Compliance Examination Manual

SOLOMON ISLANDS FINANCIAL INTELLIGENCE UNIT
Government of the Solomon Islands
MONEY LAUNDERING AND PROCEEDS OF CRIME ACT 2002
COMPLIANCE EXAMINATION MANUAL
Contents
OVERVIEW
PART 1 – ON-SITE EXAMINATIONS
On-site examinations
Examination Objectives
Considerations of size, scope and complexity
Developing a work plan
Reliance on the work of others
PART 2 – PREPARATION FOR THE EXAMINATION
Examination Procedures
Scoping an Examination
Risk Based Approach
Letter to the Institution requesting pre-examination Information
Review Pre-examination Information
Risk and Risk Assessment
Selecting Examination Programs and Procedures
Examination Management
Examiner-In-Charge (EIC) Responsibilities
Annex I: Risk Assessment Matrix
Annex II: Questionnaire to assist in developing a risk based approach
Compliance Questionnaire – Accountants, Lawyers
Compliance Questionnaire – MSB/FX sector
Compliance Questionnaire – Real Estate Agents, Car Dealers, Jewellery shops
Annex III: Letter of Request to an institution
PART 3 – ON-SITE EXAMINATION WORK
Examination Approach
Meeting with the institution’s management
For Large or High Risk Institutions
For Small Institutions
Procedures applicable to all financial institutions
Policies
AML / CFT Compliance Officer
Customer Acceptance Policies
Customer Identification
Establishment of the relationship
Politically Exposed Persons
Transaction Testing
Retention of Records
Recognition and Reporting of Suspicious Transactions
Cash Transaction Reporting
Transaction Testing
Electronic Funds Transfer Reporting
Transaction Testing
Compliance and Internal Audit
Staff screening
Staff Education and Training
Procedures for banks and money remitters
Funds Transfers
Transaction Testing
Remittances
Money Changing, Encashment and other Cash Transactions
Trade Finance Activities
Transaction Testing
Private Banking
Transaction Testing
Trust and Asset Management Services
Transaction Testing
Non-resident clients
Transaction Testing
Non-Bank Financial Institutions
Money Services Businesses
Transaction Testing
Professional Service Providers
Transaction Testing
Non-Governmental Organizations and Charities
Transaction Testing
Business Entities (Domestic and Foreign)
Transaction Testing
Cash-Intensive Businesses
Transaction Testing
Casinos
Staff screening, awareness and training
Effectiveness of independent monitoring and review processes
Effectiveness of PEP policies
Effectiveness of Customer Due Diligence policies
Effectiveness of STR reporting
Effectiveness of CTR reporting
Insurance Intermediaries, Brokers and Agents
Transaction Testing
PART 4 – POST EXAMINATION
Examination Conclusion
Concluding meeting with management
Report of Examination
Letter to the institution on findings/observations
PART 5 – ADDITIONAL EXAMINATION PROCEDURES
Annex I: Cash Holdings
Annex 2: Lending
Annex 3: Correspondent Banking
Annex 4: Private Banking/Trust activities
Annex 5: Wire/Funds Transfer
Annex 6: International Companies & Trust Companies
Annex 7: Politically Exposed Persons
Annex 8: Introduced Business
Annex 9: Terrorist Financing
Annex 10: Internal Audit/Independent Review
Annex 11: Money Service Businesses
ATTACHMENT 1 – CDD Review Worksheet
ATTACHMENT 2 – AML Examination worksheet – Fund Transfers
ATTACHMENT 3 – CDD Worksheet: Checklist of Items to Observe
ATTACHMENT 4 – Sample letter to an institution
OVERVIEW
The aim of this manual is to provide guidance to examiners for carrying out
AML/CFT examinations of reporting institutions¹ to ensure compliance with the
Money Laundering and Proceeds of Crime Act 2002 (the “MLPCA”).
An effective AML/CFT compliance program requires sound risk management;
therefore, the manual also provides guidance on identifying and controlling risks
associated with money laundering (ML) and financing of terrorism (FT). The manual
contains an overview of AML/CFT compliance program requirements, AML/CFT
risks and risk management expectations and examination procedures.
The manual has been prepared in a number of sections:
• Part One provides a general overview of the on-site examination process and
issues to consider such as giving consideration to the size and complexity of
the reporting institution to be examined;
• Part Two deals with the pre-planning process of the on-site examination;
• Part Three addresses the performance of the on-site examination and risk
areas to be reviewed;
• Part Four outlines the post-examination issues such as report writing;
• Part Five of the manual outlines additional examination procedures which may
be employed depending on the scope of the examination.
As there is a significant amount of similarity in relation to the planning for an on-site
examination, irrespective of the class of reporting institution, no differentiation
between different reporting institutions has been made in Part Three of the manual.
Where appropriate, topics which are relevant to specific reporting institutions have
been separately considered (e.g. banks and MLPCA requirements in relation to
correspondent banking, insurers and the relationship with brokers and agents, and
casinos).
The manual also includes a number of annexes designed to assist the SIFIU to perform
its work and identify those higher risk reporting institutions. Attachments to the
manual include examples of worksheets and letters to institutions.
Finally, the manual is forward-looking and includes some requirements currently not
provided for in the MLPCA (e.g. cash transaction reporting requirements).
AMLAT
November 2008
¹ As defined under Section 2 of the Money Laundering and Proceeds of Crime Act 2002.
PART 1 – ON-SITE EXAMINATIONS
On-site examinations
Risk management systems generally look good on paper, but can be bad in practice.
It is therefore necessary for the SIFIU to undertake its own on-site work. These visits
can also allow the SIFIU to build up a view on “good” practice in particular areas of
AML/CFT risk management from peer group comparisons, which gives a useful
benchmark for subsequent work. The process described in this manual can be
divided into three stages:
• Pre-examination planning;
• The examination; and
• Post-examination assessment and reporting.
Each of these stages plays an integral part in the success of the on-site program,
and is discussed in greater detail in subsequent sections of this manual. The
following diagram provides an overview of each aspect of the visit process.
[Diagram: overview of the visit process]
Planning: institution specific issues; available information; internal planning
considerations; letter to institution; assess information and select files/area.
Examination: perform examination (opening meeting, review files, conduct
interviews, closing meeting); guidance on best practice.
Post examination: internal reports to management/supervisory agency;
assessment; letter to institution.
Examination Objectives
The objectives of an AML/CFT examination are to:
a. Ascertain if adequate policies and procedures have been established for the
prevention of money laundering and/or combating the financing of terrorism in
accordance with the requirements under the Money Laundering and Proceeds
of Crime Act 2002;
b. Determine if the AML/CFT policies and procedures have been properly
applied and enforced;
c. Ascertain if the AML/CFT policies and procedures are subject to regular
reviews and determine the adequacy of such reviews; and
d. Ascertain compliance with Parts 2 of the MLPCA.
Considerations of size, scope and complexity
It is important to remember when conducting a compliance examination or reviewing
a reporting institution’s policies and procedures to give due consideration to the
nature and scope of the institution’s activities. It is reasonable to expect that a bank
or a money remittance company, such as Western Union, should have policies and
procedures that meet all aspects of the MLPCA and have procedures, possibly
automated depending on the size of the institution, to monitor accounts and
transactions.
On the other hand, a small DNFBP (such as a casino, lawyer, accountant or a trust
company service provider) may not have automated monitoring systems. Again, the
degree of sophistication may vary depending on the size of these entities.
Regardless of this, these entities should perform a risk assessment of the customer
at the inception of a client relationship (and perform CDD) and the on-going working
relationship with the client should enable them to identify and detect changes in the
type of work or the nature of the client’s activities, particularly given that the lawyer’s
or accountant’s knowledge of the client and its business is developed through a long
term relationship.
Regardless of the size of the organisation or the nature of its activities, internal
controls should address the following:
• Vulnerability: Provide increased focus on a reporting institution’s operations
(e.g. services, clients and geographic locations) that are more vulnerable to
abuse by money launderers.
• Risk Assessment: Provide for a periodic review of the risk assessment and
management processes, taking into account the environment within which the
accountant or lawyer operates and the activity in the business environment.
• Implementation: Implement risk-based CDD, policies, procedures and
processes.
• Higher risk clients: Provide for adequate controls for higher risk clients and
services as necessary, such as limits on the activity/service offer or
management approvals.
• Responsibility: Designate an individual or individuals at an appropriate level
who is/are responsible for managing compliance with the MLPCA.
• Compliance: Provide for an AML/CFT compliance function and review
program if appropriate given the scale of the organisation and the nature of
the reporting institution’s business.
• Common controls: For those firms which are part of groups, to the extent
possible there should be a common control framework.
• Feedback: Inform the principals of compliance initiatives, identified
compliance deficiencies and corrective action taken.
• Continuity: Provide for continuity in the event of changes to management or
employees.
• Updates: Focus on meeting all statutory record keeping and reporting
requirements, recommendations for AML/CFT compliance and provide for
timely updates in response to changes to legislation and the SIFIU’s
requirements.
• Staff supervision: Provide for adequate supervision and support for staff
activity that forms part of the organisation’s AML/CFT compliance program.
• Staff roles: Incorporate AML/CFT compliance into job descriptions and
performance evaluations of relevant personnel.
• Training: Provide for appropriate training to be given to all relevant staff.
Jewellers, real estate agents, car dealers and other small reporting institutions
should have an AML/CFT framework which incorporates the points above. It should
be tailored to the institution and the SIFIU will have to determine the adequacy of the
institution’s AML/CFT regime against the nature of its business. Issues of high staff
turnover need to be considered and the institution and both its existing and new staff
should be aware of their obligations under the MLPCA (e.g. staff training to ensure
that they obtain CDD information if required and reporting of suspicious
transactions).
Developing a work plan
The SIFIU should develop a work plan which outlines a schedule of proposed
compliance examinations for the coming year. Scheduling of examinations should be
risk based and provide for follow-up examinations of those institutions where
deficiencies have been identified. Typically you should aim to examine larger
institutions/higher risk reporting institutions (such as banks) on a two-year cycle. For
other reporting institutions, e.g. the DNFBPs, such a cycle may not be achievable,
especially if there is a large number of such entities.
The work plan should be developed on a risk-based approach and the selection of
institutions will be based on a number of factors such as STR reporting, market
feedback or intelligence the SIFIU has gathered. For DNFBPs, the SIFIU should, as a first
step, send compliance questionnaires to these entities to assist it to determine the
nature and scope of activities undertaken by these entities and the risk of ML/TF in
these reporting institutions.
For those entities supervised by the Central Bank of Solomon Islands (CBSI), the
SIFIU and the CBSI should develop a program of joint compliance examinations.
This will avoid unnecessary duplication of work. However, even if joint examinations
are conducted, the SIFIU should not feel constrained from conducting its own examinations
if it judges it necessary because of concerns it has about an institution’s compliance
with the MLPCA (e.g. a sharp decline in STRs or other indicators which may lead the
SIFIU to suspect that an institution may be in breach of the MLPCA).
Reliance on the work of others
The SIFIU may choose to rely on the work of others (e.g. internal auditors, external
auditors, supervisory agencies) to reduce the amount of work to be performed when
testing a reporting institution’s procedures. However the SIFIU will need to form a
judgement as to whether or not these parties can be considered as competent,
impartial and independent.
In deciding if it is appropriate to rely on the work of others, the SIFIU should consider
the following points in assessing the competence of others:
a. Whether the scope of work which was performed covers those AML/CFT risks
to be reviewed by the SIFIU;
b. Whether the persons who performed the work have sufficient knowledge of
AML/CFT issues;
c. Whether the persons are reliable;
d. Whether the reporting institution’s structure provides a framework for work to
be performed independently and impartially.
PART 2 – PREPARATION FOR THE EXAMINATION
Examination Procedures
Scoping an Examination
Timely, efficient, and risk-focused examinations are essential to an effective on-site
examination program. Timely examinations ensure that the SIFIU (and the CBSI)
stays abreast of changes in the condition or management of an institution’s
AML/CFT program. A risk-focused examination ensures that the SIFIU and CBSI
examine those institutions that pose the greatest risk of being misused for ML/FT more
frequently, and those with less risk, less frequently.
All examinations should be risk-focused, meaning that you spend more time looking
at higher risk areas within an institution and less time looking at low risk areas. Risk
can be based on a number of factors such as:
• The nature of an institution’s operations – e.g. consider how criminals may try
to exploit any vulnerability in its financial products or AML controls;
• The quality of management and staff or of its internal procedures; and
• The adequacy of management and board to identify, manage and monitor
risk, and take timely action to remedy identified problems.
Risk Based Approach
Risk-focused examinations will assist the SIFIU in ensuring the most efficient use of
its resources. Staffing should be appropriate to the size of the institution and the
scope of the review.
Scoping is an integral part of a risk-focused examination process. Scoping assists
examiners to understand an institution’s risk profile and potential vulnerabilities.
Examiners can then use that understanding to target higher risk areas for review and
to determine the appropriate examination procedures for that review. Scoping is the
planning process that enables the SIFIU to match the risk profile of an institution
against the required work program.
Scoping is the starting point of any examination and usually begins off-site. In brief,
scoping enables the examiner to understand the present risk profile of an institution
based on the following:
a. A review and analysis of prior examination reports and prior track record of
management.
b. Interviews with management.
c. An assessment of any relevant changes in business operations, staffing, or
external circumstances.
Based on this risk profile, the Examiner In Charge (EIC) will then determine the
appropriate areas to be examined, the depth of review required, the examination
procedures to use, and the personnel requirements. The EIC may modify an
examination scope based on findings during the course of an examination.
Scoping the examination consists of four stages:
a. Reviewing pre-examination information.
b. Conducting management interviews.
c. Reviewing information from other sources, for example the reporting
performance of the institution when considered against other institutions
operating in the same business sector;
d. Developing a risk assessment.
It is critical to the risk-focused examination process that the SIFIU conduct these
stages. Refer to Annex I for a Risk Matrix which could assist with the scoping of an
examination.
To assist the SIFIU in developing a risk based approach and also to gain a better
understanding of entities subject to the MLPCA, particularly the DNFBPs, Annex II
includes a questionnaire that could be forwarded to DNFBPs. The questionnaire seeks
information on the institution’s business activities, as this pertains to the MLPCA, and
general AML/CFT awareness.
Letter to the Institution requesting pre-examination Information
A request letter (see Annex III) should be sent about 2 weeks before the actual
onsite visit. The timing will of course depend on the size of the institution to be
examined.
Review Pre-examination Information
Generally, the EIC begins the scoping process off-site, before the start of the
examination. Where possible the SIFIU should seek to leverage off work performed
by other agencies (e.g. read reports of recent on-site examinations by the CBSI).
A sample of items that the examiner may review off-site could include the following:
• An institution’s file;
• Prudential returns (for entities supervised by the CBSI);
• Correspondence, e.g. DNFBPs should be asked to complete the
questionnaire (refer Annex II) which asks institutions to provide information on
the nature and scope of their business (such as the number of international
companies they have registered);
• Unresolved issues from preceding examinations;
• Application information – conditions of approval;
• Documentation on supervisory and enforcement actions;
• Consumer complaints;
• Suspicious Transaction Reports;
• Reporting statistics for the business to be examined and comparison with the
industry sector (Statistics can include transaction type profiles, customer
categories, geographical splits);
• SIFIU or CBSI commentary on overall quality and attitude to reporting;
• Changes in operations;
• Changes in technology risk, systems and controls;
• Minutes of board meetings;
• Internal and external audits;
• Compliance self-assessments;
• Responses and corrective actions to previous examinations and audits;
• News articles, including Internet sources; and
• Technology.
When examiners arrive on-site for the examination, they should review additional
information that may affect the scope of the examination as soon as possible.
Examples of scoping materials commonly reviewed on-site include the following:
• Relevant documents not available before the examination begins;
• Board reports, board minutes, and management reports;
• Internal audit reports, if applicable (and if not already reviewed off-site);
• Compliance reviews and/or compliance self-assessments;
• Business plan;
• Operating budget;
• Any new contracts (for example: use of 3rd party introducers, employment,
information systems, leases, etc.);
• Any new or revised policies and procedures;
• Any new product or delivery channel specifications (e.g. new branches) and
associated marketing plans;
• Large cash transaction reports; and
• STRs.
Risk and Risk Assessment
The risk management principles that a reporting institution uses in traditional areas
(e.g. risk of fraud, theft, credit losses) should also be applied to assessing and
managing AML/CFT risk. Understanding its risk profile enables the institution to
apply appropriate risk management processes to its compliance program.
There are many effective methods for completing AML risk assessments. Therefore
examiners should not advocate a particular method or format in discussions with an
institution about its own risk assessment processes. In certain circumstances it may
be appropriate for the SIFIU to provide guidance to smaller reporting institutions to
assist such institutions to implement an effective AML/CFT regime. The institution’s
management should decide the appropriate method or format, based on the
institution’s risk profile. However, the chosen format should be easily understood by
all appropriate parties.
An AML risk assessment methodology generally involves two steps:
• Firstly, identification of the specific risk categories (i.e., products, services,
customers, entities, transactions, and geographic locations) unique to the
institution. How vulnerable is each category to criminal abuse? How strong is
the criminal threat? and
• Secondly, conducting a more detailed analysis of the data identified to better
assess the risk within these categories. In particular, what kind of control
strategies could be put in place to reduce any vulnerabilities?
In reviewing an institution’s internal risk assessment, the SIFIU should determine
whether management has considered all products, services, customers, entities,
transactions, and geographic locations, and whether management’s detailed
analysis within these specific risk categories was adequate. If the institution has not
developed a risk assessment, this fact should be discussed with management.
However, it must be remembered that not all institutions will have the resources to
devote to developing a complex framework.
Proper scoping (through document reviews, data analysis and management
interviews) allows the EIC to formulate initial conclusions about the institution’s
condition and risk profile. Using pre-examination information and management
interviews allows the EIC to formulate an initial assessment of:
• The institution’s ML and TF risk;
• Management and the board’s prior track record (e.g. in enforcing effective risk
management and compliance policies and systems);
• Material changes in risk profile or operating strategy, and management’s
response to those changes (if applicable);
• The institution’s internal controls, including technology risk controls, risk
management, and compliance management systems;
• Responsiveness of management and the board in implementing corrective
action to risk management and compliance management deficiencies
identified in previous examinations, audits or reviews;
• The institution’s efforts to stay abreast of and train the board, management,
and staff on safety and soundness and regulatory compliance developments.
