Oversight Framework for Malaysia: Approaches to Customer Due Diligence (CDD)
Bali, Indonesia, 9-11 June 2008

Content
- Legal Framework
- Oversight and Supervision
- CDD Practices
- Key Challenges

Legal Framework

Payment Systems Act (PSA) 2003
- Section 5: To notify the Bank to operate payment system
- Section 34: Provides examination power
- Section 35: Allow supervisors to access regulatees' books and records

Exchange Control Act 1953
- Section 4: Permission to deal / quote foreign currency
- Section 10: Permission to make payment outside Malaysia

Anti-Money Laundering and Anti-Terrorism Financing Act 2001 (AMLA)
- Came into operation effective 15 January 2002
- Criminalises money laundering
- Provides, among others, for the following:
  - Money laundering offence
  - Financial intelligence
  - Reporting obligations of the reporting institutions:
    - Suspicious transaction reporting (STR)
    - AML/CFT compliance programme
    - Record keeping: 6 years
  - Investigation of ML/TF cases
  - Freezing, seizure and forfeiture of property
  - Combating the financing of terrorist (CFT) offences and freezing, seizure and forfeiture of terrorist property

Invocation on RSPs was carried out in stages.
- 15 Apr 2002: First stage, STR (S14(b) (Report by Reporting Institutions), S20 (Secrecy Obligation Overridden), S21 (Obligations of Supervisory or Licensing authority), S24 (Protection of Person Reporting) of the AMLA)
- 15 Apr 2003: Remaining reporting obligations in Part IV of the AMLA (covering among others S15 (Centralisation of Information), S16 (Identification of accountholder))

In addition, RIs are subjected to:
- 9 Mar 2007: Anti-Money Laundering and Anti-Terrorism Financing (Reporting Obligations) Regulations 2007 (AMLA Regulations)
- 15 Nov 2006: Standard Guidelines on AML/CFT; AML/CFT Sectoral Guidelines 3 for Licensed Money Changers and/or Non-Bank Remittance Operators

AML/CFT Guidelines (issued in November 2006)

Roles and responsibilities of Board of Directors/Senior Management
- Formulate and approve AML/CFT policies and procedures
- Appoint a compliance officer
- Review and assess compliance with relevant AML/CFT laws and regulations
- Ensure adequate resources to carry out AML/CFT measures
- Provide staff training on AML/CFT

AML/CFT Guidelines

Roles and responsibilities of designated AML Compliance Officer
- Establishes internal AML/CFT programme
- Ensures compliance by institution and staff
- Assesses AML/CFT mechanism, esp. customer due diligence (CDD) procedures
- Ensures staff awareness of institution's AML/CFT measures
- Receives reports and feedback from other employees and submits STRs and requisite information to the FIU
- Assesses the risk of money laundering in the institution's products and services
- Has necessary knowledge and authority to effectively discharge his responsibilities

Supervisory Approach on RSP

Broad Objectives
- Promote migration of informal to formal remittance channel
- Improve remittance service and increase competition
- Ensure integrity of remittance service providers

Supervisory Approach
- Adopt a risk-based supervisory approach
- Continuous surveillance based on periodic submission of statistical and financial reporting
- On-site supervision (part of annual supervisory plan):
  - Risk based
  - Incident based: act on complaint (e.g. frequent public complaint)
  - On a surprise basis
- Stringent supervisory intervention for any breaches of or non-compliance with prevailing law or guidelines by RSPs

Supervisory objectives, to ensure that RSPs:
- Comply with prudential and conditional (approval) requirements imposed by BNM
- Provide the necessary mechanism and control processes to ensure compliance with AML/CFT requirements
- Are not used as conduit for ML/CFT activities
- Provide reasonable assurance of system control and integrity

Supervisory Balancing Act: Promote Ease of Migration to Formal Channel vs Compliance with Regulatory Requirements

Supervisory Approach (cont.)

Adopt Risk Based
- Profile companies into 4 risk groups (low, moderate-low, moderate-high and high)
- Continuous risk assessment and validation

Differentiated Supervisory Approach
- Surveillance and supervision based on companies' risk profile, size and complexity
- Incident based approach
- Surprise visit

Agile and Responsive
- Surveillance through continuous monitoring and reporting by regulated entity
- Enforce varied supervisory intervention

Payment Systems Supervisory Life Cycle

Risk Based Methodology
- Profiling of companies based on risk they pose to the Bank's objectives
- Risk to the Bank's objective = Impact x Probability
- Risk rating: to supervisors' fair judgment
- 4 types of risk rating

Calculation of Probability
- Likelihood of issues / events to occur
- Assessment will be based on historical data, current emerging risks and future trends as well as market intelligence gathering

Calculation of Impact
- Degree of issues / events to the Bank's objectives
- Guiding principles for impact assessment

[Figure: Risk Based Quadrants. Axes: Impact (Low to High), Probability (Low to High). Quadrants: Group 1 (High), Group 2 (Moderate High), Group 3 (Moderate Low), Group 4 (Low).]

Risk Based Methodology (cont.)

Impact Assessment - Guiding Principles
1. Nature of business
2. Pervasiveness of business operations
   - Linkages to financial system
   - Customer base
   - Size of liabilities
   - Transaction volume
3. Compliance with prudential requirements
   - Shareholders' funds requirements: RSP RM100k
4. Financial health

Brief Background on Profile of Non-Bank RSPs
- 21 RSPs (non-bank) and 113 branches (excluding POS M'sia)
- Extreme range of business size
- Some have yet to commence operations (5 RSPs)
- Internet and computer-based
- Some use proprietary system, few rely on established network/system (International Money Transfer Operator) such as WU
- Heavy investment: IT system, premises, branding, marketing, personnel, etc.

Customer Acceptance Policy
- Reporting institutions to formulate policies and procedures to address the establishment of business relationship with the customer
- Identify and assess risk of customers
- Have reasonable measures to address the different risks posed
- Risk profiling, factors to consider:
  - Origin of customers and location of business;
  - Background or profile of the customer;
  - Nature of the customer's business/occupation;
  - Structure of ownership (for a corporate customer); and
  - Any other information suggesting that the customer is of higher risk.
- Continuously monitor the customer's transaction activity pattern to ensure it is in line with the customer profile

Customer Due Diligence
- The reporting institution should adhere to the customer due diligence requirements as stipulated in the Standard Guidelines on AML/CFT
- The extent at the identification stage may be based on the following severity:
  - Background of the person and the suspicious circumstances in which the transaction was conducted
  - Type or form of transaction undertaken
  - New type of service/product/new technology, which alters the delivery mode and transaction process: care must be taken to ensure that customer identification and verification requirements are adequately complied with
  - The type of customers
- Where there is doubt on identification of the customer, RSP should not proceed with the transaction and lodge STR with FIU, BNM

Customer Due Diligence (cont.)

RSP should undertake the following:
- Identify and verify the customer
- Identify and verify beneficial ownership and control of such transaction
- Obtain information on the purpose and intended nature of the business relationship/transaction
- Conduct on-going due diligence and scrutiny, to ensure the information provided is updated and relevant

CDD should also be conducted when:
- Establishing a business relationship with the customer;
- There is suspicion of ML or FT; or
- There are doubts about the veracity or adequacy of previously obtained information.

If the customer fails to comply with the CDD requirements, reporting institution should not commence or should terminate such business relations with the customer

Customer Due Diligence (cont.)
- RSP is required to conduct CDD and transmit accurate and meaningful originator information for any transaction involving an amount equivalent to RM3,000 and above
- Required to obtain and verify the originator's information:
  - Name
  - Nationality
  - National identification card/passport/kad Jalan (Identity Card issued by Immigration Dept)
  - Account number (or unique reference number) / Privilege card
  - Address
- If remittance is facilitated through a bank, RSP is required to provide the originator's information immediately upon request
- For remittance/wire transfer received, RSP should ensure that complete originator's information is provided. RSP should adopt risk-based approach for transaction with incomplete information.

Enhanced Due Diligence for Higher Risk Customers
- Obtain more detailed information from the customer and through publicly available information (if available), on the purpose of transaction and source of funds
- Obtain approval from the Senior Management before establishing the business relationship with the customer

Examples of higher risk customers
- High net worth individuals
- From locations known for their high crime rate (e.g. drug producing, trafficking, smuggling)
- Countries or jurisdictions with inadequate AML/CFT laws and regulations such as the Non-Cooperative Countries and Territories (NCCT)
- Politically Exposed Persons (PEP)
- Legal arrangements that are complex: trust, nominee
- Cash-based businesses

Record Keeping
- Keep all records and documents:
  - Transactions conducted
  - Customer due diligence
- For at least 6 years* after:
  - Transaction has been completed, or
  - The business relations with the customer have ended
- Where the records are subjected to ongoing investigations or prosecution, they shall be retained beyond the stipulated retention period as specified
- For audit trail, records shall include at least:
  - Identity of the customer and beneficiary
  - Form of transaction (e.g. by cash or by cheque)
  - Instruction and the origin and destination of fund transfers
  - Amount and type of currency

* As per AML/CFT guidelines

Ongoing Monitoring by RSP
- Have in place an adequate management information system to complement its customer due diligence
- Provide timely information to detect any suspicious activity, which would include:
  - Multiple transactions over a time frame
  - Large transactions
  - Anomaly in transaction pattern
  - Transactions exceeding any internally specified threshold
- Establish internal criteria ("red flags") to detect suspicious transactions
- Conduct enhanced due diligence and ongoing monitoring of transactions:
  - That match the red flags list
  - From countries which have insufficiently implemented the internationally accepted AML/CFT measures
- All findings must be documented and made available to Bank Negara Malaysia and relevant supervisory authority

Examples of Red Flags
- Transactions conducted are out of character with the usual conduct or profile of customers carrying out such transactions
- Customer using different identifications each time conducting a transaction
- A group of customers trying to break up a large cash transaction into multiple small transactions
- Unwillingness to provide information
- Same customer conducting a few small transactions in a day or at different branches/locations
- There are sudden or inconsistent changes in remittance/wire transfer sent/received transactions
- Remittances/wire transfers from different customers/jurisdiction being sent to the same customer

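Added example (not part of the original presentation): a sketch of how several of the red flags above could be expressed as internal monitoring criteria over transaction records aggregated across branches. The record layout, flag names and the sender-count limit are assumptions, and the sample records are constructed; RM3,000 is the CDD threshold stated in the slides.

```python
from collections import defaultdict
from datetime import date

CDD_THRESHOLD_RM = 3000          # from the slides: CDD applies at RM3,000 and above
MAX_SENDERS_PER_BENEFICIARY = 3  # assumed internal criterion, not from the slides

# Constructed sample records: (day, branch, customer, id_document, beneficiary, amount_rm)
TXNS = [
    (date(2008, 6, 9), "KL-01", "C1", "IC-111", "B1", 1200),
    (date(2008, 6, 9), "KL-02", "C1", "IC-111", "B1", 1100),
    (date(2008, 6, 9), "PJ-01", "C1", "IC-111", "B1", 900),
    (date(2008, 6, 9), "KL-01", "C2", "PP-222", "B2", 500),
    (date(2008, 6, 10), "KL-01", "C2", "IC-229", "B2", 450),
    (date(2008, 6, 10), "KL-01", "C3", "IC-333", "B9", 800),
    (date(2008, 6, 10), "KL-02", "C4", "IC-444", "B9", 750),
    (date(2008, 6, 11), "PJ-01", "C5", "IC-555", "B9", 700),
    (date(2008, 6, 11), "PJ-01", "C6", "IC-666", "B7", 2500),
]

def red_flags(txns):
    """Return sorted (flag, subject) pairs for the records given.

    Assumes every branch system reports a consistent customer key; without
    that, aggregated limits cannot be tracked across disparate systems.
    """
    daily = defaultdict(list)    # (customer, day) -> [(branch, amount)]
    id_docs = defaultdict(set)   # customer -> identification documents seen
    senders = defaultdict(set)   # beneficiary -> distinct senders
    for day, branch, cust, id_doc, benef, amount in txns:
        daily[(cust, day)].append((branch, amount))
        id_docs[cust].add(id_doc)
        senders[benef].add(cust)

    flags = set()
    for (cust, _day), items in daily.items():
        amounts = [amount for _, amount in items]
        # Several small transactions in one day that together reach the threshold
        if len(items) > 1 and max(amounts) < CDD_THRESHOLD_RM <= sum(amounts):
            flags.add(("SPLIT_BELOW_THRESHOLD", cust))
        # Same customer transacting at different branches on the same day
        if len({branch for branch, _ in items}) > 1:
            flags.add(("MULTI_BRANCH_SAME_DAY", cust))
    for cust, docs in id_docs.items():
        if len(docs) > 1:        # different identification on different visits
            flags.add(("CHANGING_ID", cust))
    for benef, custs in senders.items():
        if len(custs) >= MAX_SENDERS_PER_BENEFICIARY:
            flags.add(("MANY_SENDERS_ONE_BENEFICIARY", benef))
    return sorted(flags)
```

Each flag is a trigger for enhanced due diligence and documentation of findings, not a conclusion about the customer.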
Some of the Key Challenges
- Many small players with varied compliance culture
- IT system lacking embedded AML/CFT control and reporting features
- Use of numerous disparate remittance IT systems: not able to effectively track and monitor aggregated transaction limit and irregular pattern, holistically
- Promote use of a safe and secure channel (CDM, Internet banking); however, CDM does not identify sender
- Crowded market: issue of business viability and sustainability (stiff competition, cost-conscious clients, rising overheads)
- Collaboration and co-operation with foreign International Money Transfer Operators: issues on cross border jurisdiction
- Ownership: concern over subsequent transfer of ownership / shareholding to undesired elements (fit and proper criteria)