Frequently Asked Questions on Anti-Money Laundering
0 likes485 views
This document provides frequently asked questions (FAQs) on anti-money laundering (AML), countering financing of terrorism (CFT), and targeted financial sanctions (TFS) specifically for designated non-financial businesses and professions (DNFBPs) and non-bank financial institutions (NBFIs). It serves as a clarification tool for reporting institutions, covering topics like applicability, compliance programs, customer due diligence, and risk assessment, while detailing the responsibilities and procedures required under relevant legislation. The document is intended to be a resource and will be updated periodically by Bank Negara Malaysia.
More Related Content
Similar to Frequently Asked Questions on Anti-Money Laundering (20)
![International aml standards qatar case [compatibility mode]](https://cdn.slidesharecdn.com/ss_thumbnails/internationalamlstandards-qatarcasecompatibilitymode-130310160137-phpapp02-thumbnail.jpg?width=560&fit=bounds)
Frequently Asked Questions on Anti-Money Laundering
- 1. Issue Date: 1 September 2020 Frequently Asked Questions on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions & Non-Bank Financial Institutions (FAQs on AML/CFT and TFS for DNFBPs and NBFIs)
- 2. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 1 of 41 Introduction The Frequently Asked Questions (FAQs) are intended to provide clarification to reporting institutions on common queries in relation to the Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions and Non-Bank Financial Institutions Policy Document (Policy Document). These FAQs are not intended to replace any requirements in the Policy Document. Any refinements to the FAQs will be updated by Bank Negara Malaysia from time to time. Should you have any additional queries related to the Policy Document, please submit the queries via any of the following means: a. Mail : Director Financial Intelligence and Enforcement Department Bank Negara Malaysia Jalan Dato’ Onn 50480 Kuala Lumpur b. Email : [email protected] Bank Negara Malaysia 1 September 2020
- 3. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 2 of 41 TABLE OF CONTENTS Introduction ................................................................................................................... 1 Glossary......................................................................................................................... 3 Applicability................................................................................................................... 4 Definition and Interpretation ........................................................................................ 4 Application of Risk-Based Approach .......................................................................... 6 AML/CFT Compliance Programme .............................................................................. 9 Customer Due Diligence (CDD).................................................................................. 16 Politically Exposed Persons ...................................................................................... 26 Reliance on Third Parties ........................................................................................... 26 Higher Risk Countries................................................................................................. 27 Cash Threshold Report (CTR).................................................................................... 28 Suspicious Transaction Report (STR)....................................................................... 29 Record Keeping........................................................................................................... 30 Management Information System (MIS) .................................................................... 31 Targeted Financial Sanctions .................................................................................... 31 Appendices ……………………………………………………………………………………36 APPENDIX A: Sector Specific CDD for REAs ........................................................... 37 APPENDIX B: Infographic on Higher Risk Countries............................................... 39
- 4. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 3 of 41 GLOSSARY No Abbreviation Description 1 AMLA Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 2 AML/CFT Anti-Money Laundering and Countering Financing of Terrorism 3 BO Beneficial Owner 4 CDD Customer Due Diligence 5 CTR Cash Threshold Report 6 DNFBPs Designated Non-Financial Businesses and Professions 7 DPMS Dealers in Precious Metals or Precious Stones 8 e-KYC Electronic Know Your Customer 9 FATF Financial Action Task Force 10 GLCs Government Linked Companies 11 IRA Institutional Risk Assessment 12 MIS Management Information System 13 ML/TF Money Laundering and Terrorism Financing 14 NRIC National Registration Identity Card 15 PCT Person Conducting Transaction 16 PEPs Politically Exposed Persons 17 REAs Registered Estate Agents 18 STR Suspicious Transaction Report 19 TFS Targeted Financial Sanctions 20 UNSC United Nations Security Council 21 UNSCR United Nations Security Council Resolutions
- 5. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 4 of 41 NO. QUESTION ANSWER Applicability 1 Do AML/CFT requirements apply to individual reporting institutions, such as accountants, company secretaries, lawyers and registered estate agents (REAs)? The AML/CFT requirements apply to all reporting institutions, and may be administratively developed by the accountants, company sectaries, lawyers and REAs at the firm level to ensure consistent application of AML/CFT requirements within the firm. However, some responsibilities under the AML/CFT requirements, such as the submission of suspicious transaction report still rest with the individual reporting institution. 2 Are all activities carried out by accountants, company secretaries, and lawyers subject to Part IV of the Anti-Money Laundering, Anti- Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)? For accountants, company secretaries and lawyers, Part IV of the AMLA is only applicable to those carrying on Gazetted Activities as published in P.U.(A) 340/2004 and P.U.(A) 293/2006. However, for lawyers, there could be circumstances of spill-over, in which the funds from litigation process may pass- through the client account, and hence form part of the Gazetted Activities. Definition and Interpretation Beneficial Owner 3 Does the definition of “beneficial owner” refer to the chains of shareholders and directors, and exclude the people who holds senior management position in a company, for example, Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Operating Officer (COO), or the similar kind of positions in the company? Generally, the first step of identifying the beneficial owner (BO) referred to in "…situations in which ownership or control is exercised through a chain of ownership..." is by identifying the shareholders and directors, not the individuals appointed as executives e.g. CEO, CFO, COO, unless these executives are also the shareholders or directors.
- 6. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 5 of 41 NO. QUESTION ANSWER The "chain" here is in relation to parent- subsidiary situations which extend across several levels, where the reporting institutions will need to review the entire chain of companies and subsidiaries to determine who is the ultimate beneficial owner of a particular customer that the reporting institution is dealing with. However, reporting institutions should be aware that for BO of a legal person, if the natural person cannot be identified through the controlling ownership interest, then the senior management of that legal person e.g. CEO, CFO, COO or similar position is to be identified as the BO. Details on the above sequential process to identify the BO can be found in paragraph 14.10.6 of the Policy Document. For further details on beneficial owner, please refer to the “Guidance on Beneficial Ownership” issued by the Bank Negara Malaysia. Please also refer to Part D of the Policy Document (Appendix 12). Legal Person 4 What are the different types of government linked companies (GLCs)? GLCs refer to entities where the government is: (a) the majority shareholder; or (b) the single largest shareholder; and/or (c) has the ability to exercise and influence major decisions such as appointment of board members and senior management.
