It is of paramount importance for financial institutions to
comprehend the operational aspect of applying anti-money laundering and
combating the financing of terrorism (AML) guidelines issued by any regulator.
It is no different in Hong Kong. Fortunately, the Securities and Futures Commission,
Hong Kong (SFC) issued, on 26 January 2017, practical suggestions for licensed
corporations and associated entities to comply with their AML obligations. This
write-up provides a synopsis of the suggestions made by SFC to help in
practical application in a financial institution.
Role of senior management
The senior management has the primary stake in ensuring that their
organization maintains robust and effective AML processes and procedures. The
attitude of the senior management towards AML determines how the staff down the
line will view their responsibilities towards AML processes. It is now apparent
that the regulators are taking a view that the tone for AML processes in a firm
is set by the senior management. Therefore, senior management’s involvement in
all major decisions like institutional risk assessment, on-boarding of high
risk clients, regular monitoring and reporting should be apparent and supported
with documents to facilitate an audit, if necessary.
Training and guidance
AML processes of a firm are as good as its AML training. Training
does not necessarily mean only instructor-led session(s). Training also
involves feedback to the team on new situations and circumstances encountered,
how those situations were handled and the reasons for the action, i.e.
sharing of the internal accumulated knowledge. It is often seen that ‘once a
year’ training is not sufficient to equip employees to comprehend the
complexities of the relevant AML issues. Every employee with some role in the AML
process should mandatorily be first tested on their AML skills and knowledge
before being assigned to such a role. Further, the employees handling AML
processes should be encouraged to do self-reading to enhance their
knowledge and skill.
Further, the regulatory environment for AML is constantly evolving
and the practical impact of such changes must be appropriately drilled down to the
team. For example, the inter-linkages with other regulatory developments should
also be shared with AML staff. The recent proposal for disclosure of persons
with significant control of a company, which will be a requirement as per
Company Ordinance, is directly linked to AML.
In addition, the in-house AML manual must contain appropriate
policy level guidance and may also be updated with new insights gained from
time to time. This will ensure that the knowledge gained through operational
experience gets institutionalized and is available for future reference.
Completeness of due diligence to assess all AML risks
From an operational perspective, due diligence is the most critical
requirement, comprising many parameters and numerous factors in each parameter.
The vastness of the situations and circumstances likely to be faced
necessitates mandatory documentation of these parameters and factors. The documentation
should take the form of policy guidelines rather than a prescriptive document
covering all possible scenarios. Further, this has to be a live document to be
updated as and when necessary.
Due diligence is generally conducted from the perspective of four mandatory parameters i.e.
customer, products and services, location / country of origin and delivery /
distribution channel.
The documents collected for conducting due diligence like proof of
identity, utility bill, source of wealth and funds, references must be analyzed
for consistency. The source of wealth and funds must be counter-checked with
independent sources, while proof of identity must be run through third party
databases as well as a random check on Google. Any information gathered by such
analysis must then be counter-checked with the client for his feedback. PEP
status is a factor which must always be verified through an independent source, and
every PEP is to be categorized as high risk.
It is critical that the application of AML process for each client
depicts an application of mind by the staff responsible for AML to all these parameters
in reaching a conclusion and the risk rating. It is fine to use automated
risk rating applications to determine the overall risk rating for a client.
But, sometimes, a single factor may enhance the risk rating and this can be
achieved only through application of mind by AML staff and not through
automated risk rating system.
The due diligence process has to be robust to capture and analyze
all the relevant factors. Complex ownership structures with a trust or a
foundation or a fund, or structures with entities in multiple jurisdictions
without economic justification, require detailed assessment to understand the
motive. Other relevant factors like cash-intensive businesses, non-face-to-face
clients, businesses like arms and ammunition, drugs, gambling, on-line gaming
etc. require special attention.
Further, whether a case requires a simplified or an enhanced due
diligence should be determined on specific guidelines like PEP, jurisdiction,
business, complexity etc. And as more information gets collected for a case, a
holistic view needs to be taken to decide on the type of the due diligence. A
periodic review of each client, the frequency of which is a function of risk
rating, should be conducted. Any unusual pattern in the transactions undertaken
by a client can also trigger an unscheduled due diligence review.
Transaction monitoring, evaluation and reporting
A firm should use red-flags to identify suspicious or unusual
transactions requiring further investigation. Depending on the size of the
institution, the identification of the red-flags can be done manually or through
automated applications. The red-flags themselves may also depend on the
nature of services provided by a firm. However, it is critical that the
red-flags are comprehensive enough to generate the trigger. It is important
that every triggered transaction, irrespective of the reason for the trigger,
is brought to the notice of the Money Laundering Reporting Officer (MLRO). And it
is the MLRO’s responsibility to further investigate, evaluate and determine, on the
basis of all the parameters available for the client and the transaction,
whether a suspicious transaction report to authorities is required or not.
One important red-flag requiring special attention is payment
through third parties. This is something which should be enquired about at the time
of on-boarding each client. If a possibility exists, then identification of
such third parties can also be done at the on-boarding stage itself. Any
deviation should show application of mind to the request of the client and
should have the approval of the senior management.
Audit trail
The main objective of complying with AML guidelines is to prevent the
use of a firm’s services for money laundering. How do we prove that a firm has
taken the required preventive measures? By maintaining an audit trail of the due
diligence process and the transaction so that it can be reconstructed if
necessary. The audit trail is kept by having physical or electronic records of
each and every process and every decision made.
It is possible that a firm has the best of intentions and has
followed all the necessary processes. But if, for whatever reason, it failed to
maintain the audit trail, all its efforts will come to naught.
Institutional risk assessment (IRA)
IRA should be a periodic exercise, the frequency of which can vary on the
basis of the size of a firm. Large multi-product
and multi-service firms should involve all the relevant departments and an
assessment for IRA should be made for the organization as a whole. The IRA
should itself be categorized as low, medium or high, and this will depend on
the percentage of the clients in
each of the three categories. The review should be of all relevant factors like
products and services, due diligence process, location of clients,
intermediaries, delivery of service and the risk categorization of the clients.
It is necessary that the outcome of the IRA should be reviewed and approved by
the senior management.