ACRA AML/CFT Requirements Review (Inspection) of Public Accountants and Accounting Entities

All accounting entities and public accountants in Singapore carrying out covered activities are required to undergo periodic ACRA inspections, through which their Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) compliance measures are inspected by ACRA. The ACRA is responsible for forming and appointing the Public Accounts Oversight Committee (PAOC), which is responsible for appointing an entity reviewer to carry out the ACRA AML/CFT Requirements Review process of all accounting entities and individual practitioners.
The Accounting and Corporate Regulatory Authority (ACRA) registers and regulates public accountants and individual practitioners in Singapore as per the rules and standards prescribed under the Accountants Act, 2004.
The Accountants Act, 2004, also referred to as ‘the Act’, is the primary legislation in Singapore governing accountancy services provided by accounting entities and professionals. The Accountants (Prevention of Money Laundering and Financing of Terrorism) Rules 2023 require accounting entities and their practitioners to have in place an adequate AML/CFT compliance framework, consisting of internal policies, procedures and controls (IPPC), for effectively combating Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) risks.
Accounting entities and individual practitioners’ AML/CFT IPPC is subject to ACRA AML/CFT Requirements Review.

ACRA AML/CFT Requirements Review (Inspection) Process of Public Accountants and Accounting Entities
The ACRA AML/CFT Requirements Review process comprises the following steps:

1. Entity Reviewer Inspects AML/CFT Compliance Requirements

The entity reviewer carries out an AML/CFT requirement review. For this purpose, the entity reviewer has the power to:
  • Examine any records or the description of records in the possession or under the control of the accounting entity or practitioner that the entity reviewer believes are relevant to the review.
  • Seek explanations or further details of any records or documents, excluding any such record or document containing privileged communication to or from a legal practitioner.
Upon concluding the review, the entity reviewer submits a report to the Registrar.

2. Opinion of the Registrar

After considering the report submitted by the entity reviewer, if the Registrar is of the opinion that the accounting entity or any of its practitioners has breached any of the AML/CFT requirements, the Registrar shall submit a report to the Public Accounts Oversight Committee (PAOC) (Firm Level).

3. Decision by the Public Accounts Oversight Committee (PAOC)

Upon submission of the report by the registrar, the PAOC assesses and decides the consequences of non-compliance with AML/CFT requirements by accounting entities and practitioners.

Consequences of AML/CFT Non-Compliance by Accounting Entities and Public Accountants

The Public Accounts Oversight Committee (PAOC) is the final authority to decide on the outcome of the AML/CFT requirements inspection, as the PAOC determines the procedure for conducting the ACRA inspection of any accounting entity and public accountant.
Upon considering the Registrar’s ACRA inspection report, if the PAOC (Firm Level) is satisfied that the accounting entity or its individual practitioners are non-compliant with AML/CFT compliance requirements, it may direct the following orders:
  • Revocation of the approval granted to the accounting entity or cancellation of the registration of individual practitioners.
  • Suspension of the accounting entity from providing accountancy services or suspension of an individual practitioner for up to one year.
The PAOC is also empowered under the law to prescribe to public accountants and accounting entities, any standardised methodology, procedures, code of professional conduct, or other requirements necessary to enable them to identify, prevent, and mitigate ML/FT and PF risks, with timely reporting of suspicious activities and transactions to regulatory authorities, and maintaining adequate records of AML/CFT measures taken.

Conclusion

The PAOC in Singapore is responsible for deciding on the registrar’s opinion based on the ACRA inspection carried out by the entity reviewer. The PAOC, upon finding any incidence of non-compliance with the prescribed AML/CFT requirements, shall take punitive action.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 7+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Excellence in EDD for high-risk customers: Common slip-ups You can’t Afford to Commit

This article provides insights into achieving excellence in EDD for high-risk customers and sheds light on the common slip-ups you can’t afford to commit.
Not all your customers are the same. Their requirements differ. Their expectations for support services vary. Similarly, their risk profiles are also distinct. Some pose a higher risk to your business, while some are safe to transact with.
As a business entity in India with strict AML measures, knowing which of your customers are high-risk and which are low-risk is essential.
For high-risk customers, you need Enhanced Due Diligence (EDD). You need to conduct thorough investigations and dive deep into customer profiles. With more data on such high-risk customers, you can identify the degree of risk involved and determine whether it can be managed and how it relates to the business’s risk appetite.
However, entities make some common mistakes while conducting EDD. If you know them, you can avoid committing them. So, in this blog, we list the mistakes reporting entities make while conducting the EDD process for high-risk customers.
But before that, we’ll try to understand the characteristics of high-risk customers.

Characteristics of High-Risk Customers in India

Let’s look at the critical aspects that may make a customer high-risk.
  • Persons associated with sanctioned individuals or businesses
  • Persons identified as terrorists or associated with one
  • Politically Exposed Persons (PEPs) and their close relatives
  • High-net-worth customers
  • Non-resident Indians (NRIs)
  • Foreign nationals
  • Customers with complicated business structures involving subsidiaries and business units
  • Individuals or entities with unexplained wealth, earnings, or net worth
  • Customers with bases in high-risk countries or with no or weak AML regulations
  • Non-face-to-face customers
  • Shell corporations
  • Companies with close family members as shareholders or beneficial owners without any business rationale
  • Firms with sleeping partners
  • Customers once identified as involved in a suspicious transaction or with any negative media references against them
  • Relationship with a company registered in a country where it has no physical presence and is not affiliated with any regulated group
  • Trusts, NGOs, and charities receiving donations
  • Pooled accounts
  • Virtual currency transactions
Moreover, customers insisting on the below types of transactions may also be classified as posing high-risk:
  • Large or complicated transactions
  • Transactions involving multiple parties, which are unknown to you
  • Cash-only transactions

Regulations for Enhanced Due Diligence in India

India is at the forefront of devising initiatives to reduce the threats of financial crimes. Strict regulations exist under the Prevention of Money Laundering Act, 2002 and the IFSCA (AML, CTF, and KYC) Guidelines, 2022, around KYC, KYT, due diligence, and other AML measures. Even for Enhanced Due Diligence, these AML regulations mention some key provisions.
Entities must conduct EDD for high-risk customers. In such cases, entities must verify the identities of customers prior to the commencement of the business relationship. As part of the EDD process, you must apply additional measures, including the following:
  • Understanding the customer’s source of funds involved in the transaction
  • Rigorous checks on the beneficial owners of the customer
  • Overall financial position of the customer, including verifying their source of wealth
  • Making detailed inquiries about the purpose and background of the transaction
  • Obtaining senior management approval, apprising them of the risk involved and seeking their go-ahead
  • Increasing the degree and frequency of monitoring transactions with high-risk customers
  • Ensuring that the customer makes the first payment towards the goods or services through their own account (specifically provided in the IFSCA Guidelines as one of the measures for managing high risk)
As part of EDD, once the additional information is gathered, verify it using reliable, independent sources. You can use public registries, credible third-party databases, or other sources for verification, including seeking government-issued documents from the customer.
Drop the business relationship if the high-risk customer fails to submit the requested documents and details necessary to carry out the EDD process effectively. In case of failure to successfully conclude the EDD process on the high-risk customers, you must consider whether such a situation involves any suspicion and the necessity to report the same to FIU-IND by filing a Suspicious Transaction Report (STR).
The EDD measures must be enough to meet the AML compliance requirements in India. The entity must ensure that it has implemented the necessary measures against high-risk customers. This proves the entity’s risk-based approach in managing the risk in accordance with PMLA and the IFSCA Guidelines.
You must keep EDD records to show to the concerned authorities when requested. You must maintain the records of EDD results for five years from the transaction date or the end of the business relationship with high-risk customers. This requirement is six years for an IFSCA-regulated entity.
You must follow these EDD regulatory requirements in India to ensure AML compliance. If you fail to do so, you might increase your business’s money laundering risks and end up facing adverse consequences such as reputation loss and penalties for non-compliance. So, adopt the best practices of EDD and proceed with it. Ensure you do not make the common errors enumerated in the section below.

Usual slip-ups in Enhanced Due Diligence Procedure

Inadequate data on customers for enhanced investigation

EDD requires a lot of additional information about the customer. This includes personal, occupational, and financial information. You must have data on the following aspects of your customer:
  • Full name
  • Registration details and office address in case of corporate customer
  • Residential address of an individual customer
  • Details of the beneficial owners and senior management in case of corporate customer
  • Details of the customer’s occupation or business activities
  • Sources of funds and source of wealth, including overall financial position
  • Coverage in negative media or sources
You will need all these details to thoroughly complete the verification of your high-risk customers. It helps you confirm the legitimacy of the customer, be it individual or corporate.
You can check customers’ financial position by checking the source of funds and wealth and determine whether the proposed transaction is in line with these details. With background checks, you can discover the client’s reputation in the market and come to know about their past involvement in illegal activities.
The information might be incomplete or inaccurate if you are lackadaisical in your approach. Collect all these data points from your customers or through independent research for a smooth EDD process.

No reference to reliable data sources to verify customers’ identities

You collect all the information from customers. But are you sure of its genuineness? Have your customers submitted actual documents for verification?
You cannot be dependent only on the data submitted by the customers. You need to check and verify the legitimacy of the data from reliable and independent data sources. Use government databases, publicly available sources, or renowned third-party data providers.
Information or data declared by the customer may not be reliable because customers might fake them or manipulate some details. In such cases, EDD will be inaccurate, leading to transactions with high-risk customers without applying necessary safeguarding measures. These are risky for your business and AML compliance.

Trusting only technology over humans or vice versa

Technology systems can help make the process faster, more accurate, and complete. You can be sure of your results and that you haven’t missed anything. But what about the touch of human thinking and analysis in your EDD process? It’s necessary to have humans analyse the risks for a nuanced view of them.
Relying only on humans to manage the EDD process may also lead to errors, because they might miss data or make mistakes while evaluating the huge volume of information or documents. So, you cannot ignore technology either.
The optimal solution is to combine the expertise of technology and humans for the best results. You can run the data on technological solutions, and then experts can scan through them.

Conducting Due Diligence only once during the entire relationship

The risk profiles of customers keep changing. So, you cannot base your decision on one such instance of due diligence conducted at the time of customer onboarding. You must keep it going.
Engage in frequent monitoring of high-risk customers. It must be an ongoing process so that you can track the changes in customers’ risk profiles. Also, as new transactions take place with these customers, continue transaction monitoring and ensure that the transactional pattern aligns with the customer’s profile known to you.
So, never make the mistake of only doing Enhanced Due Diligence once. Make it a frequent exercise to capture the variations in the factors involved and ensure that you stay on top of the customer’s ever-changing risk profile.

Using outdated lists of PEPs, sanctions, and terrorists to match customers

While conducting EDD, you compare customers against lists of sanctions, PEPs, and other watchlists, including adverse media. If you use outdated lists, your results will be redundant. You must have the latest watchlists from the reliable sources for up-to-date and relevant results.
So, make it a practice to check for the latest lists.
In the case of adverse media checks, ensure that both the oldest and the latest news sources are checked. Negative coverage of the customer may appear in any year. Also, you must track all possible media sources for negative news. Doing all this helps produce accurate results in your customers’ EDD.

Failure to retain records of EDD

Your EDD results are critical for your business. You might need them later in your AML procedures. So, create proper records and maintain them for at least five years as instructed under the PMLA (or for six years as required under the IFSCA Guidelines).
Also, you must keep these records in proper formats. Maintain consistent standards so that records from all years follow the same template. You must update them as and when you repeat your investigations, as part of an ongoing review or upon changes in the customer’s profile. So, practice maintaining accurate, complete, up-to-date, and consistent records of EDD.
In the case of missing EDD records, you will not have enough proof when asked by authorities. Also, you might not have past documents to refer to while conducting further investigations.

Forgetting to build a collaborative environment for an efficient EDD process

The EDD process is not the responsibility of a single team. The customer-facing team needs to gather data from all customers. The compliance team will collect data from reliable third-party sources and assess all the data points from different sources and conclude.
Different teams will carry out all these procedures. But they must collaborate and cooperate on the smooth execution of this process. They must maintain clear communication to facilitate effective results from EDD. You must train the employees on handling processes to ease the EDD execution.

