BALANCING COMPLIANCE WITH CUSTOMER SATISFACTION
• Cost of compliance
• ID fraud stats
• On-boarding challenges
• Passing a FIC inspection
• Characteristics of a good RMCP
• CDD & RegTech
• Conclusion
AGENDA
COST OF COMPLIANCE INTERNATIONALLY
KPMG SURVEY
FINES FOR AML INTERNATIONALLY
SAFPS STATS PRESENTED
ID FRAUD
• Statistics from DHA
• 1 individual 9 different names
• 1 individual 26 ID Books
• 1 woman 3 046 children
• What is ID theft used for?
• UIF
• Medical Aid
• Insurance
• Bank accounts
• Retail accounts
• Money Laundering
FUTURE TECH FOR VERIFYING ID
• Voice recognition
• Facial recognition
• Retinal recognition
• Behavioral biometrics such as keystroke recognition
• Heart rhythm
• Ear Geometry
• Vein matching – finger or palm
• SA’s Regulatory framework
• Financial Intelligence Centre (FIC) established 2002
• SARB responsible for managing national money and banking system – including the adherence to laws and regulations. Includes FIC Act
• FIC act amended in 2017 – incremental effective dates for implementation
• FIC applies to
• Accountable institutions
• Supervisory bodies such as FSB, Law Societies, Gambling Board etc
• Reporting Institutions
• Amendments to definition of Accountable Institutions notice issued Sept 2016 – anticipated end of April 18
• New inclusions
• Credit Providers, money / value transfer providers, virtual currency exchanges, accountants, Co-operatives, Auctioneers, short term insurers etc.
South Africa and KYC Compliance
• SA has emerged as a growing economic force
• Economy growing every year
• Financial sector well developed
• +- 30 banks, 4000 branches, Mutual banks & foreign banks
• Member of good standing of Financial Action Task Force (FATF)
• Member of Eastern & Southern Africa Anti-Money Laundering Group (ESAAMLG)
• SARB has imposed fines approximately R100m over 2 years
• Found non-compliant with KYC, proper recordkeeping & reporting suspicious and unusual transactions
• Banks not deliberately defying regulators, but does show importance of KYC
South Africa and KYC Compliance cont
Financial Watchdog stats Sept ‘17
• Purpose of FIC – To safeguard the Integrity of SA’s financial system – prevent it from being abused
• FIC Amendment Act – bring SA in line with Fin Action Task Force – global standards for combating money laundering and terror financing
• R149m transactions blocked by FIC in 2016
• 1 525 matters referred for inspection
• 358 412 reports received for suspicious/ unusual transactions
• 3 326 Accountable and Reporting Institutions reported
• 5m financial transactions reported
The FIC Inspection
• Inspections
• Don’t just comply – show that you comply
• Be aware of your rights and obligations
• Auction Alliance case judgement – resulted in legislative amendments
• Enforcements
• Inspections
How does an AI pass a FICA inspection
• Key inspection power amendments
• Business Premises of licensed AI
• Inspector can enter premises of registered AI without a search warrant
• Can also enter without search warrant if licensed / authorised by Supervisory body
• To conduct inspection for determining compliance
• Private Residence of licensed AI
• Must have search warrant
• Private Residence of unlicensed business – with a search warrant – if inspector believes that premises used for business to which FIC applies
• Consent overrides requirement for warrant
FIC Inspection powers amendments
Change to Risk based approach – requires FIC/SB to change the inspection approach:
• Does RMCP sufficiently identify risk for it being used for AML/ Terror financing?
• How does the RMCP mitigate that risk?
• Does RMCP comply with FIC Act, Guidance notes, Directives and formal requirements?
• Does AI adhere to its own RMCP?
• Thoroughness and processes of procedures to be tested
• FIC will probably ask for RMCP – Could result in fully fledged investigation
• RMCP most valuable tool for AI’s to reveal compliance
• Inspection costs may be recovered from AI/ Reporting Institutions
What and how will FIC/ SB inspect
Characteristics of a good RMCP
• Sect 42 of FICA – 2 Oct 2017 - Internal rules scrapped - RMCP in
• AI must develop, document, maintain and implement a programme for Risk Management and Compliance iro AML
• RMCP must enable AI to:
• Identify
• Assess
• Monitor
• Mitigate
• Manage
Risk of money laundering or financing of terrorism
RMCP – General introductory comments
• “AI’s ability to apply risk-based approach effectively is largely dependent on quality of its RMCP” – stated by FIC
• Customer friendly approach to compliance is required – smooth on-boarding, minimum costs, maximum protection to risks identified
• FIC does not favour de-risking – consumers not to be prejudiced
• FIC/ Supervisory bodies (SB) will request copies of RMCP – poorly drafted and constructed RMCP’s likely to result in formal inspections
• NB –Board of Directors and Snr Management must take ownership, responsibility, accountability and approve RMCP
• RMCP must be more than a policy – also processes and “how to” guide
RMCP – General introductory comments - cont
• Description of Board/ Snr Management’s accountability
• Appointment of Snr person to ensure Compliance
• Appropriate training for employees – understand their obligations
• Regular / timely information to Board / Snr Management
• Document AI’s risk management policies and risk profile ito AML/ TF risks
• Decision-making processes (incl when) decisions will be escalated to higher authority
FIC guidance -RMCP
• Measures to ensure Money Laundering risks are taken into account ito daily operation of AI:
• Development of new products
• Taking on new clients
• Changes to the AI’s business profile
• RMCP must speak to complexity of business and its products/ services
• Group of companies may implement group-wide RMCP – internal processes, systems and controls must be tailored for different entities where appropriate
• RMCP must be communicated throughout AI
• Must be reviewed on a regular basis
FIC guidance -RMCP cont
• How AI determines if person is prospective or existing client
• How AI ensures that it does not do business with anonymous client
• How AI identifies and verifies different types of clients and why
• How and why AI will comply with CDD requirements
• RMCP must provide for how and where required records are kept
• Must enable AI to determine when a transaction/ activity is reportable to FIC
• How RMCP will be implemented in branches / subsidiaries or other operations of AI in foreign countries
• AI must indicate in RMCP if any requirement is not applicable to it and the reason why.
