How to prepare for Bank Negara Malaysia (BNM) AML/CFT Compliance Review – A checklist for busy professionals


On 31 Dec 2019, Bank Negara Malaysia (BNM) issued a new guideline on Anti-Money Laundering, Countering Financing of Terrorism (AML/CFT) and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) and Non-Bank Financial Institutions (NBFIs) (i.e. the AML/CFT and TFS for DNFBPs and NBFIs), effective 1 Jan 2020.

This new guideline now includes DNFBPs [1] (or “professional firms”) in its obligations as reporting institutions, with respect to the requirements imposed under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA).

[1] DNFBPs (or “professional firms”) refers to reporting institutions such as lawyers, accountants, auditors, company secretaries, trust companies, notaries public, real estate agents, dealers in precious stones/precious metals (PSMD) etc., who are subject to AML/CFT requirements under the AMLA.

With this new guideline, professional firms are required to take all reasonable measures to mitigate the risk of ML/TF and to ensure that the AML/CFT requirements under the AMLA are complied with. This new AML/CFT framework is in line with the international standards promulgated by the Financial Action Task Force (FATF). The FATF is an inter-governmental body that sets international standards on combating money laundering and terrorist financing.

To fulfil the above-mentioned obligations, professional firms must assess the ML/TF risk of their businesses and develop and implement AML/CFT internal policies, procedures and controls (“IPPC” or “AML/CFT Compliance Programme”) covering risk assessment; customer due diligence (“CDD”) measures; ongoing monitoring of customers; suspicious transaction reporting; record keeping; and staff training, amongst other requirements.

In their regulatory role, the competent authority Bank Negara Malaysia (BNM) and the respective Self-Regulatory Body (SRB) (collectively, the “Regulators”) have been entrusted with both the licensing regime for reporting institutions in their respective sectors and the enforcement powers to conduct compliance inspections and impose disciplinary actions against professional firms that are non-compliant. For compliance inspections, Regulators conduct on-site inspections at the business premises of licensees to ascertain whether the licensees have complied with the AMLA, including inspecting and making copies of records or documents, and making enquiries about any record or document relating to the business carried on, or any transaction carried out, by the licensees. (download here).

So how can professional firms (e.g. lawyers, accountants, auditors, company secretaries, trust companies, notaries public, real estate agents, dealers in precious stones/precious metals etc.) prepare themselves for the AML/CFT compliance inspection by their Regulators?

Professional firms should take a closer look at and comply with the following regulations, as applicable to their industry sector:

  • Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (“the AMLA”) (download here).
  • Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions (DNFBPs) & Non-Bank Financial Institutions (NBFIs) (“AML/CFT and TFS for DNFBPs and NBFIs”) (download here).

We summarise below the key areas a professional firm should focus on to prepare for the AML/CFT compliance inspection.

 

AML/CFT Internal Policies, Procedures and Controls (IPPC)

First and foremost, professional firms should have adequate AML/CFT risk management and AML/CFT internal Policies, Procedures and Controls (IPPC). Hence, professional firms should establish a policy document, which we call the AML/CFT Policy. (Collectively, the IPPC is referred to as the “AML/CFT Compliance Programme” in the regulatory AML/CFT guidelines for professional firms.)

This policy should contain:

  • customer due diligence (CDD) measures
  • ongoing monitoring
  • making of suspicious transaction reports
  • record-keeping
  • risk assessment and management
  • audit of the internal policies, procedures and controls
  • monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
  • hiring and training of employees

If you are not sure how to develop an IPPC document, you can purchase the template here.

 

Management Oversight

What are the roles and responsibilities of the sole proprietor/partners/board of directors and management of a professional firm in preventing money laundering and terrorism financing?

It is recommended that the professional firm establish an organisational and reporting structure in relation to AML/CFT. The reporting structure should include a Compliance Officer, preferably also a Money Laundering Reporting Officer (MLRO), and an Internal Auditor. These are key persons who are responsible for AML/CFT and they should be named in the reporting structure as well as mentioned in the AML/CFT Policy.

The role of the Compliance Officer is to keep Management informed of compliance and risk management matters as and when staff deal with customers who appear suspicious. Any suspicious transaction should be reported to the Compliance Officer (or the MLRO, if appointed), who will escalate it to Management if approval is required.

The audit function of a professional firm should be independent and adequately resourced, and be able to assess the effectiveness of its IPPC periodically.

Do note that all reporting institutions under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) are required to inform Bank Negara Malaysia (BNM) on the appointment or change in the appointment of the Compliance Officer pursuant to paragraph 11.5.3 of the Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for DNFBPs and NBFIs (AML/CFT and TFS for DNFBPs and NBFIs).

For the Compliance Officer Nomination Form to submit to BNM, download here.

 

Customer Due Diligence (“CDD”)

The CDD requirements are set out in Part IV of the AMLA (“Reporting Obligations”). Typically, a professional firm must carry out CDD measures in relation to a customer (where applicable) when:

  • at the outset of establishing or conducting a business relationship, conducting any transaction with a customer, or carrying out any activity for or on behalf of a customer, whether the customer is an occasional or usual customer; or
  • the transaction or activity to be carried out exceeds such amount as the BNM may specify; or
  • there is reasonable suspicion of the commission of a money laundering offence or a terrorism financing offence; or
  • there is reasonable doubt about the veracity or adequacy of previously obtained customer identification data.

CDD is intended to enable the professional firm to form a reasonable belief that it knows the true identity of each customer and, with an appropriate degree of confidence, knows the type of business and transactions the customer is likely to undertake. Depending on specific circumstances and risk profiles, professional firms may also need to conduct additional measures (referred to as Enhanced Customer Due Diligence (“EDD”)).

The CDD measures applicable to the professional firms are:

  • identifying the customer and verifying the customer’s identity using documents, data or information provided by a reliable and independent source;
  • where there is a beneficial owner in relation to the customer, identifying and taking reasonable measures to verify the beneficial owner’s identity, using the relevant information or data obtained from a reliable source, so that the professional firm is satisfied that it knows who the beneficial owner is, including in the case where the customer is a legal person or trust, measures to enable the professional firm to understand the ownership and control structure of the legal person or trust;
  • obtaining information on the purpose and intended nature of the business relationship (if any) established with the professional firm unless the purpose and intended nature are obvious; and
  • if a person purports to act on behalf of the customer, identifying the person and taking reasonable measures to verify the person’s identity, and verifying the person’s authority to act on behalf of the customer.

 

Risk Assessment

We recommend that professional firms perform an overall risk assessment of their clients. Professional firms can assess clients’ risks based on the type of customer, the type of services provided, the types of transactions the client engages in, or the countries or jurisdictions the customers are from or operate in.

  • List down all the risk categories that are relevant to you. For example, (i) type of customer – money changers, (ii) type of service provided – acting as nominee director.
  • For each specific risk category, give a risk rating to it. You may want to rate, for each risk category, simply as Low Risk, Medium Risk or High Risk. Professional firms need to pay particular attention to those risk categories that they rate as Medium or High Risk because these risk categories will need to be mitigated with Enhanced CDD procedures and these procedures should be documented.
  • For each risk category, produce a set of risk mitigation procedures.

At this stage, professional firms should go through their client lists and classify their clients according to the risk categories defined. As the Regulator requires all professional firms to have conducted CDD on their existing high risk clients by now, it is recommended that professional firms complete the following for all high risk clients:

  • Ensure that CDD and Enhanced CDD forms are completed and signed by the customers.
  • Ensure that copies of identification documents are available and verified.
  • Perform screening on the customers to ensure that they are not blacklisted, Politically Exposed Persons (PEPs), or Relatives or Close Associates (RCAs) of PEPs. This can be done either through Google searches or by searching commercial AML/CFT databases such as SentroWeb-DJ. All search results must be retained as documentary proof.
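As an added example (not part of this article or of any BNM material), the rating and classification steps above in Python: each risk category is rated, the highest rating becomes the client's overall rating, Medium and High ratings flag the need for Enhanced CDD, and for High Risk clients the three checklist items above are tracked. The category values and their ratings are hypothetical; a firm's own documented risk assessment supplies the real ones.

```python
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "Low Risk", "Medium Risk", "High Risk"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}

# Steps 1 and 2: the firm's risk categories, each value given a rating. The values are
# hypothetical; the article's own examples are "money changer" and "nominee director".
RISK_RATINGS = {
    "customer_type": {"individual": LOW, "private company": MEDIUM, "money changer": HIGH},
    "service": {"bookkeeping": LOW, "company secretarial": MEDIUM, "nominee director": HIGH},
    "transaction": {"local fee payment": LOW, "cross-border payment": MEDIUM, "cash settlement": HIGH},
    "jurisdiction": {"Malaysia": LOW, "other": MEDIUM, "FATF high-risk jurisdiction": HIGH},
}

@dataclass
class Client:
    name: str
    attributes: dict                 # category -> value, e.g. {"customer_type": "money changer"}
    cdd_forms_signed: bool = False
    id_documents_verified: bool = False
    screening_results_retained: bool = False

def rate_client(client):
    """Rate every category; the overall rating is the highest one. A value missing from
    the firm's table is rated High (a conservative default assumed here, not from the article)."""
    per_category = {cat: RISK_RATINGS[cat].get(value, HIGH) for cat, value in client.attributes.items()}
    return max(per_category.values(), key=RANK.__getitem__, default=HIGH), per_category

def edd_required(rating):
    """Medium and High ratings must be mitigated with documented Enhanced CDD procedures."""
    return RANK[rating] >= RANK[MEDIUM]

def outstanding_actions(client):
    """For a High Risk client, return the checklist items that are still open."""
    if rate_client(client)[0] != HIGH:
        return []
    checks = [
        (client.cdd_forms_signed, "obtain signed CDD and Enhanced CDD forms"),
        (client.id_documents_verified, "obtain and verify copies of identification documents"),
        (client.screening_results_retained, "screen for sanctions lists, PEPs and RCAs and retain the results"),
    ]
    return [action for done, action in checks if not done]

def classify_clients(clients):
    """Go through the client list and group client names by overall rating."""
    grouped = {LOW: [], MEDIUM: [], HIGH: []}
    for client in clients:
        grouped[rate_client(client)[0]].append(client.name)
    return grouped
```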

 

Suspicious Transaction Reporting

Based on suspicious transaction reporting statistics from the Financial Action Task Force (FATF) and the Financial Intelligence & Enforcement Department of Bank Negara Malaysia (FIED), professional firms in Malaysia are among the industries with the fewest suspicious transaction reports (“STRs”) filed. (To see the FATF’s Mutual Evaluation Report Malaysia, Sept 2015, page 100, click here.)

  • If a professional firm has not reported an STR before, it should at least know how to report one should such an occasion arise. Professional firms should have proper escalation procedures documented in the AML/CFT Policy. Professional firms are strongly encouraged to use the STR proforma forms or the e-reporting system named Financial Intelligence System (FINS) to report suspicious transactions. Please visit the BNM website here for full details of the reporting forms, methods and advice. For the FINS website, please click here.
  • Professional firms should also regularly refer to BNM’s website for updates on the Terrorist List, Alert List and United Nations Sanctions List, the latest information, publications and press releases published by the relevant authorities in Malaysia, and the latest typologies work on methods, techniques and trends of money laundering and terrorist financing. This will allow professional firms to stay abreast of alerts and updates on AML/CFT requirements and changes to the relevant lists of UN-designated individuals and entities, as well as other AML/CFT announcements, such as the high risk jurisdictions identified by the Financial Action Task Force (FATF). (Please visit the BNM website here.)
  • In addition, professional firms should also refer to the websites of other supervisory authorities which have issued AML/CFT guidelines to their respective regulatees. The references and guidelines can be found at:
    • Ministry of Home Affairs. The MOHA website link is here;
    • Ministry of International Trade & Industry. The MITI website link is here;
    • Securities Commission Malaysia. The SC website link is here;
    • Malaysian Anti-Corruption Commission. The MACC website link is here;
    • Labuan Financial Services Authority. The LFSA website link is here.

Every business dreads the news that the auditors or regulators are coming. Professional firms can manage the AML/CFT compliance inspection process proactively and reduce surprises by covering the major areas mentioned above. It is also important to train and brief your staff on all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them assurance that you have done your best and what is required under the regulations. The approach to the review is to be truthful. If there are any shortcomings, work out the remedial actions with the inspectors.