4. Case Study of Mega International Commercial Bank

4.4. The Impacts of AML/CFT on the Operations of Mega Bank

National Chengchi University

Figure 12: Elements for Building a Business Culture of Compliance and Internal Control

Sources: Mega International Commercial Bank; 吳瓊佩 (2014)

4.4.2. Establish an Effective AML/CFT Program

Singapore is regarded as a global financial center in the Asia/Pacific region with the lowest domestic crime rates in the world, and it is a member of both the FATF and the APG. According to the fourth-round FATF mutual evaluation report issued in September 2016, which drew on an on-site visit from 17 November 2015 to 3 December 2015, the FATF assessed that Singapore has a strong AML/CFT framework in terms of both its level of compliance with the FATF 40 Recommendations and the level of effectiveness of its AML/CFT system, and that Singapore has made significant enhancements to its AML/CFT regime since its last FATF assessment in 2008 (MAS; FATF and APG 2016). As for banking institutions, all banks in Singapore are first and foremost required to establish and implement their own AML/CFT policies in line with their ML/TF risks and the size, nature and complexity of their business and operations, both in Singapore and overseas. Moreover, banks shall communicate these policies to all of their employees to ensure that they understand them well, and educate employees on how to apply them in their business (ABS 2015).

Therefore, this thesis takes the AML/CFT regime in Singapore, namely the Association of Banks in Singapore (ABS) Guidelines on Anti-Money Laundering and Countering the Financing of Terrorism, which comply with the Monetary Authority of Singapore (MAS) Notice and Guidelines, as a benchmark for discussing counter-measures against ML/TF at Mega Bank and across the whole banking industry in Taiwan. The discussion covers the elements of building an effective AML/CFT program: Know Your Customers (KYC), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), Sanctions Screening, Suspicious Activity Reporting (SAR), and Continuous Employee Training.

Know Your Customers (KYC)

Alford (1993) states that the Basle Committee on Banking Supervision adopted a Statement of Principles regarding money laundering in 1988, which urged the banking sector to establish a “Know-Your-Customer (KYC)” process for customer identification. It stated that public confidence in the banking system would be undermined if any crime occurred through the negligence or direct involvement of banking institutions, and thus bank supervisors should be responsible for preventing the criminal use of the banking system. A sound KYC program is critical to protecting the soundness and integrity of the banking system, and it also keeps banks away from criminals.

According to the Association of Banks in Singapore (ABS) Guidelines on Anti-Money Laundering and Countering the Financing of Terrorism, which comply with the Monetary Authority of Singapore (MAS) Notice and Guidelines, banking institutions should assess the risks of each customer and determine the customer’s true identity before establishing a new business relationship, under a customer acceptance policy in line with the institution’s risk preference and tolerance. KYC is a critical process through which banking institutions come to understand the background of their customers, including the customer’s products, services, location, ownership structure, etc., so as to identify high-risk customers associated with money laundering and terrorist financing and to cooperate further with law enforcement authorities (Alford 1993; ABS 2015). Alford (1993) also notes that a successful KYC regime will discourage criminals from using the banking system, since banks require evidence of the true identity of customers and of their businesses; criminals will therefore turn to other vehicles with fewer requirements to facilitate their money laundering. In other words, the KYC process can ensure the safety of the banking system and protect it from criminal activities.

Before the violation incident at Mega Bank’s New York Branch, the Taiwanese banking industry usually failed to implement its KYC process well because of the over-banking phenomenon, which exposed the banking system in Taiwan to a high risk of misuse by money launderers. In line with the ABS Guidelines on AML/CFT, fully implementing the KYC process is key to establishing an effective AML/CFT program for banking institutions. To establish an effective AML/CFT regime under the Risk-Based Approach (RBA) adopted by the FATF Forty Recommendations in 2012 (ABS 2015; FATF 2014), a sound KYC process begins with the Customer Identification Program (CIP), which involves collecting and verifying information on new customers, the purpose of opening the account and the source of funds, and verifying the related documents. It is followed by Customer Due Diligence (CDD) for low-risk customers and Enhanced Due Diligence (EDD) for higher-risk customers. Together these enable the banking system to understand the true identity and risks of its customers and to select customers through risk assessment, protecting the soundness and integrity of the whole banking system and shielding it from money laundering and terrorist financing (ABS 2015).

