kyc platform participant guide -...

Know Your Customer Participant Guide

Know Your Customer

Instructor Led Training

1


Table of ContentsCourse Overview......................................................................................................................................5

Importance of the AML and Sanctions Program...................................................................................8

Lesson 1: Know Your Customer.............................................................................................................9

Topic 1: Know Your Customer Components.......................................................................................10

Topic 2: Consequences of Non-Compliance.......................................................................................11

Topic 3: First, Second, and Third Lines of Defense...........................................................................12

Topic 4: Customers at State Street......................................................................................................13

Topic 5: Accounts...................................................................................................................................15

Topic 6: Customer Types.......................................................................................................................16

Topic 7: New and Existing Customers.................................................................................................21

Topic 8: Know Your Customer Lifecycle and Escalation...................................................................22

Topic 9: Opening an Account................................................................................................................24

Topic 10: Overview of the AML Toolkit................................................................................................26

Lesson 1: Summary................................................................................................................................28

Lesson 2: Customer Identification Program........................................................................................29

Topic 1: Customer Notice (US Customers Only)................................................................................30

Topic 2: Required Information for Customer Identification................................................................31

Topic 3: Customer Identification Program Exemptions and Simplified Due Diligence..................34

Topic 4: Customer Verification..............................................................................................................36

Topic 5: Material Discrepancies............................................................................................................41

Lesson 2: Summary................................................................................................................................42

Lesson 3: Customer Due Diligence......................................................................................................43

Topic 1: Standard CDD: Purpose of an Account................................................................................44

Topic 2: Standard CDD: Building Customer’s Anticipated Activity Profile......................................45

Topic 3: Standard CDD: Source of Funds...........................................................................................46

Topic 4: Standard CDD: Source of Wealth..........................................................................................48

Topic 5: Standard CDD: Screening......................................................................................................52

Topic 6: Targeted CDD: Customer Finances......................................................................................57

Topic 7: Customer Risk Rating.............................................................................................................58

Lesson 3: Summary................................................................................................................................602


Lesson 4: KYC Platform.........................................................................................................................61

Topic 1: Queues......................................................................................................................................63

Topic 2: Dashboards..............................................................................................................................64

Topic 3: Search Cases...........................................................................................................................65

Topic 4: Search Legal Entity.................................................................................................................67

Topic 5: Legal Entity Management Screen.........................................................................................69

Topic 6: Legal Entity Details..................................................................................................................70

Topic 7: Business Details......................................................................................................................71

Topic 8: Supplementary Details............................................................................................................73

Topic 9: Risks..........................................................................................................................................74

Topic 10: Status......................................................................................................................................75

Topic 11: Tasks.......................................................................................................................................76

Lesson 4: Summary................................................................................................................................78

Lesson 5: How to Conduct CIP and CDD............................................................................................79

Topic 1: Capturing Legal Entity.............................................................................................................80

Topic 2: Upload Requested Documents..............................................................................................94

Topic 3: Validate.....................................................................................................................................96

Topic 4: Enrich Client Data....................................................................................................................99

Topic 5: Upload Risk Rating Results..................................................................................................102

Topic 6: Complete AML.......................................................................................................................114

Topic 7: Approve for Account Opening..............................................................................................115

Lesson 5: Summary..............................................................................................................................117

Lesson 6: Enhanced Due Diligence...................................................................................................118

Topic 1: Required and Triggered Enhanced Due Diligence............................................................119

Topic 2: First Line of Defense Responsibilities.................................................................................120

Topic 3: General Enhanced Due Diligence Requirements..............................................................121

Topic 4: Source of Wealth...................................................................................................................122

Topic 5: Site Visits................................................................................................................................125

Topic 6: PEP Identification..................................................................................................................127

Topic 7: Enhanced Due Diligence Customer Profile Form..............................................................129

Topic 8: Risks and Mitigants...............................................................................................................130

Topic 9: Record Retention...................................................................................................................131

3


Topic 10: How to Conduct PEP Identification...................................................................................132

Topic 11: How to Conduct EDD..........................................................................................................135

Lesson 6: Summary..............................................................................................................................137

Lesson 7: Ongoing Reviews................................................................................................................138

Topic 1: Periodic Reviews...................................................................................................................139

Topic 2: How to Conduct Periodic Reviews for Low and Medium Risk Customers.....................140

Topic 3: How to Conduct Periodic Reviews for High Risk Customers...........................................142

Topic 4: Event Driven Reviews...........................................................................................................145

Topic 5: Examples of Trigger Events.................................................................................................146

Topic 6: Suspicious Activity.................................................................................................................147

Topic 7: Transaction Monitoring.........................................................................................................149

Topic 8: Employee Identification and Escalation of Suspicious Customer Behavior...................151

Topic 9: Sanctions Screening.............................................................................................................153

Topic 10: Sanctions Licenses.............................................................................................................159

Topic 11: Board and Senior Management Reporting.......................................................................160

Lesson 7: Summary..............................................................................................................................161

Participant’s Notes................................................................................................................................162

Abbreviations and Acronyms..............................................................................................................163

Glossary.................................................................................................................................................164

References............................................................................................................................................165

4


Course OverviewState Street exercises due diligence when establishing a relationship with a customer and carries out ongoing monitoring over the life of the relationship with a customer in order to identify and limit AML risk (referred to as Know Your Customer or KYC). KYC is composed of the Customer Identification Program (CIP), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) (if applicable), and the Customer Risk Rating. This training will provide you with the following:

What needs to be completed as part of KYC Why it need to be completed How to complete it using the KYC Platform

Day One Course Agenda

Time Lesson Title/Description

9:00 A.M. – 9:15 A.M. Introductions

9:15 A.M. – 10:30 A.M. Know Your Customer, CIP and CDD

10:30 A.M. – 11:30 A.M. KYC Platform

11:30 A.M. – 11:45 A.M. Q&A

11:45 A.M. – 12:00 A.M. Day Two Overview

Day Two Course Agenda

Time Lesson Title/Description

9:00 A.M. – 9:15 A.M. Recap from Day One

9:15 A.M. – 10:30 A.M. KYC Scenarios/hands on exercise

10:30 A.M. – 11:00 A.M. EDD

11:00 A.M. - 11:45 Ongoing Relationship

11:45 – 12:00 Conclusion

5


Course ObjectivesAfter completing this course, you will be able to:

Identity customers who maintain accounts and/or relationships with State Street.

Manage and mitigate AML, Sanctions, Compliance, Operational, Reputational, and Strategic risks a

customer poses throughout the customer lifecycle.

Conduct Customer Identification Program (CIP), Customer Due Diligence (CDD), Simplified Due

Diligence (SDD), and Enhanced Due Diligence (EDD), wherever appropriate on customers and their

Ultimate Beneficial Owners (UBOs) and related parties.

Determine the AML Customer Risk Rating (CRR) for new and existing customers and when to apply

enhanced due diligence for those customers who are deemed High Risk.

Comply with Sanctions regulations and report instances of suspicious activity.

Cooperate with regulatory and law enforcement authorities in criminal investigations, prosecutions,

and forfeiture actions relating to AML, Sanctions or other criminal activities.

Maintain proper records for five years.

Course PrerequisitesBefore taking up this course, you must undergo the following e-learning modules:

Know Your Customer at State Street Customer Identification Program Customer Due Diligence Enhanced Due Diligence Ongoing Relationship

6


Symbols Key for the PowerPoint Presentation

Icon Description

This slide will provide details about the learning Objectives in the course.

This slide will list all the topics in a lesson.

This slide will provide details about content covered in a topic.

This slide will include provide details about procedural steps for a particular process.

This slide will have the content included in a tabular format.

This slide will provide details of a discussion activity in the class.

This slide will include the discussion question for discussion in the class.

This slide will summarize the important points covered in the course.

This slide will include assessment questions for the course.

7


Importance of the AML and Sanctions Program Governments and regulatory agencies in jurisdictions impose specific requirements on financial institutions globally in order to combat money laundering, terrorist financing, tax evasion and other criminal activities (collectively referred to herein as “Money Laundering”).

Financial institutions must comply with all Anti-Money Laundering (AML) and Sanctions laws and regulations in jurisdictions of operation. Due to State Street’s international presence, the institution must comply with various AML and Sanctions regimes.

The purpose this training is to provide State Street’s Business Units with uniform and detailed guidance to prevent the Business Unit and its employees from involvement in money laundering, fraudulent activity, and the financing of terrorist activities.

It is the Business Unit who ultimately owns the risk any customer relationship poses to State Street. The AML requirements and controls in place for specific customer types and risk levels for the Business Unit to comply with State Street’s Global AML and Sanctions Policies.

8


Lesson 1: Know Your Customer

Topics

1. Know Your Customer Components2. Consequences of Non-Compliance3. First, Second, and Third Lines of Defense4. Customers at State Street5. Accounts6. Customer Types7. New and Existing Customers8. Know Your Customer Lifecycle and Escalation9. Opening an Account10. Overview of the AML Toolkit

IntroductionThe AML and Sanctions policies were developed using a Risk-Based Approach. This approach allows State Street to identify, assess, and understand the money laundering and terrorist financing risks that State Street is exposed to, by categorizing its customers as High, Medium, or Low.

The higher the risk, the more due diligence is required to prevent and mitigate these risks.

A critical part of this process is to Know Your Customer (KYC).

OverviewState Street is committed to complying with AML regulations, as implemented by the State Street AML and Sanctions Programs. KYC encompasses standards and procedures designed to ensure State Street knows with they are doing business with.

KYC is the process used by State Street to verify the identity of their customers. KYC is becoming increasingly important globally to prevent identity theft, financial fraud, money laundering, and terrorist financing. State Street is committed to complying with AML regulations, as implemented by the State Street AML and Sanctions policies.

The objective of KYC is to prevent State Street from being used, intentionally or unintentionally, by criminal elements for money laundering activities. Our policies and procedures enable State Street to know and understand our customers, and their financial dealings better. This helps State Street to manage their risks prudently.

9


Topic 1: Know Your Customer ComponentsOverviewKYC is comprised of the following three components:

Customer Identification Program (CIP)

This process is a risk-based approach designed to enable the First Line of Defense to form a reasonable belief that it knows the true identity of the customer. This process involves the collection and verification of a customer’s identification information before the customer is onboarded.

Customer Due Diligence (CDD)

This process allows the First Line of Defense to assess the AML and Sanctions risk associated with the customer and obtaining information sufficient to develop an understanding of normal and expected activity.

Enhanced Due Diligence (EDD)

This process provides for a closer review of High-risk customers. Their activities are reviewed more closely at the time the account is opened and more frequently throughout the term of the relationship.

10


Topic 2: Consequences of Non-ComplianceOverviewState Street has no tolerance for breaches within its AML and Sanctions Programs. The consequences of breaches can be significant and may include:

For State Street employees: Monetary fines (in millions of dollars)

Prison sentences (10 to 30 years)

For State Street: Monetary fines (in millions of dollars)

Reputational damage (“It takes twenty years to build a reputation and five minutes to destroy it.” (W.Buffet))

Cease and desist orders (Likely to weaken the solvency/earnings of the financial institution (FI))

11


Topic 3: First, Second, and Third Lines of DefenseOverviewTo support the activities within the Target Operating Model (TOM), the First, Second, and Third Lines of Defenses responsibilities have been changed.

The following table describes the responsibilities of the First, Second, and Third Lines of Defense.

Lines of Defense Who are They Responsibilities

First Line of Defense Business Unit and AML KYC CoE (Shared Services)

Ensure ongoing compliance is embedded into all relevant AML and Sanctions decisions and operations. Perform routine verification and provide AML Compliance with up to date information on AML and Sanctions key risks and control indicators.

Second Line of Defense AML Compliance

Perform Real Time Monitoring focused on particularly risky areas of AML, such as looking to identify suspicious activity.Conduct Ex Post Surveillance over the effectiveness of compliance controls embedded in the First Line of Defense and AML Compliance functions.

Third Line of Defense Corporate Audit

The responsibility of the Third Line of Defense is to conduct independent and regular reviews of State Street’s Global AML and Sanctions Programs including the AML Compliance function itself.

AML KYC CoE (Shared Services) is located in either India or Poland. The following table lists the Business Units supported by AML KYC CoE (Shared Services) (India and Poland).

India Poland

Global Ops USIS IIS WMS Global Credit

Services IMS

SSGM SSGX SSIA Finance GS-APAC SSgA

AIS GS-EMEA SSGM

12


Topic 4: Customers at State Street Overview

The following table describes the various customer types.

Type Definition

Non-Individuals

A Non-Individual is a lawful or legally standing organization (such as an association, corporation, partnership, proprietorship, or trust) existing independently and exercising powers independent of its members or beneficiaries – namely, the legal capacity to enter into agreements or contracts; assume obligations; incur and pay debts; sue and be sued; and accountability for illegal activities.

Individuals An Individual is a natural person (human being), group, or an Indian Tribe, who has rights and duties prescribed by law.

Once the Customer has been identified, additional parties also need to be identified. The following table describes the different parties that need to be identified.

Type Definition

Ultimate Beneficial Owners (UBOs)

Non-Individuals or Individuals who ultimately own or control a customer and/or the person on whose behalf a transaction is being conducted. UBOs may also called indirect owners, and include any person or entity that owns, has the right to vote, or has the power to sell or direct the sale of a class of the businesses voting securities of an immediate owner.

Controlling Parties

Non-Individuals or Individuals with direct or indirect control over the account created. These Non-Individuals and/or Individuals are connected to an account by virtue of having a degree of control over the funds within an account belonging to another individual or non-individual. "Control" means the power to exercise substantial influence over the management or policies of a company through contract or otherwise

Examples of controlling parties include, but are not limited to:

Investment Advisors

Members of The Board of Directors

General Partners

Executive Management – President, CEO and CFO

13

A customer is a person contracting directly with State Street for the provision of products and services.


The following table describes the different parties that need to be identified.

Type Definition

Associated Third Parties

Non-Individuals or Individuals connected to an account who do not directly contract with State Street, are not controlling parties, and do not have a significant ownership stake in the funds within the account.

Associated Third Party relationships may involve outsourced products and services, use of independent consultants, services provided by affiliates and subsidiaries, joint ventures, or other business arrangements where the bank has an ongoing relationship.

Examples of Associated Third Parties include, but are NOT limited to:

Beneficiaries of Pension Funds

Trustees

Intermediaries

Traders

Vendors

Trading and Counterparties

Nominal Owners

Settlors

Investment Advisors/Investment Managers/Introducers/Promoters (not considered customers)

14


Topic 5: AccountsOverviewAn account is a formal banking or brokerage relationship established to provide or engage in services, dealings, or other financial transactions. It includes a deposit account, a transaction or asset account, investment management account, credit account, or another extension of credit.

An account is a broad definition encompassing all products and services provided by State Street.

An account includes:

Safekeeping services Master custody services Master trust services Cash management services Accounting services Data processing, warehousing, and reporting services Performance, risk and compliance analytics services Investment management services and accounts Middle Office services Credit accounts, or another extensions of credit Deposit accounts Transaction or asset accounts

15


Topic 6: Customer Types

OverviewOnce the customer and the account have been identified, before we can determine what KYC requirements are needed, we need to determine the customer type.

The following table lists State Street’s customer types and their definitions.

Customer Type Definitions

Bank (Foreign and Domestic)

Banks are financial institutions licensed to receive deposits, and are categorized as either Retail/Commercial or Investment Banks. Retail/Commercial Banks manage deposits and withdrawals from customers, while Investment Banks provide services to clients. Custodial Banks are included in the definition of "Banks," however, financial institutions such as MSBs, insurance companies and Investment Advisors are not.

Charities, Religious Group and Non-Profit

Non-Profits are organizations that use surplus revenue to achieve goals rather than distributing the revenue as profits or dividends. Charities receive donations which are used to administer a specific program for the greater good. Charities are unique types of non-profit organizations in that the Charity administers funds to meet non-profit and philanthropic goals, as well as social well-being, and are exempt from federal income tax. Religious Groups also receive donations which are used to carry out specific programs related to the mission of the religious organization. Religious groups are also non-profits and are tax exempt.

Foundations/ Endowments

A foundation is a type of private tax-exempt nonprofit organization that supports charitable activities in order to serve the common good through grants. Foundations are often created with endowments, or money given by individuals, families or corporations, which may or may not be managed by an investment advisor. They generally make grants with the income earned from investing the endowments, and do not carry out their own programs. Foundations and Endowments do not have to operate for charitable purposes. Institutions such as hospitals or universities and those that generally have broad public support or actively function in a supporting relationship to such organizations are exempt from the definition of a Private Foundation.

Government, Government Agency and Central Bank/Monetary Authority

Governments, Government Agencies and Central Banks/Monetary Authorities are those Customers whose sole existence is to perform government functions. They are fully owned, established and operated by a local, regional or national government, and all activities performed by the Customer are in the public sector.

Hedge Fund, Private Equity and Venture Capital Fund(Closed-Ended)

Hedge Funds, Private Equity and Venture Capital Funds all pool and invest their clients’ money in an effort to make a positive return, and are generally characterized as posing a higher risk to Investors due to limited redemption cycles, ability to borrow against the funds capital and lack of regulatory oversight. The Investments are managed by the heads of each fund, and can be used to purchase debt or equity in a company.

Individual - Citizen/ Non-Citizen

All accounts opened solely for Individuals (and not companies), regardless of the Individual's country of citizenship, fall under the Customer Type of Individual-Citizen/Non-Citizen.

16




Insurance Company

All accounts opened for Customers in the business of offering any type of Insurance Policy to the public, regardless of whether or not the company is publically or privately held, should be classified under Insurance Companies.

Investment Advisor (Regulated)

Regulated Investment Advisors are comprised of Individuals registered with the SEC, State Securities Agency, FSA (or local equivalent) acting on behalf of a fund. A Regulated Investment Advisor is a person or group that makes investment recommendations or conducts securities analysis in return for a fee, whether through direct management of client assets or via written publications. Investment Managers act on behalf of a fund, and are responsible for executing the investments recommended by the Advisors. Promoters also fall within this definition as they are the individuals responsible for setting up funds. Typically, the promoter raises the cash for the fund but doesn't invest themselves (in many jurisdictions promoter regime currently only applies to UCITS funds).

Investment Advisor (Unregulated)

Unregulated Investment Advisors are comprised of Individuals not registered with the SEC, State Securities Agency, FSA (or local equivalent) acting on behalf of a fund. An Unregulated Investment Advisor is a person or group that makes investment recommendations or conducts securities analysis in return for a fee, whether through direct management of client assets or via written publications. Investment Managers act on behalf of a fund, and are responsible for executing the investments recommended by the Advisors. Promoters also fall within this definition as they are the individuals responsible for setting up funds. Typically, the promoter raises the cash for the fund but doesn't invest themselves (in many jurisdictions promoter regime currently only applies to UCITS funds).

Money Service Businesses (MSB)

Money Service Businesses are defined as those who, whether or not on a regular basis, act as currency dealers or exchangers, cash checks, issue traveler's checks, money orders or stored value, sell or redeem traveler's checks, money orders or stored value or transmit money. Traditional financial institutions who are regulated are exempt from the definition of MSB. In many jurisdictions, MSBs are subject to regulation.

Mutual Funds

Mutual Funds and Commingled Trusts are investment vehicles made up of a pool of funds collected from many investors for the purpose of investing in securities such as stocks, bonds, money market instruments and similar assets for the sole purpose of generating investor profit. Mutual Funds and Commingled Trusts are operated by money managers, who invest the fund's capital in accordance with objectives set out in the prospectus, and attempt to produce capital gains and income for investors. Mutual Funds are regulated by the SEC, FSA, or local equivalent, while Commingled Trusts are not.

Pension Plans

Pension Plans are a means for an employee to save for retirement. Pension plans allow for an employer to make contributions toward a pool of funds set aside for an employee's future benefit. The pool of funds is then invested on the employee's behalf, allowing the employee to receive benefits upon retirement. Pension plans can be set up by employers (private or public corporations), as well as a Government Agency.

17




Personal Investment Vehicle/ Personal Holding Company/ Personal Investment Company

Personal Investment Vehicles are investment entities which are privately owned. Private Investment Vehicles tend to be complex, and enable a high level of anonymity. Personal Holding Companies are corporations where at least 60% of the adjusted gross income for a tax year is income of the Personal Holding Company, and who have more than 50% of the value of the corporation's outstanding stock is directly or indirectly owned by five or fewer individuals. Personal Investment Companies are private limited companies used as long term investment vehicles and are subject to tax benefits due to the fact they are often located in offshore investment jurisdictions.

