The challenges of setting up an effective AML/CFT
compliance policy for a financial group
Yi-Chang Liu
CAMS-Audit Advanced Certification White Paper
March 2018
Disclaimer
The opinions and views in this white paper express only the author’s thoughts and do not
necessarily reflect any internal policies of the financial institution where he works.
Contents
1. Preface
2. Introduction
3. The Framework of group policy
3.1 Minimum requirements
3.2 Risk scoring and evaluation
3.3 Address and adjust
4. Regulatory differences and arbitrage
5. Communication and pre-warning alerts
6. Audit function
7. New business sector
8. Conclusion
1. Preface
Most anti-money laundering and countering financing of terrorism (AML/CFT) compliance
is focused on banking. In Taiwan, unlike other jurisdictions, a financial holding
company [1] is authorized to be set up in accordance with the “Financial Holding Law”,
and it covers different financial entities including banking, insurance, securities, trust,
asset management, leasing, futures and so on.
However, each entity’s regulatory authority is different from the others. For example, the
banking sector and the insurance sector are regulated by the Banking and Insurance
Bureaus of the Financial Supervisory Commission (FSC) of Taiwan [2], respectively, which
implement a higher level of regulation on AML/CFT. Other entities such as leasing or asset
management companies (AMC) are regulated by the Ministry of Economic Affairs [3] or the
Ministry of Interior [4], whose AML/CFT regulations set a lower compliance requirement
than the others. Therefore, the compliance methodology and AML/CFT regulatory risk are
much more complex for a financial group with various entities.
This white paper will try to lay out proper practices beginning with the basic principles,
in hopes of sorting out a better solution for a holding company to comply efficiently
with Taiwan’s financial services regulatory landscape.
[1] Financial Holding Company Act of Taiwan: Article 4 “Financial holding company” shall mean a company established in accordance with this Act and having a controlling interest in a bank, insurance company and/or securities firm.
[2] The Financial Supervisory Commission (FSC) was established on 1 July 2004 as the competent authority responsible for development, supervision, regulation, and examination of financial markets and financial service enterprises in Taiwan. The FSC seeks to ensure safe and sound financial institutions, maintain financial stability, and promote the development of our financial markets. Since its establishment, the main goals of the FSC have been to: create a sound, fair, efficient, and internationalized environment for financial industry, strengthen safeguards for consumers and investors and help financial industry achieve sustainable development.
[3] The Ministry of Economic Affairs is in charge of formulating and implementing economic policy. Its operational scope embraces trade, industrial development, water resources, investment, energy, mining, national corporations, commercial affairs, small and medium enterprises, intellectual property, standards and measurements.
[4] Ministry of Interior is in charge of the nation’s internal affairs.
[Figure: A structure of a financial holdings company and its subsidiaries]
2. Introduction
A domestic financial holding company with foreign subsidiaries or branches faces
regulations from different jurisdictions and regulatory authorities, which makes
establishing, complying with, supervising and auditing its programs more complex. Each
entity needs to meet its own compliance level; for example, the banking AML/CFT
regulations are much stricter than the regulations for trust, which would probably direct
illicit customers to invest through a fund house, such as PE funds, instead of buying a
large insurance policy through bancassurance [5], which implements a higher level of
know-your-customer (KYC) process.
[5] The process of using a Bank’s branch, sales network, and customer relationships to develop sales of insurance products. http://siteresources.worldbank.org/FINANCIALSECTOR/Resources/Insurance_Bancassurance.pdf
Believing that this is an accentuated problem, we need to build an effective and
appropriate AML/CFT policy [6] for a financial group [7].
— What can a financial holding company do to navigate the complexity of the
regulatory landscape? Is the principle of general good always the best
solution?
This white paper focuses on the establishment of a group-level policy in Taiwan,
together with issues of risk assessment, identification, mitigation, communication and
enhancement of AML/CFT compliance.
A financial holding company that operates in multiple business sectors needs to
comply with a variety of laws and regulations from different regulatory authorities.