Figure 13: AML KYC Onboarding Lifecycle

Source: Compliance Alert

Customer Due Diligence (CDD)

According to the ABS Guidelines on AML/CFT, banking institutions should adopt the Risk-Based Approach (RBA) in line with the FATF Recommendations when conducting the risk assessment of their customers. The RBA refers to a process that drives a dynamic framework for addressing risk. It guides the customer due diligence (CDD) assessment and highlights high-risk concerns when the money laundering and terrorist financing risk of a new customer is evaluated. Banking institutions generally assess the money laundering and terrorist financing risk of a customer and assign a risk rating (e.g. low, medium, or high) at the CDD stage. Once a customer is onboarded, banks should use an RBA not only to review the customer’s transactional behavior and activities but also to update the customer’s risk assessment. The CDD assessment may differ by customer type (CDD in investment banking may differ from that in private banking) and by many other factors. In accordance with the RBA, jurisdictions may allow simplified CDD measures to be applied to lower-risk customers, such as government entities, listed companies, etc. The CDD process is not limited to sanctions screening; it also covers business assessment, negative information, and politically exposed persons (PEPs) screening. A sound CDD program should consist of the following seven elements (ACAMS 2016; MAS 2015; ABS 2015):

(1) Customer Identification

To avoid establishing business relationships with shell companies and to mitigate the risk of abuse for money laundering and terrorist financing, it is essential for banks to understand the true identity of their customers, including the substantive beneficial owners, ownership structure, and business types. In accordance with the FATF standards, banks should not only identify customers but also verify their identity. Additionally, banks should find out the source of funds and the purpose of the account. Banking institutions have to update CDD information after a periodic review or a material trigger event, whichever is earlier, to ensure that the customer information, data, documents, and risk assessment they previously maintained remain relevant and up-to-date.

(2) Profiles

Banks should create a transaction and activity profile for each of their customers. The profile should include sufficient information to support future reviews of anticipated against actual account activity, so that banks can identify suspicious activity by comparing the actual activity with what the bank knows about the customer and the nature of their business.

(3) Customer Acceptance

Banks should establish and implement their own customer acceptance policies and procedures to identify the types of customer with inherent or potential higher risks of money laundering and terrorist financing in line with the bank’s risk assessment. In addition, the bank’s customer acceptance policy should define circumstances under which the bank should not accept a new customer or should terminate a currently existing business relationship with the customer.

(4) Risk Rating

Banks should conduct a risk assessment before establishing a business relationship with a new customer, and again at periodic review or when a material trigger event occurs, whichever is earlier. Many risk factors should be considered when determining risk (e.g. customer type, products and services, transaction type, and locations). Except where a single factor in itself constitutes an illicit activity, no single factor alone should be used to determine risk. Banking institutions in Singapore are required to review their risk assessment at least once every two years or when a material trigger event occurs, whichever is earlier.

(5) Monitoring

Monitoring is one of the essential methods to effectively manage the bank’s money laundering and terrorist financing risk, and thus banks should have appropriate systems in place to detect suspicious transactions. Banking institutions should monitor the customer’s accounts and transactions in accordance with their risk level.

(6) Investigation

Banks should investigate and examine unfamiliar customers or unusual account activity; account activity should be consistent with the anticipated activity for each customer in line with their occupation or business type.

(7) Documentation

Banks should keep records and document their findings as evidence of the actions they performed. Banks should ensure that everything obtained at the CDD stage is documented.

Both in Taiwan and Singapore, banking institutions are required to keep records of customer accounts for at least five years after termination of the business relationship or completion of such transactions, which is in accordance with the FATF 40 Recommendations (FATF 2012; ABS 2015; The Bankers Association of the Republic of China 2017).

