AML: compliance culture and reporting obligations
The Cyprus Securities Exchange Commission (CySEC) following a series of updates and issuing circulars along with relevant directives, is arguably putting emphasis on proactively encouraging firms to ensure compliance with the Anti-Money Laundering and Financing Terrorism (AML/CFT) Law. CySEC’s main objective is to ensure the establishment of high standards in investor protection, as well as the application of best practices by the obliged entities.
The regulator’s objective is supported by the introduction of the CySEC Directive for the Prevention and Suppression of Money Laundering and Terrorist Financing, which came into force in May 2019. The announcement of the Anti-Money Laundering examinations for those appointed as AML compliance officers, in all CySEC regulated entities followed suit in December, 2019. Additionally, we wait for the regulator to announce the transposition of the EU 5th Anti-Money Laundering Directive (AMLD) into national legislation.
In this commentary, SALVUS team provides guidance into the creation of a strong AML compliance culture within the organization and discusses the obligations of all stakeholders and their annual training requirements.
We further provide the gist of relevant key concepts in the AML examinations, for candidates preparing towards the AML certification examination.
Establish a strong compliance culture
All obliged entities should aim to establish a strong compliance environment, which will supersede the profit-making activities or other business priorities, designed to:
- comply with the relevant national regulatory framework,
- manage and mitigate the risks the entity is exposed to,
- protect the entity against ML and TF, while protecting the entity’s brand and reputation,
by employing the following:
- designate a Compliance officer to supervise the day-to-day procedures of the compliance function,
- implement a system of internal policies, controls and procedures, which is based on a risk-based approach (RBA),
- design an ongoing employee training program, and
- assign an independent audit function to monitor and evaluate on an ongoing basis the effectiveness of the policies, controls and procedures that have been implemented.
The Board of Directors (BoD)
The responsibilities of the entity start and end with embedding the compliance culture via the commitment of the Senior Management and the BoD, to:
– appoint a Compliance officer, an alternate Compliance officer*, an assistance Compliance officer (if required), and determine their duties and responsibilities within the risk management and procedures manual. Further, the entity must communicate to CySEC the names, positions and contact details of the appointed persons.
– determine the necessary policies, controls and procedures based on the entity’s risk assessment and risk appetite.
– approve the Internal AML policies, together with the entity’s manual where all AML procedures, policies and controls are stated. Further, the BoD to assess and approve the Compliance Officer’s Annual AML Report and take the necessary actions to remedy any weaknesses and/or deficiencies identified in the report.
– ensure all the policies, controls and procedures are communicated to all employees of the organization dealing with Clients’ transactions, and they are trained to ensure compliance with laws and regulations,
– establish a clear and quick reporting chain to ensure all suspicious transactions along with the relevant information is passed without delay to the Compliance Officer.
* The alternate Compliance officer can be outsourced, if the appointed officer is a natural person and not a legal person.
** An executive or non-executive director shall be designated and be responsible for the implementation and provisions of the AML/CFT Law, directives and circulars.
The Compliance function
The compliance function is comprised by the appointed Compliance officer, the alternate and assistants (if any) Compliance officers, who are responsible to:
– design the necessary policies, controls and procedures, as defined by the BoD, including the establishment of the customers’ acceptance policy, the risk management and AML procedures manual,
– monitor and assess the implementation of the established procedures, with the application of appropriate monitoring including on-site visits to the departments of the organization.
– provide guidance for corrective measures of identified weaknesses and informs the BoD where is necessary,
– maintain an up to date list of customers indicating their assessed risk level, personal information and the date of commencement of the business relationship. The list must be evaluated and updated at least annually,
– evaluate the systems and procedures applied by the approved third party obliged entity responsible for due diligence and customer identification, at least annually,
– acquire the required knowledge and skills for the improvement of the required policies and procedures. Further, provide guidance and support to the employees of the entity, to any branches and subsidiaries operate in or out of EEA. and organize training seminars* and education across all departments, at least once a year,
– evaluate and examine the information reported by employees** via the Internal Suspicious Report. The officer acts as the first point of contact with MOKAS and files a report to MOKAS via the GoAML system. If the officer decides not to notify MOKAS then must explain the reasons within the Internal Evaluation Report. A registry of all three reports must be maintained by the entity,
– prepare and submit to the CySEC the monthly prevention statement and the annual AML report.
* The Compliance officer shall design the training seminars in such way to include tests and minimum pass rates, in order to ensure the employees are fully informed and engaged.
** The employees’ legal obligation is fulfilled once they report the Internal Suspicious report.
Internal Audit function
The independent internal audit function shall review and evaluate, at least on an annual basis, the appropriateness, effectiveness and adequacy of the policies, practices, measures, procedures and control mechanisms applied for the prevention of ML and TF. The findings and observations of the internal auditor are submitted to the BoD which decides the necessary measures that need to be taken to ensure the rectification of any identified weaknesses and/or deficiencies. The meeting minutes of the Internal auditor’s report and the BoD decisions are submitted to CySEC.
Reporting Obligations
The entities must be aware of their internal obligations along with obligations to the relevant authorities towards ML and TF. Therefore, we summarize them below.
1. The monthly prevention statement is prepared by the Compliance officer and submitted to CySEC.
2. The annual AML report is prepared by the Compliance officer, is approved by the BoD and submitted to CySEC.
3. The annual internal audit report is submitted to the BoD and CySEC along with the meeting minutes,
4. The list of Customers and their risk level is assessed and updated at least annually,
5. Third party systems and their procedures are evaluated at least annually,
6. The Internal Suspicious Report must be used by the employees of the entity and submitted to Compliance officer,
7. The Internal Evaluation Report is used by the Compliance officer and kept internally,
8. The report to MOKAS GoAML system is submitted by the Compliance officer,
9. Training seminars must be designed and provided;
– to employees prior to commencing work,
– to all employees at least annually,
– to all employees when key updates and regulatory changes occur,
– to the BoD to assist them discharge their responsibilities
Lastly, the stakeholders of the entity are considered the most effective defence against money launderers. Thus the obliged entity must ensure that all stakeholders must be fully aware of their legal obligations according to the AML/CFT Law and CySEC’s Directive and any Circulars, by introducing a complete education and training program.
At SALVUS, we design tailored trainings for employees in different positions and different responsibilities as per the different ML and TF risks they come across. We support the AMLCO to design the structure and contents of the AML training program for each target audience of the organization. We remain at your disposal should you have any questions covered in this article.
The team at SALVUS is ready to support you get successfully prepared for the AML certification exam. The seminars will count towards your CPD requirement hours for 2020 – contact us at info@salvusfunds.com.
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.