Implementing AML/CFT Audits Relevant to FinTech in Financial
Institutions: Middle East Region/Jordan
By Mamoun Mahmoud Almashaqbah, CAMS
Table of Contents
Executive Summary
Introduction
Financial Technology (FinTech)
  Overview
  Key FinTech Products and Services in Financial Institutions
  Objectives of FinTech
Implications of FinTech for Banks and Banking AML/CFT Systems
  New Banking Products and Services
  De-risking
  Customer Due Diligence (CDD)
  Record Keeping
  Monitoring and Reporting Suspicious Transactions
  Outsourcing and Partnering Risk
Applying AML/CTF Measures to Meet FinTech
Implications of FinTech for Bank Supervisors and Regulatory AML/CFT Frameworks
  The Relevance of Regulatory Frameworks
  SupTech Opportunities
  Need for Cooperation
Central Bank of Jordan: Efforts to Meet FinTech
  FinTech Regulatory Sandbox
  Financial Inclusion
  Cybersecurity
  AML/CFT Instructions
Audit Relevance to FinTech Framework
  Audit Overview
  Role of the Audit to Meet FinTech
    Risk-Based Approach (RBA)
    IT Audit to FinTech
  AML/CFT Program to Enhance Audit Function
Conclusion
References
Appendix no. (1)
Executive Summary
In the last few years, interest in financial technology has grown significantly around the globe, and
in particular in Jordan, a part of the Middle East region, given the growth of electronic commerce
and technology in the area and the world. Meanwhile, attention to the subject of AML/CFT has
grown through the risks and challenges associated with financial technology products and services,
and as a result of the rapid development of technological innovations, which are characterized by
the interdependence of economies and the development of electronic payment systems that allow
the fast transfer of funds between countries.
This paper identifies the risks of using financial technology in money laundering and terrorist
financing operations in financial institutions, and how to deal with these risks by determining the
characteristics of banks’ effective AML/CFT procedures and programs.
This paper aims to highlight the role of the internal audit function in examining AML/CFT procedures
and programs regarding financial technology products and services by using an audit risk-based
approach and IT audit. It also seeks to identify the role of regulatory authorities, particularly with
regard to Jordan’s experience in this field, in balancing support for and encouragement of
innovation in the financial and banking sector with maintaining the integrity, robustness, and
transparency of the banking system.
Introduction
Financial technology (FinTech) may generate multiple risks that concern AML/CFT units’
managers and IT managers in financial institutions. Similarly, worry about the potential adverse
effects of reliance on financial technology extends to regulators, who have to assess the risks of
money laundering and terrorist financing resulting from dependence on technology.
Increasing reliance on technology in financial institutions opens new channels for hackers, money
launderers, and financiers of terrorism, who usually have the knowledge and very sophisticated
technological tools that some banks and financial institutions may not have, and that represents
one of the reasons for the complexity of the work of compliance units in banks and financial
institutions.
The risk-based approach in AML/CFT is one of the most effective mechanisms to achieve proper
AML/CFT measures under modern financial technology: by focusing on high-risk products,
services, business lines, and geographic areas that need enhanced due diligence (EDD) measures,
and applying simplified measures at lower-risk areas. This approach would encourage the opening
of bank accounts and change the path of remittances from the informal system to the formal
system, where proper controls and supervisory systems are in place. The FATF has modified its
recommendations with a view to implementing the risk-based approach and committing banks
to conduct a comprehensive assessment of the money laundering and terrorism financing risks
associated with customers, countries and geographic regions, products, services, processes, and
service delivery channels.
The compliance and AML/CFT function should be integrated with the overall risk management
framework of banks, and should provide policies, controls, and procedures to manage and reduce
the risks of money laundering and terrorist financing, as well as take EDD procedures consistent
with the degree of risk identified to customers.
Financial Technology (FinTech)
Overview
Financial Technology (FinTech) is defined as technology-enabled innovation in financial services
that could result in new business models, applications, processes, or products with an associated
material effect on the provision of financial services.1 In other words, financial technology is the
introduction of technology into traditional financial and banking services to improve their quality
and accessibility.
