COREDO employees were contacted by a client who, for the sake of anonymity, will hereafter be referred to as “Client A”. This client is an electronic money institution authorized to provide payment services which, at the time of applying to COREDO, had not yet started its activities and was interested in developing a complete AML system that would meet all the requirements of regulators and perform its main function — to protect the client’s company from the risk that its services will be used for illegal purposes.
Since Client A did not have any previously configured AML processes or policies, COREDO employees created a complete and effective AML system from scratch.
Risk assessment of the client’s activities and risks associated with the client’s users
The fundamental approach to countering the risks associated with ML/TF is the so-called “risk-based approach”. The main idea is that the competent authorities and financial institutions should identify and assess the ML/TF risks to which they are exposed and take measures appropriate to these risks. In other words, risks are prioritized. This approach helps to reasonably allocate available resources and avoid damage associated with the most likely risks to which the organisation is exposed.
In developing an AML system for Client A, we were guided by a risk-based approach and therefore first carried out a detailed risk assessment. It consisted of the following stages:
- Determining the scope and structure of the client’s activities.
At this stage, we received from Client A a detailed description of his business, organisational structure and the services that he provides.
- Assessment of potential risks inherent in the client’s activities.
We conducted an assessment of the client’s business based on the information received from him, as well as on the materials collected during our research. This assessment included the following:
- identification of risk factors for the use of products and services of Client A for ML/TF purposes,
- identification of risk factors borne by users of Client A’s products and services,
- determination of the risk appetite, that is, the acceptable level of risk that Client A is ready to take on to achieve his strategic goals.
- Determination of risk monitoring and prevention mechanisms.
This stage included identifying and planning the main measures for countering the identified risks and establishing effective protection mechanisms. Taking into account the previously stated wishes of Client A, we offered him the following:
- To customize the onboarding process, including a methodology for conducting user identification, due diligence, and user risk assessment.
- To develop a process for monitoring users and their activities during the provision of products and services by Client A.
- To build a system of interaction between employees of Client A in accordance with the three Lines of Defense model, as well as develop a methodology for training and assessing the knowledge of these employees.
- To set up methods of external and internal audits, as well as reporting for effective administration by the company’s management.
- To develop internal AML procedures and policies for Client A to apply the previously listed methods effectively.
- Approval of the assigned strategy.
After clarifying all the nuances, the client got acquainted with the results of the risk assessment and approved the proposed strategy for developing the AML system.
Setting up the onboarding process
Onboarding is the process prior to establishing a business relationship with a customer or providing products or services that interest him. During the onboarding process, the organisation has two main tasks: to acquaint the client with the desired product and to “get to know” the client. In the context of the AML field, the primary goal is precisely the second task, that is, getting to know the client using the “Know Your Client” principle.
We set up the onboarding process so that Client A could clearly understand who the user of his product is and what he does, what risks this user may pose for Client A, how and for what purpose he will use the desired product, and where the funds to finance the transaction come from.
Collaboration with Client A included the following steps:
- Establishment of the methods and tools for user identification.
Since Client A needed to receive detailed information about users, we developed a KYC questionnaire, which is one of the most effective methods for collecting structured data.
We recommend to our customers the identification methods that are allowed under the AML law of the jurisdiction where their business is registered. In this case, the client was offered a choice of three identification methods: “face-to-face” identification, remote identification and identification using technologies. Client A decided to use all three methods of identifying users, so we defined a procedure for each method.
Next, it was necessary to determine which sources of information would be considered valid for confirming the identity of the users, so we compiled a list of requirements for the requested documents.
It is worth highlighting a very important stage of user identification — screening for sanctions restrictions or having the status of a politically exposed person (PEP). Although AML laws usually do not restrict organisations to any specific screening method, we recommend that our clients use special services that significantly speed up and automate the screening process. Therefore, in this case, we offered Client A several services to choose from.
- Development of customer due diligence measures.
Due diligence is a set of measures aimed at conducting a comprehensive check of clients for potential risks in terms of ML/TF.
The due diligence methodology for Client A was created in accordance with the risk-based approach: the higher the potential risk of the user, the more thorough the check will be and the more documents and information need to be obtained. That is, we developed measures for regular due diligence for low- and medium-risk ML/TF users and enhanced due diligence for high-risk users.
Also, Client A was offered the following due diligence tools:
- A questionnaire, which a compliance officer must fill out and which serves as a checklist for information about a particular user. It helps to structure the data and conduct a general study of what Client A knows about the user, including a detailed analysis of his activities and sources of funding for these activities. It’s also a great way to archive information for later review.
