Compliance - - PDF document

20/03/17 1

www.cfa.org.cy 1 www.cfa.org.cy 1

Compliance Workshop 1 - 2017

“Identification of clients, Complicate structures, Risk assessment & monitoring of transactions”

www.cfa.org.cy 2

Nassos Paltayian - Current Projects & Activities

• Father of 2 super babies
• Head of Compliance (Abacus)
• Information Security Officer (Abacus)
• Leading the DNFBPs module for the National Risk

Assessment

• Founding member and currently Vice Chairing the

ACAMS Cyprus Chapter

• Vice Chair of CFA AML committee
• Vice Chair of ICPAC Compliance committee
• Performing trainings & presentations on relevant

matters raising awareness – Approved by HRDA

• Cycling, Running, Reading, Liverpool & APOEL

20/03/17 2

www.cfa.org.cy 3

What is Money laundering?

Identification of clients, entities and other corporate vehicles

www.cfa.org.cy 4

The Compliance Professional

20/03/17 3

www.cfa.org.cy 5

Identification of clients, entities and other corporate vehicles

www.cfa.org.cy 6

Identification & Verification

• Identification – Who is the

shareholder of ABC Limited?

• Verification – Is Ms Smith the

shareholder of ABC Limited?

20/03/17 4

www.cfa.org.cy 7

Reasons to identify

• Fiduciary industry is based on trust
• One ingredient of trust is the fact that the

ASP knows its customers

• So we want to trust our clients having

clarified that they are not criminals

• We want them to trust us and we want to

trust them

• Pablo, Jose and the rest MUST be avoided!
• Legal requirements

www.cfa.org.cy 8

Cyprus Legislation

• The Prevention and Suppression of Money Laundering and

Terrorist Financing Laws of 2007, 2010, 2012 and 2013

• The Law regulating companies providing Administrative

Services and Related Matters of 2012, 2013, 2014 and 2015

20/03/17 5

www.cfa.org.cy 9

Cyprus Legislation – AML Law

• Sections:

60 - Application of CDD and identification procedures. 61 - Ways of application of CDD and identification procedures 62 - When to apply CDD and identification procedures 63 - Simplified CDD and identification procedures 64 - Enhanced due diligence measures 65 - Transactions on behalf of another person 66 - Prohibitions from cooperating with a shell bank or keeping anonymous accounts 68a - Due diligence and customer identification procedures and record keeping for countries outside the European Economic Area

www.cfa.org.cy 10

Cyprus Legislation – ASP Law

• ASP Law linked to AML Law
• Article 3 (7) “Scope of Application” ASP must have

identity of:

(1) All trustees, (2) The settler - settlor (3) All beneficiaries or information on the class of beneficiaries, (4) The protector (if applicable) (5) The fund manager, accountant, tax official (if applicable), And of course (6) the activities of the Trust.

20/03/17 6

www.cfa.org.cy 11

CySEC Directive

• Paragraphs 7 and 18 to 26 - Along the lines of

the legislation

• 21 (4) - No one document can be used for the

proof of identification and proof of address

• 23 (3) - Article 63 (1) (d) of the Law and setting

4 criteria to accept simplified DD

• Appendix 4 – Examples of High Risk Clients
• Appendix 5 – Examples of Client Identification

www.cfa.org.cy 12

ICPAC Directive

• Section 5 - Along the lines of the legislation
• 5.07 – In cases of change of ASP (ICPAC to ICPAC

regulation) this is evidence of identity and integrity

• 5.22 – Applicant for business relationship
• 5.35&6 – Highlights risks of individuals from high

risk countries (FATF & Moneyval)

• 5.38 – Address verification examples
• 5.58 – Clubs, societies and charitable institutions
• 5.59 – Local authorities and other public bodies
• 5.67 – Non-execution or delay in executing a

transaction

20/03/17 7

www.cfa.org.cy 13

CBA Directive

• Section 5 - Along the lines of the legislation
• 5.04 – In cases of change of ASP (CBA to CBA

regulation) this is evidence of identity and integrity

• 5.05 – When introduced by trustworthy source,

should not overlook CDD

• 5.34 – If no natural persons can be identified then

identify senior managers

• 5.37 – Principal Directors or partners must be

identified

• 5.41 – Trusts and other types of legal

arrangements

www.cfa.org.cy 14

Reliance on 3rd parties

If 3rd party consents for carrying out all or part of client identification and due diligence procedures as per the requirements of the EU Directive (or better), we reviewed processes and obtained evidence that this indeed happens BUT

Liability for compliance failure remains with us!

