Expert opinion

In today's digital space, the issues of security and liability of financial institutions are becoming extremely relevant. Ensuring a stable and secure financial system requires not only high-tech solutions but also an improved corporate culture of financial monitoring. Today, one of the main challenges facing financial institutions is the fight against money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction (AML/CFT). In this context, it is important not only to detect and stop such operations, but also to actively work on building an effective AML/CFT policy system. Only with the active participation and involvement of all levels of management of financial institutions can the tasks related to preventing and combating financial crimes be successfully accomplished. Read more about the important aspects of the corporate culture of financial monitoring and the AML/CFT policy system in the interview with Iryna Popova, Chairman of the Compliance and Financial Monitoring Committee of the Association of Ukrainian Banks, Executive Director of ACTSIVITIS FC LLC.

 

What are the main stages of building an effective policy system for preventing and combating money laundering, terrorist financing, and the financing of the proliferation of weapons of mass destruction (AML/CFT)? That is, what should financial institutions do to build an effective internal policy system in this area?

Let me start with the fact that the creation of this system is required by law. Therefore, a financial institution needs to appoint a responsible employee, create a separate AML/CFT structural unit, attract the necessary resources, develop and approve internal documents (IDs), conduct training, engage an audit, check the business reputation of the institution's employees, create a risk management system, and take other comprehensive measures that can help achieve the goal.

The legislation defines only general requirements for the risk management system, so financial institutions need to develop this system independently within their type and specifics of activity, describe and set up all processes in detail so that it functions effectively, and communicate AML/CFT responsibilities/roles to the employees of the institution in accordance with their functional responsibilities, because only as a result of an efficiently built process will such a risk management system be effective.

To what extent are financial companies currently ready to build such an internal system? After all, it may require the creation of a new structural unit and additional funding.

The question is not whether financial institutions are ready or not ready for these processes. The legislation has clearly stated that this should be done since 2020. Yes, there is a certain point where financial companies do not yet fully understand the importance of this process. Banks, unlike non-bank financial institutions, have been building an AML/CFT policy system for much longer, and financial companies are only now beginning to realize how important it is.

What is the role of internal documents on financial monitoring in building this independent system?

At the last meeting of the CBA's Compliance and Financial Monitoring Committee (CFM), I emphasized that internal documents play an important role, because the way the entire system of the institution functions depends on how well and in detail the internal documentation, certain regulations, procedures, and rules are drafted. If internal documents do not have clear rules, or if certain functionality, processes, and procedures are imperfectly described, the system itself will not function correctly.

So you need to create an instruction, certain rules of internal document flow on these issues for the system to work? Can we say that this is an internal standard that every financial institution should have?

Of course, it should be an internal standard. The legislation provides for the number of required procedures of the AML/CFT policy system. It can be argued that depending on the required number of employee procedures/procedures/methods, a financial institution determines for itself the set of internal rules according to which it will be able to fully and effectively function in compliance with the AML/CFT legislation.

What is the list of internal AML/CFT regulations?

The first thing I would like to point out is that the legislation does not provide for a complete and exhaustive list of AML/CFT documents. Each financial institution independently develops the number of internal regulatory documents that it considers necessary for the effective functioning of the internal system of combating money laundering and terrorist financing. These internal documents may be in the form of a single document or several, if it is convenient for the financial institution. The main thing is that they fulfill the main purpose - to ensure the functioning of the AML/CFT policy system.

From our own experience, it is still more advisable to have several internal regulatory documents rather than just one, which will help avoid a cumbersome form of the document that will only hinder the perception of its essence. As for the documents themselves, it is worth noting that the most important are the procedure for assessing and reassessing the institution's profile, the rules for conducting financial monitoring, the customer due diligence program, the training and professional development program for financial monitoring employees, and the procedure and mode of access to internal documents in the field of financial monitoring. It is also necessary to develop a program for implementing special economic measures, i.e. sanctions. Additionally, the company may implement such documents as regulations on the unit, job descriptions of employees involved in financial monitoring procedures, as well as other documents related to financial monitoring, in particular, annual plans, orders approving internal documents, lists of risky countries, memos, procedures, methodologies, etc. The availability of such documents is necessary not only for the effective operation of a financial institution, but also for proper argumentation of compliance with AML/CFT legislation to the regulator during inspections.

New rules and possibly additional responsibilities are sometimes difficult for employees to accept. After all, in some cases, they need to improve their skills and professional level. So how can you get employees to comply with these AML rules? What advice can be given to financial institutions to ensure that their employees understand the importance of a financial monitoring culture?

First, every employee of a financial institution must clearly understand the purpose of financial monitoring. Financial monitoring is not just about bureaucratic rules to be followed. In addition to the global goal of combating money laundering and terrorist financing, financial monitoring is aimed at protecting businesses from unscrupulous customers. This should be understood by all employees of a financial institution involved in financial monitoring procedures. Therefore, it is necessary to develop a corporate culture of financial monitoring. Today, sometimes, business does not understand financial monitoring, and financial monitoring does not understand business, and this distance must be overcome by building a culture of financial monitoring. Each department of a financial institution needs to understand the importance of the financial monitoring procedure, because only the coherence of all departments can bring an effective end result.

