
Sound Management of Risks related to Money Laundering and Financing of Terrorism

Instructor  Micky Midha

Learning Objectives

  • Explain best practices recommended by the Basel committee for the assessment, management, mitigation, and monitoring of money laundering and financing of terrorism (ML/FT) risks.
  • Describe recommended practices for the acceptance, verification, and identification of customers at a bank.
  • Explain practices for managing ML/FT risks in a group-wide and cross-border context.

Introduction

  • Banks and other financial institutions are at the heart of the global payment system. Criminals and terrorists use payment services of banks to finance their activities, or to convert funds linked to criminal activity to an untainted or laundered form. Though involvement with money laundering (ML) or financing of terrorism (FT) is an operational risk, management of this risk has become a separate subfield due to the intensity of regulatory attention to the issue, the significant level of fines, and the creativity of criminals and terrorists. The Basel Committee on Banking Supervision is issuing guidelines to help banks manage risks related to ML or FT.
  • The Committee is committed to promoting the implementation of strong Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) policies. It has published various documents in support of this commitment, including the Core Principles for effective banking supervision, which address the abuse of financial services.
  • The Committee supports the adoption of standards set by the Financial Action Task Force (FATF). These guidelines are in line with the FATF standards and the Basel Core Principles for cross-border banking. They are intended to complement and support national implementation of the FATF standards, without modifying them. The guidelines include some cross-references to FATF standards, but to avoid duplication such cross-references are not included as a matter of routine.
  • The Committee’s commitment to combating money laundering and the financing of terrorism aligns with its mandate to enhance financial stability through the regulation and supervision of banks worldwide. Effective ML/FT risk management is crucial for ensuring the safety and soundness of banks and the banking system as –
    • It protects the reputation of banks and national banking systems by preventing illicit activities such as money laundering and funding terrorism.
    • It maintains the integrity of the international financial system and supports government efforts to combat corruption and terrorism financing.
  • According to the updated Core principles for effective banking supervision, all banks must have strict customer due diligence rules to prevent involvement in criminal activities. The absence of proper ML/FT risk management exposes banks to significant risks, including reputation, operational, compliance, and concentration risks. It is important to note that these risks are interconnected, and they can result in financial costs such as termination of funding, legal claims, investigation expenses, asset seizures, freezes, and loan losses.

Risk Assessment

  • Banks should assess and understand the ML/FT risks inherent within their businesses and customer base –
    • All relevant risk factors at the country, sector, bank and business relationship levels should be considered. Characteristics of the customer base, products and services offered, and delivery channels should be considered.
    • For each customer or business relationship, a profile of normal activity should be built to support identification of abnormal activity.
    • The policies and procedures, including CDD (customer due diligence), customer acceptance, identification, and monitoring, should align with the risk assessment and the bank’s resulting risk profile.
    • Risk assessments should be documented and shared for potential inspection by authorities.
    • International banks should be attentive to national risk assessments and country reports.
  • Banks must understand ML/FT risks related to customers, products, and services, using operational and external data. Residual risk should align with the bank’s risk profile based on risk assessments. The overall assessment and understanding should be demonstrable and acceptable to the bank’s supervisor.

Proper Governance Arrangements

  • The board of directors must oversee policies for risk, risk management, and compliance, which includes ML/FT risk. They should have a clear understanding of ML/FT risks and receive timely, complete, and accurate information to make informed decisions.
  • The board of directors should allocate explicit responsibility, considering the bank’s governance structure, to ensure effective management of policies and procedures. They should appoint a qualified chief AML/CFT officer with the necessary authority to oversee the AML/CFT function. This officer’s concerns should receive appropriate attention from the board, senior management, and business lines.

