Roadmap to AML/CTF/CPF Audit Readiness

An independent Anti-Money Laundering / Counter-Terrorist Financing / Countering Proliferation Financing (AML/CTF/CPF) audit helps businesses evaluate the effectiveness of their AML/CTF/CPF Program and ensure compliance with AML/CTF/CPF laws and regulations of India.

It identifies potential vulnerabilities in the AML/CTF/CPF program of the business and offers suggestions to overcome these gaps. Here is your roadmap to AML/CTF/CPF audit readiness, guiding your way to counter financial crimes and stay compliant with legal obligations.

The Meaning and Significance of an Independent AML/CTF/CPF Audit

What is an Independent AML/CTF/CPF Audit

An independent AML/CTF/CPF audit refers to the regular assessment of the quality and effectiveness of the internal AML/CTF/CPF policies, procedures and controls adopted by entities, the resultant records, and regulatory compliance thereof. It involves systematically examining the different components of the AML/CTF/CPF program of the Reporting Entity, such as the Know Your Customer (KYC) process, Sanctions Screening, Customer Due Diligence (CDD), Record Keeping, etc.

Significance of an Independent AML/CTF/CPF Audit

Ensures Compliance with Indian AML/CTF/CPF Laws

India’s AML regulations mandate independent AML audits. For example, the Guidelines issued for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets under the Prevention of Money Laundering Act 2002 (PMLA) require regular AML audits. The International Financial Services Centres Authority (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022 (IFSCA Guidelines) also mandate the same.

Assesses AML/CTF/CPF Program Efficiency

An AML/CTF/CPF audit evaluates the effectiveness of the AML/CTF/CPF program and ensures that it aligns with the latest AML/CTF/CPF laws of India and the Enterprise-Wide Risk Assessment (EWRA) of the Reporting Entity.

Provides Unbiased Suggestions to Combat the Identified Vulnerabilities

An AML/CTF/CPF audit recognises vulnerabilities in the AML/CTF/CPF program and includes suggestions to overcome them and mitigate money laundering (ML), terrorism financing (TF) and proliferation financing (PF) risks.

Strengthens AML/CTF/CPF Compliance Culture

Regular AML/CTF/CPF audits strengthen the AML compliance culture of the Reporting Entity by demonstrating the commitment of senior management towards AML/CTF/CPF compliance.

Builds Positive Reputation

AML/CTF/CPF audit improves the reputation of the Reporting Entity amongst its customers, investors, as well as AML/CTF/CPF regulators by demonstrating its commitment to AML/CTF/CPF compliance and combating ML, TF and PF risks.

After discussing the meaning and significance of an independent AML/CTF/CPF audit, let us understand when an independent AML/CTF/CPF audit is to be conducted.

When Should AML/CTF/CPF Audit be conducted?

To ensure that the AML/CTF/CPF program is effective against ML, TF and PF risks and up to date with the latest AML/CTF/CPF compliance requirements, AML/CTF/CPF audit should be conducted periodically. The best practice is to conduct the audits annually. Such periodic audits should assess both the individual business practices of the Reporting Entity as well as the overall entity-wide AML/CTF/CPF program.

However, the frequency of the AML/CTF/CPF audits depends on the nature and size of the Reporting Entity’s business, its customer base, the products and services it offers, the geographies it serves, and the level of ML, TF, or PF risks it is exposed to as assessed under its Enterprise-Wide Risk Assessment (EWRA). For example, if the Reporting Entity provides services that are exposed to higher ML, TF, or PF risks due to their nature, it needs to conduct the AML/CTF/CPF audit process more frequently.

Now that we know when an independent audit should be conducted, let us turn the discussion towards what an independent audit entails, and the various components of an AML/CTF/CPF program that should be examined in an independent audit.

Scope of an independent AML Audit

For an independent AML Audit to be comprehensive, it should evaluate the efficacy of the following components of the Reporting Entity’s AML program:
  • The EWRA of the Reporting Entity, taking into account its nature, size, and complexity of the business operations
  • The AML/CTF/CPF program and controls and its adequacy in countering ML, TF and PF risks
  • The robustness of the AML/CTF/CPF program against the dynamic ML, TF and PF risks evolved since the last EWRA
  • Red flags to recognise ML, TF and PF risks
  • Changes made to AML/CTF/CPF program since the last audit, including the implementation of the suggestions made in the last audit
  • Employee training on the AML/CTF/CPF program and AML/CTF/CPF regulatory requirements in India
  • KYC and CDD procedures, including Enhanced Due Diligence (EDD) procedures, Politically Exposed Persons (PEP) screening and adverse media screening
  • Sanctions screening procedures
  • Transaction monitoring systems and their adequacy considering the ML, TF and PF risk exposure of the company
  • Procedures for submitting Suspicious Transaction Reports (STR) and other required reports both internally to the AML Principal Officer and externally to the Financial Intelligence Unit of India
  • Record-keeping practices and their alignment with AML/CTF/CPF regulatory requirements, including the quality, adequacy, and comprehensiveness of the records maintained
  • AML/CTF/CPF software adopted by the Reporting Entity, including its functioning and whether it is up to date with the latest regulatory requirements
  • Customer acceptance policy, customer onboarding process and customer exit policy
  • Periodic reports related to AML/CTF/CPF measures submitted by the AML Principal Officer or Designated Director of the Reporting Entity to the senior management or Board of Directors and the action taken on these reports
  • AML Principal Officer’s implementation of the directions or feedback received from the AML/CTF/CPF supervisory authorities
  • Correspondence or outcome regarding any AML/CTF/CPF inspection or review conducted by the AML/CTF/CPF supervisory authority
  • Responses of any AML/CTF/CPF related survey submitted
  • Status of remediation measures adopted to fill the gaps identified by the AML Principal Officer, the latest AML/CTF/CPF audit or inspection conducted by the AML/CTF/CPF supervisory authorities
  • Policy related to AML/CTF/CPF data access and archival
  • Status of compliance with other regulatory requirements, such as sector-specific Guidelines for Dealers in Precious Metals and Stones, Real Estate Agents and Virtual Digital Assets
As discussed in this section, an AML/CTF/CPF audit assesses a wide range of components, so it is crucial for entities to take proactive preparatory measures to streamline the auditing process. The following section provides a comprehensive guide on preparatory measures Reporting Entities can take for a smooth independent AML/CTF/CPF auditing process.

Roadmap to AML/CTF/CPF Audit Readiness

The preparatory measures for an independent AML/CTF/CPF audit involve two essential steps. First, the Reporting Entity must finalise its list of requisites for the AML/CTF/CPF audit and an independent AML/CTF/CPF auditor. Second, it must gather and finalise all necessary information and documents to be reviewed during the auditing process. These steps are discussed in detail below.

Finalisation of Requisites for an Independent AML Auditor

Reporting Entities need to prepare and approve their own list of requisites they expect from an independent AML/CTF/CPF auditor and the auditing process to ensure that the auditing process is aligned with their needs. Deciding on these requisites makes sure that the auditing process is smooth without any hiccups. This list should take into account the following components:

Period to be included for review

The Reporting Entity needs to specify the timeframe for which the auditor will review and assess the AML/CTF/CPF program.

Scope of Audit: Limited or Full Scope

A limited scope audit involves an evaluation of identified areas rather than a comprehensive examination of the entire AML/CTF/CPF program of the Reporting Entity. For example, a Reporting Entity may choose to audit only its CDD process or its KYC process. On the other hand, a full scope audit involves an auditing process covering all components of the AML/CTF/CPF program.

The Expected Outcome

The reporting entity needs to decide and list the expected outcomes of the auditing process. For example, if the Reporting Entity requires so, it can specify that the auditing process should be followed by practical action plans to combat the vulnerabilities found.

The Budgeted Cost

The Reporting Entity needs to outline the budget range it aims to allocate to the auditing process. This depends on the scope of the audit that it has decided to opt for.

Time Estimation

The Reporting Entity needs to specify the time period in which it expects the auditing process to be completed.

Preparation of Information and documents

To streamline the AML/CTF/CPF audit process and avoid delays, the Reporting Entity should prepare the following information and documents in advance:

1. Business Profile: This includes a comprehensive overview of the Reporting Entity’s nature and size of business, the products and services it offers, its customer base, the geographies it serves, its delivery channels, etc. This profile helps auditors understand the business and identify potential ML, TF and PF risks.

2. Certificate of Incorporation, Memorandum and Articles of Association: These documents provide information regarding the Reporting Entity’s establishment and its operational and ownership structure.

3. Organisation Structure: This includes information about the hierarchy in the organisation to help auditors understand the management and decision-making process in the Reporting Entity.

4. Annual Financial Statements: This includes financial statements of the entity for the immediately previous financial year.

5. Enterprise-Wide Risk Assessment: As a part of AML/CTF/CPF compliance, all Reporting Entities must have an EWRA in place. Assessing the EWRA helps auditors examine the ML, TF and PF risk exposure of the Reporting Entity, the actions it has taken to address these risks and the effectiveness of these actions.

6. AML/CTF/CPF Program: AML/CTF/CPF Program includes all policies, procedures and controls in place to comply with the AML/CTF/CPF regulatory obligations of the Reporting Entities and combat ML, TF and PF risks.

7. Red Flags Applicable to the Reporting Entity: Depending on factors such as the nature and size of the business, the products and services it offers, its customer base, the geographies it serves and its delivery channels, all Reporting Entities may have different red flags in place to identify any potential ML, TF and PF risks during its business operations. This list needs to be examined by the auditor.

8. AML/CTF/CPF Governance: This includes details on the oversight and management of AML/CTF/CPF activities within the Reporting Entity, and its adequacy needs to be examined by the auditor.

9. AML Principal Officer’s Profile: All Reporting Entities need to appoint an AML Principal Officer to oversee the AML/CTF/CPF compliance in the entity. Auditors need to be provided with the profile of the Principal Officer, which should include information about their qualifications, experience, responsibilities, powers, etc.

10. KYC, CDD, Customer Onboarding Procedures and Templates: This outlines the procedure of a Reporting Entity’s customer onboarding, identity verification and Customer Risk Assessment (CRA) process.

11. Procedures for Submitting Various Regulatory Reports: These reports include Cash Transaction Report (CTR), Counterfeit Currency Report (CCR), Property Transaction Report, Non-Profit Organisation Transaction Report, Cross Border Wire Transfer Report (CBWTR), and Suspicious Transaction Report (STR) to be submitted to Financial Intelligence Unit of India.

12. AML/CTF/CPF Record Keeping Policy: This policy outlines the procedure for maintaining and storing AML/CTF/CPF related records, including customer identification documents, transaction records, etc, as required under AML/CTF/CPF regulations of India.

13. AML/CTF/CPF Training Logs and Training Material: Training materials and logs should document the AML/CTF/CPF training provided to staff, including the regularity of such training, topics covered, participant details, etc.

14. Details of Targeted Financial Sanctions Program and Systems: This includes information on how the Reporting Entity implements and manages targeted financial sanctions, such as screening against various sanctions lists.

15. Customer and Supplier Registers: This includes a comprehensive list of all customers and suppliers of the Reporting Entity, including their details and ML risk profiles.

16. Register for the AML/CTF/CPF Reports Filed with the Financial Intelligence Unit of India: This helps auditors examine the AML/CTF/CPF compliance function of the Reporting Entity as well as the accuracy of the reports submitted.

17. Employee Register: This includes a list of all employees and their roles and responsibilities in the AML/CTF/CPF program.

18. List of Countries Identified as High-Risk Countries: This list contains countries considered high-risk from AML/CTF/CPF perspective. Information given must also include the Reporting Entity’s association with customers from such high-risk countries.

19. The Procedures to Identify and Establish a Business Relationship with PEPs: Procedures for identifying Politically Exposed Persons (PEPs) and establishing business relationships with them should be shared with the AML/CTF/CPF auditor. This includes EDD measures in place for PEPs to mitigate any potential ML, TF and PF risks.

20. Previous Years’ Independent AML/CTF/CPF Audit Reports: These reports help auditors evaluate the effectiveness of past measures taken to improve past AML/CTF/CPF programs.

21. Information About the Inspection or Review Conducted by the Supervisory Authorities and Guidance Received from Them: This includes information regarding any inspections or reviews conducted by supervisory authorities, as well as action taken on any instructions provided by them.

22. Information About Administrative Fines and Penalties Imposed on the Reporting Entity: Under the PMLA or IFSCA Guidelines, penalties related to AML/CTF/CPF non-compliance may be imposed on Reporting Entities. This information should be given to the auditors to help them assess the entity’s AML/CTF/CPF compliance culture and its response to regulatory supervision.

23. Periodic Report Submitted by the AML Principal Officer to the Senior Management: This report should summarise the AML Principal Officer’s observations and suggestions regarding the entity’s AML/CTF/CPF program.

24. Access to Staff Members and Senior Management: AML/CTF/CPF auditors should have access to relevant staff members and senior management involved in the AML/CTF/CPF program of the Reporting Entity to discuss and assess compliance practices, collect required information and address any concerns.

25. Access to Files and Various AML/CTF/CPF Compliance Records: Auditors should be given access to all relevant files and records related to AML/CTF/CPF compliance.

26. Disclosure of all Known Instances of Statutory Non-Compliance: Any known instances of non-compliance with AML/CTF/CPF statutory requirements under the PMLA, IFSCA guidelines or any other AML/CTF/CPF regulations should be disclosed to the AML auditor. This transparency helps the auditors understand the compliance issues that the Reporting Entity faces.

Conclusion

An independent AML audit is important because it helps assess and improve the effectiveness of a Reporting Entity’s AML program. For a comprehensive and smooth AML auditing process, preparing for the AML audit is indispensable. By finalising requisites for the AML auditor and auditing process and gathering all relevant information and documents, Reporting Entities can streamline the independent AML audit process.

