After completing this reading, the candidate should be able to:

• Explain the best practices the Basel Committee recommends for the assessment, management, mitigation, and monitoring of money laundering and financing of terrorism (ML/FT) risks.
• Describe recommended practices for the acceptance, verification, and identification of customers at a bank.
• Explain practices for managing ML/FT risks in a groupwide and cross-border context.

In recent years, banks have taken center stage in the management of increasingly destructive criminal activities, particularly money laundering, and financial terrorism. Multiple banks have been fined for their failure to identify or report suspicious transactions. The Basel Committee has responded by introducing a raft of supervisory measures aimed at:

• Preventing and deterring the use of banks to launder illicit proceeds or to raise and transfer funds in support of terrorism. This has helped protect the reputation of banks and the banking sector as a whole.
• Preserving the integrity of the international financial system.

Essential Elements of Sound ML/FT Risk Management

The Core Principles for Effective Banking Supervision (2012) requires banks to:

“have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the banking sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities”.

The guidelines are as follows:

Assessment and Understanding of Risks

It is the responsibility of every bank to identify and evaluate money laundering (ML), and Financial terrorism (FT) risks it faces and subsequently develop effective defense policies. The assessment should sweep across all levels and business lines. At the core of this endeavor lies customer due diligence (CDD) – a comprehensive guide on how a bank should interact with and treat its customers to ensure that all transactions meet the required level of integrity. A bank should design policies for customer acceptance, due diligence, and continuous monitoring of all transactions processed through the bank and/or its affiliates.

Proper Governance Arrangements

The board of directors plays an integral role in the identification and management of various risks, including ML and FT. As such, the board should have a clear understanding of these risks so as to be in a position to make informed decisions. In this regard, the board should regularly be furnished with relevant risk reports.

It’s also the board’s responsibility to delegate roles and responsibilities in the most efficient and practical manner. In addition, the board should appoint a well-qualified chief AML/CFT (anti-money laundering (AMT) and Countering Financing of Terrorism) officer to oversee the entire AML/CFT function.

The Three Lines of Defense

To properly manage the AML/CFT function, there should be three lines of defense:

Line 1: Business Units

Business units should be charged with identifying, assessing, and controlling the ML/FT risks inherent in their business. All the relevant personnel in direct contact with clients should be furnished with clear policies and procedures that outline their obligations and instructions in various situations.

Also, staff recruitment process is part of the first line of defense. All incoming staff should be screened and vetted accordingly.

Line 2: Chief Officer in Charge of AML/CFT, the Compliance Function, and Human Resources or Technology

The chief AML/CFT officer should be in charge of the continuous monitoring of all ML/FT objectives. They should be the face of all AML/CFT operations and the individual to interact with all internal and external authorities.

Line 3: Internal Audit

The office of internal audit should regularly perform an independent assessment of the AML/CFT policies and procedures and seek to find out whether such policies are being followed to the letter.

Adequate Transaction Monitoring System

Every bank should have a monitoring system that tracks the activity of each and every account opened at the bank. The system should be designed such that it can detect changes in customer transactions or flag suspicious activity.

Recommended Practices for the Acceptance, Verification, and Identification of Customers at a Bank

Customer Acceptance Policy refers to the general guidelines banks follow in allowing customers to open accounts with them.

• Every bank should establish Know Your Customer (KYC) policies and procedures to help establish customers’ profiles and identify those that are likely to pose a higher risk.
• Some of the facts that should be established at the point of contact with a customer include their background, occupation (including politically exposed persons), country of origin, source of income, and residence.
• No accounts should be opened under anonymous or pseudo names or when the customer’s identity matches that of any person with known links to criminal activities.
• Customer acceptance should not be so restrictive that it denies the general public access to banking products.
• Account monitoring should be commensurate with the level of risk. For example, a bank should adopt enhanced due diligence when dealing with politically exposed persons or some other individuals with large account balances/cross-border transactions.
• Due diligence should apply to customers as well as appointed representatives, proxies, and beneficial owners.
• The best documents for verification of customer identity should be those most difficult to obtain illicitly. Additional requirements, such as a written declaration of identity, may be used. A bank should keep copies of all the documents used in the verification process.
• From the onset, it is important to establish a customer’s profile and behavior from the moment they open the account. That way, any suspicious activity can be easier to detect.
• Genuine suspicious transactions should promptly be reported to the relevant authorities.
• Once a customer or suspicious activity has been flagged, a bank should take additional steps to mitigate the risk of it being used for criminal activity. That may include freezing an account, a review of the customer’s identity and overall activity profile, and cooperation with law enforcement.

