After completing this reading, the candidate should be able to:
- Explain best practices recommended by the Basel Committee for the assessment, management, mitigation and monitoring of money laundering and financing of terrorism (ML/FT) risks.
- Describe recommended practices for the acceptance, verification and identification of customers at a bank.
- Explain practices for managing ML/FT risks in a group-wide and cross-border context, and describe the roles and responsibilities of supervisors in managing these risks.
- Explain policies and procedures a bank should use to manage ML/FT risks in situations where it uses a third party to perform customer due diligence and when engaging in correspondent banking.
In recent years, banks have taken center stage in the management of increasingly destructive criminal activities, particularly money laundering and the financing of terrorism. Multiple banks have been fined for their failure to identify or report suspicious transactions. The Basel Committee has responded by introducing a raft of supervisory measures aimed at:
- Preventing and deterring the use of banks to launder illicit proceeds or to raise or move funds in support of terrorism, thereby protecting the reputation of banks and the banking system as a whole
- Preserving the integrity of the international financial system
Essential Elements of Sound ML/FT Risk Management
The Core Principles for Effective Banking Supervision (2012) requires banks to:
“have adequate policies and processes, including strict customer due diligence (CDD) rules to promote high ethical and professional standards in the banking sector and prevent the bank from being used, intentionally or unintentionally, for criminal activities”.
The guidelines are as follows:
Assessment and understanding of risks
It is the responsibility of every bank to identify and evaluate the money laundering (ML) and financing of terrorism (FT) risks it faces and to develop commensurate defense policies. The assessment should sweep across all levels and business lines. At the core of this endeavor lies customer due diligence (CDD) – a comprehensive guide on how the bank should interact with and treat its customers to ensure that all transactions meet the required level of integrity. The bank should design policies for customer acceptance, due diligence, and continuous monitoring of all transactions processed through the bank and/or its affiliates.
Proper Governance Arrangements
The board of directors plays an integral role in the identification and management of various risks, including ML and FT. As such, the board should have a clear understanding of these risks so as to be in a position to make informed decisions. In this regard, the board should regularly be furnished with the relevant risk reports.
It’s also the responsibility of the board to delegate roles and responsibilities in the most efficient and practical manner. In addition, the board should appoint a well-qualified chief AML/CFT (anti-money laundering and countering the financing of terrorism) officer to oversee the entire AML/CFT function.
The Three Lines of Defense
To properly manage the AML/CFT function, there should be three lines of defense:
Line 1: Business units
Business units should be charged with identifying, assessing, and controlling the ML/FT risks inherent in their business. All the relevant personnel in direct contact with clients should be furnished with clear policies and procedures that outline their obligations and instructions in various situations.
Also part of the first line of defense is the staff recruitment process. All incoming staff should be screened and vetted accordingly.
Line 2: Chief Officer in charge of AML/CFT, the compliance function, and human resources or technology
The chief AML/CFT officer should be in charge of the continuous monitoring of all ML/FT objectives. They should be the face of all AML/CFT operations and the individual to interact with all internal and external authorities.
Line 3: Internal audit
The office of internal audit should regularly perform an independent assessment of the AML/CFT policies and procedures and seek to find out whether such policies are being followed to the letter.
Adequate Transaction Monitoring System
Every bank should have a monitoring system that tracks the activity of each and every account opened at the bank. The system should be designed so that it can detect changes in customer transactions and flag suspicious activity.
Recommended Practices for the Acceptance, Verification, and Identification of Customers at a Bank
Customer Acceptance Policy refers to the general guidelines followed by banks in allowing customers to open accounts with them.
- Every bank should establish Know Your Customer (KYC) policies and procedures to help establish the profile of customers and identify those likely to pose a higher risk.
- Some of the facts that should be established at the point of contact with the customer include their background, occupation (including politically exposed persons), country of origin, source of income, and residence.
- No accounts should be opened under anonymous or fictitious names or when the identity of the customer matches that of any person with known links to criminal activities.
- The customer acceptance policy should not be so restrictive that it denies the general public access to banking products.
