Guidance to CMI on enhancing AML/CFT frameworks and controls

Bovill

MAS released a guidance paper on 4 January 2019, following its AML/CFT inspections of CMIs. The paper includes the framework of the inspections, areas of improvement for CMIs to adopt, and case studies of lapses identified during the inspections. If this impacts your firm, read our summary of the key findings below.

MAS AML/CFT inspection framework

MAS applies a three-pillar framework in their AML/CFT inspections:

  • Governance – the important role of Board and Senior Management (BSM) in management of AML/CFT risks
  • Risk awareness – the CMI’s ability to identify and escalate issues, and determine appropriate risk mitigation measures
  • Execution – effective and timely execution of AML/CFT controls.

Governance

The BSM must have active oversight on AML/CFT matters. The BSM should also ensure that AML/CFT policies are up-to-date, the CMI’s three lines of defence are suitably qualified and adequately resourced, and that reporting and escalation mechanisms are implemented.

The following are key findings from MAS’ AML/CFT inspections:

  • Insufficient appreciation of AML/CFT by BSM, who as a result aren’t devoting enough attention to AML/CFT
  • Failure by the BSM to make sure that frameworks around AML/CFT are adequate
  • Failure to make sure compliance management and resourcing arrangements are appropriate
  • Lack of independent audit arrangements and monitoring of remediation of audit findings

The MAS further highlighted the importance of the Enterprise Wide Risk Assessment (EWRA). The EWRA is an AML/CFT requirement that all CMIs are required to put in place. The EWRA should be updated on a regular basis, either every two years or when there are material changes. The MAS highlighted that some CMIs do not take into consideration the specific risks that the CMI faces. CMIs were found to have adopted template formats of EWRA, without tailoring them to their own risks.

CMIs are also required to maintain an independent internal audit function. The MAS found that a few CMIs were not in line with this regulatory requirement, with compliance functions doubling up as an audit function or CMIs not maintaining an audit function. The MAS reminded CMIs that an external audit function doesn’t assess the effectiveness of the CMI’s AML/CFT policies and adherence to them, which therefore also doesn’t meet MAS requirements.

Risk awareness

BSM and staff should have strong risk awareness and understand their AML/CFT obligations. Sufficient training and guidance should be provided and AML/CFT responsibilities must be clearly assigned.

The following are key findings from MAS’ AML/CFT inspections:

  • Inability of first line of defence (customer facing staff) to detect ML/TF red flags
  • Lack of awareness concerning Suspicious Transaction Reporting (STR) obligations
  • Inadequate awareness of tax-related ML risk

CMIs need to be alert to red flags and promptly take mitigation measures. MAS observed that poor risk awareness was due to the lack of emphasis from BSM on the importance of AML/CFT and lack of training on specific risks or red flags tailored to the CMI’s business model and risk profile. MAS also emphasized the importance of clear accountability for AML/CFT issues.

With numerous countries increasingly adopting the Common Reporting Standard, CMIs should be more aware of tax-related ML risk. Tax crimes are designated as a predicate offence to money laundering. So, CMIs must file STRs if they’re aware of or suspect that their customers’ funds could be proceeds of tax crimes.

Execution

The effectiveness of a CMI’s AML/CFT controls is dependent upon the quality of execution. CMIs should ensure that processes and controls are implemented, and that these are carried out properly by staff.

The following are key findings from MAS’ AML/CFT inspections:

  • Reliance on third parties to conduct CDD without adequate oversight
  • Inadequacies in Source of Wealth (SOW) and Source of Funds (SOF)
  • Deficiencies in ongoing monitoring framework

While CMIs can rely upon third parties to complete CDD, CMIs must make sure that the third party’s policies and procedures meet AML/CFT standards and that they immediately obtain the documents gathered for CDD. Reliance cannot be placed on third parties for ongoing monitoring.

MAS also highlighted the enhancements needed in the risk assessment and risk mitigation measures for complex structures. Clarity should be provided in determining how a complex structure impacts AML/CFT risk assessment. CMIs must also identify the natural persons controlling and having beneficial ownership of control structures. MAS outlined several additional due diligence measures that CMIs can consider, which can be found in the full paper.

How we can help

  • We can design your AML/CFT risk assessment procedures to make sure you consider various types of risks, for example, country risk, customer risk, product risk
  • We can prepare an EWRA for you that is tailored to your specific risks
  • We can conduct Internal Audits, to ensure that you are meeting MAS’ AML/CFT regulations
  • We can provide AML Training to staff, which would incorporate risks specific to you
  • We can conduct a Gap Analysis, with special focus on the areas of improvement raised by the MAS