Niyeahma – Your Trustworthy AML Compliance Consultant

  • Conducting the Enterprise-Wide Risk Assessment to assess the ML/FT exposure to your VDA activities
  • Developing and implementing an AML program for managing the ML/FT risks
  • Appointing an AML Principal Officer and assisting in setting up an AML compliance department
  • Creating transaction monitoring rules to detect suspicious VDA transfers timely
Thus, you can find all kinds of support related to AML compliance at Niyeahma.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Reach Out to Jyoti

Behind the Veil: Common Methods of Money Laundering Uncovered

The methods used to launder money are constantly evolving with the use of technology. In India, it is necessary to keep up with the common typologies used in money laundering to develop measures for curbing them. This article uncovers the common methods and channels used by money launderers to make their illicitly gained money seem legitimate.

Money launderers exploit various channels to ‘clean’ their ‘dirty’ money. These channels are used in all three stages of money laundering, i.e., placement, layering and structuring. These channels along with the methods money launderers employ to exploit them are discussed below.

Banking Companies and Financial Institutions as Channels for Money Laundering

Structuring, Smurfing and Micro-structuring:

These typologies involve the breaking of large amounts of illicit funds into smaller amounts to make sure that the funds don’t appear to be suspicious.

  • In structuring, after breaking the funds into smaller amounts, the funds are then placed in different bank accounts to avoid detection.
  • In smurfing, multiple individuals or ‘smurfs’ are deployed to deposit the broken-up funds into multiple bank accounts.
  • Micro structuring is similar to structuring but done at a much smaller level, and larger funds are broken up into very small amounts.

Electronic transfer of money:

Money launderers use electronic transfer of money services to move funds between accounts, banks, and jurisdictions with the aim of creating multiple layers of transactions. This obscures the source of funds and makes detection by law enforcement difficult.

Private Banking:

Private banks often provide specialised services to individuals with high net worth. Private banks are also known for adopting a high level of measures to ensure client confidentiality and have limited transparency provisions. This environment is exploited by money launderers, as private banks may not adopt rigorous client due diligence methods due to their close and personal relations with the clients.

Correspondent Banking:

Correspondent banks act as agents of other banks located abroad and provide correspondent banking services to the customers of such banks. This is done by banks when they don’t have a presence in a particular jurisdiction but wish to provide international banking services to their clients.

The indirect nature of correspondent banking relationships implies that the bank offers services to individuals and entities relying on the due diligence performed by correspondent banks, and many times, it turns out to be non-existent or inadequate. This vulnerability is exploited by money launderers.

Offshore Banking:

Money launderers often employ the services of banks located abroad in jurisdictions with strict privacy laws, lax anti-money laundering regulatory regimes or tax havens.

Non-Banking Financial Companies as Channels for Money Laundering

Money Laundering through Credit Card:

Credit cards are used in the layering or integration stage of money laundering. For example, illicit funds already placed into the banking system are routed to pay for credit card services, enabling the obscuring of the source of funds. Alternatively, after placing the illicit funds in an offshore bank with lax anti-money laundering policies, the funds are accessed through credit cards.

Money Laundering through Payment Service Providers:

Third Party Payment Processors (TPPPs) offer domestic and international payment processing services to merchants and business entities. The type of merchants the TPPPs serve can significantly increase their exposure to money laundering risks. For example, TPPPs working with internet merchants may be at a high risk of money laundering due to the high susceptibility of these merchants to financial crimes.

Money Laundering through Virtual Digital Assets Service Providers (VDA SPs):

Virtual Digital Assets Service Providers (VDASPs), such as cryptocurrency platforms, offer high levels of privacy and anonymity. Criminals use these platforms to convert illicit funds into cryptocurrency, which can then be laundered or spent anonymously. Similarly, virtual assets such as Non-Fungible Tokens (NFTs) are bought and traded with illicit funds to layer the laundered money.

Money Laundering through Money Service Businesses:

Money Service Businesses (MSBs) provide money transmission or conversion services. MSBs are often exploited to convert illicit funds into different currencies, further layering the transactions and complicating anti-money laundering detection.

Money Laundering through Securities or Insurance service providers:

Brokers can be used to invest illegally gained funds into securities, bonds, insurance or other financial products. These investments can then be claimed or pledged to generate legitimate returns on the funds, facilitating the layering and integration of the laundered money.

Designated Non-Financial Businesses and Professions as Channels for Money Laundering

Real Estate:

Illegally gained money can be used to purchase real estate, which can then be resold or rented to generate seemingly legitimate income. Further, overvaluing real estate or using shell companies to make real estate purchases is used to obscure the source of the funds. Therefore, real estate agencies need to be careful and adopt AML measures to avoid these risks.

Dealers in Precious Metals, Precious Stones and other High-value goods:

In India, the high-value goods market may be exploited by money launderers to buy and resell these items, thereby disguising the source of the funds and blending them into the financial system. Therefore, for Dealers in Precious Metals and Precious Stones, adopting AML measures becomes very important.

Accountants and Lawyers:

Accounting and legal services are used to create complex financial structures or to provide legal cover for illicit transactions. They may facilitate the movement of funds or help to establish shell companies. Due to client confidentiality obligations, it may become difficult for law enforcement agencies to detect money laundering.

Trusts and Company Service Providers:

Trusts and company service providers are exploited to create complex legal structures and corporate vehicles that obscure the true ownership of funds.

Trade-Based Money Laundering

Over-invoicing and under-invoicing:

Money launderers use over-invoicing to mix legitimate and illegitimate funds. For example, they invoice for goods or services at inflated prices, allowing them to move excess funds across borders. Similarly, under-invoicing involves declaring the value of goods or services as lesser than their actual value. The objective is to transfer value to the goods seller (in over-invoicing) or the customer (in under-invoicing). In simple terms, the difference between the actual price and the altered price is used to transfer illicit money.

Over shipping, short shipping or ghost shipping:

In these typologies, the quantity of goods exported or imported is misrepresented to the authorities to move the illicit funds under the guise of import-export trade payments. Both the importer and exporter are involved in this scheme.

Black Market Trades:

Using black market trade allows money launderers to undertake transactions that are not reported to authorities and are therefore difficult to detect.

Money Laundering through Corporate Vehicles

Shell Companies:

Shell companies are set up and used to transfer and disguise the source of illicit funds. These companies have no significant business operations or assets of their own but are used to create a facade of legitimacy for transactions. These are created in tax havens and other high-risk jurisdictions with minimal anti-money laundering oversight.

Shelf Companies:

A shelf company is an already registered company that is currently inactive or “put on the shelf.” This corporation is then sold to buyers who may engage in money laundering by activating these shelf companies.

Trusts:

Trust arrangements are exploited to hold and manage assets while disguising their true ownership. By placing illicit funds into a trust, money launderers obscure the source of these funds and integrate them into legitimate financial structures. Since trusts are private structures, there is often less anti-money laundering scrutiny for their members.

Other Typologies

Money Mules:

Money mules are individuals who knowingly or unknowingly facilitate money laundering. They may be recruited to receive, transfer or withdraw the illicit funds through their bank accounts.

Cyber Money Laundering:

Cyber money laundering involves using digital technologies and online platforms, such as dark web markets or online black markets, to transfer illegally gained funds. Advanced technologies such as encryption, anonymisation, tumblers, etc., are also used to avoid detection.

Commingling:

Commingling is the process in which illicit funds are mixed with legitimately sourced money to obscure the origin of the illegally gained funds. Commingling makes it difficult to separate and detect the laundered money from the legitimate money.

Informal Value Transfer Systems (IVTFs)

IVTFs are informal services that enable the transferring and remittance of funds through persons who receive the funds and facilitate payment of an equal value to a third party located in another country. This is a form of alternative banking system which operates underground through established networks. Examples of such systems include Hawala and Hundi. IVTFs enable money laundering by transferring illicit funds from one jurisdiction to another through underground networks.

Conclusion

The money laundering typologies described in this article explore different aspects of the financial system and various types of institutions. Understanding these methods is the first step towards designing an effective anti-money laundering program, including rigorous regulatory oversight, advanced monitoring systems and reporting, and effective international cooperation.

Excellence in EDD for high-risk customers: Common slip-ups You can’t Afford to Commit

This article provides insights into achieving excellence in EDD for high-risk customers and sheds light on the common slip-ups you can’t afford to commit.

Not all your customers are the same. Their requirements differ. Their expectations for support services vary. Similarly, their risk profiles are also distinct. Some pose a higher risk to your business, while some are safe to transact with.

As a business entity in India with strict AML measures, knowing which of your customers are high-risk and which are low-risk is essential.

For high-risk customers, you need Enhanced Due Diligence (EDD). You need to conduct thorough investigations and deep dive into customer profiles. With more data on such high-risk customers, you can identify the degree of the risk involved and determine whether it can be managed and how it relates to the business’s risk appetite.

However, entities make some common mistakes while conducting EDD. If you know them, you’ll avoid committing these mistakes. So, in this blog, we list the mistakes made by reporting entities while conducting the EDD process for high-risk customers.

But before that, we’ll try to understand the characteristics of high-risk customers.

Characteristics of High-Risk Customers in India

Let’s look at the critical aspects that may make a customer high-risk.
  • Persons associated with sanctioned individuals or businesses
  • Persons identified as terrorists or associated with one
  • Politically Exposed Persons (PEPs) and their close relatives
  • High-net-worth customers
  • Non-resident Indians (NRIs)
  • Foreign nationals
  • Customers with a complicated business structure involving subsidiaries and business units
  • Individuals or entities with unexplained wealth, earnings, or net worth
  • Customers with bases in high-risk countries or with no or weak AML regulations
  • Non-face-to-face customers
  • Shell corporations
  • Companies with close family members as shareholders or beneficial owners without any business rationale
  • Firms with sleeping partners
  • Customers once identified as involved in a suspicious transaction or who have any negative media references against them
  • Relationship with a company registered in a country where it has no physical presence and is not affiliated with any regulated group
  • Trusts, NGOs, and charities receiving donations
  • Pooled accounts
  • Virtual currency transactions
Moreover, customers insisting on the below types of transactions may also be classified as posing high-risk:
  • Large or complicated transactions
  • Transactions involving multiple parties, which are unknown to you
  • Cash-only transactions

Regulations for Enhanced Due Diligence in India

India is at the forefront of devising initiatives to reduce the threats of financial crimes. Strict regulations exist under the Prevention of Money Laundering Act, 2002 and the IFSCA (AML, CTF, and KYC) Guidelines, 2022, around KYC, KYT, due diligence, and other AML measures. Even for Enhanced Due Diligence, these AML regulations mention some key provisions.
Entities must conduct EDD for high-risk customers. In such cases, entities must verify the identities of customers prior to the commencement of the business relationship. As part of the EDD process, you must apply additional measures to gather information and data on customers with reference to the following:
  • Understanding the customer’s source of funds involved in the transaction
  • Rigorous checks on the beneficial owners of the customer
  • Overall financial position of the customer, including verifying their source of wealth
  • Making detailed inquiries about the purpose and background of the transaction
  • Obtaining senior management approval, apprising them of the risk involved and seeking their go-ahead
  • Increasing the degree and frequency of monitoring transactions with high-risk customers
  • Ensuring that the customer makes the first payment towards the goods or services through their own account (specifically provided in the IFSCA Guidelines as one of the measures for managing the high-risk)
As part of EDD, once the additional information is gathered, verify it using reliable, independent sources. You can use public registries, credible third-party databases, or other sources for verification, including seeking government-issued documents from the customer.
Drop the business relationship if the high-risk customer fails to submit the requested documents and details necessary to carry out the EDD process effectively. In case of failure to successfully conclude the EDD process on the high-risk customers, you must consider whether such a situation involves any suspicion and the necessity to report the same to FIU-IND by filing a Suspicious Transaction Report (STR).
The EDD measures must be enough to meet the AML compliance requirements in India. The entity must ensure that it has implemented the necessary measures against high-risk customers. This proves the entity’s risk-based approach in managing the risk in accordance with PMLA and the IFSCA Guidelines.
You must keep EDD records to show to the concerned authorities when requested. You must maintain the records of EDD results for five years from the transaction date or the end of the business relationship with high-risk customers. This requirement is six years for an IFSCA-regulated entity.
You must follow these EDD regulatory requirements in India to ensure AML compliance. If you fail to do so, you might increase your business’s money laundering risks and face adverse consequences such as reputation loss and penalties for non-compliance. So, adopt the best practices of EDD and proceed with it. Ensure you do not make the common errors enumerated in the section below.

Usual slip-ups in Enhanced Due Diligence Procedure

Inadequate data on customers for enhanced investigation

EDD requires a lot of additional information about the customer. This includes personal, occupational, and financial details. You must have data on the following aspects of your customer:
  • Full name
  • Registration details and office address in case of corporate customer
  • Residential address of an individual customer
  • Details of the beneficial owners and senior management in case of corporate customer
  • Details of the customer’s occupation or business activities
  • Sources of funds and source of wealth, including overall financial position
  • Coverage in negative media or sources
You will need all these details to thoroughly complete the verification of your high-risk customers. It helps you confirm the legitimacy of the customer, be it individual or corporate.
You can check customers’ financial position by checking the source of funds and wealth and determine whether the proposed transaction is in line with these details. With background checks, you can discover the client’s reputation in the market and come to know about their past involvement in illegal activities.
The information might be incomplete or inaccurate if you are lackadaisical in your approach. Collect all these data points from your customers or through independent research for a smooth EDD process.

No reference to reliable data sources to verify customers’ identities

You collect all the information from customers. But are you sure of its genuineness? Have your customers submitted actual documents for verification?
You cannot be dependent only on the data submitted by the customers. You need to check and verify the legitimacy of the data from reliable and independent data sources. Use government databases, publicly available sources, or renowned third-party data providers.
Information or data declared by the customer may not be reliable because customers might fake them or manipulate some details. In such cases, EDD will be inaccurate, leading to transactions with high-risk customers without applying necessary safeguarding measures. These are risky for your business and AML compliance.