Each of these business sectors, while considering the different types of products it sells,
would have varying levels of risk which would in turn require different strengths of
compliance.
[6] THE FATF RECOMMENDATIONS 2012: 18 Financial institutions should be required to implement programmes against money laundering and terrorist financing. Financial groups should be required to implement group wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions should be required to ensure that their foreign branches and majority owned subsidiaries apply AML/CFT measures consistent with the home country requirements implementing the FATF Recommendations through the financial groups’ programmes against money laundering and terrorist financing.
[7] Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries of Taiwan: Article 8 Financial holding companies and banking businesses which set up foreign branches (or subsidiaries), shall establish an additional group-level AML/CFT program, which shall include intra-group information sharing policies and procedures for AML/CFT purposes, based on the laws and regulations of countries or jurisdictions where the foreign branches (or subsidiaries) are located.
However, considering a financial group’s ML/FT risk, we need to set up a general
program and policy that can sustain the high-risk business and also make sure that the
lower-risk businesses, such as leasing or AMC, meet the minimum requirements [8]. It is
not just about what a financial holding company should or should not do, but what the
head office of the financial group can do to build a solid and effective compliance
program for its entities as a whole.
3. The Framework of group policy
— Try to imagine that we are sitting in a classroom with AML/CFT officers
representing every business line of a financial group. Can we unanimously require
every student in the classroom to be A-level?
An AML/CFT program needs to be well thought out, and its rules need to fit different
financial services with various regulatory risks. It may be the case that a low-risk
customer who engages with the AMC turns out to be a high-risk client doing business
with the commercial bank in the same financial group. The situation may be even more
complicated if the client owns multiple passports and lives in a high-risk country but
trades in a low-risk country.
On the other hand, the AMC does not need to do an annual risk assessment according
to its AML/CFT regulation, whereas other business sectors need to do the assessment
every year in line with their regulations. Accordingly, in the aspect of risk assessment,
different business lines within a financial group have different regulatory
strengths to comply with. Under this circumstance, how can we set up an effective risk
appetite for a financial group if certain business sectors have different approaches?
[8] Originally from Basel Committee: Basel III is an internationally agreed set of measures developed by the Basel Committee on Banking Supervision in response to the financial crisis of 2007-09. The measures aim to strengthen the regulation, supervision and risk management of banks. Like all Basel Committee standards, Basel III standards are minimum requirements which apply to internationally active banks. Members are committed to implementing and applying standards in their jurisdictions within the time frame established by the Committee.
A single financial institution with a single business line can precisely follow the
regulations published by its authority. On the other hand, a financial group with
multiple business lines has to comply with different regulations published by different
authorities without standard practices that fit all, which can be very tricky. The truth
is that it is not practical to search for the same strength level of procedure and process,
in terms of the general good among these regulations, or to try to balance the compliance
standard by mitigating risk appetite [9]; for example, the banking business cannot adopt
the lower AML/CFT requirements of liability insurance, or even the AMC’s standard, which
could jeopardize its AML/CFT compliance. However, if the leasing company is requested to
comply with the higher level of the banking business, the intense KYC process could affect
daily business with its customers, leading to revenue loss as customers walk away.
3.1 Minimum requirements
It is clear that the various subsidiaries have different regulations to comply with, which
means that no enterprise-wide guidance and policy can fit all
companies within a financial group. The extent to which we set up a group standard
depends on whether the inherent risk has been mitigated and the residual risk has
fallen within the risk appetite. The crucial task is to understand the risks and what we
do to mitigate them. After assessing and evaluating risks, we can identify the risk that
we need to control and mitigate by building up an internal compliance standard.
Thus, it is crucial to list, categorize, and compare all the applicable regulations
from each entity within a financial group. The baseline of regulations is not meant to
mitigate or to set up the same AML/CFT compliance measures, but to blend and adjust
compliance levels as a whole.
