CHAPTER 3
INTERNATIONAL MONEY-LAUNDERING REGULATION – THE ROLE OF THE FINANCIAL ACTION TASK FORCE¹

¹ Extracts from the FATF Recommendations and relevant FATF guidance and best practices are reproduced with kind permission of the Financial Action Task Force.

3.1 WHO ARE THE FINANCIAL ACTION TASK FORCE?

The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is, therefore, a “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

The FATF has developed a series of recommendations that are recognised as the international standard for combating money laundering and the financing of terrorism and proliferation of weapons of mass destruction. They form the basis for a coordinated response to these threats to the integrity of the financial system and help ensure a level playing field. First issued in 1990, the FATF Recommendations were revised in 1996, 2001, 2003 and, most recently, in 2012 to ensure that they remain up to date and relevant, and they are intended for universal application.

The FATF monitors the progress of its members in implementing necessary measures, reviews money-laundering and terrorist-financing techniques and countermeasures, and promotes the adoption and implementation of appropriate measures globally. In collaboration with other international stakeholders, the FATF works to identify national-level vulnerabilities with the aim of protecting the international financial system from misuse.

The FATF's decision-making body, the FATF Plenary, meets three times per year.

3.2 FATF RECOMMENDATIONS

In response to mounting concern over money laundering, the Financial Action Task Force on Money Laundering (FATF) was established by the G-7 Summit that was held in Paris in 1989. Recognising the threat money laundering posed to the banking system and to financial institutions, the G-7 Heads of State or Government and the President of the European Commission convened the Task Force from the G-7 member states, the European Commission and eight other countries.

The FATF was given the responsibility of examining money-laundering techniques and trends, reviewing the action which had already been taken at a national or international level and setting out the measures that still needed to be taken to combat money laundering. In April 1990, less than one year after its creation, the FATF issued a report containing a set of forty recommendations, which were intended to provide a comprehensive plan of action needed to fight money laundering. They still form the real basis for all money-laundering regulations worldwide and while they have now been updated, these original recommendations largely remain the key requirements.

In 2001, the development of standards in the fight against terrorist financing was added to the mission of the FATF, extending its role beyond pure money-laundering deterrence. As a consequence, in October 2001, the FATF issued eight special recommendations to deal with the issue of terrorist financing. The continued evolution of money-laundering techniques led the FATF to revise the FATF standards comprehensively in June 2003. In October 2004, the FATF published a ninth special recommendation, further strengthening the agreed international standards for combating money laundering and terrorist financing, resulting in the production of what came to be known as the 40+9 Recommendations.

In February 2012, the FATF completed a thorough review of its standards and published the revised FATF 40 Recommendations. The objective of this revision was to further strengthen global safeguards and also to protect the integrity of the financial system by providing governments with stronger tools to take action against financial crime. Of course, since the FATF does not have any legal standing in any country, this is really attempting to create a global level playing field in financial crime and terrorist-financing deterrence by creating international best practice, hoping that this will exert pressure for compliance. The recommendations have been expanded to deal with perceived new threats such as the financing of the proliferation of weapons of mass destruction, and to be clearer on transparency and tougher on corruption. The nine special recommendations on terrorist financing have now been fully integrated with the measures against money laundering. This has resulted in a stronger and clearer set of standards, albeit substantially unchanged in many areas.

The FATF, of course, has no global jurisdiction and consequently depends on local rules and regulations being implemented. As referred to above, the FATF does, however, conduct reviews of the level of compliance within jurisdictions with the FATF recommendations, and this does provide some level of impetus for their implementation. These reports are publicly available on the FATF website. In this chapter we also identify whether these recommendations are new in 2012 or whether these are the existing recommendations from the 40+9 set.

The 40 current FATF recommendations are outlined below.

Recommendations

  1. Assessing risks and applying a risk-based approach (New recommendation)
    • Countries should identify, assess and understand the money-laundering and terrorist-financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively.
    • Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money-laundering and countering the financing of terrorism (AML/CFT) regime and the implementation of risk-based measures throughout the FATF Recommendations.
    • Where countries identify higher risks, they should ensure that their AML/CFT regime adequately addresses such risks. Where countries identify lower risks, they may decide to allow simplified measures for some of the FATF Recommendations under certain conditions.
    • Countries should require financial institutions and designated non-financial businesses and professions (DNFBPs) to identify, assess and take effective action to mitigate their money-laundering and terrorist-financing risks.

This is a new, explicit recommendation, which perpetuates the principle of taking a risk-based approach. The FATF is keen for its members to adopt risk-based strategies in their AML regimes, which is further highlighted by the fact that this recommendation appears before the criminalisation of the money-laundering offence, which has been relegated to Recommendation 3.

By bringing this in as the first recommendation, the FATF is putting the onus on firms to implement such a risk-based regime and, as we shall discuss later, this may require the implementation of some form of money-laundering-deterrence monitoring software. The risk-based approach to implementation is, however, not without some measure of risk. If a risk-based approach results in less work being conducted in one area to enable more work to be conducted in another, then the risk exists that the initial analysis will be proven to be incorrect. In such cases, the firm will need to show that its procedures are not only compliant with local rules and regulations but also meet expectations that are likely to be developed with the benefit of hindsight.

The consequence of this is that while it is important to implement a risk-based approach, as we shall discuss again later, firms must ensure that their procedural and transactional documentation is adequate to provide a defence against an accusation that the risk-based approach was being used to enable a firm to “turn a blind eye” to potential money laundering.

  2. National cooperation and coordination (Previously addressed in Recommendation 31)
    • Countries should have national AML/CFT policies, informed by the risks identified, which should be reviewed regularly, and should designate an authority or have a coordination or other mechanism that is responsible for such policies.
    • Countries should ensure that policy-makers, the financial intelligence unit (FIU), law-enforcement authorities, supervisors and other relevant competent authorities, at the policy-making and operational levels, have effective mechanisms in place which enable them to cooperate, and, where appropriate, coordinate domestically with each other concerning the development and implementation of policies and activities to combat money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction.

This is more expansive than the 2003 recommendation. It does suggest that the local regime should be based on local risk analysis so that it is necessary for FIUs (or other appropriate bodies) to undertake a review of the risks that both financial crime and terrorist financing pose to their local markets. Of course, it would be helpful were this to be made public so that firms could then apply this within their implementation of the risk-based approach, but at present few countries have clearly set this out publicly.

  3. Money-laundering offence (Previously addressed in Recommendations 1 and 2)
    • Countries should criminalise money laundering on the basis of the Vienna Convention and the Palermo Convention.
    • Countries should apply the crime of money laundering to all serious offences, with a view to including the widest range of predicate offences.

The United Nations Conference for the Adoption of a Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances met at the Neue Hofburg in Vienna from 25th November to 20th December, 1988 and this resulted in what is now known as the Vienna Convention. This was published as the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances 1988, highlighting the limited focus of the convention. 106 countries participated in the convention. The convention itself consists of 34 articles including consideration of the labelling of exports and commercial documents. As such, this convention is for a wider audience than purely the financial community.

This particular article does warrant additional review. It states:

“Each party shall require that lawful exports of narcotic drugs and psychotropic substances be properly documented. In addition there is a requirement to document the quantity being exported, and the name and address of the exporter, the importer and, when available, the consignee. Each party is required to ensure that consignments of narcotic drugs and psychotropic substances being exported are not mislabelled.”

So the objective is to separate legal drug import and export from illegal trafficking through a labelling system.

The Palermo Convention dates from 8th January, 2001 and was again published by the United Nations. The United Nations were “deeply concerned by the negative economic and social implications related to organised criminal activities, and convinced of the urgent need to strengthen cooperation to prevent and combat such activities more effectively at the national, regional and international levels”. They also noted with deep concern the growing links between transnational organised crime and terrorist crimes. They sought to broaden the previous treaty to include other areas including terrorist financing and corruption and were seeking bilateral agreements between parties to enable better detection and investigation to occur. The organisation even went so far as to state the information that a cross-jurisdictional information request should include, as well as including the requirements for training of law-enforcement officers.

By including these conventions within this recommendation the FATF is seeking to highlight the importance of cooperation and also to reflect much of the work that has been conducted which should be included within local jurisdictional law. This FATF recommendation is considerably more succinct than the 2003 recommendations, even though the two conventions mentioned were passed prior to 2003. This, therefore, affords countries more freedom in the manner in which they criminalise money laundering.

  4. Confiscation and provisional measures (Previously addressed in Recommendation 3)

Countries should adopt measures similar to those set forth in the Vienna Convention, the Palermo Convention and the Terrorist Financing Convention, including legislative measures, to enable their competent authorities to freeze or seize and confiscate the following, without prejudicing the rights of bona fide third parties:

  1. property laundered;
  2. proceeds from, or instrumentalities used in or intended for use in, money laundering or predicate offences;
  3. property that is the proceeds of, or used in, or intended or allocated for use in, the financing of terrorism, terrorist acts or terrorist organisations; or
  4. property of corresponding value.

Such measures should include the authority to:

  1. identify, trace and evaluate property that is subject to confiscation;
  2. carry out provisional measures, such as freezing and seizing, to prevent any dealing, transfer or disposal of such property;
  3. take steps that will prevent or void actions that prejudice the country's ability to freeze or seize or recover property that is subject to confiscation; and
  4. take any appropriate investigative measures.

Countries should consider adopting measures that allow such proceeds or instrumentalities to be confiscated without requiring a criminal conviction (non-conviction-based confiscation), or which require an offender to demonstrate the lawful origin of the property alleged to be liable to confiscation, to the extent that such a requirement is consistent with the principles of their domestic law.