Banks are looking for ways to benefit from the adoption of financial technology in their operations,
but they are still focusing primarily on FinTech applications in payments processes (such as mobile
apps for online bill payment). But selection and application of appropriate financial technology
remains a challenge for banks, especially those with a weak innovative culture and regulations of
AML/CFT, due to the enormous complexity of illegal operations by money launderers and
financiers of terrorism who continually seek to take advantage of any flaw in access to financial
systems to achieve their illicit purposes.
Key FinTech Products and Services in Financial Institutions
The development of financial technology can be divided into two phases: the first phase is based
on payments and lending solutions that offer crowdfunding platforms, peer-to-peer lending
platforms, and payment solutions. Payment of bills has become more accessible and faster over
the Internet, mobile applications have replaced bank notes, and money transfer has become more
comfortable. The second phase has recently emerged through three key trends: international money
transfers, wealth management, and insurance.
Blockchain (digital technology), however, is still in its early stages and is likely to play a primary
role in future financial transactions. That requires banks and regulatory authorities to study these
developments carefully and determine their effects on markets, and their regulatory mechanisms,
to protect clients and reduce the risk of exploitation of these products and services in money
laundering and associated terrorist financing operations.
1 Financial Stability Board. (27 June 2017). “Financial Stability Implications from Fintech, Supervisory and Regulatory Issues that Merit Authorities’ Attention." Page 7.
The graph below shows the sectors of financial technology products directly relating to the core
banking services of banks:
Credit, Deposit, and Capital-Raising Services
- Crowdfunding
- Lending marketplace
- Mobile banks
- Credit-scoring
Payments, Clearing, and Settlement Services
- Mobile wallet
- Peer-to-peer transfers
- Digital currencies
- Value transfer networks
- Digital exchange platforms
Investment Management Services
- High-frequency trading
- Copy-trading (A)
- E-trading
- Robo-advice (B)
Source2: Basel Committee on Banking Supervision (BCBS), “Sound Practices: Implications of Fintech developments for banks and bank supervisors.”
Objectives of FinTech
Financial technology brings many benefits to individual customers, businesses, banks, and the
economy, including the growth of digital commerce for companies, traders, and consumers, and
moving towards the non-monetary economy, which leads to integrating the informal economy into
the formal economy. However, the trend towards the non-monetary economy may facilitate money
launderers’ aims for transferring illegal money across countries in cases where financial
institutions and regulatory authorities lack the appropriate AML/CFT controls for keeping up with
this development in money transfer processes.
Financial technology will also lead to increased demand for retail banking and funding services,
as well as financial inclusion and access to new categories of non-bank customers. It will also
encourage non-bank customers to deal with financial technology and benefit from its banking and
economic opportunities. However, enforcement of AML/CFT controls can impact the access to,
and use of, financial services in countries due to increased costs of AML/CFT efforts, which may
result in the withdrawal of financial institutions from low-value transactions. Therefore, it is
important to search for ways to reduce the risks of money laundering and financing of terrorism
while enhancing financial inclusion.
2 Basel Committee on Banking Supervision (BCBS). (31 October 2017). “Sound Practices: Implications of Fintech developments for banks and bank supervisors.” Page 9.
(A) Copy-trading, or social trading, is one of the ways Forex and commercial markets operate over the Internet in general. It allows investors to trade by automatically copying positions opened and managed by another experienced investor’s trades in return for a simple commission.
(B) A robo-advisor is a self-guided online wealth management service that provides automated investment advice at low costs and low account minimums, employing portfolio management algorithms.
Implications of FinTech for Banks and Banking AML/CFT Systems
New Banking Products and Services
Financial technology offers great opportunities for banks to innovate and provide value-added
services by introducing new products and services for their customers based on financial
technology. This includes expanding access to financial services for under-served consumers
(financial inclusion). Providing a better understanding of the products and services offered to them
leads to improving customer experience.
