The beginning of the year often marks a stressful period for the Money Laundering Compliance Officers (MLCO) and Obliged Entities under the relevant Prevention and Suppression of Money Laundering Activities Law (or equivalent “AML Law” of the specific jurisdiction under which the legal entity operates) as there are various regulatory requirements. Some of the duties are tight to deadlines set by the regulator and some others are preparational to set and prepare the new year for the Compliance Department of a regulated/obliged entity under the respective AML Law.
Such tasks include, but are not limited to,
- Composing and submitting (where relevant) the Annual Report of the Money Laundering Compliance Officer.
- Preparing the training program for the new year.
- Preparing the control plan and executing control tasks.
- Updating or composing the companies risk assessment regarding the risk exposure for money laundering and terrorist financing.
In this article, we want to emphasize the importance of the depicted duties and what these comprise of for a regulated entity.
All Obliged Entities (regulated entities) under the respective AML Law in their jurisdiction (e.g. Cyprus – Investment Firms (CIF), Crypto-Asset Services Providers (CASP), Alternative Investment Fund Managers (AIFM), Credit Institutions, Electronic Money Institutions, Corporate Services Provider, Law Firms etc.) must ensure, that these tasks are carried out in line with the requirements of the respective AML Law. These tasks are usually time-consuming, require collection of various data from different stakeholders and must be prepared with caution and attention to detail.
Failure to perform these regular tasks may lead to exposure for the Obliged Entity to the supervisory authority due to non-compliance with the respective AML Law. Incorporating and exercising a well-equipped Compliance Framework will avoid hefty fines for the Obliged Entity and create a Compliance Culture within the organization which details, that adherence to the AML Law and implementation thereof is of high importance. By doing so, the organization will be well prepared for inspections and annual audits as may be requested by the supervisor or the annual audit firm.
Further below, we want to highlight the importance of a few of the above-referred regular tasks and their importance.
The MLCO should report at least once per year to the Board of Directors about anti-money laundering and due diligence procedures applied and of any weaknesses and /or deficiencies identified during the year under review. Below are examples of what content should be covered in the Annual Report (non-exhaustive):
- Information for measures taken and/or procedures introduced for compliance with any amendments and/or new provisions of the respective Laws which took place during the year under review.
- Information on the inspections and reviews performed by the MLCO, reporting the material deficiencies and weaknesses identified in the policy, practices, measures, procedures and controls that the Company applies for the prevention of money laundering and terrorist financing. The report outlines the seriousness of the deficiencies and weaknesses, the risk implications and the actions taken and/or recommendations made for rectifying the situation.
- The number of internal suspicion reports submitted by employees to the MLCO possible comments/observations thereon.
- The number of suspicious activity reports submitted by the MLCO to the respective Financial Intelligence Unit, with information/details on the main reasons for suspicion and highlights of any particular trends.
- Information on the policy, measures, practices, procedures and controls applied in relation to high-risk customers as well as the number and country of origin of high-risk customers with whom a business relationship is established or an occasional transaction has been executed.
- Information on the systems and procedures applied for the on-going monitoring of customers.
- Information on the measures taken for the compliance of branches and subsidiaries of the Obliged Entity (if applicable), that operate in countries outside the European Economic Area, with the requirements in relation to customer identification, due diligence and record keeping procedures and comments/information on the level of their compliance with the said requirements.
- Information on the training courses/seminars attended by the MLCO and any other educational material received.
- Information on training/education and any educational material provided to employees during the year, reporting, the number of courses/seminars organized, their duration, the number and the position of the employees attending, the names and qualifications of the instructors, and specifying whether the courses/seminars were developed in-house or by an external organization or consultants.
- Results of the assessment of the adequacy and effectiveness of employee training.
- Information on the recommended next year’s training program.
- Information on the structure and staffing of the department of the MLCO as well as recommendations and timeframe for their implementation, for any additional staff and technical resources which may be needed for reinforcing the measures and procedures against money laundering and terrorist financing.
The Annual Report is prepared and submitted to the Board of Directors (or equivalent) latest until the end of the first quarter of each calendar year (some Obliged Entities have stricter timelines defined). Depending on the jurisdiction and the supervisory authority, the Annual Report of the MLCO must also be electronically submitted within certain deadlines to the supervisory authority (e.g. Cyprus Bar Association – end of March of each year).