- 7. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 6 of 41 NO. QUESTION ANSWER The definition would also be applicable in instances where the government is not a single largest shareholder but is able to exercise control e.g. through golden shares (where the government is entitled to certain special rights). This may also include state-owned corporation (SOC) which is a body formed by the government through legal means to be able to take part in activities of a commercial nature. As activities of a state-invested entity (SIE) also involve investment on behalf of the government, they may be treated the same as SOCs and GLCs. Person Conducting the Transaction 5 What are the examples of person conducting the transaction (PCT)? PCT is defined in paragraph 6.2 of the Policy Document and refers to any natural person conducting or purporting to act on behalf of the customer, such as person depositing into another customer’s account or person undertaking a transaction on behalf of another person. Examples of PCT may include the following: (a) a company representative making payments on behalf of the company; or (b) a third party paying on behalf of a customer. Application of Risk-Based Approach Risk Assessment 6 Are reporting institutions required to submit their AML/CFT risk assessment information to Bank Negara Malaysia? Reporting institutions are generally not required to submit the AML/CFT risk assessment information to Bank Negara Malaysia. However, such report may be required to be submitted to Bank Negara Malaysia during supervisory visits or as and when required as part of supervisory or risk assessment.
- 8. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 7 of 41 NO. QUESTION ANSWER 7 What is the expectation for reporting institutions in conducting their institutional risk assessment (IRA)? Can the IRA be thematic and how frequent must it be conducted? Paragraph 10.2.1 of the Policy Document requires reporting institutions to identify, assess and understand their money laundering and terrorism financing (ML/TF) risk in relation to: (a) customers; (b) countries or geographical areas; (c) products, services, transactions or delivery channels; and (d) other relevant risk factors. Reporting institutions’ first IRA must be comprehensive, covering all the above mentioned parameters, i.e. customers, countries/geographical areas and products/ services/ transactions and delivery channel, at minimum. Reporting institutions may choose to update the IRA on a thematic basis. Reporting institutions may consider to set the frequency of the IRA on a specific period e.g. every 1 to 2 years or where circumstances have changed that may warrant a refresh of the IRA, e.g. material changes in risk profile, significant internal audit finding, changes in business direction, new typologies suggested by authorities or Financial Action Task Force (FATF), or when embarking in new technologies, etc. Reporting institutions may refer to the guidance documents on risk-based approach available in Part D of the Policy Document and guidance issued by the FATF which are available on its website at: http://www.fatf- gafi.org/
- 9. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 8 of 41 NO. QUESTION ANSWER 8 Is there a specific template to conduct the IRA? There is no standard template to conduct the IRA. Reporting institutions may refer to Appendix 9 of the Policy Document as a guidance to assist the conduct of ML/TF risk assessment collectively at the institutional level. While Appendix 9 has generally covered the basic requirements, it should not be treated as the sole reference in conducting the risk assessment as the list of factors or examples or criteria are not exhaustive. Risk Profiling 9 Are reporting institutions required to assess the ML/TF risks based on all criteria specified in Paragraph 10.4.2 of the Policy Document? In profiling the customers, reporting institutions are required to take appropriate steps to identify, assess and understand risks, by considering the relevant factors under Paragraph 10.2.1 of the Policy Document. In cases where some of the criteria are irrelevant to the reporting institution’s business, those criteria may not be considered in profiling and assessing the risks of the customers. 10 What is deemed as a valid justification when re-rating a customer’s risk from higher to lower? Should the reporting institution document the procedures for reference purposes? Reporting institutions are to assess the customers’ risk based on the type of customer, geographical location, products, services, transactions or delivery channels and other relevant factors (such as emerging threats, trends, change in behaviours, past suspicious transaction report experience, etc.). Reporting institutions are expected to consider the applicable factors at the stage of on-boarding and during re-rating to determine the risk of a customer. Reporting institutions are also expected to document internal customer risk profiling assessments, for record keeping and audit purposes.
- 10. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 9 of 41 NO. QUESTION ANSWER Reporting institutions may refer to the guidance provided in Part D of the Policy Document, in particular the Customer Due Diligence Form for suggested approach to conduct customer risk profiling. AML/CFT Compliance Programme Application for Small-sized Reporting Institution 11 When a reporting institution meets the small-sized definition, is the reporting institution exempted from implementing all AML/CFT requirements? Must the reporting institution apply for Bank Negara Malaysia’s approval? If a reporting institution meets the small-sized definition (please refer Appendix 2 of the Policy Document), the reporting institution can apply the simplifications and exemptions in relation to the AML/CFT Compliance Programme as per paragraph 11.1.1 of the Policy Document. Please note that the simplification or exemption does not apply to the substantive AML/CFT requirements, such as customer due diligence, suspicious transaction report, record keeping etc. Bank Negara Malaysia's approval prior to the application of the simplifications or exemptions is not required. Notwithstanding, Bank Negara Malaysia, may at any time, specify that a reporting institution is required to comply with any of the AML/CFT Compliance Programme. 12 For accountants and lawyers, is the small-sized reporting institution definition based on the number of practicing certificate holders undertaking Gazetted Activities? No, the definition is based on total number of practicing certificate holders in the firm, regardless of whether they undertake Gazetted Activities or otherwise. For example, a firm with 7 practising certificate holders, of which only 3 undertake Gazetted Activities, such a firm does not meet the small-sized reporting institution criteria.
