Extracts from the FATF Recommendations and relevant FATF guidance and best practices are reproduced with kind permission of the Financial Action Task Force.
The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is, therefore, a “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.
The FATF has developed a series of recommendations that are recognised as the international standard for combating money laundering and the financing of terrorism and proliferation of weapons of mass destruction. They form the basis for a coordinated response to these threats to the integrity of the financial system and help ensure a level playing field. First issued in 1990, the FATF Recommendations were revised in 1996, 2001, 2003 and, most recently, in 2012 to ensure that they remain up to date and relevant, and they are intended to be for universal application.
The FATF monitors the progress of its members in implementing necessary measures, reviews money-laundering and terrorist-financing techniques and countermeasures, and promotes the adoption and implementation of appropriate measures globally. In collaboration with other international stakeholders, the FATF works to identify national-level vulnerabilities with the aim of protecting the international financial system from misuse.
The FATF's decision-making body, the FATF Plenary, meets three times per year.
In response to mounting concern over money laundering, the Financial Action Task Force on Money Laundering (FATF) was established by the G-7 Summit that was held in Paris in 1989. Recognising the threat money laundering posed to the banking system and to financial institutions, the G-7 Heads of State or Government and the President of the European Commission convened the Task Force from the G-7 member states, the European Commission and eight other countries.
The FATF was given the responsibility of examining money-laundering techniques and trends, reviewing the action which had already been taken at a national or international level and setting out the measures that still needed to be taken to combat money laundering. In April 1990, less than one year after its creation, the FATF issued a report containing a set of forty recommendations, which were intended to provide a comprehensive plan of action needed to fight money laundering. They still form the real basis for all money-laundering regulations worldwide and while they have now been updated, these original recommendations largely remain the key requirements.
In 2001, the development of standards in the fight against terrorist financing was added to the mission of the FATF, extending its role beyond pure money-laundering deterrence. As a consequence, in October 2001, the FATF issued eight special recommendations to deal with the issue of terrorist financing. The continued evolution of money-laundering techniques led the FATF to revise the FATF standards comprehensively in June 2003. In October 2004, the FATF published a ninth special recommendation, further strengthening the agreed international standards for combating money laundering and terrorist financing, resulting in the production of what came to be known as the 40+9 Recommendations.
In February 2012, the FATF completed a thorough review of its standards and published the revised FATF 40 Recommendations. The objective of this revision was to further strengthen global safeguards and also to protect the integrity of the financial system by providing governments with stronger tools to take action against financial crime. Of course, since the FATF does not have any legal standing in any country, this is really attempting to create a global level playing field in financial crime and terrorist-financing deterrence by creating international best practice, hoping that this will exert pressure for compliance. The recommendations have been expanded to deal with perceived new threats such as the financing of the proliferation of weapons of mass destruction, and to be clearer on transparency and tougher on corruption. The nine special recommendations on terrorist financing have now been fully integrated with the measures against money laundering. This has resulted in a stronger and clearer set of standards, albeit substantially unchanged in many areas.
The FATF, of course, has no global jurisdiction and consequently its standards take effect only where local rules and regulations are implemented. As referred to above, the FATF does, however, conduct reviews of the level of compliance within jurisdictions with the FATF recommendations and this does provide some level of impetus for their implementation. These reports are publicly available on the FATF website. In this chapter we also identify whether these recommendations are new in 2012 or whether these are the existing recommendations from the 40+9 set.
The 40 current FATF recommendations are outlined below.
This is a new, explicit recommendation, which perpetuates the principle of taking a risk-based approach. The FATF is keen for its members to adopt risk-based strategies in their AML regimes, which is further highlighted by the fact that this recommendation appears before the criminalisation of the money-laundering offence, which has been relegated to Recommendation 3.
By bringing this in as the first recommendation, the FATF is putting the onus on firms to implement such a risk-based regime and, as we shall discuss later, this may require the implementation of some form of money-laundering-deterrence monitoring software. The risk-based approach to implementation is, however, not without some measure of risk. If a risk-based approach results in less work being conducted in one area to enable more work to be conducted in another, then the risk exists that the initial analysis will be proven to be incorrect. In such cases, the firm will need to show that its procedures are not only compliant with local rules and regulations but also meet expectations that are likely to be developed with the benefit of hindsight.
The consequence of this is that while it is important to implement a risk-based approach, as we shall discuss again later, firms must ensure that their procedural and transactional documentation is adequate to provide a defence against an accusation that the risk-based approach was being used to enable a firm to “turn a blind eye” to potential money laundering.
This is more expansive than the 2003 recommendation. It does suggest that the local regime should be based on local risk analysis so that it is necessary for FIUs (or other appropriate bodies) to undertake a review of the risks that both financial crime and terrorist financing pose to their local markets. Of course, it would be helpful were this to be made public so that firms could then apply this within their implementation of the risk-based approach, but at present few countries have clearly set this out publicly.
The United Nations Conference for the Adoption of a Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances met at the Neue Hofburg in Vienna from 25th November to 20th December, 1988 and this resulted in what is now known as the Vienna Convention. This was published as the United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances 1988, highlighting the limited focus of the convention. 106 countries participated in the convention. The convention itself consists of 34 articles including consideration of the labelling of exports and commercial documents. As such, this convention is for a wider audience than purely the financial community.
This particular article does warrant additional review. It states:
“Each party shall require that lawful exports of narcotic drugs and psychotropic substances be properly documented. In addition there is a requirement to document the quantity being exported, and the name and address of the exporter, the importer and, when available, the consignee. Each party is required to ensure that consignments of narcotic drugs and psychotropic substances being exported are not mislabelled.”
