DFSA publishes analysis and guidance on the new annual money laundering return
The Dubai Financial Services Authority has published analysis and guidance on the new annual money laundering return.
The DFSA has taken a long, hard look at the first iteration of the new style of money laundering returns submitted and has taken the time to analyse the information submitted, give further guidance on key issues and provide some detail on both good and poor practices.
The main issues arising include the lack of consistent senior management sign-off of the new anti-money laundering (AML) return. The DFSA reported that a "significant number" of firms did not properly identify their senior management and/or failed to obtain their acknowledgement and sign-off as is required by the new requirements.
Senior managers should be aware that the required sign-off is one way they can demonstrate appropriate oversight and responsibility for the firm's compliance with its AML obligations.
In the area of customer due diligence most firms were able to document and provide evidence of the processes in place when onboarding new customers and such steps were generally seen as being well-articulated and clear. Areas where firms needed to review their approach included the need to conduct continuing customer due diligence procedures such as transaction monitoring.
Business AML risk
The DFSA found that the quality of firms' AML risk assessment documentation varied considerably, ranging from "very good to very poor". Specific areas for improvement included the need for firms to tailor their assessments to their business activities and to obtain buy-in from all relevant areas of the business, including senior managers, compliance and the business lines. The DFSA has spelt out examples of good and poor practice. Among the good practices found were:
- Risk assessments which included input, discussion and acknowledgement from compliance, business lines heads and senior managers and provided details of how to mitigate each risk.
- Individual consideration of relevant risk factors, e.g., complex company or legal structures, risks posed by potential customers from particular jurisdictions, risks posed by specific products including trade finance and private wealth management.
- References to material and information supporting the analysis of AML risks, such as the Financial Action Task Force (FATF) mutual evaluations reports, corruption indexes and AML indexes.
- An analysis of individual AML risks with conclusions on the likely impact these risks might have on the business.
- Identification of risks requiring additional due diligence and, equally as useful, the identification of areas where the risks were lower and where simplified measures could therefore be adopted.
Poor business AML risk practices included:
- Some firms had failed to undertake any of the required assessment or had simply referenced their AML policies and procedures, which did not contain any assessment of AML risks.
- Poor-quality assessments of business AML risks included assessments which merely re-stated the requirements of the rulebook without any tailored considerations of how these factors affected the firm. These assessments were vague, and so high-level that they could not have provided the firm with any assistance in formulating their risk-based AML compliance programmes.
- Some firms provided generic risk management reports which were not AML-specific.
Assessment of customer AML risk
The DFSA found that most firms had a good grasp of the factors to be taken into account when assessing the specific risks posed by customers. That said, some customer assessments placed too great an emphasis on the country of origin of the customer without giving due consideration to the associated product or service risk.
Issues were also seen in the quality of documentation, and the DFSA identified the need for firms to maintain a complete suite of evidence, to enable all information known about the customer to be shared within the firm. As with the assessment of business AML risk, the DFSA has set out some good and poor practice examples. The good practice examples include:
- A clearly-documented formula and methodology for risk-rating customers, with differing and specific weightings placed on different risk elements such as product risk, quantum of customer investment and politically exposed person (PEP) status.
- The development and implementation of the methodology set out above into databases, spreadsheets and other electronic systems to enhance automation efficiencies and ensure consistent application and documentary evidence of the assessment.
- The use of the guidance provided by the DFSA regarding factors that may indicate a customer poses a higher risk of money laundering or, where such guidance is not applicable, the reasons for not considering the guidance should be documented.
- Organised lists of customers, categorising their AML risk, and using such lists to inform their continuing customer due diligence such as risk reviews and screening.
Poor customer AML risk practice examples include:
- Failure to document the reasoning behind the risk rating assigned to a customer.
- Sole or over-reliance on jurisdiction or country risk when determining a customer's risk rating. Such an approach fails to take into account that not all individuals from the same country will present the same overall AML risk.
- Firms taking a blanket approach to risk rating customers, either assigning all customers a standard risk or high risk regardless of individual risk elements. This was more prevalent in firms with small customer numbers but can result in either not enough, or too much, customer due diligence being undertaken. This is also likely to become problematic should customer numbers increase.
Overall, the DFSA has concluded that the analysis of the 2014 AML returns reiterates its continued focus on AML related risks. The regulator is considering a specific financial crime thematic review which could focus on:
- Risk-based approach: ensuring risk-based assessments undertaken are objective and proportionate, based on reasonable grounds, properly documented and reviewed and updated at appropriate intervals.
- Continuing customer due diligence: assessing the appropriateness and quality of continuing customer due diligence, in particular continuing risk reviews and transactions monitoring.
- Suspicious activity reporting: improving the internal escalation process for the notification of suspicious activities and transactions and enhancing the quality of external suspicious activity reports submitted to the Anti-Money Laundering Suspicious Cases Unit of the Central Bank of UAE.
Compliance tips and next steps
There are many points for firms to take from the DFSA analysis and guidance on the first submission of the new style of AML returns. First and foremost is that the DFSA has been deliberately lenient with firms regarding this first round of submissions and has stated that it anticipated the "first round of annual returns would present a number of improvement opportunities". The DFSA has also made it crystal clear that it expects firms to learn from the findings of the analysis and will have "higher expectations for improvements in the timeliness and quality of future submissions".
The reference to higher expectations is a warning shot, and one to be taken extremely seriously by all firms, particularly in the light of the April 2015 fine imposed on the Dubai International Financial Centre branch of Deutsche Bank. The Deutsche Bank branch was fined $8.4 million and agreed to a number of directions. The branch settled early in the enforcement process, without which the fine would have been $10.5 million.
The crux of the issue was whether or not the firm was advising and arranging for customers rather than simply referring and introducing them to other part of the group. The private wealth management business of the branch was deemed to have misled the DFSA as to its activities. The firm finally confirmed to the DFSA in January 2014 that the business was in fact advising and arranging for customers (with all of the associated regulatory requirements regarding client on-boarding and the prevention of money laundering).
The guidance also aims to help firms to assess the adequacy of their financial crime systems and controls and remedy deficiencies, as well as to adopt a more effective, risk-based and outcomes-focused approach to mitigating financial crime risk. As such, some of the suggestions and practices (both good and poor) may be a useful additional source of assistance for DFSA-regulated firms when assessing the adequacy of their risk-based approach to AML compliance.
Susannah Hammond is a regulatory intelligence expert in the Compliance, Audit and Risk division of Thomson Reuters Governance Risk and Compliance; the views expressed are her own.
DFSA - ANNUAL ANTI-MONEY LAUNDERING RETURN ANALYSIS AND GUIDANCE (APRIL 2015)