- 11. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 10 of 41 NO. QUESTION ANSWER 13 For DPMS, does a company with less than 30 employees but annual sales turnover exceeding RM 10 million satisfy the small-sized reporting institution definition? No, under such scenario, the company is not a small-sized reporting institution and must implement the complete AML/CFT Compliance Programme requirements. Where a sector is subject to more than one criteria for definition of small-sized reporting institution, both criteria must be satisfied to apply the flexibility. If the company only meets one of the criteria and not the other, the company is not considered as a small-sized reporting institution. 14 What is the expectation when a firm meets the criteria for small-sized reporting institution in one year, but not in the subsequent year? The determination of whether a reporting institution meets the small-sized criteria shall be based on the figures at the end of the preceding calendar year, i.e. January to December. Hence, where the reporting institution does not meet the criteria as per the reference figures, the reporting institution must comply with the complete AML/CFT Compliance Programme. Compliance Management Arrangements at the Head Office 15 Is a small-sized reporting institution required to appoint a compliance officer? Yes, all reporting institutions, regardless of size, are required to appoint a compliance officer, as per section 19 of the AMLA. 16 For a small-sized reporting institution, can the Director or Manager act as the compliance officer? Yes, the reporting institution may appoint any individual with management responsibilities within the reporting institution to be the compliance officer. The person appointed must satisfy the criteria provided under paragraph 11.5 of the Policy Document. He or she must have the sole discretion and independence to evaluate and report suspicious transactions. The appointed compliance officer may also be carrying on other functions within the reporting institution.
- 12. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 11 of 41 NO. QUESTION ANSWER While the Policy Document does not provide a definition of “management” per se, the appointed compliance officer must have sufficient stature, authority and seniority within the reporting institution to participate and be able to effectively influence decisions relating to AML/CFT matters. 17 Must the appointed compliance officer be based within the reporting institution or can be from other subsidiaries within the Group? Reporting institution may appoint compliance officer from other subsidiaries within the Group provided that he or she fulfils the criteria provided under paragraph 11.5 of the Policy Document. Regardless whether the compliance officer is internally or externally appointed, the reporting institution remains responsible and accountable to ensure the effectiveness of the compliance functions. 18 For a reporting institution with branches, can the compliance officer be centralised at head office? Section 19(4) of the AMLA require reporting institutions to designate compliance officers at management level in each branch, for the purpose of application of AML/CFT compliance programme as well as reporting of suspicious transactions. Further, paragraph 11.5 of the Policy Document stipulates compliance management arrangements at Head Office including the requirement to notify Bank Negara Malaysia on the appointment or change in the appointment of compliance officer at Head Office. In this regard, reporting institutions are required to appoint a compliance officer at each branch, but are only required to notify Bank Negara Malaysia on the compliance officer appointed at the Head Office.
- 13. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 12 of 41 NO. QUESTION ANSWER Nevertheless, for some DNFBP sectors, branch offices operate independently of the Head Office. Under such scenario, each branch is required to notify Bank Negara Malaysia on the appointment of the compliance officer. 19 Must the appointed compliance officer be certified? No, AML/CFT certification is not compulsory for compliance officers, but highly encouraged to enable effective discharge of their responsibilities. 20 What is the reliable source of reference to assess whether the compliance officer is “fit and proper”? Reporting institutions may be guided by the examples provided under paragraphs 11.5.5, 11.5.6, 11.5.7 and 11.5.8 of the Policy Document when assessing the fitness and propriety of an individual to be appointed as a compliance officer. 21 In the event of failure to comply with requirements under Part IV AMLA or the Policy Document, will the compliance officer be held liable? Any employee of a reporting institution may be held personally liable for any failure to observe the AML/CFT requirements, in accordance with their respective job function, including the compliance officer. 22 Is there a due date for the appointment of a compliance officer? No, there is no specific due date for the appointment of a compliance officer. However, reporting institutions are required to appoint a compliance officer and notify Bank Negara Malaysia within 10 working days from the appointment, or for any change in the appointment. Employee Screening 23 Can screening be differentiated for different employees? Yes, the screening of employees can be differentiated on a risk-based basis, depending on the position, job scope or other relevant factors related to the employee.
- 14. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 13 of 41 NO. QUESTION ANSWER Reporting institutions are expected to assess their employees’ vulnerability to money laundering, terrorism financing, fraud and bribery risks, and use various sources of information to assist in the screening process to ensure that employees do not abuse their position or be vulnerable or used as a conduit to facilitate ML/TF activities. 24 What are the methods to conduct employee screening? Reporting institutions may choose any suitable method to conduct employee screening and be guided by methods provided in paragraph 11.7 of the Policy Document. Examples of methods for the conduct of employee screening may include face-to- face meeting, phone or video interviews, online checks, skills test, submission of documents or statutory declarations, criminal checks with relevant authorities, consumer credit reports, transaction monitoring, obtaining employment reference, etc. 25 Would trigger events such as transaction monitoring, periodic negative news screening suffice as the parameter for rescreening? The parameters and triggers for re-screening are to be determined by each reporting institution. Examples of best practices would include consideration of global watch list (including negative news screening), criminal checks with relevant authorities, transaction monitoring as well as credit reports and also changes in circumstances, either professionally or personally e.g. promotion, secondment to another division function, financial hardships, or staying in the same position for a long period of time, etc.
- 15. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 14 of 41 NO. QUESTION ANSWER Employee Training and Awareness Programmes 26 What forms of employee trainings are acceptable? Training should be conducted regularly and supplemented with refresher courses at appropriate intervals. Any form of training, e.g. classroom, online or webinar, are acceptable depending on the needs of the employee, the job function and responsibilities undertaken by the employee. Reporting institutions should have clear and comprehensive training contents. The training materials should be frequently reviewed to include any latest changes to the AML/CFT or other regulatory requirements. In addition, tests or examinations are highly encouraged to demonstrate higher levels of effectiveness. Where a reporting institution satisfies the small-sized reporting institution definition, a more simplified training approach can be adopted, including via on-the-job training. Reporting institutions are to ensure that the training provided to its employees is properly documented. Reporting institutions are also encouraged to contact their respective self-regulatory bodies, regulatory or licensing authorities and their relevant training institutes for AML/CFT training specific for their sectors. This could be as part of the on-going Continuing Professional Education (CPE) / Continuing Professional Development (CPD) programmes.