Legislative (FICA) Requirements
• RMCP must endure regulatory scrutiny – it may reveal AI’s weaknesses. AI will be held accountable for compliance with FIC Act as well as their RMCP
• RMCP must display AI’s understanding of its business, products and services being abused for purposes of ML / TF
• Must apply their mind and show application of mind
• Why RBA, CDD, CIV, RMCP, Sanction screening? To provide the FIC with great quality Fin Intelligence Reports. All about information and intelligence
• A well drafted RMCP may just avert the eye of the Regulator or relevant SB
Conclusions on RMCP
Customer Due Diligence
No anonymous clients!
• AI’s must not establish business relationship or conclude a single transaction with an anonymous client / client with a fictitious name
• Transaction < R5 000 – full scope of CDD not required
• Request minimum information – Name, ID, Contact number
• NB – Sect 20A applies even where single transaction > R5 000
Customer Due Diligence
• CDD starts with knowing the Identity of your client
• AI must in the course of establishing a business relationship, or entering into a single transaction – establish and verify the identity of the client
• Also applies to person representing the client
• Verification takes place during the course of conducting the single transaction / business relationship & must be completed by the time the transaction is concluded
• Greater freedom to choose how to identify clients & means to verify the information
• CIV must be aligned to RMCP
Identification and Verification
• Obtain information to determine whether future transactions that will be performed in the course of the business relationship are consistent with the knowledge of that prospective client:
• Nature and intended purpose of the business relationship concerned
• Source of the funds to be used in the course of the business relationship
• AI must conduct ongoing due diligence – including monitoring of transactions to check for inconsistent activities
• AI must repeat verification steps – if it doubts the veracity or adequacy of previously obtained information
• If AI cannot conduct CDD – may not establish business relationship or conclude single transaction. Must terminate existing business relationship – consider STR under S29.
Other Due Diligence requirements
Foreign Prominent Public Officials & Domestic Prominent Influential Persons
• Obtain snr Management approval for establishing business relationship
• Take reasonable steps to establish source of wealth/ funds
• Conduct enhanced due diligence monitoring of business relationship
• FIC – Foreign PIP’s always a high risk – Domestic PIP’s not necessarily
• FIC provided some sites that may assist in identifying who is Foreign and Domestic PIP
• FIC Act also applies to immediate family members and known close associates of a person in a foreign or domestic PIP.
Other Due diligence requirements cont.
• Apply your mind and show application of mind
• Scrutinise amendments – what it states & what, by design, is omitted
A well drafted RMCP may just avert the eye of the Regulator.
Conclusion cont
• FIC Guidance notes – allows for AI’s to outsource verification identification
• Obligation to comply and accountability lies with the AI
• Processing of Personal Information for FICA may only be done within the confines of PoPIA
• Processing and further processing of Personal Information of a client for purposes of FICA is allowed in PoPIA
• But – be cautious of 3rd Party data sources – may have obtained personal information about a client without the client’s consent or knowledge.
• Who is allowed to hold Personal information – refer to NCA definition of Consumer Credit Information as well
Utilisation of Third party/ Data
• RegTech – utilising technology for Regulation / Compliance
• Most important for use of technology to do CDD/ CIV
• Data Components
• Data Sources
• Matching Algorithms
• Data housing
• Def of Consumer Credit Information
• Def of Personal Information
• South Africa has unique datasets and profile of consumers – make sure that the solutions are designed specifically for the South African market.
RegTech for CDD/ KYC/CIV
• Challenges around data leaks
• Proposal to utilise data that sits in secure environment
• Credit Bureau – optimal to provide this function
• Data providers/ vs credit providers submitting data
• Allowable data sources for Credit Bureaus
• Credit Providers – no consent needed – compulsory
• Data Providers- with consent
• Public Data
• Reminder – you have to notify FIC if you are utilising 3rd Party providers to assist with your compliance requirements.
RegTech for CDD/ KYC/CIV
ONBOARDING BEGINS BEFORE ACC IS OPENED
• User-Friendly
• Shortest, friction free process
• Easy to complete and comply
• Workflow to be easy and staff friendly
• Build Relationships
• Interact, assist, understand
• Keep records up to date
• Periodic automated monitoring and updating
• Avoid inconsistencies
• Clearly defined processes and standards
• Educate
• All staff to be up to date with compliance if they are required to make decisions
• Tick all compliance boxes - RMCP
ONBOARDING FOR KYC/AML TIPS
• Cost for compliance is high
• Fraud is rife
• Why RBA, CDD, CIV, RMCP, Sanction screening etc?
• To provide FIC with great quality Financial intelligence Reports
• All about information and intelligence
• AI’s have greater freedom under RBA and with CDD than before – with freedom comes greater responsibility and greater need for application of mind
• Invest in good on-boarding tools that will enhance customer experience.
CONCLUSION
Questions