Overlooking the escalation of suspicious cases of transactions with high-risk customers

EDD is for investigating high-risk customers. So, what about the EDD results? What do you do with them? Just sit back, happy that you have identified your high-risk customers?
Having carried out additional verification checks on the customer, you must notify your senior management about such high-risk customers and seek their approval to establish and continue the business relationship with them.

Failing to plan for data protection and confidentiality

For EDD, you will collect a good amount of customer information. You’ll have details on their finances, job, and access to other sensitive information. Customers’ biggest fear is data leakage or access by a third party.
So, you must make it a practice to plan for data privacy and protection. You must adopt every possible way and technology to keep data safe and secure. Safeguard customer information in the most secure way and retain it for future use. Restrict access to this data to a few trustworthy people in your company.

Not investing in the audit and quality review of EDD procedures

Are you happy with your EDD procedures? Are you confident in your EDD measures and their capability to manage your increased risks? Do they reflect the changes in laws and industry practices?
If the answer is no, you must realise it’s high time for a quality assurance check.
You must audit the EDD process to assess its effectiveness. Ensure that EDD procedure and results contribute to achieving AML compliance in India. For this, you must put in place a quality assurance program for frequent checks of the EDD process.
Based on the results of these checks, you must update your EDD policies. These changes and updates must align EDD with PMLA and the relevant AML guidelines, including the FATF recommendations. Also, these policies should resonate with business goals and the sector’s AML best practices. Thus, continuous improvement is essential to adapt to the changing conditions and emerging risks.
You must avoid these significant slip-ups while performing EDD for high-risk customers. If you need help in performing EDD, AML India is right here.

Niyeahma contribution to your AML compliance

Niyeahma is a reliable provider of all kinds of services to help your business become AML compliant. We help entities have a smooth transition from non-compliance to compliance. You can partner with us for all AML services to prevent ML/TF threats.
We help entities conduct customer due diligence and identify high-risk customers. After this, we will conduct enhanced due diligence for further investigations into such customers. Thus, we adopt all the necessary best practices to avoid the risks of financial crimes.

AML compliance for the luxury goods market in Singapore

Money laundering threats are a common stain on all kinds of luxury goods. Worldwide, financial criminals consider art, antiques, gems and stones, yachts, and watches to be an accessible medium to launder money. So, AML compliance for the luxury goods market is essential to eliminating money laundering.
Recently, in 2023, Singapore fell prey to such a money laundering scandal in the luxury goods market. The criminals earned dirty money through illicit means and cleaned it up in the legal Singaporean financial system. Using this money, they bought several luxury goods, which the police seized during investigations. This scam brought the country’s regulatory authorities’ attention back to strengthening AML regulations for the luxury goods market.
Let’s examine these AML regulations in Singapore. Moreover, we’ll discover the AML compliance initiatives that luxury goods market operators must implement to reduce the risks of financial crimes. These measures mitigate money laundering risks and prevent criminals from exploiting this market.

AML compliance mandate concerning luxury goods

The AML regulations in Singapore apply to “precious products”.
Recently, the Singapore authorities introduced a Bill seeking to expand the scope of “precious products.” Previously, this term was restricted to high-value products wherein at least 50% of value was attributed to precious stones or precious metals (PSPM). Now, with the newly proposed definition of “precious products,” the mandatory condition of having a PSPM element in a product to qualify as a “precious product” has been relaxed.
Now, the “precious products” would include the following items subject to the prescribed threshold, and the dealers engaged in such precious products would be subject to AML compliance in Singapore:
  • Jewellery, watches, ornaments, apparel, accessories, etc., of value exceeding S$ 20,000, irrespective of the value attributable to the PSPM.
Considering the money laundering vulnerabilities associated with luxury items, the definition of “precious product” is proposed to be amended to include high-value luxury items traded at premium prices because of the brand label associated with the item or the involvement of craftsmanship.
Such products include high-end watches, accessories, apparel, etc., though they involve very little or no element of precious metals or precious stones. Criminals have exploited these products, resulting in the laundering of illegally obtained proceeds.

Money laundering threats in the luxury goods market

The risks associated with luxury goods are high due to the following reasons:

High-valued items

Luxury items are high-valued goods, attracting money launderers who exploit them in several ways. High-valued items make it easier for money launderers to launder vast sums of money.

Cash transactions

The purchase and sale of luxury goods are mainly through cash transactions. Thus, it becomes difficult for authorities and police to track their source and destination.

Global Nature

You can transact luxury items globally across multiple jurisdictions. This feature increases your exposure to money laundering and similar other threats, with no restriction on the boundaries.

Easy to transport

These goods are easily transportable, and questioning and interrogation are minimal or non-existent. You can carry some of these items, like jewellery, luxurious apparel or ornaments, across borders without hassles.

High resale value

One unique characteristic of luxury items is their high resale value. There is a high demand for these goods among wealthy and high-net-worth individuals. These goods also fetch a good resale value, specifically in the case of rare and unique collectibles. So, criminals leverage this feature to their benefit.

Involvement of intermediaries

Luxury items provide an easy way to use shell companies or third parties to buy, sell, and manage these assets. This means you buy these items not directly but using offshore or foreign accounts. The anonymity and privacy associated with these intermediaries increase the possibility of money laundering activity, concealing the true identity of the criminal or launderer.

Confidentiality

The luxury goods markets enjoy a sense of confidentiality and discretion. You need not provide details on the actual owners of these goods. That is why the risk of financial crimes is high.

Low awareness

Dealers in such luxury items are unaware of the AML compliance requirements worldwide and nationally. Moreover, they are ignorant of the risks of such financial crimes to their business.

Trade-based money laundering

Trade-based money laundering is possible in the case of luxurious items carrying a premium associated with the brand, which is abstract. It is an accessible market for over- or under-invoicing. You can manipulate the prices to show higher or lower rates for laundering money. Criminals might also create false invoices to show a purchase and sale transaction despite no such activity.

Secured transaction zones for art

Another primary factor that has cropped up in recent years is the construction of Freeports. These are storage spaces in transit zones near airports to facilitate art purchase and sale transactions. These are secured zones offering privacy and anonymity to buyers and sellers. In these spaces, no tax is applicable on art and antiques, so you are also saved from those costs.

Easy to buy and sell personal luxury items

Money laundering in personal luxury items is easy because anyone can buy these from any country. Ineffective due diligence measures at borders lead to easy transit to the country of residence. This encourages launderers to evade taxes on such items and launder money without coming into the spotlight of the origin country’s regulator. Moreover, no one asks about the beneficial ownership of these personal luxury items.

Possible use as currency or medium of exchange

Luxury goods obtained illegally are used as a means of payment or to barter another luxury item. Thus, you can place dirty money in the legal market as a currency.

Virtual luxury items

Now, these luxury items are also available in virtual form. So, the risks associated with virtual assets also apply to them. Specifically, they can avoid many regulatory mandates and sanctions.
Thus, these are the possible ways criminals can engage in money laundering through luxury goods transactions.
Accordingly, recognising the legal requirement and the associated risk, you must keep criminals and launderers out to save your business from exposure to financial crimes. If you don’t, you will be AML non-compliant, inviting fines and penalties. It can lead to criminal action against you, reputational damage, or loss of business. So, you must adopt appropriate techniques to prevent them.

Strategies in AML compliance for the luxury goods market

To prevent and mitigate money laundering and other financial crimes, you must implement the following techniques in AML compliance for the luxury goods market:

Detailed AML compliance program

The high risks of money laundering require a detailed strategy for fighting it. You need to know your plan for complying with AML regulations. It is also essential to prevent and mitigate the potential money laundering threats.
So, design a comprehensive customized AML compliance program. It must have adequate policies and controls to fight these financial crimes. This includes procedures for KYC, CDD, transaction monitoring, and sanction screening. Keep updating them on time to align with the evolving regulations and innovations in money laundering.
The strategy must also define the skills you need in your business to handle AML compliance. Based on this, you can hire people for AML compliance-specific jobs. It also enables you to design relevant AML training for your AML activities. Thus, the strategy directs you on how to go about your AML compliance.
This AML compliance program must align with the following acts applicable to luxury items businesses in Singapore:
  • Corruption, Drug Trafficking, and Other Serious Crimes Act (CDSA)
  • Terrorism (Suppression of Financing) Act (TSOFA)
  • Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Act, 2019
  • Precious Stones and Precious Metals (Prevention of Money Laundering and Financing of Terrorism) Regulations, 2019

KYC and customer due diligence

AML compliance requirements need you to know about your customers. So, you must focus your efforts on conducting KYC and customer due diligence of your customers. Collect the following details on your customers and verify the same using reliable, independent sources:
  • Name, address, occupation
  • Nationality
  • Transaction’s purpose and objective
  • Source of funds and wealth
  • Beneficial owners of luxury items
  • Expected mode of payment
The most critical information is where the money is coming from and where it is going. Information on beneficial ownership is equally critical. Both these data points help you establish any potential linkages to financial crimes.
You must create your customers’ risk profiles based on all these details. The risk profile helps you categorise customers as low, medium, and high risks. It is also necessary to screen your customers against different national, regional, and international watchlists, including but not limited to:
  • Terrorists
  • Politically Exposed Persons (PEPs)
  • Sanctions
  • Individuals involved in corruption, bribery, and other illegal acts
So, you must be extra careful while dealing with high-risk customers. All these information-gathering and analysing processes need you to deal with more paperwork.

Transaction monitoring & Identifying suspicious transactions

Monitoring your customers’ transactions is critical to spot suspicious ones. You must be aware of the red flags to detect them. Once you know them, it is easier for you to detect them. You can investigate them further and take action based on the results.
Understanding the layering of transactions is essential. This is where launderers play smartly to hide dirty money in clean money. So, you must create custom transaction rules based on your customers’ risk profiles and transaction patterns. Look for signs that raise doubt in your mind, like the following:
  • Large cash transactions
  • Concealing beneficial ownership
  • Inconsistency of the transaction with the customer’s profile
  • Customers from high-risk jurisdictions
  • Involvement of layers of intermediaries in transactions
Using a technological solution to monitor transactions is a smart move. You can ensure accurate results, complete monitoring, and faster processing. But do not ignore adding the human touch to transaction monitoring. Check the suspicious ones manually to understand the customer behaviour behind possible money laundering.

AML training

You must make it a point to give due importance to AML compliance in your entity. All employees must understand how significant AML compliance is in preventing financial crimes.
Thus, whether you want to create an AML culture in your business, monitor transactions, conduct CDD, or report suspicions, your employees must know how to do all this. If your employees are unaware of the reason and procedures, your AML compliance will go haywire.
So, pay attention to training your employees on AML measures and strategies. Such training must teach the following topics:
  • Significance of AML compliance for your industry
  • Methods of conducting KYC, due diligence, and sanction screening
  • Monitoring transactions, identifying and reporting suspicions
Until employees know the what, why, and how of AML procedures and controls, it is challenging to get their focused dedication; only when they give their 100% can you ensure a culture of AML compliance. It will help you prevent money laundering risks and follow Singaporean AML requirements.

Reporting & AML Record Keeping

Reporting and record-keeping are as crucial to AML compliance as transaction monitoring and due diligence. You will be checking transactions to identify the suspicious ones amongst those. You will also be monitoring your customers to detect their levels of risk to your business. If you forget to maintain records of these results, they do not serve the complete purpose.
Recording and reporting these procedures and results is significant. Since you need to file suspicious activity reports and cash transaction reports, you must have a well-defined procedure for them. Define the people responsible for them, the procedure, and the format. Also, explain any internal reporting process you must follow for AML compliance.
Similarly, maintain records of each of your AML procedures. Save everything, be it KYC records, due diligence reports, customer risk profiles, transaction monitoring results, or AML training manuals. As stipulated in the regulations, maintain these records for at least five years.

Internal and external collaboration

An often overlooked AML strategy is internal and external collaboration, communication, and cooperation.
Smooth communication on AML between departments eases your AML compliance journey. You must discuss the AML procedures that overlap with your activities and challenges, deliberate on potential solutions, and consider their impact. You must also communicate well with senior management to discuss suspicious transactions and customers. The management must communicate the AML policies and procedures to the employees.
Besides internal communication, external cooperation is necessary with:
  • Industry regulators for AML expectations & guidance
  • Peers for shared database in KYC, sanctions screening, and due diligence
Thus, you must collaborate with your industry players to achieve AML compliance and free the luxury goods market from money laundering threats.

