oversight framework for malaysia: approaches to...

1BANK NEGARA MALAYSIACENTRAL BANK OF MALAYSIA 1

Bali, Indonesia9 – 11 June 2008

Oversight Framework for Malaysia:Approaches to Customers’ Due Diligence (CDD)


Legal Framework

Oversight and Supervision

CDD Practices

Key Challenges

Content


Payment Systems Act (PSA) 2003

Legal Framework

Allow supervisors to access regulatees’books and records

Section 35Provides examination powerSection 34

To notify the Bank to operate payment system

Section 5

Permission to make payment outside Malaysia

Section 10

Permission to deal / quote foreign currency

Section 4

Exchange Control Act 1953


Anti Money Laundering and Anti Terrorism-Financing Act 2001 (AMLA)Came into operation effective 15 January 2002

Criminalises money laundering

Provides among others, for the following:

Money laundering offence

Financial intelligence

Reporting obligations of the reporting institutions

o Suspicious transaction reporting (STR)

o AML/CFT compliance programme

o Record keeping – 6 years

Investigation of ML/TF cases

Freezing, seizure and forfeiture of property

Combating the financing of terrorist (CFT) offences and freezing, seizure and forfeiture of terrorist property


Invocation on RSPs was carried out in stages….15 Apr 200215 Apr 2002

15 Apr 200315 Apr 2003

9 Mar 20079 Mar 2007

15 Nov 200615 Nov 2006

First stage – STR

In addition, RIs are subjected to:

Remaining reporting obligations in Part IV of the AMLA(covering among others S15 (Centralisation of Information),S16 (Identification of accountholder)

Standard Guidelines on AML/CFTAML/CFT Sectoral Guidelines 3 for Licensed Money Changers and/or Non-Bank Remittance Operators

Anti-Money Laundering and Anti-Terrorism Financing (Reporting Obligations) Regulations 2007 (AMLA Regulations)

S14(b) (Report by Reporting Institutions)S20 (Secrecy Obligation Overridden)S21 (Obligations of Supervisory or Licensing authority)S24 (Protection of Person Reporting) of the AMLA)


Issued in November 2006

Roles and responsibilities of Board of Directors/Senior Management

Formulate and approve AML/CFT policies and procedures

Appoint a compliance officer

Review and assess compliance with relevant AML/CFT laws and regulations

Ensure adequate resources to carry out AML/CFT measures

Provide staff training on AML/CFT

AML/CFT Guidelines


Roles and responsibilities of designated AML Compliance OfficerEstablishes internal AML/CFT programmeEnsures compliance by institution and staffAssesses AML/CFT mechanism, esp. customer due diligence (CDD) proceduresEnsures staff awareness of institution’s AML/CFT measuresReceives reports and feedback from other employees and submits STRs and requisite information to the FIUAssess the risk of money laundering in the institution’s products and services Has necessary knowledge and authority to effectively discharge his responsibilities

AML/CFT Guidelines


Supervisory Approach on RSP….

Broad Objectives• Promote migration of informal to formal remittance channel• Improve remittance service and increase competition• Ensure integrity of remittance service providers

• Comply with prudential and conditional (approval) requirements imposed by BNM

• Provide the necessary mechanism and control processes to ensure compliant with AML/CFT requirements

• Not used as conduit for ML/CFT activities• Provide reasonable assurance of system control and integrity

• Adopt a risk-based supervisory approach• Continuous surveillance based on periodic submission of statistical

and financial reporting• On-site supervision (part of annual supervisory plan)

Risk basedIncident based - act on complaint (e.g. frequent public complaint)On a surprise basis

• Stringent supervisory intervention for any breaches or non-compliant with prevailing law or guidelines by RSPs

Supervisory Approach….

Supervisory objectives to ensure that RSP….

Supervisory Balancing Act :Promote Ease of Migration to Formal Channel

vsCompliance with Regulatory Requirements


Supervisory Approach (cont.)

Adopt Risk Based

Differentiated Supervisory

Approach

Agile and Responsive

• Profile companies into 4 risk groups (low, moderate-low, moderate-high and high)

• Continuous risk assessment and validation

• Surveillance and supervision - based on companies’ risk profile, size and complexity

• Incident based approach• Surprise visit

• Surveillance through continuous monitoring and reporting by regulated entity

• Enforce varied supervisory intervention


Payment Systems Supervisory Life Cycle


Profiling of companies based on riskthey pose to the Bank’s objectives

Risk to the Bank’s objective = Impact x Probability

Risk rating to supervisors’ fair judgment

4 types of risk rating

Calculation of ProbabilityLikelihood of issues / events to occur

Assessment will be based on historical data, current emerging risks and future trends as well as market intelligence gathering

Calculation of ImpactDegree of issues / events tothe Bank’s objectives

Guiding principles for impact assessment

Risk Based Methodology

Low

GROUP 2(MODERATE

HIGH)

GROUP 1(HIGH)

GROUP 4(LOW)

GROUP 3(MODERATE

LOW)

RISK BASED QUADRANTSHigh

High

Low

IMPA

CT

PROBABILITY


Impact Assessment - Guiding Principles

Risk Based Methodology (cont.)