The International Convention on the Suppression of the Financing of Terrorism was adopted by the United Nations on 5th December, 1999. Focussing on legal definitions and penalties, the requirement for international cooperation and customer information requirements, it led to the development of the nine additional FATF terrorist-financing principles.

This recommendation requires legislation to be implemented to enable the competent authorities to seize the assets of money launderers or assets used in terrorist financing. Of course, there is normally different legislation regarding such matters, which usually covers all crime, not just money laundering. For example, direct theft of an asset (e.g. a car) would already typically be caught by such legislation. What this recommendation achieves is to extend this to all areas of money laundering and terrorist financing. It tends to result in competent authorities having the ability to seize physical property and bank accounts, as well as the high-profile cars.

In terms of development from the 2003 recommendations, this recommendation widens the scope of the previous recommendation by including the Terrorist Financing Convention (even though this was passed in 1999), expanding the freezing and seizing power to three instances rather than one, and including property involved in terrorist financing.

The peculiarity of this recommendation, which also appears in Recommendation 38, is the use of the word “instrumentalities” – in English, this word would not be used in this scenario. The Encarta English Dictionary defines instrumentalities as the plural of instrumentality, which is defined as “the quality or state of being instrumental”. The word “instruments” would appear to fit with the context of this recommendation and would make much more sense than “instrumentalities”, so we take “instrumentalities” to mean “instruments” here.

Terrorist Financing and Financing of Proliferation

  5. Terrorist financing offence (Previously addressed in Special Recommendation II)
    • Countries should criminalise terrorist financing on the basis of the Terrorist Financing Convention, and should criminalise not only the financing of terrorist acts but also the financing of terrorist organisations and individual terrorists even in the absence of a link to a specific terrorist act or acts. Countries should ensure that such offences are designated as money-laundering predicate offences.

This recommendation widens the scope of the previous special recommendation to include the financing of individual terrorists, whereas the 2003 recommendation only suggested that “each country should criminalise the financing of terrorism, terrorist acts and terrorist organisations”. This gives countries a wider scope to apply pre-emptive measures before a terrorist act has been committed, and gives countries the power to intervene even if they are unaware who a suspected terrorist is cooperating with. Of course, this recommendation is not binding – it is up to individual countries to pass legislation to make this effective. Without this, the recommendation is just an idea with no legal force.

  6. Targeted financial sanctions related to terrorism and terrorist financing (Previously addressed in Special Recommendation III)
    • Countries should implement targeted financial sanction regimes to comply with United Nations Security Council resolutions relating to the prevention and suppression of terrorism and terrorist financing. The resolutions require countries to freeze, without delay, the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either
      1. designated by, or under the authority of, the United Nations Security Council under Chapter VII of the Charter of the United Nations, including in accordance with Resolution 1267 (1999) and its successor resolutions; or
      2. designated by that country pursuant to Resolution 1373 (2001).

This recommendation expands on the previous special recommendation by specifying “targeted financial sanctions” in addition to the freezing requirements imposed by the resolutions.

The requirement to freeze assets without delay poses some logistical problems. The regulator is unlikely to have the authority to freeze the assets of a customer of a bank, whereas the FIU or some other appropriately authorised body probably will have. However, this is entirely dependent on the laws of the country. In any case, a court application will still generally be required. Furthermore, an FIU will be dealing with all of the legal issues arising throughout a country, so some delay is inevitable. It will take time for the FIU to receive, assess and approve a freezing order, by which time the funds may have been moved freely by the customer.

Another issue this recommendation poses is the willingness of banks to freeze the assets of their customers. Where this is done and it turns out that the customer was not involved in criminal activity, there will inevitably be complaints, compensation and probably a loss of business for the bank. Financial institutions will understandably be unwilling to expose themselves to this risk, and any reluctance will cause further delay, contrary to the objectives of this recommendation.

A nineteen-page best practice paper accompanies this recommendation, outlining identification procedures, access to and freezing of prohibited funds. Example provisions appear below, but please refer to the guidance for the full text.

The best practice provides that “Recommendation 6 is intended to assist countries in implementing the targeted financial sanctions contained in the UN resolutions relating to the prevention and suppression of terrorism and terrorist financing. These resolutions require countries to freeze, without delay, the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either (a) designated by, or under the authority of, the United Nations Security Council (the Security Council) under Chapter VII of the Charter of the United Nations, including in accordance with the Al-Qaida/Taliban sanctions regimes; or (b) designated by that country or by a supra-national jurisdiction pursuant to UNSCR 1373. Such measures may be either judicial or administrative in nature.”

In terms of practical application, the guidance calls for “institutional arrangements allowing for close co-ordination among financial, intelligence and law enforcement authorities and the incorporation of the measures into the country's broader counter-terrorism policy. Countries should also have in place procedures to protect all sources of information, including intelligence and closed-source materials, used in the designation of persons and entities as being subject to the asset freeze measures.”

With regards to legal process, “measures to freeze terrorist funds or other assets may complement criminal proceedings against a designated person or entity, but are not conditional upon the existence of such proceedings. The measures serve as a preventive or disruptive tool when criminal proceedings are either not possible or not practical. This does not, of course, prevent freezing procedures as such forming a part of criminal procedures.”

For the effective implementation of an asset freeze, robust identifying information is essential. At the extreme end of the scale, poor quality identifiers are an obstacle to the enforcement of an asset freeze. Single-name identifiers, in particular, represent problems for enforcement. Best efforts should therefore be made to ensure as much identifying information as possible is provided upon designation, and that such information is updated as more identifying data become available. Where operational imperatives allow, jurisdictions may consider postponing a designation in situations where there is insufficient identifying information, until further information is available.

In order to implement the targeted financial sanction regimes required under Recommendation 6, including initiating, or making proposals for, designations, there will be a need to engage with a range of authorities (for example, Foreign Affairs, Justice, Treasury, Finance, Central Bank, Interior or Public Safety) and agencies (for example, security, intelligence, law enforcement, the FIU). Countries should have appropriate structures and procedures to ensure the effective implementation of the asset-freeze mechanism.

In order to comply with requirements to grant exemptions for access to frozen funds or other assets for basic or extraordinary expenses as set out in Resolution 1452 (2002) whilst still ensuring that the asset freeze is maintained, strong relationships and robust cross-government processes should be built and maintained.

In the UK, the Treasury's Asset Freezing Unit is responsible for designating terrorist freezing targets under Resolution 1373 (2001). More information on the Asset Freezing Unit and a consolidated list of asset freeze targets designated by the United Nations, European Union and United Kingdom under legislation relating to current financial sanction regimes are available in the relevant chapters of this book.

  7. Targeted financial sanctions related to proliferation (New recommendation)
    • Countries should implement targeted financial sanctions to comply with United Nations Security Council resolutions relating to the prevention, suppression and disruption of proliferation of weapons of mass destruction and its financing. These resolutions require countries to freeze, without delay, the funds or other assets of, and to ensure that no funds and other assets are made available, directly or indirectly, to or for the benefit of, any person or entity designated by, or under the authority of, the United Nations Security Council under Chapter VII of the Charter of the United Nations.

This recommendation is similar to Recommendation 6, and poses the same problems regarding freezing assets without delay. While this idea is desirable in theory, the logistics required may cause problems in practice.

  8. Non-profit organisations (Previously addressed in Special Recommendation VIII)
    • Countries should review the adequacy of laws and regulations that relate to entities that can be abused for the financing of terrorism. Non-profit organisations are particularly vulnerable, and countries should ensure that they cannot be misused:
      1. by terrorist organisations posing as legitimate entities;
      2. to exploit legitimate entities as conduits for terrorist financing, including for the purpose of escaping asset-freezing measures; and
      3. to conceal or obscure the clandestine diversion of funds intended for legitimate purposes to terrorist organisations.

This recommendation has not changed since the 2003 version, when it was completely new. It requires reviews to be conducted into not-for-profit organisations which could potentially be used for money laundering. The level of work required varies considerably between jurisdictions.

Linguistically, this recommendation refers to “non-profit organisations”. This is unusual, as the usual terms would be “charities” or “not-for-profit organisations”. Strictly speaking, any business which makes a loss is a non-profit organisation, although this is clearly not the intended meaning in this recommendation.

The recommendation also requires countries to think through the nature of the structures available within their legal jurisdiction, identifying non-profit organisations as an example. It may well be that there are other constructs within a specific jurisdiction that are particularly suitable for money laundering which would then be caught by this recommendation.

The interpretive notes to the recommendation define a non-profit organisation as “a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of ‘good works’”. There is no further definition of the subjective term “good works”, but it is clear from this definition that “non-profit organisation” is intended to mean the same thing as the more standard “not-for-profit organisation”. As with a number of instances in these recommendations, the language is perhaps not as clear as it could be.

An updated best practice was introduced in June 2013 in conjunction with the non-profit organisation sector; it aimed to prevent misuse of non-profit organisations for the financing of terrorism while, at the same time, respecting legitimate actions of NPOs.

Recommendation 8 should be implemented in line with Recommendation 1; that is, on the basis of a risk assessment. The interpretive note to Recommendation 8 requires countries to identify, prevent and combat terrorist misuse of non-profit organisations (NPOs) through a four-pronged approach involving:

  (a) outreach to the NPO sector concerning terrorist-financing issues;
  (b) supervision or monitoring of the NPO sector;
  (c) effective information gathering and investigation; and
  (d) effective capacity to respond to international requests for information about an NPO of concern.

These four elements (outreach, supervision, information gathering and investigation, and capacity to respond to international requests) apply to all NPOs, which are defined as a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of “good works”.