Niyeahma – your AML compliance journey partner

These AML compliance strategies can ensure your luxury items business sparkles. But doing it all alone while dealing with the rising competition is daunting. So, the best option is to partner with a specialist AML compliance services provider. And who better than AML Singapore to join hands with to move ahead in your AML compliance journey?
Amidst all these money laundering concerns regarding luxury items, you have a beacon of hope in AML Singapore. We help you with all the necessary strength to fight money laundering. Our consultants provide support to protect the integrity of financial transactions.
Our consultants are here to help you with any of the AML compliance strategies listed above. Not only this, we create a customised strategy to suit your business needs. These AML measures ensure you protect your luxury items from exposure to money laundering threats.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 7+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

FATF travel rule compliance requirements for VDASPs in India

FATF Travel Rule is one of the advanced measures in the anti-money laundering regime to bring transparency around the electronic movement of the funds – whether wire transfer or transfer of virtual digital asset. This rule, FATF’s Recommendation 16, applies to financial institutions and Virtual Digital Asset Service Providers.
It requires the identification of the originator (payer) and beneficiary (payee) involved in the electronic transfer of funds or exchange of virtual digital assets. This data helps the reporting entities understand the parties involved in exchanging funds or virtual digital assets and detect any potential connection with money laundering.
In India, along with financial institutions, the FATF travel rule compliance under the AML framework has been made mandatory for virtual digital asset service providers (VDASPs). Let’s explore the FATF travel rule requirements and their impact on virtual digital asset businesses.

What Is The FATF Travel Rule?

FATF travel rule is the compliance requirement warranting the identification of the person initiating the transfer of funds and the intended recipient. It is similar to the traditional bank wire transfer transaction. While transferring money from one bank account to another, the reporting entities need to identify the account holder transferring the funds and the recipient of such funds. A similar requirement is now being adhered to by the reporting entities providing services related to virtual digital assets as part of travel rule compliance.
The travel rule requires the reporting entity engaged in virtual digital asset-related activities to obtain necessary details about the originator and beneficiary, apply necessary verification measures, and exchange such information with the counterparty VDASP or the recipient service provider.
Here, the one sending the virtual digital assets would be treated as the Originator, and the one receiving them is the Beneficiary.

India’s Adoption Of The FATF Travel Rule In AML

Money launderers have exploited all possible financial instruments to commit crimes. With virtual digital assets’ popularity worldwide, they have also found ways to commit crimes through them. In this regard, compliance with the FATF travel rule will bring transparency between the VDASPs regarding the parties involved in the virtual digital asset transfers.
In line with India’s Prevention of Money Laundering Act 2002 (PMLA), the Central Government of India issued a notification on 07th March 2023 to bring the activities related to virtual digital assets under the ambit of the anti-money laundering regime. Pursuant to this inclusion of VDASPs as the reporting entity under PMLA, the authorities issued detailed AML and CFT guidelines for the reporting entities providing services related to the virtual digital assets on 10th March 2023, laying down the directives and compliance obligations of the VDASPs to safeguard the VDA ecosystem from being exploited by the financial criminals.

Collecting The Necessary Information

Under these guidelines, the VDASPs are mandated to comply with the Travel Rule, which requires the originating VDASPs to collect the required and accurate details about the originator and the beneficiary of the VDA transfer and securely share this information with the beneficiary VDASP along with the transfer request.
The information to be collected by the Originating or Ordering VDASPs and shared with the Beneficiary VDASPs includes:

Originator

  • Originator’s Permanent Account Number (PAN) or National Identity Number,
  • Complete name of the VDA transfer’s originator,
  • Originator’s account number (VDA wallet address) used to process the transaction or from where the VDA transfer has been initiated,
  • Originator’s geographical location, which helps in identifying the originator,
  • Date and place of birth of the originator.

Beneficiary

  • Name of the beneficiary, i.e., the person named as the recipient of the VDA to be transferred by the originator,
  • Wallet address of the beneficiary

Role Of VDASPs Involved In The Transfer

Originating VDASP

The ordering or the originating VDASP must obtain accurate details of the originator and the beneficiary, as mentioned above.
Additionally, the VDASP must verify the originator’s identity and address using reliable information as part of the KYC and Customer Due Diligence process. The ordering VDASP is not required to verify the beneficiary’s identity, but it must subject the beneficiary to sanctions screening and remain alert to any ML/FT suspicion.
Once the originating VDASP is satisfied with the accuracy and completeness of the required details, it must share them with the beneficiary VDASP along with the VDA transfer message.

Beneficiary VDASP

Upon receiving the details along with the VDA transfer communication, the beneficiary VDASP must check the details to determine if any necessary details are missing.
The beneficiary VDASP must verify the beneficiary’s identity before concluding the transfer if such a person has not been verified as part of the customer onboarding and CDD process.

Intermediary VDASP

An intermediary VDASP facilitating the transfer of virtual digital assets must ensure that the necessary originator and beneficiary details are adequately transmitted along with the VDA transfer trail while retaining the same information at the intermediary level.
The regulated entity must verify the customer’s identity using reliable documents. To verify a natural person’s identity and resident address, a regulated entity must obtain that contains a photograph of the customer, name, unique identification number, date of birth, and nationality.
Additionally, a regulated entity can verify residential addresses based on OVD or recent utility bills, bank statements, etc.

Retaining The Obtained Information

The originating VDASPs must retain the information acquired about the originator and the beneficiary for five (5) years from the date of transfer. Similarly, the beneficiary VDASPs must accurately maintain the originator and beneficiary information obtained from the originating VDASP for a minimum period of five (5) years.

When Information About The Originator Or Beneficiary Is Not Available

In cases where the VDASPs cannot obtain the required information about the originator or beneficiary or where such information cannot be adequately verified, then the VDASP must not execute the virtual digital asset transfer transaction. Further, if required under the circumstances, the VDASP must consider reporting the suspicion to the Financial Intelligence Unit, India, by submitting the Suspicious Transaction Report.

Counterparty Due Diligence

As part of travel rule compliance, the originating VDASP must apply necessary due diligence measures on the counterparty VDASP, involved in transferring virtual digital assets, adopting a risk-based approach. Further, the originating VDASP must ensure that such counterparty due diligence is satisfactorily concluded before transmitting the information about the originator and beneficiary to avoid any engagement with criminals or aiding the illicit movement of funds.

Challenges Of FATF Travel Rule Compliance And Solutions

FATF travel rule compliance is an excellent method to prevent money laundering in virtual digital asset transactions. With timely collection and exchange of originator and beneficiary details between the VDASPs involved in the transfer, the detection and reporting of money laundering activity become easy.
The travel rule in AML checks virtual asset transactions’ transparency and traceability. It also enables collaboration between VDASPs to better the sector, which could lead to a trustworthy and credible virtual digital asset ecosystem.

Challenges

Despite the merits of the FATF travel rule, it also has many challenges, such as
  1. Difficulties in obtaining accurate details about the beneficiary, given the anonymity involved and frequent reference to the wallet address of the beneficiaries.
  2. Delay in exchange of information from the originating VDASP to the recipient VDASP without proper tools and solutions at both ends.
  3. Non-maintenance of the originator and beneficiary details for the required time period.
  4. There is no standardised mechanism worldwide for consistently implementing the travel rule across cross-border VDA transfers. Many countries have mandated compliance with the travel rule, while some are still considering adopting it, making it challenging to exchange information when a transaction occurs between two counterparties in different jurisdictions.

Solutions For Challenges

One possible solution to fight these challenges is innovative technology. The VDASPs can have a technological solution to collect, verify and store data. Also, the data-sharing feature is essential for exchanging information with the counterparty securely and on a timely basis, accompanying the VDA transfer instruction. The onus is on VDASPs to find an appropriate solution to fulfil these needs and promote industry growth.
The solution must be in a universal language understood across countries. Real-time customer identification and verification can be an advanced feature of such a tool. The aim must be to ensure smooth data collection and exchange between counterparties.
Further, the VDASP must make it a policy not to accept the transfer request unless the originator and beneficiary of the VDA transfer are adequately identified.

Niyeahma – Your Trustworthy AML Compliance Consultant

Niyeahma has been leading from the front in AML compliance. We help clients understand the requirements of AML regulations and comply with them. Together with you, we aim to prevent money laundering and terrorism financing threats to your business. So, we take a customised approach to make you AML compliant and protect you from financial crimes.
You can hire us for any or all of the following AML compliance services:
  • Conducting the Enterprise-Wide Risk Assessment to assess the ML/FT exposure of your VDA activities
  • Developing and implementing an AML program for managing the ML/FT risks
  • Appointing an AML Principal Officer and assisting in setting up an AML compliance department
  • Creating transaction monitoring rules to detect suspicious VDA transfers timely
Thus, you can find all kinds of support related to AML compliance at Niyeahma.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 7+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Mitigating ML/TF risks associated with high-net-worth individuals

The ML/TF risks associated with high-net-worth individuals are high. Their relation to money laundering (ML) and terrorist financing (TF) is two-fold:
  • Fraudsters and criminals target them because of the presence of many opportunities to commit fraud.
  • High-net-worth individuals can themselves engage in illicit business activities; their wealth might be from illicit sources or dirty money.
If you have a high-net-worth individual as a customer, you are prone to money laundering in both cases. So, you must have appropriate AML measures to deal with the risks of high-net-worth individuals. But first, let’s understand what a high-net-worth individual is in AML and the ML/TF risks posed by them.

Risks associated with high-net-worth individuals (HNIs)

Generally, the definition of HNIs varies from industry to industry and within the same industry. However, an individual with a net worth between US$1 and US$5 million is considered a high-net-worth individual. Net worth means a person’s liquid financial assets. If the individual has a net worth of US$5-30 million, they are very high-net-worth individuals (VHNIs). Then there are ultra high-net-worth individuals (UHNIs) with a net worth exceeding US$30 million.
High-net-worth individuals are more vulnerable to money laundering and other financial crimes. The potential threats include:
  • With the digitalisation of transactions, high-net-worth individuals’ transactions are at a higher risk. Cybercriminals access these transactions to change the destination of funds transfers.
  • HNIs might be keeping funds in offshore bank accounts to enjoy the tax savings in that jurisdiction. Also, it helps them transfer funds anonymously or protect illicitly gained assets.
  • As they are HNIs, they have connections with PEPs, other HNIs, and other influential persons. Such connections might force them to take part in or assist with fraudulent transactions or money laundering activities.
In all these cases, you are at risk as a product or service provider to such HNI. So, when you onboard a high-net-worth individual, consider the risks they pose to your business. Your exposure to such risks will increase your vulnerability to money laundering and terrorist financing threats.
Considering the risks, if you do not onboard such HNIs, you will lose big sales and revenues. It will also affect your credibility in the market. It will not have much impact in the short term, but the long-term effects are unavoidable. So, you need to be cautious while dealing with the AML risks of high-net-worth individuals.

Best practices to deal with ML/TF risks posed by high-net-worth individuals

You must implement the following best practices and AML measures to deal with the risks of high-net-worth individuals:

Maintain a list of ML/TF red flags

The first action you can take is to be aware of the fact that high-net-worth individuals are risky for your business. It does not mean they will indeed cause money laundering or terrorist financing. However, the ML/TF risks are high. So, you must know the potential red flags or warning signs of HNIs’ money laundering activities. Some of these red flags are:
  • Not cooperating in the KYC and due diligence process
  • Providing wrong documents or missing out some information in the KYC process
  • Engaging in financial transfers with unusual patterns, different from their usual transactions
  • Unexplained or erratic customer behaviour while conducting financial transactions
  • Using unrelated or unknown third parties in a transaction
  • Financial activities that don’t align with the HNI’s business
  • Sudden or unexplained large transactions to or from high-risk jurisdictions
  • Providing incorrect information on identity, business, or transactions
  • Too many transactions of buying and selling properties despite financial losses
  • Linkages to business in sectors like gambling, weapons of mass destruction, or arms trade
  • Frequent cross-border transactions in jurisdictions with no relation to HNIs’ business interests
  • A high volume of cash transactions
If you are aware of these, you can take the right action. You can investigate the transaction further to confirm the particulars. If found suspicious, you can report it to the UAE FIU.

