COREDO employees were contacted by a client who, for the sake of anonymity, will further be referred to as “Client A”. This client is an electronic money institution authorized to provide payment services, which at the time of applying to COREDO, had not yet started its activities and was interested in developing a complete AML system that would meet all the requirements of regulators and perform its main function — to protect the client’s company from the risk that its services will be used for illegal purposes.
Since Client A did not have any previously configured AML processes or policies, COREDO employees created a complete and effective AML system from scratch.
The fundamental approach to countering the risks associated with ML/TF is the so-called “risk-based approach”. The main idea is that the competent authorities and financial institutions should identify and assess the ML/TF risks to which they are exposed and take measures appropriate to these risks. In other words, risks are prioritized. This approach helps to reasonably allocate available resources and avoid damage associated with the most likely risks to which the organisation is exposed.
Developing an AML system for Client A, we were guided by a risk-based approach, and therefore, firstly, we carried out a detailed risk assessment. It consisted of the following stages:
At this stage, we have received from Client A a detailed description of his business, organisational structure and services that he provides.
We conducted an assessment of the client’s business based on the information received from him, as well as on the materials collected during our research. This assessment included the following:
This stage included identifying and planning the main measures for countering the identified risks and establishing effective protection mechanisms. Taking into account the previously stated wishes of Client A, we offered him the following:
After clarifying all the nuances, the client got acquainted with the results of the risk assessment and approved the proposed strategy for developing the AML system.
Onboarding is the process prior to establishing a business relationship with a customer or providing products or services that interest him. During the onboarding process, the organisation has two main tasks: to acquaint the client with the desired product and to “get to know” the client. In the context of the AML field, the primary goal is precisely the second task, that is, getting to know the client using the “Know Your Client” principle.
We set up the onboarding process so that Client A could clearly understand who the user of his product is and what he does, what risks this user may pose for Client A, how and for what purpose he will use the desired product, and where the funds to finance the transaction come.
Collaboration with Client A included the following steps:
Since Client A needed to receive detailed information about users, we developed a KYC questionnaire, which is one of the most effective methods for collecting structured data.
We recommend to our customers those identification methods allowed regarding of the AML law in the jurisdiction where their business is registered. In this case, the client was offered a choice of three identification methods: “face-to-face” identification, remote identification and identification using technologies. Client A has decided to use all three methods of identifying users, so we have defined a procedure for each method.
Next, it was necessary to determine which sources of information would be considered valid for confirming the identity of the users, so we compiled a list of requirements for the requested documents.
It is worth highlighting a very important stage of user identification — screening for sanctions restrictions or having the status of a politically exposed person (PEP). Although AML laws usually do not restrict organisations to any specific screening method, we recommend that our clients use special services that significantly speed up and automate the screening process. Therefore, in this case, we offered Client A several services to choose from.
Due diligence is a set of measures aimed at conducting a comprehensive check of clients for potential risks in terms of ML/TF.
The due diligence methodology for Client A was created in accordance with the risk-based approach, when the higher the potential risk of the user is, the more thorough the check will be and the more documents and information you need to receive. That is, we have developed measures for regular due diligence for low- and medium-risk ML/TF users and enhanced due diligence for high-risk users.
Also, Client A was offered the following due diligence tools:
As mentioned earlier, the choice of due diligence measures is based on a risk-based approach. Therefore, we developed a risk assessment system for individual users .
We proposed to assess risks using a specialized questionnaire that automatically calculates the risk profile of the users depending on the number of points scored. This questionnaire takes into account such risk factors as, for example:
The higher the number of risk factors inherent in the user, the higher his score will be. Further, depending on this score, his risk profile is determined: low, medium and high, or the so-called “reject” — a risk profile upon receipt of which Client A does not a set business relationship with the user and does not provide him with any products or services.
The monitoring process consists of two components: monitoring the information about the organisation’s customers, performed through continuous due diligence, and transaction monitoring.
We have provided Client A with outlines of certain scenarios that may arise during a business relationship and the types of checks that should be carried out if they occur. That is, to put it simply, Client A must apply the measures that have been developed if:
We have also created a basic set of measures that Client A will use when conducting mandatory continuous customer due diligence following the requirements of the regulators, which must be carried out at regular intervals to update information about the users.
As described above, the second component of continuous user monitoring is transaction monitoring, which includes manual or automated scanning of the transactions based on predefined parameters and scenarios, as well as taking into account certain triggers.
This monitoring aims to determine whether the user’s actual activity matches what is known about him and respond promptly if the client shows signs of suspicious activity.
At the request of Client A, we set up precisely the automated type of monitoring, as well as the corresponding trigger system. Since developing the own monitoring software requires a lot of investment, we suggested that the client uses the services of an existing service that was more accessible to him.
The benefit of this service is that the technical base for monitoring is already ready, but the help of our specialists was still needed in setting up scenarios and triggers that would correctly serve users’ activities, taking into account individual characteristics.
To effectively counter ML/TF, all employees directly or indirectly responsible for compliance with established measures must clearly understand their roles and responsibilities.
We assigned the roles of the Client A employees in accordance with the “Three Lines Model”, or “Three Lines of Defence Model”, which helps organisations coordinate the risk management processes through a clear distribution of their roles and responsibilities. This approach not only improves work efficiency but also helps avoid conflicts of interest, which is one of the most common internal risk factors in AML.
