An AML framework is made up of a few components much like your automobile which functions due to the orchestral coordination of its components. In this write-up, we endeavour to list down the ten core components of an effective AML framework. In our subsequent writeups, we will delve deeper into each of these components.
Component #1 – Business Risk Assessment (BRA)
DNFBPs should have a BRA for each of its business verticals. For example, a firm offering taxation services and bookkeeping services should have these two business verticals covered either through a single BRA or two BRAs – one each for taxation and bookkeeping.
Component #2 – Procedure Manuals
Having identified and assessed the business-wide risks through a BRA, the DNFBPs must implement internal policies, controls, and procedures to mitigate those risks.
Component #3 – Customer identification & verification
Typically, a KYC (Know Your Customer) form is used to gather personal details of the prospects or customers. At this stage, DNFBP is required to identify their clients, collect ID documents (e.g., copy of passport), and verify them (e.g., original sighting of the passport)
Component #4 – Sanctions screening
Before engaging in a business relationship with a prospect, it is imperative to check that the prospect is not a designated person or entity. DNFBPs are required to check the prospect’s name against the UAE terrorist list and UN sanctions list. If the prospect (or client) is identified as a designated or sanctioned person, then the DNFBP should decline to offer its services and report to the Financial Intelligence Unit (FIU) through an appropriate report (FFR or PNMR).
Component #5 – Customer Risk Assessment (CRA)
Every customer poses a unique risk to the business. Their risks should be assessed by the DNFBPs using the risk factors namely, customer risk, geography risk, product risk, delivery channel risk, transaction risk, or any other risk.
Component #6 – Customer Due Diligence (CDD)
The extent of due diligence differs based on the risk classification in the above step. Additional background checks are employed for high-risk customers who get classified as EDD (Enhanced Due Diligence). The end state of CDD is the decision by DNFBP to either provide or not provide its services to the prospect/client.
Component #7 – Customer / Transaction monitoring
DNFBPs are required to monitor for changes in their clients’ circumstances. For example, a person with no political connections could suddenly take up a political assignment triggering an EDD. Similarly, DNFBPs must monitor for any high-risk transactions initiated by their clients. For example, a client receiving or making payment using virtual assets (cryptocurrencies) may warrant an EDD. DNFBPs should continue to monitor for red-flag indicators during the entire client lifecycle.
Component #8 – Reporting suspicious activities and transactions (SAR / STR)
Suspicious behaviour or activities identified while monitoring their clients, DNFBPs should file a Suspicious Activity Report (SAR) with the Financial Intelligence Unit (FIU) through the goAML platform. Similarly, if suspicion is noted in their clients’ transactions, a Suspicious Transaction Report (STR) should be filed.
Component #9 – Staff Training
Any documented framework or procedure is effective only if its staff members are trained adequately. A prudent understanding of AML risks facing the DNFBP is necessary for the Compliance Officer (CO) to embed a culture of risk management across the organization. A clear understanding of the controls is necessary for all the staff members to identify and mitigate the ML / TF risks in the processes. Therefore, periodical training is necessary at all levels within the DNFBP.
Component #10 – Record-keeping
The AML regulation requires that every DNFBP should abide by the statutory record-keeping requirements. All the documents that form part of the AML framework should be maintained for a period of 5 years after completing the transaction or post-closure of the relationship with their clients.
Conclusion:
Merely having these components alone will not guarantee an effective AML framework. It is necessary that each of the components listed above should operate effectively. Therefore, DNFBPs must have a competent CO to oversee the framework and periodically report its status to senior management. Frequent communication from the top to the employees on ML/TF risks facing the organization widely improves the risk management culture. COs must ensure that they file regulatory reports like AML/CFT reports, REAR, DPMSR, etc. on a timely basis.
In our follow-up series, we will see how to effectively design each of these components so that the overall framework operates effectively.
These components are depicted in the below exhibit.