Perform Enhanced Due Diligence

HNIs are high-risk customers. Since you know this, you must be ready to implement strict KYC and due diligence on your HNI customers. So, deep research should be conducted on these clients.
Conducting in-depth research on HNI customers’ identities is essential. You must know the following details:
  • Full names with family details
  • All the previous residential addresses
  • Past and present passports held
  • Nationalities and citizenships of different countries
  • Professional background
  • Shareholdings in different entities
  • Utility bills
Focus on finding every possible information on their wealth, funds, assets, and structuring. So, you must collect and verify the following information on HNIs:
  • Origin and legitimacy of their funds
  • Overall wealth (holdings and assets) and their sources
  • Types of assets like properties, salaries, investments, inheritances, dividends, bonuses, and shareholdings
  • Financial statements
  • Identifying their structures’ complexity
  • Presence in opaque and risky jurisdictions
All these data points help you spot suspicious activities or transactions.

Perform name screening

HNIs are high-profile individuals known to the public. But you must be careful before dealing with them. In addition to due diligence, try every possible method to learn more about them. Conduct a deeper examination of their identities and financial behaviour. Screen them against lists of:
  • National, regional, and international sanctions released by authorities
  • Terrorists or terrorist-funding organisations
  • Politically Exposed Persons (PEPs)
  • High-profile people with links to financial crimes like money laundering, corruption, bribery, etc.
It’s not enough to check only if HNIs’ names are on the list. HNIs might have linkages to people featured in these lists. So, you must also verify those points. Use databases and intelligence tools for any linkages to illicit activities.
Another check that is essential for you is adverse media sources. Check if their names appear in any adverse news related to crimes. Any negative mention of their names in media must be investigated in depth. The issue is that some criminals own such media channels or pay them good money to hide their negative news. They plant more positive news about themselves to paint an optimistic picture. That is why you must have experts working on investigating HNIs.

Examine tax compliance status

Checking high-net-worth individuals’ sources of wealth, linkages to financial crimes, and assets is crucial. But another critical factor that is generally ignored is their tax compliance. You must know about their tax compliance status to decide on their connections with illicit activities.
Generally, criminals use many offshore bank accounts to transfer money from one tax jurisdiction to another. Also, they engage in multiple global money transfers, which is, again, a suspicious activity. They also use structures like trusts, shell companies, and charities to invest, move, and control assets.
Collect necessary data on their tax compliance to understand if they are compliant. Identify any tax evasive strategies they have used in their past or current operating years. Check if they have used shell structures or other opportunities to avoid paying taxes or mitigate tax liabilities illegally.

Ongoing monitoring

You have already conducted KYC and due diligence. However, there is a chance that you will miss some data points or fail to focus on a document. So, ongoing monitoring is essential to prevent any money laundering risks to your business from high-net-worth individuals.
Constant monitoring helps to factor in:
  • Changes in the data of HNIs
  • Emerging risks of money laundering and terrorism financing
  • Advanced technologies and techniques for collecting information
  • Variations in HNIs’ risk profiles
If you have HNIs as customers, conduct real-time monitoring of their transactions. You must look for some unusual patterns or suspicious activities. Set a threshold or limit to transactions and investigate them if you observe outliers. Manual reviews of such suspicious transactions enable you to draw more conclusions.

Scrutinise crypto investment or payment

Are your high-net-worth customers dealing in cryptocurrencies?
Do they make payments using cryptocurrencies?
If your answer is yes to any of these, you must be extra careful. Cryptocurrencies are more vulnerable to money laundering. Also, cryptocurrency transactions have a higher degree of confidentiality and privacy. This fact makes it easier to conceal the illegitimacy of a transaction.
That is why if your HNI customer uses cryptocurrencies, conduct more investigations. Check if they are trading crypto assets or have invested in such assets. All these data points help you confirm your high-net-worth customers’ legitimacy.

Partner with an expert AML consultant

All of the above measures are necessary to confirm the identities of your HNI customers. You need to know them in and out to check for any connections with financial crimes. Collecting and verifying all these data points is an arduous task. So, hiring a specialist AML consultant who performs identity verification is a better option.
Search for a service provider with expertise in KYC and customer due diligence, one who can collect all information on high-net-worth individuals and verify it against the respective documents. The vendor must have industry connections, access to databases, and skilful professionals to conduct these exercises. They will have complete knowledge of UAE’s AML regulations to ensure compliance. Such expertise is essential to ensure data accuracy, relevance, and completeness for high-net-worth customers.
So, as a regulated entity in UAE with high-net-worth individuals as customers, you must apply these seven AML measures to avoid falling prey to money laundering risks. For the last one, you have the best option in Niyeahma as your expert AML compliance partner.

Niyeahma – your partner for professional AML consulting services

Niyeahma is an expert provider of AML compliance consulting services in the UAE. You can always ask our experts for help in AML compliance. With immense knowledge and extensive experience in AML compliance, our professionals can help you through any AML procedure.
We help you with KYC, due diligence, and screening of all types of customers. If the customers are high-net-worth individuals or high-risk, you’ll have more digging to do. Our AML experts manage all data collection and verification with a unique investigative approach. We help you build customers’ risk profiles so that you know whom to onboard and, thus, take a risk-based approach to fight ML/TF.
Besides KYC and due diligence, our expertise lies in:
  • Monitoring transactions of your customers
  • Conducting risk assessments and building customers’ risk profiles
  • Creating and implementing customised AML policies and procedures
  • Selecting proper AML software for your compliance needs
  • Hiring and appointing an expert AML compliance officer
  • Forming a capable and skilful AML team for your business
So, for all these needs, you have one contact to call – Niyeahma.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with 25+ years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.

Customer Due Diligence Requirement under IFSCA AML Guidelines

As an international financial hub, the International Financial Service Centre in India provides a platform for businesses operating within to increase their customer base and expand their reach on a global scale. With global exposure, the risk of such businesses being used as vehicles or channels for furthering the movement of illicit proceeds or carrying out illegal activities (such as money laundering (ML), financing of terrorism (FT) and proliferation financing (PF) of weapons of mass destruction) also increases. Thus, the performance of adequate Customer Due Diligence measures is an integral part of the IFSCA anti-money laundering (AML) framework.
The ML/FT and PF risks may arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc. The IFSCA has issued IFSCA Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer Guidelines, 2022 (IFSCA AML Guidelines), which provide for entities operating in the IFSC to conduct Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers.
Customer Due Diligence (CDD) enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.

What Is Customer Due Diligence?

Customer Due Diligence is a process that includes identifying and verifying the customer and the beneficial owner (in the case of corporate customers) using reliable and independent sources. The CDD measures are focused on customer identification to check their authenticity and legitimacy. It includes a set of internal controls that help businesses establish a customer’s identity, determine the nature and purpose of transactions that the customer is likely to engage in, and assess the associated ML/FT and PF risks the businesses may face when dealing with such customers.
Further, depending on the risk-based approach, the degree of strictness and scrutiny of the CDD measures shall vary according to the ML/FT and PF risks posed by various customers.

Role Of CDD In AML Regulatory Compliance

CDD is a crucial element of the IFSCA AML Guidelines as it helps verify the identity of customers, assess their risk profiles, and monitor their transactions to detect and prevent financial crimes. With the implementation of the CDD procedures, regulated entities can determine the varying levels of risk associated with different customers and establish the appropriate CDD measures for risk mitigation.
The CDD process provided under the IFSCA AML Guidelines maps out a comprehensive framework for addressing potential threats of ML/FT when engaging with both new and existing customers. Thus, it assists regulated entities in safeguarding themselves and maintaining compliance with regulatory requirements.

When Is CDD Required?

CDD must be performed before establishing a business relationship, to establish the identity of the prospective customer. Additionally, the regulated entity must undertake CDD measures on an existing customer if there are doubts regarding the authenticity and legitimacy of provided documents, data, or information. Further, CDD measures should be undertaken if the regulated entity comes across suspicions of ML/FT, a change in the customer’s risk rating, or any material change in the customer’s circumstances.
Thus, CDD is also crucial on an ongoing basis, in the course of the business relationships, to ensure that the customer’s identified profile holds good and that any changes in the identification details are immediately identified, which may pose an increased risk to the business.

Who All Are Subject To CDD By The IFSC Regulated Entities?

As per the IFSCA AML Guidelines, CDD measures must be adequately applied to all customers, whether individuals, legal persons, or legal arrangements, including the beneficial owners of such legal persons or arrangements.

Decoding The Customer Due Diligence Process

Customer Due Diligence is a necessary procedure that must be undertaken in a structured manner with utmost due care to better comply with the IFSCA AML Guidelines while achieving its objective of safeguarding the business against potential financial criminals. Here is a detailed note on the elements of the CDD process that you need to keep in mind:

Data Collection And Verification (Know Your Customer)

The first level of CDD involves identifying and verifying the customer’s identity and understanding the nature of the business. This process is generally known as “Know Your Customer” (KYC). The regulated entity must undertake the KYC process and seek information from its natural and legal customers.
After collecting the data, CDD’s next step is to verify all such customer information. It is essential to verify the information provided to check its adequacy and establish the authenticity of the customer and proposed business relationship. A customer with ill intentions of routing illicit funds may furnish information that may not be legitimate. Therefore, verification becomes crucial so that the regulated entity can mitigate risk by knowing the true identity of a customer and understanding the purpose of the transaction.
The critical components of the KYC are as follows:

1. Identification and Verification of Identity of Customer

A regulated entity must collect KYC information from the customers, whether a natural person or a legal structure.

2. Natural Person

This information typically includes a natural person’s full name, Unique Identification Number, date of birth, nationality, address, and contact details.
The regulated entity must verify the customer’s identity using reliable documents. To verify a natural person’s identity and resident address, a regulated entity must obtain a document that contains a photograph of the customer, name, unique identification number, date of birth, and nationality.
Additionally, a regulated entity can verify residential addresses based on OVD or recent utility bills, bank statements, etc.

3. Legal Person

A legal person established in whatever form must provide KYC information containing the full name and trading name, Unique Identification Number, registered or business address, principal place of business, date and place of incorporation. Furthermore, in cases where the customer is a legal person or legal arrangement, a regulated entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement.
The regulated entity shall verify the legal form, proof of existence, constitution, and document defining regulatory powers. For such purposes, a regulated entity must obtain a certificate of incorporation, partnership deed/agreement, trust deed, constitutional document, certificate of registration or any other document.

4. Identification and Verification of the Natural Person appointed to act on behalf of the Customer

A natural or legal person may appoint one or more natural persons to deal with on its behalf for business purposes. Therefore, a regulated entity needs to identify and verify such a person. All documents specified above should be obtained from appointed natural persons acting on behalf of the customer. Additionally, documents authorising the appointment of such a natural person should also be obtained, including power of attorney, resolutions passed by the governing body, etc.

5. Identification and Verification of Identity of Beneficial Owner

CDD measures should also use relevant information to identify the beneficial owner of the customer, who is a legal person or legal arrangement. This includes understanding the customer’s control or ownership structure.
For legal persons, the regulated entity should identify the natural persons exercising control over the entity through ownership. In case of uncertainty or no natural person owning the legal person, the regulated entity should identify the natural persons having effective control over it.
For legal arrangements like trusts, the information regarding beneficial owners includes the trust’s author, trustee, beneficiaries having a significant interest, and any other person exercising control over the trust.
The IFSCA AML Guidelines have prescribed certain percentage thresholds for varying legal structures to determine ownership or control rights. For example, a beneficial owner of a corporate entity is a person who holds more than 10% of the entity’s shares.

6. Information on the Purpose and Intended Nature of business relationship

When gathering customer information, a regulated entity must also obtain information regarding the purpose and intended nature of a customer’s business relationship. To collect such information, a regulated entity should employ methods that align with the risk level and complexity of the regulated entity’s business.