20/03/17 8

www.cfa.org.cy 15

Financial Action Task Force - FATF

www.cfa.org.cy 16

FATF Recommendations

• Preventive Measures category (R9 – R23)
• R10 CDD: Identifying and verifying the Customer, the UBO,

the control structure, the purpose and perform monitoring

• f transactions – Interpretation specifically covers Trusts
• R11 Record keeping: At least 5 years
• R12 PEPs: Senior Management approval, Source of wealth,

Source of funds & Enhanced ongoing monitoring

• R15 New Tech: Assess risks in advance of launching new

tech products

• R17 Reliance on 3rd parties: Must ensure 3rd party is

regulated, its CDD meets local requirements and info can be made readily available

20/03/17 9

www.cfa.org.cy 17

FATF Recommendations

Recommendation 22 DESIGNATED NON-FINANCIAL BUSINESSES AND PROFESSIONS (DNFBPs)

CDD & Record-keeping requirements set out in Recommendations 10, 11, 12, 15, and 17, apply to Trust and company service providers – when they prepare for or carry out transactions for a client concerning the following activities: a) Formation of legal person b) Directorships or similar position in relation to legal persons c) Registered office, correspondence or administrative address for a legal person or arrangement d) Trustee or equivalent function for a legal arrangement e) Nominee shareholder for another person.

www.cfa.org.cy 18

Basel Committee on banking supervision

Established by the G-10’s central bank of governors in 1974 to promote sound supervisory standards worldwide. Today 38 members and 3 observers.

20/03/17 10

www.cfa.org.cy 19

Basel Committee on banking supervision In their “Customer Due Diligence for Banks” paper in 2001, they identified, amongst others, 4 key elements of KYC:

• 1. Customer identification
• 2. Risk Management
• 3. Customer Acceptance
• 4. Monitoring

www.cfa.org.cy 20

4th EU AML Directive – 2015/849 of 20 May 15

• (12) “There is a need to identify any natural person who exercises ownership or control
• ver a legal entity. In order to ensure effective transparency…”
• (13) “Identification and verification of beneficial owners should, where relevant, extend

to legal entities that own other legal entities, and obliged entities should look for the natural person(s) who ultimately exercises control through ownership or through other means of the legal entity that is the customer.”

• Provisions for a centralized UBO directory
• Fully aligned with substance and spirit of FATF Recommendations
• PEPs are high risk BUT should NOT be avoided – Preventive nature provisions not

criminal!

• Article 3 – Definitions including Beneficial Owner (25%), PEPs, Family members and
• thers
• Article 11 – Outlines when we obtain Due Diligence
• Article 13 – Identification
• Article 14 – Verification
• Articles 15-17 – Simplified Due diligence
• Articles 18-24 – Enhanced Due Diligence

20/03/17 11

www.cfa.org.cy 21

4th EU AML Directive – 2015/849 of 20 May 15

• Annex 1 - Risk variables considered to determine extent of customer due

diligence:

– Purpose of relationship – Level of Assets or Size of transactions – Regularity or duration of business relationship

• Annex 2 – Potential low risk factors:

– Customer (Publicly listed Cos, Public admins or Cos, Clients living in low risk areas) – Service (Services posing low ML risk) – Geographical (EU, 3rd countries with effective AML/CTF systems, low corruption and FATF ratings)

• Annex 3 – Potential high risk factors:

– Customer (Unusual circumstances, Living in high risk countries, Asset holding vehicles, Nominees or Bearer shares, Cash transactions, Complex structure) – Service (Services that favour anonymity, Non face to face clients, Unknown source of receipt of funds, New services, Use of new tech) – Geographical (Countries identified by credible sources (e.g FATF) as not having effective AML/CTF systems, having corruption, Sanctions, embargos by EU and UN, Terrorist activity support)

www.cfa.org.cy 22

KYC & KYE Know Your Client (KYC)

AML policies and procedures used to determine the true identity of a customer and the type of activity that is “normal and expected,” and to detect activity that is “unusual” for a particular customer. Many experts believe that a sound KYC program is one of the best tools in an effective anti-money laundering program.