So the objective is to separate legal drug import and export from illegal trafficking through a labelling system.
The Palermo Convention dates from 8th January, 2001 and was again published by the United Nations. The United Nations were “deeply concerned by the negative economic and social implications related to organised criminal activities, and convinced of the urgent need to strengthen cooperation to prevent and combat such activities more effectively at the national, regional and international levels”. They also noted with deep concern the growing links between transnational organised crime and terrorist crimes. They sought to broaden the previous treaty to include other areas including terrorist financing and corruption and were seeking bilateral agreements between parties to enable better detection and investigation to occur. The organisation even went so far as to state the information that a cross-jurisdictional information request should include, as well as including the requirements for training of law-enforcement officers.
By including these conventions within this recommendation the FATF is seeking to highlight the importance of cooperation and also to reflect much of the work that has been conducted which should be included within local jurisdictional law. This FATF recommendation is considerably more succinct than the 2003 recommendations, even though the two conventions mentioned were passed prior to 2003. This, therefore, affords countries more freedom in the manner in which they criminalise money laundering.
Countries should adopt measures similar to those set forth in the Vienna Convention, the Palermo Convention and the Terrorist Financing Convention, including legislative measures, to enable their competent authorities to freeze or seize and confiscate the following, without prejudicing the rights of bona fide third parties:
Such measures should include the authority to:
Countries should consider adopting measures that allow such proceeds or instrumentalities to be confiscated without requiring a criminal conviction (non-conviction-based confiscation), or which require an offender to demonstrate the lawful origin of the property alleged to be liable to confiscation, to the extent that such a requirement is consistent with the principles of their domestic law.
The International Convention on the Suppression of the Financing of Terrorism was adopted by the United Nations on 5th December, 1999. Focussing on legal definitions and penalties, the requirement for international cooperation and customer information requirements, it led to the development of the nine additional FATF terrorist-financing principles.
This recommendation requires legislation to be implemented to enable the competent authorities to seize the assets of money launderers or assets used in terrorist financing. Of course, there is normally different legislation regarding such matters, which usually covers all crime, not just money laundering. For example, direct theft of an asset (e.g. a car) would already typically be caught by such legislation. What this recommendation achieves is to extend this to all areas of money laundering and terrorist financing. It tends to result in competent authorities having the ability to seize physical property and bank accounts, as well as the high-profile cars.
In terms of development from the 2003 recommendations, this recommendation widens the scope of the previous recommendation by including the Terrorist Financing Convention (even though this was passed in 1999), expanding the freezing and seizing power to three instances rather than one, and including property involved in terrorist financing.
The peculiarity of this recommendation, which also appears in Recommendation 38, is the use of the word “instrumentalities” – in English, this word would not be used in this scenario. The Encarta English Dictionary defines instrumentalities as the plural of instrumentality, which is defined as “the quality or state of being instrumental”. The word “instruments” would appear to fit with the context of this recommendation and would make much more sense than “instrumentalities”, so we take “instrumentalities” to mean “instruments” here.
This recommendation widens the scope of the previous special recommendation to include the financing of individual terrorists, whereas the 2003 recommendation only suggested that “each country should criminalise the financing of terrorism, terrorist acts and terrorist organisations”. This gives countries a wider scope to apply pre-emptive measures before a terrorist act has been committed, and gives countries the power to intervene even if they are unaware who a suspected terrorist is cooperating with. Of course, this recommendation is not binding – it is up to individual countries to pass legislation to make this effective. Without this, the recommendation is just an idea with no legal force.
This recommendation expands on the previous special recommendation by specifying “targeted financial sanctions” in addition to the freezing requirements imposed by the resolutions.
The requirement to freeze assets without delay poses some logistical problems. The regulator is unlikely to have the authority to freeze the assets of a customer of a bank, whereas the FIU or some other appropriately authorised body probably will have. However, this is entirely dependent on the laws of the country. In any case, a court application will still generally be required. Furthermore, an FIU will be dealing with all of the legal issues arising throughout a country, so some delay is inevitable. It will take time for the FIU to receive, assess and approve a freezing order, by which time the funds may have been moved freely by the customer.
Another issue this recommendation poses is the willingness of banks to freeze the assets of their customers. Where this is done and it turns out that the customer was not involved in criminal activity, there will inevitably be complaints, compensation and probably a loss of business for the bank. Financial institutions will understandably be unwilling to expose themselves to this risk, and any reluctance will cause further delay, contrary to the objectives of this recommendation.
A nineteen-page best practice paper accompanies this recommendation, outlining identification procedures, access to and freezing of prohibited funds. Example provisions appear below, but please refer to the guidance for the full text.
The best practice provides that “Recommendation 6 is intended to assist countries in implementing the targeted financial sanctions contained in the UN resolutions relating to the prevention and suppression of terrorism and terrorist financing. These resolutions require countries to freeze, without delay, the funds or other assets of, and to ensure that no funds or other assets are made available, directly or indirectly, to or for the benefit of, any person or entity either (a) designated by, or under the authority of, the United Nations Security Council (the Security Council) under Chapter VII of the Charter of the United Nations, including in accordance with the Al-Qaida/Taliban sanctions regimes; or (b) designated by that country or by a supra-national jurisdiction pursuant to UNSCR 1373. Such measures may be either judicial or administrative in nature.”