Name Screening

Sanction screening is a process to ensure that the regulated entity does not deal with the organisations and individuals sanctioned under the Ministry of Home Affairs, United Nations Security Council, and other relevant sanction lists, as per the firm’s risk-based approach.
Thus, name screening is performed primarily to check whether customers are designated under any local or international list of banned or sanctioned persons. For name screening, the regulated entity must scan the customer against the national list issued by the Ministry of Home Affairs, the UNSC sanctions list, or any other international sanction lists relevant to the particular business relationship.
Additionally, screening must be undertaken to identify if any customer is a Politically Exposed Person (PEP) or has connections with financial crime as captured in reliable adverse media sources.
The regulated entities must conduct the sanctions screening to reinforce the KYC process and identify any additional details that may impact the customer’s risk profile.

Customer Risk Profiling

The risk landscape related to customers is multifaceted and affected by various factors. Thus, customer risk profiling is essential as it establishes the customer’s risk profile and helps determine the level of due diligence required of every customer. The IFSCA AML Guidelines mandate that regulated entities assess the risk posed by each customer. In accordance with risk assessment, the regulated entity applies mitigation measures, adopting a risk-based approach.
Thus, the regulated entities must assess the level of ML/FT risk the customer poses to the business and determine its risk profile while establishing the business relationship or executing a transaction. Here is the list of parameters that must be considered to assess the customer risk systemically:
  • Timing and seasonality of transactions
  • Involvement of counterparties and intermediaries
  • Customer’s financial profile
  • Ownership and management structure
  • Nature and purpose of the business relationship
  • Location of customer
  • Nature of customer’s activities
  • Estimated size or value of the transaction
Based on these parameters, the regulated entities must determine the degree of customer involvement in a business relationship and classify the customers as high, medium, or low risk. With this risk allocation, the regulated entities can tailor the risk mitigation strategies for each customer to effectively mitigate the risk while staying compliant with the AML regulatory framework.
Here are the required or permitted modifications to the standard CDD measures as per IFSCA AML Guidelines, depending upon the degree and severity of the ML/FT risks:

Enhanced Customer Due Diligence (ECDD)

When a customer is identified as high-risk, there is increased ML/FT risk associated with them. Therefore, additional identity checks and verification measures are to be applied. These additional measures to be applied under ECDD include identifying and verifying the customer’s source of funds and wealth and seeking senior management approval before onboarding the customer or executing the transaction.

Simplified Customer Due Diligence (SCDD)

Simplified Due Diligence means applying relaxed identification checks and measures to manage risk when customers are designated low-risk. Therefore, SCDD measures allow regulated entities to adopt a process where lower ML/FT risk is adequately managed with optimal resource utilisation.

Ongoing Customer Due Diligence

The ongoing monitoring of the business relationship offers the regulated entity an opportunity to determine if the risks originating from the customer are still the same as identified at the time of customer onboarding. The ongoing CDD process allows for the regulated entities to monitor their customers’ profiles on an ongoing basis and assists the entities in timely spotting any fluctuation or change in the risks, empowering them to take prompt mitigation actions.

Periodic Updating of CDD

As part of ongoing CDD, the regulated entities must periodically review and update the customer’s documents and CDD information to reflect any necessary updates, such as a change in address or renewal of an important document such as a passport. These periodic CDD update measures ensure that the customer information gathered remains updated and relevant to determine the customer’s existing risk profile.
The regulated entities should adopt a risk-based approach to conducting periodic CDD updates. According to the IFSCA AML Guidelines, the frequency of periodic CDD updates varies based on customers’ risk levels.

Record Keeping

This is the last step, which requires the regulated entities to maintain the CDD-related records adequately for six (6) years from the date the business relationship ends or the transaction is completed. Systematic record-keeping facilitates the regulated entities’ meeting of their reporting obligation and furnishing such details to the concerned authorities or any law enforcement agency immediately upon request.

What Happens When CDD Is Not Performed?

Onboarding customers without applying any CDD measures, or with inadequate ones, can subject a regulated entity to severe risks such as reputation loss, compliance risk, and financial loss. It is mandated that a regulated entity establishes a business relationship only after employing adequate CDD measures to identify the customer and associated risk. When a regulated entity cannot perform or complete the CDD process for a customer, the IFSCA AML Guidelines impose certain restrictions on the regulated entities, such as:
  • It should avoid opening an account or providing a service to the customer.
  • It must not conduct a transaction with or for the customer whose CDD has not been conducted.
  • When CDD measures are not undertaken, a regulated entity must terminate or suspend any business relationship with the customer.
  • A regulated entity must return any funds or assets received from the customer.
Furthermore, in such cases, it is crucial to assess whether the lack of CDD requires the submission of a Suspicious Transaction Report (STR).
Imposing these restrictions on a regulated entity where the CDD process is not properly conducted is to protect the business from inadvertently facilitating any transactions leading to ML/FT crimes.

Best Practices For Implementing Effective CDD Program

For implementing CDD measures effectively, here are a few points that a regulated entity should consider:

Including CDD Program Into Internal AML Policy And Procedures

The regulated entity should incorporate CDD procedures into its AML/CFT policies, procedures and controls to improve consistency in CDD measures implementation across the organization. The CDD program must detail the KYC process, the details to be obtained, the documents and sources to be relied upon for verification of the customer identity, the frequency of ongoing CDD and periodic review, etc.
The AML policy should also define staff roles and responsibilities in conducting CDD. This will promote clarity and compliance with regulatory requirements.

Appointing A Competent Person To Conduct CDD

It is essential that the person overseeing compliance with regulatory requirements is skilled and has the expertise to conduct CDD procedures. Customer-facing CDD staff should know basic CDD procedures, associated red flags, and ML/FT and PF typologies. Employing such a skilled person for CDD measures enhances the productivity and accuracy of the CDD process and brings efficiency to the AML efforts to protect the business.

Implementing Software And Tools For Conducting CDD

A regulated entity must consider employing suitable tools to streamline and improve the CDD process. Such software covers various aspects, such as identity verification systems, collecting information from different sources, sanctions screening, systematic customer risk assessment, and ongoing transaction monitoring.

Employing Data Security Measures

CDD collects customers’ data, which needs to be handled carefully. Thus, while conducting CDD procedures, a regulated entity should include encryption protocols, controlled access to the data, and audits to prevent data breaches. Data security measures help businesses gain the trust of their customers and protect their data from unauthorised access. By implementing and making its customers aware of the regulated entity’s Data Protection and Privacy Policy, the regulated entity ensures it utilises and stores customer data solely for regulatory compliance, ensuring transparency and accountability in data handling practices.

Periodic CDD Reviews And Updates

As mentioned above, the IFSCA AML Guidelines provide for the periodic review of customers’ CDD files. A regulated entity must include a methodology and a system to conduct periodic reviews to keep up with changes related to customers’ business, wealth, and overall profile. Keeping up with new updates helps businesses be more vigilant towards suspicious activities and proactively identify and manage the risk.

CDD Training And Awareness Programs

As a regulatory requirement, the regulated entity must conduct regular training sessions and awareness programs to educate staff about processes, procedures, and the importance of CDD. This helps update employees with emerging AML trends and clarify their roles and responsibilities in ensuring compliance with regulations. Furthermore, training programs should be tailored to employees’ specific needs and roles, such as training programs for senior management, operational staff, and managers.

Conclusion

CDD is an essential factor for mitigating risks associated with ML/FT. An IFSCA-regulated entity that implements CDD practices can establish the identity of its customers, understand the nature of its business relationships, and assess the potential risks involved in the particular business relationship. Additionally, for better performance, best practices in CDD should be employed, such as incorporating a CDD program within the documented AML policy, employing adequate AML software to empower the CDD process, and conducting AML training for the staff.
Therefore, prioritizing CDD not only helps organisations comply with regulatory requirements but also safeguards their financial integrity and reputation.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 7 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

The role of Re-KYC process in AML Compliance

KYC is a critical AML compliance requirement for regulated entities in the UAE. It lets you know your customers better and gauge the risks associated with their transactions. Nowadays, authorities are also stressing the need for re-KYC of customers to keep track of updated information. Let us learn the role of the Re-KYC process in AML compliance and strengthen our defences against money laundering and terrorist financing.

What is Re-KYC?

KYC must not be a one-time event. As customers’ details and regulations change, you must also update these data points in your database. That is why re-KYC of customers is essential. Re-KYC means periodic updates of the customers’ KYC details.
For the re-KYC process to run smoothly, you must invest your time, effort, and money in it. Collect the customers’ information again, verify it, and add it to your database. This must lead to accurate and up-to-date details on all your customers. You also need to carry out sanctions screening and customer risk assessment to classify customers into low-risk, medium-risk, and high-risk customers and apply suitable countermeasures to fight against the risks they pose.

Why is re-KYC of customers essential?

Re-KYC of customers is essential for every regulated entity for the following reasons:

AML/CFT policy and procedures

AML/CFT policy and procedures mandate the KYC refresh. Depending upon the local rules and regulations and the risk-based approach adopted by the regulated entity, the schedule for periodic review is predecided and triggered. For example, the organisation may have a policy to conduct re-KYC every year for high-risk customers, once every two years for medium-risk customers, and once every three years for low-risk customers.

Industry transformations

Post-COVID, business models have significantly changed. Some of the old industries do not exist anymore or have undergone significant changes. The associated ML/TF risks have changed. Re-KYC helps understand customer profiles in the changed context, align risks, and take appropriate countermeasures to fight ML/TF.

Change in customer profile

Like fluctuations in your business, your client’s business or profile also witnesses changes. For example, they expand to a new territory, add a new product or service line in their offerings, have new owners, change the source of funds, or something else. These types of deviations in your clients change their risk profiles. To incorporate the amendments in their risk profiles, you must conduct a re-KYC of customers.

Internal shifts

Your business is unique, with its own set of requirements, business models, objectives, capabilities, and procedures. Based on these factors, you also define your risk appetite to tolerate money laundering risks. Any internal shifts in these factors lead to a change in your risk appetite. This leads to changes in your AML measures and compliance policies. In such situations, re-KYC of customers is essential.

Regulatory amendments

To keep up with the regulatory changes, you may be required to gather additional information about customers. Re-KYC helps gather that information and comply with legal requirements.

FATF Greylisting of a country

If a country is greylisted, you need to take a risk-based approach and require your customers to furnish additional information as to the source of funds and source of wealth. Re-KYC helps you do that.

FATF Black listing of a country

If a country is blacklisted, you need more information about your customers in high-risk jurisdictions, and hence Re-KYC or KYC refresh is required.
Due to all these reasons, it becomes essential for regulated entities to conduct the re-KYC process. Whether you conduct it twice a year or once every two years, the aim is to have updated information. Such up-to-date and accurate data facilitates the correct risk profiling of the customer. Based on this, you can take a risk-based approach for further AML compliance initiatives. Thus, you can prevent money laundering and terrorism financing activities.
Another benefit of the KYC process is a better understanding of your customers. You can tailor your services to their needs to improve customer satisfaction. Thus, you can also enhance your customer relationships with the re-KYC of customers.

Steps of the re-KYC process

You have the reasons and benefits of the re-KYC process. But what are the steps of conducting this process?
The re-KYC process involves the following steps:

Step 1: Client communication

The first step of the re-KYC process is letting your customers know you will conduct KYC again. Communicate to them the reasons for this exercise and its importance. Inform them about the documents you will need for re-KYC.

Step 2: Information collection

Once you have identified the customers for whom you want to repeat the KYC process, list the necessary details. You might need some past information as well as some new details. Collect all those data points from customers.

Step 3: Information verification

In the next step, verify all the customer details with the necessary documents received from them. You must ask them for proof of identity and address, beneficial ownership, sources of funds, payment methods used, and other necessary documents. Match the details submitted by clients with these documents.

Step 4: Screening

Screen your customers against lists of sanctions, terrorists, watchlists, PEPs, or any other local and international list of criminals. Moreover, check for adverse media or social media mentions of crime-related activities.

Step 5: Risk Assessment

Assess each bit of information on your customers. Examine every slight suspicion you have about them based on their behaviour, transactions, and profile changes. Based on the results of this analysis, update their risk profile. Keep an eye on those customers whose risks have increased.