[9] Principles for an Effective Risk Appetite Framework by FSB: An effective risk appetite framework is the foundation of good risk management. A firm’s risk appetite represents the aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan, and this should be set out in written form in a risk appetite statement.
This is well explained by the 18th recommendation of the “FATF 40 Recommendation
2012”, Internal controls and foreign branches and subsidiaries: “Financial institutions
should be required to ensure that their foreign branches and majority-owned
subsidiaries apply AML/CFT measures consistent with the home country requirements
implementing the FATF Recommendations through the financial groups’ programmes
against money laundering and terrorist financing.” This manifests that home country
AML/CFT laws and regulations are the minimum requirements.
Furthermore, every financial institution in Taiwan shall comply with article 2 of the
“Anti-Money Laundering Regulations for Financial Institutions”: after evaluating the risk
level, the financial institution can take different actions matched to each risk level to
manage compliance procedures effectively, which means that not every procedure needs
the same level of compliance strength.
Accordingly, the holding company is obligated to rationalize the group AML/CFT policy
across different business sectors so as to develop a group-wide minimum requirement,
such as a banking-level KYC approach and at least basic scenarios, which help group
companies carry on normal business under clear rules. Which rules should form the
basic requirements for all, and is there any room for appropriate variance?
Nonetheless, we understand that the risks from different business lines, which together
compose the group risk, are in need of mitigation whether or not each sector’s regulations
are the same. Besides finding group guidance, the most important thing is to establish a
compliance culture that enhances AML/CFT risk awareness among all group staff.
3.2 Risk scoring and evaluation
To discover the basic and minimum requirements, we can try to
evaluate the risk level of each business sector with the scoring method [10], which is
widely used and easy to understand. To identify the risk level of each business sector
within a financial group, the risk of each business line should be evaluated and calculated
separately so as to produce a picture of the group risk as a whole. By presenting them on
the compliance table, we can set up a group standard of AML/CFT compliance more
easily.
Below is a demonstration of a scoring methodology (X: risk exposed; Y: stringency of
regulatory compliance) that presents the risk distribution within a financial group. A
score from 1 (one) up to 5 (five, very high) represents the level of
inherent risk of each business entity, assessed by its ML/FT risk exposed (X-axis) and
the stringency of its regulatory compliance as a whole (Y-axis).
The risk score of different business entities in a financial group:
Sector    Risk: 1 2 3 4 5
Banking V
Security V
Insurance V
Trust V
AMC V
Leasing V
Futures V
[10] The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption: “Due to the nature of each Business Division’s unique business activities, products and services (including transactions), client base and geographic footprint, a risk based approach is used to calculate inherent risk. Each risk factor is usually assigned a score which reflects the associated level of risk. Each risk area may then be assigned a weight which reflects the level of importance in the overall risk calculation relative to other risk areas. Similarly, each control may be assigned a weight which reflects the relative strength of that control.”
The risk scores of product lines in banking business
Banking product line    Risk: 1 2 3 4 5
Saving V
Remittance V
Loan V
Wealth management V
Bancassurance V
OBU V
DBU V
The result of banking business risk scores is 4.
By simple average: (2+5+3+4+4+5+5)/7
The risk scores of product lines in security business
Security product line    Risk: 1 2 3 4 5
Stock trading V
Wealth management V
OSU V
The result of security business risk score is 3.
By simple average: (2+3+4)/3
The risk scores of product lines in insurance business
Insurance product line    Risk: 1 2 3 4 5
Pension/Life V
Investment/Life V
Liability V
OIU V
The result of insurance business risk score is 3.5.
By simple average: (3+4+3+4)/4
The risk scores of product lines in trust business
Trust product line    Risk: 1 2 3 4 5
Public fund V
PE fund V
The result of trust business risk score is 2.5.
By simple average: (2+3)/2
The risk scores of product lines in AMC business
AMC product line    Risk: 1 2 3 4 5
Real estate trading agency V
The result of AMC business risk score is 2.
The risk scores of product lines in leasing business
Leasing product line    Risk: 1 2 3 4 5
Installments V
The result of leasing business risk score is 2.