Trusting only technology over humans or vice versa

Technology systems can help make the process faster, accurate, and complete. You can be sure of your results and that you haven’t missed anything. But what about the touch of human thinking and analysis in your EDD process? It’s necessary to have humans analyse the risks for a nuanced view of them.
Only humans managing the EDD process may also be erroneous because they might miss data or make errors while evaluating the huge volume of information or documents. So, you cannot ignore technology as well.
The optimal solution is to combine the expertise of technology and humans for the best results. You can run the data on technological solutions, and then experts can scan through them.

Conducting Due Diligence only once during the entire relationship

The risk profiles of customers keep changing. So, you cannot base your decision on one such instance of due diligence conducted at the time of customer onboarding. You must keep it going.
Engage in frequent monitoring of high-risk customers. It must be an ongoing process so that you can track the changes in customers’ risk profiles. Also, with new transactions with these customers, you must continue transaction monitoring and ensure that the transactional pattern aligns with the customer’s profile known to you.
So, never make the mistake of only doing Enhanced Due Diligence once. Make it a frequent exercise to capture the variations in the factors involved and ensure that you stay on top of the customer’s ever-changing risk profile.

Using outdated lists of PEPs, sanctions, and terrorists to match customers

While conducting EDD, you compare customers against lists of sanctions, PEPs, and other watchlists, including adverse media. If you use outdated lists, your results will be redundant. You must have the latest watchlists from reliable sources for up-to-date and relevant results.
So, make it a practice to check for the latest lists.
In the case of adverse media checks, ensure that the oldest and the latest news sources are checked. You can find negative connotations about the customer from any year. Also, you must track all possible media sources for negative news. Make all this possible to produce accurate results on your customers’ EDD.

Failure to retain records of EDD

Your EDD results are critical for your business. You might need them later in your AML procedures. So, create proper records and maintain them for at least five years as instructed under the PMLA (or for six years as required under the IFSCA Guidelines).
Also, you must keep these records in proper formats. Maintain consistent standards to keep all year records in the same template. You must update them as and when you repeat your investigations, as part of an ongoing review or upon changes in the customer’s profile. So, practice maintaining accurate, complete, up-to-date, and consistent records of EDD.
In the case of missing EDD records, you will not have enough proof when asked by authorities. Also, you might not have past documents to refer to while conducting further investigations.

Forgetting to build a collaborative environment for an efficient EDD process

The EDD process is not the responsibility of a single team. The customer-facing team needs to gather data from all customers. The compliance team will collect data from reliable third-party sources and assess all the data points from different sources and conclude.
Different teams will carry out all these procedures. But they must collaborate and cooperate on the smooth execution of this process. They must maintain clear communication to facilitate effective results from EDD. You must train the employees on handling processes to ease the EDD execution.

Overlooking the escalation of suspicious cases of transactions with high-risk customers

EDD is for investigating high-risk customers. So, what about the EDD results? What do you do with them? Just sit, happy that you have identified your high-risk customers?
Having carried out additional verification checks on the customer, you must notify your senior management about such high-risk customers and seek their approval to establish and continue the business relationship with them.

Failing to plan for data protection and confidentiality

For EDD, you will collect a good amount of customer information. You’ll have details on their finances, job, and access to other sensitive information. Customers’ biggest fear is data leakage or access by a third party.
So, you must make it a practice to plan for data privacy and protection. You must adopt every possible way and technology to keep data safe and secure. Safeguard customer information in the most secure way and retain it for future use. Restrict access to this data to only a few trustworthy people in your company.

Not investing in the audit and quality review of EDD procedures

Are you happy with your EDD procedures? Are you confident of the EDD measures and their capability to manage your increased risks? Do they reflect the changes in laws and industry practices?
If the answer is no, you must realise it’s high time for a quality assurance check.
You must audit the EDD process to assess its effectiveness. Ensure that EDD procedure and results contribute to achieving AML compliance in India. For this, you must put in place a quality assurance program for frequent checks of the EDD process.
Based on the results of these checks, you must update your EDD policies. These changes and updates must align EDD with PMLA and the relevant AML guidelines, including the FATF recommendations. Also, these policies should resonate with business goals and the sector’s AML best practices. Thus, continuous improvement is essential to adapt to the changing conditions and emerging risks.
You must avoid these significant slip-ups while performing EDD for high-risk customers. If you need help in performing EDD, AML India is right here.

Niyeahma contribution to your AML compliance

Niyeahma is a reliable provider of all kinds of services to help your business become AML compliant. We help entities have a smooth transition from non-compliance to compliance. You can partner with us for all AML services to prevent ML/TF threats.
We help entities conduct customer due diligence and identify high-risk customers. After this, we will conduct enhanced due diligence for further investigations into such customers. Thus, we adopt all the necessary best practices to avoid the risks of financial crimes.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

FATF travel rule compliance requirements for VDASPs in India

FATF Travel Rule is one of the advanced measures in the anti-money laundering regime to bring transparency around the electronic movement of the funds – whether wire transfer or transfer of virtual digital asset. This rule, FATF’s Recommendation 16, applies to financial institutions and Virtual Digital Asset Service Providers.
It requires the identification of the originator (payer) and beneficiary (payee) involved in the electronic transfer of funds or exchange of virtual digital assets. This data helps the reporting entities understand the parties involved in exchanging funds or virtual digital assets and detect any potential connection with money laundering.
In India, along with financial institutions, the FATF travel rule compliance under the AML framework has been made mandatory for virtual digital asset service providers (VDASPs). Let’s explore the FATF travel rule requirements and their impact on virtual digital asset businesses.

What Is The FATF Travel Rule?

FATF travel rule is the compliance requirement warranting the identification of the person initiating the transfer of funds and the intended recipient. It is similar to the traditional bank wire transfer transaction. While transferring money from one bank account to another, the reporting entities need to identify the account holder transferring the funds and the recipient of such funds. A similar requirement is now being adhered to by the reporting entities providing services related to virtual digital assets as part of travel rule compliance.
The travel rule requires the reporting entity engaged in virtual digital asset-related activities to obtain necessary details about the originator and beneficiary, apply necessary verification measures, and exchange such information with the counterparty VDASP or the recipient service provider.
Here, the one sending the virtual digital assets would be treated as the Originator, and the one receiving them is the Beneficiary.

India’s Adoption Of The FATF Travel Rule In AML

Money launderers have exploited all possible financial instruments to commit crimes. With virtual digital assets’ popularity worldwide, they have also found ways to commit crimes through them. In this regard, compliance with the FATF travel rule will instil transparency between the VDASPs regarding the parties involved in the virtual digital asset transfers.
In line with India’s Prevention of Money Laundering Act 2002 (PMLA), the Central Government of India issued a notification on 07th March 2023 to bring the activities related to virtual digital assets under the ambit of the anti-money laundering regime. Pursuant to this inclusion of VDASPs as the reporting entity under PMLA, the authorities issued detailed AML and CFT guidelines for the reporting entities providing services related to the virtual digital assets on 10th March 2023, laying down the directives and compliance obligations of the VDASPs to safeguard the VDA ecosystem from being exploited by the financial criminals.

Collecting The Necessary Information

Under these guidelines, the VDASPs are mandated to comply with the Travel Rule, which requires the originating VDASPs to collect the required and accurate details about the originator and the beneficiary of the VDA transfer and securely share this information with the beneficiary VDASP along with the transfer request.
The information to be collected by the Originating or Ordering VDASPs and shared with the Beneficiary VDASPs includes:

Originator

  • Originator’s Permanent Account Number (PAN) or National Identity Number,
  • Complete name of the VDA transfer’s originator,
  • Originator’s account number (VDA wallet address) used to process the transaction or from where the VDA transfer has been initiated,
  • The originator’s geographical location, which helps in identifying the originator,
  • Date and place of birth of the originator.

Beneficiary

  • Name of the beneficiary, i.e., the person named as the recipient of the VDA to be transferred by the originator,
  • Wallet address of the beneficiary

Role Of VDASPs Involved In The Transfer

Originating VDASP

The ordering or the originating VDASP must obtain accurate details of the originator and the beneficiary, as mentioned above.
Additionally, the VDASP must verify the originator’s identity and address using reliable information as part of the KYC and Customer Due Diligence process. The ordering VDASP is not required to verify the beneficiary’s identity, but it must screen the beneficiary for sanctions and remain cautious of ML/FT suspicion.
Once the originating VDASP is satisfied with the accuracy and completeness of the required details, it must share them with the beneficiary VDASP along with the VDA transfer message.

Beneficiary VDASP

Upon receiving the details along with the VDA transfer communication, the beneficiary VDASP must check the details to determine if any necessary details are missing.
The beneficiary VDASP must verify the beneficiary’s identity before concluding the transfer if such a person has not been verified as part of the customer onboarding and CDD process.

Intermediary VDASP

An intermediary VDASP facilitating the transfer of virtual digital assets must ensure that the necessary originator and beneficiary details are adequately transmitted along with the VDA transfer trail while retaining the same information at the intermediary level.

Retaining The Obtained Information

The originating VDASPs must retain the information acquired about the originator and the beneficiary for five (5) years from the date of transfer. Similarly, the beneficiary VDASPs must accurately maintain the originator and beneficiary information obtained from the originating VDASP for a minimum period of five (5) years.

When Information About The Originator Or Beneficiary Is Not Available

In cases where the VDASPs cannot obtain the required information about the originator or beneficiary or where such information cannot be adequately verified, then the VDASP must not execute the virtual digital asset transfer transaction. Further, if required under the circumstances, the VDASP must consider reporting the suspicion to the Financial Intelligence Unit, India, by submitting the Suspicious Transaction Report.

Counterparty Due Diligence

As part of travel rule compliance, the originating VDASP must apply necessary due diligence measures on the counterparty VDASP, involved in transferring virtual digital assets, adopting a risk-based approach. Further, the originating VDASP must ensure that such counterparty due diligence is satisfactorily concluded before transmitting the information about the originator and beneficiary to avoid any engagement with criminals or aiding the illicit movement of funds.

Challenges Of FATF Travel Rule Compliance And Solutions

FATF travel rule compliance is an excellent method to prevent money laundering in virtual digital asset transactions. With timely collection and exchange of originator and beneficiary details between the VDASPs involved in the transfer, the detection and reporting of money laundering activity become easy.
The travel rule in AML checks the transparency and traceability of virtual asset transactions. It also enables collaboration between VDASPs to better the sector, which could lead to a trustworthy and credible virtual digital asset ecosystem.

Challenges

Despite the merits of the FATF travel rule, it also has many challenges, such as:
  1. Difficulties in obtaining accurate details about the beneficiary, given the anonymity involved and frequent reference to the wallet address of the beneficiaries.
  2. Delay in exchange of information from the originating VDASP to the recipient VDASP without proper tools and solutions at both ends.
  3. Non-maintenance of the originator and beneficiary details for the required time period.
  4. There is no standardised mechanism worldwide for consistently implementing the travel rule across cross-border VDA transfers. Many countries have mandated compliance with the travel rule, while some are still considering adopting it, making it challenging to exchange information when a transaction occurs between two counterparties in different jurisdictions.

Solutions For Challenges

One possible solution to fight these challenges is innovative technology. The VDASPs can have a technological solution to collect, verify and store data. Also, the data-sharing feature is essential for exchanging information with the counterparty securely and on a timely basis, accompanying the VDA transfer instruction. The onus is on VDASPs to find an appropriate solution to fulfil these needs and promote industry growth.
The solution must be in a universal language understood across countries. Real-time customer identification and verification can be an advanced feature of such a tool. The aim must be to ensure smooth data collection and exchange between counterparties.
Further, the VDASP must make it a policy not to accept the transfer request unless the originator and beneficiary of the VDA transfer are adequately identified.

Niyeahma – Your Trustworthy AML Compliance Consultant

Niyeahma has been leading from the front in AML compliance. We help clients understand the requirements of AML regulations and comply with them. Together with you, we aim to prevent money laundering and terrorism financing threats to your business. So, we take a customised approach to make you AML compliant and protect you from financial crimes.
You can hire us for any or all of the following AML compliance services:
  • Conducting the Enterprise-Wide Risk Assessment to assess the ML/FT exposure of your VDA activities
  • Developing and implementing an AML program for managing the ML/FT risks
  • Appointing an AML Principal Officer and assisting in setting up an AML compliance department
  • Creating transaction monitoring rules to detect suspicious VDA transfers in a timely manner
Thus, you can find all kinds of support related to AML compliance at Niyeahma.

Customer Due Diligence Requirement Under IFSCA AML Guidelines

As an international financial hub, the International Financial Service Centre in India provides a platform for businesses operating within to increase their customer base and expand their reach on a global scale. With global exposure, the risk of such businesses being used as vehicles or channels for furthering the movement of illicit proceeds or carrying out illegal activities (such as money laundering (ML), financing of terrorism (FT) and proliferation financing (PF) of weapons of mass destruction) also increases. Thus, the performance of adequate Customer Due Diligence measures is an integral part of the IFSCA anti-money laundering (AML) framework.
The ML/FT and PF risks may arise from various factors such as customers, geographies to which customers belong, delivery channels, modes of transaction, etc. The IFSCA has issued IFSCA Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer Guidelines, 2022 (IFSCA AML Guidelines), which provide for entities operating in the IFSC to conduct Customer Due Diligence process to mitigate the ML/FT and PF risks posed by customers.
Customer Due Diligence (CDD) enables businesses to check the legitimacy of their prospective customers by identifying and verifying their identity details and ensuring that the customers are indeed the persons or entities they claim to be. This safeguards their businesses against potential financial crime threats.

What Is Customer Due Diligence?

Customer Due Diligence is a process that includes identifying and verifying the customer and the beneficial owner (in the case of corporate customers) using reliable and independent sources. The CDD measures are focused on customer identification to check their authenticity and legitimacy. It includes a set of internal controls that help businesses establish a customer’s identity, determine the nature and purpose of transactions that the customer is likely to engage in and assess associated ML/FT, and PF risks the businesses may face when dealing with such customers.
Further, depending on the risk-based approach, the degree of strictness and scrutiny of the CDD measures shall vary according to the ML/FT and PF risks posed by various customers.

