Section 42 of the current Act refers to the ‘formulation and implementation of internal rules’. The Amendment Bill will look to replace this with the amended section 42 ‘Risk Management and Compliance Framework’. The substituted section 42 will require an accountable institution (AI) to develop, document, maintain and implement a programme for anti-money laundering and counter-terrorist financing risk management and compliance. The programme must enable the accountable institution to identify, assess, monitor, mitigate and manage its risks of being involved in or facilitating money laundering or financing of terrorist activities.
Elements of the Programme
The programme in its entirety will have to set out the processes the institution will use or put in place in order to ensure that the institution and all persons within the institution know which processes and procedures to follow in order to identify, and ultimately prevent, money laundering and terrorist activities. It is therefore important that the AI’s programme is customised in a way that suits its business requirements and processes, taking into consideration the type of clients that the business deals with and the products and services offered. The programme which is implemented must therefore be understood and practically applied by all persons within the institution.
Here are a few of the elements which will have to be included in the programme to demonstrate how the AI intends fighting financial crime on a continuous basis:
- The programme must provide the manner in which the AI will determine if a person is a prospective client or a client who has established a business relationship or entered into a single transaction.
- The identification, verification and all other customer due diligence processes to be followed. A risk-based approach should be applied to these processes so that more stringent processes are followed for those clients, products or services which are higher risk. The programme must also set out the manner in which the AI will conduct ongoing due diligence (This was previously set out in Part II:CDD). The AI will also have to set out its additional due diligence measures in respect of legal persons, trusts, partnerships and prominent influential persons.
- Also very important is that the AI sets out the manner in which it will examine and approach complex, unusually large transactions and unusual patterns of transactions which do not have an apparent business or lawful purpose. An AI will therefore have to indicate how it will practically do so within the specific business and how staff will identify and handle these type of transactions.
- The manner in which AIs will terminate an existing business relationship where it is unable to conduct ongoing due diligence.
- The manner in which the AI will determine whether a prospective client is a ‘foreign prominent public official’ or a ‘domestic prominent influential person’.
- The AI must also set out the steps it will take to ensure that the Programme is implemented in all branches, subsidiaries or operations of the AI in foreign countries. The AI must ensure that the documented Programme is available to all staff who are involved in any form of transaction or activity to which the Act will apply. Developing and documenting the Risk Management and Compliance Programme is, in itself, not enough. The test for ‘implementation’ is whether the processes which have been documented are actually being followed in each area of the business.
In the recent FIC roadshow, it was highlighted that a common area of non-compliance lies in AIs having a documented set of internal rules which are not customised according to the people and processes of the business. As mentioned, it is critical that the procedures set out in the internal rules are practically applied by all staff. Failure to do this has been the reason for some AIs being issued with administrative fines during 2016.
The FIC expects that the internal rules are aligned with the specific business and it may therefore not be a document with a general approach or a template which has not been adjusted for the specific business. Similarly, once the Amendment Bill is enacted, the Compliance and Risk Management Programme will need to be unique to the business, its clients, products and services.