$$ \textbf{greatestFigure 1 – Know Your Customer (KYC)} $$

AML/CFT in a Group-wide Context

• In a group-wide context, both local and cross-border AML/CFT requirements should be met. Group-wide policies should be observed at the branch or subsidiary levels and still pay homage to host country policies and procedures.
• In case of conflict between the group’s requirements and local/host requirements, the latter takes precedence. It’s the group’s responsibility to ensure that local policies do not negatively impact its ability to identify and mitigate ML and FT risks.
• There should be constant sharing of information among subsidiaries and the head office.
• Where the minimum regulatory or legal requirements of the home and host countries differ, offices in host jurisdictions should apply the higher standard of the two.
• A bank should keep group-wide customer profiles and transaction history. All customer details should be updated regularly.
• A bank’s compliance department and the chief AML/CFT officer should ensure that the group’s policies and procedures are applied across the board. They should also ensure that the different subsidiaries constantly share information.
• When liaising with other banks or groups on business matters, the group should ensure that it adheres to its own standards, particularly when the standards of the business partner are less strict.

 The Role of Supervisors

• The Committee expects supervisors to apply the Core principles for effective banking supervision to banks’ ML/FT risk management in a manner consistent with and supportive of the supervisors’ overall supervision of banks.
• Supervisors should adopt a risk-based approach to supervising banks’ AML/CFT functions. To do that successfully, they should have a deep understanding of all the risks in their jurisdiction and their potential impact.
• For higher-risk lines, supervisors should apply specialized expertise and additional procedures to ensure effective review. They should come up with a supervisory schedule for each bank guided by each bank’s risk profile.
• Supervisors have the mandate to ensure that banks in their charge maintain sound ML/FT risk management to protect the integrity of both the banks and the financial system as a whole.
• When monitoring groups, the supervisor should ensure compliance across all branches and subsidiaries. They should also ensure that all subsidiaries comply with both group and jurisdictional laws and that where there’s a conflict between the two, stricter law applies.
• Supervisors have a duty to safeguard customer confidentiality throughout.

Using Another Bank, Financial Institution, or Third Party to Perform Customer Due Diligence

In certain situations, banks may be allowed to rely on third parties with regard to customer due diligence (CDD). In these circumstances, the third party will most likely have an already established business relationship with the customer. A bank can rely on a third party for the following aspects:

• Customer identification and verification.
• Identification and verification of the beneficial owner.
• Information pertaining to the nature of the intended business relationship.

However, it is important to note that not all third parties are eligible for such reliance. In some jurisdictions, banks can only rely on CDD from fellow banks and financial institutions. In certain scenarios, the magnitude and size of transactions built upon third-party CDD may be limited.

Relevant criteria for assessing reliance include:

• The third-party should be subject to the same level of supervision and regulation as the bank.
• There should be a written document acknowledging the bank’s reliance on the other party’s CDD processes.
• A bank should document its reliance and establish a review process for such a relationship.
• A bank could request the third party to demonstrate that its AML/CFT program is as strict, at least, as that of the bank.
• A bank must give due consideration to adverse public information questioning the third party’s AML/CFT processes or history.
• Reliance on a third party should be viewed as a potential risk factor.
• A bank should conduct periodic checks to ensure that the third party’s CDD process is as comprehensive as its own.
• The bank should reserve the right to terminate a CDD reliance with a third party if the third party fails to apply adequate CDD to their customers.

Practice Question

Bank Z is a mid-sized financial institution that has recently experienced a surge in suspicious transactions. The bank’s internal investigation team has been overwhelmed with the increasing volume of cases to review. Despite having policies and procedures in place for identifying, investigating, and reporting suspicious transactions, Bank Z has struggled to keep up with the workload and maintain compliance with anti-money laundering (AML) and combating the financing of terrorism (CFT) regulations.

In response to the situation, Bank Z’s management is considering implementing changes to improve the efficiency and effectiveness of its suspicious transaction reporting process.

Which of the following measures should Bank Z prioritize to enhance its reporting of suspicious transactions?

1. Streamline the internal investigation process by reducing the number of false positives and promptly reporting genuine suspicious transactions.
2. Reallocate resources from other departments to the internal investigation team to handle the increasing volume of cases.
3. Amend the bank’s policies and procedures to lower the reporting threshold for suspicious transactions to capture more potential cases.
4. Implement an automatic system to report all suspicious transactions directly to law enforcement agencies and the Financial Intelligence Unit (FIU)

The correct answer is A.

Ongoing monitoring and review of accounts and transactions enable banks to identify suspicious activity, eliminate false positives, and report genuine suspicious transactions promptly. By focusing on streamlining the internal investigation process, Bank Z can improve the efficiency and effectiveness of its suspicious transaction reporting process, ensuring compliance with AML/CFT regulations.

Option B, reallocating resources from other departments, may provide temporary relief but does not address the root cause of the problem, which is the need for an efficient and effective investigation process. Option C, lowering the reporting threshold, could increase the workload and exacerbate the issue by generating more potential cases to investigate. Option D, implementing an automatic system without internal investigation, could compromise the quality of reports and lead to a high volume of false positives being reported to law enforcement agencies and the FIU.