Role Of CDD In AML Regulatory Compliance

CDD is a crucial element of the IFSCA AML Guidelines as it helps verify the identity of customers, assess their risk profiles, and monitor their transactions to detect and prevent financial crimes. With the implementation of the CDD procedures, regulated entities can determine the varying levels of risk associated with different customers and establish the appropriate CDD measures for risk mitigation.
The CDD process provided under the IFSCA AML Guidelines maps out a comprehensive framework for addressing potential threats of ML/FT when engaging with both new and existing customers. Thus, it assists regulated entities in safeguarding themselves and maintaining compliance with regulatory requirements.

When Is CDD Required?

The CDD process is a must before establishing the business relationship to establish the identity of the prospective customer. Additionally, the regulated entity must undertake CDD measures on an existing customer if there are doubts regarding the authenticity and legitimacy of provided documents, data, or information. Further, CDD measures should be undertaken if the regulated entity comes across suspicions of ML/FT, a change in the customer’s risk rating, or any material change in the customer’s circumstances.
Thus, CDD is also crucial on an ongoing basis, in the course of the business relationships, to ensure that the customer’s identified profile holds good and that any changes in the identification details are immediately identified, which may pose an increased risk to the business.

Who All Are Subject To CDD By The IFSC Regulated Entities?

As per the IFSCA AML Guidelines, CDD measures must be adequately applied to all customers, whether individuals, legal persons, or legal arrangements, including the beneficial owners of such legal persons or arrangements.

Decoding The Customer Due Diligence Process

Customer Due Diligence is a necessary procedure that must be undertaken in a structured manner with utmost due care to better comply with the IFSCA AML Guidelines while achieving its objective of safeguarding the business against potential financial criminals. Here is a detailed note on the elements of the CDD process that you need to keep in mind:

Data Collection And Verification (Know Your Customer)

The first level of CDD involves identifying and verifying the customer’s identity and understanding the nature of the business. This process is generally known as “Know Your Customer” (KYC). The regulated entity must undertake the KYC process and seek information from its natural and legal customers.
After collecting the data, CDD’s next step is to verify all such customer information. It is essential to verify the information provided to check its adequacy and establish the authenticity of the customer and proposed business relationship. A customer with ill intentions of routing illicit funds may furnish information that may not be legitimate. Therefore, verification becomes crucial so that the regulated entity can mitigate risk by knowing the true identity of a customer and understanding the purpose of the transaction.
The critical components of the KYC are as follows:

1. Identification and Verification of Identity of Customer

A regulated entity must collect KYC information from the customers, whether a natural person or a legal structure.

2. Natural Person

This information typically includes a natural person’s full name, Unique Identification Number, date of birth, nationality, address, and contact details.
The regulated entity must verify the customer’s identity using reliable documents. To verify a natural person’s identity and resident address, a regulated entity must obtain that contains a photograph of the customer, name, unique identification number, date of birth, and nationality.
Additionally, a regulated entity can verify residential addresses based on OVD or recent utility bills, bank statements, etc.

3. Legal Person

A legal person established in whatever form must provide KYC information containing the full name and trading name, Unique Identification Number, registered or business address, principal place of business, date and place of incorporation. Furthermore, in cases where the customer is a legal person or legal arrangement, a regulated entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement.
The regulated entity shall verify the legal form, proof of existence, constitution, and document defining regulatory powers. For such purposes, a regulated entity must obtain a certificate of incorporation, partnership deed/agreement, trust deed, constitutional document, certificate of registration or any other document.

4. Identification and Verification of the Natural Person appointed to act on behalf of the Customer

A natural or legal person may appoint one or more natural persons to deal on its behalf for business purposes. Therefore, a regulated entity needs to identify and verify such a person. All documents specified above should be obtained from appointed natural persons acting on behalf of the customer. Additionally, documents authorising the appointment of such a natural person should also be obtained, including power of attorney, resolutions passed by the governing body, etc.

5. Identification and Verification of Identity of Beneficial Owner

CDD measures should also use relevant information to identify the beneficial owner of the customer, who is a legal person or legal arrangement. This includes understanding the customer’s control or ownership structure.
For legal persons, the regulated entity should identify the natural persons exercising control over the entity through ownership. In case of uncertainty or no natural person owning the legal person, the regulated entity should identify the natural persons having effective control over it.
For legal arrangements like trusts, the information regarding beneficial owners includes the trust’s author, trustee, beneficiaries having a significant interest, and any other person exercising control over the trust.
The IFSCA AML Guidelines have prescribed certain percentage thresholds for varying legal structures to determine ownership or control rights. For example, a beneficial owner of a corporate entity is a person who holds more than 10% of the entity’s shares.

6. Information on the Purpose and Intended Nature of business relationship

When gathering customer information, a regulated entity must also obtain information regarding the purpose and intended nature of a customer’s business relationship. To collect such information, a regulated entity should employ methods that align with the risk level and complexity of the regulated entity’s business.

Name Screening

Sanction screening is a process to ensure that the regulated entity does not deal with the organisations and individuals sanctioned under the Ministry of Home Affairs, United Nations Security Council, and other relevant sanction lists, as per the firm’s risk-based approach.
Thus, name screening is performed primarily to check whether customers are designated under any local or international list of banned or sanctioned persons. For name screening, the regulated entity must scan the customer against the national list issued by the Ministry of Home Affairs, the UNSC sanctions list, or any other international sanction lists relevant to the particular business relationship.
Additionally, screening must be undertaken to identify if any customer is a Politically Exposed Person (PEP) or has connections with financial crime as captured in reliable adverse media sources.
The regulated entities must conduct the sanctions screening to reinforce the KYC process and identify any additional details that may impact the customer’s risk profile.

Customer Risk Profiling

The risk landscape related to customers is multifaceted and affected by various factors. Thus, customer risk profiling is essential as it establishes the customer’s risk profile and helps determine the level of due diligence required of every customer. The IFSCA AML Guidelines mandate that regulated entities assess the risk posed by each customer. In accordance with risk assessment, the regulated entity applies mitigation measures, adopting a risk-based approach.
Thus, the regulated entities must assess the level of ML/FT risk the customer poses to the business and determine its risk profile while establishing the business relationship or executing a transaction. Here is the list of parameters that must be considered to assess the customer risk systematically:
  • Timing and seasonality of transactions
  • Involvement of counterparties and intermediaries
  • Customer’s financial profile
  • Ownership and management structure
  • Nature and purpose of the business relationship
  • Location of customer
  • Nature of customer’s activities
  • Estimated size or value of the transaction
Based on these parameters, the regulated entities must determine the degree of customer involvement in a business relationship and classify the customers as high, medium, or low risk. With this risk allocation, the regulated entities can tailor the risk mitigation strategies for each customer to effectively mitigate the risk while staying compliant with the AML regulatory framework.
Here are the required or permitted modifications to the standard CDD measures as per IFSCA AML Guidelines, depending upon the degree and severity of the ML/FT risks:

Enhanced Customer Due Diligence (ECDD)

When a customer is identified as high-risk, there is increased ML/FT risk associated with them. Therefore, additional identity checks and verification measures are to be applied. These additional measures to be applied under ECDD include identifying and verifying the customer’s source of funds and wealth and seeking senior management approval before onboarding the customer or executing the transaction.

Simplified Customer Due Diligence (SCDD)

Simplified Due Diligence means applying relaxed identification checks and measures to manage risk when customers are designated low-risk. Therefore, SCDD measures allow regulated entities to adopt a process where lower ML/FT risk is adequately managed with optimal resource utilisation.

Ongoing Customer Due Diligence

The ongoing monitoring of the business relationship offers the regulated entity an opportunity to determine if the risks originating from the customer are still the same as identified at the time of customer onboarding. The ongoing CDD process allows for the regulated entities to monitor their customers’ profiles on an ongoing basis and assists the entities in timely spotting any fluctuation or change in the risks, empowering them to take prompt mitigation actions.

Periodic Updating of CDD

As part of ongoing CDD, the regulated entities must periodically review and update the customer’s documents and CDD information to reflect any necessary updates, such as a change in address or renewal of an important document such as a passport. These periodic CDD update measures ensure that the customer information gathered remains updated and relevant to determine the customer’s existing risk profile.
The regulated entities should adopt a risk-based approach to conducting periodic CDD updates. According to the IFSCA AML Guidelines, the frequency of periodic CDD updates varies based on customers’ risk levels.

Record Keeping

This is the last step, which requires the regulated entities to maintain the CDD-related records adequately for six (6) years from the date the business relationship ends or the transaction is completed. Systematic record-keeping facilitates the regulated entities’ meeting of their reporting obligation and furnishing such details to the concerned authorities or any law enforcement agency immediately upon request.

What Happens When CDD Is Not Performed?

Onboarding customers without applying any CDD measures, or with inadequate measures, can subject a regulated entity to severe risks such as reputation loss, compliance risk, and financial loss. It is mandated that a regulated entity establishes a business relationship only after employing adequate CDD measures to identify the customer and associated risk. When a regulated entity cannot perform or complete the CDD process for a customer, the IFSCA AML Guidelines impose certain restrictions on the regulated entities, such as:
  • It should avoid opening an account or providing a service to the customer.
  • It must not conduct a transaction with or for the customer whose CDD has not been conducted.
  • When CDD measures are not undertaken, a Regulated Entity must terminate or suspend any business relationship with the customer.
  • A regulated entity must return any funds or assets received from the customer.
Furthermore, in such cases, it is crucial to assess whether the lack of CDD requires the submission of a Suspicious Transaction Report (STR).
Imposing these restrictions on a regulated entity where the CDD process is not properly conducted is to protect the business from inadvertently facilitating any transactions leading to ML/FT crimes.

Best Practices For Implementing Effective CDD Program

For implementing CDD measures effectively, here are a few points that a regulated entity should consider:

Including CDD Program Into Internal AML Policy And Procedures

The regulated entity should incorporate CDD procedures into its AML/CFT policies, procedures and controls to improve consistency in CDD measures implementation across the organization. The CDD program must detail the KYC process, the details to be obtained, the documents and sources to be relied upon for verification of the customer identity, the frequency of ongoing CDD and periodic review, etc.
The AML policy should also define staff roles and responsibilities in conducting CDD. This will promote clarity and compliance with regulatory requirements.

Appointing A Competent Person To Conduct CDD

It is essential that the person overseeing compliance with regulatory requirements is skilled and has the expertise to conduct CDD procedures. Customer-facing CDD staff should know basic CDD procedures, associated red flags, and ML/FT and PF typologies. Employing such a skilled person for CDD measures enhances the productivity and accuracy of the CDD process and brings efficiency to the AML efforts to protect the business.

Implementing Software And Tools For Conducting CDD

A regulated entity must consider employing suitable tools to streamline and improve the CDD process. Such software covers various aspects, such as identity verification, collecting information from different sources, sanctions screening, systematic customer risk assessment, and ongoing transaction monitoring.

Employing Data Security Measures

CDD collects customers’ data, which needs to be handled carefully. Thus, while conducting CDD procedures, a regulated entity should include encryption protocols, controlled access to the data, and audits to prevent data breaches. Data security measures help businesses gain the trust of their customers and protect their data from unauthorised access. By implementing and making its customers aware of the regulated entity’s Data Protection and Privacy Policy, the regulated entity ensures it utilises and stores customer data solely for regulatory compliance, ensuring transparency and accountability in data handling practices.

Periodic CDD Reviews And Updates

As mentioned above, the IFSCA AML Guidelines provide for the periodic review of customers’ CDD files. A regulated entity must include a methodology and a system to conduct periodic reviews to keep up with changes related to customers’ business, wealth, and overall profile. Keeping up with new updates helps businesses be more vigilant towards suspicious activities and proactively identify and manage the risk.

CDD Training And Awareness Programs

As a regulatory requirement, the regulated entity must conduct regular training sessions and awareness programs to educate staff about processes, procedures, and the importance of CDD. This helps update employees with emerging AML trends and clarify their roles and responsibilities in ensuring compliance with regulations. Furthermore, training programs should be tailored to employees’ specific needs and roles, such as training programs for senior management, operational staff, and managers.

Conclusion

CDD is an essential factor for mitigating risks associated with ML/FT. An IFSCA-regulated entity that implements CDD practices can establish the identity of its customers, understand the nature of its business relationships, and assess the potential risks involved in the particular business relationship. Additionally, for better performance, best practices in CDD should be employed, such as incorporating a CDD program within the documented AML policy, employing adequate AML software to empower the CDD process, and conducting AML training for the staff.
Therefore, prioritizing CDD not only helps organisations comply with regulatory requirements but also safeguards their financial integrity and reputation.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

How can RegTech help streamline AML compliance?

To keep pace with the ever-evolving regulatory framework around anti-money laundering and the emerging sophisticated ways developed by financial criminals, the AML measures call for advanced technology and tools. This new tech-based solution growing in the market, specifically focusing on anti-money laundering or anti-financial crime regimes, is popularly known as Regulatory Technology or RegTech.
Let us understand what RegTech is and how RegTech can help the regulated entities streamline their AML Compliance.

What Is RegTech?

As mentioned above, RegTech is an abbreviation for regulatory technology, a solution developed using innovative technology to facilitate legal or regulatory compliance with the applicable regulations. RegTech brings in the power of emerging technologies like artificial intelligence and machine learning, data analytics, etc., modernizing the compliance function of the business with optimum automation.
The acceptance of RegTech solutions has grown tremendously over the years with increasing complexities of regulatory obligations and the need to align business operations with compliance processes.
RegTech enables the processing of huge data sets and the efficient, timely management of compliance activities, with effective utilisation of resources and informed decision-making. A RegTech solution includes customer identity verification functionality, gathering and monitoring of financial transactions, assessment and management of customer and business risk, regulatory reporting and compliance management, etc.
Regulated entities must consider implementing an appropriate RegTech solution that complements the AML compliance function, reducing the risk of financial crime exploitation and regulatory non-compliance.

How Can RegTech Foster The AML Compliance Program?