The risk scores of product lines in futures business
Futures product line    Risk: 1 2 3 4 5
Futures trading V
The result of futures business risk score is 2.
From the different risk scores of each product line, using the simple average
method, we obtain the product risk score of each business entity. For example, the
banking ML/FT risk score is five times four, which equals twenty; this is the final risk
score of the banking entity.
Assuming the bands Low (1-5), Medium (6-10), High (11-15) and Very high (16-25),
we can determine the risk level of each business entity and thus set up a group
standard, together with consideration of the stringency of regulatory compliance.
Business sector   Risk score   Risk level
Banking           20           Very high
Security          9            Medium
Insurance         14           High
Trust             7.5          Medium
AMC               2            Low
Leasing           4            Low
Futures           6            Medium
From this, we can see that the risk level of a banking entity is higher than that of
other sectors, such as an insurance company, within a financial group. Moreover, an
AMC company is at the lowest level compared with all other subsidiaries because of its
business nature.
— Can we set up the same compliance level, in terms of mitigating the residual risk
for every entity to a consistent standard in a financial group?
The authority might raise the issue that there should be no risk appetite for legality,
which means business conduct needs to comply fully with regulations because, from
the authority’s perspective, regulations are the minimum requirement for every
entity, and every entity within a financial group shall obey laws and regulations
without any leeway. Thus, it is held that there should be no risk appetite as to
legality.
However, legal compliance is not black and white. The spirit and purpose of each
regulation is implied while considering the needs of the business. For instance, if
the business of an insurance agency is merged into the banking business, then bank
customers need to abide by the regulations of banking wealth management, in addition to
the regulations that apply to the insurance agency. Also, the stringency of compliance is
higher for a banking entity than for an insurance agency.
Nonetheless, when a banking entity sells insurance products to its customers, it has to
comply with the rules that regulate the insurance agency, even though the stringency of
compliance is lower than it would be for a bank. But it cannot satisfy the expectations
of the regulators because the banking entity should apply the same level of compliance
with banking regulations as it would for a customer of an insurance agency. Therefore,
we need to evaluate each business line against its different regulations to decide the
appropriate risk appetite after mitigating the residual risk. In this case, if the bank
entity cannot set up a high level of insurance selling risk, then it can focus on pension
insurance products only, instead of investment insurance products that need more
internal control points with higher compliance cost.
It is understood that every regulation has its residual risk, which can be mitigated by
building a control mechanism or setting up well-designed control points, for instance
measured by business scale, to fit the business need under a good compliance
policy and process. Each business line has its own regulations to comply with, and the
risk level is not the same: it depends on which financial sector the line belongs to and
what kind of financial products it sells to its customers. Nonetheless, people from the
risk department might suggest that, in line with the group risk tolerance [11] supported
by an assumptive stress test, we can set up the group ML/FT risk appetite as in the chart
below. Furthermore, by mitigating compliance risk, it is suggested that an acceptable
group standard can balance both operational risk and the inherent risk, in terms of the
business volume.
Surely, we understand that a group risk appetite driven by business can impact revenue.
However, as to legal compliance, there is no flexibility to mitigate for legality because
we cannot risk any one business sector breaking any laws and regulations. Unlike
legality, in the risk assessment of AML/CFT regulatory compliance the inherent risk can be
mitigated to the level of an acceptable risk appetite after we have reasonable control of
the residual risk.
[11] Sound Practices for the Management and Supervision of Operational Risk, BIS: “Internal audit should not simply be testing for compliance with board approved policies and procedures, but should also be evaluating whether the Framework meets organizational needs and supervisory expectations. For example, while internal audit should not be setting specific risk tolerance or appetite, it should review the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances.”
In addition, the banking sector is riskier than the security sector, and the stringency of
compliance required by the financial authority is greater than for other business sectors
as well. However, the risk of the banking sector cannot simply be mitigated to become the
benchmark for other business sectors within the group, the so-called general good of
compliance [12]. Otherwise the group general requirements can on the one hand be
fulfilled by the bank, but on the other hand make it harder for the AMC to comply at the
banking regulatory level.
