Best practices for identifying and implementing the right AML controls

The challenges of money laundering are rising day by day. These and other financial crime threats are affecting many aspects of your business. So, dealing with them and finding the right corrective actions is vital for your business. You must have the right approach to strengthen your AML compliance in Singapore.
The first step of a robust AML framework is identifying and assessing your business risks. After this, you must identify and execute control measures to prevent these risks. This is what any business entity in Singapore does.
But it’s not as straightforward and easy a process as it seems. You require a clear, detailed strategy for planning control measures. You need to follow many steps.
So, you must adopt best practices to develop appropriate measures for your business. Without this, you will be directionless. Invest time, money, and effort to identify and execute AML/CFT control measures.
The blog here focuses on the best practices you can adopt for planning these control measures.

Best practices for the identification and implementation of AML controls

For framing effective AML controls to combat money laundering and terrorism financing and stay compliant with Singapore AML regulations, you must adopt the following best practices while identifying and executing AML controls:

Stay abreast of the regulatory provisions for your business

Singapore has many regulations and laws against money laundering and other financial crimes. Like other countries, Singapore extensively focuses on reducing the risks of such crimes. To this end, it keeps updating and changing its regulations in response to industry needs and rising crimes.
To develop suitable AML controls, you must stay up-to-date with these rules. You will need to refer to them while developing AML controls. You will incorporate the rules and guidelines by authorities in your internal controls. So, it is crucial to stay updated on these changes.
Failure to do so might lead to ineffective controls, resulting in non-compliance and increased exposure to financial crime.

Conduct comprehensive risk assessment and profiling

What do you need to develop measures against money laundering risks? A clear classification of risks. And how do you do that? By conducting risk identification and assessment.
That is why conducting a detailed risk detection and analysis is crucial for your business. Without the analysis, you cannot develop measures against these risks. So, identify the risks from your customers, delivery channels, products, and geographic locations. Analyze them to understand their sources and impact better.
Also, keep updating this risk assessment per the changes in regulations. Such risk assessments must include all the types of risks to your business.
If you miss such risk assessments and profiling, you will not have the basis to develop your AML controls.

Ensure effective understanding of suspicious transactions and risk indicators

The identified controls will reduce, end, or prevent money laundering. But you need to know what kinds of suspicious transactions your business can be exploited for. Understanding the red flags is crucial for putting in place proper controls.
You can detect unusual activities by implementing advanced technology systems. In these systems, you must develop rules to generate alerts for suspicious behaviour. You can also set parameters or thresholds for alert triggers. This is possible when you understand and are on top of the sector-specific financial crime typologies and trends.

Take a risk-based approach while designing your AML control strategy

Your business faces risks from different customers. Not all customers have the same risk level and type. So, you must design solutions according to each customer’s risk.
If the customer is high-risk, you must be extra cautious while dealing with them, or not transact with them at all. If the risk is low, you can conduct transactions after confirming all details. If the risk is medium, you can conduct the basic due diligence before transacting.
You are wasting your money and time if you conduct enhanced due diligence for a low-risk customer. Similarly, a simple CDD for a high-risk customer will make you vulnerable to ML/FT risks. So, consider your risks before identifying the appropriate control measures.
Therefore, you must take a risk-based approach while strategizing these measures.

Create and maintain comprehensive records of transactions

The AML control measures are not a one-off exercise. You will have to keep implementing new initiatives as and when risks change. When new customers come on board, you might have to rethink your AML controls.
So, record keeping of suspicious transactions, risk scores, and KYC & CDD measures is essential. You can refer to these records whenever needed to develop effective AML controls. These records are also necessary during audits. You will also be required to submit some of these records to the regulatory authority.
Thus, you must have comprehensive, categorized, correct, and complete records. These records enable your compliance with AML reporting requirements.
In the absence of these records, you will fail to comply with Singapore AML laws.

Cultivate a culture of collaboration and communication between teams

The execution of any strategic initiative in an organization needs collaborative effort. Different teams must cooperate on different tasks. Be it risk management, customer handling, legal, or compliance teams, collaboration is a must.
Therefore, you must ensure collaboration and cooperation with other teams. Information sharing and smooth communication are also crucial in your AML measures.
Such communication will lead to effective measures against ML/FT risks. You can combine the intelligence of different departments to develop a cohesive approach for preventing ML/FT activities.
Besides internal communication, external collaboration is essential for an action-oriented AML plan. Such collaboration can occur with regulatory authorities, industry peers, and legal agencies. With such cooperation, you can be more aware of the types of suspicious transactions, potential customer risks, and technological innovations.
So, focus on complete, up-to-date, and dynamic AML risk assessments.

Find the proper use of secure and innovative technology in your processes

Technology is critical for achieving AML compliance. It is a way to reduce your threats of money laundering and terrorism financing. So, you must use the right technologies for the proper purposes in your AML efforts. Use technological solutions for risk assessment, KYC, CDD, transaction monitoring, and recordkeeping.
The right technology can boost the quality and effectiveness of the AML controls.

Prepare your employees for upcoming changes due to the implementation of controls

While implementing internal controls, you must also pay attention to your employees. They need proper training for the changed processes and workflows. They must also accept the changes these internal control measures bring about.
You must conduct awareness programs on money laundering and other financial crimes. Participants must understand the importance of AML to prevent, mitigate, or eliminate ML/FT threats. They must be ready to accept changes in workflows and procedures due to deployed controls. Training is crucial to help them understand ML/FT trends and corrective actions. With their specialization and knowledge, you can improve your defense against money laundering threats.
Unprepared and unaccepting employees will thwart your AML control implementation.

Update, revise, and adjust your AML controls and measures

Business conditions do not always remain the same. AML regulations also keep changing. Your business may also grow or expand into new offerings or new markets. With all these changes, it is crucial to adjust your AML controls.
You must first review your existing AML policies, procedures, and controls for adjustment. If found misaligned to the goals, you must make changes. Also, if you add new business units, you must undertake risk assessments and determine controls accordingly. New risk assessments and mitigation plans are essential if you expand to new geographies.
Also, periodic reviews are necessary to look for changes in business conditions, regulations, and industry trends. You can employ external consultants and auditors for such health checks. You can update and improve your AML controls based on their insights and analysis.
If you do not update and adjust your AML controls according to market and business requirements, you will use policies not aligned with your goals. As a result, you may not generate positive results from existing AML controls as expected.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Staying cautious while appointing an AML Principal Officer in India

AML regulations in India, whether it is the Prevention of Money Laundering Act, 2002 (PMLA) or the IFSCA (AML, CFT, and KYC) Guidelines, 2022, obligate regulated entities to create and implement a strict AML/CFT program. The program includes:
  • Enterprise-Wide Risk Assessment
  • Putting in place AML and CTF controls and procedures
  • Complying with AML regulations and identifying the risk while onboarding customers
  • Ongoing monitoring to spot the red flags
  • Timely reporting of suspicious transactions
Appointing an AML Principal Officer is necessary to manage and supervise these activities. An AML Principal Officer, also known as the compliance officer, is essential to ensure the development and enforcement of the AML framework. So, the entity must appoint an appropriate, skillful, competent, and knowledgeable person for this role.
However, regulated entities tend to make mistakes while engaging in the recruitment of AML Principal Officers. These mistakes can cause non-compliance with regulatory requirements, financial losses, reputational damage, or team demotivation. So, the entity must stay cautious and avoid these errors as much as possible.
To help entities avoid these errors, we have listed them in this article so that regulated entities take the necessary care and ensure the right person is managing the AML function.

Vital Responsibilities Of An AML Principal Officer

An AML Principal Officer ensures compliance with the country’s AML rules and regulations applicable to the business. Specifically, even the PMLA and the IFSCA AML Guidelines provide the duties of an AML Principal Officer, which include:
  • Develop comprehensive AML policies, controls, and procedures for the business
  • Periodically review the implemented measures and make required changes therein
  • Study and assess the financial crime risks to the business from different aspects
  • Monitor the transactions, activities, and customers to identify the risks from them
  • Ensure timely implementation of adequate due diligence measures to prevent suspicious clients and activities
  • Identify the suspicious transactions and promptly report the same to the FIU
  • Create awareness around AML and train the staff, empowering them to perform the necessary AML/CFT tasks
  • Identify the best technology solution to help in the entity’s risk mitigation and AML compliance
  • Update the management about the entity’s AML initiatives and the gaps identified, and seek inputs
Thus, in tandem with the authorities, senior management and internal employees, the AML Principal Officer manages all the AML compliance-related responsibilities.
With the primary responsibility for AML compliance entrusted to the Principal Officer, the entities must exercise extreme caution while conducting the recruitment process.

Top Mistakes The Entity Makes While Recruiting An AML Principal Officer

The entity must have an effective recruitment process to get candidates with adequate skills to fulfill the AML duties. But there are possible mistakes during this recruitment process, which must be avoided to save costs and effort. These mistakes are:

Failure To Create A Clear, Structured Recruitment Strategy

AML compliance requirements are here to stay. The entity must adhere to the rules all year long, every year. So, it must have a long-term AML compliance strategy that sets out the requirements and what the entity plans to do. Also, how an AML Principal Officer would contribute to achieving these goals must be clear.
Only with such clarity can the entity move ahead with recruiting the proper AML officer.
For a clear recruitment strategy, it is important to define the following:
  • Job description
  • Key responsibilities
  • Qualification required
  • Skills and competencies to have
  • Attitude and Characteristics
  • Any prior experience
Additionally, define the steps of the recruitment procedure. The vital steps are initial screening, shortlisting, assessment test, final interview, etc. It gives clear direction to the entity on how to move forward and what aspects of the candidate must be assessed at each stage. If required, the entity can create a flowchart to keep track of every step and note the result of each step.
The absence of such a strategy will lead to a complicated, chaotic process. This may result in the hiring of an ill-fitting candidate, reducing the efficiency of the AML function while increasing the risk exposure and wastage of resources. If the candidate cannot diligently perform the AML compliance responsibilities, the entity might have to repeat the process.

Lack Of Alignment With The Business’s AML Requirements

The entity needs to understand clearly what AML provisions apply to its business. The entity must also know the present status of its compliance. Awareness of the following is critical:
  • All compliance requirements that the entity needs to fulfil to avoid regulatory penalties.
  • The various potential money laundering risks the business can be exposed to.
Knowledge of these two aspects clarifies what kind of candidate is needed. The entity can accurately judge the candidate and test their knowledge in these aspects.
The absence of such alignment with the AML requirements of the business might lead to the hiring of the wrong candidate. This may lead to a loss of money and time while adversely impacting the effectiveness of the AML function. So, these mistakes must be avoided.

No Proper Marketing And Promotion Technique

An AML Principal Officer is a critical position in any regulated entity. It is not a short-term role but a long-term association with the business. The candidate must lead from the front, manage the team, and take an interest in all things related to ensuring AML compliance across the organization. So, the entity must attract suitable candidates for this job.
It is possible only if the entity focuses on the job ads. The crucial factors are how the job ads are posted, where they are posted, and what is included in them. The job descriptions must be inclusive and transparent and describe the ideal candidate profile.
The entity must not make the mistake of posting the job ad everywhere or anywhere. Proper promotion is needed for any job position. The candidate pool will be the same if the entity keeps posting at the same place. The ad might not reach suitable candidates if posted only at one or two places. So, it is recommended to use the company’s website, social media pages, and recruitment portals for job postings.
Another crucial point is to look for the right candidate, even internally. There might be employees with more skills and the right attitude to take up responsibilities of AML compliance. They already fit the company culture. Even if some grooming and AML training are essential, an internal candidate is better than an external candidate.

Absence Of Qualification, Certification, And Experience

As mentioned, the entity must be very careful in recruiting an AML Principal Officer. It is a pivotal position, and the entity cannot go wrong with it. So, the entity must carefully check and verify the qualifications, certifications, and past experiences.
The candidate must have relevant qualifications and certifications. These must be specialization courses from credible global institutions. Also, the candidates’ knowledge in these courses must be tested.
AML compliance for a company requires management by an expert individual. An individual without experience will be unable to contribute much to the role. They must understand, and have experience handling, each of the AML tasks, however big or small. The absence of such experience will lead to a chaotic situation or non-compliance. It might lead to non-compliance penalties or reputational damage later.
So, please pay full attention to the incoming candidates’ experience and knowledge.

Ignoring Background Checks

AML Principal Officers reduce the threat of financial crimes for the regulated entities. They develop and execute policies to protect the business from money laundering and terrorism financing risks. When they have this role of protectors, they cannot be a part of financial crimes.
Therefore, background checks must be an essential part of the entity’s recruitment process. Companies conduct these checks even for general jobs. AML Principal Officer is a critical responsibility, so it becomes mandatory to check a candidate’s association with any financial crime.
If the entity misses these checks and later finds the individual to be a part of a crime, questions on integrity might arise. It might also affect the business’s reputation in the market.

Not Conducting Enough Training And Development

Training and development are essential for any position in a company. Adequate training must be conducted even when selecting an AML Principal Officer.
Relevant training leads to brushing up on the existing knowledge of AML compliance. It keeps them up-to-date and eliminates any skill gaps. Such training programs help the officer know more about the industry, learn new AML technologies, and study global best practices in AML compliance.

Omission Of Judgment Based On Soft Skills

If the entity has no metric for judging the soft skills of incoming candidates, then the entity is in for significant damage. A candidate with all the qualifications and experience but no attitude and personality to lead the business’s AML compliance function is detrimental to the business’s growth and reputation. So, start paying attention to the soft skills.
These soft skills include:
  • Teamwork
  • Analytical mindset
  • Positive attitude
  • Attention to detail
  • Drive to fulfil responsibilities
  • Alignment with the business’s core values
  • Ethical and law-abiding
  • Problem-solving attitude
  • Communication skills
  • Critical thinking
  • Conflict resolution
The entity must consider these soft skills while recruiting an AML Principal Officer.

Rushing Through The Process Or Taking It Too Slow

If the entity has a swift hiring process, it might recruit an unfitting candidate. Or, if it moves too slowly, the applicants might move to another organization. So, be careful of the duration of the hiring process. It must be neither too fast nor too slow.
Pushing the recruitment process too rapidly may lead to missing applications from some deserving candidates. By the time they apply, the entity might have already recruited a less deserving candidate. This can affect the efficacy of the AML compliance efforts.
Conversely, if the entity is sluggish in the hiring process, the shortlisted candidates might move to another organization by the time they are called for the next round or offered the position. So, the entity must improve the speed of the candidate selection and analysis process.

Overlooking Underqualified Or Overqualified Candidates

A common problem in the hiring process is neglecting over-skilled or under-skilled candidates. Suppose the entity finds some resumes and feels like “they are too qualified to take up this job”. Or some applicants do not have the qualifications per the job description.
It is recommended that such resumes for the AML compliance profile not be ignored. Since the candidate has applied despite knowing their overqualification or underqualification, the entity must judge them based on interviews. The entity may get to know their skills, personality, aptitude, and attitude while talking to them. The overqualified candidate might want to get back to the basic tasks of this job. Or the underqualified candidate might be a talented and fast learner.
In both cases, it would be a win-win situation for the entity. So, before discarding the resumes, interact with the candidates.
These are the common mistakes recruiters make in hiring an AML Principal Officer. The regulated entities must consider these points while recruiting an AML Principal Officer.

How Can We Help The Regulated With AML Compliance?

We at AML India help regulated entities with AML compliance; it is a requirement under the PMLA 2002 and IFSCA AML guidelines. Our services include policy documentation, enterprise-wide risk assessment, training the staff and the AML Principal Officer and AML health check.
We also help you set up an AML compliance department and hire a fitting AML Principal Officer. Our consultants analyze your business’s AML requirements before providing services. Such an assessment gives us a better idea of your company’s AML obligations. We help you conduct the hiring process, promote it, and select the right candidate.

What is NFT money laundering and how to combat it?

Technology has entered every field of work. The art field is the latest to have been impacted by technology in the form of Non-fungible Tokens (NFTs). NFTs are blockchain-based tokens depicting various art forms – painting, music, and games.
Since technological evolution brought the digitalization of art, money launderers came up with new typologies to exploit the same.
This article discusses NFT money laundering, why and how it is conducted, and what measures businesses should consider to combat it.

What are NFTs?

NFTs are tokens, which are data in the form of videos, pictures, artwork, memes, tweets, or any digital asset. These are stored on different forms of distributed ledgers, such as blockchains. These cannot be interchanged with other NFTs. Thus, they are non-interchangeable digital assets, and they can only be bought and sold using cryptocurrencies.
They have unique identifying codes and are finite in numbers. People can see NFTs for free, but to own them, they must pay the price to the actual owner. The value of an NFT is based on its perceived value, driven by its market demand.
After the purchase, there is a built-in authentication, which the new user can show as proof of ownership. Here, the new owner gets ownership of the NFT and not the physical object, while the original creator owns the intellectual rights of the work. So, NFTs are famous because people value digital bragging rights over an item instead of the actual physical item.

How are NFTs different from cryptocurrencies?

The only similarity between cryptocurrencies and NFTs is that they are built on the same programming. Both are secured in digital wallets. And you need cryptocurrencies to buy NFTs.
Any physical currency and cryptocurrency are fungible. It means that these assets can be interchanged and traded with one another. That is not the case with NFTs because they are non-fungible.
Cryptocurrencies and physical currencies are equal in value. It means one dollar is equal to one dollar. One Ethereum is equal to one Ethereum. In the case of NFTs, each has a digital signature that makes it unique; thus, one NFT cannot be exchanged with another NFT. At any given moment, only one person can own an NFT, and the digital signature gives that ownership value.

Why are NFTs attractive to money launderers?

As mentioned, the perceived value of the art and its market demand decide the value of an NFT. The perceived value factor makes dealing with NFTs a bit subjective and hence, away from the scrutiny of regulators.
The transfer of ownership of an NFT happens in an instant. Buying and selling NFTs is easy and smooth and requires no additional financial cost except the token’s value. Also, there are no geographical restrictions on these transactions; NFTs created in one country can be traded in another country without any limitation.
Moreover, NFT is an entirely new concept and a new market. Many different NFT platforms exist with different structures, operations, standards, ownership models, and due diligence rules. Therefore, it becomes challenging for regulators to create standard regulations for the NFT space applicable to various countries across the globe.
Smart contracts in the NFT market are one of the critical reasons money launderers are attracted to it. In smart contracts, the user generates revenue each time a transaction occurs on the blockchain. So, launderers rapidly conduct transactions to generate revenues. This becomes a significant motivation to execute smart contracts, and in the process, the identity verification of buyers is forgotten. Launderers exploit this loophole to their benefit.

How does NFT money laundering occur?

Wash trading

Generally, criminals use their illicit money (converted into cryptocurrency) to buy an NFT. They use illegal money, but the purchase is a legal one. Later, they can sell the NFT and earn legal cryptocurrencies. This process is called wash trading.
The central concept in wash trading is to increase the value of the transaction. Thus, in this transaction, criminals benefit in two ways: they avoid taxes and convert unlawful funds to legitimate digital assets or currencies. Only a record of this purchase and sale transaction is present on the blockchain, and nothing about the funds obtained to buy this NFT.

Standard money laundering

Another way is to do multiple buying and selling transactions between their accounts or someone known to them to create layers of fake transactions. With each transaction, illegitimate money gets transformed into legitimate money.
Now, since the determination of the fair market value of an NFT depends only on how the appraiser values it, you never get to know the actual price of the NFT. Launderers create multiple accounts and transfer assets from one account to another for any price. These transactions layer the illegal money with legitimacy and cleanse huge funds.

How to combat NFT money laundering?

Whenever there is a new technological innovation, money launderers exploit it. And NFT is the latest technology to become their victim.
Individuals and businesses dealing in NFTs or facilitating NFT exchanges must find ways to regulate NFT activities – to verify the buyer and seller’s identity and the transaction’s authenticity. They can improve their AML and KYC checks or implement some monitoring software to track all movements. They must trace NFT transactions between wallets and conduct the KYC of wallet holders.
They must know how launderers engage in NFT money laundering and related red flags to identify suspicious transactions. Countries can implement relevant regulatory laws and actions to control this NFT market. It requires efforts globally because NFT transactions can occur globally without border restrictions.
Money launderers exploited the NFT world as countries and international regulators introduced AML rules in the traditional buying and selling activities of art. Criminals keep coming up with newer ways and means, so businesses must take the help of AML consultants to identify the risks to NFTs.
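One way to implement the wallet-to-wallet tracing recommended above for the layering pattern described under "Standard money laundering" (a token passed between a person's own accounts or known parties at arbitrary prices), using configurable alert thresholds. This is an added example, not code from the original article; the wallet labels, prices, funding links and the `max_days`, `min_markup` and `min_score` parameters are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sale:
    token: str    # NFT identifier
    seller: str   # wallet label (constructed placeholder, not a real address)
    buyer: str
    price: float  # sale price in one reference currency
    day: int      # day number within the observation period


# Constructed sample data for illustration only.
SALES = [
    Sale("nft-1", "w_artist", "w_a", 1.0, 1),
    Sale("nft-1", "w_a", "w_b", 5.0, 2),
    Sale("nft-1", "w_b", "w_c", 20.0, 3),
    Sale("nft-1", "w_c", "w_a", 60.0, 4),   # token is back with w_a
    Sale("nft-2", "w_artist", "w_x", 2.0, 1),
    Sale("nft-2", "w_x", "w_y", 2.4, 10),
    Sale("nft-2", "w_y", "w_x", 2.5, 20),   # returns, but the parties are unrelated
]
# wallet -> wallet that first funded it, as established by KYC or tracing (assumed input)
FUNDED_BY = {"w_a": "w_src", "w_b": "w_src", "w_c": "w_b",
             "w_x": "w_exchange", "w_y": "w_exchange"}


def cluster_wallets(funded_by, shared_funders=frozenset()):
    """Union-find over funding links; returns a function wallet -> cluster id.

    Funders in shared_funders (e.g. an exchange's custodial wallet) are skipped,
    otherwise every customer of that exchange would look related.
    """
    parent = {}

    def find(wallet):
        parent.setdefault(wallet, wallet)
        while parent[wallet] != wallet:
            parent[wallet] = parent[parent[wallet]]  # path halving
            wallet = parent[wallet]
        return wallet

    for wallet, funder in funded_by.items():
        if funder not in shared_funders:
            parent[find(wallet)] = find(funder)
    return find


def find_round_trips(sales, funded_by, shared_funders=frozenset(),
                     max_days=30, min_markup=2.0, min_score=2):
    """Flag tokens that return to a previous holder and meet >= min_score indicators."""
    find = cluster_wallets(funded_by, shared_funders)
    by_token = defaultdict(list)
    for sale in sorted(sales, key=lambda s: (s.token, s.day)):
        by_token[sale.token].append(sale)

    alerts = []
    for token, chain in by_token.items():
        # wallet -> index of the sale through which it acquired the token
        acquired_at = {chain[0].seller: -1}
        for i, sale in enumerate(chain):
            if sale.buyer in acquired_at:
                # Sales from the moment the wallet gave the token up until it came back.
                loop = chain[acquired_at[sale.buyer] + 1:i + 1]
                wallets = {s.seller for s in loop} | {s.buyer for s in loop}
                days = loop[-1].day - loop[0].day
                first = loop[0].price
                markup = loop[-1].price / first if first else float("inf")
                linked = len({find(w) for w in wallets}) == 1
                # Three indicators: fast loop, commonly funded wallets, price run-up.
                score = (days <= max_days) + linked + (markup >= min_markup)
                if score >= min_score:
                    alerts.append({"token": token, "wallets": sorted(wallets),
                                   "days": days, "markup": round(markup, 2),
                                   "linked": linked, "score": score})
            acquired_at[sale.buyer] = i
    return alerts


if __name__ == "__main__":
    for alert in find_round_trips(SALES, FUNDED_BY, shared_funders={"w_exchange"}):
        print(alert)
```

Leaving `shared_funders` empty makes the two unrelated exchange customers in the sample look like one party and raises a false alert on `nft-2`, which is why funding links need KYC context before they are used for clustering.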

Strengthening the KYC process by averting these 12 common mistakes

With the rise in financial crimes, Know Your Customer (KYC) has become a critical part of the anti-money laundering (AML) strategy for regulated entities, including financial institutions, Designated Non-Financial Businesses and Professions and IFSCA-regulated entities.
The Prevention of Money Laundering Act, 2002 (PMLA) and IFSCA (AML, CFT, and KYC) Guidelines, 2022 require regulated entities to undertake relevant AML measures, including Customer Due Diligence to prevent money laundering. As a key component of Customer Due Diligence, KYC helps regulated entities identify suspicious customers.
KYC is about identifying the customer, the beneficial owners and the beneficiaries and verifying their identities before establishing a business relationship. In the course of KYC, the regulated entities get to know the customers’ true identities, based on which the entity can decide whether to work with them or not. Thus, with KYC, the regulated entities can shield the business from the financial criminals and the ill effects of money laundering and terrorism financing.
The KYC process is not as straightforward as it looks. KYC must be attended with full attention to avoid the common mistakes. It is a critical function to help optimize the AML compliance efforts.
So, let’s dive into the common mistakes that must be avoided to strengthen the KYC process and implement it as an invaluable foundation of AML compliance.

Top KYC Blunders To Avoid

Under the AML regulatory provisions for India, the regulated entities must implement and carry out KYC for all their customers, suppliers and associated business partners. The regulated entity must follow the key best practices to avert these common mistakes. If not, the reporting entity might be vulnerable to financial crime, making it a costly and time-consuming affair to mitigate and manage risks. These standard errors around KYC are:

Risk Arising From The Nature Of The Customer

Yes, KYC is essential for AML compliance. The entity must identify and verify its customers to determine their risk profiles. But generally, it has been observed that the entities consider it as an administrative task. KYC is perceived as a task that hinders routine business operations. A costly task. A regulatory burden to carry.
But that won’t be a wise standpoint.
The KYC process is more than a compliance requirement. With KYC, the entities can identify the customers and collate the necessary information to determine the customer’s risk profile. It can help the entity reduce risks and protect the revenues and business operations from money laundering threats.
Thus, the entities can save the brand reputation from going awry. To enjoy these benefits, viewing KYC as a strategic initiative is essential. A value-adding exercise for the business, not just restricted to compliance needs. A way to allow honest customers to use the products and services and block the dishonest and illegal ones.

Losing Sight Of The Changes In AML And KYC Regulations

In the current dynamic times, regulations evolve now and then. As and when new threats arise, regulators make changes in AML regulations. So, the provisions become tighter. These evolving laws can lead to amendments in KYC requirements.
The regulated entity must keep track of these changes. If the entity misses the changes, the KYC procedures will be incomplete and ineffective. The KYC procedures must align or adjust to local laws and industry standards. Ignoring them can lead to blunders in the KYC, leading to non-compliance, fines, and other problems like engagement with criminals.

Absence Of A Proper Plan For Conducting The KYC Process

KYC is a cumbersome process. It consumes a lot of time. It can be tiresome for teams and customers. KYC requires the collection of many data points on each customer and managing the customer onboarding process. Whatever it may require, it is essential and critical for AML compliance. So, having a proper plan for KYC is a must.
Before engaging in routine KYC tasks, the entity must make a plan with details on information points, processes, resources responsible, and timelines, i.e., a detailed KYC Program. The entity must define the workflow for KYC. It includes coordination points between compliance, business, and technical teams. The reporting entity can have a successful execution of KYC processes only when a sturdy KYC plan exists.

A Shortage Of Budget For KYC

KYC is essential for reporting entities to achieve AML compliance. The entities must continuously conduct the KYC as and when new customers are onboarded or there are changes in the existing customers’ details. Thus, constant monitoring of all existing customers is also critical.
All these activities need a proper amount of time and money investment. Investment in terms of technology, skilled human resources, and employee hours. So, the regulated entity must make a proper budget allocation for KYC. It is an expensive exercise, but it can keep the business safe from financial crime threats.

Inadequate, Outdated, Or Incomplete Data On Customers

The KYC process involves identifying and verifying customers before forming a business relationship. It is essential to avoid the threats of money laundering and terrorism financing. So, the entity must be cautious in its execution.
The KYC process is incomplete if data points are missed, or the entity forgets to collect a few details on a customer. Also, outdated data will lead to outdated results. The data gaps can mar the entity’s compliance efforts.
Data quality ensures detailed and insightful customer risk assessment. If any details are missed, the customer might prove risky even though the entity may have put them on a no-risk or low-risk list. This impacts the business operations. So, it’s better to ensure data security, integrity, accuracy, and quality. Such quality data ensures a comprehensive assessment of each customer during the complete Customer Due Diligence process.

No Use Of Technology For The KYC Process

The KYC process requires the regulated entity to collect and analyse customer data. The entity must verify the data with identity documents and other reliable, independent sources.
If this process is managed manually, errors, duplication, or missing data are possible, resulting in flaws in the KYC process. It affects the business, exposing it to higher threats of money laundering and other financial crimes.
One of the recommended solutions is to use technological systems for KYC. Such technology automates the process around customer data collection, organization, cleansing, categorization, or analysis. Thus, it saves time, costs, and effort, increasing efficiency and effectiveness in the KYC process.

Engaging Unskilled And Untrained Employees In KYC Exercise

High-tech people are committing financial crimes. They identify loopholes in processes or technologies and use them to their advantage. They find innovative ways to launder money and commit fraud. If the fraudsters are proficient and capable in their work, how can an unskilled worker be expected to identify such crimes?
So, the regulated entity must engage knowledgeable, experienced, and skilled people for AML activities. Similarly, the engagement of well-trained and qualified persons to carry out the KYC process is also necessary. They must understand different red flags that may be observed during the customer identification or verification process, including risk indicators related to customer behaviour. They must undergo training around details and documents to be verified to conclude the KYC process better.

Not Using Multiple, Credible Data Sources

The regulated entities should rely on more than one source to verify the customers’ identities. Some of the examples of credible data sources include:
  • Ministry of Corporate Affairs’ list of businesses
  • List of GST taxpayers
  • Industry associations’ list of firms
  • List of corporate taxpayers
  • List of PEPs
  • Sanction lists
  • Credit reports of companies
  • Global watchlists
Checking and verifying the customer’s identity on multiple reliable sources boosts the confidence that the entity is dealing with the right customers.

Lack Of Communication And Coordination Between Departments And Teams Handling KYC

The regulated entity may have a dedicated team to handle the KYC process, with different sub-teams working on different tasks. For example, one team collects data while the other verifies the collected information.
The entity must ensure communication among the team members and data sharing for a smooth process. The entity can also create a shared database of customers with accessibility permissions so that team members work on the same data sets. They must coordinate with each other to build the customer’s risk profile.
A small communication gap might ruin all the AML efforts, affecting the quality of the KYC process.

Asking For Too Much Or Too Little Information

Keep the KYC forms at an optimum size. The form cannot be so long that potential customers lose interest in forming a business relationship. Nor can it be so short that it fails to gather the information necessary to identify the customer and assess the customer risk. So, try to have all the necessary questions in it. Also, ask for the necessary proof and documents to verify the information provided.
If necessary information is excluded, the regulated entity cannot create a risk profile. The available information will be insufficient to know whether the client is risky or not. If too many unnecessary data points, irrelevant as AML measures, are included, clients will find it a prolonged, tedious exercise. This will demotivate the customer, resulting in business loss.
The mandatory compliance needs and the good-to-have details necessary for understanding the risk posed by the business relationship must be included in the KYC form.

Ignoring Customer Experience For KYC

We all know how tiresome and time-consuming an exercise KYC is! No one would like to fill out lengthy forms every year or visit the office to submit documents for verification. Remote verification is not possible in some cases. All these situations can make the business lose potential customers or push them to move to its competitors.
So, it becomes crucial to focus on improving customer experiences. Yes, digitalization is a solution. However, it must align with overall operations and the AML compliance requirements. The regulated entity can use customized, automated solutions to improve customer interaction with the system.

Disregarding The Importance Of Continuous Monitoring – KYC Remediation

Constant monitoring of customers is essential to track the changes in customer details and know the changes in their risk level.
KYC is not a one-time activity. Instead, the KYC process includes KYC remediation, focusing on the ongoing review of the customer’s information to identify the changes in the customer’s information and determine if the customer’s details submitted earlier are valid and whether the originally assessed risk holds good.
Ignoring KYC remediation or lapses in the continuous monitoring of the customer profile may lead to exploitation of the business by the customers originally tagged as low-risk and, thus, imposition of non-compliance penalties and reputational damage.
Thus, monitoring the customers’ details and documents is an excellent practice.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

A guide to sanction and PEP screening in customer onboarding process


Sanctions are basically the penalties imposed on institutions or organizations that fail to comply with laws and regulations. Government or global organizations usually apply a sanction decision to other individuals or states. A sanction check is taken in order to prevent transactions with persons prohibited from certain activities and transactions.
There could be various reasons behind sanctions. However, the primary reasons behind sanctions could be economic or political disputes. Economic and political conflicts between two or more countries lead to sanctions against each other.
In this article, we will discuss the importance of sanctions and PEP screening during the customer onboarding process.

What are the various types of sanctions?

There are undoubtedly many types of sanctions. The sanctions are based on different reasons. The reasons and various kinds of sanctions are significant for business enterprises.

1- Economic Sanctions

Economic sanctions are basically a foreign policy instrument between war and diplomacy. There are three main objectives of economic sanctions.
  • Undermining the target country
  • Punish the target country
  • Change the behavior of the target company.

2- Military Sanctions

Some countries do not produce their own military equipment. Hence, the most common type of military sanctions is actually the prohibition of the sale of military equipment. With the help of this advantage, stronger states warn the weak states.

3- Diplomatic Sanctions

Diplomatic sanctions are the political measures taken in order to express dissatisfaction between two or more governments. A few of the political sanctions are the cancellation of senior government visits and the withdrawal of diplomatic persons from the target country.

Sanctions on Individuals

Sanctions on individuals are sanctions imposed on economic persons, political leaders, or any illegal identities. Organizations sanction terrorists or governments; money launderers and drug traffickers are the people who are more likely to perform any sort of illicit activities, resulting in blockage of bank accounts.
Many local and global regulators effectively control financial institutions. The sole purpose of these sanction checks is to combat financial crimes. Regulators need these financial institutions to know their customers. Therefore, regulators regularly publish new customer guidelines.

Sanction and politically exposed person (PEP) screening in customer onboarding process

For financial institutions (FIs), and Designated Non-Financial Businesses and Professions, the customer onboarding process is quite tedious and challenging. As per the know your customer (KYC) requirements, enterprises have to make some checks in the process of onboarding the customers.
The purpose behind PEP screening is to identify the ability of the customers to pose any threat or risks. The accuracy of the information of the customer is verified at the first stage. Once the customer identification information is confirmed, the level of risk of that particular customer is also identified.
Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures enable the FIs and DNFBPs to identify the overall risk level involved.
During the course of this process, the customer is scanned against the list maintained by the UAE local Government and the UNSC list. It is also checked if the customer is a politically exposed person (PEP).
If the customer and his account come out clean, then the account of that particular customer or client will be opened, and business transactions can be made. However, the business enterprises will still have to carry out PEP KYC, sanctions, and PEP screening at regular intervals.

Why is the sanction check and PEP check required for business companies?

Bribery, financing of terrorists, money laundering, and corruption are financial crimes that are considered highly hazardous all over the world. The majority of these financial crimes occur because of the loopholes in the law and economic systems.
Regulators try to prevent all of these financial crimes by thoroughly regulating the companies in the financial sector. Many anti-money laundering regulations have been published to serve this purpose individually.
In order to comply with these anti-money laundering regulations, financial institutions and DNFBPs should get involved in some sort of control process. Therefore, a sanction search and PEP screening are essential processes for financial institutions and DNFBPs to ensure AML compliance.

Sanction and PEP screening in the process of transaction screening

Quite a lot of transactions take place throughout the day in your financial systems. Therefore, as per the anti-money laundering regulations, financial institutions should control the financial operations of their clients. If the financial transactions are not handled, severe financial crimes like money laundering and terrorist financing come into play.
However, manually controlling all your financial transactions can be a cumbersome and time-consuming process. Hence, you can use automated tools to carry out sanctions and PEP screening.

Politically exposed person screening in the process of background check

The most essential thing for companies or business enterprises is their reputation. If any business enterprise loses its reputation, it directly loses its customers or clients.
Enterprises make internal controls regularly in order to avoid all of these risks. Pre-employment background checks, employment background checks, and company background checks are taken by the companies in order to protect the reputation of the company.
PEP screening is performed on the employees against the politically exposed person list in order to check for the possibility of any sort of risk for the company.
Watchlist and PEP screening helps regulated entities implement necessary controls while onboarding high-risk customers.

How do business enterprises comply with anti-money laundering regulations?

Financial institutions (FIs) and DNFBPs have to apply sanction checks on their clients in order to comply with anti-money laundering regulations.
Financial institutions need sanction screening in order to protect the reputation of the company and not to violate any sanctions-related decisions. With the ever-evolving technology, manual sanction checks and PEP screening have lost all the points and have become merely a way of wasting time.
There are a great many sanctions listed across the world, and enterprises cannot practically and logically check them all manually.
Hence, the need and importance of anti-money laundering screening software come into the picture. This type of software automates the complete compliance process of the enterprises.
In addition to that, financial institutions and DNFBPs can quickly check their clients with the help of automated compliance software. This type of software scans the sanctioned lists and instantly intimates any kind of suspicious activity.

PEP Screening Software: Enhancing Due Diligence and Regulatory Compliance

To comply with the UAE AML Regulations, it’s essential that regulated entities carry out screening before onboarding a customer.
In order to identify individuals holding prominent public positions or persons associated with such individuals, the implementation of Politically Exposed Persons Screening Software is a must. PEP Screening Software helps regulated entities to identify and mitigate risks associated with PEPs.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

AML Measures when Dealing with High-Risk Customers under IFSCA AML Guidelines


The regulated entities operating in the International Financial Service Centre (IFSC) are required to identify and assess the money laundering and terrorism financing risk and apply adequate risk mitigation measures in accordance with IFSCA (AML, CFT, and KYC) Guidelines, 2022 (IFSCA AML Guidelines). The IFSCA AML Guidelines mandate the regulated entities to perform Enhanced Customer Due Diligence when the identified ML/FT exposure is high.
In this article, we shall discuss Enhanced Due Diligence (EDD), the risk factors that may suggest increased risk and warrant enhanced measures, and the EDD measures to be applied when engaging with high-risk customers.

What Is Enhanced Due Diligence?

The IFSCA AML Guidelines require regulated entities to implement robust AML policies and procedures, focusing on the timely identification of ML/FT risks and conducting necessary checks and verifications to manage these risks.
One of the key AML provisions prescribed under IFSCA AML Guidelines is conducting the Customer Due Diligence (CDD) process to identify the customer, verify their identities and assess the risk exposure from the particular business relationship.
An integral part of the CDD is enhanced customer due diligence, applied when the customers are identified as posing increased risks. This concept is in line with the foundation of the AML program – the risk-based approach, requiring the regulated entities to apply increased controls when the higher risk is assessed, and for lower-risk customers or transactions, standard risk mitigation measures can be enough.
Enhanced Due Diligence is an advanced version of normal Customer Due Diligence, with additional inquiries around the customer information and stringent verification of the customer’s profile. This may include a thorough understanding of the customer’s business activities, the purpose of the business relationship, the customer’s financial position, etc.
To apply these additional checks and controls, the regulated entity may seek additional details and information from the customer or rely on reliable and independent third-party data sources, social media, etc.

Identifying The High-Risk Customers

It is essential for the regulated entities to identify high-risk business relationships or transactions and manage the risk, to ensure:
  • Regulatory compliance with the provisions of IFSCA AML Guidelines
  • Protection of the business against potential exploitation by financial criminals
  • Avoidance of reputational damage to the business
  • Contribution towards the stability and integrity of the economy
The IFSCA AML Guidelines have enlisted certain factors around the nature of the customer, product or services offered, the jurisdiction involved, etc., which pose a higher risk of being associated with money laundering, terrorism financing, other financial crime, or its typologies.
Here are certain high-risk factors that regulated entities must consider while developing the Customer Risk Assessment methodology:

Risk Arising From The Nature Of The Customer

  • Customer is a Politically Exposed Person (PEP) or is a close relative or associate of the PEP
  • Customer involved in high-risk business activities (such as casino, money service provider, etc.)
  • A corporate customer has a complex ownership structure or where identification of the beneficial owners is difficult
  • Corporate customer having nominee arrangements – nominee shareholders or nominee directors
  • Legal persons or arrangements acting as personal asset-holding vehicles
  • The customer has been alleged or convicted in the past for any financial crime

Geographic Risk

  • Customer is hailing from or is closely associated with high-risk countries such as jurisdictions subject to FATF grey list or black list (e.g., North Korea or Iran)
  • Transaction is expected to be executed in a country known for a high level of corruption
  • Countries with weak or no AML regulatory framework for controlling and preventing money laundering, terrorism financing or financial crimes
  • Jurisdictions subject to sanctions, embargos or similar restrictions by the United Nations or any other international organisations
  • Countries known for funding terrorist activities

Customer Due Diligence

  • Products or services favouring anonymity
  • When the customer is onboarded via remote channels or non-face-to-face basis without applying adequate controls in this regard
  • The customer is insisting on settling the transaction charges through a significant value of cash or crypto or other virtual assets
  • Business relationship involves agents and intermediaries without any business sense
  • When the transaction payment is settled through an unassociated third-party account
  • The value of a product or service is disproportionate to the customer’s financial profile
  • The services requested by the customer are related to the appointment of nominee shareholders or setting up a trust in a foreign country
The list here is not an exhaustive one, and the overall customer risk profile must be determined considering the combination of various risk parameters and not just one. The customer risk assessment program must align with the business’s nature and the overall Enterprise-Wide Risk Assessment.

What AML Measures Are To Be Implemented For High-Risk Customers By IFSCA-Regulated Entities?

To adequately apply the Enhanced Due Diligence measures and to manage the increased risk posed by high-risk customers, the regulated entities must perform the following AML measures in addition to the standard CDD process:

Additional Details

Additional inquiries must be made to understand the customer’s occupation, nature of business activities, ownership and control structure, etc. These details may be sought directly from the customer, or information can be gathered from other data sources (internet, paid subscription, corporate register, social media like LinkedIn, etc.).
The regulated entity must also establish the customer’s intended purpose of a particular business relationship.

Financial Status Of The Customer And The Beneficial Owners

Reasonable efforts must be made to understand the customers’ and the beneficial owners’ financial position and its alignment with the nature and value of the transaction. For this, the regulated entities must obtain information about their source of funds and source of wealth.
The regulated entity must establish the validity of this information by obtaining valid documents like audited financial statements, tax returns, payslips, bank statements, etc.

Senior Management Approval

The senior management must be apprised of the risk involved. The regulated entity must have systems and procedures to seek senior management approval for onboarding or transacting with high-risk customers.

Enhanced Ongoing Monitoring

The degree of risk the high-risk customer poses may increase or decrease over time, impacting the relevance and validity of the EDD measures and other controls applied. Thus, the regulated entities must subject these high-risk customers to an increased monitoring program. Under this, the transactions executed by these customers shall be closely monitored, and the customer’s overall profile shall be reviewed frequently and rigorously.

Condition Around First Payment

The regulated entities must ensure that the first payment towards the business relationship with the regulated entity is settled through the high-risk customer’s account with a bank subject to similar AML regulations and CDD measures.
This includes the following institutions where the customer has maintained an account in his own name:
  • a Bank
  • a financial institution subject to AML regulation and supervision, implemented in accordance with FATF Recommendations,
  • a subsidiary of the abovementioned entity, following the AML regulations applicable to the parent institution.
The IFSCA-regulated entities must implement the above-stated measures as part of EDD to mitigate money laundering and terrorist financing risks.

Best Practices To Manage High-Risk Customers

The following are a few tips that the regulated entities must consider when developing the Enhanced Due Diligence Program:
  • AML training on EDD is mandatory to manage the risk effectively. The regulated entity must ensure that the compliance team and relevant staff are adequately trained on identifying high-risk customers and diligently applying the additional checks and measures.
  • To bring efficiency and speed to the monitoring program, the regulated entity may consider implementing a robust business relationship and transaction monitoring system, wherein advanced technologies (like AI & ML) can be leveraged to review the transaction on a time basis, map it with the customer’s profile and promptly identify the suspicious activities.
  • To maintain the effectiveness, quality and relevance of the AML program, including the customer onboarding process and EDD measures, the regulated entity must establish a periodic review and AML audit function. The review must identify the weaknesses and flaws in the AML efforts and provide recommendations on strengthening the same.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Crypto money laundering and how to combat the same


Crypto money laundering:

Money laundering is on the rise globally. Money launderers and financial criminals are increasingly exploiting technological advancements to conduct financial crimes. They are misusing loopholes in regulations and technology to find out new ways of placing and layering illicit money. And the latest victim of their laundering attacks is the world of virtual assets and cryptocurrency.

Why is crypto money laundering attractive to criminals?

Inadequate or no regulation

The absence or lack of controls and regulations on cryptocurrencies is the primary reason for a rise in crypto money laundering. Many laws and rules exist for other financial channels, currencies, and instruments, wherein fines and penalties are imposed for non-compliance with these laws.
However, these are not currently prevalent in regulating the world of cryptocurrencies. Since it is a new form of currency, not yet acceptable in all countries, it is not adequately regulated by most countries. There are no centralized authorities involved in crypto transactions. Money launderers are attracted to crypto assets, as loose regulations result in a higher scope of not being caught by authorities.

Anonymous in nature

Individuals do not have to share their names while dealing with cryptocurrencies. Public addresses are used in these transactions, which do not relate to the user’s name. It provides users with a degree of anonymity, which is what makes cryptocurrencies desirable to money launderers.
There is no paper trail of a transaction. Only a digital record exists on the distributed ledger technology. Therefore, it is easier for criminals to move large amounts of illicit funds through blockchain technology without disclosing their identity.

Fast and convenient

The processing of cryptocurrencies occurs through online exchanges. These online transactions can happen across borders without many protocols. Thus, launderers are not required to deal with cash, which is more suspicious to investigators. Also, these transactions can happen rapidly between senders and recipients in any part of the world without giving much time to AML regulators to notice the transactions.

Fewer chances of being suspected

Transactions of cryptocurrencies are recorded in public domains on the blockchain. Only the individual who carried out the transaction can access their wallet. It is highly encrypted. Therefore, there are fewer chances of linking it to a specific individual or wallet. It reduces the chances of being suspected of money laundering, as the specific transaction by a criminal may get mixed up with genuine transactions over the blockchain.

No legal tender

Since cryptocurrencies are not legal tender, they cannot be authorized. Also, anyone can subscribe to them. Since no owner details are maintained, they are easier to launder.

How does crypto money laundering occur?

Gambling and gaming websites

Money launderers use illicit cryptocurrencies to buy chips or game currency on gambling websites. Once they are finished with gambling or gaming, they encash the remaining amount. Thus, the illicit cryptocurrency entered into the gaming or gambling website is cleaned and converted to cash.

Anonymizing services

Launderers can hide the sources of illicit funds by using anonymizing services on crypto exchanges. Anonymizing services break the connection between cryptocurrency transactions. Launderers can also participate in Initial Coin Offering (ICO) – using one type of coin to buy another. Thus, they can disguise the origins of the unlawful money by creating multiple layers.

Tumblers and mixing services

Tumblers are mixtures of different digital assets – dirty and clean – from diverse addresses. Once these are blended well, they are redistributed to new addresses or wallets. Once mixed, it is difficult to differentiate the legal and illegal currencies.
Also, by blending the cryptocurrencies, their anonymity increases, making it more challenging for investigators to find the owners. Thus, criminals can save themselves from being suspected and transfer the blended funds to legal businesses or crypto exchanges.

Use of cryptocurrencies in terrorism financing or paying for drugs

Many terrorist organizations raise cryptocurrencies through Telegram and Facebook groups. Many intermediaries are involved in transferring such funds to terrorist organizations. Further, money generated from drug trafficking on the internet is disguised as cryptocurrencies.
Illegal payments are made in cryptocurrency. Fiat currency is converted to cryptocurrency through a blockchain trading platform. These are later transferred to drug traffickers’ accounts.
The payments received in cryptocurrencies are transferred to virtual wallets in different crypto exchanges. Thus, it becomes difficult to trace the origin of funds.

Dark exchanges

Many unregulated cryptocurrency exchanges operate across the world. They do not conduct any identity checks or KYC of customers or transactions. So, criminals use such exchanges to launder cryptocurrencies. Specifically, launderers use illegal money in fiat currency to open an online account with currency exchanges.
Money launderers repeatedly transfer illegal currency to multiple accounts or move from one currency to another, thereby developing various layers to cleanse the funds. In the last transfer, they send the cleaned currency to an external cryptocurrency wallet. Alternatively, they convert it into cash using crypto ATMs.

Over-the-counter (OTC) brokers

Over-the-counter brokers facilitate transactions between buyers and sellers of cryptocurrencies. They are the intermediaries who get commissions to facilitate transactions. They are involved in converting illegal cryptocurrency to cash or vice versa by charging high commission rates.

Integration stage

In the integration stage, criminals aim to legitimize illicit cryptocurrency. They have successfully laundered the illegal money but need to show a legal source. In such cases, crypto money launderers create a fake online company that allows cryptocurrencies as payment methods.
Thus, they transform illegal crypto into legal money by faking the trade transaction. Alternatively, launderers can show the money as the sale of a profitable business or an asset appreciation.

What are the red flags of crypto money laundering?

You must be aware of the following red flags to save yourself from the threat of crypto money laundering:
  • When funds are received from a platform that does not have any AML regulations or has been categorized as a jurisdiction with high money laundering risks.
  • Several high-value transactions suddenly occur in an inactive account or in a new one.
  • When there are multiple transfers of cryptocurrencies from multiple crypto wallets to one account.
  • When there are several transactions of purchase of cryptocurrencies by several individuals with the same IP address, followed by several transfers to accounts in another country.
  • When the crypto sending and receiving transactions are just below the mark of reporting thresholds.
  • When several credit cards and bank accounts are linked to a single crypto wallet to use it to move funds around.
  • Connected crypto wallets where the customer profiles do not match.
  • Continuous occurrence of many high-value transactions in a short time.
  • When several high-value transactions occur in a regular pattern and stop entirely after a specific period.
  • When there are cryptocurrency transactions that do not match the profile of a customer.
  • When there are frequent transactions of fiat conversion to crypto with no logical reasoning.
  • When many unrelated wallets transfer cryptocurrencies to one common wallet, which immediately converts it to fiat currency.
  • When transactions occur with digital wallets whose owners were earlier connected to cases of fraud or ransomware, or feature on the sanctions list.

How to combat crypto money laundering?

Yes, there is anonymity in cryptocurrency transactions, which launderers take advantage of. But all cryptocurrency transactions are documented on a distributed public ledger. These digital records stay permanently. One mistake in the entire money laundering process can help investigators trace the illegitimacy.
One way of protecting cryptocurrencies from money laundering threats is implementing KYC rules. With KYC norms, exchanges could identify the customers and have data about owners of virtual wallets and cryptocurrencies. Registration and licensing of operators in the cryptocurrency market is also a solution that can address the money laundering issue.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


Detecting structured transactions under PMLA and IFSCA (AML, CFT, & KYC) Guidelines, 2022

One of the standard techniques criminals use to launder illegally obtained money is through structuring. In this context, the Prevention of Money Laundering Act, 2002 (PMLA) and IFSCA (AML, CFT, and KYC) Guidelines, 2022 require financial institutions and other regulated entities to implement necessary anti-money laundering (AML) measures to identify the structured transactions, report, and prevent the same.
The article here discusses the structuring of transactions from an AML perspective and the measures to be adopted for enhancing the AML program, focusing on the detection and deterrence of such transactions.

What Is Structuring?

It is essential to understand the concept first before deploying the controls to curb it. Structuring refers to a process where a large sum is intentionally broken into smaller denominations to avoid the attention of the authorities or AML-related enquiries from the regulated entities.
The launderers use structuring during the placement as well as the layering stage of the money laundering process. During the placement stage, the large amount of cash generated through criminal activities is split into small values for putting such cash into the financial system without raising suspicion (for example, when millions in cash are divided into hundreds of smaller deposits). During the layering phase, the structuring of transactions is done to distance the owner and origin from the dirty money.
The objective of structuring transactions is to artificially manipulate the value and count of transactions so that they appear to be expected and within the threshold of AML checks, and thus escape scrutiny. Structuring leads to the creation of a complex web of transactions, concealing the source of criminal proceeds and the identity of the launderer.
This calls for a comprehensive framework to monitor the transactions to spot such falsely structured transactions attempted to launder illicit money.

Why Is It Crucial To Detect Structured Transactions?

When any structured transactions go undetected, the regulated entities are deemed to have aided the money laundering process, though inadvertently. This can lead to severe unwarranted effects such as:

Legal Consequences:

The failure to detect and prevent the structuring of transactions would be treated as non-compliance with provisions of PMLA and the IFSCA (AML, CFT, and KYC) Guidelines. This can result in huge penalties and other legal actions by the regulatory authorities.

Reputational Damage:

When the entity is known for being exploited by criminals to route illegal money, it portrays the image of weak AML controls of the company. This adversely damages the business’s reputation in the market, including loss of customer trust. Rebuilding the original brand takes a long time and is an expensive affair!

Financial And Operational Risk:

Loss of reputation and customer confidence has a long-lasting impact, resulting in loss of new business opportunities. No rational investor is willing to associate with an entity that does not demonstrate a solid commitment to AML compliance and overall ethical business conduct.
Further, when the business has been misused by criminals for money laundering, it may also have led to the exploitation of the business resources, resulting in financial loss to the regulated entity.
Given the severity of the impact the structured transaction can have on business, regulated entities must understand the significance of its detection and implement a strong AML program that ensures no structuring of transactions goes unidentified.

What Are The Key AML Measures For Detecting The Structuring Of Transactions?

The following elements must be developed thoroughly and implemented in full spirit to identify and prevent the potential suspicious transactions suggesting structuring:

Customer Due Diligence

The regulated entity needs to identify the customer and the beneficial owners with whom the business relationship is to be established. Verification of the identity of such persons is crucial to determine whether the person is genuine, is not mentioned on the Sanctions List or connected with someone who is, and whether the person has adverse media or is associated with a Politically Exposed Person (PEP) that warrants application of additional measures.
Further, understanding the purpose of transactions and the nature of business relationships is also a significant measure to uncover any potential structuring activities.

Implementing Robust Ongoing Monitoring Mechanism

Only with continuous monitoring can the structuring of transactions be detected. The regulated entities must develop a comprehensive ongoing monitoring program to identify suspicious trends or inconsistencies with the customer’s profile. This program must include tools and technologies configured with monitoring rules to immediately flag the complex transactional patterns suggesting structuring, as a manual review may not cover the transactions holistically and is also subject to oversights by human reviewers. The system uses sophisticated logic to draw out anomalies and unusual patterns, such as the same amount of funds being frequently deposited from one account to another or the purchase of the same value of gold (below the reporting threshold) every week.
The regulated entity must explore investing in advanced technologies like machine learning and artificial intelligence that can run large volumes of transactional data in seconds, predict the trends and generate alerts for any suspicious series of transactions, indicating structuring. Further, with intelligent algorithms, the number of false positives can be minimized, saving on human efforts to examine the alerted transactions. Data analytics capabilities can also analyse customer behaviour and map it with the overall risk profile of the customer and the transactions being executed by the customer over the period of time to determine any dubious activities.
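As an added illustration (not part of the original article, and not any vendor's rule set), the sketch below shows how the monitoring rules described above could be expressed over a rolling window: sub-threshold deposits that together cross the threshold, repeated deposits just below it, and the same amount recurring. The threshold, band, window, minimum count and customer IDs are assumed values chosen for the example, not figures from PMLA or the IFSCA Guidelines.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed values for illustration only; not taken from PMLA or the IFSCA Guidelines.
REPORTING_THRESHOLD = 10_000   # hypothetical reporting threshold, arbitrary currency units
NEAR_BAND = 0.80               # "just below" means at least 80% of the threshold
WINDOW = timedelta(days=30)    # rolling look-back window (long enough to see weekly repeats)
MIN_COUNT = 3                  # transactions needed in the window before a rule fires


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: int


@dataclass(frozen=True)
class Alert:
    customer: str
    rule: str
    window_end: date
    txn_count: int
    total: int


def detect_structuring(txns):
    """Return one alert per (customer, rule), raised at the first window where it fires."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer].append(t)

    alerts = []
    for customer in sorted(by_customer):
        items = sorted(by_customer[customer], key=lambda t: t.day)
        fired = set()   # alert once per rule per customer
        start = 0
        for end, current in enumerate(items):
            # Slide the window start forward so the window spans less than WINDOW.
            while current.day - items[start].day >= WINDOW:
                start += 1
            # Only sub-threshold transactions are candidates; larger ones are
            # assumed to be covered by ordinary threshold reporting.
            below = [t for t in items[start:end + 1] if t.amount < REPORTING_THRESHOLD]
            near = [t for t in below if t.amount >= NEAR_BAND * REPORTING_THRESHOLD]
            same = [t for t in below if t.amount == current.amount]
            split = below if sum(t.amount for t in below) >= REPORTING_THRESHOLD else []

            candidates = {
                "SPLIT_BELOW_THRESHOLD": split,   # individually small, jointly over the threshold
                "NEAR_THRESHOLD": near,           # repeatedly just under the threshold
                "REPEATED_AMOUNT": same,          # identical value recurring in the window
            }
            for rule, hits in candidates.items():
                if rule not in fired and len(hits) >= MIN_COUNT:
                    fired.add(rule)
                    alerts.append(Alert(customer, rule, current.day,
                                        len(hits), sum(t.amount for t in hits)))
    return alerts


# Constructed sample data (not real transactions).
SAMPLE_TXNS = [
    Txn("C-001", date(2024, 1, 2), 9_500),    # three deposits just under the threshold
    Txn("C-001", date(2024, 1, 3), 9_800),
    Txn("C-001", date(2024, 1, 5), 9_700),
    Txn("C-002", date(2024, 1, 1), 3_000),    # same value purchased every week
    Txn("C-002", date(2024, 1, 8), 3_000),
    Txn("C-002", date(2024, 1, 15), 3_000),
    Txn("C-003", date(2024, 1, 4), 25_000),   # above threshold, reported normally
    Txn("C-003", date(2024, 1, 10), 1_200),
    Txn("C-003", date(2024, 1, 20), 300),
]

if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_TXNS):
        print(alert)
```

Each alert is a prompt for the investigation and customer-profile comparison described in this section, not a finding in itself; a production rule would also weigh the customer's expected activity before raising it.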

AML Awareness And Training

Having well-trained employees is as important as having the AML program. The regulated entities must invest resources in imparting adequate training to the team to create awareness on:
  • internal AML policies and procedures implemented,
  • the money laundering-related red flags,
  • the software and tools deployed to manage the AML compliance,
  • identification and reporting of suspicious transactions, including potential structuring activities,
  • specific to the structuring of transactions – various structuring methods must be discussed,
  • overall duties and responsibilities towards the AML framework.
The employees must be trained on thoroughly investigating the flagged transactions to trace the origin and true beneficiary of the funds to uncover any attempts to launder the funds through structuring.
The training program must include case studies and workshops to empower the employees to deal with real-life scenarios when any risk indicators are observed.

Periodic Review Of The AML Program, Including Monitoring Systems

The regulated entities must periodically review their AML policies, procedures, controls and systems to check the effectiveness and validity in identifying and preventing the structuring of transactions, along with other vulnerabilities.
This periodic review of the AML program shall ensure that the entity is aligned with regulatory developments and emerging risk trends. During this process, gaps or weaknesses in the AML framework, if any, can be detected and addressed to strengthen the efficacy of the AML efforts. Further, it can also assist in verifying that the transaction monitoring rules are working fine and no transaction structuring goes unobserved.
With a systematic approach and a robust AML program encompassing Customer Due Diligence, continuous transaction monitoring, AML training and AML health checks, the regulated entities can effectively detect and prevent the structuring of transactions.

Top 10 mistakes to avoid while conducting ML/FT Enterprise-Wide Risk Assessment

Enterprise-Wide Risk Assessment is an essential ingredient of an AML compliance program, enabling regulated entities to stay wary of the financial crime risks to their business. Once they identify the risks, they can apply relevant measures to mitigate or manage them.
As the effectiveness of the AML program is highly dependent upon the analysis of the Enterprise-Wide Risk Assessment (EWRA) or the Business Risk Assessment, the regulated entities cannot go wrong with it. If the risk assessment is erroneous or the evaluation of any risk factor is missed, the regulated entity might face repercussions. Unidentified risks might affect your business, leading to money laundering or other financial crime vulnerabilities. It affects your operations, business reputation, and financials.
So, avoiding common mistakes in such risk assessments is wise. Keep a note of them and dodge their attack.
Let’s examine these common mistakes regulated entities may make while carrying out EWRA.

Top mistakes to avoid while performing AML Enterprise-Wide Risk Assessment

The regulated entities must thoroughly conduct the business risk assessment, considering all the relevant risk scenarios and their possible impact on the business. An inadequate or inaccurate risk assessment degrades the entity’s overall anti-money laundering efforts and compliance. So, you must be cautious of these mistakes and overcome them.
The following are the common pitfalls to avoid while performing AML risk assessments:

Missing defining the business’s risk appetite

An entity’s financial crime risk appetite means how much risk the business can and is ready to tolerate. It includes types of risks and their severity. It differs from business to business. The regulated entity must answer this question, “How much ML/FT risks is it ready to bear to achieve the strategic goals and objectives?” before proceeding with the risk assessment exercise. Also, when the risk appetite is defined and documented, the same serves as a base for developing the entire AML framework on a risk-based approach.

No commitment from the senior management

The EWRA task begins with management-approved risk appetite and ends with their approval of the outcome of the final risk assessed.
When the senior management does not get involved in the process, the entity might face teething issues in diligently concluding the EWRA, which may ultimately impact the quality of AML measures and result in a conflict of interest between AML’s compliance function and the business goals.
Thus, the senior management’s commitment to the risk assessment process is very critical.

Not taking into account the changes in regulatory provisions

Regulations keep changing. Monetary Authority of Singapore (MAS) or other AML supervisory authorities release new guidelines to tackle emerging threats, setting new benchmarks for AML compliance. All such updates and amendments must be considered because they affect the risk assessments. When critical regulatory provisions are missed while carrying out the EWRA, the entity may pay a huge price due to non-compliance and an inefficient AML program.

Overlooking some of the risk types

Risk assessment for any business involves studying and analyzing the risks from:
  • Customers/clients
  • Transactions
  • Geography
  • Delivery methods
  • Products and services
  • Technology
Developing a comprehensive business risk profile is challenging if the entity misses evaluating any of these risks. In the future, the regulated entity might face money laundering threats from the skipped risk factors, leading to non-compliance penalties and reputational damage. So, all these risk factors must be considered in assessing the ML/FT risk.

Insufficient efforts in data collection, analysis, and scoring

Risk assessment is not a simple activity. It requires dedicated efforts towards assessing the business exposure, considering qualitative and quantitative risk attributes. Any lazy attitude towards exercise can affect the assessment results. So, the regulated entity must be thorough in:
  • Collecting data for the assessment
  • Studying the customers, geographies, delivery methods, offerings, and transactions
  • Analyzing each data point
  • Using sophisticated risk-scoring models to score risks
  • Evaluating the risks by their severity, likelihood, frequency, and impact
  • Scientifically categorizing and rating the risk parameters as high, moderate, and low risk
If the data used for risk assessment is incomplete or inaccurate, the business risk assessment will not be relevant and in alignment with your goals. The entity may end up duplicating the efforts in re-doing the exercise or lead to half-baked results. So, reliance on a comprehensive and quality data set is critical in EWRA.

Incomplete, outdated, or static risk assessments

  • What is the frequency of conducting risk assessments in a year?
  • Whether all the latest regulations and laws have been considered while conducting risk assessments?
  • Whether all the potential threats to the business have been taken into account?
  • What about the industry trends and emerging ML/FT typologies? Have those been assessed for their potential impact on business?
  • Is your risk assessment updated to factor in the new business statistics or changing circumstances?
If the answer to the above questions is “No,” then the risk assessment exercise cannot significantly benefit the entity’s AML efforts.
The entity must keep updating EWRA frequently, incorporating changes in industry, clients, transactions, regulations, geopolitics, etc. The entity must study and assess the emerging risks to improve the effectiveness of the business risk study.
The regulated entity must adjust the Enterprise-Wide Risk Assessment based on past assessments’ accuracy level and usefulness. The entity must check whether the past risk analysis was applicable or inaccurate; if inaccurate, necessary changes must be made.
So, focus on complete, up-to-date, and dynamic AML risk assessments.

Prioritizing assessment of risks in silos instead of a holistic view

When considering a client’s risks, the entity must not consider just one factor. An isolated view of one risk does not give a complete picture. The entity must analyze the client risk from all factors:
  • What are the risks from the client’s nature of business?
  • Is there anything irregular about the products and/or services requested by the client?
  • Are their delivery methods involving any money laundering activity?
  • Does their headquarters or registration location harm the entity’s business?
  • Is their preference for specific transaction types detrimental to the regulated entity’s AML compliance efforts?
Suppose a high-risk client is based in a tax haven with no AML regulations. It is riskier than a high-risk client in a normal country with strict AML regulations.
This requires the entities to consider all these factors at the same time. If each risk is evaluated individually, it may yield a limited picture of risks. In contrast, a parallel assessment of the different risk aspects will give a holistic view of the business’s total exposure to ML/FT.

Absence of technology or the use of complicated systems

Sometimes, the methods deployed for manually assessing the risk are too simplistic and inadequate, generating no quality results. Such risk assessments might be inaccurate, time-consuming, and miss some critical data points. So, deploying sophisticated EWRA methods, including advanced tools and technology for carrying out enterprise-wide ML/FT risk assessment, is best.

Neglecting the documentation of the risk assessment process and results

AML risk assessment will help the business plan the corrective actions to combat financial crimes. EWRA empowers the entity to adopt a risk-based approach to mitigate, manage, or prevent these risks. For depending on the EWRA and ensuring consistency in the measures implemented, it is necessary to document EWRA methodology, risk factors considered, the base for extracting quantitative data, final risk assessed, etc.
Further, maintaining adequate EWRA documentation is also a regulatory obligation. So, the regulated entities must not miss documenting their process, results, and conclusions to strengthen AML compliance efforts.

Not preparing for the response action

Enterprise-Wide Risk Assessment serves a purpose in the entity’s AML compliance function. It is not just an exercise. It must lead to the next step towards the AML journey.
The entity must decide how to respond to these risks based on the ML/FT risk appetite. The entity might accept a few while eliminating or reducing the impact of the others. The outcome of the EWRA must be utilized for formulating and executing a risk mitigation and management plan.

AML Customer Risk Assessment: Identifying The ML/FT Risk

In accordance with the Prevention of Money Laundering Act, 2002 (PMLA) and the IFSCA (AML, CFT, and KYC) Guidelines, 2022, the reporting entities (regulated entities) are required to develop and implement robust anti-money laundering programs to combat money laundering and terrorism financing crimes. This AML program must be comprehensive and targeted to identify the financial crime risks and adopt adequate controls to manage the same. One of the critical AML measures is customer risk assessment, a crucial component of the Customer Due Diligence (CDD) process.
In this article, we shall discuss customer risk assessment or customer risk profiling, its significance, and the best practices to determine the customer risk profile effectively.

Understanding Customer Risk Assessment Under The AML Program

AML customer risk assessment is a systematic process adopted to assess the financial crime risk a particular customer or business relationship poses to the business. This process shall help the entity develop a risk profile for each customer and determine the nature and degree of the customer due diligence measures to be applied to manage the assessed customer risk.
The customer risk assessment is carried out considering the various factors like:
  • Customer’s identification information, including the residential and occupational location
  • Legal structure and ownership/control structure (in case of legal person or legal arrangement)
  • Nature of the associated business activities
  • Connection with Politically Exposed Person (PEP)
  • Purpose of the given transaction or nature of the business relationship
  • Expected value and volume of the transaction
  • Person’s financial position
  • Involvement of any intermediaries or third parties
All these parameters about the customer and the proposed transaction offer great insights into the person’s risk classification, allowing the entity to reasonably categorise the customers as high risk, low risk or medium risk. When the risk assessed seems to exceed the entity’s ML/FT risk appetite, such customer must be identified as “unacceptable” unless necessary risk mitigation measures ensure the net risk is within tolerable limits.
Customer risk assessment is not limited to one-time activity while onboarding the customers. The customer’s profile is dynamic, as would be the customer’s risk rating. Hence, the regulated entities must continuously monitor the customer’s activities, identification details, transaction patterns, etc., to check if the initially developed customer risk profile is appropriate or needs re-assessment to incorporate the changes in nature of risk radiated and the control measures required.

Exploring The Significance Of Customer Risk Assessment Under AML Compliance

Customer risk assessment is a significant aspect of the Customer Due Diligence process and the overall AML compliance program that enables regulated entities to adopt a proactive approach to safeguard the business against budding threats and maintain the integrity of the business and the national economy as a whole.

Identifying The ML/FT Risks

The thesis around which the AML framework revolves is the timely identification of potential ML/FT vulnerabilities and the application of necessary measures to prevent them.
Through thorough analysis of the customer risks, the regulated entities may identify the red flags associated with the given business relationship. This also empowers the entity to pinpoint the high-risk customers that carry increased financial crime exposure.
Further, while monitoring the adequacy of the risk classification allotted to a customer, the entities monitor the customer’s conduct and transactions, resulting in the identification of suspicious activity or unusual patterns, if any.

Application Of Risk-Based Approach And Staying AML Compliant

PMLA and the IFSCA AML Guidelines provide for adopting a risk-based approach while implementing the AML program, ensuring effective risk mitigation while optimally utilising the resources.
With the customer risk score, the regulated entities can determine the nature of risk mitigation measures to be deployed, ensuring efficient allocation of the AML resources to manage the assessed customer risk. For example, the entities must deploy Enhanced Due Diligence (EDD) measures when the customer is graded as high-risk. In contrast, in other cases, a standard customer due diligence would be sufficient.
This shall also ensure that the entities comply with the regulatory requirements for assessing the customer risk and deploying adequate measures adopting a risk-based approach, including enhanced customer due diligence and ongoing monitoring of business relationships.

Maintaining Business Reputation

The efforts around customer risk assessment demonstrate the entity’s commitment toward AML measures while ensuring a smooth and hassle-free customer onboarding process. When medium or low-risk customers are not burdened with excessive inquiries (which are otherwise necessary for high-risk customers), it boosts the customer’s confidence in the client’s business and compliance approach. It builds a maintainable reputation for the business in the eyes of the customers and other stakeholders.

Approach And Best Practices To Effectively Carry Out AML Customer Risk Assessment

As mentioned above, customer risk assessment is a systematic process involving analysis of the customer’s details to evaluate the type and extent of risk associated with a business relationship or transaction.
The following are the best practices the regulated entity must keep in mind for AML customer risk assessment:

Developing A Robust Customer Risk Assessment Program

To ensure consistency and effectiveness in customer risk assessment, it is important to document a sophisticated methodology to carry out the customer risk assessment, defining the factors to be considered for such assessment and the circumstances when the customer would be classified under high, medium or low-risk baskets.
The risk assessment process must be developed considering the applicable AML regulations, the risk indicators generally observed in the business sector, and the outcome of the entity’s Enterprise-Wide Risk Assessment to make it more personalized and practicable.
This should also include the reference to the ongoing monitoring of the risk classification, its validity and the scenarios warranting change in the customer risk category.
A written set of procedures would serve as a foundation of the AML Program, guiding the compliance team to analyse the customer risk and document it appropriately and thoroughly.

360-Degree Review Of The Customer Profile

An ideal process of customer risk assessment begins with a diligent review of the customer’s information collected during the “Know Your Customer” stage. The information to be considered for risk assessment includes personal details like:
  • date and place of birth
  • nationality
  • addresses
  • details about the beneficial owners and senior management
  • nature of business activities the customer is engaged in
  • financial profile of the customer (source of funds and source of wealth)
  • other identification details such as PEP, connection with high-risk jurisdictions mentioned on sanctions lists
This must be clubbed with transactional parameters like the nature of products and services requested, etc. For an existing business relationship, the customer’s transaction patterns and frequency, the complexity of the transaction, payment modes used, etc., must also be considered.
Only a holistic understanding of the customer can ensure that the assessed risk is appropriate, helping the entity to deploy accurate risk mitigation controls.

Continuous Monitoring Of Customer Risk Profile

The regulated entity must regularly review and update the customer risk profile, considering the nexus between the original risk profile and the transactions and activities carried out during the ongoing business relationship. For this, the regulated entity must deploy robust ongoing monitoring systems that review the transactions and customer behaviour, including the relevance and accuracy of the customer’s identification details.
With ongoing monitoring, the entity can immediately identify the change in customer details or behaviour that warrants a relook at the appropriateness of the customer’s risk rating and the due diligence measures deployed.
For example, if the customer becomes a PEP 2 months after onboarding, the entity must be notified promptly so that enhanced due diligence measures are applied.

Adequate Employee Training

It is essential to build familiarity with the importance of customer risk assessment and the methodology for carrying it out. The entity must invest in regular employee training that covers the factors to be considered when assessing customer risk, employees' roles and responsibilities, the actions to take when anomalies are found, etc.

Implementing The Right Tools And Solutions For AML Customer Risk Assessment

The entity may consider deploying advanced AML solutions and software that automatically evaluate customer information and place customers into appropriate risk categories based on the evaluated information and the configured assessment rules. Further, technologies like AI and data analytics can keep track of customer transactions and activities and continuously map them against the customer risk profile to detect any inconsistencies between the two, surfacing actionable insights for reassessing the customer risk.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.