In current times, where the financial crimes around misuse of technology and AML compliance obligations are growing, RegTech solutions come as a saviour with customized tools and software to address the financial crime risk and the challenges around AML compliance.
Following are the AML compliance aspects where automation and RegTech support cannot be overlooked:
Customer Due Diligence (CDD) is an essential element of AML compliance, involving identifying the customer, screening, and assessing the risk posed by the customer. Here, RegTech solutions can be deployed for identity verification, screening the customer against sanctions lists, Politically Exposed Person (PEP) lists and adverse media, and determining the customer’s risk profile based on the collected customer details. Moreover, this can also be integrated with the entity’s existing systems, like the Customer Relationship Management tool, automating the CDD process in real time.
Ongoing transaction monitoring is another crucial element of AML compliance, aimed at monitoring customer activities and financial transactions to identify red flags. With countless transactions taking place through the entity per day, manually monitoring the transactions and detecting unusual activities is challenging. The task of transaction monitoring becomes effective and efficient with RegTech, which can analyse vast volumes of data, including unstructured data, determine the patterns and predict the transactions to flag potential risks or anomalies. This enables the regulated entities to address the alerts or warning signals immediately and make necessary reports to the Financial Intelligence Unit on a timely basis.
Not limited to customer or transaction-related activities, RegTech solutions do provide functionalities to integrate these two into AML Enterprise-Wide Risk Assessment (EWRA), enabling the regulated entity to identify and manage the overall business exposure to money laundering and terrorist financing. With EWRA being updated on a real-time basis with every customer onboarded and transaction executed, the entity can stay on top of the entity’s ML/FT risk and promptly modify or upgrade the controls to mitigate the assessed risk.
Further, some RegTech solutions extend this transaction monitoring system to support automated reporting of Suspicious Transaction Reports (STRs) or any other regulatory report to the authorities, using API. This feature ensures the quality and comprehensiveness of the reports submitted to the FIU or other supervisory bodies.
RegTech offers advanced technologies to regulated entities to simplify AML efforts, enhancing the efficiency and accuracy of overall AML compliance.

What Are The Benefits Of Using RegTech For AML Compliance?

The following are the key benefits that a RegTech solution can offer to regulated entities with its powerful tools and automation:

Improved Efficiency Of The AML Compliance Processes

With automation and the capability to churn a large volume of data in a few seconds, the RegTech solution empowers the AML compliance Program of the regulated entity by reducing the time and effort for completing the AML compliance activities. RegTech automates the manual tasks, bringing in quality, speed and accuracy in AML compliance.
With proper tools and technologies, the regulated entities can:
  • automate the Customer Due Diligence process, making the customer onboarding process smooth while ensuring that no suspected financial criminal slips into the business operations,
  • process a large number of transactional data, monitoring the business activities in real-time to draw the trends and suspicious patterns and promptly generate an alert for cases warranting further investigation.
This automation reduces manual intervention, with immediate detection of risk indicators and elimination of human error, increasing the efficiency of the AML compliance function.
RegTech enables regulated entities to combine human brains and technological intelligence to run the AML compliance show, allowing optimal use of resources, adhering to the regulatory regime, and creating a robust shield against financial criminals.

Enhanced Accuracy And Reduced Non-Compliance Risk

RegTech solutions offer the power of artificial intelligence and data analytics capabilities that improve the accuracy of compliance tasks. With inherent characteristics of adapting and learning continuously, RegTech monitors transactions, predicts trends, and reduces false positives, enabling the AML compliance team to invest more time investigating genuine risk vulnerabilities.
With real-time triggers and alerts for compliance and potential red flags, the regulated entities can promptly handle and address suspicious transactions. This will help the entities prevent money laundering and terrorism financing while complying with the applicable provisions of the AML laws.

Improved Brand Image And Confidence

Deploying RegTech solutions demonstrates the entity’s commitment to fighting financial crime and safeguarding the economy. This boosts the entity’s reputation in the market, building trust and confidence in the business’s customers, stakeholders, and regulatory authorities.
RegTech gives wings to the business to fly high without worrying about the chain of compliance pulling it down, enhancing the effectiveness and efficiency of the AML compliance framework.

What Are The Best Practices For Implementing RegTech Solutions?

For the successful implementation of an appropriate RegTech solution, it is necessary to consider the following factors and adopt the best practices to make the most out of the investment in AML tools and systems:
  • Before choosing and deploying the RegTech solution, the AML compliance requirements must be mapped as per applicable laws (the Prevention of Money Laundering Act, 2002 (PMLA) or the IFSCA (AML, CFT, and KYC) Guidelines, 2022) and the industry in which the entity operates. Preparing a formal Business Requirements Document specifying the AML compliance obligations and the corresponding features and functionalities needed to meet these obligations is suggested.
  • As a lot of sensitive data is input into the solution, it is essential to evaluate its security and data privacy standards. The regulated entities must ensure that RegTech complies with data privacy requirements and adequate cybersecurity measures to avoid data breaches and maintain the entity’s reputation and customers’ confidence.
  • During the pre-implementation phase, the RegTech solution must be tested rigorously using sample data to train and fine-tune the technologies (like Artificial Intelligence or Machine Learning) used in the solution. This will reduce the number of false positive alerts, saving time on unnecessary investigations.
  • RegTech must be checked for its compatibility with the existing systems of the entity. Integration between the two systems is crucial for ensuring the seamless flow of comprehensive and accurate data to stay AML compliant and detect the red flags at the earliest. The regulated entity must upgrade the legacy systems to integrate the required technologies.
  • The benefits of RegTech cannot be achieved in its true sense unless the compliance team of the entity understands and accepts the solution. The regulated entity must invest time and resources in imparting necessary RegTech training to the team on how the solution can streamline the AML compliance function.
With a systematic approach, the regulated entities can identify the apt RegTech solution and unlock its full potential to augment the AML compliance framework.

How Can Niyeahma Assist You In Leveraging The Benefit Of RegTech To Enhance AML Compliance?

With growing AML compliance requirements and the need to strike a balance between compliance and business activities, the value of RegTech cannot be discounted. With years of experience and understanding of AML compliance activities, AML India can assist the regulated entities subject to PMLA and IFSCA AML Guidelines, identify the right RegTech solution and implement the same spotlessly. AML India can also handhold during the implementation and post-implementation phase, ensuring you stay regulatory compliant and safeguard your business against financial crime vulnerabilities.
With careful implementation of the RegTech solution, let’s gear up for the impactful fight against money laundering and terrorism financing.

Navigating the AML Regulatory Framework in India

The crime of money laundering poses a significant threat to the integrity of the economy in India. To promote a healthy and safe business environment that is free of financial crime, India recognises the significance of combating illicit financial activities. To achieve this goal, India has adopted a robust framework of regulations and enforcement mechanisms to prevent money laundering and financial crimes within its borders. Businesses operating in India are required to develop a sound understanding of the AML regulatory framework, enabling compliance with the applicable AML laws and sector-specific guidelines.
Additionally, various supervisory authorities have issued guidelines laying down the best practices necessary to identify financial crime instances and mitigate the risks.

Applicability Of AML Law In India

The entities which are subject to AML laws in India are generally referred to as “reporting entities” or “regulated entities”. According to the Prevention of Money Laundering Act, 2002 (PMLA), a reporting entity includes a banking company, financial institution, intermediary or a person carrying on a designated business or profession.
Further, the PMLA also defines persons carrying on a designated business or profession. These Designated Non-Financial Businesses and Professions (DNFBPs) encompass individuals and entities operating as:
  • Casinos
  • Real estate agents
  • Dealers in precious metals and stones
  • Individuals who manage cash and securities for others
  • And any other entities designated by the Central Government through official notification
Recently, the scope of such DNFBPs has been extended to bring the following professionals under India’s AML regulatory framework, when carrying out specified activities in the course of the profession for or on behalf of its clients:
  • Chartered Accountants
  • Company Secretaries
  • Cost and Management Accountants
Moreover, the Ministry of Finance, exercising its power under PMLA, extended the compliance requirements provided in the PMLA to the Virtual Digital Assets Service Providers (VDA SPs).
Individuals and entities involved in the above mentioned businesses and professions need to ensure compliance with PMLA.

Why Is It Important For Businesses To Be Aware Of India’s AML Regulatory Framework?

The aforementioned businesses in India need to understand the AML regulatory framework so their business practice is aligned with the regulatory framework, making efforts to combat the potential financial crime risk to which their business is vulnerable. Here is a list of a few important reasons why businesses in India should be aware of India’s AML regulatory framework:

Establish Adequate Internal AML Compliance And Governance Structure

Having developed a sound understanding of India’s AML regulatory framework helps businesses formulate AML policies, procedures and controls, which enables its customer-facing personnel to detect and report suspicious activity related to financial crimes.
This understanding is needed to have AML policies that are aligned with regulations and to ensure their better implementation for preventing financial crimes.
The rigorous knowledge of AML regulatory framework helps businesses to know what to include in their AML policy to seamlessly integrate it in the operations, how frequently to update the policy and when to audit such AML policy.

Preserve Its Financial Integrity

Knowledge and awareness about AML regulations help businesses maintain financial integrity and implement mitigating measures against financial crimes. Additionally, comprehending the framework governing compliance helps businesses understand what compliance requirements they are supposed to implement.
Knowledge of AML regulations guards financial integrity, helps monitor financial transactions, restrains the business from being exploited by criminals, mitigates regulatory risks, and maintains trust with regulators and other stakeholders. This safeguards the business’s reputation in the marketplace.

Avoid Non-Compliance With AML Laws And Avoid Fines, Penalties And Reputational Loss

Understanding the AML regulatory framework helps businesses to know about penalties, fines and criminal charges they may face in case of non-compliance. The imposition of penalties not only leads to financial loss but also demeans the business’s reputation, which leads to business loss and hampers business relationships.
With a grasp of the regulatory framework, businesses could maintain compliance requirements and demonstrate their commitment to fighting global vices, which would help them to avoid penalties and maintain their reputation.

Implement AML Solutions, Tools And Technologies Tailored To Suit The Business

Implementation of AML tools, software and appropriate technologies makes AML compliance efficient and easy. An AML program includes procedures designed to guard against someone using the business for the facilitation of financial crime. With knowledge of the regulatory framework, a business can implement the best AML solutions, which are programmed to incorporate various compliance aspects in their functions; for example, name screening tools help with sanctions compliance.
When tools come with integration features, then various operational functions such as customer onboarding can be integrated with name screening, KYC, customer due diligence process to help businesses automate their processes and optimize the use of the resources. Additionally, with the implementation of AML solutions that are aligned with the regulatory framework, businesses can improve their efficiency and keep a better check on business activities against potential ML/FT risks.

Foster A Culture Of Compliance And Appropriate Allocation Of Business Resources

A clear understanding of the regulatory framework helps businesses comply with regulations efficiently and thus makes business compliance-focused.
A compliance-focused culture flows from the top management or the senior management of the business. The businesses in India need to have in place adequate personnel training programs to ensure that right from top management, the AML compliance team and customer-facing team are appropriately trained with regard to the potential ML, FT and PF red flags and fulfil the responsibilities of identifying and reporting suspicious transactions to the FIU.
Therefore, businesses should be aware of regulations to foster a compliance-focused culture, which contributes to a positive societal impact. Additionally, businesses with knowledge about regulations know where the risk lies and what resources are required to manage the risks. Thus, they are better at allocating business resources.

Ease In Expanding Business Globally

Knowledge about regulatory frameworks helps enhance overall business performance. Given the global nature of financial crime risks, the awareness and compliance with AML regulations help in growth and create long-term opportunities worldwide.
Businesses that have a better understanding of global AML compliance standards perform better and grow with partnerships and collaborations. Even at a global level, an AML compliance-oriented business gets easy access to markets and country entry, which helps in the expansion of business.

Principal Statutory Regulations For AML In India

To combat financial crimes and help the regulated entities navigate and implement adequate risk mitigation measures, the Government of India has introduced various laws and rules.

Prevention Of Money Laundering Act (PMLA) Of 2002

The Prevention of Money Laundering Act, 2002 (PMLA) is the primary law that governs AML/CFT regulations and guidelines in India.
The PMLA contains comprehensive provisions to combat money laundering (ML), financing of terrorism (FT) and proliferation financing of weapons of mass destruction (PF), which include empowering various relevant authorities such as the Enforcement Directorate (ED), Central Bureau of Investigation (CBI), or Financial Intelligence Unit – India (FIU–IND) to detect, investigate, and prosecute money laundering offences in a timely and effective manner.
The amendments introduced in the PMLA must be considered. With frequent advancements in the financial market and technology across various sectors, new threats of potential ML/FT and PF have developed.
Accordingly, the PMLA has undergone various amendments from time-to-time to address emerging ML/FT and PF risks and ensure continuous alignment with international standards and recommendations issued by the Financial Action Task Force (FATF).
The timely amendments to the PMLA have ensured its relevance and effectiveness in combating evolving financial crimes.

Prevention Of Money Laundering Rules (Maintenance Of Records) Rules, 2005

Complementing the PMLA, the Prevention of Money Laundering Rules (Maintenance of Records) Rules, 2005 (PMLA Rules) is another allied regulation brought into force to enable the prohibition of money laundering activities in India. The PMLA Rules provide operational guidelines for implementing the provisions of the PMLA.
These rules lay down procedures for anti-money laundering compliance, including customer due diligence, record-keeping, and reporting of suspicious transactions.