- 16. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 15 of 41 NO. QUESTION ANSWER Independent Audit Function 27 Can the Board level function be delegated to other Board level committees (i.e. audit or risk)? Yes, the function may be delegated to other Board level committees (i.e. audit or risk) so long as the committee is independent and the AML/CFT findings or issues relating to the adequacy and implementation of the AML/CFT policies and procedures are ultimately tabled to the Board. For example, the decision on frequency and scope of the audit can be delegated to the Board Audit Committee. 28 Who can undertake the independent audit function? The role of AML/CFT independent audit function can be undertaken internally by any officer, with relevant knowledge and expertise to carry out the function, who is independent of the compliance function (i.e. Compliance Officer). Alternatively, the reporting institution may also appoint external auditors to carry out the function. The appointment of an independent auditor, internal or external and its roles and responsibilities shall be determined by the Board or Senior Partners. In carrying out the independent audit review, as per paragraph 11.9.4 of the Policy Document, the auditors must, at a minimum, check and test the firm's compliance with AML/CFT policies, procedures and controls and the effectiveness or extent of its implementation when dealing with clients or on the necessary approvals by Board or Senior Partners, as well as assess whether the firm's current measures are in line with requirements under AMLA and the Policy Document.
- 17. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 16 of 41 NO. QUESTION ANSWER 29 When should the reporting institution conduct independent audit? Are reporting institutions required to conduct an annual audit? What is the scope? The frequency of the independent audit depends on the firm’s assessment of its ML/TF risk exposure and is determined by the Board or Senior Partners. On the scope of the independent audit, reporting institutions may refer to paragraph 11.9.6 of the Policy Document. Further, reporting institutions must also consider whether there were previous non- compliances under the AMLA which resulted in enforcement actions taken against the reporting institution. 30 Are reporting institutions no longer required to prepare an audit report and submit to the Financial Intelligence & Enforcement Department, Bank Negara Malaysia (FIED, BNM)? Yes, except for licensed casino and non- bank financial institutions, all other reporting institutions are no longer required to submit an annual audit report to FIED, BNM. However, reporting institutions must ensure that the audit report and necessary corrective measures undertaken are made available to FIED, BNM and the relevant supervisory authorities upon request. Customer Due Diligence (CDD) Verification 31 What sources of documents, data or information are deemed as reliable? Can a reporting institution seek BNM’s confirmation to determine the level of reliability? Verification can be a combination of various data points that the reporting institution deems to be “reliable and independent” which could cumulatively ensure the accuracy of customer and beneficial owner’s identification data. Any measures adopted should be subjected to the reporting institution’s internal governance process.
- 18. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 17 of 41 NO. QUESTION ANSWER Generally, the reporting institution is required to verify the identity of a customer through acceptable government issued documents with or without photograph (e.g. MyKad, MyKid, MyPR, OKU card, driving licence, birth certificate, marriage certificate), foreign passport, employee identification documents, etc. Alternatively, subject to the reporting institution’s assessment whether it is appropriate to mitigate the risks, reporting institutions may accept scanned or copy documentation and apply additional measures which include: (a) third party verification of identity from the client’s primary bank account provider, lawyer or accountant in accordance with paragraph 16 of the Policy Document; (b) corroborative evidence from Jabatan Pendaftaran Negara, Suruhanjaya Syarikat Malaysia and Central Credit Reference Information System (CCRIS) databases; (c) use of commercial providers to validate documentation provided; (d) use of new and robust technology solutions including but not limited to, biometric technologies which should be linked incontrovertibly to the customer; (e) through non face-to-face mechanisms e.g. video conference with customers and submission of selfies to compare the physical identity of a customer with scanned or photographed copies of identification documents; and/or (f) other reliable and independent source.
- 19. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 18 of 41 NO. QUESTION ANSWER Reporting institutions are expected to undertake adequate and reasonable measures to mitigate risks arising from the adoption of any non face-to-face mechanisms. For further details, please refer to the “Guidance on Verification of Individual Customers for CDD” issued by Bank Negara Malaysia. 32 For verification, are reporting institutions required to make a copy of the customer’s NRIC? Any documents requested or obtained during the CDD process should be kept and recorded to meet the record keeping requirement as set out under paragraph 21.1 of the Policy Document. The record keeping of these documents may be in the form of a photocopy, soft copy (scanned copy or snapped picture) or biometric record (such as Government Multi- Purpose Card Consortium (GMPC) verification, etc.). 33 What are the acceptable documents for verification of legal persons? Paragraph 14.10.4 of the Policy Document specifies the information that a reporting institution should obtain to identify and verify the identity of customers that are legal persons. The reporting institution is required to take adequate measures to confirm the identity of its customers which may include constituent documents, such as certificate of incorporation, and other searches available in the public registrar databases. 34 For foreign shareholders, what is the expectation on verification requirement? Reporting institutions are required to assess the relevant risks in verifying the foreign shareholders. Verification process must be on a reasonable basis, and can be satisfied by obtaining documents from foreign official public registers or by way of self-declaration by the client, depending on the reporting institution’s risk assessment in on-boarding such client.