However, the nature and scope of banking risks, especially the risks of ML/FT, may change from
what has traditionally been understood due to expanding access to new markets and customers.
This leads to challenges in how to effectively implement AML/CFT mechanisms for these new
products and services.
Choosing appropriate products or services for banks and their customers should be based on
identifying risks in these new products and services before they are offered to customers, so banks
must adopt appropriate AML/CFT monitoring procedures to avoid the adverse effects of new products
and services based on financial technology in case of inadequate AML/CFT procedures.
De-risking
Financial technology facilitates the access of a large group of customers to financial services
provided by banks, including high-risk customers. This increases the regulatory requirements for
strengthening the banks’ control and verification systems, especially concerning AML/CFT
standards. However, as a response to these challenges, many banks may end financial and banking
relationships with entire groups of clients or companies that are considered high-risk, rather than
performing KYC and due diligence procedures, especially when these relationships represent more
risk than potential profits (money transfer companies and trade finance).
This response may force entities and individuals to transfer funds through less organized,
or unregulated, technological channels not subject to AML/CFT measures. The FATF
recommendations require financial institutions to terminate relationships on a case-by-case basis
in areas where the risk of money laundering and terrorist financing cannot be mitigated.
Customer Due Diligence (CDD)
Use of financial technology can lead to the provision of banking services to individuals and entities
by banks without meeting customers face-to-face, and this affects the customers’ due diligence
procedures and the verification process of the actual beneficiary of such accounts, such as prepaid
cards and peer-to-peer lending. Criminals may use information technology services for criminal
purposes, which requires the development of CDD procedures and know your customer (KYC)
forms flexible enough, using a risk-based approach, to meet AML/CFT requirements.
Record Keeping
Banks shall maintain records of domestic and international financial transactions so that such
records include due diligence data, EDD data, and risk assessment procedures for customers under
the period specified by the supervisory authorities. However, the nature and complexity of
technology-based transactions and services, and increasing customer demand for digital
transactions, leads to increased compliance risk that may make it difficult to obtain enhanced
documentation for banking operations for customers.
Monitoring and Reporting Suspicious Transactions
Monitoring of suspicious operations is one of the most effective AML/CFT procedures in financial
institutions in reducing ML/FT crimes, but new banking products and services resulting from the
development of financial technology will lead to an increase in banks’ need for developed systems
to monitor suspicious transactions, which may be costly. The speed of bank transactions can make
it difficult to report suspicious transactions on time, and thus weakens the ability to detect
suspicious transactions before money launderers complete them.
Outsourcing and Partnering Risk
Financial technology applications may increase the difficulties in meeting compliance
requirements, particularly on AML/CFT obligations, if banks perform financial transactions on
behalf of clients of financial technology companies. If the customer makes payments using a bank
card or bank account, the bank is to some extent responsible for customer authentication and may
be responsible for covering fraudulent transactions. Distribution of products or services between
banks and financial technology companies will lead to less transparency on how transactions are
implemented and who is accountable for compliance.
Moreover, allowing financial technology companies to provide financial and banking services,
such as granting loans, accepting deposits, and carrying out money transfers, especially across
borders, will lead to the exit of these operations from the regulated banking sector to so-called
shadow banking, a less regulated industry or, perhaps, less transparent. This may prompt money
launderers and financiers of terrorism to resort to these channels; consequently, regulatory
authorities need to shift from traditional banking supervision to more advanced banking
supervision.
Applying AML/CTF Measures to Meet FinTech
AML/CFT measures could have adverse effects on access to, and use of, financial services through
financial technology applications if these measures are not carefully designed. Over-compliance
in financial institutions may lead to financial exclusion, which is a direct risk of ML/FT activities.