Private Company

Private Companies are companies whose shares are not available for public purchase or listed on a stock exchange. Private companies may be regulated or unregulated, and can be established as Partnerships, Limited Liability Companies, Limited Partnerships, Corporations, Unincorporated Businesses or General Partnerships.

Public Company

Public Companies are companies whose shares are available for public purchase and listed on an approved stock exchange. All public companies are regulated, and can be established as Publically Traded Partnerships (limited public stock offering and ownership by partners which can be individuals or corporations) or Corporations.

Securities & Commodities (Broker/Dealer)

Securities and Commodities Broker/Dealers are firms or individuals who serve as Agents by executing orders to buy or sell securities or commodities on behalf of clients and charges them a commission for conducting trades.

Special Purpose Vehicle

Special Purpose Vehicles ("SPVs") are legal entities created to fulfill narrow, specific or temporary objectives usually created to isolate a company from financial risk. The SPV is usually a subsidiary company with an asset/liability structure and legal status that makes its obligations secure even if the parent company goes bankrupt. Regardless of whether or not the SPV's parent is private or public, Customers meeting this definition should be categorized as SPVs.

Supra National Organization

A Supranational Organization is an organization, or union of multiple countries whose members share in the decision-making and vote on issues pertaining to the wider grouping. Supranational Organizations are not considered Government Agencies due to the fact they are made up of multiple governments. Examples of Supranational Organizations include the United Nations and the European Union.

Trusts (Corp & Individual)

A Trust is a relationship whereby property is held by one party for the benefit of another. A trust is created by a settlor, who transfers some or all of his or her property to the trust. Trustee(s) hold that property for the trust's beneficiaries, who are Corporations, not Individuals. The trust itself is not a legal entity, but the relationship is formed for the benefit of a stand-alone company. The Trustee(s) are responsible for affairs attendant to the trust, which may include prudently investing the assets of the trust for the Corporate Beneficiaries; however the Trustee(s) sole purpose is not to create profit for the ultimate beneficiaries.

18




Trust (with Individual Beneficiaries)

A Trust is a relationship whereby property is held by one party for the benefit of another. A trust is created by a settlor, who transfers some or all of his or her property to the trust. Trustee(s) hold that property for the trust's Individual Beneficiaries, and has responsibility for affairs attendant to the trust, which may include prudently investing the assets of the trust. The trust itself is not a legal entity, but the relationship is formed for the benefit of a stand-alone company; the Trustee(s) sole purpose is not to obtain a profit for the Individual beneficiaries.

University, Hospital and University or Hospital Foundation

Universities are non-profit organizations established to provide education for students. Hospitals are non-profit organizations established to provide medical care for patients. For profit Universities and Hospitals are considered private companies. Universities and Hospitals can be private or public, and require government certification to be established. Universities and Hospitals with religious affiliations are also covered under this category. University or Hospital Foundations are nonprofit organizations set up for the benefit of a University or Hospital. They are exempt from the definition of a Private Foundation due to the fact that they have broad public support.

19


Prohibited CustomersState Street will not enter into a relationship with prohibited Non-Individuals or Individuals which includes:

Foreign Shell Banks Unregistered MSBs Numbered accounts or non-disclosed accounts Online gambling

Important Note If needed, use the Customer Translation table to map existing Business Unit Customer Types with the new State Street Customer Types.

Figure 1: Customer Translation Table

20


Topic 7: New and Existing CustomersOverviewCompleting KYC varies depending on whether the customer is New or Existing.

New customer: A new customer is a Non-Individual or an Individual contracting with State Street for the first time.

Existing customer: An existing customer is a Non-Individual or an Individual who currently holds a contract with State Street.

The following table defines some key terms that will be referenced throughout the KYC process.

Customer Type KYC

Account Holder

Non-Individual or Individual for which the account is opened.

Account Related CDD

Information collected during the CDD process related solely to account activity, which includes:

Expected account activity

Identification of all nominal owners of the account

The purpose for opening the account

Whether the relationship will be used as a Payable Through Account

Whether the relationship will be used for Nested Accounts

Sub-Account

Sub-Accounts (sometimes referred to as child accounts) are often used to compartmentalize Master Accounts (sometimes referred to as parent accounts) allowing for more detailed recordkeeping and organization. Many State Street Business Units utilize sub-accounts to support their internal or customer's operational purposes, for example, a foreign exchange customer with Sub-Accounts in different fiat currencies.

These Sub-Accounts have no AML obligations under the Global AML Policy; all AML responsibilities will be executed at the Master Account level. Sub-Accounts under this construct will not be included as part of KPI/KRI reporting.

21


Topic 8: Know Your Customer Lifecycle and Escalation LifecycleThe following table provides information related to the timelines associated for completing KYC.

Customer Type KYC Timing

New Customer

For new customers and accounts, CIP, CDD, AML Customer Risk Rating (CRR), and EDD, if applicable, must be conducted prior to opening an account and rendering services.

In the event that the new customer and account holder are separate legal entities, CIP, CDD, AML CRR, and EDD, if applicable, must be conducted on the contracting and account holder before the account is opened and services are rendered.

New Account Existing Customer Same as Account Holder

For existing customers who are establishing a new account with either the same or different division of State Street, where the contracting party is the same as the account holder, the existing customer’s CIP data must be verified before the account is opened and services are rendered.

CDD, AML CRR, and EDD, if applicable, must be completed within 30 calendar days of account opening.

The existing customer maintains its current risk rating until the risk rating for the new account is calculated. The new account risk rating is factored into the AML CRR upon completion.

Existing Customer Different from Account Holder

For existing customers who are establishing a new account with either the same or different Business Unit of State Street, where the contracting party is different from the account holder, the existing customer’s CIP (contracting entity’s CIP) data must be verified before the account is opened or services are rendered.

Customer and account related CDD, AML CRR, and EDD, if applicable, must be performed within 30 calendar days of account opening.

The existing customer maintains its current risk rating until the new risk rating for the new account is calculated.

The new account risk rating is factored into the AML CRR on completion, though the account is a separate legal entity entering the organization through the original customer.

Before opening the account and rendering services, CIP, CDD, AML CRR, and EDD, if applicable, must be conducted at both the customer and account level.

Existing Customer New Sub-Account

For existing customers opening a new sub-account, full KYC is only required when the master and sub-account are different legal entities and have different ultimate beneficial ownership. Additional guidance can be found in the AML and Sanctions Business Unit Standard Operating Procedures.

In instances where CDD is required for a sub-account, the existing customer’s CIP data must be verified before the sub-account is opened and services are rendered. CDD, EDD (if applicable), and AML CRR must be completed within 30 calendar days of account opening.

22


EscalationIf within 30 calendar days of account opening there is still outstanding information required to complete CIP, CDD or EDD, a plan to remediate the situation, signed by the Business Unit Executive Management Committee member, shall be submitted to the Global Chief AML Officer and the Chief Compliance Officer.

If, after 60 calendar days of account opening, there is still outstanding information required to complete the CDD or EDD process, a plan to terminate the customer (including a termination date) will be submitted to the full State Street Executive Management Committee for approval by Business Unit management.

Additionally, the Global Chief AML Officer will report to the AML Compliance Financial Intelligence Unit (FIU) all accounts with incomplete CDD or EDD after 60 calendar days from account opening (and any accounts terminated within this timeframe due to incomplete CDD or EDD) for consideration of SAR filing.

Figure 2: KYC Lifecycle Timeline

23


Topic 9: Opening an Account OverviewThe relationship with the customer begins when the account is opened and services are rendered.

There are three types of established relationships within State Street:

1. Custody Relationship/Account2. Bank Account 3. Services Rendered

The following table describes the type of established relationships within State Street.

Type of Account Description

Custody Relationship/Account

Overview:When describing a custody relationship, Business Units refers to its customers as “Bundled” or “standalone.”

Standalone: Term used when a Business Unit is the primary owner of the custody relationship.

Bundled: Term used when a Business Unit is NOT the primary owner of the custody relationship. In this case, the Business Unit is a secondary provider of products or services to an existing custody relationship with a different Business Unit.

Definition:No later than the day prior to the first transaction date on the account, it is considered an open “live” account.

Example: Initial Securities Movement on June 30, 20XX; KYC should be complete no

later than June 29, 20XX.

Therefore, in certain circumstances, an account can be opened and account numbers can be added to subscription documents in advance of a fund going live.

Bank Account

Overview:This is a traditional DDA account. This type of relationship is uncommon at State Street, due to our lack of retail banking operations, and comprises only a small percentage of our total relationships.

Definition:Once an account is ready to transact or is capable of receiving a deposit, it is considered an open “live” account.

Example: Once an account is open on the Hogan deposit system, it is considered an

open “live” account.

24


The following table describes the type of established relationships within State Street.

Type of Account Description

Services Rendered

Overview:These are “service” oriented activities provided to the customer.

Definition:The earlier of:

1) The date the contract has been signed, or

2) After the first service has been provided to the customer.

Examples: When the first State Street generated report from the account is delivered to

the customer.

When servicing commences, generally by way of a signed agreement noting that services should not be performed until the agreement is signed.

25


Topic 10: Overview of the AML Toolkit OverviewThe AML KYC Toolkit sets the foundation of our AML Program. The following table describes the components of the AML KYC toolkit.

Component Description

Global AML and Sanctions Policies

The Global Policies establish comprehensive policies, principles and standards to protect State Street’s, and its employees, shareholders’ and customers’ from exposure to AML and Sanctions risks.

Global AML and Sanctions Business Unit Standard Operating Procedures

The Global AML and Sanctions Business Unit Standard Operating Procedures are designed to assist the First Line of Defense in meeting regulatory expectations as well as State Street’s expectations on processes, activities, and controls defined as part of the AML and Sanctions’ control environment.

Customer Translation Table

The Customer Translation Table helps the Business Unit map their existing customer types to the new State Street customer types.

KYC Requirements Matrix

The KYC Requirements Matrix outlines the Policy requirements for KYC at State Street. It includes a description of each requirement including data and evidence that must be acquired, verified and recorded by customer type.

KYC Platform

The KYC Technology Platform is a tool created to:

Facilitate communication and workflow between Business Units and AML KYC CoE (Shared Services).

Provide a facility for uploading and storing of documents.

Create a record of compliance with KYC Procedures.

The KYC Technology Platform supports all components of KYC as well as risk rating calculations for customers, where State Street has a regulatory obligation.

KYC Platform functionality allows a user to:

Establish a Legal Entity.

Manage KYC tasks and workflow.

Upload documents to the customer’s file for evidence, including the AML risk rating and screening results.

Have one enterprise-wide record and repository to ensure compliance with AML regulations related to KYC.

26


The following table describes the components of the AML KYC toolkit.

Component Description

AML CRR

State Street’s policy requires the First Line of Defense to assess each customer’s money laundering risk.

A customer relationship includes accounts, products, services, and regulatory and geographic risks that vary across accounts; so each is addressed separately when conducting the risk rating.

An overall rating is assigned based on the evaluation of the customer’s characteristics.

Risk Forms (EDD Customer Profile and the Low/Medium and High Periodic Review Forms)

The EDD Customer Profile Form and the Periodic (Low/Medium or High) Review Forms are designed to provide the First Line of Defense uniform documents for use when executing either EDD or periodic review activities.

Discussion Question

What is the purpose of the Customer Translation Table, KYC Requirements Matrix, and Risk Forms

(EDD Customer Profile and the Low/Medium and High Periodic Review Forms)?

27


Lesson 1: Summary KYC is comprised of the following three components: CIP, CDD, and EDD. State Street has no tolerance for breaches within its AML and Sanctions Programs. The

consequences of breaches can be significant. To support the activities within the Target Operating Model (TOM), the First, Second, and Third Lines

of Defenses have been formed. A customer is a person contracting directly with State Street for the provision of products and

services. A customer can be either a Non-Individual or an Individual. An "account" is a formal banking or brokerage relationship established to provide or engage in

services, dealings, or other financial transactions, and includes a deposit account, a transaction or asset account, investment management account, credit account, or another extension of credit.

Once the customer and the account have been identified, before we can determine what KYC requirements are needed, we need to determine the customer type.

Completing KYC varies depending on whether the customer is New or Existing. The relationship with the customer begins when the account is opened and services are rendered. There are three types of established relationships within State Street: Custody Relationship/Account,

Bank Account, and Services Rendered. The AML KYC Toolkit comprises: Global AML & Sanctions Policies, Global AML and Sanctions

Business Unit Standard Operating Procedures, Customer Translation Table, KYC Requirements Matrix, KYC Platform, AML CRR, and Risk Forms (EDD Customer Profile and the Low/Medium and High Periodic Review forms).

28


Lesson 2: Customer Identification Program

Topics

1. Customer Notice (US Customers Only)

2. Required Information for Customer Identification

3. Customer Identification Program Exemptions and Simplified Due Diligence

4. Customer Verification

5. Material Discrepancies

IntroductionThe State Street Global AML Policy requires the First Line of Defense to implement CIP. The CIP includes risk-based procedures designed to enable the Business Unit to form a reasonable belief that it knows the true identity of each customer.

As per this policy:

The Business Unit must be able to identify the true identity of the customer. The Business Unit obtains and validates the identification information for each customer. The KYC Shared Service performs verification for each customer.

29

The First Line of Defense will utilize the AML KYC Requirements Matrix and the procedure template to determine what information must be obtained and verified for each customer type.


Topic 1: Customer Notice (US Customers Only)OverviewAll Business Units are required to provide U.S. customers with adequate notice that State Street is requesting information to verify their identity.

The customer notice should/will be:

Available in various forms depending on the manner in which the customer opens an account. Adequate if the Business Unit gives a general description of the identification requirements.

Adequate if the Business Unit provides it in a way that is reasonably designed to ensure that customers can see it or know about it before opening an account.

At a minimum, the following text needs to be provided:

Important Information about Procedures for Opening a New Account

To help the government fight the funding of terrorism and money laundering activities, law requires all FIs to obtain, verify, and record information that identifies each person who opens an account.”

30


Topic 2: Required Information for Customer IdentificationOverviewThe Business Unit must obtain and retain the following minimum identification information from each:

New customer seeking to open an account.

New person being added to an existing customer’s account.

Existing customer seeking to open a new account.

Each named individual in a joint/multi-party account is subject to CIP. If a new individual is added to the customer’s account, CIP information must be obtained for that person and the person’s identity must be verified.

The following table lists information required for customer identification.

Customer Required Information

Non-Individual

Full Business or Legal Entity Name (Contracting Party); Physical address and country:

- Principal place of business/ trading address- Local office - Other physical location

Identification number: - For U.S. Non-Individuals, the Employer Identification Number (EIN) must

be a Tax Identification Number (TIN)- For non-U.S. Non-Individuals, the foreign TIN or another government-

issued identification number, such as a corporate registration number must be obtained and the source documented.

Individual (WMS only)

Name Date of Birth Physical Address and Country (a P.O. box cannot be used in place of the

customer’s physical address) Identification Number:

- For a U.S. Individual, the identification number must be a TIN, which, for people, is a Social Security number (SSN).

- For non-U.S. Individuals, one or more of the following is required to open a customer account: An Individual TIN A passport number and country of issuance An alien identification card number; or A number and country of issuance of any other unexpired

government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard

Note: Exceptions to the P.O. box restriction can be sought by following the process outlined in Section 5.9 of the procedural template. If the individual does not have a residential street address or a business street address, any of the following may be recorded: Military Post Office box number; or in the unusual circumstance that none of the required information is available, residential or business street address of the next of kin may be accepted. Proof of relationship with the customer needs to be obtained and recorded.

31


The following table lists information required for customer identification.

Customer Required Information

Controlling Party and Associated Third Party

Full name

Date of birth (for individuals)

Job title

UBOs

Full name

Address, including Country

Date of birth

ID number

Note: This information is required for UBOs with 10% or more ownership.

Important Note

The timeline for collecting this information varies depending on whether it is a new customer, existing customer with new account etc.

Figure 3: KYC Lifecycle Timeline

Discussion Question

32


Should CIP be conducted for existing customer who is seeking to open an account with State

Street? If yes, why and if no, why not.

33


Topic 3: Customer Identification Program Exemptions and Simplified Due DiligenceOverviewA CIP exemption, often referred to as Simplified Due Diligence (SDD), is a reduced form of due diligence in specific circumstances only, and is considered appropriate for certain customers where the money laundering or terrorist financing risk is deemed to be lower.

SDD must adhere to relevant legislation, and in line with State Street’s AML Risk Assessment.

Customers qualifying for CIP exemption do not need to share copies of licenses or charters.

The following table provides details related to verification for exempted customers.

Exempt Customer Validation

Financial Institutions (FIs) with an approved regulator

Note: Accounts opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA), or similar is excluded from the definition of an account and not subject to CIP.

Confirmation of the regulated status for FIs must be established through the regulator’s or self-regulatory organization’s website

Public Companies traded on an approved Stock exchange

Confirmation must include their listed status established through appropriate market data sources, such as Stock Exchange website, and supporting documentation obtained concerning exchange and registration.

Governmental entities Confirmation must provide documentation certifying their exempt status.

Important Notes If a customer is flagged as eligible for CIP Exemption/SDD, AML KYC CoE (Shared Services)

must validate and approve eligibility based upon the requirements. Evidence of this review and sign off, by a supervisor/manager as specified in local procedures, must be in writing and uploaded to the KYC Platform.

CIP Exemption/SDD does not preclude the necessity of performing due diligence on a customer. It simply precludes the necessity for having to verify the identity of a customer.

34


Discussion Question

Identity the roles of the Business Unit and AML KYC CoE (Shared Services) for customers that are

eligible for CIP exemptions.

35


Topic 4: Customer VerificationOverviewAs part of the CIP, AML KYC CoE (KYC Shared Services) must verify the customer identification information collected during the CIP, to form a reasonable belief that it knows the true identity of the customer.

Two types of verification methods are available: Documentary verification and Non-Documentary verification. AML KYC CoE (Shared Services) may use one or both of those methods when verifying the identity of customers.

The following table describes the Documentary and Non-Documentary Methods of verification.

Documentary Method Non-Documentary Method

Purpose

Methods that rely on verifying the customer’s identity through the inspection of physical documents.

Methods that rely on verifying the customer’s identity through the collection of customer information using non-documentary sources, for example:

Banker’s Almanac Bloomberg Bureau Van Dijk – ORBIS

Where to Locate the Requirements

Acceptable forms of documentary verification are outlined in the Global AML and Sanctions Business Unit Standard Operating Procedures.

Acceptable forms of non-documentary verification are outlined in the Global AML and Sanctions Business Unit Standard Operating Procedures.

36




Requirements

For an existing customer, identification may be verified by the following:

Unexpired existing documents on file Annotating the information and source, as long as such

documents meet current standards and were valid at the time obtained

Customer verification can be performed via a public domain using:

Email Faxed copy or hard copy

Note: If documents are not in English, a certification that confirms the appropriateness of the document may be relied upon.

Certain jurisdictions do not allow FIs to make a photocopy of a customer’s identification document.

If a photocopy or image of the document is not retained, a record must be made with a description for the relevant document.

If documentary verification is used, the following needs to be retained:

Description of the document that was used, noting the type of document

Any identification number contained in the document Place of issuance Date of issuance Expiration date

A copy or screen print of the non-documentary source should be retained.

If a copy of the non-documentary report or print screen is not retained, a record must be made to verify the identity of the customer, such as the name of the source and the unique identifier provided for future reference purposes. The record should include the following:

Date of the review of the non-documentary source Description of the method used Results, including if no record was found.

All non-documentary verification must be retained as part of the customer profile within the KYC Platform for five years after the record is made or longer, if required by local regulations. This may include:

The results of any measures undertaken to verify the identity of the customer.

The results of any measures undertaken to verify the identity of additional controlling persons.

A description of resolution of any substantive discrepancies that were discovered when verifying identifying information.

37




Use of Non-Standard Verification

If a Business Unit seeks to verify a customer’s identity using a documentary means that is not listed and additional CIP sources must be approved by the Global Chief AML Officer. The Global Chief AML Officer will determine if the identification document or non-documentary method proposed is acceptable, for this one-time situation. The Global Chief AML Officer’s approval must be documented and retained.