- 20. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 19 of 41 NO. QUESTION ANSWER 35 What is the expectation if a public listed company is identified to be wholly owned by a GLC or a SOC company? Under such circumstance, the exemption on verification of the identity of directors and shareholders of that legal person applies (see paragraph 14.10.9 of the Policy Document). Reporting institutions are required to identify and maintain information relating to the identity of the directors and shareholders of the public listed company using reliable sources (see paragraph 14.10.10 of the Policy Document). Standard CDD 36 What is the expectation for reporting institutions in dealing with authorised persons? A person authorised must be represented with a letter of authority or director’s resolution from the legal person. Where it involves an authorised signatory, i.e. when a legal person opens an account, establishes business relations and authorises another person to conduct transactions on its behalf, the reporting institution must obtain documentary evidence on the appointment of such person and the specimen signatories and/or recognised digital signature of the person appointed. Reporting institutions must be guided by their risk assessment on what documentary evidence would suffice for the purposes of identifying and verifying the person authorised. Beneficial Owner 37 In the case of more than one person having more than 25% shareholding, are reporting institutions required to identify ultimate beneficial owner of all such shareholding? Yes, consistent with paragraph 14.10.6 (a) of the Policy Document, reporting institutions are required to identify directors or shareholders or partners with equity interest of more than 25%.
- 21. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 20 of 41 NO. QUESTION ANSWER 38 Are reporting institutions required to conduct CDD on holders of Redeemable Convertible Preference Shares (“RCPS”) for legal person customers? The requirement to conduct CDD on RCPS holders of a legal person client will depend on whether the RCPS holding could give rise to the holder having a controlling ownership interest, at minimum, with equity interest of more than 25 percent, as required under Paragraph 14.10.6(a) of the Policy Document and other conditions as stipulated under the same paragraphs (b) and (c). For example, after a certain specified period, the RCPS holders may redeem and hence resulting in the holders having controlling ownership interest in the legal person, which is when the beneficial ownership requirements on identification and verification of the persons apply. CDD : Clubs, Societies and Charities 39 Are reporting institutions required to conduct CDD on all of members for clients that are club, society or charity? No, for such clients, reporting institutions are required to conduct CDD on the persons with controlling ownership interests. This may include the office bearers (i.e. the Executive Committee) or any person authorised to represent the said club, society or charity, and any party who may have controlling ownership interest, and not its members per se. Please see paragraph 14.10.17 of the Policy Document. Simplified CDD 40 Can a DNFBP reporting institution conduct simplified CDD where ML/TF risks are assessed as low? No, simplified CDD is not applicable to DNFBP and NBFI reporting institutions. All DNFBPs and NBFI reporting institutions are required to conduct standard CDD when establishing business relations or conducting transactions with its customers or clients, as required under paragraphs 14.10 and 14A to 14H of the Policy Document.
- 22. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 21 of 41 NO. QUESTION ANSWER Enhanced CDD 41 Do reporting institutions need to establish source of fund or wealth for every customer? No. The requirement to obtain information on source of funds and/or source of wealth only applies when overall ML/TF risks are assessed as higher risk. Reporting institutions are not expected to establish source of funds or wealth for each and every customer or transaction. Generally, reporting institutions are required to enquire on source of funds and/or source of wealth, as part of the enhanced CDD under the following scenarios: after customer risk profiling, when a customer is assessed as having higher ML/TF risks, regardless of any amount of transaction; for all foreign politically exposed persons (PEPs) or when a domestic PEP is assessed as having higher ML/TF risks, in which case, both source of fund and wealth must be obtained; or when providing nominee services to the customers or clients, i.e. nominee shareholding, directorship or partnership services, by reporting institutions who are lawyers, accountants, company secretaries or trust companies. 42 What is the difference between “source of wealth” and “source of funds”? Information on the source of wealth and source of funds are good sources of monitoring for the reporting institutions.
- 23. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 22 of 41 NO. QUESTION ANSWER “Source of wealth” refers to the source of a person’s total assets. Documents and information that may reflect the source of wealth of a person include inheritance document, property title, copies of trust deeds, audited accounts, salary details, tax returns and bank statements. It may be possible to gather general information from commercial databases or other open sources. “Source of funds”, on the other hand, refers to the origin of a specific asset used in connection to the business relations with the reporting institution. Source of funds may be determined through enquiry on the customer. In the case of PEPs, both information on the source of wealth and source of funds are to be obtained. Understanding both the source of wealth and source of funds of a PEP is also necessary for on-going due diligence purposes where the aim is to ensure that the reason for the business relationship between reporting institutions, the PEP and the transactions undertaken on the PEP’s behalf, are commensurate with what one could reasonably expect from that PEP, given his/her particular circumstances. Non Face-to-Face Business Relationship 43 Can reporting institutions establish business relationships on non face- to-face basis? Yes, DNFBP and NBFI reporting institutions can establish non face-to-face business relationship with their clients, having put in place policies and procedures to address any specific risks associated with non face-to- face relationships.
- 24. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 23 of 41 NO. QUESTION ANSWER This includes appropriate measures for identification and verification of a client's identity that must be as effective as that for face-to-face client and implement monitoring and reporting mechanisms to identify potential ML/TF activities, as required under paragraph 14.14 of the Policy Document. Before such non face-to-face measures are implemented, reporting institutions are required to seek their Board’s approval (see paragraph 14.14.2 of the Policy Document). 44 Is Board approval required for each new product and services on- boarded via non face-to-face channel / e-KYC? The requirement for Board approval is connected to the risk levels of the product and services. If the process and procedures in place for the said products and services are the same, Board approval is only required once, for all product and services on-boarded via non face-to-face channel or e-KYC. A new approval would need to be obtained when there are changes to the ML/TF risk level of the parameters assessed by the reporting institution. 45 Is it a requirement for non face-to- face business arrangements implemented prior to the effective date of the Policy Document to be approved by the Board of the reporting institutions? The requirements for non face-to-face (non- FTF) do not have a retrospective effect. For non-FTF business relationships, reporting institutions shall ensure their non-FTF arrangements for customer identification and verification of identity is as effective as a face- to-face relationship. Should there be any changes to the ML/ TF risk levels, reporting institutions need to re- assess the parameter and may require a new Board approval.