The Three Lines Of Defense

  • In the context of AML/CFT, business units are the first line of defense, responsible for identifying and controlling risks. They must be informed about policies and procedures, and resources should be allocated accordingly.
    • Written policies and procedures must be communicated to all personnel, outlining their obligations and instructions, including reporting suspicious transactions.
    • Banks should screen and train staff regularly to ensure compliance with high ethical and professional standards. Training should be tailored to individual roles, functions, and risk profiles to effectively implement AML/CFT policies and procedures.
    • New employees should receive training promptly, and refresher training should be provided to keep staff informed and updated on their responsibilities and the level of risk present in the bank.
  • The second line of defense includes the chief AML/CFT officer, compliance, human resources, and technology. They must monitor the effectiveness of first line management of ML/FT risks and compliance with all policies and procedures.
    • They conduct sample testing, review exception reports, and serve as the contact point for internal and external authorities.
    • To ensure impartial advice and unbiased judgments, the chief AML/CFT officer must not hold business line responsibilities or be entrusted with data protection or internal audit functions. Objective procedures should be in place to handle AML/CFT concerns at the highest level in case of conflicts.
    • The chief AML/CFT officer may also be the chief risk officer or chief compliance officer, reporting directly to senior management or the board. They must report suspicious transactions and have sufficient resources for effective execution of their duties.
  • Internal audit, as the third line of defense, evaluates risk management and controls independently. They report findings to the board’s audit committee through periodic AML/CFT policy assessments.
    • The bank should establish policies for auditing AML/CFT adequacy, staff implementation, compliance oversight, and training effectiveness.
    • Knowledgeable and skilled personnel should conduct audits, aligned with the bank’s risk profile.
    • Bank-wide AML/CFT audits should be conducted periodically, with proactive follow-up on findings. The auditing process should align with internal audit’s broader mandate, considering any prescribed AML/CFT requirements.
  • External auditors can also play a crucial role in evaluating banks’ internal controls and procedures during financial audits, ensuring compliance with AML/CFT regulations and supervisory practices. If a bank uses external auditors for assessing the effectiveness of AML/CFT policies, it should ensure the audit scope matches its risks, and the assigned auditors possess the required expertise. The bank must exercise proper oversight over these engagements.

Transaction Monitoring

  • A bank should have a suitable monitoring system based on its size, activities, and risks. For most internationally active banks, effective monitoring may require an automated process. If a bank chooses not to use an IT system, it should document its decision and provide an effective alternative. The IT system should cover all customer accounts and transactions and facilitate trend analysis to identify unusual activities and prevent ML or FT.
  • The IT system should provide accurate information to senior management, including changes in customer transaction profiles based on comprehensive and updated CDD information. Banks should be able to risk-rate customers, manage alerts, and use parameters reflecting their own risk situation. The IT system should enable the chief AML/CFT officer to access relevant information, and it should allow for generating alerts for unusual transactions, which the officer can further assess based on risk criteria.
  • Internal audit should evaluate the IT systems’ appropriateness and effective use by the first and second lines of defense.

Customer Acceptance

  • Banks must have clear customer acceptance policies and procedures that consider the risk posed by each customer based on the bank’s risk assessment. These policies should require due diligence appropriate to the level of risk associated with each customer.
  • For lower-risk situations, simplified measures may be allowed, but the policy should not restrict access to banking services for financially or socially disadvantaged individuals.
  • For higher-risk customers, enhanced due diligence is necessary, particularly for politically exposed persons (PEPs) and foreign PEPs. Senior management should approve entering or continuing business relationships with higher-risk customers.
  • The customer acceptance policy should also outline conditions under which the bank would decline new business relationships or terminate existing ones.

Customer Identification And Verification

  • Customer due diligence (CDD) applies to anyone who enters into a business relationship or carries out financial transactions with the bank, including persons acting on their behalf and beneficial owners. Banks must identify and verify customers in line with FATF standards.
  • A bank must systematically identify and verify customers, beneficial owners, and representatives. Verification should use reliable, independent source documents or data, while non-documentary sources must align with the bank’s policies and risk profile. Written declarations from customers may be collected but not solely relied upon for verification. The bank should consider the customer’s risk level when determining the necessary due diligence measures. Identification must not be overlooked for non-face-to-face customers, and enhanced due diligence should be applied to customers from jurisdictions with AML/CFT strategic deficiencies if necessary.
  • A bank should use customer identification and verification information to develop risk profiles for customers. These profiles should consider various factors, such as the purpose of the relationship, level of assets, transaction size, and regularity. By analyzing customer activity and behavior, the bank can identify unusual or suspicious actions. These risk profiles help determine if a customer is higher-risk, requiring enhanced CDD measures and controls. The profiles should also include details about the intended purpose of the relationship, expected activity level, transaction types, and the sources of funds or income. Any significant information collected should be used to update the bank’s risk assessment of the customer.
  • A bank should obtain customer identification papers and any related CDD information, such as official documents (passports, ID cards), financial transaction records, and business correspondence. Additionally, the bank must obtain all necessary information to establish the customer’s identity, as well as that of any person acting on their behalf and beneficial owners. The extent of information required for verification depends on the risk assessment, including factors like customer type and account size. Higher-risk customers may require enhanced due diligence for identity verification, and in complex cases, additional identification measures may be necessary based on the overall risk level.
  • When a bank cannot complete customer due diligence (CDD) measures, the bank should avoid opening accounts or initiating transactions. Risk management procedures should be applied with restrictions until verification is completed. If issues persist, the bank should close the account or limit access. In case of incomplete CDD, the bank should consider filing a Suspicious Transaction Report (STR). If suspicions of illicit funds arise, banks should not voluntarily open accounts and should file an STR without notifying the customer.
  • A bank should have procedures and capacity to identify designated entities or individuals (e.g., terrorists, terrorist organizations) in line with national legislation and relevant United Nations Security Council Resolutions (UNSCRs).
  • When receiving funds from another bank under the same CDD standard, the bank should conduct its own due diligence to check for any concerns about illicit activities that might have led to the closure of previous accounts. If the bank suspects the applicant was denied banking facilities due to illicit activity concerns, it should treat them as higher-risk, implement enhanced due diligence, and consider filing an STR or declining the customer based on its own risk assessments and procedures.
  • A bank must avoid opening accounts or conducting ongoing business with customers who demand anonymity or use fictitious names. Confidential numbered accounts should undergo the same CDD procedures as other customers, even if handled by selected staff.

