Welcome to part 3 of our article series, which is all about creating policies and procedures regarding AML/CFT. Once you have done a risk assessment of your organization and identified the various risks that are present in it, it is time for risk mitigation, that is, implementing different control measures to reduce the risk.
If this sounds confusing, you may want to revisit our previous articles by following the link given below.
Click here to go to the previous article.
The control measures are usually of two types: manual and technical.
Manual controls are the policies, procedures, checklists, and forms that are mainly intended to guide human behavior. They convey what employees are allowed to do and how they should do it, so that consistent results are always achieved. For example, the KYC checklist ensures that the Customer Service Staff collects all the necessary information and documents at the time of customer on-boarding.
Technical controls are used when human intervention is not practical. For instance, it is difficult for users to look manually at every transaction of every customer in search of suspicious transactions. Therefore, we need some kind of automated solution for monitoring transactions on the basis of defined scenarios. Another example: there are many sanction lists published by different international and government bodies, like the UN sanction list, EU, HMT, OFAC, US, and so on. It is difficult to screen customers by going through each list one by one. Hence, we need an automated solution that combines these sanction lists and performs customer screening against them.
Whatever the controls may be, technical or manual, you need to include them in policies. We are going to talk about the following policies and procedures related to the AML/CFT area, and what provisions each should include to ensure that the various risks relating to AML/CFT are mitigated.
- Anti-Bribery and Corruption Policy
- AML/CFT Policy
- AML/CFT Guideline
- AML/CFT Risk Assessment Framework
Anti-Bribery and Corruption (ABC) Policy:
Although this is not directly related to AML/CFT, if you look at overall banking practices all over the world, it usually comes under the domain of AML/CFT. This can also be seen from the fact that many correspondent bank questionnaires include questions related to ABC practices in the organization. The main objective of ABC is to prevent fraud and corruption by employees within the organization, but it may be extended to external parties depending upon the nature of the organization as well as the legal framework in which the organization operates.
In general, an ABC policy should include the following sections. The main thing to remember here is that this is not in any way an exhaustive list; content may be added or removed as per the organization’s needs.
Major Highlights of Anti-Bribery and Corruption Policy.
- Introduction/objective: This usually includes a statement like “To promote a culture of ethical business practices and compliance with ABC requirements of the organization by providing guidance to all employees to prevent bribery and corruption in the bank.”
- Scope: This section states to whom the policy is applicable, what types of transactions it covers, and whether it is a separate policy or an integral part of another policy.
- Key Definitions: Definitions of major terms like corruption, bribery, and others.
- Duties and Responsibilities: The duties and responsibilities of the different parties who have a direct impact on this policy.
- Mechanism of Bribery and Corruption Prevention: A risk-based approach should be applied to identify the areas in the organization which are susceptible to bribery and corruption. They are usually the following areas:
  - General Logistics: This is the area most vulnerable to bribery and corruption, as this department usually purchases high-volume or high-priced goods for the organization. There is always a chance that a vendor may try to influence organization officials with various kickbacks in order to sell their products.
  - Books and Records: Staff who are involved in stealing organization assets may try to hide the offense by manipulating the books. Sometimes top-level management tries to window-dress the financial statements, showing either a good or a bad result, to pull the wool over the eyes of regulators or shareholders.
  - Gifts and Business Hospitality: It may be normal practice for employees to receive gifts of some kind from customers on various occasions, especially during the festive season. However, the line should be drawn where the gift or hospitality becomes excessive enough to influence the individual staff member’s decision. The best practice is to determine a threshold for gifts, beyond which approval should be taken.
  - Others, if required.
- Whistle Blowing: This section should list the red flags regarding bribery and corruption which staff should report to the appropriate authority if observed. Whistleblowing is an important part of the anti-bribery and corruption policy, because the major source of information about bribery and corruption happening in the organization is the staff itself. Bribery and corruption are intentional acts, and perpetrators will go to great lengths to hide their criminal acts. However, a perpetrator’s colleagues will know him/her better than others and can detect anomalies in his/her behavior. Besides this, a whistleblower should be protected via anonymous reporting, and his/her identity should be kept confidential. However, reporting should be made in good faith to protect the interest of the organization. There always seems to be confusion between whistleblowing and breach of confidentiality. If a staff member leaks any confidential information of the organization in an unauthorized manner, then that staff member will be penalized for breach of confidentiality. Therefore, breach of confidentiality is a punishable offense, while whistleblowing is encouraged.
