CPF Program clearly defines and delineates roles and responsibilities regarding the performance of AML/CTF/CPF compliance functions. For example, front-facing staff may be tasked with collecting customer information for customer identification and verification, while AML/CTF/CPF Compliance Officer may be tasked with overseeing the fruitful implementation of the AML/CTF/CPF Program.

After discussing why making and implementing an AML/CTF/CPF Program is essential, let us now discuss the various components to include for a comprehensive AML/CTF/CPF Program.

Components of an AML/CTF/CPF Program

Firm-Wide Risk Assessment

Under MLR 2017, conducting a Firm-Wide Risk Assessment (FWRA) is mandatory for Relevant Persons. An FWRA is the process of identifying and assessing the MLTPF risks that a Relevant Person is exposed to, after considering a range of

Therefore, the foundational step of making an AML/CTF/CPF Program is FWRA. This helps Relevant Persons assess its risk exposure and adopt the most appropriate risk mitigation measures, helping it focus its limited resources on the areas of higher risks.

AML/CTF/CPF Risk Management Practices

This includes practices the Relevant Person has implemented to manage the risks assessed during FWRA, its risk appetite, derisking policies, etc. This includes risk management tools such as AML software solutions, decision-making hierarchy regarding risks, etc.

AML/CTF/CPF Governance

Relevant Person must define and establish internal controls or governance structure with respect to AML/CTF/CPF compliance. This section must also include the duties and responsibilities of the relevant roles.

The governance structure must designate the roles and responsibilities of the following positions:

  • Compliance Officer: The compliance officer is the individual in charge of the relevant person’s compliance under MLR 2017. This individual must be a member of the board of directors or senior management of the Relevant Person.
  • Nominated Officer: The Nominated Officer of a Relevant Person is in charge of receiving disclosures under the Terrorism Act 2000 or the Proceeds of Crime Act 2002 Whenever an MLTPF risk is detected by an employee of the Relevant Person, the employee needs to make an internal report regarding the same to the Nominated Officer. The Nominated Officer must review and investigate the internal report and then report the same to the National Crime Agency of UK, which houses the Financial Intelligence Unit of UK.
    Under MLR 2017, when the Compliance Officer or Nominated Officer is appointed, or there are subsequent changes to this appointment, the Supervisory Authority must be informed within 14 days of this appointment.
  • AML/CTF/CPF Compliance Department: The AML/CTF/CPF Compliance Department is established under the AML/CTF/CPF Compliance Officer and helps the Relevant Person comply with all its AML/CTF/CPF. This department may include roles such as:
    • Screening Analyst
    • KYC Analyst
    • Risk Analyst
    • Compliance Analyst
    • Subject Matter Experts
  • Frontline Employees: These are the employees who interact with the customers directly and are in a unique position to identify MLTPF red flags through customer behaviour, hesitancy in providing customer details, etc. They also perform AML/CTF/CPF tasks such as customer identification and verification, conducting name screening, etc.

Customer Due Diligence

Customer Due Diligence (CDD) is a mandatory part of a Relevant Person’s compliance obligations under MLR 2017. Under the AML/CTF/CPF Program, a Relevant Person must lay down the policies and procedures for the following components of a CDD process:
  • Identification and verification of the customer and their Beneficial Owners and persons authorised by the customer to act on their behalf
  • Obtaining information on the purpose and nature of the business relationship, or occasional transaction
  • Conducting Name Screening, which includes Sanctions Screening, Politically Exposed Person (PEP) Screening, Adverse Media Screening
  • Customer Risk Assessment (CRA), including its methodology and assigning risk scores and levels to various risk factors
  • Type of CDD to be adopted based on the level of MLTPF risks a customer poses, as assessed during the CRA process
  • Ongoing CDD to ensure that the information collected during the CDD process is updated and accurate

Sanctions Compliance Policy

During CDD and Sanctions Screening, if a sanctions match is found, the same must be reported to the Office of Financial Sanctions Implementation (OFSI) the authority for implementing financial sanctions in UK. The Relevant Person is obligated to follow compliance requirements under laws related to the sanctions regime, including the Sanctions and Anti-Money Laundering Act 2018, Counter Terrorism Act 2008, and Anti-Terrorism, Crime and Security Act 2001.
The AML/CTF/CPF Program of the Relevant Person detail:
  • Sanctions Screening mechanisms, including screening software, subscribing to the required sanctions lists such as the UK Sanctions List, etc
  • Procedures on disambiguating sanctions screening results, and if a match is found, reporting the same to the OFSI
  • Procedures on Asset Freezing, preventing transactions or access to financial resources to the designated persons or organisations
  • Training employees on sanctions compliance

Customer Acceptance and Exit Policy

In this part of the AML/CTF/CPF Program, the Relevant Person should define its policies with respect to customer engagement. This includes the factors that make a customer acceptable to the Relevant Person, based on the Customer Risk Profile, or circumstances that make a customer unacceptable. It should also describe situations in which a Relevant Person would adopt derisking measures, to avoid MLTPF risks it cannot manage.

