Building a Robust Anti-Financial Crime Compliance Program

RapidAML Team

2024-06-18

Financial crime is a growing concern across the globe due to its ill effects on the economy and society. The widespread use of technology has made it easy for criminals to conduct crimes and rapidly transfer ill-gotten money from one jurisdiction to another. The Designated Non-Financial Businesses and Professions (DNFBPs) and Virtual Assets Services Providers (VASPs) have understood the need to fight this menace, and they have carved out the Anti-Financial Crime Compliance Program to fight money laundering and the financing of terrorism (ML/FT) effectively and comply with the legal requirements.

What Is the Anti-Financial Crime Compliance Program

Financial crime is the illegal use of financial systems, networks, and resources for unlawful purposes. There are several forms of financial crimes: fraud, money laundering, financing terrorism, insider trading, and so on. The perpetrators of such crimes are individuals or a group of individuals, such as cartels or syndicates, with an intention to generate unlawful gains from illicit activities.

The consequences of such crimes go far beyond just the financial risk, and there is a reputational risk associated with it as the public perception of the organisations would severely deteriorate. It may even lead to the permanent closure of a business.

Financial crime draws global attention because its impact is not restricted to the geographical jurisdiction of the victim organisation; it flows throughout the economy. There is a likelihood that the money laundered in one country will be used for terrorism in another country. It could cause destabilisation of the economies, thereby hampering development.

These factors necessitate businesses such as DNFBPs and VASPs to develop and implement an Anti-Financial Crime (AFC) compliance program, which provides for compliance with the relevant and applicable laws, policies, and regulations.

An ‘Anti-Financial Crime Compliance Program’ (AFC) is a set of internal compliance measures, policies, and procedures established in an organisation. The AFC is intended to prevent, detect, and curb financial crimes of all kinds and mitigate the risks associated with them.

AML/CFT Regulatory Requirements in UAE

The United Arab Emirates (UAE), one of the most significant economies in the Middle East and the entire globe, is a centre for international trade. Although the UAE is a target destination for foreign investment, its wealth also makes it a target for criminals looking to take advantage of its financial system.

In the UAE, the primary legislation concerning Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) is Federal Decree-Law No. (20) of 2018 On Anti-Money Laundering and Combating the Financing of Terrorism and Financing of Illegal Organisations (the “AML-CFT Law” or “the Law”).

According to the UAE’s AML Law, DNFBPs and VASPs must set up a thorough AML/CFT program that includes an AML policy for conducting Customer Due Diligence (CDD), sanctions screening, customer risk profiling, governance, and regulatory reporting, among other measures.

The AML policy, together with the procedures, systems, and controls, must be appropriate for the size and kind of business, according to the UAE’s AML Law.

Ensuring compliance with the terms of the UAE AML Law is the responsibility of the Senior Management of the business and its specially appointed AML Compliance Officer.

Overview of obligatory requirements of the UAE AML-CFT Law:

1. Registration on the goAML portal: goAML is a software portal for reporting suspicious transactions to the UAE Financial Intelligence Unit. DNFBPs and VASPs need to register using the portal.

2. Appointment of AML Compliance Officer (CO)/ Money Laundering Reporting Officer (MLRO): The DNFBPs and VASPs must appoint an AML CO/MLRO. The role of such a CO/MLRO is to ensure that the DNFBPs or VASPs are compliant with the applicable AML laws, develop training programmes for employees, manage the AML/CFT Programme, and report suspicious transactions involving money laundering, financing terrorism, and proliferation financing (ML/FT and PF).

3. Enterprise-Wide Risk Assessment (EWRA): DNFBPs and VASPs need to have in place an adequate and appropriate ML/FT and PF risk management process that identifies risk scenarios, assesses inherent risk and residual risk, analyses them, and determines suitable measures to bring down the inherent risks.

4. Developing AML Policy: The DNFBPs and VASPs need to have in place a comprehensive policy which provides for ML/FT and PF risk identification, mitigation, customer onboarding and customer exit policy, suspicious activities and transactions reporting (SAR/STR), record-keeping, governance, and measures to ensure compliance with targeted financial sanctions (TFS).

