December 30, 2018

How to prepare for Financial Supervisory Commission (FSC) AML/CFT Compliance Inspection – A checklist for busy professionals

Since the implementation of the Financial Supervisory Commission’s (FSC) “Regulations Governing Anti-Money Laundering and Counter the Financing of Terrorism for Certified Public Accountants (CPAs)” (link) in Nov 2018, it is a requirement for CPA firms to take all reasonable measures to mitigate the risk of ML/TF, and to ensure that the AML/CFT requirements under Taiwan’s Money Laundering Control Act (MLCA) (link) are complied with.  This new AML/CFT framework is in line with international requirements as promulgated by the Asia/Pacific Group on Money Laundering (APG) and the Financial Action Task Force (FATF).  The APG, together with the FATF, are inter-governmental bodies that set international standards on combating money laundering and terrorist financing.

To fulfil the above-mentioned obligations, CPA & professional firms must assess the ML/TF risk of their businesses, develop and implement AML/CFT internal policies, procedures and controls (“IPPC”) on: risk assessment; customer due diligence (“CDD”) measures; ongoing monitoring of customers; suspicious transactions reporting; record keeping; and staff training. 

In its regulatory role, the FSC has been entrusted with both the licensing regime for CPA firms and the enforcement powers to conduct compliance inspections and impose disciplinary actions against CPA firms that are non-compliant.  For the AML/CFT compliance inspections, the FSC will likely conduct inspections on the business premises of CPA licensees to ascertain whether licensees have complied with the MLCA. This includes inspecting and making copies of records or documents, and making enquiries about any record or document relating to the business carried on, or any transaction carried out, by the licensees.

So how can CPA firms (or other professional firms in similar capacity, e.g. accountants, lawyers, notaries, land administration agents, estate agents, jewelry retailers, trust and company service providers etc.) prepare themselves for the AML/CFT compliance inspection by FSC, or by their respective Regulators?

CPA firms should take a closer look at and comply with the following regulations:

  • Taiwan’s Money Laundering Control Act (“the MLCA”) / 洗錢防制法 (download here in English; Chinese version link)
  • Financial Supervisory Commission’s (FSC) Regulations Governing Anti-Money Laundering and Counter the Financing of Terrorism for Certified Public Accountants / 會計師防制洗錢及打擊資恐辦法 (download here in English; Chinese version link).
  • The Executive Yuan Anti-Money Laundering Office’s (AMLO) Best Practice Guidance Notes on Implementing Anti-Money Laundering and Counter the Financing of Terrorism for Designated Non-financial Business & Professions (DNFBP) / 指定之非金融事業或人員執行防制洗錢及打擊資恐業務最佳指引 (download here, in Chinese only) and the corresponding Risk Assessments Questionnaires / 風險評估 for CPAs (download here, in Chinese only).

We summarise the key areas that a CPA should focus on to prepare for the AML/CFT compliance inspection.


First and foremost, CPAs should have adequate AML/CFT risk management, and AML/CFT Internal Policies, Procedures and Controls (IPPC), as required by Article 6 of the MLCA. Hence, CPAs should establish a policy document, which we call the AML/CFT Policy.

This policy should contain:

  • Customer Due Diligence (CDD) measures
  • Ongoing monitoring
  • making of suspicious transaction reports
  • record-keeping
  • risk assessment and management
  • audit of the internal policies, procedures and controls
  • monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
  • hiring and training of employees

If you are not sure how to develop an IPPC document, you can purchase the template here.

Customer Due Diligence (“CDD”)

The CDD requirements are set out in Article 7 of the MLCA. CDD is intended to enable the CPA to form a reasonable belief that it knows the true identity of each customer and, with an appropriate degree of confidence, knows the type of business and transactions the customer is likely to undertake. Depending on specific circumstances and risk profiles, CPAs may also need to conduct additional measures (referred to as enhanced customer due diligence (“EDD”)).

The CDD measures applicable to the CPAs are:

  • identifying the customer and verifying the customer’s identity using documents, data or information provided by a reliable and independent source;
  • where there is a beneficial owner in relation to the customer, identifying and taking reasonable measures to verify the beneficial owner’s identity so that the CPA is satisfied that it knows who the beneficial owner is, including in the case where the customer is a legal person or trust, measures to enable the CPA to understand the ownership and control structure of the legal person or trust;
  • obtaining information on the purpose and intended nature of the business relationship (if any) established with the CPA unless the purpose and intended nature are obvious; and
  • if a person purports to act on behalf of the customer, identifying the person, taking reasonable measures to verify the person’s identity, and verifying the person’s authority to act on behalf of the customer.

