
Module 10: Customer Due Diligence (CDD) and Risk Profiling


Learning objectives

The purpose of this module is to:

- explain the nature of CDD
- outline the practical steps needed to carry out effective CDD
- discuss the value to the organisation of effective CDD
- outline the benefits of a risk-based approach to CDD
- provide a framework for the application of risk-based CDD
- explain the requirements for enhanced due diligence (EDD)
- enable the application of monitoring and CDD
- understand the meaning and importance of beneficial partnership
- understand the obligations on an organisation in respect of record keeping

What is CDD?

Customer Due Diligence (CDD) information comprises the information about a client that enables an organisation to assess the extent to which that client exposes it to a range of risks, including the risk of involvement in money laundering. CDD is often referred to as KYC (Know Your Customer) information, although the terminology has developed, as KYC was often associated with the client identification process, commonly thought of as the "passport and two utility bills" approach to CDD. CDD is a far more holistic concept than basic client identification measures, and encompasses a wider range of information and processes, which need to be gathered, verified and assessed throughout a client relationship.

More particularly, CDD information generally comprises information on the following aspects of a client relationship:

- Who is the client?
- What are the geographical locations of the client's assets and business interests?
- What is the nature of the client's business interests/occupation?
- What is the commercial rationale for the relationship between the client and the organisation (what is the client seeking to achieve)?
- What is the client's source of funds?
- What is the client's source of wealth?
- What has been the historical pattern of the client's relationship activity with the business, and has it been consistent with what was expected at the outset of the relationship?
- Is the current or proposed activity consistent with the client's profile and commercial objectives?


Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism



The value of CDD information

There are two stages to benefiting from CDD information. The first is to obtain it and use it to decide whether to acquire a prospective client; the second, which is what is usually referred to as CDD, is to use the information actively to facilitate the effective monitoring of client relationships for unusual and potentially suspicious activity.

The key to obtaining maximum value from CDD information is to use it. The mistake financial services businesses commonly make is to obtain and document CDD information, but then fail to refer to it before conducting transactions. Such mistakes can prove to be costly.

Consider the following example.

An offshore Corporate Service Provider (CSP) manages and controls a client company that its files show was set up for investment holding purposes. Three years after its incorporation, the company enters into an agency agreement for the procurement of contracts and receives large commission payments. No questions are raised by the CSP, which fails to take account of the CDD information on its own files that indicates that the company was not set up to trade. It later transpires that the agency activity was illegal, and that the commissions received were the proceeds of crime. The directors of the CSP are asked to explain why they did not regard it as unusual for an investment holding company that they were managing and controlling to begin trading. They are unable to provide an acceptable explanation.


Taking a risk-based approach to CDD

CDD information is not only valuable in assessing potential exposure to the risk of money laundering; it is essential to the assessment and avoidance of a range of additional risks, all of which (including money laundering) are interrelated.

The Financial Action Task Force (FATF) Recommendation 5 (see Course Appendix VI), the Third European Directive (Appendix III), the Basel CDD paper (Appendix V), IAIS Guidance Paper 5, and the IOSC AML Principles paper explicitly envisage that financial institutions will take a risk-based approach to AML. It is important to understand, however, that applying a risk-based approach to client identification does not remove any underlying responsibility for verifying a client's identity; it merely allows a firm to adjust the method of identity verification, simplifying it where the risk is low and strengthening it in higher-risk cases.
A risk-based approach to AML involves the following aspects:

- risk identification and assessment: identifying the money laundering (and associated legal, regulatory and reputational) risks facing the firm, given its customer, product and service profile and having regard to available information, including published typologies; assessing the potential scale of those risks and of the possible impact if they crystallise
- risk mitigation: identifying and applying measures effectively to mitigate the material risks emerging from the assessment
- risk monitoring: putting in place management information systems and keeping up to date with changes to the risk profile through changes to the business or to the threats it faces, and
- documentation: having policies and procedures that cover the above and ensure effective accountability from the board and senior management down.


The UK JMLSG Guidance Notes[89] advise that:

A risk-based approach is one that takes a number of discrete steps in assessing the most cost-effective and proportionate way to manage the money laundering and terrorist financing risks faced by the firm. These steps are:

- identify the money laundering and terrorist financing risks that are relevant to the firm
- assess the risks presented by the firm's particular:
  - delivery channels
  - geographical areas of operation
- design and implement controls to manage and mitigate these assessed risks, and
- monitor and improve the effective operation of these controls; and record appropriately what has been done and why.

Risk assessment is a continuous process: policies and procedures must be reviewed and updated to ensure they are still effective.

3.1 The benefits of a risk-based approach

A risk-based approach places the responsibility on financial institutions and their boards and senior management to identify, assess, mitigate and monitor their money laundering risks on a considered and continuing basis and to ensure that they have adequate controls in place to manage those risks. It is therefore not a soft option, but it does allow firms to be flexible on where they concentrate their efforts. A risk-based approach:

- allows managers to differentiate between their clients in a way that matches the risk in their particular business
- allows senior management to apply its own approach to the firm's procedures, systems and controls, in particular circumstances
- helps to produce a more cost-effective system, and
- ensures that attention and resources can be concentrated where there is the greatest risk.

3.2 The MLRO role in AML risk assessment

The MLRO must play a principal role in determining the institution's risk strategy and risk assessment policies and procedures. In the UK the Financial Skills Partnership (formerly known as the Financial Services Skills Council) Standards[90] state that in assessing and mitigating the money laundering risks relevant to the business, the MLRO must be able to:

- assess the probability and potential impact of different types of money laundering activities that may affect the organisation
- determine the jurisdictional scope of the regulatory and legislative environment in which the firm operates
- complete a risk assessment of the organisation that takes into account external events and threats and firm-specific risks, including staff risks
- assess the risks that are external to the organisation but that directly or indirectly affect its business or control risks
- identify any gaps in the information available about the money laundering risks faced by the organisation and locate this information
- develop a risk-mitigation programme to address issues identified by the risk assessment
- ensure that the risk-mitigation programme is proportionate to the risks posed, in terms of their potential impact and probability, and
- review the risk assessment at regular, agreed intervals and when specific events may affect the assessment.

89. 2010 Guidance paragraph 4.2.

90. The Financial Skills Partnership originally created the standards in 2006 and these were revised in 2011, see

3.3 Understanding different money laundering risks

3.3.1 Criminal risk of money laundering

It must be appreciated that the risk of money laundering applies at both an
organisational and an individual employee level.
3.3.2 Regulatory risk
This is the risk that a regulatory authority will impose a sanction, upon either an
organisation or an officer thereof, for failing to comply with the regulatory standards
applicable in a particular industry sector. A variety of different forms of sanction can be
applied, including:

the imposition of conditions upon a licence (conditions can be in a variety of

different forms, e.g. removal of a particular officer or employee, implementation
of remedial action)
withdrawal of a licence, and
removal of an individuals authorisation to operate within the financial sector.

Where the criminal risk of money laundering materialises, some form of regulatory risk
may also materialise.
3.3.3 Legal risk
This is the risk of exposure to litigation; it can occur in a variety of guises, including
action for breach of a constructive trust, or a breach of contract.
3.3.4 Reputational risk
This is the risk that the reputation of an organisation will be damaged in such a way that
it will be regarded less positively, or even damaged to such an extent that the business
is forced to close. Reputational damage always follows the materialisation of criminal or
regulatory risk.
3.3.5 Compliance risk
This can take on a variety of meanings but is often used to refer to the risk that a business
will fail to adhere to its own internal compliance procedures. The impact of such a risk
can result in both legal and regulatory liability as well as giving rise to the expense of
remediation to correct any past business failures. The concept of compliance risk will
become more significant when operating in a principles-based regime where more
generic regulation places increasing emphasis on businesses to devise internal compliance
arrangements appropriate to the nature and complexity of their own activities.
3.3.6 Concentration risk
This is a risk that generally applies in respect of both the assets and the liabilities
of banks. The risk is either that the assets of a bank will be too greatly concentrated
on certain borrowers or groups of related borrowers, or the risk that the liabilities of
the bank will be too concentrated on a small group or groups of depositors. This can
arise when criminals become the principal depositors and engage in capital flight to
avoid detection.



3.3.7 Liability risk
This risk usually results from the materialisation of legal risk and the subsequent
establishment of blame on the part of an organisation. Liability risk can also result in
reputational and regulatory risk.


3.3.8 Credit risk

This is the risk that funds obtained fraudulently will not be repaid.
3.3.9 Operational risk
This is the risk that systems and controls may be compromised owing to internal
collusion or the infiltration of the organisation by criminals.
3.3.10 Financial risk
This risk concerns the cost of defending a charge of money laundering and clearing one's name with the regulator, which can be significant both in real costs and in management resources.

3.4 The questions to be asked

The risks posed by clients differ according to the number and type of risk factors within a
relationship. The risks posed by an ordinary retail bank current account for a local resident
earning RM40,000 per annum with an obvious source of funds and regular standing
order or direct debit expenditure will not be as great as the risks of a relationship with a
non-resident PEP wishing to invest RM10 million through an offshore trust in a munitions
company based in a former Soviet satellite state. The amount of CDD information required
in the latter example, both at the outset and throughout the duration of the relationship,
will be far greater, in order for an organisation to be able to assess and monitor the risk.
In order to tailor its policies and procedures to the particular AML risks that the
institution faces, the MLRO and senior management will need to ask themselves a
number of questions.
3.4.1 What risk is posed by the firm's customers?

For example, MLROs should evaluate the risk of:

- complex business ownership structures, which can make it easier to conceal underlying beneficiaries, where there is no legitimate commercial rationale
- an individual in a public position and/or location which carries a higher exposure to the possibility of corruption (e.g. a PEP)
- customers based in, or conducting business in or through, a high-risk jurisdiction, e.g. a jurisdiction with higher levels of corruption or organised crime, or a jurisdiction known to be a drug production/distribution or trans-shipment point, or a jurisdiction that appears on sanctions lists
- customers engaged in a business which involves significant amounts of cash, and
- customers that work in high-risk industries, for example, the arms trade, pharmaceuticals, telecommunications, construction, mineral extraction or gambling, or are involved in public contracts.

3.4.2 What risk is posed by a customer's behaviour?

For example:

- when there are requests to associate undue levels of secrecy with a transaction
- situations where the origin of wealth and/or source of funds cannot be easily verified or where the audit trail has been deliberately broken and/or unnecessarily layered, and
- the unwillingness of non-personal customers to give the names of their business's real owners and controllers.



3.4.3 How does the way the customer comes to the firm affect the risk?

For example, the MLRO should evaluate the risks of:

- one-off transactions as compared with business relationships
- introduced business, depending on the effectiveness of the due diligence carried out by the introducer
- non-face-to-face acceptance, and
- companies based in jurisdictions with poor regulatory controls, high levels of corruption or jurisdictions known to have excessive secrecy or lack of transparency in respect of financial entities and transactions.

3.4.4 What risk is posed by the products/services the customer is using?

For example, the MLRO should:

- consider whether the product features can be used for money laundering or terrorist financing, or to fund other crime
- consider whether the products allow or facilitate payments to third parties
- understand that the main risk may be that inappropriate assets might be placed with, or moved from, or through, the firm, and
- consider the risk if a customer migrates from one product to another within the firm.

3.5 Assessing the effect of the countermeasures in place

An AML/CTF risk assessment is not a one-off event. Risks change, as do client activities and profiles, and the institution's products, services and method of delivery will also evolve. It is generally recommended by national and international bodies that the institution should revisit its risk assessment at least annually.

As part of its continuous review, a financial institution should have some means of assessing whether its risk-based approach and countermeasures are working effectively. The result of the review and any improvements or changes that need to be made should be included in the MLRO annual report. The matters that will need to be taken into account when assessing the effect of the strategy should include:

- whether the procedures to identify changes in client characteristics are satisfactory and whether the changes are being adequately documented
- whether the vulnerabilities of the various products and services have changed and whether new products and services have been adequately risk assessed
- the extent to which staff awareness-raising and training is resulting in a sufficient degree of understanding and competence
- the results of the compliance monitoring arrangements and action that has been taken as a result of any reports raised
- whether sufficient information is being given to senior management to enable the AML risks to be managed, and the action to be taken by senior management in response, and
- the effectiveness of the liaison with regulatory and law enforcement agencies and whether improvements can be made.

3.6 Implementing a risk-based approach

How a risk-based approach is implemented will depend on the institution's operations, structure and the answers to the questions set out in the previous section.

There are a range of client, product and delivery mechanism characteristics that, when taken together, can indicate the level of money laundering or terrorist financing risk inherent in the particular customer relationship. Each individual institution must decide, on the basis of its risk assessment, the level of identity verification, additional CDD information and frequency of monitoring that are required. The background and rationale behind all decisions and the procedures put in place to implement them will need to be clearly documented. In particular, the arrangements for higher and lower-risk clients need to be fully documented, particularly to justify the need for simplified or enhanced due diligence.


In June 2011 the Institute of International Finance (IIF) published a report entitled "Implementing Robust Risk Appetite Frameworks to Strengthen Financial Institutions". The IIF states that the objective of its report is to provide insights and practical recommendations to the different stakeholders in the design and implementation process of these frameworks. In particular, the report contains recommendations for different levels of management:

- Board directors: this includes the need for such directors to ensure that they are able to engage fully with firms' risk and risk appetites.
- Senior management: this includes the need for senior management to set the tone and lead discussion regarding risk appetite.
- The risk management function: for example, the need for risk management to provide clarity of concept, definition and support regarding risk and risk appetite within an organisation.

In addition, the IIF report's key recommendations to firms include that:

- firms should initiate a dialogue across businesses, risk, IT, and operations on how to redesign the risk IT architecture to fill gaps in functionality, especially with respect to simulations, including stress-testing
- firms should consider establishing a single point of responsibility to oversee the development of new risk applications
- firms should develop data collection capabilities that provide senior management with timely views of the whole firm's exposures to any given firm or sector, and
- firms should aim to create a common data model, including standard definitions of all risk-related data and, where appropriate, also consider the consolidation of their data into a small number of data warehouses.

The report offers practical insights and case studies on how embedding a risk appetite into the firm can be achieved.

4. CDD in Malaysia

4.1 AMLATFA provisions

In Malaysia the requirements, under section 16 of AMLATFA, specify that a reporting institution:

- Shall maintain accounts in the name of the account holder; and
- Shall not open, operate or maintain any anonymous account or any account which is in a fictitious, false or incorrect name.

A reporting institution shall:

- Verify, by reliable means, the identity, representative capacity, domicile, legal capacity, occupation or business purpose of any person, as well as other identifying information on that person, whether he be an occasional or usual client, through the use of documents such as identity card, passport, birth certificate, driver's licence and constituent document, or any other official or private document, when establishing or conducting business relations, particularly when opening new accounts or passbooks, entering into any fiduciary transaction, renting of a safe deposit box, or performing any cash transaction exceeding such amount as the competent authority may specify; and
- Include such details in a record.

A reporting institution shall take reasonable measures to obtain and record information about the identity of the person on whose behalf an account is opened or a transaction is conducted if there are any doubts that any person is not acting on his own behalf, particularly in the case of a person who is not conducting any commercial, financial or industrial operations in the foreign State where it has its headquarters or domicile. For purposes of this section "person" shall include any person who is a nominee, agent, beneficiary or principal in relation to a transaction.

4.2 Customer acceptance policies

There is an obligation on all reporting entities to develop customer acceptance policies and procedures in order to know their customer and the nature of the customer's business. To this end the reporting entity should identify and evaluate the potential risk posed by a customer. A risk profile is required, particularly, in respect of high-risk customers such as PEPs and high-net-worth individuals.

In conducting a risk-profiling exercise, the reporting organisation should take into account, as a minimum, the following factors:[91]

- the origin of the customer and the location of the business
- background and profile of the customer
- nature of the customer's business
- structure of ownership for a corporate customer
- information indicating the customer is high risk.

Reporting institutions should ensure that the CDD information that they hold on the customer is regularly reviewed and updated, especially when there are changes in the circumstances of the individual's business or employment.[92]

The general principle when conducting CDD on a customer is to ensure that there is satisfactory evidence and proper records relating to the identity and legal existence of the potential customer. The documentary support materials should be reliable and independent.

4.3 Customer due diligence procedures

Reporting institutions should conduct CDD wherever:

- a new business relationship is established
- cash or occasional transactions in excess of RM50,000 are being transacted (banking activities only)
- there is any suspicion of money laundering or terrorist financing
- the nature of the previously supplied information by the customer is questionable
- the transaction involves a new type of service or product or a new technology of delivery
- a wire transfer is used and the amount exceeds RM3,000.

In conducting CDD the minimum requirements to be undertaken include:

- identification and verification of the customer
- identification and verification of any beneficial ownership and control of a transaction
- the purpose and nature of the business relationship or transaction, and
- continuing due diligence and scrutiny.

If a customer fails to provide the necessary information or fails to cooperate with the reporting entity then this constitutes suspicious activity in itself; any new relationship should not be entered into and the lodging of an STR should be considered. Occasionally a period of grace, circa 14 days, may be given where there is genuine reason for non-production of information and the risk category of the customer is low.

91. See Malaysia Standard Guidelines on AML/CFT Sections 4 and 5

92. See Malaysia AML/CFT Sectoral Guidelines on Banking and Financial Institutions, Section 2


As a general principle, the extent of CDD required varies according to the risks
associated with the type of customer, the nature of the service or product or the type of
transaction undertaken.



The practical application of CDD

It is worth repeating the fundamental reasoning behind why CDD is performed. It is the foundation of a good AML regime that assists in the prevention and detection of criminal activity and those behind such activity. As such it is important that firms ensure they have:

- identified the customer (including beneficial owners)
- verified that identity, and
- recorded and kept up to date sufficient information (at least the reason for the relationship) and data on their customers to assist in the detection of potentially suspicious activity.

It is also expected that this will be carried out in a risk-based way in order that firms can apply resources to CDD appropriately. For example, the level of CDD and resources applied to a salaried individual working for a multinational company who wants a credit card should differ considerably from that of an SME based in a country with a reputation for high levels of corruption and poor regulation that is seeking a series of products including trade finance and large term deposits.

In some firms this may be relatively straightforward, if the customer base is small, and the product offering and geographic footprint are limited. For others it presents a considerable challenge to differentiate the risk posed by the many types of potential customer.

A key area of challenge for many firms is the interpretation of what regulations mean when they use phrases such as "understanding the nature of business" or "the purpose and reason for opening the account". The first table below looks at how firms may consider explaining to those of their staff responsible for CDD how these could be interpreted.
Table 4.1: The practical application of regulatory expectations

Regulatory expectation: Understand the nature and details of the business
Practical application: A demonstration that a firm clearly does know the customer's business activities. Generic descriptions such as "general merchandising", "general imports and exports", "real estate", etc. are not sufficient. There should be more description, as in the examples below.
- (i) Retail sale of electrical products for domestic use: washing machines, TVs, DVD players as well as kitchen and other smaller home-use appliances (toasters, hairdryers). Mr A and his two sons have been the owners of the company since 1998, with Mr A being the main person running the business and the decision-maker of the company.
- (ii) Import and export of roller skates since 2006. Main countries where the imports are sourced are China and Taiwan, and exports are mainly to European countries (>50% to Germany).

Regulatory expectation: An understanding of the business activities
Practical application: Document in detail the customer's business activities, going beyond the description above.
- Are there business divisions? If so, what are they?
- Describe any major clients of the customer.
- Describe any major suppliers to the customer.
- Describe any competitors of the customer.
- Describe the main countries or regions where the customer does business.

Regulatory expectation: The purpose and reason for opening the account or establishing the relationship
Practical application: Demonstrate understanding of the customer's need for the services and/or products to be provided, as in the examples below.
- (i) Customer needs a collection product to manage retail receipts.
- (ii) Customer needs trade finance facilities to support import-export business between China and Europe.
- (iii) Customer needs a short-term finance facility to support operations during quiet periods in the property market.
As such the products that the customer will use could be: Trade Finance (LCs, export documentary collection, etc.), Financial Markets (FX, bonds, interest rate swaps, equity derivatives, etc.), Cash Management (current account with cheque books, overdraft, etc.).

Regulatory expectation: An understanding of the anticipated volume of activity for the products used by the customer
Practical application: Demonstrate understanding of how the customer intends to use the products that will be provided. Consider providing a range of monthly activity for each product indicated. For example, Export L/Cs HK$xx, USD/Yen FX US$yy, Outgoing payments Euro zz, etc. This could be determined from available information (e.g. copies of recent financial statements).

Regulatory expectation: The source of funds
Practical application: Demonstrate understanding of the origin of funds to be used/received throughout the relationship. In practice that means the activity from which the funds are ultimately derived, e.g. the customer's business activities or sale of assets. A description such as "Business proceeds" would be fine if there is information available, for example, financial statements demonstrating a business that generates such proceeds. For other customers more description is required, for example, "proceeds from media business that generates RMx of annual sales and has a record operating income of RMy in 2011".
The next set of tables and situations provide practical examples of CDD that may be applied in most situations (excepting those already given above). These are only theoretical examples of a risk-sensitive approach to CDD. Firms should develop and design an approach dependent on the actual money laundering risk derived from an ML risk assessment, any subsequent customer risk rating methodology employed and extant regulations or internal requirements.



Table 4.2: Practical applications of guidelines on individual customers

Individual customers: information to be obtained

Standard Guidelines
- Full name
- NRIC or passport number
- Permanent and mailing address
- Date of birth

Sectoral guidelines
- Name of employer, or nature of self-employment/nature of business
- Contact telephone number (home, office, mobile)

Best practice
- Anticipated level and number of transactions
- The purpose of, and reasons for opening, the account (if not implicit in the products taken)
- Source of wealth

Practical applications

To verify the identity of the individual, documents that record the full name and either the date of birth or the residential address are the preferred method.

1. Preferred document to verify identity

A government-issued document which contains the name, a photograph and either the residential address or the date of birth. For example:
- driving licence
- NRIC for Malaysians/permanent residents
- ID card issued by the Electoral Office

2. Other methods

A government-issued document without a photograph, incorporating the full name and supported by a second document, either government-issued or issued by a judicial authority, a public sector body or authority, or another AML-regulated firm, which incorporates the customer's full name and either his residential address or his date of birth.

Examples of second document:
- instrument of a court appointment, such as appointment as liquidator, or a grant of probate
- tax demand letter or statement from government departments or local bodies
- bank or credit/debit card statement (current within the last three months) issued by a regulated financial sector firm in an equivalent jurisdiction
- utility bill (current within the last three months)

Well-known individuals (sectoral guidelines)

In certain cases the individual to be verified is well known (e.g. a well-known businessman often in the public domain), and sighting any of the documents mentioned above may not always be practical. Although all efforts should be made to obtain such documents, where this is not practical reliance may be placed on publicly available documents containing a photograph of the individual. This process carries risk, however, when the account is opened via an intermediary/third party acting on behalf of the VVIP: the third party has not met the VVIP face to face and so cannot confirm to the bank that the VVIP is the same person as in the photograph.
Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism



Practical applications (continued)

Electronic verification

In some jurisdictions electronic data sources (not pure credit bureaus) can provide the necessary verification without involving the customer. To rely on an electronic confirmation, it is necessary to achieve:
- one match on the individual's full name and current address, and
- from a secondary check, a second match on the individual's full name and either his current address or his date of birth.

Appropriate evidence, such as the relevant print-out or agency report, must be retained.

PO Boxes

PO Boxes are not generally acceptable as a residential address. In those countries where PO Boxes are commonly used, such as the Middle East, the residential address must, at the very least, be a recorded description. PO Boxes are acceptable as mailing addresses.

Table 4.3: Other less common situations for individuals

Non face-to-face account opening (where the customer is not met personally while opening the account, e.g. a request made by mail or over the Internet)

While the documents obtained and seen may be similar to those required in normal individual circumstances, it is important to try to obtain some independent corroboration. This may include having the documents certified by other banks, lawyers, accountants, diplomatic missions, Commissioners for Oaths or a Notary Public; or allowing uncertified documents provided the first payment to the account is made from an account in the customer's name with a bank in an equivalent jurisdiction.

Customers who cannot provide standard evidence (such as customers in low-income groups; those with a legal, mental or physical inability to manage their affairs; people under the care of others; dependent spouses or minors; students, refugees, migrant workers; and prisoners)

There are good reasons why such customers are unable to provide the documentation for verification, but they are, quite correctly, entitled to financial services and should not be excluded. In these cases alternative methods of verification may be used, for example:
- a letter from the relevant authorities, in the case of recipients of government benefits/financial support such as unemployment benefit or an old-age pension
- a letter from a care home manager or employer
- a letter from the prison authorities or police
- a letter from an educational institution
- a letter or statement of reference from a person of good social standing, such as a doctor, teacher, lawyer or accountant, certifying that to his knowledge the person is who he claims to be; this is the lowest level of verification that is acceptable.


Table 4.4: Practical application of guidelines for corporate customers

Corporate customers: Standard Guidelines
- Certificate of incorporation
- Identity of directors
- Authorisation for any person to represent the company/business
- Verification of the identity of the person authorised to represent the company/business in dealings with the reporting institution

Practical application

- The articles should be supplied and a copy taken (certified true copies/duly notarised copies may be accepted), or other reliable references used to verify the identity of the corporate customer.
- Certified true copies/duly notarised copies of Forms 24 and 49 as prescribed by the Companies Commission of Malaysia, or equivalent documents for foreign incorporations, may be accepted.
- Identification evidence is required for any individual shareholder who holds a majority interest, or a controlling interest of more than 25%, in the entity.
- A reporting institution should conduct a risk review of any organisation about which it has doubts, e.g. basic searches and enquiries to ensure that the organisation has not been, and is not in the process of being, dissolved or liquidated. The authenticity of information can be checked with the Companies Commission of Malaysia.
- The reporting institution should identify the beneficial owner of the corporate customer and understand its ownership and control structure, so that it can detect any unusual circumstances concerning changes to the company/business structure or ownership, or to the payment profile of its account.
- On the basis of the risk profiling conducted on the customer, reporting institutions should take reasonable measures to verify the beneficial owner of the corporate customer.
- The reporting institution is not required to obtain a copy of the Memorandum and Articles of Association or certificate of incorporation, or to identify or verify the directors and shareholders, of corporate customers in the following categories:
  - public listed companies/corporations (including foreign companies listed on exchanges recognised by Bursa Malaysia Securities Berhad) subject to regulatory disclosure
  - government-linked companies in Malaysia
  - state-owned corporations and companies in Malaysia
  - financial institutions licensed under the Islamic Banking Act 1983, the Takaful Act 1984, the Banking and Financial Institutions Act 1989 or the Insurance Act 1996, or by the Securities Commission or the Labuan Offshore Financial Services Authority, or
  - prescribed institutions under the Development Financial Institutions Act 2002 supervised by Bank Negara Malaysia.

Table 4.5: CDD requirements in relation to privately owned entities

Type of customer: Privately owned
Applies to private companies, partnerships and unincorporated businesses (not falling under any of the special categories given below).

Standard CDD requirements (information and verification)
- Record names of all directors, partners, proprietors
- Unwrapping ownership: record names of all beneficial owners identified through the unwrapping process
- Record names of shareholders owning at least 25% of the shares/capital or voting rights
- Record names of all authorised signatories
- Nature and details of the business
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer
- Whether the customer conducts business with any countries subject to sanctions

Enhanced CDD requirements
- Source of funds
- Record names of shareholders owning at least 10% of the shares/capital or voting rights
- Record names of all beneficial owners at the 10% level
- Detailed description of the business activities
- Conduct additional media searches

Practical application considerations and challenge areas
A streamlined approach could be acceptable where the customer is a majority-owned subsidiary (i.e. more than 50% ownership) of a regulated financial institution (FI) or a listed corporate (regulated market):
- obtain evidence from the annual audited report or other independent source that confirms the subsidiary status of the customer, AND
- attach a copy, where applicable, of the regulator's internet page or the FI's licence to establish the regulated status of the parent FI.

Type of customer: Privately owned Significant and Well-Established Private Entities (SWEPEs)
SWEPEs may be limited companies, sole proprietorships or partnerships. A SWEPE should have:
- a long history in their business
- substantial public information about them and their principals and controllers, with information on beneficial ownership (at the 25% level) in the public domain
- a good reputation.

Standard CDD requirements (information and verification)
- Identity of the customer entity
- Identities of all principal beneficial owners owning at least 25% of the shares/capital or voting rights
- Authority of the authorised signatory(ies) to open and operate the account
- Record names of all directors, partners, proprietors
- Record names of shareholders owning at least 25% of the shares/capital or voting rights (where a limited company)
- Record names of all beneficial owners
- Record names of all authorised signatories
- Nature and details of the business
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer

Enhanced CDD requirements
- Source of funds
- Detailed description of the business activities
- Conduct additional media searches

Practical application considerations and challenge areas
Consider further checks on the identity of one or more controlling directors (e.g. the managing director), partner or proprietor, typically the director with authority to operate the account.

Type of customer: Clubs, Societies and Charities

Standard CDD requirements (information and verification)
- Certificate of registration
- Legal status of the club/society (company, trust, etc.)
- Purpose of the club/society
- Record names of all officers
- Record names of all authorised signatories
- Purpose and reason for opening the account or establishing the relationship
- The anticipated volume of activity for the products used by the customer
- Whether the customer conducts business with any countries subject to the controls in the Group sanctions procedures

Verification enhancements
- Identity and legal status of the club/society (identity of the customer entity)
- Identity of all the officers (number of signatories) who have authority to operate an account or to give instructions concerning the use or transfer of funds or assets
- Authority of the authorised signatory(ies) to open and operate the account: verification that the person has been duly authorised by the club/society to open and operate the account

Enhanced CDD requirements
- Source of funds
- Describe how members or associates use or benefit from the club/society/charity
- Conduct additional media searches

Due diligence practical ideas
- Minutes authorising the appropriate officer(s) to open and operate the account.
- Certified copy of the constitutional documents, or equivalent, of the club/society, for identity and legal status.
- Describe how members or associates use or benefit from the club/society. For example: a professional society for lawyers or accountants, where the members' objective is to maintain their professional qualification status; or a recreational club, where members are entitled to use the recreational facilities (e.g. golf courses) available in the country as well as overseas where the club operates. Where the club operates in different countries, record all the geographic locations.
- The reporting institution should closely scrutinise the accounts of clubs, societies and charities for discrepancies.

The above tables set out a significant proportion of the types of CDD situation likely to be encountered, whatever the regulated industry in which a firm operates. The CDD requirements relate to individuals or non-individuals and, as mentioned, the above situations illustrate practical, albeit theoretical, CDD considerations in a risk-based way.




There are other types of customer that could introduce specific risks. This may be
because they are required by regulation to have enhanced due diligence conducted or
because it is not entirely clear exactly who the customer is for CDD purposes.


Consider the following examples:

Mrs A wishes to open a joint current account with her husband. She works in a call centre and her husband is an employed plumber. They are resident in the country where they are opening the account and will be depositing an initial sum of RM2,000. They expect to deposit around RM3,000 monthly from salary payments.

The above is a good example of a situation where a standard set of due diligence procedures would apply.

Mr B wants to open current and savings accounts with an initial deposit of RM50,000. He is a Philippine national, resident in Malaysia, where he is a senior diplomat.

This may well be an enhanced due diligence (EDD) scenario. It would have to be determined whether Mr B is a PEP; if so, this would automatically be an EDD situation requiring more in-depth consideration of Mr B's actual source of wealth.

6. Assessing CDD risk

6.1 Who is the customer and what is meant by the identification of
beneficial owners?
The application of CDD is required when an institution covered by the regulations enters into a business relationship with a customer or, at times, a potential customer. This includes occasional, one-off transactions, even though these may not constitute a business relationship as defined.
The general approach taken is that a customer is a party or parties with whom a business relationship is established or for whom a one-off transaction is carried out. The term business relationship applies where a professional or commercial relationship will exist and the firm expects it to have an element of duration.
The important points to focus on are that:

- even where there is no business relationship but only a one-off transaction, CDD will still be required, and
- CDD will also be required where a business relationship is established yet there are no transactions (e.g. advisory services).

6.1.1 Beneficial owners

The principle behind this requirement is that criminals will attempt to disguise and/
or hide the actual ownership of assets through the use of complex structures with
numerous entities and/or beneficial owners.
The requirement is for firms to identify who the actual beneficial owners are and, on a
risk-sensitive basis, verify the identity of such beneficial owners.
In meeting this requirement firms need to be aware of the risks behind such complex structures and probe sufficiently to satisfy themselves that those claiming to be beneficial owners are in fact the actual beneficial owners and are not acting on someone else's behalf.




A beneficial owner may be defined as:

The natural person who ultimately owns or controls a customer (whether through
direct or indirect ownership and control, including through bearer share holdings),
or the natural person on whose behalf a transaction or activity is being conducted, or
the natural person who exercises ultimate effective control over the management of a
legal entity.
There are some practical challenges to understanding the identity of the customer for
CDD purposes.

- There are circumstances where a number of parties may be involved in a business relationship or transaction (e.g. a syndicated loan) and not all of them are customers of each individual firm.
- The actual CDD requirements to be applied in the numerous customer-type situations vary.
- There can be difficulties working out exactly who the beneficial owners are within more complex organisational and entity structures.

Practical approaches to all types of CDD and examples of more complex CDD situations,
including beneficial ownership, are considered later in this module providing potential
solutions to these challenges.

6.2 FATF and beneficial ownership

6.2.1 The FATF requirements

Beneficial ownership is a major area of contention in AML/CTF globally. Although the FATF recommendation is clear as to its expectations, even FATF member countries have not found it an easy matter to cover in domestic AML/CTF regulations.
The FATF recommendation on beneficial ownership is found in Recommendation 5, which says that financial institutions should verify the identity of the customer and beneficial owner before or during the course of establishing a business relationship or conducting transactions for occasional customers. The definition of beneficial ownership used by the FATF says that beneficial ownership refers to the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.
The World Bank compiled data regarding the compliance of countries with Recommendation 5, and it makes for interesting reading. Even FATF member countries have difficulty complying with Recommendation 5, with 71% of members rated only partially compliant during the current round of mutual evaluations.
6.2.2 The World Bank's Puppet Masters Report 2011
This report argues that beneficial ownership should be understood as a material and substantive concept and not just a legal definition. The report's view is that beneficial ownership refers to de facto control over a corporate vehicle.93
The report contends that the focus should be on two factors when identifying
beneficial ownership:

The control exercised; and

The benefit derived.

Law enforcement searches for the individual who benefits from a structure when they investigate complex and opaque structures and money flows.94 A legal person cannot be a beneficial owner because it can never be an ultimate controller. An ultimate controller is always an individual.95

93. Executive Summary page 3, World Bank's Puppet Masters Report 2011.
94. World Bank's Puppet Masters Report 2011 page 18.


The essence of beneficial ownership is not ownership but control. It is important not to
confuse the concept of legal ownership with the concept of control.96
A formal approach, based on percentage thresholds of ownership, may yield useful information about ultimate ownership or control and may lead to the identification of people of interest who possess information regarding the beneficial owners. However, the percentage approach has significant limitations.
The report makes the point that beneficial ownership cannot be resolved without
knowing more about the context. Therefore simple rules or formulas whilst helpful are
not of themselves dispositive of the issue.97
The Wolfsberg Group has aligned itself to a substantive approach to beneficial
ownership rather than a formal one.98
The Report noted that many corporate vehicles are established solely to gain access
to financial institutions.99 The provision by financial institutions of services that may be
used for receiving, holding, or conveying the illicit proceeds of corruption is a critical
part of the laundering process. Hence the nexus between beneficial ownership and
legal entities and ML/TF risk is plain to see.100
6.2.3 Common practice
The Puppet Masters Report made the following findings regarding the KYC information typically present in financial institutions' files:

- Identity documentation for the legal entity: almost always present.
- A physical address for the account: almost always present.
- Documentation that provides evidence of agency to represent the legal entity: almost always present.
- Information about individuals who hold more than a certain percentage of equitable interest in the legal entity: often present.
- Information about shareholders and directors: often present.
- Records of meetings granting authority to open an account or perform a transaction: sometimes present.
- Documented compliance logs covering name checking, transaction monitoring and trend analysis: sometimes present.
- Information from independent sources to verify information captured from the customer: sometimes present.
- The identity of the beneficial owners: rarely present.

Reports on misuse of corporate vehicles

The following reports have catalogued the abuse of corporate vehicles:

- UNODC's report Financial Havens, Banking Secrecy and Money Laundering, 1998 (UNODC was then called UNODCCP).
- The European Commission's report Protecting the EU Financial System from the Exploitation of Financial Centres and Offshore Facilities by Organised Crime, published in 2000.

95. World Bank's Puppet Masters Report 2011 page 19.

96. World Bank's Puppet Masters Report 2011 page 19.
97. World Bank's Puppet Masters Report 2011 page 19.
98. See Wolfsberg Group's FAQs on ownership.
99. World Bank's Puppet Masters Report 2011 page 97.
100. World Bank's Puppet Masters Report 2011 page 97.




- The OECD report Behind the Corporate Veil: Using Corporate Entities for Illicit Purposes, 2001.
- The International Trade and Investment Organization and the Society of Trust and Estate Practitioners' report Towards a Level Playing Field: Regulating Corporate Vehicles in Cross-Border Transactions, 2002.
- The FATF's report The Misuse of Corporate Vehicles, 2006.
- The Caribbean FATF-style regional body's report Money Laundering Using Trust and Company Service Providers, 2010.

6.2.4 Bearer shares

Bearer shares are shares in companies which are in the form of certificates. Whoever is in
possession of the certificate is the owner of the shares. Most jurisdictions have reformed
their laws on bearer shares, with some moving through a phasing out stage. Today,
according to the World Banks research no bank with any sort of basic due diligence
procedures would knowingly conduct business with free-floating bearer shares.101
6.2.5 Trusts versus companies
The World Bank found in its Puppet Masters Report that trusts were used in only 5% of the 150 cases of grand corruption that it investigated. Those schemes that were found were predominantly in the USA, the Bahamas, the Cayman Islands and Jersey.102
6.2.6 Fictitious entities and unincorporated economic organisations
The World Bank conducted research as part of the Puppet Masters Report looking at
entities which have not undergone a formal incorporation process and which only have
the most tenuous separation from their controllers. The benefit of using these types of
entities lies in the fact that the authorities cannot track their existence. These entities
vary from those that once might have had a legitimate use to blatant deceit involving
fictitious companies not incorporated anywhere. Some cases involving these types of
entities also involved collusion by bankers. Some involved false or forged documents.
6.2.7 Rationale for complex ownership structures
Often other legal entities are interposed as the owners of shares in a company, or
are the beneficiaries of trusts. Reporting entities need to understand the rationale
for complex structures because the absence of a rationale that makes sense is a risk
indicator for money laundering or terrorism financing.103
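The threshold-based approach to ownership described in 6.2.2 (25% for standard CDD and 10% for enhanced CDD in Table 4.5) and the three-layer complexity test cited at footnote 103 can both be implemented as a walk over a shareholder register. The following Python is an added worked example for this module, not code from the page, the World Bank or any regulator; the registers, entity names and person names are constructed. It computes each natural person's effective (indirect) ownership by multiplying percentages along every chain and summing across chains, counts the legal entities interposed between the person and the customer, and records circular cross-holdings between shells instead of following them forever.

```python
"""Unwrap a layered ownership structure to its natural-person beneficial owners.

Added illustration for this module; not code from the page or from any regulator.
The ownership registers below are constructed for the example.
"""
from collections import defaultdict

# Constructed register: entity -> {holder: % of shares / voting rights held}.
# A name that never appears as a key owns nothing further and is treated as a
# natural person (the leaf of the structure).
SAMPLE_REGISTER = {
    "CustomerCo": {"HoldCo A": 60.0, "HoldCo B": 40.0},
    "HoldCo A": {"Ms Tan": 50.0, "HoldCo C": 50.0},
    "HoldCo B": {"Mr Lim": 100.0},
    "HoldCo C": {"Ms Tan": 30.0, "Mr Wong": 70.0},
}

# Constructed register with four interposed shells and a cross-holding loop.
DEEP_REGISTER = {
    "TargetCo": {"Shell 1": 100.0},
    "Shell 1": {"Shell 2": 90.0, "Shell 3": 10.0},
    "Shell 2": {"Shell 3": 100.0},
    "Shell 3": {"Shell 4": 100.0},
    "Shell 4": {"Mr X": 80.0, "Shell 2": 20.0},  # Shell 4 -> Shell 2 closes a loop
}


def unwrap_ownership(customer, register):
    """Return (owners, circular).

    owners maps each natural person to {"pct": effective ownership of the
    customer in %, "layers": the largest number of legal entities interposed
    on any chain to that person}. Effective ownership multiplies the
    percentages down a chain and sums across chains. circular holds
    (entity, holder) pairs where the holder already appears higher up the
    same chain; these are recorded as a risk indicator and not recursed into.
    """
    owners = defaultdict(lambda: {"pct": 0.0, "layers": 0})
    circular = set()

    def walk(entity, fraction, depth, path):
        for holder, pct in register.get(entity, {}).items():
            share = fraction * pct / 100.0
            if holder not in register:  # natural person: accumulate
                rec = owners[holder]
                rec["pct"] += share * 100.0
                rec["layers"] = max(rec["layers"], depth)
            elif holder in path:  # cross-holding: flag, do not loop
                circular.add((entity, holder))
            else:  # another legal entity: one more layer
                walk(holder, share, depth + 1, path + (holder,))

    walk(customer, 1.0, 0, (customer,))
    return dict(owners), circular


def beneficial_owners(customer, register, threshold_pct):
    """Natural persons at or above the threshold, highest effective ownership
    first. Table 4.5 uses 25% for standard CDD and 10% for enhanced CDD."""
    owners, _ = unwrap_ownership(customer, register)
    hits = [(name, round(v["pct"], 2)) for name, v in owners.items()
            if v["pct"] >= threshold_pct]
    return sorted(hits, key=lambda t: -t[1])


def complexity_flags(customer, register, max_layers=3):
    """Risk indicators from 6.2.7 and footnote 103: more than max_layers legal
    entities between a beneficial owner and the customer, or circular holdings."""
    owners, circular = unwrap_ownership(customer, register)
    deep = sorted(n for n, v in owners.items() if v["layers"] > max_layers)
    return {"too_many_layers": deep, "circular_holdings": sorted(circular)}


if __name__ == "__main__":
    print("25% threshold:", beneficial_owners("CustomerCo", SAMPLE_REGISTER, 25))
    print("10% threshold:", beneficial_owners("CustomerCo", SAMPLE_REGISTER, 10))
    print("Deep structure:", complexity_flags("TargetCo", DEEP_REGISTER))
```

On the constructed sample, Mr Wong (21% held through two shells) is invisible at the 25% standard threshold and only appears once the 10% enhanced threshold is applied, which is the limitation of the formal percentage approach that the Puppet Masters Report describes. The code also shows why thresholds alone are not dispositive: a person who controls the structure without holding shares never appears in a shareholder register at all, so the control-based questions in 6.2.8 and 6.2.9 still have to be asked.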
6.2.8 Professional nominees
If a reporting entity believes that they are dealing with a nominee director or
shareholder or other officer then attention needs to be paid to the persons behind the
nominee. This will be evidenced in trust deeds, indemnification of agent contracts and
power of attorney declarations and declarations of trust executed between the nominee
and the beneficial owner.
6.2.9 Surrogates and professional nominees
A surrogate (or front man) is a person connected to a beneficial owner whose name
attracts less attention than the beneficial owner. The beneficial owner might be a corrupt
PEP or a criminal or connected with terrorism financing. Through the use of a surrogate
who is acting on the instructions of the beneficial owner, the beneficial owner avoids
detection. The links between front men and beneficial owners may be very varied. But
the bond relies on either a high degree of trust or a strong enforcement capability.
Professional nominees are persons (individuals and legal entities) that act in a nominee capacity for a fee. They might act as directors, shareholders or other formal officers of a company. The liability of nominees is often misunderstood: a director will be liable under the laws of the country in which they perform actions and under the laws of the country in which the company is incorporated, irrespective of their nominee status. Nominees will normally have a contract which limits their authority, limits their liability and requires them to follow the instructions of the principal. This exposes the nominee to taking actions which they might not realise are illegal.

101. World Bank's Puppet Masters Report 2011 page 43.
102. World Bank's Puppet Masters Report 2011 page 44.
103. One compliance officer was cited in the Puppet Masters Report as using a three-layer complexity test as a quick and dirty rule of thumb: use of more than three layers of legal entities between the beneficial owners and the entity should trigger a stepped-up burden of proof requirement. World Bank's Puppet Masters Report 2011 page 56.


Front men cannot hide behind banking secrecy laws or legal professional privilege and
are more likely to cooperate if pursued by law enforcement.104
6.2.10 Trust and company service providers (TCSPs)
Reporting entities that deal with companies and trusts established outside Malaysia should read section 4.3, Trust and Company Service Providers, of the Puppet Masters Report. TCSPs are crucial to the formation of corporate vehicles and trusts and thus to their licit and illicit use. In addition to handling the incorporation or establishment of the vehicle, they may also handle renewal fees, provide mail-forwarding and virtual office facilities, act as registered local agents, resident secretaries and nominee service providers, and act as intermediaries and introducers to financial institutions.105 Their business models vary enormously across this spectrum of services.
Many TCSPs promote their services by promising anonymity or secrecy, qualities which are attractive to those seeking to protect their assets from creditors and former spouses as well as to those involved in money laundering, terrorism financing or the predicate crimes of money laundering.

6.3 Continuous Monitoring and CDD

While ongoing monitoring of a business relationship is a general regulatory requirement, usually seen as applying to the transactions conducted over a customer's accounts, it also relates, either by actual regulation or by expectation, to keeping the CDD data and information a firm retains on customers relevant and up to date. Again, this is accepted to be on a risk-sensitive basis.
Ensuring that customer information is relevant and up to date is also a requirement contained within data protection legislation and regulation.
There is no expectation that firms re-verify the identity of a customer unless there are doubts or new information (e.g. the identity document previously used is missing or no record of it has been retained, or there is a new executive director or partner).
This ongoing monitoring has seen the emergence in many firms of periodic customer reviews which, in a risk-sensitive environment, create their own challenges.

What should such a review cover?

When should it occur?
Should it apply across all customers?

It is clearly common sense to be able to identify when a customers behaviour would

make a firm reconsider the money laundering risk associated with the customer (e.g.
one who becomes a PEP or attracts adverse media attention in relation to a criminal
investigation for financial crime). The challenge is how, in a risk-sensitive way, this
monitoring of customer behaviour, as well as keeping customer data and information
up to date, can be made operationally effective yet efficient. This is looked at in the
section below.

104. World Bank's Puppet Masters Report 2011 page 63

105. World Bank's Puppet Masters Report 2011 page 84




CDD must be completed on any individual who ultimately owns or controls a transaction that has been entered into by a person who is not the person carrying out that transaction. Enhanced due diligence will be needed if the beneficial owner or controller is a Politically Exposed Person (PEP).

6.4 High-risk customers

Enhanced due diligence (EDD) is required for high-risk customers. More detailed
enquiries and information are required in respect of these individuals, and senior
management sign-off is advisable before embarking on a business relationship with
such an individual.
The Malaysian Standard Guidelines on AML/CTF highlight some examples of high-risk
customers. These include:

high-net-worth individuals
non-resident customers
customers from locations known for their high rates of crime (e.g. drug
producing, trafficking, smuggling)
customers from countries or jurisdictions with inadequate AML/CTF laws and
regulations as highlighted by the FATF
customers that are involved in legal arrangements that are complex (e.g.
trusts, nominees)
businesses/activities identified by the FATF as of higher money laundering and
financing of terrorism risk

6.4.1 Mandatory high-risk: Politically Exposed Persons (PEPs)

One of the most prominent risks to the financial services sector is the risk posed by public officials, their associates and family members. There have been a number of damaging high-profile money laundering scandals within the private banking sector involving PEPs, the most notorious in the UK being the General Abacha case.
The danger posed by PEPs is that a financial institution may be exposed to property that has been generated by corrupt practices. Quite apart from any criminal or civil liability that may arise, the high profile of such cases exposes any professional business or financial institution that becomes involved to enormous reputational and regulatory risk.
PEPs are generally defined as:
individuals who are or have been entrusted with prominent public functions in a foreign
country, for example Heads of State or of government, senior politicians, senior government,
judicial or military officials, senior executives of state owned corporations, important
political party officials.
The definition of PEP extends to members of an officials family, and close associates, and
to any business (incorporated or unincorporated) with which the official has a relationship.
The EU's Third Money Laundering Directive, the latest at the time of writing, assists further by defining PEPs to include:


- heads of state, heads of government, ministers and deputy or assistant ministers
- members of parliament
- members of supreme courts, of constitutional courts and of other high-level judicial bodies whose decisions are not generally subject to further appeal, except in exceptional circumstances
- members of courts of auditors and of the boards of central banks
- ambassadors, chargés d'affaires and high-ranking officers in the armed forces
- members of the administrative, management or supervisory bodies of state-owned enterprises.


Immediate family members include:

the spouse
any partner considered by national law as equivalent to the spouse
the children and their spouses or partners
the parents.

Close associates are likely to include:

any natural person who is known to have joint beneficial ownership of legal
entities and legal arrangements, or any other close business relationship with
the PEP
any legal entity or legal arrangement whose beneficial owner is the PEP alone
and which is known to have been set up for the benefit of the PEP.

One significant challenge is whether to include domestic PEPs in this definition. While
most regulators only refer to foreign PEPs many financial services groups, especially
those that operate across borders, have set aside this exclusion. The FATF encourages
countries to include domestic PEPs in their definition.
Knowing whether or not a client is a PEP is an essential element of CDD for all relationships. Many firms now employ databases to assist in the identification of PEPs. The FSA's 2011 thematic review, Banks' Management of High Money-Laundering Risk Situations, commented that firms need to consider seriously whether the use of such databases should be their sole method of identifying PEPs or whether they need additional methods to assist in this process.
For instance, a relationship manager's personal knowledge of the customer could be
viewed as a critical source of information. In addition, a PEP may be identified through
methods including:

- checking names against external databases
- Internet searches (e.g. Google), and
- newspaper/media reports.

Nonetheless, databases are merely a tool to assist in identifying potential PEPs and any
hits can only be used as a reference/guide for determining whether an individual is
actually a PEP. In addition, the absence of a match from online research is not a reason
to ignore the possibility that a person is a PEP.
Given the potentially high money laundering risk posed by PEPs, there are enhanced
due diligence (EDD) requirements. These should include an understanding of, information
on, and corroboration of:

- source of wealth (the economic activities that have generated the client's net worth)
- source of funds (the origin and means of transfer for monies that are accepted for
  the account)
- the commercial rationale for the arrangement/relationship, and
- the need to conduct enhanced continuous monitoring of the business relationship.

Additionally, PEP relationships should have senior management sign-off or approval.

While there is no requirement to do so, firms should consider involving money laundering
practitioners (e.g. the MLRO) in the on-boarding approval process for PEPs.
The Malaysian Standard Guidelines on Anti Money Laundering and Counter Financing
of Terrorism, section 5.9, recommends that all reporting institutions should create a risk
management framework to determine whether current or new customers are PEPs and
to conduct appropriate due diligence to establish this. The role of senior management
in determining whether a business relationship with a PEP should be entered into or
continued is seen as a critical issue. PEPs should be subject to enhanced and on-going
due diligence throughout any relationship.
6.4.2 Mandatory high-risk correspondent banking
Regulations in most countries require additional due diligence measures in relation to
correspondent banking relationships (see also Module 5, section 1.3.1).
Correspondent banking can be defined as:
the provision of banking-related services by one bank (the Correspondent) to another
bank (the Respondent) to enable the Respondent to provide its own customers
with cross-border products and services with which it cannot provide them itself,
typically owing to lack of an international network. In other words, a Correspondent
is effectively an intermediary for the Respondent and executes/processes/clears
payments/transactions for customers of the Respondent.
Money laundering risks in correspondent banking relationships arise because:

- the correspondent has limited information about the entire transaction, and
- the correspondent is often dependent on the due diligence processes conducted
  by its respondent bank. The correspondent does not have a direct relationship
  with the underlying clients for the transaction and therefore cannot assess whether
  the underlying transaction is consistent with the business profile of the client.

In the vast majority of cases it is appropriate to treat a relationship with another
bank as a correspondent banking relationship. It is extremely difficult to identify, and
continually monitor for changes to, circumstances where there may not be an actual
correspondent relationship but merely a principal-to-principal relationship (e.g.
capital markets or foreign exchange transactions conducted between the parties, even if
they settle through SWIFT).
The level of enhanced due diligence to apply to correspondent banking
relationships should include consideration of and, as applicable, responses from the
respondent on some or all of the following factors.

- The AML risks in the country of establishment and the country of operation of
  the customer (whichever is higher).
- The transactions that the customer will support for its customers.
- Is it a downstream correspondent clearer (i.e. a Respondent that receives
  correspondent banking services from the Correspondent and itself provides
  correspondent banking services to other financial institutions in the same
  currency as the account it maintains with its Correspondent)?
- Whether it gives its clients access to the firm's correspondent accounts.
- The businesses undertaken by the Respondent, such as:
  - private banking as sole business
  - private banking/HNW wealth management alongside other business lines
  - Internet only
  - current account and third-party payments/wires
  - trade finance.
- The Respondent's customer base:
  - retail customers, domestic
  - retail customers, international
  - corporate customers, domestic
  - corporate customers, international
  - financial institutions, domestic
  - financial institutions, international
  - MSBs/money transmission services
  - shell companies.
- The Respondent's ownership:
  - controlled by a PEP, or
  - publicly quoted on a recognised market.
- The AML regulation to which the Respondent is subject:
  - operating with an offshore banking licence
  - operating in an equivalent jurisdiction
  - parent is regulated in an equivalent jurisdiction.

In order to obtain credible responses to the above, firms should seriously consider
using an appropriate questionnaire (e.g. one based on the Wolfsberg Questionnaire for
correspondent banking). However, firms also need to ensure their processes do not
encourage a mere tick box approach, with the same answers being applied to the
questionnaires year after year.
The Malaysian Sectoral Guidelines for Banking and Financial Institutions prescribe that,
in respect of correspondent banking, the procedure below shall be followed.

- When entering such a business relationship, the reporting institution should
  capture and assess at the minimum the following information on the respondent
  institution, to determine its reputation and the quality of supervision:
  - board of directors and the management
  - business activities and products
  - applicable legislation, regulations and supervision, and
  - AML/CFT measures and controls.
- The reporting institution should establish or continue a correspondent banking
  relationship with the respondent institution only if it is satisfied with the
  assessment of the information gathered.
- The reporting institution should also document the responsibilities of the respective
  parties in relation to the correspondent banking relationship, in particular matters
  relating to customer due diligence for all products and services.
- The decision and approval to establish or continue a correspondent banking
  relationship should be made at Senior Management level.
- The reporting institution should ensure that such correspondent banking
  relationships do not include any respondent institution that has no physical
  presence and which is unaffiliated with a regulated financial group (e.g. shell banks).
- Where a correspondent banking relationship involves the maintenance of a
  payable-through account, the reporting institution should be satisfied that:
  - the respondent institution has performed all the normal obligations on
    its customers that have direct access to the accounts of the reporting
    institution, and
  - the respondent institution is able to provide relevant customer
    identification data upon request by the reporting institution.
- In addition, the reporting institution should pay special attention to
  correspondent banking relationships with respondent institutions from countries
  highlighted by internationally recognised AML/CFT bodies, such as FATF, as
  insufficiently implementing the internationally accepted AML/CFT measures,
  which would require enhanced due diligence to assess the money laundering
  and financing of terrorism risks.

6.5 Automatic low-risk situations

Most regulations now allow for a form of simplified due diligence in the lowest risk
situations. For example the UK JMLSG Guidance provides the following explanation of
simplified due diligence:
Simplified due diligence means not having to apply CDD measures. In practice, this means not
having to identify the customer, or to verify the customer's identity, or, where relevant, that of
a beneficial owner, nor having to obtain information on the purpose or intended nature of the
business relationship. It is, however, still necessary to conduct ongoing monitoring of the business
relationship. Firms must have reasonable grounds for believing that the customer, transaction or
product relating to such transaction falls within one of the categories set out in the Regulations,
and may have to demonstrate this to their supervisory authority. Clearly, for operating purposes,
the firm will nevertheless need to maintain a base of information about the customer.
Simplified due diligence may be applied to:

- certain other regulated firms in the financial sector in equivalent jurisdictions
  (those jurisdictions providing a level of regulation equivalent to EU standards)
- companies listed on a regulated or recognised market (as listed and defined under
  MiFID by the Committee of European Securities Regulators), provided it can be
  confirmed that other such exchanges comply with the European requirements
- beneficial owners of pooled accounts held by notaries or independent
  legal professionals
- UK public authorities
- community institutions
- certain life assurance and e-money products
- certain pension funds
- certain low-risk products
- child trust funds.

What this means in practice is that if the nature of business being conducted fits within
one of the above categories a firm may apply a lighter touch in terms of the extent of
CDD undertaken.
This approach may provide opportunities to reduce costs and remove paperwork from
account opening processes. For example, in respect of a simple term assurance life
insurance policy, minimal documents and information may be collected at account
opening, with greater checks in place at the claim payout stage.
Nonetheless, it is important to note that any such decision must be carefully
documented and be justifiable in the eyes of the regulators. An example of this
challenge concerns financial institutions and the apparent contradiction relating to
correspondent banking.


6.6 Assessing money laundering risk in all other circumstances


Again, most regulations require firms to assess their own money laundering risk in all
other cases and apply a risk-based approach to the level of due diligence to be applied.
This has seen many manifestations over the years of money laundering regulation,
such as the application of High, Medium and Low risk ratings by some firms, just High
and Low by others and still other firms categorising even further to High High, High
Medium, etc.
There is no right or wrong categorisation provided the approach is proportionate to the
overall money laundering risks encountered by the firm, which will depend on the type
of business it is in (e.g. insurance, money transfer, eMoney, credit provision) and the
scale of its operation (e.g. domestic, international).
The considerations above will determine the level of sophistication required for risk
assessment and whether to employ the assistance of an automated system in the process.
However a firm applies its risk-based approach, there is a regulatory expectation that
a number of factors will be considered when applying that approach to all
other customers.
6.6.1 Clients deemed to be unacceptable
A firm, in considering money laundering risks, regulations and guidance, may consider
certain types of relationship unacceptable to it. An example of one that FATF
refers to would be shell banks (defined as banks that: (i) do not conduct business at
a fixed address in a jurisdiction in which they are authorised to engage in banking
activities; (ii) do not employ one or more individuals on a full-time basis at this fixed
address; (iii) do not maintain operating records at this address; (iv) are not subject to
inspection by the banking authority that licensed them to conduct banking activities; and
(v) are unaffiliated with a regulated financial group).
Quite clearly another example would be individuals or entities that are on relevant
sanctions lists issued by countries in compliance with UN resolutions or those to which
countries have applied sanctions unilaterally (UK, US and others).
To capture such individuals and entities many firms now use name screening systems
and processes. In many situations these systems will also capture other adverse
information from media reports as well as identifying PEPs (see section 6.3 above).
It is a matter for firms how they use such intelligence in their risk-based approach to
CDD but it should seriously be considered as an ingredient in any risk assessment.
Having determined those clients that are unacceptable, along with those that will
require mandatory EDD or be allowed Simplified Due Diligence (as described in section
6.4 above) the large population remaining needs to be risk rated on the basis of a
number of factors, which may include those discussed in section 6.6.2 below.
6.6.2 Risk-rating clients

Factors on which the remaining client population may be risk rated include:

- the product offering of the firm and the product taken up by a customer
- geographic risk (e.g. whether the country is renowned for narcotics production
  and/or distribution)
- the customer type (e.g. salaried, sole proprietor, specific professions)
- whether the customer is resident or non-resident
- any adverse information gleaned from name screening
- the delivery channels offered (e.g. no face-to-face interaction)
- the various segments a customer may be aligned to in the firm (e.g. large
  multinational corporates, small to medium enterprises (SME), Private Banking)
- the type of business of a customer (e.g. cash intensive), and
- the length of time the customer's business has been in operation.

There are a number of external reference points to assist in the determination of risk in
these areas.

- Geography or jurisdiction: FATF Mutual Evaluation Reports, the Transparency
  International Corruption Perceptions Index (CPI), the CIA World Factbook, International
  Narcotics Control Strategy Reports (INCSR), official lists of High Intensity Drug
  Trafficking Areas (HIDTA) and High Intensity Financial Crime Areas (HIFCA), FinCEN
  Jurisdictions of Primary Money Laundering Concern, and countries subject to OFAC sanctions.
- Product types: FATF typologies.

This matrix of risk ingredients poses many challenges for firms in assessing the level of
money laundering risk each customer may bring to the firm not just at account opening
but also for future monitoring and the need to keep customer information up to date.
It is for firms to determine how simple or complex this risk assessment needs to be.
Some firms have automated systems with scoring weightages for ingredients such
as these listed above. Others have a more binary approach where, for example, a
customer involved in a high risk business will automatically become High Risk and
subject to Enhanced Due Diligence.
As mentioned above, whatever approach is applied should be clear and proportionate
to the overall money laundering risks.
The result of applying a risk methodology is a customer base that has been
suitably risk rated to show those customers that are Higher Risk and require enhanced
levels of due diligence, those that can be allowed a simplified level of due diligence and
the balance, those that would have a normal level of due diligence applied to them
(referred to as standard due diligence in the UK).
Let us consider a few examples of the various types of risk.

Product example: Corporate Treasury Forex Service. High or Low Risk?
The conversion and transfer of currency deposits, both for trade/commercial purposes
and as part of a speculative/trading strategy. Often large sums are involved.
The above product has third-party payments, allows additional payments, is
international in nature and often involves complex parties to the product, so it should
be considered High Risk, albeit that cash is rarely involved.

Product example: Life insurance. High or Low Risk?
Benefit paid on death of Policy Holder.
There is no early surrender value, the payments are by regular premiums with no
third-party payments allowed for longer term periods, and there are additional fraud
controls, so this product would be seen as Low Risk.


Client example: High or Low Risk?

Company A is a Hong Kong registered building group doing business in Hong Kong
and Indonesia. It was founded nine months ago by directors and shareholders Johnny
Quan and Carol Chan.
The level of risk will be determined by factors such as whether either of these
individuals is a PEP, the fact that it is a new company, the countries in which it does
business and the type of business. Even if there are no PEPs in this scenario it
could still be deemed high risk owing to the Indonesia risk (on the basis of Indonesia's
ranking on the Corruption Perceptions Index of Transparency International) and the fact
that the building sector has some reputation for corrupt practices.
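As an added example (not part of the course material), the following Python sketches the two approaches described in section 6.6.2, weighted scoring and binary overrides, and runs the Company A scenario through it; the weights, country list, sector lists and thresholds are constructed assumptions, not values from any regulator or guideline.

```python
"""Risk-rating a customer base: weighted scoring with binary overrides.

Added example, not part of the course material. Weights, country lists,
sector lists and thresholds are constructed assumptions; a firm would
derive its own from the reference points the module lists (FATF
evaluations, Transparency International CPI, INCSR, OFAC).
"""
from dataclasses import dataclass, field

HIGH_RISK_COUNTRIES = {"ID"}   # assumption standing in for a poor CPI ranking
# Sectors scored as higher risk (assumption; the module cites the building
# sector's reputation for corrupt practices and cash-intensive businesses).
HIGH_RISK_SECTORS = {"construction", "real_estate", "cash_intensive_retail"}
# Binary rules: a match forces High Risk whatever the score, the module's
# "automatically become High Risk" approach.
ALWAYS_HIGH_PRODUCTS = {"corporate_treasury_forex"}
ALWAYS_HIGH_SECTORS = {"msb", "money_transmission"}
WEIGHTS = {                    # scoring weights (assumption)
    "high_risk_country": 3,
    "new_business": 2,         # trading for less than two years
    "high_risk_sector": 2,
    "adverse_media": 2,
    "corporate": 1,
    "non_resident": 1,
    "non_face_to_face": 1,
}
HIGH_THRESHOLD = 6
MEDIUM_THRESHOLD = 3


@dataclass
class Customer:
    customer_id: str
    customer_type: str                 # "individual" or "corporate"
    countries: set = field(default_factory=set)   # incorporation and operations
    products: set = field(default_factory=set)
    sector: str = "salaried"
    years_in_operation: float = 10.0
    resident: bool = True
    face_to_face: bool = True
    pep: bool = False
    adverse_media: bool = False
    sanctions_hit: bool = False


def score_customer(c: Customer):
    """Additive score over the module's risk factors; returns (score, factors hit)."""
    hits = []
    if c.countries & HIGH_RISK_COUNTRIES:
        hits.append("high_risk_country")
    if c.years_in_operation < 2:
        hits.append("new_business")
    if c.sector in HIGH_RISK_SECTORS:
        hits.append("high_risk_sector")
    if c.adverse_media:
        hits.append("adverse_media")
    if c.customer_type == "corporate":
        hits.append("corporate")
    if not c.resident:
        hits.append("non_resident")
    if not c.face_to_face:
        hits.append("non_face_to_face")
    return sum(WEIGHTS[h] for h in hits), hits


def rate_customer(c: Customer):
    """Return (rating, reasons) so each decision is documented and justifiable.

    Unacceptable relationships and mandatory-EDD cases are settled before
    scoring, and binary overrides beat the score.
    """
    if c.sanctions_hit or c.sector == "shell_bank":
        return "UNACCEPTABLE", ["sanctions_hit" if c.sanctions_hit else "shell_bank"]
    if c.pep:
        return "HIGH", ["pep_mandatory_edd"]
    overrides = sorted((c.products & ALWAYS_HIGH_PRODUCTS) | ({c.sector} & ALWAYS_HIGH_SECTORS))
    if overrides:
        return "HIGH", ["override:" + o for o in overrides]
    score, hits = score_customer(c)
    if score >= HIGH_THRESHOLD:
        return "HIGH", hits
    if score >= MEDIUM_THRESHOLD:
        return "MEDIUM", hits
    return "LOW", hits


# The module's client example (constructed identifiers): a nine-month-old
# Hong Kong building group also doing business in Indonesia, no PEPs.
COMPANY_A = Customer("C-0001", "corporate", {"HK", "ID"}, {"current_account"},
                     sector="construction", years_in_operation=0.75)
# A resident salaried individual holding only a term life policy (constructed).
SALARIED = Customer("C-0002", "individual", {"MY"}, {"term_life_insurance"})
# A long-established domestic manufacturer using the treasury forex service (constructed).
MANUFACTURER = Customer("C-0003", "corporate", {"MY"}, {"corporate_treasury_forex"},
                        sector="manufacturing")

if __name__ == "__main__":
    for cust in (COMPANY_A, SALARIED, MANUFACTURER):
        print(cust.customer_id, *rate_customer(cust))
```

The reasons list is what an auditor or regulator would ask for: it records which factors drove each rating, so the decision can be justified later rather than reconstructed.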

6.7 Corroborating source of wealth (SoW)

In most countries that have AML legislation and regulation, the application of the law
and/or regulation extends to both the bank and all its employees, and in many situations
requires firms to establish their customers' source of wealth, although they offer little or
no practical guidance on what this may actually entail.
Results of the recent (published 2011) FSA thematic review of how banks manage
higher-risk relationships confirmed the view that generic SoW descriptions are not
acceptable: 'savings', 'profits from investments', 'inheritance', 'business dealings' or 'sale of
business' are insufficient proof that wealth is legitimate as opposed to derived from criminal activity.
Additional information must be gathered to demonstrate that adequate due diligence
has been undertaken. Further steps must be taken to gain assurance that wealth has not
been obtained from criminal activity. In a case where the source of wealth is obvious
(e.g. a monthly salary that is credited to the account), there is no further corroboration.
There could also be instances where more detailed corroboration is required, such as
from client interviews, background checks and documentary evidence, all of which are
valid approaches to corroborating the source of wealth.
In considering exactly what steps are appropriate, it is worthwhile considering how well,
with hindsight, the following questions could be answered.

- Are you convinced that the funds and wealth can be reasonably established to
  be legitimate?
- Can you independently obtain evidence of the client's source of wealth for
  higher-risk accounts and relationships?
- Are you able to establish the relationship between the client and the third party
  where accounts are funded by a third party?
- Do you continue asking, and go all the way in seeking clarity, wherever the
  circumstances are unclear or account structures are complex?

There is a wide array of sound practices to answer these questions and be satisfied that
a customer's source of wealth has been corroborated. These could include:

- in-depth interviewing
- collection of documentary information
- reference to publicly available information.

6.7.1 In-depth Interviewing

In many cases where interviews are conducted with clients, a comprehensive note of
the interview with detailed responses to the questions above would be sufficient but
in other cases it may not (e.g. a PEP from a jurisdiction with a reputation for corruption)
and more independent means of corroboration would be required.
It is again for firms to create detailed procedures, as far as is practicable, for those
situations that warrant more independent corroboration.
Other sources of independent corroboration would be documentary evidence
of wealth or reference to publicly held information.

6.8 Ongoing monitoring and the risk-based approach

Most firms have established a policy of performing a review of their customers at
various times, based on the original risk rating given to a customer (see the risk-based
approach in section 3 above). It is quite common to see examples of reviews in
one-year, three-year and five-year cycles where the review looks to ascertain:

- whether the current risk rating is correct
- whether the transactions operating over the accounts are generally in line with
  what would be expected for that customer, seeking explanations where there
  appear to be any concerns or inconsistency with those expectations, and
- whether there are any gaps in the CDD that require remediation, including changes
  to the profile that could affect the activity within the accounts.

Additionally, similar reviews would be expected at appropriate prompts or triggers such as:

- when an STR is about to be filed
- when material new information comes to light (e.g. the client is identified as a PEP)
- significant product changes by the customer (e.g. a move to high-risk products), and
- when a dormant account is re-activated (appropriate also for fraud prevention).

These processes appear totally sensible in a relationship-managed environment with
dedicated relationship managers who have regular contact with their customers
or clients. By contrast, in the mass market retail customer segment with potentially
millions of customers this is a challenging proposition.
Given a risk-based approach, firms should consider how best to meet the ongoing
monitoring requirements, particularly as they relate to keeping information and data up
to date in larger mass market retail environments. A series of steps could include:

- a continuous risk profiling mechanism (i.e. a system that considers risks
  continuously and re-rates customers accordingly)
- continuous transaction monitoring (manual or automated), and
- regular customer contact (including the use of online facilities), whether initiated
  by the customer or by the firm.

6.9 Recent emerging thoughts on CDD

In June 2011 the UK FSA produced the results of its thematic review into Banks'
Management of High Money Laundering Risk Situations (PEPs, correspondent banking
and wire transfers) and a Consultation Paper on Financial Crime. As a general finding it
is evident that the regulatory bar has been raised as regards the level of enhanced due
diligence expected in high-risk scenarios. There are clear expectations that firms should:

- identify adverse information on their customers or the customers'
  beneficial owners
- have a programme of regular and clearly recorded ongoing monitoring that
  includes updating the due diligence on file
- have a more robust approach to identifying PEPs in respondent banks and
  understanding the level of influence such PEPs may have
- carefully consider the risks of PEPs in relation to corruption and then adequately
  identify PEPs and implement appropriate Enhanced Due Diligence requirements
  (i.e. avoid too much reliance on external PEP list providers to identify PEPs without
  proper consideration of the actual risk of corruption that individuals may pose and
  thus qualify them as PEPs, e.g. wider family who may be outside the rigid definition)
- ensure that relationship managers and others responsible for recommending
  potentially high-risk customers provide balanced reports that articulate not just
  the positive revenue potential but also adverse media.

In short, there should not be a one size fits all approach to CDD in higher-risk situations.
Some of the more challenging issues here relate to PEP identification (e.g. how widely
one should look beyond the internationally understood definition) and whether firms
could or should re-visit those lists periodically and consider removing the PEP status (i.e.
once a PEP always a PEP, or not?).
Another move in regulators' expectations as regards CDD is their desire for banks to do
more extensive vetting of beneficial account owners who have minority stakes but are still
able to exert control.
Also in relation to CDD, regulators increasingly expect banks to include a proactive element
in their risk management programme for AML governance. This expectation is most acute
in the transaction monitoring context, but it is increasingly extending to CDD. Financial
institutions are now expected to implement procedures to monitor customer behaviours,
subject them to periodic testing and evaluation, and amend customer risk ratings
accordingly (i.e. a customer originally risk rated as Medium Risk should be considered for
a move to High Risk if developments warrant it, e.g. one who suddenly receives funds
from High Risk jurisdictions). One significant challenge here is the ability of firms to take
meaningful data on expected activity, record it and measure behaviour against it.
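An added example (not from the course material) that applies the review cycles and trigger events of section 6.8 and the Medium-to-High re-rating expectation just described to a constructed event stream, recording expected activity and measuring behaviour against it; the country code "XX", the thresholds, cycle lengths and events are assumptions.

```python
"""Ongoing monitoring: review cycles, trigger events and proposed re-rating.

Added example, not part of the course material. Country code "XX",
thresholds, cycle lengths and the event stream are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

HIGH_RISK_COUNTRIES = {"XX"}                  # placeholder jurisdiction code
HIGH_RISK_PRODUCTS = {"corporate_treasury_forex"}
DORMANCY_DAYS = 365                           # a year without activity = dormant
REVIEW_CYCLE_YEARS = {"HIGH": 1, "MEDIUM": 3, "LOW": 5}   # module's 1/3/5-year cycles
ESCALATE = {"LOW": "MEDIUM", "MEDIUM": "HIGH", "HIGH": "HIGH"}
# Triggers that change a risk factor and so justify proposing a re-rating;
# the others (dormancy, STR, unexpected amounts) demand a review only.
RERATE_TRIGGERS = {"funds_from_high_risk_jurisdiction", "move_to_high_risk_product"}


@dataclass
class Profile:
    customer_id: str
    rating: str                      # "LOW" | "MEDIUM" | "HIGH"
    last_review: date
    last_activity: date
    expected_monthly_credits: float  # expected activity recorded at on-boarding
    products: set = field(default_factory=set)


@dataclass
class Event:
    when: date
    kind: str        # "credit" | "pep_identified" | "product_added" | "str_pending"
    amount: float = 0.0
    country: str = ""
    product: str = ""


def periodic_review_due(p: Profile, today: date) -> bool:
    """True once the review cycle for the current rating has elapsed."""
    return today >= p.last_review + timedelta(days=365 * REVIEW_CYCLE_YEARS[p.rating])


def evaluate_event(p: Profile, ev: Event) -> list:
    """Return the trigger names raised by one event, updating the profile."""
    triggers = []
    if ev.kind == "credit":
        if (ev.when - p.last_activity).days > DORMANCY_DAYS:
            triggers.append("dormant_account_reactivated")
        if ev.country in HIGH_RISK_COUNTRIES:
            triggers.append("funds_from_high_risk_jurisdiction")
        if ev.amount > 3 * p.expected_monthly_credits:
            triggers.append("credit_exceeds_expected_activity")
        p.last_activity = ev.when
    elif ev.kind == "pep_identified":
        triggers.append("material_new_information:pep")
    elif ev.kind == "product_added":
        p.products.add(ev.product)
        if ev.product in HIGH_RISK_PRODUCTS:
            triggers.append("move_to_high_risk_product")
    elif ev.kind == "str_pending":
        triggers.append("str_about_to_be_filed")
    return triggers


def run_monitoring(p: Profile, events: list, today: date):
    """Process events in date order; return (review_items, proposed_rating).

    The proposal is for an analyst to confirm: a PEP hit means mandatory EDD
    (HIGH), a RERATE_TRIGGERS hit proposes one step up, anything else is a
    review item with the rating unchanged.
    """
    items = []
    for ev in sorted(events, key=lambda e: e.when):
        for trig in evaluate_event(p, ev):
            items.append((ev.when.isoformat(), trig))
    if periodic_review_due(p, today):
        items.append((today.isoformat(), "periodic_review_due"))
    raised = {trig for _, trig in items}
    if "material_new_information:pep" in raised:
        proposed = "HIGH"
    elif raised & RERATE_TRIGGERS:
        proposed = ESCALATE[p.rating]
    else:
        proposed = p.rating
    return items, proposed


def sample_profile() -> Profile:
    """Constructed Medium Risk customer: reviewed March 2010, quiet since April 2010."""
    return Profile("C-0002", "MEDIUM", date(2010, 3, 1), date(2010, 4, 30), 5000.0,
                   {"current_account"})


# Constructed event stream, deliberately out of order: reactivation, a large
# credit from the high-risk jurisdiction, then take-up of a high-risk product.
SAMPLE_EVENTS = [
    Event(date(2011, 7, 1), "product_added", product="corporate_treasury_forex"),
    Event(date(2011, 6, 15), "credit", amount=4800.0, country="MY"),
    Event(date(2011, 6, 20), "credit", amount=40000.0, country="XX"),
]

if __name__ == "__main__":
    review_items, proposed = run_monitoring(sample_profile(), SAMPLE_EVENTS, date(2011, 7, 15))
    print(*review_items, sep="\n")
    print("proposed rating:", proposed)
```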
The areas of ML risk related to criminality are also expanding as regulator expectations
increase so that firms are identifying, for example, possible nuclear proliferation. These
new areas pose real challenges for firms, not least in their ability to understand what
exactly they may be looking for. This will require firms to have more detailed knowledge
of various business sectors.
Much of the above would, for simplicity, have firms consider extending the list of the
types of relationship they designate as unacceptable to on-board, i.e. take out
the risk completely. At the same time, however, regulators are averse to seeing blanket
exclusions based on a single risk factor. Instead, they expect firms to have nimble risk
assessment processes.
Some argue the risk-based approach merely complicates the situation and that a
standard, prescriptive, rules-based approach to CDD would take away the potential
for differing interpretations of the level of CDD to be applied. An example given is the
difficulty of applying a risk-based approach yet at the same time needing to satisfy
sanctions legislation where the requirements are absolute.
The UK government's recent response to a review of the current AML regulations
(June 2011) was that the risk-based approach was largely welcomed and that a pure
rules-based, prescriptive approach would encourage a tick box method of CDD, under which
actual consideration of money laundering risk would decline and criminals could concentrate
on meeting these limited tests.

There are other challenges in CDD related to the customer experience, for example
having to provide ID documents to different parties in the same transaction (e.g. when buying
a house: estate agent, solicitor and bank). The ability to rely on the identification
performed by another institution has not taken hold as much as expected or as allowed in
the regulations. The perception is that this is due to a lack of confidence in firms to rely
on others (this can also happen within the same firm).
One area with significant scope for change in the near future concerns much better
clarity on beneficial ownership. What is clear is that bodies such as the FATF, the World
Bank and anti-corruption NGOs such as Global Witness and Transparency International expect
institutions to do more.
The issue in question is the need for firms to go beyond establishing legal ownership
and ascertain the true beneficial ownership. This also applies where PEPs attempt
to hide their actual control of entities. Again the expectation is for firms to dig deeper
to find potentially criminal beneficial owners and corrupt PEPs. The challenge again is
how deep and to what level?
A comparison of CDD requirements across major jurisdictions such as the US, UK, HK and
Singapore shows how the FATF desire and pressure to see a level playing field with
global standards is working. The general requirements for CDD are fairly standard, with
only minor differences relating to, for example:

- the level of percentage ownership for unwrapping (10% v 25%)
- simplified due diligence for corporates depending on the exchanges on which they
  are listed
- periodic review or refreshment of CDD (e.g. India requires new CDD
  documentation to be obtained periodically, which is more stringent than
  most jurisdictions)
- whether establishing the nature and purpose of the relationship is necessary, and
- the ability not to apply CDD for small one-off transactions.

6.10 Malaysian Standard Guidelines and Sectoral Guidelines for Banking and Financial Institutions

Both sets of guidelines emphasise the importance of CDD in the fight against money
laundering and give clear guidance on key areas that need to be addressed by the
MLRO. Both sets of guidelines are in the Course Appendices and should be studied
in depth.

7. Record-keeping
7.1 Policy Issues
A principal objective of all AML/CTF legislation around the world is the successful
prosecution of money launderers and financiers of terrorism. That can only be achieved
if reporting entities keep adequate records of what they know about customers and
what transactions they do.
Records hold the data that identifies people, customers and the transactions they do.
Records are the base data which supplies information for transaction monitoring and
reporting purposes.
Records are used to assist investigations into alleged money laundering or terrorism
financing prior to filing suspicious matter reports and also by law enforcement.
Records are used as critical evidence in criminal prosecutions of money launderers and
terrorist financiers.

An AML/CTF regime could not be effective without a requirement that records are
made, retained, and are retrievable and searchable.


Separately, a reporting entity needs to keep records of its AML/CTF actions in order
to demonstrate to regulators that it has complied with its obligations. Otherwise a
reporting entity cannot prove the level and quality of its compliance.
Record-making and keeping is critical to the management of an AML/CTF regime.

7.2 The record-keeping environment of reporting entities

Few reporting entities have strong control of their record-keeping functions. Customers can
communicate with reporting entities in many ways: email, telephone, mail, face to face,
chat, internet forms, application forms and even social media such as Twitter and Facebook.
Any communication that a customer has with a reporting entity may be relevant to AML/
CTF. It is certainly always relevant to what a reporting entity knows about that customer.
Keeping all of this data under control and in retrievable formats is an impossible task.
There is no option to take a risk-based approach to record-keeping. If the AML/CTF legislation
says that a record must be kept, it must be kept for all of the instances that it occurs.
Record-keeping is a broad topic extending well beyond retention of records.
Record-keeping directly impacts on the quality of an AML/CTF Program since it is
the place where all of the information and data that a reporting entity has about a
customer resides.

7.3 Overlap with FATCA

The pending FATCA requirements include the obligation to perform paper searches for
indicia of connections with the U.S.A. This will challenge the record-keeping processes
of many reporting entities.

7.4 Records contain ML/TF risks

The information that a reporting entity will be regarded as knowing, because it is stored
in its records, represents ML/TF risk, sanctions risk and FATCA risk. For example, an
IP address or a sending facsimile number may tell a reporting entity where a person was
physically located when providing a transaction instruction, which in turn raises
country ML/TF risk, sanctions risk and FATCA risk.
Records are therefore both helpers and problem areas. The challenge a reporting entity faces
is to define the universe of information types and their possible relevance to these risks.

7.5 Retention and retrieval processes

It is easy with record-keeping to think of paper records being stored as paper or as
scanned documents. In fact most reporting entities retain records in many different
ways, including as electronic records within business systems. This discussion treats
record-keeping as including the many ways to store electronic data as well as hard copy
and scanned copy information.
Rapid retrievability may be needed because:

The regulator wants reporting entities to confirm that they do or do not have a relationship with a certain person (most likely in a terrorism financing event or investigation).
Law enforcement is seeking information about persons whom it is investigating or whose assets it is seeking to confiscate or restrain.
The regulator is conducting an on-site review and seeking access to records as part of that visit.

Advanced Certification in Anti Money Laundering and Counter Financing of Terrorism


7.6 Record-keeping - Malaysia

There is a statutory obligation upon reporting institutions under AMLATFA to keep records
detailing information on transactions for a minimum period of six years (sections 13-18).
This applies, in particular, to all relevant records obtained during due diligence procedures.
Where the records are subject to ongoing investigations or court prosecutions, they shall
be retained beyond the six-year period until such records are no longer relevant to the
issue (Malaysia Standard Guidelines on AML/CTF, Section 6).

7.7 Elements of good record-keeping

7.7.1 Scope
Many reporting entities fail to define what information must be kept and what may be
discarded. This results in everything being kept, but not necessarily kept in a way which
is retrievable when required. The paper search requirement of FATCA will add further
stress to such an approach.
It is essential to define what records must be kept and what may be discarded. This
allows for an orderly destruction of records and information which is not required to
meet legal and regulatory obligations. Reporting entities should then follow through
with regular records destruction processes in accordance with their policies. Approval
from internal or external lawyers should be sought on record-keeping policies to protect
against risks of improper record destruction.
7.7.2 Understand the rationale for the collection of data
Reporting entities collect the data elements about persons, customers and transactions
for a variety of purposes, including business, marketing, regulatory and compliance
purposes. When deciding what data elements are being collected for AML/CTF purposes
(which give rise to record-keeping obligations) the hierarchy of selection should be:

Is this data element required for business reasons?
If no, is this data element required for any regulatory or compliance purposes other than AML/CTF?
If no, is this data element required for AML/CTF?
If the answer is no to each question then the data element should not be created or collected.

If the answer is yes to the first two questions as well as yes for AML/CTF purposes,
then the record-keeping requirements for all those purposes must be understood and
complied with.
7.7.3 All information held has meaning for AML/CTF
All information held by a reporting entity about a customer, their transactions, and
about persons associated with the customer is information that must be understood for
AML/CTF purposes. It might be irrelevant or it might be relevant, it might be of marginal
significance or highly significant.
Controls are therefore essential around what information is captured and how it is
understood and managed.
Even if information is gathered for business purposes and has no immediate nexus to an
AML/CTF procedure, it must still be understood and analysed for its relevance to the
identification of ML/TF risk, or otherwise neutralised. It ought not to be ignored.
A starting point when designing ML/TF risk assessments and controls is for the reporting
entity to understand what information it actually holds about its customers. That information
will show either the presence or the absence of risk indicators and red flags.

7.7.4 Single or composite views of customer and ML/TF risks
In an ideal world a reporting entity will be able to see all of the information it holds
about a customer. In that same ideal world it will be able to see all of the information
it holds that relates to an ML/TF risk or to an ML/TF risk indicator or red flag. Few if any
reporting entities have this kind of data storage or record-keeping in place.


Instead there are many repositories for data and information and it is also kept in many
different formats which may not be amenable to merger.
The objective of the single or composite view is to consolidate customer data in such
a way that the reporting entity and its systems have a complete understanding of the
customer, its relationships, its transactions, and any related transaction. Pursuit of this
objective is driven by cost, competing projects and the business and regulatory benefits.
For some reporting entities the first step towards a single view of a customer is to move
from separate account identifiers to also have unique identifiers for each customer.
Where a reporting entity cannot uniquely identify each customer and natural person
it needs to consider mapping techniques so that different identifiers used by different
systems for the same customer or natural person can find each other. Otherwise the
reporting entity cannot see the full relationship it has with the customer.
7.7.5 Duplicates and close matches
Closely aligned with a single customer view capability is the ability to routinely
monitor for duplicate customer names and close matches, as well as for customers
sharing contact details such as an address or telephone number. These could be red
flags of false identity, where one person is running a number of identities with the same
reporting entity.
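The identifier mapping of 7.7.4 and the duplicate and close-match monitoring of 7.7.5, as an added worked example. This is not code from the course or from any reporting entity: the customer records are constructed, the +60 country-code handling, the 0.8 name-similarity threshold and the rule that a shared date of birth plus telephone number denotes one natural person are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample records. The same natural person appears under different
# identifiers in three business systems (7.7.4); two unrelated customers share
# an address (7.7.5). None of these people, numbers or addresses are real.
CUSTOMER_RECORDS = [
    {"system": "deposits", "id": "D-1001", "name": "Ahmad bin Ismail",
     "dob": "1980-03-14", "phone": "+60 12-345 6789",
     "address": "12 Jalan Ampang, Kuala Lumpur"},
    {"system": "cards", "id": "C-77", "name": "AHMAD B. ISMAIL",
     "dob": "1980-03-14", "phone": "0123456789",
     "address": "12, Jalan Ampang, KL"},
    {"system": "deposits", "id": "D-1002", "name": "Lee Mei Ling",
     "dob": "1975-11-02", "phone": "+60 3-2222 1111",
     "address": "5 Lorong Bukit, Penang"},
    {"system": "loans", "id": "L-9", "name": "Ahmed Ismail",
     "dob": "1980-03-14", "phone": "+60 12 345 6789",
     "address": "88 Persiaran Raja, Ipoh"},
    {"system": "deposits", "id": "D-1003", "name": "Tan Wei",
     "dob": "1990-07-21", "phone": "+60 16-000 0000",
     "address": "5 Lorong Bukit, Penang"},
]


def normalise_name(name):
    """Lower-case, drop punctuation and collapse spaces so that
    'AHMAD B. ISMAIL' and 'Ahmad bin Ismail' are compared on content."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def normalise_phone(phone):
    """Digits only, with the Malaysian country code (assumed +60) or a
    leading trunk zero removed, so local and international forms match."""
    digits = re.sub(r"\D", "", phone)
    return digits[2:] if digits.startswith("60") else digits.lstrip("0")


def normalise_address(address):
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", address.lower()).split())


def name_similarity(a, b):
    """0.0-1.0 similarity of two normalised names (difflib ratio)."""
    return SequenceMatcher(None, normalise_name(a), normalise_name(b)).ratio()


def composite_key(record):
    """Assumed mapping rule for the single customer view: records with the same
    date of birth and the same normalised telephone number are one person."""
    return (record["dob"], normalise_phone(record["phone"]))


def build_composite_view(records):
    """Map each system's own identifier onto a single customer key (7.7.4)."""
    view = defaultdict(list)
    for rec in records:
        view[composite_key(rec)].append((rec["system"], rec["id"]))
    return dict(view)


def find_close_matches(records, threshold=0.8):
    """Flag record pairs with similar names or shared contact details (7.7.5).
    Returns (id_a, id_b, reasons) tuples for analyst review, not for auto-merge."""
    flags = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            reasons = []
            score = name_similarity(a["name"], b["name"])
            if score >= threshold:
                reasons.append("name similarity %.2f" % score)
            if normalise_phone(a["phone"]) == normalise_phone(b["phone"]):
                reasons.append("shared telephone")
            if normalise_address(a["address"]) == normalise_address(b["address"]):
                reasons.append("shared address")
            if reasons:
                flags.append((a["id"], b["id"], "; ".join(reasons)))
    return flags


if __name__ == "__main__":
    for key, ids in build_composite_view(CUSTOMER_RECORDS).items():
        print(key, "->", ids)
    for flag in find_close_matches(CUSTOMER_RECORDS):
        print("REVIEW:", flag)
```

Flags are produced for review rather than acted on automatically: a shared telephone number is evidence worth an analyst's attention, not proof of a false identity. Matching on normalised contact details is what makes the check useful, since a spelling variant such as "Ahmed Ismail" may fall below any reasonable name-similarity threshold while still sharing the same telephone number.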
7.7.6 Changes to customer information
The obligation to keep the original information gathered during a customer acceptance
procedure is not changed if a customer changes an element of information captured
during that procedure. For example, a customer may change its registered office
address. The reporting entity is still required to keep the original address within its
record-keeping processes for the required period.
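An append-only customer record that preserves the original value after a change (7.7.6), together with the six-year minimum retention and the indefinite hold for records under investigation or prosecution described in 7.6, as an added example. It is not code from the course or from any reporting entity; the customer identifier, addresses, dates and source labels are constructed, and the anchor date from which retention runs is left as a parameter because this section only fixes it for transaction records.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

RETENTION_YEARS = 6  # statutory minimum quoted in 7.6 (AMLATFA)


@dataclass(frozen=True)
class FieldVersion:
    field_name: str
    value: str
    captured_on: str   # ISO date; sorts chronologically as text
    source: str        # e.g. "onboarding", "customer update" (constructed labels)


@dataclass
class CustomerRecord:
    customer_id: str
    versions: List[FieldVersion] = field(default_factory=list)

    def record(self, field_name, value, captured_on, source):
        """Append a new version; earlier values are never overwritten (7.7.6)."""
        self.versions.append(FieldVersion(field_name, value, captured_on, source))

    def _versions_of(self, field_name):
        return sorted((v for v in self.versions if v.field_name == field_name),
                      key=lambda v: v.captured_on)

    def current(self, field_name) -> Optional[str]:
        hits = self._versions_of(field_name)
        return hits[-1].value if hits else None

    def original(self, field_name) -> Optional[str]:
        """The value captured at customer acceptance, still retrievable."""
        hits = self._versions_of(field_name)
        return hits[0].value if hits else None

    def history(self, field_name) -> List[str]:
        return [v.value for v in self._versions_of(field_name)]


def retention_end(anchor_iso: str, under_investigation: bool) -> Optional[str]:
    """Earliest destruction date: RETENTION_YEARS after the anchor date, or None
    (indefinite) while an investigation or prosecution is ongoing (7.6).
    For transaction records the anchor is the transaction date (7.7.9); what
    anchors a CDD record is not fixed in this section, so the caller supplies it."""
    if under_investigation:
        return None
    anchor = date.fromisoformat(anchor_iso)
    try:
        end = anchor.replace(year=anchor.year + RETENTION_YEARS)
    except ValueError:               # 29 February with no counterpart
        end = anchor.replace(year=anchor.year + RETENTION_YEARS, day=28)
    return end.isoformat()


def may_destroy(anchor_iso: str, today_iso: str, under_investigation: bool) -> bool:
    """True only when the retention period has run and no hold applies."""
    end = retention_end(anchor_iso, under_investigation)
    return end is not None and today_iso >= end


def address_change_example():
    """Worked case from 7.7.6: a company moves its registered office."""
    rec = CustomerRecord("CUST-001")  # constructed identifier
    rec.record("registered_office", "1 Old Street", "2018-02-01", "onboarding")
    rec.record("registered_office", "9 New Avenue", "2021-06-15", "customer update")
    return rec


if __name__ == "__main__":
    rec = address_change_example()
    print("current:", rec.current("registered_office"))
    print("original:", rec.original("registered_office"))
    print("destroy after:", retention_end("2018-02-01", under_investigation=False))
```

The design choice is that a change of address is a new version, never an update in place, so the acceptance-time value stays retrievable for the whole retention period; the destruction check is deliberately separate from the data so that an investigation hold can be applied without touching the record itself.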
7.7.7 Customer type
An ML/TF risk assessment may treat some customer types as higher ML/TF risk than
others, for example, private companies, trusts, foundations and unincorporated
structures. It follows that in an ideal world, a reporting entity would be able to see the
customer type of its customers. Few reporting entities can achieve this. Some may
partially achieve it through searches for key words in customer names, but this is only as
precise as the naming conventions used for customer names.
7.7.8 Record-keeping and list scanning
Record-keeping issues arise with list scanning:

What lists were scanned on any one day or by any one scan?
What results were provided by the scanning?
What records were kept of alert management during scanning?

If a reporting entity does not keep or have access to the lists as scanned on any one
day or in any scan then there is no evidence to support the results in the event of
subsequent regulatory enquiry.
If the scanning results are not kept to support the final scanning result then the
reporting entity does not have the evidence to prove the basis for the results of the scan.

If alerts are managed without recording the reasons for decisions then the reporting
entity cannot prove why an alert was handled the way that it was.
Lists change frequently. Best practice record-keeping would be to keep the old versions
of the lists. Where a reporting entity performs list scanning through a vendor, these
matters may become service levels or business functions that must be met by the
successful vendor.
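The three evidential gaps named in 7.7.8 (which list version was scanned, what the scan returned, and why each alert was disposed of as it was), as an added example of a scan record that closes them. This is not course code or any vendor's product: the customers and list entries are invented names, the exact-name matching is a deliberate simplification of real screening, and the content hash is one way, not the only way, of tying results to a retained list version.

```python
import hashlib
import json
from datetime import datetime, timezone


def list_fingerprint(entries):
    """SHA-256 of the list version as scanned. Kept next to the retained copy of
    the entries, it lets a later reviewer prove which list produced the results."""
    canonical = json.dumps(sorted(entries), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def normalise(name):
    return " ".join(name.lower().split())


def scan(customers, list_name, entries):
    """Exact-name scan (deliberately simplified; production screening is fuzzy).
    Returns an evidence record: list snapshot, hash, results and an alert log."""
    norm_entries = {normalise(e) for e in entries}
    hits = [c for c in customers if normalise(c["name"]) in norm_entries]
    return {
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "list_name": list_name,
        "list_sha256": list_fingerprint(entries),
        "list_snapshot": list(entries),       # the list exactly as scanned
        "customers_scanned": len(customers),
        "hits": [{"customer_id": c["id"], "matched_name": c["name"]} for c in hits],
        "alerts": [],                         # dispositions added by record_decision
    }


def record_decision(evidence, customer_id, outcome, reason, analyst):
    """Each alert disposition records who decided, what and why (7.7.8, 7.7.14)."""
    if outcome not in ("true match", "false positive"):
        raise ValueError("outcome must be 'true match' or 'false positive'")
    if not reason.strip():
        raise ValueError("a reason must be recorded for every alert decision")
    evidence["alerts"].append({
        "customer_id": customer_id, "outcome": outcome, "reason": reason,
        "analyst": analyst, "decided_at": datetime.now(timezone.utc).isoformat(),
    })


def verify_evidence(evidence):
    """Re-check a retained record: the snapshot must still hash to the stored
    value and every hit must carry a decision. Returns the list of problems."""
    problems = []
    if list_fingerprint(evidence["list_snapshot"]) != evidence["list_sha256"]:
        problems.append("list snapshot does not match stored hash")
    decided = {a["customer_id"] for a in evidence["alerts"]}
    for hit in evidence["hits"]:
        if hit["customer_id"] not in decided:
            problems.append("no decision recorded for %s" % hit["customer_id"])
    return problems


# Constructed sample data; the list entries are invented names, not a real list.
CUSTOMERS = [
    {"id": "C-1", "name": "Jane Example"},
    {"id": "C-2", "name": "John Sample"},
    {"id": "C-3", "name": "Ali Placeholder"},
]
LIST_V1 = ["John Sample", "Some Other Person"]
LIST_V2 = ["John Sample", "Some Other Person", "Ali Placeholder"]  # next day's version


if __name__ == "__main__":
    evidence = scan(CUSTOMERS, "constructed-list", LIST_V1)
    print("open problems:", verify_evidence(evidence))
    record_decision(evidence, "C-2", "false positive",
                    "Different date of birth and nationality from listed person", "analyst-1")
    print("after disposition:", verify_evidence(evidence))
```

Because the two list versions hash differently, a scan run against yesterday's list cannot be mistaken for one run against today's, which is the point the text makes about keeping old versions. Where scanning is outsourced, the fields in the evidence record are a reasonable starting list of what the vendor contract should oblige the vendor to retain and hand over.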
7.7.9 Customer authentication
The processes by which customers authenticate themselves may be embedded in
transaction records which means they will also be kept as part of the transaction record
for six years from the date of the transaction. Authentication records may contain
information which is about physical location at the time of a transaction instruction (for
example an IP address, or a sending facsimile number) which is information a reporting
entity may need to manage for AML/CTF and sanctions and FATCA purposes.
7.7.10 Retrieval capability
Retrieval approaches will differ by record type. Customer identification procedures at
a minimum need to be retrievable by customer name and ideally by customer type.
Transactions at a minimum need to be retrievable by customer name and account.
7.7.11 Aggregation capability
The board of a reporting entity and senior management have an oversight responsibility
regarding the AML/CTF function. A record-keeping consideration is what data can be
extracted and aggregated to provide management information reporting. Examples of
aggregated data could include:

Percentage of customer identification procedures completed correctly in the reporting period.
Number of high ML/TF risk customers accepted during the reporting period.
Number of positive alerts (after investigation) from list scanning.
Number of suspicious matter reports filed during the reporting period.
Number of enhanced customer due diligence procedures completed during the reporting period.

Each of the above examples calls for planning in the record-keeping procedure phase of
AML/CTF Program implementation and management.
This kind of reporting can be used to assess whether or not key staff with AML/CTF
responsibilities have met their compliance gateways or obligations.
7.7.12 Staff access rights
Certain data generated within the AML/CTF Program should be protected by restricted
access (whether electronic or physical) such as:

Case investigations.
Suspicious matter reports.
Meeting minutes of customer acceptance and exit committees.
Due diligence reports commissioned from third parties.
Parameters used for the monitoring of employees.
Sensitive parameters, such as those used to search for structuring behaviour.
A customer's ML/TF risk rating (this might not be relevant to all businesses).

7.7.13 Privacy access rights

Where a customer or associated person who is an individual seeks access to information
held about them under privacy laws, care needs to be taken regarding the release of
certain documents in order to avoid tipping-off offences. All case investigation records
and suspicious matter reports should be withheld. An enhanced customer due diligence
record could not necessarily be withheld, but may need to be redacted to exclude references to
suspicion and the filing of any suspicious matter report.
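The release rule of 7.7.13, together with the access restriction on case and SMR material from 7.7.12, as an added example of a subject-access preparation step. This is not code from the course or from any reporting entity: the record-type names, the list of suspicion phrases and the sample records are constructed assumptions, and the redacted output is a draft for the MLRO to review before anything leaves the entity, since keyword matching cannot recognise every way a report may allude to suspicion.

```python
import re

# Record types the section says must be withheld from a subject access release.
WITHHELD_TYPES = {"case_investigation", "suspicious_matter_report"}
# Record types that may be released only after redaction.
REDACT_TYPES = {"enhanced_due_diligence"}
# Assumed phrases that signal suspicion or an SMR filing; a reviewer would tune these.
SUSPICION_PHRASES = [
    r"\bsuspicious matter report\b", r"\bSMR\b", r"\bsuspicion\b",
    r"\bsuspicious\b", r"\bsuspect(?:ed|s)?\b",
]
SUSPICION_PATTERN = re.compile("|".join(SUSPICION_PHRASES), re.IGNORECASE)


def redact_sentences(text):
    """Drop every sentence that refers to suspicion or an SMR filing.
    Returns (remaining text, number of sentences removed)."""
    sentences = re.split(r"(?<=[.!?])\s+", text.strip())
    kept = [s for s in sentences if not SUSPICION_PATTERN.search(s)]
    return " ".join(kept), len(sentences) - len(kept)


def prepare_release(records):
    """Split the records held about a person into a releasable set (EDD text
    redacted) and a decision log; withheld items appear only in the log."""
    release, log = [], []
    for rec in records:
        if rec["type"] in WITHHELD_TYPES:
            log.append((rec["id"], "withheld", "tipping-off risk"))
        elif rec["type"] in REDACT_TYPES:
            text, removed = redact_sentences(rec["content"])
            release.append({"id": rec["id"], "type": rec["type"], "content": text})
            log.append((rec["id"], "released_redacted", "%d sentence(s) removed" % removed))
        else:
            release.append(dict(rec))
            log.append((rec["id"], "released", ""))
    return release, log


# Constructed sample records for one individual; none of this is real case data.
SAMPLE_RECORDS = [
    {"id": "R1", "type": "customer_identification",
     "content": "Passport verified on 3 March 2019."},
    {"id": "R2", "type": "enhanced_due_diligence",
     "content": ("Source of wealth stated as family business. Supporting accounts "
                 "were provided. Activity was considered suspicious and a suspicious "
                 "matter report was filed. Relationship retained pending review.")},
    {"id": "R3", "type": "suspicious_matter_report", "content": "[constructed SMR text]"},
    {"id": "R4", "type": "case_investigation", "content": "[constructed case notes]"},
]


if __name__ == "__main__":
    release, log = prepare_release(SAMPLE_RECORDS)
    for rec in release:
        print(rec["id"], rec["type"], "->", rec["content"])
    for entry in log:
        print("LOG:", entry)
```

The decision log is kept alongside the release because the release itself is a decision of the kind 7.7.14 says must be recorded with reasons: if the disclosure is later questioned, the entity can show what was withheld, what was redacted and on what basis.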


7.7.14 Decisions
A reporting entity will make many decisions in the operation of its AML/CTF Program.
Examples of decisions are:

Acceptance (or rejection) of a new high ML/TF risk customer.
Exiting a customer which is exhibiting excessive ML/TF risk.
Analysis of information during enhanced customer due diligence.
Changing an ML/TF risk rating for a customer or a product or a channel.
Deciding that an unusual matter is or is not suspicious.

Decisions made should be recorded with sufficient detail so that the reasons for making
the decisions are documented and available if the decision is reviewed in retrospect.
Recording decisions should be done in language which a reporting entity is prepared to
see published in a public forum and/or to defend in a regulatory or judicial proceeding.
7.7.15 Best practice for record-keeping procedures
The following elements are best practice for record-keeping procedures:

The procedure is documented and freely available.
Staff are trained in the procedure.
The procedure clearly defines what must be kept and what does not need to be kept.
The procedure describes the action that staff should take in respect of records which do need to be kept.
The procedure describes the action that staff should take in respect of records which do not need to be kept.
Staff are given personal accountability for compliance with the record-keeping procedures.
New products and processes include consideration of the AML/CTF record-keeping requirements.
Record-keeping requirements are included in the outsourcing agreements with external parties.
Compliance with record-keeping is sampled regularly and spontaneously.



Assess the adequacy of the risk profiling procedures within your organisation. How could they be improved?
Assess the CDD procedures in your organisation. What use is made of KYC information throughout the duration of each client relationship?
Draft a memorandum to senior management explaining the types of risk faced by your business and what can be done to reduce them.
Consider how the value of KYC and the reasons for it are communicated to employees within your organisation. Is there a danger that it suffers from the CDD image problem? If so, how can this be overcome?
Consider what measures your organisation takes to ascertain whether a client is a PEP.
Write a short paper for senior management explaining PEP risk and how your organisation can protect against it.
Evaluate how criminals seek to hide the proceeds of crime in complex financial structures where beneficial ownership is difficult to trace.
Write a short paper summarising how your organisation records and keeps its customer information. Identify any shortcomings in the system.
Read the World Bank Puppet Masters report, 2011.

Self-assessment questions


What are the essential elements of CDD?
What is the relationship between CDD and risk?
Identify five types of risk faced by banks.
Identify five factors that determine the extent to which a particular client relationship exposes a financial services business to risk.
Describe what is meant by PEP risk.
What is meant by Enhanced Due Diligence; when is it used?
What measures would you normally take to corroborate a client's source of wealth?
What specific risks are posed by a correspondent banking relationship?
Give a definition of beneficial ownership.
Why are the FATF concerned about beneficial ownership issues?
What is the statutory requirement in Malaysia on the length of time customer records need to be kept?


Module outcomes
By the end of this unit you should:


understand the importance of CDD/KYC information to the protection of an organisation from risk
appreciate the importance of CDD/KYC information in assessing and managing risks and the MLRO's role in the processes
understand the value of risk-profiling clients and the benefits of a risk-based approach
appreciate the different types of factor that can increase the risk profile of a client
be able to recognise a PEP, and know how to reduce the risks associated with PEPs
be able to establish a regime for monitoring client activity and formulate policy to maintain and develop this
understand the benefits of, and how to conduct, a risk-based approach to CDD
understand how criminals hide the proceeds of crime using complex financial structures
understand the regulatory requirements applicable to a reporting entity in respect of record-keeping