In terms of practical application, the guidance calls for “institutional arrangements allowing for close co-ordination among financial, intelligence and law enforcement authorities and the incorporation of the measures into the country's broader counter-terrorism policy. Countries should also have in place procedures to protect all sources of information, including intelligence and closed-source materials, used in the designation of persons and entities as being subject to the asset freeze measures.”
With regard to legal process, “measures to freeze terrorist funds or other assets may complement criminal proceedings against a designated person or entity, but are not conditional upon the existence of such proceedings. The measures serve as a preventive or disruptive tool when criminal proceedings are either not possible or not practical. This does not, of course, prevent freezing procedures as such forming a part of criminal procedures.”
For the effective implementation of an asset freeze, robust identifying information is essential. At the extreme end of the scale, poor quality identifiers are an obstacle to the enforcement of an asset freeze. Single-name identifiers, in particular, represent problems for enforcement. Best efforts should therefore be made to ensure as much identifying information as possible is provided upon designation, and that such information is updated as more identifying data become available. Where operational imperatives allow, jurisdictions may consider postponing a designation in situations where there is insufficient identifying information, until further information is available.
In order to implement the targeted financial sanction regimes required under Recommendation 6, including initiating, or making proposals for, designations, there will be a need to engage with a range of authorities (for example, Foreign Affairs, Justice, Treasury, Finance, Central Bank, Interior or Public Safety) and agencies (for example, security, intelligence, law enforcement, the FIU). Countries should have appropriate structures and procedures to ensure the effective implementation of the asset-freeze mechanism.
In order to comply with requirements to grant exemptions for access to frozen funds or other assets for basic or extraordinary expenses as set out in Resolution 1452 (2002) whilst still ensuring that the asset freeze is maintained, strong relationships and robust cross-government processes should be built and maintained.
In the UK, the Treasury's Asset Freezing Unit is responsible for designating terrorist freezing targets under Resolution 1373 (2001). More information on the Asset Freezing Unit and a consolidated list of asset freeze targets designated by the United Nations, European Union and United Kingdom under legislation relating to current financial sanction regimes are available in the relevant chapters of this book.
This recommendation is similar to Recommendation 6, and poses the same problems regarding freezing assets without delay. While this idea is desirable in theory, the logistics required may cause problems in practice.
This recommendation has not changed since the 2003 version, when it was completely new. It requires reviews to be conducted into not-for-profit organisations which could potentially be used for money laundering. The level of work required varies considerably between jurisdictions.
Linguistically, this recommendation refers to “non-profit organisations”. This is unusual, as the usual terms would be “charities” or “not-for-profit organisations”. Strictly speaking, any business which makes a loss is a non-profit organisation, although this is clearly not the intended meaning in this recommendation.
The recommendation also requires countries to think through the nature of the structures available within their legal jurisdiction, identifying non-profit organisations as an example. It may well be that there are other constructs within a specific jurisdiction that are particularly suitable for money laundering which would then be caught by this recommendation.
The interpretive notes to the recommendation define a non-profit organisation as “a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of ‘good works’”. There is no further definition of the subjective term “good works”, but it is clear from this definition that “non-profit organisation” is intended to mean the same thing as the more standard “not-for-profit organisation”. As with a number of instances in these recommendations, the language is perhaps not as clear as it could be.
An updated best practice was introduced in June 2013 in conjunction with the non-profit organisation sector; it aimed to prevent misuse of non-profit organisations for the financing of terrorism while, at the same time, respecting legitimate actions of NPOs.
Recommendation 8 should be implemented in line with Recommendation 1; that is, on the basis of a risk assessment. The interpretive note to Recommendation 8 requires countries to identify, prevent and combat terrorist misuse of non-profit organisations (NPOs) through a four-pronged approach involving:
These four elements (outreach, supervision, information gathering and investigation, and capacity to respond to international requests) apply to all NPOs, which are defined as a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of “good works”.
Regarding element (b) (supervision or monitoring), countries should take steps to promote effective supervision or monitoring of their NPO sector as a whole based on their domestic NPO sector review and risk assessment. In practice, countries should be able to demonstrate that the requirements of paragraph 5(b) of the INR8 apply to NPOs which account for (1) a significant portion of the financial resources under control of the sector, and (2) a substantial share of the sector's international activities. Countries should also take into account the work that is undertaken by NPOs in line with the oversight references outlined in the best practice paper.
Additionally, countries should ensure that any NPO falling within the FATF definition of a legal person or legal arrangement is also subject to the requirements of FATF Recommendation 24 or 25 respectively, on the transparency and beneficial ownership of legal persons and legal arrangements.
The guidance also provides specific best practice examples in areas including the monitoring and use of payments and activities, and the identification of beneficiaries.
This is perhaps one of the more contentious recommendations, and has not changed since 2003. Clearly, offshore and other financial centres have, for many years, taken advantage of data secrecy regulations to prevent disclosure of confidential information to enquiring regulatory agents. This recommendation sought to reduce the incidence of such approaches and more recent political pressure has resulted in greater relaxation of such secrecy rules in money-laundering or tax-evasion enquiries.
Its application has been fraught, with some disclosures by financial institutions in some countries actually being challenged by the courts and in some cases being found to be illegal. The offshore centres market their secrecy credentials to attract the business that they are seeking. This requirement begins to put all of this business activity potentially at risk.