PMLA Allied Laws

  • The Unlawful Activities (Prevention) Act, 1967
  • Weapons of Mass Destruction and Their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005
  • The Conservation of Foreign Exchange and Prevention of Smuggling Activities Act, 1974
  • The Benami Transactions (Prohibition) Act, 1988
  • Sector-specific AML Guidelines Issued by Competent Authorities such as the Directorate General of India-Indirect Taxes and Customs
  • The Indian Penal Code, 1860
  • Code of Criminal Procedure, 1973
  • The Narcotic Drugs and Psychotropic Substances Act, 1985

Directives And Guidelines Issued For AML Compliance

In addition to the principal legislations, the various governing authorities have also released specified guidelines for different categories of reporting entities according to the nature of their activities. Some of these guidelines include:
  1. Guidelines for Reporting Entities (Real Estate Agents) under the Prevention of Money Laundering Act, 2002 (Guidelines for Real Estate Agents)
  2. AML/CFT Guidelines for Reporting Entities (Dealers in Precious Metals and Precious Stones) under the Prevention of Money Laundering Act, 2002 (Guidelines for DPMPS)
  3. IFSCA (Anti Money Laundering, Counter Terrorist-Financing and Know Your Customer) Guidelines, 2022 for units operating in GIFT City, Gandhinagar
  4. AML & CFT Guidelines for Reporting Entities providing services related To Virtual Digital Assets
  5. AML & CFT Guidelines for Professionals with Certificates of Practice from ICAI, ICSI and ICMAI
  6. Master Circulars issued by Reserve Bank of India
  7. Guidelines on Anti-Money Laundering Standards and Combating the Financing of Terrorism Obligations of Securities Market Intermediaries

Regulatory Authorities Overseeing AML Laws

Various regulatory authorities in India are responsible for providing frameworks to combat ML/FT. Provided below is the list of authorities working to combat financial crimes:

Ministry Of Finance

The Ministry of Finance is the primary regulatory authority in India, which looks after the financial system, including AML/CFT. Within its body, the Department of Revenue is responsible for drafting laws, policies and guidelines for various financial systems, including the framework for AML/CFT laws.
Additionally, the Ministry of Finance works in collaboration with other authorities in India by providing directions to ensure that the financial system in India follows AML regulations.

Reserve Bank Of India

The Reserve Bank of India, which is the central bank of the country, plays a crucial role by providing consultancy to the central government in prescribing the procedure for maintaining and furnishing information by the reporting entity for compliance with the provisions of the PMLA.
The RBI has also released comprehensive guidelines on Know Your Customer (KYC) and related compliances, to assist the financial institutions in effectively combating financial crimes.

Securities And Exchange Board Of India

The Securities and Exchange Board of India (SEBI) is the central authority for the securities market in India. It monitors the stock market to prevent money laundering and financial crimes in the securities market.
SEBI has released “Guidelines on Anti-Money Laundering Standards and Combating the Financing of Terrorism /Obligations of Securities Market Intermediaries”, as mentioned above, which details the various AML measures the securities market players have to adhere to in order to protect the integrity of India’s securities market.

Insurance Regulatory And Development Authority Of India

The Insurance Regulatory and Development Authority of India (IRDAI) is a regulatory body for the insurance industry in India. It makes sure that insurance companies implement measures for AML/CFT.
In this context, IRDAI also releases detailed guidelines on AML/CFT compliance for insurance companies and agents operating in India.

International Financial Services Centres Authority

The International Financial Service Centre (IFSC) is set up to develop India as a global investors’ hub. With IFSC entities’ global exposure in terms of business activities and customers, the risk of financial crime becomes more worrisome.
Strong AML program implementation in IFSC entities must be ensured to overcome this risk. To safeguard the business and the economy against ML/FT vulnerabilities, the IFSCA releases AML/CFT regulations and ensures that regulated entities adhere to them.

AML Enforcement Through Specialized Agencies

Various agencies have been constituted in India to prevent money laundering and terrorism financing. Following is the list of agencies working towards the prevention of financial crimes:

Enforcement Directorate

The Enforcement Directorate (ED) is a financial investigation agency under the Ministry of Finance. It investigates offences relating to money laundering and violations of foreign exchange laws and is responsible for the enforcement of provisions laid down under the PMLA.

Financial Intelligence Unit India (FIU-IND)

The Financial Intelligence Unit is a national agency that receives, processes and analyses suspicious financial transactions in India. Just like the ED’s role, the PMLA 2005 has conferred power on FIU-IND to implement the provisions of the Act. All regulated entities, for the purpose of compliance with PMLA, are required to furnish information to FIU-IND to prevent financial crimes in the country.

Cooperation With International Agencies For Combating Financial Crimes

With the advancement in technology and globalisation, there has been a rise in cross-border financial transactions. Thus, international agencies are working with the country to limit cross-border money laundering and terrorism financing.
It is important for businesses involved in export-import or cross-border trade to have relevant knowledge of these regulatory frameworks for compliance measures in combating money laundering and terrorism financing.
Knowledge of these international regulations helps businesses involved in international trade safeguard the integrity of financial transactions, protect the business against criminal activities, and preserve the security of the global financial system.
One such international agency working with India for AML/CFT is FATF.
The Financial Action Task Force (FATF) sets international standards and recommendations for combating money laundering, terrorist financing, and other financial crimes. India became a member of the FATF in 2010 to implement a more advanced regulatory system for AML/CFT.
As a member, India implements these recommendations and cooperates with FATF and other member countries to combat money laundering and related crimes effectively. Businesses in India, when implementing AML policies, procedures, and controls, need to adopt a risk-based approach, along with other FATF recommendations such as compliance with Targeted Financial Sanctions (TFS) and reporting to the FIU, to ensure that their AML compliance measures are on par with the globally recognised FATF standards.

Let’s Safeguard India With Thorough Understanding Of AML Regulatory Framework!

Awareness and compliance with India’s AML regulatory framework are imperative for businesses operating in India. In order to combat ML/FT, businesses in India have to adopt an effective anti-money laundering policy through collaboration and cooperation among different authorities and agencies. With such stringent regulations, guidelines, and measures, India aims to prevent money laundering activities, protect the integrity of its financial system, and contribute to global efforts to combat money laundering and terrorism financing.
Therefore, AML compliance not only safeguards businesses from legal and reputational risks but also acts as a guardian for financial integrity and maintaining accountability in the financial ecosystem.

FAQs On AML Regulatory Framework In India

The Prevention of Money Laundering Act 2002, along with the Prevention of Money Laundering Rules 2005, which were issued under it, form the primary framework for the anti-money laundering laws in India.
Multiple authorities oversee AML enforcement in India. However, the Enforcement Directorate under the Department of Revenue, Ministry of Finance and FIU-IND under the Ministry of Finance are responsible for enforcing the provisions of PMLA 2002.
PMLA 2002 applies to all persons and covers individuals, companies, firms, an association of persons or a body of individuals working as a banking company, financial institution, intermediary or a person carrying on a designated business or profession.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has 9+ years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.

Sanctions Screening Requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022


The International Financial Services Centres Authority (Anti-Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, provide detailed guidance on the Sanctions Screening Requirements for the entities operating within the IFSCA. The IFSCA (AML, CFT and KYC) Guidelines, 2022, apply to every regulated entity recognised, licensed, or registered by the IFSCA and to the regulated entities authorised by it to the extent specified. Further, the provisions of these guidelines also apply to the regulated entity’s financial group to the extent specified in Chapter XII of the guidelines. This article provides essential insights into the sanctions screening requirements under IFSCA (AML, CFT and KYC) Guidelines, 2022.
Apart from the IFSCA (AML, CFT and KYC) Guidelines, 2022, the regulated entities need to pay due consideration to the following laws, rules and regulations:
  • The Prevention of Money-Laundering Act, 2002
  • Prevention of Money Laundering (Maintenance of Records) Rules, 2005
  • The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005
  • Unlawful Activities (Prevention) Act, 1967 (UAPA)

What Are Sanctions?

Sanctions are restrictive measures countries and international organisations employ to restrict specific geographies, entities, and individuals from carrying out certain activities. The primary aim behind imposing such sanctions is to mitigate various risks related to national security, peace, human rights violations, and illicit activities.

Who Imposes Sanctions?

At the international level, there are various bodies which impose sanctions. Countries sometimes impose sanctions on individuals, entities, and other geographies. The major international bodies imposing sanctions are:

Major International Bodies Imposing Sanctions

  • The UNSC
  • The Ministry of Home Affairs (MHA), India – Unlawful associations, terrorist organisations, individual terrorists
  • Office of Foreign Assets Control (OFAC)
  • His Majesty’s Treasury (HMT)
  • The European Union (EU)

What Are The Risks Mitigated By Imposing Sanctions?

Countries resort to the imposition of Sanctions to target and mitigate risks like:
  • Terrorist Activities
  • Weapons of Mass Destruction (WMD) Proliferation Activities
  • Human Rights Violations
  • The Annexation of Foreign Territory
  • Destabilisation of a Sovereign Country
  • Cyber-Attacks

What Are The Various Forms Of Sanctions?

Sanctions take multiple forms, including financial restrictions, trade embargos, and travel bans.

What Are The Various Types Of Sanctions?

Today, sanctions are of various types. The UNSC and individual countries impose different sanctions as specific restrictive measures to protect their interests. Here is the list of types of sanctions to counter money laundering, terrorist financing, proliferation of weapons of mass destruction and proliferation financing:

Economic Sanctions

The primary purpose behind enforcing Economic Sanctions is to cause an economic impact on the sanctioned individual, entity, or country. Economic sanctions cause ongoing damage to the sanctioned person/entity/country as they increase costs and hardships around trade. Such economic sanctions are enforced in a variety of ways:

Diplomatic Sanctions

Diplomatic Sanctions are political measures a country takes to stop having diplomatic relationships with another country. Such actions include calling off ties with a country, limiting the presence of ambassadors, etc.

Military Sanctions

These trade penalties target a country to discourage its military procurement and financing. Arms embargoes and military-related trade restrictions are common examples of such military sanctions.

How Do Sanctions Work?

When the Government of India imposes a sanction, the regulated entities in India must abide by it. Further, the regulated entities have to abide by the UNSC sanctions. They must ensure proper systems and procedures are in place to meet the sanctions compliance requirements.
If positive matches are found during sanctions screening, the regulated entities must not proceed with the related transaction and must report it to the relevant authorities.
The relevant authorities will then take necessary actions like freezing assets and preventing entry into or transit through India.

Who Must Comply With Sanctions?

As per the IFSCA (AML, CFT and KYC) Guidelines, regulated entities which are licensed, recognised, registered, or authorised by the IFSCA and financial group of the regulated entity to such extent as specified in Chapter XII of the guidelines shall comply with the sanctions screening requirements.

What Is Sanctions Screening?

Sanctions Screening is an important control to counter money laundering and terrorist financing risks. Sanctions screening is a vital element of the Know Your Customer and Customer Due Diligence Process, which helps mitigate ML/TF risks.

Why Is Sanctions Screening Required?

Sanctions screening is required to ensure that the regulated entity does not end up dealing with a sanctioned individual or entity. Further, it is also required to ensure that the risks associated with the high-risk jurisdictions and sanctioned countries are adequately identified, assessed, and mitigated before onboarding a customer or entering into a fresh transaction with such customers.
Money laundering and Terrorist Financing are global menaces. They affect countries, companies, and individuals in a variety of ways. By conducting a Sanctions List check before onboarding a customer or entering into a transaction with the customer, the regulated entity could fight and mitigate ML/TF risks. Further, the relevant authorities can be notified, and actions can be taken against the criminals.
It’s a regulatory requirement for IFSC-based entities to perform sanctions list checks as a part of their customer due diligence process.

Who Should Be Screened As A Part Of Sanctions Compliance?

Customers, suppliers, third parties, employees, ships, aircraft, and UBOs must be screened to comply with sanctions screening requirements.

The Importance Of Sanctions Compliance Policy

The reporting entities must have a defined Sanctions Compliance Policy. The sanctions compliance policy helps meet regulatory requirements and identify sanctions-related risks. A formal Sanctions compliance policy helps maintain a uniform way to counter ML/TF and PF risks.
A sanctions screening program is a set of written policies and procedures that help you comply with IFSCA (AML, CFT, and KYC) Guidelines concerning sanctions compliance. Further, the sanctions screening program is drafted keeping in view the nature and size of your business, available resources, risk-based approach adopted by your company, regulatory requirements, and international best practices. It provides you with a detailed guideline as to sanctions screening concerning:
  1. KYC and CDD checks
  2. Transaction Monitoring
  3. Ongoing Sanctions Screening
  4. Ad hoc Name Screening

Key Components Of A Sanctions Screening Program

1. Governance

The sanctions screening program should lay down a sound governance framework wherein the responsibilities of the principal officer and the top management need to be defined, the program’s overall management needs to be described, and the procedures around it need to be laid down.

2. Risk-Based Approach

The sanctions screening program should revolve around the risk-based approach taken by the firm. The sanctions lists, procedures, and resources deployed should be commensurate with the associated risks and help keep the overall risk within the company’s risk appetite limit.

3. Regulatory Framework

The sanctions screening program should refer to the underlying laws, rules, and regulations. The legal requirements should be clearly mentioned to avoid misinterpretation.

4. Name Screening Procedures

The name screening procedures, whether manual or automated, need to be described, and the sanctions lists to be referred to, the procedures related to high-risk customers, and the escalation matrix should be clearly outlined.

5. KPI Based Periodic Review

The sanctions screening program should be reviewed periodically, and a KPI-based review will help understand its efficiency.

6. Technology

The name screening software’s parameter configuration, access rights, workflow, sanctions database update frequency, etc., need to be identified and outlined.

7. Case Management Methodology

Most Sanctions screening software provides case management functionality where the partial and full hits trigger a notification for the principal officer to intervene, evaluate risks, and decide on onboarding a customer or maintaining a business relationship.

8. Regulatory Reporting

The regulatory reporting requirements around sanctions screening must be clearly defined, along with the deadlines and responsibilities around it.

How Is Sanctions Screening Performed?

The compliance department checks customers, suppliers, employees, and third parties a business deals with against the relevant Sanctions Lists. For IFSCA-based entities, the primary requirement is to screen against the UNSC and MHA lists. However, depending on the regulated entity’s risk-based approach, other relevant sanction lists like OFAC and HMT may also be considered.

When To Conduct Sanctions Screening To Comply With IFSCA (AML, CFT And KYC) Guidelines

The regulated entities must perform sanctions screening before onboarding a customer or entering into a business relationship, and on a periodic basis.