Under the circumstances above, the group compliance level should be the minimum
requirement for all of its entities. The compliance level of the banking entity remains at
the higher standard requested by its regulator, and the AMC, together with the leasing and
futures entities, shall upgrade their compliance standard to the level of general good;
the group risk can therefore be controlled as in the table below.
[12] Freedom to Provide Services, EUR-Lex - l24227 – EN: “A Member State may have recourse to the concept of the general good in order to enforce compliance with its own laws by an insurer wishing to carry on its business within its territory under either the right of establishment or the freedom to provide services.”
3.3 Address and adjust
— By testifying and differentiating each subsidiary’s compliance standards, are we
facing the same ML/FT risk collectively?
After financial entities are conglomerated, the group-level issue is always there:
key standards need to be adopted in common, in terms of minimum
requirements and group risk appetite. For example, if we narrow the issue down from
entity risk to process risk, such as KYC, the question is whether it needs to be at the same
level in the fields of insurance and trust, which secures the fundamental internal risk
before any transaction.
However, can a bank’s high-risk client do business with an insurance company that
evaluates the client as middle risk? From the business perspective, of course, the answer
is yes, but only with certain enhanced procedures carried out by the insurance
company. But with the bancassurance mentioned above, the bank can sell life insurance
products to its customers via banking channels. The bank is therefore providing
insurance services as an insurance company does. This combination of regulations
from different business sectors shows that the bank cannot pay attention only
to its own regulations; it must also attend to the regulations relating to the services it
can provide under the umbrella of group cross-selling. This is the main reason that we
need a group AML/CFT risk appetite and an effective group policy.
Furthermore, if it is appropriate to let the insurance company know the client’s risk
level in the banking business, doing so will help other entities to mitigate ML/FT risk.
Shall we apply one risk label to a single customer within a financial group to prevent risk
arbitrage by the customer, in terms of pre-warning alerts? And what can we possibly avoid
after the high-risk customer is tagged?
4. Regulatory differences and arbitrage [13]
— How can we prevent customers with intent from choosing the less compliant
entity within a financial group to carry out ML/FT activities?
It is necessary to benchmark the bank’s risk level against that of its affiliates (i.e. the
subsidiaries of the holding company) in order to define the level of compliance. For
example, for a financial holding company in Taiwan, the law of financial holding
company allows cross-selling and other trading within a financial group, whereas the
money mainly flows through the banking system. Therefore, for the purpose of more
efficient AML/CFT compliance procedures, the high level of banking business can
mitigate group customers’ ML/FT risk substantially down to a reasonable level, instead
of keeping customers away with higher and repeated compliance requests while doing
KYC and KYP.
Consequently, would various levels drive group customers to do de-risk shopping, in
terms of choosing to trade with a business sector or product line of lower compliance? The
truth is that arbitrage can exist, not only in the scenario above, and the
authorities cannot prevent it effectively given their different regulatory stringency.
However, with the group compliance policy, together with an information sharing and
communication mechanism, we can avoid what might happen above. Under
the higher KYC compliance stringency, the banking entity can share its list of high-risk
customers with other entities within the group, so as to tag riskier customers who might do
business with an entity of lower compliance stringency. For instance, customer A made
wire transfers in unusually large numbers or with repetitive patterns to the banking entity
and was evaluated as a high-risk customer as well. When customer A goes to the AMC or
Trust entity in the financial group with a clean identity, the AMC or fund house, which
evaluates customer A as a middle- or low-risk customer under lower regulatory compliance
stringency, will allow customer A to buy and trade without doubt, even though the customer
is tagged as high risk by the bank for suspicious activity. Therefore, not knowing customer
A’s risk status, the AMC or Trust entity might in another way make it easier for customer A
to carry out possible ML/FT activity.