If a Business Unit seeks to verify a customer’s identity using a non-documentary means that is not listed and additional CIP sources must be approved by the Global Chief AML Officer. The Global Chief AML Officer determines if the identification document or non-documentary method proposed is acceptable, for this one-time situation. The Global Chief AML Officer’s approval must be documented and retained.

38


The following table provides information related to acceptable non-individual documents, acceptable individual documents, and unacceptable documents.

Acceptable Non-Individual Documents Acceptable Individual Documents Unacceptable Documents

Acceptable identification documents for Non-Individuals include:

A copy of banking license (banks only)

For jurisdictions that do not issue physical banking licenses:

o A screenshot of the regulator’s website, confirming regulated status

o The issue date of license and permissions/restrictions associated, sufficient to confirm whether the counterparty is an offshore bank

For other foreign FIs other than banks, a copy of the license or authority under which the FI operates, issued by the country of incorporation

Articles of Incorporation

Articles of Association/Organization

Signed Limited Partnership Agreement

Signed General Partnership Agreement

LLC Operating Agreement

Full Trust Agreement or copies of relevant pages

Certificate of Trade or Business Name

Note: A full list of acceptable documents can be found in the KYC Requirements Matrix.

Acceptable identification documents for Individuals include:

Government Issued Identification Card

Driver’s License

Passport (any, with photograph)

US Passport Card (with photograph)

Military Identification or dependent’s Military Identification Card

Consular Identification Card

Tribal Identification Card


Unacceptable identification documents include:

Social Security Card, except for accounts for minors and seniors

Non-personalized cash cards

Student ID cards

Rail cards

Club membership cards


39


Discussion Question

Two types of verification methods are available: Documentary verification and Non-Documentary

verification. Which of these methods will AML KYC CoE (Shared Services) use when verifying the

identity and why?

40


Topic 5: Material DiscrepanciesOverviewIn the course of verifying the identity of a customer, material discrepancies may arise between:

Information obtained from the customer Information obtained during the verification process

Example: TIN or address that does not match with what the customer originally provided.

Resolving DiscrepanciesAML KYC CoE (Shared Services) may use one or more of the following steps to resolve such material discrepancies before the customer’s account is opened:

1. Confirm information received from the customer is correct.

2. Verify identity through additional means.

Escalating DiscrepanciesIf material discrepancies cannot be resolved, AML KYC CoE (Shared Services) is responsible for:

Alerting the Business Unit AML Officer Providing details of what customer information does not match, including the documentation

sources where the customer information can be found. Maintaining a record of such material discrepancies by documenting it and its resolution in the

customer’s profile.

If the material discrepancy cannot be resolved and verification cannot be completed, the customer’s account cannot be opened and the matter must be considered by AML Compliance for suspicious activity reporting.

Discrepancies not deemed to be material might include inability to verify an address – for instance, a recent change of resident/office.

All records related to the discrepancies made in the course of verifying identification of customers and how the discrepancy was resolved must be documented in the customer’s profile and maintained for a period of at least five years from the date of the record.

41


Lesson 2: Summary All Business Units are required to provide U.S. customers with adequate notice that State Street

is requesting information to verify their identity. The Business Unit must obtain and retain minimum identification information from each: new

customer seeking to open an account, or new person being added to an existing customer’s account, before the account is opened and services are rendered, and for an existing customer seeking to open a new account.

A CIP exemption, often referred to as SDD, is a reduced form of due diligence in specific circumstances only, and is considered appropriate for customers where the money laundering or terrorist financing risk is deemed to be lower.

After the Business Units gather the necessary information and documents, AML KYC CoE (Shared Services) must verify the identity of a customer through documentary or non-documentary means, or through a combination of both to form a reasonable belief that it knows the true identity of the customer.

In the course of verifying the identity of a customer, material discrepancies may arise between information obtained from the customer and information obtained during the verification process.

42


Lesson 3: Customer Due Diligence

Topics

1. Standard CDD: Purpose of an Account

2. Standard CDD: Building Customer’s Anticipated Activity Profile

3. Standard CDD: Source of Funds

4. Standard CDD: Source of Wealth

5. Standard CDD: Screening

6. Targeted CDD: Customer Finances

7. Customer Risk Rating

Introduction

The First Line of Defense assesses the AML and Sanctions risks associated with the customer by collecting and analyzing additional information and conducting name and country screening.

The First Line of Defense is responsible for obtaining and collecting customer information to:

Anticipate the types of transactions in which a customer is likely to engage.

Provide information that can be used in monitoring and reporting of suspicious activity.

Assess the money laundering and terrorist financing risks associated with a customer.

Obtain documentation that identifies whether that entity’s shares are held in bearer form or that the entity is authorized to issue bearer shares for privately-held legal entities.

The CDD process includes screening, risk rating and the KYC requirements by customer type. In addition, the CDD process outlines the required KYC information and identifies specific documentation and information requirements by customer type for both new and existing customers.

Standard CDD vs. Targeted CDDWithin CDD, there are two types:

1. Standard CDD: Completed for all customers, regardless of the Customer Type2. Targeted CDD: Completed only for certain Customer Types.

43

CDD begins with the identification and verification of the customer’s identity. In the CDD process, the Business Unit must obtain information and AML KYC CoE (Shared Services) which will validates the information provided by the Business Unit which will be sufficient to develop an understanding of normal and expected activity for the customer’s occupation, business operations, and financial situation.


Topic 1: Standard CDD: Purpose of an AccountOverviewThe Business Unit must:

Gather information about the customer’s anticipated activity. Ensure that information required is commensurate with the risk associated with the products and

services to be delivered and/or the customer segment. Include details of what products and services are being provided to the customer and intended

use of the product. Complete the applicable CDD process requirements and include the customer’s account profile in

the customer’s KYC file in the customer database system to ensure that the appropriate CDD information is captured to clearly evidence and document the CDD process.

Important Note Determining the purpose of an account is a qualitative assessment based on the information that is gathered from the customer. Within the KYC Platform, there is a list of reasons and you must choose the one that best fits the customer. (For example - Investments in Stock Market, Retirement Investments, Estate Planning etc.)

Discussion Question

While obtaining and collecting customer information during CDD, what details should the Business

Unit capture?

44


Topic 2: Standard CDD: Building Customer’s Anticipated Activity ProfileOverviewBefore the customer’s account opening process is complete, the Business Unit must collect information to cover:

Anticipated account activity - Reflect higher risk activities that are expected- Transactions that are not routine (i.e., a one-time transaction as a result of the sale of a

property or a loan disbursement) Source of funds Source of wealth

High-risk transactions will be documented as part of the customer profile and is a factor in determining the customer’s risk rating. High Risk transactions can include international wires to/from High-risk jurisdictions or international ACH transactions (IAT).

The Business Unit will accept only those customers whose source of funds and source of wealth can be reasonably established to be legitimate. In the case of UBOs, it may be necessary to establish the ultimate source of funds for the account and whose source of wealth should be subject to due diligence.

Refer to the AML KYC Requirements Matrix for relevant documentation that needs to be collected per category.

To help build the anticipated activity profile, the Business Unit must obtain the following information:

Country of formation/operations

Type of business

Products and services requested

Legal entity structure

Discussion Question

What information should the Business Unit collect before the customer’s account opening process is

complete?

45


Topic 3: Standard CDD: Source of FundsOverviewAs part of building the Customers anticipated account profile; the Business Unit must take adequate measures to establish the source of funds that are involved in the proposed relationship or occasional transaction.

This is not simply the name of the FI from where the funds are coming, but rather it is the source from which the customer came into possession of the funds. Identification of the source of funds contributes to the source of wealth for the customer.

The following table provides detailed information related to a customer’s source of funds.

Source of Funds

Purpose To establish the source of funds that are involved in the proposed relationship or occasional transaction.

Non-Individual/ Individual Documents

Below is a list of Non-Individual/Individual Documents:

Insurance payout Payroll 401K Gift Trust Internet payments

Domestic wire transfers Monetary instruments Cash deposits of foreign currency Cash deposits of local currency Foreign wire transfers Third-party check

Non-Individual Transactions

Examples of Unique Transactions include: Grant funding received from the federal government to fund solar power

transformation project.

Tax rebate received from the state government as part of a special agreement for job creation.

Continuous Transactions: Revenue from business operations and business investments in bonds.

Credit card receivables for products and services provided to customers.

Individual Transactions

Examples of Unique Transactions include: Settlement received from an insurance company and looking to invest the

funds for future use.

Proceeds from a bank account recently closed and used to open the same/similar type of account.

Inheritance received from a family member which will be a one-time event.

Continuous Transactions: Payroll deposits made into the account on a periodic basis, weekly, biweekly,

or monthly.

Pension or annuity payments made into the account on a monthly basis after retiring.

Revenue received from a small business owned and operated by the Individual.

46


Discussion Question

Settlement received from an insurance company and looking to invest the funds for future use. This is an instance of Non-Individual Transactions.

47


Topic 4: Standard CDD: Source of WealthOverviewIn order to evaluate the source of a customer’s wealth, the Business Unit should gather information relevant to the manner in which the customer’s assets were obtained. This is the accumulation of the customer’s net worth which includes, in part, the funds held by State Street.

For example, the information collected by the Business Unit will differ depending on whether the wealth was acquired through:

Investments or investment returns Ownership of a business Employment Professional practice or otherwise.

The following table provides detailed information related to a customer’s source of wealth.

Source of Wealth

Purpose To evaluate the source of a customer’s wealth.

Non-Individual Documents

Below is a list of Non-Individual Documents: Prospectus Annual reports Key investor information document Letter/contract note from previous investment company giving notification of

proceeds of maturing investment/claim Signed tax return from a certified accountant Completed sale contract Loan agreement Recent loan statements Letter from donor confirming details of gift and acknowledging the source of

the donated funds Legal sale document(s) (such as contract notes) Signed letter from the Attorney Signed letter from a certified accountant

Non-Individual Transactions

Below is a list of Non-Individual Transactions: Investments from new subscribers in a fund and earnings from the investment

of subscriber funds Investment returns from joint business ventures with well-known FIs and other

non-bank FIs Sale of an insurance company’s stock over a period of time to reduce the

overall risk exposure of the company Private company in the insurance industry recently sold its office buildings as

part of their plan to consolidate business operations to stay within the U.S. Public company in the non-bank financial services industry recently had their

initial public offering/stock market launch to institutional investors to raise capital to make an acquisition of a competitor for increased market share

48


The following table provides detailed information related to a customer’s source of wealth.

Source of Wealth

Individual Documents

Below is a list of Individual Documents: Last three months’ pay slips Confirmation from the employer of the income and bonuses for last two years Bank statements that clearly show receipt of the most recent three months’

regular salary payments from the named employer Latest accounts, if self-employed Grant of Probate with a copy of the will that must include the value of the

estate Loan agreement Recent loan statements Bank statements Letter from a donor confirming details of gift and acknowledging the source of

the donated funds

Individual Transactions

Below is a list of Individual Transactions:

Divorce settlement received that was used to fund the new account

Annual bonus received from the individual's current employer

Dividends received from stock held in a brokerage account on a quarterly basis

Alimony payments received on a monthly basis

49


ExampleThe tables below walks through a mutual fund example, the following 4 factors are used to satisfy the Source of Wealth requirement for a customer from the KYC Platform. The following factors work together to tell a story of the customer, from the identification of the customer type, nature of business, the sources, and the overall justification statement.

Customer Type Nature of the Business Source of Wealth Justification

This begins the KYC process defining the requirements for each customer type.

Identification of the customer type offers immediate, inherent information related to the customer itself. For example if the customer is an open ended mutual fund, it can be assumed already that the fund has many investors that participate or contribute to the fund, and that the assets are from the investors.

Mutual Fund Individuals Banks Investment Advisor

(regulated) Pension Fund Charity Endowment

The nature of business has a risk rating associated with it and is essential information to understanding the customer, as well as contributing to the understanding of the operations and reasonableness of the source of wealth.

The type of business in which the customer engages can be found through the SIC/NAICS/NACE codes which should already be entered in the KYC Platform (reused from requirement #21 in the KYC Platform). The industry of best fit for an open ended mutual fund, identified in the previous box example is in bold below.

525910 - Open-End Investment Funds

531 - Real Estate 525 - Funds, Trusts, and

Other Financial Vehicles 5251 - Insurance and

Employee Benefit Funds 525110 - Pension Funds 525930 - Real Estate

Investment Trusts

The source of wealth requirement states: Verify from the customer the source of wealth. (This is not simply the name of the institution from which the funds are coming, but the accumulation of the customer’s net worth, which includes, in part, the funds held by State Street).

Following the open ended mutual fund example, given that the fund has many investors and is a vehicle to make investments and returns for its investors the below options fit as sources of wealth for the fund, bolded below.

Pick list Drop Down of the various sources of wealth:

Investment Income/Returns Business Operations Subscriptions Government Donations Earnings (Sale of Shares) Earnings (Sale of Business) Earnings (Sale of Property) Earnings (Sale of Investments) Earnings (Maturing investments or policy claim) Earnings (Investment related income - e.g., dividends) Employment (Salaried) Employment (Retirement Income) Employment (Self-employed) Inheritance/Family Gift Insurance Proceeds/Settlement Divorce Settlement Winnings (Government Lottery) Winnings (Non-Government Lottery)

The source of wealth takes a number of factors into consideration. An assessment must be conducted utilizing the information collected from previous requirements during KYC. Factors contributing to the Source of Wealth's accuracy and reasonableness include:

From where the funds came; How the customer came into the funds; From whom, if received from another individual, or entity; When the funds were acquired; and The location(s) from where the funds came.

Free form text

The above parameters, combined with the industry, and customer type, as well as the sources of income over time lead to a narrative regarding the source of wealth. For example:

An Investment Manager recently brought in a Mutual Fund, which is an open-ended investment fund (525910), with thousands of investors, and is targeted for long term investment returns.

(This leads one to assess that a mutual fund which accepts a large amount of capital from investors to grow the investment returns is reasonable. This source of wealth is justified as one can expect that operations, fees, investments and earnings all contribute to the source of wealth, and the immediate source of funds are directly attributable to investments from new shareholders).

50


Discussion Question

Dividends received from stock held in a brokerage account on a quarterly basis. This is an instance of Individual Transactions.

51


Topic 5: Standard CDD: ScreeningOverviewAML KYC CoE Shared Services conducts screening on the names and countries associated with customers, all UBOs, and any other related and specified controlling parties, and associated third parties prior to opening the customer’s account.

Screening consists of the following searches:

Global, Local, and State Street Sanctions Lists World Check Iran Economic Interest Database (IEI Database) AML Compliance Counterparty AML Watch List Negative news Search (through World Check or another vendor) PEP Financial Crimes Enforcement Network (FinCEN) Section 311 Special Measures

Sanctions ScreeningsAt customer onboarding, names and countries of all customers, UBOs and any other related and specified controlling parties, and associated third parties must be screened for Sanctions purposes using the following lists:

Global, Local, and State Street Sanctions Lists

World Check IEI Database

AML Compliance Counterparty AML Watch List

After running the searches noted above, AML KYC CoE (Shared Services) will review all potential and partial search results. The Business Unit will review each potential match to determine whether the results are false positives or confirmed matches.

52


Negative NewsAll customers, UBOs and any other related and specified controlling parties, and associated third parties must be screened for negative news items, and once analyzed, should be designated as relevant or non-relevant.

Negative news can be classified as relevant negative news and non-relevant negative news.

The following table provides details related to relevant negative news and non-relevant negative news.

Relevant Negative News Non-Relevant Negative News

Relevant Negative News is when the customer poses a High-risk.

Generally, only negative information that reflects the reputation of the customer for legal or regulatory compliance is relevant, such as:

Criminal or regulatory enforcement actions

Money laundering or Sanctions violations

Other illegal activity that was conducted by or facilitated by the customer

Negative financial news or information about litigation with customers or competitors also generally is not relevant. Crimes committed against the customer generally may not be relevant, such as embezzlement and/or traffic violation. If there is any doubt whether negative news is relevant, the Business Unit AML Officer must be consulted.

In the case of a confirmed match and materiality, the Business Unit will contact the Business Unit AML Officer and AML Compliance Financial Intelligence Unit (FIU) on the same day.

Non-relevant negative news largely pertains to less significant instances of the activities described above. The offenses are typically isolated and/or minor in nature.

Non-relevant negative news corresponds to incidents that reflect no significant reputational, legal, or financial impact on the customer.

It should be noted that, multiple instances of a non-relevant behavior that appear to suggest control issues for an individual or institution may collectively be interpreted as relevant.

53


The following table lists examples of relevant and non-relevant negative news that includes but is not limited to a customer’s and/or related party’s established or reasonably substantiated connections.

Relevant Negative News Non-Relevant Negative News

Terrorist activity related to AML Misdemeanor criminal convictions or judgments

AML and Sanctions non-compliance Unremarkable civil awards, settlements or penalties

Violations of AML laws, regulations or sanctions Insignificant or extraneous litigation

Drug-related offenses due to cash intensive nature increases AML Risk

Rogue employee actions

Fraud related to AML Actions by former members of senior management

Bribery related to AML (especially relevant for PEPs)

Actions by more junior employees

Regulatory enforcement actions (e.g. cease and desist order, consent order, formal agreement)

Resolved minor disputes with third parties

Government/agency issued blacklists or watch lists as criminal activity increases money laundering risk

Small lapses in business practices

Law enforcement investigations (e.g. indictment, arrest, kickback, Ponzi scheme, counterfeiting) as criminal activity increases money laundering risk

Standard inconsequential industry-specific enforcements

Felonious criminal convictions or judgments (e.g. indictment, arrest, kickback, Ponzi scheme, counterfeiting) as criminal activity increases money laundering risk

The establishment of the customer as a Senior Public Official

Large civil awards or penalties due to increased risk of money laundering

Personal matters not relevant to the activities of our customer or related parties (e.g. infidelity or driving while under the influence)

Fines or settlements related to AML

Corrupt/unethical professional activity due to increased risk of money laundering

Disreputable published articles or reports as behavior indicates a potential increased money laundering risk

54


Politically Exposed Person (PEP)

PEP Definition

PEP Customer Onboarding

A PEP is defined as a current or former:

Senior official (i.e., individual with substantial authority over policy, operations, or use of government-owned resources) in the executive, legislative, administrative, military, or judicial branches of a foreign government whether elected or not

Senior official of a major foreign political party

Senior executive of a foreign government-owned commercial enterprise

A corporation, business, or other entity that has been formed by, or for the benefit of, any such Individual

A corporation, business, or other entity whereby more than fifty percent (%) of the board members or ownership rights are (controlled by) such individual(s)

An immediate family member of any such individual (i.e., spouse, parent, sibling, children, or spouse’s parents and siblings)

A person who is widely and publicly known (or actually known by State Street) to be a close associate of such individual, i.e., senior level advisor

Note: The term PEP refers to foreign and domestic Non-Individuals/Individuals.

State Street and Business Unit management are responsible for ensuring that State Street do not knowingly or unwittingly assist in hiding or moving funds that represent the proceeds of corruption by PEPs, where AML Compliance is responsible for monitoring the effectiveness of the control environment around PEPs at the Business Unit level.

After a PEP is identified through the CDD process, AML KYC CoE (Shared Services) should collect specific CDD information via the Business Unit or documentation related to the PEP and assess the associated AML risk.

In determining the level of risk, AML KYC CoE (Shared Services) should consider factors such as:

Official duties of the individual

Nature of the title (e.g., honorary or salaried)

Level of authority over government activities or other government officials

Access to significant government assets or funds

Control over the account

Negative news or other reports

55

In order to meet its regulatory obligations State Street is required to identify customers, and nominal or UBOs, who are PEPs. PEPs may generally be viewed as High-risk customers.

The following table provides detailed information related to a PEP.


FinCEN Section 311 Special MeasuresSection 311 of the USA PATRIOT Act (Section 311) grants the Secretary of the Treasury the authority, upon finding that reasonable grounds exist for concluding that a foreign jurisdiction, foreign FI, class of transaction, or type of account is of “primary money laundering concern,” to require domestic FIs and financial agencies (such as banks) to take certain “special measures” against the entity identified as a primary money laundering concern.

These special measures, which may be proposed and implemented by Treasury's FinCEN, range from requiring additional due diligence and special attention concerning particular account transactions among U.S. FIs to prohibiting the opening or maintenance of any correspondent or payable through accounts.