Regarding element (b) (supervision or monitoring), countries should take steps to promote effective supervision or monitoring of their NPO sector as a whole based on their domestic NPO sector review and risk assessment. In practice, countries should be able to demonstrate that the requirements of paragraph 5(b) of the INR8 apply to NPOs which account for (1) a significant portion of the financial resources under control of the sector, and (2) a substantial share of the sector's international activities. Countries should also take into account the work that is undertaken by NPOs in line with the oversight references outlined in the best practice paper.

Additionally, countries should ensure that any NPO falling within the FATF definition of a legal person or legal arrangement is also subject to the requirements of FATF Recommendation 24 or 25 respectively, on the transparency and beneficial ownership of legal persons and legal arrangements.

The guidance also provides specific best practice examples in areas including the monitoring and use of payments and activities, and the identification of beneficiaries.

Preventive Measures

  9. Financial institution secrecy laws (Previously addressed in Recommendation 4)
    • Countries should ensure that financial institution secrecy laws do not inhibit implementation of the FATF Recommendations.

This is perhaps one of the more contentious recommendations, and has not changed since 2003. Clearly, offshore and other financial centres have, for many years, taken advantage of data secrecy regulations to prevent disclosure of confidential information to enquiring regulatory agents. This recommendation sought to reduce the incidence of such approaches and more recent political pressure has resulted in greater relaxation of such secrecy rules in money-laundering or tax-evasion enquiries.

Its application has been fraught, with some disclosures by financial institutions in some countries actually being challenged by the courts and in some cases being found to be illegal. The offshore centres market their secrecy credentials to attract the business that they are seeking. This requirement begins to put all of this business activity potentially at risk.

The purposes of this regulation include the detection of tax evasion and the prevention of tax avoidance. Tax evasion means the illegal evasion of tax which is legitimately owed to the State, whereas tax avoidance is legally organising your affairs so that you owe the minimum amount of tax possible. Jurisdictions with stringent secrecy laws, such as Switzerland, are seen as particularly attractive to those who are employing either of these techniques, as being able to keep your affairs secret makes it difficult to detect any discrepancy in the amount of tax due. In addition to this, the recommendation also serves a more literal purpose. Being able to trace funds without being inhibited by secrecy laws will enable the authorities to find the source of any questionable assets, and in turn prevent money laundering.

Customer Due Diligence and Record-keeping

  10. Customer due diligence (Previously addressed in Recommendation 5)
    • Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names.
    • Financial institutions should be required to undertake customer due diligence (CDD) measures when:
      1. establishing business relations;
      2. carrying out occasional transactions:
        1. above the applicable designated threshold (US$/EUR 15,000); or
        2. that are wire transfers in the circumstances covered by the Interpretive Note to Recommendation 16;
      3. there is a suspicion of money laundering or terrorist financing; or
      4. the financial institution has doubts about the veracity or adequacy of previously obtained customer identification data.
    • The principle that financial institutions should conduct CDD should be set out in law. Each country may determine how it imposes specific CDD obligations, either through law or enforceable means.
    • The CDD measures to be taken are as follows:
      (a) Identifying the customer and verifying that customer's identity using reliable, independent source documents, data or information.
      (b) Identifying the beneficial owner, and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include financial institutions understanding the ownership and control structure of the customer.
      (c) Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.
      (d) Conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, their business and risk profile, including, where necessary, the source of funds.
    • Financial institutions should be required to apply each of the CDD measures under (a) to (d) above, but should determine the extent of such measures using a risk-based approach (RBA) in accordance with the Interpretive Notes to this recommendation and to Recommendation 1. Financial institutions should be required to verify the identity of the customer and beneficial owner before, or during the course of, establishing a business relationship or conducting transactions for occasional customers. Countries may permit financial institutions to complete the verification as soon as reasonably practicable following the establishment of the relationship, where the money-laundering and terrorist-financing risks are effectively managed and where this is essential not to interrupt the normal conduct of business. Where the financial institution is unable to comply with the applicable requirements under paragraphs (a) to (d) above (subject to appropriate modification of the extent of the measures on a risk-based approach), it should be required not to open the account, commence business relations or perform the transaction; or should be required to terminate the business relationship; and should consider making a suspicious transaction report in relation to the customer.
    • These requirements should apply to all new customers, although financial institutions should also apply this recommendation to existing customers on the basis of materiality and risk, and should conduct due diligence on such existing relationships at appropriate times.

The section regarding high-risk customers from the 2003 recommendation does not appear in the main body of the 2012 version, but is addressed in the interpretive notes. This new version of this recommendation obliges countries to set CDD obligations in law, whether this is through legislation or legally binding regulations. The requirement to understand the nature and purpose of a business relationship expands on the prior requirement to merely collect information, which is reflective of the advanced corporate and financial structures utilised today. The obligation not to open an account or commence business relations when CDD cannot be completed is also an extension of the 2003 recommendations.

The interpretive notes to this recommendation provide a large amount of additional guidance. For example, they give examples of potentially higher-risk situations (in addition to those set out in Recommendations 12 to 16):

  1. Customer risk factors:
    1. The business relationship is conducted in unusual circumstances (e.g. significant unexplained geographic distance between the financial institution and the customer).
    2. Non-resident customers.
    3. Legal persons or arrangements that are personal asset-holding vehicles.
    4. Companies that have nominee shareholders or shares in bearer form.
    5. Businesses that are cash-intensive.
    6. The ownership structure of the company appears unusual or excessively complex given the nature of the company's business.
  2. Country or geographic risk factors:
    1. Countries identified by credible sources, such as mutual evaluation or detailed assessment reports or published follow-up reports, as not having adequate AML/CFT systems.
    2. Countries subject to sanctions, embargos or similar measures issued by, for example, the United Nations.
    3. Countries identified by credible sources as having significant levels of corruption or other criminal activity.
    4. Countries or geographic areas identified by credible sources as providing funding or support for terrorist activities, or that have designated terrorist organisations operating within their country.
  3. Product, service, transaction or delivery channel risk factors:
    1. Private banking.
    2. Anonymous transactions (which may include cash).
    3. Non-face-to-face business relationships or transactions.
    4. Payments received from unknown or un-associated third parties.

Guidance of this nature is essential to the success of the principle of taking a risk-based approach. There is an inevitable amount of perception and subjective opinion when assessing the risk posed by a particular customer, so standard risk indicators provide vital guidance. However, as these are only given as guidance, it would seem that they may fall short of standardising the risk-based approach. Their lack of legal force means that if a country does not agree with them, it is free to ignore them. However, were it to do so, this would appear within the country review conducted by the FATF. Generally, the approach is to achieve these requirements or to implement regulations that achieve the same objectives.

One question which remains unanswered in both the recommendation and the interpretive note is the extent to which compliance is required before it is satisfactory. For example, if a financial institution is unable to find one comparatively small piece of information but has a fairly comprehensive due diligence file, would this still be classed as incomplete? What if the institution chooses not to conduct adequate CDD, citing the fact that it is satisfied that the customer does not pose a serious risk and is therefore complying with its obligation to take a risk-based approach?

Regulators normally take a “reasonable man” approach to such circumstances, such that if the approach adopted by the firm is reasonable in the circumstances, this would not be seen as a breach of local regulations. However, if the omission was wilful with the intention of undermining the objectives of the regulations, then this would be considered a breach locally. In any case, where it is not possible or cost effective to obtain specific information, this should be documented by the firm together with the actions taken to mitigate the risk of abuse.

It should be noted that these are not the PEP rules, which are addressed in Recommendation 12.

  11. Record-keeping (Previously addressed in Recommendation 10)
    • Financial institutions should be required to maintain, for at least five years, all necessary records on transactions, both domestic and international, to enable them to comply swiftly with information requests from the competent authorities. Such records must be sufficient to permit reconstruction of individual transactions (including the amounts and types of currency involved, if any) so as to provide, if necessary, evidence for prosecution of criminal activity. Financial institutions should be required to keep all records obtained through CDD measures (e.g. copies or records of official identification documents like passports, identity cards, driving licences or similar documents), account files and business correspondence, including the results of any analysis undertaken (e.g. inquiries to establish the background and purpose of complex, unusual, large transactions), for at least five years after the business relationship is ended, or after the date of the occasional transaction.
    • Financial institutions should be required by law to maintain records on transactions and information obtained through the CDD measures.
    • The CDD information and the transaction records should be available to domestic competent authorities.

This regulation has undergone subtle but important changes. The phrase “should be required”, which appears twice, was simply “should” in the 2003 recommendation, and the new version obliges countries to incorporate these principles into domestic legislation, thereby increasing their enforceability. The obligation to keep all records has been strengthened from just an obligation to keep records, and the express inclusion of any analysis undertaken is coherent with the emphasis on taking a risk-based approach. Furthermore, the reference to occasional transactions reflects the way modern business is done, and the obligation by law to maintain records further affirms the subtle strengthening of this provision.

This recommendation does not come with interpretive notes. For this reason, it seems particularly strange that no reference is made in the recommendation to enhanced due diligence (EDD), only to customer due diligence (CDD). While there are obligations to conduct enhanced due diligence in other recommendations (see Recommendation 12, for example), these instances do not make explicit reference to record-keeping.

Taken literally, this would seem to suggest that there are no record-keeping requirements for enhanced due diligence, which is, of course, incorrect. It would be logical to have the most stringent record-keeping requirements for the customers who pose the greatest risks, or at the very least equivalent record-keeping requirements to those imposed on standard customers, so we can only assume that “CDD” in this recommendation is to be taken as an umbrella term for all due diligence and therefore also includes EDD.