Selecting Examination Programs and Procedures
Based upon the risk assessment of the institution, the SIFIU should determine the
appropriate examination programs and procedures to use. Examples of standard
examination procedures, including those addressing specific risk areas, are contained
in Part 5 of this manual.
Examiners should perform a more detailed review of areas with greater risk for
ML/FT or with deteriorating performance indicators and actively pursue any concerns
or red flags that are uncovered during the scoping and examination process. For
example, if risk factors require the examiners to go beyond tailored examination
procedures (e.g. failure to submit STRs), they may use any examination procedures or
conduct any other type of procedures determined appropriate to assess risk. They
may expand the depth of review of any given area as additional facts surface that
necessitate a more comprehensive review (e.g. interview extra customer service
staff about a specific problem).
Examination Management
Effective management of the examination safeguards the examination process by
ensuring that the examination team meets the exam objectives and does so in an
efficient manner. The level and sophistication of examination management methods
and procedures will vary depending on the size, nature, and activities of the
institution.
Examiner‐In‐Charge (EIC) Responsibilities
The EIC carries the primary responsibility for managing the examination. The EIC’s
responsibilities include:
• Examination planning, organization, and implementation: The EIC is
responsible for scoping the examination, setting the examination objectives,
communicating the examination objectives to the examination team, and
ensuring that the exam team meets the examination objectives.
• Clarify administrative arrangements: As part of the pre-examination
meeting and request letter, the EIC should discuss with the President/CEO, or
with a designated institution representative, some of the administrative
aspects of the examination, including:
o Time frames for receiving requested information.
o The availability of the examiners to answer questions from the staff
preparing requested information.
o Names of key contact people.
o Facilities.
o Hours for work.
o Use of equipment.
o The expected duration of the examination.
o Any planned interruptions (these should be kept to a minimum).
o Names of assisting examiners.
• Assign responsibilities: The EIC must determine the expertise necessary
to perform certain aspects of the examination and make assignments
accordingly. Depending on the size of the examination, the EIC may delegate
certain management responsibilities to other examiners for efficiency and to
improve upon administrative and management skills of examiners. (An
AML/CFT examination may be part of a wider prudential examination of the
institution being conducted by the CBSI.)
• Assign priorities to examination tasks: Maximize efficiency by
assigning one examiner to conduct or coordinate activities to avoid duplication
of effort whenever feasible. Determine optimal use of comprehensive reviews
across exam programs to ensure that review work is well targeted.
• Brief the examination team: Clarify members’ respective assignments,
including their participation in examination segments that will involve
comprehensive reviews across examination programs and/or will
promote/allow for cross training.
• Explain risk assessment: Explain the risk assessment and scoping
judgment relevant to each examiner’s assignment.
• Review and update examination plans: Discuss the effect of
information obtained and developed during the exam on the risk profile,
possible changes to the scope, opportunities for conducting comprehensive
reviews across examination programs, and the ability to meet assignment
deadlines throughout the examination. It may be necessary to adjust
assignments in light of new information. Monitor the progress of the
examination to achieve examination objectives in a timely manner and to
identify early adjustments to the scope, staffing, and completion date.
• Provide guidance for examiners: They may need guidance, depending
on their experience and ability. The EIC should encourage questions and
ensure that someone is available to provide guidance. Depending on the size
of the job, the EIC should be familiar with the work performed by the
examiner(s) so that they can make fair and constructive evaluations of their
work.
• Assign whole tasks: Whenever possible, assign examiners to program
areas that they can complete, including report pages and comments, before
leaving the assignment. This allows for efficiency and accountability and
provides necessary on-the-job training.
• Monitor examiners’ performance: Throughout the examination, ensure
examiners are meeting objectives according to schedule and consistent with
the SIFIU’s standards for quality work. Early identification of work-related
problems also allows the examiners the opportunity to correct mistakes and to
immediately improve skills.
• Remember EIC’s communication role: The EIC is the focal point for
communications on significant matters. Examiners and institutions must all
know how to communicate information and when to share information.
Examiners should communicate any significant changes to the scope and the
reasons for them and share significant findings and conclusions to avoid
duplicating efforts.
• Communicate with other agencies: When other supervisory agencies
participate in an examination, maintain close communication with these
authorities.
• Hold regular meetings: The EIC should schedule regular meetings with
the CEO to discuss the progress of the examination and to address any
issues of concern. Conduct the examination efficiently to minimize undue
disruption for the institution. For those entities supervised by the CBSI, the
EIC should convey any unresolved concerns management expresses about
examination progress to the CBSI. Allow for regular meetings with middle
management to discuss findings and questions, and avoid monopolizing the
time of the institution’s staff as much as possible. A professional and
considerate approach usually results in cooperation from the institution’s staff.
• Exit meeting: The EIC should schedule an exit meeting with the institution’s
senior management to discuss examination findings, the examiner’s overall
conclusions, and recommendations.
• Prepare Report of Examination (ROE): The report incorporates
examination findings and conclusions.
Annex I: Risk Assessment Matrix
Examiners could use the following matrix, as appropriate, when assessing the
significance of AML/CFT risks in a financial institution.

Risk Drivers

Industry: Business cycle
Low: Mature and well established
Medium: Stable growth with limited changes
High: Fast growing new entrant to the market

Industry: Market strategy
Low: No significant changes to strategy to attract new customers
Medium: Responds to changes in the external market
High: Aggressive marketing strategy aiming to rapidly grow customer base. Often
undercuts competitors in an attempt to build customer base

Legal:
Low: Parent company operates in regulated markets/jurisdictions and engaged in a
similar business
Medium: Parent company operates in a regulated market/jurisdiction but is not
engaged in the same business
High: Unlisted parent company, controlled by family or private interests and in
markets/jurisdictions with weak regulations

Corporate: Senior management involvement
Low: High involvement of management and full support of AML/CFT compliance
initiatives
Medium: Moderate involvement of management and limited support of AML/CFT
compliance initiatives
High: Minimal involvement and no support for AML/CFT compliance initiatives

Corporate: General attitude to compliance
Low: High regard to compliance in excess of minimum requirements
Medium: Meeting obligations
High: Marginal commitment to compliance and often exhibits non-compliance

Corporate: Management structure
Low: Centralised with one system across all points of business
Medium: Decentralised with one system across points of representation which is
modified for each location
High: Decentralised with points of business operating under different policies and
procedures

Corporate: Customer base
Low: Stable customer base
Medium: Customer base is increasing reflective of strategic decisions
High: High number of ‘walk-in’ customers from a wide range of geographic areas.

Corporate: Level of business
Low: Few international accounts or very low volume of currency activity in the
accounts.
Medium: Moderate level of international accounts with unexplained currency activity.
High: Large number of international accounts with unexplained currency activity.

Corporate: Source of business
Low: No transactions with high-risk geographic locations.
Medium: Minimal transactions with high-risk geographic locations.
High: Significant volume of transactions with high-risk geographic locations.

Corporate: Staffing
Low: Low turnover of key personnel or frontline personnel (i.e., customer service
representatives, tellers, or other branch personnel).
Medium: Low turnover of key personnel, but frontline personnel in branches may
have changed.
High: High turnover, especially in key personnel positions.
Annex II: Questionnaire to assist in developing a risk based approach
Compliance Questionnaire – Accountants, Lawyers
PART A
If operating as a sole practitioner: Your name and address
If answering as a partner, administrator or employee: Organization’s legal name and
operating name:
Head Office address:
Entity legal status (Select one only): Partnership, Limited Liability Partnership (LLP),
Corporation, (If other, specify __)
Please indicate the type of premises for the above address: Commercial / Retail,
Residential / Dwelling House, or (If other, specify)
Name and title of the individual completing questionnaire:
Contact information:
Business telephone:
Business fax:
E-mail:
A.1 Are your organisation’s products or services covered by the Money
Laundering and Proceeds of Crime Act (MLPCA)? Since the commencement
of the MLPCA, have you (operating as a sole practitioner) or your organization
(for which you are a partner, administrator or employee) engaged [2] in or given
instructions, in respect to any of the activities carried on behalf of another
person or entity (other than your employer) as specified in the MLPCA?
No. None of the above activities apply (PLEASE COMPLETE THE FIRST PAGE
AND RETURN TO THE SIFIU)
[2] Engaged in means to carry out the described activities. However, this does not mean that a formal
engagement letter needs to be drawn, or fees charged to be "engaged in" one of those activities. If an
accountant or lawyer carries out the activities, he/she is covered.
If you answered yes, please provide a summary of the above activities you are
engaged in and under what circumstances.
If you are operating as a sole practitioner, please proceed to question A9, otherwise
please continue to question A2.
A.2 Does your organization operate in any other location?
A.3 If you answered yes to question A2, indicate the name and address. If there is
not enough room below, attach a separate sheet to provide all the relevant
information, indicating that this information belongs in answer A3.
A.4 Is your organization a fully owned subsidiary of any other entity subject to the
Money Laundering and Proceeds of Crime Act? If so, what is the name and
address of the parent organization?
A.5 Does your organization own any other entities that are subject to the Money
Laundering and Proceeds of Crime Act? If so, what are the names and
addresses of these entities? If there is not enough room here, attach a
separate sheet to provide all the relevant information. Make sure to indicate
that this information belongs in answer A5.
A.6 Does your organization have an office outside of the Solomon Islands?
A.7 If you answered yes to question A6, list in which countries? If there is not
enough room here, attach a separate sheet to provide all the relevant
information. Make sure to indicate that this information belongs in answer A7.
A.8 Indicate the number of professional accounting members in your (check the
appropriate box) organization including details of the name of the accounting
society to which they belong:
A.9 What is your or your organization's primary bank? (Please provide name and
address).
A.10 What is your or your organization’s secondary bank? (Please provide name
and address).
A.11 Are you or your organization engaged in any other activities subject to the
Money Laundering and Proceeds of Crime Act? (e.g. foreign exchange, funds
transfer, real estate, etc.). If so, please list.
A.12 Indicate in what type of business you or your organization operates and the
approximate annual % of activity (gross revenue) it represents. (Check all that
apply) Annual %: External audit/review/compilation, Accounting and
bookkeeping, Management/administration, Bankruptcy/receiverships, Tax
services/consultant, Financial planning, Compliance review, Forensic
accounting, Computer consulting, Trust services, Legal advice, Litigation,
Conveyancing, Other (please specify)
A.13 What is your or your organization's approximate annual volume of business in
$ (in relation to the activities described in question A14)?
A.14 Please indicate the number of international companies, trust or other legal
entities you have established.
A.15 Please indicate the number of clients for whom you manage funds, act as a
director or secretary of a legal entity.
A.16 Please indicate the number of cash transactions in excess of the reporting
threshold specified in the MLPCA you have received within the past 12
months.
A.17 Have you or your organization been subject to an anti-money laundering
compliance review by your professional association since the commencement
of the MLPCA?
Part B
B.1 Have you or your organization fully implemented a compliance regime in your
organization?
B.2 If you answered no to question B1, at what stage of implementation is your or
your organization's compliance regime? If there is not enough room below,
attach a separate sheet to provide all the relevant information. Make sure to
indicate that this information belongs in answer B2.
B.3 Has a compliance officer been appointed to meet your or your organization's
reporting, record keeping and client identification obligations?
B.4 If you answered yes to question B3, please provide the name of the
compliance officer.
B.5 Does your compliance officer report directly to senior management of the
organization? (Senior management could be the owner or chief operating
officer of the business, any senior executive or any member of senior
management or the board of directors).
B.6 How do you or your organization keep up with any changes in reporting,
record keeping or client identification obligations? Media (newspaper,
television, etc.), Seminars, training or conferences, Other web sites, Other?
B.7 Have you consulted the SIFIU guidelines?
Part C
C.1 Do you or your organization have policies and procedures to ensure your
reporting, record keeping and client identification requirements are being met?
C.2 Are these policies and procedures in writing? If no, please describe.
C.3 Does your organization cross-reference the names of clients with any
anti-terrorism lists of names published by the UN or distributed by the SIFIU?
Part D
D.1 Have you or your organization implemented a process for reviewing your or
your organization's compliance policies and procedures to determine their
effectiveness?
D.2 Has such a review already been conducted for yourself or your organization?
D.3 If you answered yes to question D2, how often do you or your organization
conduct a review? More than once a year, Once a year, Less than once a
year.
D.4 If you answered yes to question D2, the review was conducted by: (Check all
that apply) Compliance officer, Internal Auditor, Consultant, External Auditor,
Other
D.5 If you answered yes to question D2, when was the review completed?
D.6 Are the results of the review documented?
Part E
E.1 Do you or your organization provide training regarding your reporting, record
keeping and client identification obligations?
E.2 If you answered yes to question E1, describe how the training is delivered.
Include information about the mode and frequency of delivery as well as a
general description of who is required to take the training. If there is not
enough room below, attach a separate sheet to provide all the relevant
information. Make sure to indicate that this information belongs in answer E2.
Mode of training: In a classroom with trainer/Seminar, Self-directed,
Computer-based, Other
Frequency of training: Yearly, More often than yearly (e.g., seasonally,
quarterly, etc.), When new staff is hired? In special circumstances? Other?
Who receives the training: All Staff, Brokers / Nominees / Managers, Sales
Representatives, Other
Type of material: Handouts, Test, Presentation or group discussion, Other?
Compliance Questionnaire ‐ MSB/FX sector
Part A
Organization's legal name and Head Office address:
Please indicate the type of premises for the above Head Office address:
Commercial/Retail, Residential/Dwelling House, or (If other, specify)
Name and title of the individual completing questionnaire:
Contact information:
Business telephone:
Business fax:
E-mail:
A.1 Does your organization have branches operating in the Solomon Islands?
A.2 If you answered yes to A1, please list the locations of the branches (include
address, city, province/territory, etc.). If there is not enough room below,
attach a separate sheet to provide all the relevant information. Make sure to
indicate that this information belongs in answer A2
A.3 Does your organization have branches outside the Solomon Islands?
A.4 If you answered yes to question A3, please list the other countries where the
branches are located. If there is not enough room below, attach a separate
sheet to provide all the relevant information. Make sure to indicate that this
information belongs in answer A4.
A.5 Does your organization have agents operating in the Solomon Islands?
A.6 If you answered yes to A5, please list the name(s) and location(s) (include
address) of the agent(s) operating in the Solomon Islands. If there is not
enough room below, attach a separate sheet to provide all the relevant
information. Make sure to indicate that this information belongs in answer A6.
A.7 Are you an agent of any other organization?
A.8 If you answered yes to question A7, please list the name(s) of the
organization(s) you are an agent for. If there is not enough room below,
attach a separate sheet to provide all the relevant information. Make sure to
indicate that this information belongs in answer A8.
A.9 How many employees are there in your organization?
A.10 For the previous fiscal year, please indicate the approximate annual value of
all currency exchange and money services business you conducted. $ ____
A.11 What is the average size of these transactions?
A.12 Please indicate the number of cash transactions in excess of the reporting
threshold specified in the MLPCA you have received within the past
12 months.
A.13 Does your organization provide currency exchange and/or wire transfer
services to other Money Services Businesses or Foreign Exchange Dealers?
A.14 What is your organization's primary bank?
A.15 What is your organization's secondary bank?
A.16 Is your organization a subsidiary of any other entity subject to the Money
Laundering and Proceeds of Crime Act? If so, what is the name and address
of the parent organization?
A.17 Does your organization own any other entities that are subject to the Money
Laundering and Proceeds of Crime Act? If so, what are the name and address
of these entities? If there is not enough room here, attach a separate sheet to
provide all the relevant information. Make sure to indicate that this information
belongs in answer A15.
A.18 Please indicate if you are licensed in any of the following sectors. Check all
that apply: Life Insurance, Securities, Real Estate, Accounting
Part B
B.1 Have you or your organization fully implemented a compliance regime in your
organization?
B.2 If you answered no to question B1, at what stage of implementation is your or
your organization's compliance regime? If there is not enough room below,
attach a separate sheet to provide all the relevant information. Make sure to
indicate that this information belongs in answer B2.
B.3 Has a compliance officer been appointed to meet your or your organization's
reporting, record keeping and client identification obligations?
B.4 If you answered yes to question B3, please provide the name of the
compliance officer.
B.5 Does your compliance officer report directly to senior management of the
organization? (Senior management could be the owner or chief operating
officer of the business, any senior executive or any member of senior
management or the board of directors).
B.6 How do you or your organization keep up with any changes in reporting,
record keeping or client identification obligations? Media (newspaper,
television, etc.), Seminars, training or conferences, Other web sites, Other
B.7 Have you consulted the SIFIU guidelines?
Part C
C.1 Do you have policies and procedures to ensure your reporting, record keeping
and client identification requirements are being met?
C.2 Are your policies and procedures in writing?
C.3 Within the last twelve months, has your organization conducted financial
transactions with individuals or entities based in any of the countries on the
Financial Action Task Force (FATF) List of Non-Cooperative Countries or
Territories?
C.4 If you answered yes to question C3, which countries were involved and
approximately how many transactions were conducted with each country? If
there is not enough room below, attach a separate sheet to provide all the
relevant information. Make sure to indicate that this information belongs in
answer C4.
C.5 Does your organization cross-reference the names of clients with any
anti-terrorism lists of names published by the SIFIU?
Part D
D.1 Have you implemented a process for reviewing your organization's
compliance policies and procedures to determine their effectiveness?
D.2 Has such a review already been conducted for your organization?
D.3 If you answered yes to question D2, how often is a review conducted? More
than once a year, Once a year, Less than once a year
D.4 If you answered yes to question D2, the review was conducted by: (Check all
that apply): Compliance officer, Internal Audit, External Audit, Consultant,
Other ___
D.5 If you answered yes to question D2, when was the review completed?
D.6 Are the results of the review documented?
Part E
E.1 Does your company/organization provide training about your reporting, record
keeping and client identification obligations? If you answered yes to question
E1, answer question E2.
E.2 Describe how your training is delivered. Include information about the mode
and frequency of delivery as well as a general description of who is required
to take the training. If there is not enough room below, attach a separate
sheet to provide all the relevant information. Make sure to indicate that this
information belongs in answer E2.
Mode of training: In a classroom with trainer/Seminar, Self-directed,
Computer-based, Other
Frequency of training: Yearly, More often than yearly (e.g., seasonally,
quarterly, etc.), When new staff is hired, In special circumstances, Other
Who receives the training: All Staff, Brokers / Nominees / Managers, Sales
Representatives, Other
Type of material: Handouts, Test, Presentation or group discussion, Other?