- Account monitoring should be commensurate with the level of risk. For example, the bank should adopt enhanced due diligence when dealing with politically exposed persons or some other individuals with large account balances/cross-border transactions.
- Due diligence should apply to customers as well as appointed representatives, proxies, and beneficial owners.
- The best documents for verification of customer identity should be those most difficult to obtain illicitly. Additional requirements such as a written declaration of identity may be used. The bank should keep copies of all the documents used in the verification process.
- It is important to establish a customer’s profile and behavior from the moment they open the account. That way, any suspicious activity is easier to detect.
- Genuinely suspicious transactions should promptly be reported to the relevant authorities.
- Once a customer or suspicious activity has been flagged, the bank should take additional steps to mitigate the risk of the bank being used for criminal activity. That may include freezing an account, a review of the customer’s identity and overall activity profile, and cooperation with law enforcement.
AML/CFT in a Group-Wide Context
- In a group-wide context, both local and cross-border AML/CFT requirements should be met. Group-wide policies should be observed at the branch or subsidiary levels while still respecting host country policies and procedures.
- In case of conflict between the group’s requirements and local/host requirements, the latter takes precedence. It’s the responsibility of the group to ensure that local policies do not negatively impact its ability to identify and mitigate ML and FT risks.
- There should be constant sharing of information among subsidiaries and the head office.
- Where the minimum regulatory or legal requirements of the home and host countries differ, offices in host jurisdictions should apply the higher standard of the two.
- The bank should keep group-wide customer profiles and transaction history. All customer details should be updated regularly.
- The bank’s compliance department and the chief AML/CFT officer should ensure that the group’s policies and procedures are applied across the board. They should also ensure that the different subsidiaries constantly share information.
- When liaising with other banks or groups on business matters, the group should ensure that it adheres to its own standards, particularly when the standards of the business partner are less strict.
The Role of Supervisors
- The Committee expects supervisors to apply the Core Principles for Effective Banking Supervision to banks’ ML/FT risk management in a manner consistent with and supportive of the supervisors’ overall supervision of banks.
- Supervisors should adopt a risk-based approach to supervising banks’ AML/CFT functions. To do that successfully, they should have a deep understanding of all the risks in their jurisdiction and their potential impact.
- For higher-risk lines, supervisors should apply specialized expertise and additional procedures to ensure effective review. They should come up with a supervisory schedule for each bank guided by each bank’s risk profile.
- Supervisors have a mandate to ensure that banks in their jurisdiction maintain sound ML/FT risk management to protect the integrity of both the banks and the financial system as a whole.
- When monitoring groups, the supervisor should ensure compliance across all branches and subsidiaries. They should also ensure that all subsidiaries respect both group and jurisdictional laws, and that where there’s a conflict between the two, the stricter law applies.
- Supervisors have a duty to safeguard customer confidentiality throughout.
Using Another Bank, Financial Institution or Third Party to Perform Customer Due Diligence
In certain situations, banks may be allowed to rely on third parties with regard to customer due diligence (CDD). In these circumstances, the third party will most likely have an already established business relationship with the customer. A bank can rely on a third party for the following aspects:
- Customer identification and verification
- Identification and verification of the beneficial owner
- Information pertaining to the nature of the intended business relationship
However, it is important to note that not all third parties are eligible for such reliance. In some jurisdictions, banks can only rely on CDD from fellow banks and financial institutions. In certain scenarios, the magnitude and size of transactions built upon third-party CDD may be limited.
Relevant criteria for assessing reliance include:
- The third party should be subject to the same level of supervision and regulation as the bank.
- There should be a written document acknowledging the bank’s reliance on the other party’s CDD processes.
- The bank should document its reliance and establish a review process for such a relationship.
- The bank could request the third party to demonstrate that its AML/CFT programme is at least as strict as that of the bank.
- The bank must give due consideration to adverse public information questioning the third party’s AML/CFT processes or history.
- Reliance on a third party should be viewed as a potential risk factor.
- The bank should conduct periodic checks to ensure that the third party’s CDD process is as comprehensive as the bank’s.
- The bank should reserve the right to terminate a CDD reliance with a third party if the third party fails to apply adequate CDD on their customers.