Additional Measures for Specific Customers and Activities

  12. Politically exposed persons (Previously addressed in Recommendation 6)
    • Financial institutions should be required, in relation to foreign politically exposed persons (PEPs) (whether as customer or beneficial owner), in addition to performing normal customer due diligence measures, to:
      (a) have appropriate risk-management systems to determine whether the customer or the beneficial owner is a politically exposed person;
      (b) obtain senior management approval for establishing (or continuing, for existing customers) such business relationships;
      (c) take reasonable measures to establish the source of wealth and source of funds; and
      (d) conduct enhanced ongoing monitoring of the business relationship.
    • Financial institutions should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is in, or has been entrusted with, a prominent function by an international organisation. In cases of a higher risk business relationship with such persons, financial institutions should be required to apply the measures referred to in paragraphs (b), (c) and (d).
    • The requirements for all types of PEP should also apply to family members or close associates of such PEPs.

The differentiation between foreign and domestic PEPs is a new addition to the recommendations, as is the extension of the PEP rules to beneficial ownership and to family members and close associates of PEPs. This narrows the scope for abuse of PEPs. The problem is, of course, in identifying family members and close associates. A brother-in-law, for example, might be difficult to identify, yet is a close family member by marriage.

Additional guidance on PEPs was released in June 2013. Key to the effective implementation of Recommendation 12 is the effective implementation of customer due diligence requirements: for financial institutions to know who their customers are. External sources of information for determining PEPs exist, such as commercial and other databases, and the paper provides some guidance on the use of these and other, external sources of information. However, these databases are not sufficient to comply with the PEP requirements, nor does the FATF require the use of such databases. PEPs are specifically addressed in Chapter 17.

When considering whether to establish or continue a business relationship with a PEP, the focus should be on the level of ML/TF risk associated with the particular PEP, and whether the financial institution or DNFBP has adequate controls in place to mitigate that ML/TF risk so as to avoid the institution being abused for illicit purposes should the PEP be involved in criminal activity. This decision should be taken on the basis of the customer due diligence process and with an understanding of the particular characteristics of the public functions that the PEP has been entrusted with. The decision to establish or continue a customer relationship with a PEP should be guided primarily by an assessment of ML/TF risks, even if other considerations, such as regulatory risk, reputational risk or commercial interests, are taken into account.

Financial institutions and DNFBPs should consider whether they may be more vulnerable to domestic PEPs compared to foreign PEPs. For example, small financial institutions, with little or no exposure to foreign financial markets, which determine that they are dealing with a foreign PEP, should consider in detail the reasons why such a relationship is being started. Financial institutions which operate in domestic markets where there are known issues relating to corruption should consider whether their exposure to domestic PEPs may be higher than to foreign PEPs.

In all cases, where a financial institution or DNFBP suspects, or has reasonable grounds to suspect, that funds are the proceeds of criminal activity, an STR (suspicious transaction report) should be filed with the FIU.

A financial institution or DNFBP may perform the steps that are required for the implementation of the domestic/international organisation PEP requirements in concert as part of their procedures implementing Recommendation 10. Pursuant to Recommendation 12, financial institutions and DNFBPs are required to take reasonable measures as part of their internal controls to determine if a customer or beneficial owner is a domestic/international organisation PEP. To do this, financial institutions and DNFBPs should review, according to relevant risk factors, the CDD data collected pursuant to Recommendation 10.

In cases where the customer is determined to be a domestic/international organisation PEP, then financial institutions or DNFBPs should undertake a risk assessment of the PEP's business relationship. To this effect, they should notably gather sufficient information to understand the particular characteristics of the public functions that the PEP has been entrusted with and, in the case of an international organisation, the business model of that organisation. Information on international organisations, for example, may be found on their respective websites. The risk assessment should be a composite assessment of all the risk factors and needs to be done to determine if the business relationship with the PEP involves a higher risk. This assessment of the business relationship may take into account, among other factors (i) customer risk factors, (ii) country risk factors and (iii) product, service, transaction or delivery channel risks.

Additional factors to be taken into account should include the nature of the prominent public function that the PEP has, such as his or her level of seniority, access to or control over public funds and the nature of the position held.

  13. Correspondent banking (Previously addressed in Recommendation 7)
    • Financial institutions should be required, in relation to cross-border correspondent banking and other similar relationships, in addition to performing normal customer due diligence measures, to:
      (a) gather sufficient information about a respondent institution to understand fully the nature of the respondent's business and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to a money-laundering or terrorist-financing investigation or regulatory action;
      (b) assess the respondent institution's AML/CFT controls;
      (c) obtain approval from senior management before establishing new correspondent relationships;
      (d) clearly understand the respective responsibilities of each institution; and
      (e) with respect to “payable-through accounts”, be satisfied that the respondent bank has conducted CDD on the customers having direct access to accounts of the correspondent bank, and that it is able to provide relevant CDD information upon request to the correspondent bank.
    • Financial institutions should be prohibited from entering into, or continuing, a correspondent banking relationship with shell banks. Financial institutions should be required to satisfy themselves that respondent institutions do not permit their accounts to be used by shell banks.

“Clearly understand”, under point (d), has replaced the requirement to document that appeared in the 2003 recommendations. While this is more beneficial in a practical sense, it does not suggest that there is any relaxation in the requirement to document everything under the record-keeping recommendation. Previously it would have been possible to have documented matters without considering whether they were appropriate and therefore suspicious. The change in the recommendation makes it clear that this is no longer the case.

The prohibition on entering a relationship with a shell bank is essentially a new requirement for the 2012 recommendations, although such rules had already been implemented by many jurisdictions.

  14. Money or value transfer services (Previously addressed in Special Recommendation VI)
    • Countries should take measures to ensure that natural or legal persons that provide money or value transfer services (MVTS) are licensed or registered, and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations. Countries should take action to identify natural or legal persons that carry out MVTS without a licence or registration, and to apply appropriate sanctions. Any natural or legal person working as an agent should also be licensed or registered by a competent authority, or the MVTS provider should maintain a current list of its agents accessible by competent authorities in the countries in which the MVTS provider and its agents operate. Countries should take measures to ensure that MVTS providers that use agents include them in their AML/CFT programmes and monitor them for compliance with these programmes.

This is more expansive than the 2003 recommendation, although not largely different substantively. The requirement to maintain a current list of agents is new, as is the express requirement to include agents in AML/CFT programmes. Western Union would be an example of an international MVTS.

In the UK, the requirement for MVTS to be licensed or registered by the FSA is implemented by the Payment Services Regulations 2009 (last updated in October 2012), which implemented the EU Payment Services Directive. Therefore, the UK was compliant with this recommendation before it was introduced. The FSA register can be found at http://www.fsa.gov.uk/register/psdFirmSearchForm.do.

  15. New technologies (Previously addressed in Recommendation 8)
    • Countries and financial institutions should identify and assess the money-laundering or terrorist-financing risks that may arise in relation to:
      1. the development of new products and new business practices, including new delivery mechanisms; and
      2. the use of new or developing technologies for both new and pre-existing products.
    • In the case of financial institutions, such a risk assessment should take place prior to the launch of the new products, business practices or the use of new or developing technologies. They should take appropriate measures to manage and mitigate those risks.

The 2003 recommendation was mainly concerned with anonymity, whereas this recommendation is considerably more thorough and wide-ranging. This reflects the technological era and the rise of cyber crime, as well as reiterating the need for a risk-based approach. It should be noted that this recommendation is very similar to a recommendation given by the Bank for International Settlements (BIS), which, in turn, reflected the pre-emptive part of the so-called Basel II rules which are in the process of being replaced by Basel III.

  16. Wire transfers (Previously addressed in Special Recommendation VII)
    • Countries should ensure that financial institutions include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and that the information remains with the wire transfer or related message throughout the payment chain.
    • Countries should ensure that financial institutions monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures.
    • Countries should ensure that, in the context of processing wire transfers, financial institutions take freezing action and should prohibit conducting transactions with designated persons and entities, as per the obligations set out in the relevant United Nations Security Council resolutions, such as Resolution 1267 (1999) and its successor resolutions, and Resolution 1373 (2001), relating to the prevention and suppression of terrorism and terrorist financing.

The requirement to include meaningful information from the 2003 recommendations has been removed, as have the examples of information. This reduces the stringency of the recommendation, but was due to practical problems found in the nature of business conducted. However, the requirement to monitor for any missing beneficiary information has been added, as has the obligation to take freezing action and to follow the UN resolutions.

The requirement for basic information is set out in this recommendation, even though it would be impossible to transfer money without identifying a beneficiary. Without some identification it would be difficult to see how the MVTS would know where to send the money. The information required here is essential for money to be transferred, and without it the transaction would automatically fail, so this recommendation is really only of limited use. In many countries more stringent requirements are either implemented or are being planned.