The purposes of this regulation include the detection of tax evasion and the prevention of tax avoidance. Tax evasion means the illegal evasion of tax which is legitimately owed to the State, whereas tax avoidance is legally organising your affairs so that you owe the minimum amount of tax possible. Jurisdictions with stringent secrecy laws, such as Switzerland, are seen as particularly attractive to those who are employing either of these techniques, as being able to keep your affairs secret makes it difficult to detect any discrepancy in the amount of tax due. In addition to this, the recommendation also serves a more literal purpose. Being able to trace funds without being inhibited by secrecy laws will enable the authorities to find the source of any questionable assets, and in turn prevent money laundering.
The section regarding high-risk customers from the 2003 recommendation does not appear in the main body of the 2012 version, but is addressed in the interpretive notes. This new version of this recommendation obliges countries to set CDD obligations in law, whether this is through legislation or legally binding regulations. The requirement to understand the nature and purpose of a business relationship expands on the prior requirement to merely collect information, which is reflective of the advanced corporate and financial structures utilised today. The obligation not to open an account or commence business relations when CDD cannot be completed is also an extension of the 2003 recommendations.
The interpretive notes to this recommendation provide a large amount of additional guidance. For example, they give examples of potentially higher-risk situations (in addition to those set out in Recommendations 12 to 16):
Guidance of this nature is essential to the success of the principle of taking a risk-based approach. There is an inevitable amount of perception and subjective opinion when assessing the risk posed by a particular customer, so standard risk indicators provide vital guidance. However, as these are only given as guidance, it would seem that they may fall short of standardising the risk-based approach. Their lack of legal force means that if a country does not agree with them, it is free to ignore them. However, were it to do so, this would appear within the country review conducted by the FATF. Generally, the approach is to achieve these requirements or to implement regulations that achieve the same objectives.
One question which remains unanswered in both the recommendation and the interpretive note is the extent to which compliance is required before it is satisfactory. For example, if a financial institution is unable to find one comparatively small piece of information but has a fairly comprehensive due diligence file, would this still be classed as incomplete? What if the institution chooses not to conduct adequate CDD, citing the fact that it is satisfied that the customer does not pose a serious risk and is therefore complying with its obligation to take a risk-based approach?
Regulators normally take a “reasonable man” approach to such circumstances, such that if the approach adopted by the firm is reasonable in the circumstances, this would not be seen as a breach of local regulations. However, if the omission was wilful with the intention of undermining the objectives of the regulations, then this would be considered a breach locally. In any case, where it is not possible or cost effective to obtain specific information, this should be documented by the firm together with the actions taken to mitigate the risk of abuse.
It should be noted that these are not the PEP rules, which are addressed in Recommendation 12.
This regulation has undergone subtle but important changes. The phrase “should be required”, which appears twice, was simply “should” in the 2003 recommendation, and the new version obliges countries to incorporate these principles into domestic legislation, thereby increasing their enforceability. The obligation to keep all records has been strengthened from just an obligation to keep records, and the express inclusion of any analysis undertaken is coherent with the emphasis on taking a risk-based approach. Furthermore, the reference to occasional transactions reflects the way modern business is done, and the obligation by law to maintain records further affirms the subtle strengthening of this provision.
This recommendation does not come with interpretive notes. For this reason, it seems particularly strange that no reference is made in the recommendation to enhanced due diligence (EDD), only to customer due diligence (CDD). While there are obligations to conduct enhanced due diligence in other recommendations (see Recommendation 12, for example), these instances do not make explicit reference to record-keeping.
Taken literally, this would seem to suggest that there are no record-keeping requirements for enhanced due diligence, which is, of course, incorrect. It would be logical to have the most stringent record-keeping requirements for the customers who pose the greatest risks, or at the very least equivalent record-keeping requirements to those imposed on standard customers, so we can only assume that “CDD” in this recommendation is to be taken as an umbrella term for all due diligence and therefore also includes EDD.
The differentiation between foreign and domestic PEPs is a new addition to the recommendations, as is the extension of the PEP rules to beneficial ownership and to family members and close associates of PEPs. This narrows the scope for abuse of PEPs. The problem is, of course, in identifying family members and close associates. A brother-in-law, for example, might be difficult to identify, yet is a close family member by marriage.
Additional guidance on PEPs was released in June 2013. Key to the effective implementation of Recommendation 12 is the effective implementation of customer due diligence requirements: for financial institutions to know who their customers are. External sources of information for determining PEPs exist, such as commercial and other databases, and the paper provides some guidance on the use of these and other, external sources of information. However, these databases are not sufficient to comply with the PEP requirements, nor does the FATF require the use of such databases. PEPs are specifically addressed in Chapter 17.
When considering whether to establish or continue a business relationship with a PEP, the focus should be on the level of ML/TF risk associated with the particular PEP, and whether the financial institution or DNFBP has adequate controls in place to mitigate that ML/TF risk so as to avoid the institution being abused for illicit purposes should the PEP be involved in criminal activity. This decision should be taken on the basis of the customer due diligence process and with an understanding of the particular characteristics of the public functions that the PEP has been entrusted with. The decision to establish or continue a customer relationship with a PEP should be guided primarily by an assessment of ML/TF risks, even if other considerations, such as regulatory risk, reputational risk or commercial interests, are taken into account.
Financial institutions and DNFBPs should consider whether they may be more vulnerable to domestic PEPs compared to foreign PEPs. For example, small financial institutions, with little or no exposure to foreign financial markets, which determine that they are dealing with a foreign PEP, should consider in detail the reasons why such a relationship is being started. Financial institutions which operate in domestic markets where there are known issues relating to corruption should consider whether their exposure to domestic PEPs may be higher than to foreign PEPs.