- 25. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 24 of 41 NO. QUESTION ANSWER Failure to Satisfactorily Complete CDD 46 Can reporting institutions continue business relationship with its customer in the event of a failure to obtain the complete CDD information? Reporting institutions must obtain all CDD information (9 data points) as specified in paragraph 14.10.1 of the Policy Document before continuing any business relationship. In the event of a failure to obtain the complete information, reporting institutions must not continue the business relationship or transaction with the customer and must consider lodging a suspicious transaction report. However, where a reporting institutions form suspicion of ML/TF and reasonably believe that performing CDD may tip-off the customer, the reporting institutions are permitted to proceed to establish business relation or transaction without completing the CDD process, document the basis of not completing the CDD process and immediately lodge a suspicious transaction report. Specific CDD : Lawyers 47 Are lawyers acting on behalf of the seller required to conduct CDD on both the seller and purchaser? The CDD obligation does not extend to both parties to a sale and purchase transaction but applies to the client of the lawyer. If the lawyer is representing a seller, CDD applies on the seller and vice-versa. However, in the course of facilitating the transaction, if any suspicion arises on either party to the transaction, i.e. seller or buyer, the reporting institution may consider submitting a suspicious transaction report on either party to FIED, BNM.
- 26. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 25 of 41 NO. QUESTION ANSWER Specific CDD : Dealers in Precious Metals and Stones 48 Are DPMS reporting institutions required to conduct CDD on their customers for the following transactions?: the transaction involves other goods being sold by the DPMS and does not involve any sale of precious metals nor precious stone; or the transaction involves the sale of precious metals or stones together with other types of goods, however, the value of the precious metals or stones is less than RM50,000. DPMS reporting institutions are required to conduct CDD on customers and persons conducting the transaction when engaging in any cash transaction equivalent to RM50,000 and above, including: in a single transaction or through several transactions in a day that appear to be linked and across all branches of the reporting institution; aggregate payments over a period of time for a single purchase; or for both buying and selling of precious metals or precious stones from or to customers. In view of the above, CDD is not applicable if the transaction does not involve sale of precious metals or precious stones. Specific CDD : Registered Estate Agents (REAs) 49 Are REAs required to conduct CDD on both purchaser and seller, or landlord and tenant of a property in the case of co-broke or co-agency transaction, where both, purchaser and seller, or landlord and tenant are respectively represented by REAs? In the event of a co-broke or co-agency transaction, the REAs are required to conduct CDD on their respective client. For example, REA A representing the purchaser is required to conduct CDD on the purchaser; and REA B representing the seller is required to conduct CDD on the seller. In the absence of co-broke or co-agency arrangement, REA is required to conduct CDD on both parties to a property or tenancy transaction. Please refer to Appendix A for illustration.
- 27. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 26 of 41 NO. QUESTION ANSWER Specific CDD : Licensed Gaming Outlet 50 Can the winning fund be paid to third party instead of to the winner? The AML/CFT requirements do not restrict third party payment. However, in the case that the payment is above RM50,000, the reporting institution must conduct CDD on the third party i.e. either as person conducting the transaction or beneficial owner. Politically Exposed Persons 51 What is the extent of checking required to ascertain information on close associates or family members of PEPs, as a basic internet search may not reveal the required information? Does Bank Negara Malaysia maintain a central database of PEPs? Reporting institutions are encouraged to develop internal references or database in identifying family members or close associates of PEPs. Alternatively, reporting institutions may also refer to public or commercial databases and supplement this with a customer’s self-declaration. Bank Negara Malaysia does not maintain a central database on PEPs, family members and close associates of PEPs. 52 To what extent is the reporting institution required to identify the connectivity to a PEP especially where the connection with close associate can be through multiple layers e.g. close associates of PEP setting up a company with another person(s), work colleagues, etc.? The identification of close associates should be on a best effort basis, based on information obtained and available to the reporting institutions and subject to the risk assessment of the reporting institution. In the case of personal relationships, this can be deduced based on the social, economic and cultural context which can determine the closeness of the relationship. Reliance on Third Parties 53 Can reporting institutions rely on third parties to conduct CDD? Reporting institutions may rely on third parties for the conduct of CDD or to introduce business provided that the relationship between the reporting institution and the third party must be governed by an arrangement that clearly specifies the rights, responsibilities and expectations of all parties, as required under paragraph 16.5 of the Policy Document.
- 28. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 27 of 41 NO. QUESTION ANSWER Nevertheless, the conduct of CDD is the ultimate responsibility of the reporting institution, and must ensure that it is able to obtain the CDD information from the third party, immediately, upon request. Sharing of data is allowed strictly for CDD purposes and subject to prerequisites stated in the above paragraphs. Reporting institutions are to take note that ‘third parties’ in the context of paragraph 16 refers to another reporting institution supervised by Bank Negara Malaysia. It does not include outsourcing or agency relationships because the outsourced service provider or agent would be regarded as synonymous with the reporting institution. 54 What form of “attestation” is required from the third party under paragraph 16.6 of the Policy Document? The “attestation” can be in any form that is mutually agreed by both parties. The “attestation” should clearly specify the rights, responsibilities and expectations of all parties and satisfy the requirements stated under paragraph 16 of the Policy Document. Higher Risk Countries 55 How do reporting institutions deal with higher risk countries? Paragraph 17 of the Policy Document deals with higher risk countries that are called for by the FATF or by the Government of Malaysia as well as other jurisdictions that have strategic AML/CFT deficiencies for which they have developed an action plan with the FATF. This includes conducting enhanced CDD and applying effective countermeasures, when required. For further details on dealing with customers from higher risk countries, please see Appendix B.