The following special measures can be imposed individually, jointly, in any combination and in any sequence:

Recordkeeping on and reporting of certain transactions

Collection of information relating to beneficial ownership

Collection of information relating to certain payable-through accounts

Collection of information relating to certain correspondent accounts

Prohibition or conditions on the opening or maintaining of correspondent or payable-through accounts

Discussion Question

Differentiate between Relevant Negative news and Non-Relevant Negative News. Support your answers with examples.

56


Topic 6: Targeted CDD: Customer FinancesOverviewFor all relevant customer types, the Business Unit seeks to obtain financial information, as a source of CDD information for the customer. It should be noted that obtaining these documents is mandatory for Financial Institutions (FIs).

The following table provides details related to Separate Annual Report and Consolidated Annual Report.

Separate Annual Report Annual Report Consolidated into Parent Report

The following should be documented from the company website, audited financial statements or provided by the entity:

Name of external auditors

Evidence of audit

The most recent audited financial statements, within the last two years

Jurisdictional equivalent to audited financials

Justification/attestation, approved by AML Compliance, for lack of information

Note: Some jurisdictions may not have these available due to jurisdictional regulations, in those instances, the jurisdictional equivalent; justification and an attestation are acceptable.

There may be circumstances where the customer is either a wholly or majority owned subsidiary or a Branch, that does not have its own separate annual report, but has their financial information consolidated into its Parent's report and accounts.

In these circumstances, the Parent’s consolidated report and accounts should be used, provided these are audited by a reputable auditor appropriate for the size and nature of the customer.

If the Business Unit has any concern in this regard, the matter should be referred to the Business Unit AML Officer for agreement or otherwise that the auditor is appropriate and the Parent’s financials may be relied upon.

Discussion Question

While obtaining financial information, as a source of CDD information for the customer, when should the Business Unit use the Parent’s consolidated report and accounts?

57


Topic 7: Customer Risk RatingOverviewAfter all of the necessary information has been obtained from the Business Unit, AML KYC CoE (Shared Services) risk rates the customer prior to opening the customer’s account to assess the AML Risk of conducting business with this customer.

The AML CRR:

Drives decisions to initiate, maintain, limit, or terminate particular customer relationships.

Triggers approval requirements for KYC and exception processes.

Effectively monitor High-risk customers by resource devotion.

Determines the frequency of periodic reviews.

Allows for the application of different levels and aspects of surveillance, including transaction monitoring.

AML KYC CoE (KYC Shared Services) classifies its customers as High, Medium, or Low based on the AML CRR scoring methodology and documents this score in the customer’s KYC file.

Figure 4: Risk Categories

58


Key Points The CDD process is designed to cover both new and existing customers.

In instances where an additional customer, controlling party or associated third party is added to a relationship after it is established, the Business Unit must document the additional KYC information when required, as part of the addition to the customer’s account relationship.

When a customer refuses to provide information this raises concerns in the context of the broader due diligence, these instances will be escalated to the Global Chief AML Officer via the Unusual Activity Report. The Global Chief AML Officer or delegate will determine whether the on-boarding should continue, based on the information the customer is refusing to provide and the overall due diligence results.

Discussion Question

What should be the acceptable course of action in instances where a customer refuses to provide

information requested per the process requirements?

59


Lesson 3: Summary Within CDD, there are certain tasks that need to be completed for all customers, no matter what

the Customer Type. We refer to this as Standard CDD.

The Business Unit will accept only those customers whose source of funds and source of wealth can be reasonably established to be legitimate. In the case of UBOs, it may be necessary to establish the ultimate source of funds for the account and whose source of wealth should be subject to due diligence.

Part of building the Customers anticipated account profile; the Business Unit must take adequate measures to establish the source of funds that are involved in the proposed relationship or occasional transaction.

In order to evaluate the source of a customer’s wealth, the Business Unit should gather information relevant to the manner in which the customer’s assets were obtained. This is the accumulation of the customer’s net worth which includes, in part, the funds held by State Street.

The third step in CDD is when the Business Unit conducts screening on the names and countries associated with customers, all UBOs, and any other related and specified controlling parties, and associated third parties prior to opening the customer’s account.

Negative news can be classified as relevant negative news and non-relevant negative news.

Section 311 of the USA PATRIOT Act (Section 311) grants the Secretary of the Treasury the authority, upon finding that reasonable grounds exist for concluding that a foreign jurisdiction, foreign FI, class of transaction, or type of account is of “primary money laundering concern,” to require domestic FIs and financial agencies (such as banks) to take certain “special measures” against the entity identified as a primary money laundering concern.


Once all the customer information is gathered from the customer, the Business creates a Separate Annual Report and Consolidated Annual Report.

After all of the necessary information has been obtained from the Business Unit, KYC Share Services risk rates the customer prior to opening the customer’s account to assess the AML Risk of conducting business with this customer.

60


Lesson 4: KYC Platform

Topics 1. Queues

2. Dashboards

3. Search Cases

4. Search Legal Entity

5. Legal Entity Management Screen

6. Legal Entity Details

7. Business Details

8. Supplementary Details

9. Risks

10. Status

11. Tasks

IntroductionBefore we get into specific procedural steps within CIP and CDD, we would first like to introduce you to the KYC Platform and discuss the standard functionality to help you navigate.

The Main Screen is the first screen that you will see when you log on. This screen allows you to search and manage new and existing cases.

The components of the KYC Platform Main Screen are:

1. Queues Tab: This tab allows you to manage and edit your existing cases.

2. Dashboard Tab: This tab allows you to view only the items that you are or have worked on.

3. Search Tab: This tab allows you to search for an existing Entity.

4. Search Details Section: This section allows you to enter search criteria to find if a case exists or does not exist.

5. Search Results Section: This section allows you to view the results displayed by the search entered in the Search Details.

61


Figure 5: KYV Platform Main Screen

Important NoteThis system is driven by user access and not all features will be available. For example, Team Tasks will only be viewed by managers.

62


Topic 1: QueuesOverviewThe Queues Tab has three sections that allow you to manage and edit existing cases.

63


Topic 2: DashboardsOverviewThe Dashboard Tab allows you to view only the items that you are or have worked on. The following table lists the steps you need to follow to view your Dashboard.

Step Action

1. Click Dashboard within the KYC Platform Main Screen.

2. Click My Dashboard icon to view My Dashboard Screen.

64

Course Title Participant Guide

Topic 3: Search CasesOverviewThe Search Tab allows you to search for existing Cases. The table below lists the steps you need to follow to search for cases.

Step Action

1. In the KYC Platform Main screen, click Search to view the Search icons.

2. To search Cases, click on the Search Cases icon.

3. In the Case Search screen, to search for a case, enter the following search criteria:

1. Case ID and/or2. Case Name and/or3. Customer Name

Note: This is a dynamic search, so you could input part of a name to get a set of search results.

65


The table below lists the steps you need to follow to search for cases.

Step Action

4. Once you enter the search criteria, click Search to view your search results.

66


Topic 4: Search Legal EntityOverviewThe Search Tab allows you to search for existing Legal Entities. The table below lists the steps you need to follow to search Legal Entities.

Step Action

1. In the KYC Platform Main screen, click Search to view the Search icons.

2. To search Legal Entities, click Search Legal Entity.

3. In the Legal Entity Search screen, to search for a Legal Entity, enter the following search criteria:

1. Legal Entity ID and/or2. Legal Entity Name and/or

Note: This is a dynamic search, so you could input part of a name to get a set of search results.

67


The table below lists the steps you need to follow to search Legal Entities.

Step Action

4. Once you enter the search criteria, click Search to view your search results.

5. To view the results, click the arrow next to the item.

Note: Only if the Entity exists will it appear in the Results. If the search results come back with no matches, you must Create New.

68


Topic 5: Legal Entity Management ScreenOverviewThe Legal Entity Management Screen is the screen where the Business unit will enter all of the KYC information/data and/or documentation for each customer. This screen is divided into five sections as follows:

1. Legal Entity Details 2. Business Details 3. Supplementary Details4. Risk 5. Status6. Tasks

Important Notes Fields with the red asterisk are mandatory fields and must be populated before you save and

move on. Fields that are grayed out, means this data was previously populated on the prior screen and

was carried over to this screen; users are not able to make any changes or updates to these fields.

69


Topic 6: Legal Entity DetailsOverviewThe Legal Entity Details section is specific information regarding where the Legal Entity was formed and/or incorporated. As well as, specific information on the Business Unit that is engaging in the relationship.

The following table provides details about the fields and their descriptions within this section.

Field Name Description

Legal Entity Type* The Customer Type of the Legal Entity

Legal Entity Name* The Legal Entity Name as it is reflected within the information/data/documentation you received from the Customer, for example a contract.

LEI Legal Entity Identifier is an industry identification number assigned to an entity.

Country of Incorporation

The country the Legal Entity was incorporated.

Date of Formation/ Incorporation

The date the Legal Entity was formed or incorporated.

State Street Business Unit

The Business Unit that is entering the Legal Entity/Customer/Account

Shared Services The location of the Shared Services that supports the Business Unit

ID KYC Platform Identification Number assigned to each KYC Tracking Case, generated by the system

GEMS ID GEMS Identification Number for Legal Entity from the GEMS System

State of Incorporation The state in which the Legal Entity is incorporated

Identification # The type of identification that the Legal Entity is using to verify identity:

Alien Identification Number Consular Identification Card EIN TIN

Foreign TIN Passport Number SSN

State Street Business Unit Location

What country the Business Unit is located

70


Latest Updated Date System driven date based on when updates are made

Topic 7: Business DetailsOverview The Business Details section is information that is specific to the Business of the Legal Entity.



Trade As Name(s) Official name the Legal Entity is traded as

Listed on Approved Exchange

Indicate whether the Legal Entity is listed on an approved Stock Exchange

Stock Exchange Indicate what Stock Exchange the Legal Entity is traded on

Regulated By Indicate the Regulator of the Legal Entity

Stock Symbol Indicate the Stock Symbol of the Legal Entity

CUSIP (US Only) A CUSIP is a nine-character alphanumeric code that identifies a North American financial security for the purposes of facilitating clearing and settlement of trades

ISIN/ SEDOL/ RIC (Non-US)

ISIN stands for International Securities Identification Number, which uniquely identifies a security. Securities for which ISINs are issued include bonds, commercial paper, stocks and warrants.

SEDOL stands for Stock Exchange Daily Official List, a list of security identifiers used in the United Kingdom and Ireland for clearing purposes. SEDOLs serve as the National Securities Identifying Number for all securities issued in the United Kingdom and are therefore part of the security's ISIN as well.

RIC stands for Reuters Instrument Code. Is a ticker-like code used by Thomson Reuters to identify financial instruments and indices.

Products and Services offered

Indicate the products and services that are offered by the Legal Entity

Source of Funds The source of funds refers to the origin of the particular funds or other assets which are the subject of the business relationship (e.g., the amounts being invested, deposited, or wired as part of the business relationship). This information will usually give an indication as to the

71


volume of wealth the customer would be expected to have, and a picture of how the customer acquired such wealth.

72




Source of Wealth The source of wealth refers to the origin of the customer’s entire body of wealth (i.e., total assets).

Initial On boarded Date

Date the Legal Entity started their relationship with State Street Corporation.

Primary Business Location

Geography where the Legal Entity conducts its business.

Other Stock Exchange

Indicates if the Legal Entity is traded on another Stock Exchange.

Other Regulated By Indicates if the Legal Entity is regulated by another regulator.

SIC SIC stands for Standard Industrial Classification, which is a system for classifying industries by a four-digit code.

NAICS NAICS stands for North American Industry Classification System used by business and government to classify business establishments according to type of economic activity (process of production) in Canada, Mexico, and the United States of America.

Purpose of Account Indicates why the Legal Entity requested to conduct business with State Street Corporation.

Other Source of Funds

Indicates if the Legal Entity has other Source of Funds to document.

Other Source of Wealth

Indicates if the Legal Entity has other Source of Wealth to document.

Legal Structure Indicate how the Legal Entity is legally structured

73


Topic 8: Supplementary DetailsOverviewThe Supplementary Details section is information that is specific to the expected activity in the account.



Investment Goals Indicate the investment goals of the Legal Entity

Nested Account Nested Accounts are a sub-set of accounts associated with, or having access to, correspondent accounts of foreign financial institutions. Risks arise when the foreign financial institution permits another financial institution, through the nested account, access to the account, because this allows foreign financial institutions to have anonymous access to a different jurisdictional banking system. Funds received are seen by the bank as coming from legitimate, established channels and its foreign correspondents.

Customer has up to date records?

Indicate whether the records provided by the Legal Entity are current

Schedule for Redemption

Indicate the schedule for redemptions; monthly or quarterly

Type of Trust Indicate the type of trust: Individual Trust, Family Trust, Corporate Trust

Value of Trust Indicate the value of the trust for which the account is being opened

Available Investment Options

Indicate the available investment options for the account.

Payable Through Account

This is a service offered by a jurisdiction’s banking entities to foreign banks, involving the banking entity opening a checking account for the foreign bank. The foreign bank may solicit customers that reside outside of certain financial markets who, for a fee, are provided with the means to conduct banking transactions in the new market through the foreign bank's account at the service providing banking entity.

Funding and disbursement criteria

Indicate how the legal entity is funded and how the disbursement criteria are considered, including what kind of beneficiary information is collected

74


Percentage of Redemption

Indicate the percentage of redemption

Topic 9: RisksOverviewThe Risk section is information that is specific to the results of screening and Customer Risk Rating.



Negative News All customers, UBOs, controlling parties, and associated third parties must be screened for negative news items, and once analyzed, should be designated as relevant or non-relevant. Not all negative news is relevant, i.e., would be relevant to the decision whether the customer poses a High AML Risk. Generally, only negative information that reflects on the reputation of the customer for legal or regulatory compliance is relevant, e.g., criminal or regulatory enforcement actions, money laundering or Sanctions violations, or other illegal activity that was conducted by or facilitated by the customer. Negative financial news or information about litigation with customers or competitors also generally is not relevant. Crimes committed against the customer generally may not be relevant, e.g., misdemeanor or traffic violation. If there is any doubt whether negative news is relevant, the Business Unit AML Officer must be consulted. (See the procedures document for full definition of Material negative News)

Authorized Signers Not being used

Owners Indicate whether a material match has been found for all Ultimate Beneficial Owners screened.UBO is an Individual or entity who has a level of control over, or entitlement to, the funds or assets in the account that, as a practical matter, enables the individual, directly or indirectly, to control, manage or direct the account.

The ability to fund the account or the entitlement to the funds of the account alone, however, without any corresponding authority to control, manage or direct the account (such as in the case of a minor child beneficiary), does not cause the individual to be a Beneficial Owner.

Risk Category Customer Risk Rating - Customer Risk Rating as used herein refers to the money laundering risk of the customer based upon State Street’s standard methodology.

Management Indicate whether a material match has been found for all Management personnel screened.

75


76


Topic 10: StatusOverviewThe Status section is information that is specific to that status of the case.



Edit Status Provides that the status of the customer’s case.

Last Verified Date Provides the previous date the Legal Entity/KYC Tracking Case completed the KYC Process. With initial entry this field will be greyed out until the KYC Process is completed.

77


Topic 11: TasksOverviewThe Task section is information that is specific to the seven tasks within the KYC Process.

The following table provides details about the tabs and their descriptions within this section.


Tasks The Tasks tab presents ‘in progress’ and ‘completed’ tasks related to the Case.

LE Roles The LE Roles Tab indicates the role of the Legal Entity: Customer, Account, or Customer and Account

Addresses The Addresses tab presents a full grid listing of all addresses associated to the Legal Entity. From the Addresses Tab, the users with the appropriate permissions can add addresses to an entity and perform a range of functions on addresses listed like view, edit, remove.

Documents The Documents tab presents a full grid listing of all documents associated to the KYC Tracking Case. From the Documents Tab, users with the appropriate permissions can add documents to an entity and perform a range of functions on documents listed like view, edit, remove the documents.

Comments The Comments Tab presents a grid listing of all comments associated to the case. From here users with the appropriate permissions can add comments and view the listing of comments already captured.

Note: comments added from the Case Details page section will also list here once the Case Details are saved.

History KYC Platform maintains a complete record of actions/operations that takes place to on the case in question.

Products This tab presents a full grid listing of all products added to a Legal Entity. Products will only be added to Legal Entities with the LE Role of Account. From the Products Tab, the users with the appropriate permissions can add products to the Legal Entity and edit the Product Details.

Associated Parties The Associated Parties tab presents Legal Entities linked manually to the KYC Tracking Case in context. Users can associate Legal Entities from this tab. This tab is where the user will link all Associated 3rd Parties, Controlling Parties and Beneficial Owners.

78


Within the KYC Platform, there are seven tasks that create the workflow for who, what, and when it needs to be done throughout the KYC onboarding process.

The following table provides details about these tasks.

Task Task Name Description Actor

1. Capture Legal Entity Data

1. Create Entity in KYC Platform2. Enter all customer information within the below

sections:- Customer Details- Business Details- Supplementary Details- Risk

3. Add LE Role – Customer/Account4. Add additional address(es)5. Add Product Details6. Add Associated 3rd Parties

Business Unit

2. Upload Request Documents

Upload all customer documents that were gathered during CIP and CDD

Business Unit

Assign KYC Tracking Case

Assign to Shared Services Shared

Services Manager

3. ValidateValidate and ensure that all required information and documentation has been gathered, satisfies all requirements and entered correctly.

Shared Services

4. Enrich Client Data

1. Performa. Customer Verification – Documentary or Non-

Documentaryb. Onboard Screenings – Sanctions List and Negative

News Screenings2. Capture evidence & upload as documents

Shared Services

Refer KYC Tracking Case

Refer Case back to previous Stage

- This can happen at any point during tasks #3-6

Shared Services Manager

5. Upload Risk Rating

1. Calculate Risk Rating in CRR Tool2. Upload results as documents3. Assign value in Products Details4. Assign value in Risk Rating Upload screen

Shared Services

6. Complete AML

1. Perform escalation for High Risk Rating Value2. Upload evidence/results as doc

Note: During this task, all escalations will be performed outside the KYC Platform and a record of the escalations and work completed by the BU and/or AML Compliance must be captured and uploaded into the KYC Platform.

Shared Services

7.Approve for Account Opening

1. Review2. Approve or Refer

Shared Services Manager

79


Lesson 4: Summary The components of the KYC Platform Main Screen are Queues Tab, Dashboard Tab, Search

Tab, Search Details Section, and Search Results Section.

The Queues Tab has three sections that allow you to manage and edit existing cases.

The Dashboard Tab allows you to view only the items that you are or have worked on.

The Search Tab allows you to search for existing Cases.

The Search Tab allows you to search for existing Legal Entities.

The Legal Entity Management Screen is the screen where the First Line of Defense will enter all of the KYC information/data and/or documentation for each customer.

The Legal Entity Details section is specific information regarding where the Legal Entity was formed and/or incorporated.

The Business Details section is information that is specific to the Business of the Legal Entity. The Supplementary Details section is information that is specific to the customer’s expected

account activity.

The Risk section is information that is specific to the results of the screenings and Customer Risk Rating.

The Status section is information that is specific to that status of the case.

Within the KYC Platform, there are seven tasks that create the workflow for who, what, and when it needs to be done throughout the KYC onboarding process.

80


Lesson 5: How to Conduct CIP and CDD

Topics 1. Capturing Legal Entity

2. Upload Requested Documents

3. Validate

4. Enrich Client Data

5. Upload Risk Rating Results

6. Complete AML

7. Approve for Account Opening

OverviewOnce all the information, data and/or documentation has been gathered the Business Unit will begin the first task of Capturing Legal Entity Data in the KYC Platform. During this task all customer information will be entered into the below sections:

Customer Details Business Details Supplementary Details Add LE Role – Customer/Account Add Product Details

Also, need to ensure that following is added if applicable:

Add additional address(es) Add Associated 3rd Parties

Important NoteIf, at any point during CIP and CDD, a material discrepancy is identified, the Business Unit should escalate the details of the material discrepancy to the Business Unit AML Officer for resolution. Material discrepancies can relate to customers refusing to provide information, conflicting customer information and/or inability to verify information.

81


Topic 1: Capturing Legal Entity OverviewThe following table lists the steps that the Business Unit needs to perform during Task 1 – Capturing Legal Entity.

Step Action

1. Provide notice to U.S. customers, including associated third parties, controlling parties, and UBOs, about the information State Street will be requesting to complete CIP.