In all cases, where a financial institution or DNFBP suspects, or has reasonable grounds to suspect, that funds are the proceeds of criminal activity, an STR (suspicious transaction report) should be filed with the FIU.
A financial institution or DNFBP may perform the steps that are required for the implementation of the domestic/international organisation PEP requirements in concert as part of their procedures implementing Recommendation 10. Pursuant to Recommendation 12, financial institutions and DNFBPs are required to take reasonable measures as part of their internal controls to determine if a customer or beneficial owner is a domestic/international organisation PEP. To do this, financial institutions and DNFBPs should review, according to relevant risk factors, the CDD data collected pursuant to Recommendation 10.
In cases where the customer is determined to be a domestic/international organisation PEP, then financial institutions or DNFBPs should undertake a risk assessment of the PEP's business relationship. To this effect, they should notably gather sufficient information to understand the particular characteristics of the public functions that the PEP has been entrusted with and, in the case of an international organisation, the business model of that organisation. Information on international organisations, for example, may be found on their respective websites. The risk assessment should be a composite assessment of all the risk factors and needs to be done to determine if the business relationship with the PEP involves a higher risk. This assessment of the business relationship may take into account, among other factors (i) customer risk factors, (ii) country risk factors and (iii) product, service, transaction or delivery channel risks.
Additional factors to be taken into account should include the nature of the prominent public function that the PEP has, such as his or her level of seniority, access to or control over public funds and the nature of the position held.
“Clearly understand”, under point (d), has replaced the requirement to document that appeared in the 2003 recommendations. While this is more beneficial in a practical sense, it does not suggest that there is any relaxation in the requirement to document everything under the record-keeping recommendation. Previously it would have been possible to have documented matters without considering whether they were appropriate and therefore suspicious. The change in the recommendation makes it clear that this is no longer the case.
The prohibition on entering a relationship with a shell bank is essentially a new requirement for the 2012 recommendations, although such rules had already been implemented by many jurisdictions.
This is more expansive than the 2003 recommendation, although not greatly different in substance. The requirement to maintain a current list of agents is new, as is the express requirement to include agents in AML/CFT programmes. Western Union would be an example of an international MVTS.
In the UK, the requirement for MVTS to be licensed or registered by the FSA is implemented by the Payment Services Regulations 2009 (last updated in October 2012), which implemented the EU Payment Services Directive. Therefore, the UK was compliant with this recommendation before it was introduced. The FSA register can be found at http://www.fsa.gov.uk/register/psdFirmSearchForm.do.
The 2003 recommendation was mainly concerned with anonymity, whereas this recommendation is considerably more thorough and wide-ranging. This reflects the technological era and the rise of cyber crime, as well as reiterating the need for a risk-based approach. It should be noted that this recommendation is very similar to a recommendation given by the Bank for International Settlements (BIS), which, in turn, reflected the pre-emptive part of the so-called Basel II rules which are in the process of being replaced by Basel III.
The requirement to include meaningful information from the 2003 recommendations has been removed, as have the examples of information. This reduces the stringency of the recommendation, but was due to practical problems found in the nature of business conducted. However, the requirement to monitor for any missing beneficiary information has been added, as has the obligation to take freezing action and to follow the UN resolutions.
The requirement for basic information is set out in this recommendation, even though it would be impossible to transfer money without identifying a beneficiary. Without some identification it would be difficult to see how the MVTS would know where to send the money. The information required here is essential for money to be transferred, and without it the transaction would automatically fail, so this recommendation is really only of limited use. In many countries more stringent requirements are either implemented or are being planned.
The obligation to regard the level of country risk replaces an obligation to consider whether a country adequately applies the FATF Recommendations. While this is slightly more expansive in a substantive sense, this only really affirms the emphasis on taking a risk-based approach. The financial group section is new for the 2012 recommendations, and reflects the importance of the large corporate structures that are now employed.
This recommendation raises two important points, the first of which relates to the ultimate responsibility for a CDD failure remaining with the financial institution that is relying on a third party. Regardless of how responsibility is delegated, it cannot be abrogated.
Any bank which fails to comply with its CDD responsibilities is likely to suffer reputational damage, particularly if financial penalties are imposed; HSBC is a recent example of this. With this in mind, a bank, when applying a risk-based approach, must implement the necessary controls prior to delegating work conducted in this respect, since it retains the risk should anything go wrong. The approach to be conducted is essentially the same as with any other outsourcing relationship entered into by the financial institution and we would recommend the Risk in Outsourcing paper promulgated by the Bank for International Settlements (BIS) as representing best practice in this regard.
The other important point arising from this recommendation relates to a major change, since there is now the ability to rely on other CDD from your own group. This is extremely helpful for international corporate due diligence, and will streamline the process during international transactions and the formation of business relationships. However, to obtain approval under this exemption, the firm would have to prove that it meets standards set by the host regulator and that compliance with this exemption does not prejudice the home regulator.
The specifications regarding what should be included in the requisite programme appeared in the 2003 recommendations, but have now been removed and included in the interpretive notes only. This recommendation is considerably more succinct than the two it replaces, but is largely similar from a substantive perspective.
The obligation to take a risk-based approach has been specifically included in the 2012 recommendations, and the details regarding the nature of the enhanced customer due diligence (EDD) to be undertaken are included in the interpretive notes. The 2003 recommendations expressly referred to transactions that have no apparent purpose, but this has now been removed from the body of the recommendation and is instead included in the interpretive notes.