Management Oversight

What are the roles and responsibilities of the sole proprietor/partners/board of directors and management in preventing money laundering and terrorism financing?

It is recommended that the CPA establish an organisational and reporting structure in relation to AML/CFT. The reporting structure should include a Compliance Officer, preferably also a Money Laundering Reporting Officer (MLRO), and an Internal Auditor. These are key persons who are responsible for AML/CFT and they should be named in the reporting structure as well as mentioned in the AML/CFT Policy.

The role of the Compliance Officer is to keep Management informed of the compliance and risk management matters as and when they deal with customers that are seemingly suspicious. Any suspicious trade should be reported to the Compliance Officer (or the MLRO if appointed) and he or she will escalate to Management if approval is required.

The audit function of a CPA should be independent and adequately resourced, and be able to assess the effectiveness of its IPPC periodically.

Risk Assessment

We recommend that CPAs perform an overall risk assessment of their clients. CPAs can assess clients’ risks based on the type of customers, type of services provided, types of transactions that the client engages in, or the countries or jurisdictions where the customers are from or in.

  • List down all the risk categories that are relevant to you. For example, (i) type of customer – money changers, (ii) type of service provided – acting as nominee director.
  • For each specific risk category, give a risk rating to it. You may want to rate, for each risk category, simply as Low Risk, Medium Risk or High Risk. CPAs need to pay particular attention to those risk categories that they rate as Medium or High Risk because these risk categories will need to be mitigated with Enhanced CDD procedures and these procedures should be documented.
  • For each risk category, produce a set of risk mitigation procedures.

At this stage, CPAs should go through their client lists and classify their clients based on the risk categories defined.  As the FSC requires all CPAs to conduct CDD on their existing high risk clients by 9 November 2018, it is recommended that CPAs complete the following for all the high risk clients:

  • Ensure that CDD and Enhanced CDD forms are completed and signed by the customers.
  • Ensure that copies of identification documents are available and verified.
  • Perform screening on the customers to ensure that they are not blacklisted and are not Politically Exposed Persons (PEPs) or Relatives or Close Associates (RCAs) of PEPs. This can be done either by doing Google searches or searching commercial AML/CFT databases like SentroWeb-DJ.  All search results must be retained as documentary proof.

Suspicious Transaction Reporting

Reporting suspicious transactions, including attempted transactions, to the relevant central competent authorities governing target businesses comes under Article 10 of the MLCA. Based on suspicious transaction reporting statistics from the Taiwan Ministry of Justice Investigation Bureau (MJIB), DNFBPs, including CPAs and professional firms, are among the industries with the fewest suspicious transaction reports (“STRs”) filed.

  • If a CPA has not reported an STR before, it should at least know how to report one if such an occasion arises. CPAs should have proper escalation procedures documented in the AML/CFT Policy. CPAs are strongly encouraged to use the STR proforma forms (click here for the relevant link) to report suspicious transactions to the MJIB. Please visit MJIB website here.
  • CPAs should also regularly refer to the MJIB’s website for updates on the Terrorists List, Alert List, United Nations Sanction List, latest information, publications and press releases as published by the relevant authorities in Taiwan, as well as the latest typologies work on methods, techniques and trends of money laundering and terrorist financing.  This will allow CPAs to stay abreast of alerts and updates on AML/CFT requirements and changes to the relevant lists of UN-designated individuals and entities, as well as other AML/CFT announcements, such as high risk jurisdictions identified by the Financial Action Task Force (FATF).  (Please visit MJIB website here.)
  • In addition, CPAs should also refer to the Executive Yuan’s Anti-Money Laundering Office (AMLO) website for the latest information, publications and press releases on Taiwan’s AML/CFT regime and strategies.  The AMLO is responsible for organizing national policies and corresponding guidelines for anti-money laundering, and for monitoring the preparations for the APG’s Mutual Evaluation.  The Office, directed by a Minister without Portfolio, coordinates the entire country’s policy-making, conducts risk-analysis assessments, monitors implementation by all related parties, represents the co-operation of expertise and resources from the public and private sectors, and gathers specialists from different government agencies. The AMLO website link is here.

Every business dreads the news that the auditors or regulators are coming. CPAs can manage the AML/CFT compliance inspection process proactively and reduce surprises when they cover the major areas mentioned above. It is also important to train and brief your staff on all the policies and procedures before the inspectors arrive. The goal of the review is to understand what the inspectors want and to give them the assurance that you have done your best and what is required according to the regulations. The approach to the review is to be truthful. If there are any shortcomings, work out the remedial actions with the inspectors.