Best practices in re-KYC of customers

For the smooth and accurate performance of the re-KYC process, avoid making the most common errors. You can adopt the following best practices for a successful re-KYC process and quality outcomes:

Establish Re-KYC procedures

AML compliance is not an easy journey. You have to manage quite a few procedures to ensure you comply with all the requirements. KYC is one such procedure. It helps you better know your customers to prevent or mitigate their risks. So, give it the importance it deserves.
Define a strategy for conducting re-KYC of customers. Mention the steps. List the timelines, resources required, and budget for the re-KYC process. Also, define the potential challenges you might face in this process, like customers’ disagreement, and the steps to deal with them. Such a strategy enables a seamless process.

Implement KYC software

KYC is a lengthy process. If you do it manually, it takes a lot of time. Also, it requires special skills to manage this exercise without errors and hassles. So, you need to spend money on hiring skilled staff as well. Also, the manual process increases the chances of errors. All these can affect your re-KYC process.
So, the best solution to all these problems is automating the re-KYC process. Such a solution will lead to accurate results, faster processes, and customer ease. Also, these KYC solutions raise an alert when they detect an anomaly, suspicion, or shift from the usual behaviour. Thus, you are better equipped to fight money laundering risks.

Take a risk-based approach

AML compliance is all about a risk-based approach. You have to decide the next action based on your customers’ risk levels. The same is the case with re-KYC. For high-risk customers, the frequency of re-KYC is higher. So, you must know whether your customer is high or low risk and when you last conducted their KYC.
So, if the customer is high risk, conduct a re-KYC frequently. If the risk is low, postpone it for later. Thus, you can decide the frequency and depth of your KYC procedures.

Customer communication is key

Inform your customers about the re-KYC process. They must be aware of the purpose of such data collection and document verification. It is also a good practice to obtain their consent to this exercise. Inform them about the documents needed, the time taken, and other necessary details. Constant communication from your side facilitates better relationships with customers. Since it will be a disturbing and problematic exercise for your customers, explain its significance to them.

Allocate proper resources

Re-KYC is not an administrative process. It is not a scheduled task that you get out of the way by just following the steps. It needs your complete dedication and sincerity. It will help you stay away from risky customers and transactions. Thus, it is a part of your business’s risk prevention and mitigation plan.
So, you must give it much importance. Don’t forget to allocate skilful resources, a reasonable budget, and specific timelines to this exercise. Also, ensure that you do not destroy customer relationships while managing this procedure.

Ensure proper record-keeping

You must document every result and finding of the re-KYC process. Since you are analysing the client again and rebuilding the risk profile, the rationale behind it must be saved and secured. So, maintain proper records of each data point on the customer. Save the documents. These records help you during audits or investigations by regulatory authorities.
These six effective approaches can help you with a successful re-KYC process. Ensure that you adopt them and follow the step-by-step journey. Do not forget to conduct a re-KYC of customers to be doubly sure of their risks to your business. Only with such re-KYC and due diligence can you strengthen your AML measures.

AMLUAE – your partner for conducting re-KYC of customers

AMLUAE is a prominent provider of AML compliance services in the UAE. We help you follow AML regulations in the UAE at every step. You needn’t worry about deadlines or regulatory updates; we handle everything on time and in compliance.
We also handhold you through the entire KYC and re-KYC process. Our consultants and AML experts conduct customer due diligence on your clients for accurate results. Ultimately, you will have each customer’s detailed risk profile to enable you to take a risk-based approach to your AML compliance.
Besides KYC and due diligence, we also help monitor transactions to detect suspicious ones. Our team can impart personalised training to your employees, create and implement AML policies, and manage all communication with regulatory authorities. The aim is to let you focus on your core business while we manage the AML compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.

Why is Record-Keeping of Customer Identity and Transactions necessary?

Illicit financial activities, such as money laundering, financing terrorism, and proliferation financing (ML/FT and PF), hamper the integrity of the economy as well as the operations of business entities. To combat these illicit activities, businesses adopt robust Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) measures, which are aligned with the regulatory framework.
As part of the UAE’s AML/CFT regulatory framework, all regulated entities, including Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs), are required to maintain records of KYC, CDD, EDD, transactions, audit logs, software audit trail, AML/CFT policy, procedures, etc.
In this article, we’ll discuss why record keeping of customer identity and transactions is important and what its best practices are.

What is Record-Keeping?

Whenever regulated entities undertake measures and activities to mitigate ML/FT and PF risks, such as customer due diligence, transaction monitoring and AML audit, they generate several documents in the process. Maintaining these documents is necessary as it makes it easier for them to access data as and when required, which is crucial for combating financial crimes, including ML/FT and PF.
This is the essence of AML record-keeping. Therefore, record-keeping in the AML framework means maintaining documents pertaining to AML measures that include customer identity records, transaction records, adverse media checks, etc. Record-keeping thus carries a significant purpose in ensuring AML compliance.

What type of records are required to be maintained?

The types of records that regulated entities need to maintain depend on the regulations they need to follow. In the UAE, regulated entities must maintain records related to various compliance measures undertaken by them.
Here is a comprehensive list of customer-related information and transactions which require record-keeping in the UAE:

1. EWRA, Internal policies, Procedures and Control Measures

The CDD process includes verifying the customer’s identity and keeping a copy of references and other related pieces of evidence. Other documents include a copy of identities and any other additional information that must be maintained to facilitate regular monitoring of the records. Companies must also keep records of the customer screening process for checks such as PEP and sanctions screening. They can present them as evidence to the investigation agencies as and when needed.
As part of policies and procedures, regulated entities need to establish a risk appetite statement that provides the entity’s stand on accepting risks and sets a base to analyse trade-off decisions. A risk appetite statement helps everyone understand the level of risks the entity is willing to take and accordingly apply suitable control measures.
Furthermore, based on risk appetite, the regulated entity must also identify and enforce AML control measures to combat ML/FT and PF risks associated with the entity.

2. Customer Due Diligence

It is essential for regulated entities to conduct the CDD process to measure ML/FT and PF risks associated with customers. There are various elements for an effective CDD. The CDD process includes conducting know-your-customer (KYC) measures to verify the customer’s identity. It is required to maintain KYC records along with supporting documents like Emirates ID, Passport, Utility Bill, etc.
Customer risk assessment is a key component of the CDD process that helps detect and prevent ML/FT and PF risks by evaluating the risk associated with each customer. Regulated entities must maintain customer risk assessment documents as evidence of their risk profiling.
Based on customer risk assessment, regulated entities are required to undertake Enhanced Due Diligence (EDD) for higher-risk customers that pose ML/FT and PF risks and thus present increased exposure to them. They need to maintain any additional information related to customers within CDD records concerning EDD.

3. Transactional Records

Regulated entities have to keep records of the business relationship and the transactions involved for five years from the completion of the transaction. The various transaction records include purchase orders, sales orders, invoices, receipts, payments, credit and debit notes and correspondence with the business. Regulated entities must maintain all the documents to establish a proper audit trail.

4. Regulatory Reports

To meet the internal and external reporting requirements, regulated entities must maintain all submissions made to the regulatory authorities.
As a part of his responsibility, the compliance officer prepares a semi-annual AML compliance report, which he submits to the senior management. These reports must be preserved. Further, semi-annual reports submitted to the regulatory authorities must be preserved for a period of 5 years.
The AML regulations in the UAE mandate the regulated entities to identify suspicions related to ML/FT and PF and report such suspicions by filing a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR). As part of record-keeping compliance, they must keep records of STR/SAR.
In addition to MLRO and STR/SAR, the regulated entity needs to submit additional reports based on the nature of the customer’s business, circumstances and place of the customer’s business or transactions. These reports include the High-Risk Country Report, High-Risk Country Activity Report, Real Estate Activity Report, Fund Freeze Report, Partial Name Match Report and Dealers in Precious Metals and Stones Report. Regulated entities in the UAE are mandated to maintain such reports.
An Independent AML Audit report issued by the external auditor must be preserved for at least 5 years.

5. Correspondence and Directives Issued by Regulatory Authorities

Regulated entities should also keep records related to communication and directives issued by regulatory bodies, ensuring compliance with applicable laws and regulations. With such records, regulated entities in the UAE can effectively manage risks associated with their customers and transactions and help supervisory authorities keep checks and balances.

6. Training Logs

Training logs are key tools within the AML/CFT framework. They ensure that staff and employees within businesses are adequately trained to fulfill their responsibilities effectively. By maintaining comprehensive training logs, regulated entities demonstrate their commitment to AML/CFT compliance, fostering a culture of compliance within the organization and empowering staff to detect and prevent financial crimes effectively.

Why is record-keeping of customer-related information necessary?

Record-keeping is an integral part of the AML/CFT framework. It supports various compliance activities like customer due diligence, transaction monitoring, reporting, compliance documentation, regulatory examinations, and investigations. Properly maintained customer records are essential for compliance with AML regulations.
Here is the list of reasons that make record-keeping of customer information and transactions necessary:

Legal and Regulatory Compliance

The AML/CFT regulatory framework requires regulated entities to maintain customer-related AML records. If a regulated entity fails to maintain records, it can result in legal consequences, fines, or penalties. Therefore, having a system for record-keeping helps in avoiding legal implications.

Customer Due Diligence

AML regulations require regulated entities to conduct due diligence on their customers to assess their risk levels and verify their identities. Record keeping helps regulated entities maintain proper documentation of customer information, identity verification, and risk assessments. Furthermore, it helps them avoid any financial and reputational loss in case a customer is engaged in illicit activities.

Proactive Monitoring

Regulated entities are required to monitor customer transactions for suspicious activities that may indicate money laundering or other illicit activities. Record-keeping plays a vital role in enabling proactive monitoring from an AML/CFT standpoint.

Regulatory Reporting

When suspicious activities are detected, financial institutions must file SAR/STR with the appropriate regulatory authorities. Proper record-keeping ensures that all necessary information related to the customer’s suspicious activity is documented and can be provided to regulatory authorities.

Performance Evaluation

Record-keeping helps regulated entities assess the performance of AML measures across the entire organisation, including those measures incorporated for customers. By tracking KPIs over time, regulated entities can easily identify the strengths, weaknesses, and gaps for improvement in their AML measures.

Decision Making

Records provide valuable data and insights that aid in making informed decisions. Whether it’s about customer-business relationships, control measures, or strategic direction, having access to historical records enables better decision-making. A well-structured record-keeping system allows for better tracking of suspicions, which in turn helps in making informed decisions.

Independent AML Audit

Regulated entities need to appoint an independent AML auditor to carry out the audit of their AML/CFT compliance. Record-keeping facilitates such audits.

Inspections and Investigations

Often, regulatory authorities come for inspections and ask for various compliance records. Record-keeping also helps investigators conduct investigations into cases related to money laundering and terrorist financing.

How do you maintain customer identity and transaction records?

Record keeping procedure depends on local and global regulatory requirements. The number of records required to be maintained affects the manner in which such records are maintained. The records can be maintained physically or in an electronic form. Ideally, the following documents should be maintained:
  • Original documents
  • Photocopies of original documents
  • Documents stored in electronic form
It is noteworthy that the records maintained should be easily accessible. If the source documents are available in a foreign language, then translated copies must be made available to ensure AML/CFT compliance.

Challenges for maintaining customer records

Although it is necessary to keep records of customer information and transactions, regulated entities face various challenges in maintaining an efficient system.
The following are some major challenges:

Large and Complex Data

Customer records are comprehensive data that include information relating to customer due diligence, transactions, ongoing monitoring, suspicion reports and internal policies, procedures, and controls. Thus, handling the large volume and complexity of AML records becomes challenging for businesses.

Regulatory Variations

Global businesses have to adhere to multiple laws and regulations. Such variations in regulatory requirements pose a constant challenge as every jurisdiction requires different record-keeping obligations, making adherence to regulatory frameworks challenging for the entities.

Privacy and Consent

KYC information is personal in nature. Before keeping records, regulated entities must obtain consent from the person to whom such information belongs. However, customers are hesitant to provide information due to privacy concerns. Further, remote onboarding procedures require liveness checks, IP address logging, etc. If customers are not willing to part with such information, it becomes difficult to onboard them.

