In October 2022, the Wolfsberg Group, a non-governmental association of global banks, published an updated version of its Financial Crime Principles for Correspondent Banking. The Wolfsberg Group compiled the document, originally published in 2014, to provide “guidance and best practices” for correspondent banks, including setting out a distinction between “correspondent banking” and “correspondent relationships”. The new “Principles” also integrates a Frequently Asked Questions section that was previously not part of the same document.
Given the influence that the Wolfsberg Group has on global banking regulation, and anti-money laundering (AML) and counter-financing of terrorism (CFT) policy, it is important that correspondent banking service providers become familiar with the updated principles, and use them to update their AML/CFT solutions. With that in mind, let’s take a look at the key points from the updated document.
Who are the Financial Crime Principles for?
The updated Principles set out the risk-based due diligence measures that correspondent banks must implement when onboarding new customers or handling transactions for existing customers. More specifically, the Principles enable banks to conduct effective risk assessments of customers involved in correspondent banking relationships, and establish and maintain accurate risk profiles. The document also includes information for respondent banks, outlining what they should expect from their correspondent banking relationship.
The major focus of the updated document is on the types of activity that present the most risk for correspondent banks. The update introduces “the concept of a defined risk appetite for correspondent banking activity” and details factors that should be considered during periodic reviews of correspondent banking relationships, as they pertain to a service provider’s risk appetite.
What are the Correspondent Banking Financial Crime Principles?
Central to the updated financial crime principles is the need for correspondent banks to apply risk-based due diligence to their respondents. In practice this means that banks must assess each respondent to determine the level of risk they present, and then deploy AML compliance measures commensurate with that risk.
Under the Principles, the key risk indicators to consider during the due diligence process are as follows:
Geographic risk: Jurisdictions that have inadequate financial crime standards or poor regulatory supervision present a higher AML/CFT risk. Correspondent banks may refer to guidance from international regulatory bodies, such as the Financial Action Task Force (FATF), to determine what level of risk a particular jurisdiction presents, and factor that information into a risk assessment.
Branches, subsidiaries, affiliates: Where a correspondent bank provides services to its own affiliates, the level of due diligence applied should reflect the level of control the parent institution exerts. Banks should consider risk factors unique to their branches, subsidiaries, and affiliates when conducting risk assessments. The same principle should be applied to respondents that are not affiliates of a correspondent bank, where they have their own parent institutions.
Ownership and management: A respondent’s ownership and management structure typically affects its financial crime risk. Salient factors include whether a respondent is state or publicly owned, and the level of transparency with which management personnel operate. Executives should also be considered when assessing risk: politically exposed persons (PEP), for example, pose an elevated AML/CFT risk.
Products and services: The products and services that respondents offer to customers affect their financial crime risk. Works of art, for example, pose a higher level of AML risk than other types of goods and services, while a respondent’s ability to monitor their own transactions may also be relevant. Similarly, the products and services that the correspondent bank offers to its respondents also affect financial crime risk: banks should consider their ability to monitor respondent transactions when assessing this risk factor.
Respondent customer base: The type of customers that a respondent serves can elevate its AML/CFT risk, especially when a “substantial part of its business income” is drawn from high risk customers. Correspondent banks must be able to assess the risk posed by respondent customers against their risk appetite.
Regulatory status and history: Correspondent banks should take “reasonable measures” to ensure that respondents are subject to suitable regulatory oversight within their jurisdiction. If the respondent has been subject to previous regulatory actions, such as criminal investigations, the correspondent bank should factor that information into its risk assessment.
Financial crime controls: Respondents that operate in jurisdictions with poor financial crime controls (FCC) pose a high AML/CFT risk. Correspondent banks should consider whether a jurisdiction’s FCC meet international standards and how effectively they counter the risk presented by other factors (such as customer base).
Shell Banks: Correspondent banks should confirm that a respondent is not a shell bank – that is, a bank with no physical presence in the country in which it is incorporated. Similarly, correspondent banks should confirm that the respondent does not provide services to, or have business arrangements with, shell banks.
Site visits: Correspondent banks should arrange a visit to a respondent bank’s premises “prior to or within a reasonable period of time” after establishing a business relationship, in order to “support the customer due diligence process”. If necessary, financial crime experts should also conduct visits.
Enhanced Due Diligence
Where correspondent banks deal with higher risk respondents, the Principles advise that they apply enhanced due diligence (EDD) in order to establish a greater understanding of the risks involved in the relationship. EDD measures typically involve a more intensive evaluation of the following factors:
Politically Exposed Persons: If PEPs are involved in the management or ownership of a Respondent, the correspondent bank should take steps to understand the PEP and the nature of their role.
Downstream FIs: Where a respondent offers its services to financial institutions (FI) that are domiciled within the same country as a respondent, that relationship is referred to as a “downstream FI”. Correspondent banks should “take reasonable steps” to understand the FIs that are downstream from respondents since each FI in the relationship will impact the risk assessment.
FAQ Update
The Wolfsberg Group incorporated a set of FAQs, previously available in a separate document, into the updated 2022 Financial Crime Principles. The FAQs offer detailed information about correspondent AML/CFT measures, based on the Group’s perspective on current best practices. The FAQs also set out the Group’s perspective on how correspondent banking AML/CFT best practice should develop in the future.
The FAQ topics include reasons for the intensive regulatory scrutiny of correspondent banking, how the Principles apply to affiliates and EU member banks, and how to treat high risk respondents.
How to Comply with the Financial Crime Principles
The Financial Crime Principles heavily emphasise the importance of the risk-based approach to effective AML/CFT. That approach relies on the creation of accurate customer risk profiles, which means correspondent banking service providers must collect and analyse customer data on an ongoing basis. Given the sheer amount of customer data involved in correspondent banking AML/CFT, it is vital that service providers use suitable automated software to capture the relevant information.
Ripjar’s Labyrinth Screening platform gives correspondent banks the power and resources they need to manage their data challenges, and meet the standards set out by the Financial Crime Principles. Using Labyrinth, correspondent banks can screen their respondents against thousands of data sources, including sanctions lists, watchlists, and PEP lists, along with global adverse media in over 20 languages. Labyrinth integrates machine learning technology to blend structured and unstructured data in real time, and generate actionable intelligence to ensure that changes to respondent risk profiles are detected and flagged as soon as possible.
The Financial Action Task Force (FATF) maintains a “black list” and “grey list” of countries that have “strategic deficiencies” in their anti-money laundering (AML) and counter-financing of terrorism (CFT) regimes.
Officially known as the High Risk Jurisdictions subject to a Call for Action, the FATF black list serves to alert financial service providers to the risks of doing business with certain countries, and to encourage the governments of those countries to take appropriate action to implement the FATF’s AML/CFT Recommendations. The FATF calls on member states to apply enhanced due diligence measures when dealing with customers from black list countries and to “apply counter-measures to protect the international financial system from the money laundering, terrorist financing, and proliferation financing (ML/TF/PF) risks” that they pose.
In addition to the black list, the FATF maintains a “grey list”, referred to as Jurisdictions under Increased Monitoring. Like the black list, the grey list sets out countries that have strategic AML/CFT deficiencies, but that are cooperating with the FATF by working through an action plan to address them expeditiously.
While inclusion on the grey list denotes an elevated level of AML/CFT risk, the FATF does not advise enhanced due diligence (EDD) when dealing with designated countries. However, in the UK and EU it is a legal requirement to apply EDD when customers are based in High Risk Third Countries or if transactions involve those countries. In the UK, HMT’s list of High Risk Third Countries is the FATF grey list. In the EU, the European Commission also largely bases its list on the grey list.
As the FATF conducts its periodic reviews and Mutual Evaluation Reports (MER), countries may be added to, and withdrawn from, the black and grey lists depending on the progress (or lack thereof) that they have made in addressing relevant issues. In October 2022, following a Plenary session, the FATF updated its black list and grey list to reflect the new global AML/CFT risk landscape. In order to remain compliant with domestic AML/CFT regulations, and to avoid potential criminal risks, financial services providers and other obligated entities should be familiar with the updated lists, and understand how to achieve compliance when dealing with customers from designated countries.
Recent changes to the FATF black list
Myanmar
In February 2020, Myanmar committed to an FATF action plan to address strategic deficiencies in its AML/CFT infrastructure. That plan expired in September 2021 and, after noting a “continued lack of progress” in addressing AML/CFT issues, the FATF added Myanmar to its Jurisdictions under Increased Monitoring in October 2022.
The FATF has identified key measures that Myanmar must implement in order to be removed from the black list. These include:
Demonstrating an improved understanding of key money laundering risks
Implementing risk-based on-site and off-site inspections
Demonstrating enhanced use of financial intelligence in money laundering investigations
Ensuring that money laundering is investigated and prosecuted in line with its risks
Demonstrating international cooperation in the investigation of transnational money laundering cases
Increasing the seizure of the proceeds of crime, and managing the seized assets to preserve their value prior to confiscation
Implementing targeted financial sanctions to combat weapons proliferation financing
Myanmar joins two other countries on the black list:
Democratic People’s Republic of Korea
Iran
Recent changes to the FATF grey list
The FATF has recently added the following countries to its Jurisdictions under Increased Monitoring:
United Arab Emirates: In a 2022 Plenary and Working Group Meeting, the FATF noted that the UAE had made progress in addressing its money laundering and terrorism financing risk. However, it also noted that more work was required to improve the country’s money laundering investigations and prosecutions, and so added the UAE to the grey list in October 2022.
Democratic Republic of the Congo: Following insufficient progress implementing the recommendations on its 2021 Mutual Evaluation Report (MER), the FATF added the DRC to the grey list in October 2022.
Mozambique: While Mozambique made a political commitment to improve its AML/CFT deficiencies, the FATF noted that it had not made sufficient progress, and added it to the grey list in October 2022.
Tanzania: Like Mozambique, the FATF noted that Tanzania had made improvements to its AML/CFT infrastructure following its 2021 MER, but had not made sufficient progress in addressing key points in its action plan. Tanzania was added to the grey list in October 2022.
In December 2022, the FATF’s list of Jurisdictions under Increased Monitoring included the following countries:
Albania
Barbados
Burkina Faso
Cambodia
Cayman Islands
Democratic Republic of the Congo
Gibraltar
Haiti
Jamaica
Jordan
Mali
Morocco
Mozambique
Panama
Philippines
Senegal
South Sudan
Syria
Tanzania
Turkey
Uganda
United Arab Emirates
Yemen
How to comply with black list and grey list changes
Countries on the FATF black list and grey list present a high risk of money laundering, and firms should exercise extreme caution when doing business with companies within those jurisdictions. While all transactions involving black list countries require firms to implement enhanced due diligence measures, firms should also treat grey list countries with a high degree of caution due to the elevated risk of financial crime.
With this in mind, firms should review their compliance solutions to ensure that they are effectively applying the FATF AML/CFT recommendations. This means conducting risk assessments of each customer and then applying compliance measures, including ongoing screening and monitoring, that are commensurate with the risk profile that those customers present.
In order to establish an accurate risk profile, however, it will be necessary to collect and analyse a vast amount of customer data, drawn from a range of information sources, including internal due diligence, watchlists, sanction lists, politically exposed person lists, and international media. Ripjar’s Labyrinth Screening platform has been developed for exactly this purpose: Labyrinth enables firms to screen customers in real time against thousands of data sources, including sanctions and watchlists, and foreign media sources in over 20 languages. Integrating cutting-edge machine learning technology, Labyrinth is designed to help you adapt quickly to a changing risk landscape, including updates to the FATF black and grey lists, by seamlessly blending structured and unstructured data to generate actionable compliance intelligence.
The Monetary Authority of Singapore (MAS), the city’s primary financial regulator, published its five-pronged National Strategy for Countering the Financing of Terrorism (CFT) on 7 October 2022. The Strategy serves as a roadmap for the development of action plans to counter the financing of terrorism through Singapore’s financial system, and emphasises the role of local law enforcement agencies with international partnerships and counterparts, reflecting the global nature of the terrorism threat.
MAS published the CFT strategy following a holistic assessment conducted in 2020. Following that assessment, the regulator identified Singapore’s key terrorism financing threats as stemming from “regional and international terrorist groups”, and from “radicalised individuals” operating alone. The CFT strategy was devised to enhance coordination between Singapore’s law enforcement agencies, government policy makers, supervisory agencies, regulators, and private sector organisations.
The five prongs of MAS’ CFT strategy are as follows:
1. Coordinated and Comprehensive Risk Identification
Under this prong of the CFT strategy, MAS will ensure that it takes a whole-of-government approach to preventing terrorism financing. In particular, MAS states that government agencies should work closely with each other through “already well-established cooperation committees and networks”. It states that these agencies should review the terrorism financing landscape on a regular basis, considering “current and emerging typologies, international standards and requirements, and inputs from the private sector and academia”.
2. Strong Legal and Sanctions Frameworks
Under the Strategy, MAS will put a comprehensive legal framework in place so that Singapore’s law enforcement authorities will be able to take “swift and effective action” against the financiers of terrorism, which may include terrorist organisations and terrorists themselves. MAS will also ensure that Singapore’s financial sanctions framework matches international standards and conventions, and that there is a clear policy framework in place to help identify terrorists that are attempting to raise funds.
3. Robust Regulatory Regime and Risk Targeted Supervisory Framework
MAS will work to ensure that Singapore’s AML/CFT regulatory framework remains robust and resilient. Similarly, it will ensure that the city’s “risk-based supervisory framework” and private sector AML/CFT compliance requirements continue to meet international best practice standards, and the standards set out by the Financial Action Task Force (FATF).
As terrorism financing methodologies become more sophisticated, MAS will also work to improve Singapore’s surveillance and supervisory measures “through the use of data analytics and technological tools”. MAS will use those tools to collect and analyse data from global sources, and to “detect and target higher risk activities and entities” that may present terrorism financing threats.
4. Decisive Law Enforcement Actions
MAS notes that law enforcement agencies already have “an effective operational framework to investigate and prosecute” incidents of terrorism financing, but points out that there is still scope for greater inter-agency cooperation. To that end, the Strategy includes a commitment to enhance cooperation between Singapore’s law enforcement agencies in order to detect and investigate terrorism financing cases promptly.
MAS will also expand its collaboration with private sector businesses to “better detect and disrupt” terrorism financing. Similarly, it will work to enhance Singapore’s legal framework to ensure that terrorism financing investigations are prosecuted successfully.
5. International Partnerships and Cooperation
MAS notes the importance of international cooperation in the fight against terrorism financing. With that in mind, the Strategy will see MAS “continue to rigorously implement” international anti-money laundering and counter-financing of terrorism standards, which are set by bodies such as the FATF and the United Nations Security Council (UNSC). MAS will also continue to work and cooperate with other international jurisdictions, both seeking and providing legal assistance in order to “proactively tackle” funding flows associated with terrorist financing.
The Strategy states that MAS will use a range of mechanisms to achieve its CFT partnership and cooperation objectives, including entering into bilateral agreements, and using intelligence sharing platforms. As part of the Strategy, MAS restates Singapore’s commitment to contributing to the international fight against terrorism financing by taking “firm and resolute action” wherever it detects criminal activities.
MAS Compliance
MAS’ five-pronged strategy underlines the importance of effective AML/CFT compliance for firms that operate within Singapore. The Strategy is still relatively new to the city-state’s regulatory landscape, so its immediate impact remains to be seen, but the details set out in the five prongs suggest that multilateral cooperation, with Singapore’s law enforcement agencies and with other private sector entities, will be central to the AML/CFT regulatory framework going forward.
Risk-based AML/CFT will also continue to underpin Singapore’s compliance landscape, meaning that firms must continue to implement effective automated customer screening and monitoring in order to detect criminal activities. Accordingly, in order to enable that level of risk-based compliance, and cooperation with other entities, firms in Singapore must be able to harness customer data quickly and efficiently.
Ripjar’s Labyrinth Screening platform has been developed to enable firms to achieve that compliance objective, with the capacity to screen thousands of data sources in real time, including sanctions lists, watch lists, and adverse media in over 20 languages. Labyrinth seamlessly blends structured and unstructured data, delivering actionable intelligence to help your firm understand when risk profiles change or when customers engage in suspicious activities, and then to act decisively to inform MAS in order to prevent terrorist activities.
In September 2018, the Australian government announced funding for a $5.2 million initiative between the Australian Transaction Reports and Analysis Centre (AUSTRAC) and industry partners to produce “targeted national money laundering/terrorism financing risk assessments for Australia’s largest financial sectors”, including two risk assessments for the remittance sector. The first would focus on independent remittance dealers (IRD) and the specific money laundering (ML) and terrorism financing (TF) risks that they face, while the second would focus on risks to “remittance network providers and their affiliates”.
In September 2022, AUSTRAC released the first of those risk assessments which drew from a comprehensive review of 1,100 intelligence reports and suspicious matter reports (SMR), 13% of which related to IRDs that “use their own products, platforms or system to provide remittance services directly to customers”. In the report, AUSTRAC points out that the IRD category refers to very large entities and very small entities: consequently, the risk assessment reflects the variety of ML/TF threats that collectively affect the industry.
AUSTRAC has stated that the risk assessment is not intended to be received as “targeted guidance or recommendations” for IRDs’ anti-money laundering (AML) and counter-financing of terrorism (CFT) compliance efforts. However, the regulator does expect IRDs to review the assessment and use it to:
Inform their in-house risk assessments
Improve their risk management systems
Improve their understanding of the wider risk landscape
With those factors in mind, let’s take a closer look at AUSTRAC’s IRD report, and examine some of its key highlights.
Remittance Providers’ ML/TF Threat Environment
As part of the risk assessment, AUSTRAC assessed the threat environment facing IRDs in Australia, which refers to “the nature and extent of money laundering, terrorism financing, and predicate offences associated with IRDs”. AUSTRAC classified the threat environment as presenting a “medium” risk but broke down its analysis across the different types of threat: money laundering, predicate offences, and terrorism financing.
Money Laundering
AUSTRAC assessed the money laundering threat environment to IRDs as presenting a “high” level of risk, with both larger and smaller Australian IRDs facing the same level of threat, including links to “serious and organised crime”.
The risk assessment suggested that the IRD sector was primarily exploited for the purposes of placing and layering illegal funds because of its specialisation in moving money quickly and at low cost over multiple transactions. High risk foreign money laundering jurisdictions for Australian IRDs included the UK, the US, China, and Nigeria, with most key money laundering predicate offences (such as fraud, trafficking, and tax evasion) originating in Australia.
AUSTRAC outlined the following common indicators of IRD money laundering:
Customers that are unable to explain their source of funds.
Customers using cash payments or multiple debit cards to fund their remittances.
Remittances sent through certain jurisdictions that do not match the customer’s profile.
Cash deposits in amounts just below reporting thresholds.
Seeming coordination between multiple customers opening new accounts.
Customers requesting personal details (such as names) to be omitted from transactions.
Recipients of remittances that have no apparent connection to the sender.
Terrorism Financing
The AUSTRAC risk assessment classified the IRD terrorism financing threat as ‘medium’. The classification reflects the relatively low number of terrorism-financing related alerts submitted by IRDs and represents a decrease from previous assessments, perhaps a result of changing terrorism financing methodologies. Despite the risk classification, AUSTRAC pointed out that IRDs were involved in 20% of all terrorism-financing intelligence reports in the review.
Key indicators of terrorism financing involving IRDs include:
Use of cash to fund remittances.
Remittances sent to high risk jurisdictions.
Enquiries from law enforcement or media organisations.
Reasons given for remittances including ‘charitable donation’ or ‘family support’.
Individual or non-profit organisation customers.
Predicate Offences
A predicate offence refers to a crime which generates illegal funds that must subsequently be laundered. The AUSTRAC report classified the threat to IRDs from predicate offences as “medium” and the regulator pointed out that the risk was predominantly against larger IRDs, reflecting their dominance in the sector.
The risk assessment identified the following key predicate offence threats to IRDs:
Fraud: IRDs are attractive targets for fraudsters because of their capacity to facilitate money transfers across the world with little prospect of recovery.
Scams: Criminals perpetrate a range of scams in Australia, including romance scams, false billing scams, and remote access scams, and request that victims send them money using IRD services.
Child exploitation: IRDs facilitate the rapid movement of funds to jurisdictions that carry a high risk of child exploitation crimes.
Drug trafficking: IRD services are exploited most commonly for small scale drug trafficking.
Tax evasion: IRDs are used for personal tax evasion as commonly as they are for corporate tax evasion.
IRD Vulnerabilities
The AUSTRAC risk assessment set out the inherent vulnerabilities of the IRD sector that criminals commonly target.
Customers: The IRD sector serves a diverse customer base, which includes a significant proportion of customers from ethnic communities which are likely to remit money for family support, community funding, and charitable donations. The IRD customer population includes a “moderate number” of higher risk customers, including known criminals, foreign customers, companies and trusts, and politically exposed persons (PEP).
Products and services: The IRD sector’s products and services represent a “high” ML/TF vulnerability as a consequence of their high exposure to cash and the speed with which they move funds between accounts. Similarly, some IRD services enable customers to exchange currencies, making it more difficult to track their origins.
Delivery channels: The risk assessment stated that the decline in face-to-face customer contact, and the shift to online or remote service as a consequence of the COVID-19 pandemic, was an increasingly significant vulnerability of the IRD sector. In particular, the anonymity and speed of online IRD services present opportunities for criminals to launder money successfully. AUSTRAC also identified the use of outsourced third party service providers in foreign countries as a vulnerability because of the added complexity it brings to the remittance process.
Foreign jurisdictions: The IRD sector’s ongoing exposure to foreign jurisdictions represents an ML/TF vulnerability because of the inherent regulatory complexity of the cross-border movement of funds. Cross-border remittances also increase the likelihood of contact with high risk jurisdictions.
Consequences
AUSTRAC characterised the consequences of ML/TF in the IRD sector as “major”, and set out the effects of those crimes on the following individuals and groups:
Customers
The report suggests that criminal activity may have an increased impact on individual customers, causing both financial and emotional damage. Specific consequences include:
Personal and financial loss and emotional distress
Potential legal repercussions for victims
Increased compliance spends causing price increases for customers
Loss of services due to de-risking
Businesses
AUSTRAC suggests that ML/TF threats pose significant “financial, operational, and reputational risks” to the IRD subsector, including:
Financial losses and increased insurance costs
Reputational damage and difficulties establishing business relationships
Stricter regulatory oversight
Enforcement and legal actions, potentially with civil or criminal penalties
De-banking and de-risking
The Australian Financial System
The AUSTRAC review points out that ML/TF activities damage Australia’s international reputation and the country’s financial infrastructure. Specific consequences include:
Difficulties combating crime
Reduced government revenues
Increased financial and physical damage from predicate crimes
Increased financing of illegal activities as a result of undetected money laundering
Loss of confidence in the Australian IRD sector
National and International Security
The AUSTRAC review suggests that ML/TF in the IRD sector has the potential to impact national and international security interests, with consequences that include:
Gang related violence
Increased influence of drug trafficking organisations in foreign countries
Increased support for Australian foreign terrorists
Facilitation of terrorism in Australia and overseas
How to Reduce ML/TF Risk in IRDs
AUSTRAC notes that risk mitigation strategies vary significantly between IRDs, which means that some face a greater level of risk than others. While some IRDs have “relatively comprehensive risk mitigation strategies”, others have “unsophisticated approaches” with deficiencies in customer due diligence (CDD), staff training, and understanding of AUSTRAC AML/CFT obligations. The review sets out specific ways that Australian IRDs could enhance their risk mitigation measures, including:
Regular assessments of customer risk
Enhancements to CDD and screening processes
Comprehensive risk assessments for enterprise IRDs
Regular independent audits of risk management solutions
Employee training
The review identified enhanced risk assessments, CDD, and customer screening as crucial components of an IRD risk mitigation solution. Implementing those measures effectively as part of a compliance solution means IRDs must collect and analyse vast amounts of customer data, and be able to act quickly when suspicious activity is detected.
Ripjar’s Labyrinth Screening platform was developed to help IRDs and other financial service providers manage their risk mitigation requirements with speed, accuracy and efficiency, and achieve AUSTRAC compliance on an ongoing basis. Labyrinth Screening enables IRDs to screen customer names against thousands of news and adverse media sources, and international watchlists, in over 20 languages, in real time. Our platform is built with cutting-edge machine learning technology to seamlessly blend structured and unstructured data, and provide actionable intelligence.
To learn more about IRD screening and risk management solutions, contact us today.
The financial landscape changes constantly and, as new regulations and criminal trends affect global regulatory compliance, banks sometimes act to reduce the amount of risk they face through de-risking policies. While de-risking is a way to protect banks from criminal risk, it often represents a controversial compliance option since it can result in the exclusion of certain businesses from financial markets.
What is de-risking?
De-risking is the practice of declining or limiting financial services based on prevailing regulatory compliance requirements. More specifically, under a de-risking policy, a bank or financial service provider may adjust, end, or choose not to enter into a business relationship with a customer based on the compliance demands that doing so would present.
Since anti-money laundering regulations require banks to put policies and procedures in place to identify, prevent, and report financial criminal activities (such as money laundering and terrorism financing), de-risking represents an alternative option for those that cannot comply effectively with the rules. In most cases, de-risking is a commercially-motivated decision: a bank may decide that it is necessary to de-risk in order to be able to afford satisfactory financial compliance in other areas of its services.
There are no regulatory requirements for the way de-risking policies should be implemented. Financial institutions may apply de-risking measures broadly by restricting their services to entire categories of customer, or assess each customer’s risk level individually. Similarly, de-risking does not always mean that a financial institution limits its financial services: in some cases de-risking may be achieved by increasing compliance spending to boost performance. Some banks devote resources towards ongoing de-risking programmes which constantly assess the commercial viability of certain customer relationships and inform de-risking decisions.
Why is de-risking problematic?
While de-risking has regulatory and commercial benefits for banks, its exclusionary effects mean that many customers lose or are unable to gain access to the financial system. The de-risking process particularly affects organisations that are viewed as presenting a high money laundering risk, including money transfer businesses, non-profits, charities, correspondent banking services, and fintechs.
Many of the financial services affected by de-risking policies involve customers and clients that are located overseas, and so the practice disproportionately affects foreign customer groups, which may include vulnerable persons such as immigrants, refugees and asylum seekers, or legitimate businesses in developing countries that need access to international financial markets to grow. Studies by the World Bank have shown that de-risking takes place around the world but affects certain regions disproportionately, especially those with smaller countries or countries with only limited access to financial markets. With that in mind, the consequences of de-risking include:
Negative effects on financial inclusion. Customers that are unable to access financial markets are likely to remain in poverty and are less able to contribute to the economic growth of their country.
Humanitarian organisations may lose access to crucial financial services and be unable to provide aid to people and areas in need.
Customers that are unable to access higher quality banking services may be forced to use less-regulated banks. Similarly, criminals may resort to money laundering methodologies outside the scope of traditional AML/CFT controls.
When one bank de-risks, others may follow suit out of competitive necessity, creating significant knock-on effects for the financial system and undermining confidence in the wider financial sector.
De-risking can be a complex administrative process and may not be entirely effective in reducing a bank’s risk exposure. High risk customers that are declined services may be able to access others via a different branch of the same bank.
What are the alternatives to de-risking?
De-risking policies work against Financial Action Task Force (FATF) guidance that banks should take a risk-based approach to AML/CFT. In practice, the risk-based approach means that banks should assess the compliance risk that individual customers pose, and then adjust their compliance response accordingly. This approach enables banks to balance their compliance obligations with customer service considerations, and offer their services to as broad a customer base as possible.
With that in mind, banks may address some of the cost concerns that drive de-risking policies by implementing automated software solutions designed to streamline the compliance process. By automating customer data collection and analysis, for example, firms may build accurate risk profiles for their customers quickly and in large volumes, and use that information to make compliance decisions. Similarly, automated software enables firms to conduct transaction screening in seconds, establishing money laundering risk without compromising customer experiences.
Ripjar’s Labyrinth Screening platform is capable of screening customers against thousands of structured and unstructured data sources in real time, including sanctions and watchlists, and adverse media stories in 21 languages. Rather than declining services to customers as part of a de-risking strategy, Labyrinth Screening enables you to enhance customer safety and regulatory compliance, in a challenging financial landscape, and adapt quickly when new methodologies or regulatory responsibilities emerge.
To learn more about how Ripjar can help you find alternatives to de-risking, contact us today.
Money launderers must disguise the origin of their illegal funds in order to avoid the anti-money laundering (AML) and counter-financing of terrorism (CFT) measures put in place to detect them. That requirement often leads to the use of third parties, so-called ‘money mules’ who are engaged to help launderers move funds between accounts. Money muling is an increasingly serious global problem: in 2021, an international investigation led by Europol, INTERPOL, and the European Banking Federation identified over 18,000 money mules, and led to the arrest of 1,803 people involved in criminal enterprises valued at a collective €67.5 million.
In response to the money laundering threat, in August 2022, INTERPOL launched its #YourAccountYourCrime campaign, an initiative to address money muling and remind financial institutions and the general public of their responsibility to keep their accounts safe from criminal misuse. With global authorities focusing on the detection and prevention of money muling, it’s more important than ever for financial institutions to understand what the crime entails and how to prevent it.
What is a money mule?
Money mules are people that conduct transactions on behalf of criminals in order to thwart AML/CFT controls and, in doing so, evade regulatory scrutiny. A money mule may be asked to receive money into their bank account or transfer money from their account to another, or may simply open a bank account in their name that other persons then use to move illegal funds.
While a small number of money mules may handle physical cash on behalf of money launderers, the vast majority of money muling takes place online. A Europol study revealed that over 90% of money mule transactions are related to cybercrimes and types of online fraud.
While money mules may act in exchange for commission or a fee, they may also be elderly or financially vulnerable people, such as immigrants or the unemployed, who have been coerced or incentivised into working on behalf of criminals. When they are recruited, some money mules may not be aware that they are acting on behalf of money launderers and end up participating in money laundering without initially realising they are involved in a crime.
The #YourAccountYourCrime campaign highlighted several key money mule recruitment methods:
Employment scams: A criminal may contact a prospective money mule with the offer of employment. In most cases, the ‘employee’ has not applied for the job and the money launderer ‘employer’ does not offer any details about their company or the proposed role on offer.
Romance scams: Prospective money mules may be contacted via social media or dating websites by money launderers posing as romantic partners.
Investment scams: Money mules may be contacted online with details of a lucrative investment scheme or quick, ‘no strings’ cash payments.
Identity theft: Money launderers may assume the identity of employees of banks or courier companies, or even acquaintances or relatives, in order to get individuals to hand over personal account details.
In person: Some money mules may be approached in person by money launderers.
How does money muling work?
Once recruited, money mules are used to handle illegally-obtained funds and typically receive their instructions over email or through social media messaging services. Money mule tasks may involve:
Opening a bank account (or multiple bank accounts) under their own name.
Establishing a company under their own name.
Receiving money into one of their bank accounts or transferring money to a third party bank account.
A money mule may be only a single component in a much larger and more complex laundering operation in which criminals introduce their illegal funds to the legitimate financial system through multiple entry points. After the money mule has moved the funds through the financial system, criminals will withdraw the cash in its laundered state.
How can financial institutions detect money muling?
Financial institutions must develop risk management solutions capable of detecting customers that are being used as money mules, and remain vigilant for certain financial behaviours. Red flag indicators that customers may be involved in money laundering include:
Customers that are unwilling or unable to pass customer due diligence checks.
Customers that are unfamiliar with the source of the funds moving through their account.
Multiple IP addresses associated with a single online bank account.
IP addresses originating from high risk money laundering jurisdictions.
Transfers of funds to and from high risk money laundering jurisdictions.
Deposits of funds into a bank account that are withdrawn rapidly.
Unusual patterns of transaction that do not match a customer’s risk profile.
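The IP-address, jurisdiction and rapid-withdrawal indicators above can be expressed as rules over login and transaction records. The sketch below is an added example, not part of the original article or of any vendor's product; the thresholds, the placeholder jurisdiction code "XA", the flag names and all sample records are constructed assumptions that a firm would replace with its own risk policy and data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: tuning values and the high-risk list are illustrative only.
HIGH_RISK = {"XA"}                   # placeholder code for a high-risk jurisdiction
MAX_DISTINCT_IPS = 3                 # more distinct IPs than this raises a flag
RAPID_WINDOW = timedelta(hours=24)   # how quickly a deposit must leave to count
RAPID_FRACTION = 0.9                 # share of the deposit withdrawn in the window
MIN_DEPOSIT = 1000.0                 # ignore small deposits to limit noise

# Constructed sample data (IPs are from RFC 5737 documentation ranges).
LOGINS = [  # (account, timestamp, ip, country resolved from ip)
    ("acct-1", "2022-08-01T09:00", "192.0.2.10", "GB"),
    ("acct-1", "2022-08-02T09:05", "192.0.2.10", "GB"),
    ("acct-2", "2022-08-02T09:00", "198.51.100.1", "GB"),
    ("acct-2", "2022-08-02T09:40", "198.51.100.2", "GB"),
    ("acct-2", "2022-08-02T10:10", "203.0.113.7", "XA"),
    ("acct-2", "2022-08-02T11:00", "203.0.113.8", "XA"),
    ("acct-2", "2022-08-02T11:55", "198.51.100.9", "GB"),
    ("acct-3", "2022-08-03T08:00", "192.0.2.44", "GB"),
]
TRANSACTIONS = [  # (account, timestamp, direction, amount, counterparty country)
    ("acct-1", "2022-08-01T08:00", "in", 2500.0, "GB"),
    ("acct-1", "2022-08-01T18:00", "out", 300.0, "GB"),
    ("acct-2", "2022-08-02T10:00", "in", 4000.0, "GB"),
    ("acct-2", "2022-08-02T12:00", "out", 3900.0, "XA"),
    ("acct-3", "2022-08-03T09:00", "in", 1500.0, "GB"),
    ("acct-3", "2022-08-03T12:00", "out", 1500.0, "GB"),
]


def login_flags(logins):
    """Flag accounts reached from many IPs or from a high-risk jurisdiction."""
    ips, flags = defaultdict(set), defaultdict(set)
    for acct, _ts, ip, country in logins:
        ips[acct].add(ip)
        if country in HIGH_RISK:
            flags[acct].add("login_from_high_risk_jurisdiction")
    for acct, seen in ips.items():
        if len(seen) > MAX_DISTINCT_IPS:
            flags[acct].add("multiple_ips")
    return flags


def transaction_flags(transactions):
    """Flag high-risk counterparties and deposits that leave almost at once."""
    by_acct, flags = defaultdict(list), defaultdict(set)
    for acct, ts, direction, amount, country in transactions:
        by_acct[acct].append((datetime.fromisoformat(ts), direction, amount))
        if country in HIGH_RISK:
            flags[acct].add("transfer_high_risk_jurisdiction")
    for acct, rows in by_acct.items():
        for when, direction, amount in rows:
            if direction != "in" or amount < MIN_DEPOSIT:
                continue
            # Sum everything that left the account inside the window.
            left = sum(a for t, d, a in rows
                       if d == "out" and when <= t <= when + RAPID_WINDOW)
            if left >= RAPID_FRACTION * amount:
                flags[acct].add("rapid_withdrawal")
    return flags


def review_queue(logins, transactions):
    """Merge both rule sets; accounts with the most indicators come first."""
    merged = defaultdict(set)
    for source in (login_flags(logins), transaction_flags(transactions)):
        for acct, found in source.items():
            merged[acct] |= found
    return sorted(((a, sorted(f)) for a, f in merged.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for account, indicators in review_queue(LOGINS, TRANSACTIONS):
        print(account, indicators)
```

A flag here is a prompt for analyst review alongside the customer's risk profile, not a finding of wrongdoing; a single rapid withdrawal, as on the constructed acct-3, is common in legitimate use.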
From a regulatory compliance perspective, in order to detect and prevent money muling, firms should take a risk-based approach, assessing each customer individually and implementing the following AML/CFT measures and controls:
Know Your Customer: Firms should implement suitable Know Your Customer (KYC) processes at onboarding and throughout the customer relationship in order to build accurate risk profiles. As part of the customer due diligence (CDD) process, for example, firms should establish and verify customer identities by requiring the submission of official documents such as passports and driving licences.
Beneficial ownership: In addition to CDD, firms should establish the beneficial ownership of customer entities. If a money mule has opened a shell company on behalf of a third party, firms must take steps to identify the real owners of that company and ensure that its accounts are not being used to launder money.
Source of funds: Money mules often handle large amounts of cash on behalf of money launderers. Firms should attempt to establish the origin of a customer’s funds to ensure that they have obtained the money in a manner that aligns with their wealth profile.
Transaction screening: Money mules may engage in transactions on behalf of persons that have been targeted by economic sanctions or that are politically exposed persons (PEP). Accordingly, firms should screen transactions against the relevant sanctions and watch lists to reveal potential risk liability.
Adverse media screening: Information about a customer’s involvement in financial crime may be revealed by news media before it is confirmed by official sources. Accordingly, firms should screen customers for their involvement in adverse media stories, including stories from foreign news outlets.
Next generation risk screening
In order to detect and prevent money muling, firms must be able to collect and analyse large amounts of customer data quickly and efficiently. Ripjar’s Labyrinth Screening platform enables your firm to search thousands of data sources in real time, including adverse media screening in 21 languages. Labyrinth Screening incorporates next generation machine learning technology to process complex structured and unstructured data so that your firm knows as soon as possible when your customers’ risk profiles change.
To learn more about how Ripjar can help your firm deal with money mule risks, contact us today.
The Netherlands has the 17th largest economy in the world by GDP and attracts an array of international businesses, including a growing number of innovative fintech service providers. As a global financial hub, the Netherlands has also become a target for money launderers and other financial criminals, who seek to exploit the country’s financial system. To meet that threat, the Netherlands’ government implements a robust anti-money laundering (AML) and counter-financing of terrorism (CFT) framework, with significant penalties for firms that fail to comply. Dutch authorities emphasise their focus on regulatory compliance: in 2021, for example, Dutch bank ABN Amro reached a €480m settlement with prosecutors after an investigation uncovered significant AML compliance failings.
AML regulations in the Netherlands represent an ongoing challenge. To ensure your company avoids penalties, it is important to understand the Netherlands’ AML/CFT infrastructure, and what it takes to achieve compliance.
What is the AFM?
The Netherlands’ primary financial regulator is the Authority for the Financial Markets, known as the Autoriteit Financiële Markten (AFM). Established in 2002 as a replacement for the Netherlands’ Securities Board, the AFM is an independent administrative authority that operates under the control of the Dutch Minister of Finance.
The AFM is responsible for supervising Dutch financial entities to ensure their compliance with AML regulations in the Netherlands. In that capacity, the AFM oversees the entire financial sector and its products and services, including “savings, investment, insurance, loans, pensions, capital markets, asset management, accountancy and financial reporting”. In order to achieve its supervisory objectives, the AFM has the authority to conduct inspections of Dutch financial institutions and, where necessary, enforce regulations by issuing warnings, filing reports with law enforcement agencies, and imposing fines and penalty payments.
The AFM shares its responsibilities with the Dutch central bank: De Nederlandsche Bank (DNB). The two entities work closely together, often sharing information. While the AFM focuses on supervising businesses in the Netherlands, and “promoting fair and transparent financial markets”, the DNB focuses on providing prudential supervision.
In conjunction with the DNB, the AFM is also responsible for issuing licences to all financial institutions that operate in the Netherlands. Firms in the Netherlands that wish to obtain a licence must meet a set of qualification criteria and complete the relevant application process.
Key AML Regulations in the Netherlands
The Netherlands’ main article of AML regulation is the Anti-Money Laundering and Anti-Terrorist Financing Act, known as Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft). The Act requires financial institutions in the Netherlands to take a risk-based approach to AML, as mandated by the Financial Action Task Force (FATF), which means they must perform risk assessments of individual customers and implement a range of compliance measures, including:
Identity verification: Firms in the Netherlands must establish and verify the identities of their customers as part of the customer due diligence process (CDD) in order to conduct an effective risk assessment. The identity verification process requires the collection of information such as names, addresses, dates of birth, and official company documentation.
Beneficial ownership verification: The CDD process should extend to the beneficial ownership of customer entities. Beneficial ownership checks are required to ensure that customers are not using corporate infrastructure or shell companies to conceal financial crimes.
Transaction screening: Firms in the Netherlands should screen customer transactions against the relevant risk data sources, including beneficial ownership registries, politically exposed person (PEP) lists, and sanctions lists.
Adverse media: Firms in the Netherlands should screen customers against global adverse media sources which may reveal changes in risk profile before that information is confirmed by official sources. Depending on risk exposure, it may be necessary to implement adverse media screening on a global scale, with name searches conducted in a range of foreign languages.
Anti-Money Laundering Directives: As a member of the EU, the Netherlands must implement the anti-money laundering directives (AMLD). The AMLD are released periodically by the European Parliament and include a range of updated AML/CFT measures that member states must transpose into domestic legislation. The latest directive, the Sixth Anti-Money Laundering Directive (6AMLD), came into effect in June 2021, introducing the following AML/CFT measures:
A harmonised list of 22 predicate offences for money laundering, including the 2 new offences of environmental crime and cyber-crime.
An expansion of the criminal scope of money laundering. Under 6AMLD, aiding and abetting money laundering now also falls under the definition of the offence of money laundering.
An extension of criminal liability for money laundering to legal persons. In practice, this means that companies (including management and senior executives) may be held liable for money laundering offences committed by individual employees.
An increase in the criminal penalty for money laundering. Under the new rules, money laundering offences must carry a minimum prison term of 4 years.
New ‘dual criminality’ rules to facilitate the joint prosecution of money laundering offences in different countries.
Recent AML Developments in the Netherlands
The AFM and the DNB keep firms in the Netherlands up to date with the latest AML/CFT regulatory developments. Key recent updates include:
Enforcement actions: The AFM publicises enforcement actions and the monetary penalties that it imposes for compliance failures. In June 2022, the AFM imposed compliance penalties on Revo Capital Management amounting to over €150,000 for infringements of the Wwft.
Ukraine sanctions: Following Russia’s invasion of Ukraine in February 2022, the DNB published guidance for firms in the Netherlands regarding new sanctions against Russia and Russian individuals.
Fintech: The AFM and the DNB publish guidance and recommendations regarding the regulations of fintech products and services, including cryptocurrencies and cryptocurrency service providers. In 2019, for example, both regulators called for the introduction of an international regulatory framework for cryptocurrencies, and for a national licensing regime for cryptocurrency exchanges. In June 2022, the EU announced it had reached an agreement on a Europe-wide crypto regulation framework, known as Markets in Crypto Assets (MiCA).
Next Generation Risk Management in the Netherlands
Ripjar’s Labyrinth Screening platform can help firms in the Netherlands reduce their compliance burden and streamline their screening processes. Labyrinth Screening enables firms to search thousands of risk data sources, including foreign news sources, in real time, in 21 languages. Incorporating next generation name matching technology, Labyrinth Screening enables you to react to changes in legislation or emerging criminal methodologies quickly and efficiently and be informed as soon as your customers’ risk profiles change.
Contact us to discuss how Ripjar can support your AML compliance in the Netherlands
Ransomware is a type of malicious software that encrypts a target computer or network so that its owners cannot access their stored data. The criminals in control of the ransomware then demand money – a ransom – from their victims in order to enable access. Since ransomware attacks take place online, victims rarely know who they are paying ransoms to, or understand the regulatory compliance risks associated with such payments. In 2021, it is estimated that ransomware cost global businesses around $20 billion, with that figure expected to rise to over $256 billion by 2031. However, it is notoriously difficult to gauge the real costs, as many organisations will not admit to paying a ransom.
In response to the significant criminal threat, global regulators and law enforcement authorities are increasing their focus on detecting and preventing ransomware attacks by imposing a range of penalties against those that launch them. In the case of state sponsored attacks, that also includes imposing sanctions. However, whatever actions regulators take, it is crucial that organisations remain vigilant by understanding ransomware risks and how to avoid falling victim to an attack.
Ransomware and Global Sanctions
Ransomware attacks are a popular criminal methodology amongst international criminals – and are often used to work around the restrictions imposed by international economic sanctions.
The crippling effect of ransomware attacks means that their victims may be inclined to make ransom payments to unknown criminals in order to free their data, despite the potential sanctions risk associated with doing so. Ransomware is such an effective way of thwarting sanctions measures and raising illegal funds that many ransomware attacks are sponsored by the governments of sanctioned countries, and deployed as part of extensive criminal campaigns targeting organisations in the media, energy, communications, and financial industries.
Recent examples of state-sponsored ransomware attacks include North Korea’s ‘Maui’ ransomware attack on US healthcare organisations in 2021, and Russia’s ‘NotPetya’ ransomware attack on Ukraine in 2017, which originally targeted financial, energy, and government networks but subsequently spread indiscriminately into Europe and back into Russia.
OFAC Ransomware Sanctions 2022
In September 2022, the US Treasury’s Office of Foreign Assets Control (OFAC) announced that it was imposing sanctions against several individuals and entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The sanctions followed an OFAC investigation that revealed the individuals and entities were behind a series of ransomware attacks against networks owned by US and global organisations. OFAC was also able to link the attacks to a number of Iranian state-sponsored hacking groups, known to cybersecurity entities as Nemesis Kitten, DEV-0270, APT35, Charming Kitten, Phosphorus APT, and Tunnel Vision. The ransomware attacks perpetrated by those groups included:
An attack on a New Jersey municipality in February 2021 that exploited a Fortinet vulnerability.
An attack on Microsoft BitLocker in March and April 2021, in which decryption keys were held for ransom. Numerous small businesses were impacted by the attack.
An attack on a US children’s hospital in June 2021 in which a group gained supervisory control of the network and of data acquisitions systems.
A series of attacks from June to September 2021 targeting transportation, healthcare, emergency services, education, and energy providers.
The IRGC-linked group sanctioned by OFAC is made up of employees and associates of Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company. The list includes:
Managing directors Mansour Ahmadi (Najee Technology) and Ahmad Khatibi Aghda (Afkar System).
Employees of Najee Technology and Afkar System: Mojtaba Haji Hosseini, Mohammad Shakeri-Ashtijeh, Mo’in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Ali Agha-Ahmadi, and Mohammad Agha Ahmadi.
Individuals linked to NET Peygard Samavat Company – as a result of links to the IRGC and the Iranian Ministry of Intelligence and Security.
OFAC’s sanctions mean that the assets of the Iranian persons designated have been frozen in the US, and US persons are prohibited from doing business with them. US firms that violate OFAC sanctions risk significant criminal penalties, while non-US firms risk being sanctioned themselves.
OFAC emphasised the damage that ransomware causes in the US, revealing that the cost of attacks reached “over $590 million in 2021” (up from $416 million in 2020). The US government suggests that figure does not reflect the true cost of the attacks, which also covers the disruption of critical systems and ordinary businesses.
Ransomware Risks
The global ransomware threat is a significant anti-financial crime (AFC) priority – especially given the risk of violating sanctions by paying the criminals behind attacks. In March 2022, the Association of Certified Anti-Money Laundering Specialists (ACAMS) released a report on its Global Ransomware Risks Survey, which took in respondents from public and private sector organisations. The report set out a number of key findings, including:
Only 40% of respondents believed their organisation was shielded from ransomware attacks.
Only 41% of respondents considered ransomware attacks as part of their sanctions compliance programs.
Only 24% of respondents were familiar with the potential sanctions compliance risk of paying ransoms to criminals.
Only 20% of respondents felt that their government authorities were doing a good job of protecting companies against ransomware attacks.
Almost 50% of respondents believed that they would be targeted by a ransomware attack in the next 12 months.
The ACAMS report reveals a need for firms around the world to strengthen their sanctions compliance programmes to account for the ransomware threat. In practice, this means implementing suitable cyber-security measures to detect and prevent ransomware attacks, and – should an attack happen – ensuring that they do not violate sanctions compliance regulations by making ransom payments. Firms may address the ransomware sanctions compliance risk in a variety of ways, including:
Reviewing their networks regularly for vulnerabilities to ransomware and other cyber-attacks.
Either directly or working with a Managed Security Service Provider (MSSP), implementing appropriate cyber-security measures across their network, including software solutions and employee training.
Implementing a ransomware sanctions compliance response should an attack take place.
Involving sanctions compliance teams and anti-money laundering (AML) teams in ransomware compliance policies and procedures.
Investing in ransomware insurance.
The ACAMS study revealed that only 24% of respondents were aware of the point at which they should elevate a ransomware attack to a financial crime compliance priority, while only 53% of respondents were aware of the terms of their ransomware insurance – and what they needed to do to comply with the terms of their coverage.
Ransomware Compliance
Addressing the sanctions compliance risk associated with ransomware requires firms to make decisions about customers and risk factors quickly. To meet that challenge, firms must collect and analyse a vast amount of data, and use that data to inform compliance processes before and during a potential ransomware attack. In practice, this means implementing an automated software platform as part of a sanctions compliance solution.
In September 2022, following OFAC’s sanctions announcement, cyber-security firm Secureworks confirmed the link between the designees and the IRGC. The confirmation followed a similar Secureworks Counter Threat Unit (CTU) investigation in May 2022 that revealed a link between ransomware attacks from the Cobalt Mirage group and the Iran-linked Phosphorus APT group.
As part of a next-generation risk management approach, Labyrinth Intelligence and Labyrinth Screening are two powerful tools used in the fight against ransomware and other types of financial crime. Integrating cutting-edge knowledge graph and machine learning technology, Labyrinth enables firms to make sense of complex, diverse, structured and unstructured data. It also enables real-time searches against thousands of global data sources including sanctions lists, watchlists, and adverse media sources, in 22 languages, seamlessly blending data to deliver actionable compliance intelligence.
In a constantly shifting sanctions and regulatory landscape, Labyrinth offers a way for firms to stay on top of customer activities and adapt quickly to emerging risks such as ransomware.
To learn more about how Ripjar can help your firm address ransomware risks, contact us today.
When financial service providers detect suspicious activity, their understanding of that activity may be limited by their own perspective, and represent only a glimpse of a wider criminal enterprise. That limitation offers criminals the chance to use different financial institutions to perpetrate money laundering schemes, layering deposits of illegal funds and exploiting a lack of awareness between organisations to evade anti-money laundering (AML) or counter-financing of terrorism (CFT) controls.
To address the money laundering threat, banks and other financial institutions must participate in a collaborative culture, sharing data and information (within the parameters of data protection laws) that might aid in the detection of money laundering. The Financial Action Task Force (FATF) includes information sharing in its 40 Recommendations, and releases guidance on how governments may facilitate information sharing in the private sector. In July 2022, the FATF released a report into data sharing between private institutions with the goal of helping jurisdictions “responsibly enhance, design and implement information collaboration initiatives”.
The 2022 report sets out the potential benefits and challenges involved in information sharing, along with advice on the integration of technology platforms to help firms better collaborate in the fight against money laundering.
Why is sharing information important for AML?
The FATF report included a range of case studies that demonstrated the effectiveness of information sharing for AML/CFT purposes. In particular, the report highlighted examples of firms struggling to identify a “complex suspicious transaction pattern” but then using shared information from other institutions to expose money laundering activity – or, conversely, remediate transactions as safe. Information sharing is even more important on a global scale, since money launderers may seek to use regulatory disparities between jurisdictions to move illegal funds across borders without triggering AML alerts.
What are the benefits and challenges of information sharing?
Information sharing delivers a number of important AML compliance benefits including:
Structuring and layering: Closer coordination between financial service providers may prevent criminals from introducing illegal funds into the financial system in different accounts or via different institutions, in amounts below AML reporting thresholds.
Cybercrime: When criminals use internet-enabled fintech products to launder money or commit cyber-crimes, firms may be able to identify them by sharing certain data, including, for example, IP addresses that have previously been associated with criminal activity.
Criminal methodologies: Financial institutions may be able to share information about new money laundering methodologies or compliance blindspots that helps the wider financial community identify criminal activity.
Despite the clear AML utility, inter-organisational information sharing also involves a spectrum of administrative and legal challenges:
Data privacy: Most jurisdictions have implemented strict data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR), that limit what organisations can do with the information they hold on their customers. While firms may use personal data to meet AML/CFT compliance obligations, they must be careful to adhere closely to data handling rules.
Technology limitations: While firms may be willing to share information, their technological infrastructure may prevent them from doing so. Technology limitations may require firms to upgrade or change compliance software.
Scope: Firms may struggle to determine the scope of their information sharing requirements and capabilities. Data privacy regulations may also limit the scope of the information that can be shared.
Competition: Firms may be reluctant or unwilling to share information out of concern that they may suffer adverse business consequences for doing so, or lose a competitive edge against rivals.
Information sharing initiatives between financial institutions
The FATF’s report suggests that private sector firms may be encouraged to participate in information sharing practices via specially designated government initiatives. These initiatives provide secure platforms for private sector institutions to collaborate within clear regulatory objectives and data protection limitations.
In 2015, the UK established the Joint Money Laundering Intelligence Task Force (JMLIT), characterised as “a partnership between law enforcement and the financial sector to exchange and analyse information relating to money laundering and wider economic threats”. JMLIT currently has over 40 private sector financial institutions that work with the UK’s Financial Conduct Authority (FCA) and law enforcement agencies such as the NCA and HMRC.
In order to prepare to participate in information sharing initiatives, the FATF suggests that firms should:
Become familiar with the data sharing technologies that the initiative will involve, including understanding interoperable data formats.
Assess internal data protection and privacy (DPP) policies to ensure alignment with national regulatory standards.
Implement data sharing agreements with other parties involved in the initiative in order to set out participatory expectations.
Engage and communicate regularly with the financial and law enforcement authorities tasked with supervising the data sharing initiative.
Develop indicators or metrics for measuring success as participants in the data sharing initiative.
Innovations in data sharing
Information sharing initiatives encourage a culture of collaboration and strengthen collective efforts to detect and prevent financial crimes across the world. Similarly, collaborative initiatives may offer individual financial institutions access to valuable AML innovations.
In 2022, for example, the FCA launched a study into the potential for algorithmically-generated “synthetic data” as a way to expand access to data in the private sector, and create novel opportunities for firms to share data. Synthetic data would also avoid many of the data protection challenges that affect or prevent firms sharing personal customer data. The US is also exploring data and information sharing innovations: in January 2021, the Anti-Money Laundering Act 2020 introduced new requirements for US financial institutions and authorities to develop “appropriate frameworks for information sharing” backed by suitable security measures.
One of the wealthiest countries in Europe and the world, France has an economy that attracts diverse business interests, including international banks and fintechs. Unfortunately, the prominence of its economy also makes France a target for criminals, who seek to launder money, finance terrorist activities, and commit financial crimes.
In response to that criminal threat, the French government imposes a range of strict anti-money laundering (AML) and counter-financing of terrorism (CFT) regulations on its financial institutions. In order to avoid compliance penalties and contribute to the fight against financial crime, firms operating in France should understand how to meet those compliance obligations efficiently.
Who are France’s Financial Regulators?
France has established a number of financial supervisory authorities. These include:
Autorité des Marchés Financiers
The Autorité des Marchés Financiers (AMF) is France’s main financial supervisory authority and is responsible for regulating the country’s “financial marketplace, its participants, and the investment products distributed via its markets”. The AMF has the authority to “monitor and where necessary, inspect, investigate and enforce” in order to ensure that firms within French jurisdiction operate in compliance with financial regulations. The AMF also participates in the development of AML/CFT regulations in Europe, and plays a role in the European Securities and Markets Authority (ESMA).
Autorité de Contrôle Prudentiel et de Résolution
An independent administrative authority, the Autorité de Contrôle Prudentiel et de Résolution (ACPR) is responsible for regulating France’s banking and insurance businesses under the direct authority of the Banque de France. Like the AMF, the ACPR focuses on protecting France’s financial stability by monitoring compliance with AML/CFT regulations, maintaining a dialogue with financial sector organisations, and representing France in global financial organisations.
Traitement du renseignement et action contre les circuits financiers clandestins
The Traitement du renseignement et action contre les circuits financiers clandestins (TRACFIN) operates under the authority of the French Ministry of Finance. Its mission is to maintain the health of the French economy by fighting against financial crime, money laundering and the financing of terrorism. Under that remit, TRACFIN is responsible for the analysis and investigation of suspicious activity reports submitted by French financial institutions.
Financial Action Task Force
As a member of the Financial Action Task Force (FATF), the French government transposes FATF guidance into domestic legislation, to be enforced by financial authorities such as the AMF. Accordingly, firms in France must take certain fundamental regulatory steps to achieve regulatory compliance, including developing an AML/CFT solution, taking a risk-based approach to AML/CFT, and appointing a money laundering officer responsible for overseeing internal compliance processes and communicating with financial authorities.
What are France’s Key AML/CFT Regulations?
French AML/CFT compliance involves the following key regulations and controls:
French Law: The French Monetary and Financial Code and the French Criminal Code criminalise money laundering and terrorism financing in France.
The AMF General Regulation: The General Regulation sets out the AML/CFT compliance rules that all French institutions must follow. The AMF regularly updates the general regulation to incorporate changes to French and European law.
AMF Recommendations: The AMF periodically releases specific guidance on aspects of AML/CFT laws. Recent AMF recommendations include:
AMF Doc-2019-15: Guidance on implementing a risk-based approach to AML/CFT.
AMF Doc-2019-16: Guidance on establishing beneficial ownership.
AMF Doc-2019-17: Guidance on screening for politically exposed persons (PEP).
AMF Doc-2019-18: Guidance on the reporting of suspicious activity to TRACFIN.
The Sixth Anti-Money Laundering Directive: As an EU member-state, France must implement the anti-money laundering directives (AMLD) which are updated regularly to ensure regulatory parity across the continent. The latest directive is the Sixth Anti-Money Laundering Directive (6AMLD) which came into effect on 3 June 2021 and introduced the following key regulatory changes:
A harmonised list of 22 money laundering predicate offences, including the two new predicate offences of environmental crime and cyber-crime.
An expansion of the definition of money laundering to include aiding and abetting.
An extension of criminal liability for money laundering to include legal persons such as companies – effectively ensuring management employees share responsibility for the criminal actions of individual employees.
Increased punishments for money laundering, including a minimum prison sentence of four years.
The introduction of information sharing requirements between different EU jurisdictions to better facilitate criminal convictions.
How to Comply with French AML Regulations
AML compliance should be a significant priority for firms in France. Under the risk-based approach, firms must conduct risk assessments of individual customers and implement automated software systems capable of managing the data collection requirements of French AML regulations. In practice, an effective AML/CFT solution in France involves:
Customer identification: Firms should conduct suitable customer due diligence (CDD) to identify their customers and build accurate risk profiles.
Beneficial ownership: Firms should conduct beneficial ownership checks to ensure that customers are not using corporate structures or shell companies to disguise money laundering.
Transaction screening: Firms should screen customer transactions against relevant lists and registers – including politically exposed persons (PEP) lists, beneficial ownership registers, and international sanctions lists, such as the EU’s consolidated list.
Adverse media screening: Changes in customer risk profiles may be reported in media sources before they are confirmed by official sources. With that in mind, firms in France should implement an adverse media screening solution to capture stories from around the world that involve their customers.
Recent AML/CFT Developments in France
The AMF publishes the latest updates to French AML/CFT regulation on its news page. Key recent developments include:
MiCA: In July 2022, the AMF publicised the provisional agreement on the EU’s new crypto regulatory framework, known as Markets in Crypto Assets (MiCA). The framework will regulate crypto-assets and stablecoins across the bloc, along with new compliance requirements for cryptocurrency exchanges. The framework will replace France’s existing PACTE law.
ESG data: In June 2022, the AMF reiterated its call for a Europe-wide regulatory framework for environmental social and governance (ESG) data. The call reflects the increasing significance of ESG data in financial risk management. The AMF suggested that a centralised EU ESG data resource would guarantee “harmonised supervision”.
Ukraine sanctions: Following Russia’s unprovoked invasion of Ukraine, the AMF publicised guidance for French firms regarding the enforcement of sanctions against Russia and against Russian individuals. In April 2022, the AMF issued guidance on new economic sanctions against Russia which directly affected French asset management companies.
Next Generation Compliance
Our Labyrinth Screening platform enables firms in France and around the world to enhance their AML/CFT compliance performance. Labyrinth Screening incorporates next generation machine learning technology to match customer names across thousands of global data sources, including PEP lists, sanctions lists and adverse media sources, in 21 languages. Use our cutting-edge risk management technology to adapt to new regulations and emerging risks in a challenging global landscape.
One of the wealthiest countries in Europe and the world, Austria is a business destination for hundreds of multinational organisations including banks and fintechs. While Austria’s economic status attracts international investment, it also creates a range of criminal challenges, including money laundering and the financing of terrorism.
To address those threats and protect its financial system, the Austrian government has implemented a range of strict anti-money laundering (AML) and counter-financing of terrorism (CFT) regulations. As a member of the European Union, Austria’s AML/CFT landscape is aligned with the rest of the bloc – which means that it also implements the EU’s Anti-Money Laundering Directives.
In order to comply with Austrian AML/CFT regulations, companies in Austria must understand their regulatory obligations, and their relationship with regulatory authorities.
What is the FMA?
The Financial Market Authority (FMA) is Austria’s financial supervisory authority. Established in 2002, the FMA provides supervision for all financial service providers in Austria, including banks, insurance companies, pension companies and investment firms. The FMA works to ensure that Austrian companies comply with the country’s financial regulations and implement suitable internal measures and controls to detect and prevent money laundering and terrorism financing.
As an ‘integrated’ authority, the FMA handles all regulatory procedures ‘under one roof’ – from issuing licences to obligated entities and conducting ongoing supervision, to working with law enforcement authorities in AML/CFT investigations.
The FMA also works with its international counterparts, particularly those across the EU, to serve the interest of Austria, and to contribute to the global fight against money laundering.
What are Austria’s Key AML Regulations?
Austria’s EU membership requires it to implement the money laundering regulations set out in the Anti-Money Laundering Directives (AMLD) in its domestic AML/CFT legislation. Austria is also a member of the Financial Action Task Force (FATF) which imposes a number of fundamental AML/CFT requirements, including the need to treat money laundering as a crime, to establish a national AML/CFT supervisory authority, and for firms to take a risk-based approach to AML/CFT.
With those requirements in mind, Austria has criminalised money laundering under its criminal code and has implemented the following key AML/CFT regulations:
The Financial Markets AML Act: The AML Act is intended to prevent the misuse of Austria’s financial system for money laundering and terrorism financing – and was introduced in 2017 following the EU’s Fourth AMLD. The Act requires companies in Austria to put suitable risk-based AML/CFT measures and controls in place and to report suspicious activity to the FMA.
The Beneficial Owners Register Act: In response to the Fifth AMLD requirement that member states create publicly available beneficial ownership registers, Austria passed the Beneficial Owners Register Act.
The FMA has issued a range of supplementary AML/CFT regulations in order to address money laundering and terrorism financing threats, including:
Regulation on Savings Associations (SpVV)
School Savings Schemes Due Diligence Regulation (Schulspar-SoV)
Online Identification Regulation (Online-IDV)
Regulation on Due Diligence for Fiduciary Accounts (AndKo-SoV)
Corporate Provision Funds Risk Analysis and Due Diligence Regulation (BVK-RiSoV)
Life Insurance Due Diligence Regulation (LV-SoV)
How to Ensure Your AML Compliance in Austria
Following FATF Guidance, the FMA requires firms in Austria to put a risk-based AML/CFT solution in place to detect and address criminal threats. The risk-based approach requires firms to conduct risk assessments on individual customers in order to build an accurate risk profile and identify higher risk customers that warrant more intensive AML/CFT scrutiny. With those considerations in mind, AML compliance in Austria should entail the following processes:
Identity verification: Firms should establish and verify the identities of their customers by collecting suitable customer due diligence information such as names, addresses, dates of birth, and relevant company information. Beneficial ownership should also be established.
Transaction screening: Firms should screen customer transactions for signs of suspicious activity that may be indicative of money laundering.
Sanctions screening: Firms must ensure that they are not doing business with the targets of international sanctions. Accordingly, they should screen customers against relevant international sanctions lists, including the EU consolidated list.
PEP screening: Politically exposed persons (PEP) such as elected officials, government employees, or members of the military pose a higher risk of money laundering. Firms should screen their customers against PEP lists at onboarding and throughout the business relationship.
Adverse media: Many news outlets report on AML/CFT risk factors, such as sanctions risk or involvement in organised crime, before that information is confirmed by official sources. With that in mind, firms should implement an adverse media screening solution in order to capture news stories from around the world that involve their customers. Adverse media screening software should be able to search across foreign language news sources and take into account the relevance and quality of those sources.
Recent AML/CFT Developments in Austria
While 6AMLD is now in effect, the EU recently announced an overhaul of its AML/CFT framework. The update will introduce ‘an ambitious package of legislative proposals’ and serve as an update to 6AMLD. As an EU member, Austria must implement the regulatory requirements of the updated 6AMLD, which include:
The introduction of cross-border asset registers.
A proposal for a Financial Intelligence Unit (FIU) joint analysis framework to aid cross-border AML investigations across the EU.
New guidance on the type of information that should be held in beneficial ownership registers.
The establishment of a public body with a duty of oversight over self-regulatory bodies.
The introduction of National Risk Assessments (NRA) to be conducted every four years.
New whistleblower protections including strengthened data privacy rules.
Next Generation AML Technology
Ripjar’s Labyrinth Screening solution has been designed to enhance the risk management process and make AML/CFT compliance in Austria faster and simpler. Harness next generation name-matching software to screen customers in real time, drawing data from global sanctions, watch lists and adverse media sources across 21 languages. Use AI-enabled AML technology to inform risk decisions and ensure your business stays ahead of its obligations in a changing regulatory landscape.
The Financial Action Task Force (FATF) has applied its anti-money laundering (AML) and counter-financing of terrorism (CFT) standards to virtual assets and virtual asset service providers (VASP) since 2019. The intergovernmental body has noted that virtual assets have “the potential to radically change the financial landscape” but that regulators must also become familiar with a “new vocabulary” in order to effectively address the criminal threats that the technology brings.
Regulatory Progress
The FATF has issued periodic updates and guidance on how its standards should be applied to virtual assets and VASPs, with a heavy focus on Recommendation 16, also known as the ‘Travel Rule’. Recommendation 16 requires private sector institutions to trace both the originators and recipients of funds when they are sent across borders, and maintain suitable records of those transactions.
In practice the Travel Rule requires firms to implement suitable Know Your Customer (KYC) measures, including capturing names, addresses, and account numbers in order to establish the identity of customers and counterparties. In the context of virtual assets, service providers must ensure they collect this information despite the anonymity challenges associated with cryptocurrency transactions.
As of 2022, the FATF noted that the vast majority of jurisdictions had not passed the relevant laws necessary to implement the Travel Rule for virtual assets. A 2022 FATF report revealed that, since June 2021, of 98 responding jurisdictions only 29 had passed virtual asset Travel Rule legislation and only 11 had implemented any enforcement or supervisory measures. The report suggests that the level of Travel Rule implementation amongst non-reporting FATF jurisdictions is likely to be slower than reporting jurisdictions.
The FATF found that the delay in the implementation of the Travel Rule in some jurisdictions was a result of undeveloped or in-progress virtual asset regulatory regimes, or a lack of domestic expertise in Travel Rule compliance.
Travel Rule Implementation
Both the FATF’s research and open source reports suggest that the private sector has led in the implementation of the Travel Rule, often going beyond requirements for the public sector. Private sector VASPs are taking advantage of novel technological solutions to achieve Travel Rule compliance, with a focus on interoperability with other AML/CFT solutions, and the need to scale with global solutions implemented by counterparts.
Despite the private sector progress, the FATF has highlighted a number of challenges affecting Travel Rule implementation. These include:
Some Travel Rule compliance solutions are only compatible with certain types of virtual assets.
Some VASPs, along with counterparties or third-party service providers, require approval over Travel Rule compliance solutions.
A lack of consensus over which solution (or solutions) will meet FATF and local compliance obligations.
A lack of shared and clear information about VASP Travel Rule obligations from official sources.
The FATF has acknowledged that many VASPs are still in the very early stages of Travel Rule implementation. In order to accelerate that process, the FATF has emphasised the need to engage with jurisdictional authorities and the private sector, and encourage the further development of solutions “that are global, interoperable, and can accommodate for nuances across national requirements.”
Emerging Issues and Risks
The need for VASPs to implement the Travel Rule has grown more urgent as a result of developments on the cryptocurrency landscape. The FATF has set out some of the key emerging risks and market developments:
Decentralised finance
FATF research suggests that decentralised finance (DeFi) markets have grown significantly from 2021-22, with increasing use of stablecoins and cross-chain bridge software. The FATF has stated that it will continue to monitor DeFi developments to ensure that AML/CFT standards remain relevant.
Non-fungible tokens
Like DeFi markets, use of non-fungible tokens (NFT) has also increased, along with opportunities for criminals to use them to launder money. The FATF notes that the increase in active wallets trading in NFTs and disparities in the way NFTs are defined across jurisdictions has created new AML/CFT risks.
Peer-to-peer payments
The FATF has noted that peer-to-peer (P2P) payments of virtual assets potentially fall outside the scope of the AML/CFT recommendations – and will continue to monitor emerging risks.
Stablecoins
As stablecoin liquidity increases, so do the potential risks to consumers. The FATF has stated that it will “continue to facilitate discussion between jurisdictions and other standard setting bodies” on VASP regulation implementation issues as they relate to stablecoins.
Sanctions evasion
The FATF has recognised the potential for the anonymity of virtual assets to aid attempts at sanctions evasion – although liquidity limitations have prevented this happening on a large scale. With that in mind, the FATF has noted that the Travel Rule is vital in helping VASPs identify counterparties involved in transactions.
Ransomware
The criminal use of virtual assets is often linked to ransomware money laundering, with criminals using non-compliant VASPs to transform illegal proceeds. In addition to implementing the Travel Rule, the FATF has highlighted opportunities to use blockchain analytics technology to trace ransomware-related money laundering.
VASP Compliance: Next Steps
The FATF has urged member states and jurisdictions to “lead by example” in order to promote the implementation of the Travel Rule by encouraging VASPs to share knowledge and good practices. In particular, the FATF has highlighted the importance of technological solutions in achieving Travel Rule compliance and especially in cross-border compliance. Similarly, the FATF suggests that the private sector should work to “facilitate interoperability across Travel Rule technological solutions”.
In order to comply with the Travel Rule, and adapt to the changing landscape of virtual asset regulations, VASPs and other obligated entities must implement suitable risk management solutions to analyse vast amounts of customer and transaction data. Ripjar’s Labyrinth platform is designed with that requirement in mind, integrating advanced screening software and machine learning systems capable of capturing data in real time from across the world – and ensuring that your organisation is informed as soon as its risk exposure changes.
On 1 July 2022, T. Raja Kumar became the first Singaporean president of the Financial Action Task Force (FATF), succeeding the outgoing German Presidency of Dr Marcus Pleyer. President Kumar brings a depth of experience to his role at the head of the inter-governmental anti-money laundering authority, including senior leadership roles in Singapore’s police force and Ministry of Home Affairs. Kumar described his new position as “an honour and a privilege” and stated that the FATF Singapore Presidency would “focus on enhancing the effectiveness of anti-money laundering and counter-terrorist financing measures across FATF member jurisdictions and the wider Global Network”.
Reinforcing FATF partnerships with FATF-style regional bodies (FSRB)
Given the important role that the FATF plays in setting global anti-money laundering (AML) and counter-financing of terrorism (CFT) policy and regulations, it is important that banks and financial institutions become familiar with the FATF’s objectives under the Singapore Presidency.
With that in mind, we’re taking a closer look at the key points of interest raised in the FATF’s recently published Objectives for 2022-2024.
Cyber-Enabled Crime
The FATF Singapore Presidency recognised that cyber-enabled crime (cybercrime) has dominated the financial compliance landscape since 2020 – and will only continue to increase in sophistication. If authorities do not implement strategies to address the threat, the Singapore Presidency notes that more criminal organisations will engage in cybercrime, and pose a growing threat to global financial stability.
Given that threat, and the potential for criminals to take advantage of new technologies to perpetrate sophisticated crimes, the Singapore Presidency will introduce a new initiative focusing on money laundering and terrorism financing strategies that are linked to cyber-enabled crimes such as frauds and scams. The initiative will:
Seek to understand the challenges associated with cybercrime AML/CFT.
Analyse the types of money laundering techniques used in relation to cybercrime.
Identify appropriate tools to fight cybercrime, including data analytics and industry partnerships.
Highlight best practices to help FATF members learn how to fight cybercrime-related money laundering and terrorism financing.
Global AML Measures
The FATF Singapore Presidency has announced that “increasing the effectiveness of AML/CFT measures” will be a key focus of its role. It has committed to continuing and completing the FATF’s existing work plans which include a review of FATF standards to ensure that they remain relevant and up to date, and undertaking groundwork for the fifth round of FATF mutual evaluations. In more detail, the work plans will include:
Virtual assets: The FATF will monitor the new money laundering and terrorism financing risks relating to virtual assets and virtual asset service providers (VASP). The work will include the implementation of best practices and mitigation measures, and efforts to ensure that countries are able to apply FATF recommendations to virtual assets.
Beneficial ownership: The FATF will oversee the completion of new guidance on amendments to FATF recommendations on beneficial ownership information for trusts and other legal arrangements.
Data analytics: The FATF will promote the adoption of data analytics by financial authorities by “sharing and focusing on” case studies.
Risk awareness: The FATF will continue to raise awareness of money laundering and terrorism financing risks associated with environmental crime, the illegal wildlife trade, and grand and systemic corruption.
Strategic Review outcomes: Following the FATF Strategic Review in April 2022, the Singapore Presidency will work to implement the relevant outcomes. This effort will include updating training materials and making sure that financial experts are available to conduct effective mutual evaluations and reviews based on these new areas of assessment focus.
In continuing the FATF’s work plans, the Singapore Presidency will also focus on strengthening a culture within the FATF that identifies best practices quickly and that drives AML/CFT effectiveness by sharing knowledge.
Additional AML/CFT Priorities
In addition to the key cyber-enabled crime initiative and the implementation of ongoing FATF work plans, the Singapore Presidency has committed to a number of additional operational initiatives.
Asset Recovery
The FATF Singapore Presidency has indicated that it will help countries enhance asset recovery related to financial crimes – and in particular from “fraud, scams, and ransomware”. The FATF will conduct an assessment of current asset recovery networks in order to develop strong operational systems and to encourage “substantive changes” in the way that countries approach the asset recovery process. The effort will include increased collaboration between the FATF, FSRBs and asset recovery networks, and cooperation with strategic partners such as the UN, the IMF and INTERPOL. The FATF will convene a Global Roundtable with law enforcement agencies, regulators and investigators in order to focus on actionable changes.
FSRB Partnerships
Building on the work of the German Presidency, the FATF Singapore Presidency will seek to closely partner with FSRBs in order to strengthen the FATF’s Global Network in the fight against money laundering and the financing of terrorism. The Singapore Presidency will aim to focus on the specific needs of FSRBs, their current levels of expertise, and the next round of mutual evaluations.
FATF Compliance
The FATF Singapore Presidency’s priorities indicate a growing focus on the risk of cybercrime, and a need for banks and financial service providers to respond to the sophistication of criminal money laundering methodologies. With that in mind, organisations should seek to implement a risk management solution capable of capturing a broad range of risk data in a constantly-changing regulatory environment, and do so with a global perspective by incorporating information from foreign sources.
Ripjar’s Labyrinth Screening solution is designed to meet that requirement, integrating cutting-edge compliance technology and machine learning tools. Labyrinth includes next generation adverse media screening enabling clients to match customer names against a spectrum of foreign language news stories and stay informed of changes to risk profiles – before that news is confirmed by domestic outlets or even official sources.