2. Obtain the following customer identification information:

Name

Physical address and country:

- Principal place of business/trading address

- Local office

- Other physical location

Date of birth (when applicable)

Identification number

3. Determine the Customer Type using the Translation table to map to the new State Street Customer Types.

Note: Once the Customer Type has been identified and jurisdiction is determined, access the KYC Requirements Matrix to collect all information required, including associated third parties, controlling parties and UBOs.

82


The following table lists the steps that the Business Unit needs to perform during Task 1 – Capturing Legal Entity.

Step Action

4. To access the KYC Requirements Matrix, go to the KYC Portal at the following location: https://community.statestr.com/sites/KYC-Portal/default.aspx.

5. Click on the KYC Requirements Matrix.

6. In the Customer Type section at the top of the Tool, select the appropriate Customer Type by clicking on the Customer Type once.

83

https://community.statestr.com/sites/KYC-Portal/default.aspx



Step Action

7. In the Jurisidcition section, follow the steps below:

1. Select Global Corporate Standard 2. Press and hold the Ctrl Key of the system and select Jurisdiction by clicking on

the name once.

Result: Both the Standard and additional Jurisdictional steps are displayed.

Notes:

If the Jurisdiction is not listed, select Global Corporate Standard Jurisdiction by clicking once, standard steps will be displayed.

At a minimum the Standard KYC Requirements must be followed, if a specific Jurisdiction has additional KYC Requirements all must be followed.

If a specific Jurisdiction requires less than the minimum, the minimum standard KYC Requirements must be followed.

8. In the KYC Element section, the tool defaults to list both CIP/CDD and EDD steps. If either CIP/CDD or EDD steps are not required, you can select the appropriate elements by clicking on the required element.

Note: To clear the KYC element selection, click the Clear Filter icon, the Tool will return to the default.

9. The KYC Requirements Matrix will display the search results and for each requirement the following information is provided:

Req # - unique id

Requirement Description – narrative description of the AML requirement

Data – required data or information

Evidence – acceptable types of requirements evidence

Customer Type – Identifies the Customer Type selected

Jurisdiction – Identifies the Jurisdiction(s) selected

KYC Element – Identifies the KYC Element(s) selected

Note: If the Step number contains a decimal and number after it, that Req # may replace or enhance the Req # it follows (example: Standard Req 3 requires that the physical address be obtained, the Jurisdictional enhancement 3.1 requires that the address also be verified.)

84



Step Action

10. After determining the customer type and gathering the required information, data and/or documentation, access the KYC Portal at the following location: https://community.statestr.com/sites/KYC-Portal/default.aspx

11. 1 In the KYC Portal, click KYC Platform.

85

https://community.statestr.com/sites/KYC-Portal/default.aspx



Step Action

12. Before we start to build the KYC case, we first need to deterimine if this customer already exists within State Street. Within the KYC Platform Main screen, click Search to view the Search icons.

Note: It is important to complete this step because if the customer already exists they could have KYC documents on file that could be leveraged.

13. To search Legal Entities, click Search Legal Entity.

86



Step Action

14. Within the Legal Entity Search tab, enter the following information:

1. Full legal name in the Legal Entity Name field

2. Select the Country of Jurisdiction in the Country list

3. Click Search

15. If the customer already exists another Business Unit has onboarded this customer, in this situation, you must review the KYC information, data and/or documentation to ensure it is valid and up-to-date.

16. If the customer does not exist, create new Legal Entity in the KYC Platform by clicking the Create New button to view the Add Legal Entity Screen.

87



Step Action

17. Within the Add Legal Entity Screen, select the Legal Entity Type which is the Customer Type.

18. Within the Add Legal Entity Screen, enter all information required to create a Legal Entity in the KYC Platform:

1. Complete all required fields denoted with an “*”2. Classify Legal Entity Role as a Customer3. Select Save

19. In the Customer Details screen, enter all additional information into the KYC Platform as required by the KYC Requirements Matrix

Remember: Fields with the red asterisk are mandatory fields and must be populated before you save and move on.

88



Step Action

20. In the Business Details screen, enter all additional information into the KYC Platform as required by the KYC Requirements Matrix.

Note: Not all fields within this section are required; it would depend on the customer type.

21. In the Supplementary Details screen, enter all additional information into the KYC Platform as required by the KYC Requirements Matrix.

22. Click Save for Later when all data entry fields have been completed.

89



Step Action

23. Navigate to the Tabs section at the bottom of the screen and within the LE Roles tab, click Create New to open up the Legal Entity Role Window:

24. In the Legal Entity Role window, complete the following:

1. Within the Legal Entity Role field, select Account2. Within the Role Status field, select Active3. Click Save.

Note: Once the Account role has been added, there should be two roles assigned to this Legal Entity; Customer and Account.

25. To enter additional addresses, select the Address tab; click Create New to open the Add Address window.

90



Step Action

26. In the Add Address dialog box, select/enter the following information:

1. Address Type2. Address Line 13. Town/City4. Country – Once this field is entered, the State/Country dropdown becomes available5. State/Country6. Click Save. The address will be added as an item in the Address tab.

27. Select the Products tab, select the following information:

1. Product Category2. Product Name3. State Street Contracting Entity4. Click Add

28. To enter detailed Product information, click on the Edit icon to view the Product Details screen.

Note: This section is where you select the products that the customer is purchasing from State Street.

91



Step Action

29. In the Product Details screen, enter the following information:

1. Product Details2. Expected Activity3. High Risk Transactions4. Click Save5. Click Back

Note: Do not enter the Risk Rating; this is completed by Shared Services.

30. Select the Associated Parties tab, click Create New.

31. Within the Association tab, under Association Details, select the Relationship.

32. Within the Associated Entity field, enter the Entity or select the Magnifying Glass to view a list of existing Legal Entities.

92



Step Action

33. If the Legal Entity exists, select it in the search results to add the association, and then click Select.

34. Click Save and Complete or click Save and Add Another to add another association.

35. If the Entity does not exist, click on Create New.

36. To add an Associated Third Party within the Add Legal Entity Screen, select the Legal Entity Type which is the Customer Type of the Associated Third Party.

93



Step Action

37. Within the Add Legal Entity Screen, for Associated Third Parties only the following is needed:

Full Name Date of Birth (Individuals Only) Job Title

Enter the following to add the Associated Third Party into the KYC Platform:

1. First Name2. Last Name3. Date of Birth (Individuals Only)4. State Street Business Unit – System requirement5. State Street Business Unit Location – System requirement6. Shared Services – System requirement7. Click on the Unknown Address box, the address is not required8. Click Save

38. Within the Additional Details section, complete the following

1. Add the Job Title into the Occupation field2. Click Save.

39. Once the Associated Party has been added now you have to associate it the Legal Entity. Follow steps 30 – 38 to complete.

40. Once Legal Entity Details and all tabs information has been entered, click Save and Complete.

Task 1 – Capturing Legal Entity Data is complete.

94


Topic 2: Upload Requested Documents OverviewOnce the Legal Entity has been created in the KYC Platform, and all information has been entered for the Legal Entity, the next task is to upload supporting documentation gathered.

The following table lists the steps that the Business Unit needs to perform during Task 2 – Uploading Request Documents.

Step Action

1. On the Tasks tab, click Refresh.

2. On the Documents tab, click Add Document.

3. In the Add a Document screen, in the Document Source list, select Uploaded Document.Note: The Add a Document screen will continue to add fields once a field is selected

95


The following table lists the steps that the Business Unit needs to perform during Task 2 – Uploading Request Documents.

Step Action

4. Enter the following information:

1. Click Browse and search for the appropriate document on local computer, the name of the Document will be auto-populated with the name of the file

2. Select the Document Category3. Select the Document Type (The Document Type values are driven by the Document

Category chosen)4. Click Save and Complete when document(s) have finished uploading (Click Save

and Add Another as appropriate)

5. On the Tasks tab, select Complete from the task icon.

Note: Once all documents are updated, the case is saved and sent to AML KYC CoE (Shared Services).

Task 2 – Upload Request Documents is complete.

96


Topic 3: Validate OverviewOnce Task 2 – Upload Request Documents has been completed, the KYC Tracking Case will be assigned to a AML KYC CoE (Shared Services) User by a Shared Service Manager.

The AML KYC CoE (Shared Services) User will validate that all required information has been gathered and entered into the KYC Platform correctly, and will also validate that all required documentation has been gathered, satisfies the document requirements, and has been uploaded to the KYC Platform.

The following table lists the steps that AML KYC CoE (Shared Services) needs to perform during Task 3 – Validate.

Step Action

1. On the My Tasks Queue tab, selects the All folder to find the case.

2. A list of assigned cases appears, select Navigate from the small icon to the right of the case to validate.

3. In the Legal Entity Management screen, validate that all required information has been entered into the Customer, Business and Supplementary Detail sections, per the KYC Requirements Matrix.

97



Step Action

4. On the LE Roles tab, validate the Legal Entity Roles.

5. On the Documents tab, open each document to validate information entered in the Legal Entity Management screen is correct (fields that were populated from customer documents).

6. On the Documents tab, validate that all required documents have been uploaded into the KYC Platform per the KYC Requirements Matrix (Accessible through the KYC Portal).

7. On the Documents tab, open each document by selecting Edit Document Properties from the icon to the right of each document.

8. Click the View Document link and validate that it satisfies document requirements:

1. Click, Current, Legible, signed and in full and Annotated if in language other than English.

2. Click Save3. Click Back to navigate to the Legal Entity Management screen.

9. On the Addresses tab, validate that all address information is correct.

10. On the Products tab, validate that all product information has been entered correctly as follows:

1. Validate product information is correct on the Products tab2. Navigate to the Product Details screen by clicking on the icon to the right of the

product3. Validate that all information entered in the Product Details screen is correct4. Click Back to navigate to the Legal Entity Management Screen

98



Step Action

11. On the Associated Parties tab, validate all Associated Parties have been added and all the information is correct as follows:

1. Validate product information is correct on the Associated Parties tab2. Navigate to the Product Details screen by clicking on the icon to the right of the

product, and selecting View3. Validate that all information entered in the Product Details screen is correct4. Click Back to navigate to the Legal Entity Management screen

12. Once all documents have been validated, navigate to the Tasks tab and complete the task by selecting Complete from the icon to the right of the task.

Task 3 – Validate is complete.

99


Topic 4: Enrich Client Data OverviewOnce Task 3 – Validate has been completed; the next task is Enrich Client Data.

To complete this task, the AML KYC CoE (Shared Services) User will perform:

Customer Verification, either by documentary or non-documentary means Perform the Onboard Screenings, consisting of the Negative News and List Screening.

All screening, including Customer Verification, will be performed in a system outside of the KYC Platform. It is required that results and evidence of the screenings be captured as a document, and then uploaded into the KYC Platform.

The following table lists the steps that AML KYC CoE (Shared Services) needs to perform during Task 4 – Enrich Client Data.

Step Action

1. To perform non-documentary verification, perform the following steps:

1. Navigate to the Non-documentary Verification system (Accessible through the KYC Portal)

2. Run verification screening in external system3. Capture results locally as a document4. Navigate to the KYC Platform through the KYC Portal5. Navigate to the My Tasks Queue on the left side of the screen and click Refresh,

then select All – All tasks assigned to the user will appear under the search results6. Select the Navigate icon to the right of the appropriate task in the Search Results –

this will bring the user to the Legal Entity Management screen

2. Navigate to the Documents tab to upload the results of the Customer Verification as a document, and then click Add Document.

100



Step Action

3. Under Document Details, enter the following information:

1. Select the Document Source value as Uploaded Document.2. Select the Document Direction as Inbound3. Type in the Document Name as appropriate4. Select the Document Category as KYC – this will drive the values of the Document

Type dropdown5. Select the Document Type as Screening6. Click Save

4. To perform Documentary Verification, perform the following steps:

1. Perform Customer Verification screening with identification documents provided by the customer

2. Capture results locally as a document3. Upload evidence in the KYC Platform as a document (See previous step for adding

document steps)

101



Step Action

5. To perform Onboard Screenings, perform the following steps:1. Navigate to the KYC Portal Collaborate.2. Navigate to the Onboard Screenings systems through the KYC Portal3. Perform List Screenings on Legal Entity and all Associations in external system

i. Capture screening results as a documentii. Upload evidence as a document in the KYC Platform (See previous step for

Adding a Document)4. Navigate to the KYC Portal through Collaborate5. Navigate to the Negative News Screening system through the KYC Portal6. Perform Negative News Screening on Legal Entity and all Associations in external

systemi. Capture screening results as a documentii. Navigate to the KYC Platform through the KYC Portaliii. Upload evidence as a document in the KYC Platform (See previous step for

Adding a Document

The Documents Tab should now have documents capturing the results of the following:

Customer Verification – Either Documentary or Non-documentary List Screening Negative News Screening

6. On the Tasks tab, In the KYC Portal, select Complete in the icon dropdown to the right of the task complete the task.

7. On the Tasks tab, click Refresh to bring up the next task Upload Risk Rating Result.

Task 4 – Enrich Client Data is complete.

102


Topic 5: Upload Risk Rating Results OverviewOnce Task 4 – Enrich Client Data has been completed; the next task is Upload Risk Rating Results.

Once the customer has been verified, Onboard Screenings have been completed, and results have been uploaded as evidence to the KYC Platform, the KYC Shared Service User will complete the next task of calculating the Risk Rating using the Customer Risk Rating Tool, and uploading the result to the KYC Platform.

The following table lists the steps that AML KYC CoE (Shared Services) needs to perform during Task 5 – Upload Risk Rating Results.

Step Action

1. Within the KYC Portal, click on the Customer Risk Rating (CRR) Tool tab.

2. To view the CRR Tool, complete the following:

1. Select the SSC CRR Spreadsheet2. Click on Download a Copy tab

103



Step Action

3. Follow the following steps to save the tool:

1. Click the File tab in the upper left-hand corner of the screen

2. Select Save As3. When prompted by the dialogue box, select which drive to save the tool

4. Click Save

4. The step-by-step instructions to use Customer Risk Rating tool are given on the Instruction tab.

5. Identify the appropriate KYC Customer Type using the Customer Translation Table.

104



Step Action

6. Click the grey Launch button to open the worksheet and start the risk scoring process.

7. Select the appropriate KYC Customer Type using drop-down menu.

Note: The Customer Type options are available in alphabetical order:

8. If not auto-populated, enter your full name (first, last/family). Also, enter your Employee ID.

9. Enter the name of the Legal Entity (See KYC Req. #1) in the given field.

105


The following table lists the steps that AML KYC CoE (KYC Shared Services) needs to perform during Task 5 – Upload Risk Rating Results.

Step Action

10. Enter the GEMS ID in the given field.

11. Enter the MCH ID if available; if this field is not applicable to the customer, please enter N/A.

12. Enter the date of the customer’s first account opening with State Street in DD-MMM-YYYY format, for example 12-APR-1996.

13. If there has been any relevant negative news identified about the customer (as defined in KYC Req. #17), select Yes from the Relevant Negative News drop-down menu. Otherwise, select No.

Note: KYC Req. #17: Conduct negative news screening on the customer (CDD Screening).

106



Step Action

14. Select No for customer types Government, Mutual Funds, Pension Plans, Investment Advisor (Regulated), Investment Advisor (Unregulated), Foundations/Endowments, Charities, SPVs, Hedge Fund & Private Equity, Sovereign Wealth Funds, Trusts (Corp & Ind), Universities and Supra National Organization.For all other customer types, if the customer can issue Bearer Shares (See KYC Req. #31) select Yes, otherwise select No.

Note: KYC req. #31: Obtain confirmation as to whether the legal entity issued bearer shares.

15. Select Yes if customer is listed on an exchange (See KYC Req. #10), otherwise, select No from the drop-down menu.

Note: KYC req. #10: Obtain documentation supporting whether the entity is listed on an exchange.

16. For customers listed on an exchange, please identify the country of the primary exchange on which the entity is listed – only single response allowed.

107



Step Action

17. Once a country has been selected, select the primary exchange on which the entity is listed from the drop-down menu. If not available, please select Other and specify which exchange.

18. For customer types Non-FI Public Company, Non-FI Private Company, Government, Investment Advisor (Unregulated), Foundations/Endowments, Charities, SPVs, Hedge Fund & Private Equity, Sovereign Wealth Funds, Trusts (Corp & Ind), Universities and Supra National Organizations select No proof obtained from the drop-down menu.

19. If proof of regulatory status has been obtained (See KYC Req. #9) select Proof obtained, otherwise, select No proof obtained from the drop-down menu.

Note: KYC req. #9: Validate documentation supporting the entity's current Regulatory Status.

108



Step Action

20. If Proof obtained, select the country and name of primary regulator from the drop-down menus – only single response allowed.If the primary regulator is not available, please select Other and specify which regulator has oversight of the entity.

21. Select applicable Industry and Industry code describing the entity's line or nature of business i.e., industry where the customer operates or invests in, from the drop-down menu (KYC Req. #21).

Note: In case of Governments, if it is related to central bank then select category Finance

and Insurance and specific code of 521110: Monetary Authorities-Central Bank Embassies use category Public Administration and specific code of 928120:

International Affairs Other government organizations except central banks and embassies use the

category Public Administration and select any of the specific codes. KYC req. #21: Obtain the industry code describing the Customer's line or nature of

business.

109



Step Action

22. Select the appropriate Legal Structure for the customer from the drop-down menu. (See KYC Req. #19).

Note: For customer type Governments, select Government (State-owned Body) or

Government (Municipality), for Government Agencies select Government (Agency) and for Central Banks/Monetary Authorities select Government (State-owned Body)

KYC Req. #19: Identify and verify completed legal documentation required for the creation of a legal entity in the customer's geography and/or state of operation to identify the legal structure.

23. Select the country where the company was incorporated per the legal documentation obtained (See KYC Req.#20).

Note: Domicile of Legal Entity vs Domicile of Government Entity will be automatically

displayed based on Customer Type chosen. KYC Req. #20: Obtain the date and domicile of formation/incorporation of the legal

entity.

110



Step Action

24. Select as many options as applicable for Geography where the entity conducts its business (KYC Req.#26), i.e., where the business operates or makes investments.

Note: If Governments, Government Agencies & Central Banks/Monetary Authorities,

then refer to KYC Req.#20. KYC Req. #26: Obtain the geography where the customer/legal entity conducts its

business.

25. Select the appropriate CRR Product Category.

26. Select Yes if Remote Deposit Capture (RDC) capabilities are provided as a service, otherwise select No.

27. Select the appropriate Contracting Location, i.e., the country where the contract was established for the product from the drop-down menu.

111



Step Action

28. Once all fields have been populated, click the Calculate and Save button in the lower left hand corner in order to calculate the customer risk rating. The tool will display a rating across from the Calculate and Save button.

29. A separate Excel document will be saved in the same directory as this tool in the following format: SSC_CRR_Version_Name_GEMSID_MCHID_Date_Time.xlsx

Note: If a warning appears prompting the user to escalate to Compliance, please email as an attachment to [email protected] for further review.

30. Once the risk rating is calculated, save the spreadsheet so it can be uploaded into the Customer’s file within the KYC Platform.

31. To upload risk rating results to the KYC Platform, navigate to the KYC Platform through the KYC Portal.

32. Navigate to the KYC Tracking Case –To Upload the Risk Rating Result.

112



Step Action

33. Navigate to the Documents tab and upload the Risk Rating Results as a document (See previous step for Adding a Document)

Select the Document Type value as Risk Rating Spreadsheet Click Save and Complete – this will bring the user to the Legal Entity

Management screen.

34. Navigate to the Products tab in the Legal Entity Management screen to assign the Risk Rating value at the Product Level, and then select Edit from the icon dropdown to the right of the product.

35. In the Product Details screen, complete the following:

1. Select the Risk Rating2. Click Save3. Click Back to navigate back to the Legal Entity Management screen.

36. Navigate to the Tasks tab in the Legal Entity Management screen and select the Navigate icon to the right of the task to navigate to the Upload Risk Rating Result screen.

113



Step Action

37. In the Upload Risk Rating Result screen, perform the following steps:

1. Select a value for each screening performed and then select the value for the Risk Rating Calculation

2. Click Save and Complete – The system will navigate to the Legal Entity Management screen where the Tasks tab will be updated to the next task Complete AML.

Note: Risk Category will not be entered in this screen. In Production, this field will be auto-populated with the value input in the Product Details screen.

