I would like to begin this article with the well-known English proverb “too many cooks spoil the broth”. This usually happens when people don’t know what the soup is and how it should taste. They only know the word ‘SOUP’. A similar situation applies in designing and implementing an AML/CFT system in banks and other corporate sectors. That said, some organizations have done very admirable jobs, but some have complicated their AML/CFT system until its practicability is almost zero. This article is for the latter organizations.
The whole AML/CFT system can be summarized in the following figure:
Looks simple enough, right? Our aim here is to help you understand the concept of how AML/CFT works so that you can implement it in your organization as required.
The first thing you require is some kind of board-level AML/CFT committee to set the tone from the top for establishing a culture of compliance. Its members should fully understand and support compliance efforts and provide adequate resources to the compliance function to help it carry out AML/CFT duties effectively. They should actively participate in mitigating AML/CFT deficiencies.
The board-level committee should approve the AML/CFT program. The program should be risk-based, so that high-risk areas receive more priority while less effort is spent on low-risk areas. The major components of the AML/CFT program are:
A. Internal Policies and Control
B. Designated Compliance Function
C. Employee Training
D. Audit Function
A. Internal Policies and Control
The following are its sub-components:
1. Know your customer
Know your customer is the main basis for AML/CFT programs. It includes the following:
1.1 Customer Due Diligence:
Customer Due Diligence, or simply put customer identification, begins while establishing a relationship with the customer. It has the following components:
1.1.1 Customer Identification:
This deals with collecting all the documents required to uniquely identify your customer and to create a profile of that customer.
1.1.2 Customer Profile:
It should contain sufficient information about the income source of the individual, along with the nature of the customer, so that it provides a benchmark for comparing anticipated versus actual account activity. In other words, it should enable the institution to identify suspicious activity.
1.1.3 Customer Risk Rating:
It deals with the assessment and grading of the risk presented by the customer’s account relationship. The risk classification can be based on the geographical location in which the customer resides or conducts business, the product type (private banking, for example, may be high risk), and the customer type. On the basis of these risk classifications, a risk matrix can be developed by assigning a numeric value to each risk category. This helps to develop a risk profile of the customer as Prohibited, High Risk, Medium Risk, or Low Risk. Prohibited customers are usually terrorists or criminals, while High Risk customers will be PEPs and those dealing in gold and ornaments.
Customer transactions should be monitored to identify any suspicious activities. Transaction monitoring also includes preparing the following reports.
2.1 Threshold Transaction Reporting (TTR):
The FIU of each country has developed guidelines for TTR, which should be followed to the letter.
2.2 Suspicious Transaction Reporting (STR):
Although guidelines for STR reporting are usually available from FIU Nepal, it is somewhat subjective and discretionary. Therefore, the best method is to train front-line staff (usually called the first line of defense): not necessarily the business desk staff, but Relationship Managers and other staff who are usually the customers’ direct point of contact.
2.3 Sanction Screening:
Sanction screening is the only tool available to identify and prevent terrorist activity. All wire transfers must be screened to verify whether the applicant or beneficiary appears on the terrorist and sanction lists provided by the UN, OFAC, HMT, EU, and MOHA (Ministry of Home Affairs, Nepal). It is also necessary to screen customers before onboarding them in the organization.
Unusual customer or account activity should be investigated and examined if it is found to be inconsistent with the activities anticipated for each client based on their occupation or type of business.
All the above processes should be documented.
Types of CDD
i. Simplified CDD
Simplified CDD is usually carried out for low risk, and the high-risk customer can be limited to simple identification procedures.
ii. Enhanced CDD
Enhanced CDD is carried out for high-risk customers and includes obtaining information such as the source of information and beneficiary details. For an ECDD account, it is recommended that the first payment be carried out through an account in the customer’s name with a bank subject to a similar CDD standard.
B. Compliance Function
It is the second line of defense. The nature of the compliance function depends upon the organization’s nature, regulatory environment, and the specific risk of the organization. The department should have a compliance head with the appropriate authority. He/she is responsible for monitoring the AML/CFT program and maintaining its effectiveness.
C. Employee Training
An effective training program should not only explain the relevant AML/CFT laws and regulations but also cover the institution’s policies and procedures used to mitigate money laundering risks, including recent examples of money laundering and terrorism news. The training should not be one-size-fits-all; it should be managed separately on the basis of whom to train, what to train, how to train, when to train, and where to train.
D. Audit Function
An audit of the AML/CFT program should be conducted at least once a year to examine the adequacy of CDD policies, procedures, and processes as well as compliance with regulatory requirements. It is essential for finding any deficiency that exists in the program and ensuring the program remains effective. The compliance manager as well as the Board committee should act promptly on the observations and recommendations given by an audit.
The following topics should also be considered while developing a robust AML/CFT system in your organization.
Know Your Employee
It is necessary to have adequate knowledge of your employees. Background checks should be performed at the time of hiring staff as well as when a staff member is promoted to a higher position, especially when he/she is going to be appointed to a position where he/she can access confidential information.
Are Automated Solutions comforting or discomforting?
Automation is necessary, vital, and efficient, but unfortunately we are unable to utilize the full potential of automated software. There are automated AML systems that can perform CDD, transaction, and SWIFT sanction screening very efficiently and effectively. However, the problem arises when the organization does not know its requirements in the first place and is not able to state a clear-cut specification in its Request for Proposal. As a result, many organizations spend a lot of time on unnecessary customization of the system, which delays the implementation. The situation is further aggravated when the system is unable to deliver results because of those customizations.
Whether to go for a Centralized or Decentralized KYC system
Usually, an organization has branches at different locations, each having its own Business Desk. Business desk staff act as the point of contact for customers, open accounts, and collect the documents. The main problem here is that the quality of the organization’s KYC/CDD depends upon the understanding of the Business Desk staff; further, given high staff turnover, there is a never-ending learning curve. As a result, a centralized KYC system is preferable. It helps to make the KYC process consistent, with no compromise in the collection of documents, since all the staff in a centralized KYC system are specialized in their job. Staff turnover will have less impact. Further, any regulatory changes can be easily implemented since there is no need to train branch employees. Finally, it frees up the business desk employees’ time, so they can act solely as Relationship Managers and deal with more customers, which helps to increase the business of the organization.
The above is just the outline for implementing an effective AML/CFT system. Once you are familiar with the concept, you can add details as you wish. As per our earlier analogy of soup, the main ingredient for the chicken soup is chicken, the rest you can add as per your taste.
We, Risk Simplifiers, are a team of expert AML/CFT professionals. We help organizations develop AML/CFT systems, AML policies, and guidelines, and we also conduct AML/CFT audits.
Thank you for reading, please spread the word if you have found it useful.