Reliance, Controls and Financial Groups

  17. Reliance on third parties (Previously addressed in Recommendation 9)
    • Countries may permit financial institutions to rely on third parties to perform elements (a)–(c) of the CDD measures set out in Recommendation 10 or to introduce business, provided that the criteria set out below are met. Where such reliance is permitted, the ultimate responsibility for CDD measures remains with the financial institution relying on the third party.
    • The criteria that should be met are as follows:
      (a) A financial institution relying upon a third party should immediately obtain the necessary information concerning elements (a)–(c) of the CDD measures set out in Recommendation 10.
      (b) Financial institutions should take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay.
      (c) The financial institution should satisfy itself that the third party is regulated, supervised or monitored, and has measures in place for compliance with CDD and record-keeping requirements in line with Recommendations 10 and 11.
      (d) When determining in which countries the third party that meets the conditions can be based, countries should have regard to information available on the level of country risk.
    • When a financial institution relies on a third party that is part of the same financial group, and
      1. that group applies CDD and record-keeping requirements, in line with Recommendations 10, 11 and 12, and programmes against money laundering and terrorist financing, in accordance with Recommendation 18; and
      2. where the effective implementation of those CDD and record-keeping requirements and AML/CFT programmes is supervised at a group level by a competent authority, then
      relevant competent authorities may consider that the financial institution applies measures under (b) and (c) above through its group programme, and may decide that (d) is not a necessary precondition to reliance when higher country risk is adequately mitigated by the group AML/CFT policies.

The obligation to regard the level of country risk replaces an obligation to consider whether a country adequately applies the FATF Recommendations. While this is slightly more expansive in a substantive sense, this only really affirms the impetus on taking a risk-based approach. The financial group section is new for the 2012 recommendations, and reflects the importance of the large corporate structures that are now employed.

This recommendation raises two important points, the first of which relates to the ultimate responsibility for a CDD failure remaining with the financial institution that is relying on a third party. Regardless of how responsibility is delegated, it cannot be abrogated.

Any bank which fails to comply with its CDD responsibilities is likely to suffer reputational damage, particularly if financial penalties are imposed; HSBC is a recent example of this. With this in mind, a bank, when applying a risk-based approach, must implement the necessary controls prior to delegating work conducted in this respect, since it retains the risk should anything go wrong. The approach to be conducted is essentially the same as with any other outsourcing relationship entered into by the financial institution and we would recommend the Risk in Outsourcing paper promulgated by the Bank for International Settlements (BIS) as representing best practice in this regard.

The other important point arising from this recommendation relates to a major change, since there is now the ability to rely on other CDD from your own group. This is extremely helpful for international corporate due diligence, and will streamline the process during international transactions and the formation of business relationships. However, to obtain approval under this exemption, the firm would have to prove that it meets standards set by the host regulator and that compliance with this exemption does not prejudice the home regulator.

  18. Internal controls and foreign branches and subsidiaries (Previously addressed in Recommendations 15 and 22)
    • Financial institutions should be required to implement programmes against money laundering and terrorist financing. Financial groups should be required to implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions should be required to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements implementing the FATF Recommendations through the financial groups' programmes against money laundering and terrorist financing.

The specifications regarding what should be included in the requisite programme appeared in the 2003 recommendations, but have now been removed and included in the interpretive notes only. This recommendation is considerably more succinct than the two it replaces, but is largely similar from a substantive perspective.

  19. Higher-risk countries (Previously addressed in Recommendation 21)
    • Financial institutions should be required to apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries for which this is called for by the FATF. The type of enhanced due diligence measures applied should be effective and proportionate to the risks. Countries should be able to apply appropriate countermeasures when called upon to do so by the FATF. Countries should also be able to apply countermeasures independently of any call by the FATF to do so. Such countermeasures should be effective and proportionate to the risks.

The obligation to take a risk-based approach has been specifically included in the 2012 recommendations, and the details regarding the nature of the enhanced customer due diligence (EDD) to be undertaken are included in the interpretive notes. The 2003 recommendations expressly referred to transactions that have no apparent purpose, but this has now been removed from the body of the recommendation and is instead included in the interpretive notes.

It is interesting to note that the FATF equates higher risk to non-compliance with FATF Recommendations. This takes no account of the country's financial crime record, political stability or any other circumstances which would make the country a high-risk jurisdiction with which to do business. As far as the FATF is concerned, if they comply with its recommendations, they're safe. It is difficult to see how this is consistent with the impetus on taking a risk-based approach.

The list of higher-risk countries, according to FATF compliance, appears at the end of this chapter. There are a number of other sources of what might best be described as higher-risk countries and we would refer you to Transparency International as being one primary source for such information. Its current list is included as an appendix to this book.

Reporting of Suspicious Transactions

  20. Reporting of suspicious transactions (Previously addressed in Recommendation 13 and Special Recommendation IV)
    • If a financial institution suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity, or are related to terrorist financing, it should be required, by law, to report promptly its suspicions to the FIU.

This recommendation amalgamates the two previous recommendations by incorporating both criminal activity and terrorist financing, which is used as an umbrella that is then expanded on in the interpretive notes.

The term “promptly” is not defined in the interpretive notes to this provision, which is unhelpful. In theory, it could mean immediately, by the end of the business day, within 48 hours or within five, seven or ten working days. Accordingly, it is for the firm to be able to justify that it undertook the reporting once it was in a position to do so without obvious delay.

This recommendation also fails to address the amount of information required to be supplied with a report. For example, if you have suspicions without formal information to back this up, then this recommendation could be taken to suggest that you are still obliged to report. Generally, without information there would not be sufficient data to support a suspicion and no report would therefore be made.

However, if you are in the process of collating information, it is unclear when the ideal time to report would be – i.e. immediately, when you have some information or when you have all of the relevant information. The local FIU would normally provide guidance in such cases and helplines are normally available to the MLRO in cases of concern.

  21. Tipping off and confidentiality (Previously addressed in Recommendation 14)
    • Financial institutions, their directors, officers and employees should be:
      (a) protected by law from criminal and civil liability for breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, if they report their suspicions in good faith to the FIU, even if they did not know precisely what the underlying criminal activity was, and regardless of whether illegal activity actually occurred; and
      (b) prohibited by law from disclosing (“tipping off”) the fact that a suspicious transaction report (STR) or related information is being filed with the FIU.

This recommendation has not changed since the 2003 recommendations, apart from its number. Paragraph (a) provides the protection that the officers require. Of course, paragraph (b) could become a problem were allegations made against a firm that had actually reported its suspicion. It would be in the position of being unable to respond to allegations and newspaper stories without breaching legal provisions and this could result in unfortunate consequences.

It is important for information services, such as newspapers and information providers, to appreciate this issue and consider the implications when they are making allegations.

Designated Non-financial Businesses and Professions

  22. DNFBPs: customer due diligence (Previously addressed in Recommendation 12)
    • The customer due diligence and record-keeping requirements set out in Recommendations 10, 11, 12, 15 and 17 apply to designated non-financial businesses and professions (DNFBPs) in the following situations:
      (a) Casinos – when customers engage in financial transactions equal to or above the applicable designated threshold.
      (b) Real estate agents – when they are involved in transactions for their client concerning the buying and selling of real estate.
      (c) Dealers in precious metals and dealers in precious stones – when they engage in any cash transaction with a customer equal to or above the applicable designated threshold.
      (d) Lawyers, notaries, other independent legal professionals and accountants – when they prepare for or carry out transactions for their client concerning the following activities:
        1. buying and selling of real estate;
        2. management of client money, securities or other assets;
        3. management of bank, savings or securities accounts;
        4. organisation of contributions for the creation, operation or management of companies;
        5. creation, operation or management of legal persons or arrangements, and buying and selling of business entities.
      (e) Trust and company service providers – when they prepare for or carry out transactions for a client concerning the following activities:
        1. acting as a formation agent of legal persons;
        2. acting as (or arranging for another person to act as) a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;
        3. providing a registered office, business address or accommodation, correspondence or administrative address for a company, a partnership or any other legal person or arrangement;
        4. acting as (or arranging for another person to act as) a trustee of an express trust or performing the equivalent function for another form of legal arrangement;
        5. acting as (or arranging for another person to act as) a nominee shareholder for another person.

This recommendation has not changed since 2003, apart from the numbering.

This composite recommendation seeks to broaden the money-laundering requirements beyond the financial services sector, picking up accountants, lawyers, casinos, estate agents and trust providers, amongst others. This then leads to an interesting issue as to who within the relevant jurisdiction actually takes ownership of the regulation in such areas. Sometimes it is obvious, as may be the case for chartered accountancy or legal practices, whereas in other cases the business area may actually be unregulated. Are casinos and real estate agents regulated in all countries? Accordingly, it will be important for the financial institution to verify the legal regulatory structure that is in place in all such cases.

Many countries have actually taken these provisions further. In the UK, for example, chartered accountants and auditing firms are subject to these provisions. Regulatory bodies tend to have their own rules which are much more detailed than the ones provided by this recommendation, despite being a subset of the FATF rules.

  23. DNFBPs: Other measures (Previously addressed in Recommendation 16)
    • The requirements set out in Recommendations 18 to 21 apply to all designated non-financial businesses and professions, subject to the following qualifications:
      1. Lawyers, notaries, other independent legal professionals and accountants should be required to report suspicious transactions when, on behalf of or for a client, they engage in a financial transaction in relation to the activities described in paragraph (d) of Recommendation 22. Countries are strongly encouraged to extend the reporting requirement to the rest of the professional activities of accountants, including auditing.
      2. Dealers in precious metals and dealers in precious stones should be required to report suspicious transactions when they engage in any cash transaction with a customer equal to or above the applicable designated threshold.
      3. Trust and company service providers should be required to report suspicious transactions for a client when, on behalf of or for a client, they engage in a transaction in relation to the activities referred to in paragraph (e) of Recommendation 22.

The exemption when legal or professional privilege applies has been moved to the interpretive notes. Other than that, there has been no change to this recommendation from those appearing in 2003.