Compliance Questionnaire – Real Estate Agents, Car Dealers, Jewellery shops
Part A
Company/Organization's legal name and address:
Please indicate the type of premises for the above address: Commercial/Retail,
Residential/Dwelling House, or (If other, specify)
Name of owner/broker/nominee:
Name and title of the individual completing questionnaire:
Contact information:
Business telephone:
Business fax:
E-mail:
A.1 Please indicate which, if any, of the following real estate activities your
organization is involved in? (Check all that apply: Residential Sales,
Commercial Sales, Property Management, or Other)
A.2 Does your company/organization engage in any of the following activities on
behalf of any person or entity in the course of a transaction concerning real
estate, jewellery or motor vehicles?
• receiving or paying funds (i.e. accepting deposits);
• depositing or withdrawing funds; or
• transferring funds by any means
If you answered yes to any item in A2, please proceed and complete the
questionnaire. If you answered no to A2, you are not required to proceed with the
rest of the questionnaire. Please return the questionnaire completed to this point to
SIFIU in the prescribed manner. Thank you for your time and cooperation.
A.3 How many brokers _________ and sales representatives ___________ are
there in your entire company/organization?
A.4 Does your company/organization operate more than one office?
A.5 If you answered yes to A4, please provide the number of branch offices and
their addresses? If there is not enough room below, please attach a separate
sheet to provide all the relevant information. Make sure to indicate that this
information belongs in Answer A5.
A.6 What best describes your office: Corporate, Franchise, Independent Office,
or Other (please specify)
A.7 Please indicate the approximate number of customer transactions for your last
fiscal year. Please also indicate the approximate value of the transactions
conducted in your last fiscal year $: i.e. value of property(s) bought or sold
(e.g. 5 properties at $100,000 – value of transactions is $500,000); motor
vehicles bought or sold; value of jewellery bought or sold.
A.8 When conducting transactions, does your office accept cash? All references
to cash, means coin or paper money that is designated as legal tender in the
country of issue. In this context, cash also includes travellers cheques, bearer
bonds, money orders and postal notes.
A.9 Please indicate the number of cash transactions in excess of the reporting
threshold specified in the MLPCA you have received within the past 12
months.
Part B
B.1 Have you fully implemented an anti-money laundering (AML) compliance
regime in your company/organization?
B.2 If you answered no to question B1, please explain what aspects of the
compliance regime you have not implemented (if any). If there is not enough
room below, attach a separate sheet to provide all the relevant information.
Make sure to indicate that this information belongs in answer B2.
Part C
C.1 Have you appointed a compliance officer responsible for implementing your
AML compliance regime to meet your reporting, record-keeping and client
identification obligations?
C.2 If you answered yes to question C1, provide the compliance officer's name.
C.3 Does your compliance officer report directly to the broker/nominee/owner of
your business?
C.4 How does your company/organization keep up with any changes in reporting,
record-keeping or client identification obligations? E.g. SIFIU’s web site,
industry association, media (newspaper, television, etc.), seminars, training or
conferences, or other ways of keeping current?
Part D
D.1 Do you have policies and procedures to ensure your reporting, record keeping
and client identification requirements are being met?
D.2 Are these policies and procedures in writing? If so, please attach a copy.
D.3 Has your company/organization conducted financial transactions within the
last 12 months with individuals or entities based in any countries that have
high rates of crime and corruption, or have weak anti-money laundering
controls?
D.4 If you answered yes to question D3, which countries were involved and
approximately how many transactions were conducted with each country? If
there is not enough room below, attach a separate sheet to provide all the
relevant information. Make sure to indicate that this information belongs in
answer D4.
D.5 Does your company/organization cross-reference the names of clients with
any anti-terrorism lists of names distributed by the SIFIU?
Part E
E.1 Have you implemented a process for reviewing your AML compliance policies
and procedures to determine their effectiveness?
E.2 Has such a review already been conducted for your company/organization?
E.3 If you answered yes to question E2, how often do you plan on conducting a
review? More than once a year, Once a year, Less than once a year
E.4 If you answered yes to question E2, the review was conducted by: (Check all
that apply) Your Compliance Officer, External Auditor, Other Internal Auditor,
Other
E.5 If you answered yes to E2, when was the review completed?
E.6 Are the results of the review documented? If so, please attach a copy.
Part F
F.1 Does your company/organization provide training about your reporting, record
keeping and client identification obligations? (If you answered yes to question
F1, answer question F2).
F.2 Describe how your training is delivered. Include information about the mode
and frequency of delivery as well as a general description of who is required
to take the training. If there is not enough room below, attach a separate
sheet to provide all the relevant information. Make sure to indicate that this
information belongs in answer F2.
Mode of training: In a classroom with trainer/Seminar, Self-directed,
Computer-based, Other
Frequency of training: Yearly, More often than yearly (e.g., seasonally,
quarterly, etc.), When new staff is hired, In special circumstances
Who receives the training: All Staff, Brokers / Nominees / Managers, Sales
Representatives, Other
Type of material: Handouts, Test, Presentation or group discussion, Other?
Annex III: Letter of Request to an institution
As part of the examination planning process, the EIC should prepare a request letter.
A draft letter and a list of materials that examiners may request, or request
access to, to assist them in undertaking an AML/CFT examination are provided below.
This list should be tailored for the specific institution’s risk profile, nature and scope
of activities and the planned examination scope. Additional materials should be
requested as needed.
When drafting the letter to certain classes of reporting institution, such as lawyers
and accountants, it is recommended that the letter clearly state that you will be
looking at their activities (e.g. when they are acting on behalf of their clients
and representing individuals or entities), in connection with one or more of the
regulated activities as specified under the MLPCA. This will hopefully address
any concerns that these entities may have as to the nature of the compliance
examination, i.e. that the SIFIU is on a ‘fishing trip’ to obtain information on all of its
clients.
DRAFT LETTER
I am writing to confirm arrangements for an on-site anti-money laundering visit to
your [bank or business], commencing at [date & time]. It is anticipated that the
on-site visit will take up to three to four days. The [supervisory authority] will be
represented by [name of staff].
The main purpose of the visit is to improve our understanding of the [bank’s or
business’s] policies and procedures in respect of anti-money laundering and to
undertake a review of your institution’s compliance with the Money Laundering and
Proceeds of Crime Act.
At the start of the visit we would appreciate hearing from you about:
• The respective roles of each area of the business involved in anti-money
laundering;
• Policies and procedures for dealing with money laundering;
• Account opening procedures for [customers] [or, if a bank, corresponding
banks];
• Sales/purchase of monetary instruments;
• Account monitoring procedures;
• Staff training related to money-laundering;
• Compliance policies/procedures;
• Reporting to senior Management/Head Office; and
• Arrangements for review of anti-money laundering procedures.
During the course of the visit we propose to hold discussions with staff on
anti-money laundering and operational issues. We will also spend some time reviewing a
random sample of accounts. This sample should include a selection of newly
opened accounts and existing accounts across a broad spectrum of account holders.
At the conclusion of the visit, we would appreciate the opportunity to clarify any
issues that have arisen and discuss our observations with you and your staff.
To aid our preparation and to minimize the amount of time required for the visit, it
would be helpful to receive a range of information before our arrival (see
attachment). I would appreciate receiving this information by [date] at: [address].
If you have any questions on the proposed visit please contact [name].
MATERIAL TO BE PROVIDED BEFORE VISIT
The following is a list of information you should consider requesting from the
organisation to be reviewed. Larger organisations (e.g. banks) should normally
provide all the information below, but you may wish to request a simpler range of
information from smaller reporting entities (e.g. a jeweller).
AML/CFT Compliance Program
• Name and title of the designated compliance officer.
• Organization charts showing direct and indirect reporting lines.
• Copies of resumés and qualifications of any person(s) serving in AML/CFT
  compliance program oversight capacities.
• Copies of the most recent written AML/CFT compliance program approved by
  board of directors/or senior management, including customer identification
  requirements, with date of approval noted in the minutes (where applicable).
• Copies of the policy and procedures relating to all reporting and
  record-keeping requirements, including suspicious activity reporting,
  compliance and customer due diligence.
Independent Testing
• Copies of the results of any audits or tests performed since the previous
  examination for AML/CFT, including the scope or engagement letter,
  management’s responses, and access to the work papers.
• Access to the auditor’s risk assessment, audit plan (schedule), and program
  used for the audits or tests.
Training
• AML training documentation.
• AML training schedule with dates, attendees, and topics.
Risk Assessment
• Copies of management’s AML risk assessment of products, services,
  customers, and geographic locations.
• List of identified high-risk accounts.
Customer Identification Program
• List of accounts without customer identification.
• File of correspondence requesting identification for the institution’s customers
  (where applicable).
• Written description of the institution’s rationale for customer identification
  exemptions for existing customers who open new accounts.
• List of new accounts covering all product lines (including accounts opened by
  third parties) and segregating existing customer accounts from new
  customers, for ___________. (Examiner to insert a period of time appropriate
  for the size and complexity of the institution.)
• List of any accounts opened in which customer identity verification has not
  been completed, or any accounts opened with exceptions to the customer
  identification requirement.
• List of customers or potential customers for whom the bank [or your business]
  took adverse action, on the basis of its KYC.
• List of all documentary and non-documentary methods the bank uses to verify
  a customer’s identity.
• List of the financial institutions on which the institution is relying, if the
  institution is using 3rd party introducers. The list should note if the relied-upon
  financial institutions are subject to a rule implementing the AML/CFT
  compliance program requirements and are regulated. In addition, the
  institution should be asked to provide the following:
  o Copies of any contracts signed between the parties.
  o Copies of the CDD or procedures used by the other party.
  o Any certifications made by the other party.
  o Copies of contracts with financial institutions and with third parties that
    perform all or any part of the bank’s CDD.
Suspicious Activity Reporting
• Access to Suspicious Transaction Reports (STRs) filed with SIFIU during the
  review period and the supporting documentation.
• Any analyses or documentation of any activity for which a STR was
  considered but not filed, or for which the institution is actively considering filing
  a STR.
Monitoring Procedures
• Description of expanded monitoring procedures applied to high-risk accounts.
• Copies of reports used for identification of and monitoring for suspicious
  transactions. These reports include, but are not limited to, suspected kiting
  reports, cash activity reports, monetary instrument records, and funds transfer
  reports.
• If not already provided, copies of other reports that can help to identify
  unusual transactions warranting further review.
  o Institutions should provide the name, purpose, parameters, and
    frequency of each report.
PART 3 – ON‐SITE EXAMINATION WORK
This section of the manual outlines general examination procedures that should be
followed by the SIFIU. Annexes to Part 5 of the manual provide more specific
guidance in relation to examination procedures.
The procedures outlined below and in other sections of the manual are generic,
designed for application to all institutions subject to the provisions of the MLPCA, and
as such should be considered as a framework rather than a strict set of rules to
be followed, meaning that the examination team should focus on meeting the
underlying objectives rather than just following the steps. The examination
team may need to add, reduce or modify the framework using judgement based on
the financial institution’s own circumstances and scope of business activities and the
results of its own risk assessment of the financial institution.
Examination Approach
During an examination, examiners should employ two clear procedures.
• First, they should establish that the reporting institution’s policies, procedures,
  systems and controls for combating money laundering and financing of
  terrorism are documented. Where appropriate these policies should be
  endorsed by the institution’s head office/board/senior management.
• Second, the examiners should be in a position to test all aspects of the
  policies, procedures, systems and controls on a random or targeted sample
  basis. When significant deficiencies are detected in the sample, the
  examiners should extend the testing to establish whether the deficiencies are
  systemic within the reporting institution.
Meeting with the institution’s management
For Large or High Risk Institutions
The initial interview should be held at the institution’s place of business and should
be attended by all personnel who will be involved in the examination.
The examination team should conduct detailed interviews with the President/CEO,
senior management, compliance officer, internal auditor, information security officer,
general counsel, or others responsible for AML/CFT, as applicable. Further
discussions will take place as needed throughout the duration of the examination.
Use the opening interview to confirm, modify, or supplement the preliminary
assessment about the institution’s risk profile, changes in risk profile, management’s
response to those changes, and management’s track record. All members of the
examination team should be present, but in their absence, those present should
communicate the results of the interviews to absent members. Discussions could
cover the impact on the institution’s AML/CFT procedures of the following:
• Business strategic development and implementation.
• Modifications of organizational structure and lines of responsibility.
• Scope and effectiveness of employee training programs.
• Variations in financial condition or risk profile, and operating performance in
  comparison with the budget.
• Changes in operations that could affect ongoing soundness and compliance
  performance.
• Significant internal or external audit findings, and management’s response to
  those findings.
• Actions taken to correct deficiencies identified in previous examinations,
  audits or compliance self-assessments.
• Management’s status in implementing a formal written compliance policy and
  self-assessment.
• Alteration of existing or development of new products.
• Management’s adherence to, or departure from, formally established
  procedures or standard practices.
• Addition or removal of third-party service providers.
• Adoption, deployment or modification of information technology platforms or
  tools.
The interview process should be adapted to address the particular circumstances of
each institution in response to the pre-examination analysis. This process will assist
the examiners to refine the scope of the examination and determine to what extent they
examine certain operations.
The institution should be advised of the purpose of the examination, and made
aware that questions should be answered. Physical arrangements should be made
by the institution for adequate work space and access to necessary equipment (e.g.
if the institution’s AML/CFT policy manual is only available on-line then the
examination team should be given access to a computer to review the policy
document). The institution should nominate a principal contact person for the SIFIU
examination team to liaise with.
The institution should be advised that examiners will only review information relative
to AML/CFT compliance. However, it should also be advised that if in the course of
the examination, information relative to possible violations of other laws or
regulations is discovered, a referral must be made to other supervisors such as the
CBSI. Any such notification should be documented.
Examiners should be aware that they should ask open-ended questions (for example
questions that start with ‘what’, ‘why’, ‘who’, ‘when’, ‘where’) throughout the interview,
and not ask questions that invoke only a "yes" or "no" answer.
The examination should include interviews with key personnel and they should be
questioned as to their knowledge and training of the AML/CFT customer due
diligence, record keeping and reporting requirements. Each interview should be
documented in the examination file.
For Small Institutions
Elements of the procedures for the large institutions could be adopted on a smaller
scale, depending on the size and complexity of the institution’s business. For
example: the size of the staffing of the compliance function may only include a
compliance officer and one other person.
The interview should identify any related institutions, branches, entities, or other
related entities operated/owned by the institution including ownership.
Ask open-ended questions throughout the interview. Do not ask questions that
require only a "yes" or "no" answer.
The examination should include interviews with key personnel and they should be
questioned as to their knowledge and training of the AML/CFT customer due
diligence, record keeping and reporting requirements. Each interview should be
documented in the examination file.
Procedures applicable to all financial institutions
Policies
Obtain and review a copy of the institution’s statement of policies and instruction
manual in relation to AML and CFT. Ensure that it contains the following required
elements:
• a system of internal controls to ensure ongoing compliance;
• record keeping and reporting requirements;
• independent testing of AML/CFT compliance;
• a specially designated person or persons responsible for managing AML/CFT
  compliance; and
• training for appropriate personnel.
Ensure that the board of directors or senior management of the institution are
involved in establishing appropriate AML and CFT policies and procedures. The
policy statement should:
• set out and explain the ethical and business reasons for combating money
  laundering and the financing of terrorism;
• make clear the regulatory and legal consequences for failure to meet the
  laws and the guidelines issued by the SIFIU;
• address the specific requirements for each business area within the
  institution; and
• state clearly the allocation of responsibilities for the formulation and
  implementation of the AML and CFT policies and procedures.
Ensure that there are written policies and procedures in respect of customer
acceptance, verification of customer identity, on-going monitoring of high risk
accounts and large cash transactions, risk management, retention of records, and
recognition and reporting of suspicious transactions.
Compare the institution’s policies, procedures and controls with those specified in
the MLPCA and the SIFIU’s guidelines, in particular, those requirements in relation
to implementation of customer acceptance policy, verification of customer identity,
on-going monitoring of high risk accounts and large cash transactions, risk
management, retention of records, and recognition and reporting of suspicious
transactions.
Identify any significant differences between the institution’s policies and the SIFIU’s
guidelines, and assess whether these differences weaken the intended effectiveness
of the overall system.
Confirm if all relevant staff have possession of the current statement of policies and
the instruction manual circulated by the management and evaluate the level of
awareness by interviewing a selection of staff at the head office and selected
branches where appropriate.
Discuss with the management, the compliance function and the internal auditor to
establish whether the statement of policies and instruction manual have been subject
to regular review and updating.
Confirm that the policy manual is updated to reflect changes in the institution's
business and its risk profile.
AML / CFT Compliance Officer
The institution should designate at least one member of staff as a compliance
officer responsible for AML/CFT compliance. The officer should be a fit and proper
person with relevant knowledge and background. Accordingly, examiners should
ensure that the role and responsibilities of the AML/CFT compliance officer are
clearly defined, and determine that:
• the role is set at a senior management level within the organization;
• the role and responsibilities are clearly defined and documented;
• the specific job holder has adequate experience and relevant training in
  AML/CFT procedures;
• the officer is authorized to have full access to all customer identification,
  account and transactions records and other information necessary to perform
  the AML/CFT compliance officer role;
• there are appropriate reporting lines to the board and executive management,
  as necessary; and
• the reporting of suspicious transactions to the SIFIU is not subject to consent
  or approval of any other person.
Establish whether the AML/CFT compliance officer has conducted regular reviews to
test completeness of customer account opening documentation, adequacy of CDD
and whether transaction records can be retrieved within a reasonably short period of
time.
Examiners should also establish whether results of the checking and reviews done
by appropriate staff in monitoring the activities of high-risk accounts/unusual
transactions are provided to the AML/CFT compliance officer on a timely basis.
Customer Acceptance Policies
Select a sample of new accounts opened and check that the basic account-opening
requirements for customers with low risk and higher requirements with extensive due
diligence for those high-risk customers have been followed properly.
Customer Identification
Establishment of the relationship
Select a sample of new accounts opened in respect of:
• personal customers;
• corporate and other business customers [3];
• introduced business;
• trust, nominee and fiduciary accounts or client accounts opened by
  professional intermediaries;
• non-face-to-face customers;
• politically exposed persons; and
• correspondent banking.
[3] These include, for example, non-profit organizations and foundations.
Check that procedures for account opening have been followed properly, in
particular, the areas highlighted below.
