How to Assess and Manage Risk in Investment Fund Management

Investment fund risk

Risk management for providers of investment funds

The provision of investment funds can involve multiple parties: the fund manager, appointed advisers, the depositary and sub-custodians, registrars and, in some cases, prime brokers. Similarly, the distribution of these funds can involve parties such as tied agents, advisory and discretionary wealth managers, platform service providers and independent financial advisers.

The type and number of parties involved in the fund distribution process depends on the nature of the fund and may affect how much the fund knows about its customers and investors. The fund or, where the fund is not itself an obliged entity, the fund manager retains responsibility for compliance with AML/CFT obligations, although aspects of the fund’s CDD obligations may be carried out by one or more of these other parties, subject to certain conditions.

Funds can simply serve as a store of value for criminal assets, placing them beyond the reach of other jurisdictions. This is why such funds are attractive to criminals looking to hide money. The key is to identify who the investors are, where the assets came from and how the investment was funded; this is made more difficult when the true ownership of the investment is obscured.

Investment funds may be used by persons or entities for ML/TF purposes:

  • Retail funds are often distributed on a non-face-to-face basis; access to such funds is often easy and relatively quick to achieve, and holdings in such funds can be transferred between different parties.
  • Alternative investment funds, such as hedge funds, real estate and private equity funds, tend to have a smaller number of investors, which can be private individuals as well as institutional investors (pension funds, funds of funds). Funds that are designed for a limited number of high-net-worth individuals, or for family offices, can have an inherently higher risk of abuse for ML/TF purposes than retail funds, since investors are more likely to be in a position to exercise control over the fund assets. If investors exercise control over the assets, such funds are in effect personal asset-holding vehicles, which are mentioned as a factor indicating potentially higher risk in Annex III to Directive (EU) 2015/849.
  • Notwithstanding the often medium- to long-term nature of the investment, which can contribute to limiting the attractiveness of these products for money laundering purposes, they may still appeal to money launderers on the basis of their ability to generate growth and income.

This post is directed at:

  • Investment fund managers performing activities under Article 3(2)(a) of Directive (EU) 2015/849; and
  • Investment funds marketing their own shares or units, under Article 3(2)(d) of Directive (EU) 2015/849.

Other parties involved in the provision or distribution of the fund, for example intermediaries, may have to comply with their own CDD obligations and should refer to the relevant chapters of these guidelines as appropriate. The post, while EU-centric, is good advice and a standard setter globally.

For funds and fund managers, our general risk management post may also be relevant.

Risk factors
Product, service or transaction risk factors

The following factors may contribute to increasing the risk associated with the fund:

  • The fund is designed for a limited number of individuals or family offices, for example a private fund or single investor fund.
  • It is possible to subscribe to the fund and then quickly redeem the investment without the investor incurring significant administrative costs.
  • Units of or shares in the fund can be traded without the fund or fund manager being notified at the time of the trade and, as a result, information about the investor is split among several parties (as is the case with closed-ended funds traded on secondary markets).

The following factors may contribute to increasing the risk associated with the subscription:

  • The subscription involves accounts or third parties in multiple jurisdictions, in particular where these jurisdictions are associated with a high ML/TF risk as defined in our generic risk post.
  • The subscription involves third party subscribers or payees, in particular where this is unexpected.

The following factors may contribute to reducing the risk associated with the fund:

  • Third party payments are not allowed.
  • The fund is open to small-scale investors only, with investments capped.

Customer risk factors

The following factors may contribute to increasing risk:

  • The customer’s behaviour is unusual, for example:
    • The rationale for the investment lacks an obvious strategy or economic purpose or the customer makes investments that are inconsistent with the customer’s overall financial situation, where this is known to the fund or fund manager.
    • The customer asks to repurchase or redeem an investment within a short period after the initial investment or before the payout date without a clear rationale, in particular where this results in financial loss or payment of high transaction fees.
    • The customer requests the repeated purchase and sale of shares within a short period of time without an obvious strategy or economic rationale.
    • The customer transfers funds in excess of those required for the investment and asks for surplus amounts to be reimbursed.
    • The customer uses multiple accounts without previous notification, especially when these accounts are held in multiple jurisdictions or jurisdictions associated with higher ML/TF risk.
    • The customer wishes to structure the relationship in such a way that multiple parties, for example non-regulated nominee companies, are used in different jurisdictions, particularly where these jurisdictions are associated with higher ML/TF risk.
    • The customer suddenly changes the settlement location without rationale, for example by changing the customer’s country of residence.
    • The customer and the beneficial owner are located in different jurisdictions and at least one of these jurisdictions is associated with higher ML/TF risk as defined in the general part of the guidelines.
    • The beneficial owner’s funds have been generated in a jurisdiction associated with higher ML/TF risk, in particular where the jurisdiction is associated with higher levels of predicate offences to ML/TF.
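Several of the subscription and customer-behaviour factors listed above (quick redemption after subscribing, repeated buying and selling without a strategy, transfers in excess of the amount required followed by a refund request, third-party payers, accounts spread across jurisdictions or held in a higher-risk jurisdiction) are concrete enough to encode as screening rules over a fund's subscription and redemption records. The following is an added example written for this post; it is not code from the original guidelines or from any fund administrator. The event fields, the thresholds, the placeholder country code "XX" and the sample records are all assumptions for illustration.

```python
"""Rule-based screening of fund subscription and redemption records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for illustration; tune them to the fund's risk appetite.
QUICK_REDEEM_DAYS = 30        # a redemption this soon after subscribing is "quick"
CHURN_WINDOW_DAYS = 90        # window for counting repeated buy/sell activity
CHURN_MIN_ROUND_TRIPS = 3     # subscribe/redeem pairs inside the window that count as churn
HIGH_RISK_COUNTRIES = {"XX"}  # placeholder code; load the fund's own higher-risk list here


@dataclass(frozen=True)
class Event:
    customer: str        # name of the customer of record
    day: date
    kind: str            # "subscribe", "redeem" or "refund_request"
    amount: float        # amount settled, in the fund's currency
    expected: float      # amount the order actually required (0 for non-subscriptions)
    account_holder: str  # name on the paying / receiving bank account
    country: str         # ISO 3166 code of the bank account's jurisdiction


def screen(events, high_risk=HIGH_RISK_COUNTRIES):
    """Return {customer: set of flag codes} for every customer who trips at least one rule."""
    by_customer = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.day):
        by_customer[ev.customer].append(ev)

    results = {}
    for customer, evs in by_customer.items():
        flags = set()
        subs = [e for e in evs if e.kind == "subscribe"]
        reds = [e for e in evs if e.kind == "redeem"]

        # Redemption within a short period after a subscription.
        if any(0 <= (r.day - s.day).days <= QUICK_REDEEM_DAYS for r in reds for s in subs):
            flags.add("QUICK_REDEMPTION")

        # Repeated purchase and sale within a short period: slide a window over the
        # ordered trades and count completed subscribe/redeem pairs inside it.
        trades = [e for e in evs if e.kind in ("subscribe", "redeem")]
        for i, start in enumerate(trades):
            window = [e for e in trades[i:] if (e.day - start.day).days <= CHURN_WINDOW_DAYS]
            n_sub = sum(e.kind == "subscribe" for e in window)
            n_red = sum(e.kind == "redeem" for e in window)
            if min(n_sub, n_red) >= CHURN_MIN_ROUND_TRIPS:
                flags.add("ROUND_TRIPPING")
                break

        # Transfer in excess of the amount required, followed by a request to pay the surplus back.
        overpaid = [s for s in subs if s.amount > s.expected]
        if overpaid and any(e.kind == "refund_request" and e.day >= overpaid[0].day for e in evs):
            flags.add("SURPLUS_REFUND_REQUEST")

        # Third-party subscriber or payee: the account holder is not the customer of record.
        if any(e.account_holder != e.customer for e in evs):
            flags.add("THIRD_PARTY_PAYMENT")

        # Accounts in several jurisdictions, and any account in a higher-risk jurisdiction.
        countries = {e.country for e in evs}
        if len(countries) > 1:
            flags.add("MULTI_JURISDICTION")
        if countries & high_risk:
            flags.add("HIGH_RISK_JURISDICTION")

        # Redemption routed to an account that was never used to fund a subscription.
        sub_accounts = {(s.account_holder, s.country) for s in subs}
        if any((r.account_holder, r.country) not in sub_accounts for r in reds):
            flags.add("REDEMPTION_TO_NEW_ACCOUNT")

        if flags:
            results[customer] = flags
    return results


# Constructed sample records for illustration; not real customers or transactions.
SAMPLE_EVENTS = [
    # Alice subscribes and redeems two weeks later, to an account in another country.
    Event("Alice Ng", date(2024, 1, 10), "subscribe", 100_000, 100_000, "Alice Ng", "IE"),
    Event("Alice Ng", date(2024, 1, 24), "redeem", 100_000, 0, "Alice Ng", "CH"),
    # Bob's subscription is paid by a company in the placeholder higher-risk country,
    # over-pays the order, then asks for the surplus to be returned.
    Event("Bob Ortiz", date(2024, 2, 1), "subscribe", 260_000, 250_000, "Zed Holdings Ltd", "XX"),
    Event("Bob Ortiz", date(2024, 2, 5), "refund_request", 10_000, 0, "Zed Holdings Ltd", "XX"),
    # Carol buys and sells three times in ten weeks with no obvious strategy.
    Event("Carol Ip", date(2024, 3, 4), "subscribe", 40_000, 40_000, "Carol Ip", "IE"),
    Event("Carol Ip", date(2024, 3, 18), "redeem", 40_000, 0, "Carol Ip", "IE"),
    Event("Carol Ip", date(2024, 4, 2), "subscribe", 40_000, 40_000, "Carol Ip", "IE"),
    Event("Carol Ip", date(2024, 4, 16), "redeem", 40_000, 0, "Carol Ip", "IE"),
    Event("Carol Ip", date(2024, 4, 29), "subscribe", 40_000, 40_000, "Carol Ip", "IE"),
    Event("Carol Ip", date(2024, 5, 13), "redeem", 40_000, 0, "Carol Ip", "IE"),
    # Dan invests once from his own account and holds; trips nothing.
    Event("Dan Rees", date(2024, 3, 1), "subscribe", 20_000, 20_000, "Dan Rees", "IE"),
]

if __name__ == "__main__":
    for customer, flags in screen(SAMPLE_EVENTS).items():
        print(customer, sorted(flags))
```

Each flag is only an indicator that the relationship or transaction needs review against the customer's known profile; a legitimate reason (for example a genuine need for liquidity, or a family member funding an investment that was disclosed at onboarding) may explain it. The rules therefore produce a set of codes per customer for a reviewer to weigh, not a verdict, and in production the thresholds and the higher-risk country list would be maintained as configuration rather than constants.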

The following factors may contribute to reducing risk:

  • The customer is an institutional investor whose status has been verified by an EEA government agency, for example a government-approved pensions scheme;
  • The customer is a firm in an EEA country or a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

Distribution channel risk factors

The following factors may contribute to increasing risk:

  • Unclear or complex distribution channels that limit the fund’s oversight of its business relationships and restrict its ability to monitor transactions, for example the fund uses a large number of sub-distributors for distribution in third countries;
  • The distributor is located in a jurisdiction associated with higher ML/TF risk as defined in the general part of these guidelines.

The following factors may indicate lower risk:

  • The fund admits only a designated type of low-risk investor, such as regulated firms investing as a principal (e.g. life companies) or corporate pension schemes.
  • The fund can be purchased and redeemed only through a firm, for example a financial intermediary, in an EEA country or a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

Country or geographical risk factors

The following factors may contribute to increasing risk:

  • Investors’ monies have been generated in jurisdictions associated with higher ML/TF risk, in particular those associated with higher levels of predicate offences to money laundering.
  • The fund or fund manager invests in sectors with higher corruption risk (e.g. the extractive industries or the arms trade) in jurisdictions identified by credible sources as having significant levels of corruption or other predicate offences to ML/TF, in particular where the fund is a single investor fund or has a limited number of investors.

Measures

The measures funds or fund managers should take to comply with their CDD obligations will depend on how the customer or the investor (where the investor is not the customer) comes to the fund. The fund or fund manager should also take risk-sensitive measures to identify and verify the identity of the natural persons, if any, who ultimately own or control the customer (or on whose behalf the transaction is being conducted), for example by asking the prospective investor to declare, when they first apply to join the fund, whether they are investing on their own behalf or whether they are an intermediary investing on someone else’s behalf.

The following classification of customers is referenced throughout the rest of this post and should be read carefully: it determines the level of risk and the measures to be applied in each circumstance.

The customer is:

  • (A) A natural or legal person who directly purchases units of or shares in a fund on their own account, and not on behalf of other, underlying investors; or
  • (B) A firm that, as part of its economic activity, directly purchases units of or shares in its own name and exercises control over the investment for the ultimate benefit of one or more third parties who do not control the investment or investment decisions; or
  • (C) A firm, for example a financial intermediary, that acts in its own name and is the registered owner of the shares or units but acts on the account of, and pursuant to specific instructions from, one or more third parties (e.g. because the financial intermediary is a nominee, broker, multi-client pooled account/omnibus type account operator or operator of a similar passive-type arrangement); or
  • (D) A firm’s customer, for example a financial intermediary’s customer, where the firm is not the registered owner of the shares or units (e.g. because the investment fund uses a financial intermediary to distribute fund shares or units, and the investor purchases units or shares through the firm and the firm does not become the legal owner of the units or shares).

In the situations described in bullet points ‘A’ and ‘B’ above, examples of EDD measures a fund or fund manager should apply in high-risk situations include:

  • Obtaining additional customer information, such as the customer’s reputation and background, before the establishment of the business relationship;
  • Taking additional steps to further verify the documents, data or information obtained;
  • Obtaining information on the source of funds and/or the source wealth of the customer and of the customer’s beneficial owner;
  • Requiring that the redemption payment is made through the initial account used for investment or an account in the sole or joint name of the customer;
  • Increasing the frequency and intensity of transaction monitoring;
  • Requiring that the first payment is made through a payment account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution or a regulated credit or financial institution in a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849;
  • Obtaining approval from senior management at the time of the transaction when a customer uses a product or service for the first time;
  • Enhanced monitoring of the customer relationship and individual transactions.

In lower risk situations, to the extent permitted by national legislation, and provided that the funds are verifiably being transferred to or from a payment account held in the customer’s sole or joint name with an EEA-regulated credit or financial institution, an example of the SDD measures the fund or fund manager may apply is using the source of funds to meet some of the CDD requirements.

SDD and EDD measures to be taken in situations described in bullet point ‘C’ above.

In the situations described in ‘C’ (above), where the financial intermediary is the fund or fund manager’s customer, the fund or fund manager should apply risk-sensitive CDD measures to the financial intermediary. The fund or fund manager should also take risk-sensitive measures to identify, and verify the identity of, the investors underlying the financial intermediary, as these investors are the beneficial owners of the funds invested through the intermediary. To the extent permitted by national law, in low-risk situations, funds or fund managers may apply SDD measures similar to those described in the ‘pooled accounts’ section of our Retail Banking Risks post, subject to the following conditions:

  • The financial intermediary is subject to AML/CFT obligations in an EEA jurisdiction or in a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.
  • The financial intermediary is effectively supervised for compliance with these requirements.
  • The fund or fund manager has taken risk-sensitive steps to be satisfied that the ML/TF risk associated with the business relationship is low, based on, inter alia, the fund or fund manager’s assessment of the financial intermediary’s business, the types of clients the intermediary’s business serves and the jurisdictions the intermediary’s business is exposed to.
  • The fund or fund manager has taken risk-sensitive steps to be satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners. As part of this, the fund or fund manager should take risk-sensitive measures to assess the adequacy of the intermediary’s CDD policies and procedures, for example by referring to publicly available information about the intermediary’s compliance record or liaising directly with the intermediary.
  • The fund or fund manager has taken risk-sensitive steps to be satisfied that the intermediary will provide CDD information and documents on the underlying investors immediately upon request, for example by including relevant provisions in a contract with the intermediary or by sample-testing the intermediary’s ability to provide CDD information upon request.

Where the risk is increased, in particular where the fund is designed for a limited number of investors, EDD measures must apply and may include those set out above for higher-risk situations involving ‘A’ and ‘B’ customers.

SDD and EDD measures to be taken in situations described in bullet point ‘D’ above.

In the situations described in bullet point ‘D’ above, the fund or fund manager should apply risk-sensitive CDD measures to the ultimate investor as the fund or fund manager’s customer. To meet its CDD obligations, the fund or fund manager may rely upon the intermediary in line with, and subject to, the conditions set out in Chapter II, Section 4, of Directive (EU) 2015/849.

To the extent permitted by national law, in low-risk situations, funds or fund managers may apply SDD measures. Provided that the conditions listed in relation to the risk for a ‘C’ classified customer are met, SDD measures may consist of the fund or fund manager obtaining identification data from the fund’s share register, together with the information specified in Article 27(1) of Directive (EU) 2015/849, which the fund or fund manager must obtain from the intermediary within a reasonable time-frame. The fund or fund manager should set that time-frame in line with the risk-based approach.

Where the risk is increased, in particular where the fund is designed for a limited number of investors, EDD measures must apply and may include those set out in the measures for customers identified as bullet points ‘A’ and ‘B’ above.

How To Assess and Manage Risk with Wealth Management

Wealth Management

Guidelines to manage risk within wealth management

Wealth management is the provision of banking and other financial services to high-net-worth individuals and their families or businesses. It is also known as private banking. Clients of wealth management firms can expect dedicated relationship management staff to provide tailored services covering, for example, banking (e.g. current accounts, mortgages and foreign exchange), investment management and advice, fiduciary services, safe custody, insurance, family office services, tax and estate planning and associated facilities, including legal support.

Many of the features typically associated with wealth management, such as wealthy and influential clients; very high-value transactions and portfolios; complex products and services, including tailored investment products; and an expectation of confidentiality and discretion are indicative of a higher risk for money laundering relative to those typically present in retail banking. Wealth management firms’ services may be particularly vulnerable to abuse by clients who wish to conceal the origins of their funds or, for example, evade tax in their home jurisdiction.

Firms in this sector should consider the following risk factors and measures alongside those set out in our general post on Risk Management.

Risk factors
Product, service and transaction risk factors

The following factors may contribute to increasing risk:

  • Customers requesting large amounts of cash or other physical stores of value such as precious metals;
  • Very high-value transactions;
  • Financial arrangements involving jurisdictions associated with higher ML/TF risk (firms should pay particular attention to countries that have a culture of banking secrecy or that do not comply with international tax transparency standards);
  • Lending (including mortgages) secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify;
  • The use of complex business structures such as trusts and private investment vehicles, particularly where the identity of the ultimate beneficial owner may be unclear;
  • Business taking place across multiple countries, particularly where it involves multiple providers of financial services;
  • Cross-border arrangements where assets are deposited or managed in another financial institution, either of the same financial group or outside of the group, particularly where the other financial institution is based in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions with higher levels of predicate offences, a weak AML/CFT regime or weak tax transparency standards.

Customer risk factors

The following factors may contribute to increasing risk:

  • Customers with income and/or wealth from high-risk sectors such as arms, the extractive industries, construction, gambling or private military contractors.
  • Customers about whom credible allegations of wrongdoing have been made.
  • Customers who expect unusually high levels of confidentiality or discretion.
  • Customers whose spending or transactional behaviour makes it difficult to establish ‘normal’, or expected patterns of behaviour.
  • Very wealthy and influential clients, including customers with a high public profile, non-resident customers and PEPs. Where a customer or a customer’s beneficial owner is a PEP, firms must always apply EDD in line with Articles 18 to 22 of Directive (EU) 2015/849.
  • The customer requests that the firm facilitates the customer being provided with a product or service by a third party without a clear business or economic rationale.

Country or geographical risk factors

The following factors may contribute to increasing risk:

  • Business is conducted in countries that have a culture of banking secrecy or do not comply with international tax transparency standards.
  • The customer lives in, or their funds derive from activity in, a jurisdiction associated with higher ML/TF risk.

Measures

The staff member managing a wealth management firm’s relationship with a customer (the relationship manager) should play a key role in assessing risk. The relationship manager’s close contact with the customer will facilitate the collection of information that allows a fuller picture of the purpose and nature of the customer’s business to be formed (e.g. an understanding of the client’s source of wealth, why complex or unusual arrangements may nonetheless be genuine and legitimate, or why extra security may be appropriate). This close contact may, however, also lead to conflicts of interest if the relationship manager becomes too close to the customer, to the detriment of the firm’s efforts to manage the risk of financial crime.

Consequently, independent oversight of the risk assessment will also be appropriate, provided by, for example, the compliance department and senior management. Where the compliance function is outsourced, the firm should satisfy itself that the outsourced provider is well trained and up to date with current regulations, processes and practices, especially where the provider deals with the relationship manager but has no contact with the client.

Enhanced customer due diligence

The following EDD measures may be appropriate in high-risk situations:

  • Obtaining and verifying more information about clients than in standard risk situations and reviewing and updating this information both on a regular basis and when prompted by material changes to a client’s profile. Firms should perform reviews on a risk-sensitive basis, reviewing higher-risk clients at least annually but more frequently if risk dictates. These procedures may include recording any visits to clients’ premises, whether at their home or business, together with any changes to the client profile, or other information affecting the risk assessment, that these visits prompt.
  • Establishing the source of wealth and funds; where the risk is particularly high and/or where the firm has doubts about the legitimate origin of the funds, verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth can be verified by reference to, inter alia:
    • An original or certified copy of a recent pay slip;
    • Written confirmation of annual salary signed by an employer;
    • An original or certified copy of contract of sale of, for example, investments or a company;
    • Written confirmation of sale signed by an advocate or solicitor;
    • An original or certified copy of a will or grant of probate;
    • Written confirmation of inheritance signed by an advocate, solicitor, trustee or executor;
    • An internet search of a company registry to confirm the sale of a company.
  • Establishing the destination of funds.
  • Performing greater levels of scrutiny and due diligence on business relationships than would be typical in mainstream financial service provision, such as in retail banking or investment management.
  • Carrying out an independent internal review and, where appropriate, seeking senior management approval of new clients and existing clients on a risk-sensitive basis.
  • Monitoring transactions on an ongoing basis, including, where necessary, reviewing each transaction as it occurs, to detect unusual or suspicious activity. This may include measures to determine whether any of the following are out of line with the business risk profile:
    • Transfers (of cash, investments or other assets);
    • The use of wire transfers;
    • Significant changes in activity;
    • Transactions involving jurisdictions associated with higher ML/TF risk.
  • Monitoring measures may include the use of thresholds, and an appropriate review process by which unusual behaviours are promptly reviewed by relationship management staff or (at certain thresholds) the compliance functions or senior management.
  • Monitoring public reports or other sources of intelligence to identify information that relates to clients or to their known associates, businesses to which they are connected, potential corporate acquisition targets or third party beneficiaries to whom the client makes payments.
  • Ensuring that cash or other physical stores of value (e.g. travellers’ cheques) are handled only at bank counters, and never by relationship managers.
  • Ensuring that the firm is satisfied that a client’s use of complex business structures such as trusts and private investment vehicles is for legitimate and genuine purposes, and that the identity of the ultimate beneficial owner is understood.

Simplified customer due diligence

Simplified due diligence is not appropriate in a wealth management context.

How to Assess and Manage Risk in Retail Banking

Retail Banking

How to assess and manage AML and TF risk in Retail Banking

For the purpose of this post, retail banking means the provision of banking services to natural persons and small and medium-sized enterprises. Examples of retail banking products and services include current accounts, mortgages, savings accounts, consumer and term loans, and credit lines.

Due to the nature of the products and services offered, the relative ease of access and the often large volume of transactions and business relationships, retail banking is vulnerable to terrorist financing and to all stages of the money laundering process. At the same time, the volume of business relationships and transactions associated with retail banking can make identifying ML/TF risk associated with individual relationships and spotting suspicious transactions particularly challenging.

Banks should consider the following risk factors and measures alongside those set out in our general risk management post.

Risk factors

Product, service and transaction risk factors

The following factors may contribute to increasing risk:

  • The product’s features favour anonymity;
  • The product allows payments from third parties that are neither associated with the product nor identified upfront, where such payments would not be expected, for example for mortgages or loans;
  • The product places no restrictions on turnover, cross-border transactions or similar product features;
  • New products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and existing products where these are not yet well understood;
  • Lending (including mortgages) secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify;
  • An unusually high volume or large value of transactions.

The following factors may contribute to reducing risk:

  • The product has limited functionality, for example in the case of:
    • A fixed term savings product with low savings thresholds;
    • A product where the benefits cannot be realised for the benefit of a third party;
    • A product where the benefits are only realisable in the long term or for a specific purpose, such as retirement or a property purchase;
    • A low-value loan facility, including one that is conditional on the purchase of a specific consumer good or service; or
    • A low-value product, including a lease, where the legal and beneficial title to the asset is not transferred to the customer until the contractual relationship is terminated or is never passed at all.
  • The product can only be held by certain categories of customers, for example pensioners, parents on behalf of their children, or minors until they reach the age of majority.
  • Transactions must be carried out through an account in the customer’s name at a credit or financial institution that is subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.
  • There is no over-payment facility.

Customer risk factors

The following factors may contribute to increasing risk:

  • The nature of the customer, for example:
    • The customer is a cash-intensive undertaking.
    • The customer is an undertaking associated with higher levels of money laundering risk, for example certain money remitters and gambling businesses.
    • The customer is an undertaking associated with a higher corruption risk, for example operating in the extractive industries or the arms trade.
    • The customer is a non-profit organisation that supports jurisdictions associated with an increased TF risk.
    • The customer is a new undertaking without an adequate business profile or track record.
    • The customer is a non-resident. Banks should note that Article 16 of Directive 2014/92/EU creates a right for consumers who are legally resident in the European Union to obtain a basic bank account, although the right to open and use a basic payment account applies only to the extent that banks can comply with their AML/CFT obligations and does not exempt banks from their obligation to identify and assess ML/TF risk, including the risk associated with the customer not being a resident of the Member State in which the bank is based.
    • The customer’s beneficial owner cannot easily be identified, for example because the customer’s ownership structure is unusual, unduly complex or opaque, or because the customer issues bearer shares.
  • The customer’s behaviour, for example:
    • The customer is reluctant to provide CDD information or appears deliberately to avoid face-to-face contact.
    • The customer’s evidence of identity is in a non-standard form for no apparent reason.
    • The customer’s behaviour or transaction volume is not in line with that expected from the category of customer to which they belong, or is unexpected based on the information the customer provided at account opening.
    • The customer’s behaviour is unusual, for example the customer unexpectedly and without reasonable explanation accelerates an agreed repayment schedule, by means either of lump sum repayments or early termination; deposits or demands payout of high-value bank notes without apparent reason; increases activity after a period of dormancy; or makes transactions that appear to have no economic rationale.

The following factor may contribute to reducing risk:

  • The customer is a long-standing client whose previous transactions have not given rise to suspicion or concern, and the product or service sought is in line with the customer’s risk profile.

Country or geographical risk factors

The following factors may contribute to increasing risk:

  • The customer’s funds are derived from personal or business links to jurisdictions associated with higher ML/TF risk.
  • The payee is located in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions known to provide funding or support for terrorist activities or where groups committing terrorist offences are known to be operating, and jurisdictions subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation.

The following factor may contribute to reducing risk:

  • Countries associated with the transaction have an AML/CFT regime that is not less robust than that required under Directive (EU) 2015/849 and are associated with low levels of predicate offences.

Distribution channel risk factors

The following factors may contribute to increasing risk:

  • Non-face-to-face business relationships, where no adequate additional safeguards – for example electronic signatures, electronic identification certificates issued in accordance with Regulation (EU) No 910/2014 and anti-impersonation fraud checks – are in place;
  • Reliance on a third party’s CDD measures in situations where the bank does not have a long-standing relationship with the referring third party;
  • New delivery channels that have not been tested yet.

The following factor may contribute to reducing risk:

  • The product is available only to customers who meet specific eligibility criteria set out by national public authorities, as in the case of state benefit recipients or specific savings products for children registered in a particular Member State.

Measures

Where banks use automated systems to identify ML/TF risk associated with individual business relationships or occasional transactions and to identify suspicious transactions, they should ensure that these systems are fit for purpose in line with the criteria set out in our generic risk assessment post. The use of automated IT systems should never be considered a substitute for staff vigilance.
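As an added example that is not part of the guidelines or of any vendor's monitoring product, the following Python screens a constructed set of transactions for three of the behavioural indicators listed earlier on this page: monthly turnover out of line with the volume the customer declared at account opening, a burst of activity after a period of dormancy, and high-value cash movements. The thresholds, the customer profile and the transactions are all assumptions; a real system would take them from the firm's risk appetite and its core banking records, and every alert still goes to an analyst, in line with the point above that automation does not replace staff vigilance.

```python
"""Rule-based transaction screening (added illustration, not from the guidelines).

Thresholds, the customer profile and the transactions below are constructed
assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    day: date
    amount: float   # positive = credit to the account, negative = debit
    channel: str    # "cash", "transfer" or "card"


@dataclass(frozen=True)
class Profile:
    customer_id: str
    expected_monthly_volume: float   # as declared at account opening


# Assumed thresholds; a firm would calibrate these to its own risk appetite.
VOLUME_MULTIPLIER = 3.0     # alert when a month's turnover exceeds 3x the declared volume
DORMANCY_DAYS = 180         # alert when activity resumes after at least this many idle days
CASH_THRESHOLD = 10_000.0   # alert on any single cash movement at or above this amount


def monthly_volumes(txns: List[Txn]) -> Dict[Tuple[int, int], float]:
    """Gross turnover (credits plus debits) per calendar month."""
    vols: Dict[Tuple[int, int], float] = {}
    for t in txns:
        key = (t.day.year, t.day.month)
        vols[key] = vols.get(key, 0.0) + abs(t.amount)
    return vols


def flag_volume_deviation(profile: Profile, txns: List[Txn]) -> List[str]:
    """Behaviour not in line with the volume expected from onboarding information."""
    alerts = []
    for (year, month), vol in sorted(monthly_volumes(txns).items()):
        if vol > VOLUME_MULTIPLIER * profile.expected_monthly_volume:
            alerts.append(f"VOLUME {year}-{month:02d}: turnover {vol:.2f} exceeds "
                          f"{VOLUME_MULTIPLIER:g}x declared {profile.expected_monthly_volume:.2f}")
    return alerts


def flag_dormancy_reactivation(txns: List[Txn]) -> List[str]:
    """Increased activity after a period of dormancy."""
    alerts = []
    ordered = sorted(txns, key=lambda t: t.day)
    for prev, cur in zip(ordered, ordered[1:]):
        gap = (cur.day - prev.day).days
        if gap >= DORMANCY_DAYS:
            alerts.append(f"DORMANCY: {gap} idle days before activity on {cur.day}")
    return alerts


def flag_high_value_cash(txns: List[Txn]) -> List[str]:
    """Deposit or payout of high-value cash."""
    return [f"CASH {t.day}: {t.amount:+.2f}"
            for t in txns if t.channel == "cash" and abs(t.amount) >= CASH_THRESHOLD]


def screen(profile: Profile, txns: List[Txn]) -> List[str]:
    """Run all rules; the returned alerts are for analyst review, not automatic action."""
    return (flag_volume_deviation(profile, txns)
            + flag_dormancy_reactivation(txns)
            + flag_high_value_cash(txns))


# Constructed sample: a customer who declared 2,000 per month, went quiet for
# seven months, then received a large cash deposit followed by an outbound transfer.
SAMPLE_PROFILE = Profile(customer_id="C-001", expected_monthly_volume=2_000.0)
SAMPLE_TXNS = [
    Txn(date(2023, 1, 5), -350.0, "card"),
    Txn(date(2023, 1, 20), 1_800.0, "transfer"),
    Txn(date(2023, 2, 3), -400.0, "card"),
    Txn(date(2023, 9, 1), 15_000.0, "cash"),
    Txn(date(2023, 9, 2), -9_000.0, "transfer"),
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_PROFILE, SAMPLE_TXNS):
        print(alert)
```

Run as a script it prints three alerts for the sample: the September turnover (24,000) against a declared 2,000, the 210 idle days between February and September, and the 15,000 cash deposit. Each rule is deliberately independent so that an alert can be traced back to the single indicator that fired, which is what an analyst needs when deciding whether the activity has an economic rationale.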

Enhanced customer due diligence

Where the risk associated with a business relationship or occasional transaction is increased, banks must apply EDD measures. These may include:

  • Verifying the customer’s and the beneficial owner’s identity on the basis of more than one reliable and independent source.
  • Identifying, and verifying the identity of, other shareholders who are not the customer’s beneficial owner or any natural persons who have authority to operate an account or give instructions concerning the transfer of funds or the transfer of securities.
  • Obtaining more information about the customer and the nature and purpose of the business relationship to build a more complete customer profile, for example by carrying out open source or adverse media searches or commissioning a third party intelligence report. Examples of the type of information banks may seek include:
    • The nature of the customer’s business or employment;
    • The source of the customer’s wealth and the source of the customer’s funds that are involved in the business relationship, to be reasonably satisfied that these are legitimate;
    • The purpose of the transaction, including, where appropriate, the destination of the customer’s funds;
    • Information on any associations the customer might have with other jurisdictions (headquarters, operating facilities, branches, etc.) and the individuals who may influence its operations; or
    • Where the customer is based in another country, why they seek retail banking services outside their home jurisdiction.
  • Increasing the frequency of transaction monitoring.
  • Reviewing and, where necessary, updating information and documentation held more frequently. Where the risk associated with the relationship is particularly high, banks should review the business relationship annually.

Simplified customer due diligence

In low-risk situations, and to the extent permitted by national legislation, banks may apply SDD measures, which may include:

  • For customers that are subject to a statutory licensing and regulatory regime, verifying identity based on evidence of the customer being subject to that regime, for example through a search of the regulator’s public register;
  • Verifying the customer’s and, where applicable, the beneficial owner’s identities during the establishment of the business relationship in accordance with Article 14(2) of Directive (EU) 2015/849;
  • Assuming that a payment drawn on an account in the sole or joint name of the customer at a regulated credit or financial institution in an EEA country satisfies the requirements stipulated by Article 13(1)(a) and (b) of Directive (EU) 2015/849;
  • Accepting alternative forms of identity that meet the independent and reliable source criterion in Article 13(1)(a) of Directive (EU) 2015/849, such as a letter from a government agency or other reliable public body to the customer, where there are reasonable grounds for the customer not to be able to provide standard evidence of identity and provided that there are no grounds for suspicion;
  • Updating CDD information only in case of specific trigger events, such as the customer requesting a new or higher risk product, or changes in the customer’s behaviour or transaction profile that suggest that the risk associated with the relationship is no longer low.

Pooled accounts

Where a bank’s customer opens a ‘pooled account’ in order to administer funds that belong to the customer’s own clients, the bank should apply full CDD measures, including treating the customer’s clients as the beneficial owners of funds held in the pooled account and verifying their identities.

Where there are indications that the risk associated with the business relationship is high, banks must apply EDD measures as appropriate.

However, to the extent permitted by national legislation, where the risk associated with the business relationship is low and subject to the conditions set out below, a bank may apply SDD measures provided that:

  • The customer is a firm that is subject to AML/CFT obligations in an EEA state or a third country with an AML/CFT regime that is not less robust than that required by Directive (EU) 2015/849, and is supervised effectively for compliance with these requirements.
  • The customer is not a firm but another obliged entity that is subject to AML/CFT obligations in an EEA state and is supervised effectively for compliance with these requirements.
  • The ML/TF risk associated with the business relationship is low, based on the bank’s assessment of its customer’s business, the types of clients the customer’s business serves and the jurisdictions the customer’s business is exposed to, among other considerations;
  • The bank is satisfied that the customer applies robust and risk-sensitive CDD measures to its own clients and its clients’ beneficial owners (it may be appropriate for the bank to take risk-sensitive measures to assess the adequacy of its customer’s CDD policies and procedures, for example by liaising directly with the customer); and
  • The bank has taken risk-sensitive steps to be satisfied that the customer will provide CDD information and documents on its underlying clients that are the beneficial owners of funds held in the pooled account immediately upon request, for example by including relevant provisions in a contract with the customer or by sample-testing the customer’s ability to provide CDD information upon request.

Where the conditions for the application of SDD to pooled accounts are met, SDD measures may consist of the bank:

  • Identifying and verifying the identity of the customer, including the customer’s beneficial owners (but not the customer’s underlying clients);
  • Assessing the purpose and intended nature of the business relationship; and
  • Conducting ongoing monitoring of the business relationship.

Risk Factors for Correspondent Banking

Correspondent Banking Risk

What are the risk factors for correspondent banking and what can be done to mitigate them? The following is advice drawn from a range of EU institutions, including the European Banking Authority. It reflects best practice and can be applied in any region.

Sectoral guidelines for correspondent banks

This post provides guidelines on correspondent banking as defined in Article 3(8)(a) of Directive (EU) 2015/849. Firms offering other correspondent relationships as defined in Article 3(8)(b) of Directive (EU) 2015/849 should apply these guidelines as appropriate.

In a correspondent banking relationship, the correspondent provides banking services to the respondent, either in a principal-to-principal capacity or on the respondent’s customers’ behalf. The correspondent does not normally have a business relationship with the respondent’s customers and will not normally know their identity or the nature or purpose of the underlying transaction, unless this information is included in the payment instruction.

Banks should consider the following risk factors and measures alongside those set out in our generic risk post.

Risk factors

Product, service and transaction risk factors

The following factors may contribute to increasing risk:

  • The account can be used by other respondent banks that have a direct relationship with the respondent but not with the correspondent (‘nesting’, or downstream clearing), which means that the correspondent is indirectly providing services to other banks that are not the respondent.
  • The account can be used by other entities within the respondent’s group that have not themselves been subject to the correspondent’s due diligence.
  • The service includes the opening of a payable-through account, which allows the respondent’s customers to carry out transactions directly on the account of the respondent.

The following factors may contribute to reducing risk:

  • The relationship is limited to a SWIFT RMA capability, which is designed to manage communications between financial institutions. In a SWIFT RMA relationship, the respondent, or counterparty, does not have a payment account relationship.
  • Banks are acting in a principal-to-principal capacity, rather than processing transactions on behalf of their underlying clients, for example in the case of foreign exchange services between two banks where the business is transacted on a principal-to-principal basis between the banks and where the settlement of a transaction does not involve a payment to a third party. In those cases, the transaction is for the own account of the respondent bank.
  • The transaction relates to the selling, buying or pledging of securities on regulated markets, for example when acting as or using a custodian with direct access, usually through a local participant, to an EU or non-EU securities settlement system.

Customer risk factors

The following factors may contribute to increasing risk:

  • The respondent’s AML/CFT policies and the systems and controls the respondent has in place to implement them fall short of the standards required by Directive (EU) 2015/849.
  • The respondent is not subject to adequate AML/CFT supervision.
  • The respondent, its parent or a firm belonging to the same group as the respondent has recently been the subject of regulatory enforcement for inadequate AML/CFT policies and procedures and/or breaches of AML/CFT obligations.
  • The respondent conducts significant business with sectors that are associated with higher levels of ML/TF risk; for example, the respondent conducts significant remittance business or business on behalf of certain money remitters or exchange houses, with non-residents or in a currency other than that of the country in which it is based.
  • The respondent’s management or ownership includes PEPs, in particular where a PEP can exert meaningful influence over the respondent, where the PEP’s reputation, integrity or suitability as a member of the management board or key function holder gives rise to concern or where the PEP is from a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to those jurisdictions where corruption is perceived to be systemic or widespread.
  • The history of the business relationship with the respondent gives rise to concern, for example because the volume of transactions is not in line with what the correspondent would expect based on its knowledge of the nature and size of the respondent.

The following factors may contribute to reducing risk, where the correspondent is satisfied that:

  • The respondent’s AML/CFT controls are not less robust than those required by Directive (EU) 2015/849;
  • The respondent is part of the same group as the correspondent, is not based in a jurisdiction associated with higher ML/TF risk and complies effectively with group AML standards that are not less strict than those required by Directive (EU) 2015/849.

Country or geographical risk factors

The following factors may contribute to increasing risk:

  • The respondent is based in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to those jurisdictions
    • with significant levels of corruption and/or other predicate offences to money laundering;
    • without adequate capacity of the legal and judicial system effectively to prosecute those offences; or
    • without effective AML/CFT supervision.
  • The respondent conducts significant business with customers based in a jurisdiction associated with higher ML/TF risk.
  • The respondent’s parent is headquartered or is incorporated in a jurisdiction associated with higher ML/TF risk.

The following factors may contribute to reducing risk:

  • The respondent is based in an EEA member country.
  • The respondent is based in a third country that has AML/CFT requirements not less robust than those required by Directive (EU) 2015/849 and effectively implements those requirements (although correspondents should note that this does not exempt them from applying EDD measures set out in Article 19 of Directive (EU) 2015/849).

All correspondents must carry out CDD on the respondent, who is the correspondent’s customer, on a risk-sensitive basis. This means that correspondents must:

  • Identify, and verify the identity of, the respondent and its beneficial owner. As part of this, correspondents should obtain sufficient information about the respondent’s business and reputation to establish that the money-laundering risk associated with the respondent is not increased. In particular, correspondents should:
    • obtain information about the respondent’s management and consider the relevance, for financial crime prevention purposes, of any links the respondent’s management or ownership might have to PEPs or other high-risk individuals; and
    • consider, on a risk-sensitive basis, whether obtaining information about the respondent’s major business, the types of customers it attracts, and the quality of its AML systems and controls (including publicly available information about any recent regulatory or criminal sanctions for AML failings) would be appropriate. Where the respondent is a branch, subsidiary or affiliate, correspondents should also consider the status, reputation and AML controls of the parent.
  • Establish and document the nature and purpose of the service provided, as well as the responsibilities of each institution. This may include setting out, in writing, the scope of the relationship, which products and services will be supplied, and how and by whom the correspondent banking facility can be used (e.g. if it can be used by other banks through their relationship with the respondent).
  • Monitor the business relationship, including transactions, to identify changes in the respondent’s risk profile and detect unusual or suspicious behaviour, including activities that are not consistent with the purpose of the services provided or that are contrary to commitments that have been concluded between the correspondent and the respondent. Where the correspondent bank allows the respondent’s customers direct access to accounts (e.g. payable-through accounts, or nested accounts), it should conduct enhanced ongoing monitoring of the business relationship. Due to the nature of correspondent banking, post-execution monitoring is the norm.
  • Ensure that the CDD information they hold is up to date.

Correspondents must also establish that the respondent does not permit its accounts to be used by a shell bank, in line with Article 24 of Directive (EU) 2015/849. This may include asking the respondent for confirmation that it does not deal with shell banks, having sight of relevant passages in the respondent’s policies and procedures, or considering publicly available information, such as legal provisions that prohibit the servicing of shell banks.

In cases of cross-border correspondent relationships with respondent institutions from third countries, Article 19 of Directive (EU) 2015/849 requires that the correspondent also apply specific EDD measures in addition to the CDD measures set out in Article 13 of Directive (EU) 2015/849.

There is no requirement in Directive (EU) 2015/849 for correspondents to apply CDD measures to the respondent’s individual customers.

Correspondents should bear in mind that CDD questionnaires provided by international organisations are not normally designed specifically to help correspondents comply with their obligations under Directive (EU) 2015/849. When considering whether to use these questionnaires, correspondents should assess whether they will be sufficient to allow them to comply with their obligations under Directive (EU) 2015/849 and should take additional steps where necessary.

Respondents based in non-EEA countries

Where the respondent is based in a third country, Article 19 of Directive (EU) 2015/849 requires correspondents to apply specific EDD measures in addition to the CDD measures set out in Article 13 of Directive (EU) 2015/849.

Correspondents must apply each of these EDD measures to respondents based in a non-EEA country, but correspondents can adjust the extent of these measures on a risk-sensitive basis. For example, if the correspondent is satisfied, based on adequate research, that the respondent is based in a third country that has an effective AML/CFT regime, supervised effectively for compliance with these requirements, and that there are no grounds to suspect that the respondent’s AML policies and procedures are, or have recently been deemed, inadequate, then the assessment of the respondent’s AML controls may not necessarily have to be carried out in full detail.

Correspondents should always adequately document their CDD and EDD measures and decision-making processes.

Article 19 of Directive (EU) 2015/849 requires correspondents to take risk-sensitive measures to:

  • Gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business, in order to establish the extent to which the respondent’s business exposes the correspondent to higher money-laundering risk. This should include taking steps to understand and risk-assess the nature of respondent’s customer base and the type of activities that the respondent will transact through the correspondent account.
  • Determine from publicly available information the reputation of the institution and the quality of supervision. This means that the correspondent should assess the extent to which the correspondent can take comfort from the fact that the respondent is adequately supervised for compliance with its AML obligations. A number of publicly available resources, for example FATF or FSAP assessments, which contain sections on effective supervision, may help correspondents establish this.
  • Assess the respondent institution’s AML/CFT controls. This implies that the correspondent should carry out a qualitative assessment of the respondent’s AML/CFT control framework, not just obtain a copy of the respondent’s AML policies and procedures. This assessment should be documented appropriately. In line with the risk-based approach, where the risk is especially high and in particular where the volume of correspondent banking transactions is substantive, the correspondent should consider on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.
  • Obtain approval from senior management, as defined in Article 3(12) of Directive (EU) 2015/849, before establishing new correspondent relationships. The approving senior manager should not be the officer sponsoring the relationship and the higher the risk associated with the relationship, the more senior the approving senior manager should be. Correspondents should keep senior management informed of high-risk correspondent banking relationships and the steps the correspondent takes to manage that risk effectively.
  • Document the responsibilities of each institution. This may be part of the correspondent’s standard terms and conditions but correspondents should set out, in writing, how and by whom the correspondent banking facility can be used (e.g. if it can be used by other banks through their relationship with the respondent) and what the respondent’s AML/CFT responsibilities are. Where the risk associated with the relationship is high, it may be appropriate for the correspondent to satisfy itself that the respondent complies with its responsibilities under this agreement, for example through ex post transaction monitoring.
  • With respect to payable-through accounts and nested accounts, be satisfied that the respondent credit or financial institution has verified the identity of and performed ongoing due diligence on the customer having direct access to accounts of the correspondent and that it is able to provide relevant CDD data to the correspondent institution upon request. Correspondents should seek to obtain confirmation from the respondent that the relevant data can be provided upon request.

Respondents based in EEA countries

Where the respondent is based in an EEA country, Article 19 of Directive (EU) 2015/849 does not apply. The correspondent is, however, still obliged to apply risk-sensitive CDD measures pursuant to Article 13 of Directive (EU) 2015/849.

Where the risk associated with a respondent based in an EEA Member State is increased, correspondents must apply EDD measures in line with Article 18 of Directive (EU) 2015/849. In that case, correspondents should consider applying at least some of the EDD measures described in Article 19 of Directive (EU) 2015/849, in particular Article 19(a) and (b).

How to Assess and Manage Risk – AML and TF

How to Assess and Manage Risk

The guidance in this post comes from the EU. It can be, and is, applied globally as best practice.

Assessing and managing risk: general

These guidelines come in two parts. This part is general and applies to all firms. Part 2 is sector-specific. Both parts should be read together to obtain the most rounded view when reviewing risk for a specific sector of the industry (retail banking or wealth management, for example).

Firms’ approach to assessing and managing the ML/TF risk associated with business relationships and occasional transactions should include the following:

  • Business-wide risk assessments should help firms understand where they are exposed to ML/TF risk and which areas of their business they should prioritise in the fight against ML/TF. To that end, and in line with Article 8 of Directive (EU) 2015/849, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers. The steps firms take to identify and assess ML/TF risk across their business must be proportionate to the nature and size of each firm. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.

Customer Due Diligence (CDD)

  • Firms should use the findings from their business-wide risk assessment to inform their decision on the appropriate level and type of CDD that they will apply to individual business relationships and occasional transactions.
  • Before entering into a business relationship or carrying out an occasional transaction, firms should apply initial CDD in line with Article 13(1)(a), (b) and (c) and Article 14(4) of Directive (EU) 2015/849. Initial CDD should include at least risk-sensitive measures to:
    • identify the customer and, where applicable, the customer’s beneficial owner or legal representatives;
    • verify the customer’s identity on the basis of reliable and independent sources and, where applicable, verify the beneficial owner’s identity in such a way that the firm is satisfied that it knows who the beneficial owner is; and
    • establish the purpose and intended nature of the business relationship.
  • Firms should adjust the extent of initial CDD measures on a risk-sensitive basis. Where the risk associated with a business relationship is low, and to the extent permitted by national legislation, firms may be able to apply simplified customer due diligence measures (SDD). Where the risk associated with a business relationship is increased, firms must apply enhanced customer due diligence measures (EDD).

Obtaining a holistic view

  • Firms should gather sufficient information to be satisfied that they have identified all relevant risk factors, including, where necessary, by applying additional CDD measures, and assess those risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction. Firms should note that the risk factors listed in these guidelines are not exhaustive, and that there is no expectation that firms will consider all risk factors in all cases.

Monitoring and Review

  • Firms must keep their risk assessment up to date and under review. Firms must monitor transactions to ensure that they are in line with the customer’s risk profile and business and, where necessary, examine the source of funds, to detect possible ML/TF. They must also keep the documents, data or information they hold up to date, with a view to understanding whether the risk associated with the business relationship has changed.

Risk assessments: methodology and risk factors

A risk assessment should consist of two distinct but related steps:
a) the identification of ML/TF risk; and
b) the assessment of ML/TF risk.

Identifying ML/TF risk

Firms should find out which ML/TF risks they are, or would be, exposed to as a result of entering into a business relationship or carrying out an occasional transaction.

When identifying ML/TF risks associated with a business relationship or occasional transaction, firms should consider relevant risk factors including who their customer is, the countries or geographical areas they operate in, the particular products, services and transactions the customer requires and the channels the firm uses to deliver these products, services and transactions.

Sources of information

Where possible, information about these ML/TF risk factors should come from a variety of sources, whether these are accessed individually or through commercially available tools or databases that pool information from several sources. Firms should determine the type and numbers of sources on a risk-sensitive basis.

Firms should always consider the following sources of information:

  • The European Commission’s supranational risk assessment;
  • Information from government, such as the government’s national risk assessments, policy statements and alerts, and explanatory memorandums to relevant legislation;
  • Information from regulators, such as guidance and the reasoning set out in regulatory fines;
  • Information from Financial Intelligence Units (FIUs) and law enforcement agencies, such as threat reports, alerts and typologies; and
  • Information obtained as part of the initial CDD process.

Other sources of information firms may consider in this context may include, among others:

  • The firm’s own knowledge and professional expertise;
  • Information from industry bodies, such as typologies and emerging risks;
  • Information from civil society, such as corruption indices and country reports;
  • Information from international standard-setting bodies such as mutual evaluation reports or legally non-binding blacklists;
  • Information from credible and reliable open sources, such as reports in reputable newspapers;
  • Information from credible and reliable commercial organisations, such as risk and intelligence reports; and
  • Information from statistical organisations and academia.

Risk factors

Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.
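The two-step method above, as an added worked example that is not part of the guidelines: step (a) resolves the factors identified for a relationship, across the four categories the guidelines name, against a catalogue that records whether each factor increases or reduces risk; step (b) scores them together and maps the result to a CDD tier. The catalogue entries, weights and thresholds are assumptions chosen to illustrate the holistic rule stated above, namely that one isolated increasing factor leaves the relationship at standard CDD while several together take it to EDD, that a PEP always requires EDD (as this page notes for Article 20), and that SDD is reached only with no increasing factors at all and only where national law permits.

```python
"""Two-step ML/TF risk assessment: (a) identify factors, (b) assess them holistically.

Added illustration, not from the guidelines. Factor tags, weights and tier
thresholds are assumptions; a firm would derive its own from its
business-wide risk assessment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CATEGORIES = ("customer", "country", "product", "channel")

# Assumed catalogue: positive weights increase risk, negative weights reduce it.
FACTOR_WEIGHTS: Dict[str, int] = {
    # customer
    "cash_intensive_sector": 2,
    "opaque_ownership_structure": 3,
    "bearer_shares_or_nominees": 3,
    "credible_adverse_media": 3,
    "long_standing_no_concern": -1,
    "licensed_and_supervised": -2,
    # country
    "higher_risk_jurisdiction": 3,
    "regime_equivalent_to_directive": -1,
    # product / service / transaction
    "payable_through_account": 3,
    "own_account_principal_to_principal": -1,
    # delivery channel
    "non_face_to_face_without_safeguards": 2,
    "eidas_electronic_identification": -1,
    "untested_delivery_channel": 2,
}

# Assumed thresholds for the holistic assessment.
EDD_SCORE = 5     # combined weight at or above this: enhanced due diligence
SDD_SCORE = -2    # combined weight at or below this, with no increasing factor: SDD


@dataclass
class Relationship:
    customer_id: str
    factors: Dict[str, List[str]] = field(default_factory=dict)  # category -> tags
    pep: bool = False   # customer or beneficial owner is a PEP


def identify(rel: Relationship) -> List[Tuple[str, str, int]]:
    """Step (a): resolve each identified tag to (category, tag, weight); reject unknown input."""
    unknown_cats = set(rel.factors) - set(CATEGORIES)
    if unknown_cats:
        raise ValueError(f"unknown factor categories: {sorted(unknown_cats)}")
    found = []
    for cat in CATEGORIES:
        for tag in rel.factors.get(cat, []):
            if tag not in FACTOR_WEIGHTS:
                raise ValueError(f"unknown risk factor {tag!r} under {cat}")
            found.append((cat, tag, FACTOR_WEIGHTS[tag]))
    return found


def assess(rel: Relationship) -> Tuple[str, int, str]:
    """Step (b): combine the identified factors into a CDD tier with a stated reason."""
    found = identify(rel)
    score = sum(weight for _, _, weight in found)
    increasing = [tag for _, tag, weight in found if weight > 0]
    if rel.pep:
        return "EDD", score, "PEP: EDD is mandatory regardless of the score"
    if score >= EDD_SCORE:
        return "EDD", score, "increasing factors together: " + ", ".join(increasing)
    if score <= SDD_SCORE and not increasing:
        return "SDD", score, "low risk, no increasing factors (only where national law permits)"
    if increasing:
        return "STANDARD", score, "isolated increasing factor does not by itself raise the tier: " + ", ".join(increasing)
    return "STANDARD", score, "no factor moves the relationship out of standard CDD"


# Constructed cases for illustration.
CASES = {
    "long_standing_retail": Relationship("C-100", {
        "customer": ["long_standing_no_concern"],
        "country": ["regime_equivalent_to_directive"],
        "channel": ["eidas_electronic_identification"],
    }),
    "isolated_factor": Relationship("C-200", {
        "customer": ["opaque_ownership_structure"],
    }),
    "stacked_factors": Relationship("C-300", {
        "customer": ["opaque_ownership_structure"],
        "country": ["higher_risk_jurisdiction"],
    }),
    "supervised_but_pep": Relationship("C-400", {
        "customer": ["licensed_and_supervised"],
        "country": ["regime_equivalent_to_directive"],
    }, pep=True),
}

if __name__ == "__main__":
    for name, rel in CASES.items():
        tier, score, reason = assess(rel)
        print(f"{name:22} {tier:8} score={score:+d}  {reason}")
```

The reason string is returned alongside the tier so that the decision can be documented, which matters because the guidelines expect firms to be able to show why a relationship landed where it did. Rejecting unknown tags and categories in step (a) is deliberate: a typo in a factor name should fail loudly rather than silently contribute zero weight and understate the risk.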

Customer risk factors

When identifying the risk associated with their customers, including their customers’ beneficial owners, firms should consider the risk related to:

  • The customer’s and the customer’s beneficial owner’s business or professional activity;
  • The customer’s and the customer’s beneficial owner’s reputation; and
  • The customer’s and the customer’s beneficial owner’s nature and behaviour.

Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:

  • Does the customer or beneficial owner have links to sectors that are commonly associated with higher corruption risk, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement?
  • Does the customer or beneficial owner have links to sectors that are associated with higher ML/TF risk, for example certain Money Service Businesses, casinos or dealers in precious metals?
  • Does the customer or beneficial owner have links to sectors that involve significant amounts of cash?
  • Where the customer is a legal person or a legal arrangement, what is the purpose of their establishment? For example, what is the nature of their business?
  • Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849.
  • Does the customer or beneficial owner hold another prominent position or enjoy a high public profile that might enable them to abuse this position for private gain? For example, are they senior local or regional public officials with the ability to influence the awarding of public contracts, decision-making members of high-profile sporting bodies or individuals who are known to influence the government and other senior decision-makers?
  • Is the customer a legal person subject to enforceable disclosure requirements that ensure that reliable information about the customer’s beneficial owner is publicly
  • For guidance on risk factors associated with beneficiaries of life insurance policies, please refer to ‘Insurance Risk’.
  • Is the customer a credit or financial institution acting on its own account from a jurisdiction with an effective AML/CFT regime and is it supervised for compliance with local AML/CFT obligations? Is there evidence that the customer has been subject to supervisory sanctions or enforcement for failure to comply with AML/CFT obligations or wider conduct requirements in recent years?
  • Is the customer a public administration or enterprise from a jurisdiction with low levels of corruption?
  • Is the customer’s or the beneficial owner’s background consistent with what the firm knows about their former, current or planned business activity, their business’s turnover, the source of funds and the customer’s or beneficial owner’s source of wealth?

The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owners’ reputation:

  • Are there adverse media reports or other relevant sources of information about the customer, for example are there any allegations of criminality or terrorism against the customer or the beneficial owner? If so, are these reliable and credible? Firms should determine the credibility of allegations on the basis of the quality and independence of the source of the data and the persistence of reporting of these allegations, among other considerations. Firms should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.
  • Has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?
  • Does the firm know if the customer or beneficial owner has been the subject of a suspicious transactions report in the past?
  • Does the firm have any in-house information about the customer’s or the beneficial owner’s integrity, obtained, for example, in the course of a long-standing business relationship?

The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:

  • Does the customer have legitimate reasons for being unable to provide robust evidence of their identity, perhaps because they are an asylum seeker?
  • Does the firm have any doubts about the veracity or accuracy of the customer’s or beneficial owner’s identity?
  • Are there indications that the customer might seek to avoid the establishment of a business relationship? For example, does the customer look to carry out one transaction or several one-off transactions where the establishment of a business relationship might make more economic sense?
  • Is the customer’s ownership and control structure transparent and does it make sense? If the customer’s ownership and control structure is complex or opaque, is there an obvious commercial or lawful rationale?
  • Does the customer issue bearer shares or does it have nominee shareholders?
  • Is the customer a legal person or arrangement that could be used as an asset-holding vehicle?
  • Is there a sound reason for changes in the customer’s ownership and control structure?
  • Does the customer request transactions that are complex, unusually or unexpectedly large or have an unusual or unexpected pattern without an apparent economic or lawful purpose or a sound commercial rationale? Are there grounds to suspect that the customer is trying to evade specific thresholds such as those set out in Article 11(b) of Directive (EU) 2015/849 and national law where applicable?
  • Does the customer request unnecessary or unreasonable levels of secrecy? For example, is the customer reluctant to share CDD information, or do they appear to want to disguise the true nature of their business?
  • Can the customer’s or beneficial owner’s source of wealth or source of funds be easily explained, for example through their occupation, inheritance or investments? Is the explanation plausible?
  • Does the customer use the products and services they have taken out as expected when the business relationship was first established?
  • Where the customer is a non-resident, could their needs be better serviced elsewhere? Is there a sound economic and lawful rationale for the customer requesting the type of financial service sought? Firms should note that Article 16 of Directive 2014/92/EU creates a right for customers who are legally resident in the Union to obtain a basic payment account, but this right applies only to the extent that credit institutions can comply with their AML/CFT obligations.
  • Is the customer a non-profit organisation whose activities could be abused for terrorist financing purposes?

Countries and geographical areas

When identifying the risk associated with countries and geographical areas, firms should consider the risk related to:

  • The jurisdictions in which the customer and beneficial owner are based;
  • The jurisdictions that are the customer’s and beneficial owner’s main places of business; and
  • The jurisdictions to which the customer and beneficial owner have relevant personal links.

Firms should note that the nature and purpose of the business relationship will often determine the relative importance of individual country and geographical risk factors. For example:

  • Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.
  • Where funds are received from, or sent to, jurisdictions where groups committing terrorist offences are known to be operating, firms should consider to what extent this could be expected to or might give rise to suspicion, based on what the firm knows about the purpose and nature of the business relationship.
  • Where the customer is a credit or financial institution, firms should pay particular attention to the adequacy of the country’s AML/CFT regime and the effectiveness of AML/CFT supervision.
  • Where the customer is a legal vehicle or trust, firms should take into account the extent to which the country in which the customer and, where applicable, the beneficial owner are registered effectively complies with international tax transparency standards.

Risk factors firms should consider when identifying the effectiveness of a jurisdiction’s AML/CFT regime include:

  • Has the country been identified by the Commission as having strategic deficiencies in its AML/CFT regime, in line with Article 9 of Directive (EU) 2015/849? Where firms deal with natural or legal persons resident or established in third countries that the Commission has identified as presenting a high ML/TF risk, firms must always apply EDD measures.
  • Is there information from more than one credible and reliable source about the quality of the jurisdiction’s AML/CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight? Examples of possible sources include mutual evaluation reports by the Financial Action Task Force (FATF) or FATF-style Regional Bodies (FSRBs) (a good starting point is the executive summary and key findings and the assessment of compliance with Recommendations 10, 26 and 27 and Immediate Outcomes 3 and 4), the FATF’s list of high-risk and non-cooperative jurisdictions, International Monetary Fund (IMF) assessments and Financial Sector Assessment Programme (FSAP) reports. Firms should note that membership of the FATF or an FSRB (e.g. MoneyVal) does not, of itself, mean that the jurisdiction’s AML/CFT regime is adequate and effective.
  • Firms should note that Directive (EU) 2015/849 does not recognise the ‘equivalence’ of third countries and that EU Member States’ lists of equivalent jurisdictions are no longer being maintained. To the extent permitted by national legislation, firms should be able to identify lower risk jurisdictions in line with these guidelines and Annex II of Directive (EU) 2015/849.

Risk factors firms should consider when identifying the level of terrorist financing risk associated with a jurisdiction include:

  • Is there information, for example from law enforcement or credible and reliable open media sources, suggesting that a jurisdiction provides funding or support for terrorist activities or that groups committing terrorist offences are known to be operating in the country or territory?
  • Is the jurisdiction subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation issued by, for example, the United Nations or the European Union?

Risk factors firms should consider when identifying a jurisdiction’s level of transparency and tax compliance include:

  • Is there information from more than one credible and reliable source that the country has been deemed compliant with international tax transparency and information sharing standards? Is there evidence that relevant rules are effectively implemented in practice? Examples of possible sources include reports by the Global Forum on Transparency and the Exchange of Information for Tax Purposes of the Organisation for Economic Co-operation and Development (OECD), which rate jurisdictions for tax transparency and information sharing purposes; assessments of the jurisdiction’s commitment to automatic exchange of information based on the Common Reporting standard; assessments of compliance with FATF Recommendations 9, 24 and 25 and Immediate Outcomes 2 and 5 by the FATF or FSRBs; and IMF assessments (e.g. IMF staff assessments of offshore financial centres).
  • Has the jurisdiction committed to, and effectively implemented, the Common Reporting Standard on Automatic Exchange of Information, which the G20 adopted in 2014?
  • Has the jurisdiction put in place reliable and accessible beneficial ownership registers?

Risk factors firms should consider when identifying the risk associated with the level of predicate offences to money laundering include:

  • Is there information from credible and reliable public sources about the level of predicate offences to money laundering listed in Article 3(4) of Directive (EU) 2015/849, for example corruption, organised crime, tax crime and serious fraud? Examples include corruption perceptions indices; OECD country reports on the implementation of the OECD’s anti-bribery convention; and the United Nations Office on Drugs and Crime World Drug Report.
  • Is there information from more than one credible and reliable source about the capacity of the jurisdiction’s investigative and judicial system effectively to investigate and prosecute these offences?

Products, services and transactions risk factors

When identifying the risk associated with their products, services or transactions, firms should consider the risk related to:

  • The level of transparency, or opaqueness, the product, service or transaction affords;
  • The complexity of the product, service or transaction; and
  • The value or size of the product, service or transaction.

Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s transparency include:

  • To what extent do products or services allow the customer or beneficial owner or beneficiary structures to remain anonymous, or facilitate hiding their identity? Examples of such products and services include bearer shares, fiduciary deposits, offshore vehicles and certain trusts, and legal entities such as foundations that can be structured in such a way as to take advantage of anonymity and allow dealings with shell companies or companies with nominee shareholders.
  • To what extent is it possible for a third party that is not part of the business relationship to give instructions, for example in the case of certain correspondent banking relationships?

Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s complexity include:

  • To what extent is the transaction complex and does it involve multiple parties or multiple jurisdictions, for example in the case of certain trade finance transactions? Are transactions straightforward, for example are regular payments made into a pension fund?
  • To what extent do products or services allow payments from third parties or accept overpayments where this would not normally be expected? Where third party payments are expected, does the firm know the third party’s identity, for example is it a state benefit authority or a guarantor? Or are products and services funded exclusively by fund transfers from the customer’s own account at another financial institution that is subject to AML/CFT standards and oversight that are comparable to those required under Directive (EU) 2015/849?
  • Does the firm understand the risks associated with its new or innovative product or service, in particular where this involves the use of new technologies or payment methods?

Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s value or size include:

  • To what extent are products or services cash intensive, as are many payment services but also certain current accounts?
  • To what extent do products or services facilitate or encourage high-value transactions? Are there any caps on transaction values or levels of premium that could limit the use of the product or service for ML/TF purposes?

Delivery channel risk factors

When identifying the risk associated with the way in which the customer obtains the products or services they require, firms should consider the risk related to:

  • The extent to which the business relationship is conducted on a non-face-to-face basis; and
  • Any introducers or intermediaries the firm might use and the nature of their relationship with the firm.

When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:

  • Is the customer physically present for identification purposes? If they are not, has the firm used a reliable form of non-face-to-face CDD? Has it taken steps to prevent impersonation or identity fraud?
  • Has the customer been introduced by another part of the same financial group and, if so, to what extent can the firm rely on this introduction as reassurance that the customer will not expose the firm to excessive ML/TF risk? What has the firm done to satisfy itself that the group entity applies CDD measures to European Economic Area (EEA) standards in line with Article 28 of Directive (EU) 2015/849?
  • Has the customer been introduced by a third party, for example a bank that is not part of the same group, and is the third party a financial institution or is its main business activity unrelated to financial service provision? What has the firm done to be satisfied that:
    • The third party applies CDD measures and keeps records to EEA standards and that it is supervised for compliance with comparable AML/CFT obligations in line with Article 26 of Directive (EU) 2015/849;
    • The third party will provide, immediately upon request, relevant copies of identification and verification data, inter alia in line with Article 27 of Directive (EU) 2015/849; and
    • The quality of the third party’s CDD measures is such that it can be relied upon?
  • Has the customer been introduced through a tied agent, that is, without direct firm contact? To what extent can the firm be satisfied that the agent has obtained enough information so that the firm knows its customer and the level of risk associated with the business relationship?
  • If independent or tied agents are used, to what extent are they involved on an ongoing basis in the conduct of business? How does this affect the firm’s knowledge of the customer and ongoing risk management?
  • Where a firm uses an intermediary:
    • Are they a regulated person subject to AML obligations that are consistent with those of Directive (EU) 2015/849?
    • Are they subject to effective AML supervision? Are there any indications that the intermediary’s level of compliance with applicable AML legislation or regulation is inadequate, for example has the intermediary been sanctioned for breaches of AML/CFT obligations?
    • Are they based in a jurisdiction associated with higher ML/TF risk? Where a third party is based in a high-risk third country that the Commission has identified as having strategic deficiencies, firms must not rely on that intermediary. However, to the extent permitted by national legislation, reliance may be possible provided that the intermediary is a branch or majority-owned subsidiary of another firm established in the Union, and the firm is confident that the intermediary fully complies with group-wide policies and procedures in line with Article 45 of Directive (EU) 2015/849.

Assessing ML/TF risk

Firms should take a holistic view of the ML/TF risk factors they have identified that, together, will determine the level of ML/TF risk associated with a business relationship or occasional transaction.

As part of this assessment, firms may decide to weigh factors differently depending on their relative importance.

Weighting risk factors

When weighting risk factors, firms should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. This often results in firms allocating different ‘scores’ to different factors; for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek.

Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another. When weighting risk factors, firms should ensure that:

  • Weighting is not unduly influenced by just one factor;
  • Economic or profit considerations do not influence the risk rating;
  • Weighting does not lead to a situation where it is impossible for any business relationship to be classified as high risk;
  • The provisions of Directive (EU) 2015/849 or national legislation regarding situations that always present a high money laundering risk cannot be over-ruled by the firm’s weighting; and
  • They are able to over-ride any automatically generated risk scores where necessary. The rationale for the decision to over-ride such scores should be documented appropriately.

Where a firm uses automated IT systems to allocate overall risk scores to categorise business relationships or occasional transactions and does not develop these in house but purchases them from an external provider, it should understand how the system works and how it combines risk factors to achieve an overall risk score. A firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of ML/TF risk and it should be able to demonstrate this to the competent authority.

Categorising business relationships and occasional transactions

Following its risk assessment, a firm should categorise its business relationships and occasional transactions according to the perceived level of ML/TF risk.

Firms should decide on the most appropriate way to categorise risk. This will depend on the nature and size of the firm’s business and the types of ML/TF risk it is exposed to. Although firms often categorise risk as high, medium and low, other categorisations are possible.

Sanctions Screening Guidance

Sanctions Screening Guidance – Introduction

Sanctions screening is a control employed within Financial Institutions (FIs) to detect, prevent and manage sanctions risk. Screening should be undertaken as part of an effective Financial Crime Compliance (FCC) programme, to assist with the identification of sanctioned individuals and organisations, as well as the illegal activity to which FIs may be exposed. It helps identify areas of potential sanctions concern and assists in making appropriately compliant risk decisions.

In light of the continuous expansion and growing complexity of international sanctions regulations, this post will provide guidance to FIs as they assess the effectiveness of their sanctions screening controls, whether automated, manual or both. The post assumes that the reader has a basic understanding and familiarity with sanctions controls terminology, much of which is also covered in the Glossary at the end.

Transaction Screening and Customer Screening

Most FIs will deploy two main screening controls to achieve their objectives: transaction screening and customer screening. Transaction screening is used to identify transactions involving targeted individuals or entities. Customer or name screening is designed to identify targeted individuals or entities during on-boarding or over the lifecycle of the customer relationship with the FI. Together, transaction and customer screening are designed to form a robust set of controls for identifying sanctions targets. It should be recognised that these controls have a number of limitations in the way they are managed, and they should always be employed as part of a wider FCC programme.

As with the management of all financial crime risks, an FI should first identify and assess the sanctions risks to which it is exposed and implement a sanctions screening programme commensurate with its nature, size and complexity. In doing so, consideration needs to be given to:

  • The jurisdictions where the FI is located, and its proximity – geographically, culturally and historically – to sanctioned countries;
  • What customers the FI has – international or domestic, where those customers are located and what business they undertake;
  • The volume of transactions and distribution channels;
  • What products and services the FI offers and whether those products represent a heightened sanctions risk, for example, cross-border transactions, foreign correspondent accounts, trade related products or payable-through accounts.

This post sets out the use of sanctions screening as a control, the fundamentals of which are derived from legal and regulatory requirements and expectations, as well as global industry best practice. It is not intended to suggest all FIs should apply all elements in this post to the same level, rather, it attempts to demonstrate where sanctions screening can be an effective part of a wider sanctions compliance programme, where it has limitations as a control, and where a risk based approach is required, notwithstanding the strict liability nature of sanctions compliance.

Consideration has been given to topics such as what is meant by sanctions screening, looking at both reference data and transaction screening, the timing of screening, technology and the use of automated systems, the criteria for alert investigation, as well as testing and quality assurance.

What is Sanctions Screening?


Sanctions screening is a control used in the detection, prevention and disruption of financial crime and, in particular, sanctions risk. It is the comparison of one string of text against another to detect similarities which would suggest a possible match.

It compares data sourced from an FI’s operations, such as customer and transactional records, against lists of names and other indicators of sanctioned parties or locations. These lists are typically derived from regulatory sources and often supplied, updated and maintained through external vendors specialising in the amalgamation, enhancement, formatting and delivery of these lists. FIs may also augment these with lists of sanctions relevant terms, names or phrases, identified through their own operations, research or intelligence.

The generation of an alert as a result of the process of screening is not, by itself, an indication of sanctions risk. It is the first step towards detecting a risk of sanctions exposure, which can be confirmed or discounted with additional information to evaluate whether the similarities in the text reveal a true sanctions match.

While this concept sounds simple, it can be complex when it comes to determining what actually constitutes a “true match” across a range of variables such as alphabets, languages, cultures, spelling, abbreviations, acronyms and aliases. When screening is automated, additional complexities are introduced such as “fuzzy matching” algorithms, workflows and match rules.

A Programmatic Approach to Sanctions Screening


While this post focuses on screening as a control to manage sanctions compliance risk, screening as a control is not sanctions specific and should be deployed as part of an integrated risk based FCC programme.

Sanctions Screening Programme

Fundamental pillars of an FCC programme, including key enabling functions, should be applied to screening, not in isolation, but in conjunction with other financial crime risk prevention and control processes:

  • Policies and Procedures – defining requirements for what must be screened, in what context and at which frequency, and how alerts should be adjudicated, paying particular attention to how to resolve alerts where information is unavailable, incomplete or potentially unreliable.
  • Responsible Person – ensuring appropriate skills and experience in understanding the nuances of often arcane sanctions requirements and how these might influence screening outcomes and decisions, as well as the technical capabilities of screening software.
  • Risk Assessment – applying risk based decisions to resolve specific questions of what data attributes to screen, when to screen, what lists to use and how exact or “fuzzy” to set the screening filter. The decision making and governance structure needs to be clearly articulated, documented and supported by analysis and testing. This is addressed in more detail below.
  • Internal Controls – implementing screening control processes requires an understanding of the various methodologies and technologies available and their operational consequences. There is no clearly defined approach to technology or configuration that is better or worse, and each will have its own strengths and limitations. Understanding those strengths and limitations is critical. FIs are expected to document how their screening systems are configured in order to demonstrate that the configuration is reasonably expected to detect and manage the specific sanctions risks to which the FI is exposed and, importantly, to ensure transparency of any system limitations or risk based decisions which the screening controls are not designed to detect.
  • Testing – conducted to validate that the screening system is performing as expected and to assess its effectiveness in managing the specific risks articulated in the FI’s Risk Assessment. Regular testing of the system should be supported by metrics, analysis and reporting.

Applying a Risk Based Approach


Sanctions screening can never detect every possible sanctions risk due to the wide range of variables in which a string of text could be altered and still convey the same meaning. Sanctions screening is dependent on a range of factors, including the type, availability, completeness and quality of data, as well as the inherent sanctions risks to which an FI, its products, customers and services are exposed.

Consequently, the effectiveness of screening as a control will vary between FIs, even where FIs are using the same third-party screening solution, and screening is not necessarily appropriate for all products and services. Screening, therefore, requires a programmatic approach through which each FI must assess its own risks in order to define the manner, extent and circumstances in which screening is employed. This process of evaluating the risk to the design, configuration and maintenance of a screening programme is built around the following core principles:

  • Articulate the specific sanctions risk the FI is trying to prevent or detect within its products, services and operations. For example, a global FI may determine that its policy is to prohibit any dealing with any party sanctioned by the U.S., the U.N., the E.U., its home country and any number of its core jurisdictions of operations. A smaller FI operating only in one country, however, may determine that its policy is limited to complying with the sanctions laws of the sole jurisdiction in which it operates.
  • Identify and evaluate the inherent potential exposure to sanctions risk presented by the FI’s products, services and customer relationships. For example, screening may be more meaningful to mitigate sanctions risk in the context of cross-border payments between a potentially wide range of parties, as opposed to payments between parties within the same jurisdiction, where all account holders are required by law to be compliant with that jurisdiction’s sanctions and KYC requirements. In the latter, the KYC, on-boarding processes and regulatory requirements are known and consistent, lessening the incremental value of transaction screening as a control.
  • Maintain a well-documented understanding of the risks and how they are managed through the set-up and calibration of the screening tool. For example, with list based sanctions programmes, the red flag is the presence of the sanctioned party’s name, which is readily available to detection through screening of customers and transactions. By contrast, for certain Sectoral Sanctions programmes, only a defined subset of activities is prohibited, and screening payments for targeted parties will not detect the sectoral sanctions risk without further additional information about the specific underlying activity and, therefore, may not be appropriate or effective.
  • Assess where, within the FI, the information is available in a format conducive to screening; for example, some transactions contain only International Securities Identification Numbers (ISINs). In some cases, an FI may identify that the information within its operations is insufficient to assess a screening alert and distinguish a true match from a false match. In these cases, the FI may need to consider alternative controls or adopt new business processes. In other cases, the FI may decide not to screen a category of information because this specific information, while in a format conducive to screening, is not sufficiently actionable to manage sanctions risk. In these situations, the FI should implement alternative controls to identify and manage the sanctions risk.

Screening Technology and Generating Productive Alerts

What is often thought of as a simple name-matching process can be a complex set of processes in which data is transferred from several, often disparate, technology systems and sanctions lists for comparison, using matching algorithms and risk based alert creation rules intended to ensure compliance with multiple regulatory regimes.

For larger or more complex FIs, there is an expectation that the screening programme will require the use of a technology application that includes certain core functionalities to ensure appropriate alert creation by, and governance over, the screening process. Such functionalities include the capability to implement risk based screening rules, generate good quality alerts for review, provide relevant metrics and reporting, ensure data integrity and facilitate independent testing and validation. A robust operating model employs expertise from IT, Operations and FCC working together to ensure appropriate alert generation and adjudication.

For further information on Sectoral Sanctions, see the OFAC FAQs.

Principles for Generating Productive Alerts

Identifying and implementing risk based screening decisions, in order to maximise alert quality and minimise the number of low quality or irrelevant alerts, should be undertaken prior to the deployment of a new screening system and thereafter on an on-going basis. Risk based decisions may include:

  • Lists – an FI may establish criteria and technology processes to ensure that lists are only screened against a subset of data relevant to a specific jurisdiction (see List Management – below)
  • Exclusions – the addition of a party that poses low sanctions risk to a list of parties omitted from screening; or the use of conditional screening rules using list data or source data attributes
  • Suppression – use of suppression rules or “Good Guys” lists to manage common false positive alerts requiring unnecessary manual review
  • Data – removal of reference data from screening once the data is no longer risk relevant

A governance framework should contain the documented rationale for risk based decisions, such as those made in support of the creation of screening rules and threshold settings, as well as the risk acceptance or remediation efforts in relation to material deficiencies or changes.
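Added example, not part of the original guidance and not any vendor's screening engine: a minimal Python screening routine that shows the string-comparison and fuzzy-matching idea described under "What is Sanctions Screening?" together with two of the risk based decisions listed above (scoping lists by programme, and a documented "Good Guys" suppression rule). Every list entry, alias and suppression entry is constructed and hypothetical; the 0.80 threshold and the use of difflib's SequenceMatcher as the similarity measure are assumptions for illustration, not a recommended calibration.

```python
"""Constructed sanctions-screening example: name normalisation, fuzzy
matching against list entries and aliases, list scoping and suppression."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Legal-form tokens carry no identifying information and would otherwise
# push "Foo Trading s.r.o." and "Foo Trading Ltd" apart. Assumed set.
LEGAL_FORMS = {"ltd", "limited", "llc", "inc", "sro", "gmbh", "plc", "ag"}


def normalize(name: str) -> str:
    """Reduce a name to a comparable form: strip accents, case and
    punctuation, drop legal-form tokens, and sort the remaining tokens so
    that word order and hyphenation do not affect the comparison."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().replace(".", "")        # "s.r.o." -> "sro", "M." -> "m"
    text = re.sub(r"[^a-z0-9]+", " ", text)        # hyphens, commas -> spaces
    tokens = [t for t in text.split() if t not in LEGAL_FORMS]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1] of two normalised names."""
    return SequenceMatcher(None, a, b).ratio()


@dataclass(frozen=True)
class ListEntry:
    entry_id: str
    programme: str            # sanctions regime the entry belongs to
    name: str
    aliases: tuple = ()


@dataclass(frozen=True)
class Alert:
    subject: str
    entry_id: str
    matched_name: str         # primary name or alias that scored best
    score: float


# Constructed list: invented names, not real designations.
SANCTIONS_LIST = [
    ListEntry("EX-001", "EU", "Muhammad Al-Rashid", ("Mohamed Alrashid", "M. Al Rashid")),
    ListEntry("EX-002", "UN", "Zlatá Hvězda Trading s.r.o.", ("Zlata Hvezda Trading",)),
    ListEntry("EX-003", "US", "Example Export Company LLC"),
]

# Constructed suppression rule: a previously investigated false positive,
# keyed by normalised customer name -> entry ids it must not alert on.
GOOD_GUYS = {"hvezda trading zlata": {"EX-002"}}


def screen(subject: str, entries, programmes, threshold=0.80, good_guys=GOOD_GUYS):
    """Compare one customer or transaction name against the in-scope entries.
    Returns (alerts, suppressed): alerts need review by sanctions personnel;
    suppressed records hits silenced by a Good Guys rule so that the
    suppression itself can still be reported and re-validated."""
    subj = normalize(subject)
    alerts, suppressed = [], []
    for entry in entries:
        if entry.programme not in programmes:     # list scoping decision
            continue
        # Best score across the primary name and every known alias.
        best_name, best = max(
            ((cand, similarity(subj, normalize(cand)))
             for cand in (entry.name, *entry.aliases)),
            key=lambda pair: pair[1],
        )
        if best < threshold:
            continue
        alert = Alert(subject, entry.entry_id, best_name, round(best, 3))
        if entry.entry_id in good_guys.get(subj, set()):
            suppressed.append(alert)
        else:
            alerts.append(alert)
    return alerts, suppressed


if __name__ == "__main__":
    for name in ("Mohamed Al Rashid", "Zlata Hvezda Trading Ltd", "John Smith"):
        hits, silenced = screen(name, SANCTIONS_LIST, {"EU", "UN"})
        print(name, "->", hits or "no alert", "| suppressed:", silenced)
```

Spelling variants ("Mohamed Al Rashid") still alert because the comparison runs over the normalised primary name and aliases, while the suppressed hit is kept in a separate return value so the metrics and testing steps described later can see it.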

Alert Generation and Review

The core aspect of any screening application is alert generation. The screening application must clearly present an alert for review by trained sanctions personnel. While the application’s workflow may vary according to many factors, including reviewer expertise or an FI’s risk tolerances (for example, whether the review process involves a maker-checker/four-eye requirement), the application must present all relevant data from the FI and the sanctions lists for decision making and allow reviewers to make a decision based on the validity of that data and, thereafter, record relevant rationale.

Metrics and Reporting

Personnel with responsibility for governance and oversight of the screening application and processes should receive risk-relevant metric reporting that enables the identification of sanctions and operational risk, as well as any data integrity issues. Such metrics may include, for example, the number of alerts generated by list, by jurisdiction, by business, or the identification of unintended data and list omissions. This reporting and documentation should be used to disseminate relevant information to stakeholders.

Independent Testing /Validation

FIs should deploy an independent, risk based testing regime to ensure that the screening application generates the expected alerts, and that threshold settings and/or screening rules forego or suppress undesirable alerts in accordance with the FI’s risk appetite. Similarly, the accuracy and completeness of the data used in the screening process should be reviewed to ensure the integrity of the data uploaded.

Independent testing may be carried out by qualified teams with appropriate technology expertise in internal audit, by an independent group within the FI’s compliance division, by a third-party vendor engaged for this purpose, or by a combination of these. The screening application may also be submitted for consideration as a model and, if it is treated as one, fall within the associated model governance framework.

The results of testing should be reviewed at a minimum by the team within the FI with primary responsibility for sanctions compliance, which should determine whether risk acceptance or remediation is appropriate with respect to any relevant findings.

Data Integrity

The aggregation of data from multiple sources for sanctions screening creates the possibility that data integrity issues may arise. An FI should consider establishing processes to ensure source and list data used in the screening process is both accurate and complete.

Internal Technology Build or Vendor Selection

Successful implementation of a sanctions screening application requires an FI either to build the screening application internally or to source it from a vendor. As each FI’s size, geographic presence, business and technology environment are unique, this determination must be derived from an analysis of identified sanctions risks and functional requirements.
Elements to be considered from a risk standpoint include:

  • The sophistication and configurability of the matching software
  • Availability of screening rules to optimise alert creation/suppression
  • Support for the screening or transformation of data in non-Latin characters
  • Ad hoc, one-off or manual screening functionality
  • Workflow configurability
  • Availability of metrics reporting

From a functional standpoint, consideration should be given to the volume of data to be screened; support for multiple local or a single centralised installation; the existence of, or support for, data integrity processes, and the ability of the application to integrate effectively within an FI’s technology infrastructure.

Once risk and functional requirements have been identified, an FI should achieve a balance between the standard vendor functionality and configurability of a purchased solution against the cost to build and maintain a more bespoke application internally. It is critical to understand whether sufficient compliance and technology expertise and resources exist within the FI or chosen vendor (and will continue to exist) to sustain the design, build and/or implementation processes, while remaining well-informed on emerging sanctions risks that arise as a result of evolving regulatory frameworks or business expansion and strategy.

Reference Data/Customer or Name Screening – What is Reference Data Screening?

Reference data screening is the process of screening the information an FI collects and maintains on the parties it does business with, or specific types of products and services it offers. While it is often referred to as “name” or “customer” screening, the concept of reference data screening encompasses any data set within the FI’s operations, separate from its transactional records, that may present a relevant sanctions risk indicator and be conducive to detection through screening on a periodic basis.

The most common types of reference data relevant for sanctions screening include:

  • Customers, including all parties, whose identity is collected by an FI to meet its Know Your Customer (KYC) and Customer Due Diligence (CDD) standards, such as beneficial owners and related or connected parties
  • Employee data
  • Third-party service providers, for example, vendors, landlords of FI-occupied premises, tenants of FI-owned premises
  • International Securities Identification Numbers (“ISIN”) or other sanctions-relevant identifying features of assets held in custody by the FI
  • Recipients of the FI’s corporate donations or sponsorship

Determining Sanctions Relevant Attributes in Reference Data

Not all the data elements within an FI’s records are relevant for sanctions screening. When determining what reference data should be screened, an FI should identify and differentiate the data within its operations and records that are relevant to sanctions risks, how they are relevant, and ensure they are conducive to effective screening. For example, the names of individuals and entities with whom the FI has a relationship are relevant for screening against name based sanctions lists; however, they are not relevant for geographically based sanctions programmes.

While the data elements contained in the addresses for these parties (most commonly, cities and countries) are relevant for screening against geographic sanctions programmes, these same address attributes are also relevant as identifiers in name based, list based programmes to differentiate a true name match from a false name match.

An FI should also define other data elements that may be relevant for sanctions screening in some situations and not others. Date of birth, for example, is relevant as a distinguishing factor to assess a true match from a false match on an individual and might be used for screening in combination with another attribute, such as name. In each case, FIs should weigh up the relative incremental value of screening the data element against the reliability of the data, and whether an alert against the data will meaningfully assist in detecting or preventing a sanctions risk that would not be reasonably detected through other controls, or by screening different data attributes.
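
The following is an added example, not part of the original guidance, showing how a name hit is qualified by secondary identifiers in the way the passage describes: the name is the attribute that is screened, while date of birth and country are compared only after a hit to separate a true match from a false one. The list entries, customer records, country codes and the 0.85 threshold are all constructed assumptions.

```python
"""Reference-data screening: fuzzy name match followed by discrimination with
secondary identifiers (date of birth, country).

Added illustration; the list entries and customer records below are
constructed sample data, not taken from any real sanctions list."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional
import unicodedata


@dataclass
class ListEntry:
    name: str
    dob: Optional[str] = None      # ISO date; often absent for entities
    country: Optional[str] = None  # nationality or address country


@dataclass
class CustomerRecord:
    customer_id: str
    name: str
    dob: Optional[str] = None
    country: Optional[str] = None


def normalise(name: str) -> str:
    """Strip accents, punctuation, case and token order so that
    'LOPEZ GARCIA, Juan Carlos' and 'Juan Carlos Lopez Garcia' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = "".join(ch if ch.isalnum() else " " for ch in ascii_only.lower())
    return " ".join(sorted(cleaned.split()))


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1]; 1.0 means the normalised names are identical."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def compare_attr(ours: Optional[str], theirs: Optional[str]) -> str:
    """Secondary identifiers are not screened; they qualify a name hit."""
    if ours is None or theirs is None:
        return "unavailable"
    return "corroborates" if ours == theirs else "contradicts"


# Constructed sample list (assumed data, not a real designation).
SANCTIONS_LIST = [
    ListEntry("Juan Carlos Lopez Garcia", dob="1970-04-12", country="XX"),
    ListEntry("Müller Trading GmbH", country="YY"),
]

NAME_THRESHOLD = 0.85  # assumed threshold; a real filter tunes this per list


def screen_customer(rec: CustomerRecord, entries=SANCTIONS_LIST,
                    threshold: float = NAME_THRESHOLD) -> list:
    """Return one alert per list entry whose name clears the threshold.
    A DOB contradiction downgrades the alert because DOB is the most
    reliable discriminator; a country mismatch alone does not, since
    addresses change. Every alert keeps its rationale for the reviewer."""
    alerts = []
    for entry in entries:
        score = name_score(rec.name, entry.name)
        if score < threshold:
            continue
        dob_check = compare_attr(rec.dob, entry.dob)
        country_check = compare_attr(rec.country, entry.country)
        if dob_check == "contradicts":
            disposition = "likely false positive"
        elif dob_check == "corroborates":
            disposition = "likely true match"
        else:
            disposition = "needs review"
        alerts.append({
            "customer_id": rec.customer_id,
            "list_name": entry.name,
            "name_score": round(score, 3),
            "dob": dob_check,
            "country": country_check,
            "disposition": disposition,
        })
    return alerts


if __name__ == "__main__":
    for rec in (
        CustomerRecord("C1", "LOPEZ GARCIA, Juan Carlos", dob="1970-04-12", country="XX"),
        CustomerRecord("C2", "Juan Carlos Lopez Garcia", dob="1985-01-01"),
        CustomerRecord("C3", "Mueller Trading GmbH"),
        CustomerRecord("C4", "Alice Example"),
    ):
        print(rec.customer_id, screen_customer(rec))
```

The disposition is advisory only: the alert still goes to a reviewer with the score and each identifier comparison recorded, which is the decision trail the Alert Generation and Review section asks for. Note that when DOB is absent on either side the hit is neither cleared nor confirmed, which is why the reliability of the secondary data matters as much as its presence.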

Manner, Timing and Frequency of Sanctions Screening

An FI’s reference data is typically maintained in electronic files. It is most effective when screened through an automated process and repeated at defined intervals. The use of manual screening can be considered when the risk is sufficiently low, and where the reference data cannot be sourced reliably, either electronically or in a format necessary for automated screening. For example, if an FI has identified only a small population of names requiring screening, it may choose to forego investing in an automated screening system and instead manually input these names into an online screening filter.

An FI’s policies and procedures should clearly define when reference data screening takes place. As a general principle, screening should be done when establishing a new relationship, to ensure the relationship is permissible, and then at regular intervals, either upon a trigger event or as customer and/or list information changes, to validate that the relationships remain permissible. Where either internal or external data sets change frequently, periodic screening may be as often as daily, but longer intervals between periodic rescreening may be acceptable in situations where change is less frequent or the risk of a potential sanctions exposure is low.

Transactions/Message Screening

Transaction screening refers to the process of screening a movement of value within the FI’s records, including funds, goods or assets, between parties or accounts.

Transaction Screening, including Payments and Trade

Transaction monitoring

In order to determine the scope of transaction screening relevant for sanctions risk management, an FI should focus on those transactional records necessary to the movement of value between parties and at a point in the transaction where detection of a sanctions risk is actionable to prevent a violation. Consideration should be given to higher sanctions risk factors, such as:

  • Cross-border transactions
  • The currency used as part of the transaction
  • The routing of the transaction

Screening cross-border payments prior to completing the transaction is common practice and known as screening in real-time. By contrast, screening domestic payments in real-time may be unnecessary for FIs that are subject to the same local regulatory requirements, including the jurisdictions’ local sanctions and KYC requirements when on-boarding clients. For these FIs, imposing screening at the time of each transaction is likely to be duplicative and less likely to identify any new or additional risk indicators.

However, an FI that is also subject to a different jurisdiction and regulatory mandate would likely want to assess its applicable requirements and decide to screen its transactions to address that specific risk. An FI also may decide to screen a defined set of transactions, where it assesses the sanctions risks within the local economy or financial system to be outside of its own risk tolerance.

Data Elements within Transactions

An FI should initially assess which transaction types are relevant for sanctions screening. In the same way as reference data, it should then identify which attributes within those records are relevant for sanctions screening and the context in which they become relevant. Names of parties involved in the transaction are relevant for list based sanctions programmes, whereas addresses are more relevant to screening against geographical sanctions programmes and can be used as identifying information to help distinguish a true match from a false match. Other data elements, such as bank identification codes, may be relevant for both list and geographically based sanctions programmes.

In a sanctions context, some data elements are more relevant when found in combination with other attributes or references. For example, detection of sectoral sanctions risk typically requires detection of multiple factors, such as those where both the targeted parties and the prohibited activities are involved. Many controls may not be capable of detecting both factors simultaneously and, therefore, may not be effective.

In addition, certain data elements offer little or no risk mitigation through screening, for example, amounts, dates and transaction reference numbers have no relevance from a screening perspective.

Some of the most common transactional attributes screened include:

  • The parties involved in a transaction, including the remitter and beneficiary
  • Agents, intermediaries and FIs
  • Vessels, including International Maritime Organisation (IMO) numbers, normally in Trade Finance related transactions
  • Bank Names, Bank Identifier Code (BIC) and other routing codes
  • Free text fields, such as payment reference information or the stated purpose of the payment in Field 70 of a SWIFT message
  • International Securities Identification Numbers (ISINs) or other risk relevant product identifiers, including those that relate to Sectoral Sanctions Identifications within securities related transactions
  • Trade finance documentation, including the:
    • Importer and exporter, manufacturer, drawee, drawer, notify party, signatories
    • Shipping companies, freight forwarders
    • Facilitators, such as insurance companies, agents and brokers
    • FIs, including Issuing / Advising / Confirming / Negotiating / Claiming / Collecting / Reimbursing / Guarantor Banks
  • Geography, including a multitude of addresses, countries, cities, towns, regions, ports, airports, such as:
    • Within SWIFT Fields 50 and 59
    • Place of taking in Charge / Place of Receipt / Place of Dispatch / Place of Delivery / Place of Final Destination
    • Country of origin of the goods /services / country of destination / country of transhipment
    • Airport of Departure / Destination
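
As an added example (not part of the original guidance), the block below pulls the screenable attributes out of a payment message along the lines the list above gives: parties in Fields 50 and 59, bank identifier codes, and free text in Field 70, while the amount, value date and reference in Fields 32A and 20 are parsed but deliberately left out of screening. The MT103-style message, the BICs and the geographic and name term lists are constructed sample data, and the parser is a toy for illustration rather than a full FIN parser.

```python
"""Extracting the screenable attributes of a payment message and screening them
against geographic and name terms.

Added illustration: the MT103-style message, the BICs and the term lists are
constructed sample data. Field tags follow the SWIFT ':TAG:' convention, but
this is a toy parser, not a full FIN parser."""
import re

SAMPLE_MT103 = """\
{1:F01EXAMBANKAXXX0000000000}{2:I103EXAMBANKBXXXN}{4:
:20:REF-0001-CONSTRUCTED
:23B:CRED
:32A:240115EUR12500,00
:50K:/12345678
ACME IMPORT EXPORT LTD
12 HARBOUR ROAD
PORT OF EXAMPLETOWN, RURITANIA
:52A:EXAMBANKAXXX
:57A:EXAMBANKBXXX
:59:/98765432
NORTHERN SUPPLIES CO
5 MARKET STREET
SAMPLE CITY
:70:INV 4471 GOODS VIA EXAMPLE PORT
:71A:SHA
-}"""

# A field runs from ':TAG:' up to the next tag or the end of block 4.
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*?)(?=^:\d{2}[A-Z]?:|\Z)", re.M | re.S)

# Amount, value date, reference and charge code carry no screening value.
NOT_SCREENED = {"20", "23B", "32A", "71A"}

# Constructed term lists (assumed, not real list content).
GEO_TERMS = {"RURITANIA": "geo_country", "EXAMPLE PORT": "geo_port"}
NAME_TERMS = {"NORTHERN SUPPLIES CO"}


def parse_block4(message: str) -> dict:
    """Return {tag: value} for the text block of the message."""
    start = message.index("{4:") + 3
    end = message.index("-}", start)
    return {tag: value.strip() for tag, value in FIELD_RE.findall(message[start:end])}


def party(value: str) -> dict:
    """Split a 50K/59 field into account, name (first line) and address."""
    lines = value.splitlines()
    account = lines[0][1:] if lines and lines[0].startswith("/") else None
    rest = lines[1:] if account is not None else lines
    return {"account": account, "name": rest[0] if rest else "", "address": " ".join(rest[1:])}


def screenable_attributes(fields: dict) -> dict:
    """Keep only the attributes the guidance calls screenable: parties, BICs, free text."""
    attrs = {}
    for tag, value in fields.items():
        if tag in NOT_SCREENED:
            continue
        if tag in ("50K", "59"):
            p = party(value)
            attrs[tag] = {"kind": "party", "name": p["name"], "address": p["address"]}
        elif tag in ("52A", "56A", "57A"):
            attrs[tag] = {"kind": "bic", "bic": value}
        elif tag == "70":
            attrs[tag] = {"kind": "free_text", "text": value}
    return attrs


def _contains(term: str, text: str) -> bool:
    return re.search(rf"\b{re.escape(term)}\b", text.upper()) is not None


def screen_transaction(attrs: dict, geo_terms=GEO_TERMS, name_terms=NAME_TERMS) -> list:
    """Return (field, term, category) hits. Geographic terms are checked in every
    screenable field; listed names only against party names."""
    hits = []
    for tag, attr in attrs.items():
        text = " ".join(v for k, v in attr.items() if k != "kind")
        for term, category in geo_terms.items():
            if _contains(term, text):
                hits.append((tag, term, category))
        if attr["kind"] == "party":
            for term in name_terms:
                if _contains(term, attr["name"]):
                    hits.append((tag, term, "listed_name"))
    return hits


if __name__ == "__main__":
    fields = parse_block4(SAMPLE_MT103)
    for hit in screen_transaction(screenable_attributes(fields)):
        print(hit)
```

Each hit names the field it came from, so a reviewer can see whether a geographic term appeared in a party address or only in the free text, which is exactly the context that decides whether the hit is actionable. Screening the address lines for geographic terms while screening the name line for listed names mirrors the distinction the text draws between list based and geographically based programmes.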

Manner, Timing and Frequency

Transaction screening should be performed at a point in time where a transaction can be stopped and before a potential violation occurs. This typically occurs at a number of points in the lifecycle of a transaction, but certainly prior to executing any commitment to move funds. Particular attention should be directed to any points within the transactional process where relevant information could be changed, modified or removed in order to undermine screening controls.

Transactional records are typically found in large volumes and within business processes predicated on speed of execution. These transaction types are generally in electronic form and conducive to systemic, automated screening. Some transaction types, however, still rely on documentation in various formats and varying methods of presentation. These may require manual screening processes, where relevant information is physically added into a system for screening.

Trade finance documents often require this type of manual screening, although, more advanced information capture techniques are increasingly available, including Optical Character Recognition (OCR), where documents are scanned and then automatically transposed into a system prior to screening. OCR requires quality assurance validation to ensure the information has been captured fully and accurately.

Certain paper based transactions, such as paper cheque clearing, where the volumes can be high and the manual screening process creates high rates of errors, may rely on controls other than screening, such as KYC processes, where the sanctions risks for the product are assessed as being low.

List Management

Sanction list

Screening is dependent on data sets and lists of sanctions indicators, against which an FI looks for potential matches within its reference and transactional data. These lists must be accurate, reliable, up-to-date, refreshed frequently and relevant to the risks the FI is attempting to manage. These lists are generated both by external authorities and created internally based on the FI’s own information and knowledge about its exposure to sanctions risks.

List management refers to the end-to-end process of determining and managing regulatory and internal lists used for screening. Rigorous list management promotes screening which is consistent with the FI’s risk appetite, including the identification of potential sanctioned targets.

The following considerations are relevant to effective list management, and each should be well-documented and reviewed on a regular basis, to ensure the FI’s chosen approach remains in line with its risk appetite:

  • List selection – determine which sanctions related lists are relevant for screening. This should include regulatory lists, for example, the OFAC and E.U. lists, as well as other lists designed to comply with regulatory requirements and to manage risk.
    • Such lists may include internal or private lists of individuals/entities/terms known to have a sanctions nexus, lists of geographic terms including cities, towns, regions and ports or banking terms (for example, BICs), lists of prohibited securities and prohibited goods, where applicable.
    • List selection may depend upon multiple variables, including the type of data being screened or whether transactions are domestic or cross-border. For example, screening against lists of prohibited goods is currently unlikely to be conducted outside the context of trade finance transactions, and trade finance transactions likely do not need to be screened against sanctioned securities.
    • FIs should consider the impact that the introduction of new lists and terms, which could generate significant alert volumes, or spikes, may have on operational risk.
  • Sourcing of lists – determine which lists are to be generated internally and which lists are best sourced from external vendors, and the processes for generating/ingesting such lists.
  • List maintenance – determine the processes for adding lists or entries to, and removing them from, internal lists, where screening is no longer required or where the result is within risk appetite. Determine appropriate controls to ensure lists remain up-to-date and that only appropriate individuals can add or remove lists or list entries.
  • Data enhancement – determine whether certain list entries should be modified or enhanced based on additional information.
  • Whitelisting – determine the management of rules for automatically eliminating potential hits caused by the interaction of certain list terms and frequently encountered data, for example, customer names which have already been confirmed as false positives.
  • Geographic scope of list application – determine which lists should be screened in all jurisdictions of an FI’s operations and which, if any, could be screened only locally, within a certain jurisdiction or jurisdictions.
  • “Exact matching” versus “fuzzy logic” – determine which lists should be deployed within the screening filter on an exact match basis, and which would use fuzzy matching.
  • Frequency of screening – determine the frequency of, or the triggers for, static data screening, for example, additions to lists and changes in customer data.
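
The block below is an added example, not part of the original guidance, that expresses the list management considerations just listed, and the risk based screening decisions from the Principles for Generating Productive Alerts section, as configuration: each list carries its own jurisdictional scope and an exact or fuzzy matching mode, confirmed false positives are whitelisted per (list, term, record), and documented exclusions omit low risk records from screening. Suppressed hits are kept alongside alerts so the decision trail is auditable. The list names, entries, record identifiers, jurisdiction codes and the 0.8 fuzzy threshold are constructed assumptions.

```python
"""List management as configuration: per-list jurisdiction scope, exact versus
fuzzy matching, whitelisting of confirmed false positives and documented
exclusions, with every suppression recorded for governance review.

Added illustration; list names, entries, record ids and jurisdiction codes are
constructed sample data and not any real list content."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional
import re


@dataclass(frozen=True)
class ScreeningList:
    name: str
    entries: tuple                          # list terms
    match_mode: str                         # "exact" or "fuzzy"
    jurisdictions: Optional[tuple] = None   # None = screened everywhere
    fuzzy_threshold: float = 0.8            # assumed; tuned per list in practice

    def in_scope(self, jurisdiction: str) -> bool:
        return self.jurisdictions is None or jurisdiction in self.jurisdictions


@dataclass
class ScreeningConfig:
    lists: tuple
    # (list name, list term, record id) triples confirmed as false positives
    whitelist: set = field(default_factory=set)
    # record ids documented as low sanctions risk and omitted from screening
    exclusions: dict = field(default_factory=dict)  # record id -> rationale


def normalise(text: str) -> str:
    return " ".join(re.sub(r"[^A-Z0-9]+", " ", text.upper()).split())


def term_matches(term: str, value: str, lst: ScreeningList) -> Optional[float]:
    """Return a score when the term matches under the list's mode, else None."""
    t, v = normalise(term), normalise(value)
    if lst.match_mode == "exact":
        return 1.0 if t == v else None
    score = SequenceMatcher(None, t, v).ratio()
    return score if score >= lst.fuzzy_threshold else None


def screen(record_id: str, name: str, jurisdiction: str, cfg: ScreeningConfig) -> dict:
    """Apply the configuration to one record. Alerts go to review; suppressed
    hits are kept with their reason so the decision trail can be audited."""
    alerts, suppressed = [], []
    if record_id in cfg.exclusions:
        suppressed.append({"record": record_id, "reason": "excluded",
                           "rationale": cfg.exclusions[record_id]})
        return {"alerts": alerts, "suppressed": suppressed}
    for lst in cfg.lists:
        if not lst.in_scope(jurisdiction):
            continue  # list not deployed in this jurisdiction
        for term in lst.entries:
            score = term_matches(term, name, lst)
            if score is None:
                continue
            hit = {"record": record_id, "list": lst.name, "term": term,
                   "mode": lst.match_mode, "score": round(score, 3)}
            if (lst.name, term, record_id) in cfg.whitelist:
                suppressed.append({**hit, "reason": "whitelisted false positive"})
            else:
                alerts.append(hit)
    return {"alerts": alerts, "suppressed": suppressed}


# Constructed configuration (assumed list content and rationale text).
CONFIG = ScreeningConfig(
    lists=(
        ScreeningList("GLOBAL_REGULATORY", ("EXAMPLE TRADING CORP",), "fuzzy"),
        ScreeningList("LOCAL_PORTS_ZZ", ("PORT EXAMPLE",), "exact", jurisdictions=("ZZ",)),
    ),
    whitelist={("GLOBAL_REGULATORY", "EXAMPLE TRADING CORP", "CUST-7")},
    exclusions={"CUST-9": "central bank counterparty; risk accepted (constructed rationale)"},
)


if __name__ == "__main__":
    for rec in (("CUST-1", "Example Trading Corporation", "ZZ"),
                ("CUST-7", "Example Trading Corp.", "AA"),
                ("CUST-2", "Port Example", "AA"),
                ("CUST-3", "Port Example", "ZZ"),
                ("CUST-9", "Example Trading Corp", "ZZ")):
        print(rec[0], screen(*rec, CONFIG))
```

Keying the whitelist on the record as well as the term is deliberate: a confirmed false positive for one customer says nothing about a different customer with a similar name. Scoping a geographic term list to one jurisdiction is the "Lists" decision from the earlier section; the same mechanism would also cover a list that is global by regulation and must never be scoped down.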

Regulatory Sanctions Lists

FIs typically source regulatory lists either from a third-party provider or directly from regulators. The use of a third-party can offer the FI a broad enrichment of data in a standard format and avoids duplicate entries that appear on multiple lists.

FIs should consider the means to ensure the quality and timeliness of updates made to the lists they screen against, including the following factors:

  • Delays between regulatory sanctions list updates and vendor provided screening list updates
  • Enrichment of listed terms; for example, foreign language name variations or addition of BIC codes for listed FIs.

When new designations are published on regulatory lists, the key priority for a list management function is to ensure the names are implemented into screening as quickly and accurately as possible.

Internal Lists

Internal lists are often referred to as ‘Private lists’ or ‘Grey lists.’ These are lists of individuals and entities which may present a financial crime risk to the FI, and have been identified through an FI’s internal procedures or intelligence. These names are generated and maintained internally within an FI’s risk appetite and, ideally, applied in screening for a set time frame, dependent on the risk.

Long term effectiveness of internal lists often depends on the data quality of entries added. Toward that end, an FI should consider the minimum inclusion criteria for internal list entries to be operationally effective, including minimum data attributes and quality, to complement alert investigation procedures and improve risk identification. Regular reviews of entries are helpful to ensure intelligence does not become stale or outdated.

Identifying Information and Weak Aliases

Along with entries on a list, certain identifying information is often provided to assist in distinguishing a true match from a false positive. This information does not need to be screened. It is provided to assist with the assessment of an alert. This includes attributes such as date of birth, nationality (where legally permissible) and place of birth.

In addition to identifying information, some authorities provide additional ancillary information of varying utility that can be useful to help distinguish a true match from a false positive. This ancillary information may include “weak aliases,” or “low quality aliases,” and describes broad or generic names of sanctions targets that often will add little value in confirming a match. These weak aliases may include ‘nicknames’ and common acronyms. It is not expected, nor is it typically productive, to screen against weak aliases.

Weak aliases can be assigned to one of the categories below:

  • Character length (shorter strings are assumed to be less effective in screening than longer strings)
  • The presence of numbers in an alias (digits 0-9)
  • The presence of common words that are generally considered to constitute a nickname (example: Ahmed the Tall)
  • References to geographic locations in the alias
  • The presence of very common prefixes in a name where the prefix was one of only two strings in a name (example: Mr. Smith)
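
As an added example (not part of the original guidance), the block below turns the five categories above into a classifier that decides which aliases of a list entry are screened and which are retained only as context for the reviewer. The nickname words, common prefixes and gazetteer are small constructed sets, and the minimum length of five characters is an assumed cut-off rather than a value any authority publishes.

```python
"""Weak-alias classification following the five categories listed above.

Added illustration; the word lists (nickname words, prefixes, gazetteer) are
small constructed sets, and MIN_LENGTH is an assumed cut-off, not a value
taken from any authority's list."""
import re

MIN_LENGTH = 5  # assumed: aliases shorter than this are treated as weak
NICKNAME_WORDS = {"THE", "BIG", "LITTLE", "JUNIOR", "SENIOR"}   # constructed
COMMON_PREFIXES = {"MR", "MRS", "MS", "DR", "SHEIKH", "HAJJI"}  # constructed
GAZETTEER = {"CAIRO", "LONDON", "PARIS", "BAGHDAD"}              # constructed sample


def tokens(alias: str) -> list:
    """Upper-case, drop punctuation, split on whitespace."""
    return re.sub(r"[^A-Z0-9]+", " ", alias.upper()).split()


def classify_alias(alias: str, gazetteer=GAZETTEER) -> list:
    """Return the weak-alias categories that apply; an empty list means the
    alias is strong enough to screen."""
    toks = tokens(alias)
    text = " ".join(toks)
    reasons = []
    if len(text) < MIN_LENGTH:                       # character length
        reasons.append("short")
    if any(ch.isdigit() for ch in text):             # digits 0-9 present
        reasons.append("contains_digits")
    if any(t in NICKNAME_WORDS for t in toks):       # e.g. "Ahmed the Tall"
        reasons.append("nickname")
    if any(t in gazetteer for t in toks):            # geographic reference
        reasons.append("geographic")
    if len(toks) == 2 and toks[0] in COMMON_PREFIXES:  # e.g. "Mr. Smith"
        reasons.append("prefix_plus_single_name")
    return reasons


def is_weak(alias: str) -> bool:
    return bool(classify_alias(alias))


def partition_aliases(aliases) -> dict:
    """Split a list entry's aliases into those to screen and those kept
    only as reviewer context, with the reasons recorded for governance."""
    out = {"screen": [], "context_only": {}}
    for alias in aliases:
        reasons = classify_alias(alias)
        if reasons:
            out["context_only"][alias] = reasons
        else:
            out["screen"].append(alias)
    return out


if __name__ == "__main__":
    sample = ["Alexander Petrovich Ivanov", "Ahmed the Tall", "Mr. Smith",
              "Ali", "Unit 9", "Ahmed of Cairo"]
    for alias in sample:
        print(alias, "->", classify_alias(alias) or "strong")
    print(partition_aliases(sample))
```

Recording the reason for each exclusion matters as much as the exclusion itself: the decision not to screen an alias is one of the risk based decisions whose rationale the governance framework is expected to document.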

Historical Reviews (Lookbacks)

While the consideration of a lookback is not exclusively a sanctions control, an FI may identify potential sanctions risk where a sanctions related data point may have been previously undetected by the screening system, for example, as a result of a name variation. In these instances, the FI should consider whether or not:

  • Changes to the sanctions screening system (for example, configuration or lists) are warranted, and
  • A historical review (“lookback”) should be performed.

In considering a lookback to identify transactions that have already been processed, an FI should give strong consideration as to whether such a review would be useful to the FI and/or public policy interests.

In making this determination, consideration should be given to:

  • A clear understanding of what is the root cause
  • Whether the matter is an isolated, one-time event or is likely to occur again, in order to inform the necessary activity and the consequences if it is repeated
  • Does the risk warrant mitigation? If yes, what steps need to be taken to mitigate the risk? For example, configuration changes, list content, non-screening controls
  • Is there a public policy or law enforcement interest in the identification of historical transactions and subsequent disclosure of those transactions/parties involved?
  • Mitigating factors for potential enforcement actions and regulatory disclosure
  • Detecting possible conduct issues
  • Identifying customer behaviour or patterns that pose increased sanctions risk

Conclusion

In summary, sanctions screening is a key control in the prevention of financial crime risk which FIs may otherwise be exposed to. It is essential that it is implemented and maintained as part of a wider set of financial crime compliance controls and within the risk appetite of the FI.

While recognising the need to meet regulatory and legal obligations, and demanding the highest standards of effectiveness in identifying sanctioned parties and locations, FIs should seek to adopt a risk based approach to sanctions screening and to consider all aspects of a comprehensive sanctions screening control framework, as follows:

  • The FI must have a robust FCC programme with a clear strategy in respect of sanctions screening, to mitigate the risk of being exposed to sanctioned parties and countries.
  • The FI’s approach should recognise that while sanctions screening is a primary control, it has its limitations and should be deployed alongside a broader set of non-screening controls to be truly effective.
  • It is important for FIs to document their systematic approach to screening by linking it directly to their risk appetite statements.
  • The accuracy and completeness of the FI’s own data is central to an effective and efficient sanctions screening process.
  • Technology remains a key enabler in the effectiveness of identifying financial crime risk through screening, more efficiently and on a real-time basis.
  • Robust governance and oversight mechanisms must be put in place across the FI to ensure transparency of risk decisions to key stakeholders and risk owners.
  • The FI should ensure that people involved in the end-to-end risk event management are suitably trained, supervised and that the appropriate levels of quality control and assurance are in place to ensure compliance with requirements.
  • Robust management information should be made available to management to report effectiveness, trends and performance.

Glossary

Alert Spike is a substantial increase in the number of alerts generated. A spike could be caused by, for example, remediation exercises, changes or updates to policies, procedures or Watchlists.

Four-Eye Review means that a certain activity, for example, a decision/transaction must be approved by at least two people (Maker and Checker). This dual control mechanism is used to increase transparency and ensure quality of reviews and subsequent decisions.

Fuzzy Matching is a varied and algorithm based technique to match one name (a string of words), where the contents of the information being screened is not identical, but its spelling, pattern or sound is a close match to the contents contained on a list used for screening.

Customer or Name Screening is the screening of full legal name and any other name provided by the customer, such as known aliases, against applicable official sanctions lists.

Operational Risk is the risk of potential reduction, deterioration or breakdown of services provided by an FI caused by deficiencies in information systems or internal processes, human errors, management failures or disruptions from external events.

Sectoral Sanctions – in July 2014, the U.S. Office of Foreign Assets Control (OFAC) and the European Union introduced new Ukraine and Russia-related sanctions programmes prohibiting certain types of transactions with targeted entities in the finance, energy and defence sectors, as well as entities owned 50% or more by the targets. OFAC refers to these sanctions as Sectoral Sanctions Identifications. Sectoral Sanctions Identifications aim to identify persons operating in sectors of the economy that may be subject to sectoral sanctions, and the deals and transactions that are prohibited.

Transaction Screening is the process of screening a movement of value within the FI’s records, including funds, goods or assets, between parties or accounts. In order to mitigate risk associated with trade finance transactions and international wire transfers, FIs conduct real-time screening of cross-border transactions against Sanctions Lists, where any of the Sending Bank, Originating Bank, Receiving Bank, Intermediary Bank or Beneficiary Bank are located in different countries.

True Match is a screening result, where the characters contained within the information being screened match the details of a designated entity on a list that is in scope for screening.

Weak Aliases/Low Quality Aliases is a term for a relatively broad or generic alias (including ‘nicknames’ and common acronyms) that may generate a large volume of false hits when such names are run through a computer-based screening system. It is not expected, nor is it typically productive, to screen against weak aliases.

What to do when you uncover Money Laundering

Gold is an easy asset to use to launder value. It’s high value, easy to transport and can be moulded into any shape you desire. For the super rich criminal, it is a go to element of value to store criminal assets.

None of that is shocking. What is shocking, is when a big four audit and accountancy firm gets involved in a very, very blatant money laundering scandal. Like EY did.

In this post we will examine what happened, explore the person involved and ask questions or pose suggestions to cause Compliance Operators to think about what they would do in the position of the central player, Amjad Rihan, a person who stood up against the odds to try and secure ethical business practice.

Amjad Rihan was respected. He was good at his job and had shown talent in a short tenure with EY. He was promoted to a partner position in the EY Dubai operation, paying $50,000 into the firm to secure it.

In 2013 he was required to conduct an ‘Assurance Audit’ of a jeweller and gold dealer called ‘Kaloti Jewellery International’. The purpose of such an audit is to provide an independent written view on the quality and propriety of the audit client’s business practices. An assurance audit is not a financial audit but shares some of the characteristics of one. The word “assurance” is used because the auditor’s written views are intended to assure a reader of the auditor’s assurance report that the audit client’s business practices, in the auditor’s independent view, are as stated in the report.

Clearly, any professional putting a signature on a report such as this is asserting credibility to the business under audit. They are effectively lending the auditor’s respectability to the business under audit – to assign weight to their honesty and ethical business practices through the respectability of the auditor.

Charged with that Amjad set about his task. He had a small team working with him and they quickly uncovered what was effectively gold smuggling out of Morocco. The method used was simple. Coat the gold in a thin veneer of silver to convince Customs at the border it was silver being transported and not gold. This was to avoid the regulations and bar on exporting gold from Morocco. All the paperwork exporting the metal was identified as Silver leaving Morocco but imported into UAE as Gold. In addition to this irregularity Kaloti had taken part in cash transactions in 2012 to the value of $5.2 billion.

With one cash transaction for an eye watering $750 million – in cash!

Gold is recognised as a ‘conflict mineral’ internationally, meaning scrutiny on its trade should be more thorough. This is because of the points made above: it is easy to transport, high in value, malleable and easily convertible. It is known to be used for terrorist financing and in the exchange of criminal assets.

There was no doubt that questions as to the standard of business were raised due to these suspicions. In fact, during the trial EY accepted that the suspicions around laundering of money and gold were present. I would go further.

It’s not just suspicious to be trading in cash for gold. It isn’t just suspicious that gold, deliberately disguised as silver was exported from Morocco.

This is money laundering. Period.

Yet when Amjad tried to raise this within EY, no one wanted to know. Various attempts to get him to re-write his findings were made, in a fudge to curry the favour of Kaloti and, more importantly, the circle of influence around the company that went to the top of Dubai society. The route to the top was through an organisation called the DMCC, the Dubai Metals and Commodities Centre – a ‘sort of’ regulator in the Kingdom. They were part of the government machinery and tried, consistently, to have the cash trading and gold smuggling issues removed from the EY report.

Clearly EY were in a difficult position – but not one that could not have been thought through in a pre-considered way. It is not unfeasible to anticipate such issues when operating in a country that has no reason to trade in gold other than its attractiveness as an asset that can be laundered and as a safe-haven store of value in troubled economic times. Good practice also requires properly completing EDD when you look at the bare facts in this case.

  • Gold – a conflict mineral
  • High value
  • A wealthy business
  • International trade
  • Gold trading in a country that doesn’t produce it

Gold trading in a country that has no gold mines is a known and publicised red flag for money laundering and terrorist financing. Compliance staff at EY will have (or should have) known this before the company even set up offices in the Kingdom. And this, for me, is the morally bankrupt nature of what EY did. They sent an auditor in, even if they operated without suspicion at that stage, with a high likelihood that he would uncover ‘discrepancies’, and with no apparent plan as to how those discrepancies would be handled.

For me, this is the problem with firms seeking to ‘do business’ without a proper process to manage ethical, moral and legal issues. It is a step too far to put an honest man, who had paid several thousand into the business to attain partner status, under undue pressure to compromise his ethical and honest nature – just to secure business. The risk he faced was insurmountable. He could ‘fudge’ the report and produce a ‘bill of good health’ for Kaloti, essentially being bribed to do so. If he didn’t, at risk was his investment in the firm and his whole present and future career.

Mr Rihan chose the ethical and honest route.

Mr Rihan is now global news. His image is across the media and his story well documented. How this impacts his future remains to be seen; ‘not a company man’, ‘can’t be trusted’ and other potential slurs could (and probably will) follow him as he tries to secure employment elsewhere. Indeed, those slurs have followed him already.

I am sure the soul searching within EY will go deep. But will it remedy the past ills of the company? I doubt it. Money is the ultimate motivator, and if, as an intelligent business, they couldn’t foresee potential conflicts when the contract to audit Kaloti was signed, then, to be frank, would you trust a single audit they conduct in the future?

Due diligence springs to mind.

This is the central issue for EY. The more negative press you get relating to the ethical issues at the heart of this saga, the less likely people are to trust your future ‘audits’.

Of course, I am sure the marketing department and PR people will be working overtime to remove this stain on EY’s history, but the sad fact of corporate life nowadays is repeated scandal after repeated scandal. Corporate-level entities just do not seem to grasp the damage to their reputation when they fail to do due diligence before entering a contract and to plan for an exit if they uncover clear criminal behaviour.

It seems the plan is to send in a partner, who is financially bought in and has the risk at his door, in an unwritten strategy to have him shoulder the burden for any negative outcome. Reporting lines to senior people are managed to reduce the written trail and to distance them from the risk. The business is set up specifically to reduce risk throughout the group, with entities separated by registration in separate jurisdictions.

Yet the judge in the trial, His Honour Justice Kerr, faced with four elements of the EY corporate set-up as defendants, saw through this and rightly held that the case fell under English jurisdiction, rejecting the line of defence EY’s lawyers had pursued, that Mr Rihan wasn’t entitled to English jurisdiction.

In the end Mr Rihan was awarded $11 million. That is a lot of money, but it was rightly awarded to compensate Mr Rihan for standing up for ethical and honest business and for being constructively dismissed from EY. His future is now secure again (pending an appeal, which is likely).

What lessons can be learned?

For those in corporate business several lessons can be taken from this.

  • Ensure you do due diligence when clear risks are present in a contract, and have a plan to manage them, with an exit strategy.
  • Provide support to your employees who will be under intolerable pressure – pressure that you have created.
  • Start from the worst-case scenario. While you save one business contract, you put thousands of others at risk if you fudge ethics and integrity.
  • Protect your reputation, not the contract.
  • Protect your people, not the contract.
  • Consider the future, not the present.

For those in roles that are compliance related:

  • Document everything, timed and dated.
  • Save all records off the organisation’s system.
  • Have someone have your back – and tie them to it by copying communications to them.
  • Question the plan and exit strategy before you start.
  • Confirm and test the due diligence.
  • Collate everything and ensure senior managers are copied in. They can’t ‘un-know’ what you know.

In a world that wrestles with ethics on a daily basis, the choices aren’t always linear. For this reason, when you come across unethical or criminal behaviour it is important that you report it, in written form, through the right internal channel. If you’re met with a closed system of outright negation or denial, do not go back for another go.

Continue your role and do it in the best way possible, but record everything. This can be uncomfortable and may even make you feel treacherous, but if and when the issues you know about come out, you need to be able to explain what you did, when you did it and why. It also provides you with a body of evidence if you believe the right course of action is to report what you have found externally.

Report via our encrypted and anonymous platform: by email, by mobile app, by web contact form and by hotline. We encrypt all communications to military grade and you can maintain your anonymity.