Transparency and Beneficial Ownership of Legal Persons and Arrangements

  24. Transparency and beneficial ownership of legal persons (Previously addressed in Recommendation 33)
    • Countries should take measures to prevent the misuse of legal persons for money laundering or terrorist financing. Countries should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities. In particular, countries that have legal persons that are able to issue bearer shares or bearer share warrants, or which allow nominee shareholders or nominee directors, should take effective measures to ensure that they are not misused for money laundering or terrorist financing. Countries should consider measures to facilitate access to beneficial ownership and control information by financial institutions and DNFBPs undertaking the requirements set out in Recommendations 10 and 22.

This recommendation has been expanded since 2003. Terrorist financing has been included with the requirement to prevent the misuse of companies for money laundering, which is a continuous theme of expansion throughout the recommendations. Furthermore, the specification that companies able to issue bearer shares should be subject to effective money-laundering-deterrence measures has been expanded, to specifically include companies able to issue bearer share warrants or those which allow nominee shareholders or nominee directors. Although this highlights areas where the FATF has identified a need for enhanced monitoring, there is a risk that, by implication, it could exclude companies not mentioned here.

The requirement for financial institutions to identify beneficial ownership has been extended to DNFBPs by this recommendation. Furthermore, in the 2003 recommendation countries “could” consider measures to facilitate access to beneficial ownership, which has now been replaced by the obligatory “should”. This marks a slight expansion and the expectation of increased enforceability of this recommendation.

  25. Transparency and beneficial ownership of legal arrangements (Previously addressed in Recommendation 34)
    • Countries should take measures to prevent the misuse of legal arrangements for money laundering or terrorist financing. In particular, countries should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries, that can be obtained or accessed in a timely fashion by competent authorities. Countries should consider measures to facilitate access to beneficial ownership and control information by financial institutions and DNFBPs undertaking the requirements set out in Recommendations 10 and 22.

This recommendation has only added the references to terrorist financing and DNFBPs to the 2003 recommendation. Furthermore, the requirement to consider measures to facilitate access to beneficial ownership and control information has been strengthened from “could” in 2003; the word “should” in 2012 now makes this an obligation.

Powers and Responsibilities of Competent Authorities, and Other Institutional Measures

  26. Regulation and supervision of financial institutions (Previously addressed in Recommendation 23)
    • Countries should ensure that financial institutions are subject to adequate regulation and supervision and are effectively implementing the FATF Recommendations. Competent authorities or financial supervisors should take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in, a financial institution. Countries should not approve the establishment, or continued operation, of shell banks. For financial institutions subject to the Core Principles, the regulatory and supervisory measures that apply for prudential purposes, and which are also relevant to money laundering and terrorist financing, should apply in a similar manner for AML/CFT purposes. This should include applying consolidated group supervision for AML/CFT purposes. Other financial institutions should be licensed or registered and adequately regulated, and subject to supervision or monitoring for AML/CFT purposes, having regard to the risk of money laundering or terrorist financing in that sector. At a minimum, where financial institutions provide a service of money or value transfer, or of money or currency changing, they should be licensed or registered, and subject to effective systems for monitoring and ensuring compliance with national AML/CFT requirements.

Financial supervisors should be able to impose the necessary legal or regulatory requirements under this recommendation, as well as competent authorities. This affords countries more freedom in implementing this recommendation, and suggests an acceptance that the end result (the implementation) is more important than the method (which body implements it).

The prohibition on terrorist financing, as well as money laundering, has been included in this recommendation, which is a standard change. There is also a prohibition on the establishment or operation of shell banks, which complements the prohibition on entering into a correspondent banking relationship with a shell bank from Recommendation 13. However, it does seem strange that the shell bank provisions appear in two different recommendations, 13 recommendations apart.

  27. Powers of supervisors (Previously addressed in Recommendation 29)
    • Supervisors should have adequate powers to supervise or monitor, and ensure compliance by, financial institutions with requirements to combat money laundering and terrorist financing, including the authority to conduct inspections. They should be authorised to compel production of any information from financial institutions that is relevant to monitoring such compliance, and to impose sanctions, in line with Recommendation 35, for failure to comply with such requirements. Supervisors should have powers to impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict or suspend the financial institution's licence, where applicable.

This recommendation has been expanded, but not substantively changed since 2003. There is more detail regarding sanctions – dealt with further in the subsequent recommendations – which highlights the importance of compliance with this provision.

  28. Regulation and supervision of DNFBPs (Previously addressed in Recommendation 24)
    • Designated non-financial businesses and professions should be subject to regulatory and supervisory measures as set out below:
      1. Casinos should be subject to a comprehensive regulatory and supervisory regime that ensures that they have effectively implemented the necessary AML/CFT measures. At a minimum:
        1. casinos should be licensed;
        2. competent authorities should take the necessary legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, holding a management function in, or being an operator of, a casino; and
        3. competent authorities should ensure that casinos are effectively supervised for compliance with AML/CFT requirements.
      2. Countries should ensure that the other categories of DNFBPs are subject to effective systems for monitoring and ensuring compliance with AML/CFT requirements. This should be performed on a risk-sensitive basis. This may be performed by:
        1. a supervisor, or
        2. an appropriate self-regulatory body (SRB), provided that such a body can ensure that its members comply with their obligations to combat money laundering and terrorist financing.
    • The supervisor or SRB should also:
      1. take the necessary measures to prevent criminals or their associates from being professionally accredited, or holding or being the beneficial owner of a significant or controlling interest or holding a management function, e.g. through evaluating persons on the basis of a “fit and proper” test; and
      2. have effective, proportionate and dissuasive sanctions in line with Recommendation 35 available to deal with failure to comply with AML/CFT requirements.

The final section outlining the sanctions available to the supervisor or SRB has been added to the recommendation. As with the previous recommendation, this strengthens the regulation and, in theory, deters non-compliance. However, in practice, there could be local practical problems here if some of the areas are not currently regulated.

Operational and Law Enforcement

  29. FIUs (Previously addressed in Recommendation 26)
    • Countries should establish an FIU that serves as a national centre for the receipt and analysis of:
      1. suspicious transaction reports; and
      2. other information relevant to money laundering, associated predicate offences and terrorist financing, and for the dissemination of the results of that analysis.
    • The FIU should be able to obtain additional information from reporting entities, and should have access on a timely basis to the financial, administrative and law-enforcement information that it requires to undertake its functions properly.

This recommendation has been reworded, but not substantively changed since 2003.

  30. Responsibilities of law-enforcement and investigative authorities (Previously addressed in Recommendation 27)
    • Countries should ensure that designated law-enforcement authorities have responsibility for money-laundering and terrorist-financing investigations within the framework of national AML/CFT policies. At least in all cases related to major proceeds-generating offences, these designated law-enforcement authorities should develop a proactive parallel financial investigation when pursuing money laundering, associated predicate offences and terrorist financing. This should include cases where the associated predicate offence occurs outside their jurisdictions. Countries should ensure that competent authorities have responsibility for expeditiously identifying, tracing and initiating actions to freeze and seize property that is, or may become, subject to confiscation, or is suspected of being proceeds of crime. Countries should also make use, when necessary, of permanent or temporary multi-disciplinary groups specialised in financial or asset investigations. Countries should ensure that, when necessary, cooperative investigations with appropriate competent authorities in other countries take place.

This recommendation has been expanded considerably, with law-enforcement agencies now being required to take proactive action and have wider and more comprehensive powers than existed under the previous recommendation. While there has been no substantive change as such, the scope of this recommendation has been expanded.

  31. Powers of law-enforcement and investigative authorities (Previously addressed in Recommendation 28)
    • When conducting investigations of money laundering, associated predicate offences and terrorist financing, competent authorities should be able to obtain access to all necessary documents and information for use in those investigations, and in prosecutions and related actions. This should include powers to use compulsory measures for the production of records held by financial institutions, DNFBPs and other natural or legal persons, for the search of persons and premises, for taking witness statements and for the seizure and obtaining of evidence.
    • Countries should ensure that competent authorities conducting investigations are able to use a wide range of investigative techniques suitable for the investigation of money laundering, associated predicate offences and terrorist financing. These investigative techniques include: undercover operations, intercepting communications, accessing computer systems and controlled delivery. In addition, countries should have effective mechanisms in place to identify, in a timely manner, whether natural or legal persons hold or control accounts. They should also have mechanisms to ensure that competent authorities have a process to identify assets without prior notification to the owner. When conducting investigations of money laundering, associated predicate offences and terrorist financing, competent authorities should be able to ask for all relevant information held by the FIU.

The second section of this recommendation is new, and significantly expands the powers of competent authorities to combat money laundering and terrorist financing. The first section has also undergone minor alterations, expanding the scope of the 2003 recommendation.

  32. Cash couriers (Previously addressed in Special Recommendation IX)
    • Countries should have measures in place to detect the physical cross-border transportation of currency and bearer negotiable instruments, including through a declaration system and/or disclosure system.
    • Countries should ensure that their competent authorities have the legal authority to stop or restrain currency or bearer negotiable instruments that are suspected to be related to terrorist financing, money laundering or predicate offences, or that are falsely declared or disclosed.
    • Countries should ensure that effective, proportionate and dissuasive sanctions are available to deal with persons who make false declaration(s) or disclosure(s). In cases where the currency or bearer negotiable instruments are related to terrorist financing, money laundering or predicate offences, countries should also adopt measures, including legislative ones consistent with Recommendation 4, which would enable the confiscation of such currency or instruments.

Obviously, monies moving across borders could be inappropriate; the FATF has therefore introduced these requirements, which are broader than the requirements in the original recommendations.

The placing of this recommendation seems strange. It does not make sense to have this recommendation in the middle of the recommendations about sanctions. Instead, it would seem much more logical to place this recommendation much earlier, with the correspondent banking or other payment system provisions.