• there is evidence from independent and reliable sources that verify the identity
  and address;
• original documentation has been seen, and that copies have been certified to
  confirm that they correspond with the originals;
• procedures exist for checking that complete and proper documentation has
  been received and reviewed;
• accounts have not been operated before all relevant information has been
  received and reviewed, or that any exceptions to this rule have been
  approved by senior management with a written explanation of the
  circumstances;
• client profiling information has been received, relating, for example, to account
  usage, source of funds, and association with other customers of the
  institution;
• for corporate and other non-personal accounts, procedures have been
  adopted both to establish the status of the company, and to verify the identity
  of beneficial owners, directors and any relevant officers with signatory powers;
• proper consideration has been given as to whether or not the customer might
  fall within a high risk category; and
• approval for the account to be opened has been received from the appropriate
  level of management.
Politically Exposed Persons
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with senior foreign political figures, often referred to as “politically
exposed persons” (PEPs), and management’s ability to implement effective risk-based due diligence, monitoring, and reporting systems. (While the MLPCA and
international requirements refer to ‘foreign’ PEPs, institutions should be encouraged
to apply similar standards to domestic PEPs).
1. Review the risk-based policies, procedures, and processes related to PEPs.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s PEP accounts and the risks they present.
3. Assess whether the risk-based controls are adequate to reasonably protect
the institution from money laundering and terrorist financing.
Review the procedures for opening PEP accounts. Identify management’s role in the
approval and ongoing risk-based monitoring of PEP accounts.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors PEP
relationships, particularly those that pose a high risk for money laundering.
Determine whether the institution’s system for monitoring PEPs for suspicious
activities, and for reporting of suspicious activities, is adequate given the institution’s
size, complexity, location, and types of customer relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its PEP relationships, as well as
prior examination and audit reports, select a sample of PEP accounts. From the
sample selected, perform the following examination procedures:
• Determine compliance with regulatory requirements and with the institution’s
  established policies, procedures, and processes.
• Review transaction activity for accounts selected. If necessary, request and
  review specific transactions.
If the analysis of activity and customer due diligence information raises concerns,
hold discussions with institution management.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with PEPs.
Retention of Records
Check a sample of accounts to establish whether the records have been adequately
kept for account opening and in support of the entries in the accounts.
1. Review the document retention policy.
2. Ensure that the institution keeps all records of customer information, including
entries of the accounts and details of transactions involving fund transfer for at
least 6 years (without prejudice to the stipulations in other laws and
regulations) from the date of the transaction notwithstanding that the
customers may have terminated the business relationship with the institution
subsequent to the transactions.
3. Ensure also that the institution keeps records of the identification data
obtained through the customer due diligence process for at least 6 years
(without prejudice to the stipulations in other laws and regulations as
appropriate) after termination of business relationship.
4. Evidence of decisions on whether unusual transactions should be reported
should also be kept for at least 6 years after the termination of the
business relationship.
Review the means by which the records are maintained (e.g. paper vouchers,
electronic systems, microfiche) and their location (onsite or remote location), and
assess whether they can be retrieved easily in response to future enquiries from the
authorities.
Determine whether the manner in which the records are retained provides an
effective audit trail for the customers' transactions and the method for updating of
customer related information.
Recognition and Reporting of Suspicious Transactions
Check that the systems in place to detect unusual or suspicious patterns of activity
have been followed properly in accordance with the institution's established policies,
and validate their effectiveness.
Check that the control systems for monitoring higher risk accounts identified
according to the customer acceptance policy of institutions have been followed
properly.
Assess the suitability and effectiveness of the management information system for
identifying promptly any transactions that require review.
Review the general procedures for handling cash transactions.
Establish that a register of internal reports of suspicious transactions is maintained
by the AML/CFT Compliance Officer and review the register to determine if:
• proper recording has been made of suspicious cases reported by staff;
• evidence of acknowledgement has been given to the staff;
• prompt action has been taken and recorded. Assess the average time taken
  for a case to be reported to the SIFIU.
• for cases where no report has been made to the SIFIU, the reasons for not
  doing so have been recorded. Examiners should assess whether the decision
  is reasonable. If internal guidelines have been given or established to help
  assess if a case should be reported to the SIFIU, check that they are
  reasonable and have been followed properly.
Ensure that the channel for reporting suspicious transactions is clearly specified in
writing and communicated to all personnel.
Where an institution requires the use of standard forms for reporting by staff, review
the reports made by staff and trace a sample of these reports to the Register
maintained by the AML/CFT Compliance Officer to ensure adherence to the
institution’s established procedures for internal reporting.
Select a sample of cases that have been reported to the SIFIU, and determine if the
procedures as established by the institution for reporting have been adhered to, and
that the information is complete and relevant.
If a clean record has been maintained in the Register (or if there appears to be an
unusually low level of internal reports), establish why no report has been made by
staff and ensure that the management and staff are aware of their duties to report
suspicious cases and that they have a fair knowledge of what constitutes a
suspicious case.
Cash Transaction Reporting
Check that the systems are in place to identify and report cash transactions in
excess of the reporting threshold of the MLPCA in accordance with the institution's
established policies, and validate their effectiveness.
Check that the institution has performed CDD requirements in accordance with the
institution's established policies, and validate their effectiveness.
Check that the control systems for monitoring large cash transactions.
Review the general procedures for handling cash transactions.
Transaction Testing
The objective is to assess the adequacy of the institution’s systems to identify and
report cash transactions in excess of the reporting threshold of the MLPCA,
knowledge of the risks associated with accepting large amounts of cash, and
management’s ability to implement effective due diligence, monitoring, and reporting
systems.
1. Review the policies, procedures, and processes related to accepting large
cash transactions.
2. Evaluate the adequacy of the policies, procedures, and processes given the
extent of the institution’s cash based activities and the risks they represent.
From a review of management information systems (MIS) determine whether the
institution effectively identifies and monitors large cash transactions.
1. Obtain a list of large cash transactions from the institution and cross reference
this against CTRs submitted to the SIFIU.
2. Determine if the institution can aggregate cash transactions across its various
points of representation.
3. Determine what steps the institution implements in relation to large cash
transactions that are just below the reporting threshold, i.e. transactions
structured to avoid being reported.
Determine whether the institution’s system for accepting large cash transactions
accounts for suspicious activities, and for reporting of suspicious activities, is
adequate given the institution’s size, complexity, location, and types of customer
relationships.
Electronic Funds Transfer Reporting
Check that the systems are in place to identify and report electronic funds transfers in
excess of the reporting threshold of the MLPCA in accordance with the institution's
established policies, and validate their effectiveness.
Check that the institution has performed CDD requirements in accordance with the
institution's established policies, and validate their effectiveness.
Check that the control systems for monitoring electronic funds transfers.
Transaction Testing
The objective is to assess the adequacy of the institution’s systems to identify and
report electronic funds transfers in excess of the reporting threshold of the MLPCA,
the risks associated with conducting electronic funds transfers, and management’s
ability to implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to electronic funds
transfers.
2. Evaluate the adequacy of the policies, procedures, and processes given the
extent of the electronic funds transfers and the risks they represent.
From a review of management information systems (MIS) determine whether the
institution effectively identifies and monitors electronic funds transfers.
1. Obtain a list of large electronic funds transfers from the institution and cross
reference this against EFTRs submitted to the SIFIU.
2. Determine if the institution can aggregate electronic funds transfers across its
various points of representation.
3. Determine what steps the institution implements in relation to electronic funds
transfers that are just below the reporting threshold, i.e. transactions
structured to avoid being reported.
Determine whether the institution’s system for performing electronic transfers to
identify suspicious activities, and for reporting of suspicious activities, is adequate
given the institution’s size, complexity, location, and types of customer relationships.
Compliance and Internal Audit
Review the compliance and/or internal audit plan, programs and scope to determine
if independent testing is comprehensive, accurate and adequate. The compliance
review / internal audit should address the following:
• overall integrity and effectiveness of the AML/CFT compliance program, including
  policies, procedures, and processes;
• adequacy of account-opening and "Know-Your-Customer" (KYC) policies and
  procedures and whether they comply with internal requirements and legal
  requirements;
• AML/CFT record-keeping requirement;
• identification and reporting of suspicious transactions implementation;
• personnel adherence to the institution’s AML/CFT policies, procedures, and
  processes;
• appropriate transaction testing/monitoring, with particular emphasis on high-risk
  operations (products, service, customers, and geographic locations);
• training adequacy, including its comprehensiveness, accuracy of materials, the
  training schedule, and attendance tracking; and
• integrity and accuracy of management information systems (MIS) used in the
  AML/CFT compliance program.
Assess the adequacy of the frequency and the timeliness of such audits.
Ensure that there are clearly defined procedures and responsibilities for following up
and rectifying exceptions identified by the internal audit process.
Review the exceptions and deficiencies identified in the last report and follow them
up with the internal audit head and senior management to ensure that such
deficiencies have been rectified.
Assess the competence, resources and independence of the compliance and/or
internal audit function.
Determine the extent of the testing to be conducted, in the light of the adequacy of
the work done by the compliance function and/or internal auditors and their
competence and independence. Where the work done by these functions is
adequate and the functions are highly competent and independent, examiners may
need to carry out only minimal checking. Otherwise, examiners will have to
conduct comprehensive checking to ensure compliance with policies and
procedures.
Staff screening
Obtain the institution’s human resources policy to determine whether the following
elements are in place in respect of:
1. Pre-employment screening to ensure that potential employees are ‘fit and
proper’ and have not been convicted of any criminal activities or are
associated with persons involved in criminal activities;
2. Conflicts of interest and if staff are required to disclose any interests they may
have which could affect their work;
3. If mechanisms are in place to ensure that information obtained in 1 & 2 above
is updated on a regular basis; and
4. Policies and procedures to report internal fraud or other activities which could
suggest that staff are behaving in a manner which is suggestive of criminal
activity.
Staff Education and Training
Obtain the institution’s training program to determine whether the board of directors
and senior management have put adequate importance on ongoing education,
training, and compliance and whether a relevant and ongoing training program on
AML/CFT procedures is available to staff as follows:
• for all staff – there should be a general awareness of the applicable laws and
  regulations and the institution's policies and procedures to combat money
  laundering and financing of terrorism.
• for new staff – they should be educated, as part of their induction process, in
  the importance of KYC policies and the basic requirements at the institution.
• for all customer contact staff - who deal with customers and/or their
  transactions, they should be trained to verify the identity of new customers, to
  exercise due diligence in handling accounts of existing customers on an ongoing
  basis and to detect individual suspicious transactions and patterns of suspicious
  activity.
• for supervisory staff – they should be trained in skills in monitoring proper
  execution of the policies and procedures;
• for staff with compliance and audit functions – the training should focus
  on the corresponding fields;
• regular refresher training for all relevant staff – to ensure that staff are
  reminded of their responsibilities and are kept informed of prevailing techniques,
  methods and trends in money laundering and financing of terrorism.
Review the training material to assess its clarity, scope, relevance and accuracy.
Determine the comprehensiveness of training and whether it has considered specific
risks of individual business lines.
Assess whether the training material is in a form that is easily used by the staff, and
can be readily accessed for reference and revision on a continuous basis by all
relevant staff.
Establish that the training is delivered by the AML/CFT Compliance Officer or
another suitably knowledgeable member of staff, or, where appropriate, by external
resource persons.
Ensure that attendance is taken at the training sessions and that a regular schedule
of update sessions is maintained by the institution.
As appropriate, conduct discussions with staff of the institution (e.g. tellers, fund
transfer personnel, loan personnel, compliance officers, internal auditors, and other
relevant staff) to assess their knowledge of AML/CFT policies and regulatory
requirements.
Procedures for banks and money remitters
Funds Transfers
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with funds transfers, and management’s ability to implement
effective monitoring and reporting systems. The examination should review the
policies, procedures, and processes related to funds transfers to:
• Evaluate the adequacy of the policies, procedures, and processes given the
institution’s funds transfer activities and the risks they present.
• Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors high-risk
funds transfer activities.
Evaluate the institution’s risks related to funds transfer activities by analyzing the
frequency and dollar volume of funds transfers in relation to the institution’s size, its
location, and the nature of its customer account relationships.
Determine whether an audit trail of funds transfer activities exists. Determine
whether an adequate separation of duties or other compensating controls are in
place to ensure proper authorization for sending and receiving funds transfers and
for correcting postings to accounts.
Determine whether the institution’s system for monitoring funds transfers for suspicious
activities, and for reporting of suspicious activities, is adequate given the institution’s
size, complexity, location, and types of customer relationships. Determine whether
suspicious activity monitoring and reporting systems include:
• Funds transfers purchased with currency.
• Transactions in which the institution is acting as an intermediary.
• Transactions in which the institution is originating or receiving funds transfers
from foreign financial institutions, particularly to or from jurisdictions with strict
privacy and secrecy laws or those identified as high risk.
• Frequent currency deposits and subsequent transfers, particularly to a larger
institution or out of the country.
Transaction Testing
On the basis of the institution’s risk assessment of its funds transfer activities, as well
as prior examination and audit reports, select a sample of high-risk funds transfer
activities, which may include the following:
• Funds transfers purchased with currency.
• Transactions in which the institution is acting as an intermediary.
• Transactions in which the institution is originating or receiving funds transfers
from foreign financial institutions, particularly to or from jurisdictions with strict
privacy and secrecy laws or those identified as high risk.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with funds transfer activity.
Remittances
Select a sample of outward remittances to places outside the Solomon Islands and
inward remittances from places outside the Solomon Islands, and ensure that the
procedures established for customer identification have been adhered to in
accordance with the requirements of the MLPCA and guidelines.
Money Changing, Encashment and other Cash Transactions
Select a sample of money changing, encashment and/or other cash transactions and
check that the procedures established for such transactions have been followed
properly in accordance with the MLPCA and guidelines.
Trade Finance Activities
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with trade finance activities, and management’s ability to implement
effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to trade finance
activities.
2. Evaluate the adequacy of the policies, procedures, and processes governing
trade finance-related activities and the risks they represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
Evaluate the adequacy of the due diligence information the institution obtains for the
customer’s files. Determine whether the institution has processes in place for
obtaining information at account opening, in addition to ensuring current customer
information is maintained.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors the trade
finance portfolio for suspicious or unusual activities, particularly those that pose a
higher risk for money laundering.
Determine whether the institution’s system for monitoring trade finance activities for
suspicious activities, and for reporting of suspicious activities, is adequate, given the
institution’s size, complexity, location, and types of customer relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its trade finance portfolio, as well
as prior examination and audit reports, select a sample of trade finance accounts.
From the sample selected, review customer due diligence documentation to
determine whether the information is commensurate with the customer’s risk. Identify
any unusual or suspicious activities.
Verify whether the institution monitors the trade finance portfolio for potential UN
violations and unusual transactional patterns and conducts and records the results of
any due diligence.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with trade finance activities.
Private Banking
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with private banking activities, and management’s ability to
implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to private banking
activities.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s private banking activities and the risks they represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From a review of management information systems (MIS) reports (e.g., customer
aggregation, policy exception and missing documentation, customer risk
classification, unusual accounts activity, and client concentrations) and internal risk
rating factors, determine whether the institution effectively identifies and monitors
private banking relationships, particularly those that pose a higher risk for money
laundering.
Determine whether the institution’s system for monitoring private banking
relationships for suspicious activities, and for reporting of suspicious activities, is
adequate given the institution’s size, complexity, location, and types of customer
relationships.
Review the private banking compensation program. Determine whether it includes
qualitative measures that are provided to employees to comply with account opening
and suspicious activity monitoring and reporting requirements.
Review the monitoring program used to oversee the private banking relationship
manager’s personal financial condition and to detect any inappropriate activities.
Transaction Testing
On the basis of the institution’s risk assessment of its private banking activities, as
well as prior examination and audit reports, select a sample of private banking
accounts. The sample should include the following types of accounts:
• Politically exposed persons (PEPs).
• Private Investment Companies (PICs), international business corporations
(IBCs), and shell companies.
• Offshore entities.
• Cash-intensive businesses.
• Import or export companies.
• Customers from or doing business in a high-risk geographic location.
• Customers listed on unusual activity monitoring reports.
• Customers who have large dollar transactions and frequent funds transfers.
From the sample selected, perform the following examination procedures:
• Review account opening documentation and ongoing due diligence information.
• Review account statements and, as necessary, specific transaction details.
• Compare expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business.
• Identify any unusual or suspicious activity.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with private banking relationships.
Trust and Asset Management Services
The objective is to assess the adequacy of the institution’s policies, procedures,
processes, and systems to manage the risks associated with trust and asset
management services, and management’s ability to implement effective due
diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to trust and asset
management services.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s trust and asset management activities and the risks they
represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
Review the institution’s procedures for gathering additional identification information,
when necessary, about the settlor, grantor, trustee, or other persons with authority to
direct a trustee, and who thus have authority or control over the account, in order to
establish a true identity of the customer.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors trust and
asset management relationships, particularly those that pose a high risk for money
laundering.
Determine how the institution includes trust and asset management relationships in
institution-wide or, if appropriate, enterprise-wide AML/CFT aggregation systems.
Determine whether the institution’s system for monitoring trust and asset
management relationships for suspicious activities, and for reporting of suspicious
activities, is adequate given the institution’s size, complexity, location, and types of
customer relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its trust and asset management
relationships, as well as prior examination and audit reports, select a sample of high-risk
trust and asset management services relationships. Include relationships with
grantors and co-trustees, if they have authority or control, as well as any high-risk
assets such as Private Investment Companies (PICs) or asset protection trusts.
From the sample selected, perform the following examination procedures:
• Review account opening documentation to ensure that adequate due diligence
has been performed and that appropriate records are maintained.
• Review account statements and, as necessary, specific transaction details.
Compare expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business and the stated purpose of the account.
• Identify any unusual or suspicious activity.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with trust and asset management relationships.
Non‐resident clients
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with transactions involving accounts held by non-residents, and
management’s ability to implement effective due diligence, monitoring, and reporting
systems.
• Review the institution’s policies, procedures, and processes related to dealing
with non-residents.
• Evaluate the adequacy of the policies, procedures, and processes given the
institution’s dealings with non-residents and the risks they represent.
• Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors high-risk
non-residents’ accounts.
Determine whether the institution’s system of monitoring such accounts for
suspicious activities, and for reporting of suspicious activities, is adequate based on
the complexity of the institution’s relationships with non-residents, the types of
products used by non-residents, the home countries of these clients, and the source
of funds and wealth for these clients.