Task 5 – Upload Risk Rating is complete.

114


Topic 6: Complete AML OverviewOnce Task 5 – Upload Risk Rating has been completed; the next task is AML Complete.

The following table lists the steps that AML KYC CoE (Shared Services) needs to perform during Task 6 – Complete AML.

Step Action

1. If NO escalation is required, navigate to the Tasks tab in the Legal Entity Management screen and select Complete from the icon to the right of the task.

2. Click Refresh to bring up the next task Approve for Account Opening – this will move the KYC Tracking Case to the Shared Services Manager’s task queue.

The Complete AML task is now complete.

Task 6 – Complete AML is complete.

115

The purpose of the Complete AML Task is to capture any escalations that are required if the Risk Rating Value is High. All escalations will be performed outside the KYC Platform, and a record of the escalations and work completed by the Business Unit and Compliance will be captured as documents and uploaded to the KYC Platform.


Topic 7: Approve for Account Opening OverviewOnce Task 6 – Complete AML has been completed; the next task is Approve for Account Opening. This is the final task of the KYC AML Process in the KYC Platform.

The AML KYC CoE (Shared Services) Manager will review all information and documents that have input into the KYC Tracking Case before providing final approval.

The following table lists the steps that AML KYC CoE (Shared Services) Manager needs to perform during Task 7 – Approve for Account Opening.

Step Action

1. Navigate to the KYC Platform through the KYC Portal.

2. To review and approve, complete the following:

1. From the Work Queue on the left of the screen, click KYC Tracking2. Click Review & Approve – This will bring up all KYC Tracking Cases that are in

the Review & Approve stage.3. Click on the ID Link to the left of the correct Case – This will bring up the Case

Details screen.

116


The following table lists the steps that AML KYC CoE (Shared Services) Manager needs to perform during Task 7 – Approve for Account Opening.

Step Action

3. In the Case Details screen, click the Navigate icon to the right of Approve for Account Opening Task – This will bring up the Manager Review screen.

4. In the Manager Review screen, click the Navigate icon to the right of one of the previously completed tasks – This will bring up the Legal Entity Management Screen.

5. Perform final review of KYC Tracking Case.

6. Once the review is complete, navigate to the Tasks Tab and select the “Navigate” icon to provide approval on the Manager Review Screen

1. Select the Review Outcome as Approve.2. Select the next review date based on the Risk Rating assigned to the KYC

Tracking Case.3. Click Save and Complete.

Task 7 – Approve for Account Opening is complete. The KYC Tracking Case has now been Approved and Completed. The Approve for Account Opening task is now complete. KYC AML Process is Complete.

117


Lesson 5: Summary Within CDD, there are certain tasks that need to be completed for all customers, no matter what

the Customer Type, referred to as Standard CDD. Before the customer’s account opening process is complete, the Business Unit must collect

information to cover anticipated account activity, source of funds, and source of wealth. Part of building the Customers anticipated account profile; the Business Unit must take adequate

measures to establish the source of funds that are involved in the proposed relationship or occasional transaction.

In order to evaluate the source of a customer’s wealth, the Business Unit should gather information relevant to the manner in which the customer’s assets were obtained. This is the accumulation of the customer’s net worth which includes, in part, the funds held by State Street.

The third step in CDD is when the Business Unit conducts screening on the names and countries associated with customers, all UBOs, and any other related and specified controlling parties, and associated third parties prior to opening the customer’s account.

Negative news can be classified as relevant negative news and non-relevant negative news. Section 311 of the USA PATRIOT Act (Section 311) grants the Secretary of the Treasury the

authority, upon finding that reasonable grounds exist for concluding that a foreign jurisdiction, foreign FI, class of transaction, or type of account is of “primary money laundering concern,” to require domestic FIs and financial agencies (such as banks) to take certain “special measures” against the entity identified as a primary money laundering concern.


For all relevant customers, the Business Unit seeks to obtain financial information, as a source of CDD information for the customer. It should be noted that obtaining these documents is mandatory for FIs.

After all of the necessary information has been obtained from the Business Unit, AML KYC CoE (Shared Services) risk rates the customer prior to opening the customer’s account to assess the AML risk of conducting business with this customer and decide any risk mitigating strategies using CRRM.

The components of the KYC Platform Main Screen are Queues Tab, Dashboard Tab, Search Tab, Search Details Section, and Search Results Section.

118


Lesson 6: Enhanced Due Diligence

Topics 1. Required and Triggered Enhanced Due Diligence2. First Line of Defense Responsibilities3. General Enhanced Due Diligence Requirements4. Source of Wealth5. Site Visits6. PEP Identification7. Enhanced Due Diligence Customer Profile Form8. Risks and Mitigants9. Record Retention10. How to conduct PEP Identification11. How to conduct EDD

IntroductionEDD is a process that provides for a closer review of High-risk customers. EDD is required for High-risk State Street customers based on the AML Customer Risk Rating (CRR) and certain High-risk customer types notwithstanding the AML CRR.

EDD may be necessary when issues:

Arise in the course of conducting CDD (such as relevant negative news is identified). Are covered through account/transaction monitoring and require the AML CRR to be elevated to

High-risk.

119


Topic 1: Required and Triggered Enhanced Due DiligenceOverviewEDD is critical to identify a High-risk customer’s anticipated transactions.

A High-risk customer’s activities should be reviewed more closely at the time the account is opened and more frequently throughout the term of the relationship.

The following table provides details related to Required EDD and Triggered EDD.

Required EDD Triggered EDD

EDD is always required for customers rated High and for the following customers types, regardless of their AML CRR, including but not limited to:

Correspondent accounts for Foreign Financial Institutions (FIs) (as required by Section 312 of the USA PATRIOT Act)

Correspondent accounts for Foreign Banks (as required by Sections 313 and 319(b) of the USA PATRIOT Act)

Foreign private banking customers (as required by Section 312 of the USA PATRIOT Act)

Note: For additional guidance on required information, data, and/or documentation for customer types, refer to the AML KYC Requirements Matrix in the AML Toolkit.

Customer accounts not subject to EDD requirements at the time of account opening may later become subject to EDD requirements if:

The customer’s risk attributes and the AML CRR has changed, as a result of information updates during a periodic or event driven review of the relationship or other information that comes to the Business Unit’s or AML Compliance’s attention.

Material risk-related information, adverse or otherwise, concerning the customer is identified and elevates the AML CRR.

AML Compliance increases the AML CRR.

Discussion Question

EDD is always required for certain customer types notwithstanding their AML CRR. Provide two

examples of customer types for which EDD is mandatory.

120


Topic 2: First Line of Defense ResponsibilitiesOverviewAfter completing CDD and determining that the customer is High-risk or the customer type requires mandatory EDD, AML KYC CoE (Shared Services) must perform EDD that involves:

Investigative and analytic due diligence with respect to High-risk customers.

Reviewing transactions of existing customers as identified through the High-risk review process.

121


Topic 3: General Enhanced Due Diligence Requirements OverviewTo better understand the risks posed by a customer who requires EDD, the Business Unit obtains additional information about the customer, UBOs, and any other related and specified controlling parties and associated third parties.

For UBOs, the First Line of Defense collects information on beneficial owners with ten percent (%) (for High-risk) or more ownership of the entity, based on State Street's policy requirements, through documentary means.

This includes:

AML KYC CoE (Shared Services) uses the KYC Requirements Matrix to determine what information, data, and/or documentation is required by customer type and jurisdiction and provides to AML Compliance to so they can do the following:

Identify the risks posed by the customer. Prescribe any unique mitigants that may need to be implemented.

Discussion Question

How does AML KYC CoE (Shared Services) determine what information, data, and/or

documentation is required by customer type and jurisdiction for certain customer types

notwithstanding their AML CRR.

122

Name Address including country Date of birth ID number


Topic 4: Source of WealthOverviewPart of CDD is to identify the Source of Wealth, and for high risk customers Source of Wealth needs to be verified. The customer’s source of wealth is a combination of data points collected through the KYC process. The information collected will differ depending on whether the wealth is acquired through:

Ownership of a business Employment or professional practice Inheritance Investments

Documentation that contains information can be used in conjunction with other data points to validate the customer’s source of wealth.

The following table provides details about the type of documents are used to identify the source of wealth for a customer.

Non-Individual Individual

Letter/contract note from previous investment company giving notification of proceeds of maturing investment/claim

Signed tax return from a certified accountant

Completed sales contract

Loan agreement

Recent loan statements

Letter from donor confirming details of a gift and acknowledging the source of the donated funds

Legal sale document(s) (such as contract notes)

Signed letter from the Attorney

Signed letter from a certified accountant

Last three months’ pay slips

Confirmation from the employer of income and bonuses for last two years

Bank statements that clearly show receipt of the most recent three months’ regular salary payments from the named employer

Latest accounts, if self-employed

Grant of Probate (with a copy of the will) that must include the value of the estate

Loan agreement

Recent loan statements

Bank statements

Letter from a donor confirming details of gift and acknowledging the source of the donated funds

123


Attributes contributing to the accuracy and reasonableness of the customer’s source of wealth include:

From where the funds came

How the customer acquired the funds

From whom, if received by an individual or entity

When the funds were acquired

The location(s) from where the funds came

Source of wealth can be either Reasonable or Unreasonable.

The following table provides a Reasonable Example and an Unreasonable Example to help determine a customer’s source of wealth.

Reasonable Example Unreasonable Example

A Regulated Investment Advisor in the non-bank financial services industry (NAICS: 523930) recently had their initial public offering/stock market launch to investors to raise capital for an acquisition of a competitor for increased market share.

(This leads one to conclude that a financial institution has recently accepted a large amount of investments from investors to grow the company. This source of wealth is reasonable as one can expect that operations, fees, investments, and earnings all contribute to the source of wealth, whereas the immediate source of funds from the offering are directly attributable to investments from new shareholders).

Therefore, the following must be included:

Customer Type + Nature of Business + Source(s) of Wealth + Justification = Reasonable Assessment that the source of wealth is accurate

An unregulated Investment Manager located in Spain, whose profile had traditionally been investing in equities, is now heavily investing in Chilean mines, and wants to expand investments into the landscaping industry in Qatar. (This leads one to ask the question of why an investment manager is changing his investment profile from consistent investment in equities to investments in High-risk industries and countries without providing a reasonable explanation).

124


Discussion Question

What is the criterion for collecting information from a customer to determine his/her source of

wealth?

125


Topic 5: Site VisitsOverviewSite visits are an important part of the EDD process for MSBs, and other customer types, to confirm the veracity of the information provided by the customer.

The following table provides information about Site Visits, Trigger Events, Report Requirements, and Key Elements.

Task Description

Site Visits

The Business Unit AML Officer performs site visits at the customer’s primary place of business at the onset of the relationship and annually thereafter. Information collected during the course of a site visit is NOT limited to the following examples:

Establishing the physical location of the customer

Validating the existence of a Compliance Officer

Evaluating the AML training material

Assessing that operations are in line with the expectations for that customer type

Validating the presence of a current AML Program

Affirming that the personnel representing the customer are present

Trigger Events

A site visit may be trigged by events identified by the First Line of Defense and escalated to the Business Unit AML Officer, or directly by concerns raised through processes within AML Compliance.

Some examples of trigger events include:

Events that may indicate a heightened AML risk, such as regulatory action, relevant negative news, and additions to Sanctions lists.

Transaction monitoring findings and SAR filings.

Customers in High-risk jurisdictions, determining that the Parent does not have either financial control of the account or adequate oversight over the activity of the subsidiary in question.

The impact of such trigger events on site visitation requirements depends on the specifics of the trigger event and is determined by the Business Unit AML Officer in discussions with the Business Unit Chief Operating Officer and/or delegate and AML Compliance.

Note: Where a site visit is determined to be appropriate as a result of a SAR filing, care must be taken to avoid “tipping off” the customer.

126


The following table provides information about Site Visits, Trigger Events, Report Requirements, and Key Elements.

Task Description

Report Requirements

Details of site visits are recorded, which at a minimum must include:

Date of the site visit

Customer name and location

Names of all parties who attended the meetings

Subject of such meetings

Outcomes of the meetings

Description of the business location

Identified risk factors

Key Elements

The key elements of site visits remain a confident understanding of the:

Customer

Personnel associated with it

AML Program and controls

Operations that are in line with what would be expected

Risk factors include:

Lack of transparency into operations and oversight of the customer’s activities

No physical location

Constantly putting off the visit

Unavailability of Compliance personnel

The full copy of the report is added to the customer’s KYC profile.

Discussion Question

When can the site visits be triggered?

127


Topic 6: PEP IdentificationOverviewState Street is not prohibited from establishing relationships with PEPs, or from establishing relationships with customers who have PEPs within their organizational structure, unless there is reliable information that the PEP is improperly profiting from his/her public office.

Customer accounts for all PEPs require the application of EDD. Reasonable steps must be exercised to identify customers who are PEPs prior to opening the customer’s account.

PEPs may be identified through the checks against local or regional lists, which are conducted at the time the customer’s account is opened.

PEP MatchesIn the event that a match occurs, AML KYC CoE (Shared Services) must review the match and eliminate any false potential name matches.

In the case of a possible or confirmed match, AML KYC CoE (Shared Services) must review the match and provide documentation and an explanation as to why the match is either a false positive or confirmed match, and keep the record on file.

Any potential matches must be escalated to the OFAC/Sanctions Central Monitoring, if there is any question about the customer’s PEP status.

If a PEP is identified in overnight or periodic batch screening, AML KYC CoE (Shared Services) has 30 calendar days to conduct EDD using the KYC Requirements Matrix and obtain required approvals.

128


EDD for PEPsWhen it has been determined that a customer is or has a PEP associated with it, additional KYC must be performed on the PEP. The information, data and/or documentation required to complete the additional KYC is detailed in the KYC Requirements Matrix. AML KYC CoE (Shared Services) completes the following:

Reviews and verifies the required information, data, and/or documentation received and the Business Unit contacts the customer for any remaining information that is missing.

Verifies information, data, and/or documentation received is valid and performs EDD prior to informing AML Compliance using the Enhanced Due Diligence Customer Profile.

During the course of the relationship, the level and nature of risk associated with the PEP account may change.

AML Compliance, in conjunction with the First Line of Defense, is responsible for conducting ongoing High-risk customer reviews throughout the course of the relationship, if the customer is a PEP entity or the individual customer is a PEP.

PEP accounts along with High-risk accounts are re-assessed within six months of account opening and annually thereafter.

Discussion Question

What is the role of AML Compliance for PEP customers?

129


Topic 7: Enhanced Due Diligence Customer Profile FormOverviewDuring the onboarding process, if a customer is designated as High-risk, the Business Unit must send all KYC information, data, and/or documentation to AML Compliance via an AML Enhanced Due Diligence Customer Profile, which must contain the reason for rating the customer as High-risk.

AML Compliance is responsible for reviewing the AML Enhanced Due Diligence Customer Profile, to determine the unique mitigants required to onboard the customer and rendering an opinion via an FIU Assessment.

130


Topic 8: Risks and MitigantsOverviewFor customers requiring EDD, the First Line of Defense may open a customer’s account only after the:

Business Unit Chief Operating Officer, equivalent, and/or delegate approves the request. Money Laundering Reporting Officer (MLRO) where applicable, receives and acknowledges their

review of the risks and any unique mitigants in the FIU assessment from AML Compliance.

Unique mitigants are based on the situation and circumstances specific to each customer and may consist of one or more controls that are:

Established at onboarding Performed throughout the existence of a High-risk account, such as enhanced transaction

monitoring, which could dictate tighter algorithms or more frequent review cycles.

Important NoteOnly the Business Unit AML Officer can override the AML CRR for Medium and Low-risk customers and only the AML Compliance FIU can override the AML CRR of a High-risk customer.

The following are examples of potential mitigants that may be used for monitoring High-risk customers:

Enhanced transaction monitoring

Documenting existing relationships

Repute and/or verification of customer directors

Site visits

Ongoing screening of key principles, Ultimate Beneficial Owners (UBOs) outside of automated sanctions screening

Discussion Question

Identify the controls that may apply to unique mitigants.

131


Topic 9: Record RetentionOverviewAs a requirement, all customer facing businesses, support functions, and control functions must maintain records of a customer’s identity, transactions, and other significant records.

This ensures that legal and regulatory requirements in the jurisdictions in which it operates are met thereby ensuring confidentiality, bank secrecy, and data protection.

AML records must be maintained for a minimum of five years (from the end of the customer relationship in the case of identity records) or longer, if local regulation requires.

Records must be stored to facilitate adequate access and retrieval in a timely manner.

Discussion Question

State Street’s record retention policy requires that AML records must be maintained for a minimum

of five years. State the reason for retaining these records.

132


Topic 10: How to Conduct PEP IdentificationOverviewThe following table lists the steps that the First Line of Defense performs during PEP identification and screening.

Step Action Owner

1. Enter the following information into WorldCheck and check the following information against local or regional lists in {insert list screening tool} for non-individual customers at the time of onboarding:

Full legal and any “trading as” name;

City and country of registered office address in country of incorporation; and

City and country of business address (if different from registered address).

AML KYC CoE (Shared Services)

2. Enter the following information into WorldCheck and check the following information against local or regional lists in {insert list screening tool} for individual customers at the time of onboarding:

Full legal name (last name, first name, and middle initial); and

City and country of residence.


3. Enter the following information into WorldCheck and check the following information against local or regional lists in {insert list screening tool} for other related parties (if applicable) at the time of onboarding:

Information required to be identified in relation to third parties (such as Beneficial Owners, controlling parties, and associated third parties) each as defined in the Global AML Policy, must be screened at the time of account opening.


133


The following table lists the steps that the First Line of Defense performs during PEP identification and screening.

Step Action Owner

4. Compare the name of the customer or related party being screened to the name of the PEP identified in WorldCheck or local or regional lists in {insert list screening tool}. If no combination of the first and last names of the individual or

entity matches the PEP, this should be considered a “Negative Match” (as defined below) and there is no need to proceed to the next steps.

It is important to also compare the name of the individual or entity identified being screened to all alternate names, or “AKA” shown for identified PEPs.

In the case of businesses/organizations, perform this analysis for the business/organization name:

Compare the individual’s Date of Birth (“DOB”) with those shown for identified PEPs.

Compare the individual’s or entity’s identification data to that shown for the identified PEP.

If information is sufficient to clear the potential match cannot be obtained, the potential match should be forwarded to the respective Business Unit.


5. If a potential match is received, determine which of the below four scenarios applies:

1. Two or more pieces of the individual’s or non-individual’s demographic data (including the name) match to that of the identified PEP. This should be considered a “Positive Match” and must be forwarded to OFAC/Sanctions Central Monitoring

2. There is no demographic data provided in the PEP list or database. Since there is insufficient information to resolve the potential match, it should be forwarded to OFAC/Sanctions Central Monitoring who will consult with the source issuing the PEP list or database.

3. The PEP list or database provides demographic data, but demographic data is missing from the individual or entity’s record. The Business Unit maintaining the account that generated the potential match must obtain the missing data to evaluate the match status.

4. There is enough data on both, the individual or entity being screened and the PEP list or database to determine that it is not a match. Specifically, nothing on either record, other than the name or portions of the name, matches. This should be considered a “False Positive Match” and documented accordingly.


134


The following table lists the steps that the First Line of Defense performs during PEP identification and screening.

Step Action Owner

6. Conduct supplemental EDD and obtain required approvals within 30 calendar days for PEPs identified in overnight or periodic batch screening.

Business Unit and AML KYC CoE (Shared Services)

7. Complete these steps at the time of a customer periodic review and all trigger events.


135


Topic 11: How to Conduct EDDOverviewThe following table lists the steps that the First Line of Defense performs during EDD.

Step Action Owner

1. Collect the EDD requirements based on the AML KYC Requirements Matrix if necessary.

Business Unit

2. Review the information, data and/or documentation received from the customer and update the customer’s KYC file in the KYC Platform with this information.

Business Unit

3. Verify the customer’s source of wealth from the documentation compiled.


4. Request additional documentation to complete the Source OF Wealth verification when appropriate.

Business Unit

5. Identify beneficial owners with a 10 percent (%) or greater ownership interest.


6. Utilize business applications and public domain (open source) data to review and validate the provided documentation to ensure that the customer information is accurate.


7. Conduct site visits for MSBs and other customer types where applicable and document the information obtained in a report.