An equally important element is a competent approach to employee training, so Client A was offered a system for training and evaluating new staff, considering their activities and structure. In accordance with local AML law, training must be carried out at least once a year. Therefore, we also offered the client the opportunity to take an annual course with the subsequent certification from COREDO.
A necessary component of any AML system is setting up the organisation’s external and internal reporting. External reporting usually consists of filing a Suspicious Activity Report (SAR) — a notification of suspicious user activity, which is sent to the relevant government authorities.
To fulfill this obligation correctly, organisations need to set up an effective transaction monitoring system and develop adequate procedures that will detail the SAR filing process and, most importantly, signs of suspicious user activity. Therefore, we have incorporated the required information into Client A’s AML policy and included a methodology for identifying suspicious activity and filing SARs in the employee training program. The training included, among other things, the analysis of individual cases from the practice of COREDO employees.
Internal reporting implies the submission of reports on the results of operational activities in the AML area to the organisation’s management. The goal is to inform top management about the current situation to introduce further improvements and, if necessary, eliminate existing shortcomings.
Since there are a several requirements for such reports, the client was offered a template for compiling such reports, and rules that regulate the detail and regularity of reporting were introduced into the AML policy of the company.
The basic tools for monitoring the operation of the AML system are external and internal audits that support the organisation’s third line of defence. Internal audit is often carried out by the top management of the organisation (if there is no separate position of an auditor in the company), and external — by an independent auditor. An external audit is necessary to avoid the previously mentioned conflict of interest.
We have created a methodology for conducting internal audits and a template for documenting the results of audits for the client’s management. Also, the client was offered assistance in passing future external audits, including support in passing the check with the regulator.
The AML policy is a document describing the internal control rules regarding money laundering and terrorist financing and is mandatory for every company whose activities are regulated by AML law. This document is intended as a practical guide for employees of an organisation, so it is often required that the instructions comply with the AML law and describe the procedures established by law. At the same time, the instructions must have the form of an understandable, practical guide. That is, the AML policy is not a formal document.
Organisations often underestimate the role of regulations and develop a template document, which is just an abbreviated citation of legislative acts, without a detailed description of the AML procedures applied. Unfortunately, this approach is incorrect since the prescriptions simply do not fulfill their function.
For Client A, we have created the prescriptions that describe the main elements and processes of the formed AML system and the risk assessment methodology. In addition, we have developed several manuals that regulated individual processes in more detail and had the character of applied instructions for each company employee.
An equally important requirement for the AML systems is the correct record-keeping following the principle of retrospective recoverability — that is, all processes must be documented and stored in such a way that even after a certain period, the reasons for the occurrence and the progress of the process would be clear, it must be understandable which resources were involved, who were the responsible persons, what conclusions were drawn, etc. The more detailed the recreation of the course of certain events can be, the better it is from the point of view of the AML area.
That is why the development of an AML system for Client A included, among other things, setting up a record-keeping system, namely the form of storage (printed, electronic, on cloud storage, etc.), setting up access to this information to avoid disclosure of the personal data, storage period and methods of systematization of the information.
A key element in creating a truly effective AML system was the desire of Client A to implement all the proposed processes per our recommendations and subsequent compliance with the established procedures. From the beginning of the cooperation, the client provided us with all the requested information and later actively provided additional information when needed.
After the previously proposed processes were approved, Client A was provided with support in their implementation. We held a series of consultations for the compliance employees, where we analyzed in detail all the steps for interacting with the client at the onboarding stage, in particular:
Also, at the stage of setting up the transaction monitoring system, as mentioned earlier, our specialists offered Client A some options for scenarios and triggers that would signal suspicious activity. During their development, we considered the individual characteristics of the client’s activity and his potential users. During the setup, Client A made his wishes and suggestions, which we always took into account. Then the system went through a series of tests until both the client and our employees were satisfied with the result. After that, staff training was conducted again.
During the implementation of the “Three Lines Model”, all client employees were assigned their job responsibilities and the positions they occupy in certain lines of defence, as well as the functions of these lines. Client A was interested in the effective implementation of this model, so we developed a separate guide for workers to understand its basic principles.
After the launch of the AML system, we actively helped the client’s employees and held regular consultations.
Since the customized processes were implemented in accordance with our recommendations, we provided assistance only with training at first. However, over time, due to external factors, it was necessary to update some processes, so we continued to cooperate with Client A on a long-term basis, gradually updating and supplementing the AML system.
We especially note that the processes developed for Client A turned out to be so effective, among other things, because all our recommendations were fully followed, and the client continues to adhere to them.
Thanks to the fruitful collaboration, the company, which had no previous experience interacting with AML processes or policies, received the full-fledged AML system that includes all the necessary elements. A KYC questionnaire and special methods for monitoring information about clients and their activities were developed and implemented, a system of external and internal reporting, as well as a data storage system, were set up, and all relevant AML policies were developed.
Client A has been cooperating with us for more than two years. Over the years, his business has expanded, and more than a dozen employees have gained knowledge and skills in the AML field. They managed to improve the quality of work and increase the security of the services provided. Thanks to a thoughtful approach, the roles and responsibilities of the staff are clearly defined, which eliminates internal conflicts and increases work efficiency.
Productive cooperation with Client A continues at this time. The constant updating and extension of the AML system allow the company to fully comply with the changing requirements of the regulator to fulfill all AML/CFT requirements and tasks with the greatest speed, efficiency and accuracy.