Best Practices Around Timing Of Sanctions Screening

  • Before onboarding a customer
  • Before entering into a business relationship
  • Before making a transaction
  • During ongoing CDD reviews
  • Upon change in customer’s information
  • Upon a change in the sanctions list
  • On a daily basis

Sanctions Screening Process

Sanctions screening is vital to ensuring that the regulated entity is not dealing with the organisations and individuals sanctioned under MHA, UNSC, and the other relevant sanction lists per the firm’s risk-based approach. The regulated entities follow the sanctions screening process below to counter their ML/TF risks and comply with the IFSCA (AML, CFT and KYC) Guidelines, 2022.

KYC

Here, the regulated entity collects KYC information from the customers. This information, in the case of natural persons, typically includes:
  • Full name, including any aliases
  • Unique Identification Number (such as an Identity card number, passport number, etc.)
  • Date of birth
  • Nationality
  • Legal Domicile
  • Current residential address (other than a post office box address)
  • Contact details such as personal, office or work telephone numbers.
If a customer is a legal person or legal arrangement, a Regulated Entity shall obtain at least the following information:
  • The full name and any trading name
  • Unique Identification Number (i.e., Tax identification number or equivalent where this exists)
  • Incorporation number or business registration number
  • Registered or business address, and if different, its principal place of business
  • Date of establishment, incorporation or registration
  • Place of incorporation or registration
Further, in cases where the customer is a legal person or legal arrangement, a Regulated Entity shall also identify the legal form, constitution and powers that regulate and bind the legal person or legal arrangement. In addition, the Regulated Entity shall also identify and screen the related parties or connected parties of such customers and should remain apprised of any changes to connected parties. For identification of the connected parties, a Regulated Entity shall obtain at least the following information about each related or connected party:
  • Full name, including any aliases; and
  • Unique Identification Number (such as an Identity card number, passport number, etc.).
The KYC analyst then verifies this information against the original documents and communicates with the customer to fulfil requirements for any missing information or documents.

Screening

Now, the Screening Analyst performs screening of the customer details against the UNSC list and MHA list at a minimum and identifies matches, if any. He also includes other sanction lists like OFAC and HMT as per the risk-based approach taken by the entity. Such screening can be conducted using sanctions screening software, which maintains the latest database of sanctioned individuals and entities from various sanctions lists. The screening must be performed when onboarding a customer, entering a business relationship, and periodically.

Investigation

If there are matches while screening a customer, the screening analyst has to investigate such matches and decide if they are true matches. For false matches, he can refer the case to the risk analyst for necessary risk assessment purposes. For true matches, the case is forwarded to the principal officer for necessary reporting purposes.

Reporting

The Principal Officer needs to verify the information, and he needs to identify if the positive match concerns Section 12A of “The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005” or Section 51A of the “Unlawful Activities (Prevention) Act, 1967”.
The regulated entity must not carry out a transaction with such designated individual or entity and must submit the full particulars of the transaction, funds, financial assets, or economic resources by email, FAX, and Post to the applicable authorities, without delay, i.e. preferably on the same business day but not later than 24 hours in any case. For detailed information on reporting requirements, check Sanctions Screening reporting requirements.

Ongoing Monitoring

Sanctions check is not a one-time exercise. It’s an everyday effort as the sanctions lists are dynamic. Various Name Screening Software available in the market helps regulated entities run scheduled automated screenings. The principal officer is alerted for further due diligence if matches are found.

Duties Of Principal Officer In Complying With Sanctions Screening Requirements

The principal officer, along with the designated director, must ensure that the regulated entity remains compliant with the IFSCA (AML, CFT, and KYC) requirements and that the entity takes the required sanctions screening measures to counter Money Laundering, Terrorist Financing, and Proliferation Financing risks.

Consequences Of A Sanctions Breach

Failure to comply with IFSCA (AML, CFT, and KYC) guidelines severely affects regulated entities. Apart from regulatory fines and penalties, if the entity breaches an international sanction, it will have a far-reaching impact on its ability to do international business.

Manual Screening Vs Automated Screening

The regulated entities can conduct sanctions screening manually or by using software. The manual screening processes are error-prone, as one could erroneously refer to the old sanctions list or overlook a true match. Further, keeping track of ever-changing sanctions lists and conducting screening against them is too difficult.
Automated screening software helps one carry out screenings against the updated sanctions database and perform ongoing monitoring by scheduling a screening.
No matter what screening method is employed, the regulated entities have to maintain proper records around screening to meet regulatory requirements.

Choosing A Sanctions Screening Software

Choosing a sanctions screening software requires due consideration of various factors as it goes a long way in ensuring regulatory compliance with the IFSCA (AML, CFT and KYC) Guidelines, 2022. The right screening software will help reduce false positives, handle high volumes, and provide transliteration functionality.

Sanctions Lists And Obligations

The regulated entity must assess its legal obligations to finalise the name screening software. For IFSCA (AML, CFT and KYC) Guidelines, 2022 compliance, it is necessary that the AML software supports MHA and UNSC lists. Further, it should also support PEP screening and Adverse Media searches.

Integration Capabilities

The sanctions screening software should provide APIs to integrate it with the CRM or KYC software to provide a seamless user experience.

Training

The screening software vendor must provide adequate training around the use of the software and refresher training periodically to keep up with the version upgrades.

Database Refresh

It is essential to know how often the screening software vendor refreshes its database. The shorter the refresh interval, the higher the quality of the data.

Screening Software Features

The screening software should have a user-friendly interface, reporting capabilities, batch screening functionality, ongoing monitoring capabilities, case management and workflow functionalities.

Vendor Reliability

It is essential to know the vendor’s reliability, which can be judged from various parameters like the number of years in business, reference customers, testimonials, customer support, and the frequency of version upgrades.

Customisation Capabilities

The screening software should be customisable to meet the reporting entity’s unique requirements.

What Are The Challenges In Sanctions Screening?

There are various challenges associated with sanctions screening. Most of them stem from the fact that sanctions are dynamic in nature, and multiple bodies are issuing them.

1. Sanction Lists Are Dynamic

Sanction Lists are dynamic in nature. They keep changing in line with the geo-political tensions, criminal activities, and national and international security concerns. This makes it very difficult for SMEs to keep up with these changes and the regulatory requirements around them.

2. Complicated Sanctions Regime

Sanction regimes are complicated in nature. Sanctions could be imposed on countries, entities, individuals, ships, and aircraft.

3. Technological Issues

Technological solutions helping sanctions screening need to be validated. Most come with a proprietary database aggregating sanctions data from multiple sources. Since no single data source exists, reliability concerns exist around the implemented technological solutions.

4. Difficult To Identify UBOs

It is just too difficult to identify the Ultimate Beneficial Owners and screen them against the sanction lists due to the absence of a corporate registry and foul play by criminals.

5. Multiple Bodies Issuing The Sanctions

There are multiple national and international bodies issuing sanctions. There is no single way to keep track of all of them, and sometimes, it becomes too difficult to implement the same despite one’s willingness to comply with regulatory requirements.

6. Under/Over Screening

Due to a wide variety of sanction regimes, international trade, local laws, and complexity around identifying UBOs, there is always a risk of under-screening or over-screening.

7. Customer Friction

Sanctions screening requires the collection of data before onboarding or concluding a transaction. It results in delays in the execution of a transaction, causing customer dissatisfaction and loss of revenue for businesses.

8. Lack Of Resources

Small and medium-sized businesses often struggle with resources, and sanctions compliance becomes an extra cost for them.

Conclusion

The IFSCA (AML, CFT and KYC) Guidelines require regulated entities to perform sanctions screening to counter money laundering, terrorist financing, and proliferation financing risks. The entities must implement a proper sanctions screening program and screening software to meet the legal obligations.
The regulated entities must adopt a risk-based approach and screen their customers, suppliers, employees, and third parties. If any positive matches are found, reporting must be made to the relevant authorities, and records must be maintained for at least 5 years.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Common Mistakes by Chartered Accountants in AML Compliance


Chartered Accountants (CAs) manage accounting, auditing, and financial reporting services for clients, set up companies, and assist in operating and managing the client’s operations and funds, among other services. These services make them vulnerable to the risks of money laundering. In response, you must apply AML measures to manage and prevent risks. However, Chartered Accountants must avoid the most common mistakes during the AML compliance journey.
To avoid these mistakes, you must be aware of them. Our blog helps you with a list of common AML compliance mistakes by Chartered Accountants. The blog explores the applicable AML regulations for practicing Chartered Accountants. It also covers the red flags the CAs may observe, indicating the potential involvement of money laundering (ML), terrorism financing (TF), and other financial crime risks such as proliferation financing (PF).

AML Regulations Applicable To Chartered Accountants In India

The primary AML laws applicable to Chartered Accountants in India are:
a. The Prevention of Money Laundering Act, 2002 (PMLA)
In this context, it is essential to note that the notification issued under the PMLA provides that the practising Chartered Accountants would be construed as “Designated Non-Financial Businesses and Professions” when conducting financial transactions in relation to the following activities in the course of their profession and on behalf of the client:
  • buying and selling of any immovable property
  • managing of client’s money, securities, or other assets
  • management of bank, savings, or securities accounts
  • organisation or arranging for any contributions to the creation, operation or management of client’s companies
  • creation, operation or management of companies, LLP or trusts
  • buying and selling of business entities
b. The Unlawful Activities (Prevention) Act, 1967
c. The Weapons of Mass Destruction and Delivery Systems (Prohibition of Unlawful Activities) Act, 2005
d. FIU-India’s AML & CFT guidelines for professionals with certificates of practice from ICAI, ICSI, and ICMAI
e. International Financial Services Centres Authority (AML, CFT, and KYC) Guidelines, 2022 (for the CAs registered with IFSCA and practising from IFSC)
f. Several rules and circulars of FIU-India govern their operations in alignment with PMLA
The above regulations and rules require the Chartered Accountants to adopt the following measures for mitigating the ML/FT risks:
  • Understand your business’s risk exposure by performing risk assessments
  • Develop appropriate AML/CFT policies, procedures, and controls
  • Conduct adequate KYC and Customer Due Diligence processes for identifying the customer before onboarding
  • Screen your customers and employees against sanctions, PEPs, and watchlists
  • Conduct enhanced customer due diligence of high-risk customers
  • Perform ongoing monitoring of the transactions and business relationships (customers’ re-KYC during the business relationship and consistency between transactions and overall risk profile)
  • Appoint a designated director and a principal officer to handle the AML activities
  • Conduct AML training for employees
  • File the reports on suspicious transactions to FIU-India
  • Do not tip off the clients on any suspicious transaction reported to authorities
  • Maintain records for at least five years (six years for IFSCA-regulated CAs)
You must follow each of these requirements to prevent financial crimes. You can only manage them by avoiding the most common mistakes in AML compliance. Let’s look into these mistakes individually so you can sidestep them.

Mistakes By Chartered Accountants In AML Compliance

The common AML compliance mistakes by Chartered Accountants include the following:

Lack Of Awareness Of AML Requirements

As a practising Chartered Accountant in India, you must fulfil the AML obligations. But how will you follow these requirements if you don’t know them? So, you must have complete knowledge of AML requirements you need to adhere to. Lack of awareness of AML laws is a mistake by CAs in AML compliance.
When you are aware of them, you know what obligations you need to follow. You must understand the activities notified as subject to AML compliance and be in a position to adequately separate the same from the general services which are not included in PMLA.
You must know the deadlines, formats, and procedures of submissions. Also, information on the best practices of each AML procedure – KYC, CDD, transaction monitoring, and others will make your compliance smoother.
So, have a complete awareness of these crucial points of AML.

Forgetting To Take A Risk-Based Approach To AML Compliance

The Indian AML regulations require you to conduct business risk assessments. In these, you identify the risks to your business from:
  • Customers
  • Transactions
  • Geographies/jurisdictions
  • Nature of services (specifically the ones included in the definition of the “Designated Non-Financial Businesses and Professions” of the PMLA)
  • Delivery channels
Take a risk-based approach to determine appropriate AML measures based on these risks. These AML measures must align with your AML requirements. These measures help you prevent, manage, or mitigate the identified risks.
If you forget to take a risk-based approach, you treat all risks equally. That means you are making the same efforts in fighting them. It does not make sense if you conduct the same procedures for high-risk and low-risk customers. So, forgetting to take a risk-based approach to AML compliance is a critical mistake by Chartered Accountants in AML compliance.

Not Aligning The AML Policies With The Regulatory Expectations

You create your AML policies per your requirements under the AML laws. This is what alignment with regulatory expectations means. If you don’t align, it might lead to non-compliance. It may also bring more money laundering risks, a drop in your reputation, and financial instability.
So, the lack of alignment of AML policies with regulatory expectations is a mistake by Chartered Accountants in AML compliance.
When you align them, you achieve the following:
  • Compliance with regulations saves you from fines, legal sanctions, and reputational damages.
  • Commitment to ethical business practices, integrity, and transparency, improving credibility.
  • Global AML compliance, leading to international cooperation and business expansion possibilities.
  • Prevention of risk exposure to money laundering, proliferation financing, and terrorism financing.
  • Reduction in illicit money flow, resulting in financial stability and integrity.
  • Better management and mitigation of risks affecting your business.
  • Enhanced collaboration and cooperation between entities, regulators, and stakeholders against financial crimes.
So, alignment with regulations is necessary for all these benefits to your business, country, and the world.

Disregarding Client Acceptance Principles

What’s the purpose behind conducting KYC and CDD? It’s about knowing your customers better. Know their identities, addresses, sources of funds, beneficial owners, and other details. All these details help you spot suspects.
But before this, you must define your customer acceptance. You must know what levels of information on each criterion make a customer acceptable. And what indicators in customer data points make them unacceptable. For example, customers from sanctioned countries are not okay. Customers from jurisdictions with weak AML measures are okay but subject to specific stringent AML measures.
So, you must define the criteria for accepting and rejecting a client, adopting a well-defined customer risk profiling methodology. You must take a risk-based approach to it. Consider their business’s nature, complexity, volume and frequency of transactions, reputation, and other factors. Also, regular tracking of these factors helps you consider the changes.
Missing it means you take a judgment call on a case-to-case basis. You might turn out to be wrong in some of the cases. So, disregarding a clear definition of client acceptance principles is a mistake by Chartered Accountants in AML compliance.

