What is KYC?
KYC, Know Your Customer, has evolved in its importance to become an integral part of any business providing corporate services to their customers. As it suggests, KYC, in simple terms, is to know your customer well enough to ensure that they are clean and not involved/have been involved in criminal offences such as money laundering (ML) and financing of terrorism (FT). The fundamental procedure of KYC includes a traditional due diligence form of the individuals and their business.
According to the UNODC (United Nations Office on Drugs and Crime), the estimated amount of money being laundered annually is 2 – 5% of global GDP, or US$800 million – US$2 trillion and this total amount has consistently increased over the years.
As money laundering activities rise, the importance of KYC and AML procedures increases simultaneously. Several jurisdictions have tightened their regulations on KYC and AML practice, and not paying heed to them will result in unwanted and unnecessary fines for you and your business. Besides a regulatory obligation, it is also a moral obligation of businesses to have a comprehensive procedure.
Regulatory Requirements in Singapore
Singapore is a part of the FATF (Financial Actions Task Force), an intergovernmental organization that combats money laundering. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is therefore a “policy-making body” which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.
The law requires all CSPs (Corporate Service Providers) and RFAs to have an IPPC (Internal Policies, Procedures and Controls). The purpose of this document is to outline the measures that a CSP or RFA takes internally to prevent themselves from engaging with any customers with criminal affiliations, mainly against money laundering and financing of terrorism. As per the ACRA, the IPPC should cover the following areas:
a. Customer due diligence measures and ongoing monitoring
RFAs and CSPs have to identify their customers and agents and verify their identities based on documents, data and information. These are usually passports, identification cards or driving licenses. They should do the same in the case where there is a beneficial owner who is not the customer. This does not hold true when the beneficial owner is in relation to a customer that is a Singapore government entity, listen on the Singapore Exchange, a foreign government entity, an entity listed on a stock exchange outside Singapore, a financial institution in Singapore or incorporated or established outside Singapore.
For customers in foreign companies where the jurisdiction doesn’t allow the FA to obtain corporate documents, it should have the foreign company’s identity, it should have the foreign company’s identity verified independently by a person responsible in that foreign jurisdiction for the regulation of these companies.
These checks are generally carried out before the establishment of a business relationship (if not before, the FA must do so within 14 days of engagement) and when there is a suspicion of money laundering or financing of terrorism.
ACRA has provided a Customer Acceptance Checklist under Annex C of the AML/CFT Guidelines, 2015, that adheres to the minimum requirements of KYC checks. It is recommended that RFAs and CSPs adopt this checklist and customise it to suit their business.
A registered FA and CSP should also conduct on-going monitoring of their existing business relationships by keeping a close eye on the transactions being undertaken, keeping and maintaining the documents and data by ensuring they are up to date and accurate. KYC checks for these business relationships must be done in regular intervals and especially when there is material change in the customer’s business such as change in directorship.
b.Making of suspicious transaction reports
A registered FA should have procedures put in place to report suspicious transactions. The minimum areas to be covered, as per ACRA, are:
- Persons to whom they have to report
- Avenue to report suspicious transactions
- Information required to be a suspicious transaction
- Timeliness of suspicious transaction
The compliance officer or senior management is required to report to the Suspicious Transaction Reporting Office of the Commercial Affairs Department within 15 days of the case being detected.
A registered FA is required to keep all the documents and data of the customer due diligence that is carried out pre business engagement, as well as the ones of ongoing monitoring. All these records must be kept for a period of 5 years after the business relationship has ended. The data should be kept in an organised format to the discretion of the FA and must be readily available for examination by the ACRA.
d.Risk Assessment and Management
All FA’s must apply a risk-based approach that allows them to vary the magnitude of the customer due diligence and ongoing monitoring. As per the ACRA, the registered FA should take the following steps at minimum in applying a risk-based approach:
- Identify the money laundering and financing of terrorism and proliferation risks faced by the registered FA
- Assess the risks identified according to various categories, for example, customers (including their layers of structures, scale of activities), services or transactions provided, and countries or territories where the customers are from or in
- Design different extent of controls (for example, different extent of customer due diligence measures for different categories of customers) to mitigate the assessed risks
- monitor the implementation of these controls and enhance them if necessary;
- document the risk assessment, keep it up to date and provide the risk assessment information to ACRA when required by ACRA
e. Audit of the internal policies, procedures and control
A registered FA shall establish internal policies and procedures to audit the IPPC in order to regularly assess the effectiveness of the IPPC. These audits can also be outsourced to an external auditing entity or an internal auditor that is sufficiently independent to remove any element of bias.
f. Monitoring and management of compliance with, and the internal communication of, the internal policies, procedures and controls
A registered FA should have internal communications procedures to communicate its IPPC, appoint an employee or office in a management position as one of its compliance officers in relation to anti money laundering and countering the financing of terrorism and proliferation measures. The compliance officer must be trained, qualified, and has adequate resources and timely access to all customer records and other relevant information which he requires to discharge his functions.
g. Hiring and training employees
As per the ACRA, a registered FA, when it comes to their employees, shall:
- Implement screening procedures for the hiring of fit and proper person as employees
- Ensure that its employees are trained on the laws and methods for the prevention of money laundering and financing of terrorism and proliferation
- Ensure that its employees are trained on its IPPC, including the roles and responsibilities of employees and officers of registered FA in relation thereto.
For more detailed information on these guidelines, please refer to the original document issued by ACRA here.
How will Argus Help?
As outlined above, there is a lot that goes into an IPPC and materializing it yourself can take out time from your already busy schedule. Argus can help your business write up a complete and comprehensive set of guidelines that will put forth a very effective AML/CFT programme. Not only will we ensure it meets the regulatory requirements of institutions such as ACRA, but also tailor it to your business based on its internal functions. Our team of experienced professionals is ready to help you. Contact us now.