Since the introduction of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 ("AMLATFPUAA"), the Government has taken a phased approach in imposing anti-money laundering ("AML") reporting obligations on various intermediaries and entities in the country. Whilst the initial phase of implementation was focused on financial institutions and capital market intermediaries, over the years, various other entities have been made reporting institutions ("RIs") under the AMLATFPUAA. The wide array of RIs now includes financial institutions, stockbroking companies, fund managers, and recognised market operators such as peer-to-peer platforms and cryptocurrency exchanges. Professionals such as lawyers, accountants and company secretaries and various other entities including trust companies, dealers in precious metals or precious stones, moneylenders, casinos, and real estate agents have been subject to AML reporting requirements for several years.

The obligations imposed upon such reporting entities revolve around conducting "Know Your Customer" ("KYC") checks when onboarding new clients, carrying out ongoing customer due diligence during the course of the relationship, reporting suspicious transactions and proper recordkeeping. These requirements are currently set out in Bank Negara Malaysia's ("BNM") Policy Documents on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, and Designated Non-Financial Businesses and Non-Bank Financial Institutions, and the Securities Commission's ("SC") Guidelines on Prevention of Money Laundering and Terrorism Financing for Reporting Institutions in the Capital Market. RIs are required to adhere to these rules not only to counter money laundering but also terrorism financing ("TF") and proliferation financing ("PF"), which is the financing of weapons of mass destruction.

Wading through AML rules can appear cumbersome and overwhelming at times. This, however, need not be the case. This Update seeks to point out five key points that RIs need to take heed of.

Tone at the top – the board is ultimately accountable

A commonly held misconception among some RIs is that AML compliance is an operational matter and, as a result, it is often consigned to the management without any meaningful oversight by the Board of Directors ("Board"). While intermediaries in the financial markets such as banks and broking firms have been RIs for several years, entities that have recently been gazetted may not appreciate the extent of the Board's role. However, BNM's policy documents make it clear that the Board has to maintain accountability and oversight for establishing anti-money laundering and counter terrorism financing ("AML/CFT") policies.

In granular terms, what this means is that the Board should not only approve AML policies but should also assess the implementation of these policies. The Board should also define the lines of authority and responsibility for implementing AML/CFT measures, and this has to be followed by regular reporting by senior management and the Audit Committee to the Board. This feedback loop is critical because it ensures that AML issues and concerns are regularly cascaded up to the Board. Just as the responsibility for good corporate governance starts with the Board of a company, the underlying proposition is that responsibility for nurturing an environment where employees take compliance issues seriously must rest with the highest governing body in a company or firm.

AML compliance is not just the Compliance Officer's job

Just as the role of the Board is clearly defined, it is critical to ensure that each of the moving parts within an RI's operations is assigned clear roles and responsibilities. This involves the following:

  • Senior management, who are accountable for the implementation and management of AML/CFT compliance programmes. This means that they are responsible for formulating the necessary policies, designing the mechanisms to monitor suspicious transactions and reporting to the Board periodically on the AML risks faced and the internal controls in place to manage these risks. Senior management is also responsible for ensuring that AML training is conducted and a Compliance Officer is appointed. Employee training is particularly critical so employees are aware of how to spot red flags and know where to turn to in the event that they are faced with a suspicious transaction.
  • The Compliance Officer acts as the reference point within the firm on all AML/CFT matters. He or she has to maintain internal criteria for the detection and reporting of suspicious transactions and acts as the point person with BNM's Financial Intelligence and Enforcement Department for this purpose.
  • The internal AML auditor is required to carry out an independent audit to test the RI's compliance with the law, relevant guidelines and internal AML/CFT policies, and to submit a report to the Board outlining corrective measures where necessary. At this point, BNM has not set out the frequency of the audit and this is left to the RI to decide based on its organisational needs.

Given that this is a rapidly evolving sector, it is important that RIs keep abreast of developments in this space and ensure that the key staff involved in AML compliance are well equipped to discharge their functions effectively.

A risk-based approach enables an optimum use of an RI's resources

While BNM's policy documents provide specific requirements in terms of the obligations of RIs, they also eschew a "one size fits all" approach. In line with global standards set by the Financial Action Task Force[1] ("FATF"), RIs are instead required to apply a risk-based approach in dealing with money laundering and terrorism financing threats. This is extremely beneficial because, in practice, it means that RIs can design their AML processes around the nature of the risks that they face in conducting their business.

How then should businesses implement a risk-based approach in dealing with AML compliance? One useful tool is for the RI to carry out an AML institutional risk assessment within the organisation. Risk assessments are often conducted within an organisation to identify business risks that a company faces in its day-to-day operations and to ensure that appropriate processes to manage these risks are in place. This tool can be similarly used in the context of AML compliance. Questions that one should pose in conducting an effective AML risk assessment are – what are the most pressing AML risks that arise in the course of my business and how can these risks be mitigated?

Commonly identified risks as set out in BNM's policy documents are client risk, geographical risk, and transaction risks. Examples of client risks are non-resident clients, clients with cash intensive businesses, clients whose ownership structure is excessively complex or persons from locations known for high rates of crimes such as drug production or human trafficking. Another risk is geographical risk, which refers to the location of the business or the origin of customers. In this respect, the list of countries set out in the FATF website categorised as requiring a "call for action" and those under increased monitoring would need specific attention. It is important that RIs consistently update themselves on these lists given the need for enhanced due diligence where clients or transactions involve these jurisdictions. Similarly, product and transaction risks are gaining traction in light of the frenetic pace of development in financial products such as cryptocurrencies and other digital assets. In fact, data has shown that total transaction volume in cryptocurrencies worldwide has grown to US$15.8 trillion in 2021, up 567% since 2020. Of this, the increase in illicit transaction volume was 79%, translating to US$14 billion worth of illicit funds.[2] Amid this surge of interest in cryptocurrencies and other digital assets, regulators have called for increased caution in this sphere. The FATF has also issued a specific policy document detailing the risks and types of controls that businesses should consider when dealing with new asset classes such as virtual currency.[3]


1. The FATF, which Malaysia is a member of, is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorism financing and financing of proliferation of weapons of mass destruction.

2. Chainalysis, Crypto Crime Report 2022

3. Virtual Assets and Virtual Asset Service Providers, FATF Updated Guidance for a Risk Based Approach,

Originally Published by Christopher & Lee Ong