Transaction Monitoring and Ongoing Monitoring

A Relevant Person must specify its transaction monitoring and ongoing monitoring policies and procedures, as well as the mechanisms it has adopted to achieve the same. Monitoring must be conducted throughout the course of the business relationship for:
  • Transactions to ensure that the same is in line with the customer’s business, risk profile, and known information about the customer. MLR 2017 specifies that the following transactions should be scrutinised:
    • Complex transactions
    • Transactions that are unusually large
    • Unusual patterns in transactions
    • Transactions without economic or legal purpose
    • Transactions indicating MLTPF risks
  • Existing customer records and information to ensure that the same are accurate and up-to-date

Employee Screening

Relevant Person must establish policies and procedures to screen the Relevant Employees before their appointment and throughout the duration of their appointment.
The Relevant Employees include the following:
  • Employees involved in the Relevant Person’s compliance under MLR 2017
  • Employees contributing to the identification, detection, mitigation, and prevention of MLTPF risks faced by the Relevant Person
The Employee Screening must assess the following components:
  • Skills
  • Knowledge
  • Expertise
  • Conduct
  • Integrity

Suspicious Activity Reporting

The Relevant Person must establish an internal mechanism for reporting and investigating suspicious activities indicating MLTPF risks to ensure that the same is reported to the UK FIU, housed within the NCA, in a timely manner. The Relevant Person must implement policies and procedures for suspicious activity reporting, which must include the following:
  • Training to their staff to detect MLTPF threats in a prompt manner and making internal report to the Nominated Officer
  • Investigation of the MLTPF threat by the Nominated Officer and making the Suspicious Activity Report (SAR) to the NCA
  • Policy and Procedures for filing Defence Against Money Laundering (DAML)
  • Procedures to ensure that there is no “tip-off”
  • Policy on relationship with the customer after SAR filing

Staff Awareness and Training

MLR 2017 provides that the Relevant Persons must train their staff on the following:
  • MLTPF risks and red flags and AML/CTF/CPF law
  • Their responsibilities in the AML/CTF/CPF Program
  • The various components of the AML/CTF/CPF Program of the Relevant Person
  • Relevant Person’s procedures and how to identify and address potential MLTPF risk, including making internal report to the Nominated Office
The staff training should be conducted regularly, with records maintained of the same. The AML/CTF/CPF Program of the Relevant Person must provide policies and procedures on staff training and awareness.

Independent Audit Function

As a part of its AML/CTF/CPF Program, the Relevant Person must establish an independent audit function. The objective of an independent audit function is to analyse and monitor the adequacy and effectiveness of the AML/CTF/CPF Program, detect any vulnerabilities, and adopt recommendations to fill these vulnerabilities.

Record Keeping

MLR 2017 provides that Relevant Persons must keep up-to-date and accurate records for five years on AML/CTF/CPF related tasks, which include the following:
  • CDD related information and documents
  • Records on transactions
  • Internal and external reports on suspicious activities
  • Training and its effectiveness
  • Compliance monitoring
The AML/CTF/CPF Program of the Relevant Person must include policies and procedures for maintaining these records for the required time period.

Data Protection Policy

MLR 2017 obligates Relevant Persons to ensure that any personal data that the Relevant Person collects for the purposes of fulfilling their obligations under MLR 2017 must only be processed to prevent MLTPF. It must also adhere to the provisions of the Data Protection Act 2018.

The AML/CTF/CPF Program of the Relevant Person must include its Data Protection Policy, detailing its obligations and procedures to meet these obligations.

Building a Strong AML/CTF/CPF Program: Final Words

An effective AML/CTF/CPF Program is indispensable for ensuring compliance with regulatory obligations under MLR 2017. It fosters a culture of compliance and ethicality across the organisational structure of the Relevant Person. It also ensures that staff at all levels understand their roles in AML/CTF/CPF Program and implement it properly. Continuous improvement through health checks and independent audits, regular staff training and awareness, etc., enhance the Relevant Person’s resilience against financial crime threats.

About the Author

Linkedin

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.