- A list of documents that must be requested when confirming the available data about the user, as well as a list of other sources of information that can be considered valid for these purposes.
- Ways to assess the reputation of the users by analyzing various independent sources of information, as well as specialized services for monitoring public information.
- Web compliance checklist, which contains clear requirements for users’ Internet platforms and helps to assess the compliance of these platforms.
- Development of a user risk assessment system.
As mentioned earlier, the choice of due diligence measures is based on a risk-based approach. Therefore, we developed a risk assessment system for individual users.
We proposed to assess risks using a specialized questionnaire that automatically calculates the risk profile of the users depending on the number of points scored. This questionnaire takes into account such risk factors as, for example:
- the location of the user or the geographical area in which his activities are conducted;
- type of the activity and turnover of the user;
- whether the user is a politically exposed person or a sanctioned person;
- the complexity of the control and ownership structure if the user is a corporate body;
- the complexity of the distribution channel, etc.
The higher the number of risk factors inherent in the user, the higher his score will be. Depending on this score, his risk profile is then determined: low, medium or high, or the so-called “reject” — a risk profile upon receipt of which Client A does not establish a business relationship with the user and does not provide him with any products or services.
Development of the monitoring methods
The monitoring process consists of two components: monitoring the information about the organisation’s customers, performed through continuous due diligence, and transaction monitoring.
We have provided Client A with outlines of certain scenarios that may arise during a business relationship and the types of checks that should be carried out if they occur. That is, to put it simply, Client A must apply the measures that have been developed if:
- the user reports a change in the previously declared identification information;
- the user declares a change in the previously stated activity;
- the user reports changes in his control or ownership structure;
- the user shows signs of suspicious behavior, etc.
We have also created a basic set of measures that Client A will use when conducting mandatory continuous customer due diligence following the requirements of the regulators, which must be carried out at regular intervals to update information about the users.
As described above, the second component of continuous user monitoring is transaction monitoring, which includes manual or automated scanning of the transactions based on predefined parameters and scenarios, as well as taking into account certain triggers.
This monitoring aims to determine whether the user’s actual activity matches what is known about him and respond promptly if the client shows signs of suspicious activity.
At the request of Client A, we set up the automated type of monitoring, as well as the corresponding trigger system. Since developing one’s own monitoring software requires a lot of investment, we suggested that the client use an existing service that was more accessible to him.
The benefit of this service is that the technical base for monitoring is already ready, but the help of our specialists was still needed in setting up scenarios and triggers that would correctly serve users’ activities, taking into account individual characteristics.
Distribution of the duties and training of the employees
To effectively counter ML/TF, all employees directly or indirectly responsible for compliance with established measures must clearly understand their roles and responsibilities.
We assigned the roles of the Client A employees in accordance with the “Three Lines Model”, or “Three Lines of Defence Model”, which helps organisations coordinate the risk management processes through a clear distribution of their roles and responsibilities. This approach not only improves work efficiency but also helps avoid conflicts of interest, which is one of the most common internal risk factors in AML.
An equally important element is a competent approach to employee training, so Client A was offered a system for training and evaluating new staff, considering their activities and structure. In accordance with local AML law, training must be carried out at least once a year. Therefore, we also offered the client the opportunity to take an annual course with the subsequent certification from COREDO.
Setting up a system of external and internal reporting
A necessary component of any AML system is setting up the organisation’s external and internal reporting. External reporting usually consists of filing a Suspicious Activity Report (SAR) — a notification of suspicious user activity, which is sent to the relevant government authorities.
To fulfill this obligation correctly, organisations need to set up an effective transaction monitoring system and develop adequate procedures that will detail the SAR filing process and, most importantly, signs of suspicious user activity. Therefore, we have incorporated the required information into Client A’s AML policy and included a methodology for identifying suspicious activity and filing SARs in the employee training program. The training included, among other things, the analysis of individual cases from the practice of COREDO employees.
Internal reporting implies the submission of reports on the results of operational activities in the AML area to the organisation’s management. The goal is to inform top management about the current situation to introduce further improvements and, if necessary, eliminate existing shortcomings.
Since there are several requirements for such reports, the client was offered a template for compiling them, and rules that regulate the detail and regularity of reporting were introduced into the AML policy of the company.
Setup of the control system
The basic tools for monitoring the operation of the AML system are external and internal audits that support the organisation’s third line of defence. Internal audit is often carried out by the top management of the organisation (if there is no separate position of an auditor in the company), and external — by an independent auditor. An external audit is necessary to avoid the previously mentioned conflict of interest.