Business Unit AML Officer

8. Add the site visit report to the customer’s KYC file in the KYC Platform.


9. Use Prime and WorldCheck to screen the related parties (UBOs, controlling parties, and associated third parties) information against all required lists as specified in Section 4.5.5, Screening.


10. Contact the customer for any additional outstanding information, data and/or documentation needed as a result of a potential match.

Business Unit

11. Escalate any potential matches which cannot be dispositioned to AML Compliance for review.


12. If, based on the results of the screenings, AML and/or Sanctions policies and guidelines will dictate the relationship is prohibited, terminate the relationship.

Business Unit

13. Capture all information, data and/or documentation compiled during the gathering of requirements.


136


The following table lists the steps that the First Line of Defense performs during EDD.

Step Action Owner

14. Send an email to AML Compliance FIU that the Enhanced Due Diligence Customer Profile is available for review in the KYC Platform. The Enhanced Due Diligence Customer Profile must contain the reason for rating the customer or account High Risk.


15. Evaluate the risks presented in the Enhanced Due Diligence Customer Profile by the Business Unit and assign any relevant unique mitigants to manage the risks, which will be captured in the Financial Intelligence Unit Assessment.

AML Compliance FIU

16. Request any required additional documentation or mitigants from the Business Unit.

AML Compliance FIU

17.Contact the potential customer, if required, to gather sufficient information to answer the specific questions from AML Compliance FIU.

Business Unit

18.

Complete the Financial Intelligence Unit Assessment.

This will include the enhanced procedures required to onboard the High AML Risk customer and outline the monitoring and any other unique mitigants the Business Unit will implement to monitor the account in the case of endorsement.

AML Compliance FIU

19. Notify the Business Unit of endorsement or notice of non-endorsement to onboard the customer.

AML Compliance FIU

20.

Review and acknowledge the risks and any unique mitigants in the Financial Intelligence Unit Assessment and decide to either continue with procedural steps and complete the account opening process, or in the case of non-endorsement, work with AML Compliance FIU to discuss what parameters would be necessary to open the account.

Business Unit

21.

Sign off on the Financial Intelligence Unit Assessment to accept the risk presented by the customer at the Business Unit level and retain the documentation along with the KYC information in the KYC Platform.

Business Unit Chief Operating Officer, equivalent and/or delegate

22.

Review, acknowledge, and if applicable approve of the risks and unique mitigants in the Financial Intelligence Unit Assessment when customers are Risk Rated High. Send the approved FIU Assessment back to AML KYC CoE (KYC Shared Services).

Money Laundering Reporting Officer (MLR”)

23. Upload the FIU Assessment to the KYC file in the KYC Platform. AML KYC CoE (Shared Services)

24. If the customer is accepted, open the account. Business Unit

25. If the customer is rejected, retain the signed rejection of the customer in the customer’s KYC file in the KYC Platform.

Business Unit

137


Lesson 6: Summary A High-risk customer’s activities should be reviewed more closely at the time the account is

opened and more frequently throughout the term of the relationship.

After completing CDD and determining that the customer is High-risk or the customer type requires mandatory EDD, AML KYC CoE (Shared Services) must perform EDD.

To better understand the risks posed by a customer who requires EDD, the Business Unit obtains additional information about the customer, UBOs, and any other related and specified controlling parties and associated third parties.

AML KYC CoE (Shared Services) uses the KYC Requirements Matrix to determine what information, data, and/or documentation is required by customer type and jurisdiction.

The information collected to determine a customer’s source of wealth will differ depending on whether the wealth is acquired through ownership of a business, employment or professional practice, inheritance, and investments.

Source of wealth can be either Reasonable or Unreasonable.

Site visits are an important part of the EDD process for MSBs, and other customer types, to confirm the veracity of the information provided by the customer.

PEPs may be identified through the checks against local or regional lists, which are conducted at the time the customer’s account is opened.

When it has been determined that a customer is or has a PEP associated with it, additional KYC must be performed on the PEP. The information, data and/or documentation required to complete the additional KYC is detailed in the KYC Requirements Matrix.

Unique mitigants are based on the situation and circumstances specific to each customer and may consist of one or more controls.

AML records must be maintained for a minimum of five years (from the end of the customer relationship in the case of identity records) or longer, if local regulation requires.

138


Lesson 7: Ongoing Reviews

Topics 1. Periodic Reviews2. How to Conduct Periodic Reviews for Low and Medium Risk Customers3. How to Conduct Periodic Reviews for High Risk Customers4. Event Driven Reviews5. Examples of Trigger Events6. Suspicious Activity7. Transaction Monitoring8. Sanctions screening 9. Sanctions Licenses10. Board and Senior Management Reporting

IntroductionOnce the Customer has been onboarded, there are many activities that are required to maintain the ongoing relationship with the customer. These activities ensure that the KYC information we have on file is accurate, that we are monitoring our AML and Sanctions risks, and that State Street remains compliant with its AML and Sanctions Program as well as the regulations that drive it.

The following activities are included in ongoing relationship:

Periodic Reviews

Event Driven Reviews

Suspicious Activity

Transaction Monitoring

Ongoing Sanctions Screening

Board and Senior Management Reporting

139


Topic 1: Periodic ReviewsOverviewIn accordance with State Street’s Global AML Policy, the Business Unit and the AML KYC CoE (Shared Services) will conduct risk-based periodic reviews on all customers in order to ensure KYC information is accurate and revise where appropriate the customer’s risk rating. Business Units will be notified of upcoming reviews 90 days prior to the due date of the review, according to the established timeline by risk level (below), by the Shared Service.

AML KYC CoE (Shared Services) will initiate and complete, in conjunction with AML Compliance and the Business Unit, periodic reviews of customer accounts in accordance with the below schedule:

Customer Type Frequency

High-risk Customer Every year; the first review should be scheduled after six months from the date in which the entity’s status in the KYC Platform reflects “complete.”

Medium-risk Customer

Every two years

Low-risk Customer Every three years

The timeline for conducting periodic reviews begins when a customer has been fully onboarded and approved.

Discussion Question

Do you think periodic reviews of medium risk customer should be done annually instead of every two

years? Will it help to identify more customers with financial irregularities?

140


Topic 2: How to Conduct Periodic Reviews for Low and Medium Risk CustomersOverviewThe following table lists the steps that the First line of defense performs for low and medium risk customers.

Step Action Owner

1. Contact the appropriate Business Unit representative 90 calendar days in advance of the Periodic Review.

Remember: Low is every three years and Medium is every two years.


2. Enter all data elements into the required/specific fields in the Periodic Review Form and retain the form in the KYC Platform after obtaining all required information, data and/or documentation per the AML KYC Requirements Matrix.


3. Review the information, data, and/or documentation received from the customer, including beneficial ownership.


4. Contact the customer if any of the required information, data, and/or documentation for the Periodic Review Form cannot be obtained.

Business Unit

5. Validate that all customer KYC information is up to date and accurate in the customer’s KYC file in the KYC Platform and all customer profiles and associated cases (e.g. alerts, investigation and remediation results) are up to date and accurate.


6. Determine if there are any material changes to the customer’s original information.


7. Re-screen the following customer (account/account holder) and associated party information against all the required lists as noted in Section 4.5.5, Screening, using Prime and Worldcheck:

Customer’s full name/business name;

Parent holding companies;

Owners of the business;

Board of Directors;

Senior Management; and

Country of domicile and country of residence, for the individuals for whom it is required to be obtained as part of onboarding per the KYC Requirements Matrix, should also be reviewed to ensure the BU does not enter into a relationship with prohibited countries. See the Global Sanctions Policy for more information.


8. Review the actual activity against the previously documented expected profile.

Business Unit

141


The following table lists the steps that the First line of defense performs for low and medium risk customers.

Step Action Owner

9. Document findings where actual activity is expected based on what State Street knows about the customer and what is documented in the customer’s KYC profile in the KYC Platform. Any known major changes in expected behavior will be included in the KYC profile in the KYC Platform. If customer activity has not deviated from expected activity, use actual transactional activity as a baseline going forward.

Business Unit

10. Where acceptable reasons for the variance between expected and actual activity cannot be obtained, escalate the matter to the Business Unit AML Officer for review.

Business Unit

11. Provide guidance on next steps, which may include recommending a change to the CRR, completing a UAF, and/or exiting the relationship in a timely manner. The Periodic Review will be suspended until further advice has been provided.


12. Progress the profile according to the advice from the Business Unit AML Officer including any agreed updates to the customer account profile.


13. Review the updated customer KYC profile for potential changes in the risk rating to determine if the CRR should be revised.


14. Review the CRR when information indicates that the customer has a material change. See Section 4.5.8 for information on CRR.

Enter all applicable customer information into CRR Tool in order to generate the CRR. Validate that all data elements have been entered completely and accurately.

Generate the CRR and save the results in the KYC Platform.


15. Forward the completed Periodic Review Form to the Business Unit Chief Operating Officer, equivalent and/or delegate for review and sign off.


16. Sign off on the Financial Intelligence Unit Assessment to accept the risk presented by the customer at the Business Unit level and retain the documentation along with the KYC information in the KYC Platform.


17. Record all findings and attach all documentation to the KYC profile in the KYC Platform.


142


Topic 3: How to Conduct Periodic Reviews for High Risk CustomersOverviewThe following table lists the steps that the First line of defense performs for high-risk customers.

Step Action Owner

1. Contact the appropriate Business Unit representative 90 calendar days in advance of the six month or annual Periodic Review.


2. Enter all data elements into the required/specific fields in the Periodic Review Form and retain the form in the KYC Platform after obtaining all required information, data and/or documentation per the AML KYC Requirements Matrix.


3. Review the information, data, and/or documentation received from the customer, including beneficial ownership.


4. Contact the customer if any of the required information, data, and/or documentation for the Periodic Review Form cannot be obtained.

Business Unit

5. Validate that all customer KYC information is up to date and accurate in the customer’s KYC file in the KYC Platform and all customer profiles and associated cases (e.g. alerts, investigation and remediation results) are up to date and accurate.


6. Determine if there are any material changes to the customer’s original information.


7. Re-screen the following customer (account/account holder) and associated party information against all the required lists as noted in Section 4.5.5, Screening, using Prime and WorldCheck:

Customer’s full name/business name;

Parent holding companies;

Owners of the business;

Board of Directors;

Senior Management; and

Country of domicile and country of residence, for the individuals for whom it is required to be obtained as part of onboarding per the KYC Requirements Matrix, should also be reviewed to ensure the BU does not enter into a relationship with prohibited countries. See the Global Sanctions Policy for more information.


8. Review the actual activity against the previously documented expected profile.

Business Unit

143


The following table lists the steps that the First line of defense performs for high-risk customers.

Step Action Owner

9. Document findings where actual activity is expected based on what State Street knows about the customer and what is documented in the customer’s KYC profile in the KYC Platform. Any known major changes in expected behavior will be included in the KYC profile in the KYC Platform. If customer activity has not deviated from expected activity, use actual transactional activity as a baseline going forward.

Business Unit

10. Identify and document discrepancies between expected and actual activity (e.g., changes in transactional frequency/patterns, transactions to/from High Risk jurisdictions, negative news identified). If customer activity has not deviated from expected activity, use actual transactional activity as a baseline going forward.


11. Where acceptable reasons for the variance cannot be obtained (e.g., the activity is not consistent with the understanding of the relationship), escalate to AML Compliance and the Business Unit Chief Operating Officer, equivalent, and/or delegate.


12. Provide guidance on next steps which may include filing a SAR, changing the CRR and/or exiting the relationship. The Periodic Review will be suspended until further advice has been provided.

AML Compliance FIU

13. Progress the profile according to the advice from AML Compliance FIU including any agreed updates to the customer account profile.


14. Review the risks and mitigating activities and/or controls to ensure they are implemented as outlined in the EDD Customer Profile and/or customer file as documented in the KYC Platform.


15. Complete a full review of the customer to validate the: Correct risk rating is assigned; Appropriate controls and unique mitigants are in place; Controls and unique mitigants have been adhered to; and

Relationship remains within its risk appetite.


16. Send an email to AML Compliance FIU when the Periodic Review Form for High Risk Customers is available for review.


17. Evaluate the risks presented in the Periodic Review Form by the Business Unit and assign any relevant unique mitigants to manage the risks, which will be provided via email to the Business Unit.

AML Compliance FIU

18. Request any required additional documentation or mitigants from the Business Unit.

AML Compliance FIU

19. Contact the customer, if required, to gather sufficient information to answer the specific questions from AML Compliance FIU.

Business Unit

20. Sign the Review.Comment on the Periodic Review Form if applicable.

AML Compliance FIU

144


The following table lists the steps that the First line of defense performs for high-risk customers.

Step Action Owner

21. Notify the AML KYC CoE (Shared Services) of endorsement or notice of non-endorsement of the Periodic Review Form.

AML Compliance FIU

22. Notify the Business Unit of completion of the Periodic Review Form by AML Compliance FIU.


23. Review and acknowledge the risks and any unique mitigants provided by AML Compliance FIU.

Business Unit

24. Provide the Periodic Review Form to the Business Unit Chief Operating Officer, equivalent and/or delegate and the MLRO, in certain jurisdictions, for review and sign off.


25. Sign off on the High Risk Periodic Review form to accept the risk presented by the customer at the Business Unit level and retain the documentation along with the KYC information in the KYC Platform.


26. Review and sign off on the risks and mitigating activities and/or controls to ensure they are implemented as outlined in the EDD Customer Profile and/or customer file as documented in the KYC Platform.

MLRO

27. Receive formal approval prior to increasing or decreasing the risk rating to or from High Risk as a result of Periodic Review.






145


Topic 4: Event Driven ReviewsOverviewThe event driven review process involves reviewing issues arising from customer and transaction monitoring and screening. These issues will be handled at the time they arise. An event driven review may be warranted before the next scheduled periodic review due to certain trigger events or changes related to the customer or related parties.

Where concerns are raised through these processes, these will be escalated to the Business Unit AML Officer who will determine the required course of action, which may result in closing the customer’s account, refreshing of the KYC file, or modifying the risk rating.

An event is any activity that could negatively impact the overall AML and/or Sanctions risks associated with the customer.

The Business Unit identifies an event through:

Manual monitoring

Information provided by the customer or from other sources

If an event is identified, the Business Unit conducts an event driven review depending on the type of event, and should notify AML KYC CoE (Shared Services) and AML Compliance.

An event driven review resets the scheduled periodic review.

Discussion Question

How does the Business Unit identify an event?

146


Topic 5: Examples of Trigger EventsOverviewSome examples of trigger events include:

The customer or related parties are added to Global or applicable Local Sanctions lists

The customer’s or related parties’ country information changes to a Sanctioned country

Payments to or from the customer are blocked or rejected for Sanctions reasons

Information is received that suggests the customer is attempting to circumvent Sanctions or is associated with Sanctioned parties

New customer relationships (i.e., change in ownership structure)

The customer undergoes a change to the legal structure/formation of the business (i.e., going public or changing from a non-profit to a for-profit business)

Suspicious account activities

The customer identifies additional controlling parties, associated third parties, or signers

If it is determined, as part of the review, that enough information has changed to warrant a change to the AML CRR, the change will be documented in the customer’s profile only after a risk rating has been generated using the most current customer information.

The following table describes the actions required for Low, Medium, and High-risk customers.

For customers who were Low or Medium-risk and have become High-risk

For customers who were High-risk and have

become Low or Medium-risk

For customers who were Low-risk and are now considered

Medium-risk, and for customers who were Medium-risk and are now considered

Low-risk

The First Line of Defense conducts EDD and obtains the required signoffs from AML Compliance, Money Laundering Reporting Officer (MLRO) (where applicable), and the Business Unit Chief Operating Officer, equivalent and/or delegate.

The First Line of Defense conducts CDD. Moving to a lower risk rating requires signoffs from AML Compliance MLRO (where applicable), and the Business Unit Chief Operating Officer, equivalent and/or delegate.

The First Line of Defense obtains approval from the Business Unit Chief Operating Officer, equivalent and/or delegate.

147


Topic 6: Suspicious ActivityOverviewIt is the responsibility of all State Street employees to detect and prevent money laundering by escalating any activity or information that could possibly be associated with money laundering to management.

During the course of business, all State Street employees must be vigilant in the fight against money laundering and terrorist financing by being alert and aware of unusual activities or “red flags” associated with potential suspicious activities.

It is State Street’s policy to identify, investigate, and report suspicious activities in a complete, accurate, and timely manner.

State Street employees must not knowingly or through willful blindness aid and abet individuals, who attempt to violate or circumvent money laundering laws or the State Street Global AML Policy, by providing:

Advice Facilitating customer transactions using personal accounts Conducting transactions that break or obscure the audit trail

Breaches of the State Street Global AML Policy may result in disciplinary action, up to and including dismissal, civil, and/or criminal penalties.

Suspicious Activity DefinedSuspicious activities are defined in several ways and can involve funds derived from illegal activities:

Intended or conducted to hide or disguise funds or assets derived from illegal activities.

Designed to evade AML regulatory requirements.

Suspicious activities can appear to serve no business or apparent lawful purpose, and the financial institution can determine no reasonable explanation for a transaction after examining all available facts. Suspicious activities can also involve use of a FI to facilitate criminal activities.

AML Compliance monitors suspicious activities or patterns that may be inconsistent with the anticipated or expected activities for a particular customer or account.

These activities may include:

Incoming/outgoing wires Journals of funds and securities Deposits, withdrawals, and/or asset movements

148


Red FlagsIdentifying red flags is an integral part of the AML and Sanctions Compliance Programs. State Street employees’ understanding of, and ability to recognize, red flags is vital to ensure timely and adequate identification and escalation of unusual or suspicious activities.

The following table lists the steps that the First line of defense performs for identifying Red Flags.

Step

Action Owner

1. Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible unusual or suspicious activities as defined in the AML and Sanctions Compliance Programs

Business Unit

2. If a red flag, or series of red flags, is detected, document it using the Unusual Activity Form (UAF). The UAF should include:

Description of what has happened; Documentation of when it happened (list the specific

transactions/activities, dates and supporting documentation); and Description of why the transaction/activity is unusual.

Business Unit

3. Submit the UAF to AML Compliance FIU, the Business Unit AML Officer/MLRO and/or Business Unit Manager or equivalent in line with local requirements via email and confirm receipt.

Business Unit and Business Unit AML Officer

4. Any inquiries from AML Compliance FIU or Business Unit AML Officer following the UAF must be promptly responded to via email and receipt must be confirmed.

AML Compliance FIU and Business Unit AML Officer

5. Ensure AML Compliance FIU communication takes place, to enable AML Compliance to periodically update the AML and Sanctions Compliance Programs to reflect possible changes/additions in red flags.

Business Unit, Business Unit AML Officer and AML Compliance FIU

Important Notes Identifying one or more red flags in customer or transaction activity does not in and of itself

indicate suspicious activity (money laundering and/or terrorist financing). However, additional care needs to be taken, including notifying your immediate supervisor or your Business Unit AML Officer.

If not explained through further review, red flags must always be researched and investigated. It is the responsibility of all State Street employees to be alert to unusual activity and report the same.

149


Topic 7: Transaction MonitoringOverviewAML Compliance FIU monitors account activity for unusual size, volume, pattern, or type of transactions, taking into account risk factors and red flags that are appropriate to each Business Unit.

Monitoring can be conducted through Automated Monitoring or Manual Monitoring.

Automated Monitoring Manual Monitoring

The AML Compliance Financial Intelligence Unit (FIU) uses a Windows® based desktop application to monitor customer account activity for the purpose of determining whether abnormal transaction patterns are present. This application filters, compiles, summarizes transaction data, and identifies instances of potentially suspicious behavior.

The Business Unit identifies suspicious behaviors by conducting manual monitoring of customer and account related activity.

Automated MonitoringThe AML Compliance FIU uses ASSIST//CK®, a Windows® based desktop application, to monitor customer account activity for the purpose of determining whether abnormal transaction patterns are present.

Whenever abnormal patterns are identified, the AML Compliance FIU will contact the Business Unit who:

Receives an information request from the AML Compliance FIU by email; and

Ensures a timely and accurate follow up of this information request, as detailed in the request itself.

ASSIST//CK® generates exception reports based on the degree to which actual activity exceeds pre-defined transaction profiles. On a monthly basis, account exceptions are referred by the AML Compliance FIU to the Business Unit representative responsible for the reported account. The exception report is also sent to the Business Unit AML Officer.