The FATF recommendations have the flexibility to help financial institutions avoid
over-compliance with AML/CFT requirements and to enable supervisory authorities to
formulate effective and appropriate controls in the AML/CFT field, taking into account the
appropriateness of expanding access to financial services and familiarity with the various levels
and types of risks posed by multiple products. The challenge is to find an appropriate level of
AML/CFT measures in a balanced manner while keeping abreast of developments in financial
technology in a way that does not affect the share of banks in financial markets. Therefore,
AML/CFT measures must be adapted to products and services related to financial technology as
described below:
- The AML/CFT programs in banks should include risk assessments of each product,
service, and activity related to financial technology, whether for new products or for
services being developed, so that banks can establish adequate controls to prevent money
launderers from exploiting these products and services for criminal activities.
Recommendation No. 15 of the FATF states that countries and financial institutions should
identify and assess the risks of ML/FT that may arise from the development of new
products and practices, including new means of providing services, to take appropriate
measures to manage and reduce those risks.3
- Financial institutions must be able to demonstrate that CDD measures are in place and
effective in mitigating risks arising from indirect dealings with customers as a result of the
complexity of electronic transactions and their increasing volume under financial
technology. Therefore, it is essential to determine the nature of customers’ needs and the
degree of risk-taking using the risk-based approach, then implementing simplified
measures for low-risk customers and applying enhanced due diligence measures for
high-risk customers, under Recommendation No. 10 of the FATF.4
- Maintain customer records according to the specified period (for example, five years by
the instructions of the supervisory authorities in Jordan) within digital databases so that
they can refer to it quickly and easily. The proposed procedures in this area are to assign
KYC procedures to a third party after examining this option from law enforcement
authorities so that there is a central database of customer data, which leads to saving costs
and efforts for the banks.
- AML/CFT programs must rely on advanced, automated, analytical, and digital processes
and tools in the monitoring of financial transactions, and in the reporting of suspicious
transactions, as well as the use of advanced digital solutions to ensure data quality, speed,
and efficiency to extract meaningful conclusions in a manner that enables suspicious
transactions to be disclosed and reported in a timely manner.
- Regulate the relationship between banks and financial technology companies so as to
determine the responsibility of compliance of each party in taking the necessary measures
to AML/CFT, in a way that does not affect the ability of banks to attract customers of
financial technology companies and maintain an appropriate level of the banks’ shares in
the financial markets.
3 FATF. “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation – The FATF Recommendations.” Paris. (2012). Page 15.
4 FATF. “International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation – The FATF Recommendations.” Paris. (2012). Page 12.
Implications of FinTech for Bank Supervisors and Regulatory AML/CFT
Frameworks
The Relevance of Regulatory Frameworks
Supervisory authorities for banks and financial activities should carefully study developments in
financial technology and determine its impacts on markets and regulatory mechanisms to protect
clients and reduce risks in money laundering and terrorist financing by facilitating safe access to
new products and activities. The supervisory authorities should review the current regulatory and
supervisory frameworks and consider whether the frames and laws are proportionate to each other
to achieve an appropriate balance between taking advantage of the development of financial
technology and implementing adequate controls in AML/CFT. Therefore, there may be a need for
a comprehensive policy response at the national level, based on the guidance provided by the
standards bodies (FATF, MENAFATF, and Basel Committee on Banking Supervision).
SupTech Opportunities
Supervisory authorities have to adopt efforts to explore the potential of new technologies to
improve AML/CFT techniques and processes in line with financial technology products and
services, where supervisory technology (SupTech) solutions can facilitate and enhance compliance
with AML/CFT rules. Identity verification technology (including electronic fingerprinting) may
provide effective and secure identity authentication methods. Value chain managed by supervisory
authorities can be used to build a database that serves KYC procedures, provided that this
repository is easily accessible by many users.
Need for Cooperation
As new technologies increasingly operate across borders, international cooperation between
supervisory authorities, such as AML/CFT units and central banks, is critical to ensure effective
controls, to enhance opportunities, and to reduce the risk of money laundering and terrorist
financing that may arise from legislation disparity. There is an exchange of experiences and best
practices among countries to assist in guiding the most effective regulatory frameworks, taking
into account the circumstances of each country. Institutions with a membership structure with
countries from all over the world, such as FATF and MENAFATF, play an essential role in
collecting information from all countries to develop international standards in the field of
AML/CFT and regulatory oversight of banking services delivery.
