Adrianna Cassar | Executive Director at Aspida Group Malta

Risk- Based Approach: The BRA:

Overall, Subject Persons have carried out BRAs and duly documented the assessment of their risk exposure. It was noted that the assessment of the inherent risks includes the evaluation of the complexity of the structures of corporate customers, and the jurisdictions they are connected to. This assessment should take into account other risk factors which Subject Persons are exposed to, including other services offered by them. As part of a thorough analysis, Subject Persons must consider the specific controls put in place to address specific ML/FT risks and assess them as thoroughly as possible.

54% of Subject Persons under review identified specific control measures. Subject Persons must identify the likelihood and impact of the risk materialising and adopt appropriate measures. From the 55% of the BRAs reviewed, the residual risk rating assigned to directorship services in the BRA was not calculated correctly when compared to the CSP’s operations. As it was noted, Subject Persons shall apply a more thorough approach when identifying and concluding the residual risk of their operations, which should be within their risk appetite.

Identifying the risks associated with jurisdictions one has links to is a core component of a BRA. It was noted that ONLY 27% of Subject Persons reviewed, identified all relevant jurisdictional connections, while 55% of Subject Persons assessed the geographical connections of customers/beneficial owners in the BRA by solely referring to a category without recording the specific jurisdictions in the document itself. It was emphasized that the BRA shall include a granular assessment of the jurisdictions that the Subject Person is exposed to.

Risk-Based approach: The CRA:

It was noted that all Subject Persons under review had CRA procedures in place, although only 47% of the CRAs were carried out prior to entering into the respective business relationships. It was stressed that Subject Persons need to ensure that all known risks they will be exposed to are assessed in the CRA prior to the provision of services so that the necessary level of CDD can be applied to effectively address the risks identified. Moreover, it was noted that 85% of the Subject Persons reviewed have specifically factored directorship services in their CRA methodology, although in some instances, directorship services were not considered separately but rather were factored in under the umbrella of CSP services. The FIAU stresses the importance of understanding and assessing each service provided to be able to clearly identify the threats and vulnerabilities of each service and subsequently apply adequate and commensurate measures to mitigate the same. The thematic review revealed that only 50% of the overall sample of files tested considered the geographical risk presented by the customer in the CRA. Subject Persons are reminded to include the geographical risk factor in their CRAs, as this will determine the level of ML/FT risk posed by the customer from a geographical aspect. Following the review, the FIAU identified both good and bad practices followed by Subject Persons.

CDD Measures:

It was positively noted that for over 95% of the files reviewed, Subject Persons had identified and verified both the customers and their beneficial owners. Subject Persons are reminded to ensure that data, information and documentation obtained as part of the CDD process are kept up to date, especially whenever there are changes in the involved parties of a particular corporate customer.

The purpose and intended nature of the business relationship:

Subject Persons must understand why a customer is requesting their services and/or products and how those services and/or products are expected to be used throughout the business relationship. When providing directorship services, Subject Persons shall obtain information on the nature and the anticipated level of the activity that is to be undertaken during the relationship. This needs to include the type of activity being carried out, the expected volume of transactional activity, projected turnover and proposed suppliers and customers to understand the eventual source of funds flowing through the customer company. Furthermore, this information is necessary for the Subject Person to be able to formulate an understanding of the typical transactional activity expected from the customer. This understanding is crucial for the carrying out of effective ongoing monitoring of the customer’s activities and transactions. Information of the anticipated level and nature of the activity that was to be undertaken throughout the respective business relationships was not obtained in only 14% of the files reviewed by the FIAU.

Enhanced Due Diligence (‘EDD’): Source of Wealth (‘SoW’) and Source of Funds (‘SoF’):

As per the FIAU Implementing Procedures, a Subject Person must collect information on a customer’s SoW and expected SoF at the outset of a business relationship. The SoW is identified at the beginning of the business relationship and this information shall be updated throughout. Subject Persons are required to identify and obtain information on the SoF of individual transactions when necessary, in accordance with the obligation of ongoing monitoring.

It was noted that EDD was not applied in some cases, while on other occasions EDD was not applied in line with the heightened risk of the customer business relationship, being observed in 19% of the cases in relation to the SoW and SoF. Following the collection of information on the SoW and SoF of the customer, the Subject Person needs to determine the extent to which that information must be substantiated by any further information and/or official documentation. This may be obtained both from the customer and/or reliable external sources and will allow the Subject Person to understand whether the funds used for the customer’s operations are legitimate and hence ensure that the company is not being used for the purpose of ML/FT. Where the collection of this information is deemed relevant, Subject Persons shall not obtain generic information. Hence, the mere reference to ‘business’, ‘employment’ or ‘inheritance’ will never be deemed sufficient to meet this obligation, independently of the risk presented.

It was noted that in 35% of high-risk business relationships, the FIAU identified issues relating to insufficient supporting documentation obtained by Subject Persons on their customers’ SoW and SoF. It was also observed that there were instances where Subject Persons relied too heavily on open-source information to corroborate the customer’s SoW and SoF information. Although Subject Persons may refer to open-source information as an additional measure for high-risk business relationships, this cannot be the only source of information relied upon, but sufficient documentation from other sources should be retained on file. The FIAU has identified good and bad practices followed by Subject Persons with respect to information and/or documentation that need to be requested to be provided by the customer.

Ongoing Monitoring of the Business Relationship – Scrutiny of transactions:

Subject Persons providing directorship services are expected to carry out ongoing monitoring of the business relationship. Scrutinising transactions is vital to ensuring the effectiveness of ongoing monitoring. It was noted that most of the Subject Persons reviewed (82%), had established policies and procedures on how to carry out transaction monitoring. In this regard, most of the Subject Persons incorporate transaction monitoring processes in their respective policies and procedures. As it was noted, transactions may be monitored in real time (pre-transaction monitoring), after the event (post-transaction monitoring) and on the basis of a customer’s specific profile. 55% of the Subject Persons under review adopted both pre and post transaction monitoring, while 27% only adopted pre-transaction monitoring and the remaining 18% only adopted post-transaction monitoring.

The Thematic Review also included a review of the Subject Person’s scrutiny of the transactions effected by their customers. Although overall it was clearly indicated that most Subject Persons carried out effective transaction monitoring, in 70 transactions (16% of the total transactions examined) the Subject Persons did not flag the transaction and so, no documentation to substantiate the rationale behind the transactions was obtained. This deficiency was noted in 3 out of 11 Subject Persons reviewed.

It was also noted that over 80% of Subject Persons and their staff attended training related to transaction monitoring during the past three years. The FIAU highlights the importance for Subject Persons to attend relevant training regularly. As it was noted, a training program which educates in the identification of unusual transactions and high-risk situations as applicable to the Subject Person is critical to the success and effectiveness of a Subject Person’s efforts at combatting ML/FT. The FIAU has identified good and best practices followed by Subject Persons pertaining to transaction monitoring.

Conclusion:

It was positively noted that Subject Persons are generally aware of their obligations and the importance of having a sound AML/ CFT control framework to mitigate the risks arising from the provision of directorship services. The FIAU expects that all CSPs to which the Thematic Review applies and their MLROs go through the Thematic Review and familiarise themselves with the findings and implement any updates to their internal controls as required to ensure that they do not incur weaknesses reported in the Thematic Report.

Aspida Insights is where we draw on our knowledge, experience and expertise in key business areas such as compliance and risk management, regulation and corporate governance to offer our thoughts, forecasts and advice on a range of topical issues or areas of client concern.