Know Your Employee (KYE)

AML policies and procedures for acquiring a better knowledge and understanding of the employees of an institution for the purpose of detecting conflicts of interests, money laundering, past criminal activity and suspicious activity. KYE is a key tool in detecting suspicious activity because employees can be accomplices of money launderers. ACAMS

20/03/17 12

www.cfa.org.cy 23

How to identify and verify in practice

• Ticking boxes is not enough
• Ask yourself if you are convinced of the

identification

• Take the extra step and ask “Does it

make sense?”

• UBO and other individuals
• Legal arrangements and Entities

leading to individuals

www.cfa.org.cy 24

Individuals

• Certified true copy of document proving identity
• Certified true copy of document proving residence
• Evidence re. source of funds
• Evidence re. Tax residence (good practice)
• Reference Letter (EDD)
• Background check strongly recommended

20/03/17 13

www.cfa.org.cy 25

Entities Certified true copy of document:

• 1. evidencing incorporation date
• 2. proving registered office
• 3. evidencing shareholders
• 4. showing directors/management
• 5. proving secretary/admin
• 6. governing affairs of entity
• 7. indicating organisation structure
• 8. evidencing good standing or incumbency
• 9. detailing functions of the entity
• 10. UBO identification
• 11. Other

www.cfa.org.cy 26

Other corporate vehicles – Trusts

• Settlor or Trustor – Individual or Entity

initiator

• Trustee – Individual or Entity holder
• Beneficiary – Individual or Entity

entitled to rights in Trust

• Protector – Individual or Entity with

rights over Trustee

20/03/17 14

www.cfa.org.cy 27

Other corporate vehicles – Foundations and other

• Founder - Individual or Entity

initiator

• Representative – Individual or

Entity representing

• Beneficiary - Individual or Entity

entitled to rights

www.cfa.org.cy 28

Enhanced Due Diligence

• Top Management Approval
• Reference Letters
• 2nd identification document
• More frequent review of economic

profile

• Schedule a meeting
• More training to servicing staff
• Tax advice

20/03/17 15

www.cfa.org.cy 29

Importance of documentation

If you do not document it…. it never happened!!!

www.cfa.org.cy 30

Complex structures – Example

Orange Limited (BVI)

The Great fruit salad Trust (CY)

Apple Limited (CY) Melon Limited (BVI) Settlor Mr Fruitovich (RU) Beneficiaries Ms Frutovich & Frutovich Jr Trustee Coconut ASP - No Protector 100% 100% 100%

20/03/17 16

www.cfa.org.cy 31

Complex structures – Example

www.cfa.org.cy 32

Use of Technology

• Background screening tools – Strongly recommended!
• Google and google alerts
• Other websites – Use with care!
• Also numerous solutions emerged re. Remote KYC

complying with Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) effective since 1 July 2016.

20/03/17 17

www.cfa.org.cy 33

Key takeouts

• Compliance Professional – Super Pro
• KYC & KYE
• Identification is a statutory requirement
• Must lead to individuals with control
• Treatment of complex structures
• Documentation is a must
• Technology can help – Use wisely!

www.cfa.org.cy 34

Questions

20/03/17 18

www.cfa.org.cy 35

15 minute break

www.cfa.org.cy 36

Risk Assessment

20/03/17 19

www.cfa.org.cy 37

Is Risk Based Approach Compulsory?

• FATF – Yes (1st recommendation 2012)
• CYSEC Directive – Yes (Part IV)
• ICPAC Directive – Yes (Part 4)
• CBA Directive – Yes (Part 4)
• Cyprus AML Law – Yes (Article 58 d)
• 4th EU AML Directive – YES!
• Risk based approach is not a Rule based approach

(Tick the box)

www.cfa.org.cy 38

Risk Based Approach

20/03/17 20

www.cfa.org.cy 39

What Risk Based Approach?

