The Nexus Between Money Laundering and Terrorist Financing

Understanding illicit practices like Money Laundering and Terrorist Financing is important to safeguard the financial systems, promote economic stability, and ensure national security. This blog intends to give a clear picture of both Money Laundering (ML) and Terrorist Financing (TF) and how these are connected to each other, helping Relevant Persons in the UK to ensure robust AML/CFT compliance.

Definition of Money Laundering

Money laundering is a process through which a person or an entity conceals the illegal source of funds in the legal economy. Basically, it’s a process where dirty (illicit) money is laundered and given the appearance of legitimate funds.

Process of Money Laundering

Just as laundry is done to wash away all traces of dirt until the item is spotless, money laundering washes the traces of wrongdoing from funds. The process includes three steps by which dirty money is laundered:

1. Placement: This is the initial stage, where the illicit money is introduced into the financial system. At this stage, the money is often in the form of cash. The goal of this step is to create distance between money and its criminal source. Here it includes:

  • Structuring, where a small amount of money is deposited into banks
  • Transferring funds through a cash-intensive business
  • Buying foreign exchange in cash with illicit cash.

2. Layering: This is the second stage, where the money is layered in a way that makes it difficult to trace the origin of funds. Here it includes:

  • Investing funds in real estate and high-value precious metals such as gold and silver
  • Moving funds with shell companies and offshore companies
  • Converting funds into different currencies and financial instruments.

3. Integration: This is the last and final stage, where the cleaned money is reintroduced into the mainstream economy as legally earned money or legitimate money. Here it includes:

  • Using the funds to buy goods and services without attracting the attention and scrutiny of authorities
  • Investing funds in high-value assets
  • Building business relationships and investing in such businesses.
This three-step process helps criminals to disguise the illegal origin of the funds and make it appear as legitimate money. This process makes it difficult for authorities to trace the illicit money and its source.

Background of Anti-Money Laundering Legislation in the United Kingdom

The background of legislation to combat ML risk in the UK is elaborated as follows:
  • Before 1990, the United Kingdom didn’t have any law specific to money laundering, but it became a member of the Financial Action Task Force (FATF) in 1990. After that, the Money Laundering Regulations 1993 (1993 No. 1933) were enacted. The ML Regulations, aligned with FATF standards, marked a significant milestone in the UK’s AML efforts, expanding the scope of oversight to encompass a wide range of financial and non-financial sectors.
  • The Joint Money Laundering Intelligence Taskforce (JMLIT) was established in 2015 by the Financial Sector Forum, which meets thrice a year to make the UK’s Financial Sector unfavourable for criminal activity.
  • In 2015, the UK published its first National Risk Assessment (NRA), recognising that the factors which make the UK attractive for legitimate financial activity also make it vulnerable to misuse by criminals and terrorists.
  • That’s how the UK keeps assessing itself and upgrading the regulations for combatting money laundering practices.
The UK Anti-Money Laundering laws are set out in the following:

Proceeds of Crime Act 2002 (POCA) [As amended by the Serious Organised Crime and Police Act 2005 (SOCPA)]

  • It expands the scope of acts that, if committed by any person, constitute money laundering

      • Concealing, Disguising, Converting, Transferring, or Removing Criminal Property
      • Entering into or Becoming Concerned in an Arrangement
      • Acquisition, Use, and Possession of Criminal Property

These illicit acts are punishable by a maximum penalty of 14 years’ imprisonment and/or a fine. The act provides a framework for the following:
  • Submission of Suspicious Activity Report (SARs) to the UK Financial Intelligence Unit (UK FIU)
  • Submission of Defence Against Money Laundering (DAML) SAR
  • Asset Recovery.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and its subsequent amendments

  • It provides for Relevant Persons in the UK to ensure:

    • ML/TF Risk Assessment
    • Risk-Based CDD
    • Establish AML/CFT Policies and Procedures to manage ML/TF risks.
    • Ensure ongoing compliance with AML/CFT Policies and Procedures
    • Ensure Staff Awareness and Training
    • Ensure Adequate Record-Keeping

  • It implements the EU Fifth Money Laundering Directive in the UK.
  • It extends the scope of the regulated sector and makes changes to customer due diligence and enhanced due diligence.
  • Added a new requirement to make reports to Companies House in relation to discrepancies between information collected during customer due diligence and information on the Persons with Significant Control register, also known as the Ultimate Beneficial Owners (UBOs).

Definition of Terrorist Financing

Terrorist Financing, or Terrorism Financing, is an activity that supports terrorist activities by using funds from both legitimate sources, like personal donations and business profit, and criminal activities, like the drug trade, weapon smuggling, etc. TF enablers move these funds through the formal banking system and by informal value transfer systems like hawalas and hundis, as well as by physically transported cash, gold, and other valuables. These funds are basically used for purchasing weapons, training people, providing accommodation, and planning and executing terror attacks.

Process of Terrorism Financing

Terrorism Financing is a process through which terrorists collect funds to use for their further terror attack plans. This process includes four steps:

1) Raise: This is the collection stage, where the terrorism enablers gather money from legal and illegal means. Raising includes:

  • Direct donations by individuals and organisations
  • Use of charities
  • Generating funds from legal business operations for TF purposes.

2) Store: The second stage includes storing, where terrorism enablers tend to store the funds in a manner that doesn’t attract the authorities’ attention. Storing includes:

  • Depositing cash in several bank accounts.
  • Using trade-based methods like over- or under-invoicing
  • Investing funds in cryptocurrencies and high-value assets.

3) Move: In the Moving stage, funds are mobilised by various formal and informal channels. Moving is a crucial step and is carried out with great confidentiality to avoid attention from law enforcement authorities. Moving includes:

  • Bulk cash couriers
  • Informal value system transfers
  • Sale and transfer of virtual assets.

4) Use: “Use” is the final stage where the funds intended for TF purposes reach the terrorists, and are used for the following purposes:

  • Direct operations like purchasing weapons
  • Training camps and recruitments
  • Support for Allied groups or political activities.

Background of Anti-Terrorism Financing Legislation in the United Kingdom

The background of the UK’s Anti-Terrorism Financing Legislation is elaborated as follows:
  • The requirement to criminalise terrorist financing was added to the FATF standards at a special plenary session of the FATF in the months following the 11 September 2001 attacks in the US. Before the 9/11 attacks, there was the Terrorism Act 2000 in the UK, but it was regarded as a temporary emergency measure.
  • After this attack, the UK developed an effective counter-terrorism mechanism and followed the guidelines of the FATF, remaining a nation where the threat was being managed. After the attack, the UK has been working on
  • According to the UK’s HMG publication, Counter-Terrorist Financing remains one of the UK’s priorities under the National Security objectives set out in the UK’s National Security Strategy.

The counter-terrorism regime in the UK consists of:

The Joint Terrorism Analysis Centre (JTAC)

  • JTAC was founded in 2003
  • JTAC is an independent authority on terrorism assessment, defines the national terrorism threat level, and issues warnings to government departments and law enforcement agencies.

Counter Terrorism Strategy (CONTEST)

  • CONTEST is the UK’s Counter Terrorism Financing strategy, established in 2003
  • CONTEST’s core components provide for protecting UK citizens from terrorism by:

    • Preventing
    • Pursuing
    • Protecting
    • Preparing

  • Refreshed in 2018 and 2023, it governs and monitors cross-government counter-terrorism performance.

The Terrorism Act (TACT) 2006

  • TACT provides the length of time that a terror suspect could be detained without charge
  • TACT elaborates on acts of terrorism by creating offences of publication or dissemination of terrorist publications
  • TACT provides institutions with the ability to submit SARs to the UK FIU and file DAML.

Sanctions and Anti-Money Laundering Act (SAMLA), 2018

  • It provides the legal framework for the UK to impose, update and lift sanctions.

The ISIL (Da’esh) and Al-Qaida (United Nations Sanctions) (EU Exit) Regulations, 2019

  • It ensures sanctions under the UN sanctions regime in respect of ISIL (Da’esh) and Al-Qaida continue to be implemented effectively.

The UK Counter-Terrorism (International Sanctions) (EU Exit) Regulations, 2019

  • It allows the UK to implement autonomous UK listings with an international focus related to Counter-Terrorism and ensures the UK implements its international obligations under the UN Security Council Resolution 1373

The Counter-Terrorism (Sanctions) (EU Exit) Regulations, 2019

  • SAMLA came into force at the end of the EU exit transition period.
  • SAMLA allows the designation of individuals, groups or entities with a clear UK nexus where the designation will be in the interests of countering terrorist threats and/or protecting UK national security.
The UK has a robust legislative framework which criminalises the financing of terrorism in all its forms, and which continues to evolve alongside the more technological and complex threats that the UK and its interests may face.

Importance of Understanding the Nexus Between Money Laundering and Terrorist Financing

A better understanding of the two concepts and their nexus or inter-relationship is important for combating ML/TF and implementing the best AML/CFT compliance measures. Be it Bristol, Liverpool, or Plymouth, Relevant Persons across the UK need to understand the nexus between ML and TF due to their inherent vulnerability to exploitation by illicit actors. Relevant Persons in the UK can safeguard their business from the ML/TF threat by:
  • Enhancing suspicious activity and transaction detection
  • Implementing a risk-based approach to mitigate ML/TF risk
  • Enforcing robust internal AML/CFT Policies, Procedures, and Controls.

Similarities Between Money Laundering and Terrorist Financing

While addressing similarities between ML/TF, the following considerations need to be made:

Same Compliance Requirement: The compliance procedures for ML and TF are the same, from the registration of the Relevant Person, to the appointment of the Nominated Officer, to the Firm Risk Assessment and the CDD procedure that includes KYC. The investigation of Suspicious Activity Reports (SARs) for both ML and TF is done by the UK Financial Intelligence Unit (UKFIU).

Same Legal Framework: Both ML/TF are governed by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 in the UK.

Shared Placement Pathways: Both ML/TF processes involve the placement, i.e., the introduction of funds into financial systems, such as banks, charities, and high-value assets. Launderers and terrorism enablers are focused on the same path to channelise their funds.

Difference Between Money Laundering and Terrorist Financing

Money Laundering and Terrorist Financing are often mentioned together, but there are critically important differences between the two crimes.

| Basis of Differentiation | Money Laundering | Terrorist Financing |
| --- | --- | --- |
| Origin of Funds | The funds arise from illegal activities only. | The funds can arise from both legal and illegal activities. |
| Process | Money Laundering is a circular process: it starts with the person who obtained the dirty money from the predicate offence, then moves on to wire transfers to hide the source, and the money is then returned to the original person in a way that makes it appear legitimate. | Terrorism Financing is a linear process where the money is transferred to the terrorist for the collection of weapons and destructive materials, training, and carrying out terrorist attacks. |
| Threats | According to NRA 2020, Money Mules and Trade Based Money Laundering (TBML) are threats to the UK as they exploit both domestic and international trade practices. | According to NRA 2020, Islamist Terrorism and Far-Right Terrorism |

Nexus Between Money Laundering and Terrorist Financing

As money laundering and terrorist financing are often treated as the same thing, it is worth noting the methods that money launderers and terrorists have in common. The following are ways that both launderers and terrorists use to circulate funds:

1. Shell Companies

Shell companies are those which are just on paper but are not operational companies. Shell companies are misused by criminals to further money laundering and terrorist financing activities. The Relevant Person, while doing the AML compliance procedure, should make sure that they check the ownership structure of the business and their purpose structure so that an initial check can be done to see whether it is a legal operational company or a shell company made for illegal purposes.

For example: An authorised signatory of an agricultural business comes to a Relevant Person (a High Value Dealer of Precious Metals and Stones) to purchase precious stones worth millions. Here the Relevant Person needs to check the economic rationale of the proposed business relationship, and the Money Laundering Reporting Officer (MLRO) or the Nominated Officer (NO) should decide whether or not to file a SAR on the NCA portal based on the facts of the case, so that the Relevant Person doesn’t unwittingly help the launderer or terrorism enabler (the agricultural business, in this example).

2. Complex Transactions

Complex transactions, as the name suggests, are transactions where understanding the Source of Funds (SoF) and Source of Wealth (SoW) is difficult. Criminals use such transactions to make it difficult to detect the source of illicit money. The Relevant Person should ensure that their employees conduct the CDD procedure very carefully and know the red flags for the timely identification of suspicious transactions and activities so that the filing of SAR can be done in time.

3. Trade-Based Money Laundering (TBML)

Trade-Based Money Laundering (TBML) is a method where invoice values are manipulated by either over- or under-invoicing. Both ML/TF actors utilise this method to manipulate transactions and conceal the movement of illicit funds in the economy.

The relevant person should ensure regular CRA to detect red flags. These red flags should also be inculcated within the AML/CFT policies and procedures so that they help the employees and the Relevant persons detect the launderers or terrorism enablers at the initial stage.

4. Shared Vulnerabilities

The word vulnerable literally means lacking protection against attack or harm. In the context of ML/TF, businesses are susceptible to exploitation by criminals who may misuse them as vehicles to facilitate money laundering and terrorist financing activities.

So, the Relevant Person, while developing their firm-wide risk assessment (FWRA), should consider their weak or vulnerable points in order to create better controls and prevent themselves from being an unwitting vehicle for launderers and terrorists.

5. Overlap in Regulatory Compliance

The Relevant Person must ensure the formulation, implementation, and compliance with AML/CFT policies and procedures, which include measures such as Customer Due Diligence (CDD), ongoing monitoring, regulatory reporting, and external independent audit. Relevant Persons operating in multiple jurisdictions must ensure that their compliance processes do not overlap.

6. International Cooperation

ML and TF are inherently cross-border crimes which often involve complex networks that span multiple countries. To effectively combat these illicit activities, international cooperation is essential. Also, the Relevant Person needs to be very cautious while doing international trade as the other side’s business could be a launderer, terrorist or their agent.

7. Mutual Dependence Between Money Laundering and Terrorist Financing

Money laundering and terrorist financing go hand in hand; their pathway to channel funds is the same, by which they affect the financial and non-financial systems of countries. They are mutually interdependent, as terrorists use money laundering networks to transfer the money they receive from their benefactors.

Challenges Faced by Relevant Persons in the UK While Combatting Money Laundering and Terrorism Financing Risks

The complexities of combating money laundering and terrorist financing risks arise due to numerous factors, such as:

Emergence of New Typologies

As there are new compliance processes for preventing and combatting ML/TF practices, there are new typologies made by the launderers and terrorists to continue the illicit practices. This is possible because no law is perfect; every law has loopholes, and the launderers and terrorists find such loopholes to break into the system. According to the NRA 2020, the following are the emerging typologies of ML/TF practices:
  • Mule Accounts
  • Organised Crime Groups (OCGs)
  • Professional Money Laundering.
The relevant person needs to be aware of these new typologies and conduct firm-wide risk assessments on a regular basis so that the firm/business has updated trigger points and red flags.

Mismatch in Regulatory Controls

As money laundering and terrorist financing are cross-border crimes, the rules, regulations and laws pertaining to AML/CFT vary from one country to another. Criminals involved in money laundering and terrorist financing (ML/TF) take undue advantage of regulatory variations to transfer funds for their own purposes.

There are numerous laws and acts in the UK governing AML/CFT, which tend to confuse the relevant persons, having multi-jurisdictional presence, as it becomes burdensome for them to go through all the regulations of different countries and maintain consistency across cross-border AML/CFT compliance requirements.

Lack of trained AML Professionals

The shortage of trained Anti-Money Laundering (AML) professionals in the UK presents several critical challenges that can impact operational efficiency. Operational challenges such as the scarcity of skilled AML professionals necessitate higher compensation packages to attract and retain talent, and the resource constraints lead to delays in processing and increased risk of oversight.

Lack of Awareness in the Non-Financial Sector

Many businesses in the non-financial sector that come under the AML/CFT compliance purview often face difficulties in staying abreast of regulatory changes, leading to potential non-compliance and associated risks. Failure to comply with AML/CFT regulations can also lead to significant legal and financial repercussions, including fines, sanctions, and reputational damage.

UK’s Global Efforts in Fighting ML/TF

Most countries in the world follow FATF guidelines. The United Kingdom is one of them. Since 1990, the UK has adhered to FATF guidelines, and the recent Mutual Evaluation 2018 concluded that the country was compliant with 31 of the FATF’s recommendations. The UK was placed on the regular follow-up process immediately after the adoption of its third-round Mutual Evaluation Report (MER).

The Joint Money Laundering Steering Group (JMLSG) is a UK-based organisation that produces guidance (JMLSG Guidance) to assist those in financial industry sectors represented on JMLSG by their trade member bodies in complying with their obligations under UK anti-money laundering (AML) and counter-terrorist financing (CTF) legislation and the regulations prescribed pursuant to it.

Anti-Money Laundering and Counter-Terrorism Financing Need Stringent Compliance Procedure: Concluding Thoughts

Money laundering is a crime from which the world suffers financial loss, and terrorist financing is a crime from which the world suffers human loss. If these crimes and their sources are not detected and stopped, then it will only lead to a world where neither money nor mankind is safe. Therefore, it is crucial for the Relevant Person to have stringent measures in place to detect such acts at the earliest stage, so that launderers and terrorists are unable to take them to the next stage or exploit the Relevant Person as an unwitting vehicle to carry out their illicit practices.

The Relevant Person must follow the guidelines and implement stringent compliance procedures with trained staff, ensuring that the process from registration to customer due diligence, filing SAR/STR, and record-keeping is carried out smoothly.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

How Blockchain helps in AML Compliance

This blog discusses how reporting entities, particularly tranche 2 entities, can capitalise on compliance with regulatory obligations through operational efficiency. With features like transparency, immutability, and decentralised nature, blockchain technology aligns seamlessly with Australia’s AML/CFT regulations. The blog explores key aspects of blockchain technology in an Australian context by explaining:  
  • What is blockchain, and what are the unique features that help combat money laundering, terrorism financing, and proliferation financing (ML, TF, and PF)?
  • The Role of Blockchain-Enabled KYC Process and its role in reshaping the AML compliance landscape in Australia.

What is Blockchain?

Blockchain is a process of tracking and recording transactions over a blockchain network. Each transaction is recorded as a data block and forms a chain of data. It is not possible to edit, tamper with, tweak, or modify data that has been entered once in a blockchain. Hence, blockchain provides a ledger of transactions that cannot be altered.

Blockchain is a shared database where transactions are recorded and tracked. It differs from traditional databases as data cannot be changed once entered. If a wrong data entry is made, then a reversal entry must be passed to nullify the effect. The salient features of blockchain transactions are discussed below:

Trusted Data Sharing – The data of a blockchain network is shared amongst the members only. It helps in keeping confidential data safe and protects it from being misused. Only those members who have access to blockchain data can access the information stored.

Decentralisation of Data – Blockchain data is not stored at a centralised location. It is captured over different computers on a network. When new information is added to the block, it is difficult to alter because other computers will reject it.

Easy Tracking – Multiple transactions are recorded in real time. It helps keep track of transactions easily.

Tamper-Proof – Data over a blockchain network is safe and secure from tampering. When new transactions are recorded, they are validated by other computer devices over the network based on a hash key of the current and previous transactions. After validation, the information is added to a block. No one can change or delete the transactions recorded, making the transactions immutable.

Efficient Record Keeping – Manual record-keeping is time-consuming and often leads to duplication. Blockchain helps in reducing the record-keeping process and eliminates the issue of duplicate records.

Accurate Information Retrieval – Data stored on a blockchain network is validated automatically, eliminating the chances of errors due to manual input in the data validation. This helps with accurate information retrieval.

Configurable Accessibility – There are various types of blockchains which can be customised and configured according to requirements. If a blockchain is public, anyone can view the data stored. Some businesses use private blockchains to keep the transactions and information within the organisation. It is accessible only to members who are part of a blockchain network.

Auditability – Blockchain, due to its tamper-proof security, efficient record-keeping, and accessibility, helps track transactions backed by blockchain. The transactions are recorded in a chronological manner, with all the information, like who did what. Since everything is captured online, the audit becomes easier and faster, providing easy auditability.

Blockchain-Enabled KYC

Blockchain helps in storing and tracking customer data. Moving from paper-based KYC to digital KYC helps in reducing costs. With all information saved on a decentralised network, it is not possible to tamper with customer data.

Legal Basis for Blockchain-Enabled KYC in Australia

The Australian AML laws administered by the Australian Transaction Reports and Analysis Centre (AUSTRAC) require reporting entities to verify customer identities, assess risks, and monitor transactions to prevent financial crimes. Traditional KYC methods often have high costs, data security, and inefficiency issues. Blockchain-enabled KYC solves these concerns by streamlining compliance and enhancing security and transparency.

Under the AML/CFT Amendment Act, 2024, tranche 2 reporting entities are required to conduct initial customer due diligence (CDD) before providing designated services to customers. This replaces the previous ‘applicable customer identification procedures’ (ACIP) with the initial CDD, which focuses on knowing the customer and understanding the risks of money laundering, terrorist financing, or proliferation financing while providing designated services to them.

Benefits of Blockchain-Enabled KYC

Security – Blockchain-enabled KYC solutions provide security to customer information. The customer data is stored on a decentralised network, which is only accessible to participant members. Thus, criminals find it difficult to breach the system and get confidential customer information. With public and private keys in blockchain, people who do not have the key cannot access confidential data.

No tampering – One of the inherent properties of blockchain is that the data stored cannot be altered. A blockchain KYC system allows information to be validated by different network systems. If the data entered is changed, it will be validated by other systems. The majority of systems will reject the changes if validation fails. Hence, the altered data will not become part of a block. Data quality can be maintained as a log is created when an attempt is made to alter data.

Consistent & Efficient – Blockchain makes the KYC process efficient. It prevents making duplicate entries. The risk of error and inconsistency can be avoided.

Data storage – Blockchain helps in storing the customer data. AML laws require customer data to be kept for several years. When data is stored in a database, it can be easily accessed as and when required. Huge amounts of data can be stored easily by reducing the size without compromising the authenticity of data.

Real-Time Update – The KYC information is stored on a decentralised network. It can be shared within the network. With this, other businesses that are part of the network can use the information, saving time and the cost of collecting the same information again.
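The hash-linking described under "Tamper-Proof" and the majority rejection described under "No tampering" can be seen in a small model. This is an added example, not code from this blog or from any blockchain platform; the use of SHA-256, the JSON encoding, the strict-majority vote, the node names and the KYC records are all assumptions constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block


def block_hash(index, prev_hash, record):
    """SHA-256 over the block's position, its predecessor's hash and its record."""
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_block(index, prev_hash, record):
    return {"index": index, "prev_hash": prev_hash, "record": record,
            "hash": block_hash(index, prev_hash, record)}


def block_ok(block, index, prev_hash):
    """A block is valid at a position if it links to prev_hash and its hash matches."""
    return (block["index"] == index and block["prev_hash"] == prev_hash
            and block["hash"] == block_hash(index, prev_hash, block["record"]))


def first_invalid(chain):
    """Audit one copy of the ledger: index of the first broken block, or None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if not block_ok(block, i, prev):
            return i
        prev = block["hash"]
    return None


class Node:
    """One network member holding its own copy of the ledger."""
    def __init__(self, name):
        self.name = name
        self.chain = []

    def tip(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS_PREV

    def validate(self, block):
        return block_ok(block, len(self.chain), self.tip())


def propose(nodes, proposer, record):
    """Proposer builds on its own tip; the block is kept only on a strict majority."""
    block = make_block(len(proposer.chain), proposer.tip(), record)
    voters = [n for n in nodes if n.validate(block)]
    accepted = 2 * len(voters) > len(nodes)
    if accepted:
        for n in voters:
            n.chain.append(copy.deepcopy(block))
    return accepted, len(voters)


def rewrite_from(chain, index, new_record):
    """Model an insider editing one record and re-hashing every later block."""
    chain[index]["record"] = new_record
    prev = chain[index]["prev_hash"]
    for block in chain[index:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["record"])
        prev = block["hash"]


def demo():
    nodes = [Node("entity_a"), Node("entity_b"), Node("entity_c")]  # constructed names
    for rec in [  # constructed KYC records
        {"customer": "C-1001", "id_verified": True, "risk": "low"},
        {"customer": "C-1002", "id_verified": True, "risk": "high"},
        {"customer": "C-1003", "id_verified": False, "risk": "medium"},
    ]:
        propose(nodes, nodes[0], rec)
    out = {"clean_audit": first_invalid(nodes[2].chain)}

    # 1) Record edited in place: the stored hash no longer matches block 1.
    naive = copy.deepcopy(nodes[2].chain)
    naive[1]["record"]["risk"] = "low"
    out["naive_edit"] = first_invalid(naive)

    # 2) Block 1 re-hashed as well: block 2 still points at the old hash.
    partial = copy.deepcopy(naive)
    partial[1]["hash"] = block_hash(1, partial[1]["prev_hash"], partial[1]["record"])
    out["rehash_one"] = first_invalid(partial)

    # 3) Whole tail rewritten on one node: that copy is self-consistent,
    #    but its tip no longer matches the other members' copies.
    rewrite_from(nodes[2].chain, 1, {"customer": "C-1002", "id_verified": True, "risk": "low"})
    out["full_rewrite_audit"] = first_invalid(nodes[2].chain)
    out["tips_match"] = nodes[2].tip() == nodes[0].tip()
    new_rec = {"customer": "C-1004", "id_verified": True, "risk": "low"}
    out["tampered_proposal"] = propose(nodes, nodes[2], new_rec)
    out["honest_proposal"] = propose(nodes, nodes[0], new_rec)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third case is the one a local audit cannot catch: the rewritten copy passes its own check, and the change only surfaces when the copy is compared with the other members' ledgers.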

Blockchain is Reshaping the AML Compliance

Blockchain technology has revolutionised AML compliance in Australia. It provides solutions to the concerns posed by traditional compliance methods. This technology has enhanced the customer due diligence process through blockchain-enabled KYC, providing secure and efficient identity verification and reducing the cost of operations and duplication. This empowers tranche 2 reporting entities to meet AUSTRAC’s reporting requirements and retain the records accurately.

Low cost – Blockchain helps a business reduce the cost of AML compliance. When transactions are stored and kept in a digital ledger, fewer human resources are required, also removing the element of human error. It also increases efficiency when the AML compliance team can dedicate more time to matters related to AML compliance. Cross-border transactions need more intermediaries. Blockchain can help reduce the involvement of intermediaries and related expenses.

More transparent – Public blockchain networks give transparency of information. Law enforcement agencies can leverage this information to investigate suspicious activities. As a log of each activity is maintained digitally, it is easy to investigate any transaction. Smart contracts help in identifying suspicious transactions. For example, if a threshold is exceeded in a financial transaction, the system will flag and alert the compliance team.

More secure – A blockchain network is decentralised. It does not allow changes in the data entered in a block. Criminals find it difficult to alter data in a blockchain database. Private blockchain networks are only accessed by members who have the right to access them. This prevents financial information from going into the hands of criminals, thus making it safe and secure.

FAQs on Blockchain in AML Compliance

How does blockchain help in KYC?

KYC is a process of identifying a customer by collecting personal information. Blockchain is a database that helps collect, verify, and store confidential data, including customers’ KYC details and transactions. Blockchain makes the KYC process transparent and secure and reduces the overall cost of the process. With blockchain technology, customer data is securely stored on a decentralised network. Alteration of customer identification information is not possible by non-members who don’t have access to the network.

It streamlines the onboarding process by reducing the information collection time and verification. The KYC questionnaire is sent to the customer and is not accessed by anyone else. The customer will provide information and supporting documents, which can be viewed by users who have access to them, making the KYC process fast and secure. It protects the integrity of customer information, data privacy and alteration of data.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

KYC Documentation Guide for KYC Analysts

This article serves as a guide for KYC Analysts when handling KYC documents by discussing the process of extracting useful information from KYC documents. Let us begin with understanding the meaning of KYC. Know Your Customer (KYC) is an important component of the Customer Due Diligence (CDD) process. The Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) regulatory regime of the UAE obligates regulated entities to conduct KYC to identify their customers and verify their identity. For this purpose, regulated entities collect KYC documents to establish the identity of their customers and validate the same from reliable, independent sources.

What is KYC?

KYC, which is Know Your Customer, is a systematic process that is used by business entities to verify the identity of their potential customers, and Re-KYC is the process of periodically updating and refreshing the KYC details of existing customers. Verifying customers’ identities ensures that they are the ones they claim to be and the information contained in the identity document is valid, accurate, and relevant.

What is a KYC Analyst?

A KYC Analyst is the person responsible for carrying out the KYC process in a regulated entity. While performing the KYC process, the KYC Analyst has to ensure compliance with the AML regulations. The KYC Analyst helps regulated entities, such as Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Service Providers (VASPs), counter financial crime risk by verifying the identity of their potential customer. They weed out suspicious individuals or entities and assist the AML Compliance Officer with timely identification, escalation, and reporting of suspicious activities and transactions. The KYC Analyst is responsible for conducting the KYC process and ensuring compliance with the customer onboarding guidelines that are prescribed within the regulated entity’s AML/CFT/CPF Policies and Procedures.

Guiding KYC Analyst with KYC Documentation through the Customer Onboarding Process

KYC Analysts play a pivotal role in handling KYC documentation and extracting useful information from KYC documents. This can be done after collecting identity documents from the customer and verifying the validity and authenticity of the ID document, followed by verifying the extracted information across valid and reliable independent sources or validation gateways to verify the identity of the customer.

Conducting KYC is important for regulated entities as it protects the business from being misused as a vehicle for conducting illegal financial transactions by identifying customers with criminal intentions. It also helps in ensuring compliance with Anti-Money Laundering (AML), Combatting the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) laws and regulations.

Key Responsibilities of KYC Analyst

Here are some key responsibilities of a KYC Analyst that guide KYC documentation management:

Customer Due Diligence (CDD):

CDD is the procedure by which the KYC Analyst satisfies himself that the information obtained from the customer is sufficient to establish a profile of the customer.

Let us discuss the key information that the KYC Analyst must collect as a part of his customer due diligence process:

  • Full name and aliases
  • Identification Document Number
  • Official Address Detail
  • Date of Birth or Place of Incorporation
  • Current Nationality
  • Details as to persons associated (UBOs in case of corporate entity)

In this process, he identifies and assesses risks associated with a customer and determines if additional documents are required to complete the due diligence. After collecting the basic information, the KYC Analyst provides that information to the screening analyst for sanctions screening. The screening analyst then provides findings and comments regarding the screening, adverse media, and Politically Exposed Persons (PEP) checks. The Risk Analyst gives the risk rating based on the findings and comments of the Screening Analyst. There are 3 types of CDD measures that are undertaken based on the risk-based approach adopted by the reporting entity. These are Simplified Due Diligence, Standard Due Diligence, and Enhanced Due Diligence.

Customer Onboarding:

The KYC Analyst helps in customer onboarding by becoming a link between the compliance team and the customer. He communicates any additional requirements to the customer and finally helps onboard the customer.

Regular Monitoring:

Another responsibility of KYC Analysts is to monitor customers’ information regularly and keep it updated at all times. There can be changes at the customer end after the initial onboarding, for example, a change in the structure of the company, the expiry of trade licenses, etc. The KYC Analyst communicates with the customer and keeps this information updated.

Documentation and Reporting:

The KYC Analyst is responsible for maintaining and recording the documents related to the CDD process. These documents include customer verification processes, risk assessments, monitoring activities, etc.

Documents to be Collected for KYC of Individual Customers

KYC documents are required for identity verification and address verification. Here are the KYC documents required for individual customers.

For the Customer Identity verification: Emirates ID/Passport/Driving License/Any other government-issued document having a photograph

For the Customer’s address verification: Utility Bill (not older than 3 months)/Municipal Tax Record/Property Purchase or Rent Agreement/Bank Statement/Insurance Policy/Any other Government document capturing address.

Role of KYC Analyst in KYC Document Management by Extracting Useful Information from an Individual Customer's KYC Documents & its Validation

What should a KYC Analyst look for in Key KYC Documents?

When extracting and interpreting useful information from KYC documents, the KYC Analyst must consider the following:

Passports and Identity Documents:

  • Validate Authenticity and Expiry Dates: The passport and identity documents should be checked carefully to see whether they are authentic or not. It can be checked by comparing the attributes of the document as mentioned on the applicable government websites. Moreover, the expiration date of a document is important to check, as expired documents cannot be used in the normal course of business.
  • Cross-Check Personal Details Against Other Provided Documents: The personal details of clients, like name, date of birth, etc., should match the other provided documents. This information is not likely to change, so it should be matched with the details provided in other documents.
  • Examine Security Features to Detect Forgeries: Forgery is an act of falsifying information or a document with the intention of defrauding the other person. The security feature of the KYC document must be checked to detect forgeries, which will help in curbing instances of fraud. For instance, security features in identity documents include holograms, specially made intricate designs, the embedding of electronic chips containing biometric information, and the use of Public Key Infrastructure (PKI) to prevent misuse or forgery of identification documents. The examination of security features can help detect false information, thereby making the KYC Analyst aware of forged documents or information.

Memorandum and Articles of Association (MOA and AOA):

  • Verify the Company’s Purpose and Business Activities: MOA and AOA provide the complete information about a company. With the help of MOA and AOA, the name, address, purpose, and work of any business can be understood. It even verifies that the business is legally registered. Before proceeding with a corporate customer, the KYC Analyst must verify the corporate customer’s MOA and AOA.
  • Confirm Authorised Share Capital and Shareholding Structure: It is also important to be aware of the company’s share capital and shareholding structure. It provides information regarding the distribution of power, decision-making authority, etc. This also throws light on the ultimate beneficial owner (UBO) of the corporate entity.
  • Assess Provisions Related to the Appointment of Directors and Decision-Making Processes: The provisions related to the appointment of directors and decision-making processes provide a brief understanding of the company. Knowing a company’s policy and procedures will help in making informed decisions as to whether the customer is authentic or not.

Trade License:

  • Ensure Validity and Authenticity: A Trade license is an important document as it provides information about the legal registration of a company. The document needs to be valid and authentic, as this will help determine whether a customer is genuine and whether an entity can proceed further with the customer. The validity and authenticity of a trade license reduce the chances of any fraud by the customer. The trade license helps identify the type of business activity the customer conducts and compares it with the actual purpose of the business relationship to identify if there is an inconsistency between the business’s intended purpose and actual business activity.
  • Confirm the Scope of Permitted Business Activities: The scope of permitted business activities should also be checked. It helps in identifying whether the nature of the business relationship is in alignment with the scope of permitted business activities; if the subject matter of the business relationship is not aligned with the business’s approved scope, this should raise a red flag, as such deviation might indicate involvement in ML, FT, or PF activities.
    For instance, if the customer of a regulated entity is a company whose permitted scope of business is jewellery manufacturing and sales but the subject matter of business with the regulated entity is the purchase and sale of real estate property not for corporate but for private purpose, then this must alert the AML compliance officer to look into the business relationship closely for suspicious activity.
  • Check for Any Restrictions or Special Conditions: The entity should also check for any restrictions or special conditions imposed upon a company. Compliance with such conditions will help the regulated entity know more about the customer company and that it is complying with all the requirements. It will help safeguard the entity from potential ML, FT, or PF threats.

Questions that help KYC Analysts Determine Customer Risk from KYC Documents Collected

KYC Information Collection Considerations

Ensuring Accuracy and Completeness of Collected Data

While collecting the documents for verification, it is important to extract & interpret useful information from KYC documents to verify each and every piece of information accurately, such as the name, address, etc. Moreover, it should also be ensured that the data provided in the document is complete. All the relevant data should be collected carefully.

Implementing Secure Data Storage Solutions:

The data collected should be stored safely. For this, secure data storage solutions should be considered. The storage of data can be helpful in retrieving the data afterwards as well. It will even be helpful if the customer has already been in a business relationship with the entity. In this situation, verifying the information and assessing the customer’s risk would be easy.

Regularly Updating Customer Information:

Along with collecting and storing the information, the periodic updating of customer information is also very important and mandated by UAE’s AML laws. KYC analysts can refer to AML UAE’s eBook: A Complete Guide on Re-KYC Process in AML Compliance to learn more about Re-KYC requirements in UAE.

The KYC Analyst should carry out the ongoing monitoring of business relationships to ensure that customer information is up-to-date. For example, if the customer’s address has been changed, it should be updated accurately. Updating information will help in ensuring compliance with the requirements of UAE’s AML, CFT, and CPF provisions contained in the Federal Decree Law and the Cabinet Decision, requiring regulated entities to ensure that customer details and records maintained with the regulated entity are updated and contain latest customer information. Ongoing monitoring must be done in accordance with the established customer risk profile.

Obtaining Customer Consent for Data Processing:

The KYC Analyst must exercise caution while extracting & interpreting useful information from KYC documents in the context of upholding data privacy and data protection requirements. The Federal Decree-Law No. 45 of 2021 Regarding the Protection of Personal Data protects the personal data of natural persons in the UAE. It states that customer consent is necessary before processing any personal data. This requirement of consent can be exempted in cases where the processing of personal data is important in the public interest.

Complying with Data Protection Regulations:

The Federal Decree-Law No. 45 of 2021 governs data protection in the UAE. While collecting information for KYC, it is necessary to comply with the above-mentioned law. Under this law, before processing personal information, the person’s clear consent is required. The person even has the right to get the personal information corrected.

Detecting Fraudulent Documents During KYC

  • Common Indicators of Document Fraud: There are certain common indicators of document fraud, like inconsistencies in font sizes and issues in formatting. An expired document is also an indication of document fraud. Alterations in name, photo, and other details are also common indicators of document fraud. While checking a document, every minute detail should be checked to reduce the chances of document fraud.
  • Techniques for Manual and Automated Document Verification: The manual technique for document verification includes checking all the details in the documents themselves. In manual document verification, each and every detail should be checked carefully, for example, by matching the photograph of the customer. If the entity has any doubt about a mismatch of information, then they can video call the person to check whether the person is the same or not. Apart from manual document verification techniques, there are automated document verification techniques in which the entity has software that checks the document. The use of software makes the verification task easy and fast. The chances of error are also very low in this case. AML UAE’s article What Is The Role of Technology In Anti-Money Laundering Compliance can be referred to by KYC Analysts.
  • Utilising Third-Party Verification Services: In third-party verification services, the entity can take the services of some third party for document verification. The third-party verification provides a double check on the document verification, thereby removing the chances of any fraud. However, KYC analysts must be mindful that utilising third-party services does not shift the KYC obligation of the regulated entity under UAE’s AML laws.
  • Establishing Protocols for Handling Suspected Fraud: There should be certain protocols in place by means of AML policies, governance structures and workflows for handling suspected ML, FT, or PF activities or transactions requiring the filing of SAR/STR and conducting the proper internal investigation in case of any suspicion. The appropriate steps, like offboarding the customer and informing the government regarding the fraudulent documents, should also be taken.

Signature Verification Methods: KYC Analyst's Toolkit

  • Comparing Signatures with Official Records: In the process of verifying the documents, signature verification is an important step. The first and foremost step is to compare the signature with the official records. The signature should match the signature in the official record. The writing style and spelling should be the same. A slight mismatch in the signature might be a sign of fraud, which might be disguising potential ML, FT, or PF activities. Though it will be difficult for the regulated entities to verify signatures, a comparison of the same with past KYC records will help ensure that they are not forged.
  • Employing Digital Signature Verification Tools: The digital signature verification tools provide a more secure way of verification. These tools use multi-factor authentication methods such as email, SMS verification, or biometric data. The signer needs to sign the document electronically. If any change occurs in the signature, the hash value will change, which indicates tampering with the signature. Digital signature verification tools make the verification process more robust and secure for KYC Analysts.
  • Understanding Legal Implications of Electronic Signatures: It is important to understand the legal implications of electronic signatures before employing them. The electronic signatures are legally binding, provided they are reliable. It means that while creating the signature, it was under the control of the signer and should be uniquely linked to the signer.
  • Training Staff in Handwriting Analysis Techniques: Training the relevant staff in handwriting analysis techniques will help in building a strong system for handwriting analysis. If the relevant staff members are trained properly, the chances of missing out on identifying forged signatures are minimal. The training should include verifying the customer’s handwriting style and spelling, etc.

KYC in Remote Onboarding: Best Practices

  • Implementing Secure Digital Identity Verification Processes: Secure digital identity verification processes make remote onboarding seamless. “AML measures for non-face-to-face customers: Combatting money laundering threats” can be referred to for more on the AML measures to ensure during remote onboarding. Digital identity verification includes biometric authentication methods and PIN or password validation. By implementing a secure digital identity verification process, the chances of any fraud are nil.
  • Utilising Biometric Authentication Methods: Biometric authentication is the most secure identification method. The biometric methods include face identification, iris recognition, and fingerprint recognition. These methods verify the face, iris, and fingerprint of the person and match them to see whether the customer is the same or not. It is an accurate method of proving the identity of the customer.
  • Ensuring Robust Cybersecurity Measures: In the case of remote onboarding, the chances of cybersecurity challenges are high, making it prone to cyber-attacks, phishing, etc. Robust cybersecurity measures can protect against data breaches. The measures can include providing training to staff regarding cybersecurity so that they can become aware of the ways to protect themselves from such cyber-attacks. The entity can also conduct regular risk assessments to identify potential threats.
  • Providing Clear Guidance to Customers on Remote Verification: Remote verification is a bit complicated, so clear guidance will be helpful to customers. The clear guidance will remove the possibility of any mistake, thereby reducing the chances of any ID fraud by the customers.
  • Monitoring Remote Transactions for Unusual Activities: Monitoring transactions is important for preventing any instances of fraud or money laundering. An unusual activity in the case of remote transactions can be monitored with the help of software. The software can trace doubtful transaction-related activity. It can be done using a geolocation discrepancy alert, multiple failed login attempts alert, unusual time to transact alert, etc.
    Monitoring the activities can help in detecting unusual activity before it can cause harm to an entity. Check out AML UAE’s infographic on Streamlining Video KYC: A Guide to Best Practices to understand the best practices when relying on Video KYC.
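
The three alerts named in the last point above (geolocation discrepancy, multiple failed login attempts, and unusual time to transact) can be written as rules over session events. The following is an added example, not part of the original article or of any AML UAE tool; the event fields, thresholds, customer IDs, and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed thresholds; a regulated entity would derive these from its own risk assessment.
FAILED_LOGIN_LIMIT = 3                         # this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)    # ... inside this window raise an alert
USUAL_LOCAL_HOURS = range(6, 23)               # 06:00-22:59 local time is treated as usual
LOCAL_TZ = timezone(timedelta(hours=4))        # UAE local time (UTC+4, no daylight saving)


@dataclass(frozen=True)
class Event:
    ts: datetime        # timezone-aware timestamp, stored in UTC
    customer_id: str
    kind: str           # "login_failed", "login_ok" or "transaction"
    country: str        # country resolved from the session IP address


def utc(day, hour, minute):
    """Build a UTC timestamp in March 2024 for the constructed sample data."""
    return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)


def detect_alerts(events, kyc_country):
    """Return (timestamp, customer_id, alert_name) tuples in time order.

    kyc_country maps customer_id to the country of residence recorded at onboarding.
    """
    alerts = []
    failures = defaultdict(deque)   # customer_id -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login_failed":
            window = failures[ev.customer_id]
            window.append(ev.ts)
            # Forget failures that fell out of the sliding window.
            while ev.ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT:
                alerts.append((ev.ts, ev.customer_id, "multiple_failed_logins"))
                window.clear()      # one alert per burst, not one per extra failure
        elif ev.kind == "login_ok":
            failures[ev.customer_id].clear()
        elif ev.kind == "transaction":
            expected = kyc_country.get(ev.customer_id)
            if expected is not None and ev.country != expected:
                alerts.append((ev.ts, ev.customer_id, "geolocation_discrepancy"))
            # Judge the hour in the customer's local time, not in UTC.
            if ev.ts.astimezone(LOCAL_TZ).hour not in USUAL_LOCAL_HOURS:
                alerts.append((ev.ts, ev.customer_id, "unusual_transaction_time"))
    return alerts


# Constructed sample data (not real customers or sessions).
KYC_COUNTRY = {"C-1001": "AE", "C-1002": "AE"}
SAMPLE_EVENTS = [
    Event(utc(4, 5, 0), "C-1001", "login_failed", "AE"),
    Event(utc(4, 5, 2), "C-1001", "login_failed", "AE"),
    Event(utc(4, 5, 4), "C-1001", "login_failed", "AE"),   # third failure in 4 minutes
    Event(utc(4, 5, 6), "C-1001", "login_ok", "AE"),
    Event(utc(4, 5, 10), "C-1001", "transaction", "AE"),   # 09:10 local, expected country
    Event(utc(4, 9, 55), "C-1002", "login_failed", "AE"),  # single failure, no alert
    Event(utc(4, 10, 0), "C-1002", "transaction", "AE"),   # 14:00 local, expected country
    Event(utc(4, 23, 30), "C-1001", "transaction", "SG"),  # 03:30 local, other country
]


def run_sample():
    """Run the rules over the constructed sample events."""
    return detect_alerts(SAMPLE_EVENTS, KYC_COUNTRY)


if __name__ == "__main__":
    for ts, customer, name in run_sample():
        print(ts.isoformat(), customer, name)
```

Each alert is an input to the analyst's review under the entity's escalation protocol rather than a finding in itself; a customer travelling abroad, for example, will also trigger the geolocation rule.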

Challenges in KYC Processes

  • Dealing with Complex Corporate Structures: The complex corporate structures used by criminals to disguise beneficial ownership pose a challenge in KYC processes, making it difficult to trace ultimate beneficial owners. Moreover, complex corporate structures open the way for criminals to channel illegal funds. It is important to understand the complex corporate structure to avoid AML non-compliance.
  • Identifying Ultimate Beneficial Owners (UBOs): Identifying the Ultimate Beneficial Owners is important to know about the authenticity of the people controlling the business. The legitimacy of UBOs provides the insight that the company is authentic.
  • Managing High Volumes of Data and Documentation: It is difficult to derive, analyse, verify, and maintain high volumes of customer information and documentation. The use of technology must be considered to streamline and meet record-keeping requirements in the UAE.
  • Keeping Up with Evolving Regulatory Requirements: The regulatory requirements are subject to change. To keep up with it is a difficult task. It is difficult to be aware of each and every new guideline and requirement which is introduced frequently. Non-compliance with these requirements might cost the regulated entity badly by way of fines and penalties.
  • Balancing Customer Experience with Compliance Needs: It becomes difficult to fulfil the customer’s expectations with the compliance procedure. The compliance procedure is long and tiresome, but the customer wants a seamless procedure. It becomes difficult to balance these two.

Leveraging Technology in KYC

  • Overview of KYC Software Solutions: Using technology in KYC makes the process easy, fast, and error-free. KYC software is used for identity verification, document verification, compliance checks, etc. As this method is more accurate, it helps in avoiding the risk of any fraud.
  • Criteria for Selecting Appropriate KYC Tools: There are certain criteria for selecting appropriate KYC tools. For example, the tool should be able to pick up even a slight change in the customer’s situation and provide an alert regarding it. Moreover, it should be able to perform remote customer verification. The KYC tool should be able to facilitate easy communication with the customer.
  • Integration of Artificial Intelligence and Machine Learning: The integration of Artificial intelligence and Machine Learning makes the verification process seamless. It is time-efficient and cost-efficient, and it even limits the possibility of any error. With the help of AI, thousands of transactions can be verified quickly. It can even detect any unusual transaction, removing the possibility of fraudulent transactions.
  • Benefits of Automated Document Verification: Automated document verification helps verify lots of information within less time. It saves time and cost. It is more accurate, removing the chances of any discrepancy. As the process of verification has become seamless, it results in more customer satisfaction.
  • Ensuring System Security and Data Integrity: Using the technology in KYC ensures data integrity, which further ensures the accuracy and consistency of data. The technology even ensures system security, like the privacy of information. System security and data integrity build the confidence of the customers in the entity. Along with confidence, the chances of any error are minimal.

Best Practices in KYC Implementation

  • Adopting a Risk-Based Approach to Customer Verification: The risk-based approach includes identifying, assessing, mitigating, and monitoring risk. This approach helps the KYC analyst when making decisions while detecting and preventing instances of ML, FT, and PF. This approach helps the KYC Analyst to segregate the customer into three categories: low-risk customers, medium-risk customers, and high-risk customers, thereby making it easy to conduct thorough scrutiny of high-risk customers while continuing CDD of low-risk customers with lenient measures.
  • Utilising Advanced Technologies for Identity Verification: The use of technology makes identity verification seamless and error-free. Advanced technologies can be used to verify identification documents in less time. The chances of errors are very low, which ultimately reduces the chances of any financial crimes. Apart from this, the use of advanced technology is cost-effective.
  • Regular Training for Staff on KYC Procedures and Updates: For efficient work, regular staff training is important. Regular and focused training makes the staff aware of all the updates and procedures related to KYC. Regularly training the staff will ultimately contribute to improved work quality and decreased chances of errors. In case of any unusual transaction, the staff can identify it easily and promptly escalate it to relevant personnel.
  • Maintaining Comprehensive Records of Customer Interactions: Maintaining records of customer interactions ensures adherence to KYC protocols and record-keeping requirements in the UAE. It shows that customers’ information is properly documented and stored, which can help in conducting an investigation, due diligence, and risk assessment.
  • Ensuring Data Privacy and Protection Compliance: In this digital world, data is a valuable asset. It is important to ensure that customer data is protected adequately. Data privacy and adherence to data protection requirements build the trust of customers and protect the entity from any legal repercussions.
  • Establishing Clear Escalation Protocols for Suspicious Activities: Establishing clear escalation protocols for reporting suspicious activities ensures that prompt action is taken when ML, FT, or PF activities are detected.

KYC Document Management by KYC Analyst through Extracting & Interpreting Useful Information from KYC Documents: A Summary

KYC is the process through which an entity can know about its customers, which helps the regulated entity identify, assess, and mitigate the risks associated with the customers. Certain specific information can be extracted from each document. The use of technology in extracting information from KYC documents makes the process of extraction and interpretation of documents easy, seamless, and reliable.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Financial Watchdogs: The Role of Gatekeepers in Combatting Financial Crimes

Gatekeepers are coveted professions, often considered as ‘entry points’ to the legitimate financial system. Due to this uniquely positioned role, Gatekeepers act as financial watchdogs by detecting, preventing, and mitigating financial crimes. In this blog, we will discuss the role of Gatekeepers in combating financial crimes such as Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF).

Let us first discuss the professions that comprise Gatekeepers.

Who Are the Gatekeepers?

Gatekeepers are those professions that act as an entry point or a gateway to the legitimate financial system. Due to this placement, Gatekeepers are uniquely situated to prevent the infiltration of illicit funds into the formal financial system.

Gatekeepers include the following professions:

  • Lawyers, notaries, and other legal professionals and practitioners
  • Auditors and accountants
  • Trust and Company Service Providers (TCSPs)
  • Real estate agents and brokers.

These professions are at high risk of being unknowingly or unwittingly misused as conduits to commit financial crimes by criminal actors. Therefore, they are regulated under UAE’s Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter Proliferation Financing (CPF) regulatory regime, to protect them and the larger financial system from the menace of ML/TF and PF.

Let us now understand why financial criminals seek to exploit Gatekeepers to conduct ML/TF and PF.

Why Do Gatekeepers Appeal to Financial Criminals?

Financial criminals seek to misuse Gatekeepers due to several reasons highlighted below:
  • Access to Financial Systems: Gatekeepers are considered ‘entry points’ to the financial system due to the nature of their services. Financial criminals seek to use their services to gain access to the legitimate economy.
  • Skills and Expertise: Gatekeepers possess specialised knowledge in creating and managing corporate structures such as shell corporations, facilitating real estate transactions, managing funds, etc. Financial criminals seek this expertise to undertake ML/TF and PF, especially to obscure the origin of illicit funds.
  • Perception of Legitimacy: Engaging reputable professionals such as Gatekeepers lends an appearance or veneer of legitimacy to financial transactions. This perceived credibility is sought by financial criminals to deter scrutiny from regulatory bodies, allowing illicit activities to go unnoticed.

Therefore, due to the potential misuse by financial criminals, gatekeepers are regulated under UAE’s AML/CFT/CPF regulatory regime and required to comply with certain obligations. Let us understand these obligations.

AML/CFT/CPF Regulatory Obligations of Gatekeepers in UAE

The AML/CFT/CPF regulatory obligations of Gatekeeper professionals in the UAE, such as lawyers, notaries, other legal professionals and practitioners, auditors and accountants, Trust and Company Service Providers (TCSPs), and real estate agents and brokers, are as follows:

1. Appointing AML/CFT/CPF Compliance Officer:

To oversee the gatekeeper’s entire AML/CFT/CPF compliance processes, an AML/CFT/CPF Compliance Officer must possess relevant qualifications and expertise and should be a fit and proper person.

2. Conducting Enterprise-Wide Risk Assessment

To identify and assess its ML/TF and PF risk exposure and adopt risk control measures accordingly. This helps the gatekeeper professional to identify the types of risks they are exposed to and tailor adequate and appropriate risk mitigation measures. Some of the examples of such risks include geographic risks, customer risks, transaction risks, etc. Gatekeeper professionals can make use of this checklist to assess or evaluate the efficacy of their risk management measures and take adequate measures to fortify them.

3. Establishing AML/CFT/CPF Policies, Procedures, and Controls:

To effectively comply with AML/CFT/CPF obligations.

4. Establishing Customer Due Diligence Procedures:

To understand the identity of customers and the degree of ML/TF and PF risks they pose to the gatekeeper professional, and adopt risk-based ML/TF and PF risk management measures.

5. Putting in Place Indicators to Detect ML/TF and PF Risks:

This facilitates swift identification of suspicious transactions and suspicious activities indicating ML/TF and PF risks. Some of the literature that can assist gatekeeper professionals in effectively identifying ML/TF and PF indicators, commonly known as red flags, is listed hereunder:
  • Red flags associated with high-risk jurisdictions
  • Red flags associated with smurfing
  • Red flags pertaining to tax evasion

6. Organising Awareness and Training Program for Staff

To ensure that the AML/CFT rules and regulations and the policies and procedures adopted by the company are consistently followed across the company and potential ML/TF/PF concerns are identified and suitably reported.

7. Establishing Systems for Regulatory Reporting:

To ensure internal reporting and investigation of suspicious activities and transactions, as well as its reporting through the filing of
  • Suspicious Activity Report (SAR) or
  • Suspicious Transaction Report (STR)
  • High-Risk Country Transaction Report (HRC) or High-Risk Country Activity Report (HRCA)
through the goAML portal.

8. Complying with Targeted Financial Sanctions (TFS) Requirements:

To comply with TFS obligations and conduct sanctions screening and promptly report any client sanctioned under the UNSC Consolidated List or UAE Local Terrorist List through the Fund Freeze Report, Partial Name Match Report, etc.

9. Ensuring Record-Keeping:

To maintain detailed records of information related to CDD measures, transaction records, AML/CFT/CPF compliance for at least 5 years in mainland UAE.

10. Following Specific Requirements:

For example, Real Estate Activity Report (REAR) for Real Estate Agents.

Let us now discuss the important role Gatekeepers play as financial watchdogs in combating ML/TF and PF.

Role of Gatekeepers in Combating Financial Crimes

Let us discuss the role of each Gatekeeper in combating financial crimes by understanding how Gatekeepers can detect and combat financial crimes through insightful examples.

Lawyers, Notaries, and Other Legal Professionals and Practitioners

Consider the case of a legal professional in the UAE. A client approaches the legal professional for the management of their funds. During such management, the legal professional notices that the funds involved originate from third parties. However, these third parties have no apparent connection with the client. Further, the funds are then transferred to a foreign jurisdiction that is a high-risk country due to being Blacklisted by FATF.

In this case the following ML/TF and PF red flags are detected:

  • The money being transacted has been funded by a third party with no apparent connection or any legitimate explanation.
  • The funds received by the client are transferred to a FATF Blacklisted country, which is considered a high-risk country.
Actions that can be taken by the legal professional to prevent ML/TF and PF:
  • The legal professional should file the High-Risk Country Report because the transaction involves a high-risk country
  • The legal professional should reconduct the Customer Risk Assessment (CRA) and categorise the client as high-risk due to the red flags detected
  • The legal professional should verify the Source of Funds and Source of Wealth of the client and ask for further details as part of the Enhanced Due Diligence (EDD) process. If ML/TF and PF risks are detected, the same should be reported through the STR.

Auditors and Accountants

Consider the example of an auditor in the UAE. The auditor is approached by a client to conduct an audit of their business. However, the client is reluctant to provide the information required for the audit process. Further, the client asks the auditor to expedite the process and complete the audit quickly. When the auditor makes further requests for data, the auditor comes to know that the client is unable to provide evidence of real activity, such as business operations. The auditor is unable to get further relevant information due to the client’s hesitancy.

In this case, the following ML/TF and PF red flags are detected:

Actions that can be taken by the auditor to prevent ML/TF and PF:
  • Since various red flags are detected, and the auditor is unable to investigate further due to lack of information, the auditor can deboard the client to derisk itself, which is one of the risk treatment strategies
  • Since the red flags detected by the auditor are common typologies used to conduct financial crimes, the auditor should report the same through SAR if funds have not been transferred or STR if money has exchanged hands.

Trust and Company Service Provider

Consider the case of a TCSP in the UAE. It is approached by an agent of a client to establish a company in UAE, as well as provide nominee services. The client preferred not to communicate with the TCSP directly. While conducting Know Your Customer (KYC) procedures, TCSP finds that the client’s Ultimate Beneficial Owner (UBO) has several companies in many jurisdictions worldwide, which appear to be shell companies due to a lack of business operations.


In this case, the following ML/TF and PF red flags can be detected:

  • The client refused to communicate with the TCSP directly
  • The client was a UBO of many shell companies around the world. Misusing shell companies is a common typology used by financial criminals.
Actions that can be taken by the TCSP to prevent ML/TF and PF:
  • Categorise client as ‘high-risk’ during the Customer Risk Assessment (CRA) process
  • Conduct Enhanced Due Diligence (EDD) for the client, and understand their nature and purpose of establishing the company
  • If the occurrence of financial crimes is detected, report the same through SAR or STR.

Real Estate Agents and Brokers

Consider the example of a Real Estate Agent in the UAE. A trustee of a trust established in an offshore jurisdiction approaches the Real Estate Agent to purchase luxury property. The trust was established in a known tax haven country, and the trustee insisted on paying for the real estate property upfront. Upon inquiry, the Real Estate Agent finds that the ownership structure of the trust is complex and difficult to ascertain.
In this situation, the following red flags can be detected:
  • The trust is registered in a known tax haven
  • The ownership structure of the trust is complex, and may be so to obscure the identities of Ultimate Beneficial Owners
  • The trustee is ready to pay for a luxury property upfront
Actions that can be taken by the Real Estate Agent to prevent ML/TF and PF:
  • Conduct Enhanced Due Diligence (EDD) for the trustee and the trust and ascertain the Source of Funds and Source of Wealth
  • Ask for additional information to ascertain the identity of the UBOs
  • Investigate suspicions of ML/TF and PF and report the same through STR or SAR.
Now, let us discuss the best practices that can be adopted by the Gatekeepers to enhance their efforts in combating financial crimes.

Best Practices for Gatekeepers to Combat Financial Crimes

Gatekeeper professionals such as Lawyers, notaries, other legal professionals and practitioners, Auditors and accountants, Trust and Company Service Providers (TCSPs) and Real estate agents and brokers must adopt the following best practices to safeguard their business against ML/TF and PF:

Developing and Implementing Effective AML/CFT/CPF Program

Gatekeeper professionals should make, establish, and implement a clear and concise AML/CFT/CPF Program. The AML/CFT/CPF Program includes policies, procedures, controls, governance structures, and other components that help Gatekeepers meet their AML/CFT/CPF compliance obligations and promptly detect, manage, and mitigate ML/TF and PF risks.

Ensuring Thorough Customer Due Diligence

Customer Due Diligence (CDD) is a Gatekeeper’s weapon against illicit actors that seek to misuse the Gatekeeper to commit financial crimes. A new-age CDD process must make use of Video-KYC and Perpetual KYC tools. CDD helps the Gatekeeper professional understand the identity of their customers and the ML/TF and PF risks each customer poses to the Gatekeeper.

It enables the Gatekeeper to adopt risk mitigation measures proportionate to the degree of ML/TF and PF risks posed by the customer.

Establishing Systems to Proactively Detect and Mitigate ML/TF and PF Risk

Gatekeepers should establish strong monitoring systems to proactively detect potential ML/TF and PF activities by installing transaction monitoring systems.

Gatekeepers can leverage technologies such as advanced data analytics, Artificial Intelligence, Machine Learning, etc. Gatekeepers should also ensure that they understand the red flags and common typologies of ML/TF and PF, and the same is part of the AML/CFT/CPF Training for their employees.

Establishing a Culture of AML/CFT/CPF Compliance, Integrity, Accountability and Transparency

Gatekeepers should inculcate a culture of AML/CFT/CPF compliance and values such as integrity, accountability, and transparency throughout their organisational structure. Such a culture plays a key role in shaping the actions of the various stakeholders, ensuring that they act ethically in all their functions. Senior management should take the initiative to set the tone of compliance and ethical values from the top, and make sure that the same permeates at every level of the organisational structure.

Regularly Conducting AML/CFT/CPF Training

Gatekeepers should conduct regular AML/CFT/CPF training for employees to enable them to effectively perform their role in the AML/CFT/CPF compliance process of the Gatekeeper. Training should cover key topics such as recognising ML/TF and PF red flags and typologies, Gatekeeper’s AML/CFT/CPF compliance obligations, reporting suspicious activities and transactions, etc.

Encouraging Open and Transparent Communication

Gatekeepers should encourage open communication and promote a ‘speaking up’ culture. Doing so would ensure that any stakeholder who comes across a suspicious activity or transaction that indicates financial crime risks would promptly report the same internally.

Gatekeepers should also establish a clear process for internal reporting. They should also implement whistleblower policies to ensure the anonymity and protection of whistleblowers. The UAE government has become proactive in developing laws requiring various reporting entities and professions to draw up whistleblower policies to ensure regulatory compliance.

Engaging in Cross-Industry and Cross-Sector Collaboration

Gatekeepers should proactively engage with a broad network of organisations across industries and sectors to share useful information, best practices, red flags, etc., that detect and combat financial crimes.

Some organisations have immense experience in detecting ML/TF and PF typologies, while others may be experts at technological solutions to tackle financial crimes. Sharing information ensures that all participants learn from each other’s strengths while addressing their own vulnerabilities. Through this, gatekeepers can strengthen market integrity through collaborative efforts in mitigating ML/TF and PF.

The Role of Gatekeepers in Combatting Financial Crimes: Final Thoughts

Gatekeeper professions, therefore, are responsible for maintaining the financial system’s integrity by detecting and preventing financial crimes. By adhering to AML/CFT/CPF regulatory requirements and implementing the best practices discussed above, these Gatekeepers can effectively mitigate financial crime risks and contribute to a safer financial environment.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

A Complete Guide to ID Verification: Best Practices and Tools

What are ID documents?

Commonly known ID documents are government-issued identity documents such as passports, resident identity cards or driving licenses, among many such Identity (ID) documents, varying in terminology according to the jurisdiction where the authority is located.

For example, a government-issued identity document is commonly called an Aadhaar Card in India, an Emirates ID in UAE, a Pinyin Card in China, a National Identity Card (NIC) in Europe and a Social Security Number (SSN) in the USA, to name a few.

What is ID verification?

Identity verification, or ID verification, is a process wherein the identity a person claims is verified against the document that the individual presents to support the claim, a document purported to be officially issued by a government or semi-government authority.

In simple words, ID verification is a security measure deployed to confirm the authenticity of an individual’s identity and the validity of a document supporting the identity claimed by such an individual.

The ID verification process has become one of the routinely sought requirements for the Customer Due Diligence (CDD) process across various sectors such as Banking and Finance, Designated Non-Financial Businesses and Professions (DNFBPs), IT Services, healthcare, real estate, Virtual Assets activities and services, and many other sectors.

What is Digital Identity Verification?

Digital Identity Verification is aimed at confirming an online identity. It uses various methods, such as biometric verification and facial recognition, to authenticate that the person is who they claim to be.

What Are the Common Methods of Identity Verification?

Commonly used methods of identity verification include:

Document Verification

Document verification is the most common method to verify a person’s identity. The ID document is verified by examining its security features and details.

Biometric Verification

Biometric verification uses biometric information, such as facial recognition, voice recognition, iris and retina scanning, and fingerprint matching, compared against a database to confirm a match with the actual ID holder.

Credit Bureau-Based Authentication

This method relies on information from various credit bureaus, which hold vast credit information repositories on consumers, such as their names, addresses, and ID numbers.

Database Identification Methods

Database ID methods collect information from multiple sources to confirm a person’s identity. These sources include various social media platforms as well as offline databases.

Knowledge-Based Authentication

Knowledge-based authentication (KBA) validates a person’s identity by prompting them to answer, within a specified timeframe, security questions that are specific and unique to that individual and can be answered only by the person in question and not anyone else.

Online Verification

The online verification process includes determining whether a government-issued ID belongs to the person claiming it. Further, it includes using biometrics, AI, and human review. This method usually performs validity checks by prompting the person to share a selfie to ensure that the person holding the ID (during ID Verification) is the same person shown in the ID photo.

Two-Factor Authentication [2FA]

2FA involves two steps. As the name suggests, in addition to entering a password, the person must provide a second piece of personal identification, called a token, when prompted for it. An example is signing into a Google account: a prompt or token is sent to the registered email ID, device, or phone number, and the person enters the token on the login page from which the request originated, in addition to entering the password.

Device Verification

The device verification method checks the legitimacy of the device used to conduct a transaction.

The Identity Verification Process

The ID verification process covers numerous stages aimed at confirming and validating a person’s identity, and these stages differ from business to business depending on their unique individual requirements. The infographic provides the usual flow of the ID verification process.
To sum it up, the ID verification process entails:
  • Assessing ID verification needs.
  • Determining, implementing, testing, and revising the right ID verification method, whether offline or online, and whether an API is to be used.
  • Informing customers and requesting documents.
  • Receiving, verifying, and validating ID documents.
Further steps include screening, risk assessment, ongoing monitoring, and record keeping.

Why is digital identity verification necessary?

Compliance with Regulations

Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Laws worldwide and recommendations of the Financial Action Task Force (FATF) call for identity verification as a requisite to prevent money laundering and terror financing (ML/TF). Thus, implementing identity verification programs helps businesses comply with AML/CFT laws.

Digital ID verification ensures that ID verification checks and balances are uniformly applied across the organization, records can be extracted whenever needed, and API integration with the government/regulator database ensures up-to-date compliance.

Cost Efficiency

Digital ID verification is undeniably more cost-efficient than manual ID verification: most of its process is automated, and the verification steps that require intricate scrutiny are digitized, which significantly reduces human effort and brings down operational costs.

Improved Customer Experience

Digital ID verification methods, such as self-service login and filling of questionnaires, and quick verification through QR code scanning at kiosks or counter-tops, save the customer from waiting in long queues and provide remote access to fulfil formalities instantly, thus ensuring customer satisfaction and retention and low rates of abandonment.

Fraud Prevention

The very purpose of ID verification is to prevent financial crime in its initial stage by successfully identifying whether the person whose identity is being verified is an authentic person or not. Fraud can enter the organization through identity theft, online scams, account hacking, identity cloning, etc. By verifying an individual’s identity, fraud risk can be significantly reduced.

Security Enhancement

Confirming and validating individuals’ identities before entering business relationships ensures that only authorized individuals can access services and sensitive information, thus reducing the risk of data breaches and cyber-attacks.

Recent Developments in Identity-Related Offences

There has been a rise in the use of “deepfakes”, i.e., the creation of pictures, videos or audio that appear realistic but, in fact, are generated using artificial intelligence. Criminals are using this technology to generate fake identification documents like driver’s licenses and passports and create false pictures by modifying a stolen source picture or creating an entirely new image using AI.

Digital ID Verification Software Features

Identity Verification

Digital ID Verification Software helps verify government-issued IDs and performs biometric selfie matches.

Liveness Check

Liveness Check ensures the genuineness of the ID holder using a selfie video. One can also add various prompts to make this process more robust.

Sanctions Check

The underlying software performs sanctions checks against the UNSC and local sanctions lists as per the regulatory requirements and helps identify full, partial, or false matches.

PEP Check

The Screening Software comes with a global Politically Exposed Persons (PEPs) database and helps identify high-risk customers.

Adverse Media Check

The Digital ID Verification Software also comes with a feature where one can perform adverse media checks and identify risks associated with a customer.

Address Verification

The Digital ID Verification Software supports Optical Character Recognition (OCR) and saves valuable time. It validates proof of address documents like utility bills, bank statements, property lease agreements, etc.

Multi-Party Video Verification

Multi-Party Video Verification facilitates collective confirmation of the KYC information. It helps eliminate the risk of impersonation or fraudulent activities.

Customer Due Diligence (CDD) Questionnaire

One can customize the KYC form and add customer due diligence questions as per the regulatory requirements and risks associated with an individual.

Biometric MFA

Biometric MFA adds an extra layer of protection, making it difficult for unauthorized individuals to forge authentication, and it mitigates the risk of impersonation.

Phone Verification

Phone Verification helps perform Two-Factor Authentication.

Email Verification

Email Verification helps perform Two-Factor Authentication.

eSignatures

eSignature helps perform seamless customer onboarding and ensures legal compliance.

What is an Online ID Verification Service?

Online ID verification services are those that compare the identity a person claims to possess with data that proves it; these are identity proofing solutions which usually confirm/verify and validate government documents such as the passport, driver’s license, resident identity card, etc. with the person providing the same or claiming the same to be their ID.

Online ID verification services use APIs as discussed above to balance customer experience and security and help enterprises conduct business in a fast, efficient, safe, and compliant manner by preventing the imposition of penalties for non-compliance with AML/CFT, KYC and sanctions regulations – laws which call for robust identity verification.

Traditional Identity Verification vs. Digital ID Verification API

The pitfalls of the Traditional ID verification process include:
  • Customer abandonment: The traditional ID verification process is elaborate and time-consuming, which leads customers to abandon onboarding and seek to enrol with other companies that use API-based digital ID verification, which is much easier, faster, and grants a world-class customer onboarding experience.
  • High Cost: The cost of ID document collection, scanning and verification is relatively high, especially when done in large quantities.
Digital ID verification by using an API has numerous benefits, such as:
  • Eliminating the need to re-verify customers who are previously or already registered.
  • There is no need to verify and cross-check documents physically.
  • Reduction in operational costs while using digital ID verification API as it provides a high return on investment.
  • Improved end-customer experiences and increased onboarding success.
Thus, shifting to Digital ID Verification API is highly beneficial as it is secure, accurate and scalable for businesses with different needs.

How Can Technology Maximize the Effectiveness of Identity Verification?

Shifting from the traditional method of collecting ID verification documents to the utilization of technology is essential in this age as it’s necessary to keep up with the advancement of technology.

It is only logical that organizations optimize the use of their resources by implementing fast, efficient, reliable, highly accurate, and compliant methods that can be used remotely and in real-time.

Digital Identity verification processes consist of a combination of biometric, AI-driven end-to-end feature sets powering workflows from ID capture and verification to proof of address and AML screening.

In simple words, the use of technology increases the effectiveness of the ID verification process. It:

  • Lowers the operational costs
  • Reduces infrastructure costs while entering new markets without the need for a physical presence
  • Increases the chances of fraud detection, thereby lowering the compliance cost
  • Increases customer satisfaction, thus lowering the abandonment rate, by providing fully remote and almost instant access through mobile apps.

How to Choose the Right ID Verification API

Due to stringent regulatory requirements, such as customer due diligence, ID verification has become a mandatory process for businesses when onboarding individuals to prevent fraudulent activities and AML/CFT violations. The ID verification Application Programming Interfaces (API) are tools that enable efficient ID verification for the same.

What is an API and how does it work?

An API is a software intermediary that allows two applications to communicate using a set of protocols. A simple everyday example is the Weather Department’s software system, which contains daily data and updates on the status of weather reports: the ‘weather app’ on our cell phones communicates (using an API) with the weather department software and provides us with real-time information on weather updates.

A similar example from the AML/CFT perspective would be the Sanctions and Targeted Financial Sanctions lists maintained by the United Nations Security Council Resolution (UNSCR), Office of Foreign Assets Control (OFAC), etc., that are accessed by various ID Verification and Sanctions Screening APIs to return results against the names of individuals or businesses screened for compliance purposes.

Selecting the suitable ID Verification API

Picking the suitable API that meets your business needs is a crucial step, which first includes surveying the market for the kinds of APIs that could suit your unique and specific requirements. From an AML/CFT compliance viewpoint, the correct API for you must entail ticking off several checkboxes, such as
  1. ID verification API should be easy to embed into the onboarding workflow, enabling quick and efficient ID verification that is compliant with local and international AML/CFT laws
  2. API should be able to carry out an age verification process for several age-restricted products and services such as online gaming, online dating, online gambling, etc.
  3. API should be able to capture IDs through OCR and extract ID information.
  4. API should be able to verify the authenticity of the information captured from supposed ID documents provided by the customer
  5. API should be able to validate ID document numbers such as passport number, driver’s license number, Social Security numbers (SSNs), Emirates ID number (EID), etc., across the document provided to validate the same.
  6. API should verify the phone numbers provided by customers
  7. API should ideally be ISO certified and GDPR compliant and should provide options such as
     • Direct integration
     • Integration Via Core Providers
     • Integration Via 3rd Parties
  8. API should provide a unified solution for AML/CFT compliance, client onboarding and client self-service for the customer due diligence process.
  9. The API provider should ideally provide sufficient development support, tutorials, cloud SaaS, usage tier-based pricing, and on-premise integration.
  10. The API should be white-labelable to suit businesses’ branding and privacy requirements.
  11. Ultimately, the API should
    • Lower Operational Costs
    • Lower Infrastructure Costs
    • Lower Compliance Costs
    • Lower Fraud Rate
    • Lower Abandonment Rate
    • Thus giving a Return on Investment that is sizeable in nature.

How Does Identity Verification Weave Its Magic Across Different Sectors?

The need for digital ID verification is no longer limited to the banking or finance sector. Its scope has widened to curb illegal activities and ensure compliance with regulations imposed by authorities. Sectors that require ID verification to conduct their business in a safe and compliant manner are:

Banking and Finance

Due to the inherently risky nature of business, the banking and finance sector is most prone to fraud. It requires digital ID verification to comply with regulations such as AML/CFT laws and KYC requirements.

Digital ID verification helps automate compliance with citizenship and sanction regulations. KYC needs are fulfilled through AI data extraction and validation from the provided Proof of Address documents.

Regulatory compliance is ensured through global regulations that involve validation of customer ID, addresses and information for AML/CFT and KYC compliance.

Designated Non-Financial Businesses and Professions (DNFBPs)

DNFBPs comprise a wide range of entities and individuals involved with activities outside the scope of the traditional financial sector. Still, they can be exploited for ML/FT purposes or other illicit financial activities.

The Financial Action Task Force (FATF) prescribes that DNFBPs combat ML/FT, as they are vulnerable to misuse and responsible for identifying and mitigating risks associated with financial crimes. Broad categories of DNFBPs include:

Lawyers, Notaries, Conveyancers, and Other Independent Legal Professionals

Legal professionals such as lawyers and notaries provide legal services, including property conveyancing, trust creation, and company formation.

Accountants, Auditors, and Tax Advisors

Accountants, auditors, and tax advisors are responsible for maintaining financial records, conducting audits, and guiding individuals and businesses on tax matters.

Real Estate Agents, Developers, and Brokers

Professionals in the real estate industry, including agents, developers, and brokers, facilitate property transactions, such as buying, selling, and leasing real estate properties.

Dealers in Precious Metals, Jewels, and Stones

This category encompasses businesses engaged in buying, selling, or trading precious metals like gold and silver and dealing with jewellery and valuable gemstones.

Trusts and Company Service Providers

These entities specialize in creating, managing, and administering trusts, companies, or other legal structures for clients.

Casinos, Online Gaming, and Gambling Establishments

Casinos, online gaming platforms, and gambling establishments fall into this category, as they handle financial transactions related to gambling activities.

Insurance Firms, Agents, and Brokers

Insurance companies, agents, and brokers are involved in selling and providing insurance products and services.

Virtual Asset Service Providers (VASPs)

Entities involved in cryptocurrency trading, exchange platforms, and virtual currency wallet services.

The abovementioned sectors have to implement an ID verification process and record keeping as a part of their AML/CFT compliance framework to maintain the integrity of the economic system.

ID verification is the first step for the mandatory customer due diligence (CDD) process, following which risk assessment, enhanced due diligence and ongoing monitoring of business relationships are conducted.

Age Restrictive Sectors

Alcohol, Dating Services, Online Gambling, Online Gaming

These sectors fall under the restricted goods category globally and require compliance with age-restriction law provisions. Age Verification APIs can provide quick and efficient age validation tools.

What Are the Legal and Regulatory Requirements for Identity Verification?

Compliance with global ID verification regulations is essential for businesses while collecting, handling, and using personal information.

Non-compliance with regulations could lead to imposition of fines and penalties and loss of reputation. Awareness of and compliance with ID verification regulations can help businesses detect and prevent non-compliance with regulations and prevent events such as identity theft, account hacking and other fraud.

A few general ID verification regulations include:

AML/CFT Regulations

AML/CFT laws across the globe include but are not limited to:
  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations applicable in the UAE.
  • Guidance for Licensed Financial Institutions on Digital Identification for Customer Due Diligence issued by the Central Bank of the UAE.
  • Anti-Money Laundering Directives (AMLD) and Sixth Anti-Money Laundering Directive (6AMLD) by the European Union
  • The Money Laundering, Terrorist Financing and Transfer of Funds Act 2017, the Proceeds of Crime Act 2002, and the Terrorism Act 2000 are applicable in the UK.
  • Federal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1997, also referred to as the Anti-Money Laundering Act (AMLA), is applicable in Switzerland.
  • The Bank Secrecy Act (BSA), the Patriot Act, and the Anti-Money Laundering Act 2020 (AMLA) are applicable in the USA.
  • The Monetary Authority of Singapore (MAS) provides AML/CFT supervision in Singapore.
  • Financial Transaction Reports Act 1988, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Australian Transaction Reports and Analysis Centre (AUSTRAC) provide AML/CFT supervision in Australia.
  • Prevention of Money-Laundering Act, 2002, applicable in India.

United Nations Security Council Resolutions

United Nations Security Council Resolutions (UNSCRs) require member states to implement measures to prevent terrorism, including identity verification, sanctions screening, and business relationship monitoring requirements for regulated businesses.

Financial Action Task Force (FATF) Recommendations

The FATF 40 Recommendations apply globally and provide guidance on AML/CFT measures, including the customer due diligence and identity verification requirements to be implemented when applying a Risk-Based Approach (RBA) to mitigate the risk that a business is exposed to from its potential customers. The risk is further prioritised according to customer risk attributes such as demographics, age distribution, homogeneity, and market size.

These regulations prevent criminals from using established financial systems and businesses for ML/FT and require regulated institutions to verify the identities of their customers.

Data Protection and Data Privacy Laws

Businesses must comply with global regulations that set out, among other things, the rights of individuals over the use of their data by the data controller and data processor. Data protection regimes across the globe include but are not limited to:
  • The Personal Data Protection Law, UAE, Federal Decree-Law No. 45 of 2021, regarding the Protection of Personal Data
  • General Data Protection Regulation (EU GDPR)
  • California Consumer Privacy Act (CCPA)
  • The California Privacy Rights Act of 2020
  • Digital Personal Data Protection (DPDP) Act, 2023, India
  • The Personal Data Protection Act (PDPA), Singapore

Know Your Customer (KYC) Regulations/Requirements

KYC regulations usually originate from AML/CFT and FATF recommendations and require regulated businesses to identify and verify the identity of their customers to prevent money laundering, fraud, and terrorist financing.

Electronic Identification, Authentication and Trust Services (eIDAS) regulation

This EU-based regulation provides a legal framework for electronic identification and trust services, including digital signatures, seals, and timestamps.

Payment Card Industry Data Security Standard (PCI DSS)

This global standard applies to businesses that accept credit card payments and includes requirements for identity verification to prevent fraud.

Electronic Signatures in Global and National Commerce Act (ESIGN)

It is a US law providing a legal framework for electronic signatures and verification recognized globally.

Red Flags Associated with Digital Identity Verification

Regulated businesses must verify their prospective clients’ IDs to ensure regulatory compliance. Red flags indicate potential issues that could arise while carrying out the ID verification process. They include, but are not limited to, unwillingness to provide identification information, such as:
  • Concealment of true identity or lack of valid identity proof
  • A PO box address or a phone number associated with an answering service, or a foreign national with no significant dealings in the country and no apparent economic or other rationale for doing business with the business/organization conducting verification.
  • Concealment of Beneficial ownership (for corporate clients).
    • Fund sources.
    • Transaction reasons.
  • Inconsistent or Altered Documents
    • Documents that appear fake, altered, or otherwise inauthentic.
    • Inconsistent identity document numbers
    • Suspicious or inconsistent personal information (such as a wrong address on a document)
  • Personal information is inconsistent across multiple sources.
  • Personal information is associated with known fraud activity and cases.
  • An existing customer is unable to answer challenge questions correctly.

What Are the Challenges and Risks Associated with Identity Verification?

Challenges faced with the ID verification process include:

Fraud and Impersonation

After establishing a business relationship, it is natural for businesses to exchange sensitive information with their counterparties. Fraudsters and identity thieves create fake accounts and impersonate legitimate users to gain access to confidential information. This leads to violations of the data protection and privacy rights of individuals.

Customer Experience

Manual ID verification processes are paper-based and time-consuming. Businesses need to strike a balance between customer experience and compliance requirements. Digital ID Verification solutions provide a world-class experience and security while handling the customer onboarding processes.

Malicious Acts - Identity Theft and Fraud

Using stolen private data or creating fake identities to gain unauthorized access harms the business reputation, leads to loss of customers, and brings down customer trust.

Authenticity of Documents

Authenticating the validity of identity documents is a necessary step in the verification method. Fake identity documents, whether modified or forged, can be hard to distinguish from the originals, and document cross-verification may lead to false positives against ID verification checks. This makes it essential for businesses to install advanced document verification techniques.

Installation of Authentication Software

Incorporating identity verification tools such as APIs into existing applications can be complicated if not taken care of, especially for large-scale businesses with diverse systems and platforms. Ensuring a smooth integration process without disrupting existing systems is essential.

What Are the Best Practices for Identity Verification?

By implementing best practices, businesses can ensure compliance with identity verification requirements prescribed in AML/CFT regulations across the globe and protect their customers’ personal information from identity fraud and other illicit activities.

Some suggested best practices include:

Adoption of Risk Based Approach (RBA)

Formulating and implementing ID verification measures commensurate with the risk the business is exposed to is important, as not all ID verification APIs or programs are the same, and they constantly evolve to meet business needs. By using RBA, a business can customize the ID verification process to the level of risk it is exposed to for a particular client or transaction.

AML/CFT Compliance Framework

A formally drafted and approved Compliance Framework can help businesses ensure that they adhere to all relevant identity verification, AML/CFT, data protection and data privacy regulations.

The compliance framework should include policies and procedures for collecting, retaining, and using personal information for future use, as well as processes for monitoring and reporting any violations of regulations, such as suspicious activity reports.

Data Encryption and Security

Implement data encryption protocols and cybersecurity measures through a reliable ID verification API solution that safeguards sensitive user information from breaches.

Obtaining Explicit Consent

Obtaining explicit consent from customers is a legal requirement prescribed by various global data protection and data privacy regulations for collecting and using their personal information. Businesses should ensure that customers know what information is being collected and how it will be used and obtain their consent before verifying.

Customer Behaviour Observation

Use APIs that can assess odd user behaviour in real time and respond quickly to any security threat.

Global Compliance Regulatory Standards

Ensure that the business is equipped with the latest fraud-detecting techniques. Also, ensure that the ID verification and authentication methods align with regional compliance standards to minimize legal risks.

Multi-Factor Authentication (MFA) Implementation

Implementing MFA ensures that an extra layer of security is provided to customers. This could include something customers already know (password), device access (a mobile device/laptop/PC), and biometric data.

The Importance of ID Verification Apps in Ensuring World-Class Customer Experience

An ideal ID verification app ensures a world-class customer experience by providing the end customer with:
  1. Global coverage supporting ID types from all over the world, ensuring seamless accessibility.
  2. Accurate verification of good customers against fraud by keeping fraud attempts negligible, thus reducing inherent risk.
  3. Multi-factor authentication – adding biometric authentication that enhances security, data protection and customer experience.
  4. Password reset and account recovery through self-service solutions.
  5. Enable real-time, multi-party transactions through live video verification that is remotely accessible
  6. Provide for eSignatures feature wherever required to ensure the legality of electronic contracts and agreements.
  7. Automated verification of the identity of customers to avoid duplication of efforts.
  8. Ability to detect and incorporate NFC chip damage into adaptive process flow, reducing the requirement of asking for fresh IDs in case of damaged IDs.
  9. Enabling self-verification through self-service on their device through QR codes or kiosks by filling out Customer Due Diligence questions and activating their accounts for said service.

What Future Trends and Innovations Illuminate Identity Verification's Path?

As the saying goes, “Necessity is the mother of all inventions.” The same holds true for any innovation that comes into being; the very need to innovate or improvise arises from a lack of accessible and practical solutions to problems encountered by the public at large. Such issues and their future ‘fixes’ – which are innovations and future trends, include:

Liveness Check and Proof of Humanity:

When it comes to ensuring the genuine presence of an individual whilst conducting online/remote Identity verification using a video call, ‘Liveness check’ detects if the subject is a real live human or a bot. It provides an additional layer of security to ensure that the user is a real and unique person, thus enhancing the value of online platforms.

Digital Avatars:

Digital IDs (DIDs) or Digital Avatars are created on open-source, public blockchains, are unique, and can be independently controlled by the individual, thus eliminating the need to depend on third parties for identity verification.

The Digital Avatar will complete the KYC/ID verification procedures, such as verifying the identity of any person seeking to create an account, maintaining records of the information used to verify the person’s identity and ultimately determining whether the person appears on any government-provided lists of known or suspected terrorists or terrorist organizations.

Centralized ID:

The need for centralized ID is the most pressing one. Think of the current situation; most of us have at least one bank account, but the minute we decide to open a second one, we must go through all formalities, such as the elaborate and time-consuming ID verification process. Having a centralized framework will eliminate the need for repeated ID verification processes.

Fraud reduction:

Future IDs will undoubtedly have features or attributes that would be near impossible to forge, steal or mimic, which shall play a significant role in cancelling out the events of identity theft.

Checking for Deepfakes during ID Verification

Although it is not easy to identify deepfakes through plain visual inspection, there are tested techniques that can be used during ID verification. Some of these techniques include:

Reverse Image Search

Reverse image search is very similar to text search, except that instead of typing text in the search box, a picture, an image URL, or associated keywords are uploaded. These serve as the focal point in identifying similar pictures that match the identity pictures, along with relevant details such as the owner/administrator of the websites where the images appear.

Specific Manipulations Detectors

A vast majority of the deepfakes are created using a combination of visual landmarks. This can include emotions, facial expressions, the position of the head and its alignment, and even lip-syncing. Deep learning-based AI detectors can, therefore, identify image or video manipulation, such as manipulation of facial features, face swaps, and facial reenactment.

Digital Forensics Devices

Various software tools examine metadata, inconsistencies in pixels and other kinds of image transformation, such as resizing, cropping, colour changes and edits, to identify the subtle artefacts that are left behind while creating deepfakes.

Conclusion

ID verification is essential to ensure compliance with AML/CFT laws. Digital ID verification is the need of the hour, and companies would experience smooth customer onboarding and significant time and cost savings by implementing it.

AML UAE provides end-to-end consulting services to help you identify the right Digital ID Verification software, assess and analyze associated risks, and suggest solutions to ensure world-class customer experience while balancing AML/CFT compliance requirements.

In AML/CFT compliance, customer identification and verification are crucial. The right AML software allows complying with the rules and regulations efficiently. It helps to build customer trust and promote business growth. AML UAE is a popular and reliable AML consultant that offers a comprehensive range of AML compliance services.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

The Role of Residual Risk in Financial Crime Compliance

Conducting a business comes with accompanying risks, including the risk of financial crime, which are inherent in nature. The key is to manage this gross risk, also known as inherent risk, as much as possible by implementing effective control measures, thereby minimising the net risk, also known as residual risk.

In this article, we will discuss residual risk, how it is different from inherent risk, and examples of residual risk. The article also explores the process of identifying residual risks, challenges in managing residual risk, best practices for managing residual risk, and future trends and developments in risk management.

What is Residual Risk in Financial Crime Compliance

Residual risk is the remaining or leftover risk after implementing the control measures adopted by the businesses. In terms of financial crime compliance, residual risk is the risk of a business being exposed to financial crime after implementing all measures and controls aligned with the financial crime compliance laws, such as Anti Money Laundering (AML), Counter Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF) Laws and regulations in UAE to control or mitigate the risk.

Compliance with AML/CFT & CPF regulations involves recognising inherent risk and deploying adequate control measures, thus minimising the residual risk appropriately. Residual risk is not eliminated entirely; it reflects the uncertainty that remains even after controls are applied. Businesses must continuously assess and adjust their risk management strategies to address residual risks effectively.

What is Financial Crime Compliance

Compliance, in a general sense, means actions taken by individuals or organisations to follow laws, rules, policies, or guidelines that are expected to be followed. In case of non-compliance, they need to pay a price in the form of financial penalties, legal repercussions, and reputational damage. Financial Crime Compliance is a set of policies, procedures, and practices that the business needs to put in place in order to comply with and follow laws and regulations to prevent and detect financial crimes, such as money laundering (ML), Financing Terrorism (FT), fraud, corruption, proliferation financing (PF), etc.

Difference between Inherent Risk and Residual Risk

Inherent risk and residual risk are key concepts in AML, CFT and CPF risk management, and they represent different aspects of risk within the business. In order to keep residual risk in check, businesses need to implement control measures. To understand the role of residual risk, it is crucial for businesses to know what inherent risk is and how it is different from residual risk.

The following is an analysis of the inherent risk vs. the residual risk based on different factors

How to Identify Residual Risk in AML, CFT and CPF Compliance

Here’s a step-by-step approach to identifying residual risk to help businesses understand and manage their exposure to financial crime effectively.

Identify Inherent Risks

The foremost step is analysing the business’s activities, products, and services to identify areas vulnerable to financial crimes, including ML, FT, and PF. Inherent risk emerges from various factors such as:
  • Customers
  • Countries
  • Delivery Channels
  • Products, Services, Transactions
  • Staff, Third-parties.

Assess Inherent Risks

After identifying inherent risks, businesses need to assess and evaluate the likelihood and potential impact of each identified inherent risk, considering factors like regulatory environment, customer profiles, and geographic exposure.

Prioritise Risks

Based on the assessment, businesses should rank the inherent risks. Such ranking can be based on their severity and likelihood, which would help businesses to focus on those that pose the greatest threat to the business. Risk prioritisation is based on the fundamentals of a risk-based approach (RBA).

Identify Existing Controls

After prioritising the risks, businesses need to identify the control measures applied to fight against the identified ML, FT, and PF risks. As part of this, they need to catalogue current AML and compliance measures, including policies, procedures, and technologies designed to mitigate identified risks.

Evaluate Control Effectiveness

Based on the implementation and application of control measures, businesses must analyse the performance of existing controls through testing, audits, and reviews to determine how well they counter the inherent risks. Only then can businesses actually fill the gaps and analyse control effectiveness.

Determine Residual Risk

After evaluating the control effectiveness, all that is left is calculating the remaining risk, that is, residual risk. It is determined by subtracting the effectiveness of existing controls from the assessed inherent risks, giving businesses a clear view of remaining ML, FT, and PF vulnerabilities.
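The six steps above, from identifying inherent risks to determining residual risk, worked through on a small risk register as an added example that is not part of the original article. The 1-3 scales, the likelihood-times-impact score, the rule that untested controls earn no credit, the floor of 1, the appetite threshold and the sample scenarios are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed 3-point scale; the article only names low / medium / high.
LEVEL = {"low": 1, "medium": 2, "high": 3}
RESIDUAL_FLOOR = 1.0  # assumption: residual risk is never scored as fully eliminated


@dataclass
class Control:
    name: str
    design_score: int        # assumed 0-3: risk points removed if the control works as designed
    tested: bool = False     # has testing, audit or review actually been performed?
    pass_rate: float = 0.0   # share of test samples the control passed (0.0-1.0)

    def effectiveness(self) -> float:
        # Credit only evidenced performance, not a control that exists on paper.
        return self.design_score * self.pass_rate if self.tested else 0.0


@dataclass
class Scenario:
    name: str
    factor: str              # customers, countries, delivery channels, ...
    likelihood: str          # "low" | "medium" | "high"
    impact: str              # "low" | "medium" | "high"
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        # Assess inherent risk: likelihood x impact (assumed scoring method).
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def residual(self) -> float:
        # Determine residual risk: inherent risk minus evidenced control effectiveness.
        mitigated = sum(c.effectiveness() for c in self.controls)
        return max(RESIDUAL_FLOOR, round(self.inherent() - mitigated, 2))


def assess(register, appetite):
    """Return one row per scenario, highest residual risk first."""
    rows = []
    for s in register:
        residual = s.residual()
        over = residual > appetite
        rows.append({
            "scenario": s.name,
            "factor": s.factor,
            "inherent": s.inherent(),
            "residual": residual,
            # Controls that exist but were never tested: candidates for review.
            "untested": [c.name for c in s.controls if not c.tested],
            "action": "enhance or add controls" if over
                      else "within appetite, keep monitoring",
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Scenario("Cash-intensive customer", "Customers", "high", "high", [
        Control("CDD policy", 3, tested=True, pass_rate=1.0),
        Control("Transaction monitoring", 3, tested=True, pass_rate=0.5),
    ]),
    Scenario("High-risk jurisdiction counterparty", "Countries", "medium", "high", [
        Control("Sanctions screening", 3, tested=True, pass_rate=1.0),
        Control("Enhanced due diligence", 2),  # documented but never tested
    ]),
    Scenario("Non-face-to-face onboarding", "Delivery Channels", "medium", "medium", [
        Control("Digital ID verification", 3, tested=True, pass_rate=1.0),
        Control("Liveness check", 2, tested=True, pass_rate=1.0),
    ]),
    Scenario("Third-party introducer", "Staff, Third-parties", "low", "high"),
]

if __name__ == "__main__":
    for row in assess(REGISTER, appetite=3.0):
        print(f'{row["scenario"]:<38} inherent={row["inherent"]} '
              f'residual={row["residual"]} -> {row["action"]}')
```

The untested enhanced due diligence control leaves the jurisdiction scenario at a residual score of 3.0 rather than 1.0, which is the gap that control testing is meant to surface.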

Example of Residual Risk: The Complete Lifecycle

Consider a situation where a Designated Non-Financial Business and Profession (DNFBP) named ABC Corp. needs to conduct an Enterprise-Wide Risk Assessment (EWRA).

Risk Identification

The DNFBP conducts a thorough EWRA by considering factors such as customers, countries, staff and third parties, and by identifying risk scenarios to assess which ML, FT, or PF risks may materialise and what form they may take, assessing the impact on the business. The impact on the business was categorised as low, medium, or high based on the loss or damage such risks would cause to the business.
It also conducts a thorough analysis of the scenarios to determine the likelihood of occurrence and the resulting impact for each probable scenario.

Deploying Control Measures and Analysis of Controls

To mitigate risks identified, the DNFBP, ABC Corp. deployed various control measures such as:
  • AML/CFT & CPF Compliance Framework
  • AML/CFT & CPF Policies & Procedures
  • Systems & Controls.
Following this, an analysis of the control measures was conducted for each scenario identified.

Determining Residual Risk, Assessing Risk Appetite

After implementing these measures, determination of residual risks is possible.

Evaluating Control Effectiveness and Deploying Additional Measures if Required

The DNFBP, ABC Corp., recognises that while it has taken significant steps to mitigate the identified risks, some risk still exists due to factors beyond its control. ABC Corp. is required to regularly monitor and evaluate control effectiveness.

How to Manage Residual Risk in AML, CFT & CPF Compliance

Managing residual risk in AML, CFT & CPF compliance is very important for businesses in mitigating potential ML, FT, or PF risks. Here’s an approach that lays down the basis for managing residual risk:

Define Risk Appetite

Defining the risk appetite gives clarity on the level of risk that a business can take and on its objectives related to financial crime compliance. For this purpose, businesses need to ensure that risk appetite aligns with overall business strategy and operational goals, as it should neither be overly restrictive nor leave loose ends.

Enhance the Design and Implementation of Existing Controls

It is crucial for businesses to regularly review and assess current controls to identify any gaps and weaknesses. Based on the assessment, businesses need to customise existing controls by aligning them with best practices. When doing so, businesses need to keep in mind the specific residual risk of their business and operations.

Introduce New Controls

As mentioned above, residual risk is the risk after employing effective measures; thus, for managing residual risk, it is essential for businesses to introduce new controls. Such new controls can include implementing new technologies and processes to address gaps identified.

Ongoing Residual Risk Assessment & Monitoring

Conducting ongoing assessments and monitoring of residual risk is essential for maintaining an effective compliance program. This involves continuously evaluating potential risks as new threats emerge and business operations evolve. Utilising key risk indicators and factors when undertaking ongoing monitoring and employing effective measures for dealing with residual risks allows for timely adjustments to the compliance strategy.

Continuous Transaction Monitoring

Implementing continuous real-time transaction monitoring systems is key for identifying suspicious activities promptly. Businesses should adopt advanced analytics that can detect anomalies and adapt to emerging patterns of financial crime, including ML, FT, and PF and provide a system to deal with the impact of residual risks.

Businesses need to incorporate insights from monitoring activities into the compliance framework, which allows businesses to continuously adapt and improve. By focusing on these strategies, they can effectively manage residual risks associated with financial crime compliance, enhancing their ability to detect, prevent, and respond to financial crime threats, including ML, FT, and PF.

Staff Training

Staff training is fundamental to an effective compliance program. Regular training sessions should cover compliance procedures, emerging threats, and the importance of individual roles in the compliance framework. Creating awareness through training fosters a culture of compliance, empowering employees to identify any suspicious activities.

Suspicion Reporting and SAR/STR Submission

Managing residual risk is important to keep the business in check. When assessing residual risk, if there is any suspicion, businesses need to promptly report it to their regulatory authorities. Businesses should also keep checking and streamlining the process of submitting Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) on the goAML portal. In doing so, they need to ensure that the submission process is efficient and compliant with regulatory requirements for timely reporting. As part of this, businesses need to look over and manage residual risk by monitoring submission trends that can provide insights for improving the compliance framework.

AML Software

Investing in comprehensive AML software is crucial for integrating various compliance functions. When choosing AML software for managing residual risk, businesses should employ a robust and customisable solution, allowing them to tailor it to their specific risk profiles and operational needs. A well-integrated AML solution enhances the efficiency and effectiveness of the compliance program and also continuously helps to identify and manage any ML, FT, and PF risks.

Data Analytics

Leveraging data analytics is essential for uncovering hidden patterns that may indicate financial crime, including ML, FT and PF-related crimes. Advanced analytics tools and technology can identify correlations and trends that manual processes might overlook. Regular reviews of these analytics methods will help businesses stay ahead of emerging risks, allowing for proactive adjustments to their compliance strategies.

Health-Checks

Conducting periodic health checks on the compliance program is key to ensuring its ongoing effectiveness. These assessments evaluate whether the current policies, controls, and procedures remain relevant and efficient or if there are any gaps in their effectiveness. As part of health checks, businesses should benchmark against industry standards to identify areas for improvement and enhance overall compliance performance.

Independent Audits

Engaging independent auditors to review the compliance program adds an extra layer of assurance to the AML/CFT framework’s effectiveness. These audits provide an objective assessment of the effectiveness of financial crime compliance measures. The findings from independent audits should be used to drive enhancements, ensuring that the compliance program evolves in response to new challenges.

AML/CFT & CPF Program Review and Enhancement

Regularly reviewing and enhancing the AML/CFT program is a must for adapting to the changing regulatory framework and evolving risks. This includes evaluating existing policies, procedures, and controls to ensure they are effective and up-to-date. Implementing necessary enhancements will strengthen the overall compliance framework.

Industry Collaboration

Collaborating with industry peers provides valuable insights and best practices in managing financial crime risks, including ML, FT, and PF. Sharing information on emerging threats and effective strategies enhances collective knowledge and strengthens the overall industry response to financial crime.

Regulatory Engagement

Active engagement with regulatory bodies is essential for staying informed about compliance requirements and expectations. Businesses should establish open lines of communication with regulators, ensuring that they are aware of any changes in regulations and can adapt their compliance programs accordingly.

Risk-Based Approach in Managing Residual Risk in AML, CFT, and CPF Compliance

The risk-based approach (RBA) requires entities such as DNFBPs to deploy ML, FT, and PF risk mitigation in proportion to the extent to which they are exposed to ML, FT, and PF risks. RBA can be used to effectively manage residual risk for the following reasons:

Efficient Resource Allocation

By identifying and prioritising residual risks, businesses can allocate resources to the areas that pose the greatest remaining threat, optimising their compliance efforts.

Proactive Risk Identification

Even after controls are in place, a risk-based approach facilitates the ongoing identification of new or evolving risks, ensuring that residual risks are continuously monitored and addressed.

Dynamic Adaptation

Businesses can adjust their compliance strategies in response to changes in the ML, FT, PF, and other financial crime risks, ensuring that residual risks are effectively managed as circumstances evolve.

Enhanced AML/CFT and CPF Compliance

By focusing on residual risks, businesses can enhance their compliance with AML/CFT regulations, ensuring that they remain vigilant even after initial controls are applied.

Greater Agility

The ability to quickly adapt to new information about residual risks allows businesses to respond more effectively to potential financial crime threats.

Informed Decision Making

Analysing residual risks using a risk-based approach provides critical insights that guide management decisions regarding additional controls or modifications to existing ones, enhancing overall risk management.

Regulatory Compliance

Understanding and managing residual risks is essential for demonstrating compliance with regulatory expectations, reducing the likelihood of violations even after implementing controls.

Brand Image Protection

A risk-based approach helps in effectively managing residual risk and helps safeguard the business’s reputation, as proactive measures convey a commitment to ethical standards and compliance.

Tailored Controls

The risk-based approach allows for the development of specific controls targeting identified residual risks, enhancing their effectiveness and relevance.

Focused Training

Training programs can be designed to address the specific residual risks faced by the business, ensuring that employees are prepared to handle these challenges effectively.

Risk-Based CDD

By implementing Risk-Based Customer Due Diligence (CDD) procedures, businesses can focus their efforts on high-risk clients, mitigating residual risks associated with less scrupulous actors.

Transparency

Maintaining a clear framework for understanding and managing residual risks fosters transparency within the business organisation and builds trust with regulators and clients.

Trust

Proactively addressing residual risks reinforces stakeholder trust, as it demonstrates a commitment to effective risk management and ethical business practices.

Challenges in Addressing Predicate Offences

Here is the list of challenges usually faced by businesses in managing residual risk:

Evolving ML/FT & PF Typologies

ML/FT & PF typologies are dynamic in nature, constantly changing as criminals adapt their methods. This evolution can be driven by advancements in technology or changes in the financial market. As a result, businesses face the challenge of keeping their risk assessments relevant and effective, as outdated information can lead to undetected risks.

Evolving Regulations

To combat dynamic ML/FT typologies, regulations need to be amended, which makes the regulatory environment surrounding financial crimes dynamic as well, with frequent updates and new requirements. Businesses need to navigate a complex landscape of laws, which also vary based on jurisdiction. This constant flux in the regulatory framework can lead to confusion, leaving businesses open to non-compliance if they fail to keep pace, which exposes them to ML, FT, and other financial risks.

Cross-Border Jurisdictional Differences

For any cross-border multinational organisation, following differing regulations across countries is necessary and can complicate compliance efforts. Each jurisdiction has its own AML rules, which can create a patchwork of requirements that are difficult to manage. This complexity can lead to gaps in compliance and increased vulnerability to ML, FT, and PF risks.

Resource Constraints

Businesses operate under budgetary and staffing limitations, which can hinder their ability to implement effective risk management practices. Limited resources may result in inadequate AML compliance functions and ineffective technology solutions. This scarcity can ultimately leave businesses exposed to ML, FT, and PF risks they cannot adequately address.

Data Silos

Data silos occur when information is isolated within specific systems, preventing a holistic view of risk. This fragmentation can obscure insights and hinder collaboration, making it challenging to identify trends or correlations that could indicate risk. The lack of comprehensive data integration can lead to blind spots in risk management efforts.

Data Quality

Data quality can severely impact risk assessments and compliance efforts. Poor, inaccurate, incomplete, or inconsistent data can lead to misguided conclusions and decisions. Reliance on large volumes of poor-quality data makes it difficult to ensure high standards of data integrity across AML compliance measures.

Legacy Systems

Many businesses rely on outdated legacy systems that may not support current risk management needs. These systems can be inflexible, difficult to integrate with new technologies, and incapable of processing modern data requirements. The reliance on legacy systems can impede the business’s ability to respond to emerging risks effectively.

False Positives

Transaction monitoring systems are prone to high rates of false positives, which can overwhelm compliance teams, leading to inefficiencies and a significant drain on resources. When too many alerts are triggered, it can create alert fatigue, causing critical risks to be overlooked or deprioritized. This reduces the effectiveness of compliance efforts and undermines staff morale.

Staff Resistance

Managing residual risk requires implementing new controls or procedures, which often meet with resistance from staff. This resistance can stem from a fear of change, a lack of understanding of new processes, or the perception that additional compliance requirements increase their workload. Such resistance can hinder the adoption of necessary changes, ultimately impacting the effectiveness of risk management efforts.

Best Practices for Managing Residual Risk

Regulated Entities such as DNFBPs can manage residual risk through the implementation of the following best practices:

Regular Enterprise-Wide Risk Assessments

Conduct comprehensive risk assessments on a regular basis to identify and evaluate potential risks across the business. This proactive approach helps adapt to evolving threats and ensures a consistent understanding of the risk landscape.

Strong Controls

Implement robust internal controls that are tailored to the business’s specific risk profile. These controls should address key vulnerabilities and ensure compliance with regulatory requirements.

Ensuring Control Effectiveness

Regularly test and review the effectiveness of controls to identify any weaknesses. Utilise key performance indicators to monitor control performance and make necessary adjustments.

Automation

Leverage technology to automate routine compliance and monitoring tasks. Automation can enhance efficiency, reduce human error, and allow staff to focus on higher-level analysis and decision-making when managing residual risks.

Ensuring Data Quality

Prioritise data quality through governance practices, validation processes, and regular audits. High-quality data is essential for accurate risk assessment and compliance efforts.

Ongoing Monitoring

Establish continuous monitoring systems to detect anomalies and assess risk in real time. This allows organisations to respond promptly to potential threats before they escalate.

Independent Audit

Conduct independent audits of risk management practices and compliance programs to provide an objective assessment of their effectiveness. Audits help identify areas for improvement and reinforce accountability.

Training and Awareness

Invest in regular training programs to ensure staff understand their roles in risk management and compliance. Foster a compliance culture that emphasises the importance of vigilance and ethical behaviour.

Top Management Oversight

Ensure that senior management is actively involved in risk management efforts. Their commitment and oversight are crucial for setting the tone at the top and ensuring alignment with strategic objectives.

Clearly Defined Policies and Procedures

Develop and communicate clear policies and procedures related to risk management and compliance. This provides staff with a framework for understanding their responsibilities and ensures consistency in execution.

Defined Risk Appetite

Clearly articulate the business’s risk appetite to guide decision-making and resource allocation. A well-defined risk appetite helps align risk management strategies with the business’s overall objectives and ensures a balanced approach to risk-taking.

Future Trends and Development in the Management of Residual Risks

Future trends and developments for residual risk management in AML, CFT and CPF compliance include the following:

Artificial Intelligence

AI will play a crucial role in enhancing fraud detection and compliance processes. By leveraging AI algorithms, businesses can automate the identification of suspicious activities, analyse patterns, and reduce false positives, ultimately streamlining compliance operations.

Machine Learning

Machine learning models will continuously improve risk assessments by learning from historical data. These models can adapt to evolving financial crime tactics, enhancing the accuracy of predictions and helping institutions stay ahead of emerging threats.

Blockchain

Blockchain technology offers a transparent and immutable ledger that can enhance traceability in financial transactions. Its application can help verify the authenticity of transactions and reduce the risk of fraud, thus strengthening compliance measures.

Robotic Process Automation

RPA can automate repetitive tasks such as data entry and reporting, allowing compliance teams to focus on more strategic activities. By improving efficiency, RPA helps manage residual risks more effectively and reduces the likelihood of human error.

Big Data Analytics

The integration of big data analytics enables businesses to analyse vast amounts of data from various sources. This holistic view helps identify potential risks and anomalies that may indicate financial crime, allowing for proactive measures to mitigate those risks.

Increased Regulatory Scrutiny

As financial crimes become more sophisticated, regulators are tightening compliance requirements. Businesses will need to adopt more robust residual risk management frameworks to meet these evolving standards and avoid hefty penalties.

Public-Private Partnership

Collaboration between public institutions and private businesses can enhance intelligence-sharing regarding financial crime trends. These partnerships can lead to more effective strategies for managing residual risks and improving overall compliance frameworks.

Dynamic Risk Assessment Models

Another trend is the development of dynamic models that can adjust in real time to reflect changes in risk profiles. This agility will enable businesses to respond promptly to emerging threats and manage residual risks more effectively.

Scenario Analysis and Stress Testing

Regular scenario analysis and stress testing will become integral in understanding potential impacts of financial crime. Businesses will simulate various scenarios to gauge their risk exposure and develop mitigation strategies accordingly.

Governance Frameworks

Strengthening governance frameworks will be essential for managing residual risks. This includes establishing clear roles, responsibilities, and accountability mechanisms within businesses to ensure effective compliance and risk management.

Conclusion

Regulated Entities must document their assessment of residual risk as part of their AML compliance frameworks, ensuring they remain vigilant and prepared to respond to potential threats. Residual risk is an inevitable aspect of AML, CFT and CPF compliance that businesses must navigate effectively.

Assessing residual risk is a challenging task and requires businesses to implement effective measures using a risk-based approach. Continuous assessment and adaptation of controls, along with a proactive approach to training and technology, are essential in mitigating residual risks.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Offshore Banking and the Increasing Risks of Money Laundering

Offshore banking is a financial strategy that involves holding accounts or investments in banks outside one’s home country. It has evolved significantly since its inception. Offshore banking offers a range of benefits by providing global banking services with less stringent procedures and attractive schemes.

However, the growth of offshore banking has also raised concerns about money laundering and regulatory compliance. This blog delves into the origins of offshore banking, its advantages, the challenges it faces, how it is linked to money laundering techniques, and strategies to combat money laundering in offshore banking.

What is Offshore Banking?

The word offshore refers to any place away from one’s own home country. For example, if one lives in the UAE, the UK is offshore for that person. Offshore banking refers to utilising the services of a bank located outside the account holder’s country of residence. Offshore banks are required to obtain an Offshore Banking License that enables the bank to conduct business with citizens and the currency of other countries, except for the country in which it is located.

Evolution of Offshore Banking

There are several records indicating that offshore banking started because Europe was in a constant state of revolution and political disturbance during the mid-1800s. People felt the need to park their funds and wealth in countries that were relatively stable.

This type of banking system gained popularity in the 1900s when several offshore banks were operational in low or no-tax jurisdictions, a trend accelerated by the enactment of the Swiss Banking Act of 1934. This law introduced a privacy clause that enhanced confidentiality for account holders and attracted international deposits, enhancing Switzerland’s reputation as a safe tax haven for privacy-seeking clients.

From its inception in Europe, offshore banking soon spread to the rest of the world, and investors from far afield took advantage of these tax havens. The modern era of offshore banking began in the 1960s, when the Bahamas established itself as one of the first Offshore Financial Centres (OFC), offering tax incentives and a favourable regulatory environment for international banks.

An OFC is a financial centre where offshore activity takes place. The OFC trend accelerated in the 1970s during the oil crisis and the rise of petrodollars, leading to an influx of capital into offshore banking as banks expanded their services to meet growing demand. The 1980s and 1990s saw continued growth in the offshore banking industry, driven by globalisation and technological advances that facilitated cross-border transactions.

However, the 2008 global financial crisis brought increased scrutiny to the offshore banking sector, raising concerns about tax evasion and money laundering. In response, many offshore financial centres implemented stricter regulations and transparency measures to improve their reputations.

As the global economy recovered in the 2010s, new financial centres emerged, revitalising the role of offshore banking in global banking relationships. This evolution reflects a complex interplay of historical, regulatory, and economic factors that have shaped the offshore banking landscape over time.

Features of Offshore Banking

Knowing the basic features of offshore banking is essential to understand the linkage between offshore banking and money laundering. The following are features of offshore banking:

Anonymity

Offshore banking offers a higher degree of confidentiality and privacy protection, which may include not disclosing account holder information to the public or to third parties without consent. This anonymity can be valuable for individuals seeking to maintain a low profile or protect sensitive financial information. This privacy needs to be aligned with compliance requirements like Anti-Money Laundering (AML) regulations and cannot restrict the sharing of information with regulatory authorities under certain circumstances.

Private Banking

Offshore banking consists mostly of private banking services that cater to high-net-worth individuals or investors looking to diversify their assets. As a private banking system, it includes providing personalised financial services and investment advice tailored to the specific needs and goals of the clients.

Multi-Currency Accounts

Offshore banking includes multi-currency accounts, which allow clients to hold, manage, and transact in multiple currencies within a single account. This allows investors and businesses to engage in international trade or investment opportunities. Multi-currency accounts facilitate easier cross-border transactions, reduce currency conversion costs, and help with currency fluctuations.

Online Banking

Offshore banking deals with non-residents, thus providing online banking platforms, enabling clients to manage their accounts from anywhere in the world. Online banking services include account monitoring, fund transfers, bill payments, access to financial tools, and investment opportunities. This allows clients to handle their banking needs efficiently, regardless of their location.

Dedicated Relationship Manager

Offshore banks often assign a dedicated relationship manager to each client, providing a personalised point of contact for all banking needs. This relationship manager acts as a liaison between the client and the bank, offering tailored advice, managing investments, and addressing any concerns or special requests.

Multilingual Support

Given the international nature of offshore banking, many offshore banks offer multilingual support to cater to a diverse clientele. This means that clients can receive banking services and assistance in their preferred language, enhancing communication and understanding.

Structured Products

Offshore banks often provide access to structured products, which are investment vehicles designed to meet specific financial goals. These products combine traditional investments with derivatives to create customised investment solutions that offer various risk-return profiles. Structured products can include options such as deposit accounts, international wire transfers, foreign currency, and income-generating investments, allowing clients to tailor their investment strategies to their unique financial objectives.

Reasons for Offshore Banking

Offshore banking developed for many reasons, which include the following:

New Investment Avenues

Offshore banking offers access to a wider range of investment opportunities and provides tax incentives, attracting investors from around the world. This leads to new investment avenues in emerging markets, alternative assets, and specialised financial products that might not be easily accessible in the home country.

Asset Protection

Offshore banking is a lucrative alternative to domestic asset protection strategies as it can safeguard investors against extreme events such as bankruptcy, costly litigation, and political and financial instability in their home country.

Global Banking Services

Offshore banking has opened the gates of global banking services. With offshore banking, people gain access to global banking services, including global investment opportunities, multi-currency accounts, and international wire transfers.

Higher Interest Rates

The flexibility of offshore banking provides investors with access to international markets that offer higher interest rates than domestic banks, which helps investors earn better returns on their deposits and savings, thereby maximising their financial growth.

Customised Banking Solutions

Offshore banks provide tailored banking solutions that cater to the needs of the client. Offshore banks can adapt their offerings to meet the unique requirements of individuals and businesses as they do not have to abide by the banking regulatory framework imposed by the central bank of the country.

Global Trade

Offshore banking facilitates smoother operations for businesses in global trade by providing easy access to foreign currency and streamlining cross-border transactions. Offshore banking also supports global trade by minimising currency conversion costs and improving transaction efficiency.

Tax Planning

Many countries with limited resources offer tax incentives to foreign investors to generate revenue. Making investments in these countries allows investors to save taxes as a part of their tax planning strategy. By investing in these countries, investors and businesses can benefit from their favourable tax regimes.

Privacy and Confidentiality

Offshore banks usually have strict privacy policies in place to protect the confidentiality of their customer details. These policies are supported by the jurisdiction’s domestic laws that establish strict privacy and data protection norms, ensuring clients’ financial details remain private and secure.

Geographical Diversification

Offshore banking allows investors and businesses to spread their assets across different regions. With such diversification, there is reduced risk associated with economic or political instability in a single country, stabilising their overall investment and portfolio performance.

Currency Diversification

Considering today’s geopolitical scenario, most investors do not rely on domestic investments in a single currency due to economic fluctuations that can diminish the currency’s value. Offshore banking is used to diversify currency risk by investing in stable foreign currencies.

Succession Planning

Offshore banking allows investors and individuals to use offshore accounts and trusts to transfer their wealth as they wish, and to countries they find potential in, with fewer complications and tax implications. This helps in preserving and managing assets for future generations.

Risk Management

With the diversification of assets across different jurisdictions and currencies, investors can better manage and mitigate various financial risks. Offshore banking can shield assets from market volatility, economic instability, and other risks linked to political or economic disturbance.

What is Money Laundering?

Money laundering is the process of concealing the illegal origins of money, making it appear as proceeds earned from a legitimate source. This is achieved by moving the funds through a series of complex transactions to obscure their criminal origins. The crime of money laundering takes place in three stages: placement, layering, and integration.

Offshore Banking and Increasing Money Laundering Risks

Banking Secrecy

Offshore banks offer a high level of confidentiality and privacy to their clients, creating an environment where illicit activities, such as laundered money, can be concealed more easily. The secrecy can hinder law enforcement and regulatory agencies from tracking financial transactions and identifying suspicious activities.

Weak Regulatory Environment

Offshore jurisdictions with less stringent regulations may attract clients looking to evade scrutiny. Weak regulatory frameworks can mean fewer checks on the sources of funds, less rigorous Anti-Money Laundering (AML) measures, and inadequate enforcement of financial laws. This laxity, together with extensive banking secrecy and shadow banking, makes offshore banking in these areas more attractive to corporations and individuals looking to avoid taxation, ultimately facilitating money laundering activities.

Multi-Currency Transactions

Offshore banks often deal with multiple currencies, which can complicate transaction tracking and monitoring. The use of various currencies can obscure the origin and destination of funds, making it more challenging for regulators to track suspicious activities across different financial systems.

Virtual Currency Transactions

With the advancement of cryptocurrencies and other virtual assets, a new system of anonymous transactions and cross-border transfers has emerged, making these assets a popular tool for money laundering. The decentralised nature of these currencies and the lack of global standards make it challenging to detect and prevent illicit activities facilitated by the use of virtual currencies.

Technological Advancements

Technological advancements such as encryption and blockchain have transformed the way financial transactions are carried out and have increased the reach of, and access to, offshore banks. While these technologies offer the security and efficiency required for financial transactions, they can be exploited for money laundering by obscuring transaction trails and complicating investigations.

Inter-Relationship Between Offshore Banking and Money Laundering

Criminals use offshore banking as a medium to launder their dirty money and proceeds from criminal activities. The tools and environment provided by offshore banking can be used for money laundering and to facilitate the concealment and movement of illicit funds across borders. Here’s how offshore banking and money laundering are inter-related:

Privacy and Confidentiality

Offshore banks are often located in countries that offer high levels of privacy and confidentiality and have stringent laws that protect the identities and financial information of account holders. With such confidentiality, offshore banking can be exploited by individuals or organisations involved in money laundering. The secrecy makes it harder for regulatory authorities to trace the origins of funds, enabling money launderers to conceal illicit activities more easily and effectively. Criminals tend to use offshore accounts to hide their identities and obscure the trail of their money.

Shell Companies

Shell companies are often established in offshore jurisdictions. These companies are legal entities that exist on paper but typically have no substantial operations or assets. They are one of the known mediums for money laundering. Money launderers use shell companies to create a facade of legitimacy. They funnel illicit money through these entities, making it appear as though the money comes from legitimate business activities. By setting up their shell companies in an offshore jurisdiction, they further obscure the ownership and flow of funds, aiding in the laundering process.

Layering Techniques

Layering involves complex financial transactions designed to obscure the origin of illicit funds. Offshore banks facilitate this by allowing rapid and opaque transfers between accounts in different jurisdictions. Money launderers use layering techniques to create a convoluted path for their money, making it difficult to trace. This might include transferring funds through multiple offshore accounts, converting money into different currencies, or making investments in various assets. Offshore banking services provide the necessary infrastructure to perform these transactions with relative ease and anonymity.

Use of Tax Havens

Tax havens are countries or jurisdictions that offer low or zero tax rates and financial secrecy. Offshore banks are usually located in these tax havens. Tax havens are attractive to money launderers because they offer both secrecy and a favourable regulatory environment. By routing money through these jurisdictions, launderers can evade taxes, hide illicit gains, and exploit legal loopholes. The combination of secrecy and lenient regulations makes tax havens a popular choice for laundering money.

Offshore Banking Compliance Challenges

Evolving Money Laundering Typologies

Money laundering typologies are constantly evolving as criminals find new ways to disguise illicit activities. This requires banks to stay ahead of emerging trends and adapt their compliance measures accordingly.

Inadequate Know Your Customer (KYC) Procedures

Conducting a thorough KYC process for offshore banks can be challenging due to distance, a lack of access to local resources, and varying levels of transparency and secrecy. Offshore banks often deal with clients from diverse geographical locations, which can complicate the verification process. Furthermore, offshore banks are required to undertake effective AML measures based on the identification and verification processes, which can be difficult to implement due to improper and deficient KYC procedures.

Complex International Regulatory Framework

The international regulatory framework for offshore banking is complex because banking regulations differ across jurisdictions, which can complicate compliance for offshore banks. Regulatory environments are constantly evolving. Institutions must stay updated on changes in laws and regulations in all relevant jurisdictions to remain compliant. This creates challenges in maintaining compliance and ensuring that all regulatory requirements are met.

Strategies for Combating Money Laundering in Offshore Banking

Regulatory Oversight

Regulatory oversight helps create a controlled environment where offshore banks are monitored and held accountable for their actions. Countries should implement and enforce regulations that enhance transparency requirements and mandate offshore banks to implement due diligence processes. The countries should, as part of regulatory oversight, ensure that all offshore banks have licensing requirements and that there are checks on their adherence to these requirements.

In the UAE, the following Anti-Money Laundering (AML) laws mandate Financial Institutions such as banks to adopt efficient Customer Due Diligence (CDD) and other AML measures to detect and mitigate money laundering risks:
  • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations.
  • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018.

AML/CFT Policies and Procedures

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) policies and procedures are essential for preventing financial crimes within businesses. As part of this strategy, offshore banks should create detailed policies, procedures, and controls for effective compliance with their AML/CFT regulatory obligations and the detection of suspicious activities related to money laundering, terrorism financing, and proliferation financing. As part of the AML/CFT policies, offshore banks should implement measures to identify the customer, verify their identity, and understand the nature of their transactions in order to mitigate the potential money laundering, terrorism financing, and proliferation financing risks associated with the clients.

The AML/CFT policies, procedures, and controls should be made in accordance with the risk-based approach. The risk-based approach requires offshore banks situated in the UAE to assess the money laundering, terrorism financing, and proliferation financing risks the bank faces, and adopt risk control and management measures accordingly. The risk-based approach works on the principle of “higher the risks, higher the controls.”

AML Software

Advanced technological measures play a crucial role in detecting and preventing money laundering through automated systems. Offshore banks should use AML software that can monitor transactions and red flags and help generate reports. They should also keep the AML software updated so that it adapts to new money laundering typologies and regulatory changes. When choosing AML software, offshore banks need to ensure that it integrates seamlessly with other systems for operational efficiency and effective monitoring.

A unified AML Software would have solutions for the following AML/CFT regulatory obligations:

  • Customer Due Diligence
  • Know Your Customer (KYC)
  • Sanctions Screening, Politically Exposed Person Screening, Adverse Media Screening
  • Customer Risk Assessment
  • Ongoing Monitoring of Business Relationships
  • Transaction Monitoring
  • Regulatory Reporting
  • AML Health Checks and Independent AML Audit
  • Record-Keeping

Awareness and Training

Offshore banks must ensure that their employees and staff are educated and equipped to detect and prevent money laundering risks. For this purpose, offshore banks need to conduct regular AML training sessions on AML/CFT policies, red flags, compliance requirements, reporting procedures, and emerging trends and tactics in money laundering. This training needs to be role-specific, so that the staff is equipped to play their role in AML compliance processes of the bank effectively.

In order to prevent and detect money laundering risks, offshore banks should focus on fostering a culture of compliance. Well-trained staff are better equipped to detect and respond to suspicious activities, which is crucial for effective AML efforts.

International Cooperation

Offshore banks involve cross-border transactions, which may be used for money laundering techniques, making international cooperation essential for effective detection and mitigation through enforcement. Money laundering often spans multiple jurisdictions, and international cooperation helps ensure a unified approach to combating it. Some international initiatives that offshore banks must follow include the following:

  • Adherence to Financial Action Task Force (FATF) Recommendations: FATF is an international watchdog that aims to set international standards to mitigate the crimes of money laundering, terrorism financing, and proliferation financing. FATF has released its recommendations to ensure international coordination and global response to these financial crimes. Offshore banks should follow these recommendations and take into account FATF reports and research while making their own AML/CFT policies, procedures, and controls.

  • Targeted Financial Sanctions (TFS) Implementation:
    The United Nations Security Council (UNSC), through its UNSC Resolutions (UNSCR), sanctions individuals, groups, undertakings, etc., with the aim of combating the crimes of terrorism, terrorist financing, and financing of proliferation of weapons of mass destruction. These are called Targeted Financial Sanctions (TFS). In the UAE, UN Financial Sanctions are implemented through:
    • Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations
    • Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Law No. (20) of 2018
    • Cabinet Resolution No. (74) of 2020 Regarding Terrorism Lists Regulation and Implementation of UN Security Council Resolutions on the Suppression and Combating of Terrorism, Terrorist Financing, Countering the Proliferation of Weapons of Mass Destruction and its Financing and Relevant Resolutions
  • Group Oversight: When an offshore bank situated in the UAE is part of a group, the offshore bank is obligated to ensure that its branches and majority-owned subsidiaries situated abroad apply AML/CFT measures that are in consonance with the AML/CFT laws of the UAE. This includes the implementation of policies and procedures for sharing data with respect to CDD and money laundering, terrorism financing, and proliferation financing risk management. Further, in cases where there are diverse regulatory requirements, the offshore banks are obligated to implement the most stringent requirements. This ensures that offshore banks apply AML/CFT measures across jurisdictions.

Conclusion

Offshore banking, while providing numerous benefits such as asset protection, investment opportunities, and global financial services, is fraught with challenges, particularly regarding money laundering. The features that attract legitimate investors can also facilitate illicit activities. As criminals exploit these advantages to obscure the origins of their funds, the link between offshore banking and money laundering becomes increasingly concerning. In mitigating the threats posed by money laundering in offshore banking, OFCs and onshore banks must implement effective AML measures, equipping them to detect and prevent suspicious activities effectively.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

AML measures for non-face-to-face customers: Combatting money laundering threats

Regulated Entities such as Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs) have advanced to an enhanced level of customer service with the help of technology. One of the classes of customers catered through the use of technology is Non-Face-to-Face (NFTF) customers.

However, the Money Laundering (ML) and Terrorism Financing (TF) risks associated with such customers need to be mitigated with utmost care, and that is why Regulated Entities need well-defined and strict Anti-Money Laundering (AML) measures for NFTF customers.

To negate the chances of ML/TF, Regulated Entities need to be cautious during identity verification of NFTF customers.

The task of onboarding a remote customer is full of challenges, and this blog attempts to provide insights on implementing appropriate AML measures while onboarding and continuing business relationship with NFTF customers.

How do non-face-to-face clients pose a threat to your business?

Technology has made rapid inroads into DNFBPs, Virtual Assets Service Providers (VASPs), and FIs. Customers these days want to perform remote and digital transactions to avoid physical presence and visits. These digital transactions are conducted via mobile apps and the internet.

ID verification and Know Your Customer (KYC) software make all these possible. Many regulated entities, especially banks and other financial institutions, have embraced such digital business methods.

Customers prefer digital transactions to avoid visiting the vendor’s offices. The biggest demotivators are the hassle of visiting the office, providing hard copies for conducting transactions and standing in queues.

Digitally, Regulated Entities can manage several transactions at their convenience with online documentary evidence, ensuring decreased manual effort and faster service.

But, in such cases, ML and TF risks for the Regulated Entity need to be carefully analysed and mitigated. Remote onboarding of NFTF customers exposes DNFBPs and VASPs to the following risks:

Fake identities

Customers can use fake identities to open an account with a Regulated Entity and conduct transactions. Since Regulated Entities won’t be able to associate the wrongdoing with a face and identity, it becomes difficult to ascertain the real perpetrators. This anonymity of NFTF customers may increase the ML and TF risks for the Regulated Entity’s business.

Limited visibility of customer behaviour

Physical interaction with customers helps in understanding their behaviour and demeanour. In the absence of such face-to-face meetings, Regulated Entities have no idea of their actual conduct and actions. It becomes difficult to identify suspicious behaviour, activity, or transaction.

Transaction speed

Digital transactions are faster than normal in-person transactions. Money launderers prefer to engage in NFTF transactions so that criminal activity occurs quickly, before anyone can detect suspicious behaviour and report it for further action.

Hidden ownership structures

In the case of NFTF customers, understanding the ownership structure is challenging. Money launderers may use the anonymity feature in NFTF interactions to hide their beneficial ownership. There might be a possibility of the use of shell companies to conduct transactions. This is a widespread typology by which NFTF clients may launder money.

With in-person onboarding, the compliance team gets a chance to ask questions and counter-questions to the customer. Remote onboarding works in a pre-defined way and offers little flexibility. Further, the human element is missing, so the judgement rests on technology to identify suspicious customers and their activities.

Cross-border transactions

Engaging in cross-border transactions is one of the methods adopted by financial criminals to launder money. Identifying the origin and destination of funds in transactions conducted across different jurisdictions is challenging. It also becomes easier for anonymous customers to hide these details or produce false documents.

Third-party risks

DNFBPs and VASPs who rely on third parties to conduct KYC and Customer Due Diligence (CDD) expose themselves to ML/TF risks if the third parties do not adopt and successfully implement adequate procedures for customer identification and verification. The criminals may exploit the vulnerabilities existing in third-party KYC and onboarding procedures and misuse the system to launder money.

Data security and privacy

Online onboarding through technology exposes the Regulated Entities to data security and privacy breaches. The genuine customers’ accounts may be taken over by criminals to perform their illegal activities, and this exposes the regulated entities such as DNFBPs and VASPs to various types of ML/TF risks.

Regulated entities must devise and apply effective AML measures to reduce the risks of such occurrences and fight the money laundering threats.

Common ML/TF Typologies employed through NFTF Channels

Smurfing and structuring are the most common ML/TF typologies employed by money launderers that may be onboarded through NFTF channels.

Structuring

Criminals may resort to structuring large transactions into several small transactions to avoid their detection. Normally, regulators across the globe have specified thresholds for reporting cash transactions. The criminals smartly plan their transactions to avoid crossing these thresholds.

Smurfing

Smurfing is similar to structuring. In smurfing, the criminals split transactions into small amounts and use multiple parties to deposit funds into the banking system.

Effective AML measures for non-face-to-face customers

Following are some of the effective AML measures that Regulated Entities can carry out to manage ML/TF risks arising out of the digital onboarding of customers:

Develop a risk-based approach to respond to risks related to non-face-to-face clients

The risks from NFTF clients need to be carefully examined. AML measures for NFTF customers must be well planned, well defined, and well documented. Regulated Entities need to adopt a risk-based approach for such customers depending on the following factors:
  • Industry in which the regulated entity operates
  • Location of customers
  • ML/TF threats from customers
If an NFTF customer is found to pose high risk to the Regulated Entity, Enhanced Due Diligence (EDD) measures should also be implemented. If the NFTF customer poses low risk, Regulated Entities can continue with the existing KYC and simple due diligence.

Create customised identification and verification procedures

Since the risks posed by NFTF customers need to be examined carefully, Regulated Entities can have custom identity checks to protect their business. They can do so by defining the minimum criteria for accepting NFTF customers. This depends on the nature of a Regulated Entity’s business operations. If the Regulated Entity’s sector is more susceptible to money laundering threats, it’s better to avoid onboarding such remote NFTF customers. Regulated Entities can define new verification procedures like submission of more documents, manual visits to the client’s office, or any other relevant action.

Conduct In-Depth KYC to Understand the Risks of Non-Face-to-Face Customers

While conducting KYC, the first thing for Regulated Entities to match is the customer’s face with the government-issued identity document (ID) shared by the customer, who purports to be the individual or the entity specified in that ID document. Based on verification and validation of the ID document, Regulated Entities need to decide whether the customer is genuine with a valid ID proof or whether there is any element of underlying criminal activity in the guise of such an NFTF customer.

Regulated Entities must have a stringent KYC policy to verify the identities of NFTF customers. Regulated Entities must ensure the following:

  • Regulated Entities must check for certification and attestation of documents: Such certification must be from specific authorised individuals or organisations. Such attestation can facilitate higher credibility in the authenticity of documents.
  • Regulated Entities must ask for additional proof to know the NFTF clients better: These documents must be from reliable sources that can verify these customers’ identities.
  • Regulated Entities should have a known third party to guarantee the authenticity of such customers: Check whether the Regulated Entity’s existing customers, suppliers, or associates have complete knowledge of these customers. Also, ensure that Regulated Entities have conducted complete KYC and due diligence of these third parties.

Consider the non-face-to-face clients’ geographical location

One aspect that Regulated Entities can consider critically is the geographical location of their customers. Regulated Entities must exercise caution if the customer is from any of the following jurisdictions:
  • Economically sanctioned regions
  • Jurisdictions with weak AML controls or financial systems
  • Politically unstable regions
  • Countries with high levels of corruption, drug trafficking, human trafficking, terrorism, or smuggling

Apply risk-based due diligence measures for non-face-to-face clients

Regulated Entities don’t have the NFTF customer in front of them while conducting the transaction. It means identity verification is a challenge. Since the NFTF customer risk needs to be examined with utmost care, regulated entities need to implement risk-based due diligence measures to prevent the risks of financial crimes. These measures include:
  • Exercising caution before engaging in transactions with NFTF clients. The first payment must be from a known bank account in the customer’s name. Even for the succeeding transactions, details need to be checked thoroughly.
  • Using safe and secure electronic identification technologies to verify the identities of NFTF customers.
  • Checking the publicly available information from reliable sources, also known as using open-source intelligence, by checking national registers of trade, businesses, associations, and patents. Even the population census and credit data registers can help Regulated Entities confirm the identities of their NFTF customers.
A combination of these identification and verification techniques can ensure the authenticity of NFTF customers’ documents and identities.

Hire third parties for identity verifications of cross-border customers

Dealing with NFTF clients becomes challenging when they reside in other countries. The identity documents are different from the local UAE documents.

However, Regulated Entities must get all possible identity and address evidence from publicly available and reliable information. One solution in these cases is to hire third parties for conducting such identity verification process to prove the authenticity of documents and identities. However, Regulated Entities must be careful before engaging with a third-party provider.

Employ video conferencing AML measures for identifying and verifying non-face-to-face customers

Regulated Entities can conduct a video-based process to verify the identities of their customers. This will be a secure, live, and informed audio-visual interaction between the Regulated Entity and the customer. Regulated Entities must obtain the customer’s consent before conducting such a meeting.

To manage the KYC verification process through video conferencing, a live video call with the Regulated Entity’s KYC expert and the customer needs to be conducted. Regulated Entities will interview the customer with identity questions and detect their liveness. Verification also involves checking the customer’s identity documents live by asking the customer to hold them in the video and matching their face with the photo to verify the identity in real time. Verification also includes clicking live photos for facial recognition.

However, Regulated Entities also need to ensure a secure way of conducting this video interview. It must be end-to-end encrypted. The video must be clear enough to verify the identity of the customer. The live GPS coordinates and date-time of the customer interview must be available in the video recording.

Use advanced technologies to confirm non-face-to-face customer identity

Technologies like artificial intelligence, machine learning, and blockchain have improved many sectors. Regulated Entities can use the same technologies in AML measures for NFTF customers. One way to do this is to use them for customer data storage and comparison with other documents.

Regulated Entities can use AI in facial recognition to verify customers’ identities based on the proof they submit. AI even helps confirm the authenticity of identity proof submitted by customers. AI makes it possible to check the passport chip of biometric passports and the authenticity of holograms. Regulated entities can use blockchain technology for secure and confidential data storage. Regulated entities can also implement AML software, which supports liveness checks. It will help regulated entities reduce deepfakes and strengthen their defences against ML/TF.

Monitor transactions for unusual trends or patterns

Transaction monitoring is an effective AML measure for NFTF customers. Regulated Entities should rely on transaction monitoring to identify any unusual or out-of-pattern behaviour of customer transactions. So, when monitoring their transactions, entities can look out for the following:
  • Unusual pattern not matching with customers’ profiles or regular transactions
  • If more than one user is using the same account
  • If the user opens more than one account
  • If the customer information and IP address don’t match
  • If the customer uses different payment methods for different transactions
When Regulated Entities see such patterns or unusual behaviour, they need to investigate the customer relationship, purpose of transaction and source of funds for such transaction further.
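
The monitoring checks listed above can be expressed as simple rules over account and transaction records. The following is an added example, not taken from any AML product or from this blog's own tooling. The record fields, the thresholds, the use of a device fingerprint as a stand-in for "user", and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values; a real programme sets these in its AML/CFT policy.
AMOUNT_MULTIPLIER = 5      # txn larger than 5x the declared typical amount
MAX_DEVICES = 1            # more devices than this suggests a shared account
MAX_PAYMENT_METHODS = 2    # more methods than this counts as varied methods


@dataclass(frozen=True)
class Account:
    account_id: str
    id_document: str        # number of the ID used at onboarding
    country: str            # declared country of residence (ISO code)
    typical_amount: float   # expected transaction size from the KYC profile


@dataclass(frozen=True)
class Txn:
    account_id: str
    amount: float
    device_id: str          # device fingerprint, used as a proxy for "user"
    ip_country: str         # country already resolved from the source IP
    method: str             # card, bank_transfer, wallet, ...


def monitor(accounts, txns):
    """Return {account_id: sorted list of red-flag names} for flagged accounts."""
    flags = defaultdict(set)
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account_id].append(t)

    # One person holding several accounts: the same ID document is reused.
    owners = defaultdict(list)
    for a in accounts:
        owners[a.id_document].append(a.account_id)
    for ids in owners.values():
        if len(ids) > 1:
            for account_id in ids:
                flags[account_id].add("multiple_accounts_same_id")

    for a in accounts:
        history = by_account.get(a.account_id, [])
        # Pattern not matching the customer's profile.
        if any(t.amount > AMOUNT_MULTIPLIER * a.typical_amount for t in history):
            flags[a.account_id].add("amount_outside_profile")
        # More than one user on the same account.
        if len({t.device_id for t in history}) > MAX_DEVICES:
            flags[a.account_id].add("multiple_users_one_account")
        # Customer information and IP address do not match.
        if any(t.ip_country != a.country for t in history):
            flags[a.account_id].add("ip_country_mismatch")
        # Different payment methods for different transactions.
        if len({t.method for t in history}) > MAX_PAYMENT_METHODS:
            flags[a.account_id].add("varied_payment_methods")

    return {acc: sorted(f) for acc, f in flags.items()}


# Constructed sample data (not real customers or transactions).
ACCOUNTS = [
    Account("A1", "ID-1001", "AE", 1000.0),
    Account("A2", "ID-1002", "AE", 500.0),
    Account("A3", "ID-1002", "AE", 500.0),   # same ID document as A2
    Account("A4", "ID-1003", "IN", 2000.0),
]
TXNS = [
    Txn("A1", 900.0, "dev-a", "AE", "card"),
    Txn("A1", 1100.0, "dev-a", "AE", "card"),
    Txn("A2", 400.0, "dev-b", "AE", "card"),
    Txn("A2", 450.0, "dev-c", "AE", "wallet"),
    Txn("A2", 3000.0, "dev-b", "AE", "bank_transfer"),
    Txn("A3", 300.0, "dev-d", "AE", "card"),
    Txn("A4", 1500.0, "dev-e", "GB", "card"),
]

if __name__ == "__main__":
    for account_id, reasons in sorted(monitor(ACCOUNTS, TXNS).items()):
        print(account_id, reasons)
```

A flag from these rules is a prompt for the investigation described above (customer relationship, purpose of transaction, source of funds), not a finding in itself.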

Ongoing monitoring is a critical AML measure for non-face-to-face clients

In the case of NFTF customers, ongoing monitoring is essential. Regulated Entities need to implement tools to conduct ongoing monitoring of the business relationship.

Conclusion

While NFTF customers may pose significant ML/TF risks to a business, the AML measures discussed in the blog can help FIs, DNFBPs and VASPs in the UAE to detect, prevent and mitigate these risks.

AML UAE – your partner for professional AML consulting services

AML UAE is an expert in AML Consulting services. We have guided clients throughout the journey of becoming compliant with AML laws in the UAE. You will always find us with customised and appropriate solutions to your AML concerns. Our offerings include:
  • Customized AML policies, procedures, and internal controls
  • Risk assessments and analysis of your business
  • KYC and different levels of due diligence of your customers to build their risk profiles
  • Monitoring transactions and customers to detect suspicious ones and take respective actions
  • Personalized training solutions for your AML needs and industry requirements
  • Regular health checks and audits of your AML compliance
Likewise, we also help you deal with non-face-to-face customers with appropriate AML measures. We take all possible steps to prevent money laundering and terrorism financing threats from such customers. So, don’t worry about remote, digital customers; we have the right AML measures for you.

Mastering Periodic Customer Reviews with eKYC and Automation

The process of conducting periodic reviews of customer information helps ensure the relevance of anti-money laundering and counter-financing of terrorism measures (AML/CFT) that designated non-financial businesses and professions (DNFBPs) have implemented in their business.
This blog elaborates upon the following:
  • The purpose and factors triggering the initiation of conducting customer reviews.
  • The management of such periodic review processes through automation with AML software.
  • The best practices for carrying out effective customer reviews.
  • The advantages of relying on eKYC with the use of automation tools.

Periodic Review of Customers in the context of AML/CFT Compliance

The AML/CFT law in the UAE requires DNFBPs to conduct periodic reviews of customer information collected during the customer due diligence (CDD) process. Keeping the CDD information up to date is a legal requirement that DNFBPs need to adhere to. The guidelines for DNFBPs require them to adopt a risk-based approach (RBA) when it comes to updating CDD. To achieve this, DNFBPs are required to have in place appropriate AML/CFT policies and procedures, which clearly state the steps and measures taken by the DNFBP to conduct periodic reviews of customer information, the tools or software used, and defined workflows to ensure that customer information collected during the CDD is maintained up to date.

Purpose of Periodic Review of customer KYC details

The regulatory requirement of conducting periodic reviews of customer information throughout the business lifecycle is backed by purposes such as:

Identifying Suspicious Activities

Conducting periodic reviews enables DNFBPs to identify suspicious activities, which is made possible through tracking or monitoring the customer details. It also helps entities to submit required regulatory reports like SAR/STR.

Assessing Customer Risk Profiles

When the customer information and activity are monitored or supervised periodically, such periodic review enables the DNFBP to assess the fluctuation in customer risk, such as the shift of low-risk customers to high-risk status or vice-versa due to changes in their circumstances supported by valid documents.

Ensuring Compliance with Regulatory Requirements

The UAE AML/CFT laws and guidelines require DNFBPs to conduct periodic reviews of CDD information, which is a regulatory compliance requirement.

Strengthening Risk Management Practices

When periodic reviews are conducted in a timely manner, the DNFBP is able to identify the customer profiles needing attention and additional or enhanced due diligence (EDD) measures. The exercise of conducting periodic reviews helps strengthen risk management as a DNFBP is able to plan how it shall mitigate ML/FT and PF risks.

Key Triggers for Periodic Reviews

The situations or circumstances necessitating the carrying out of periodic reviews are:

Risk-Based

DNFBPs need to imbibe a risk-based approach, meaning that they shall deploy risk mitigation measures according to the degree and extent of risk they are exposed to. One of the simplest ways to set or determine the frequency and timing of periodic reviews is to review customer profiles according to the risk they pose to a DNFBP’s business. For instance, a low-risk customer’s profile can be examined less frequently than that of a high-risk customer, whose profile needs to be examined more frequently.

Coming across changes in customer information that would impact the customer’s existing risk profile.

Changes in the list of High-Risk countries as maintained by the FATF.

Event-Based

Change in circumstances of a legal entity customer, such as a change in beneficial ownership, legal structure, change of address, purpose of business, or capital structure. For instance, non-PEP customers getting classified as PEP, change in transaction pattern, etc.

Discovery of adverse or negative media about the natural person customer or ultimate beneficial owners (UBOs) of a legal entity customer, where such adverse news contains information that can materially impact the business relationship with a DNFBP. For instance, there is adverse news pertaining to involvement in a predicate offence, which might ultimately be linked to financial crime such as ML/FT or PF.

Commencement of legal proceedings against the customer.

Recommendations derived from the findings of an AML auditor.

Transactions or behaviours indicating suspicion with regard to ML/FT or PF involvement.

Time-Based

DNFBPs, through their internal AML/CFT policies and procedures, need to set rules covering the various customer risk categories and the timing and frequency of their CDD reviews, whether such reviews shall be conducted through notification parameters configured in eKYC software, and the degree of manual input and the automation parameters for CDD or KYC reviews.

DNFBPs can set the periodicity of customer information reviews in their policy according to the ML/FT and PF risk customers pose to the business, which can be semi-annual, annual, etc.

Components Contributing to Periodic Customer Review

A periodic customer review of a DNFBP usually consists of the following components:

Transaction Monitoring

Transaction monitoring is an AML compliance component that enables the DNFBP to configure alert generation in the context of transactions by customers that are not normal, reasonable, or consistent with the customer’s risk profile. Any change or deviation in customer transaction patterns should be considered as a factor necessitating the initiation of customer review or re-KYC.

Behavioral Analysis

The suspicious nature of customer activities and transactions can be identified through behavioural pattern analysis. For example, if a customer starts behaving differently than their normal pattern, then such a change in behaviour must generate a red flag for a DNFBP, following which they can conduct KYC refresh or re-CDD to ascertain the consistency and identify the cause of change in customer behaviour.

eKYC/CDD, Ongoing Monitoring, and Transaction Monitoring software are often equipped with machine learning capabilities, which can be taught to identify or detect suspicious behaviour patterns to trigger a KYC refresh.

Screening

Screening of customers against relevant watchlists such as sanctions lists, politically exposed persons (PEPs) databases, and adverse media screening enables DNFBPs to identify if the customer’s name matches with that of the names contained in such watchlists or sanctions list, enabling the DNFBP to determine the degree of ML/FT and PF risk posed by such customer and classify them into high risk, medium risk, or low-risk categories.

Based on the assigned risk classification, the DNFBP can determine the periodicity of conducting a re-examination or review of customer information.

Risk Assessment

Based on the risk assessment of the ML/FT and PF risk posed by the customer, the DNFBP can determine at which level of risk classification it would request for KYC refresh or re-CDD and document the same in the AML/CFT policies and procedures.

Managing Periodic Review of Customers with AML Software

The process of periodic review of customers can be streamlined with the use of AML software solutions such as:

1. eKYC Software

An eKYC software is responsible for automating the KYC obligations of a DNFBP. The eKYC software facilitates the following:
  • Setting periodicity or time duration notifications or alerts for conducting eKYC refresh.
  • Generating alerts when any customer document is approaching expiry, necessitating document renewal and revision of eKYC information.
  • Remotely fulfilling eKYC requirements such as customer identity verification through liveness check.

2. Screening Software

Sanctions screening software helps with periodic review as it constantly monitors the customer names across relevant and applicable sanctions lists, generating notifications or alerts for further CDD refresh or EDD when a true match or partial match is found.

3. Customer Risk Assessment Software

Customer risk assessment software facilitates the implementation of the customer review process in terms of determining or configuring the risk classification criteria and assigning customer review periodicity. This helps segregate customers into high, medium, and low-risk categories and conduct re-KYC according to the duration defined in the organisation’s AML/CFT policy.

4. Case Management Software

A case management software for AML compliance facilitates holistic monitoring and management of ML/FT and PF risks. The case management tool helps by:
  • Designing workflows for escalation and management of tasks for conducting re-CDD, such as requesting document renewal for expired or about-to-expire documents.
  • Keeping track of the case status.

5. Transaction Monitoring Software

A transaction monitoring software generates alerts whenever it identifies any anomaly or change in the pattern of transactions in real-time, which facilitates DNFBPs to conduct re-CDD or KYC refresh in real-time.

6. Regulatory Reporting Software

Reporting software is extremely helpful when, during the screening of customers or transaction monitoring, any positive match or materially suspicious activity is found, which requires the immediate filing of a suspicious activity report (SAR) or suspicious transaction report (STR) on the goAML portal of the UAE Financial Intelligence Unit (FIU).

Advantages of AML Software While Conducting Periodic Reviews

An AML software is advantageous in conducting periodic reviews in the following ways:

Streamlined Data Collection

AML software, such as eKYC software and screening software, helps with easy document collection where a customer can upload their documents remotely through the app-based customer onboarding tools.

Real-Time Monitoring

Transaction monitoring, ongoing monitoring, and sanctions screening software are the software or tools to look for when any DNFBP intends to track customer activity, behaviour patterns, sanctions inclusion, and PEP classification status in real-time.

Reduced Manual Efforts

The very purpose of software and tools is to automate repetitive manual processes such as entering customer data, screening across regulator-issued sanctions lists, customer document validation, etc., which, due to automation, can help DNFBPs to reduce manual efforts.

Workflow

Various AML software solutions, such as case management, regulatory reporting, monitoring, and screening software, facilitate companies to define and assign workflows for escalation of tasks according to expertise level, right from screening analyst or risk analyst through AML compliance officer or Money Laundering Reporting Officer (MLRO) for further actions or senior management approval for onboarding or continuation of business relationship with high-risk customers.

Document Management

AML software tools help in document management by facilitating the storing and generating of documents required for AML compliance and by recording the steps taken to ensure compliance with AML measures, such as the steps taken to complete the CDD process, alerts set for document expiry, factors triggering re-KYC, and the timing or frequency of re-KYC. All such measures, including others as the case may be, are recorded by the AML software, and such records can be fetched instantly to fulfil record-keeping requirements in the UAE.

Regulatory Compliance

AML software facilitates ensuring the timely filing of regulatory reports as well as ensuring regulatory compliance with relevant AML/CFT obligations. AML software facilitates streamlined processes, which, as a result, helps ensure compliance.

Cost-Savings

The most lucrative prospect of switching or opting for AML software is the resultant cost saving that comes due to the reduction of human efforts and increased efficiency.

Best Practices for Effective Periodic Customer Reviews

Ensure Data Quality:

High-quality data helps in identifying suspicious activity or behaviour in a timely manner, reducing the incidences of false positives.

Take A Risk-Based Approach:

Implementing risk measures commensurate with the type and severity of the risk to which the business is exposed helps ensure that a periodic review of customer details is conducted in a timely manner, according to the type of ML/FT and PF risk the customer poses.

Utilise Technology:

The UAE AML/CFT laws and guidelines recommend using technology whenever needed to streamline and strengthen AML processes. Relying on technology to get alerts and triggers for conducting EDD and re-CDD is preferable for DNFBPs to ensure that further steps are taken to ensure regulatory compliance in a timely manner.

Provide Training and Awareness:

Whenever a new or different methodology or technology is introduced in an organisation, as a best practice, personnel must be trained on how to use technology for carrying out the AML/CFT compliance obligations such as ongoing monitoring, re-CDD, KYC refresh, the factors necessitating conducting re-CDD, recordkeeping of CDD and Re-CDD measures, and so on.

Consider Cross-Border Challenges:

Businesses must consider cross-border challenges, such as changes in regulatory requirements and the ability of personnel and technology used by such a business to adapt to the requirements of different jurisdictions.

Consider Emerging Threats:

As a best practice of risk management, it is important to identify the emerging patterns in the relevant field; doing so would enable better management of AML/CFT risk.

Conclusion

When it comes to end-to-end customer relationship management, periodic reviews of customer details obtained during the eKYC or CDD process can be simplified by using the eKYC process and by automating with various kinds of AML software to ensure regulatory compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Understanding the New Tipping Off Regime in Australia

The tipping off mandate has been updated in Australia as a part of a series of reforms to the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006. These reforms are set to apply from 31st March 2025. In this article, we discuss the new and updated definition of tipping off in Australia, its essentials, and guidance for reporting entities on how to reduce the risk of breach of the tipping off offence.

Reformed Definition of Tipping Off for AML/CTF Compliance in Australia

If a person discloses a certain kind of information to another person, where such information would/could reasonably be expected to prejudice an investigation, then such an act of disclosure amounts to an offence of Tipping Off under the new reforms to the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006.

Insights into the Need for Tipping Off Offence

The offence of tipping off prevents reporting entities from disclosing any kind of information that can lead criminals to hide or change their illegal activities. Tipping off also protects the privacy and reputation of the customer, who may be a victim of the suspected criminal activity, as mere suspicion is not conclusive evidence that the customer is involved in any financial crimes.

The provision of tipping off offence also protects the identity of the person submitting a Suspicious Matter Report (SMR) to AUSTRAC by maintaining high standards of confidentiality.

Now, let us understand the essentials of the new tipping off offence.

Essentials of the New Tipping Off Offence

The amended AML/CTF Act, 2006 provides the essential elements of tipping off offences in Australia, which include:
  • If the person discloses information to another person who is not entrusted by AUSTRAC
  • If the person making the disclosure is or has been either a reporting entity/any officer/employee/agent of a reporting entity/a person required to share further information or documents specified in a notice by AUSTRAC CEO/Commissioner of the Australian Federal Police/CEO of Australian Crime Commission/Commissioner of Taxation/Comptroller-General of Customs/National Anti-Corruption Commissioner/Investigation Officer concerning the reports filed by the reporting entity under the AML/CTF Act, 2006 or the repealed Financial Transaction Reports Act 1988, or information/document that may assist AUSTRAC CEO in performing their functions.
  • If the information disclosed includes:
    • Information that can establish that the reporting entity submitted an SMR or that their reporting obligations are triggered.
    • Information about the report made or prepared for the purpose of meeting SMR obligations
    • Copies of the SMR or any document purporting to set out SMR information, like formation or existence of a suspicion.
    • Information about any notice sent by the AUSTRAC CEO for obtaining information or documents in certain circumstances or for seeking further information and whether the person is required to give information or produce a document in response to the notice.
    • For Cash Dealers prior to 7 January 2025, information about Suspect Transaction Report (SUSTR) under the repealed Financial Transaction Reports Act 1988, including specifications about the suspicion formed concerning a transaction, whether such information was submitted to AUSTRAC CEO through SUSTR or as a response to the relevant notice and any information from which anyone could reasonably deduce that such information concerning suspicion was given to AUSTRAC.
  • If the disclosure would or could reasonably be expected to prejudice an investigation of any offence against a law of the Commonwealth or any State/Territory, or for the purpose of the Proceeds of Crime Act 2002 (POCA) or any regulations thereunder, or any State or Territory laws corresponding to POCA or any regulations thereunder.

Understanding Prejudice to an Investigation as a Requirement for Tipping Off Offence

One of the major requirements for the offence of Tipping Off is that the disclosure of information could or would reasonably be expected to prejudice an investigation. This means that if disclosure of information can reasonably be expected to negatively affect an investigation, then it amounts to tipping off. The risk of prejudicing an investigation may depend on a combination of the following factors:

Content of the Information Disclosed

If the content of the information disclosed includes any protected information covered in the AML/CTF Act, 2006, for instance, if any information relating to the Suspicious Matter Report is revealed or any explicit actions from which the customer can infer that a suspicion has arisen, then it can negatively affect an investigation.

Recipient of the Disclosed Information

Whether a disclosure can prejudice an investigation also depends on the person to whom the disclosure is made. For example, if the disclosure is made to any person entrusted by AUSTRAC, then such disclosure cannot negatively affect an investigation, but say if the disclosure is made to a third party who can potentially share it with the public at large, like a journalist, then that can prejudice an investigation.

Method of Disclosure

For a disclosure to amount to tipping off, it is not necessary for the person disclosing information to know that the disclosure will negatively affect an investigation. For example, if an employee discloses any such information by mistake on a public platform, then it would still amount to tipping off.

Time of Disclosure

Time is everything when combating financial crimes, and therefore, if disclosures are made before or during the period of investigation, then it can give the criminals an opportunity to conceal any trail of evidence, certainly hampering the course of an investigation. However, this does not imply that reporting entities are free to disclose any protected information after reporting it because it may even compromise future investigation efforts, if any. Thus, it is important for compliance professionals to be alert about not unintentionally disclosing information while following their Customer Due Diligence (CDD) obligations.

Therefore, to avoid any kind of prejudice to an investigation, reporting entities must ensure that their protected information is not publicly released and does not get back to a person who might be engaged in any criminal activity or to any other person who is associated with the person suspected of criminal activity.

Disclosures that are not Considered as Tipping Off

There are some disclosures that are exempted from being considered as tipping off. At the same time, some disclosures are not likely to be considered as tipping off, as per AUSTRAC:

Disclosures to Prevent Crime

Disclosures relating to information or reports concerning suspicious matters are exempted from being considered as tipping off if:

  • The person making the disclosure is a reporting entity that is either a legal practitioner/qualified accountant/any partnership or company carrying on a business of providing professional legal services/accountancy services through legal practitioners or qualified accountants, respectively, or any other person specified in the AML/CTF Rules, and
  • The information is about the affairs of the reporting entity’s customer, and the disclosure is made in good faith to prevent the customer from partaking in any sort of conduct that constitutes or may constitute an offence against the law of the Commonwealth or a State/Territory.
  • AUSTRAC recommends that such entities focus on how the customers’ activities could result in a breach of the law and the penalties thereof. However, it is recommended that reporting entities do not disclose any information about related STR/SUSTR/relevant notice or obligations of the reporting entity with respect to the STR or notice.

Disclosures for Sharing Information to Identify, Avert or Disrupt Money Laundering, Terrorism Financing, Proliferation Financing (ML, TF, and PF), and Other Serious Crimes

Disclosure of any protected information does not amount to an offence of tipping off if such disclosure is made to another reporting entity for the purpose of identifying, averting, or disrupting ML, TF, PF, and other serious crimes, subject to any regulatory conditions prescribed.

For example, disclosures made between reporting entities engaging in the activities of Fintel Alliance cannot be considered as tipping off.

Disclosures to Comply with Requirements in Commonwealth, State, or Territory Laws

Disclosures made pursuant to the laws of the Commonwealth or a State/Territory do not amount to tipping off. For instance, there are multiple disclosure requirements under the Scams Prevention Framework that regulated entities need to follow; disclosures made in such cases shall not amount to tipping off.

Disclosures Made for Meeting the Reporting Entity’s AML/CTF Obligations or Mitigating ML/TF Risks to the Business

Any internal disclosures made to the reporting entity’s staff or senior management, or any external disclosures to other reporting entities of the same designated business group for the purpose of managing ML/TF risks to the business, are not considered as tipping off.

Similarly, if a reporting entity appoints any external service providers/ consultants to support them in AML/CTF remediation and enhancement or seeks any legal advice from a lawyer on its AML/CTF obligations, then such communication cannot be considered as tipping off.

Disclosures Made During Corporate Restructuring

According to AUSTRAC, any disclosures made during a merger or acquisition involving the reporting entity to support the due diligence processes will not be considered as tipping off.

Reasonable Questions for Effective Risk-Based Customer Due Diligence

As per AUSTRAC, if a reporting entity’s SMR obligations are not triggered, and the reporting entity or persons engaged by the reporting entity ask reasonable questions to a customer or conduct Enhanced Due Diligence, then such line of questioning cannot be considered as tipping off.

Disclosures to AUSTRAC Entrusted Persons

Disclosure of information to AUSTRAC entrusted persons or Australian law enforcement, intelligence, or regulatory agencies, like the Commonwealth, State/Territory police and agencies having investigative functions, such as the Australian Taxation Office, National Anti-Corruption Commission, Australian Border Force, Australian Criminal Intelligence Commission and alike agencies, does not amount to a breach of the new tipping off offence.

AML Compliance Procedures to Follow to Avoid the Risk of Tipping Off

Businesses that do not deploy adequate controls within their structure are often at a higher risk of tipping off when sharing information within their designated business group or with a third party. Upon implementing the following AML/CTF compliance procedures, reporting entities have a better chance of avoiding the risk of tipping off:

1. Adopting and Maintaining AML/CTF Policies to Prevent Tipping Off

To comply with the new tipping off reforms, AUSTRAC recommends that reporting entities adopt and maintain AML/CTF policies that define proper procedures for identifying the information held by the business and the situations where disclosing such information would or could be reasonably expected to prejudice any investigation, and that determine the measures to implement to prevent the risk of tipping off when disclosing any information or processing any communication.

The AML/CTF policies should also define the legal obligations of third parties with whom any protected information is shared.

2. Maintaining Proper Audit Trails

Reporting entities should implement and periodically review audit trails with employee names and timestamps to understand who has access to specific information and during what period of time.

3. Employee Training and Employee Due Diligence

Reporting entities must perform due diligence on their employees to ensure that they do not pose any ML/TF risks and are suited for sharing sensitive information. Additionally, periodic training must be provided to the employees to make sure that they are aware of the risks of breaching the tipping off offence. Role-specific training should be given to customer-facing staff on how to handle sensitive information while balancing customer relationships.

One important thing to keep in mind when training employees is that if any trends or insights are discussed, then reporting entities should be cautious about not mentioning specific customer information or transactions and simply talking about the generally identified patterns.

4. Record-Keeping

It is important for reporting entities to document all the steps taken by the reporting entity. For example, when dealing with a customer in relation to a suspicious activity or information, reporting entities should document their interactions with the customer along with the steps taken by the reporting entity to reduce the risk of breach of the tipping off offence.

Similarly, if at the time of conducting Enhanced Customer Due Diligence (ECDD), the reporting entity is of the opinion that some specific ECDD measures would tip off the customer, then they should not proceed with ECDD and document the reasons for taking this decision.

Moreover, if a person makes any kind of disclosure that is exempted from being an offence, then they should maintain proper records of the disclosure, including the purpose of disclosure, method of disclosure, time of disclosure, etc. This is because, under the AML/CTF Act, 2006, the burden of providing evidence that suggests a reasonable possibility that the disclosure is exempted from the tipping off offence rests with the party seeking exemption.

Thus, by adopting and following proper AML/CTF procedures, reporting entities can reduce the risk of tipping off to a great extent. But let’s take a moment to understand the impact of following AML/CTF obligations on customer relationships and how reporting entities can fulfil their regulatory obligations without tipping off the customer or damaging their reputation.

Balancing Customer Relationships Without Tipping Off

Reporting entities constantly need to balance their need for business growth and the necessity of mitigating the risk of financial crimes. Therefore, while fulfilling their regulatory requirements, it is also important to be aware of its impact on customer relationships. Being seen with a suspicious eye is no pleasant experience for any customer, so here’s how reporting entities can fulfil their regulatory obligations without tipping off and without any friction with the customer:

Seeking Further Information from a Customer without Tipping Off

As discussed before, asking reasonable questions about a customer’s activity cannot in itself be considered as tipping off, but it is necessary for reporting entities to ensure that while seeking additional information, they do not disclose any protected information that could or would reasonably be likely to prejudice an investigation. So to avoid indicating that the reporting entity is suspicious of the customer’s behaviour, AUSTRAC recommends that reporting entities either:
  • Inform the customer that the information sought is a part of their routine AML/CTF compliance obligations or KYC obligations, or
  • Tell the customer that the exercise is conducted to ensure that the reporting entity has the most updated details on its record, or
  • Inform them that it is a business policy to collect additional information in certain situations, or
  • Inform them that additional verification is required to resolve issues with customer information or identification documents.

Terminating a Business Relationship with a Customer without Tipping Off

Where a reporting entity chooses to terminate the business relationship with a customer, then it is advised that they offer genuine reasons for the same which do not indicate that the reporting entity is suspicious of the customer’s behaviour, such as:
  • Reasons that can establish that there is a commercial basis for ending the relationship or
  • The reporting entity does not have the funds, additional systems or controls required to manage the regulatory obligations that are related to the customer’s account or
  • The customer has taken an unreasonably long time to provide the additional information requested by the reporting entity or
  • The additional information shared by the customer is unsatisfactory or
  • The nature of the customer’s activities is beyond the reporting entity’s risk appetite

In addition to the steps suggested by the regulatory authorities, reporting entities can also follow some of the industry-wide accepted best practices to further reduce the risk of tipping off.

Best Practices to Follow To Lower the Risk of Tipping Off

In addition to modifying the AML compliance procedures, reporting entities can adopt some of the following best practices to further reduce the risk of breach of the tipping off offence:
  • Imposing restrictions on access to information on a strict and genuine need-to-know basis
  • Using legally enforceable agreements or undertakings when disclosing protected information to employees or third parties to maintain the confidentiality of information.
  • Using secure electronic document storage systems with password protection to prevent easy access to protected information
  • When appointing any third party to support the reporting entity’s AML/CTF compliance obligations, the reporting entity should, as a best practice, take into consideration the internal controls deployed by the third party to prevent tipping off
  • When seeking additional information from the customer, use standardised forms or means of communication so the customer is not tipped off and does not feel uneasy about requests for additional information
  • When training new customer-facing staff, provide them with scripts or clear communication instructions for making additional inquiries

Frequently Asked Questions about Tipping Off Reforms

Can a person be required to disclose protected information to Courts and Tribunals?

A person is not required to disclose protected information to a court or tribunal except where it is necessary to disclose the protected information to give effect to the AML/CTF Act, 2006.

Is disclosing information to a third party allowed under the new tipping off offence?

Reporting entities are not prohibited from disclosing information to third parties under the new tipping off offence so long as it would not or could not reasonably be expected to prejudice an investigation. However, this non-prohibition on disclosure cannot be considered as authorisation for disclosure as other legal restrictions may be applicable to reporting entities, such as the restrictions stipulated in the Privacy Act 1988.

If the reporting entity is of the perception that performing Enhanced Customer Due Diligence (ECDD) will lead to tipping off, should they proceed with ECDD?

While gathering more information about a customer’s identity and source or destination of funds for the purpose of ECDD is not in itself considered as tipping off, if the reporting entity is of the opinion that performing specific ECDD measures would lead to tipping off, then such measures should not be performed.

AML Australia’s Due Considerations Towards the New Tipping Off Reforms

Our experts at AML Australia know the value of long-term business relationships and the need for business risk protection. Therefore, we give due weightage to tipping off requirements when designing AML/CTF programs for our customers so that their business thrives on the foundation of AML compliance.
