Anti-Money Laundering Risks for Global Companies

Anti-Money Laundering Risks for Global Companies (Part I of III)

BY MICHAEL VOLKOV · NOVEMBER 27, 2017

Non-financial institution companies operating in the global marketplace face ever-increasing risks of money laundering. Sophisticated criminal organizations have developed their own mechanisms and strategies to skirt money laundering rules and regulations.

The Justice Department has targeted transnational organized crime for investigation and prosecution. As a consequence, non-financial institutions have to examine their policies and procedures to protect against handling proceeds of criminal activity or otherwise facilitating money-laundering operations.

Money Laundering Statutes

The complex set of money laundering statutes and regulations apply to “financial institutions,” as defined under Title 31 of the United States Code. However, non-financial institutions are subject to two basic AML criminal statutes, 18 United States Code Sections 1956 and 1957. The Department of Justice can initiate criminal and/or civil actions under 18 USC §1956. In view of these requirements, companies need to conduct an AML risk assessment to tailor its AML program; and adopt KYC best practices as part of its AML compliance program.

The Bank Secrecy Act (“BSA”) and the USA PATRIOT Act are the two primary U.S. AML laws that apply to “financial institutions.” The BSA was designed to deter secret banking activities abroad and to provide an audit trail by establishing regulatory reporting and recordkeeping requirements for financial institutions. The USA PATRIOT Act enhanced requirements for AML Programs and expanded the coverage of AML laws to certain non-banking financial institutions.

U.S. businesses are subject to two basic AML statutes, 18 USC §1956 and §1957.

Under Section 1956, it is unlawful to “conduct[] or attempt[] to conduct” a financial transaction with proceeds known to be derived from illegal activity. The statute sets forth a variety of predicate illegal acts for purposes of the money laundering statute, including FCPA violations.

Under Section 1957, it is illegal to conduct a monetary transaction in an amount greater than $10,000 with property known to be derived from criminal activity.

Violations of Section 1956 are punishable by imprisonment for not more than 20 years; Section 1957 carries a maximum penalty of imprisonment for 10 years.

Under the civil forfeiture statute, any property “involved in” a money laundering transaction, or “traceable” to property involved in such a transaction, may be subject to forfeiture. Civil forfeiture may also be sought with respect to proceeds derived from or traceable to any offense that the money laundering statute defines as “specified unlawful activity” – a category that includes felony violations of the FCPA.

These two money-laundering statutes have broad application and can apply to companies and individuals who knowingly, or with “willful blindness,” conduct a prohibited financial transaction. It is not necessary for the person or entity to know the specific unlawful activity that generated the illegal proceeds or facilitated the illegal activity.

Key Elements of an AML Compliance Program

A risk assessment should be the first step to design an AML compliance program. Once a risk assessment has been performed, a company should design its compliance program to target resources toward the highest risks. Key elements of a compliance program are:

• Board and senior management support and reinforcement
• Customer risk assessments
• Know Your Customer (“KYC”) program
• Designated AML compliance officer with appropriate resources
• Dedicated, skilled resources including technology
• AML training customized to different audiences
• Robust reporting requirements that includes metrics to measure and monitor risks
• Ongoing monitoring and periodic independent testing of the effectiveness of the program

Customer risk assessments are intended to identify the level of inherent risk in different types of customers. The Federal Financial Institutions Examination Council’s BSA/AML Examination Manual cautions not to “define or treat all members of a specific category of customer as posing the same level of risk.”

Customer risk assessments are usually conducted at the inception of a new client relationship and should be re-evaluated when new, relevant information is learned, or when a customer expands into a new high-risk area, or adverse media is discovered.

Financial institutions are directed to consider the following when assessing money-laundering risks of customers:

• Occupation or nature of business
• Method/ channel of account opening (e.g. face-to-face, mail, Internet)
• Length of relationship with client
• Prior experience with and knowledge of customer and his/her/its transactions
• Source(s) of income
• Type(s) of product(s)/ service(s) provided
• Expected pattern of activity and actual activity in terms of transaction types, dollar volume and frequency
• Geographic considerations (e.g. residency or principal place(s) of business, incorporation, citizenship, origination/ destination of funds, location of primary customers)
• Status as or relationship with other high-risk individuals/ entities (e.g. PEPs).

Non-financial institution companies have unique anti-money laundering risk profiles. Global companies do not process as many financial transactions as a financial institution. However, global companies conduct financial transactions with third parties and their vendors and suppliers. In the second part of this posting, we will examine these risks and mitigation strategies.

Addressing AML Risks in Your Third-Party and Vendor/Supplier Relationships (Part II of III)

BY MICHAEL VOLKOV · NOVEMBER 28, 2017

Global companies should incorporate AML risks into their risk analysis of their third-party distributors, agents and other intermediaries. The basic questionnaire, due diligence risk analysis, contractual provisions, training, and partner code of conduct should reflect attention to this risk.

To the extent that global companies rely on a network of third-party distributors and sub-distributors, global companies should include contractual provisions to flow-down policies and requirements to sub-distributors and other entities in the distribution chain.

Global companies also should examine their vendors and suppliers for potential AML risks. In contrast to its distribution channel, where global companies receive money, global companies’ AML risks are less significant in its supply chain because of the lower risk that a supplier’s supplier (or vendor’s vendor) may be involved in criminal activity and attempting to launder proceeds through the sale of a product or service.

Global companies face AML risk through two primary money laundering techniques: (1) trade-based money laundering, where criminals utilize cross-border transactions to obfuscate the source or destination of funds, and (2) third party payments, where money is given to or received from a different entity than the services were received from or provided to in order to transfer funds without utilizing traditional banking routes subject to tighter financial controls.