5. Customer Due Diligence (CDD): Businesses need to obtain relevant information and documents for verification from the individuals and entities they wish to conduct business with, along with the details of the directors, partners, and shareholders of a corporate entity, to find out the ultimate beneficial owner (UBO) and rule out the possibility of such a beneficial owner being a sanctioned individual. They must create a KYC template capturing the necessary customer details, which customers fill in prior to onboarding.

6. Customer Risk Assessment and Profiling: This includes the assessment and classification of customers derived from the degree of risk posed by them to the business. This risk assessment is performed based on customer-specific risk, transaction-specific risk, customer jurisdiction-specific risk, product/service-specific risk, and delivery channel-specific risk.

7. Enhanced Due Diligence (EDD): The AML regulations require businesses to carry out EDD when the customer is classified as high-risk. The process of EDD entails obtaining additional documents from the customer for review, ensuring customer identity in multiple ways, obtaining top management approval, and collecting information such as Sources of Funds (SoF) and Sources of Wealth (SoW).

8. Sanction Screening: Businesses need to have in place adequate measures to ensure compliance with the TFS regulations. Regulated entities should prepare and implement a Sanctions Compliance Program (SCP). The SCP must determine which software the business uses for carrying out sanctions screening or whether it relies on manual screening. The SCP must provide for the actions to be taken and the reports to be filed in case of a confirmed match or partial match.

9. goAML Reporting: The various reports include Suspicious Transaction Report (STR), Suspicious Activity Report (SAR), High-Risk Country (HRC) Report, High-Risk Country Activity (HRCA) Report, Dealers in Precious Metals and Stone Report (DPMSR), Fund Freeze Report (FFR) (in case of the confirmed match), Partial Name Match Report (PNMR), and Real Estate Activity Report (REAR).

10. Record Keeping: AML regulations require businesses to maintain records of the entire customer onboarding process, including CDD, EDD, sanctions screening, and all other AML compliance measures, for the period specified by the relevant regulatory authority. These records also include customer verification records, records pertaining to ongoing monitoring, and other specified records.

In case of non-compliance, an investigation will be initiated, or hefty regulatory penalties ranging from AED 50,000 to AED 10,000,000 will be levied, and/or licenses will be terminated, and the business will be closed. Other than the regulatory sanctions, there will be reputational damage and financial risk.

Why Do You Need an Anti-Financial Crime Compliance Program?

1. Protection Against Financial Crimes:

Businesses, such as DNFBPs and VASPs, need to safeguard themselves and their clients by enforcing AFC measures within the organisation and eliminating unethical behaviour through stringent anti-financial crime rules and internal controls.

2. Compliance with the Regulatory Framework:

The DNFBPs and VASPs must fulfil a wide range of regulatory and compliance requirements. Non-compliance with applicable laws and regulations will result in financial crime materialising through the business and will attract penalties and reputational risk.

3. Maintain Integrity and Safeguard Credibility:

To maintain the integrity and credibility of the business, strong AFC compliance programs are required to assist organisations in improving their public image. By following compliance guidelines, organisations can showcase their dedication to business ethics that uphold the confidence and trust of customers.

4. Risk Management:

Financial loss from fraud and other financial crimes is decreased by effective AFC compliance policies. One of the AFC Compliance Program’s subsets is Financial Crime Risk Management, which ensures AFC compliance, identifies and assesses financial crime risk, creates reports, mitigates financial crime threats, and regularly monitors existing customers for change in their customer profiles, resulting in a change in the financial crime risk-rating.

5. Combatting Varied Financial Crimes:

The existence of a wide range of financial crimes emphasises the need for an AFC compliance program.