• A Compliance program should be Risk Based
• Assess risks of the company and each client
• High risk : High allocation of resources on that

area

• Low risk : Low allocation of resources on that area
• Ineligible : Deterring factors to accept a client
• Flexible – Effective – Proportional
• Every time we have a significant change in the

client set up risk must be reassessed

www.cfa.org.cy 40

How to set up a risk assessment process

Board of Directors must decide the RISK APPETITE

• f the firm and communicate

it to the Compliance Officer!

20/03/17 21

www.cfa.org.cy 41

How to set up a risk assessment process

• Risk appetite is a Strategic decision and this is

reflected in policies and procedures

• A statement/client acceptance policy to be

approved by the Board of Directors

• Top management must be involved!
• The tone at the top must point the direction

www.cfa.org.cy 42

How to set up a risk assessment process

• How much risk are we facing?
• How much risk can we take?
• How much risk do we want to take?
• How much risk will we take?

20/03/17 22

www.cfa.org.cy 43

Risk Levels

• Not Acceptable
• High
• Normal
• Low

www.cfa.org.cy 44

How to set up a risk assessment process

• Establish categories/questions to be assessed
• Ideally closed questions to avoid subjectivity
• For each category/question:

– Establish what is not acceptable as client – Identify high risk elements – Identify low risk elements – Allocate a score for Low, Normal, High and Not acceptable

20/03/17 23

www.cfa.org.cy 45

Scoring of the risk assessment process

• Allocation of scores can be really tricky
• Total scoring of each client must be grouped

to classes required by your regulator

• Some elements may on their own classify the

client as high risk (e.g PEP) so must provide for that in Risk assessment process

• Some elements may be Not Acceptable

www.cfa.org.cy 46

Test the risk assessment process

• Pilot testing is a MUST
• Ensure Risk Assessment is balanced and

reflective

• Test – Tune – Test – Tune – Test - Implement
• Flexible – Effective – Proportional

20/03/17 24

www.cfa.org.cy 47

How to maintain the risk assessment process

• What is appropriate now may not be in the

future

• Dynamic environment
• Risk Assessment process must be up to date

with risks faced

• E.g Ukraine sanctions or Changes in countries
• Maintenance is crucial!

www.cfa.org.cy 48

General Risk categories

• Geographic
• Client
• Service

20/03/17 25

www.cfa.org.cy 49

Geographic risk

www.cfa.org.cy 50

General Risk categories - Geographic

• FATF – Public Statements (High risk

countries)

• Transparency International - Corruption

index

• US State Dept – International Narcotics

Control Strategy Report

• Sanctions – EU, UN & US
• EU lists coming up!

20/03/17 26

www.cfa.org.cy 51

General Risk categories - Geographic

• Lists can be used to establish a prearranged

scoring system

• Geographical info can be used to rate risks of:

– UBO Nationality – Client company jurisdiction – Operations of client company – Client company main associates – Other links of client company

www.cfa.org.cy 52

Client risk

20/03/17 27

www.cfa.org.cy 53

General Risk categories - Client

• Key characteristics of the client/company must be broken down
• Identify what is more important for you
• Turnover of client company
• Field of operations
• Method of banking
• Group structure
• Total fees
• Character of client and associates
• Regularity or duration of client relationship
• Awareness of AML & CTF rules and regulations – Regulated?
• Risk averse Vs Risk lover
• Organised
• Charities

www.cfa.org.cy 54

Services risk

20/03/17 28

www.cfa.org.cy 55

General Risk categories - Services

• Director
• Secretary
• Trustee
• Registered office
• Bank Signatory
• Escrow
• Other

www.cfa.org.cy 56

High risk/Not acceptable characteristics

• PEPS
• Casinos
• Arms dealers
• Set up that helps anonymity
• Cash-intensive businesses
• Client relationships with high risk countries
• Bearer shares
• General POAs
• Complex structures

20/03/17 29

www.cfa.org.cy 57

Low risk characteristics

• Listed entities in reputable stock exchanges
• Regulated entities in reputable jurisdictions
• Use of banks from reputable jurisdictions

www.cfa.org.cy 58

Fundamental parameters for Cyprus Fiduciary Market

• Source of wealth
• Taxation – Does the client really

know what he/she is doing?

