It is no longer a secret for professionals in the financial world: today they are subject to strict measures to identify financial fraud and fight money laundering. These legal provisions require professionals to set up a permanent monitoring system to identify all possible risks.
It should be remembered that regulators intensify their audits and sanctions year after year.
Constant developments in the KYC & AML/CTF field
The transposition into national law of the 6th European Directive (2018/1673) will take place no later than the 3rd of December 2020. In this context, we can expect to see FATF controls become more and more demanding.
At the same time, it must be assumed that the inspections on the AML/CTF component carried out by the regulators will be intensified at the European Union level.
This new AMLD6 covers four main topics:
- The harmonisation of primary offences
- The extension of responsibilities (the notion of complicity, greater involvement of legal persons)
- Tougher sanctions
- Better international cooperation
These regulatory changes provide an opportunity to review and update current AML/CTF policies and procedures to meet international standards.
A risk-based approach for customer due diligence (CDD)
A risk analysis approach remains the best tool to implement an effective anti-money laundering strategy that already meets the needs of new legislation. It also offers the opportunity to use the right tools at the right time. This approach is built on three key risk criteria:
- Risks related to the customer
- Risks related to the product
- Risks related to the country
This first risk analysis also allows you to adapt your level of due diligence: simplified CDD, CDD or Enhanced DD.
Customer Due Diligence
CDD (Customer Due Diligence) includes a few fundamentals:
- Identification and knowledge of the source of funds.
- The definition of customer acceptance in the context of specific products and services.
- Careful monitoring of accounts and transactions linked to risk study.
- The establishment of an inquiry to identify the possible unusual activities of a client.
- The implementation of a precise report covering all the results.
The CDD report must then incorporate a risk monitoring program. This program takes the form of a periodic analysis that monitors any changes relative to the initial CDD information.
Enhanced Due Diligence
EDD - Enhanced Due Diligence is only necessary if the client is considered to be at high risk when reading the initial CDD report. For example, a political figure or politically exposed person (PEP) could be the subject of a thorough study that requires further verification. The deepening of the inquiry will focus on a few specific criteria.
Rigour and robustness: The investigations carried out during the CDD must be rigorous and robust in all tests. Among other things, this means documenting them with evidence and detailed information.
Detailed documentation: The CDD report must be extensively documented. Regulators must have immediate access to the EDD report. This requires ensuring that the documentation process and the archiving process are strong and reviewed on a periodic basis.
Reasonable assurance: The EDD provisions require a reasonable assurance when defining KYC risk. Professionals who make the decision to get involved in a transaction must demonstrate that they have been sound and prudent in their decision.
Particular attention to PEP: these individuals hold positions that increase their exposure to corruption and money laundering. A detailed analysis of the source of funds must be carried out to cover this higher risk.
Implementing an internal framework to ensure compliance
Putting in place an internal framework and resources dedicated to the KYC & AML/CTF issues has become essential for all companies involved in financial transactions.
As described above, this discipline requires in-depth investigations and the creation of detailed reports to demonstrate that risk measurement has been conducted in the most rigorous manner possible.
A clear definition of KYC is a key point in the financial institution's AML/CTF policy
The standards set by the regulators leave no room for improvisation. It is essential for financial actors to draft a policy that will aim to establish the minimum desirable framework for AML/CTF. The policy should define the level of expectation for:
- The definition of the applicable regulatory framework for the entity
- The customer acceptance policy.
- The list of procedures for identifying, assessing, monitoring, managing and mitigating the risks of money laundering or terrorist financing (initial KYC).
- Measures to prevent the misuse of products or the completion of transactions that promote anonymity.
- Procedures to follow the evolution of business relationships as well as transactions made for customers (on-going KYC).
- Procedures to be followed in cases of suspicion or reasonable grounds for suspicion of money laundering, associated underlying offence or financing of terrorism
- The staff selection policy guaranteeing the recruitment of employees according to defined criteria.
- The exact definition of the respective responsibilities of the various staff functions in respect of AML/CTF as well as the procedure for appointing the key functions (chief compliance officer, money laundering reporting officer…).
- The procedure for reporting internal violations of AML/CTF professional obligations through a specific, independent and anonymous way.
- The communication procedures put in place with the board of directors, external auditors, the regulator, the financial intelligence unit...
- Any other parameters necessary to establish an internal operational framework consistent with the risk measurement.
The appointment of a KYC/AML chief officer
As a reminder, Directors are responsible for validation and approval of AML policies and can be criminally liable in case of default. The review of Directors relies on reporting issued by the Chief Compliance Officer (CCO) or Money Laundering Reporting Officer (MLRO).
Therefore, to ensure that internal guidelines and policies are respected, it is essential to appoint a CCO or MLRO who will ensure application of the procedures and the completeness and reliability of the information collected. The CCO / MLRO mission includes:
- Ensuring correct application of policies and procedures.
- Monitoring the legal and regulatory framework to update the policies accordingly.
- Continuous monitoring to ensure that processes work correctly.
- Reporting evaluation of the AML/CTF framework to the supervisory bodies such as the board of directors, the regulator or the financial auditor.
Anti-money laundering and on-going training
Internal guidelines and processes must be understood by the operational teams directly involved in KYC/AML. They must also have an appropriate knowledge of money laundering schemes in order to be able to identify them and be able to report suspicious transactions to their hierarchy or directly to their country's financial intelligence unit (FIU).
It is agreed that training must be part of an ongoing process. Compliance standards are regularly updated. It is therefore essential to provide training when recruiting a new employee, but also to hold regular training for all employees.
It is best practice to hold an annual training following a significant change in the KYC/AML law or in the KYC/AML regulation.
Controlling your KYC/AML processes
Who has never sinned out of overconfidence? Yet, practice shows that it is when one thinks that everything is under control that approximations take hold and that the risks of errors are likely to appear.
It is the role of your internal auditor, a function that can be outsourced, to give you the assurance that your processes comply with regulatory and management requirements. The internal auditor will also play an important role in improving your controls by regularly tracking potentially identified weaknesses. The internal audit must be recorded in a report to be communicated to the Board of Directors.
Your KYC & AML/CTF procedures may also be reviewed by various external stakeholders such as your financial auditor, your regulator or the tax authorities. If the regulator or tax authorities identify significant weaknesses, they are likely to impose penalties.
The only way to prove that all your due diligence is carried out correctly is to document the controls performed at all levels: operational, manager, compliance officer, internal audit and board of directors. Solid documentation is the key to proving the existence of controls to a third party.
Automation of your KYC to improve your AML/CTF processes
In addition to internal departments made up of professionals trained in KYC/AML procedures, the regulator appears to highly recommend deploying technologies developed to support human action in the KYC processes. The FATF also encouraged companies to have automation systems in place to control their customers and identify AML/CTF risk in the most efficient manner.
Although human judgment cannot yet be replaced, automation can be applied in many areas of expertise. For example, software tools can be used for:
- Customer identification
- Ultimate Beneficial Owner identification
- Continuous validation of customer information
- Screening watch lists
- Tracking transactions
- Detection of suspicious activity
- Automated editing of investigative reports
- Assessing the effectiveness of the AML program
Your ability to easily integrate AML/CTF controls into your onboarding process can make it a competitive advantage in the long run.
In short, using automation within the process streamlines costs, reduces the risk of omission and reduces the human resource cost of performing low-value tasks.
Our checklist to help you set up and optimize your AML/CTF processes
As a legal tech player in the automation of the KYC processes, we propose a checklist of the steps to be taken to help you set up and optimize your AML/CTF processes.
This AML/CTF compliance list can help you assess the status of your compliance and update your current policies and procedures.