Compliance has increasingly been a focus of financial institutions over the past few years, whether dealing with new, post-recession regulations or rules relating to tax information exchange and money laundering. This focus has seen a swelling of ranks in banks’ compliance teams, most notably J.P. Morgan’s drive to hire 5,000 risk and compliance staff. Issues of money laundering made world news after HSBC paid a fine of US$1.9bn to settle accusations of laundering money for Mexican cartels. Consequently, having the correct policies and procedures in place is imperative for businesses in these fields and it pays to be familiar with the requirements.
The first step: risk profiling
Because to carry out full, detailed checks on every prospective and existing customer would be burdensome, most anti-money laundering (AML) regimes adopt a risk-based approach. This means that businesses subject to AML regulations must categorise their services, customers, and transactions according to the level of money laundering risk posed by each. All of these are subject to baseline checks (see below), but if any of these are considered to be high risk then enhanced checks are used. It is therefore important to understand and analyse the different risk factors.
Laws and industry best practice set out certain risk factors that are likely to make a customer appear to be high risk. Past the prescriptions in the applicable law, a business’s risk classifications and how it deals with them are a matter for it’s management and the company’s risk appetite. Examples of high-risk factors include:
- Politically-exposed persons (PEPs): these are individuals who hold, or have held, high office either in the financial institution’s country or elsewhere. Different rules may apply depending on whether the PEP is domestic, foreign, or involved related to an international organization;
- High risk countries: Customers from, resident in, or operating from countries considered to be high risk (for example by the Financial Action Task Force or the local regulator) are considered high risk by extension. Sanctioned countries like Iran and North Korea are also likely to be considered as high risk;
- Complex legal structures: If a legal structure makes it difficult to identify the individuals who control and benefit from the financial services involved, enhanced customer due diligence (ECDD) will be required;
- Cash transactions: Because it is difficult to trace the source of cash, special attention is required when accepting or making transactions in cash;
- Non-face-to-face transactions: Because it is harder to verify a person’s identity without them present, remotely-managed relationships are considered as a risk factor. This is why Healy Consultants’ advice on opening international bank accounts is so valuable.
Due diligence procedures
Before taking on any new clients, regulated companies must carry out the checks stipulated by law. Broadly speaking, this requires verifying the customer’s identity, domicile, legal capacity for acting, business purpose, and whether the relationship will involve frequent or occasional transactions. This must be done for all directors, beneficial owners and other individuals with substantial control of the company. In most cases, the threshold for “beneficial ownership” is a 25% or greater interest; however, institutions are free to set a lower threshold depending on their risk appetite.
To answer these questions and verify the responses, institutions like banks, investment managers and foreign exchange businesses ask individuals for original versions or certified copies of due diligence documents including:
- National ID cards;
- Other photographic ID;
- Proof of address;
- Details of the customer’s occupation and source of wealth (for example through a CV or other documentation); and
- Where acting on behalf of another, documentary evidence of that individual’s authority to do so.
If a company, trust, partnership or other legal structure is used, the following documents are often requested:
- Documents proving the existence and operating rules of the vehicle. Examples of such documents include:
- Certificate of incorporation and name change;
- Memorandum and articles of association;
- Deed of foundation;
- Operating agreement;
- Company constitution; and
- Certificate of incumbency.
- Documents proving the power of the company’s representatives to act on its behalf, e.g. a power of attorney; and
- Documents proving the company’s authorisation to carry out the proposed act, typically through a board resolution or a similar instrument specific to that structure.
For some legal structures, typically regulated or publicly-listed businesses, the requirement for documents proving the entity’s existence are often waived.
Enhanced due diligence
Where the analysis of risk factors results in a customer or transaction being identified as being higher risk, additional verification is required. Such measures can include:
- Using third-party resources to research the customer and beneficial owners. Thomson Reuters’ Accelus product is a popular database often used for this purpose;
- Gaining approval from the company’s compliance officers for beginning the business relationship. This step is often one of the largest causes of engagement delays for our clients;
- Requiring the first payment for the relationship to be made through another account in the customer’s name, held at an institution with equivalent compliance requirements. However, due to restrictions on the extent to which financial institutions can rely on third parties, it is best if the customer has an existing account with that institution in another jurisdiction.
Ongoing monitoring and reporting
A large part of financial service providers’ obligations under AML laws is keeping records of customers, transactions and the supporting customer due diligence. In almost all cases, such information is retained for at least six years. For each transaction, the following details are recorded and kept:
- The identity and address of the person in whose name the transaction is made;
- The identity and address of the beneficiary of the transaction;
- The identity of any accounts affected by the transaction, if any;
- The type of transaction (currency exchange, deposit, transfer, withdrawal, etc.); and
- The date, time and amount of the transaction.
Information on the creation and ownership of an account is kept for at least six years following the conclusion of that client relationship.
Reporting obligations arise if the financial service provider’s supervisory authorities begin an investigation, as well as in other cases involving high risk, suspicious or large transactions. Many jurisdictions require reports to be filed for transactions over a certain amount.
All of these rules make it difficult to open an account with a modern financial services business in most jurisdictions if carrying out international business. They also add complexity to starting and managing a financial services business, as compliance requires understanding the law and then creating and enforcing appropriate policies and procedures. It is with these points of friction that Healy Consultants can help our clients with opening bank accounts or starting their own financial firms. Our experts understand the requirements in such a way that we can smooth the process, although it is rarely simple in practice.