Central Bank of Jordan: Efforts to Meet FinTech
Supervisory authorities have to balance between supporting financial technology and developing
controls that limit the risks of technology-based products and services. In this regard, the Central
Bank of Jordan believes in the necessity of keeping up with rapid developments in FinTech to
serve the banking and financial sector in a manner that ensures safety, resiliency, and stability by
continuous support for entrepreneurship in the FinTech sector.
In line with the Central Bank’s aim to be a FinTech hub in the region, it is considered one of the
pioneers in the Middle East region in adopting innovations of FinTech through efforts to encourage
keeping up with developments in technology and issuing legislation and regulations that protect
the customers of financial technology products and services, mainly in the AML/CFT field.
FinTech Regulatory Sandbox5
The Central Bank of Jordan established the FinTech Regulatory Sandbox in February 2018. It is
considered a safe and controlled trial environment that allows businesses or entrepreneurs to
examine and test innovative and sophisticated financial products and services, as well as guidance
required to access different creative channels and technology incubators in Jordan. The sandbox
supports innovations using the latest global technology, including blockchain technology, with
priority for applications that enhance access to digital financial services with ease, efficiency, and
security, while taking measures to implement cybersecurity requirements.
Financial Inclusion6
The National Strategy for Financial Inclusion was established in Jordan in 2016. The CBJ took the
lead in this process with the support of the public and private sector to ensure cooperation in the
development and implementation of a series of initiatives in this regard, especially in remote areas,
by studying the expansion of using digital credit, then studying its legislative effects. Financial
technology, and using blockchain technology, is the central pillar of this strategy.
Cybersecurity
In 2018, CBJ issued instructions of cybersecurity for banks, financial institutions, credit
information companies, and MFIs that, under the CBJ umbrella, enhance the ability to respond to
cyberattacks. The instructions aim to enable banks, institutions, and companies to continue to
provide services and carry out operations safely, as well as motivate them to invest in cybersecurity
due to its important role in achieving a technological renaissance serving the national economy.
AML/CFT Instructions
The Central Bank issued updated instructions of AML/CFT for banks in 2018. These amended the
instructions in force since 2010 after the National AML/CFT Committee approved it. The new
instructions came in response to the amendments to the recommendations of FATF for 2012 and
developments in domestic and international markets, and to strengthen the AML/CFT framework
in the Kingdom. One of the most important amendments introduced in the new instructions is to
enhance the risk-based approach in AML/CFT efforts and oblige banks to conduct a
comprehensive AML/CFT assessment on an annual basis.
5 Central Bank of Jordan, “FinTech Regulatory Sandbox”.
6 Central Bank of Jordan, “The Financial Inclusion National Strategy Project”.
The box below demonstrates other instructions issued by the Central Bank of Jordan in the field
of FinTech:7
- CBJ is banning dealing in Cryptocurrencies due to its high risk to customers, financial institutions and
the national economy. It carefully monitors all developments on the Cryptocurrencies and conducts
research and studies in cooperation with other central banks and with international institutions to find
out how to benefit from these currencies and to establish adequate controls to prevent the exploitation
of these currencies in ML/FT.
- Issuing of mobile payment instructions to restructure payment and settlement systems in the Kingdom
that lead to developing electronic payment channels to serve a wide range of citizens and residents in
the Kingdom, as well as issuing an electronic system within the financial services technology to pay
bills to enable consumers to view and pay their bills from any place through their bank accounts.
- Issuing of the Cloud Computing Guide which includes an explanation of the cloud computing concept,
its core features, deployment models, service models, and guidelines on some of the significant issues
financial institutions need to consider when using this technology, including cloud computing
governance, risk management, sustainability, and mechanisms used to protect their data in a safe and
effective way.
- Issuing of instructions concerning the requirements of electronic payment and transfer companies to
regulate the work of these companies and setting appropriate controls to ensure that these companies
comply with the supervisory requirements of the Central Bank including AML/CFT instructions12.