- Investigation: The party responsible for investigating bribery and corruption-related activities should be determined. This party will make on-site visits, collect documents, make queries, interview related parties, and prepare a report for submission to the management. This party will only recommend what actions to take in the case. The final decision to take action will always rest with the management. Also, a mechanism should be developed so that fraud cases are reported to the BOD.
- Training: Enterprise-wide training should be conducted to ensure that every staff member is aware of and has understood the policy. Further, the policy should be kept on the intranet or a shared drive where it can be easily accessed.
- Monitoring: The Audit Department or another department should check whether the policy has been complied with within the organization. Further, it should also review the policy to identify any loopholes and suggest improvements.
Let us dig into the major factor that governs the AML/CFT regime of an organization, that is, the AML/CFT policy. How effective your AML/CFT regime is depends upon how comprehensive your AML/CFT policy is. An AML/CFT policy is usually prepared to include brief information regarding the control measures, and it is not very long, merely about 20-40 pages. An organization willing to draft an AML/CFT policy may want to include the following components.
- Key Concepts: Definition of key concepts or technical jargon that are frequently used in policy and manual which may be otherwise difficult to understand.
- Scope, Need, and Objectives: Every policy should have these components. The major objectives of the policy are to provide a guideline for the functioning of the AML/CFT Department, to carry out the AML/CFT program, and to define the roles and responsibilities of every staff member and department that has a stake in the AML/CFT interest of the organization.
- Concept of Money Laundering and Terrorism Financing: This section should give a brief introduction to money laundering and terrorism financing: the key differences between them, how these offenses are carried out, and general methods to prevent them.
- Legal and Regulatory Framework: In order for the policy to be valid, it should be made according to Anti-Money Laundering rules and regulations enacted by the country.
- Risk: This section should detail the various risks to the organization arising from the inability to implement the policy. For example, the organization may have to pay fines, which is both a legal and a financial risk, and which may lead to reputation risk if it is widely publicized in the media.
- Risk-Based Approach: Every organization should have identified the areas that are more vulnerable to ML/FT. As per best practices, there are four risk factors, as follows:
  - Products and services that the organization offers to its customers.
  - Geographic location of the customer.
  - Different customer types that the organization provides services to.
  - Transaction and delivery channels.
- Customer Acceptance, Customer Termination, Transaction Monitoring: Different subsections may be written to include procedures for customer acceptance and customer relationship termination. Further, the policy should state how transaction monitoring is to be carried out, with a brief introduction to the process of transaction monitoring, which may be either automatic or manual screening. In addition to this, the organization may give an introduction to the types of reporting that it needs to make to its regulators, like TTR and STR.
- Trade-Related: A brief introduction should be given to trade-based money laundering, wire transfers, and correspondent relationships, which are susceptible to money laundering.
- Know Your Employee: This is another main section of the policy. As organizations put more effort into knowing their customers, they tend to forget to focus on the devil within. If the organization hires corrupt staff, these staff may cause losses higher than the losses due to customers, because staff usually enjoy various privileges and have access to different sensitive areas of the organization. Therefore, an organization should have a clear recruitment process with proper background checks, reference checking, and so on.
- Know Your Agent: The organization may choose to outsource various functions, like remittance and marketing, to third parties. Even though it has delegated its responsibility to these third parties, it still needs to be accountable for their actions. Further, the outsourcing agency will not necessarily perform the same level of Customer Due Diligence as a bank. Therefore, proper control of the agent is necessary.
- Tipping Off: There should be a separate section about tipping off: what it means and what actions will be taken against staff who are involved in tipping off.
- Roles and Responsibilities: There may be a section to include the roles and responsibilities of different parties involved in AML/CFT like the roles of AML/CFT Head, Anti-Money Laundering Committee Unit, and other department heads.
- Training: There should be a section regarding training. It should include whom to train, when to train, and how to train.
- Penalty and Violation: No policy is complete without the Penalty and Violation section; that is, every staff member should be made aware of what actions will be taken against him/her if there is a breach of the policy. Also, if there are regulatory sanctions, you need to mention them here. This can be a deterrent factor to ensure staff will comply with the policy.
- Other miscellaneous matters
Thank you for reading. In the next lecture, I will talk in great detail about AML/CFT procedures/Manual.