To defend the market from criminal enterprises, drug dealers, corrupt public officials, and terrorists, governments came up with a counter-move: defensive regulatory AML and KYC policy that has to be adopted by all financial businesses. To comply, you have to learn how to translate these intricate rules into a real, compliant company process.
If you don’t know where to start, follow our template to figure out your company’s AML flow one step at a time.
Anti-Money Laundering (AML) policy is a combination of measures used by a financial institution to stop the reintroduction of the proceeds of illegal activities. The implementation of such rules is mandatory and overseen by regulatory authorities.
Business AML policy is often a combination of the FATF recommendations and locally introduced laws. The location of a business determines which regulatory authority oversees the implementation of the appropriate controls and issues fines for non-compliance. Examples include BaFin in Germany, FINTRAC in Canada, and MAS in Singapore.
Having experience developing AML policies for financial institutions ourselves, we have gained a first-hand perspective on what it takes and what works best for business. This template is based on the US Bank Secrecy Act (BSA), EU 4th Anti-Money Laundering Directive (AMLD4), and FATF recommendations.
First, a business must introduce three main statements.
These are the three pillars on which a company builds the foundation for everything else.
At this point, a business needs to nominate a compliance officer—a company member responsible for everything concerning the business’s AML program. State their name, qualifications, and responsibilities.
Here a company describes how they will be able to satisfy financial intelligence units and law enforcement requests for information on criminal activity. A company must describe its actions and procedures that will be initiated upon such a demand from the authorities and how a company is going to document the situation.
This part is dedicated to the process of sharing the accumulated AML data with other financial entities to identify and prevent money laundering elsewhere. The policy must describe a secure and confidential process that will not allow for data leaks.
Before entering a business relationship or opening an account for a client, financial companies must verify that the person they are working with is not on any sanction or blocklist. One example of such a list is the US Specially Designated Nationals List (SDN).
A company must state its standard procedure for checking clients against these lists and how it will stay aware of the latest changes to them.
Identity check is the central part of an AML compliance policy. Here a company must specify a list of comprehensive and reliable measures that will help them accurately verify the identities of their clients upon opening an account or registering in their service. There are 8 major points to correctly establish this part of a business AML policy.
The first step of identity verification is to ask a person to submit the relevant data. The company must determine what data they will find sufficient for the check of individual, corporate and high-risk clients.
There are many cases of people refusing to share sensitive information for fear of data leaks. For that reason, a company needs to state how it will handle cases when a customer intentionally refuses the request for information or submits a false name, address, etc.
A company must state the means it will use to verify its clients’ identities. It could be via documents, biometrics, or both, with the use of verification software or manually.
Here a company must indicate how long it will take to verify a client and its policy regarding the restriction on transactions for unverified accounts.
An AML policy must include a strategy for those occasions when a client is impossible to identify — restrict them from opening an account, limit their transactions, or block them entirely.
This part refers to the measures taken to keep track of all AML-related procedures and documents, including the format of identity verification and its results. A company should also mention how long these documents will be kept (according to the relevant regulatory requirements). Under BSA and AMLD4 it is 5 years.
Here a company describes the system they use to adequately notify clients about the necessity of identity verification and its results.
The last point under identity verification is to describe the process of client identification and information handling if the data is verified by a different organization.
This step is about the measures taken as a part of customer due diligence (CDD) for those identified as beneficial owners, senior management, politically exposed persons (PEP), etc. A company should also specify the basis of its risk rating system and how it determines whether the case requires simplified due diligence, customer due diligence, or enhanced due diligence.
Here, it would also be necessary to state when a customer triggers adverse media or sanctions list checks and when they should be subject to ongoing monitoring.
Lastly, a very important part of an AML policy is to promptly respond to the detection of suspicious activity and correctly form a compliant declaration—Suspicious Activity Report (SAR). A company must specify the necessary information that needs to be mentioned in the report alongside the deadlines. As an example, BSA gives 30 days to file a report before issuing a fine.
This sample template can be conveniently used by businesses; however, there is more to add to an all-round anti-money laundering policy.
Sumsub’s automated KYC/AML solution and expert advice have helped over 1,000 businesses to develop a compliant AML policy that always leaves regulators satisfied with the installed controls.