Despite the comparatively low AML risk, for significant vendors and suppliers, global companies should conduct appropriate AML due diligence as part of the procurement process and incorporate AML issues into the procurement due diligence process.

Similar to its distributors, global companies should leverage its relationships with its major vendors and suppliers and enlist the support of the vendors and suppliers to mitigate AML risks further down the supply chain.

KYC CDD Best Practices

“KYC” refers to the steps taken by a financial institution (or business) to:

• Establish the identify of the customer
• Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
• Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities

A best-practices KYC program will include the following:

• Customer Identification Program (CIP): collection, verification and recordkeeping of customer identification information and screening of customers against lists of known criminals.

A CIP is the starting point for any KYC process. In the financial institution context, a best practice is for the relationship manager to initiate the CIP process but coordinate and communicate with the due diligence manager.

• Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and asses the risks associated with that customer.
• Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. Customer risk assessments can be used to determine which level of due diligence to apply (CDD v. EDD).

In implementing this component, clear, defined processes are essential. A consistent method of onboarding third parties indicates that an organization takes KYC seriously. All processes should be thoroughly documented to create a strong audit trail of decisions made. A company should keep an internal database with approved and disapproved third parties, vendors and suppliers to avoid duplication of effort.

At a minimum, due diligence should confirm beneficial owners, sanctions list screening of beneficial owners and relevant entities, politically exposed persons (“PEP”) involvement, and other government database checks. To confirm whether or not an owner is a PEP, global companies should initially identify the owners of the customer, conduct reference checks, review database sources and Internet checks, and, if necessary, interview the individual and possibly other owners.

In determining what level of due diligence is appropriate (CDD v. EDD), a company should look for “red flags” relating to:

• Location of the business
• Occupation or nature of business
• Purpose of the business transactions
• Expected pattern of activity in terms of transaction types, dollar volume, and frequency
• Expected origination of payments and method of payment
• Articles of incorporation, partnership agreements and business certificates
• Understanding of the customer’s customers
• Identification of beneficial owners of an account or customer
• Details of other personal and business relationships the customer maintains
• Approximate salary or annual sales
• AML policies and procedures in place
• Third-party documentation
• Local market reputation through review of media sources

EDD steps may include senior management approval, additional due diligence investigations, on-site visits, contractual certifications, third-party audits, and source of funds certifications,

Conducting EDD on all customers is burdensome and undermines the purpose of a risk-based AML Program. By nature, some customers will inevitably present lower risks than others.

• Ongoing Monitoring: The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.

Best practices for financial institutions include transaction monitoring systems and refreshing due diligence information every six to twelve months.

Incorporating AML Compliance Into a Compliance Program (Part III of III)

BY MICHAEL VOLKOV · NOVEMBER 29, 2017

Global companies should implement an AML program and KYC practices that follow the general outline for best practices, though it does not need to be as rigorous as a financial institution.  For most companies, AML risks can be addressed in existing policies and procedures and would not require extensive additions to a compliance program.

However, a company has to document its risk assessment, mitigation strategies and implementation.  It requires some time and attention but for most companies should be a relatively minor burden in comparison to other more significant risks.  A basic AML program for non-financial institutions is an important back up to other more critical compliance program elements, and provides important protections against real and significant reputational risks.

A program that focuses on clearly defining processes to carry out the three key KYC areas (CIP, Due Diligence and Ongoing Monitoring) should be tailored to address the specific risks identified through a formalized risk assessment program.

A basic AML and KYC process should include the following:

1. Distributor and Reseller Information: Global companies should collect relevant information from its customers to enable a customer risk assessment based on the specific factors outlined above. Pubic data and intelligence databases should be employed as part of the assessment process.
2. CDD v. EDD Process: Global companies have to define in advance a process for distinguishing between CDD and EDD requirements for AML risks. It is important for global companies to conduct a risk assessment and use that risk assessment to identify relevant factors to determine whether to conduct a CDD or EDD for a specific distributor or reseller. The projected revenues, the geographic location, beneficial owners of the distributor or reseller, and possible PEP involvement will be important factors in this analysis.
3. Beneficial Owners: It is important, for anti-corruption, sanctions and AML compliance that global companies identify the beneficial owners of its distributors and resellers. That can be a very challenging process, especially in high-risk countries such as Russia and China. Each beneficial owner has to be screened for corruption, sanctions and AML risks.
4. Flow-Down Compliance: While global companies do not deal directly with sub-distributors or resellers, global companies should consider taking some steps to ensure that its distributors verify information and monitor transactions with resellers. In addition, global companies may build into its anti-corruption due diligence program a set of questions or follow up issues to collect information needed to assess AML risks among selected resellers. This information could be shared with distributors to increase monitoring of high-risk resellers.
5. Monitoring and Auditing: Global companies should incorporate into its monitoring and/or auditing programs a process to identify relevant trends and transactions that may raise AML risks. For example, if a distributor is expected to engage in a range of transactions and subsequently conducts numerous transactions well-above the expected range, global companies should have a mechanism to trigger notification of compliance staff so that follow-up inquiries can be made as to the reasons for the transactions.
6. Policy and Contract Review: Global companies’ existing policies and procedures should be reviewed for consistency and definition of its AML compliance program and policies and procedures. Similarly, global companies should review all of its written contracts with distributors, resellers, vendors and suppliers to ensure that AML risks, responsibilities, termination procedures and audit rights are addressed.
7. Documentation: Global companies have to maintain documents related to its AML compliance program, including due diligence, monitoring and auditing activities. Documentation is critical for evaluating its AML program as well as protecting companies from government investigation and enforcement actions.

reference: https://blog.volkovlaw.com/2017/11/anti-money-laundering-risks-global-companies-part-iii/