Transaction Testing
On the basis of the institution’s risk assessment of its dealings with non-residents, as
well as prior examination and audit reports, select a sample of such high-risk
accounts. Include the following risk factors:
• An account for a resident or citizen of a high-risk jurisdiction.
• Account activity is substantially currency based.
• A non-resident who uses a wide range of the institution’s services, particularly
correspondent services.
• A non-resident for whom the institution has filed a Suspicious Transaction Report
(STR).
From the sample selected, perform the following examination procedures:
• Review the customer due diligence information, including customer identification
program information, if applicable.
• Review account statements and, as necessary, transaction details to determine
whether actual account activity is consistent with expected activity. Assess
whether transactions appear unusual or suspicious.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with non-resident accounts.
Non‐Bank Financial Institutions
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with accounts of non-bank financial institutions (NBFIs), and
management’s ability to implement effective monitoring and reporting systems.
Determine the extent of the institution’s relationships with NBFIs and, for institutions
with significant relationships with NBFIs, review the institution’s risk assessment of
this activity.
1. Review the policies, procedures, and processes related to NBFI accounts.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s NBFI activities and the risks they represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors NBFI
accounts.
Determine whether the institution’s system for monitoring NBFI accounts for
suspicious activities, and for reporting of suspicious activities, is adequate given the
nature of the institution’s customer relationships.
Money Services Businesses
Determine whether the institution has policies, procedures, and processes in place
for accounts opened or maintained for money services businesses (MSBs) to:
• Confirm registration, if required.
• Confirm licensing, if applicable.
• Confirm agent status, if applicable.
• Conduct a risk assessment to determine the level of risk associated with each
account and whether further due diligence is required.
Determine whether the institution’s policies, procedures, and processes to assess
risks posed by MSB customers effectively identify higher risk accounts and the
amount of further due diligence necessary.
Transaction Testing
On the basis of the institution’s risk assessment of its MSB accounts, as well as prior
examination and audit reports, select a sample of high-risk MSB accounts. From the
sample selected, perform the following examination procedures:
• Review account opening documentation and ongoing due diligence information.
• Review account statements and, as necessary, specific transaction details.
Compare expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business and identify any unusual or suspicious activity.
On the basis of examination procedures completed, including transaction testing, form
a conclusion about the adequacy of policies, procedures, and processes associated
with MSB relationships.
Professional Service Providers
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with professional service provider relationships, and management’s
ability to implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to professional
service provider relationships.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s relationships with professional service providers and the risks
these relationships represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors
professional service provider relationships. (MIS reports should include information
about an entire relationship. For example, an interest on lawyers’ trust account may
be in the name of the law firm instead of an individual. However, the institution’s
relationship report should include the law firm’s account and the names and
accounts of lawyers associated with the trust account.)
Determine whether the institution’s system for monitoring professional service
provider relationships for suspicious activities, and for reporting of suspicious activities,
is adequate given the institution’s size, complexity, location, and types of customer
relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its relationships with professional
service providers, as well as prior examination and audit reports, select a sample of
high-risk relationships. From the sample selected, perform the following examination
procedures:
• Review account opening documentation and a sample of transaction activity.
• Determine whether actual account activity is consistent with anticipated (as
documented) account activity. Look for trends in the nature, size, or scope of the
transactions, paying particular attention to currency transactions.
• Determine whether ongoing monitoring is sufficient to identify potentially
suspicious activity.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with professional service provider relationships.
Non‐Governmental Organizations and Charities
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with accounts of non-governmental organizations (NGOs) and
charities, and management’s ability to implement effective due diligence, monitoring,
and reporting systems.
1. Review the policies, procedures, and processes related to NGOs.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s NGO accounts and the risks they represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors high-risk
NGO accounts.
Determine whether the institution’s system for monitoring NGO accounts for
suspicious activities, and for reporting of suspicious activities, is adequate given the
institution’s size, complexity, location, and types of customer relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its NGO and charity accounts, as
well as prior examination and audit reports, select a sample of high-risk NGO
accounts. From the sample selected, perform the following examination procedures:
• Review account opening documentation and ongoing due diligence information.
• Review account statements and, as necessary, specific transaction details.
• Compare expected transactions with actual activity.
• Determine whether actual activity is consistent with the nature of the customer’s
business.
• Identify any unusual or suspicious activity.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with NGO accounts.
Business Entities (Domestic and Foreign)
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with transactions involving domestic and foreign business entities,
and management’s ability to implement effective due diligence, monitoring, and
reporting systems.
1. Review the institution’s policies, procedures, and processes related to
business entities.
2. Evaluate the adequacy of the policies, procedures, and processes given the
institution’s transactions with business entities and the risks they present.
3. Assess whether the controls are adequate to reasonably protect the bank
from money laundering and terrorist financing.
Review the policies and processes for opening and monitoring accounts with
business entities. Determine whether the policies adequately assess the risk
between different account types. For example, determine whether policies
differentiate between shell companies and foreign business entities.
Determine how the bank identifies and, as necessary, completes additional due
diligence on business entities. Assess the level of due diligence the bank performs
when conducting its risk assessment.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the bank effectively identifies and monitors high-risk
business entity accounts.
Determine whether the bank’s system for monitoring business entities for suspicious
activities, and for reporting of suspicious activities, is adequate given the activities
associated with business entities.
Transaction Testing
On the basis of the bank’s risk assessment of its accounts with business entities, as
well as prior examination and audit reports, select a sample of these accounts.
Include the following risk factors, if possible:
• An entity organized in a high-risk jurisdiction.
• Account activity that is substantially currency based.
• An entity whose account activity consists primarily of circular-patterned funds
transfers.
• A business entity whose bearer shares are not under the institution’s or trusted
third-party control.
• An entity that uses a wide range of the institution’s services, particularly trust and
correspondent services.
• An entity owned or controlled by other nonpublic business entities.
• Business entities for which the institution has filed STRs.
From the sample selected, obtain a relationship report for each selected account. It
is critical that the full relationship, rather than only an individual account, be
reviewed.
Review the due diligence information on the business entity. Assess the adequacy of
that information.
Review account statements and, as necessary, specific transaction details. Compare
expected transactions with actual activity. Determine whether actual activity is
consistent with the nature and stated purpose of the account and whether
transactions appear unusual or suspicious. Areas that may pose a high risk, such as
funds transfers, private banking, trust, and monetary instruments, should be a
primary focus of the transaction review.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with business entity relationships.
Cash‐Intensive Businesses
The objective is to assess the adequacy of the institution’s systems to manage the
risks associated with cash-intensive businesses and entities, and management’s
ability to implement effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to cash-intensive
businesses.
2. Evaluate the adequacy of policies, procedures, and processes given the
institution’s cash-intensive business activities in relation to the institution’s
cash-intensive business customers and the risks that they represent.
3. Assess whether the controls are adequate to reasonably protect the institution
from money laundering and terrorist financing.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the institution effectively identifies and monitors
cash-intensive businesses and entities.
Determine whether the institution’s system for monitoring cash-intensive businesses
for suspicious activities, and for reporting of suspicious activities, is adequate given
the institution’s size, complexity, location, and types of customer relationships.
Transaction Testing
On the basis of the institution’s risk assessment of its cash-intensive business and
entity relationships, as well as prior examination and audit reports, select a sample of
cash-intensive businesses. From the sample selected, perform the following
examination procedures:
• Review account opening documentation information, if applicable, and a sample
of transaction activity.
• Determine whether actual account activity is consistent with anticipated account
activity.
• Look for trends in the nature, size, or scope of the transactions, paying particular
attention to currency transactions.
• Determine whether ongoing monitoring is sufficient to identify potentially
suspicious activity.
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with cash-intensive businesses and entities.
Casinos
The aim of the examination is to assess the effectiveness of the casino operator’s
AML/CFT internal controls through an assessment of the following:
1. The adequacy of the casino operator’s AML/CFT policies and procedures
including consideration of whether senior management is aware of staff
training programs and is willing to allocate budget and resources to ensure
that staff are aware of the casino’s AML/CFT policies and procedures;
2. The effectiveness of the casino operator’s internal control over AML/CFT,
including compliance with AML/CFT policies and procedures;
3. Compliance with reporting requirements; and
4. Procedures to identify and report suspicious transactions.
To assist the SIFIU to effectively undertake its compliance responsibilities, the SIFIU
should obtain an understanding of the casino operator’s business and its internal
controls through:
1. Reviewing the casino operator’s AML/CFT policies and procedures;
2. Documenting the flows in different areas of the business that are vulnerable to
money laundering and terrorist financing;
3. Identifying the control environment and assessing the risks;
4. Liaising with those members of the casino operator’s staff responsible for
AML/CFT compliance; and
5. Interviewing members of staff to test their knowledge of the casino operator’s
policies and procedures.
The SIFIU should also develop a risk assessment of the casino based on the
following:
1. The adequacy of the casino operator’s internal procedures to mitigate the
risks that arise from monetary transactions to protect the casino from being
used as a mechanism for money laundering and/or terrorist financing;
2. The casino operator’s ability to obtain identification information from
customers based on a risk profile of customers (e.g. low value players of slot
machines versus high-rollers) and to provide audit trails of transactions which
will be effective for any further investigation;
3. The casino operator’s ability to filter high-risk customers or transactions;
4. The effectiveness of identifying, reviewing and reporting suspicious
transactions.
In addition to performing the procedures outlined in the section “Policies” in this Part
of the manual, the SIFIU should also incorporate the following areas to review in its
compliance examinations of casinos.
Staff screening, awareness and training
The SIFIU should evaluate whether the following elements are in place in respect of:
1. Pre-employment screening to ensure that potential employees are ‘fit and
proper’ and have not been convicted of any criminal activities or are
associated with persons involved in criminal activities;
2. Conflicts of interest and if staff are required to disclose any interests they may
have which could affect their work;
3. If mechanisms are in place to ensure that information obtained in 1 & 2 above
is updated on a regular basis; and
4. Policies and procedures to report internal fraud or other activities which could
suggest that staff are behaving in a manner which is suggestive of criminal
activity.
The SIFIU should test the above areas through a review of policies, interviews with
staff to ascertain the effectiveness of training, reviews of training logs and schedules
and the ability of staff to identify suspicious transactions. In this regard, areas the
SIFIU should consider include:
1. How staff detect suspicious transactions;
2. How staff deal with circumstances where customers refuse to provide
identification; and
3. How staff maintain confidentiality to ensure that customers do not become
aware that a suspicious transaction report has been prepared.
Effectiveness of independent monitoring and review processes
The SIFIU should ensure that the independent review process:
1. Is conducted by parties independent of the AML/CFT compliance section;
2. That persons conducting the review are competent and have the appropriate
training/background;
3. Is conducted on a regular basis;
4. What testing and procedures are employed on the gaming areas;
5. If deficiencies identified are followed up in a timely manner and that a plan of
corrective action is put in place; and
6. Whether senior management have access to reports.
Effectiveness of PEP policies
The SIFIU should review policies and, if appropriate, assess the casino’s database
and evaluate:
1. At what point the screening process is done;
2. Whether the database has been developed internally, how often it is updated
and how it is kept up to date and maintained with lists of PEPs;
3. How the casino deals with:
a. Overseas PEPs;
b. Known money launderers, fraudsters, terrorists;
c. Persons with criminal records relating to financial crimes;
d. Individuals who may have been blacklisted by the casino or other
casinos operating in the Solomon Islands; and
e. Family members of casino employees.
4. Procedures employed by the casino to understand the source of funds; and
5. If the casino has any other procedures to identify and monitor persons of
concern.
To test the casino’s policies and procedures the SIFIU should:
1. Select a sample of customers who have been identified as PEPs;
2. Review documentation obtained by the casino on PEPs including
identification documents and the source of funds;
3. Assess whether the volume of funds brought into the casino by the PEP is
suggestive of unexplained sources of wealth or inconsistent with the income
of persons occupying similar positions.
Effectiveness of Customer Due Diligence policies
The SIFIU should review the casino’s CDD policies through:
1. The selection of a list of customers (the customers selected should have one or
more transactions that involve cheques, bank drafts or foreign currency);
2. Obtaining and reviewing documentation obtained by the casino on these customers;
3. In cases where the casino has opened an account for the customer, whether it
was opened in terms of the casino’s policy;
4. For those customers who have had a long standing relationship with the
casino, how the casino ensures that the information it has on that customer is
updated; and
5. How the casino identifies if there has been a change in the customer’s gaming
behaviour or monitors if there is an indication of minimal play and requests for
cashing out.
Effectiveness of STR reporting
The SIFIU should review the casino’s STR policies through:
1. A review of STR reporting processes to ensure that staff are fully aware of
their obligations and understand what constitutes a suspicious transaction;
2. Interview staff to determine if they are encouraged to report suspicious
transactions; and
3. A review of the STR log and evaluate the decision making process in relation
to those STRs that the casino’s compliance officer decides not to submit to
the SIFIU.
In addition, the SIFIU should compare the level of STRs reported across casinos to
determine if it is indicative of a lack of awareness on AML/CFT issues.
Effectiveness of CTR reporting
The SIFIU should review the casino’s CTR policies through:
1. A review of CTR reporting logs against large cash transactions received and
reports submitted to the SIFIU to ensure that no CTRs are missing;
2. Interviewing staff to ensure that they are aware of their obligations to report
large cash transactions;
3. Ensuring that staff who receive cash (at either gaming tables or at the cashier
desk) are aware of the reporting requirements and that they obtain all
necessary identification documentation; and
4. Review internal reports to management to ascertain whether management considers
whether any patterns of activity have been identified that constitute potential
suspicious activity that should be reported to the SIFIU.
In addition, the SIFIU should compare the level of CTRs reported across casinos to
determine if it is indicative of a lack of awareness on AML/CFT issues.
Insurance Intermediaries, Brokers and Agents
Insurance companies are different to banks in that they do not normally have a direct
relationship with a customer. Typically, but not always, customers arrange insurance
through an intermediary, such as a broker or agent. The objective is to assess the
adequacy of the insurance company’s systems to manage the risks associated with
insurance intermediaries, brokers and agents, and management’s ability to implement
effective due diligence, monitoring, and reporting systems.
1. Review the policies, procedures, and processes related to intermediaries,
brokers and agents’ relationships.
2. Evaluate the adequacy of the policies, procedures, and processes given such
activities and the risks that they present.
3. Assess whether the controls are adequate to reasonably protect the company
from money laundering and terrorist financing.
From a review of management information systems (MIS) and internal risk rating
factors, determine whether the insurance company effectively identifies and monitors
the relationships, particularly those that pose a high risk for money laundering.
Determine whether the company’s system for monitoring the relationships for
suspicious activities, and for reporting suspicious activities, is adequate given the
company’s size, complexity, location, and types of customer relationships.
Transaction Testing
On the basis of the company’s risk assessment of such activities, as well as prior
examination and audit reports, select a sample of high-risk intermediaries, brokers
and agents’ accounts. When selecting a sample, examiners should consider the
following:
• New relationships with intermediaries, brokers and agents.
• The method of generating funds, policyholders, etc (e.g., Internet, cold calling,
  etc.).
• Types of customers (e.g., non-resident or offshore customers, politically
  exposed persons, or non-residents).
• An intermediary, broker or agent that has appeared in the company’s
  Suspicious Transaction Reports (STRs).
• Subpoenas served on the company for a particular intermediary, broker or
  agent.
• Foreign funds providers.
• Unusual activity.
Review the customer due diligence information on the intermediary, broker or agent.
For intermediaries, brokers and agents who are considered high risk (e.g., they
solicit foreign funds, market via the Internet, or are independent brokers), assess
whether the following information is available:
• Background and references.
• Business and marketing methods.
• Client-acceptance and due diligence practices.
• The method for or basis of the broker’s compensation or bonus program.
• The broker’s source of funds.
• Anticipated activity or transaction types and levels (e.g., funds transfers).
On the basis of examination procedures completed, including transaction testing,
form a conclusion about the adequacy of policies, procedures, and processes
associated with intermediaries, brokers or agents.
PART 4 – POST EXAMINATION
Examination Conclusion
The EIC is responsible for reviewing and compiling the examination findings and
ensuring the conclusions and comments of the inspection, which will be presented to
the institution’s management, present a concise and balanced portrayal of an
institution’s condition and future prospects.
The assessment about the adequacy or otherwise of an institution’s ML/TF risk
management systems should reflect the overall examination findings and
conclusions and should be updated in the SIFIU’s file. The EIC should ensure that
the institution takes prompt corrective action for any problems found during the
examination and closely monitor the institution’s condition for any recurrence of
these or new problems.
Concluding meeting with management
At the conclusion of the visit, the team should discuss their impressions of the
institution and form some views on the adequacy, prudence and effectiveness of its
risk management systems before delivering the report to management. This is
important as it will ensure that the team has understood issues and also it allows the
team to identify examples to cite to the institution. It is no good going into the closing
meeting and making vague statements such as ‘there is a problem with …’.
Management will challenge you and it is therefore important to be able to back up
any statements with facts. It needs to be stressed that examiners are only looking at
a small sample of the institution’s business so it is reasonable to assume that if the
problems exist in a small sample then there could be bigger problems.
These judgments will be based on:
• Findings from file reviews;
• Information gained from discussions; and
• Comparisons with other institutions.
The closing meeting is normally held with the institution’s CEO and other senior staff.
During the meeting, the SIFIU will outline the impressions, observations and
comments of the team’s assessment of the institution’s AML/CFT risk management
systems. This provides an opportunity to raise any outstanding issues, and gives the
institution the opportunity to comment on the examination team’s thoughts and clarify
any matters that may have been misunderstood.
The institution should also be informed of the process following the visit and that a
letter will be sent to the institution formally advising the SIFIU’s
observations/concerns.
Report of Examination
The report of examination (ROE) should describe any problem with the procedures
maintained by the institution. The ROE will form the basis of the letter/report which
the SIFIU sends to the institution after the examination. If appropriate, it should
state clearly where the institution has either:
1. Failed to establish and maintain procedures that are reasonably designed to
assure and monitor the institution’s compliance with AML/CFT requirements;
and/or
2. Failed to correct any problem with the procedures which was previously
reported to the institution in a report of examination.