- 29. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 28 of 41 NO. QUESTION ANSWER Reporting institutions should refer to the FATF website for the latest list of higher risk countries or the latest circular issued by Bank Negara Malaysia and any change in that requirements at: https://amlcft.bnm.gov.my. 56 Where can reporting institutions source for a list of higher risk countries issued by the Government of Malaysia? Bank Negara Malaysia will publish any higher risk countries that have been officially specified by the Government of Malaysia, by way of circular. Such specification has yet to be made at the date of the publication of this FAQ. 57 Are reporting institutions refrained from providing services to customers from higher risk countries subject to a call for action by FATF? Reporting institutions are not refrained from dealing with customers originating from countries that are subjected to a call for action by the FATF. Clients from such countries are subjected to more stringent CDD requirements as stipulated under the Policy Document. Cash Threshold Report (CTR) 58 Are all reporting institutions under the AMLA required to submit CTRs? At the time of publication of this FAQ, CTR obligation of RM25,000 and above in a day, pursuant to section 14(1)(a) of the AMLA, is applicable only to banking institutions, selected prescribed development financial institutions, Lembaga Tabung Haji and licensed casino. Other reporting institutions are not yet required to submit CTR. Nevertheless, Bank Negara Malaysia will continue to conduct assessments on reporting institutions from time to time. Reporting institutions will be notified if the CTR obligations become applicable to them.
- 30. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 29 of 41 NO. QUESTION ANSWER Suspicious Transaction Report (STR) Reporting Mechanism 59 Can a senior management of the reporting institution, who is not the appointed compliance officer evaluate and report suspicious transaction to FIED, BNM? Only the appointed compliance officer has the sole discretion and independence to evaluate and report suspicious transactions to FIED, BNM. In this regard, the reporting institution must ensure that the appointed compliance officer has the sufficient stature, authority and seniority within the reporting institution to be able to make effective AML/CFT related decisions, including STR submission. 60 What is the threshold for reporting of suspicious transaction? There is no threshold for reporting of suspicious transaction. It is based on any suspicion that arises when establishing business relationship or conducting a transaction regardless of any amount. However, a reporting institution may set an internal threshold based on the reporting institution’s own risk assessment. 61 Should reporting institutions continue to submit STRs for the same customer or should reporting institutions update the details in the previous STR case filed? As per paragraph 19.2.10 of the Policy Document, where an STR has been lodged, reporting institutions may opt to update or make a fresh STR as and when a new suspicion arises. Reporting institutions are encouraged to submit a new STR if there is new critical information. Where a new STR is submitted, reporting institutions should include the previous reference number (or date of submission, if submitted manually) as part of the reporting description. Internally Generated STRs 62 What is the duration for the reporting institutions to maintain the internally generated reports and supporting documents? These reports and supporting documents are to be kept for at least 6 years, as specified under the Record Keeping requirements in paragraph 21.3 of the Policy Document.
- 31. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 30 of 41 NO. QUESTION ANSWER 63 Can reporting institutions maintain internally generated reports in soft copy form, e.g. excel format? Reporting institution must ensure that any internal STRs and supporting documents or records must be made available to the relevant supervisory authorities upon request, as required under paragraph 19.4.2 of the Policy Document. The information must be maintained in a form that is admissible as evidence in court pursuant to the Evidence Act 1950. Record Keeping 64 Is record keeping requirement applicable to attempted customer? The record keeping requirement is only for existing customers who have entered business relationship with reporting institutions, and not applicable on attempted customers. However, if an STR has been submitted on an attempted transaction or customer, the relevant records must be kept and be made available if required by law enforcement agencies or the supervisory or competent authorities. 65 Where documents are kept in multiple different forms (e.g. physical copies or in electronic format), what are the expectation on the requirements? Reporting institutions must ensure that all the retained forms of record keeping remain relevant and are kept up-to-date. They must also conform to section 15 of the AMLA on centralisation of information collected to provide timely information to reporting institutions to enable detection of irregularities and/or any suspicious activity. The information must also be maintained in a form that is admissible as evidence in court pursuant to the Evidence Act 1950.
- 32. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 31 of 41 NO. QUESTION ANSWER Management Information System (MIS) 66 Is there any restriction for reporting institutions to keep their MIS’ server offshore? There is no restriction on how the centralisation of CDD information and transaction monitoring should be performed, as long as the MIS is able to provide the reporting institutions with timely information and enable the reporting institution to detect any irregularity. In addition, the reporting institutions must be able to provide records, when required by the supervisory or competent authorities or law enforcement agencies, in a timely manner. Reporting institutions need to assess and satisfy themselves that such arrangement of the infrastructure is in compliance with other secrecy obligations pertaining to customer information, where applicable. Targeted Financial Sanctions Definition 67 What is the definition of “without delay”? “Without delay”, in respect of maintenance of sanctions list and freezing, blocking and rejecting is ideally within a matter of hours of designation by the United Nations Security Council (UNSC) or its relevant Sanctions Committee or the Minister of Home Affairs. The aim is to prevent the flight or dissipation of funds or other assets which are linked to terrorists, terrorist activities, financing of terrorism or financing of proliferation of weapons of mass destruction. Reporting institutions may refer to the following websites for the lists: UNSCR Lists: https://www.un.org Domestic List: http://www.federalgazette.agc.com.my
- 33. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 32 of 41 NO. QUESTION ANSWER Maintenance of Sanctions List 68 How often does the UNSCR Lists and Domestic List get updated? How can reporting institutions know when there is an update? Reporting institutions are required to keep updated with the UNSCR Lists and Domestic List, which is updated without any specific intervals. In this regard, reporting institutions shall refer the UNSCR and Ministry of Home Affairs' website (and the relevant subsidiary legislation or Gazette Orders) regularly to ensure the lists maintained remain updated and relevant. 69 Does the delisting of individuals and entities from UNSCR list automatically remove them from the Domestic List? No. Removal from UNSCR list does not automatically mean that the entities are removed from the Domestic List. The delisting from Domestic List will only take effect upon publication of the Gazette to declare the removal of such specified entities through the relevant subsidiary legislation issued by the Minister of Home Affairs. Sanctions Screening 70 Are reporting institutions required to screen every director, shareholder, nominee and company names against the UNSCR Lists and Domestic List for legal person customers? Reporting institutions are required to conduct sanctions screening on existing, potential or new customers against the UNSCR Lists and Domestic List which state names and particulars of specified or designated entities as declared by the UNSC or Minister of Home Affairs, as part of the customer due diligence process and on-going due diligence. For customers which are legal persons, reporting institutions are required to screen the name of the customer, i.e. companies, bodies corporate, foundations, partnerships, or associations and other similar entities, as well as the beneficial owners, i.e. directors, shareholders including nominees, against the sanctions lists.
