How to prepare for ACRA AML/CFT review – A checklist for busy professionals

Share...Share on Facebook5Share on Google+0Tweet about this on TwitterShare on LinkedIn5

<updated to the latest ACRA RFA Guidelines dated 30 Sep 2017>
Since the implementation of the ACRA (Amendment) Act in 2014, ACRA has engaged audit firms to conduct independent Anti-Money Laundering/ Countering the Financing of Terrorism (AML/CFT) reviews for Registered Filing Agents (RFAs) or Corporate Service Providers (CSPs). Under the new AML/CFT framework, it is a requirement for CSPs to develop and implement Internal Policies, Procedures and Controls (IPPC) to comply with Financial Action Task Force (FATF) recommendations on combating of money laundering and terrorism financing.

So how can CSPs (or other professional firms in similar capacity, e.g. auditors, accountants, lawyers, etc.) prepare themselves for the AML/CFT review?

CSPs should take a closer look at and comply with the following regulations:

  • Part II, First Schedule of the ACRA (Filing Agents and Qualified Individuals) Regulations, for the prevention of money laundering and financing of terrorism (download here).
  • Guidelines for Registered Filing Agents (download here).

We summarise the key areas where a CSP should focus on to prepare for the AML/CFT review.

Self-Assessment Form

Before the ACRA-appointed reviewers conduct their on-site visit, CSPs are required to complete the Self-Assessment Form (which can be downloaded here).  The review will be based on the responses in this form.  It is important to note that higher weightage is given on Section C – Internal Policies, Procedures and Controls (IPPC) and Section D – Customer Due Diligence of the Self-Assessment Form.  The CSP should review the questions in the Self-Assessment Form, and ensure that if any of the responses is “Yes”, the CSP must be able to support it with documentary proof.

AML/CFT Policy (IPPC)

First and foremost, CSPs should have adequate AML/CFT risk management Internal Policies, Procedures and Controls (IPPC). Hence, CSPs should establish a policy document which we called the AML/CFT Policy.

This policy should contain:

  • Customer Due Diligence (CDD) measures and on-going monitoring
  • making of suspicious transaction reports
  • record-keeping
  • risk assessment and management
  • audit of the internal policies, procedures and controls
  • monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
  • hiring and training of employees

ACRA is kind enough to give some guidances on AML/CFT policy in Annex A of the Guidelines for Registered Filing Agents. However, CSPs should not just use this per se but customise it according to their own existing procedures.

Management Oversight

What are the roles and responsibilities of the sole proprietor/partners/board of directors and management in preventing money laundering and terrorism financing?

It is recommended that the CSP establish an organisational and reporting structure in relation to AML/CFT. The reporting structure should include a Compliance Officer, preferably also a Deputy Compliance Officer and an Internal Auditor. These are key persons who are responsible for AML/CFT and they should be named in the reporting structure as well as mentioned in the AML/CFT policy.

The role of the Compliance Officer is to keep Management informed of the compliance and risk management matters as and when they deal with customers that are seemingly suspicious. Any suspicious trade should be reported to the Compliance Officer and he or she will escalate to Management if approval is required.

The audit function of a CSP should be independent and adequately resourced, and be able to assess the effectiveness of its IPPC periodically.

Risk Assessment

We recommend CSPs perform an overall risk assessment of its clients. CSPs can assess clients’ risks based on the type of customers, type of services provided, types of transactions that the client engages in or the countries or jurisdictions where the customers are from or in.

  • List down all the risk categories that are relevant to you. For example, (i) type of customer – money changers, (ii) type of service provided – acting as nominee director.
  • For each specific risk category, give a risk rating to it. You may want to rate, for each risk category, simply as Low Risk, Medium Risk or High Risk. CSPs need to pay particular attention to those risk categories that they rate as High Risk because these risk categories will need to be mitigated with Enhanced CDD procedures and these procedures should be documented.
  • For each risk category, produce a set of risk mitigation procedures.

Up until this stage, the CSPs should go through their client lists and classify their clients based on the risk categories defined.  As ACRA requires all CSPs to conduct CDD on their existing high risk clients by 15 May 2016, it is recommended that CSPs complete the following for all the high risk clients:

  • Ensure that CDD and Enhanced CDD forms are completed and signed by the customers.
  • Ensure that copies of identification documents are available and verified.
  • Perform screening on the customers to ensure that they are not blacklisted or Politically Exposed Persons (PEPs),Relatives or Close Associates (RCAs) of PEPs. This can be done either by doing Google searches or searching commercial AML/CFT databases like SentroWeb-DJ.  All search results must be retained as documentary proof.

Suspicious Transaction Reporting

Based on suspicious transactions reporting statistics from Commercial Affairs Department (CAD), CSPs is one of industries which has the least number of suspicious transaction report (“STR”) reported.

  • If a CSP has not reported an STR before, it should at least know how to report one if such an occasion arise. CSPs should have proper escalating procedures being documented in the AML Policy. CSPs should sign up for an account for Suspicious Transaction Report Online Lodging System (“STROLLS”). You can visit STRO here to sign up for a STROLLS account.
  • CSPs should also subscribed to AML/CFT and Targeted Financial Sanctions section of the Monetary Authority of Singapore (MAS) website, so as to receive alerts and updates on AML/CFT requirements and changes to the relevant lists of UN-designated individuals and entities. By subscribing to the website, the Company will stay abreast of other AML/CFT announcements, such as high risk jurisdictions identified by the Financial Action Task Force (FATF). You can visit MAS website here to subscribe.
  • In addition, CSPs should subscribe to the Inter-Ministry Committee on Terrorist Designation website for information about terrorist designation and the legislation for countering of terrorism.  The website link is here.

Every business dreads the news that the auditors or regulators are coming. CSPs can manage the AML/CFT review process proactively and reduce surprises when they cover the major areas mentioned above. An important thing to do is also to train and brief your staff of all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them the assurance that you have done your best and what is required according to the regulations. The approach to the review is to be truthful. If there is any shortcomings, work out the remedial actions with the inspectors.