The SIFIU, and the CBSI if appropriate, may impose sanctions or take other
regulatory actions such as imposing fines for the violation of the MLPCA and the
regulations prescribed under the MLPCA. The ROE and letter to the institution
should clearly set out the SIFIU’s recommendations to the institution, strategy for
follow-up on remedies to address weaknesses identified and timing of corrective
actions. It should also set out cases recommended for investigation of suspicious
activities if necessary, as well as recommendations for the institution to file STR
reports to the SIFIU.
The ROE should include a conclusion regarding the adequacy of the institution’s
AML/CFT compliance program [4], discuss the effectiveness of each of these elements
of the institution’s compliance program, and indicate whether the program meets all
the regulatory requirements by providing the following:
• A system of internal controls.
• Independent testing for compliance.
• A designated/compliance person to coordinate and monitor the AML/CFT
  compliance program.
• Training of relevant personnel.
[4] The AML/CFT compliance program must also include a written customer due diligence Program
(CDD) appropriate for the institution’s size, location, and type of business.
The examiner should ensure that work papers are prepared in sufficient detail to
support issues discussed in the report of examination (ROE) and the letter to the
institution. Written comments should cover only areas or subjects pertinent to the
examiner’s findings and conclusions. All significant findings must be included in the
ROE. If applicable, and subject to resource constraints, the examiner should prepare
a discussion of the following items.
• Describe whether the institution’s policies and procedures meet regulatory
  requirements.
• Describe the board of directors’ and senior management’s commitment to
  AML/CFT compliance. Consider whether management has the following:
  o A strong AML compliance program fully supported by the board of
    directors/partners of the institution.
  o A requirement that the board of directors is kept informed of
    compliance efforts, audit reports, any compliance failures, and the
    status of corrective actions.
• Describe whether the institution’s policies, procedures, and processes for
  STR filings meet the regulatory requirements and are effective.
• Describe the institution’s recordkeeping policies, procedures, and processes.
  Indicate whether they meet the requirements.
Concerning the structure of the ROE, the following headings are offered as a guide:
o Introduction
o Executive Summary
o Senior executive or Board involvement in AML
o Policies and procedures
o Suspicious transaction reporting
o Customer Due Diligence
o Record Keeping
o Staff awareness and training
o Performance or audit testing
Letter to the institution on findings/observations
The letter provides the institution with formal advice of observations of the
examination. The letter should not contain any matters that were not raised at the
closing meeting, although there may be circumstances in which matters have
subsequently come to light and require clarification. As noted in the section above,
this letter will be based on the report of the examination. Alternatively, it may be a
covering letter to which the report of the examination is attached.
In drafting the letter care should be taken to avoid any favourable comment or
endorsement of a bank’s system – issues should be expressed as observations
rather than praise or criticism. The institution should be invited to comment on
observations made and, where remedial or other action is required to be taken, the
SIFIU should set a date by which time the institution should respond and the SIFIU
should ensure compliance with the requirement.
Subject to secrecy concerns, reports of examinations should be copied to the
institution’s board or Head Office and, if appropriate the CBSI.
A sample of a letter to a reporting institution of findings arising from an examination
is included in Attachment 4.
PART 5 – ADDITIONAL EXAMINATION PROCEDURES
This Part of the manual provides additional guidance to assist examiners to perform
on-site work and as such it builds on subjects covered in Part 3 of the manual.
Examiners will have to modify some aspects of these ‘templates’ to reflect different
classes of financial institution. Some of these additional guidance notes are industry
specific while others are applicable to all classes of financial institution subject to the
provisions of the MLPCA. Additional guidance material covers the following topics:
Annex 1 – Cash holdings (relevant to banks)
Annex 2 – Lending (relevant to banks)
Annex 3 – Correspondent banking (relevant to banks)
Annex 4 – Private Banking (relevant to banks)
Annex 5 – Wire/Funds Transfers (relevant to banks and money service providers)
Annex 6 – International companies & Trust companies (relevant to banks,
accountants and lawyers)
Annex 7 – Politically Exposed Persons (all classes of financial institution)
Annex 8 – Introduced Business (all classes of financial institution)
Annex 9 – Terrorist Financing (all classes of financial institution)
Annex 10 – Internal Audit/Independent testing (all classes of financial institution)
Annex 11 - Money Service Businesses
As noted in Part 2 of this manual, the examination objectives across each of these
areas can be summarised as:
1. To assess the adequacy of existing risk management policies, practices,
procedures and training governing the area being reviewed with respect to
ML/FT risks.
2. To determine if the staff of the financial institution, e.g. including employees,
officers and directors are operating in compliance with their internal policies
and procedures. These policies and procedures should at a minimum reflect
the requirements of the MLPCA and any guidelines issued by the SIFIU.
3. To determine the scope and adequacy of work performed by the internal and
external audit functions in addressing AML/CFT activities as they relate to the
business area/activity.
4. To determine that the institution’s senior management is informed of the status
and exposure relative to the business area/activity with regard to ML/FT.
5. To determine if the activities are being adequately monitored.
6. To determine compliance with relevant laws and regulations.
7. To initiate corrective action when policies, practices, procedures or internal
controls are deficient or when violations of law or regulations have been
discovered.
Included as attachments are work sheets designed to assist examiners to complete
aspects of the on-site examination (i.e. aspects of the examination relating to
transaction testing such as reviewing account opening documentation or wire
transfers).
It is important to note that these worksheets along with the templates (Annexes 1 to
11), provide guidance on the issues to look for when reviewing files/conducting
on-site examination. It is important therefore when reviewing files or completing
the work-program not to simply fill in the line sheets, but instead to think
about each aspect of the individual file or examination component relative to
the institution’s AML/CFT risk management systems.
Annex I: Cash Holdings
Every bank maintains a certain amount of currency, and accepts cash deposits from
account holders. On certain occasions the bank may accept cash from non-account
holders to facilitate wire/funds transfers or other banking services. The amount of
cash will vary from bank to bank, depending on the anticipated needs of customers.
Banks must be especially diligent when accepting or completing cash transactions,
to ensure that they are not enabling the placement of cash from crime into the
system. Care must be taken to determine the source of the cash.
Procedures | Comments/Work Papers
Internal Control Inquiries:
1. Has the Board of Directors adopted
written AML/CFT policies and
procedures governing cash transactions?
2. Are these policies reviewed and
approved by the Board of Directors?
3. What is the date of the last revision of
the policy?
4. Does the bank provide training to staff to
help them acquire the skills to detect
money laundering through cash
transactions? How often?
5. Does the Internal Audit Department
review the cash/teller areas for money
laundering concerns?
6. What system is in place to monitor large
volumes of cash transactions, both for
the bank as a whole and on an individual
account basis?
7. What procedures does the bank have in
place for determining if a loan drawdown
in cash of an amount in excess of the
MLPCA reporting threshold is
suspicious?
8. What procedures does the bank have in
place to ensure that the nature of cash
withdrawals in excess of the reporting
threshold specified in the MLPCA (large
cash transaction) is fully justified?
9. Does the branch have records reflecting
the cash shipped to and from
correspondent banks and between bank
branches?
10. What is the procedure in place for
reviewing those records (logs)?
11. Is a review performed of the teller cash
transactions to identify unusual
transactions, volumes, etc.?
12. Is a review performed of the teller
transactions to detect cash deposits into
several accounts that are subsequently
consolidated into one account for further
disposition, e.g. wire transfer?
13. What other procedures are performed
that would identify trends, consistency,
etc. in cash deposits?
14. Do the tellers ask the customer the
“source” of large cash deposits? Is that
information recorded on the deposit slip
or some other bank record? If the source
of the cash seems unusual to the teller,
what is the process that the teller
follows?
15. Does the bank accept cash from non-customers
to initiate funds transfers or
other transactions?
Testing Procedures:
1. Select a sample of __ days, and review
teller operations, including daily cash
registers, tapes, computer-generated
reports and other documents that
support cash activity to identify unusual
activity. Ensure that the ATM teller
information is included in this sample.
2. Determine the use of the cash (deposit,
wire transfer, purchase of monetary
instruments, etc.) for the above sample.
3. Obtain and review the management
information systems’ (MIS) reports used
to monitor suspicious activity.
4. Review and determine the adequacy of
the bank’s system for monitoring,
identifying, reviewing and reporting
suspicious activity as it relates to cash
transactions.
Annex 2: Lending
The credit/lending function of financial institutions is seldom thought of as a channel
for money laundering activities. However, recent investigations have discovered that
the granting of credit to customers can facilitate money-laundering activities. Bulk
repayments to a loan, a sudden payoff of a large loan without proper explanation as
to the source of repayment or the transferring of proceeds from a line of credit to
countries where the customer does not normally do business could indicate possible
money laundering activities, as could loans secured by cash or negotiable collateral
without adequate explanation of the purpose of the loan.
Procedures | Comments/Work Papers
Internal Control Inquiries:
1. Has the Board of Directors adopted
written AML/CFT policies and
procedures for credit extension and loan
administration?
2. Are these policies reviewed and
approved by the Board of Directors?
3. What is the date of the last revision of
the policy?
4. Does the bank provide training to staff to
help them acquire the skills to detect
money laundering in the credit/lending
area? How often?
5. Does the Internal Audit Department
review the credit/lending area for money
laundering concerns?
6. Are copies of identification
documentation obtained in support of the
loan application law maintained in the
customer loan file?
7. Are the loan files reviewed on a periodic
basis or when a change to the customer
information is made to ensure continued
compliance with CDD obligations?
8. Does the bank have a process for
checking the source, nature and type of
the collateral offered by the borrowers to
ascertain its source and lawfulness?
9. Does the bank have a process in place
for reviewing non-scheduled loan
payments, pay downs, pre-payments,
and early payoffs to determine if the
source of repayment appears reasonable
and is consistent with the information
obtained at the time the loan was
granted?
Testing Procedures:
1. Obtain the credit/lending policies and
procedures and review for adequacy and
inclusion of AML/CFT issues, including
the retention period of required
credit/lending information.
2. Select a sample of credits/loans granted
within the last 12 months, or since the
last AML/CFT examination. Ensure that
the sample includes loans to both
individuals and businesses, and also
includes credits/loans granted to “high
risk” customers, activities, etc.
3. For the credit/loan file sample selected in
Step 2, perform the following steps:
• Review the obtained customer
  information for both borrowers and
  guarantors for compliance with the
  MLPCA, and with bank policies and
  procedures on customer identification
  and verification.
• Verify the stated loan purpose
  against documentation in file and
  determine that final disposition of the
  credit/loan proceeds was in
  accordance with the stated purpose.
  Pay particular attention to whether
  the proceeds were unexpectedly
  channeled for a different purpose
  or transferred to an offshore
  jurisdiction.
• Review the performance of the
  loans, paying particular attention to
  the repayment record. Determine
  that payments are being made in
  accordance with the terms of the
  loan.
• Compare the initial cash flow
  projections to the actual repayment
  history for consistency, and note any
  irregularities, such as large cash pay
  downs, pre-payments, and early
  repayments. Determine if inquiry was
  made by bank personnel into any
  irregular payments received and that
  any unresolved inquiries or
  unexplained payment sources were
  brought to the attention of the Money
  Laundering Reporting Officer or
  designated individual, for further
  investigation and reporting.
• Ensure that loan customers have
  submitted financial statements in
  accordance with the loan covenants.
  Compare the results of the business
  operations to the expected activity
  obtained at the time the loan was
  granted for reasonableness.
4. Obtain a listing of the loans secured by
cash or negotiable collateral. Select a
sample of these loans, review the loan
files and discuss with the lending officer
the rationale for granting the loan under
these circumstances.
Annex 3: Correspondent Banking
Each bank must assess the level of risk associated with each of its cross-border
correspondent banking and other similar account relationships through proper due
diligence. Sufficient information should be gathered to fully understand the nature of
the respondent's business. The level of perceived risk in each account relationship,
including the availability of the account to third parties, should dictate the nature of
risk management. Cross-border correspondent banking business would be
considered higher risk especially where banks do not fully understand the nature of
the respondent banks’ business, or where the respondents are shell banks or are
located in jurisdictions which have weak AML/CFT regimes.
It is important to ensure that the banks have written policies and procedures outlining
the authority, rules and framework in which to operate and administer cross-border
correspondent banking relationships effectively.
Procedures | Comments/Work Papers
Internal Control Inquiries:
1. Has the Board of Directors adopted written
AML/CFT policies governing cross-border
correspondent banking activities?
2. Does the Board of Directors review and
approve the policies at least annually to
determine their adequacy in light of
changing conditions?
3. Is Senior Management approval required
before establishing a new cross-border
correspondent banking relationship?
4. How are the responsibilities for the
respondent and co-respondent institutions
documented?
5. Is the Bank prohibited from establishing
cross-border correspondent relationships
with offshore or “Shell” banks? Does the
bank obtain documentation to ensure that
the applicant correspondent bank is not a
shell bank?
6. Does management determine that the
correspondent bank is not located in a
jurisdiction that does not adequately apply
international AML/CFT standards? Does the
policy prohibit doing business with banks
located in these jurisdictions?
7. How does management determine if the
correspondent bank has an effective
AML/CFT program and if there is effective
regulatory supervision within the jurisdiction
of the correspondent bank?
8. Does the bank maintain a file for each
correspondent banking relationship,
recording the performance of customer due
diligence (CDD) measures?
9. Is the information file verified and updated
on a regular basis? If so, how often is this
process performed?
10. Does the cross-border correspondent
relationship involve the maintenance of
“payable through accounts”? If so, is the
bank satisfied that its customer (the
respondent financial institution):
• Has performed all normal CDD
obligations for its customers that have
direct access to the accounts of the
correspondent financial institution, and
• The respondent financial institution is
able to provide relevant customer
identification data upon request.
11. Does the bank have procedures in place for
closing the correspondent accounts if
required documentation is not obtained
within the specified time frames?
12. Has the bank closed any correspondent
accounts due to noncompliance?
13. Does management determine if the
correspondent account is accessible by third
parties and if so, is recordkeeping adequate
to determine who has access to the
account? How do they identify the third
party?
14. Does the bank have a system in place to
monitor activity in correspondent bank
accounts in order to identify suspicious
activity?
15. Does the bank assess on a consistent basis
the frequency, type, and volume of account
activity and whether the activity is consistent
with management’s expectations through
the use of the above system?
Testing Procedures:
1. Determine the scope of the examination
based on an evaluation of internal control
information received above and gathered
through interview and the work performed
by internal/external auditors.
2. Obtain the correspondent banking policies
and procedures and review for adequacy
and inclusion of AML/CFT issues. Determine
if the policies and procedures are reviewed,
updated and approved on a regular basis.
3. Review any specific issues raised both in
the internal and external audit reports and
examination reports and determine that
corrective action has been taken or is in
progress.
4. Obtain a list of all correspondent banking
accounts and determine whether shell
accounts are maintained. If shell bank
correspondent accounts are maintained,
these should be closed.
5. Select a sample of ____ correspondent
banking accounts, established since the last
inspection and perform the following review:
a) Determine if the institution has obtained
the following information as part of its
CDD program for each correspondent
banking relationship:
• Nature of the correspondent bank’s
business.
• Pattern of ownership (if not publicly
traded) and management information
regarding the correspondent bank.
• Financial statements, creditworthiness,
and verification of the correspondent’s
banking license.
• Publicly available information regarding
the reputation of the institution and
quality of supervision.
• Evaluation of the overall adequacy of
banking supervision in the jurisdiction of
the respondent bank.
• A clear and documented understanding
of the nature, frequency and volume of
expected transactions between the
institution and the correspondent bank.
• Assessment of the correspondent’s
AML/CFT controls to determine if they
are adequate and effective.
• Approval of senior management before
establishing new correspondent
relationships to ensure that the CDD
procedures were performed, including
verification that the correspondent bank
is not located in a money laundering
haven.
b) Evaluate the adequacy of the
information obtained above and note any
exceptions.
6. Select a sample of _____ correspondent
banking monitoring reports or
documentation of account transaction review
and determine that items identified as
unusual were investigated and resolved.
Review the decision made by bank
management for appropriateness and
determine that sufficient and proper
documentation has been maintained to
support the judgment as to whether or not
the transaction was suspicious.
7. Review the reports selected in Step 6 for
possible suspicious activity that was not
identified by bank officials. Determine why
the activity was not identified.
8. For transactions determined to be
suspicious by management in Step 6,
determine whether the activity was reported
to the Financial Intelligence Unit, as well as
senior management of the bank.
9. Select a sample of _____ correspondent
bank accounts that were established before
the current examination period and review
the bank’s on-going due diligence efforts to
maintain the customer profile and
documentation updated.
10. If the correspondent banking account is
used as a payable-through-account by third
parties, review the internal control systems
in place and the adequacy of risk
management systems to determine the
identity of the person who has such access.
11. Discuss the results of the review with
appropriate bank officials and follow up on
outstanding items.
12. Update work papers with information that
will facilitate future examinations and follow
up.
Annex 4: Private Banking/Trust activities
Because private banking and trust activities expose banks to greater reputation and
legal risks than some other areas, examiners must make sure that banks have the
necessary risk management systems, controls, and measures in place to identify,
measure, control, and monitor ML and FT risks. For this type of activity, the banks
should be required to perform enhanced due diligence measures.
Private banking and trust services consist of comprehensive financial services
offered to high net worth individuals. A private banking account is commonly defined
as an account (or any combination of accounts) that: i) requires a minimum
aggregate deposit of funds or other assets over an established amount; ii) is
established on behalf of one or more individuals who have a direct or beneficial
ownership interest in the account; and iii) is assigned to, or is administered or
managed by, in whole or in part, an officer, employee, or agent of a financial
institution acting as a liaison between the financial institution and the direct or
beneficial owner of the account.
It is important to ensure that the banks have written policies and procedures outlining
the authority, responsibilities, rules and framework in which to operate and
administer the private banking and trust functions effectively.
Procedures | Comments/work papers
Internal Control Inquiries:
1. Has the board of directors adopted
written AML/CFT policies governing
private banking and trust operations?
2. Are these policies reviewed and updated
at least annually by the Board of
Directors in light of changing conditions?
3. Does the bank maintain files for all
customers that conduct private banking?
4. Is the file information confirmed and
updated on a regular basis? If so, how
often is this process performed?
5. Does the Bank require all appropriate
information required to identify the
customer and verify the information
obtained from the customer before
establishing the account relationship?
6. Before establishing the account, does
the bank ascertain the identity of the true
and beneficial owners of the account,
along with the source of funds deposited
into the account?
7. For trust accounts, does the bank also
ascertain the beneficiary name, the
settlor’s name and the trustee’s name?