  • Money Laundering: The goal of money laundering is to conceal the source of proceeds of illegal gains. Its primary goal is to deceitfully enter the funds obtained by illicit means into the legitimate financial system.
  • Financing Terrorism: The provision of funds to finance terrorism and conduct terrorist activities is known as financing terrorism. Money laundering and financing terrorism are similar, as both involve criminals hiding the flow of money inside the established financial system.
  • Fraud: Fraud is an act of intentional deceit to make any unlawful gains or cause unlawful losses. Investment scams, insurance fraud, and identity theft are a few examples of fraud as a financial crime.
  • Corruption and Bribery: Corruption is the misuse of authority to further personal or political benefit, including financial gain, by acting outside the bounds of such authority. The flip side of corruption is bribery. It occurs when a group unlawfully provides an authority figure with financial gains in return for special consideration when making choices that have an impact on the public.
  • Embezzlement: The theft or misappropriation of money entrusted to someone is known as embezzlement. This may happen in several contexts, including profit-making businesses and charitable institutions.
  • Tax Evasion: Tax evasion is a financial crime that involves an entity purposefully avoiding paying their taxes or paying less in taxes than they owe. One can evade taxes in several ways. One is to knowingly withhold disclosing income that is subject to taxation.
  • Insider Trading: Insider trading involves trading in the stocks of a company in the securities market by persons who have access to unpublished price-sensitive information of such company. Unpublished price-sensitive information is information that is unavailable in the public domain but, once made available, will severely affect the price of the securities of the company to which the information is related.

Challenges of an Anti-Financial Crime Compliance Program

The challenges faced by businesses during the effective implementation of the Anti-Financial Crime Compliance Program are:

  • Complex Regulatory Environment: Compliance specialists in DNFBPs and VASPs are required to navigate through a complex web of constantly evolving laws, rules, and guidelines, including sanctions regimes, CDD and KYC guidelines, AML legislation, Data Protection and Data Privacy laws enforced by several national and international organisations wherever the business operates.
  • Technological Developments: To conceal their illegal activity, criminals involved in financial crime are using more sophisticated technology, such as encryption, artificial intelligence, and synthetic ID. AFC compliance teams need to implement equally advanced technology to efficiently identify and stop financial crimes from happening.
  • Data management: DNFBPs and VASPs need to manage enormous volumes of data from many sources, which may be quite difficult. Compliance teams need to gather, handle, and evaluate data quickly and securely to detect questionable behaviours. These data management exercises and the data itself need to be recorded and maintained according to relevant regulatory requirements.
  • Cost of Compliance: Medium-sized and small businesses may find AFC compliance measures to be costly. It’s always difficult to strike a balance between the expense of compliance and the requirement for efficient risk management.
  • Cyber Attacks: Financial crimes encompass a wide range of offences, including but not limited to credit card or debit card theft, account access theft, identity fraud, and other related activities. The chance of a cyber security breach, and of falling victim to attacks such as ransomware, malware, phishing, and denial of service, is rather high, even if DNFBPs and VASPs have the toughest security standards in place.

Essential Elements of an Anti-Financial Crime Compliance Program

1. Risk Assessment

The risk of financial crime requires the utmost attention and importance in the risk management framework of organisations. The steps involved in financial crime risk management include:

  • Identification: The professionals involved in the AFC team should have a questioning mind and be always alert to conditions that may indicate any hints of financial crime and, with the use of their knowledge and expertise, should be capable of taking immediate actions in a confidential manner.
  • Assessment: This is the process of analysing, categorising, and prioritising financial crime risks. By allotting risk scores based on the likelihood of an event occurring and the gravity of its consequences, financial crime risks are categorised into high-, medium-, and low-risk ratings.
  • Mitigation: This step involves finding various methods to respond to the risks and reduce their impact on the organisation. There are various risk mitigation measures, such as risk avoidance, retention, reduction, and transfer. Technology such as financial crime detection software and data analytics must be employed to detect the traces of the crime according to the nature, size, and requirements of the organisation.
  • Monitoring and Reviewing Risks: Risk management is an ongoing and ever-evolving process. To adapt to the changing environments and regulatory requirements and stay updated, the business needs to continuously monitor and review the risk management process.
  • Reporting Risks: Risk management must be documented at every phase for future reference and to fulfil regulatory reporting obligations.

