The CTF compliance methods and tools used by Institutions. Institutions should be cognizant of the AML/CTF systems, and accordingly use RBA to allocate resources, design and alter organizational structures, educate their workforce, and implement the procedures and policies that will prevent terrorist financing.
CTF Compliance Methods And Tools Used By Institutions
The levels of AML/CTF employed by a particular institution vary with the size and complexity of the institution. Institutions that deal directly with customers in low-risk-level industries can afford to have more relaxed measures than large, complex institutions that deal with a variety of clientele in high-risk industries and categories.
Some of the factors that should be considered in determining the type of AML/CTF protocols to be employed by a particular institution include:
- The scale, nature, size, and complexity of the business;
- The target market of the institution. Some markets are deemed inherently riskier, and as such warrant higher AML/CTF protocols. For example, industries with high cash turnover are considered inherently higher risk than industries that rely on non-cash instruments;
- The number of customers previously identified as high risk and the number of customers already identified to have been used to transfer funds to be used in financing terror;
- The geographical areas in which the institutions operate, particularly areas where corruption is endemic and where there is a record of terror-financing activities;
- The different routes through which the institution interacts which customers. Institutions, where third parties deal directly with customers, are associated with higher risk than institutions that only deal directly with their customers;
- The findings of any audits and reports made by national and international regulatory bodies;
- The laws and policies in place at the time in the country of jurisdiction;
- Money Laundering and Terrorism risks linked with foreign jurisdictions/conflict zones such as Afghanistan and Syria; and
- The reliability of correspondent partners.
CDD Used To Categorize The Risk Profile
Institutions should use individual risk assessments using customer due diligence as a tool to prevent establishing a partnership with persons conducting illicit business activity. Banks should use CDD and relevant information including the expected revenue of similar businesses to determine the risk profile of every individual client. The initial CDD is used to categorize the risk profile and includes:
- Identifying the customer, and where the customer is a company or institution as well as identifying the actual beneficial owners of the firm;
- Verifying the identities of the customers based on a reliable method at the very least to the minimum standards required by the law of the country in question; and
- Understanding and confirming that the business is legitimate and that the rate of returns or deposits is in line with expected returns in that industry again at the very least to the minimum standards required by the law of the country in question.
In this process, institutions should also screen the names through the lists of persons limited in their national law and those of the UN, Interpol, or any other relevant institution.
In instances where CDD conducted indicates a high-risk customer, further enhanced CDD can be taken that includes:
- Obtaining information from a wider variety of sources to confirm the legitimacy of the information provided. This can include local government records, judicial records, tax records, and public media information;
- Carrying out more comprehensive searches on the customers including ascertaining ownership of parent companies especially companies incorporated in offshore jurisdictions;
- Engaging private investigative or intelligence firms to ascertain whether the potential customer might be involved in criminal activities;
- Ascertaining the customer’s actual source of wealth or funds; and
- Getting additional information and documentation from the customer to verify their identity and business(es).
Where banks cannot obtain a comprehensive CDD, they are required to terminate any business relationship with the customer, and if the law so requires, report any such instance to the relevant authorities.
AML/CTF does not cease with CDD but is proceeded by ongoing monitoring to prevent terrorist financing. The institution must continuously ensure that the transactions made by the customer reflect the bank’s knowledge of the customer and reflect the actual nature and proceeds of the business expected of such a customer.
Monitoring should also note changes in the customer profile and behavior or product usage that might require the application of more intensive CDD measures. For example, an increase in the volume of cash transacted by a customer might necessitate more intensive CDD measures.
An institution should use peer-generated information to ascertain whether a particular customer’s transactions are in line with the industry expectations or should warrant extra attention.
To this end, institutions must create concrete criteria to determine what parameters are to be used to classify customers into different categories, and where automated systems are in place, such parameters should be built into the system.
In all this, fundamental systems are built-in for identifying and reporting suspicious activities to the relevant authorities promptly. These systems should always meet the minimum requirements for reporting suspicious activities in the jurisdictions in which the institution operates.
Controls To Be Centered
Banks are required to build robust internal control systems to ensure AML/CTF measures are met under the RBA. The Sound Management of Risk Related to Money Laundering and Financing of Terrorism document by the Basel Committee on Banking Supervision provides the benchmark standards of internal controls for financial institutions the world over. These controls should be centered around achieving the following:
- Making compliance a ‘core value’ of the banking institution. It should be hardwired into all the employees of the institution, and into all the policies that no business whatsoever shall be conducted outside AML/CTF protocols. It should be apparent even to potential customers that the institution cannot be used to finance terror;
- Create a robust communication network for reporting any notable events or records linked to AML/CTF through all relevant networks in the institutions. These networks should link the executive decision-makers with frontline workers and IT personnel effectively and promptly to act on any red flags; and
- Provide adequate resources to finance the necessary AML/CTF measures required.
Senior management should also vet their staff based on the risk profiles of the customers they deal with or shall potentially deal with. The institutions should ensure not only that their staff has adequate levels of skill and training to implement AML/CTF protocols but also have the integrity required to resist bribery and corruption.
The level of staff vetting should be directly correlated to the level of risk associated with their roles in the institution. Furthermore, potential conflicts of interest should be identified and resolved before they pose a serious risk to the implementation of AML/CTF protocols. Remuneration of workers should be commensurate to the level of risk they face to reduce any incentive for bribery and/or corruption.
AML/CTF Training
Institutions should implement an AML/CTF training that is:
- High quality and specifically designed to fit the institution’s risk profile and business needs;
- Obligatory to all staff who deal directly/indirectly with AML/CTF;
- Tailored to fit the different roles and profiles of different staff and to fit the unique roles of each department in the institution;
- Effective – the institution should have methods of testing the effectiveness of the training such as tests and post-training monitoring; and
- Continuous – it should not be a one-off training when the employee is initially hired. Regular refresher training is necessary.
In the grand scheme of things, the institutions should continuously review the AML/CTF protocols both at the employee level and at the customer level. To this end, AML/CTF should be an integral part of the institution’s continuous compliance systems and form a part of its internal and external audit portfolio.
Final Thoughts
An AML/CFT risk management program is one of many components of an institution’s overall risk management framework, which includes, to name a few, credit risk, interest rate risk, operational risk, compliance risks, and reputational risk. An efficient A risk management framework is critical to the safety and soundness of a financial institution, the financial system of a jurisdiction, and, ultimately, the integrity of the international financial system.