Additionally, the idea that a country can have measures to detect bearer negotiable instruments is fanciful, which is reinforced by the suggestion that this could be done through a declaration or disclosure system. Large amounts of currency will inevitably take up space in a suitcase, and would be possible, albeit potentially difficult, to find. Bearer negotiable instruments, however, can be single pieces of paper, which would be easy to hide in a suitcase or large file. If, for example, a corporate trainer was giving a presentation in another country and was shipping handouts of his 600 PowerPoint slides for 20 delegates, that could easily generate 3,000 pieces of paper. It would be entirely impractical for a customs official to check every side of every page to ensure that no bearer negotiable instruments had been hidden in one of the packs.

It also seems strange that this recommendation seeks to restrain bearer negotiable instruments. Even if they were previously used to launder illegitimate funds, the instrument could have been purchased legitimately on the market for value by an innocent purchaser. Restraining the instrument in this instance would be shutting the stable door long after the horse had bolted with a saddlebag full of the proceeds of crime.

Further on this point, no courier would ever agree to these recommendations, in case a bearer negotiable instrument is included in documents they are shipping. A courier is a transporter with no involvement in the business of its clients, and would not agree to take the risk of having legitimate documents confiscated, which would place it in breach of contract.

To comply with these requirements a firm should implement a series of policies and procedures that set out the programme to be followed in such cases. This would highlight such instruments as requiring a higher level of due diligence due to the ease of transfer; but the same is also true of other assets, such as coins and paintings.

General Requirements

  33. Statistics (Previously addressed in Recommendation 32)
    • Countries should maintain comprehensive statistics on matters relevant to the effectiveness and efficiency of their AML/CFT systems. This should include statistics on the STRs received and disseminated; on money-laundering and terrorist-financing investigations, prosecutions and convictions; on property frozen, seized and confiscated; and on mutual legal assistance or other international requests for cooperation.

This recommendation has undergone minor reductions, but no substantive changes have been made since 2003. The reference to reviewing the effectiveness of the systems using the statistics no longer appears in this recommendation, but the same obligation is imposed by Recommendation 2.

  34. Guidance and feedback (Previously addressed in Recommendation 25)
    • The competent authorities, supervisors and SRBs should establish guidelines, and provide feedback, which will assist financial institutions and designated non-financial businesses and professions in applying national measures to combat money laundering and terrorist financing, and, in particular, in detecting and reporting suspicious transactions.

In 2012 this obligation was extended to supervisors and SRBs, but this is the only change which has been made to this recommendation.

Of course, in designing such guidelines some authorities will impose additional requirements of which the international bank must be aware. Clearly, different authorities respond in differing ways with varying levels of information, but at least this recommendation sets the objective clearly. In some countries, by the time a response is received from the regulatory agency the money launderer will be long gone, effectively undermining the entire process.

Sanctions

  35. Sanctions (Previously addressed in Recommendation 17)
    • Countries should ensure that there is a range of effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, available to deal with natural or legal persons covered by Recommendations 6, and 8 to 23 that fail to comply with AML/CFT requirements. Sanctions should be applicable not only to financial institutions and DNFBPs, but also to their directors and senior management.

The scope of this provision has been extended, as directors and senior management were not specifically covered by the 2003 recommendation. This is consistent with the strengthening of various other recommendations, and making management personally liable for non-compliance will inevitably make the recommendations more effective. The reference to a “range” of sanctions is also new, and enhances this point.

International Cooperation

  36. International instruments (Previously addressed in Recommendation 35 and Special Recommendation I)
    • Countries should take immediate steps to become party to and implement fully the Vienna Convention, 1988; the Palermo Convention, 2000; the United Nations Convention against Corruption, 2003; and the Terrorist Financing Convention, 1999. Where applicable, countries are also encouraged to ratify and implement other relevant international conventions, such as the Council of Europe Convention on Cybercrime, 2001; the Inter-American Convention against Terrorism, 2002; and the Council of Europe Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime and on the Financing of Terrorism, 2005.

The scope of the legislation countries are required to implement has been expanded, but this is inevitable given that some of these conventions were passed after the 2003 recommendations were released. In principle, however, this recommendation has not changed since 2003.

  37. Mutual legal assistance (Previously addressed in Recommendation 36 and Special Recommendation V)
    • Countries should rapidly, constructively and effectively provide the widest possible range of mutual legal assistance in relation to money-laundering, associated predicate offences and terrorist-financing investigations, prosecutions and related proceedings. Countries should have an adequate legal basis for providing assistance and, where appropriate, should have in place treaties, arrangements or other mechanisms to enhance cooperation. In particular, countries should:
      1. Not prohibit, or place unreasonable or unduly restrictive conditions on, the provision of mutual legal assistance.
      2. Ensure that they have clear and efficient processes for the timely prioritisation and execution of mutual legal assistance requests. Countries should use a central authority, or another established official mechanism, for effective transmission and execution of requests. To monitor progress on requests, a case management system should be maintained.
      3. Not refuse to execute a request for mutual legal assistance on the sole ground that the offence is also considered to involve fiscal matters.
      4. Not refuse to execute a request for mutual legal assistance on the grounds that laws require financial institutions to maintain secrecy or confidentiality.
      5. Maintain the confidentiality of mutual legal assistance requests they receive and the information contained in them, subject to fundamental principles of domestic law, in order to protect the integrity of the investigation or inquiry. If the requested country cannot comply with the requirement of confidentiality, it should promptly inform the requesting country.
    • Countries should render mutual legal assistance, notwithstanding the absence of dual criminality, if the assistance does not involve coercive actions. Countries should consider adopting such measures as may be necessary to enable them to provide a wide scope of assistance in the absence of dual criminality.
    • Where dual criminality is required for mutual legal assistance, that requirement should be deemed to be satisfied regardless of whether both countries place the offence within the same category of offence, or denominate the offence by the same terminology, provided that both countries criminalise the conduct underlying the offence.
    • Countries should ensure that, of the powers and investigative techniques required under Recommendation 31, and any other powers and investigative techniques available to their competent authorities:
      1. all those relating to the production, search and seizure of information, documents or evidence (including financial records) from financial institutions or other persons, and the taking of witness statements; and
      2. a broad range of other powers and investigative techniques
      are also available for use in response to requests for mutual legal assistance, and, if consistent with their domestic framework, in response to direct requests from foreign judicial or law-enforcement authorities to domestic counterparts.
    • To avoid conflicts of jurisdiction, consideration should be given to devising and applying mechanisms for determining the best venue for prosecution of defendants in the interests of justice in cases that are subject to prosecution in more than one country.
    • Countries should, when making mutual legal assistance requests, make best efforts to provide complete factual and legal information that will allow for timely and efficient execution of requests, including any need for urgency, and should send requests using expeditious means. Countries should, before sending requests, make best efforts to ascertain the legal requirements and formalities to obtain assistance.
    • The authorities responsible for mutual legal assistance (e.g. a Central Authority) should be provided with adequate financial, human and technical resources. Countries should have in place processes to ensure that the staff of such authorities maintain high professional standards, including standards concerning confidentiality, and should be of high integrity and be appropriately skilled.

The requirements relating to mutual legal assistance have been expanded considerably since 2003. Mutual legal assistance was covered in the 2003 recommendations, but not in this level of detail and not with this level of force. This reflects the worldwide, cross-jurisdictional and cross-border nature of modern money laundering, and that mutual legal assistance is vital to an effective AML regime.

  38. Mutual legal assistance: freezing and confiscation (Previously addressed in Recommendation 38)
    • Countries should ensure that they have the authority to take expeditious action in response to requests by foreign countries to identify, freeze, seize and confiscate property laundered; proceeds from money laundering, predicate offences and terrorist financing; instrumentalities used in, or intended for use in, the commission of these offences; or property of corresponding value. This authority should include being able to respond to requests made on the basis of non-conviction-based confiscation proceedings and related provisional measures, unless this is inconsistent with fundamental principles of their domestic law. Countries should also have effective mechanisms for managing such property, instrumentalities or property of corresponding value, and arrangements for coordinating seizure and confiscation proceedings, which should include the sharing of confiscated assets.

The requirements relating to non-conviction-based confiscation proceedings are new to the FATF Recommendations, and are also introduced in Recommendation 4. Developing the previous recommendation, this expands the scope of the mutual legal assistance.

  39. Extradition (Previously addressed in Recommendation 39)
    • Countries should constructively and effectively execute extradition requests in relation to money laundering and terrorist financing, without undue delay. Countries should also take all possible measures to ensure that they do not provide safe havens for individuals charged with the financing of terrorism, terrorist acts or terrorist organisations. In particular, countries should:
      1. ensure money laundering and terrorist financing are extraditable offences;
      2. ensure that they have clear and efficient processes for the timely execution of extradition requests including prioritisation where appropriate. To monitor progress of requests, a case management system should be maintained;
      3. not place unreasonable or unduly restrictive conditions on the execution of requests; and
      4. ensure they have an adequate legal framework for extradition.
    • Each country should either extradite its own nationals, or, where a country does not do so solely on the grounds of nationality, that country should, at the request of the country seeking extradition, submit the case, without undue delay, to its competent authorities for the purpose of prosecution of the offences set forth in the request. Those authorities should take their decision and conduct their proceedings in the same manner as in the case of any other offence of a serious nature under the domestic law of that country. The countries concerned should cooperate with each other, in particular on procedural and evidentiary aspects, to ensure the efficiency of such prosecutions.
    • Where dual criminality is required for extradition, that requirement should be deemed to be satisfied regardless of whether both countries place the offence within the same category of offence, or denominate the offence by the same terminology, provided that both countries criminalise the conduct underlying the offence.
    • Consistent with fundamental principles of domestic law, countries should have simplified extradition mechanisms, such as allowing direct transmission of requests for provisional arrests between appropriate authorities, extraditing persons based only on warrants of arrests or judgments, or introducing a simplified extradition of consenting persons who waive formal extradition proceedings. The authorities responsible for extradition should be provided with adequate financial, human and technical resources. Countries should have in place processes to ensure that the staff of such authorities maintain high professional standards, including standards concerning confidentiality, and should be of high integrity and be appropriately skilled.