When the Business Unit representative receives an exception report from the AML Compliance FIU, the Business Unit must complete the following:

Step

Action Owner

1. Review the customer’s KYC file in the KYC Platform, particularly the expected activity.

Business Unit

2. Review the customer transaction history in {insert account transaction system}.

Business Unit

3. Determine whether activity identified in the exception report is outside the normal, expected activity for the account.

Business Unit

4. Inform the AML Compliance FIU of potentially suspicious/unusual activity. Business Unit

5. Investigate the case to determine if a suspicious activity report is required AML

150


or if no further action is necessary. Compliance FIU

151


When the Business Unit representative receives an exception report from the AML Compliance FIU, the Business Unit must complete the following:

Step

Action Owner

6. Provide the Business Unit with further guidance on how to address the exception, documented in the UAF.

AML Compliance FIU

7. Respond to the AML Compliance FIU within ten (10) calendar days. Business Unit

Manual MonitoringThere are instances where the Business Unit will identify suspicious behaviors by conducting manual monitoring of customers and customer’s accounts related to activity.

The Business Unit must adhere to procedures for monitoring customer accounts. This can also include identifying potentially suspicious customer behavior highlighted in red flags.

The following table lists the steps that the Business Unit performs for identifying suspicious behaviors by conducting manual monitoring.

Step

Action Owner

1. Assess whether customer activity or behavior triggers a red flag based on unusual or suspicious behavior identified.

Business Unit

2. Review the customer’s KYC file in the KYC Platform, particularly the expected customer activity.

Business Unit

3. Review the customer transaction history in {insert account transaction system}.

Business Unit

4. Determine whether the activity is outside the normal, expected activity for the account.

Business Unit

5. Document manual monitoring results in the UAF, including:

Describing what has happened (details of reason to start monitoring activities).

Documenting when it happened (list the specific transactions and supporting documentation).

Listing arguments whether or not this activity is suspicious.

Business Unit

6. Submit UAF to the AML Compliance FIU, Business Unit AML Officer, and/or Business Unit Manager so that a case may be opened and investigated.

Business Unit

Important NoteState Street may receive inquiries and requests from law enforcement or regulatory agencies to maintain and monitor a customer’s account(s).The Business Unit must enhance these procedures, where necessary, to comply with requirements of the regulatory and law enforcement bodies in their jurisdiction, and to notify the AML Compliance Regional Head of all such requests.

152


Topic 8: Employee Identification and Escalation of Suspicious Customer BehaviorOverviewIf a State Street employee identifies an activity he/she knows or has reason to believe is unlawful, otherwise potentially suspicious, or abnormal customer activity, within one business day, the employee must:

Step

Action Owner

1. Notify the AML Compliance FIU, Business Unit AML Officer/MLRO and/or Business Unit Manager.

Business Unit

2. Notification must be in writing, utilizing the UAF. The UAF should include:

Description of what has happened. Documentation of when it happened (list the specific

transactions/activities, dates and supporting documentation). Description of why the transaction/activity is unusual.

3. Submit the UAF to AML Compliance FIU, and/or MLRO (where available) via email and confirm receipt.

Business Unit and Business Unit AML Officer

4. Any inquiries from AML Compliance FIU or Business Unit AML Officer following the UAF must be promptly responded to via email and receipt must be confirmed.

AML Compliance FIU and Business Unit AML Officer

5. Upon receiving a UAF, AML Compliance FIU or equivalent will review the document and decide if the suspicious activity documentation requires additional information and/or warrants filing a report with the appropriate authorities in the form of a Suspicious Transaction Report or Suspicious Activity Report (STR/SAR) (or jurisdictional equivalent). When a STR/SAR is warranted, the AML Compliance FIU will follow the local governance structure for reporting purposes by informing the local MLRO or the SAR Review Committee (in the U.S.).

Business Unit, Business Unit AML Officer and AML Compliance FIU

Important Notes Employees should not attempt to perform their own review or investigation before referring

potentially suspicious activity. At the same time, employees should maintain a file which provides the identity of the individual or entity in question, the type of activity, and why it is considered unusual or questionable.

After submitting the UAF, the employee may be contacted by the Business Unit AML Officer or the AML Compliance FIU during the course of an investigation.

Throughout the investigation, STRs/SARs are strictly confidential, and a State Street employee’s disclosure regarding the consideration of a STR/SAR filing is strictly prohibited. Under no circumstances may any employee inform any person known to be or suspected of being involved

153


in the illegal or suspicious activity that the activities are believed to be suspicious or are being reported internally or to government authorities.

Impact on Customer RelationshipWhen suspicious activity has been identified, the Business Unit must:

Determine whether it will terminate the customer relationship (in some cases this may be done in consultation with law enforcement).

If suspicious activity continues, State Street may be required by law to report suspicious activity periodically via a STR/SAR.

If law enforcement requests that State Street continue the relationship while investigating the matter:

State Street must receive a letter from the investigating agency stating the purpose of the request; and

The non-U.S. Business Unit AML Officer must confirm that honoring the request is in accordance with local AML laws and regulations and obtain guidance from Legal Counsel.

If State Street files a STR/SAR on a customer, several courses of action may be taken that may require additional action by the Business Unit. These include:

Accelerating periodic or event-driven reviews

Limiting account activity of customers who have been investigated

Increasing monitoring on further account activity

Suspending payments

Closing an account(s)/terminating the customer relationship

The appropriate State Street employees (General Counsel, AML Compliance and Business Unit management, and in certain cases, in consultation with law enforcement) must determine if the customer relationship is to be terminated as a result of the identified suspicious activity.

154


Topic 9: Sanctions ScreeningOverviewOngoing Sanctions screening is automated and performed by OFAC/Sanctions Central Monitoring, and is mainly focused on existing customer screening and third party screening.

AML KYC CoE (Shared Services) must screen the customer, both Non-Individuals and Individuals, for potential matches with Sanctioned countries at the time of onboarding.

Names and locations of the following must be screened:

Customer and other related party names, such as collective investment vehicle name, pension fund name, name of corporation for corporate cash

Beneficial Owners/Shareholders/Underlying Customers

The following table lists the steps that AML KYC CoE (Shared Services) performs to screen the customer.

Step

Action Owner

1. Check the names and locations of the following against the applicable Sanctions lists, as noted in Section 4.5.5, Screening, using Prime and WorldCheck:

Customer and other related party names and country (i.e., collective investment vehicle name, pension fund name, name of corporation for corporate cash).

Beneficial Owners/Material Shareholders names and country.


2. Check the names of the following against the applicable Sanctions lists using Prime and WorldCheck:

Controlling parties and associated third parties.


3. Enter the following information into Prime for individual customers:

Full legal name (last name, first name, and middle initial); and

City and country of residence.


4. Enter the following information into Prime for other related parties (if applicable):

Refer to the KYC Requirements Matrix for the related parties’ information to be captured and Appendix G.

Information required to be identified in relation to third parties (such as Beneficial Owners) each as defined in the Global AML Policy, must be screened at the time of account opening.


5. Perform investigative steps to determine whether the customer or related party being screened is the individual or entity against whom the various government have leveled sanctions if a potential match is identified.


155


The following table lists the steps that AML KYC CoE (Shared Services) performs to screen the customer.

Step

Action Owner

6. Compare the name of the customer or related party being screened to the name of the sanctioned party. If no combination of the first and last names of the individual or entity matches those of the sanctioned party, this should be considered a Negative Match (as defined below) and there is no need to proceed to the next steps.

It is important to also compare the name of the individual or entity identified being screened to all alternate names, or “AKA” shown for the sanctioned party.

In the case of businesses/organizations, perform this analysis for the business/organization name.

Compare the individual’s DOB (Date of Birth) and POB (Place of Birth if applicable/available) with those shown for the sanctioned party.

Compare the individual’s or entity’s identification data to that shown for the sanctioned party.

If information sufficient to clear the potential match cannot be obtained, the potential match should be forwarded to the respective Business Unit.


7. If there is a potential match, determine which of the below four scenarios applies:

1. Two or more pieces of the individual’s or non-individual demographic data (including the name or jurisdiction) match to that of the sanctioned party or OFAC sanctioned country. This should be considered a “Confirmed Match” and must be forwarded to OFAC/Sanctions Central Monitoring.

2. There is no demographic data provided in the Sanctions List since there is insufficient information to resolve the potential match, it should be forwarded to the non-U.S. Business Unit AML Officer who will consult with the relevant governmental body that issues the Sanctions List directly.

3. The Sanctions List provides demographic data, but demographic data is missing from the individual or entity’s record. The Business Unit maintaining the account that generated the potential match must obtain the missing data to evaluate the match status.

4. There is enough data on both, the individual or entity being screened and the Sanctions List to determine that it is not a match. Specifically, nothing on either record, other than the name or portions of the name, matches. This should be considered a “Negative Match” and documented accordingly.

Confirmed match between customer’s jurisdiction and prohibited country according to OFAC or jurisdictional equivalent. Escalate to OFAC/Sanctions Central Monitoring immediately.


156


MatchesThe following table provides details about a Confirmed Match and False Positive Match.

Confirmed Match False Positive Match

A confirmed match is a Non-Individual or an Individual whose exact name, plus at least one other item of personal data, specifically the date of birth, identification number, or physical address and country (Individual)/physical and legal address (entity) match to an entry in the Sanctions lists.

Example:A transaction is processed in the name of Kindhearts. As identification located in the SWIFT message, Kindhearts included a corporate address, 125 East Main Street, Toledo OH in the details field. A match is identified to an OFAC SDN, named Kindhearts for Charitable Humanitarian Development with the same address. Since the name and address match exactly to the information in the OFAC SDN list, this is an example of a confirmed match.

A false positive match is a Non-Individual or an Individual whose name matches an entry in one of the Sanctions lists, but the accompanying personal data does not match.

Example:In a periodic update to the SDN list, OFAC adds a name with the following description:

“ABBAS, Adbul Hussein, Italy (individual) [IRAN]”

In a review of our previously cleared transactions, we identify a potential name match for a customer Issac Hussein. Issac Hussein receives monthly payments. The filter matched the last name of the individual or entity identified in the payment message with the last name of the designated individual in the Sanctions list. This instance would be considered a false positive match because the name of the individual or organization identified in the payment message and designee in the Sanctions list do not match.

Sanctions ClearingPotential matches are to be addressed with immediacy regardless of whether related to a customer or customer’s customer. Potential matches should be cleared within one (1) business day, from the day they were generated in the Sanctions screening system.

In case of a potential match at a minimum, the following activities need to be performed by AML KYC CoE (Shared Services):

Step

Action Owner

1. Assess the quality of the potential match by evaluating how much of the list’s name is matching against the transaction’s and the other identifying information provided such as date of birth, passport number, address, etc.


2. If the potential match is deemed to be a false positive, the explanation is recorded in Prime and the KYC Platform. If any research material or information was used to clear a hit, then this is saved electronically in Prime and the KYC Platform.


3. If the potential match is deemed to be a confirmed match with an individual or entity on a Sanctions List, the AML KYC CoE (Shared Services) must immediately notify OFAC/Sanctions Central Monitoring by opening a case in Prime.


157


AML KYC CoE (Shared Services) must always save research material and information used to assess the potential match in the customer information management system and customer’s KYC file. Documentation supporting the match assessment, including arguments and conclusions, needs to be filed. Additionally all confirmed matches escalated, including documentation, need to be documented by AML KYC CoE (Shared Services).

All State Street employees must use uniform documentation when notating any cleared or confirmed Sanctions match. The following annotation standards have been outlined:

Match of False Positive Annotations Examples

Confirmed MatchThe individual or entity identified in the new or ongoing Sanctions screening matched that of theSanctions Lists.

The individual or entity, XXX, identified in the new or ongoing Sanctions screening, matched that of the Listed individual or entity, XXX.

False Positive

The individual or entity identified in the new or ongoing Sanctions screening matched that on the Sanctions List, which was determined to be a false positive based upon address/location not matching the Sanctions list.

The individual, Tony Blair, located in Livingston, Zambia, identified in the new or ongoing Sanctions screening as a potential match, was determined to be a false positive based upon location/address not matching the Sanctions List individual, Anthony Charles Lynton Blair, London, England.

False Positive

The individual or entity identified in the new or ongoing Sanctions screening matched that on Sanctions Lists, where the potential match was determined to be a false positive based upon name and nationality/address not matching the Sanctions List.

The individual, Tony Frederick Blair, of Livingston, Zambia, identified in the new or ongoing Sanctions screening had a potential match, but was determined to be a false positive based upon name not matching the Sanctions List individual, Anthony Charles Lynton Blair of the United Kingdom.

158


Escalation ProcessWhen Sanctions related alerts, whether identified at onboarding or ongoing screening, are not timely cleared, the following escalation process will be followed by AML Compliance:

Timeframe Escalating parties

After five calendar daysVP – Business Unit

Business Unit Sanctions Compliance Officer

GS Compliance Mailbox

After ten calendar days

SVP – Business Unit


Senior Compliance Officer

Global Chief AML Officer


After fifteen calendar days

EVP – Business Unit


Senior Compliance Officer

Global Chief AML Officer

Chief Compliance Officer


Exception ReportsOn a weekly basis, OFAC/Sanctions Central Monitoring sends through a list of all aged alerts to the Business Unit. The Business Unit must review the alerts using the information in {insert customer database system} and {insert account transaction system}. The Business Unit will disposition alerts within one business day and return the results to OFAC/Sanctions Central Monitoring. Should the Business Unit fail to address aged alerts, OFAC/Sanctions Central Monitoring will initiate the escalation process that includes notification of Business Unit management, and AML Compliance including the Business Unit AML Officer, the Business Unit Sanctions Compliance Officer and the Global Chief AML Officer.

The Business Unit, upon receipt of such emails from OFAC/Sanctions Central Monitoring, must research and annotate open alerts, and respond within one business day after performing the following tasks:

Step

Action Owner

1. Review the alert to determine what part of the transaction is causing the hit on the Sanctions List.

Business Unit

2. Assess the quality of the match by reviewing how much of the List is matching the customer’s information.

Business Unit

3. Refer to KYC documentation in KYC Platform to see if additional information provided such as date of birth, passport number, country of residence, country of incorporation, etc. is also a match with information in

Business Unit

159


the transaction.

160


The Business Unit, upon receipt of such emails from OFAC/Sanctions Central Monitoring, must research and annotate open alerts, and respond within one business day after performing the following tasks:

Step

Action Owner

4. Record the explanation for hits deemed to be false positive in Prime and save the research materials supporting the decision in Prime.

Business Unit

5. Record the explanation for hits deemed to be confirmed matches with an individual or entity on a Sanctions List in Prime and save the research materials supporting the decision in Prime.

Business Unit

6. Use the annotation standards identified above to draft a response to OFAC/Sanctions Central Monitoring detailing findings.

Business Unit

7. Email the response to OFAC/Sanctions Central Monitoring and the Business Unit Sanctions Compliance Officer within one business day of receipt of the exception report.

Business Unit

Discussion Question

AML KYC CoE (Shared Services) must screen the customer, both Non-Individuals and Individuals, for potential matches with Sanctioned countries at the time of onboarding. Provide some examples of sanctioned countries.

161


Topic 10: Sanctions LicensesOverviewA license is an authorization from governmental authorities (such as OFAC) to engage in a transaction that otherwise would be prohibited. There are two types of licenses:

1. General Licenses: Authorizes a particular type of transaction for a class of persons without the need to apply for a license.

2. Specific Licenses: A written document issued by the governmental authority to a particular person or entity, authorizing a particular transaction in response to a written license application.

General LicensesIf a customer states that a transaction is covered by a general license, the Business Unit is required to consult with AML Compliance and receive confirmation of the license prior to trade settlement or rendering services. AML Compliance will coordinate with Corporate Legal and Legal counsel to determine if the general license applies to State Street and if the transaction is permissible.

Specific LicensesIf a specific license is granted to a customer, the Business Unit must adopt additional procedures to ensure that the terms of the license are met on an ongoing basis. These procedures must include:

Step Action

1. Uploading a copy of the license to the KYC Platform.

2. Including the license number on all transactions.

3. Ongoing monitoring of compliance with the parameters of the license.

4. Monitoring the license expiration, as applicable.

In cases where the customer provides a specific license to a Business Unit, the Business Unit must email the following information to AML Compliance and the Business Unit Sanctions Compliance Officer:

1. Customer name

2. Account number(s)

3. License number

4. Copy of the license

5. Copy of the transaction request

AML Compliance must check the validity of that license with the issuing authority, before completing the transaction.

Important NoteIf a customer wants to engage in a transaction prohibited by Sanctions regulations, the Business Unit Sanctions Compliance Officer must notify AML Compliance. AML Compliance can provide the Business Unit with information on how the customer can request a specific license with the regulator.

The Business Unit must not settle trades or render services until the license is granted by the regulator. If a license is granted, the Business Unit is responsible for adopting and developing

162


additional internal procedures to ensure that the terms of the license are met with guidance from the Business Unit Sanctions Compliance Officer.

163


Topic 11: Board and Senior Management ReportingOverviewAML and Sanctions reporting to the board supports State Street’s AML and Sanctions Compliance Program that:

Outlines the governance structure, policies, procedures, and standards of State Street. Ensures compliance with all relevant laws, codes, rules, regulations, and standards of good

business practice.

The First Line of Defense is responsible for gathering relevant AML and Sanctions data for senior management and board reporting. Data can be provided on an ongoing basis, or based on ad hoc requests from either senior management and/or AML Compliance.

AML Compliance maintains a list of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which it collects from the First Line of Defense.

In addition to KRI/KPI metrics, AML Compliance and/or State Street management may request information related to:

AML and Sanctions projects and initiatives. Records of AML and Sanctions related training.

The following table provides details about KRI/KPI for Accounts, Activity, and Assessments.

Accounts Activity Assessments

Customers (Customers) Accounts Funded Accounts Missing

Risk Rating Funded Accounts Missing

Documentation Overdue Normal Risk

Account Reviews Overdue Higher Risk

Account Reviews Normal Risk Accounts High Risk Accounts High Risk Accounts

Approved High Risk Accounts

Declined Accounts in High Risk

Jurisdictions Accounts where UBO is a

PEP Accounts for Other High

Risk Business Unauthorized Investors

Positive Sanctions Hits Sanctions Cases 1-5

Days Sanctions Cases 6-30

Days Sanctions Cases 30+

Days Potentially Suspicious

Referrals to the FIU Number Of Exceptions >

30 Days Number Of Exceptions >

60 Days Number Of Exceptions >

90 Days SARs Filed (by Event

Type) 314(a) Positive Hits 314(b) Positive Hits PEP Cases Aged 0-30

Days PEP Cases Aged 31-60

Days PEP Cases Aged 61-90

Days PEP Cases Aged 91+

Days

AML-Related Regulatory Examinations

AML-Related Regulatory Issues Receive

AML-Related Regulatory Issues Outstanding

AML-Related Corporate Audit Issues Received

AML Related Corporate Audit Issues Outstanding

Future Regulatory AML-Related Examinations Expected in Current

164


Lesson 7: Summary In accordance with State Street’s Global AML Policy, AML KYC CoE (Shared Services) conducts

risk-based periodic reviews on all customers to ensure the KYC information is accurate and revises the customer’s risk rating, if appropriate. Business Units will be notified of upcoming reviews 90 days prior to the due date of the review.

An event driven review may be warranted before the next scheduled periodic review due to certain trigger events or changes related to the customer or related parties.

During the course of business, all State Street employees must be vigilant in the fight against money laundering and terrorist financing by being alert and aware of unusual activities or “red flags” associated with potential suspicious activities.

AML Compliance FIU monitors account activity for unusual size, volume, pattern, or type of transactions, taking into account risk factors and red flags that are appropriate to each Business Unit.

Ongoing Sanctions screening is automated and performed by OFAC/Sanctions Central Monitoring, and is mainly focused on existing customer screening and third party screening.

The First Line of Defense is responsible for gathering relevant AML and Sanctions data for senior management and board reporting. Data can be provided on an ongoing basis, or based on ad hoc requests from either senior management and/or AML Compliance.

AML Compliance maintains a list of Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), which it collects from the First Line of Defense.

165


Participant’s Notes

166


Abbreviations and AcronymsIf any abbreviations and acronyms, list here

167


GlossaryIf any glossary terms, list here

168


References If any references or source documents are available, list here

169