It is interesting to note that the FATF equates higher risk to non-compliance with FATF Recommendations. This takes no account of the country's financial crime record, political stability or any other circumstances which would make the country a high-risk jurisdiction with which to do business. As far as the FATF is concerned, if they comply with its recommendations, they're safe. It is difficult to see how this is consistent with the emphasis on taking a risk-based approach.
The list of higher-risk countries, according to FATF compliance, appears at the end of this chapter. There are a number of other sources of what might best be described as higher-risk countries and we would refer you to Transparency International as being one primary source for such information. Its current list is included as an appendix to this book.
This recommendation amalgamates the two previous recommendations by incorporating both criminal activity and terrorist financing, which is used as an umbrella that is then expanded on in the interpretive notes.
The term “promptly” is not defined in the interpretive notes to this provision, which is unhelpful. In theory, it could mean immediately, by the end of the business day, within 48 hours or within five, seven or ten working days. Accordingly, it is for the firm to be able to justify that it undertook the reporting once it was in a position to do so without obvious delay.
This recommendation also fails to address the amount of information required to be supplied with a report. For example, if you have suspicions without formal information to back this up, then this recommendation could be taken to suggest that you are still obliged to report. Generally, without information there would not be sufficient data to support a suspicion and no report would therefore be made.
However, if you are in the process of collating information, it is unclear when the ideal time to report would be – i.e. immediately, when you have some information or when you have all of the relevant information. The local FIU would normally provide guidance in such cases and helplines are normally available to the MLRO in cases of concern.
This recommendation has not changed since the 2003 recommendations, apart from its number. Paragraph (a) provides the protection that the officers require. Of course, paragraph (b) could become a problem were allegations made against a firm that had actually reported its suspicion. It would be in the position of being unable to respond to allegations and newspaper stories without breaching legal provisions and this could result in unfortunate consequences.
It is important for information services, such as newspapers and information providers, to appreciate this issue and consider the implications when they are making allegations.
This recommendation has not changed since 2003, apart from the numbering.
This composite recommendation seeks to broaden the money-laundering requirements beyond the financial services sector, picking up accountants, lawyers, casinos, estate agents and trust providers, amongst others. This then leads to an interesting issue as to who within the relevant jurisdiction actually takes ownership of the regulation in such areas. Sometimes it is obvious, as may be the case for chartered accountancy or legal practices, whereas in other cases the business area may actually be unregulated. Are casinos and real estate agents regulated in all countries? Accordingly, it will be important for the financial institution to verify the legal regulatory structure that is in place in all such cases.
Many countries have actually taken these provisions further. In the UK, for example, chartered accountants and auditing firms are subject to these provisions. Regulatory bodies tend to have their own rules which are much more detailed than the ones provided by this recommendation, despite being a subset of the FATF rules.
The exemption when legal or professional privilege applies has been moved to the interpretive notes. Other than that, there has been no change to this recommendation from those appearing in 2003.
This recommendation has been expanded since 2003. Terrorist financing has been included with the requirement to prevent the misuse of companies for money laundering, which is a continuous theme of expansion throughout the recommendations. Furthermore, the specification that companies able to issue bearer shares should be subject to effective money-laundering-deterrence measures has been expanded, to specifically include companies able to issue bearer share warrants or those which allow nominee shareholders or nominee directors. Although this highlights areas where the FATF has identified a need for enhanced monitoring, there is a risk that, by implication, it could exclude companies not mentioned here.
The requirement for financial institutions to identify beneficial ownership has been extended to DNFBPs by this recommendation. Furthermore, in the 2003 recommendation countries “could” consider measures to facilitate access to beneficial ownership, which has now been replaced by the obligatory “should”. This marks a slight expansion and the expectation of increased enforceability of this recommendation.
This recommendation has only added the references to terrorist financing and DNFBPs to the 2003 recommendation. Furthermore, the requirement to consider measures to facilitate access to beneficial ownership and control information has been strengthened from “could” in 2003; the word “should” in 2012 now makes this an obligation.
Financial supervisors should be able to impose the necessary legal or regulatory requirements under this recommendation, as well as competent authorities. This affords countries more freedom in implementing this recommendation, and suggests an acceptance that the end result (the implementation) is more important than the method (which body implements it).
The prohibition on terrorist financing, as well as money laundering, has been included in this recommendation, which is a standard change. There is also a prohibition on the establishment or operation of shell banks, which complements the prohibition on entering into a correspondent banking relationship with a shell bank from Recommendation 13. However, it does seem strange that the shell bank recommendations appear in two different recommendations, 13 recommendations apart.
This recommendation has been expanded, but not substantively changed since 2003. There is more detail regarding sanctions – dealt with further in the subsequent recommendations – which highlights the importance of compliance with this provision.
The final section outlining the sanctions available to the supervisor or SRB has been added to the recommendation. As with the previous recommendation, this strengthens the regulation and, in theory, deters non-compliance. However, in practice, there could be local practical problems here if some of the areas are not currently regulated.
This recommendation has been reworded, but not substantively changed since 2003.
This recommendation has been expanded considerably, with law-enforcement agencies now being required to take proactive action and have wider and more comprehensive powers than existed under the previous recommendation. While there has been no substantive change as such, the scope of this recommendation has been expanded.
The second section of this recommendation is new, and significantly expands the powers of competent authorities to combat money laundering and terrorist financing. The first section has also undergone minor alterations, expanding the scope of the 2003 recommendation.