[13] ft.com/lexicon: This is where firms take advantage of loopholes in regulatory systems to avoid certain types of regulation. This can be achieved by conducting business, creating products and services in certain locations that are outside the purview of regulators.
Thus, if proper information is shared and communicated legally within the financial
group, the AMC or Trust entity can have an early alert relating to customer A, so as to stop
ML/FT activity efficiently and effectively.
5. Communication and pre-warning alerts
According to the 18th recommendation of the FATF 40 Recommendation 2012,
Internal controls and foreign branches and subsidiaries, “Financial groups should be
required to implement group-wide programs against money laundering and terrorist
financing, including policies and procedures for sharing information within the group
for AML/CFT purposes”. Also, under article 8 of the regulation “Implementation Rules of
Internal Audit and Internal Control System of Financial Holding Companies and Banking
Industries” enacted by FSC Taiwan, “Financial holding companies and banking
businesses which set up foreign branches (or subsidiaries), shall establish an additional
group-level AML/CFT program, which shall include intra-group information sharing
policies and procedures for AML/CFT purposes, based on the laws and regulations of
countries or jurisdictions where the foreign branches (or subsidiaries) are located.”
According to the above regulations, a financial holding company in Taiwan needs to
implement not only a group-wide AML/CFT program but also the information sharing
procedures.
— When a banking entity files STRs with the Financial Intelligence Unit (FIU), do
other subsidiaries need to know about the change in group customers’ risk status?
For example, customer A, who brings a large amount of cash to buy a life insurance
product, is unable to explain the origin of the cash. Having reported an STR to the FIU and
changed the risk level of customer A, the banking entity is liable to share this information
with other subsidiaries, preventing customer A from going to the trust entity to invest in
funds with the rest of the cash. Therefore, if the banking entity fails to share this
information with other subsidiaries, customer A, with ML/FT intention, will continue to go
to the trust entity or AMC to buy funds or real estate, while the trust entity or AMC does
not realize that customer A is at high risk with an STR record.
Therefore, if the information on customer A’s risk level is shared, other subsidiaries
within the group will have the chance to know customer A’s intention in advance and take
appropriate procedures to prevent ML/FT activities on a timely basis.
A financial holding company as a whole engages in cross-selling business, which lets
one single customer take up financial services through one-stop shopping: a
bank customer can buy insurance products through banking channels, and a security
customer can buy insurance products through its channels as well. However, the risk rating
of a given customer at the banking or security entity may not be the same,
because each authority regulates differently with a different level of compliance
stringency. Therefore, it is better for each entity to know a mutual customer’s risk level,
not only to provide more accurate and precise service, but also to safeguard the entity’s
AML/CFT control. For instance, the risk level of a security customer will be raised to a
riskier level when the customer is identified or evaluated as a high-risk customer by the
bank entity.
— Can risk status be shared and communicated within a financial group in Taiwan?
In accordance with article 17 of the Money Laundering Control Act of Taiwan, public
officers and employed personnel shall not disclose or deliver documents, pictures,
information or objects relating to reported suspicious transactions, which means that each
company in a financial group cannot release STR or SAR details to any third party, even
within the financial group.
However, a financial holding company must comply with article 8 of the Implementation
Rules of Internal Audit and Internal Control System of Financial Holding Companies and
Banking Industries, which requires “a group-level AML/CFT program, which shall include
intra-group information sharing policies”, manifesting that the relevant information
needs to be shared within the group.
For the reasons above, certain personal information of high-risk
customers could be labelled and shared group-wide to reduce the chances of compliance
arbitrage. In the interests of group AML/CFT, the barrier of privacy, in terms of the
Chinese wall, should be legally overcome to the extent of identifying high-risk persons and
companies, to make sure the alerting level for current customers is the same within a
financial group. Thereafter, customers with ML/FT intention can have no chance of
selecting the AMC or leasing entity in the belief that its compliance stringency is much
lower and that an ML/FT transaction or activity is much easier to achieve there than at the
banking entity within the group.
