To defend the market from criminal enterprises, drug dealers, corrupt public officials, and terrorists, governments introduced a counter-measure: defensive regulatory AML and KYC policy that every financial business has to adopt. To comply, you have to learn how to translate these intricate rules into a real, compliant company process.
If you don’t know where to start, follow our template to work out your company’s AML flow one step at a time.
What is an AML policy
Anti-money laundering policy is a combination of measures used by a financial institution to prevent the proceeds of illegal activities from being reintroduced into the legitimate economy. The implementation of such rules is mandatory and overseen by regulatory authorities.
Who regulates the process
Business AML policy is often a combination of the FATF recommendations and locally introduced laws. The location of a business determines which regulatory authority oversees the implementation of the appropriate controls and issues fines for non-compliance. For example, BaFin in Germany, FINTRAC in Canada, and MAS in Singapore.
Our AML policy
Having developed AML policies for financial institutions ourselves, we have gained a first-hand perspective on what it takes and what works best for businesses. This template is based on the US Bank Secrecy Act (BSA), the EU 4th Anti-Money Laundering Directive (AMLD4), and the FATF recommendations.
Step 1: defining the purpose of the policy
First, a business must introduce three main statements.
- Definition for money laundering and terrorist financing;
- Reasons why the policy is necessary;
- Regular reviews to stay in line with regulatory demands.
These are the three pillars on which a company builds the foundation for everything else.
Step 2: appointing an AML officer
At this point, a business needs to nominate a compliance officer — a company member responsible for everything concerning the business’s AML program. State their name, qualifications, and responsibilities.
Step 3: reporting to the Financial Intelligence Unit (FIU)
Here a company describes how it will satisfy requests from financial intelligence units and law enforcement for information on criminal activity. A company must describe the actions and procedures that will be initiated upon such a demand from the authorities and how it is going to document the situation.
Step 4: sharing data with financial institutions
This part is dedicated to the process of sharing the accumulated AML data with other financial entities to identify and prevent money laundering elsewhere. The policy must describe a secure and confidential process that prevents data leaks.
Step 5: screening across sanction lists
Before entering a business relationship or opening an account for a client, financial companies must verify that the person they are working with is not on any sanction or blacklist. One example is the US Specially Designated Nationals List (SDN).
A company must state the standard procedure for checking its clients against these lists and how it keeps up with the latest changes to them.
Step 6: verifying client’s identity
Identity verification is the central part of an AML compliance policy. Here a company must specify a list of comprehensive and reliable measures that will help it accurately verify the identities of its clients upon opening an account or registering for its service. There are 8 major points to correctly establish this part of a business AML policy.
1) What personal data is gathered
The first step of identity verification is to ask a person to submit the relevant data. The company must determine what data it considers sufficient to check individual, corporate, and high-risk clients.
2) What if a client submits false data or no data at all
Many people refuse to share sensitive information for fear of data leaks. A company therefore needs to state how it will handle cases when a customer intentionally refuses a request for information or submits a false name, address, etc.
3) What is done to verify the information
A company must state the means it will use to verify its clients’ identities. It could be via documents, biometrics, or both, using verification software or manually.
4) What is the time limit for the check and waiting list terms
Here a company must indicate how long it will take to verify a client and its policy regarding the restriction on transactions for unverified accounts.
5) What if a client can’t be verified
An AML policy must include a strategy for those occasions when a client is impossible to identify — restrict them from opening an account, limit their transactions, or block them entirely.
6) What is done to keep records of AML processes
This part refers to the measures taken to keep track of all AML-related procedures and documents, including the format of identity verification and its results. A company should also mention how long these documents will be kept (according to the relevant regulatory requirements). Under BSA and AMLD4 it is 5 years.
7) What is the client notification process
Here a company describes the system it uses to adequately notify clients about the necessity of identity verification and its results.
8) What if identity verification is outsourced to a third party
The last point under identity verification is to describe the process of client identification and information handling if the data is verified by a different organization.
Step 7: performing customer due diligence (CDD)
This step covers the measures taken as part of CDD for those identified as beneficial owners, senior management, politically exposed persons (PEP), etc. A company should also specify the basis of its risk rating system and how it determines whether a case requires simplified due diligence, customer due diligence, or enhanced due diligence.
It is also necessary to state when a customer triggers adverse media or sanctions list checks and becomes subject to ongoing monitoring.
Step 8: filling out suspicious activity reports
Lastly, a very important part of an AML policy is to respond promptly to the detection of suspicious activity and correctly complete a compliant declaration, the Suspicious Activity Report (SAR). A company must specify the information that needs to be included in the report alongside the deadlines. As an example, BSA gives 30 days to file a report before issuing a fine.