Obviously, monies moving across borders could be inappropriate; the FATF has therefore introduced these requirements, which are broader than the requirements in the original recommendations.
The placing of this recommendation seems strange. It does not make sense to have this recommendation in the middle of the recommendations about sanctions. Instead, it would seem much more logical to place this recommendation much earlier, with the correspondent banking or other payment system provisions.
Additionally, the idea that a country can have measures to detect bearer negotiable instruments is fanciful, which is reinforced by the suggestion that this could be done through a declaration or disclosure system. Large amounts of currency will inevitably take up space in a suitcase, and would be possible, albeit potentially difficult, to find. Bearer negotiable instruments, however, can be single pieces of paper, which would be easy to hide in a suitcase or large file. If, for example, a corporate trainer was giving a presentation in another country and was shipping handouts of his 600 PowerPoint slides for 20 delegates, that could easily generate 3,000 pieces of paper. It would be entirely impractical for a customs official to check every side of every page to ensure that no bearer negotiable instruments had been hidden in one of the packs.
It also seems strange that this recommendation seeks to restrain bearer negotiable instruments. Even if they were previously used to launder illegitimate funds, the instrument could have been purchased legitimately on the market for value by an innocent purchaser. Restraining the instrument in this instance would be shutting the stable door long after the horse had bolted with a saddlebag full of the proceeds of crime.
Further on this point, no courier would ever agree to these recommendations, in case a bearer negotiable instrument is included in documents they are shipping. A courier is a transporter with no involvement in the business of its clients, and would not agree to take the risk of having legitimate documents confiscated, which would place itself in breach of contract.
To comply with these requirements a firm should implement a series of policies and procedures which provide a programme that should be conducted in such cases. This would highlight such instruments as requiring a higher level of due diligence due to the ease of transfer; but the same is also true of other assets including coins and paintings, for example.
This recommendation has undergone minor reductions, but no substantive changes have been made since 2003. The reference to reviewing the effectiveness of the systems using the statistics no longer appears in this recommendation, but the same obligation is imposed by Recommendation 2.
In 2012 this obligation has been extended to supervisors and SRBs, but this is the only change which has been made to this recommendation.
Of course, in designing such guidelines some authorities will add additional requirements of which the international bank must be aware. Clearly, different authorities respond in differing ways with varying levels of information, but at least this recommendation sets the objective clearly. In some countries, by the time a response is received from the regulatory agency the money launderer will be long gone, effectively undermining the entire process.
The scope of this provision has been extended, as directors and senior management were not specifically covered by the 2003 recommendation. This is consistent with the strengthening of various other recommendations, and making management personally liable for non-compliance will inevitably make the recommendations more effective. The reference to a “range” of sanctions is also new, and enhances this point.
The scope of the legislation countries are required to implement has been expanded, but this is inevitable given that some of these conventions were passed after the 2003 recommendations were released. In principle, however, this recommendation has not changed since 2003.
The requirements relating to mutual legal assistance have been expanded considerably since 2003. Mutual legal assistance was covered in the 2003 recommendations, but not in this level of detail and not with this level of force. This reflects the worldwide, cross-jurisdictional and cross-border nature of modern money laundering, and that mutual legal assistance is vital to an effective AML regime.
The requirements relating to non-conviction-based confiscation proceedings are new to the FATF Recommendations, and are also introduced in Recommendation 4. Developing the previous recommendation, this expands the scope of the mutual legal assistance.
The scope of this recommendation has been expanded by introducing numerous procedural requirements, which will enhance the efficiency and the overall effectiveness of extradition requests. This is an essential part of AML sanctions, and is consistent with the strengthening of this area highlighted in the previous recommendations.
The phrase “without undue delay”, in relation to countries dealing with extradition requests, may not be practical. An example of this was the recent case involving five terrorism suspects including Abu Hamza, where one of the suspects, Babar Ahmad, was charged with money laundering. The extradition process from the UK took eight years, as there were many legal and human rights issues to be tried. Given the nature of the legal system, with various domestic and European appeal courts including the Court of Appeal, the Supreme Court and the European Court of Human Rights, there will be cases where it is simply impossible to extradite a suspect “without undue delay”.
Parts of this recommendation have been incorporated into other recommendations on sanctions, so this recommendation now appears shorter. However, as with the previous sanctions recommendations, it has been enhanced. The references to MOUs are new, and there are various minor linguistic alterations making this recommendation more forceful.
The following lists outline the jurisdictions which the FATF considers to be high risk, in accordance with their level of compliance with AML procedures. The lists were correct as of May 2014.
The FATF calls on its members and other jurisdictions to apply countermeasures to protect the international financial system from the ongoing and substantial money-laundering and terrorist-financing (ML/TF) risks emanating from the jurisdictions.
Jurisdictions with strategic AML/CFT deficiencies that have not made sufficient progress in addressing the deficiencies or have not committed to an action plan developed with the FATF to address the deficiencies. The FATF calls on its members to consider the risks arising from the deficiencies associated with each jurisdiction, as described below.
* Kenya and Tanzania are now identified in the FATF document Improving Global AML/CFT Compliance: On-going Process due to their progress in substantially addressing their action plan agreed upon with the FATF.
The Basel Committee on Banking Supervision, sitting within the Bank for International Settlements, is the leading global standard-setter for worldwide banking regulation and supervision. Its mandate is to strengthen the regulation, supervision and practices of banks worldwide, with the purpose of enhancing financial stability. In full support of the Financial Action Task Force Recommendations, the Committee issued a paper entitled Sound management of risks related to money laundering and financing of terrorism in January 2014, which provides a framework of regulatory best practice broadly based on the FATF Recommendations.