2. Governance

A firm tone at the top of the organisation is closely related to comprehensive financial crime risk management and oversight systems. The ultimate responsibility to implement a robust AFC program lies with the top management. It is also advised that the organisation make an external statement about how it is handling the risks of financial crime, such as in its annual report.

The Board of Directors should also approve the nomination of a suitably competent Financial Crime Reporting Officer or Compliance Officer by senior management to oversee financial crime matters. The Anti-financial Crime Compliance Officer shall satisfy the need for an officer with a sharp eye for identifying and reporting any such suspicious conduct to the proper authorities, both inside and outside the entity, in an impartial, fair, and transparent way.

Regulated entities may include a three lines of defence model within their organisational framework for risk management.

  • The first line of defence is the business operations, which perform initial risk management activities at the time of onboarding a client.
  • The second line of defence consists of the many risk and compliance roles that management has developed. They oversee first-line risk management, conduct control testing, establish organisation-wide policies, and help with training delivery.
  • The internal audit function typically handles the third line of defence, which entails independent assurance of first and second-line operations.

3. AML/CFT Policies and Procedures

Businesses must identify vulnerabilities and put controls and procedures in place to prevent and mitigate financial crimes. Key elements of AML/CFT policies and procedures consist of:

  • Customer Due Diligence (CDD): CDD entails gathering personal data, verifying a customer’s identity using biometrics or documents, and comparing customer information to the database to validate documents.
  • Enhanced Due Diligence (EDD): EDD entails additional document review, regular identification verification, and additional database verifications for high-risk clients.
  • Sanctions Program: The practice of screening people, organisations, and Politically Exposed Persons (PEPs) against sanction lists to verify compliance with sanctions requirements is known as sanction screening. A sanctions list is a list of people, organisations, or nations that have been placed under restrictions or sanctioned by international organisations or governments. These constraints may be in the form of monetary limits, travel prohibitions, restrictions on trade, and more.
  • Transaction Monitoring: The practice of tracking, monitoring, and assessing financial transactions is known as transaction monitoring. Transaction monitoring looks for suspicious transactions, trends, or patterns that could point to money laundering or the funding of terrorism. Financial crimes, including money laundering, financing terrorism, and fraud, are becoming more and more risky as the world’s financial systems grow larger and more intricate.

4. Regulatory Reporting

Submission of various reports to regulatory authorities to fulfil compliance with AML/CFT and TFS requirements, as well as other financial crime prevention legislation, is known as regulatory reporting for financial crime compliance. Usually, these reports consist of SAR, STR, HRC, HRCA, FFR, PNMR, DPMSR, and REAR to name a few.

Non-compliance with these requirements may result in serious consequences, such as fines and harm to the organisation’s reputation.

5. Staff Training

Every employee of DNFBPs and VASPs should get frequent training on the significant risks associated with financial crime, such as AML/CFT, KYC, bribery and corruption, and penalties.

Employees participating in financial crime risk management across all three lines of defence should get more focused and comprehensive financial crime training. The level of information required for various teams, as well as the delivery method, should be considered.

Conclusion

Anti-financial crime measures such as training the employees, adopting the technology, compliance with the law in true letter and spirit, and acting with reasonable, diligent, and professional care at every level will significantly contribute towards the prevention and detection of financial crime with ease.

This blog has attempted to cover the meaning of an anti-financial crime compliance program, the need for it, and its key elements, including risk management, compliance officers, compliance teams, governance, roles and responsibilities, and staff training.

It is a holistic approach that requires each member of the organisation, ranging from the top management to the entry-level employees and every department of the organisation, to implement such internal policies as may be required for their scope and type of work, which leads to safeguarding the entire organisation and ultimately the financial sector and the economy from the atrocities of financial crime.

Pathik Shah

Pathik is a Chartered Accountant with over 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing robust AML compliance frameworks. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

Pathik's expertise extends to guiding businesses in navigating complex regulatory landscapes, ensuring adherence to FATF and other international standards, and mitigating financial crime risks. He is a recognised thought leader in AML/CFT, frequently sharing insights on emerging compliance challenges on various platforms.

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