There are no set standards for conducting the CDD process. Banking institutions have to know their customers and understand the purpose of their accounts through customer identification followed by customer verification. Each bank should establish its own CDD regime in accordance with its size, nature of business, risk preference or tolerance, etc. Furthermore, each bank should implement its own policies and procedures to control and mitigate the money laundering and terrorist financing risks arising from the deferred completion of customer verification, including (ABS 2015):

• Having limited financial services available to the customer.

• Limiting the amount of the transactions undertaken by the customer.

• Closely monitoring the customer’s transactions until completing the verification.

If a bank is not able to complete customer verification at the CDD stage, it should terminate or not establish a business relationship with the customer, and determine whether it is necessary to file a SAR (Suspicious Activity Report). The bank’s management must be kept informed of such occurrences.

Enhanced Due Diligence (EDD)

According to the ABS Guidelines on AML/CFT, banks should undertake Enhanced Due Diligence (EDD) for high-risk customers identified at the CDD stage, which requires additional documents as well as more reviews for the further assessment. Such additional documents and reviews may also be triggered by other controls in the bank’s AML/CFT program, such as the occurrence of material trigger events or alerts from suspicious activities identified through transaction monitoring. In line with international standards, banks should undertake the EDD process once a year or when a material trigger event occurs, whichever is earlier. The principles and procedures of the EDD assessment are not identical within a bank (EDD in corporate banking may differ from that in retail banking); the EDD assessment usually differs across the business segments of the bank (ABS 2015). The EDD assessments should consist of the following risk factors (ACAMS 2016):

(1) Customer Risk Factors

• The business relationship is established under unusual circumstances, such as the customer failing to explain the geographic distance between the bank and the customer.

• Non-resident customers, such as walk-in customers with different nationalities.

• Companies used as personal asset-holding vehicles.

• Companies that can issue bearer shares with nominee shareholders.

• Cash-intensive businesses, such as restaurants, retail stores, parking lots, etc.

• The company’s ownership structure appears unusual or overly complex compared with the nature of its business.

(2) Country or Geographic Risk Factors

• Countries identified as high-risk jurisdictions or having inadequate AML/CFT regimes.

• Countries subject to sanctions imposed by the OFAC, EU, UN, etc.

• Countries identified as having a higher risk of drug trafficking, human/arms smuggling, corruption, fraud, financial crimes, or other criminal activities.

• Countries or geographic areas identified as funding/supporting terrorist activities, or having designated terrorist organizations operating within the country.

• Countries that share a common border and are known to have smuggling or illicit transactions.

• Geographic regions identified as having a higher risk of money laundering or financial crimes within the country.

(3) Product, Service, Transaction or Delivery Channel Risk Factors

• Private banking business.

• Cash-based transactions with anonymity.

• Business relationships or transactions with non-face-to-face customers.

• Payment received from unknown or unrelated third parties.

In the Taiwanese banking industry, banks are required to conduct the EDD program annually (The Bankers Association of the Republic of China 2017), whereas the CDD program is usually conducted every 2 to 5 years or when a material trigger event occurs, whichever is earlier. The rule may vary across countries and banks. High-risk customers expose banking institutions to a greater risk of misuse for money laundering or terrorist financing; to mitigate that risk, high-risk customers and their transactions should be reviewed more strictly at the account opening stage, and more frequently during their business relationship with the bank, than low-risk customers. Where necessary, close account and transaction monitoring should be undertaken to detect suspicious activities and transactions, if any, and to report them to the supervisory authorities and law enforcement agencies (ABS 2015).

Sanctions Screening

identifying and mitigating the money laundering and terrorist financing risks. Banking institutions should have an effective screening system in place, with a database covering the sanctions lists of the UN, OFAC, EU, HM Treasury (i.e. the UK government’s economic and finance ministry), HKMA (Hong Kong Monetary Authority), MAS, etc. and the local sanctions lists, to detect any individuals and entities who are sanctioned or suspected of involvement in money laundering or terrorist financing activities, and should document the results of screenings as well as the assessments of potential matches. Banks should periodically review their database of sanctioned parties to ensure that they maintain up-to-date sanctions lists, and should set lower screening thresholds, since a 100% match setting is not acceptable; an assessment of potential matches is therefore necessary. Before establishing a business relationship with a new customer, banks should conduct sanctions screening to ensure that the customer and their related parties are not sanctioned. If a bank has a positive hit against a sanctions list, it should halt all action on the account and assess whether it is required to freeze the funds or other assets of the sanctioned parties without delay and without prior notice. Meanwhile, banks should also consider filing a SAR, reassessing the customer’s risk rating, and deciding whether to terminate the business relationship with the customer (ABS 2015; ACAMS 2016).

