A complete guide to effective customer due diligence


Companies are vulnerable to financial crimes and used as channels for facilitating or carrying out illegal activities, such as money laundering (ML), financing of terrorism (FT), and proliferation financing (PF) of weapons of mass destruction. Thus, it is crucial for them to undertake an effective Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers. Here is a complete guide to effective customer due diligence to help you fight ML/TF risks.

Customer Due Diligence (CDD) is an essential element of UAE’s AML/CFT regulatory framework, which assesses the ML/FT and PF risks that arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc.

CDD enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.

What is Customer Due Diligence?

Customer Due Diligence (CDD) means identifying potential customers and checking their authenticity and legitimacy. It also means cross-verifying the details provided by the customer for legal validity and accuracy.

The meaning of CDD remains the same across industries, but the procedures differ. In total, there are four aspects of CDD: simplified, standard, enhanced, and ongoing.

By conducting CDD, businesses aim to mitigate the potential for financial crimes such as ML/FT and PF. Additionally, this multifaceted approach serves as a foundational element in establishing trust, credibility, and regulatory compliance within the business landscape.

UAE AML/CFT Regulations for CDD

The UAE has established robust AML laws to combat financial crimes, including ML/FT and PF. These robust regulatory frameworks include Federal regulations, which are aligned with international standards set out by the Financial Action Task Force (FATF).

Additionally, as part of the AML/CFT legal landscape, the regulated authorities in the UAE have released various guidelines supporting the primary regulations for undertaking effective measures.

The UAE’s regulatory framework necessitates CDD measures for every customer. The framework governing CDD is also based on FATF recommendation No. 10, which lays down the principle of undertaking a customer due diligence process. This includes disclosure of beneficial ownership and verification of identities.

Furthermore, Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to undertake CDD measures in assessing and combating risk associated with customers based on the risk-based approach taken by the entities.

Role of CDD in AML Regulatory Framework

As a crucial measure of UAE’s AML/CFT regulatory framework, regulated entities are required to undertake CDD measures, which include a thorough process of identifying and verifying customers, assessing their risk profile, and monitoring them throughout their customer lifecycle. Implementation of an effective CDD process helps reporting entities determine the different levels of risk associated with different customers and further establish the appropriate CDD measures for risk mitigation.

The CDD process provided under the UAE’s Regulatory Framework lays down a comprehensive framework for addressing potential ML/FT and PF threats when engaging with both new and existing customers. Therefore, CDD plays an important role in assisting reporting entities in maintaining regulatory compliance and safeguarding themselves against financial crimes.

Reporting Entities subject to CDD in the UAE

The legal framework governing AML/CFT in UAE applies to all financial institutions, banks, insurance companies, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Services Providers (VASPs). Furthermore, these DNFBPs include:
  • Dealers in Precious Metals and Stones
  • Real Estate Agents and Brokers
  • Trust and Corporate Service Providers
  • Auditors & Independent Accountants
  • Lawyers, Notaries & Other Legal Professionals
Therefore, every reporting entity in the UAE needs to adopt an effective AML/CFT framework in order to mitigate and manage ML/FT and PF risks.

When is CDD required?

The need to apply the AML CDD process comes into the picture when a business organisation is required to abide by AML/CFT regulations and intends to establish a business relationship with a potential customer.

In line with the Customer Due Diligence Policy and Procedures, businesses try to understand the following and take adequate CDD measures:

  • Why is an account being opened?
  • How will it be used?
  • What will be the nature of transactions?
  • What will be the volume and frequency of transactions?
The business must verify the customer’s identity and assess the risk profile. Therefore, DNFBPs/FIs must carry out the Know Your Customer (KYC) procedure as part of CDD compliance procedures in the following situations.
  • Customer Due Diligence becomes mandatory at the time of entering a new business relationship with an individual or a legal entity, in order to verify the identity of the customer. When undertaking the CDD process for a new customer, the customer’s risk profile is also assessed, and the applicability of enhanced due diligence is determined.
  • Various occasional transactions warrant customer due diligence measures. An occasional transaction equal to or exceeding AED 55,000/- requires regulated entities to perform proper due diligence on customers.
  • An occasional wire transfer for an amount equal to or exceeding AED 3,500/- requires proper performance of CDD measures.
  • Business organisations that suspect the involvement of their customers or proposed customers in activities such as money laundering or financing of terrorism should apply KYC and CDD checks.
  • When it is observed that the identification documents provided by potential customers are inadequate, unreliable, or suspicious, KYC and CDD measures must be undertaken.

When is CDD conducted?

CDD is conducted:
  1. Before entering into a business relationship or
  2. During the course of entering into a business relationship or
  3. Before opening an account or
  4. During the course of opening an account or
  5. Before carrying out a transaction with a new customer
  6. Before entering into occasional transactions exceeding monetary thresholds
  7. When there is a suspicion as to ML/TF
  8. When the previously obtained customer identification data is not proper or adequate.
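As an added illustration (not code from the original guide), the Python below encodes the CDD triggers and monetary thresholds listed above as one decision function, together with the escalation to enhanced due diligence for PEPs and sanctions matches that the Name Screening and Enhanced Due Diligence sections describe. The `CustomerEvent` and `CddDecision` types and their field names are assumptions made for this example; the guide prescribes no data model.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Monetary thresholds as stated in this guide (in AED).
OCCASIONAL_TRANSACTION_THRESHOLD_AED = 55_000
OCCASIONAL_WIRE_TRANSFER_THRESHOLD_AED = 3_500


@dataclass
class CustomerEvent:
    """One customer interaction as a compliance system might record it.

    Field names are illustrative assumptions for this example; the guide
    describes the triggers but prescribes no data model.
    """
    new_relationship: bool = False
    occasional_transaction_aed: Optional[float] = None
    occasional_wire_transfer_aed: Optional[float] = None
    suspicion_of_ml_tf: bool = False
    id_documents_inadequate: bool = False
    # Outcomes of the separate name-screening step (sanctions / PEP lists).
    sanctions_match: bool = False
    pep: bool = False


@dataclass
class CddDecision:
    required: bool
    level: str                                  # "none", "standard" or "enhanced"
    reasons: List[str] = field(default_factory=list)
    senior_management_approval: bool = False    # required before dealing with high-risk customers
    consider_str: bool = False                  # consider an STR/SAR on the goAML platform


def evaluate_cdd(event: CustomerEvent) -> CddDecision:
    """Decide whether `event` triggers CDD, and at what level."""
    reasons: List[str] = []

    # Triggers from "When is CDD required?" / "When is CDD conducted?".
    if event.new_relationship:
        reasons.append("new business relationship")
    amt = event.occasional_transaction_aed
    if amt is not None and amt >= OCCASIONAL_TRANSACTION_THRESHOLD_AED:
        reasons.append(f"occasional transaction of AED {amt:,.0f} at or above "
                       f"AED {OCCASIONAL_TRANSACTION_THRESHOLD_AED:,}")
    wire = event.occasional_wire_transfer_aed
    if wire is not None and wire >= OCCASIONAL_WIRE_TRANSFER_THRESHOLD_AED:
        reasons.append(f"occasional wire transfer of AED {wire:,.0f} at or above "
                       f"AED {OCCASIONAL_WIRE_TRANSFER_THRESHOLD_AED:,}")
    if event.suspicion_of_ml_tf:
        reasons.append("suspicion of ML/TF")
    if event.id_documents_inadequate:
        reasons.append("identification data inadequate, unreliable or suspicious")

    # Screening hits: PEPs and sanctioned parties are high-risk and need EDD;
    # a status change after onboarding also warrants a KYC refresh (ongoing DD).
    high_risk = False
    if event.pep:
        reasons.append("customer is a politically exposed person")
        high_risk = True
    if event.sanctions_match:
        reasons.append("name matches a sanctions list")
        high_risk = True

    if not reasons:
        return CddDecision(required=False, level="none")

    return CddDecision(
        required=True,
        level="enhanced" if high_risk else "standard",
        reasons=reasons,
        senior_management_approval=high_risk,
        consider_str=event.suspicion_of_ml_tf,
    )


if __name__ == "__main__":
    # Constructed sample events, not real customer data.
    for ev in (CustomerEvent(occasional_transaction_aed=54_999),
               CustomerEvent(occasional_wire_transfer_aed=3_500),
               CustomerEvent(new_relationship=True, pep=True),
               CustomerEvent(suspicion_of_ml_tf=True)):
        print(evaluate_cdd(ev))
```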

Fundamentals of Customer Due Diligence

At the initial level, CDD starts by verifying the identity of the customer and understanding the nature of its business. The entire CDD process involves certain steps and a few regulatory obligations imposed on DNFBPs under AML/CFT regulations, as follows:

1. Identification of customer

DNFBPs should first identify their customers by seeking personal information like name, date of birth, nationality, and address. This should further be backed by conclusive evidence issued by the Government in the form of a passport, ID Card, Driving License, etc. Businesses need to implement a comprehensive customer identification program (CIP) to comply with legal requirements.

2. Beneficial ownership

Customer Due Diligence measures should identify the beneficial owner of the customer or proposed transaction. This includes understanding the customer’s ownership and control structure.

3. Business Relationship

After verifying the customer and identifying business ownership, DNFBPs should focus on obtaining information related to the nature of the business relationship the client intends to establish.

Step-by-Step CDD Process

1. KYC - Identification and Verification

The foremost step of the CDD process is identifying and verifying the identities of customers before entering into business relationships with them. This process is what we call Know-Your-Customer (KYC). KYC is a fundamental element of the CDD process.

KYC is further divided into two steps: identification and verification of the customer.

a) Identification and collection of customer information

The first step of CDD is to get the essential information from customers or potential customers. A Know Your Customer Form or KYC form can be maintained for this purpose. The information to be obtained for the purpose of AML due diligence includes the following:

– KYC for Natural Persons

Here is the list of information to be sought from the customer:

  • Complete Name
  • Address of the customer
  • Contact numbers
  • Additional/ alternative contact numbers
  • Valid, accessible, and working email address
  • Place of birth
  • Date of birth
  • Nationality
  • Gender
  • Government-issued identification number
  • Occupation
  • Signature

Along with the above, at a minimum, a copy of the ID document and proof of address are also obtained.

– KYC for Legal Entities

Here is the list of information to be sought from the customer who is a business entity:

  • Name of the business entity
  • Type of the business entity
  • Nature of the entity’s business
  • Date and place of establishment
  • Information related to the board of directors
  • Certificate of establishment/incorporation
  • Information related to shareholders or ultimate beneficial owners
  • Annual report for the previous year
  • Information pertaining to senior management

Along with the above, a copy of the trade license, Memorandum of Association, Articles of Association, address proof, UBO details, and organisation chart are also obtained.

In high-risk situations, source of funds and source of wealth information is also obtained.

b) Verification of the customer

The second step of KYC under the CDD program is to verify all the information collected in the identification step. Most of the collected data can be confirmed through a government agency’s site or a reputable independent institution. For instance, documents like identity cards, tax receipts, and passports can be verified on the respective government portals based on the unique number associated with them.

2. Name Screening

Name screening is done in order to identify if the customer is a sanctioned individual or entity, a politically exposed person or a person with a criminal history and adverse media references. The primary objective behind carrying out the process of name screening is to check that the customers do not fall under the following categories:
  • Sanctioned individual or an entity
  • Politically Exposed Persons (PEPs)
  • Reported in Media with alleged involvement in any criminal activities

3. Customer Risk Profiling

At this stage, the AML Compliance Officer determines the risk level of each customer or potential customer based on various factors. While performing risk-based customer due diligence, the following risk factors are taken into consideration:
  • Type and nature of business relationship/transaction
  • Nationality of the customer
  • Political exposure of the customer
  • Mode of payment (Cash, Bank Transfer, Cheque)
  • Net worth of the individual
  • Documentary evidence available
  • Amount of transaction
  • The complexity of business structure
  • Local/international business
  • Transaction with a customer based in a blacklisted country
  • Transaction with a customer based in a grey-listed country etc.

Customer Risk Rating

Once the customer risk profile is identified, DNFBPs and FIs can decide the type of monitoring and level of controls to be imposed on such customers. The customers are classified into low-risk, medium-risk, and high-risk categories to determine the extent and frequency of monitoring required.

4. Ongoing Monitoring

Once the Customer Due Diligence process is completed and the risk classification has been decided, the customer’s risk profile must still be monitored regularly. All financial transactions on identified accounts should be monitored. The customer’s behaviour, accounts, and transactions must remain consistent with their usual activity, and this needs to be tracked continuously. The frequency of ongoing due diligence is determined by the risks involved.

5. Reporting Suspicion

While applying CDD measures, if the reporting entity comes across any suspicion or reasonable grounds suggesting that a customer is involved in criminal activity, it must conduct a thorough investigation and report that information on the goAML platform via a suspicious activity report (SAR). It should be noted that all employees, company directors, and officers are prohibited from tipping off customers that a SAR/STR has been filed against them.

Additionally, they need to file other reports, such as HRC and HRCA, when engaging with a customer belonging to a high-risk country.

6. Record Keeping

This is the final stage of the entire AML CDD process. At this stage, one has to maintain the CDD-related records in accordance with the retention policies of the business organisation and as prescribed under AML/CFT regulation. In the UAE, AML/CFT regulations require maintenance of Client Due Diligence and other AML/CFT-related records for a period of 5 years from the relevant dates.

However, the record keeping duration varies from one supervisory authority to another.

  • The Virtual Assets Regulatory Authority (VARA) mandates Virtual Assets Service Providers (VASPs) to maintain records for a duration of 8 years.
  • Dubai International Financial Centre (DIFC) requires DNFBPs to maintain AML/CFT compliance and CDD records for 6 years.
  • Abu Dhabi Global Market (ADGM) requires DNFBPs and VASPs to maintain AML/CFT compliance and CDD records for 6 years.
Systematic record keeping enables a DNFBP to meet its reporting obligations under AML/CFT regulations and to furnish such details to the relevant supervisory authorities when demanded in the context of any Suspicious Transaction Report filed by the DNFBP.

What risks does a reporting entity face if it fails to carry out CDD?

If a reporting entity like a financial institution, DNFBP, or VASP does not carry out Customer Due Diligence, it harms its reputation and exposes itself to various risks like ML/FT and PF. It may also be subjected to administrative penalties. Further, a regulated entity must not enter into a business relationship if it fails to carry out customer due diligence, and it should consider filing a SAR/STR with the UAE FIU.

Types of Customer Due Diligence

Reporting entities deal with different types of customers, having different backgrounds, reasons for business establishment, wealth structures, etc. Similarly, risks associated with customers also vary, requiring different kinds of measures to deal with them.

To enhance the overall capabilities of the AML framework, reporting entities need to undertake different CDD procedures.

The following are different types of CDD processes that the reporting entity needs to undertake:

1. Simplified Due Diligence

Simplified customer due diligence applies when the customer belongs to a low-risk category. Under a simplified customer due diligence process, the Designated Non-Financial Business and Professions (‘DNFBP’) is required to know the customer’s identity and basic details, and there is no need to carry out detailed due diligence.

2. Standard Due Diligence

Generally, DNFBPs adopt Standard Customer Due Diligence procedures for the majority of the customers. As a part of this process, the identity of the respective customer is verified from several reliable sources. In addition to that, DNFBPs also determine and evaluate the nature of the customer’s business or the customer’s purpose for entering into a transaction with the DNFBP.

3. Enhanced Due Diligence

Enhanced Due Diligence is usually required only for those customers who carry a high risk rating and are more likely to be involved in money laundering or financing of terrorism. Several factors clearly establish that a particular customer comes from a high-risk background. For instance, Politically Exposed Persons (PEPs) are usually categorised as high-risk customers and require enhanced customer due diligence.

With the help of enhanced customer due diligence, the information of the customers is verified, and critical information like the origin or the source of their funds, source of wealth, and the primary purpose of the transaction is obtained.

Further, as part of the enhanced CDD measures, it is ensured that the customer makes the payment from a bank account in the customer’s own name.

It is also required to obtain approval from senior management before entering into a transaction with high-risk customers. Once you meet the above Enhanced Due Diligence Requirements, you can carry out transactions with the customer.

Ongoing Due Diligence

The risks associated with a customer change over a period of time. One needs to have a proper monitoring system in place to detect changes in customer profiles. Ongoing due diligence should aim at discovering changes in the attributes related to a customer. Say a customer becomes a Politically Exposed Person or is placed on a Sanctions list. The KYC software should trigger alerts for the compliance officer the moment it detects changes in the customer profile, which necessitates a change in the risks associated with them.

Unless regulated entities require customers to provide their KYC documents on a regular basis, it becomes difficult to detect changes in their risk profile. A change in risk profile would also be reflected in the transaction patterns associated with a customer.

A high-risk customer should be placed under more frequent monitoring and CDD refresh.

Here’s a checklist of circumstances requiring KYC refresh:
  1. Changes in the beneficial owner
  2. Customers making unusual transactions not aligned with their profile
  3. Changes in a business relationship with a customer
  4. Changes in ownership structure at the customer’s end

Why is CDD necessary?

As mentioned above, CDD is a crucial process for assessing risks associated with customers and ensuring regulatory compliance.

Here’s a list of reasons that make undertaking the CDD process necessary:

Take a Risk-Based Approach

It is important for reporting entities to adopt the risk-based approach to help them assess risks based on different factors like geographical location, nature of business, etc. CDD facilitates taking a risk-based approach by adopting measures that assess the level of risk associated with the customers, which allows them to tailor their risk management strategies and allocate resources to high-risk customers where they are most needed.

Prevent Financial Crimes

It is important for reporting entities to employ measures that help prevent and detect financial crimes, including ML/FT and PF. For this purpose, reporting entities undertake CDD measures, which aid in identifying and mitigating the ML/FT and PF risks. Further, CDD helps them detect and prevent suspicious activities by verifying the identities of customers and understanding the nature of their transactions.

ML/FT Risk Management

The whole reason why reporting entities adopt an AML framework is to effectively manage ML/FT and PF risks. The CDD process helps them to effectively manage the ML/FT and PF risks associated with customers. Additionally, by implementing robust CDD procedures, reporting entities can identify high-risk customers and transactions and, based on that, implement appropriate control measures and report suspicious activities.

Maintain Reputation

It is essential for reporting entities to maintain their reputation in order to grow and keep doing business. Undertaking CDD practices helps reporting entities to effectively detect and deter ML/FT and PF risks associated with customers, which further aids them in maintaining their reputation in the eyes of regulators and customers, which is essential for long-term success.

Maintain Financial Integrity

The business of reporting entities depends highly on the financial sector in which they are working. For this reason, they need to take actions that help maintain financial integrity. Employing effective CDD processes prevents illicit activities, which aids in maintaining and upholding the integrity of their operations and financial system and further contributes to a safer and more transparent financial environment.

Comply with Regulations

Reporting entities are mandated to comply with the regulatory framework. In UAE, the AML/CFT legal framework requires reporting entities to comply with regulations. Therefore, undertaking CDD practices helps them fulfil their regulatory obligations and avoid penalties, legal consequences, and reputational damage.

Benefits of Effective CDD Measures

Implementing robust CDD measures helps reporting entities to effectively assess the risks associated with customers.

The following are some points highlighting the benefits of undertaking an effective CDD process:

Risk Mitigation

CDD helps reporting entities check the background and activities of customers, which helps them to easily assess the ML/FT and PF risks associated with customers and accordingly take mitigation measures.

Regulatory Compliance

Conducting CDD measures is a regulatory requirement. Therefore, reporting entities must undertake effective CDD processes to comply with regulatory requirements, which is essential to avoid fines, penalties, and legal actions.

Decision Making

Employing CDD measures helps reporting entities get valuable insights about customer identities, which aid in decision-making about onboarding, monitoring, or terminating customer relationships. Furthermore, it helps them assess whether customers align with their risk appetite and business objectives.

Prevention of Financial Crime

CDD helps reporting entities to identify and verify the identities of customers, which in turn prevents financial crimes such as ML/FT and PF, thus safeguarding the integrity of the financial system.

Adoption of a Risk-Based Approach

CDD measures facilitate reporting entities to adopt a risk-based approach to the AML compliance framework. This helps them to employ focused measures for high-risk customers and transactions while applying less-intensive measures to lower-risk ones.

Base for Enhanced Due Diligence

CDD processes help identify high-risk customers, such as PEPs or sanctioned individuals. This forms the basis for conducting EDD to gather additional information and mitigate the associated risks.

Facilitates Ongoing Monitoring

CDD is a continuous process that monitors customer activities for any suspicious behaviour or changes in risk profile. This helps reporting entities meet their ongoing compliance and risk management obligations.

Limitations of CDD

Although CDD is one of the important elements of the AML/CFT framework, there are various limitations of CDD in combating financial crimes and ensuring regulatory compliance.

Here’s the list of limitations of CDD:

Complexity

CDD requires undertaking thorough processes and procedures to gather and analyse various types of information about customers, their transactions, and potential risks. This makes the entire CDD process intricate and complex.

Reliance on Third Party

The main element of the CDD process is collecting and verifying data. For this purpose, reporting entities need to gather information from external sources, which introduces their dependencies on third parties, increases potential inaccuracies in the data, and further makes the verification process lengthy and complex.

Resource Intensive

Undertaking thorough investigations and monitoring processes, especially for large volumes of customers or transactions, requires significant resources in terms of time, experts, and technology. Therefore, CDD takes up a lot of resources, which indirectly impacts the efficiency of the reporting entities.

Difficulty in identifying UBOs

Reporting entities deal with many kinds of customers. Determining the true beneficiaries or owners of complex corporate structures across such a customer base can be challenging, especially in cases of shell companies or foreign entities.

Dynamic Nature of Risk

Financial crimes keep evolving, and criminals find new ways to facilitate their activities, including ML/FT and PF. This requires the reporting entity to take additional measures to adapt and stay updated to effectively mitigate these risks, making the CDD process more complicated and lengthier.

Dynamic Regulatory Framework

Compliance requirements and regulations related to CDD may change frequently to combat the dynamic nature of financial crimes. This evolving legal landscape makes it difficult for reporting entities to stay consistently compliant.

Privacy Issue

The CDD process involves collecting, verifying, and maintaining customer information. However, this often leads to resistance from customers who are concerned about sharing their personal information for privacy reasons. This reluctance poses a significant challenge, as it can make the CDD process seem intimidating and unwelcoming to customers.

Time Consuming

A thorough CDD process requires undertaking various processes and practices, which can be time-consuming. This leads to delays in onboarding new customers or processing transactions, which not only impacts customer experience but also affects the overall efficiency of business operations.

Best Practices for Effective CDD Program

Employing CDD is of utmost importance for the reporting entities to combat the ML/FT and PF risks. However, the CDD program should be effective and capable of detecting and preventing risks associated with customers or transactions. Therefore, to adopt an effective CDD program, they need to incorporate a few best practices.

Here are some practices that reporting entities can employ for adopting a comprehensive CDD program:

Adopting a Risk-Based Approach

Reporting entities engage with various customers who pose different levels of risk. Therefore, they need to adopt tailored CDD measures based on the customer’s risk profile. For this purpose, they should implement a risk-based approach while employing CDD measures that consider various risk factors like their industry, geographical location, transaction volume, and the products or services they use. Risks must be prioritised for their impact, and commensurate controls must be put in place.

Establishing CDD measures

CDD is a thorough program that requires undertaking CDD measures. Therefore, reporting entities should clearly define the steps and requirements of processes for undertaking CDD on new and existing customers.

Name Screening for Sanctions, PEP, and Adverse Media Checks

CDD is all about assessing the risk associated with customers by identifying and verifying their profiles and activities. As part of the CDD screening process, reporting entities should implement robust screening processes to identify any matches with sanction lists, politically exposed persons (PEPs), or adverse media coverage. This helps them mitigate the risk of customers involved in illegal or high-risk activities.

CDD Process Automation

Reporting entities should automate their CDD process using modern solutions and technologies to retrieve and evaluate data, determine risk levels, and make customer onboarding decisions based on results. This automation helps them to streamline their AML compliance efforts, which reduces manual errors and enhances the effectiveness of their risk management strategies in countering ML/FT and PF risks.

Data Security Measures

The main element of CDD is collecting information from customers. However, holding that information becomes a challenge when customers are hesitant about sharing private details. Therefore, to safeguard customer information and sensitive data, reporting entities should put in place effective data security measures such as encryption, access controls, regular security audits, and compliance with data protection regulations.

Regulatory Reporting

Reporting entities are required to assess suspicious activities and ensure compliance with relevant regulatory requirements by accurately reporting them to the appropriate authorities. While conducting CDD and assessing customer risk, they should stay alert to any suspicious activities or transactions. Further, based on the assessment, they should file STR/SAR reports or other regulatory filings on the goAML portal as soon as possible.

Periodic Reviews

Onboarding customers, as well as engagement with customers, is an ongoing process. Therefore, reporting entities should conduct regular reviews of customer information and transaction activity to ensure ongoing compliance with CDD requirements. They should also update customer profiles as necessary based on changes in risk profile or regulatory requirements.

CDD Training Programs

Conducting CDD requires expertise. For this purpose, reporting entities should provide comprehensive training to employees involved in the CDD process so they can easily understand their roles and responsibilities. These training programs should cover regulatory requirements, risk assessment methodologies, and the use of CDD tools and systems.

Record Keeping

It is a compliance requirement that reporting entities keep records of their AML measures. Therefore, they need to maintain thorough and accurate records of CDD activities, including KYC documents, risk assessments, and transaction records. This documentation is essential for audit purposes, for submission to the regulatory authorities when requested, and for demonstrating compliance with regulatory requirements.

AML Customer Due Diligence Checklist

Here is the CDD checklist that the compliance team must follow to ensure that they don’t miss out on any of the customer due diligence steps:
  1. Collect Customer ID and Residential Proof
  2. Verify Customer ID and Residential Proof
  3. Perform screening against the UAE Local Terrorist List and UNSC Sanctions List
  4. Perform Customer Risk Assessment
  5. Ongoing Monitoring of Business Relationships with Customer
  6. Record Keeping for 5 Years

Final Words on Effective CDD Process

Anti-Money Laundering Customer Due Diligence is an important element of an effective AML/CFT Program. Customer Due Diligence is the primary responsibility of the compliance team and frontline employees. Customer Due Diligence checks help identify red flags and counter ML/TF risks.

AML UAE provides consulting services on customer onboarding, KYC processes, CDD, and risk profiling of customers. If you are looking to automate your CDD functions, we can help you with the customer due diligence software. We also provide training on customer due diligence procedures and help you comply with UAE AML laws and regulations.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

Automated AML Compliance Software: Cutting Costs Without Cutting Corners

Key Takeaways

  • Traditional AML/CFT compliance processes are inefficient and time-consuming
  • Automated AML Compliance Software can help automate various compliance tasks like KYC, Screening, Risk Assessment, Transaction Monitoring, Regulatory Reporting, and Record Keeping
  • AML Software is the need of the hour to remain compliant with Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006 and Tranche 2 amendments

Along with advances in the financial market and enabling technologies, criminals are using technology to conduct illicit activities like fraud, money laundering, etc. The regulatory authorities are bringing in new laws and amending the existing laws to control the menace of financial crimes. Traditional AML compliance methods are not only costly and time-consuming but are highly inefficient in handling ever-increasing transaction volumes. Hence, financial and non-financial institutions are under pressure to stay updated and comply with these ever-changing rules. Automated AML Compliance Software makes it easier for businesses to stay compliant with Australia’s Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006 and other relevant regulations to ensure they don’t inadvertently facilitate illegal activities such as money laundering and terrorism financing.

Reporting entities are required to comply with various AML/CFT obligations such as sanctions screening, KYC, risk assessment, ongoing monitoring, and regulatory reporting. Automated AML Compliance Software helps regulated entities meet these regulatory requirements and achieve a high degree of efficiency.

Benefits of Automated AML Compliance Software

Automation makes it easier for reporting entities in Australia to stay compliant in a smoother and more efficient way. The benefits of Automated AML Compliance Software include quicker decision-making, streamlined tracking and audit trails, improved compliance, reductions in time and cost, and smoother communication channels within the organization and with external law enforcement agencies.

With automation, businesses can overcome the challenges faced by traditional methods of working, which include the following:

  • Automated AML software helps serve more customers by automating KYC, sanctions screening, and risk assessment processes.
  • Automation in AML compliance processes reduces the room for error and helps achieve a high degree of customer satisfaction.
  • Automated AML Compliance Software helps achieve efficiency in compliance operations.
  • AML Compliance Software helps bring systematization to various tasks like customer due diligence and regulatory reporting and reduces the chances of non-compliance.
  • AML Compliance Software helps implement regulatory changes quickly. The customization options available in the software help roll out new rules across the organization.

How Does an Automated AML Compliance Software Help Reporting Entities?

Maximises Operational Efficiency

Complying with AML laws means handling enormous amounts of data, which is complicated, costly, and inefficient if done manually. Automated solutions reduce costs by cutting the time and manual workload involved and help businesses stay in line with Australian regulatory requirements, such as those set by AUSTRAC (Australian Transaction Reports and Analysis Centre). By reducing false positives, they allow the compliance team to focus on the more critical, high-risk cases, while the software performs day-to-day tasks like KYC and CDD.

Faster Decision-Making

By automating the AML process, reporting entities save time and reduce the resources required for manual compliance checks. Technology-backed solutions analyse complicated scenarios quickly without tying up staff. Even where human intervention is required, the software rapidly identifies and assesses potential risks and flags suspicious activities with accurate, insightful results, which the compliance team can then prioritize and review.

For example, if a customer transfers a very large sum of money that is inconsistent with the nature of its business to a high-risk jurisdiction, the system will flag the transaction as suspicious.

Streamlined Screening Process

It is difficult to conduct screening manually. All checks against a customer, such as PEPs, sanctions screening, involvement in any sort of crime, court cases, or negative media, can be done in seconds with the help of automation. Name screening software can instantly cross-check individuals and entities against global and local sanction lists, such as the Australian DFAT Sanctions List, OFAC Sanctions List, lists of politically exposed persons (PEPs), and adverse media. This allows for real-time screening of customers during the onboarding process and before initiating high-risk transactions.

Access to global databases

AML Compliance software can be easily integrated with global databases such as:
  • PEP Lists (local and international)
  • Sanction Lists (Australian DFAT, OFAC, EU, UK)
  • Negative media news
  • Watchlists provided by law enforcement agencies
This gives the business the ability to screen an individual or entity accurately against these lists in real time. Further, changes to the sanctions lists are fetched automatically by the sanctions screening software, which ensures that a person is always screened against the latest versions of the lists.

Scalability

With the help of an automated AML system, higher volumes of transactions can be handled without compromising efficiency or accuracy. Likewise, when a new type of financial instrument is introduced or if there is a change in payment methods, the software can be quickly updated or customized to ensure that transactions involving new products are adequately monitored for suspicious activity.

SaaS-Based Solutions

When an AML compliance solution is procured as SaaS (Software-as-a-Service), businesses benefit from greater customization and flexibility as well as cost-effectiveness and scalability. The ability to tailor the solution to the size, nature, and jurisdiction of the business helps companies comply with both local and global regulations. The SaaS model also provides a fast and efficient way to deploy upgrades and respond to unanticipated changes in the law, enabling businesses to stay compliant without disruption.

World-Class Customer Experience

KYC solutions coupled with the KYC Self-Service module help capture required KYC information in no time. It helps onboard customers quickly, providing a world-class customer experience resulting in a positive brand image and growth in revenues.

Automated AML Systems: A smart way to remain compliant

The cost of non-compliance is always greater than the cost of compliance. Non-compliance can lead to loss of business, loss of customer trust, reputational damage, and heavy fines. Automated compliance software helps avoid all of this; it is an investment that pays off in both the short and the long term.

Risk management can be done efficiently. Human resources are saved from error-prone heavy workloads. This saved time can then be utilized for other critical tasks. While it is difficult for all employees to follow exactly the same steps for a compliance process, the automated solution does the work in a systematic manner which can be configured easily.

A significant amount of money can be saved with automation. Below are some key pointers which conclude why it is smart to invest in automated solutions:

  • Saves time by doing the task accurately and efficiently
  • Human negligence can be avoided
  • Saves money as fewer human resources are required
  • Adherence to the law to avoid penalties
  • Helps in brand building
  • Maintains customer faith
  • Easy reporting and communication with government agencies

Conclusion

In conclusion, automated compliance software is the need of the hour. Whether it is the accuracy of the data points collected for the KYC/CDD process, reducing false positives, making quick decisions by processing large amounts of data, or reporting in a timely manner, all of it becomes possible through automation of the compliance processes.

Automated AML Compliance Software can be easily integrated with global databases, which helps with accurate risk assessment. Changes to internal compliance policies or to the applicable laws can be configured swiftly without disrupting day-to-day operations, thus saving the cost of non-compliance. With a streamlined compliance workflow, businesses can identify potential threats more easily, and staff stay vigilant against criminal practices and better equipped to fight them.

One-Stop Guide to Building a Strong AML/CTF/CPF Program

In a world where financial systems form the backbone of global commerce, protecting these systems from financial crime is of utmost importance. In the UK, Relevant Persons under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) are required to implement Anti-Money Laundering, Counter-Terrorist Financing, and Counter Proliferation Financing (AML/CTF/CPF) measures. Building a strong AML/CTF/CPF Program helps Relevant Persons meet their AML/CTF/CPF obligations as well as detect, manage, and mitigate financial crime risks.

In this blog, we will discuss the meaning, need, and components of a strong AML/CTF/CPF Program.

What Is an AML/CTF/CPF Program?

An AML/CTF/CPF Program defines and lays down the standards, practices, policies, procedures, governance, controls, and other related aspects that a Relevant Person has put in place to protect itself from financial crimes such as Money Laundering, Terrorist Financing, and Proliferation Financing (MLTPF) and to meet its AML/CTF/CPF regulatory obligations. It serves as a comprehensive framework, demonstrating the Relevant Person's commitment to AML/CTF/CPF compliance and establishing a compliance culture throughout its organisational structure.

Why Is an AML/CTF/CPF Program Required?

Enhances Protection Against MLTPF Risks

The various components of the AML/CTF/CPF Program are all geared towards detecting, reporting, and mitigating financial crimes, enhancing the Relevant Person’s ability to protect itself from MLTPF risks. For example, a Firm-Wide Risk Assessment helps Relevant Persons evaluate their MLTPF risk exposure, while AML/CTF/CPF Policies, Procedures, and Controls establish systems to manage the risks.

Facilitates Compliance with AML/CTF/CPF Obligations

An AML/CTF/CPF Program helps Relevant Persons put in place systems to meet their compliance obligations under the AML/CTF/CPF regulatory regime in a comprehensive manner.

Establishes a Mechanism for Investigation and Reporting of MLTPF Risks

Reporting MLTPF through the Suspicious Activity Report (SAR) is a mandatory requirement for Relevant Persons. An AML/CTF/CPF Program establishes mechanisms to identify MLTPF risks through red-flags, monitoring software, and internal investigation. It also lays down the procedures and timing of SAR submission.

Enables Continuous Improvement

Once an AML/CTF/CPF Program is defined and put in place, it allows Relevant Persons to continually review and revise their existing systems to ensure that they remain up to date and resilient enough to mitigate evolving MLTPF threats.

Establishes a Culture of AML/CTF/CPF Compliance

Framing and implementing an AML/CTF/CPF Program portrays a Relevant Person’s commitment to fighting against financial crime risks, as well as ensures the inculcation of AML/CTF/CPF compliance culture throughout the organisational structure of the Relevant Person.

Delineates Roles and Responsibilities of AML/CTF/CPF Functions

An AML/CTF/CPF Program clearly defines and delineates roles and responsibilities for the performance of AML/CTF/CPF compliance functions. For example, front-facing staff may be tasked with collecting customer information for customer identification and verification, while the AML/CTF/CPF Compliance Officer may be tasked with overseeing the effective implementation of the Program.

After discussing why making and implementing an AML/CTF/CPF Program is essential, let us now discuss the various components to include for a comprehensive AML/CTF/CPF Program.

Components of an AML/CTF/CPF Program

Firm-Wide Risk Assessment

Under MLR 2017, conducting a Firm-Wide Risk Assessment (FWRA) is mandatory for Relevant Persons. An FWRA is the process of identifying and assessing the MLTPF risks that a Relevant Person is exposed to, after considering a range of

The FWRA is therefore the foundational step in building an AML/CTF/CPF Program. It helps Relevant Persons assess their risk exposure and adopt the most appropriate risk mitigation measures, focusing their limited resources on the areas of higher risk.

AML/CTF/CPF Risk Management Practices

This includes practices the Relevant Person has implemented to manage the risks assessed during FWRA, its risk appetite, derisking policies, etc. This includes risk management tools such as AML software solutions, decision-making hierarchy regarding risks, etc.

AML/CTF/CPF Governance

A Relevant Person must define and establish an internal control and governance structure for AML/CTF/CPF compliance. This section of the Program must also set out the duties and responsibilities of the relevant roles.

The governance structure must designate the roles and responsibilities of the following positions:

  • Compliance Officer: The compliance officer is the individual in charge of the Relevant Person's compliance under MLR 2017. This individual must be a member of the board of directors or of the senior management of the Relevant Person.
  • Nominated Officer: The Nominated Officer of a Relevant Person is in charge of receiving disclosures under the Terrorism Act 2000 or the Proceeds of Crime Act 2002. Whenever an employee of the Relevant Person detects an MLTPF risk, the employee must make an internal report to the Nominated Officer. The Nominated Officer must review and investigate the internal report and, where appropriate, report the matter to the UK's National Crime Agency (NCA), which houses the UK Financial Intelligence Unit.
    Under MLR 2017, when a Compliance Officer or Nominated Officer is appointed, or there is a subsequent change to the appointment, the Supervisory Authority must be informed within 14 days.
  • AML/CTF/CPF Compliance Department: The AML/CTF/CPF Compliance Department is established under the AML/CTF/CPF Compliance Officer and helps the Relevant Person comply with all its AML/CTF/CPF obligations. This department may include roles such as:
    • Screening Analyst
    • KYC Analyst
    • Risk Analyst
    • Compliance Analyst
    • Subject Matter Experts
  • Frontline Employees: These are the employees who interact with the customers directly and are in a unique position to identify MLTPF red flags through customer behaviour, hesitancy in providing customer details, etc. They also perform AML/CTF/CPF tasks such as customer identification and verification, conducting name screening, etc.

Customer Due Diligence

Customer Due Diligence (CDD) is a mandatory part of a Relevant Person’s compliance obligations under MLR 2017. Under the AML/CTF/CPF Program, a Relevant Person must lay down the policies and procedures for the following components of a CDD process:
  • Identification and verification of the customer and their Beneficial Owners and persons authorised by the customer to act on their behalf
  • Obtaining information on the purpose and nature of the business relationship, or occasional transaction
  • Conducting Name Screening, which includes Sanctions Screening, Politically Exposed Person (PEP) Screening, Adverse Media Screening
  • Customer Risk Assessment (CRA), including its methodology and assigning risk scores and levels to various risk factors
  • Type of CDD to be adopted based on the level of MLTPF risks a customer poses, as assessed during the CRA process
  • Ongoing CDD to ensure that the information collected during the CDD process is updated and accurate

Sanctions Compliance Policy

If a sanctions match is found during CDD and Sanctions Screening, it must be reported to the Office of Financial Sanctions Implementation (OFSI), the authority responsible for implementing financial sanctions in the UK. The Relevant Person is obligated to follow the compliance requirements of the laws governing the sanctions regime, including the Sanctions and Anti-Money Laundering Act 2018, the Counter-Terrorism Act 2008, and the Anti-Terrorism, Crime and Security Act 2001.
The AML/CTF/CPF Program of the Relevant Person must detail:
  • Sanctions Screening mechanisms, including screening software, subscribing to the required sanctions lists such as the UK Sanctions List, etc
  • Procedures on disambiguating sanctions screening results, and if a match is found, reporting the same to the OFSI
  • Procedures on Asset Freezing, preventing transactions or access to financial resources to the designated persons or organisations
  • Training employees on sanctions compliance

Customer Acceptance and Exit Policy

In this part of the AML/CTF/CPF Program, the Relevant Person should define its policies with respect to customer engagement. This includes the factors that make a customer acceptable to the Relevant Person, based on the Customer Risk Profile, or circumstances that make a customer unacceptable. It should also describe situations in which a Relevant Person would adopt derisking measures, to avoid MLTPF risks it cannot manage.

Transaction Monitoring and Ongoing Monitoring

A Relevant Person must specify its transaction monitoring and ongoing monitoring policies and procedures, as well as the mechanisms it has adopted to achieve the same. Monitoring must be conducted throughout the course of the business relationship for:
  • Transactions to ensure that the same is in line with the customer’s business, risk profile, and known information about the customer. MLR 2017 specifies that the following transactions should be scrutinised:
    • Complex transactions
    • Transactions that are unusually large
    • Unusual patterns in transactions
    • Transactions without economic or legal purpose
    • Transactions indicating MLTPF risks
  • Existing customer records and information to ensure that the same are accurate and up-to-date
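The scrutiny criteria listed above, and the Australian example earlier on this page of a large transfer to a high-risk jurisdiction, are usually implemented as rules that run over each customer's own transaction history rather than against a single global figure. The following is an added example, not code from the page or from any vendor's product, of three such rules in Python: a transaction that is unusually large for this customer (or larger than the monthly turnover the customer declared at onboarding), a counterparty in a jurisdiction the firm's own risk assessment rates high-risk, and a structuring pattern of repeated transfers kept just under a reporting threshold. The jurisdiction codes, the 10,000 reporting threshold, the 10x multiplier, and all customer and transaction records are constructed placeholders; a real deployment takes these parameters from the Firm-Wide Risk Assessment and the Customer Risk Assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import List

# Constructed reference data (not from the page). The firm's own Firm-Wide
# Risk Assessment decides which jurisdictions are high-risk; the codes and
# the reporting threshold below are hypothetical placeholders.
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}
REPORT_THRESHOLD = 10_000.0          # hypothetical reporting threshold
STRUCTURING_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Customer:
    customer_id: str
    declared_business: str            # nature of business captured during CDD
    expected_monthly_turnover: float  # figure obtained at onboarding
    risk_rating: str                  # outcome of the Customer Risk Assessment


@dataclass(frozen=True)
class Txn:
    txn_id: str
    when: datetime
    amount: float
    counterparty_country: str
    description: str


@dataclass(frozen=True)
class Alert:
    rule: str
    txn_id: str
    detail: str


def monitor(customer: Customer, history: List[Txn], new_txns: List[Txn]) -> List[Alert]:
    """Apply three monitoring rules to each new transaction and return the alerts.

    The customer's own history provides the baseline, so "unusually large" is
    judged relative to this customer rather than to a global threshold.
    """
    alerts: List[Alert] = []
    baseline = median(t.amount for t in history) if history else customer.expected_monthly_turnover
    everything = sorted(history + new_txns, key=lambda t: t.when)
    for t in new_txns:
        # Rule 1: far above this customer's typical transaction, or more than the
        # whole month's turnover it declared, in a single transaction.
        ceiling = max(10 * baseline, customer.expected_monthly_turnover)
        if t.amount > ceiling:
            alerts.append(Alert("UNUSUALLY_LARGE", t.txn_id,
                                f"{t.amount:,.2f} exceeds ceiling {ceiling:,.2f} "
                                f"for a {customer.declared_business}"))
        # Rule 2: counterparty in a jurisdiction the FWRA rates as high-risk.
        if t.counterparty_country in HIGH_RISK_JURISDICTIONS:
            alerts.append(Alert("HIGH_RISK_JURISDICTION", t.txn_id,
                                f"transfer to {t.counterparty_country} by a "
                                f"{customer.risk_rating}-risk customer"))
        # Rule 3: structuring: three or more transfers kept just under the
        # reporting threshold inside a rolling window that ends at this one.
        recent = [x for x in everything
                  if t.when - STRUCTURING_WINDOW <= x.when <= t.when
                  and 0.9 * REPORT_THRESHOLD <= x.amount < REPORT_THRESHOLD]
        if len(recent) >= 3 and t in recent:
            alerts.append(Alert("STRUCTURING", t.txn_id,
                                f"{len(recent)} transfers just under {REPORT_THRESHOLD:,.0f} "
                                f"within {STRUCTURING_WINDOW.days} days"))
    return alerts


# Constructed sample: a small bakery whose history is a handful of supplier
# payments, followed by one large transfer abroad and three near-threshold
# payments on consecutive days.
SAMPLE_CUSTOMER = Customer("C-001", "retail bakery", 20_000.0, "medium")
SAMPLE_HISTORY = [
    Txn("T-001", datetime(2024, 1, 5), 900.0, "GB", "flour supplier"),
    Txn("T-002", datetime(2024, 1, 8), 1_200.0, "GB", "packaging"),
    Txn("T-003", datetime(2024, 1, 12), 1_500.0, "GB", "rent"),
    Txn("T-004", datetime(2024, 1, 15), 1_100.0, "GB", "flour supplier"),
    Txn("T-005", datetime(2024, 1, 19), 1_300.0, "GB", "utilities"),
]
SAMPLE_NEW = [
    Txn("T-101", datetime(2024, 2, 1), 1_050.0, "GB", "flour supplier"),
    Txn("T-102", datetime(2024, 2, 3), 250_000.0, "XX", "consultancy fee"),
    Txn("T-103", datetime(2024, 2, 5), 9_800.0, "GB", "equipment"),
    Txn("T-104", datetime(2024, 2, 6), 9_800.0, "GB", "equipment"),
    Txn("T-105", datetime(2024, 2, 7), 9_800.0, "GB", "equipment"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_CUSTOMER, SAMPLE_HISTORY, SAMPLE_NEW):
        print(a.rule, a.txn_id, a.detail)
```

On the sample data the 250,000 transfer raises both UNUSUALLY_LARGE and HIGH_RISK_JURISDICTION, and only the third 9,800 payment raises STRUCTURING, because the window rule needs three near-threshold transfers before it fires. Alerts are inputs to the Nominated Officer's investigation, not SARs in themselves; each rule's parameters should be documented in the Program so the independent audit function can test them.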

Employee Screening

A Relevant Person must establish policies and procedures to screen Relevant Employees before their appointment and throughout the duration of their employment.
The Relevant Employees include the following:
  • Employees involved in the Relevant Person’s compliance under MLR 2017
  • Employees contributing to the identification, detection, mitigation, and prevention of MLTPF risks faced by the Relevant Person
The Employee Screening must assess the following components:
  • Skills
  • Knowledge
  • Expertise
  • Conduct
  • Integrity

Suspicious Activity Reporting

The Relevant Person must establish an internal mechanism for reporting and investigating suspicious activities indicating MLTPF risks to ensure that the same is reported to the UK FIU, housed within the NCA, in a timely manner. The Relevant Person must implement policies and procedures for suspicious activity reporting, which must include the following:
  • Training staff to detect MLTPF threats promptly and to make an internal report to the Nominated Officer
  • Investigation of the MLTPF threat by the Nominated Officer and making the Suspicious Activity Report (SAR) to the NCA
  • Policy and Procedures for filing Defence Against Money Laundering (DAML)
  • Procedures to ensure that there is no “tip-off”
  • Policy on relationship with the customer after SAR filing

Staff Awareness and Training

MLR 2017 provides that the Relevant Persons must train their staff on the following:
  • MLTPF risks and red flags and AML/CTF/CPF law
  • Their responsibilities in the AML/CTF/CPF Program
  • The various components of the AML/CTF/CPF Program of the Relevant Person
  • The Relevant Person’s procedures and how to identify and address potential MLTPF risks, including making an internal report to the Nominated Officer
The staff training should be conducted regularly, with records maintained of the same. The AML/CTF/CPF Program of the Relevant Person must provide policies and procedures on staff training and awareness.

Independent Audit Function

As part of its AML/CTF/CPF Program, the Relevant Person must establish an independent audit function. The objective of the independent audit function is to examine and monitor the adequacy and effectiveness of the AML/CTF/CPF Program, detect any weaknesses, and recommend measures to address them.

Record Keeping

MLR 2017 provides that Relevant Persons must keep up-to-date and accurate records for five years on AML/CTF/CPF related tasks, which include the following:
  • CDD related information and documents
  • Records on transactions
  • Internal and external reports on suspicious activities
  • Training and its effectiveness
  • Compliance monitoring
The AML/CTF/CPF Program of the Relevant Person must include policies and procedures for maintaining these records for the required time period.

Data Protection Policy

MLR 2017 obligates Relevant Persons to ensure that any personal data collected for the purpose of fulfilling their obligations under MLR 2017 is processed only for the prevention of MLTPF. The processing must also adhere to the provisions of the Data Protection Act 2018.

The AML/CTF/CPF Program of the Relevant Person must include its Data Protection Policy, detailing its obligations and procedures to meet these obligations.

Building a Strong AML/CTF/CPF Program: Final Words

An effective AML/CTF/CPF Program is indispensable for ensuring compliance with regulatory obligations under MLR 2017. It fosters a culture of compliance and ethical conduct across the organisational structure of the Relevant Person, and ensures that staff at all levels understand their roles in the Program and implement it properly. Continuous improvement through health checks and independent audits, together with regular staff training and awareness, enhances the Relevant Person’s resilience against financial crime threats.

Lodging and Updating RORC information with ACRA: A Bird’s Eye View

Identifying the Ultimate Beneficial Owner (UBO) or Registrable Controller is an essential component of the Customer Due Diligence (CDD) process in Anti-Money Laundering (AML) compliance.

The Accounting and Corporate Regulatory Authority (ACRA) maintains a central registry of the registrable controllers of companies, foreign companies, and LLPs operating in Singapore. For this purpose, ACRA requires companies, foreign companies, and LLPs to lodge and update their RORC information with ACRA. This article explains ACRA’s regulatory requirements for maintaining the RORC.

Persons Qualified to Become Registrable Controllers

A registrable controller or beneficial owner is a natural or legal person having a significant interest or control over a company or a Limited Liability Partnership (LLP). For companies and foreign companies with a share capital, a registrable controller is someone having a significant interest, including:
  • Interest in more than 25% of the shares of the company or foreign company (irrespective of the class of shares or the value of shares) or
  • Interest in shares (except treasury shares) holding more than 25% of the voting power of the company or foreign company.
For companies or foreign companies without a share capital (such as companies limited by guarantee), a significant interest includes:
  • A direct or indirect share in more than 25% of the capital or profits of the company or foreign company

Having significant control includes having the following:

  • The right to appoint or remove directors who hold a majority of the voting rights at meetings of directors,
  • More than 25% of the voting rights in the matters that are decided by voting of shareholders
  • Exercises or has the right to exercise significant influence over the company or foreign company
If a person exercises or has the right to exercise any of the above significant interests or controls, then such a person is a controller. Companies, foreign companies, and LLPs have to set up and maintain a Register of Registrable Controllers (RORC).

Indirect Holding

Companies need to consider and analyse situations where an individual or a legal entity may not directly hold the above rights and may indirectly hold control through a legal entity or a chain of legal entities.
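Tracing an interest through a chain of legal entities is the part of this analysis that is most often done by hand and most often done wrong, because a person can hold a small direct stake and a further stake through an intermediate holding company, and only the aggregate tells you whether the 25% line is crossed. The following Python example is added here as an illustration and is not taken from the page or from ACRA; it implements the common look-through method, under which the interest carried through a chain is the product of each link's percentage and a person's direct and indirect interests are summed. That method is an assumption for this example: the page does not define how indirect interest is computed, and the "significant control" tests (appointing directors, significant influence) are not covered by an interest calculation at all. The company names and percentages are constructed.

```python
from fractions import Fraction
from typing import Dict, List, Set

# Ownership graph: entity -> {holder: fraction of that entity's shares held}.
# Any holder that never appears as a key is treated as a natural person.
Ownership = Dict[str, Dict[str, Fraction]]

# Constructed sample structure (not from the page):
#   Target Pte Ltd: 60% HoldCo A, 30% Bob, 10% Carol
#   HoldCo A:       50% Alice, 40% Carol, 10% Dave
SAMPLE: Ownership = {
    "Target Pte Ltd": {
        "HoldCo A": Fraction(60, 100),
        "Bob": Fraction(30, 100),
        "Carol": Fraction(10, 100),
    },
    "HoldCo A": {
        "Alice": Fraction(50, 100),
        "Carol": Fraction(40, 100),
        "Dave": Fraction(10, 100),
    },
}

# The page's threshold: an interest in MORE than 25% of the shares.
THRESHOLD = Fraction(25, 100)


def effective_interests(graph: Ownership, company: str) -> Dict[str, Fraction]:
    """Return {natural person: aggregate interest in `company`}.

    Look-through method (assumed here, verify against applicable guidance):
    the interest carried through a chain is the product of each link, and a
    person's direct and indirect interests are added together. Fractions keep
    the arithmetic exact so a holding of exactly 25% is never misjudged by
    floating-point rounding.
    """
    totals: Dict[str, Fraction] = {}

    def walk(entity: str, weight: Fraction, path: Set[str]) -> None:
        for holder, share in graph.get(entity, {}).items():
            if holder in path:
                # Cross-holding loop (A owns B, B owns A): stop rather than
                # recurse forever. Such structures need manual review.
                continue
            carried = weight * share
            if holder in graph:
                # Intermediate legal entity: look through it.
                walk(holder, carried, path | {holder})
            else:
                # Natural person: accumulate direct and indirect interest.
                totals[holder] = totals.get(holder, Fraction(0)) + carried

    walk(company, Fraction(1), {company})
    return totals


def registrable_controllers(graph: Ownership, company: str,
                            threshold: Fraction = THRESHOLD) -> List[str]:
    """Individuals whose aggregate interest exceeds the threshold (strictly more than 25%)."""
    return sorted(person for person, interest in effective_interests(graph, company).items()
                  if interest > threshold)


if __name__ == "__main__":
    for person, interest in sorted(effective_interests(SAMPLE, "Target Pte Ltd").items()):
        print(f"{person}: {float(interest):.0%}")
    print("registrable controllers by interest:", registrable_controllers(SAMPLE, "Target Pte Ltd"))
```

In the sample, Carol holds only 10% directly but 34% in aggregate once her 40% of HoldCo A is looked through, so she is a controller, while Dave's 6% is not. Any person the calculation misses can still be a controller through the significant-control tests listed above, so the output is a starting point for the notices described in the following sections, not a substitute for them.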

Setting Up the RORC

Companies, foreign companies, and LLPs are required to set up and maintain the RORC either at their registered office address or at the office of their Registered Filing Agent (RFA).

The RORC is not the same as the electronic registers of private companies maintained by the Accounting and Corporate Regulatory Authority (ACRA), the register of members that public companies maintain with themselves or the register of directors and nominee shareholders.

The Register must include the date of entry/update, name of the controller, particulars of the controller and notes or remarks regarding the date on which notice was sent to the beneficial owner and the date on which confirmation was received.

Companies, foreign companies, and LLPs are required to disclose the location of their RORC in their annual return filing. However, they are not required to disclose the location of their RORC to the Accounting and Corporate Regulatory Authority (ACRA).

RORC can be maintained in electronic and physical formats. However, the register is a confidential document which must not be made public.

Measures for Identifying Registrable Controller

Companies, foreign companies, and LLPs are expected to take reasonable steps to identify the beneficial owners. This section discusses the measures that can be taken by companies, foreign companies, and LLPs to identify their registrable controllers.

Taking Reasonable Measures

Companies, foreign companies, and LLPs must take reasonable measures to identify their beneficial owners, unless they are already aware of the identity of their registrable controllers. Such measures include:
  • Sending a physical or electronic notice to every director of the company every year, and
  • Sending a yearly physical or electronic notice to every member of the company who holds more than five per cent of the voting shares in the company.

Sending Out Notices

Companies, foreign companies, and LLPs must send notices to persons that they know or have reasonable grounds to believe are registrable controllers of the company, foreign company or LLP.

The notice must clearly seek the status of beneficial ownership, request for particulars if the addressee confirms that they are a beneficial owner and mention the address to which a reply must be sent, with a timeframe and the regulatory consequences of not responding to the notice.

The notice can be sent in either electronic or physical format.

By implementing these initiatives, companies, foreign companies, and LLPs can fulfil their regulatory obligations towards identifying the beneficial owners.

Obligation for Companies, Foreign Companies, and LLPs with Ambiguity in Identifying Their Registrable Controller

Companies, foreign companies, and LLPs are obligated to identify their registrable controllers or beneficial owners. If they are unable to identify them, they must send notices to any individuals and legal persons whom the company knows, or has reasonable grounds to believe, know the identity of a registrable controller of the company, foreign company or LLP. If, after taking reasonable measures, the company, foreign company or LLP concludes that it has no beneficial owner or is unable to identify one, then all directors with executive control and the Chief Executive Officers (CEOs) of the company are taken to be its registrable controllers. In such a case, the following details must be entered in the RORC:
  • A note stating that the company or LLP knows or has reasonable grounds to believe that the company has no registrable controller or has not been able to identify the registrable controller.
  • The note must also mention that all the CEOs and directors with executive control are taken to be registrable controllers of the company.
  • The particulars of CEOs and directors to be taken will be the same as that taken for individual controllers.

What Information Must Be Lodged with ACRA

The Accounting and Corporate Regulatory Authority (ACRA) requires companies, foreign companies, and LLPs to lodge particulars of their Registrable Controllers. The particulars required differ depending on whether the controller is an individual or a corporate entity.

An individual who has significant interest or control over the company, foreign company or LLP is an individual controller.

A body corporate or legal entity incorporated or existing in Singapore or a foreign company registered under the Companies Act having significant interest or control is a corporate controller.

Particulars of Controllers Who Are Individuals

Companies, foreign companies, and LLPs must collect the following information:
  • Full name of the individual.
  • Aliases (if any).
  • Residential Address.
  • Nationality of the individual.
  • Identity card/passport number.
  • Date of Birth.
  • The date on which the individual became a controller of the company, foreign company or LLP.
  • The date on which the individual ceased to be a controller of the company, foreign company or LLP.

Particulars of Controllers Who Are Corporate Entities

Companies, foreign companies, and LLPs must collect the following information:
  • Name of the entity controller.
  • Unique identification number issued by the registrar (if any).
  • The legal form of the entity controller.
  • Address of the registered office of the entity.
  • Jurisdiction where the entity is formed or incorporated.
  • The statute under which the entity controller is formed or incorporated.
  • Name of the register in the jurisdiction where the entity is registered.
  • Identification or registration number of the entity in the register of the jurisdiction where it is formed or incorporated.
  • The date on which the entity became controller of the company, foreign company or LLP.
  • The date on which the entity ceased to be a controller of the company, foreign company or LLP.

The obligation to maintain RORC information with ACRA does not exempt companies, foreign companies, and LLPs from keeping the same information with themselves.

Lodging Information through a Registered Filing Agent or Self-Submission

Companies, foreign companies, and LLPs can lodge the RORC information either by themselves or through their Registered Filing Agents (RFAs) using ACRA’s online portal Bizfile+.

Bulk Upload Option for RFAs

RFAs can bulk upload RORC information for multiple entities (such as foreign corporate entities, societies, trusts, and entities with UEN not issued by ACRA) identified as controllers using a prescribed Excel template that can be uploaded on Bizfile+.

The records uploaded through the bulk option are processed a day after they are uploaded; the lodger is therefore notified by email on the next day. The uploaded information can be viewed through the transaction status enquiry option on Bizfile+ using the transaction number provided to the lodger.

Registered Filing Agents (RFAs) can only lodge RORC information for entities in their client list. Before bulk uploading the information, RFAs need to ensure that they are authorised by their client to lodge and update RORC information on behalf of that client. However, no specific filing access is required for an RFA to lodge its client's RORC information with ACRA.

Individual Upload Option for Self-Submission

Individual companies, foreign companies, and LLPs can upload information for a single entity using the individual upload option by entering the Unique Entity Number (UEN). Companies must verify if they are exempted from updating RORC information. Unexempted entities should then decide the category of the registrable controller, whether it is a corporate entity or an individual, and then enter the relevant information.

Upon uploading all the particulars, the lodger must verify the information before finally submitting it to ACRA and keep a record of the acknowledgement receipt.

Updating RORC Information with ACRA

Companies, foreign companies, and LLPs have to keep the RORC information with ACRA accurate and up to date by periodically sending out a notice to all the registrable controllers asking if a relevant change in the particulars has occurred or if any of the particulars in the RORC are incorrect.

If the company, foreign company, or LLP receives credible information that the particulars of its registrable controllers are incorrect or outdated, then such company or LLP must notify its registrable controller to share correct information. Such notice can be sent physically or electronically. There is no regulatory requirement for a director or secretary’s signature on the notice or for the notice to be sent through a registered address.

If a company, foreign company, or LLP that previously could not identify, or did not have, a registrable controller later enters the particulars of a registrable controller in the register, the company or LLP must also enter a note in the register that its directors and CEOs cease to be the registrable controllers, along with the date on which the particulars are added.

ACRA’s Regulatory Timelines for RORC Maintenance, Lodging and Update

There exists a timeframe that companies, foreign companies, and LLPs need to abide by when keeping, lodging or updating RORC information. The RORC must be set up within thirty days of incorporating the company or LLP.

Within those thirty days, companies, foreign companies, and LLPs must take reasonable measures to identify the beneficial owners and seek confirmation from such persons by sending out notices. Once a confirmation is received in reply to the notice, companies, foreign companies, and LLPs must enter the particulars within two days of the confirmation.

However, if no confirmation is received, companies, foreign companies, and LLPs must enter the particulars that they have in their possession within two days after the end of thirty days from the date on which the notice was sent.

If the company, foreign company, or LLP is satisfied that it has no registrable controller or is unable to identify them, then the company, foreign company, or LLP must enter the particulars and note within two days from the date on which the company, foreign company, or LLP forms such an opinion.

If there are any changes in the particulars entered in the RORC, the company, foreign company, or LLP must update the changes in the RORC within two days from the date on which such change comes into the knowledge of the company.

Penalties for Not Maintaining RORC Information with ACRA

The Companies Act, 1967 and the Limited Liability Partnership Act, 2005 require companies, foreign companies, and LLPs (unless exempted) to comply with the RORC obligations. If these obligations are not met, companies, foreign companies, and LLPs are liable for a penalty of up to 5,000 SGD.

The regulatory framework in Singapore also mandates controllers to disclose information to be mentioned in the RORC and update the company, foreign company, or LLP about any changes in the RORC particulars. Failure to meet this requirement can result in a penalty of up to 5,000 SGD for the controller.

Common Mistakes to Avoid while Filing RORC Information

Maintaining, lodging and updating RORC information can be a tedious task. Therefore, companies, foreign companies, and LLPs should try to avoid the following commonly occurring mistakes:
  • Not checking if the entity falls under the exempted category
  • Furnishing incomplete or incorrect information without any justification with ACRA where complete information is not available with the company, foreign company or LLP
  • Missing statutory timelines for filing or updating information
  • Not identifying registrable controllers having significant interest or control
  • Wrongly identifying registrable controllers that do not meet the criteria for holding significant interest or control
  • Not verifying details entered on Bizfile+ before submitting it to ACRA

Best Practices for Maintaining RORC

  • Document copies of the notices sent to the registrable controllers and the receipt of their replies.
  • Review and update the RORC information annually by checking for any material changes with the beneficial owners.
  • Document the reasons for being satisfied about the accuracy and relevance of the RORC particulars if the company/LLP opts not to send a notice for updating particulars to its registrable controllers.
  • Send notices electronically through a registered email address with the signature of a Key Managerial Person (KMP), for instance, a director or secretary.
  • Review the register of members and the constitution to determine if an individual or corporate entity qualifies as a registrable controller.
  • Attach relevant supporting documents, such as the National Registration Identity Card (NRIC), passport copy, utility bills and certificate of registration, when lodging RORC information of foreign controllers with ACRA.
  • Keep a note of the persons who have access to the RORC.

Conclusion

Companies, foreign companies and LLPs equipped with a comprehensive understanding of the process of setting up and maintaining RORC and lodging and updating RORC information can effectively fulfil the regulatory requirements set by ACRA.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.


Transforming Client Onboarding with Robust AML Procedures

Getting more clients and business growth are the primary goals of every business. With the increasing number of clients, a robust client onboarding mechanism can help businesses rule out the potential risk of financial crimes, including Money Laundering (ML), Terrorism Financing (TF), and Proliferation Financing (PF) associated with clients. This blog discusses the prevalent Anti-Money Laundering (AML) requirements and procedures, such as KYC (Know Your Customer) and CDD (Customer Due Diligence) requirements, to be considered while conducting client onboarding by businesses operating in Singapore.
By incorporating AML practices in routine business operations, such as client onboarding, businesses can ensure greater profits and a secure work environment for themselves. Through this blog, businesses can develop an understanding of how to easily and efficiently integrate AML practices into their routine onboarding process.

Risks to be Considered While Conducting Client Onboarding

Client onboarding is the process of getting new clients who set up an account with a business and avail themselves of the products/services offered by such businesses.
However, businesses need to be mindful that some of the clients may increase a business’s exposure to ML/TF/PF threats if such clients are identified as:

Sanctioned Individuals:

Specific individuals or entities subject to targeted financial sanctions by the United Nations Security Council or other relevant committees or international sanctions lists that contribute to the threat or breach of international peace and security.

Politically Exposed Persons (PEPs):

PEPs are individuals entrusted with prominent public functions, including the role held by a head of state, head of government, government minister, senior civil or public servant, senior judicial or military official, senior executive of a state-owned corporation, or senior political party official in Singapore or any other jurisdiction outside Singapore. However, mid-level or junior officials are not considered PEPs.
Individuals who perform prominent functions for international organisations, such as serving as a director, deputy director, member of the board, or member of the senior management of an international organisation, are also considered PEPs; again, mid-level or junior officials of such organisations are not.

Terrorists or Terrorist Groups:

Individuals or groups engaged in terrorist activities or terrorism financing (TF).

Originate from or Connected to High-Risk Countries:

Individuals or entities belonging to countries that have significant strategic deficiencies in their AML/CFT frameworks.

Behaviour Suggests Money Laundering Activities:

Clients whose behaviour matches commonly observed red flags or ML/TF typologies.

Prior Connection with Financial Crimes:

Individuals or entities previously associated with financial crimes, such as tax evasion, corruption, bribery, etc.

AML Compliance Procedures to Follow During the Client Onboarding Process

In order to counter ML/TF/PF effectively, businesses need to identify and categorise their potential clients into high-risk, medium-risk and low-risk clients.
This identification and classification help businesses decide whether to form a business relationship with a client. Businesses apply the following procedures during client onboarding to identify and segregate clients based on the risk appetite of their respective businesses:

Know Your Customer (KYC):

Businesses must undertake KYC processes to identify a client by obtaining particulars such as names, addresses, contact numbers, and other critical information. Further, they must collect supporting documents and verify the details submitted by the client.

Client Screening:

Businesses must screen the client against lists of sanctions, Politically Exposed Persons (PEPs), terrorists, and negative news sources.

Risk Assessment:

Before onboarding a client, businesses must assess the client’s risk based on the client’s business, location, transaction, delivery channels, and products/services.

Configure Transaction Monitoring Rules:

Establish transaction monitoring rules based on the expected nature, size, and volume of the customer’s transactions, along with other identified risk factors.

Record-Keeping:

Maintain records of all processes undertaken for the client and their results for further reference and usage.

Review and Audits:

Review the client onboarding process to ensure its effectiveness and alignment with regulatory requirements.
Businesses must follow these processes while onboarding new clients. These measures ensure that businesses do not onboard clients linked to illicit activities.

Client Onboarding Regulations in Singapore

Singapore has always been at the forefront of setting global standards for a secure business environment. The Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act is the main law that criminalises laundering funds from illicit activities.
To streamline the regulatory practices, a regulatory authority has been established for each sector to define regulatory requirements and ensure compliance by regulated entities.

Know Your Customer (KYC):

Businesses are required by their respective sectoral regulatory authorities to obtain client information such as:
  • Full name, including aliases
  • Unique identification number
  • Registered address
  • Date of Birth or date of incorporation/registration
Additional case-specific documents must also be collected based on the client’s business structure:
  • Name, legal form and proof of existence
  • Instrument under which the entity is constituted
  • Identities of Directors/ Senior-most executive official
  • Principal place of business
  • Ultimate Beneficial Owners
Businesses must verify the information provided by the client using reliable sources such as:
  • Information available on client’s website or published annual reports,
  • Information available with public sources such as government directories (Bizfile+), annual returns and filings with regulatory bodies,
  • Information from other reliable sources like research reports.

Name Screening:

Regulatory authorities require businesses to take reasonable measures to determine if the client or their family members or close associates are Politically Exposed Persons (PEPs). If the client or its family or associates are identified as PEPs, then enhanced due diligence measures must be taken. If there is a reason for a business to suspect that the client may be a terrorist or sanctioned individual, the business must:
  • Refuse to enter into any transaction with such a client,
  • Terminate any transaction entered into with the client,
  • Report the matter to the police.

Risk Assessment:

Regulatory authorities have specified factors that registered entities must consider when conducting a risk assessment of a client, including:
  • Type of client
  • Scale of client’s business activities
  • Purpose of Business relationship with the client
  • Geographic area of client’s business activities
  • Client’s business relationships/transactions with persons from/in countries with inadequate AML/CFT measures
  • Layers of the client’s business structure

Risk-Based Approach:

Businesses must perform due diligence measures in accordance with the client’s risk profile. For high-risk customers, EDD measures must be taken, such as:
  • Approval of a senior management official is required before entering into a business relationship with the client.
  • Reasonable steps must be taken to establish the relevant person's source of wealth and source of funds.
  • The basis of the assessment must be recorded.
Where the client’s risk profile is low, businesses can take appropriate simplified or standard due diligence measures to identify the client, its beneficial owners and persons acting on behalf of the client.

Transaction Monitoring:

Businesses must ascertain that the client’s transactions are consistent with the business’s knowledge of the client, the client’s income and sources of funds.

Record Keeping:

Businesses must maintain records for a period prescribed by their respective regulatory authorities of the following information:
  • All transactions with the client
  • All information of the client collected during the CDD process
  • Copy of supporting documents relied on during the CDD process

Review and Audit:

Businesses must implement an independent audit and review mechanism to periodically assess the effectiveness of the business’s AML program.

Tech Initiatives for Improved Client Onboarding Compliance

To streamline the onboarding process, the Monetary Authority of Singapore (MAS) has recognised the MyInfo platform as a reliable source for identifying and verifying customer details such as name, unique identification number, date of birth, nationality, and residential address. Where the MyInfo platform is used, Financial Institutions are not required to obtain additional identification documents or photographs of the client.
Another initiative is non-face-to-face client identity verification using secure methods such as digital signatures, biometric identification, and real-time video conferencing. MAS recommends that regulated entities adopt technological solutions to improve AML efforts, including the client onboarding processes.
For companies registered in Singapore by its residents, verification of corporate structure is easier. However, in the case of a foreign company or a company registered in Singapore by foreigners, a simple verification through video conferencing won’t suffice. Businesses should ensure additional checks by verifying soft copies of registration certificates of such foreign companies or companies registered by foreign persons.
Manual checks of scanned documents can be cumbersome, leading to delays or false results. So, businesses must adopt advanced technological software or systems and deploy experienced compliance teams to handle the verification process. Advanced systems leverage AI, biometrics, and authentication tools for accurate and faster results.
The regulatory authorities have created an email alert system to send UN sanctions list updates to Financial Institutions (FIs) and Designated Non-Financial Businesses and Professions (DNFBPs). Such government initiatives make compliance easier for businesses.

Best Practices of Client Onboarding in AML

Adopt the following best practices of customer onboarding to enable AML compliance:

Follow the precise AML-incorporated client onboarding process.

  • Customer Identification: Collect data on customers and verify the same with the help of documentary proof.
  • Risk Assessment: Identify the potential risks of the customer to the business and create a risk profile. Categorise the customer as low, medium, or high risk.
  • Due Diligence: Standard due diligence is enough if the client is low-risk. In the case of a high-risk client, undertake enhanced customer due diligence, collect more data on such customers, and escalate the case to higher-level authorities.
  • Account Opening: On collecting all the customer information, if the client’s risk profile is low or medium, proceed with account opening. If the client is high-risk or only half of the data points are available, reject the application.
  • Annual Assessment: Assess the client’s transactions to detect sudden anomalies. Re-evaluate their risks to check for any changes in risk levels and act accordingly.

Create a crisp and clear client onboarding strategy

A business-client relationship is usually a long-term relationship. So, it is not ideal for any business to start an onboarding process without a clear strategy.
Hence, businesses need to define their onboarding strategy.
  • Start by defining the objectives of the onboarding process.
  • Make a list of all the goals the organisation aims to achieve with this onboarding process.
  • Identify the outcomes that the business wishes to achieve.
  • Define the step-by-step procedure and guidelines for each step.
  • List the resources required for each task.
  • Decide upon the timelines and costs associated with each step.
This will provide a clear direction for the client onboarding process execution.

Update the client onboarding process with changing regulatory requirements

While onboarding customers, businesses need to consider the AML regulations related to:
  • KYC
  • CDD
  • Transaction monitoring
  • Customer screening

Businesses must perform these procedures while onboarding customers. Any changes in these processes must be reflected in the onboarding process. Thus, it is essential to be updated with the regulatory environment and adapt the business’s internal policies to regulatory changes. These adjustments can ensure proper compliance with regulatory requirements during the customer onboarding process.

Use a combination of human and technology-based techniques for identification and verification

A client onboarding process involves the following processes:
  • Data collection
  • Assessment
  • Verification
  • Recordkeeping

Manual handling of these processes can be taxing and time-consuming and may lead to high false positives and false negatives. There is a high chance of human error and negligence in identifying critical data. The time-consuming nature of the entire manual process can be a pain point for the customer.

Businesses often resort to advanced technological solutions to tackle this challenge. Automated KYC and CDD solutions collect and verify customers’ data. Advanced systems ensure safe recordkeeping and an overall efficient and secure customer onboarding experience.

Moreover, customers enjoy the automated client onboarding process because it is faster, more accurate, and less complicated. Customers are less likely to get frustrated with repetitive, complicated, or unnecessary questions, so the friction points diminish. Hence, customer drop-offs decrease.

However, completely neglecting human insight is a big mistake. Human eyes can notice strange customer behaviour that technology cannot. So, both manual checks and technology-based scanning are necessary to get a 360-degree view of customer risks.

Embrace remote KYC and due diligence methods

MAS has issued circulars on the use of MyInfo and on CDD measures for non-face-to-face business relations. These involve data collection and validation using video conferencing, biometric identification, and digital signatures. Regulated entities are encouraged to embrace remote KYC for the following reasons:
  • It adds to customers’ convenience. It enables customers to complete the process from anywhere at any time using their devices.
  • It avoids the hassle of office visits and producing physical documents. All these are manageable digitally, adding to a positive user experience.
  • When customers complete the identification and validation processes remotely, the onboarding is accelerated. Saving time on client onboarding allows businesses to focus on other strategic tasks.
  • Technological interventions by the government and regulatory authorities such as MyInfo and Singpass provide the necessary features to check the authenticity of documents and information. This ensures enhanced risk management.
If customers are happy, there are fewer chances of drop-offs.

Train the employees on client onboarding in AML

Client onboarding processes require managing a lot of information and documentation, which requires trained and skilled employees. Unskilled employees affect the process’s quality.

Training must be provided on the significance of AML compliance and employee responsibilities. Employees must know the KYC and CDD data points to collect to build the risk profile. These include:

  • Identity
  • Contact details
  • Sources of income/wealth
  • Beneficial owners
  • Credibility score
  • Any mention of sanctions or PEPs
Efficient data collection and verification with documents ensure quality and correct results. Employees must keep up with the latest industry trends, best practices in client onboarding, and AML regulations.

Recordkeeping: the backbone of the AML program

The client onboarding process leads to a massive load of data. Businesses must maintain records of every step of the onboarding process, including KYC, CDD, and KYT (Know Your Transaction) procedures. Records are essential for future use and to ensure compliance. Advanced technologies have systems in place to collect and validate data, which can be used for record keeping.

Authorities refer to these records when conducting audits or investigations of an organisation’s AML compliance processes. Businesses must furnish records such as account details and information about the entity when submitting suspicious activity and cash transaction reports to the Suspicious Transaction Reporting Office (STRO) using the STRO Online Notices and Reporting Platform (SONAR).

Creating a balance between AML compliance and customer experience

It is important to strike a balance between adhering to regulatory requirements and catering to the client’s needs. Businesses can take the following steps to enhance client experience while performing AML procedures:
  • Making efforts to reduce the time taken in AML procedures with the help of advanced technologies
  • Prioritising the client’s data privacy and ensuring transparency during the onboarding process to build trust
  • Engaging the client with the business’s core products or services to create a long-term relationship.
Businesses can adopt such strategies to improve the customer experience while completing the client onboarding process.

Motivate customers to furnish correct, complete, and updated data

Clients may not always be ready to furnish their information. They might find the data collection process tedious and invasive. So, it becomes important for businesses to devise effective ways to gather data from customers, such as:
  • Explaining the significance of AML compliance to the client.
  • Making the data collection process more manageable and smoother.
  • Training employees to engage with clients during the onboarding process to make it a more comfortable experience.
  • Incorporating technological solutions to speed up the process.

Adopt a risk-based approach for further due diligence

Upon performing KYC, businesses can identify client risks. So, based on the customer’s risk profile, businesses can perform adequate due diligence measures.

Thus, a risk-based approach must be adopted for customer due diligence. Applying the same and consistent due diligence for all customers is a big mistake.

So, due diligence measures vary based on a customer’s risk profile. If a client is high-risk, enhanced due diligence (EDD) is required. A simple CDD or standard CDD would suffice if the risk is low. This process allows businesses to determine their client acceptance and exit policy.

Increase the KYC and due diligence intensity for foreign customers

The involvement of more than one country changes the story of AML compliance. There are differences in AML regulations, and distinct identification and verification rules exist. These variances affect the process of validating customer data. Therefore, businesses must exercise greater caution while dealing with cross-border transactions.
Organisations can adhere to the following practices:
  • Collect more data about foreign clients, their agents and beneficial owners.
  • Assess the AML regulations of the jurisdiction that the client belongs to or is connected with.
  • Perform client screening against that jurisdiction’s local sanctions list, PEP lists, and adverse media information.

Ensure sufficient data security policies for keeping customer data safe

In the current times, data protection is a significant concern. Businesses store large quantities of customer data. Ignoring data security may make customer identities and documents unsafe. So, businesses must ensure data protection by implementing these principles:
  • Maintain data confidentiality and security.
  • Implement technological solutions to prevent data breaches and hacking.
  • Follow privacy regulations to avoid any access by non-permitted users.
  • Adopt sound cybersecurity measures and anti-malware policies to protect customer data from malicious actors.

Corroborate client representation with reliable information

It is important not to rely solely on the information provided by the client. Businesses must verify the client's information against reliable documents and evidence. For instance, businesses can ask for a company's memorandum and articles of association to verify the particulars of a corporate entity and identify its beneficial owners.

For Politically Exposed Persons (PEPs) or prominent public profiles, businesses can corroborate such client representation against reliable public information sources.

Conclusion

Implementing the above-mentioned best practices can ensure a safe and smooth onboarding process that can culminate into a long-term business relationship with mutual benefit for businesses and clients.

About the Author

Jyoti Maheshwari

CAMS, ACA


The role of Re-KYC process in AML Compliance

KYC is a critical AML compliance requirement for regulated entities in the UAE. It lets you know your customers better and gauge the risks associated with their transactions. Nowadays, authorities are also stressing the need for re-KYC of customers to keep track of updated information. Let us learn the role of the re-KYC process in AML compliance and how it strengthens our defences against money laundering and terrorist financing.

What is Re-KYC?

KYC must not be a one-time event. As customers’ details and regulations change, you must also update these data points in your database. That is why re-KYC of customers is essential. Re-KYC means periodic updates of the customers’ KYC details.
To conduct the re-KYC process smoothly, you must invest time, effort, and money in it. Recollect the information on customers, verify it, and add it to your database. This must lead to accurate and up-to-date details on all your customers. You also need to carry out sanctions screening and customer risk assessment to classify customers into low-risk, medium-risk, and high-risk customers and apply suitable countermeasures to fight the risks they pose.

Why is re-KYC of customers essential?

Re-KYC of customers is essential for every regulated entity for the following reasons:

AML/CFT policy and procedures

AML/CFT policy and procedures mandate the KYC refresh. Depending upon the local rules and regulations and the risk-based approach adopted by the regulated entity, the schedule for periodic review is pre-decided and triggered accordingly. For example, the organisation may have a policy to conduct re-KYC every year for high-risk customers, once every two years for medium-risk customers, and once every three years for low-risk customers.

Industry transformations

Post-COVID, business models have significantly changed. Some of the old industries do not exist anymore or have undergone significant changes. The associated ML/TF risks have changed. Re-KYC helps understand customer profiles in the changed context, align risks, and take appropriate countermeasures to fight ML/TF.

Change in customer profile

Like your own business, your client’s business or profile also changes over time. For example, they expand into a new territory, add a new product or service line, acquire new owners, or change their source of funds. Such deviations alter their risk profile. To reflect those amendments in the risk profile, you must conduct a re-KYC of the customer.

Internal shifts

Your business is unique, with its own set of requirements, business models, objectives, capabilities, and procedures. Based on these factors, you also define your risk appetite to tolerate money laundering risks. Any internal shifts in these factors lead to a change in your risk appetite. This leads to changes in your AML measures and compliance policies. In such situations, re-KYC of customers is essential.

Regulatory amendments

To keep up with the regulatory changes, you may be required to gather additional information about customers. Re-KYC helps gather that information and comply with legal requirements.

FATF Greylisting of a country

If a country is placed on the FATF grey list (jurisdictions under increased monitoring), you need to take a risk-based approach and require customers connected to that country to furnish additional information on their source of funds and source of wealth. Re-KYC is the mechanism for collecting it.

FATF Black listing of a country

If a country is blacklisted (FATF’s high-risk jurisdictions subject to a call for action), you need more information about customers connected to that jurisdiction, and hence re-KYC or a KYC refresh is required.
For all these reasons, it becomes essential for regulated entities to conduct the re-KYC process. Whether you conduct it twice a year or once every two years, the aim is to hold updated information. Up-to-date and accurate data enables correct risk profiling of the customer, and on that basis you can take a risk-based approach to further AML compliance measures and prevent money laundering and terrorism financing.
Another benefit of re-KYC is a better understanding of your customers. You can tailor your services to their needs, improve customer satisfaction, and thereby strengthen customer relationships.

Steps of the re-KYC process

You have the reasons and benefits of the re-KYC process. But what are the steps of conducting this process?
The re-KYC process involves the following steps:

Step 1: Client communication

The first step of the re-KYC process is letting your customers know you will conduct KYC again. Communicate to them the reasons for this exercise and its importance. Inform them about the documents you will need for re-KYC.

Step 2: Information collection

Once you have identified the customers for whom you want to repeat the KYC process, list the details you need. Some will be existing information to be reconfirmed, and some will be new data points. Collect all of them from the customers.

Step 3: Information verification

In the next step, verify all the customer details with the necessary documents received from them. You must ask them for proof of identity and address, beneficial ownership, sources of funds, payment methods used, and other necessary documents. Match the details submitted by clients with these documents.

Step 4: Screening

Screen your customers against lists of sanctions, terrorists, watchlists, PEPs, or any other local and international list of criminals. Moreover, check for adverse media or social media mentions of crime-related activities.

Step 5: Risk Assessment

Assess each bit of information on your customers. Examine every slight suspicion you have about them based on their behaviour, transactions, and profile changes. Based on these results of such analysis, update their risk profile. Keep an eye on those customers whose risks have increased.

Best practices in re-KYC of customers

For a smooth and accurate re-KYC process, avoid the most common errors. The following best practices help achieve a successful process and quality outcomes:

Establish Re-KYC procedures

AML compliance is not an easy journey. You have to manage quite a few procedures to ensure you comply with all the requirements. KYC is one such procedure. It helps you better know your customers to prevent or mitigate their risks. So, give it the importance it deserves.
Define a strategy for conducting re-KYC of customers. Mention the steps. List the timelines, resources required, and budget for the re-KYC process. Also, define the potential challenges you might face in this process, like customers’ disagreement, and the steps to deal with them. Such a strategy enables a seamless process.

Implement KYC software

KYC is a lengthy process. Done manually, it takes a lot of time and requires skilled staff to manage without errors and hassle, which in turn means spending money on hiring. A manual process also increases the chance of error. All of this can affect your re-KYC process.
So, the best solution is to automate the re-KYC process. Automation gives accurate results, faster turnaround, and greater convenience for customers. KYC solutions also raise an alert when they detect an anomaly, a suspicion, or a shift from usual behaviour, leaving you better equipped to fight money laundering risks.

Take a risk-based approach

AML compliance is all about a risk-based approach. You have to decide the next action based on your customers’ risk levels. The same is the case with re-KYC. For high-risk customers, the frequency of re-KYC is higher. So, you must know whether your customer is high or low risk and when you last conducted their KYC.
So, if the customer is high risk, conduct a re-KYC frequently. If the risk is low, postpone it for later. Thus, you can decide the frequency and depth of your KYC procedures.
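The tier-based review schedule described earlier in this article (annual for high risk, every two years for medium risk, every three years for low risk) and the event-driven triggers (ownership change, new jurisdiction, change in source of funds, and so on) can be expressed as a small scheduler. The example below is added here for illustration and is not code from the original page or from AMLUAE; the intervals, the trigger-event names, and the sample customers are assumptions, not a regulator’s mandated schedule.

```python
"""Risk-tier-driven re-KYC scheduler (constructed example, not the article's code).

Models the review policy the article describes: annual review for high-risk
customers, every two years for medium risk, every three years for low risk,
plus an immediate review when a trigger event changes the customer's profile.
Intervals, trigger events, and sample customers are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple

# Assumed policy: maximum interval between KYC reviews, per risk tier (days).
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}

# Assumed profile-change events that force a review before the clock runs out.
TRIGGER_EVENTS = {
    "ownership_change", "new_jurisdiction", "source_of_funds_change",
    "new_product_line", "screening_hit", "regulatory_change",
}


@dataclass
class Customer:
    customer_id: str
    risk_tier: str                                  # "low" | "medium" | "high"
    last_kyc: date                                  # date of the last completed review
    events: Set[str] = field(default_factory=set)   # profile events since that review


def next_review_due(customer: Customer) -> date:
    """Periodic due date derived from the tier interval."""
    if customer.risk_tier not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown risk tier {customer.risk_tier!r}")
    return customer.last_kyc + timedelta(days=REVIEW_INTERVAL_DAYS[customer.risk_tier])


def review_reason(customer: Customer, today: date) -> Optional[str]:
    """Why a review is due today: 'event:<names>', 'periodic', or None if not due."""
    triggered = sorted(customer.events & TRIGGER_EVENTS)
    if triggered:
        return "event:" + ",".join(triggered)
    if today >= next_review_due(customer):
        return "periodic"
    return None


def reviews_due(customers: Iterable[Customer], today: date) -> List[Tuple[str, str]]:
    """Customers needing re-KYC: highest risk tier first, event-triggered before
    periodic, then by due date so the most overdue come first within a tier."""
    tier_rank = {"high": 0, "medium": 1, "low": 2}
    due = []
    for c in customers:
        reason = review_reason(c, today)
        if reason:
            due.append((c, reason))
    due.sort(key=lambda item: (tier_rank[item[0].risk_tier],
                               0 if item[1].startswith("event:") else 1,
                               next_review_due(item[0])))
    return [(c.customer_id, reason) for c, reason in due]


def apply_review_result(customer: Customer, today: date, new_tier: str) -> None:
    """Record a completed review: reset the clock, clear events, adopt the new tier.
    A tier increase shortens the next interval automatically."""
    if new_tier not in REVIEW_INTERVAL_DAYS:
        raise ValueError(f"unknown risk tier {new_tier!r}")
    customer.risk_tier = new_tier
    customer.last_kyc = today
    customer.events.clear()


# Constructed sample book of customers; identifiers and dates are fictional.
TODAY = date(2024, 6, 1)
SAMPLE_CUSTOMERS = [
    Customer("C001", "high", date(2023, 3, 15)),                      # periodic, overdue
    Customer("C002", "medium", date(2023, 1, 10)),                    # not yet due
    Customer("C003", "low", date(2022, 1, 1), {"ownership_change"}),  # event-triggered
    Customer("C004", "low", date(2021, 5, 1)),                        # periodic, overdue
]

if __name__ == "__main__":
    for customer_id, reason in reviews_due(SAMPLE_CUSTOMERS, TODAY):
        print(f"{customer_id}: re-KYC due ({reason})")
```

The ordering matters in practice: with a fixed review budget, the queue should surface the high-risk and event-triggered cases before low-risk periodic refreshes, and a review that raises a customer’s tier should pull the next review forward without any manual rescheduling.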

Customer communication is key

Inform your customers about the re-KYC process. They must be aware of the purpose of the data collection and document verification, and it is good practice to obtain their consent to the exercise. Tell them which documents are needed, how long it will take, and other necessary details. Regular communication from your side builds better customer relationships. Since the exercise is inconvenient for customers, explain its significance to them.

Allocate proper resources

Re-KYC is not merely an administrative process or a scheduled task to be disposed of by mechanically following the steps. It needs your full dedication. It helps you stay away from risky customers and transactions and is therefore part of your business’s risk prevention and mitigation plan.
So, give it the importance it deserves. Allocate skilled staff, a reasonable budget, and specific timelines to the exercise, and make sure you do not damage customer relationships while managing it.

Ensure proper record-keeping

You must document every result and finding of the re-KYC process. Since you are analysing the client again and rebuilding the risk profile, the rationale behind it must be saved and secured. So, maintain proper records of each data point on the customer. Save the documents. These records help you during audits or investigations by regulatory authorities.
These six practices will help you run a successful re-KYC process. Adopt them and follow the step-by-step journey. Do not forget to conduct re-KYC of customers to be doubly sure of the risks they pose to your business. Only with such re-KYC and due diligence can you strengthen your AML measures.

AMLUAE – your partner for conducting re-KYC of customers

AMLUAE is a prominent provider of AML compliance services in the UAE. We help you follow AML regulations in the UAE at every step. You needn’t worry about deadlines or regulatory updates; we handle everything on time and in compliance.
We also handhold you through the entire KYC and re-KYC process. Our consultants and AML experts conduct customer due diligence on your clients for accurate results. Ultimately, you will have each customer’s detailed risk profile to enable you to take a risk-based approach to your AML compliance.
Besides KYC and due diligence, we also help monitor transactions to detect suspicious ones. Our team can impart personalised training to your employees, create and implement AML policies, and manage all communication with regulatory authorities. The aim is to let you focus on your core business while we manage the AML compliance.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.


The risk-based approach in Anti-Money Laundering Compliance


Money Laundering and Terrorist Financing are global threats. Governments across the globe have framed laws and regulations to counter Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF). The regulated entities are obligated to employ their resources to fight financial crimes. For any business, resources are always scarce, and hence they would want them to be employed efficiently. That is where the Risk Based Approach to AML compliance comes into play and helps businesses deal with financial crimes efficiently.

Definition of Risk Based Approach (RBA):

The Risk-Based Approach (RBA) is the effective deployment of controls against the most significant ML/TF/PF risks a business is exposed to. It takes into account the various risk factors, their likelihood of occurrence, their impact, the controls in place, and the management’s risk appetite, so as to keep ML/TF risks at an acceptable level. Every business has its own risk-bearing capacity, and in AML compliance it becomes essential to adopt a Risk-Based Approach to tackle ML, TF, and PF. Under an RBA there is no such thing as zero risk, but it offers the most effective way to counter the risks. EDD for high-risk customers, determination of sample size by AML auditors, cash transaction thresholds, and customer acceptance and customer exit policies are common examples of a risk-based approach in practice.

Before going into detail about compliance requirements for a Risk-Based Approach under the UAE’s AML/CFT regulations, let us understand what a Risk-Based Approach in the AML realm means.

What is a Risk-Based Approach in Anti-Money Laundering (AML)?

Risk Based Approach: Meaning

The UAE Federal Decree Law No (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations requires FIs, DNFBPs, and VASPs to take a Risk-Based Approach to counter money laundering and terrorist financing risks.
The Risk-Based Approach (RBA) helps reporting entities effectively identify, assess and tackle ML/TF/PF risks. Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) should apply appropriate measures and procedures commensurate with the risks of money laundering, terrorist financing, and proliferation financing. The Risk-Based Approach enables the reporting entities to apply their efforts optimally to mitigate ML/TF/PF and sanctions risks. The RBA provides the risk-sensitive application of AML/CFT measures. Accordingly, companies are able to apply the principle of “higher the risks, higher the controls”.
The application of the Risk-Based Approach helps firms decide on the degree, frequency, and intensity of their ML/TF/PF controls.
Enforcement of cash thresholds by entities to mitigate ML/TF risks is one example of a risk-based approach. Other examples of RBA include EDD for high-risk customers, ML/TF independent audits, etc.

Step-by-step implementation of Risk-Based Approach in AML

RBA requires proper implementation of controls for an AML program to be successful. For an effective RBA process, all steps must be looked into and implemented correctly. The following is the step-wise process that DNFBPs should undertake for taking a Risk-Based Approach to compliance:

1. Risk Identification:

In identifying the ML/FT and PF risks to which DNFBPs are exposed, they should consider various internal and external factors such as the nature of business, product, services, risks associated with each customer, geography, especially high-risk jurisdictions and distribution channels. This step becomes a base for risk assessment, as DNFBPs are supposed to conduct risk assessments based on the factors identified to evaluate the emerging and relevant ML/FT and PF threats.

2. Risk Assessment:

The risk assessment forms the basis of the DNFBP’s RBA for developing policies and procedures to mitigate ML/TF risk, reflecting the institution’s risk appetite and stating the level of risk deemed acceptable.
This step enables DNFBPs to understand the likelihood of a risk materialising and the impact if it does.

4. Residual Risk:

It is necessary for DNFBPs to compare the risk profile to risk controls to measure the effectiveness of control measures against risk. This step requires identifying risk that remains after efforts have been made to reduce the inherent risk. The residual risk is also known as net risk.

Residual Risk = Inherent Risk – Controls

5. Risk Appetite:

After residual risk is identified, it is vital to compare it to determine whether it meets the risk acceptance level set out in the risk appetite. Risk appetite is set at the early stage, which defines the amount and type of risk that is accepted. As a forward-looking concept, it helps in assessing the residual risk an organisation can accept.

6. Take Additional Measures:

Where the residual risk exceeds the level accepted in the risk appetite, the DNFBP must take additional measures, such as Enhanced Due Diligence, closer transaction monitoring, or declining or exiting the relationship under its customer acceptance and exit policies, until the residual risk is brought within the acceptable level. Where it is already within appetite, the existing controls are retained and kept under review.

Principles of The Risk Based Approach to AML Compliance

The first principle of the RBA to AML compliance is accepting that risk exists and cannot be eliminated. Risk assessment should then be proportionate to the intensity of the risk, the assessment process itself should be reviewed, and compliance measures applied accordingly.

Inherent Risk:

Inherent risk, also called gross risk, is the risk an entity is exposed to before any AML/CFT controls are put in place.

Residual Risk:

The residual risk is the risk the reporting entity assesses once AML/CFT controls and measures are put in place.
According to the principles of a Risk-Based Approach, controls need to be aligned with the risks involved. The risk-based approach requires an entity to focus more on the risks that can have a higher impact.

For instance, the Customer Due Diligence (CDD) process for Politically Exposed Persons (PEPs), who undoubtedly fall into a high-risk profile, remains insufficient unless Enhanced Due Diligence is carried out on them.

In addition, business enterprises must continuously monitor, analyse, and interpret their pool of data that falls within the scope of anti-money laundering compliance.
The manual monitoring of a business relationship is impractical when the transaction volume is high. Therefore, the regulated entities may resort to transaction monitoring software which can help them identify suspicious patterns in customer’s transactions and help them investigate the cases further and submit SAR/STR depending on the facts of the case.

Importance of Risk-Based Approach in Anti-Money Laundering Compliance

The risk appetite and risk-bearing capacity differ from one company to another. Therefore, following the same AML process for each enterprise or individual will not fetch healthy results.
Besides that, the risk-bearing appetite of the companies from the same industry also differs because the management style isn’t uniform everywhere.
Here is when the need for and importance of a Risk-Based Approach come into the picture. With the help of a Risk-Based Approach, companies from various business sectors can create an anti-money laundering framework that helps them fight ML/TF effectively.

The Traditional Tick-Box Approach vs. Risk-Based-Approach

Prior to the evolution of the RBA, financial institutions (FIs) and DNFBPs employed a tick-box approach to manage their AML compliance requirements. Under the traditional tick-box approach, compliance meant working through a uniform set of AML standards and confirming each one was satisfied. With the changing financial landscape and the advancement of technology, the Financial Action Task Force (FATF) introduced the concept of the RBA.
The following is an analysis of the traditional tick-box approach vs. the Risk-Based Approach on different factors:

Flexibility
Tick-box approach: Inflexible. It applies a fixed set of compliance requirements without considering the unique underlying aspects of risk.
Risk-based approach: Flexible. It leaves room to consider the entity’s unique risk profile and adapts to it.

Efficiency
Tick-box approach: There is no scope to change and adapt to new risks, which makes it inefficient.
Risk-based approach: Dynamic and adaptable, allowing efficient use of resources in combating ML/FT and PF risks and thus increasing the efficiency of AML measures.

Resources
Tick-box approach: Resource-intensive. It requires extensive manual effort and time, so achieving effective measures consumes a lot of resources and adds financial burden.
Risk-based approach: Allows smarter allocation of resources by focusing effort on areas of higher risk, optimising efficiency and improving effectiveness in identifying and mitigating risks.

Effectiveness
Tick-box approach: Superficial. It addresses only surface-level aspects of AML compliance and disregards the associated risks.
Risk-based approach: Effective. It focuses on in-depth understanding of new risks and implements measures accordingly.

Prioritising
Tick-box approach: Takes a one-size-fits-all approach to every risk, leaving little room for prioritisation.
Risk-based approach: Prioritises risks by tailoring the response to each according to its impact and probability.

Proactiveness
Tick-box approach: Reactive. It follows standard policies without being open to risks that demand a proactive response.
Risk-based approach: Proactive. It entails measures for identifying, assessing, and controlling risks before they materialise.

UAE AML/CFT Laws and FATF Recommendations Around Risk-Based Approach

What is the reasoning behind implementing a risk-based anti-money laundering approach?

The UAE has adopted effective AML laws to combat financial crimes, including ML, FT, and PF. The regulatory framework in the UAE includes federal laws that are aligned with international standards set out by the Financial Action Task Force (FATF).
The UAE’s legal regime adopts the RBA to AML compliance as the way to understand ML/FT and PF risks and implement appropriate measures. Furthermore, the Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organisations Guidelines for Designated Non-Financial Businesses and Professions mandate DNFBPs to implement an RBA to identify, assess, and understand ML/FT and PF risks and to take the most appropriate mitigating measures.
The RBA framework is also based on FATF recommendation no. 1, which lays down the principle of applying RBA to assess and adopt measures for ML/FT and PF risks.

Primary Elements of a Risk-Based Approach in AML Compliance for DNFBPs and VASPs

The following is the list of primary elements of a Risk-Based Approach in AML compliance for DNFBPs and VASPs:

ML/FT Enterprise-Wide Risk Assessment

ML/FT Enterprise-Wide Risk Assessment (EWRA), also known as Business Risk Assessment, is a key pillar of the RBA. It is an enterprise-level risk assessment that plays a pivotal role in combating ML/FT and PF risks.
EWRA is a process of identifying all external and internal risk factors such as products, services, transactions, delivery channels, customers, geographies, technology, etc, and further assessing their impact, exploring ways to mitigate, and controlling and monitoring associated risks.
Assessing the risk at the enterprise level helps in formulating a comprehensive and better AML framework.

AML/CFT Policy and Procedures

AML/CFT policies and procedures are the foundational documents that outline an entity’s approach to preventing, detecting, and mitigating ML/FT and PF activities.
These documents provide guiding principles to compliance officers and employees regarding their responsibilities to ensure compliance with AML/CFT regulations and the actions required.
These policy documents cover a wide range of areas under the AML framework that include CDD, transaction monitoring, reporting activities, and risk management.
The policies and procedures detail the actual implementation of RBA within an organisation. What it perceives as an ML/TF/PF risk and the commensurate controls to counter it.
With effective AML/CFT policies and procedures, DNFBPs can establish an effective AML/CFT framework within their organisation to counter financial crimes, including ML/FT and PF.

KYC and Customer Due Diligence (CDD)

Know Your Customer and Customer Due Diligence processes are carried out to identify who the customers really are, verify their identity, and understand the nature of the business they engage in.
These procedures are among the most fundamental building blocks of efficient and effective anti-money laundering compliance management. Within their scope, you assess and determine the level of risk associated with the customer and then take the necessary actions to mitigate it.
Assessing the risk level of your customers accurately is a prerequisite for the Risk-Based Approach, and without accurate customer due diligence it is difficult to analyse the risks a customer poses.

Sanctions Screening

Sanctions screening aims to restrict dealings with persons involved in illicit activities. For this purpose, an entity is required to screen names against sanction lists maintained by governments, international organisations, and regulatory authorities.
DNFBPs, by conducting sanctions screening, can efficiently identify and prevent dealings that are against the regulatory framework and can also demonstrate adherence to the compliance requirements.
As per UAE AML Regulations, DNFBPs and VASPs are required to conduct screening against the UNSC Consolidated List and the UAE Local Terrorist List.
If the regulated entity deals with foreign countries, it can adopt a Risk-Based Approach and consider other relevant sanction lists for screening purposes.
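Screening is only as good as its name matching: a listed person written as “DOE, Jon”, with a diacritic, or with a one-letter transliteration difference must still produce a hit. The example below is added here to show the normalisation and fuzzy-matching steps that make that work; it is not code from the original page or from AMLUAE, and its watchlist entries, aliases, noise-token set, and 0.85 threshold are fictional assumptions. A real deployment screens against the UNSC Consolidated List and the UAE Local Terrorist List the article names, and the threshold is tuned against the entity’s own false-positive and false-negative tolerance.

```python
"""Name screening against a watchlist (constructed example, not the article's code).

Normalisation: case folding, stripping diacritics and punctuation, dropping
corporate suffixes and sorting name tokens so "DOE, Jon" and "Jon Doe" compare
equal. Fuzzy matching: a one-letter typo still surfaces as a hit for an analyst.
Watchlist entries, aliases, noise tokens and the threshold are fictional assumptions.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from typing import List, Tuple

# Assumed: tokens that carry no identifying value and only hurt matching.
NOISE_TOKENS = {"the", "ltd", "limited", "llc", "inc", "co", "company", "mr", "mrs"}

# Assumed similarity threshold at or above which a candidate is escalated for review.
MATCH_THRESHOLD = 0.85

# Constructed watchlist; every name here is fictional.
WATCHLIST = [
    {"id": "WL-0001", "name": "Jon Doe Example",
     "aliases": ["J. Doe Example", "Jonathan Doe-Example"]},
    {"id": "WL-0002", "name": "Fictitious Trading Company Ltd",
     "aliases": ["Fictitious Trading Co"]},
]


def normalize(name: str) -> str:
    """Canonical form: ASCII, lower case, alphanumeric tokens, noise dropped, sorted."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z0-9]+", ascii_only.casefold())
    return " ".join(sorted(t for t in tokens if t not in NOISE_TOKENS))


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between two already-normalised names."""
    return SequenceMatcher(None, a, b).ratio()


def screen(name: str, watchlist=WATCHLIST,
           threshold: float = MATCH_THRESHOLD) -> List[Tuple[str, str, float]]:
    """Return (entry id, listed name that matched, score) for each candidate hit,
    best score first. Each entry is compared on its primary name and all aliases."""
    subject = normalize(name)
    if not subject:                      # nothing identifying left to compare
        return []
    hits = []
    for entry in watchlist:
        best_name, best_score = None, 0.0
        for listed in [entry["name"], *entry["aliases"]]:
            score = similarity(subject, normalize(listed))
            if score > best_score:
                best_name, best_score = listed, score
        if best_score >= threshold:
            hits.append((entry["id"], best_name, round(best_score, 3)))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


if __name__ == "__main__":
    for subject in ["DOE, Jon Example", "Jón Doe Exampel", "Fictitious Trading Co.", "Jose Garcia"]:
        print(subject, "->", screen(subject) or "no hit")
```

Two design points carry over to production screening. Sorting tokens makes the comparison insensitive to surname-first formats but also to genuine differences in token order, so the score should be read as a prompt for review, not a verdict. And every hit above threshold must be resolved by a person and the decision recorded, since a discounted match is itself a record-keeping obligation.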

PEP Screening

PEP screening means screening customers to identify if they are politically exposed persons (PEPs) or are related to a person identified as PEP. PEPs pose a high risk to DNFBPs because of their prominent position, which can be misused for illicit activities like corruption and financial crimes.
This measure involves screening customers against a PEP database to assess the nature and extent of their political exposure.
PEP screening helps to implement RBA and a better risk assessment process, which enhances the ability to take appropriate risk mitigation measures like Enhanced Due Diligence.

Adverse Media Screening

Any negative news about an individual customer or a business enterprise can broadly impact the decision to enter into a business relationship with them.
Plus, keeping an eye on such news is the best way to protect your organisation from any potential risks that might come when dealing with clients with high-risk profiles.
Adverse Media Screening helps a reporting entity adopt a Risk-Based Approach effectively and fight ML/TF risks.

Anti-money Laundering Transaction Monitoring

The regulated entities conduct CDD and risk assessments while onboarding the customer. This helps them understand the customer profile and the expected nature, volume, and frequency of transactions.
If the actual transactions of customers are not monitored, the risk-based approach adopted by the entity fails. What if the customer is transacting beyond their means?
Regulated entities implement transaction monitoring software that helps them segment customers by attributes such as age, gender, nationality, turnover, and size of business, and frame rules to identify and investigate exceptions.
The system then monitors transactions and generates alerts when it finds a suspicious transaction.
Risk based transaction monitoring helps in suitably changing customer profiles and the risks associated with them, and it helps implement RBA in its true sense.
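The monitoring logic the passage describes, comparing what a customer actually does against what CDD said to expect, can be written as a small rule engine. The example below is added here for illustration and is not code from the original page or from AMLUAE; the cash threshold value, the jurisdiction codes, the tier multipliers, and the sample profiles and transactions are all constructed assumptions. It goes slightly beyond the text by making the tolerance depend on the risk tier, which is what “risk based transaction monitoring” means in practice.

```python
"""Rule-based transaction monitoring against the CDD profile (constructed example,
not the article's code). CDD records what a customer is expected to do; monitoring
compares actual transactions with that expectation. Four illustrative rules: a single
transaction beyond the customer's means, monthly volume beyond expected turnover, cash
structuring just under a reporting threshold, and a high-risk counterparty jurisdiction
the profile never mentioned. Thresholds tighten with the risk tier. The threshold value,
jurisdiction codes, profiles and transactions are all assumptions for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import date
from typing import Dict, List

CASH_THRESHOLD = 55_000.0                  # assumed cash reporting threshold
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}     # placeholder codes, not a real FATF list
TIER_MULTIPLIER = {"low": 2.0, "medium": 1.5, "high": 1.2}  # assumed tolerance by tier

# What CDD established as expected behaviour for a customer.
Profile = namedtuple("Profile", "customer_id risk_tier expected_monthly_turnover expected_countries")
# One transaction; channel is "cash" or "transfer".
Txn = namedtuple("Txn", "txn_id customer_id when amount channel counterparty_country")
Alert = namedtuple("Alert", "customer_id rule detail")


def tolerance(profile: Profile) -> float:
    """Expected monthly turnover scaled by the tier multiplier; higher risk, less slack."""
    return profile.expected_monthly_turnover * TIER_MULTIPLIER[profile.risk_tier]


def rule_single_txn_beyond_profile(profile, txns) -> List[Alert]:
    """One transaction larger than the tier-adjusted expected monthly turnover."""
    limit = tolerance(profile)
    return [Alert(profile.customer_id, "SINGLE_TXN_BEYOND_PROFILE",
                  f"{t.txn_id}: {t.amount:,.0f} exceeds {limit:,.0f}")
            for t in txns if t.amount > limit]


def rule_monthly_volume(profile, txns) -> List[Alert]:
    """Aggregate per calendar month versus the tier-adjusted expectation."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t.when.year, t.when.month)] += t.amount
    limit = tolerance(profile)
    return [Alert(profile.customer_id, "MONTHLY_VOLUME_EXCEEDED",
                  f"{y}-{m:02d}: {total:,.0f} exceeds {limit:,.0f}")
            for (y, m), total in sorted(totals.items()) if total > limit]


def rule_cash_structuring(profile, txns, window_days=7, min_count=3, band=0.10) -> List[Alert]:
    """Several cash transactions just below the threshold inside a short window."""
    floor = CASH_THRESHOLD * (1 - band)
    cash = sorted((t for t in txns if t.channel == "cash" and floor <= t.amount < CASH_THRESHOLD),
                  key=lambda t: t.when)
    for i, first in enumerate(cash):
        cluster = [t for t in cash[i:] if (t.when - first.when).days <= window_days]
        if len(cluster) >= min_count:
            ids = ",".join(t.txn_id for t in cluster)
            return [Alert(profile.customer_id, "CASH_STRUCTURING",
                          f"{len(cluster)} cash txns just under {CASH_THRESHOLD:,.0f} "
                          f"within {window_days} days: {ids}")]
    return []


def rule_unexpected_jurisdiction(profile, txns) -> List[Alert]:
    """Counterparty in a high-risk jurisdiction that the CDD profile does not cover."""
    return [Alert(profile.customer_id, "HIGH_RISK_JURISDICTION",
                  f"{t.txn_id}: counterparty in {t.counterparty_country}")
            for t in txns if t.counterparty_country in HIGH_RISK_JURISDICTIONS
            and t.counterparty_country not in profile.expected_countries]


RULES = [rule_single_txn_beyond_profile, rule_monthly_volume,
         rule_cash_structuring, rule_unexpected_jurisdiction]


def monitor(profiles: Dict[str, Profile], txns: List[Txn]) -> List[Alert]:
    """Run every rule for every customer; the result is the analyst's alert queue."""
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer_id].append(t)
    alerts = []
    for customer_id, profile in profiles.items():
        for rule in RULES:
            alerts.extend(rule(profile, by_customer.get(customer_id, [])))
    return alerts


# Constructed sample data: a low-risk retailer and a high-risk customer.
SAMPLE_PROFILES = {
    "C100": Profile("C100", "low", 60_000.0, frozenset({"AE"})),
    "C200": Profile("C200", "high", 100_000.0, frozenset({"AE", "GB"})),
}
SAMPLE_TXNS = [
    Txn("T1", "C100", date(2024, 5, 2), 50_000.0, "cash", "AE"),
    Txn("T2", "C100", date(2024, 5, 4), 52_000.0, "cash", "AE"),
    Txn("T3", "C100", date(2024, 5, 6), 51_000.0, "cash", "AE"),
    Txn("T4", "C100", date(2024, 5, 20), 3_000.0, "transfer", "AE"),
    Txn("T5", "C200", date(2024, 5, 10), 150_000.0, "transfer", "XX"),
    Txn("T6", "C200", date(2024, 5, 12), 10_000.0, "transfer", "GB"),
]

if __name__ == "__main__":
    for a in monitor(SAMPLE_PROFILES, SAMPLE_TXNS):
        print(f"[{a.rule}] {a.customer_id}: {a.detail}")
```

On the sample data the low-risk retailer trips the structuring rule and the monthly-volume rule but no single transaction, while the high-risk customer trips the single-transaction, monthly-volume and jurisdiction rules. The same 150,000 transfer would pass silently for a low-risk profile with the same expected turnover, which is the point of tying the tolerance to the tier: alerts are the input to the investigation that decides on EDD, exit, or a false positive, not the outcome.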

AML Compliance Officer

The DNFBPs and VASPs in UAE are required to designate a competent person as the company’s compliance officer. The compliance officer is responsible for AML/CFT program management, imparting AML/CFT training, and submitting regulatory reports on the goAML portal.
The AML Compliance Officer is the human arm of the Risk-Based Approach. The compliance officer adds the human element to RBA and changes the approach to fighting ML/TF according to the risks involved.
Thus, an AML compliance officer is an integral part of the implementation of the Risk-Based Approach.

Independent Audit

An AML independent audit is a comprehensive review of the AML program by an external party who is not involved in the operations of the business. The purpose of conducting an AML independent audit is to outline the effectiveness of the AML program, identify gaps for non-compliance and provide recommendations for improvement.
This measure helps maintain the transparency, integrity, and credibility of DNFBPs in the AML efforts. An external AML audit is an integral part of the RBA adopted by the regulated entity.

Monitoring and Review

When an entity establishes business relationships with persons, it is required to conduct ongoing monitoring to address any evolving risks and changes in the compliance framework. Monitoring and review are ongoing processes of RBA in AML that continuously assess the effectiveness of the AML compliance program.
Monitoring measures involve regular surveillance of customers, their transactions, and activities to detect any suspicious activity or unusual behaviour that may indicate potential ML/FT and PF activities.
The review measures include periodic evaluation of the AML framework to identify changes in risk patterns, determine the capacity of control measures in combating financial crimes, and observe areas for improvement.
By undertaking these measures, DNFBPs can proactively address compliance gaps and areas for improvement and, based on such evaluation, enhance their risk management capabilities.

Challenges in Implementing a Risk-Based Approach

Difficulty in Identifying Risk Factors

The complexity of identifying and categorising risk factors makes it difficult to implement RBA within the AML framework. Additionally, the realm of the financial landscape keeps changing due to new trends in criminal activities, making it more difficult to identify risk.

Difficulty in Assessing ML/TF and PF Risks

RBA requires an accurate assessment of ML/FT and PF risks. However, the assessment of ML/FT and PF risks requires knowledge about the financial landscape, known ML/TF/PF typologies, FATF recommendations, National Risk Assessment (NRA), transactions and patterns, which makes it difficult to assess.

Difficulty in Assessing the Effectiveness of Controls

The application of AML measures requires continuous updating and monitoring because of the dynamic nature of the business. Control measures therefore keep changing, which makes their effectiveness hard to assess. Further, the effectiveness of a control is judged more by the quality of its implementation than by quantity, which adds a layer of subjectivity to the overall assessment.

Difficulty in Identifying Risk Appetite

It is a crucial step of RBA to establish an accurate Risk Appetite Statement that lays down the level of risk an entity is willing to accept. However, it becomes difficult to identify risk appetite due to the changing landscape and the involvement of multiple parameters.

Lack of Expertise

The application of RBA is technical, and it requires knowledge of the business and existing and emerging ML/TF/PF risks and their patterns. DNFBPs face challenges here due to their small size and the unavailability of competent persons internally.

Top Management Support

The RBA requires proactive action to combat ML/FT and PF risks, and top management’s support is vital because many of those actions require senior management approval, which can be slow to obtain. Unavailability of, or resistance to change from, top management makes it difficult for businesses to take proactive measures.

Consistency in Risk Assessment Methodologies

Consistency is of utmost importance when adopting the RBA for risk management, as it lets staff follow a uniform procedure. For a growing organisation, however, products, services, and technology change constantly, which leads to inconsistency in how the RBA is applied.

Handling Customer Experience

RBA requires taking stringent measures to implement an effective AML framework within the organisation. These measures include undertaking enhanced due diligence and monitoring, which may cause inconvenience to customers who are not involved in any illicit activities. It is thus difficult to find a balance between mitigating AML risks and positive customer experience.

Lack of Budget

RBA is a detailed process that requires expert knowledge and resources for effective implementation. However, such measures need budgetary support, which could be difficult for small organisations.

Building a Robust AML Compliance Framework using RBA

Crafting an effective AML compliance framework using RBA is important to detect and deter financial crimes, including ML/FT and PF.
Here is the list of elements required for building a robust AML compliance framework using RBA:

Establishing a Strong AML Culture

The AML compliance culture means shared values, practices, and behaviours within a business workplace that prioritise adherence to the AML regulatory framework.
With a strong compliance culture, businesses can efficiently and consistently employ a risk-based approach.

Training and Awareness Programs for Staff

Compliance officers and staff must carry out their responsibilities under the AML/CFT framework for the entity to comply with AML regulatory requirements. An AML compliance framework therefore incorporates a training program tailored to staff according to their roles and responsibilities. For effective AML governance, DNFBPs must run periodic, up-to-date training activities and maintain training records.
Such AML training helps employees understand ML/FT and PF risks and apply the measures required to counter them, which goes a long way towards implementing the RBA in the regulated entity.

Customer Identification and Verification

Customer identification and verification systems are necessary to meet KYC and CDD requirements. Such systems typically include liveness checks, two-factor authentication, and checks on the authenticity of ID documents. They support a Risk-Based Approach by helping determine whether a customer is acceptable under the company's customer acceptance policy.

Transaction Monitoring

Transaction monitoring identifies transactions that do not align with the customer's profile or expected business activity. Transaction monitoring tools flag suspicious patterns and put transactions on hold until the compliance team investigates them and decides whether an SAR/STR must be filed.
With transaction monitoring tools, DNFBPs can take a Risk-Based Approach and decide whether EDD is required, whether the customer should be offboarded, or whether the system has generated a false alert.
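The monitoring logic described above, as an added example that is not code from the original page or from any product it mentions: a customer profile declared at onboarding, three rules (unexpected geography, monthly volume far above the declared figure, and repeated cash deposits just under a threshold within a short window), alerts that stay on hold until compliance disposes of them as a false positive, EDD, offboarding, or an STR. The profile, transactions and every threshold are constructed sample values; the cash threshold in particular is an assumed figure, not a regulatory one.

```python
"""Rule-based transaction monitoring against a customer's expected profile.

Added example, not code from the original page or from any product it mentions.
The profile, transactions and every threshold below are constructed sample
values; the cash threshold is an assumed figure, not a regulatory one.
"""
from dataclasses import dataclass
from datetime import date

CASH_THRESHOLD = 55_000          # assumed cash reporting threshold (AED)
STRUCTURING_MARGIN = 0.10        # "just under" = within 10% below the threshold
STRUCTURING_WINDOW_DAYS = 7      # look-back window for repeated near-threshold cash
STRUCTURING_MIN_COUNT = 3        # how many such deposits trigger an alert
VOLUME_MULTIPLIER = 2.0          # monthly volume above 2x the declared figure alerts


@dataclass
class Profile:
    customer_id: str
    expected_monthly_volume: float   # declared at onboarding
    expected_countries: frozenset    # country codes the customer said they deal with


@dataclass
class Txn:
    txn_id: str
    on: date
    amount: float
    country: str
    channel: str                     # "cash" or "wire"


@dataclass
class Alert:
    rule: str
    txn_ids: list
    detail: str
    hold: bool = True                # stays on hold until compliance disposes of it
    disposition: str = "open"


def geography_rule(profile, txns):
    """One alert per transaction touching a country outside the declared profile."""
    return [Alert("GEOGRAPHY", [t.txn_id], f"{t.country} not in expected countries")
            for t in txns if t.country not in profile.expected_countries]


def volume_rule(profile, txns):
    """One alert per calendar month whose total exceeds the declared volume by VOLUME_MULTIPLIER."""
    by_month = {}
    for t in txns:
        by_month.setdefault((t.on.year, t.on.month), []).append(t)
    alerts = []
    for (year, month), month_txns in sorted(by_month.items()):
        total = sum(t.amount for t in month_txns)
        if total > VOLUME_MULTIPLIER * profile.expected_monthly_volume:
            alerts.append(Alert("VOLUME_DEVIATION", [t.txn_id for t in month_txns],
                                f"{year}-{month:02d} total {total:,.0f} vs expected "
                                f"{profile.expected_monthly_volume:,.0f}"))
    return alerts


def structuring_rule(profile, txns):
    """Repeated cash amounts just below the threshold inside a short window (structuring)."""
    floor = CASH_THRESHOLD * (1 - STRUCTURING_MARGIN)
    near = sorted((t for t in txns if t.channel == "cash" and floor <= t.amount < CASH_THRESHOLD),
                  key=lambda t: t.on)
    for i in range(len(near)):
        j = i
        while j < len(near) and (near[j].on - near[i].on).days <= STRUCTURING_WINDOW_DAYS:
            j += 1
        if j - i >= STRUCTURING_MIN_COUNT:
            window = near[i:j]   # report the first qualifying window only
            return [Alert("STRUCTURING", [t.txn_id for t in window],
                          f"{len(window)} cash deposits below {CASH_THRESHOLD:,} "
                          f"within {STRUCTURING_WINDOW_DAYS} days")]
    return []


def monitor(profile, txns):
    """Run every rule; anything returned is held pending compliance review."""
    return geography_rule(profile, txns) + volume_rule(profile, txns) + structuring_rule(profile, txns)


def dispose(alert, decision):
    """Compliance decision: 'false_positive' releases the hold; 'edd', 'offboard' and 'str' keep it."""
    if decision not in {"false_positive", "edd", "offboard", "str"}:
        raise ValueError(f"unknown disposition {decision!r}")
    alert.disposition = decision
    alert.hold = decision != "false_positive"
    return alert


# Constructed sample: a trader who declared ~100k/month of business with AE and IN counterparties.
PROFILE = Profile("C-001", expected_monthly_volume=100_000, expected_countries=frozenset({"AE", "IN"}))
TXNS = [
    Txn("T1", date(2024, 3, 1), 52_000, "AE", "cash"),
    Txn("T2", date(2024, 3, 3), 51_000, "AE", "cash"),
    Txn("T3", date(2024, 3, 5), 50_500, "AE", "cash"),
    Txn("T4", date(2024, 3, 10), 20_000, "ZZ", "wire"),   # ZZ: placeholder country code
    Txn("T5", date(2024, 3, 20), 60_000, "IN", "wire"),
]

if __name__ == "__main__":
    for a in monitor(PROFILE, TXNS):
        print(a.rule, a.txn_ids, a.detail)
```

On the constructed data the three rules fire once each: T4 for geography, the whole month for volume (233,500 against an expected 100,000), and T1 to T3 for structuring. Releasing a hold is only possible through a recorded disposition, which is what later evidences that a Risk-Based Approach was actually taken.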

Record-Keeping

Under the UAE AML/CFT Laws, regulated entities must keep all AML/CFT records for a minimum of 5 years; ADGM- and DIFC-based entities must retain records for 6 years.
These records serve as evidence that a Risk-Based Approach was taken.

Reporting Structure

An effective reporting structure is required to implement the AML framework against ML/FT and PF risks. DNFBPs must maintain records and build a reporting system into their AML governance program.
This includes systems that track the number of customers rejected, relationships terminated, transactions monitored, and alerts generated, as well as the filing of suspicious transaction reports and suspicious activity reports (STRs/SARs) through the goAML system.
Periodic AML/CFT compliance reporting to top management lets management take a Risk-Based Approach and decide whether to commit more resources against ML/TF risks or to adjust AML/CFT policies and procedures in line with their risk appetite.

Internal Controls and Risk Management

Internal Controls and Risk Management processes help fight ML/TF. The nature and extent of such internal control mechanisms differ from business to business, depending on the entity’s risk appetite and risk-based approach.

Technological Support

Technology has made life easier for DNFBPs and for criminals alike. To counter technology-driven criminal activity, the AML compliance framework should make room for technology-driven tools.
Technology also strengthens AML compliance by quickly analysing large volumes of data to detect suspicious patterns and anomalies that may indicate ML, FT, or PF activity.

How Does the Risk-Based Approach Work in AML?

The Risk-Based Approach works differently for every business, since no two businesses and no two risk profiles are the same. It comes down to the regulated entity's risk appetite and what it considers an acceptable level of risk.
There is no such thing as zero risk in business. Risk management is resource-intensive, and businesses have to control costs; at the same time they must ensure that ML/TF and PF risks are countered and legal requirements are met.
Regulated entities therefore prioritise their risks and apply controls judiciously to keep risks at an acceptable level.

Benefits of a Risk-Based Approach to AML

Resource Optimization

A risk-based approach to compliance allocates resources according to the risk assessment and the impact of each risk on the regulated entity. This need-based allocation optimises resource use and saves costs.

Effective in Countering ML/TF

With elaborate steps and a defined approach, RBA effectively counters ML/FT and PF risks. Furthermore, RBA targets the risk in a structured manner based on its impact. This increases the effectiveness of DNFBPs’ AML efforts.

Enhances Customer Onboarding Experience

RBA improves the customer onboarding experience because it treats each customer individually according to the risk they pose to the business. Low-risk customers undergo simplified due diligence, medium-risk customers standard due diligence, and high-risk customers enhanced due diligence.
For high-risk customers, the business may also decide to exit the relationship if the risk is not acceptable under its risk appetite.
Onboarding improves because not every customer has to go through the most stringent KYC and CDD requirements.

Improved Risk Management

RBA follows a proactive approach to prevent and mitigate financial risks, including ML/FT and PF. Such proactive measures of identifying and managing risks reduce DNFBPs' exposure to financial crimes and illicit activities.

Ensures Regulatory Compliance

All DNFBPs in the UAE must adhere to the AML/CFT regulatory framework. RBA focuses their attention on regulatory outcomes and on activities throughout the business lifecycle, so adopting RBA in their AML framework helps DNFBPs meet regulatory requirements effectively.

Strategic Business Insights

RBA is a continuous process that involves risk assessment, policy framework, and the systematic application of mitigation measures. With RBA to AML, DNFBPs gain valuable insights for informed decision-making and improving performance. Therefore, RBA enhances flexibility in AML compliance and boosts competitiveness in the market.

Improved Regulatory Reporting

RBA applies controls based on risk level and prioritises resources on identified risks. With such a targeted approach, DNFBPs can focus on high-risk areas and report suspicious activities more efficiently and accurately. RBA therefore improves the reporting system, which helps DNFBPs and regulatory authorities fight ML/TF risks effectively.

Employee Engagement

Adopting RBA requires the proactive application of measures that require quick decision-making for AML policies, implementation, and performance assessment. This fosters employee engagement, which enhances the overall effectiveness of AML measures and promotes responsibility among employees and a compliance culture.

Final words on Risk Based Approach

The UAE AML/CFT Law requires FIs, DNFBPs, and VASPs to employ a Risk-Based Approach tailored to their business. The controls a reporting entity employs should match the risks to which it is exposed. ML/TF risks differ from organisation to organisation and from industry to industry, so DNFBPs need to assess and understand the ML/TF risks associated with each customer, supplier, and third party.
Adopting a Risk-Based Approach does not mean the organisation eliminates all financial crime risk. It means known ML/TF risks are managed; the organisation remains exposed to risks it has not yet identified and assessed, and risks by their very nature are dynamic.
Niyeahma provides extensive help and guidance on implementing a Risk-Based Approach. Contact us if you are looking to optimise your ML/TF countermeasures.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Reach Out to Pathik

NIYEAHMA teams up as a knowledge partner with FACCTUM

NIYEAHMA teams up as a knowledge partner with FACCTUM to deliver state-of-the-art AML compliance software for Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Asset Service Providers (VASPs).
DNFBPs and VASPs are regulated entities under the AML/CFT laws and regulations of various countries. Entities including Dealers in Precious Metals and Stones (DPMS), Trust and Company Service Providers (TCSP), Lawyers, Notaries, and Other Legal Professionals, Accountants, Auditors, Tax Consultants, and Real Estate Agents, are classified as DNFBPs.
The DNFBPs and VASPs sector is characterised by small and medium-sized entities. This sector is required to comply with various requirements, such as sanctions screening, KYC, customer risk assessment, regulatory reporting, AML/CFT policies and procedures, Enterprise-Wide Risk Assessment (EWRA), and more.
Due to the ever-increasing compliance burden, unavailability of skilled resources, and diverse rules and regulations, the DNFBPs and VASPs struggle to automate their compliance processes.

AML/CFT solutions are available in silos, and the entity-level compliance picture is seldom known. That’s where RapidAML comes into the picture, a software developed by FACCTUM with NIYEAHMA working as a knowledge partner.

RapidAML is a unified AML compliance software offering an enterprise-wide view of risk and compliance.

KK Gupta

Founder & CEO, FACCTUM

A single consolidated view of the entity-wide AML/CFT compliance for DNFBPs and VASPs is something which has been missing for quite some time. With NIYEAHMA working with us as Knowledge Partners, we want to revolutionise AML compliance for regulated entities just as we do for banks and financial institutions.

NIYEAHMA provides AML consultancy services through its brands – AML UAE, AML Singapore, AML Consultants UK, AML KSA, AML Bahrain, AML Muscat, AML India, AML FAQs, and ProAML Training. It possesses premium know-how in global AML/CFT laws and regulations.
NIYEAHMA understands the pain points of DNFBPs and VASPs when it comes to automating their compliance processes. RapidAML is unified AML software for DNFBPs and VASPs that automates screening, KYC, customer risk assessment, case management, and regulatory requirements.
RapidAML is currently under active development and is open for beta testing by select DNFBPs and VASPs.

Pathik Shah

Founder, NIYEAHMA

As we deliver our services, we constantly encounter the challenges that DNFBPs and VASPs face. But soon, those challenges will be a thing of the past. We're working diligently on writing specifications and stepping in as Knowledge Partners to tackle the unique issues regulated entities in this sector deal with. With FACCTUM, our trusted technology partner known for its expertise in RegTech and RiskTech, we're confident that AML compliance is about to become far easier and faster for DNFBPs and VASPs. Together, we're committed to leaving no stone unturned to fight financial crimes.

United by a shared vision, Facctum's tech skills and NIYEAHMA's AML expertise complement each other, and both are being put to use in the development of RapidAML. To learn more about RapidAML, visit https://rapidaml.com

“I am pleased to find the presence of veteran professionals in the industry who are dedicatedly working on addressing the challenges faced by DNFBPs and VASPs. NIYEAHMA looks forward to elevating the AML compliance efficiency through this collaboration.”

Jyoti Maheshwari

Partner, NIYEAHMA

RapidAML endeavours to transform AML/CFT compliance for the new era!

ACRA AML/CFT Requirements Review (Inspection) of Public Accountants and Accounting Entities

All accounting entities and public accountants in Singapore carrying out covered activities must undergo periodic ACRA inspections of their Anti-Money Laundering and Counter-Financing of Terrorism (AML/CFT) compliance measures. ACRA forms and appoints the Public Accountants Oversight Committee (PAOC), which appoints an entity reviewer to carry out the ACRA AML/CFT Requirements Review of accounting entities and individual practitioners.
The Accounting and Corporate Regulatory Authority (ACRA) registers and regulates public accountants and individual practitioners in Singapore under the rules and standards prescribed in the Accountants Act 2004.
The Accountants Act 2004, also referred to as 'the Act', is the primary legislation in Singapore governing accountancy services provided by accounting entities and professionals. The Accountants (Prevention of Money Laundering and Financing of Terrorism) Rules 2023 require accounting entities and their practitioners to have in place an adequate AML/CFT compliance framework, consisting of internal policies, procedures and controls (IPPC), to combat Money Laundering (ML), Financing of Terrorism (FT), and Proliferation Financing (PF) risks effectively.
The AML/CFT IPPC of accounting entities and individual practitioners is subject to the ACRA AML/CFT Requirements Review.

ACRA AML/CFT Requirements Review (Inspection) Process of Public Accountants and Accounting Entities

The ACRA AML/CFT Requirements Review process comprises the following steps:

1. Entity Reviewer Inspects AML/CFT Compliance Requirements

The entity reviewer carries out the AML/CFT requirements review. For this purpose, the entity reviewer has the power to:
  • Examine any records, or descriptions of records, in the possession or under the control of the accounting entity or practitioner that the entity reviewer believes are relevant to the review.
  • Seek explanations or further details of any record or document, excluding any record or document containing privileged communication to or from a legal practitioner.
Upon concluding the review, the entity reviewer submits a report to the Registrar.

2. Opinion of the Registrar

After considering the entity reviewer's report, if the Registrar is of the opinion that the accounting entity or any of its practitioners has breached any AML/CFT requirement, the Registrar submits a report to the Public Accountants Oversight Committee (PAOC) (Firm Level).

3. Decision by the Public Accounts Oversight Committee (PAOC)

On receiving the Registrar's report, the PAOC assesses the matter and decides the consequences of the accounting entity's or practitioner's non-compliance with AML/CFT requirements.

Consequences of AML/CFT Non-Compliance by Accounting Entities and Public Accountants

The Public Accountants Oversight Committee (PAOC) is the final authority on the outcome of the AML/CFT requirements inspection, and it determines the procedure for conducting ACRA inspections of accounting entities and public accountants.
If, after considering the Registrar's ACRA inspection report, the PAOC (Firm Level) is satisfied that the accounting entity or its individual practitioners are non-compliant with AML/CFT requirements, it may direct the following:
  • Revocation of the approval granted to the accounting entity or cancellation of the registration of individual practitioners.
  • Suspension of the accounting entity from providing accountancy services or suspension of an individual practitioner for up to one year.
The PAOC is also empowered under the law to prescribe for public accountants and accounting entities any standardised methodology, procedures, code of professional conduct, or other requirements necessary to enable them to identify, prevent, and mitigate ML/FT and PF risks, including timely reporting of suspicious activities and transactions to the regulatory authorities and maintaining adequate records of the AML/CFT measures taken.

Conclusion

In Singapore, the PAOC decides on the Registrar's opinion, which is based on the ACRA inspection carried out by the entity reviewer. Where the PAOC finds non-compliance with the prescribed AML/CFT requirements, it may take punitive action.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has more than nine years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She has extensive experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRDs, BRDs, and SRSs, and implementing IT solutions.

Reach Out to Jyoti

Excellence in EDD for high-risk customers: Common slip-ups You can’t Afford to Commit

This article explains how to achieve excellence in EDD for high-risk customers and sheds light on the common slip-ups you can't afford to commit.
Not all your customers are the same. Their requirements differ, their expectations of support services vary, and their risk profiles are distinct: some pose a higher risk to your business, while others are safe to transact with.
As a business entity in India subject to strict AML requirements, you need to know which of your customers are high-risk and which are low-risk.
High-risk customers call for Enhanced Due Diligence (EDD): a thorough investigation and a deep dive into the customer's profile. With more data on such customers, you can gauge the degree of risk involved, decide whether it can be managed, and judge how it sits with the business's risk appetite.
Entities nevertheless make some common mistakes while conducting EDD. Knowing them helps you avoid them, so this blog lists the mistakes reporting entities commonly make in the EDD process for high-risk customers.
First, though, let's look at what characterises a high-risk customer.

Characteristics of High-Risk Customers in India

The following characteristics may make a customer high-risk:
  • Persons associated with sanctioned individuals or businesses
  • Persons identified as terrorists or associated with one
  • Politically Exposed Persons (PEPs) and their close relatives
  • High-net-worth customers
  • Non-resident Indians (NRIs)
  • Foreign nationals
  • Customers with complicated business structures involving subsidiaries and business units
  • Individuals or entities with unexplained wealth, earnings, or net worth
  • Customers based in high-risk countries or in countries with weak or no AML regulation
  • Non-face-to-face customers
  • Shell corporations
  • Companies whose shareholders or beneficial owners are close family members without any business rationale
  • Firms with sleeping partners
  • Customers previously identified in a suspicious transaction or with adverse media references against them
  • Relationships with a company registered in a country where it has no physical presence and that is not affiliated with any regulated group
  • Trusts, NGOs, and charities receiving donations
  • Pooled accounts
  • Virtual currency transactions
Customers insisting on the following types of transactions may also be classified as high-risk:
  • Large or complicated transactions
  • Transactions involving multiple parties unknown to you
  • Cash-only transactions
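How the characteristics above feed a risk-based decision, as an added example that is not code from the original page or from any vendor: each factor carries a weight, the total score maps to a tier, the tier selects simplified, standard, or enhanced due diligence, and two things sit outside the score altogether. A confirmed sanctions or terrorist listing is a prohibition rather than a risk to be priced, and a PEP (or a shell company) forces EDD with senior management approval even when the arithmetic alone would land in the medium band. The factor names follow the list above; the weights, tier cut-offs and override set are assumed values that an entity would fix in its own risk assessment methodology, and the sample customers are fictional.

```python
"""Customer risk scoring that selects the due-diligence tier.

Added example, not the page's code or any vendor's. The factor names follow the
high-risk characteristics listed above; the weights, tier cut-offs and mandatory
overrides are assumed values an entity would set in its own risk methodology.
"""
from dataclasses import dataclass, field

FACTOR_WEIGHTS = {
    "pep": 40,                   # PEP or close relative of one
    "high_risk_country": 30,     # based in a high-risk or weakly regulated jurisdiction
    "unexplained_wealth": 30,
    "shell_company": 30,
    "adverse_media": 25,
    "complex_structure": 20,     # layered subsidiaries / business units
    "non_face_to_face": 15,
    "cash_only": 15,
    "virtual_currency": 15,
    "high_net_worth": 10,
    "foreign_national": 10,
    "pooled_account": 10,
    "donation_funded_npo": 10,
}

# (lower bound inclusive, upper bound exclusive, tier)
TIER_BANDS = [(0, 30, "low"), (30, 60, "medium"), (60, float("inf"), "high")]
DILIGENCE_BY_TIER = {"low": "SDD", "medium": "CDD", "high": "EDD"}
# Factors that force EDD regardless of the numeric score.
MANDATORY_EDD = {"pep", "shell_company"}


@dataclass
class Customer:
    name: str
    factors: set = field(default_factory=set)
    sanctions_match: bool = False       # confirmed hit on a sanctions / terrorist list


@dataclass
class Assessment:
    score: int
    tier: str
    diligence: str                      # "SDD", "CDD", "EDD" or "REJECT"
    senior_approval_required: bool
    reasons: list


def score_factors(factors):
    """Sum the weights; an unknown factor name is a data error, not a zero."""
    unknown = set(factors) - FACTOR_WEIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    return sum(FACTOR_WEIGHTS[f] for f in factors)


def tier_for(score):
    for lo, hi, tier in TIER_BANDS:
        if lo <= score < hi:
            return tier
    raise ValueError(f"score out of range: {score}")


def assess(customer):
    """Hard stop first, then mandatory overrides, then the score-driven tier."""
    score = score_factors(customer.factors)
    reasons = sorted(customer.factors)
    if customer.sanctions_match:
        # A sanctions or terrorist listing is a prohibition, not a risk to be priced.
        return Assessment(score, "high", "REJECT", True, reasons + ["sanctions_match"])
    tier = tier_for(score)
    forced = MANDATORY_EDD & customer.factors
    if forced:
        tier = "high"
        reasons.append(f"mandatory EDD: {sorted(forced)}")
    return Assessment(score, tier, DILIGENCE_BY_TIER[tier],
                      senior_approval_required=(tier == "high"), reasons=reasons)


# Constructed, fictional sample customers.
RETAIL = Customer("Resident individual, salaried, met in person")
NRI_ONLINE = Customer("NRI onboarding remotely through a holding company",
                      {"non_face_to_face", "complex_structure"})
PEP_LOCAL = Customer("Local politician, met in person", {"pep"})
LISTED = Customer("Entity confirmed on a sanctions list", {"cash_only"}, sanctions_match=True)

if __name__ == "__main__":
    for c in (RETAIL, NRI_ONLINE, PEP_LOCAL, LISTED):
        a = assess(c)
        print(f"{c.name}: score={a.score} tier={a.tier} -> {a.diligence}, "
              f"senior approval={a.senior_approval_required}")
```

The PEP case is the one worth noticing: a score of 40 falls in the medium band, and without the override the customer would get only standard due diligence, which is exactly the gap the regulations close by making EDD and senior management approval mandatory for PEPs.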

Regulations for Enhanced Due Diligence in India

India is at the forefront of initiatives to reduce the threat of financial crime. The Prevention of Money Laundering Act, 2002 (PMLA) and the IFSCA (AML, CTF, and KYC) Guidelines, 2022 lay down strict requirements around KYC, KYT, due diligence, and other AML measures, and both contain key provisions on Enhanced Due Diligence.
Entities must conduct EDD for high-risk customers and must verify their identities before the business relationship commences. As part of EDD, you must apply additional measures to gather information on the customer covering the following:
  • Understanding the customer’s source of funds involved in the transaction
  • Rigorous checks on the beneficial owners of the customer
  • Overall financial position of the customer, including verifying their source of wealth
  • Making detailed inquiries about the purpose and background of the transaction
  • Obtaining senior management approval, apprising them of the risk involved and seeking their go-ahead
  • Increasing the degree and frequency of monitoring transactions with high-risk customers
  • Ensuring that the customer makes the first payment towards the goods or services through their own account (specifically provided in the IFSCA Guidelines as one of the measures for managing the high-risk)
Once the additional information is gathered, verify it using reliable, independent sources: public registries, credible third-party databases, or other sources, including government-issued documents obtained from the customer.
Decline or terminate the business relationship if the high-risk customer fails to provide the documents and details needed to complete EDD. Where EDD cannot be concluded, consider whether the circumstances give rise to suspicion and whether a Suspicious Transaction Report (STR) must be filed with FIU-IND.
The EDD measures must be sufficient to meet AML compliance requirements in India. The entity must ensure that it has implemented the necessary measures for high-risk customers; this evidences the entity's risk-based management of the risk in accordance with the PMLA and the IFSCA Guidelines.
You must keep records of EDD to produce to the authorities on request. Retain EDD results for five years from the date of the transaction or the end of the business relationship with the high-risk customer; for IFSCA-regulated entities the period is six years.
Follow these EDD requirements to ensure AML compliance in India. Missing them increases your business's money laundering risk and exposes you to adverse consequences such as reputational loss and penalties for non-compliance. So adopt EDD best practices, and make sure you do not commit the common errors listed below.

Usual slip-ups in Enhanced Due Diligence Procedure

Inadequate data on customers for enhanced investigation

EDD requires a lot of additional personal, occupational, and financial information about the customer. You must have data on the following aspects of your customer:
  • Full name
  • Registration details and office address in case of corporate customer
  • Residential address of an individual customer
  • Details of the beneficial owners and senior management in case of corporate customer
  • Details of the customer’s occupation or business activities
  • Sources of funds and source of wealth, including overall financial position
  • Coverage in negative media or sources
You need all these details to complete the verification of your high-risk customers thoroughly; they help you confirm the legitimacy of the customer, whether individual or corporate.
Checking the source of funds and source of wealth tells you the customer's financial position and whether the proposed transaction is consistent with it. Background checks reveal the customer's reputation in the market and any past involvement in illegal activity.
If your approach is lackadaisical, the information will be incomplete or inaccurate. Collect all these data points from your customers or through independent research for a smooth EDD process.

No reference to reliable data sources to verify customers’ identities

You collect all this information from customers, but can you be sure it is genuine? Have your customers submitted authentic documents for verification?
You cannot rely only on data submitted by customers. Check and verify its legitimacy against reliable, independent sources: government databases, publicly available sources, or reputable third-party data providers.
Information declared by the customer may not be reliable, because customers may fake or manipulate details. In such cases EDD will be inaccurate, and you may end up transacting with high-risk customers without the necessary safeguards, which is risky for your business and your AML compliance.

Trusting only technology over humans or vice versa

Technology can make the process faster, more accurate, and more complete, and gives you confidence that nothing has been missed. But human analysis is still needed for a nuanced view of the risks.
Relying on humans alone is also error-prone: they may miss data or make mistakes while evaluating huge volumes of information and documents. So technology cannot be ignored either.
The optimal solution combines technology with human expertise: let the tooling process the data first, then have analysts review the output.

Conducting Due Diligence only once during the entire relationship

Customers' risk profiles keep changing, so you cannot rely on a single round of due diligence conducted at onboarding. It has to continue.
Monitor high-risk customers frequently. It must be an ongoing process so that you can track changes in their risk profiles. As new transactions occur, continue transaction monitoring and ensure that the transaction pattern aligns with the customer profile known to you.
Never make the mistake of doing Enhanced Due Diligence only once. Make it a regular exercise to capture variations in the underlying factors and stay on top of the customer's ever-changing risk profile.

Using outdated lists of PEPs, sanctions, and terrorists to match customers

During EDD you compare customers against sanctions lists, PEP lists, and other watchlists, including adverse media. If the lists are outdated, your results will be unreliable. Use the latest watchlists from reliable sources for up-to-date, relevant results.
So make it a practice to check for the latest lists.
For adverse media checks, search both older and the latest news sources; adverse information about a customer can surface from any year. Track all possible media sources for negative news. This is what makes your EDD results on customers accurate.
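Two of the ways a screening step goes wrong in practice, shown in an added example that is not code from the original page or from any vendor: the list version in use is stale, and a name that differs only in accent, punctuation, word order, or a minor spelling variant is missed by exact comparison. The screening below refuses to run on any list older than an assumed maximum age (failing closed rather than silently screening against yesterday's data), normalises names before comparing them, and treats a similarity at or above an assumed threshold as a potential hit for an analyst to review. The list entries are fictional and the cut-offs are assumptions a real deployment would take from its screening policy.

```python
"""Watchlist screening with a list-freshness gate and fuzzy name matching.

Added example, not the page's code or any vendor's. The list entries are
fictional; the maximum list age and the match threshold are assumed values
that a real deployment would take from the entity's screening policy.
"""
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

MAX_LIST_AGE_DAYS = 1        # assumed: a list older than this must not be used
MATCH_THRESHOLD = 0.85       # assumed: similarity at or above this is a potential hit


class StaleWatchlistError(RuntimeError):
    """Raised so that screening fails closed instead of silently using an old list."""


@dataclass
class Watchlist:
    label: str
    published: date            # date this list version was issued by its source
    entries: list              # (entry_id, primary_name, [aliases])


def normalise(name):
    """Strip accents, casefold, drop punctuation, and sort tokens so word order is irrelevant."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold())
    return " ".join(sorted(cleaned.split()))


def similarity(a, b):
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def is_fresh(watchlist, today):
    return (today - watchlist.published).days <= MAX_LIST_AGE_DAYS


def screen(customer_name, watchlists, today):
    """Return potential hits as (list label, entry id, score); refuse to run on a stale list."""
    stale = [w.label for w in watchlists if not is_fresh(w, today)]
    if stale:
        raise StaleWatchlistError(f"refresh before screening: {stale}")
    hits = []
    for w in watchlists:
        for entry_id, primary, aliases in w.entries:
            best = max(similarity(customer_name, n) for n in [primary, *aliases])
            if best >= MATCH_THRESHOLD:
                hits.append((w.label, entry_id, round(best, 2)))
    return sorted(hits, key=lambda h: -h[2])


# Constructed, fictional list content.
TODAY = date(2024, 6, 1)
FRESH_LIST = Watchlist("sanctions-demo", date(2024, 6, 1), [
    ("E-001", "Renée Dubois-Martin", ["R. Dubois Martin"]),
    ("E-002", "Zhāng Wěi-Mínglì", []),
])
STALE_LIST = Watchlist("pep-demo", date(2024, 5, 20), [
    ("P-001", "Priya Natarajan", []),
])

if __name__ == "__main__":
    print(screen("Dubois Martin, Renee", [FRESH_LIST], TODAY))
```

"Dubois Martin, Renee" scores 1.0 against "Renée Dubois-Martin" once both are normalised, and a one-letter slip such as "Renee Dubois Martins" still clears the threshold, while an unrelated name returns no hits. Adding the stale PEP list to the same call raises instead of returning a clean result, which is the behaviour you want when the alternative is a false "no match" against an old list.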

Failure to retain records of EDD

Your EDD results are critical for your business, and you may need them later in your AML procedures. Create proper records and retain them for at least five years as required under the PMLA (or six years as required under the IFSCA Guidelines).
Keep these records in a consistent format: use the same template across years, and update them whenever you repeat your investigations, whether as part of an ongoing review or because the customer's profile has changed. Maintain accurate, complete, up-to-date, and consistent EDD records.
Without EDD records you will have no proof to show the authorities when asked, and no past documentation to refer to in further investigations.

Forgetting to build a collaborative environment for an efficient EDD process

EDD is not the responsibility of a single team. The customer-facing team gathers data from customers; the compliance team collects data from reliable third-party sources, assesses the data points from the different sources, and reaches a conclusion.
These procedures are spread across teams, so the teams must collaborate and communicate clearly to execute the process smoothly and get effective results from EDD. Train employees on their part of the process to ease EDD execution.

Overlooking the escalation of suspicious cases of transactions with high-risk customers

EDD exists to investigate high-risk customers, so what happens with the results? It is not enough to sit back satisfied that you have identified your high-risk customers.
Having carried out the additional verification checks, you must escalate such high-risk customers to senior management and seek their approval to establish or continue the business relationship. Where the checks give rise to suspicion, escalate the case for STR filing with FIU-IND as well.

Missing to plan for data protection and confidentiality

For EDD you collect a good amount of customer information: details of their finances and occupation, and access to other sensitive data. Customers' biggest fear is that this data leaks or is accessed by a third party.
So plan for data privacy and protection as a matter of practice. Adopt every available measure and technology to keep the data safe and secure, both while it is in use and while it is retained for future reference. Restrict access to this data to the few staff who need it for their role.

Not investing in the audit and quality review of EDD procedures

Are you happy with your EDD procedures? Are you confident that your EDD measures can manage your increased risks? Do they reflect changes in law and industry practice?
If the answer to any of these is no, it is high time for a quality assurance check.
Audit the EDD process to assess its effectiveness and ensure that the EDD procedure and its results contribute to AML compliance in India. For this, put in place a quality assurance program for regular checks of the EDD process.
Based on the results of these checks, update your EDD policies. The changes must keep EDD aligned with the PMLA and the relevant AML guidelines, including the FATF Recommendations, and should also fit business goals and the sector's AML best practices. Continuous improvement is essential to adapt to changing conditions and emerging risks.
You must avoid these significant slip-ups while performing EDD for high-risk customers. If you need help in performing EDD, AML India is right here.

Niyeahma contribution to your AML compliance

Niyeahma provides the full range of services to help your business become AML compliant, supporting a smooth transition from non-compliance to compliance. You can partner with us for all AML services to prevent ML/TF threats.
We help entities conduct customer due diligence and identify high-risk customers, and then carry out enhanced due diligence on those customers, applying the necessary best practices to avoid the risks of financial crime.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has more than nine years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She has extensive experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRDs, BRDs, and SRSs, and implementing IT solutions.

Reach Out to Jyoti