8. Does the bank perform a review of all
new account documents to ensure that
adequate due diligence is being
performed and documented at account
opening?
9. Does the bank have in place a system to
monitor missing file documentation? If
the appropriate documentation is not
obtained within the required timeframe, is
the account closed?
10. Are private banking/trust account
relationships approved by senior
management?
11. Does management perform enhanced
due diligence on private banking and
trust customers and transactions?
12. Does bank management obtain
information on the clients' source of
wealth and source of funds?
13. Does the bank obtain references from
known third parties, including previous
banking relationships?
14. Does the bank verify the good standing
and legal establishment of business
customers?
15. Does the Bank require visits to places
of business to corroborate that the
business actually exists? Are written
contact/visitation reports documenting
such visits required and included in the
customer account file?
15. Does the bank have a system in place to
monitor private banking and trust
transaction activity in order to identify
unusual account activity?
16. Does the bank report suspicious activity
in a timely manner and through the proper
channels once it has been identified?
17. Does the bank apply enhanced due
diligence measures for accounts
established by or on behalf of politically
exposed persons (PEP), an immediate
family member, or close associate, to
guard against laundering the proceeds of
crime?
18. Does the scope and work of the auditors
(internal/external) include an evaluation
of internal controls and customer due
diligence measures with respect to
ML/FT risks?
19. Does the bank have systems in place to
conduct enhanced ongoing monitoring of
private banking/trust business
relationships?
20. Does the bank have a formal training
program in place? If so, does it include
private banking/trust activities?
Testing Procedures:
1. Obtain the private banking and trust
policies and procedures and review for
completeness, adequacy, Board of
Directors’ approval and inclusion of
AML/CFT issues. Policies and
procedures should include at a minimum:
• The acceptance and approval of new
accounts
• Referral requirements
• Determination of source(s) of wealth
• Determination of the source(s) of
funds, and
• Determination of the level and type of
expected account activity.
2. Select a sample of _____ private
banking and trust accounts opened since
the previous examination and review the
files for completeness of information and
documentation as required by the
MLPCA.
3. Document the procedure followed by the
Bank for performing ongoing due
diligence and monitoring private banking
and trust account activity for unusual
transactions, including the frequency of
the review, adequacy of the reports to
capture the relevant account activity,
level of bank official performing the
review, follow-up procedures, etc.
4. Select a sample of _____ monitoring
reports and determine that items
identified as unusual were examined and
results properly documented. Review the
decision made for appropriateness and
determine that sufficient and proper
documentation has been maintained to
support the conclusion as to whether or
not the transaction was suspicious.
5. Review the reports selected in Step 4 for
possible suspicious activity that was not
identified by Bank officials. Determine
why the activity was not identified.
6. For transactions determined to be
suspicious, determine that the activity
was reported to the appropriate
competent authorities, as well as senior
management of the bank.
7. Discuss the results of the examination
with senior management and follow up
on outstanding issues.
8. Update work papers with information that
will facilitate future examinations and
follow up.
9. Obtain a copy of the training program
and courses delivered addressing the
areas of private banking/trust. Review
the frequency, content of the courses
and coverage of training provided.
Ensure that all individuals responsible for
private banking/trust aspects are
receiving timely and ongoing training.
Annex 5: Wire/Funds Transfer
Wire/Funds transfers are frequently used as a vehicle to facilitate money laundering,
due to the speed, liquidity and global reach of the transfer systems. It is important to
ensure that the banks have written policies and procedures outlining the authority,
rules and framework in which to facilitate and administer wire/funds transfers
effectively.
Procedures
Comments/Work Papers
Internal Control Inquiries:
1. Has the Board of Directors adopted
written AML/CFT policies and
procedures for wire/funds transfer
transactions?
2. Are these policies reviewed and
approved by the Board of Directors?
3. What is the date of the last revision of
the policy?
4. Does the bank provide training to
staff to help them acquire the skills to
detect illicit wire/funds transfer
transactions?
5. Does the Internal Audit Department
audit the wire/funds transfer area for
money laundering concerns?
6. Does the bank send or receive
wire/funds transfers to or from
financial institutions abroad?
7. Do bank personnel check the wires to
determine that the amounts, frequency
and countries are consistent with the
business and occupation of the customer?
8. Does the bank retain wire/funds
transfer records in accordance with
mandated recordkeeping
requirements of the AML law?
9. Does the bank originate wire/funds
transfers for non-account holders?
10. If yes, what information is captured
and retained regarding the sender or
recipient?
11. If cash is accepted for wire/funds
transfers, does the bank require
proper identification and maintain
documentation?
12. Does the bank have procedures in
place for monitoring accounts with
wire/funds transfer activity?
13. Does the bank capture and retain the
following customer information for
each wire/funds transfer originated by
an account holder?
• Name and address of originator
• Amount of payment
• Execution date of the payment order
• Payment instructions
• Identity of the beneficiary bank
• As many of the following items as are
received with the payment order:
o Name and address of the beneficiary
o Account number of the beneficiary
o Any other specific identifier of the
beneficiary
6. Are MIS (computer system) reports
available to bank personnel to aid in the
wire/funds transfer review process?
7. Is the MLRO/Compliance Officer
involved in the review process?
8. If unusual transactions or trends are
noted during the monitoring process, are
these investigated and resolved with
involvement from the MLRO/Compliance
Officer?
Testing Procedures:
1. Obtain the wire/funds transfer policies
and procedures and review for
adequacy and inclusion of AML law
and regulation provisions, including
the retention period of required
wire/funds transfer information.
2. Analyze the volume of wire/funds
transfer activity within the bank since
the last examination. Does the
volume appear reasonable given the
bank’s size, location and nature of
customer account relationships? Is
the volume reasonable as compared
to previous volume activity over a
comparable period?
3. Select a sample of existing accounts
with wire/funds transfer activity and
review the activity for a determined
period of time. Review the account
activity for consistency with the stated
purpose and use of the account
obtained at account opening, trends,
high volumes and amounts, etc.,
noting items that may appear unusual
warranting additional investigation.
Certain warning signals to note would
include:
• Customers who experience increased
wire/funds transfer activity when
previously there has been no regular
wire/funds transfer activity.
• International wire/funds transfers for
accounts with no history of such
wire/funds transfers or where the
stated business of the customer
does not warrant such activity.
• Customers who receive many small
incoming wire/funds transfers or
deposits of checks and money
orders then request wire/funds
transfer to another city or country.
• Customers who use wire/funds
transfers to move large amounts of
money to a bank secrecy haven
country.
Perform follow up on unusual activity
identified through the above review.
4. Select a sample of outgoing
wire/funds transfers from the original
transfer request forms (select for
account and non-account holders)
and determine if the required
information is being obtained,
transmitted and retained.
5. Select a sample of incoming and
outgoing wire transfers transacted
since the last examination and test for
compliance with bank policies and
procedures relating to AML.
Annex 6: International Companies & Trust Companies
Because international companies’ and trusts’ activities may expose banks to greater
reputation and legal risks than some other areas, inspectors must make sure that
banks have the necessary risk management systems, controls, and measures in
place to identify, measure, control, and monitor ML/FT risks. For this type of activity,
the banks should be required to perform enhanced due diligence measures that
would identify the ultimate beneficial owners.
Procedures
Comments/Work Papers
Internal Control Inquiries
1. Has the board of directors adopted written
AML/CFT policies governing international
business companies and trust operations?
2. Are these policies reviewed and updated at
least annually by the Board of Directors in
light of changing conditions?
3. Does the reporting institution maintain files
for all international business companies and
trusts?
4. Is the file information confirmed and updated
on a regular basis? If so, how often is this
process performed?
5. Does the reporting institution obtain all
appropriate information required to identify
the customer, and verify the information
obtained from the customer before
establishing the account relationship?
6. Before setting up the account, does the
reporting institution ascertain the identity of
the true and beneficial owners of the
account, along with the source of funds to
be deposited in the account?
7. For international business companies, does
the reporting institution also ascertain the
shareholder’s name, director’s name and
secretary’s name?
8. For bearer share companies and nominee
shareholder companies, are the ultimate
beneficial owners identified?
9. For trust accounts, does the reporting
institution also ascertain the ultimate
beneficiary’s name, the settlor’s name and
the trustee’s name?
10. Does the reporting institution undertake a
review of all new account documents to
ensure that adequate due diligence has
been performed and documented at account
opening?
11. Does management perform enhanced due
diligence on international business company
and trust customers?
12. Does the reporting institution have in place a
system to monitor missing file
documentation? If the appropriate
documentation is not obtained within the
required timeframe, is the account closed?
13. Are international company/trust account
relationships approved by senior
management?
14. Does the reporting institution’s management
obtain information on the clients' source of
wealth and source of funds?
15. Does the reporting institution obtain
references from known third
parties/intermediaries, including previous
banking relationships?
16. Does the reporting institution verify the good
standing and legal establishment of
business customers?
17. Does the reporting institution require visits to
places of business to corroborate that the
business actually exists? Are written
contact/visitation reports documenting such
visits required and included in the customer
account file?
18. Does the reporting institution have a system
in place to monitor international business
company and trust transaction activity in
order to identify unusual account activity?
19. Does the reporting institution report
suspicious activity in a timely manner and
through the proper channels once it has
been identified?
20. Does the reporting institution apply
enhanced due diligence measures for
accounts established by or on behalf of
politically exposed persons (PEP), an
immediate family member, or close
associate, to guard against laundering the
proceeds of crime?
21. Does the scope and work of the auditors
(internal/external) include an evaluation of
internal controls and CDD measures with
respect to ML/FT risks?
22. Does the reporting institution have systems
in place to conduct enhanced ongoing
monitoring of international business
company/trust business relationships?
23. Does the reporting institution have a formal
training program in place? If so, does it
cover international business company/trust
activities?
Testing Procedures
1. Obtain the policies and procedures for
the reporting institution’s international
business company and trust activities
and review for completeness, adequacy,
Board of Directors’ approval and
inclusion of AML/CFT issues. Policies
and procedures should include at a
minimum:
• The acceptance and approval of new
accounts;
• Referral requirements;
• Determination of source(s) of wealth;
• Determination of the source(s) of
funds; and
• Determination of the level and type of
expected account activity.
2. Select a sample of _____ international
company and trust accounts opened
since the previous examination and
review the files for completeness of
information and documentation as
required by the applicable laws and
regulations.
3. Document the procedure followed by the
reporting institution for performing
ongoing due diligence and monitoring
international business company and trust
account activity for unusual transactions,
including the frequency of the review,
adequacy of the reports to capture the
relevant account activity, level of bank
official performing the review, follow-up
procedures, etc.
4. Select a sample of _____ monitoring
reports and determine that items
identified as unusual were examined and
results properly documented. Review the
decision made for appropriateness and
determine that sufficient and proper
documentation has been maintained to
support the conclusion as to whether or
not the transaction was suspicious.
5. Review the reports selected in Step 4 for
possible suspicious activity that was not
identified by bank officials. Determine
why the activity was not identified.
6. For transactions determined to be
suspicious, determine that the activity
was reported to the SIFIU, as well as
senior management of the bank.
7. Obtain a copy of the training program
and courses delivered addressing the
areas of international business
companies/trusts. Review the frequency,
content of the courses and coverage of
training provided. Ensure that all
individuals responsible for international
business company/trust aspects are
receiving timely and ongoing training.
8. Discuss the results of the examination
with senior management and follow up
on outstanding issues.
9. Update work papers with information that
will facilitate future examination and
follow up.
Annex 7: Politically Exposed Persons
Politically Exposed Persons (PEPs) are individuals who are or have been entrusted
with prominent public functions in a foreign country, for example, Heads of State or
of government, senior politicians, senior government, judicial or military officials,
senior executives of state owned corporations, important political party officials.
Business relationships with family members or close associates of PEPs involve
reputational risks similar to those with PEPs themselves. The definition is not
intended to cover middle ranking or more junior individuals in the foregoing
categories.
It is important to ensure that banks and other institutions have appropriate risk
management systems to determine whether the customer is a PEP; require senior
management approval for establishing business relationships with such customers;
take reasonable measures to establish the source of wealth and source of funds;
and conduct enhanced ongoing monitoring of the business relationship.
Procedures
Comments/Work Papers
Internal Control Inquiries
1. Does the reporting institution have
written AML/CFT KYC procedures for
PEPs?
2. Does the reporting institution use
comprehensive data sources to identify
PEPs, such as software programs, e.g.,
WorldCheck, national lists, international
lists?
3. Do the owners or Board of Directors or
the Board’s nominee review the policies
at least annually to determine their
adequacy in light of changing conditions?
4. Does the reporting institution apply
enhanced due diligence measures for
accounts established by or on behalf of
PEPs, an immediate family member, or
close associate, to guard against
laundering of the proceeds of crime?
5. Does the reporting institution take
reasonable measures to establish the
source of funds and wealth?
6. Does the reporting institution conduct
ongoing monitoring of PEP account
transactions?
7. Is a suspicious transaction report filed
with the SIFIU for any suspicious
transactions or trends detected?
8. How many suspicious reports have been
filed since the last examination?
Testing Procedures
1. Obtain the reporting institution’s policies
and procedures and review for adequacy
and inclusion of AML/CFT issues relating
to PEPs. Policies and procedures should
include at a minimum:
a. The acceptance and approval of new
accounts by senior management
b. Determination of source(s) of wealth
c. Determination of the source(s) of
funds, and
d. Determination of the level and type of
expected account activity.
2. From your sample of _______ customer
accounts opened since the previous
examination, is the customer a PEP? If
“no”, stop here. If “yes”, go to Step 3.
3. Was senior management approval
obtained for opening of the account?
4. Was the source(s) of wealth and/or
fund(s) adequately identified and
verified?
5. Does the customer profile include the
expected level and type of account
activity?
6. Document the procedure followed by
the reporting institution for performing
ongoing due diligence and monitoring
PEP account activity for unusual
transactions, including the frequency of
the review, adequacy of the reports to
capture the relevant account activity,
level of the bank official performing the
review, and follow-up procedures.
7. Select a sample of _____ PEP
monitoring reports and determine that
items identified as unusual were
examined and results properly
documented. Review the decision made
for appropriateness and determine that
sufficient and proper documentation
has been maintained to support the
conclusion as to whether or not the
transaction was suspicious.
8. Review the reports selected in Step 7
for possible suspicious activity that was
not identified by employees of the
reporting institution. Determine why the
activity was not identified.
9. For transactions determined to be
suspicious, determine that the activity
was reported to the FIU, as well as
senior management of the reporting
institution.
10. Obtain a copy of the training program
and courses delivered addressing the
area of PEPs. Review the frequency,
content of the courses and coverage of
training provided. Ensure that all
individuals responsible for PEP
accounts are receiving timely and
ongoing training.
11. Discuss the results of the examination
with senior management and follow up
on outstanding issues.
12. Update work papers with information
that will facilitate future examinations
and follow up.
Annex 8: Introduced Business
Intermediaries can be financial institutions, DNFBPs or other reliable persons or
businesses that introduce business to reporting institutions.
Procedures
Comments/Work Papers
Internal Control Inquiries
1. Does the reporting institution have adequate
written AML/CFT know-your-customer
procedures for use of intermediaries?
2. Does the reporting institution conduct
adequate due diligence on its intermediaries
which includes requirements that:
a. they are subject to adequate
supervision?
b. they have measures in place to conduct
CDD?
c. they operate in countries that adequately
apply the FATF recommendations?
3. Does the reporting institution immediately
obtain the necessary CDD information
from the intermediary for
intermediary introductions?
4. Does the reporting institution require
confirmation from the intermediary that
copies of identification data and other
relevant CDD documentation will be made
available from the intermediary upon request
without delay?
5. Does the reporting institution recognize that
it is ultimately responsible for customer
identification and verification of intermediary
introductions?
Testing Procedures
1. Obtain the reporting institution’s policies and
procedures and review for adequacy and
inclusion of AML/CFT issues relating to
intermediaries. Policies and procedures
should include at a minimum:
a. Due diligence on intermediaries;
b. Requirement to immediately obtain CDD
information for intermediary
introductions;
c. Requirement for confirmation from the
intermediary that copies of identification
data and other relevant CDD
documentation will be made available
from the intermediary upon request
without delay; and
d. Acceptance that the bank is ultimately
responsible for customer identification
and verification of intermediary
introductions.
2. From your sample of _______ customer
accounts opened since the previous
examination, was the customer introduced by
an intermediary? If “no”, stop here. If “yes”, go
to Step 3.
3. Was due diligence conducted on the
intermediary, including whether:
a. they are subject to adequate
supervision?
b. they have measures in place to conduct
CDD?
c. they operate in countries that adequately
apply the FATF Recommendations?
4. Did the reporting institution immediately
obtain from the intermediary the necessary
CDD information?
5. Does the file contain a confirmation letter
from the intermediary that copies of
identification data and other relevant CDD
documentation will be made available from
the intermediary upon request without
delay?
6. Obtain a copy of the training program and
courses delivered addressing the area of
use of intermediaries. Review the frequency,
content of the courses and coverage of
training provided. Ensure that all individuals
responsible for opening accounts using
intermediaries are receiving timely and
ongoing training.
7. Discuss the results of the examination with
senior management and follow up on
outstanding issues.
8. Update work papers with information that
will facilitate future examinations and follow
up.
Annex 9: Terrorist Financing
Procedures
Comments/Work Papers
Internal Control Inquiries
1. Does the reporting institution have written
procedures for CFT?
2. Does the reporting institution have any
software or databases which monitor for
possible terrorist financing activities or is it
done manually? If “yes”, list.
3. Does the reporting institution regularly
receive updated “terrorist” lists from the
SIFIU (or other agencies)?
4. If “yes”, does the reporting institution
regularly update its database using these
lists?
Testing Procedures:
1. Obtain the reporting institution’s policies and
procedures and review for adequacy and
inclusion of CFT issues. Policies and
procedures should include:
a. Checks against the appropriate lists
whether manually or through a
computerized database or software
program.
b. Reporting of suspicious activities,
including attempted transactions.
2. From your sample of _______ customer
accounts opened since the previous
examination, was the customer a suspected
terrorist after performing a thorough check
against the various lists? If “no”, stop here
and go to Step 6. If “yes”, go to Step [3?].
3. Was the account opened? If “yes”, was
there any reason noted on the file?
4. Was an STR filed with the FIU?
5. How many STRs relating to terrorist
financing have been filed with the SIFIU
since the last examination?