Annual Training Program
The Annual Training Program must be prepared by the MLCO and shall ensure that the employees are fully aware of their legal obligations according to the respective AML Law, as well as the relevant provisions regarding the Personal Data Protection Law (depending on the respective jurisdiction the Obliged Entity operates under). The Training Program must ensure that employees are aware and familiarized with the policies and procedures of the Obliged Entity. The education and training program considers the following:
- The timing and content of the training provided to the employees of the various departments will be determined according to the needs of the Obliged Entity. The frequency of the training can vary, depending on key factors such as changes in the legislation, regulation, professional guidance (domestic and international), the Obliged Entity’s risk profile, procedures, service lines and other.
- The training program aims at educating the Obliged Entity’s employees on the latest developments in the prevention of money laundering and terrorist financing, including the practical methods and trends used for this purpose.
- The training program will have a different structure for new employees, existing employees and for different departments of the Obliged Entity according to the services that they provide. On-going training shall be given at regular intervals to ensure that the employees are reminded of their duties and responsibilities and kept informed of any new developments.
The design of the training program shall aim to create an AML Compliance Culture within the organization, avoiding tick the box approaches and always paying special attention to the risk-based approach. Different training methods can be selected but must be suitable to the specific training needs identified (e.g. webinars, in-house training, external consultants etc.).
In addition, the MLCO must receive in-depth training concerning all aspects of the respective Laws and the Directives and other relevant directives, regulations or similar, as well as recent developments on the field. The training must enable the MLCO to update internal procedures in an effective manner. In some jurisdictions, the MLCO and the Alternate MLCO must receive a set number of hours per year specialised training, relevant to their function (e.g. Cyprus – Law Firms – MLCO at least 10 hours). The attendance of the set hours per year specialised training is also mandatory for the renewal of the MLCO Certification (relevant for Cyprus – automatically renewed if at least 10 hours per year of training has taken place). The MLCO is responsible to include information in respect of his/her education and training program(s) attended during the year in his/her Annual Report.
Control Plan and Performance of Controls
The MLCO must develop a control plan in alignment with the risk-based approach and the specific services, products and transactions offered and customers served by the Obliged Entity. The control plan should include the following (non-exhaustive):
- Controls regarding the adherence to defined Customer Due Diligence policies and procedures.
- Controls regarding the adherence to defined Ongoing monitoring policies and procedures.
- Controls regarding the adherence to defined policies and procedures regarding the reporting (internal/external) of suspicious activities.
- Controls regarding the adherence of record keeping policies and procedures.
- Controls regarding the effectiveness and efficiency of transaction monitoring solutions/rules.
The control size depends on the activities and services offered as well as on the size of the Obliged Entity. It is important for all executed controls to use defined control sheets, which state the subject of control, the date of execution, the area and topic checked, the name of the person who performed the control, the scope of the control performance and lastly the outcome of the control performance.
It is each Obliged Entity’s’ obligation and responsibility to ensure that the above-mentioned task of examples are regularly performed and documented. These contribute to the development of a Compliance Culture within the Firm which is the strongest and most important safeguard the Firm has in the fight against money laundering, terrorist financing and financial crime.
Defined deadlines must be strictly adhered to.
Vasiliou Law can assist in executing the above and other required regular tasks. We are in the strong position to provide guidance and assistance with the preparation, execution and documentation of the aforementioned. In addition, we can also assist with other related services and tasks for the fulfillment of the AML/CFT requirements. These may also include one off support with analyses and processing of cases for transaction monitoring, assessment of PEP and sanction cases, suspicious activity report preparations or similar case handling.
Note: The above are selective examples and the listing is non-exhaustive. The article has been composed with a general approach to the subject. The examples are of general description. The precise requirements for each Obliged Entity may differ depending on the respective type of Obliged Entity (e.g. Credit Institution, Cyprus Investment Firms (CIF), Crypto-Asset Services Providers (CASP), Administrational Service Provider (ASP) etc.). The article refers to the general requirements regarding the specific task.