We have created a methodology for conducting internal audits and a template for documenting the results of audits for the client’s management. Also, the client was offered assistance in passing future external audits, including support in passing the check with the regulator.
Development of AML policies and record-keeping methods
The AML policy is a document describing the internal control rules regarding money laundering and terrorist financing and is mandatory for every company whose activities are regulated by AML law. This document is intended as a practical guide for employees of an organisation, so it is often required that the instructions comply with the AML law and describe the procedures established by law. At the same time, the instructions must have the form of an understandable, practical guide. That is, the AML policy is not a formal document.
Organisations often underestimate the role of regulations and develop a template document, which is just an abbreviated citation of legislative acts, without a detailed description of the AML procedures applied. Unfortunately, this approach is incorrect since the prescriptions simply do not fulfill their function.
For Client A, we have created the prescriptions that describe the main elements and processes of the formed AML system and the risk assessment methodology. In addition, we have developed several manuals that regulated individual processes in more detail and had the character of applied instructions for each company employee.
An equally important requirement for the AML systems is the correct record-keeping following the principle of retrospective recoverability — that is, all processes must be documented and stored in such a way that even after a certain period, the reasons for the occurrence and the progress of the process would be clear, it must be understandable which resources were involved, who were the responsible persons, what conclusions were drawn, etc. The more detailed the recreation of the course of certain events can be, the better it is from the point of view of the AML area.
That is why the development of an AML system for Client A included, among other things, setting up a record-keeping system, namely the form of storage (printed, electronic, on cloud storage, etc.), setting up access to this information to avoid disclosure of the personal data, storage period and methods of systematization of the information.
Client A’s cooperation
A key element in creating a truly effective AML system was the desire of Client A to implement all the proposed processes per our recommendations and subsequent compliance with the established procedures. From the beginning of the cooperation, the client provided us with all the requested information and later actively provided additional information when needed.
After the previously proposed processes were approved, Client A was provided with support in their implementation. We held a series of consultations for the compliance employees, where we analyzed in detail all the steps for interacting with the client at the onboarding stage, in particular:
- what information and documentation must be obtained from users for correct identification;
- how to use user screening services concerning sanctions or PEP status;
- what information and documentation should be obtained during due diligence and how to process this request;
- how to fill out a due diligence questionnaire, a web compliance checklist and a questionnaire to determine the client’s risk profile;
- how the above procedures change in case of continuous controls;
- what is the protocol of actions in non-standard situations, for example, when the user receives the “Reject” status based on the results of the risk assessment, does not want to cooperate, or the information declared earlier turned out to be false, etc.;
- where and how to keep records of user files.
Also, at the stage of setting up the transaction monitoring system, as mentioned earlier, our specialists offered Client A some options for scenarios and triggers that would signal suspicious activity. During their development, we considered the individual characteristics of the client’s activity and his potential users. During the setup, Client A made his wishes and suggestions, which we always took into account. Then the system went through a series of tests until both the client and our employees were satisfied with the result. After that, staff training was conducted again.
During the implementation of the “Three Lines Model”, all client employees were assigned their job responsibilities and the positions they occupy in certain lines of defence, as well as the functions of these lines. Client A was interested in the effective implementation of this model, so we developed a separate guide for workers to understand its basic principles.
After the launch of the AML system, we actively helped the client’s employees and held regular consultations.
Since the customized processes were implemented in accordance with our recommendations, we provided assistance only with training at first. However, over time, due to external factors, it was necessary to update some processes, so we continued to cooperate with Client A on a long-term basis, gradually updating and supplementing the AML system.
We especially note that the processes developed for Client A turned out to be so effective, among other things, because all our recommendations were fully followed, and the client continues to adhere to them.
Thanks to the fruitful collaboration, the company, which had no previous experience interacting with AML processes or policies, received a full-fledged AML system that includes all the necessary elements. A KYC questionnaire and special methods for monitoring information about clients and their activities were developed and implemented, a system of external and internal reporting, as well as a data storage system, were set up, and all relevant AML policies were developed.
Client A has been cooperating with us for more than two years. Over the years, his business has expanded, and more than a dozen employees have gained knowledge and skills in the AML field. They managed to improve the quality of work and increase the security of the services provided. Thanks to a thoughtful approach, the roles and responsibilities of the staff are clearly defined, which eliminates internal conflicts and increases work efficiency.
Productive cooperation with Client A continues at this time. The constant updating and extension of the AML system allow the company to fully comply with the changing requirements of the regulator and to fulfill all AML/CFT requirements and tasks with the greatest speed, efficiency and accuracy.