- 34. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 33 of 41 NO. QUESTION ANSWER 71 In conducting sanctions screening, reporting institutions may perform name searches based on a set of possible permutations. What does this refer to? This refers to various ways of conducting search against the UNSCR Lists and Domestic List, for example, varying sequence and order of keywords of a name or the use of different spelling of a name, to prevent unintended omissions. Further, to eliminate false positives, reporting institutions may make enquiries for additional information and identification documents from the customer or credible sources to assist in determining whether the potential match is a true match or may direct any query to FIED, BNM, in the case of similar or common names. Dealing with False Positive 72 Must reporting institutions match all identifiers for parameters of a true match or could matching at least 2 of the identifiers be sufficient? Reporting institutions are required to ascertain that potential matches are true matches and not false positives. It is the reporting institution’s responsibility to take further measures or steps (e.g. make further inquiries for additional information, etc.) to determine whether the potential match is a true match. Reporting institutions are to ensure that the identifiers are strong and corroborative for the reporting institution to make their own assessment on the parameters used to ensure true matches. Related Parties 73 Who would fall under the definition of “related parties”? Related party refers to: (a) person related to the funds, other financial assets or economic resources that are wholly or jointly owned or controlled, directly or indirectly, by a designated person; and (b) a person acting on behalf or at the direction of a designated person.
- 35. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 34 of 41 NO. QUESTION ANSWER Based on the above, it may extend to shareholders, directors, authorized person, senior management and also the beneficial owner. Freezing, Blocking and Rejecting – Customers and Related Parties 74 In the event of name match after funds have been deposited into the reporting institution’s clients account, how are such funds to be treated? Reporting institutions are required to hold or freeze funds deposited by a listed individual or entity into their clients’ account until its delisting or the sanction is uplifted. 75 In relation to targeted financial sanctions, are reporting institutions allowed to inform the customer why their accounts or transactions have been frozen, blocked or rejected? Reporting institutions are only allowed to inform the customer on the reason why the account or transaction has been frozen, blocked or rejected for publicly listed names, e.g. under the Gazette Orders, UNSCR Lists, etc. 76 Is there a need for the reporting institution to freeze a loan or financing account or pawn items in the event of name match against the sanction lists? A loan / financing account should not be frozen and can continue to receive repayments. However, when the repayment is completed, the property, pawn items or vehicle, if any, must not be redeemed, transferred or sold. 77 Can reporting institutions transfer any funds from a frozen account to the Registrar of Unclaimed Moneys under the Unclaimed Moneys Act 1965? Funds are to remain frozen as long as the specified entities remained listed. No dealing with the funds is allowed, which includes the transfer of funds to the Registrar of Unclaimed Moneys. 78 Can reporting institutions decide to freeze, block or reject any positive matches with individuals or entities listed in other unilateral sanctions lists? In relation to unilateral sanction list such as those by the US Department of Treasury, the decision whether to freeze, block, reject or conduct transaction with persons listed under the unilateral list should be based on the reporting institution’s own assessment and its risk appetite. Reporting institutions may consider submitting STR on any positive name match with individuals or entities listed in other unilateral sanctions list.
- 36. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 35 of 41 NO. QUESTION ANSWER Allowable transactions 79 Are reporting institutions permitted to receive payments for loan or financing account of the specified entities? Yes. Reporting institutions are permitted to receive payments into the specified entities loan or financing accounts. However, should the payment be for the purchase of assets, the assets should remain frozen even after the full settlement of the financing facilities i.e. no transfer of ownership to the specified entity or a third party. In the event of any non-payment of loans, the reporting institution shall not proceed with legal action or any subsequent court process without prior application to, and approval by: (a) the Minister of Home Affairs for Domestic List and UNSCR Lists for terrorism financing; or (b) the Strategic Trade Controller for UNSCR Lists for proliferation financing and others sanctions regime. 80 Can reporting institutions close any account where loans are not serviced? Reporting institutions may close any account where loans are not serviced, only upon approval from: (a) the Minister of Home Affairs for Domestic List and UNSCR Lists for terrorism financing; or (b) the Strategic Trade Controller for UNSCR Lists for proliferation financing and others sanctions regime. Reporting on Positive Name Match 81 In the event of a positive match, are reporting institutions required to submit STR to FIED, BNM in addition to the submission of a TFS determination report? Yes. Submission of STR is still required in addition to submission of TFS determination report. The STR should contain further information beyond the information reported in the TFS determination report, for example, details of related transactions or parties.
- 37. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 36 of 41 NO. QUESTION ANSWER 82 If there is no name match with the specified entity or designated person, is a reporting institution still required to submit the determination and periodic reporting forms? Reporting institutions are not required to submit determination or periodic reporting form in the event of no name match with the specified entity or designated person. Appendices Forms and Template 83 Are the forms and templates intended as a guide or must be incorporated in the reporting institution’s policies and procedures? It is a combination of guidance and compulsory to be used forms, as follows: Forms or template under Appendices 3, 4 and 9 are intended as guidance, which can be amended and incorporated as part of the policies and procedures accordingly. Forms under Appendix 5 for suspicious transaction reporting, as well as Appendices 6A, 6B, 7A and 7B for targeted financial sanctions reporting must be adopted as is.
- 38. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 37 of 41 APPENDIX A
- 39. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 38 of 41 Sector Specific CDD for REAs CDD on both parties to a property sale and purchase or tenancy transactions
- 40. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 39 of 41 APPENDIX B
- 41. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 40 of 41 End of document.
- 42. FAQs on AML/CFT and TFS for DNFBPs and NBFIs Page 41 of 41 This page has been intentionally left blank.