In this third part of our continuing series on Money Laundering, Terrorist Financing and Sanctions, Matthew Gamble explores ways that would help accountants or auditors develop a set of systems and controls to meet AML obligations…
IN THE first two parts of this series there was a refresher on money laundering, terrorism financing and sanctions, together with a discussion on suspicious activities and what to do with them, as well as the important role that the money laundering reporting officer plays.
In this third part, I want to explore how an accountant or auditor would go about developing a set of systems and controls to meet its obligations in respect of anti-money laundering (AML), terrorist financing and sanctions.
Perhaps the first and most important part of developing a set of systems and controls is to take stock of the risks facing your business from an AML, terrorist financing and sanctions perspective.
What is needed for this stock take is to carry out a risk assessment.
Burden on firms
One of the major complaints about the Financial Action Task Force [on Money Laundering] (FATF) recommendations has been the unnecessary burden they have placed on firms. Firms have complained that asking for customer information on identity, beneficial owner, business rationale, source of funds and wealth has only made doing business that much harder. In effect, firms have become the unpaid policemen for governments in combating money laundering and terrorist financing.
I accept that if you require the same level of customer due diligence for all customers then you are placing an unnecessary burden. FATF has recognised this and has provided guidance on how to use the risk-based approach (RBA) to overcome this issue. However, from my experience, firms have failed to understand what is required to be done under this RBA. All too often a firm will move to the check-the-box approach and design a checklist of what documentary evidence it needs to gather on every new client regardless of the risk that new client poses from an AML, terrorist financing and sanction perspective.
What needs to be done before turning your mind to what evidence should be gathered is to understand the AML, terrorist financing and sanction risks faced by the firm. From my own experience, only the best firms carry out a risk assessment, while the lazy firms gravitate to developing a checklist and then complain that they cannot get the evidence they themselves decided to collect!
What is the RBA?
The Dubai Financial Services Authority (DFSA) has embraced and reinforced the FATF’s approach to the RBA. In its recently released AML Rulebook, DFSA-regulated Firms are required to apply the RBA to their AML and Counter-Terrorist Financing (CTF) compliance (collectively referred to as AML), which is proportionate to the risks to which a Firm is exposed, taking into account the nature of its business, customers, products, services and any other matter which may be relevant.
The general principle is that where there are higher risks of money laundering taking place, enhanced measures to manage and mitigate those risks should be implemented. Correspondingly, when the risks are lower, simplified measures are permitted.
Adopting the RBA discourages a ‘tick box’ attitude to AML compliance and instead emphasises that there should be a clear and reasonable rationale for the measures taken by firms to manage and mitigate the AML risks which they face. The process of applying the RBA will vary from firm to firm and it is important for a firm to tailor its processes to its individual risks.
The new DFSA AML Rulebook purposely does not prescribe, beyond what is contained in the AML module, how a Firm should implement its RBA. The reason it has done this is that no two firms are the same. Each Firm has its own business model and that business model will govern the types of products and/or services it offers to its customers.
A cornerstone of the AML Rulebook is Chapter 4, which sets out the standard for risk-based assessments and applies to all decisions made by a firm in which a risk-based assessment is required.
The four elements of any risk-based assessment are that they should be:
• objective and proportionate to the risks;
• based on reasonable grounds;
• properly documented; and
• reviewed and updated at appropriate intervals.
The DFSA has represented this concept as being the four main pillars supporting the ‘house of AML’. To me the concept reinforces the importance of completing and maintaining a risk assessment.
The DFSA believes that the risk assessment should be carried out in two parts. First look at the AML risks that arise from your business and then use that information to assess the AML risks that your clients bring.
Assessing Business Risk
A firm should identify and assess the money laundering risk its business is exposed to by taking into consideration the nature, size and complexity of its activities.
Factors to be considered when undertaking the assessment of business risk include, but should not be limited to:
- type of customers and their activities;
- countries or geographic areas in which a Relevant Person does business;
- products, services and activity profiles;
- distribution channels and business partners;
- the complexity and volume of transactions;
- the development of new products and new business practices, including new delivery mechanisms, channels and partners; and
- the use of new or developing technologies for both new and pre-existing products.
The process of identifying components of business risk involves a level of introspection and deliberation drawing on the collective experience within the firm, from senior management to operational staff.
Assessing Customer Risk
Having determined its business AML risk, a firm then needs to assess the AML risk posed by its customers.
The factors to be considered when undertaking an assessment of customer risk include, but should not be limited to:
- identifying the customer and any beneficial owner;
- obtaining information on the purpose and intended nature of the business relationship;
- the nature of the customer, its ownership and control structure, and its beneficial ownership (if any);
- the nature of the customer's business relationship with the Relevant Person;
- the customer's country of origin, residence, nationality, place of incorporation or place of business;
- the relevant product, service or transaction; and
- business risk assessment under Chapter 5 of the AML Module.
The Three Golden Rules
Finally, those of you who have had the experience of my team carrying out audit inspections of your Firm will have heard the statement, “If it is not documented, then it is not done”. That same philosophy has been carried through to the new DFSA AML Rulebook. The obligation to document has been hardwired into the rulebook and no-one will be given the benefit of the doubt.
The three golden rules?
Document, document and document!
In this third part, the intention was to discuss the new approach. No longer will the completion of a checklist cut it; the DFSA will want to see the actual thought processes of firms and the documentation of those thoughts. The next part will discuss what you do once you have carried out your risk assessment.
Any opinions, statements or other information or content expressed or made in this article are those of the author and not the Dubai Financial Services Authority (DFSA), and the author’s opinions, statements or other information or content expressed in this article should not be viewed as any indication of the opinion, view or policy of the DFSA.