1. Nature of business2. Pervasiveness of business operations

• Linkages to financial system

• Customer base

• Size of liabilities

• Transaction volume

3. Compliance with prudential requirements• Shareholders’ funds requirements

RSP – RM100k

4. Financial health


Brief Background on Profile of Non-Bank RSPs

21 RSPs (non-bank) and 113 branches (excluding POS M’sia)

Extreme range of business size

Some have yet to commence operations (5 RSPs)

Internet and computer-based

Some use proprietary system, few rely on established network/system (International Money Transfer Operator) such as WU

Heavy investment – IT system, premises, branding, marketing, personnel, etc.


Customer Acceptance PolicyReporting institutions to formulate policies and procedures to address the establishment of business relationship with the customer

Identify and assess risk of customers

Have reasonable measures to address the different risks posed

Risk profiling - factors to consider:

Origin of customers and location of business;

Background or profile of the customer;

Nature of the customer’s business/occupation;

Structure of ownership (for a corporate customer); and

Any other information suggesting that the customer is of higher risk.

Continuously monitor the customers’ transaction activity pattern to ensure it is in line with the customer profile


The extent at the identification stage may be based on the following severity:

Background of the person and the suspicious circumstances in which the transaction was conducted

Type or form of transaction undertaken

New type of service/ product/new technology, which alters the delivery mode and transaction process - care must be taken to ensure that customer identification and verification requirements are adequately complied with

The type of customers

The reporting institution should adhere to the customer due diligence requirements as stipulated in the Standard Guidelines on AML/CFT

Where there is doubt on identification of the customer – RSP should not proceed with the transaction and lodge STR with FIU, BNM

Customer Due Diligence


Customer Due Diligence (cont.)

RSP should undertake the following:

Identify and verify the customer

Identify and verify beneficial ownership and control of such transaction

Obtain information on the purpose and intended nature of the business relationship/transaction

Conduct on-going due diligence and scrutiny, to ensure the information provided is updated and relevant

CDD should also be conducted, when:

Establishing a business relationship with the customer;

There is suspicion of ML or FT; or

There is doubts about the veracity or adequacy of previously obtained information.

If the customer fails to comply with the CDD requirements, reporting institution should not commence or should terminate such business relations with the customer


RSP is required to conduct CDD and transmit accurate and meaningful originator information for any transaction involving an amount equivalent to RM3,000 and above

Required to obtain and verify the originator’s information:

– Name

– Nationality

– National identification card/passport/Kad Jalan

– Account number (or unique reference number) / Privilege card

– Address

If remittance is facilitated through a bank, RSP is required to provide the originator’s information immediately upon request

For remittance/wire transfer received, RSP should ensure that complete originator’s information is provided. RSP should adopt risk-based approach for transaction with incomplete information.

Customer Due Diligence (cont.)

(Identity Card issued by Immigration Dept)


For Higher Risk Customers….Enhanced due diligence

Obtain more detailed information from the customer and through publicly available information (if available), on the purpose of transaction and source of fundsObtain approval from the Senior Management before establishing the business relationship with the customer

Examples of higher risk customersHigh net worth individualsFrom locations known for their high crime rate (e.g. drug producing, trafficking, smuggling)Countries or jurisdictions with inadequate AML/CFT laws and regulations such as the Non-Cooperative Countries and Territories (NCCT)Politically Exposed Persons (PEP)Legal arrangements that are complex – trust, nomineeCash-based businesses


Record KeepingKeep all records and documents

Transactions conducted

Customer due diligence

For at least 6 years* after:

Transaction has been completed or

The business relations with the customer have ended

Where the records are subjected to ongoing investigations or prosecution, they shall be retained beyond the stipulated retention period as specified

For audit trail, records shall include at least:

Identity of the customer and beneficiary

Form of transaction (e.g. by cash or by cheque)

Instruction and the origin and destination of fund transfers

Amount and type of currency

* As per AML/CFT guidelines


Have in place an adequate management information system to complement its customer due diligence

Provide timely information to detect any suspicious activity, which would include:Multiple transactions over a time frame

Large transactions

Anomaly in transaction pattern

Transactions exceeding any internally specified threshold.

Establish internal criteria (“red flags”) to detect suspicious transactions

Conduct enhanced due diligence and ongoing monitoring of transactions:That match the “red flags” list

From countries which have insufficiently implement the internationally accepted AML/CFT measures

All findings must be documented and made available to Bank Negara Malaysia and relevant supervisory authority

Ongoing Monitoring by RSP….


Examples of ‘Red-Flags’Transactions conducted are out of character with the usual conduct or profile of customers carrying out such transactions

Customer using different identifications each time conducting a transaction

A group of customers trying to break up a large cash transaction into multiple small transactions

Unwillingness to provide information

Same customer conducting a few small transactions in a day or atdifferent branches/locations

There are sudden or inconsistent changes in remittance/wire transfer sent/received transactions

Remittances/wire transfers from different customers/jurisdiction being sent to the same customer


Some of the Key Challenges…. Many small players with varied compliance cultureIT system lacking embedded AML/CFT control and reporting featuresUse of numerous disparate remittance IT system – not able to effectively track and monitor aggregated transaction limit and irregular pattern, holistically Promote use of a safe and secure channel (CDM, Internet banking)

However, CDM does not identify senderCrowded market – issue of business viability and sustainability (stiff competition, cost-conscious clients, rising overheads)Collaboration and co-operation with foreign International Money Transfer Operators – issues on cross border jurisdictionOwnership – concern over subsequent transfer of ownership / shareholding to “undesired elements” (fit and proper criteria)

oversight framework for malaysia: approaches to...

Documents