AML/CFT In Group-Wide And Cross-Border Context

  • For effective ML/FT risk management in multiple jurisdictions, banks must consider host country legal requirements. Each banking group should develop group-wide AML/CFT policies and procedures consistently applied and supervised across all branches and subsidiaries. Local-level policies and procedures should align with the group’s broader policies while adhering to the host jurisdiction’s specific requirements. If host country requirements are stricter, the branch or subsidiary should be allowed to adopt and implement them.
  • Overall, the focus should go beyond strict compliance with laws and regulations to encompass the identification, monitoring, and mitigation of group-wide risks. Efforts should be made to maintain information flow aligned with global AML/CFT policies, despite necessary local policy modifications. Robust information sharing among head office, branches, and subsidiaries is vital. As per FATF Standards, if the host country hinders the proper implementation of AML/CFT standards, the chief AML/CFT officer should notify the home supervisors. Additional actions, like closing operations in the host country, may be considered if necessary.
  • Implementing group-wide AML/CFT procedures is made difficult by restrictions on sharing customer information across borders. However, it is crucial for effective monitoring and ML/FT risk management that banks are authorized to share such information with their head offices or parent banks, with appropriate legal protection. This applies to both branches and subsidiaries.
  • The bank must thoroughly understand and document all customer risks, updating them regularly based on the level and nature of risk. Factors like location, transaction patterns, and product usage should be considered, setting criteria to identify higher-risk customers. These criteria should be applied across the bank, its branches, subsidiaries, and outsourced activities. The collected information should guide the design of appropriate group controls to mitigate risks, involving additional customer data, tighter monitoring, frequent updates, and staff visits to customer locations.
  • Compliance and internal audit staff, including the chief AML/CFT officer, or external auditors should assess the bank’s adherence to group policies and procedures, evaluating the effectiveness of centralized CDD policies and information sharing requirements within the group. Internationally active banking groups should have a strong internal audit and global compliance function to monitor the overall application of the bank’s global CDD and assess the effectiveness of policies and information sharing within the group. The chief AML/CFT officer is responsible for group-wide compliance with relevant AML/CFT policies and controls nationally and internationally.
  • A bank should not rely on introducers with lower AML/CFT standards than its own. It must monitor and evaluate the AML/CFT standards of the referring bank’s jurisdiction. Relying on an introducer from the same financial group is possible if they adhere to the same standards and are supervised at the group level. Nonetheless, the bank should obtain customer information from the referring bank to report any suspicious transactions to FIUs if necessary.
  • The banking group’s head office must have access to relevant information to enforce group-wide AML/CFT policies and procedures. Each office in the group should adhere to minimum AML/CFT policies consistently defined by the head office and Committee guidelines, with adjustments made to address variations in risk. Local monitoring policies should be implemented, complemented by information-sharing with the head office and other branches regarding high-risk accounts and activities. The bank should integrate information on customers, beneficial owners, and funds involved to effectively manage ML/FT risks arising from accounts. A chief AML/CFT officer should be appointed for the entire group to oversee AML/CFT strategy and ensure compliance with requirements nationally and abroad. The group AML/CFT officer should continuously monitor compliance and take necessary measures for the whole group.
  • Banks must oversee information sharing within the group. Subsidiaries and branches should provide the head office with information on higher-risk customers and relevant activities promptly. The bank’s group-wide standards should outline the process for identifying, monitoring, and reporting suspicious activity. Policies and procedures should consider data protection laws and govern the evaluation of risks posed by reported activity. The bank should be responsive to requests for customer information from law enforcement, supervisory authorities, and FIUs. Supervisors can request details on the bank’s global customer risk management process, ML/FT risk assessment, AML/CFT policies, and information-sharing arrangements.
  • Mixed financial groups with banking, securities, and insurance businesses face additional challenges in implementing ML/FT risk management controls compared to deposit-taking and lending operations. These groups should have the capability to monitor and share customer information across the entire organization and be vigilant about customers using services from different sectors. Differences in activities and relationships between sectors may necessitate variations in AML/CFT requirements, particularly when cross-selling products and services to customers from different business arms. The appropriate AML/CFT requirements for each relevant sector should be applied accordingly.