Neglecting Proper Procedures Of KYC, CDD, Screening, And Transaction Monitoring

One essential way of achieving AML compliance is the seamless performance of KYC, CDD, and transaction monitoring. If you commit to these processes, you can generate desired outcomes pertaining to uncovering the identity of the customer and the risk they pose to the business. So, make it a practice to execute proper KYC, CDD, and screening procedures. Neglecting these processes is a common mistake in AML compliance by CAs.
With KYC and CDD, you can know your customers better. So, ensure that you perform these processes diligently. Collect all the possible details. Verify them with customer-submitted documents and other third-party sources. For customer screening, consider the latest watchlists of sanctions, PEPs, and terrorists. Match them according to all criteria to get accurate results.
Similarly, define your method well for ongoing transaction and business relationship monitoring. Determine the transaction rules based on the red flags or warning signs of suspicious transactions. Only with proper, well-defined processes can you achieve the desired outcomes.

Absence Of Knowledge Of The Red Flags Of Suspicious Transactions In Your Business

The nature of accountancy and audit business makes it vulnerable to money laundering. Your association with clients for financial, advisory, and legal matters exposes you to financial crimes. There are specific factors that are warning signs of these risks. You must be aware of these warning signs of the danger of illicit activities.
Ignorance of this factor is a mistake in AML compliance by Chartered Accountants.
So, you must know the common and industry-specific red flags, like:
  • The unusual nature of the transaction, inconsistent with the client’s profile
  • Large-sized transactions with no apparent reasons
  • Unusual patterns in a transaction/s, varying from the usual ones
  • Complex business structure
  • Reluctance to answer your questions on transactions or identities
  • Clients from high-risk industries or geographies
  • Use of shell companies for several transactions
  • Inaccurate or fraudulent documentation
  • Client avoiding face-to-face meetings
  • The client is a PEP or related to a PEP
  • Client with unexplained sources of wealth
All these are crucial factors for you to know about. Knowing them lets you spot suspicious transactions and take further action.

Overlooking The Need For Timely And Format-Specific Submission Of STRs

The PMLA and the guidelines require CAs to file Suspicious Transaction Reports (STRs) via their statutory regulatory bodies (SRBs), i.e., the Institute of Chartered Accountants of India.
You must submit these reports in the required format with all the necessary details. You must report these transactions immediately once suspicion is identified. It can be a suspicious transaction or only an attempt at it, irrespective of the value involved.
So, the rule requires you to submit accurate, complete, and on-time STRs. Failing to submit STRs on time or submitting inaccurate or incomplete STRs is a common AML compliance mistake by Chartered Accountants.

Tipping Off The Client On STR Filed To FIU-India

The PMLA, IFSCA Guidelines and other regulations do not want the clients to know about STRs filed against them. If you tip off the client before or after filing the STR, they will try to save themselves.
So, avoid informing the client about any STR filing against their transaction. If you think that collecting more details during due diligence might give the client an inkling of the suspicion, avoid doing that. Just collect all possible transaction details and file an STR to FIU-India. Tipping off the client would be a lapse by Chartered Accountants in AML compliance.

Ignoring The Periodic Review Of Policies, Due Diligence, And Risk Assessments

Your AML policies cannot stay stagnant. You must change them with respect to changes in regulations and other factors. So, ignoring the periodic review of AML policies is a common mistake by CAs in AML compliance.
Reviewing them keeps them up-to-date with the ever-changing regulatory requirements and growing business practices. You must keep them relevant to the changes in risks and threats to your business. Thus, reviews make you move in the right direction of compliance and risk management.
Moreover, through regular reviews, you can identify weaknesses and gaps in AML compliance. Thus, you can improve your AML policies to remove the gaps and improve their effects on financial crimes. You make them more productive, efficient, and robust.

Forgetting To Maintain Documentation And Records

The activities you carry out for AML compliance, like your KYC, CDD, transaction monitoring, risk assessments, and customer screening, are also critical for future use in your AML compliance journey. Their records are the proof of your compliance with AML requirements. So, saving these records and documents is crucial.
You must maintain these records for five years after the business relationship or transaction ends (this minimum period for record-keeping is six years for entities registered with IFSCA). Also, maintain them in proper format and in a manner that enables easy access and retrieval. Generally, authorities refer to these records during audits and investigations. Also, you might need them to check a customer’s past risk profile or other details.
So, forgetting to maintain proper documentation of AML measures is a common AML compliance oversight by Chartered Accountants.
These are the common mistakes by Chartered Accountants in AML compliance. You must avoid committing these mistakes in your AML compliance framework. This is how you can improve your AML efforts and prevent financial crimes. If you need an AML consultant to help you in your journey or advice on the best AML measures for your business, AML India is right here.

AML India – Your Partner For Professional AML Consulting Services

AML India leads you on the path of AML compliance in India. We identify your AML requirements and provide our proven solutions and services for compliance. You can take your AML efforts to the next level by associating with us. This is possible through our services of:
  • Creating and implementing AML policies, procedures, and controls
  • Performing KYC, CDD, and screening of customers
  • Monitoring transactions
  • Imparting AML training to employees
  • Identifying suitable AML software solutions for your business

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

AML lapses by Senior Management: Staying cautious to foster AML Compliance

The role of the senior management of the regulated entity is crucial in ensuring compliance with the AML regulatory landscape, whether it is the Prevention of Money Laundering Act, 2002 or the International Financial Services Centres Authority (AML, CFT and KYC) Guidelines, 2022.
Senior management drives the entity’s AML function by setting the right tone at the top and showing no tolerance towards money laundering instances or AML non-compliance.
The underlying AML responsibilities imposed upon the senior management of any regulated entity include:
  • Ensuring compliance with the applicable regulatory framework, whether PMLA or the IFSCA (AML, CFT, and KYC) Guidelines,
  • Reviewing and approving the internal AML policies, procedures, systems, and controls, including the adoption of the risk-based approach,
  • Overseeing the implementation of relevant AML policies, procedures, and controls,
  • Approving the onboarding of and execution of transactions with high-risk customers, including Politically Exposed Persons (PEPs),
  • Regularly reviewing the details about the operations and effectiveness of the entity’s AML procedures, systems, and controls,
  • Appointing a competent person as Principal Officer,
  • Overseeing the AML measures implemented within the organization,
  • Promoting a strong compliance culture within the organization.
With such a pivotal part to play, the senior management of the regulated entity cannot afford to go wrong in their decisions and actions around AML function.
The blog discusses the key mistakes or errors that senior management must avoid to establish an accurate, comprehensive, and effective AML compliance regime.

Mistakes To Avoid By Senior Management In AML Compliance

AML compliance is everyone’s responsibility in a regulated entity, including every member of the senior management.
The management must oversee the regulated entity’s fulfilment of the AML compliance obligations imposed by the law.
The following are the common mistakes that the senior management must be cautious and mindful of in the AML compliance journey:

Lack Of Awareness Of The Latest Amendments In The AML Laws And Applicable Guidelines

Senior management must stay up-to-date with the latest guidelines and the compliance directives issued by the authorities. This way, the senior management knows about the measures to be applied and the reporting to be made to the FIU-IND. Only with updated regulatory awareness can the senior management develop a plan or strategy for AML compliance execution.
With outdated know-how, the senior management would not be in a position to envisage the newer controls and the regulatory obligations entrusted upon the entity, resulting in exploitation by criminals and non-compliance penalties.
If deprived of such updates and recent legal changes, the entity’s compliance efforts will be half-baked, exposing it to money laundering threats. So, having enough awareness and knowledge of the relevant AML rules, guidelines, and notifications is essential.

Absence Of A Positive AML Compliance Culture In The Entity

Is AML compliance a cost centre?
The answer is NO. Treating AML compliance as a “cost centre” is a wrong philosophy. The fact that it involves costs is true, but it saves you from the threats of financial crimes. It improves customers’ trust in you, boosts your business reputation, and protects the financial system and economy from risks.
When everyone in the entity, from top to bottom, is ready to commit towards preventing, managing, or mitigating money laundering risks, an AML compliance culture is created.
To create such a positive AML compliance culture, the senior management must:
  • Define risk appetite and zero-risk-tolerance statements for the entity. These statements let the employees know the senior management’s expectations around AML compliance. Senior management must consistently promote this message in their actions across the entity.
  • Promote employee training and engagement in AML and keep open communication channels accessible for the employees to raise their questions and concerns around money laundering or AML measures,
  • Understand the why, what, and how of AML compliance initiatives. Support the AML efforts of the entity and propagate the value AML compliance generates for the business.
  • Lead by example by displaying your non-tolerance of AML non-compliance.
By employing these tactics, the senior management can effectively discharge its duty of promoting a robust AML culture within the organization and achieving the AML compliance goal.
When the senior management fails to establish a positive AML culture, the entity is bound to experience failures in the AML efforts, resulting in increased vulnerabilities and non-compliance penalties.

Neglecting Constant Communication On AML Compliance Status And Actions Taken

Just building a strong AML culture is not enough. The Principal Officer and the other stakeholders must periodically update the senior management on the entity’s AML compliance status. So, communication is a crucial ingredient.
Leadership support and input are necessary for AML compliance. The management must have all the necessary data points and information to present the inputs and feedback for enhancing the AML function. This includes information on the effectiveness and operations of the existing AML policies, procedures and controls, high-risk business relationships, any identified compliance deficiencies, etc.
Thus, with two-way open communication possibilities, the senior management can have AML compliance issues brought to its attention in a timely manner and suggest and implement adequate corrective actions.
If senior management establishes and maintains such a quick and smooth communication flow, achieving AML compliance would not be challenging.

No Integration Of AML Requirements With Business Processes

AML compliance is one of the critical business functions and a goal as well. It helps the senior management achieve its goals of being a legally compliant entity with a positive brand image and a bunch of loyal and satisfied customers, as in present times, AML-compliant entities attract customers and have a good reputation in the market.
But this is possible when the AML objectives are ingrained well into the business goals.
So, making AML compliance a part of the business operations is very important. For example, the regulated entities must conduct KYC before onboarding a new customer. So, the customer acquisition team must ensure the completion of timely KYC and customer due diligence before establishing the business relationship rather than driving the customer relationship and onboarding separately. While onboarding the customer or executing a transaction, if any suspicion is spotted, the same must be investigated, and necessary action must be taken. Core business functions cannot be and should not be demarcated from the AML measures.
Thus, the senior management must take the necessary steps to integrate the AML procedures into the day-to-day business operations. These must work in a flow with no distraction to regular business. Such “business as usual” features of AML processes ensure better compliance outcomes.

Not Allocating Enough Budget, Time, And Resources To The AML Framework

What is needed to adhere to AML regulations in India?
  • Enough budget.
  • Proper tools and systems.
  • Skilled resources.
  • Adequate time.
The senior management is responsible for meeting these AML resource requirements. Without the availability of adequate resources, the Principal Officer would not be in a position to manage timely and comprehensive AML compliance. Lack of adequate resources yields inappropriate results, such as gaps in customer identification, insufficient measures to monitor transactions and spot the risk indicators, or incomplete reporting to the Financial Intelligence Unit (FIU-IND).
As with every business function, AML compliance also deserves a proper resource set-up, requiring investment around the following:
  • Proper technological systems for various AML tasks like customer identification, monitoring, etc.
  • Competent Principal Officer and the right team to support the officer
  • Investment in AML training to create awareness
  • Time and energy investment around reviewing the AML function and remediating the gaps
If the senior management ignores this aspect or misses any critical AML resource requirements, the entity might not achieve the desired future state of compliance.
When the investment is made in the appropriate resources, the regulated entity:
  • Stays regulatory compliant and avoids penalties
  • Ensures qualitative and comprehensive measures for safeguarding the business against potential money laundering instances
  • Enhances the customers’ and stakeholders’ confidence in the business
  • Builds a strong reputation
  • Reduces the chances of errors in compliance, saving time and cost of error

Missing Out On AML Audit Framework

The AML Principal Officer will create the AML framework, including policies, procedures, and controls. With the senior management’s approval, the same shall be adopted and executed by the staff across the organization.
But what after the execution? What about its performance?
An often-ignored aspect of AML compliance is the performance measurement of the effectiveness and operating capabilities of the AML systems and controls. For this, the senior management must adopt and implement an independent AML audit function that focuses on monitoring the AML framework to:
  • Identify the loopholes with the AML initiatives of the Principal Officer
  • Recommend the enhancement in the procedures and policies to prevent financial crimes
With such a review function, senior management can implement the regulatory-compliant AML framework and avoid possible non-compliance.

Ignoring The Background Check Of People In The Compliance Team

Senior management may not necessarily be directly involved in the appointment of every member of the AML compliance function, but it should definitely take charge of the appointment of the Principal Officer.
The senior management must ensure that higher hiring standards are adopted for all the employees, specifically the AML compliance team. Appropriate screening and employee background verification must be done to ensure that only ethical, compliance-driven and clean people (with no financial crime or any other criminal history) are onboarded.
Any lapses in employee screening processes will increase exposure to money laundering and other threats. It will deteriorate the business’s reputation, and customers will lose trust.

How Can Niyeahma Help You?

The senior management of the regulated entities must understand the common errors generally committed by the personnel in a similar role, harming the AML efforts. Pay attention to the points mentioned in this blog. If you need help overcoming these challenges, Niyeahma is here to assist.
Niyeahma is a prominent provider of AML compliance services in India. Our AML professionals and consultants take care of every AML activity for you. Be it documenting the AML policies and process, performing CDD, AML training, or conducting the Enterprise-Wide Risk Assessment, we handle all. We create a customized AML framework for your business and ensure its successful execution.