6. Obtain a copy of the training program and
courses delivered addressing the area of CFT.
Review the frequency, content of the
courses and coverage of training provided.
Ensure that all individuals responsible for
opening and monitoring of accounts are
receiving timely and ongoing training relating
to CFT.
7. Discuss the examination results with senior
management and follow up on outstanding
issues.
8. Update work papers with information that
will facilitate future examinations and follow
up.
Annex 10: Internal Audit/Independent Review
Testing Procedures:
1) Review the reporting institution’s written
internal audit/independent review
procedures and determine that the internal
audit function provides for compliance with
the MLPCA. If the institution does not have
an internal audit function, determine that a
program of management reviews or self
audits has been established which includes
the requirements of the MLPCA. Do audit
procedures/independent reviews:
a) Confirm the integrity and accuracy of the
systems for the reporting of large
currency transactions?
b) Include a review of tellers’ work?
c) Confirm the integrity and accuracy of the
institution’s record keeping activities?
d) Include steps necessary to ascertain
that the institution is conducting an ongoing training program?
2) If violations or serious deficiencies were
noted in the previous examination, has your review
determined that corrective action has been
taken?
Annex 11: Money Service Businesses
Money service businesses are non-bank financial institutions that primarily buy and
sell notes and coins, purchase and sell traveller’s cheques and sell local currency by
discounting credit cards. As the exchange houses deal exclusively in currency
(foreign and domestic), anti-money laundering measures are a critical aspect in their
operations and in the examination approach to monitoring their activities. Money
service businesses (MSB) are required to have AML/CFT policies.
In addition, banks which deal with such businesses should ensure that these
entities are subject to enhanced due diligence as well as account monitoring.
Procedures
Comments/Work Papers
Internal Control Inquiries
1. Have the owners or Board of Directors of the
MSB adopted written AML/CFT policies
governing currency exchange in compliance
with applicable laws that govern their
activities?
2. Do the owners or Board of Directors or the
Board’s nominee review the policies at least
annually to determine their adequacy in light
of changing conditions?
3. Has the MSB appointed a unit or individual
with responsibility for coordinating internally
and articulating externally the issues related
to money laundering?
4. Are customer information files or other
records (e.g., receipts) maintained regarding
the identity of the customer and other
requested information?
5. Is the information retained adequate to
determine the amount of currency received
in each transaction?
6. Is the customer information retained in
accordance with the record retention
requirements of the law (6 years)?
7. Is a suspicious transaction report filed with
the SIFIU for any suspicious transactions or
trends which are detected?
8. How many suspicious reports have been
filed since the last examination?
9. Does the MSB file CTR reports with the
SIFIU?
10. Does the MSB conduct business with
occasional customers? If so, what are the
preventive measures in place?
Testing Procedures
1. Obtain the MSB’s policies and
procedures and review for adequacy and
inclusion of AML/CFT issues.
2. Obtain the used receipt books or other
identification documentation and perform
the following as they relate to customer
identification practices:
a. Determine if the identity of the customer
has been obtained to verify the legal
existence and structure of the customer.
Obtain the following information:
• Customer name
• Customer address
• Means of customer identity
verification
• Date of transaction
• Amount and currencies transacted
• Proof of incorporation/registration in
the case of unnatural persons
• Source of funds
b. Determine, based on the transaction
records, if the records show any
suspicious transactions or trends with
regard to currency exchanges.
3. Review the MSB’s processes and criteria
for suspicious transaction report filings
and determine if they are in compliance
with regulations.
4. Based on the procedures performed
above in item 2, determine if any
situations had emerged that required
filing a suspicious activity report. If so,
was the report properly filed?
5. Discuss the results of the examination
with senior management and follow up
on outstanding issues.
6. Update work papers with information that
will facilitate future examination and
follow up.
ATTACHMENT 1 – CDD Review Worksheet
CDD REVIEW WORKSHEET
REPORTING INSTITUTION:
LOCATION:
DATE:
REVIEWER:
NAME OF CUSTOMER:
(Include names of directors, shareholders, settlor, trustee and beneficiaries where
applicable. Also include name of beneficial owner of the account if different)
ADDRESS:
OPENED:
Date:
By (name of officer):
Approved by (title/position if different to the account opening officer):
Within delegation?
VERIFICATION DOCUMENTATION
(List type of documents (including relevant information such as passport number, issue
date and issuing authority) relied upon by the institution and also if copies are attached to
account opening form):
INTRODUCED BUSINESS:
(Was this customer introduced to the institution by a 3rd party introducer)
Date:
Name of introducer:
Are CDD documents available for review?
NATURE OF BUSINESS/REASON FOR ACCOUNT:
(Has the institution established the nature of the business/reason for the account being
opened)
ENHANCED DUE DILIGENCE:
(by whom, date, and reason)
RISK RATING AND INTERNAL REVIEW:
(Date, frequency, evidence of account monitoring by institution)
Risk rating:
NON-COMPLIANCE WITH CDD POLICY:
(If any)
SOURCE OF FUNDS
(include amount, currency and date received)
Initial amount:
Ongoing deposits:
(Are these consistent with the nature of the customer’s business)
Frequency:
DISBURSEMENTS
(Include amount, currency and dates)
Recipients:
(Where these are 3rd parties, is there evidence that the institution understands the reason
for the payment?)
Timing:
LAST RECORDED TRANSACTION:
Date:
Amount:
Nature:
CASH TRANSACTION REPORTING
(Have cash transactions over the reporting threshold been reported to the SIFIU)
Date(s):
Amount(s):
Currency:
Internal identifier (if applicable):
SUSPICIOUS TRANSACTION REPORTING:
Date of report to SIFIU:
If an STR was prepared but a decision was made not to submit the STR to the SIFIU, have
the reasons been documented?
OTHER COMMENTS:
ATTACHMENT 2 ‐ AML Examination worksheet – Fund Transfers
FUNDS TRANSFERS - REVIEW WORKSHEET
REPORTING INSTITUTION:
LOCATION:
DATE:
REVIEWER:
NAME OF CUSTOMER:
(Include names of directors, shareholders, settlor, trustee and beneficiaries where
applicable. Also include name of beneficial owner of the account if different)
TRANSACTION INFORMATION:
Name and address of originator:
Amount of funds transfer:
Date of funds transfer:
Any payment instructions:
The identity of the beneficiary’s bank:
Name and address or account number of the beneficiary:
Source of funds:
VERIFICATION DOCUMENTATION
(List type of documents (including relevant information such as passport number, issue
date and issuing authority) relied upon by the institution and also if copies are attached to
account opening form):
Is the customer an existing customer?
If not, what CDD did the bank undertake?
NATURE OF BUSINESS/REASON FOR TRANSACTION:
(Has the institution established the nature of the business/reason for the transaction and
sighted supporting documentation, if necessary?)
ENHANCED DUE DILIGENCE:
(by whom, date, and reason)
NON-COMPLIANCE WITH CDD POLICY:
(If any)
CASH TRANSACTION REPORTING
(Have cash transactions over the reporting threshold been reported to the SIFIU)
Date:
Amount:
Currency:
Internal identifier (if applicable):
ELECTRONIC FUNDS TRANSFER REPORTING
(Have transactions over the reporting threshold been reported to the SIFIU)
Date:
Amount:
Currency:
Internal identifier (if applicable):
SUSPICIOUS TRANSACTION REPORTING:
Date of report to SIFIU:
If an STR was prepared but a decision was made not to submit the STR to the SIFIU, have
the reasons been documented?
OTHER COMMENTS:
ATTACHMENT 3 ‐ CDD Worksheet: Checklist of Items to Observe
ELEMENTS, each followed by its ITEMS TO OBSERVE:
NAME OF CUSTOMER:
Does the institution seek to identify the customer including the beneficial owner of the
account/relationship?
The institutions should consider the type of client, i.e. individual, corporate entity, trust etc.
ADDRESS:
Has the institution obtained and verified the address of the customer?
OPENING/ESTABLISHMENT DATE:
Who approved the account/relationship?
Was it within their delegation (e.g. is the customer a PEP and was the decision to open the
account taken by senior management?)
VERIFICATION DOCUMENTATION:
Did the institution obtain all required CDD documents?
Did the institution verify the authenticity of documents?
Were copies of these documents readily available to examiners?
Are these documents in English?
Are the documents valid?
Are the documents readable?
INTRODUCED BUSINESS:
If the account was opened through a 3rd party introducer are all CDD documents available?
Does the institution have a contractual arrangement with the introducer?
Has the institution obtained copies of relevant CDD documents?
NATURE OF BUSINESS RELATIONSHIP:
Does the institution understand the nature of the business and why the customer has
established the relationship?
ENHANCED DUE DILIGENCE:
Did the institution undertake enhanced due diligence of the customer and if so why?
RISK RATING & INTERNAL REVIEW:
Is the logic behind the grading decision properly documented?
Where gradings are changed, is the basis for the change documented and are account officers
informed of amendments?
Is the grading system working effectively?
Is the grading assigned consistent across all related counterparties?
Is there evidence of on-going monitoring of transactions?
How frequent is this monitoring and what steps are performed by the bank?
NON-COMPLIANCE WITH CDD POLICY:
Is the account granted within set credit parameters (e.g. customer acceptance policy)?
SOURCE OF FUNDS:
Does the institution understand and verify the source of funds?
Are transactions consistent with the customer’s business/statements made when the
relationship was established?
DISBURSEMENTS:
Are disbursements consistent with statements made when the relationship was established?
When funds are transferred to a 3rd party does the institution seek to understand the reason
for the payment?
CASH TRANSACTIONS REPORTING:
Has the institution reported to the SIFIU as required?
ELECTRONIC FUNDS TRANSFER REPORTING:
Has the institution reported to the SIFIU as required?
Do these reports cover both inward and outward transfers?
SUSPICIOUS TRANSACTION REPORTING:
Are decisions not to report to the SIFIU documented?
OTHER COMMENTS:
Is there evidence of regular contact with client?
Is the information contained in the account opening file consistent with that contained in the
management information reports and the materials provided to us before the visit?
Is the information contained in the file easy to follow?
Are there any comments on the file which have a bearing on the overall management of the
account? For example, critical comments by senior management or ML/TF review staff.
General observations can also be made.
ATTACHMENT 4 – Sample letter to an institution
Managing Director
XYZ Bank Limited
Dear Sir or Madam:
Anti-Money Laundering Inspection Report
I am writing to inform you of our main observations and recommendations following
our recent on-site examination of your organisation’s compliance with AML/CFT
policies and procedures. I would like to express our appreciation for the ready
cooperation we received from you and your colleagues. Overall, the visit was useful in
providing an understanding of the bank’s AML procedures and the general overview
of the bank’s AML policy.
As discussed, the main purpose of the visit was not to review files with the view to
identify instances of money laundering. Rather, the purpose of the visit was to review
policies to understand how XYZ Bank deals with AML. We also assessed the policy
against the requirements of [legislation, guideline]. Against this background we have
identified a number of areas, outlined below, where we believe the bank needs to
strengthen its policy.
We understand that your bank’s AML policies and guidelines are being updated and
we recommend that the revised document bring together all relevant aspects of AML
practices followed by the bank together with statutory and regulatory requirements.
We would also recommend that the bank ensure that local currency-denominated
transactions and accounts are monitored with the same degree of rigor as are
foreign currency transactions and accounts.
The following are the main observations arising from the visit.
1. AML Policy
a) There was confusion in relation to exemptions from screening requirements
granted to customers. During the course of our visit we became aware of a
number of exemptions approved in April 200X. We were informed that in
practice such exemptions were not used and that these exemptions would be
revoked as all foreign currency transactions are subject to review. However,
in discussion with other staff it became apparent that there is an informal
practice of granting exceptions. We are advised that these arrangements
would be reviewed and formalized if considered appropriate. We recommend
that if the bank decides to exempt customers from screening requirements
that it maintain a list of such customers and review the list on a regular basis.
In addition, the bank will need to ensure that, in granting such exemptions, it
can also comply with the requirements of [legislation].
b) In our view the policy document could be enhanced by including references to
the [legislation] and in particular the penalty provisions of the [legislation].
c) Under the [legislation], all STRs are to be reported to the Financial
Intelligence Unit [FIU], not the [supervisor] as currently stated in the bank’s
policy. A more effective implementation of the bank’s AML policies would
likely strengthen the bank’s capacity to identify and report suspicious
transactions.
d) There is no provision in the AML policy on the treatment of correspondent
banks and introduced customers. Some confusion exists between the view of
the Managing Director and what happens (e.g., for introduced customers).
There is a need for this area to be spelled out clearly in the policy. In relation to
correspondent banks, we understand that your head office reviews/approves
the opening of such accounts. This arrangement should be incorporated in
the local policy.
e) As required under [legislation, guideline], the customer acceptance policy
must spell out clearly the type of customers that the bank does not want to
deal with (i.e. politically exposed persons, etc.). At present the policy only
lists those countries that are on the watch list.
f) We noted instances where ex-Bank customers were “accepted” without being
subjected to AML account opening requirements. We note management’s
response that steps have now been put in place to get all these files in order.
More generally, we would encourage the bank to update information on those
clients that established accounts with the bank before the introduction of the
enhanced AML requirements in [jurisdiction]. We appreciate that this would
lead to a risk-based exercise in dealing with these customers.
2. Compliance Officer
a) We understand that at present, compliance officers review around 5 files per
day with the main focus on ensuring that account opening procedures are
complied with. While this forms an important aspect of AML requirements, we
also recommend that monitoring should be extended to include a review of
transactions to ensure these are consistent with information given when the
account was opened. This is an important aspect of “know your customer”
policy and the role of compliance, as outlined in [legislation, guideline].
b) More generally it would be useful if the compliance section maintained reports
on STRs received and “rejected” to assist in focusing training. We were also
informed that the compliance officers prepare reports in relation to the reviews
of accounts that they undertake, and these reports form part of the reporting
process to senior management. As previously requested, we would
appreciate being provided with copies of such reports to enable us to gauge
the extent of work undertaken by the compliance office.
c) In addition the bank’s policy specifies that a number of AML reports are to be
prepared. We would appreciate being provided with a copy of these reports.
3. Reporting
a) We were told that the managing director is provided with a number of internal
compliance reports on AML issues to enable him or her to complete his or her risk
management compliance reports. However as noted above, we have yet to
be furnished with copies of such reports.
4. Customer Identification
b) One of the important components of customer identification is the ability to
carry out physical checks to verify the existence of a customer’s business.
From our review of the files and discussions held, it would appear that the
bank does not do this, particularly in respect of foreign companies. We were
informed that the bank takes comfort from the fact that [jurisdiction] is small
and everyone generally knows what’s happening in town. However, as you
would appreciate this is not satisfactory in relation to meeting your AML
requirements.
c) On-going account monitoring is recommended as outlined in [legislation,
guideline]. The bank needs to carry out visits on, say, an annual basis to
verify the existence of the business of each customer. For foreign companies
wishing to open accounts the bank will need to consider steps to ensure that
the business exists and that transactions remain consistent with the
company’s stated business.
d) One of the requirements of your bank’s customer check list is getting a
banker’s opinion. We noted that where customers tick the ‘No’ response this
does not seem to have raised any concern. We were told that consideration is
being given to making the banker’s opinion a mandatory requirement, a move
which we would recommend.
e) Review of the constitutions of international companies which have accounts
revealed that they provide for the issuance of bearer shares. As suggested in
[legislation, guideline], we recommend that the bank put in place
arrangements to ensure immobilization of such shares.
5. Account monitoring
a) As outlined in [legislation, guideline], on-going monitoring is an essential
aspect of effective KYC procedures. A computer reporting system needs to be
put in place to enable the on-going monitoring of transactions. At the moment
this is done on a manual basis for all transactions. Establishing a central
monitoring system will provide a more efficient means of monitoring account
activities. While tellers’ worksheets are reviewed at the end of the day there is
no mechanism that would allow the bank to identify a series of transactions
made just below the reporting ‘thresholds’. We understand that consideration
is being given to improving systems to allow monitoring by transaction size,
etc., and we encourage such an initiative. We would appreciate being
advised of developments.
b) It was noted that the bank has mechanisms in place to review foreign
currency accounts activities (i.e., transactions above [a threshold] are
reported); however, the same level of due diligence is not applied to local
currency accounts. In our view, the same level of due diligence should also
be applied to the local currency accounts.
c) It was evident from a number of files reviewed that verification of the source of
funds does not take place. To assist in the on-going monitoring of accounts
banks should, as outlined in [legislation, guideline], be aware of the source of
funds. This is not only required for large transactions but for any transactions
that appear to be suspicious in nature.
d) We were told that the bank only conducts checks when a significant
transaction occurs. However, we understand that, in many circumstances
where the officer in charge knows a customer, the background checks and the
confirmation of the source of funds requirement are waived. This could
potentially lead to breaches of the [legislation, guideline].
e) In some instances where transaction patterns differed from those originally
advised to the bank, clients were asked to send in a revised account opening
form. In our view, this does not address the issues of understanding the
source of funds or change in activity. The bank should not process
transactions unless the customer’s background and the source of funds are
fully made known to the bank.
f) Whilst we have been told that a list of “named persons” exists in the bank, our
discussions with a number of people revealed that the list is not readily
accessible. In our view, the “named person” database should be accessible
to all officers who are directly involved with AML matters.
6. Training required
a) AML training needs to be coordinated better. This is evident from the fact that
one department developed its own training documents. Although the
compliance office was aware of this, it would have been useful if it had been
reviewed by the compliance office to ensure that it is consistent with the
bank’s policies and regulatory & statutory requirements. In our opinion, the
compliance department should contribute to the development of AML training
documents in the future.
b) Training programs should be held on a regular basis. Under the current policy, a
period of three years is stated. In our view this is too long and training should
occur at more regular intervals (say 6 months) especially for those staff in
high risk areas, e.g., tellers and those involved in the sale and purchase of
monetary instruments.
c) We understand that much of the bank’s AML training is carried out via computer
updates, although this may be supplemented by ad-hoc training in some
sections. In our view the introduction of new policies should be supplemented
by formal face-to-face training.
d) We suggest that the current training document should also address the AML
requirements set out in [legislation, guideline].
e) The training document is not dated although from discussions held, it was
confirmed that the material was last presented in 200X. For continuity
purposes, this document needs to be dated and updated to reflect changing
policies and procedures.
For your records, attached is a list of the customer files reviewed during the visit.
Yours sincerely,