• Face to Face meeting
• Size of Assets
• Familiarity with foreign jurisdiction
• Duration of relationship

20/03/17 30

www.cfa.org.cy 59

Pros & Cons of Risk Based Approach

• Pros

– Identification of risk – Effective utilization of resources – Better decision making

• Cons

– Costly (initial set up & maintenance) – Judgement element - if not set up correctly could give false assurance – Admin is huge for small cos

www.cfa.org.cy 60

Culture of Compliance

• Strongest control you can have to

mitigate risk

• Does not come overnight
• Senior Management MUST be

involved

• Takes time
• Patience!

20/03/17 31

www.cfa.org.cy 61

Culture of Compliance

www.cfa.org.cy 62

Key takeouts

• RBA is a statutory requirement
• Risk Appetite is decided by the Board of

Directors

• Geographic risk
• Client risk
• Service risk
• Compliance may be an expensive sport…
• Non Compliance is even more expensive!

20/03/17 32

www.cfa.org.cy 63

Questions

www.cfa.org.cy 64

15 min break

20/03/17 33

www.cfa.org.cy 65

Monitoring of transactions

www.cfa.org.cy 66

Transaction monitoring

• Type of activities to be monitored may

vary RBA

• Frequency of monitoring may vary RBA
• Transaction monitoring could be:

a) Manual b) Automated c) Hybrid

20/03/17 34

www.cfa.org.cy 67

Transaction monitoring

• Who performs the monitoring of transactions?
• If humans, they need to know as a minimum:

– What Money Laundering is – What Terrorist Financing is – Who are the sanctioned entities or individuals

in order to identify and report it

• Training is a must!
• If machines, they need to be well calibrated

www.cfa.org.cy 68

AML Issues

• Main risk of Money Laundering for ASPs is layering

stage

• Initial KYC is of fundamental importance
• Obtain as much info as possible from the start

– Avoid bothering the client again – Have a clear view of the operations of the client – Source of wealth

• Suspicion – Investigate
• Info from Associate – Investigate

20/03/17 35

www.cfa.org.cy 69

Terrorist Financing Issues

• Terrorist Financing is extremely difficult to trace
• Significant differences from ML

– Motive – Profit Vs Ideological – Trail – Cyclical Vs Linear – Money – Dirty Vs Clean & Dirty – Detection focus – Transactions Vs Relationship

• If you have a lead give it straight away
• Reasonable Judgment must be exercised

www.cfa.org.cy 70

Sanctions Issues

3 bodies of most important sanctions setters:

• 1. EU Commission – EU

http://eeas.europa.eu/cfsp/sanctions/consol- list/index_en.htm

• 2. United Nations – UN

https://www.un.org/sc/suborg/en/sanctions/un-sc- consolidated-list

• 3. Office of Foreign Assets Control (OFAC) – US

https://www.treasury.gov/resource- center/sanctions/Pages/default.aspx

20/03/17 36

www.cfa.org.cy 71

Sanctions Issues focus on EU Commission & Ukraine crisis

• Sanctions related to Ukraine crisis
• Started since 17 March 2014
• Individuals – Visa bans and Asset freezing
• SOE– On financing and re-financing (Issue of

bonds, loans and other, trading of equities and other financial products issued prior to 31 July 2015)

• Ukrainian battalions – On financing
• Renewed

www.cfa.org.cy 72

Sanctions Issues focus on UN

• Total 15
• Al Qaida, Taliban, Iran, Iraq and Kuwait,

Erithrea and Somalia, Liberia, Peoples republic of Kongo, Ivory Coast, Sudan, People Republic of North Korea, Libya, Guinea-Bissau, Lebanon, Central African Republic and Yemen.