The scope of this recommendation has been expanded by introducing numerous procedural requirements, which will enhance the efficiency and the overall effectiveness of extradition requests. This is an essential part of AML sanctions, and is consistent with the strengthening of this area highlighted in the previous recommendations.

The phrase “without undue delay”, in relation to countries dealing with extradition requests, may not be practical. An example of this was the recent case involving five terrorism suspects including Abu Hamza, where one of the suspects, Babar Ahmad, was charged with money laundering. The extradition process from the UK took eight years, as there were many legal and human rights issues to be tried. Given the nature of the legal system, with various domestic and European appeal courts including the Court of Appeal, the Supreme Court and the European Court of Human Rights, there will be cases where it is simply impossible to extradite a suspect “without undue delay”.

  40. Other forms of international cooperation (Previously addressed in Recommendation 40)
    • Countries should ensure that their competent authorities can rapidly, constructively and effectively provide the widest range of international cooperation in relation to money laundering, associated predicate offences and terrorist financing. Countries should do so both spontaneously and upon request, and there should be a lawful basis for providing cooperation. Countries should authorise their competent authorities to use the most efficient means to cooperate. Should a competent authority need bilateral or multilateral agreements or arrangements, such as a Memorandum of Understanding (MOU), these should be negotiated and signed in a timely way with the widest range of foreign counterparts. Competent authorities should use clear channels or mechanisms for the effective transmission and execution of requests for information or other types of assistance. Competent authorities should have clear and efficient processes for the prioritisation and timely execution of requests, and for safeguarding the information received.

Parts of this recommendation have been incorporated into other recommendations on sanctions, so this recommendation now appears shorter. However, as with the previous sanctions recommendations, it has been enhanced. The references to MOUs are new, and there are various minor linguistic alterations making this recommendation more forceful.

3.3 FATF HIGH-RISK COUNTRIES

The following lists outline the jurisdictions which the FATF considers to be high risk, in accordance with their level of compliance with AML procedures. The lists were correct as of May 2014.

The FATF calls on its members and other jurisdictions to apply countermeasures to protect the international financial system from the ongoing and substantial money-laundering and terrorist-financing (ML/TF) risks emanating from the following jurisdictions:

  • Iran
  • Democratic People's Republic of Korea (DPRK).

Jurisdictions with strategic AML/CFT deficiencies that have not made sufficient progress in addressing the deficiencies or have not committed to an action plan developed with the FATF to address the deficiencies. The FATF calls on its members to consider the risks arising from the deficiencies associated with each jurisdiction, as described below.

  • Algeria
  • Ecuador
  • Ethiopia
  • Indonesia
  • Kenya*
  • Myanmar
  • Pakistan
  • Syria
  • Tanzania*
  • Turkey
  • Yemen.

* Kenya and Tanzania are now identified in the FATF document Improving Global AML/CFT Compliance: On-going Process due to their progress in substantially addressing their action plan agreed upon with the FATF.

3.4 SOUND MANAGEMENT OF RISKS RELATED TO MONEY LAUNDERING AND FINANCING OF TERRORISM

The Basel Committee on Banking Supervision, sitting within the Bank for International Settlements, is the leading global standard-setter for worldwide banking regulation and supervision. Its mandate is to strengthen the regulation, supervision and practices of banks worldwide, with the purpose of enhancing financial stability. In full support of the Financial Action Task Force Recommendations, the Committee issued a paper entitled Sound management of risks related to money laundering and financing of terrorism in January 2014, which provides a framework of regulatory best practice broadly based on the FATF Recommendations.

The paper divides its recommendations across three lines of defence against money laundering.

3.4.1 The First Line of Defence

The paper states that the front-office staff acting in a client-facing role should be considered the first line of defence against financial crime. They are in charge of identifying, assessing and controlling the risks of their business, and should know and carry out the policies and procedures and be allotted sufficient resources to do this effectively. The obligations fall both on the staff, who should remain vigilant at all times to apply the principles without alerting the clients, and the senior management, to select appropriate staff and ensure that adequate guidance and training to fulfil the role bestowed on them is available.

3.4.2 The Second Line of Defence

The senior management and compliance team form the second line of defence against money laundering. The chief officer in charge of AML/CFT should have the responsibility for ongoing monitoring of the fulfilment of all AML/CFT duties by the bank. This implies sample testing of compliance and review of exception reports to alert senior management or the board of directors if it is believed management is failing to address AML/CFT procedures in a responsible manner. The chief AML/CFT officer should be the contact point regarding all AML/CFT issues for internal and external authorities, including supervisory authorities or FIUs.

While this may be a good idea in principle, its application will inevitably vary depending on the size of the institution. The chief AML officer of a major organisation will find it particularly difficult to monitor all AML obligations, and so this will usually be delegated to staff working closer to the front-office operation.

3.4.3 The Third Line of Defence

The internal audit function provides the third line of defence, and plays an important role in independently evaluating the risk management and controls. It discharges its responsibility to the audit committee of the board of directors or a similar oversight body through periodic evaluations of the effectiveness of compliance with AML/CFT policies and procedures. The guidance provides that a bank should establish policies for conducting audits of (a) the adequacy of the bank's AML/CFT policies and procedures in addressing identified risks; (b) the effectiveness of bank staff in implementing the bank's policies and procedures; (c) the effectiveness of compliance oversight and quality control including parameters of criteria for automatic alerts; and (d) the effectiveness of the bank's training of relevant personnel. Senior management should ensure that audit functions are allocated staff who are knowledgeable and have the appropriate expertise to conduct such audits. Management should also ensure that the audit scope and methodology are appropriate for the bank's risk profile and that the frequency of such audits is also based on risk. Periodically, internal auditors should conduct AML/CFT audits on a bank-wide basis. In addition, internal auditors should be proactive in following up their findings and recommendations. As a general rule, the processes used in auditing should be consistent with the internal audit's broader audit mandate, subject to any prescribed auditing requirements applicable to AML/CFT measures.

While this is an important part of the AML deterrence regime, the hands-off, reactive and intermittent nature of internal audit means that by the time any suspicious activity is found, it may be too late. Instead, this line of defence serves to plug any gaps in the first and second lines of defence.

The sound practices paper largely follows the FATF proposals. There are, however, a couple of sections which do provide some useful additional guidance.

3.4.4 Risk Assessment and Management

Under the above heading the BIS states:

“The bank should have a thorough understanding of all the risks associated with its customers across the group, either individually or as a category, and should document and update these on a regular basis, commensurate with the level and nature of risk in the group. In assessing customer risk, a bank should identify all relevant risk factors such as geographical location and patterns of transaction activity (declared or self-stated) and usage of bank products and services and establish criteria for identifying higher-risk customers. These criteria should be applied across the bank, its branches and its subsidiaries and through outsourced activities. Customers that pose a higher risk of ML/FT to the bank should be identified across the group using these criteria. Customer risk assessments should be applied on a group-wide basis or at least be consistent with the group-wide risk assessment. Taking into account differences in risks associated with customer categories, group policy should recognise that customers in the same category may pose different risks in different jurisdictions. The information collected in the assessment process should then be used to determine the level and nature of overall group risk and support the design of appropriate group controls to mitigate these risks. The mitigating factors can comprise additional information from the customer, tighter monitoring, more frequent updating of personal data and visits by bank staff to the customer location.”

Again, the risk-based approach is emphasised, but I would particularly highlight the mention made of outsourced activities. It needs to be recognised that such activities are still the responsibility of the bank even if not conducted by the bank. Accordingly, the same standards of risk management and due diligence should be applied.

3.4.5 Policies and Procedures

Within this section the following paragraphs appear:

“Regardless of its location, each office should establish and maintain effective monitoring policies and procedures that are appropriate to the risks present in the jurisdiction and in the bank. This local monitoring should be complemented by a robust process of information-sharing with the head office, and if appropriate with other branches and subsidiaries regarding accounts and activity that may represent heightened risk.”

“To effectively manage the ML and FT risks arising from such accounts, a bank should integrate this information based not only on the customer but also on its knowledge of both the beneficial owners of the customer and the funds involved. A bank should monitor significant customer relationships, balances and activity on a consolidated basis, regardless of whether the accounts are held on-balance sheet, off-balance sheet, as assets under management or on a fiduciary basis, and regardless of where they are held. The FATF standards have now also set out more details relating to banks' head office oversight of group compliance, audit and/or AML/CFT functions. Moreover, if these guidelines have been conceived primarily for banks, they might be of interest for conglomerates (including banks).”

Again, the risk-based approach is emphasised, an approach the BIS takes in most of its pronouncements. The issue of monitoring on a consolidated basis can cause difficulties for a bank. Many banks do not have identical computer systems operating in every jurisdiction, and consequently account-naming conventions can vary. This could result in complexities in appreciating global consolidated exposures. Accordingly, financial institutions do need to have a clear data strategy and account-naming convention to deal with such matters; a task which should not be underestimated.

The remaining matters in this paper essentially repeat matters that have already been referred to in this book.