Data Security

Keeping a large amount of data requires effective security measures. Businesses face challenges in ensuring the security of sensitive data. Additionally, information pertaining to customers and their transactions is very sensitive and is targeted by criminals for facilitating their illicit activities. This obligates regulated entities to deploy enhanced data security measures.

Incomplete and Inaccurate Data

There is an abundance of information collected by the regulated entity from various sources while undertaking AML measures. However, not all information is relevant, complete, or accurate. It becomes a challenge to segregate qualitative and accurate data from the amount of information available.

Best practices for effective record-keeping of customer information

It is essential for regulated entities to implement effective record-keeping measures to maintain accurate documentation concerning customers and third parties.
Here are some best practices that regulated entities can establish for record-keeping of customer information:

Implement Document Management Software

Document management tools provide a harmonious and logical filing system that is easy to understand and use. Regulated entities can implement such tools to standardise AML record-keeping processes for maintaining customer information and transactions across their operations.

Use Cloud-based Storage

Regulated entities collect a large volume of customer data for which they can use cloud-based storage. The transition to cloud-based storage solutions can help them store records while providing scalability and accessibility.

Implement Security and Privacy Guidelines

Customers have privacy concerns about data usage and retention, which makes it difficult for regulated entities to obtain consent from them. Thus, to maintain their trust, they should establish clear data usage and retention policies which comply with relevant privacy regulations.

Deploy Data Security Tools

Keeping a large amount of data requires effective security measures. For this purpose, regulated entities should implement encryption technology, firewalls, etc., to limit unauthorised access and tackle data breaches.

Backup and recovery

Maintaining customer information is very important for regulated entities, and any loss of data can lead to major repercussions. Thus, regulated entities must implement backup procedures for records to prevent data loss by system failure or cyber-attacks. Further, they should also develop a recovery plan to ensure that records can be quickly restored in the event of loss.

Regular Updates and Review

Regulated entities must regularly update their systems and underlying procedures to remain compliant with the ever-changing regulatory environment. Internal health-check reviews must be conducted to find discrepancies in record-keeping and take immediate remedial measures.

Final Words on Maintaining Effective Customer-related Records

For regulated entities, record-keeping of the identities of their customers and transactions is crucial to ensure compliance with regulations, manage risks, and easily access data for submitting it to the authorities as and when required.
Niyeahma is a global AML/CFT consulting firm assisting regulated entities in deploying countermeasures to curb financial crimes.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.

AML measures for non-face-to-face customers

Financial institutions and DNFBPs have moved to the next level of customer service. One such aspect that they cover is non-face-to-face customer onboarding or transactions. However, the ML/TF risks associated with such customers are high, and that is why you need well-defined and strict AML measures for non-face-to-face customers.
A customer’s physical absence during onboarding is a red flag of money laundering or other financial crimes. Also, such customers avoid meeting the officials of regulated entities. In some cases, customers are present at the time of onboarding but conduct all transactions remotely. Such non-face-to-face (NFTF) customers have a high risk of money laundering for these entities.
To negate the chances of money laundering, you need to be extra careful during identity verification. That, again, is a demanding task, since you must have more documents to verify identities and addresses.
The task of onboarding a remote customer is full of challenges, and this article provides insights on implementing appropriate AML measures for non-face-to-face (NFTF) customers.

How do non-face-to-face clients pose a threat to your business?

Technology has made rapid inroads into DNFBPs, VASPs, and FIs. Customers require on-demand, anytime, and anywhere services. They want to perform remote and digital transactions to avoid physical presence and visits. These are digital transactions conducted via mobiles or the internet.
ID verification and KYC software make all of these possible. Many regulated entities, especially banks and other financial institutions, have embraced such digital business methods.
Customers prefer digital transactions to avoid visiting the vendor’s offices.
The biggest demotivators are the hassle of visiting the office, providing hard copies for conducting transactions and standing in queues. Digitally, you can manage several transactions at your convenience with online documentary proof. So, less effort and faster service.
But, in such cases, money laundering risks for the regulated entity increase. Remote onboarding of non-face-to-face customers exposes DNFBPs and VASPs to the following risks:

Fake identities

Customers can use fake identities to open an account with your business and conduct transactions. Since you won’t be able to associate their wrongdoing with a face and identity, it becomes difficult to capture them. This anonymity of non-face-to-face customers increases the ML, TF, and PF risks for your business.

Limited visibility of customer behaviour

Physical interaction with customers enables an understanding of their behaviour. In the absence of such face-to-face meetings, you have no idea of their conduct and actions. So, it becomes difficult to identify suspicious behaviour, activity, or transaction.

Transaction speed

Digital transactions are faster than normal in-person transactions. So, money launderers prefer to engage in non-face-to-face transactions so that criminal activity occurs faster before anyone detects suspicious behaviour.

Hidden ownership structures

In the case of non-face-to-face customers, understanding the ownership structure is challenging. They might be using this anonymity feature to hide their beneficial ownership. There might be possibilities of the presence of shell companies to conduct transactions. This is a widespread way by which non-face-to-face clients launder money.
With in-person onboarding, the compliance team gets a chance to ask questions and counter-question the customer. Remote onboarding works in a pre-defined way and offers little flexibility. Further, the human element is missing, so judgement is on technology to identify suspicious customers and their activities.

Cross-border transactions

Engaging in cross-border transactions is the most effective way for non-face-to-face financial criminals to conduct crimes. Identifying the origin and destination of funds in transactions conducted across different jurisdictions is challenging. Also, it becomes easier for anonymous customers to hide these details or produce false documents. This is how money laundering occurs predominantly in such cases.

Third-party risks

DNFBPs and VASPs who rely on third parties to conduct KYC and CDD expose themselves to ML/TF risks if the third parties do not adopt adequate procedures for customer identification and verification. The criminals may exploit the vulnerabilities existing in third-party KYC and onboarding procedures and misuse the system.

Data security and privacy

Online onboarding exposes the firm to data security and privacy breaches. The genuine customers’ accounts may be taken over by criminals to perform their illegal activities, and this exposes the DNFBPs and VASPs to various types of ML/TF risks.
You must devise and apply effective AML measures to reduce the risks of such occurrences and fight the money laundering threats.

Common ML/TF Typologies employed through NFTF Channels

Smurfing and structuring are the most common ML/TF typologies employed by criminals onboarded through NFTF channels.

Structuring

Criminals resorting to structuring split large transactions into several small transactions to avoid detection. Normally, regulators across the globe have specified thresholds for reporting cash transactions. The criminals plan their transactions carefully to avoid crossing the thresholds.

Smurfing

Smurfing is similar to structuring. Here, the criminals split transactions into small amounts and use multiple parties to deposit funds into the banking system.

Effective AML measures for non-face-to-face customers

Following are some of the effective AML measures that you can carry out to manage your ML/TF risks arising out of the digital onboarding of customers:

Develop a risk-based approach to respond to risks related to non-face-to-face clients

Understand that the risks from non-face-to-face clients are high. So, you must be better prepared for such customers. Your AML measures for non-face-to-face customers must be well-planned and defined. Give it due importance in your scheme of things so that you can prevent and avoid the risk.
Take a risk-based approach to such customers depending on the following factors:
  • Industry of your operations
  • Location of customers
  • Money laundering threats from customers
If customers’ risks are high, enhanced due diligence measures should also be implemented. If the risk is low, you can continue with the existing KYC and simple due diligence.

Create customised identification and verification procedures

Since the risk is high, you can have custom identity checks to protect your business. Define the minimum criteria for accepting non-face-to-face customers. This depends on the nature of your business operations. If your sector is more susceptible to money laundering threats, it’s better to avoid such remote online customers. You can define new verification procedures like submission of more documents, manual visits to the client’s office, or any other relevant action.

Conduct in-depth KYC to understand the risks of non-face-to-face customers

The first thing regulated entities match is the customer’s face against the identity document. You make a decision based on a match or no match. However, in the case of non-face-to-face clients, the customer’s face is not available to match. This is a big challenge for you.
You can face such situations when onboarding a new remote customer or while conducting a transaction. So, you must have a stringent KYC policy to know your customers better. The KYC and CDD measures are the same, plus some additional aspects. Since the risk is higher, you must ensure the following:
  • Check for certification and attestation of documents. Such certification must be from specific authorised individuals or organisations. Such attestation can facilitate higher credibility in the authenticity of documents.
  • You must also ask for additional proof to know the non-face-to-face clients better. These documents must be from reliable sources that can verify these customers’ identities.
  • Have a known third party to guarantee the authenticity of such customers. Check if your existing customers, suppliers, or associates have complete knowledge of these customers. Also, ensure that you have complete KYC and due diligence of these third parties.

Consider the non-face-to-face clients’ geographical location

One aspect that you can consider critically is the geographical location of your customers. Be very careful about who you onboard as a customer. Have second thoughts if the customer is from any of the following jurisdictions:
  • Economically sanctioned
  • Weak AML controls or financial systems
  • Politically unstable
  • High levels of corruption, drug trafficking, human trafficking, terrorism, or smuggling
If your non-face-to-face customer is from any of the above jurisdictions, the smarter decision would be not to onboard them. By onboarding them, you’ll increase your risk exposure. You’ll need to put more effort into KYC and CDD before transactions.

Apply enhanced due diligence measures for non-face-to-face clients

You don’t have the customer in front of you for conducting the transaction. It means identity verification is a challenge. Since the risk is high, you can’t let it go. So, you must apply enhanced due diligence measures to prevent the risks of financial crimes:
  • Exercise caution before engaging in transactions with these non-face-to-face clients. The first payment must be from a known bank account in the customer’s name. Even for the succeeding transactions, check the details thoroughly.
  • Use safe and secure electronic identification technologies to verify the identities of your non-face-to-face customers.
  • You can also check the national registers of trade, businesses, associations, and patents. Even the population and credit data registers can help you confirm the identities of your non-face-to-face customers.
A combination of these identification and verification techniques can ensure the authenticity of your customers’ documents and identities. But do check the dates of the latest updates to these registers for timely information.

Hire third parties for identity verifications of cross-border customers

Dealing with non-face-to-face clients becomes challenging when they reside in other countries. The identity documents are different from the local UAE documents. However, you must get all possible identity and address evidence from your customers. Now, match the details provided by the customers with these documents.
One solution in these cases is to hire third parties for such certifications to prove the authenticity of documents and identities. However, you must be careful before engaging with a third-party provider. Ensure that the provider is registered and licensed in the jurisdiction of its operations. Check the quality of its KYC and due diligence technology systems and procedures. Also, management understanding and technical acumen are required to ensure quality services.

Employ video conferencing AML measures for identifying and verifying non-face-to-face customers

You can conduct a video-based process to verify the identities of your customers. This will be a secure, live, and informed audio-visual interaction between the regulated entity and the customer. You must obtain the customer’s consent before conducting such a meeting.
Manage the KYC verification process through this video conferencing method. Have a live video call with the regulated entity’s KYC expert. You will interview them with identity questions and detect their liveness. Check their identity documents live by asking the customer to hold them in the video. Match the face with the photo to verify the identity in real time. Also, click live photos for facial recognition.
However, you also need to ensure a secure way of conducting this video interview. It must be end-to-end encrypted. The video must be clear enough to verify the identity of the customer. The live GPS coordinates and date-time of the customer interview must be available in the video recording.

Use advanced technologies to confirm non-face-to-face customer identity

Technologies like artificial intelligence, machine learning, and blockchain have improved many sectors. You can use the same technologies in AML measures for non-face-to-face customers. One way to do this is to use them for customer data storage and comparison with other documents.
You can use AI in facial recognition to verify customers’ identities based on the proof they submit. AI even helps confirm the authenticity of identity proof submitted by customers. AI makes it possible to check the passport chip of biometric passports and the authenticity of holograms. You can use blockchain technology for secure and confidential data storage. You can also implement AML software, which supports liveness checks. It will help you reduce deepfakes and strengthen your defenses against ML/TF.