Once again, for employees to work effectively, it is necessary that these procedures/procedures/methods are described and communicated to everyone correctly and correctly, and therefore there should be effective internal communication, ongoing training to ensure that employees understand their responsibilities and procedures. Some financial institutions make, let's say, a mistake when they duplicate the legal provisions in the LCR when describing the internal financial monitoring procedure, literally copying them. While financial monitoring employees understand the legal requirements and the essence of the internal AML/CFT documents of a financial institution, businesses do not always manage to understand everything due to the complexity of the wording. In order to avoid such misunderstandings, financial monitoring procedures should be defined in the most accessible language in the internal documents of the financial company and clearly state all the necessary procedures and the purpose of their implementation.

What liability is provided for by law for a financial institution's failure to properly fulfill its obligation to develop and implement AML/CFT CDD?

The law provides for liability for failure to update documents in a timely manner, for their proper implementation and for bringing to liability, which is confirmed by the NBU's inspection statistics. Failure to properly fulfill the obligation to develop and implement AML/CFT CDD is currently the most common violation detected by the regulator. The fine for such a violation is symbolic - up to three thousand tax-free minimums, which is UAH 51 thousand. However, if the described procedures are not followed by the financial institution, this may be considered as improper operation of the risk management system, and in this case, the maximum fine is provided, which may amount to millions of hryvnias. Based on the above, the AML/CFT BODs are extremely important, as they affect the construction of the entire internal risk management system. In any case, a fine is a loss for a financial institution. Ignoring the implementation of the AML/CFT BAM, which should take into account the peculiarities, directions and specifics of the institution's activities, the characteristics of different types of customers, as well as the implementation of a risk-based approach by the institution, may lead to an inadequate risk management system, which also entails reputational risks for the financial institution, as these are interrelated things.

Let's talk about such an important package of documents as a client file. What are the peculiarities and difficulties faced by financial institutions when preparing a client file?

The customer file is not an AML/CFT STR, but if we draw an analogy, the customer file can probably be compared to an STR in terms of importance. At the same time, sometimes there are more difficulties with a client file than with an MLA. Why is this so? Because there is a legal definition of a client file, but it is not detailed, but rather general. The client file includes all documents, all information about the client and business relations with him. This is practically all we have from the basic definition of what a client file is. Probably, not every financial institution fully understands what documents should be included in the client file. A financial institution may have one vision, and the regulator, when it comes to inspect, may have a completely different vision.

Is there no clear list of required documents that should be kept in the client's file?

Unfortunately, the legislation does not really define the entire list of documents that should be contained in the client file in the AML/CFT sense. There are only requirements for identification data that must be available by category of client. At the same time, the NBU, when it comes to checking compliance with AML/CFT legislation, wants to receive from the financial institution a client file that contains all documents/information regarding the client and business relations with him, in particular: contracts, acts, other documents related to financial transactions, documents on pledge, surety, etc.

In your opinion, are there any gaps in the legislation? Do you think it needs to be finalized at the legislative level?

On the one hand, it can be called a certain gap in the law, on the other hand, it is not. This is a debatable issue. But I think it would be the right approach for each financial company to define in its internal internal regulations what a client file is, its content, types (if necessary), and the procedure for its storage.

What can be attributed to additional information that should be contained in the client file?

In order to collect additional information about the client and business relations with him/her, both official/reliable sources and public sources can be used. Additional information can be collected through various commercial Internet resources that use official information, work with certain databases, and public sources can also be used. Media screening, which is essentially the use of public sources, is gaining popularity.

At the same time, you should not trust all the information available on the Internet, it should be taken critically. A financial institution should define its internal procedures and determine which sources it uses and considers reliable. Since not all publicly available information is reliable and using unreliable information, a financial institution may unreasonably refuse to conduct financial transactions and/or establish (continue) business relations with clients.

We have also encountered the need to critically analyze information from the Unified State Register of Court Decisions, namely, to analyze information on criminal proceedings, because the degree of risk that may affect the client can only be understood after analyzing such information, and not by identifying the fact of the existence of criminal proceedings as such. Thus, the mere existence of criminal proceedings does not allow for objective conclusions. Therefore, it is always necessary to study this information and critically evaluate it. Why did such criminal proceedings appear? What is the status of the client? Is there a verdict and what has been established in it?

Therefore, the advice to all colleagues is to check and analyze criminal proceedings involving the client so that in the event of regulatory inspections, you have the necessary information (preferably in the form of conclusions) and you can demonstrate the sufficiency of the measures taken and document it.

To summarize our conversation today, can we say that when building an effective AML/CFT policy system, a financial institution should not reduce the process to one employee or one structural unit, but should do it comprehensively, building effective interaction with all structural units?

Yes, of course. There should be three lines/levels of protection in building such a system. And I can tell you that the more employees involved in this system, the better. A financial monitoring employee needs to understand many issues: legal, business, and accounting. But a financial institution has specialized specialists. For example, a lawyer will analyze criminal cases much better, and an accountant can better evaluate a particular financial statement.