To mitigate money laundering and terrorist financing risks and enhance sanctions compliance, Mega Bank has conducted sanctions screening for all local US-dollar transactions since August 2017, given that it acts as the settlement bank for local US dollars in Taiwan and that these US-dollar transactions are ultimately settled in its New York Branch, which is in the US and subject to the surveillance of the US authorities concerned. Therefore, Mega Bank conducts day-to-day sanctions screening to check for possible money laundering and terrorist financing and for hits against sanctions lists, in order to meet international standards (Commercial Times).

Suspicious Activity Reporting (SAR)

In line with the ABS Guidelines on AML/CFT, a Suspicious Activity Report (SAR) is made when a bank knows or has reason to suspect that funds or wealth are directly or indirectly linked to criminal activities. Ongoing monitoring and review of customers’ accounts and transactions enable banks to identify suspicious activity, eliminate false positives and promptly report genuine suspicious transactions. Therefore, banks should have adequate and effective systems in place to undertake daily transaction monitoring and report suspicious activity. The system should be risk-based, given that banking institutions handle hundreds of thousands of transactions every day. The determining risk factors should include the size of the customer’s firm, its location, the frequency and size of its transactions, the nature of its business, the types and geographic location of its customers, etc.

Banks should report suspicious activity to the appropriate law enforcement agency and supervisory authorities without notifying any parties involved in the transaction reported and under investigation. Banks are required to file a SAR and submit it in a timely manner to the relevant law enforcement agency and supervisory authorities, to ensure prompt disclosure where funds or wealth suspected to be criminal proceeds remain in the account. Additionally, disclosure of such suspicious activity is not treated as a breach of “banking secrecy” against customers, as the filing bank and its employees are under statutory protection.

A bank should consider filing a SAR if it receives any negative information about a customer regarding criminal activities. Filing a SAR not only facilitates investigation by the authorities but also prompts the bank to take preventive measures against the customer. Once suspicion has been raised about a business relationship or an account, in addition to filing a SAR, appropriate action should be taken to adequately mitigate the bank’s risk of misuse for criminal activities, including a review of the risk level of the customer, the account, or even the business relationship itself. Appropriate action, such as cooperation with law enforcement agencies and supervisory authorities, should be approved by the appropriate level of management to determine how to handle the business relationship with the customer, taking all relevant risk factors into account (ACAMS 2016; Bank for International Settlements (BIS) 2017; ABS 2015).

Continuous Employee Training

According to the ABS Guidelines on AML/CFT, a vigorous AML/CFT infrastructure should also include an effective AML/CFT training program. Banks are required to institute periodic training programs to educate their employees on AML/CFT issues. In addition to explaining the relevant AML/CFT laws and regulations, an effective AML/CFT training program should also cover the bank’s AML/CFT policies and procedures for risk mitigation as well as the common methods and typologies used for money laundering and terrorist financing. Banks should also train their employees to detect potential money laundering or terrorist financing activities and educate them about what to do if they encounter such transactions. A bank should adopt a training program in accordance with its size, the nature of its business, etc., and different business segments should adopt training programs tailored to their job functions and responsibilities. Regardless of seniority, all staff should be trained, including directors and management, and thus banks should provide appropriate training programs aimed at different levels. Periodic refresher training should be undertaken every one or two years for existing employees, and training for new employees should be undertaken as soon as possible, to ensure that all staff are familiar with the bank’s AML/CFT policies and procedures and with regular updates to them. Banks are also required to maintain training records for internal and external auditing (ACAMS 2016; BIS 2017; ABS 2015).

Figure 14: Elements for Establishing an Effective AML/CFT Program

Sources: The Association of Banks in Singapore (ABS)