20/03/17 37

www.cfa.org.cy 73

Sanctions Issues

• EU are not the only ones that effect us due to

Global Financial System (OFAC – $US accounts)

• Transactions must be checked regarding

sanctions

• Client may not be sanctioned but engage in

transaction with sanctioned entity

• Enormous impact thus must identify!
• If identified review in detail and document

findings

• If in doubt contact the Ministry of Finance

www.cfa.org.cy 74

Internal Investigation

20/03/17 38

www.cfa.org.cy 75

Internal Investigation

• Triggered by:

–Compliance Department –STR or SAR –Client –Associate –Regulator –FIU (MOKAS)

www.cfa.org.cy 76

Internal Investigation

• Need to:

a) Review documentation b) Discuss with relevant parties and c) Compose a dossier with ALL info

• Dossier is of fundamental importance!
• Need of retrieval of info at a later stage

100%

• Documentation must be organised
• Beware of tipping off

20/03/17 39

www.cfa.org.cy 77

Importance of documentation

If you do not document it…. it never happened!!!

www.cfa.org.cy 78

Documentation

• Internal investigation or Review of

transaction - Whatever the outcome it must be documented

• Reasons why this was not suspicious or
• Reasons why it is suspicious
• Will need to go back to your files in future
• Always beware of Tip off offence and

communicate to colleagues!

20/03/17 40

www.cfa.org.cy 79

Red flags

www.cfa.org.cy 80

Red flags - Identification

• Refusal to provide identification documents
• Provision of strange identification documents
• No evidence of source of wealth
• Address provided may be in the middle of

nowhere

• No record of past employment
• Claim of representing authorities without

evidence

• Background search revealing issues
• Sanctions

20/03/17 41

www.cfa.org.cy 81

Red flags – Client behaviour

• Acting in an abnormal manner or seems to have a hidden

agenda

• Enquiries on record keeping policy
• Enquiries on suspicious transactions reporting process
• Reluctance to proceed with a transaction following

enquiries from ASP on transaction

• Unusual gratuity gifts to employees
• PEP client contacts ASP on behalf of a close family member
• Client contact person claims to act on behalf of client and

does not present a Power of Attorney or other documentation

www.cfa.org.cy 82

Red flags – Transactions

• Payment of bills in cash
• Unexpected visit to premises with requests to

transfer assets

• General Power of Attorney
• Unusual or unexplainable transactions or financial

performance

• Conducting of business transactions with criminals

20/03/17 42

www.cfa.org.cy 83

Red flags – Economic profile variance

• Requests for transactions outside the

economic profile of the company:

Countries & areas of operations Nature of transactions Size of transactions Method of banking Size of assets Reasoning for business relationship Different contact persons Other

www.cfa.org.cy 84

Red flags – Employee activity

• Develops a very close relationship with certain

clients

• Receives frequently gifts from client of large value
• Rapid change in lifestyle without reason
• Frequently overrides internal controls or

established approval authority

• Avoids taking holidays
• Overtime for no reason
• Reluctant to discuss or share client info with team

20/03/17 43

www.cfa.org.cy 85

Key takeouts

• AML issues
• CTF issues
• Sanctions
• Internal investigations
• Documentation
• Red flags

www.cfa.org.cy 86

Useful Links

• FATF 40 recommendations: http://www.fatf-

gafi.org/media/fatf/documents/recommendations/ pdfs/FATF_Recommendations.pdf

• FATF on DNFBPs: http://www.fatf-

gafi.org/media/fatf/documents/reports/RBA%20for %20TCSPs.pdf

• EU Directive: http://eur-lex.europa.eu/legal-

content/EN/TXT/PDF/?uri=CELEX:32015L0849&fro m=EN

20/03/17 44

www.cfa.org.cy 87

Questions

www.cfa.org.cy 88 www.cfa.org.cy 88

• CYPRUS FIDUCIARY ASSOCIATION

Business Address: 115 Griva Digeni Avenue, 3101 Limassol, Cyprus P.O. Box 58159, 3731 Limassol, Cyprus Tel.: +357 25 590086 Fax: +357 25 590089 E-mail: info@cfa.org.cy Website: www.cfa.org.cy