Monitor transactions for unusual trends or patterns

Transaction monitoring is an effective AML measure for non-face-to-face customers. You should be careful about any unusual or out-of-pattern behaviour of customer transactions. So, when supervising their transactions, look out for the following:
  • Unusual patterns that do not match customers’ profiles or regular transactions
  • If more than one user is using the same account
  • If the user opens more than one account
  • If the customer information and IP address don’t match
  • If the customer uses different payment methods for different transactions
When you see such patterns or unusual behaviour, investigate further. You must report the issue to higher authorities and classify the transaction as suspicious.

Ongoing monitoring is a critical AML measure for non-face-to-face clients

Face-to-face customers visit you for transactions. So you can still verify their identities. It is also possible to monitor their activity and behaviour. However, in the case of non-face-to-face customers, ongoing monitoring is essential. You cannot skip it at all.
So, keep monitoring the customers’ risks. Keep an eye on their transactions to spot anything out of the usual. Maintain records of their transactions for a specific period for analysis whenever you wish. Keep repeating this exercise to prevent any potential money laundering risks.
If you have any suspicions about the customer’s activity, report it to the FIU using SAR/STR. In cases where the risks posed by customers are beyond your risk appetite, you can exit the business relationship. Carefully draft your customer acceptance and exit policies to effectively counter ML/TF.
These 10 AML measures for non-face-to-face customers can help you reduce the money laundering risks. You can confirm their identities and decide whether to proceed with the business relationship or transaction. If you still find the customer suspicious, do not engage in a transaction. Start a business relationship if any of these verification methods prove their authenticity.
If you need help dealing with such non-face-to-face customers, hire an expert AML consultant like Niyeahma.

Niyeahma – your partner for professional AML consulting services

Niyeahma is an expert in AML Consulting services. We have guided clients throughout the journey of becoming compliant with AML laws in the UAE. You will always find us with customised and appropriate solutions to your AML concerns. Our offerings include:
  • Customized AML policies, procedures, and internal controls
  • Risk assessments and analysis of your business
  • KYC and different levels of due diligence of your customers to build their risk profiles
  • Monitoring transactions and customers to detect suspicious ones and take respective actions
  • Personalized training solutions for your AML needs and industry requirements
  • Regular health checks and audits of your AML compliance
Likewise, we also help you deal with non-face-to-face customers with appropriate AML measures. We take all possible steps to prevent money laundering and terrorism financing threats from such customers. So, don’t worry about remote, digital customers; we have the right AML measures for you.

AML compliance vs AML risk management: Closely aligned despite striking differences

Understanding AML compliance vs AML risk management is essential. In the realm of AML, businesses use the terms compliance and risk management interchangeably. Both are crucial for any business entity. So, you must understand the differences between risk management and compliance in AML.
Anti-money laundering compliance is an ‘in-trend’ term for businesses nowadays. Another similar term that has been in use for quite a long time is risk management, specifically in the case of financial institutions. While the former talks about adherence to rules, the latter entails managing threats to a business.
In this blog, we will explore the distinctions between the two. First, we will understand what AML compliance and AML risk management mean. Then, we will discover the similarities and differences between AML risk management and compliance.

Compliance and risk management: Term differences

What is compliance?

Compliance means adhering to regulations, laws, and rules. It means you are ethical in your business practices. You do what the government and the law expect you to without deviating from the business morals. Thus, it is a reactive exercise to show your country and regulator that you follow the rules.
Suppose you are a business in the UAE. You must follow the local rules and regulations related to your operations, license, environment, labour, and many other aspects. The process of following these rules and how well you are able to do it means compliance.
By complying with laws, the regulator or relevant authority will not impose penalties or fines on you. Also, you will not face any legal cases for non-compliance. Thus, by complying, you save yourself from financial losses, legal ramifications, and reputational damages.

What is risk management?

Risk management means managing the risks to your business. How do you manage them? You identify these risks, categorise them, measure their probability and impact, and develop strategies to mitigate, control, or manage them.
You can try to avoid risks in the first place. Or, you can try to reduce their impact on your business activities. Whatever you do, you can plan it before the risks affect you. Thus, it is a proactive action from your side based on your expectations of potential risks.
When there is a change in the business environment, potential risks change. So, you must keep changing your risk management strategies. Thus, risk management requires you to be more strategic in your thinking while planning for it.
Thus, compliance and risk management differ in many aspects. But, when you consider these terms related to money laundering, some more differences crop up. Let’s explore these differences between AML risk management and compliance.

AML compliance vs AML risk management: Definitions

AML compliance

AML compliance means adhering to the regulations to protect your business from money laundering. It involves creating a framework that includes policies, procedures, practices, and internal controls to guide the fight against money laundering. Moreover, this framework or strategy is unique to each business’s needs and activities.
AML compliance requires businesses to comply with the local AML regulations. As per the UAE AML/CFT laws, you need to:
  • Create an AML compliance department and appoint an AML compliance officer
  • Assess the money laundering risks to your business from several factors so that you can fight them
  • Create a risk-based AML compliance program that enables adherence to each requirement of the law
  • Monitor transactions to identify suspicious ones
  • Conduct KYC, screening, and due diligence of customers to identify threats
  • Conduct training of your employees on AML-specific aspects
  • Implement technology solutions or manual systems to facilitate compliance
  • Create reports on suspicious transactions and customers and report them to authorities

AML risk management

If you check the aspects of AML compliance, risk management is an integral part of it. It requires you to identify the money laundering risks from your:
  • Customers
  • Transactions
  • Geographies
  • Delivery methods
  • Products and services
After risk identification, it entails analysis, rating, and categorising. Based on the levels of risks identified, you can take a risk-based approach for your AML compliance. It allows you to determine:
  • Stern AML measures for high-risk customers
  • Less strict AML actions for moderate-risk customers
  • Relaxed AML strategies for low-risk customers
These measures include:
  • KYC of customers, which is typical for every risk type
  • Customer due diligence, which is standard for every customer
  • Enhanced due diligence for high-risk customers
  • Monitoring of transactions of high-risk and medium-risk customers
  • Ending the relationship or cancelling the transaction, which is possible only in the case of high-risk customers

Differences between AML risk management and AML compliance

The distinction between AML compliance and AML risk management is crucial but challenging to understand. However, you must remember that to comply with AML regulations, you need to follow the rules. Risk management is a strategy to ensure that you adhere to these rules.

Superset vs subset

A crucial aspect of the AML compliance vs AML risk management comparison is identifying which concept includes the other.
AML compliance is the set of activities you must undertake to adhere to the UAE regulations. AML risk management is a broader term that includes strategies, policies, and procedures an organisation implements to identify, assess, and counter ML/TF risks. Thus, AML compliance is a subset of AML risk management.
Compliance has always been a part of risk management. Further, there is something called compliance risk management, wherein the risks associated with non-compliance are identified, assessed, and managed.

Reactive vs proactive

AML compliance is a reactive exercise. As a business entity in the UAE, you must follow the UAE’s AML regulations. To avoid penalties, you must adhere to each requirement. Thus, you react to a mandate by the government.
In contrast, AML risk management is a proactive exercise. You must protect your business from money laundering risks, so you take action to prevent or mitigate them. Thus, you act before these risks affect you.

Legal vs strategic aspect

Another factor that differentiates AML compliance from AML risk management is the business aspect covered.
AML compliance is a legal requirement in the UAE. Since you are one of the financial institutions, DNFBPs, or VASPs, you must follow the UAE’s AML regulations. So, the goal is the same for all of you, although your compliance journey might differ.
When you follow these rules accurately and on time, you are AML-compliant. These requirements include submitting:
  • Suspicious Transaction Report and Suspicious Activity Report
  • Funds Freeze Report and Partial Name Match Report
  • DPMSR and REAR reports
  • HRC and HRCA reports
  • PNMR and FFR reports
  • Surveys and Questionnaires
On the other hand, AML risk management is a strategy to enable AML compliance. You must identify, categorise, rate, and assess risks in order to manage and mitigate them. During this process, you generate KYC, CDD, PNMR, FFR, DPMSR, REAR, STR, and SAR records.
Your risk management differs from that of other organisations because the risks differ. Even in the same industry, the impact of these risks differs because your operations and business models vary. So, you need to create a unique strategy for AML risk management to help you with legal and regulatory compliance in AML.

Current vs futuristic

AML compliance is more of a current process. It defines your legal obligations for this year: the specific AML requirements you have to follow, so you know what you have to do. You are legally obligated to follow these rules, and following them makes you compliant for this year.
On the other hand, AML risk management ensures you are safe from money laundering risks now and in the future. You have to predict the risks your business will face from money launderers. You need to consider the emerging threats of predicate offences as well. Thus, it makes you more of a planner for the current and future risks.

Tangible vs intangible

The tangibility of the process is a crucial point in AML compliance vs AML risk management.
AML compliance is a tangible process. You have to follow specific rules to comply with industry standards. If you follow these particular requirements of the AML regulator, you become AML-compliant. If you do not follow them, you will have to face penalties. Thus, you will suffer financial losses, reputational damage, and legal proceedings.
In the case of AML risk management, there are no concrete rules. You have to analyse the business environment in which your firm operates. You need to predict and evaluate the possible ways criminals can launder money through your business processes. Thus, it is unique to every firm. If you cannot control or mitigate these risks, your business suffers. The money laundering risks will affect your business, causing losses in terms of customers, credibility, and money.
However, the FATF has recommended that regulated entities follow a risk-based approach, and similarly, the UAE Federal Decree Law No. (20) of 2018 and related cabinet decisions require reporting entities to do the same. By virtue of this, AML risk management is embedded in the AML compliance requirements.

Tickmark exercise vs continuous process

AML compliance is more of a checklist-based process. The AML compliance department ensures the business adheres to each requirement and tickmarks it. If you miss any of these, you have to pay a penalty. Once you adhere to the requirements, your work ends.
In contrast, AML risk management is not a tickmark exercise. It’s not like you have submitted a report, so you are done with it. It is a continuous process. You need to keep identifying the money laundering risks your business faces. Analyse them. Find ways to mitigate, prevent, or manage them. So, you must continue the AML risk management exercise to reap complete benefits.
Besides these differences between AML risk management and compliance, there are also some similarities. These include:
  • Risk management tactics and compliance strategies keep changing. As and when the regulations change, you need to make changes in your AML compliance program. Moreover, the money laundering risks, macroeconomic climate, and industry trends keep changing, leading to amendments in your AML risk management policies.
  • Both AML compliance and risk management become better with the help of technology. Innovative solutions and technologies make these procedures smoother. The technologies use data analytics, artificial intelligence, and other advanced concepts to ensure your process is faster, smoother, and more accurate.
  • Both AML compliance and risk management need decision-making at the top level. Since identifying and managing money laundering risks is critical, the top management must set the tone. Only when you ensure an AML compliance and risk management culture at the top can you maintain it across the firm.
  • One significant challenge in both these procedures is maintaining a good customer experience. Customers demand a seamless user experience. If you are unable to do that, you might lose customers. So, while managing AML compliance and risk management, you must ensure the processes are not time-consuming or intrusive for them. On the other hand, collecting all information is also essential for successful procedures.
Setting the similarities and differences aside, your primary focus must be to protect your business from money laundering threats. To do this, you need to create a robust AML compliance program. This program will include a well-defined AML risk management strategy. In combination, they will help you meet the UAE’s AML regulations and prevent risks.
Exploring these differences and similarities enables you to fit both into your strategy. You can determine the efforts, resources, timelines, and overall alignment with business operations. This is how you can prevent potential threats and create value for your business. Partnering with an expert AML consultant like Niyeahma will help you achieve this objective.

How can Niyeahma help you?

Niyeahma has revolutionised the AML compliance landscape in the UAE. We help clients strategise risk management and compliance in AML. Be it just one part of AML compliance or the entire journey, you can rely on us for quality services.
Your business can enjoy our expertise in:
  • Monitoring transactions and identifying suspicious ones
  • Conducting KYC and due diligence of customers
  • Identifying money laundering risks to your business and assessing them
  • Developing a risk-based AML compliance framework personalised to your entity
  • Imparting AML training to your employees
  • Preparing and submitting STR, SAR, and other industry-specific reports to authorities
By partnering with us, you get a streamlined AML compliance process for the fight against money laundering risks.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.

He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding business-specific AML risks to implementing a robust AML compliance framework.