The paper divides its recommendations across three lines of defence against money laundering.
The paper states that the front-office staff acting in a client-facing role should be considered the first line of defence against financial crime. They are in charge of identifying, assessing and controlling the risks of their business, and should know and carry out the policies and procedures and be allotted sufficient resources to do this effectively. The obligations fall both on the staff, who should remain vigilant at all times to apply the principles without alerting the clients, and the senior management, to select appropriate staff and ensure that adequate guidance and training to fulfil the role bestowed on them is available.
The senior management and compliance team form the second line of defence against money laundering. The chief officer in charge of AML/CFT should have the responsibility for ongoing monitoring of the fulfilment of all AML/CFT duties by the bank. This implies sample testing of compliance and review of exception reports to alert senior management or the board of directors if it is believed management is failing to address AML/CFT procedures in a responsible manner. The chief AML/CFT officer should be the contact point regarding all AML/CFT issues for internal and external authorities, including supervisory authorities or FIUs.
While this may be a good idea in principle, its application will inevitably vary depending on the size of the institution. The chief AML officer of a major organisation will find it particularly difficult to monitor all AML obligations, and so this will usually be delegated to staff working closer to the front-office operation.
The internal audit function provides the third line of defence, and plays an important role in independently evaluating the risk management and controls. It discharges its responsibility to the audit committee of the board of directors or a similar oversight body through periodic evaluations of the effectiveness of compliance with AML/CFT policies and procedures. The guidance provides that a bank should establish policies for conducting audits of (a) the adequacy of the bank's AML/CFT policies and procedures in addressing identified risks; (b) the effectiveness of bank staff in implementing the bank's policies and procedures; (c) the effectiveness of compliance oversight and quality control including parameters of criteria for automatic alerts; and (d) the effectiveness of the bank's training of relevant personnel. Senior management should ensure that audit functions are allocated staff who are knowledgeable and have the appropriate expertise to conduct such audits. Management should also ensure that the audit scope and methodology are appropriate for the bank's risk profile and that the frequency of such audits is also based on risk. Periodically, internal auditors should conduct AML/CFT audits on a bank-wide basis. In addition, internal auditors should be proactive in following up their findings and recommendations. As a general rule, the processes used in auditing should be consistent with the internal audit's broader audit mandate, subject to any prescribed auditing requirements applicable to AML/CFT measures.
While this is an important part of the AML deterrence regime, the hands-off, reactive and intermittent nature of internal audit means that by the time any suspicious activity is found, it may be too late. Instead, this line of defence serves to plug any gaps in the first and second lines of defence.
The sound practices paper largely follows the FATF proposals. There are, however, a couple of sections which do provide some useful additional guidance.
Under the above heading the BIS states:
“The bank should have a thorough understanding of all the risks associated with its customers across the group, either individually or as a category, and should document and update these on a regular basis, commensurate with the level and nature of risk in the group. In assessing customer risk, a bank should identify all relevant risk factors such as geographical location and patterns of transaction activity (declared or self-stated) and usage of bank products and services and establish criteria for identifying higher-risk customers. These criteria should be applied across the bank, its branches and its subsidiaries and through outsourced activities. Customers that pose a higher risk of ML/FT to the bank should be identified across the group using these criteria. Customer risk assessments should be applied on a group-wide basis or at least be consistent with the group-wide risk assessment. Taking into account differences in risks associated with customer categories, group policy should recognise that customers in the same category may pose different risks in different jurisdictions. The information collected in the assessment process should then be used to determine the level and nature of overall group risk and support the design of appropriate group controls to mitigate these risks. The mitigating factors can comprise additional information from the customer, tighter monitoring, more frequent updating of personal data and visits by bank staff to the customer location.”
Again, the risk-based approach is emphasised, but I would particularly highlight the mention made of outsourced activities. It needs to be recognised that such activities are still the responsibility of the bank even if not conducted by the bank. Accordingly, the same standards of risk management and due diligence should be applied.
Within this section the following paragraphs appear:
“Regardless of its location, each office should establish and maintain effective monitoring policies and procedures that are appropriate to the risks present in the jurisdiction and in the bank. This local monitoring should be complemented by a robust process of information-sharing with the head office, and if appropriate with other branches and subsidiaries regarding accounts and activity that may represent heightened risk.”
“To effectively manage the ML and FT risks arising from such accounts, a bank should integrate this information based not only on the customer but also on its knowledge of both the beneficial owners of the customer and the funds involved. A bank should monitor significant customer relationships, balances and activity on a consolidated basis, regardless of whether the accounts are held on-balance sheet, off-balance sheet, as assets under management or on a fiduciary basis, and regardless of where they are held. The FATF standards have now also set out more details relating to banks' head office oversight of group compliance, audit and/or AML/CFT functions. Moreover, if these guidelines have been conceived primarily for banks, they might be of interest for conglomerates (including banks).”
Again, the risk-based approach is emphasised, an approach the BIS takes in most of its pronouncements. The issue of monitoring on a consolidated basis can cause difficulties for a bank. Many banks do not have identical computer systems operating in every jurisdiction, and consequently account-naming conventions can vary. This could result in complexities in appreciating global consolidated exposures. Accordingly, financial institutions do need to have a clear data strategy and account-naming convention to deal with such matters; a task which should not be underestimated.
The remaining matters in this paper essentially repeat matters that have already been referred to in this book.