Finally, setting up a group standard or risk appetite is not a one-time
matter. We need to review and re-evaluate on a regular basis, and the useful data and
information come from gathering auditing reports, so that we understand the
risk and learn from the past as well.
6. Audit function
Part of the cornerstone of group AML/CFT compliance is the audit reports
from the authority and internal auditors. A well-organized internal audit program will help
to secure internal control. An effective risk assessment should be an ongoing
process, not just an annual or one-time activity, such as improving certain matters in
the audit reports.
By reconciling audit opinions with risk assessment results, we can ascertain and
identify where the riskier operation is and try to mitigate it with appropriate action
plans. By doing so, we can have a much clearer picture of group AML/CFT risk, which
is useful to make the foundation of the AML/CFT program much more solid.
The audit reports can also show the change in every entity’s AML/CFT risk by
identifying the matters it needs to improve. Once these are identified, we can enhance the
riskier entity’s compliance level to avoid a possible AML/CFT deficiency. This emphasizes
the importance of an effective audit function to support and maintain the group
framework of internal control.
Auditing is an ongoing process for AML/CFT internal control that, together with SAR/STR,
draws a clear map of the risk for both management and board members. With a
sound audit function, we can have an up-to-date group policy and standard that is suitable
for the current legal environment as well.
7. New business sector
- What steps shall we take to include a new business sector?
The member companies of a financial group will not always stay the same, owing to
organic and inorganic growth: new entities are added through mergers and acquisitions,
or new business and product lines are launched. Even a banking entity could invest in
a FinTech14 company or in the factoring sector. Thus, when a new business line or
subsidiary is included, it is important to evaluate and situate it step by step, as
suggested below:
1) Verify whether it is in the scope of financial services
2) Score its risk and define its inherent risk by its applicable regulations
3) Set up its risk level after mitigation
4) Collect all laws and regulations relating to its AML/CFT compliance
5) Perform a gap analysis to see whether it is above or below the group AML/CFT standard
6) Make sure its residual risk falls within the group risk appetite
7) Embody its internal procedures and processes to cope with its authority's requests
and the group policy as well
8) Merge it into the group AML/CFT high-risk information sharing system
9) Combine its AML/CFT report to its board and to the holding company's board
10) Include it in the group audit program
14 From Wikipedia, the free encyclopedia: Financial technology (FinTech or fintech) is the new technology and innovation that aims to compete with traditional financial methods in the delivery of financial services.
8. Conclusion
The goal of group AML/CFT compliance policy is to set up acceptable and reasonable
risk levels for each different entity. The ultimate goal will be a consistent level of
compliance such that no compliance gap will exist between business sectors. By doing
so, customers with ML/FT intention will have no chance to do risk arbitrage. No matter
who the customer is, where a customer is doing business, or who the customer is
transacting with, the activity will be identified, reported and labelled.
Furthermore, with the help of an AML/CFT compliance system, securities and leasing
entities can monitor and surveil their trading on a timely basis, up to the banking
compliance level. The AMC entity can also adhere to higher group-level requirements,
consistent with other financial institutions within the financial group, by tuning its
AML/CFT system.
AML/CFT is not just a compliance issue among financial institutions but a nationwide
safety issue. The laws and regulations on privacy and personal data protection should
be de-regulated for the public good, not just through the shared mechanism of grouping
high-risk cases, but by opening up more detailed information on suspicious activities
or transaction types to other financial institutions outside the group within the same
jurisdiction. Then, for instance, the ML/FT risk of third-party transactions can be
identified and mitigated efficiently at an early stage.
Setting up an effective group policy seems a lot to do, and it even requires the
authorities to de-regulate the information sharing mechanism among financial services
providers. But in the long run, once a suspicious customer or activity has been
discovered, financial institutions can be more vigilant and make the customer's ML/FT
intention that much harder to achieve. Not only can financial order and national
safety be secured, but each financial institution can also save cost, because the same
evaluation and level-finding process will not be repeated.