- Issuing the instructions of information management and its associated technology for all banks in Jordan
in 2016 to promote adoption of sound management standards in information management technology
according to international best practices in this regard for banks operating in the Kingdom.
7 Central Bank of Jordan, Web Site, (http://www.cbj.gov.jo/).
Audit Relevance to FinTech Framework
Audit Overview
The development and diversification of banking services as a result of the increased reliance on
financial technology requires that banks pay particular attention to internal control systems to cope
with this development, which accompanies exposure to new risks in the field of ML/FT. Internal
control systems should be highly efficient to protect assets of the bank and comply with laws and
instructions issued by supervisory authorities and management. Accordingly, attention is
increasingly paid to the internal audit as an independent function that verifies the bank’s
compliance with appropriate controls to AML/CFT relevant to technological innovations.
The best way to achieve an appropriate level of AML/CFT audit is to ensure that compliance
management has regular interaction with business and product development teams, and that the IT
department has a role in identifying appropriate systems for products and services related to
financial technology by verifying the ability of compliance to:
- Identify current and potential risks and regulatory requirements before launching new
products or services or developing existing products.
- Conduct a regular review and risk assessment of the financial institution’s products and
services.
- Prioritize these risks and assess the effectiveness of existing controls to address these risks
for each particular product, service, a segment of customers, and geographic areas.
- Identify automated systems that can be used to detect suspicious transactions and assess the
effectiveness of such systems.
The financial institution should be able to identify additional controls necessary to improve audit
procedures in such a way as to allow financial institutions to develop new products and services
without exceeding AML/CFT requirements and allocate adequate resources to ensure the
effectiveness of the audit function. This includes, as appropriate, investments in technology, staff,
and training.
Banking laws in Jordan require banks’ internal audit departments to review the structure of the
internal control systems at least once a year. The AML/CFT law also stipulates the necessity of
allocating independent and qualified staff within the internal audit departments to test banks’
compliance with the internal AML/CFT policies, procedures, and controls.
Role of the Audit to Meet FinTech
Internal audit plays a significant role in assuring that financial institutions adequately identify the
risks of financial technology associated with AML/CFT and maintain procedures, processes, and
internal control systems to mitigate these risks effectively. The primary objectives of the AML
audit include:
- Specifying weaknesses in compliance, AML/CFT programs, and deficiencies in control of
products and services related to financial technology and assistance in improving
AML/CFT programs.
- Identifying deficiencies in technology-based systems and helping to identify areas for
improvement in these systems.
- Assisting management in identifying money laundering and terrorist financing offenses
associated with each type of product and service, identifying probabilities for how these
products will be exploited in ML/FT, and proposing controls to prevent these products from
being used for illegal purposes.
- Identifying opportunities and methods to help management make AML/CFT program
improvements continuous and sustainable.
Risk-Based Approach (RBA)
The intensity of control and attention that internal audits apply to new technologies in the
AML/CFT field should be linked to the scale of the risks they pose to the financial institution,
where the examination of financial operations resulting from financial technology products
requires an understanding of the nature of these developments and their impact on the institution.
Therefore, an internal audit should follow a risk-based approach to prioritize examination in
emerging technology areas, while continuously measuring and monitoring high-priority
technological risks.
The advantage of a risk-based approach is to optimize resources available to the financial
institutions by focusing on high-risk products and services that could have a significant impact on
the financial institution’s reputation in case money launderers and financiers of terrorism exploit
these products.
A risk-based approach (RBA) means that banks understand the risks of ML/FT to which they are
exposed, including risks associated with financial technology, and have applied audit measures to
AML/CFT procedures by focusing on high-risk areas in relation to customers, countries,
geographic regions, products, services, and service delivery channels, while implementing
simplified measures where risks are lower, in accordance with FATF Recommendations.
The risk-based approach to auditing AML/CFT measures includes:
- Identifying the type and nature of ML/FT risks in the bank’s financial operations related to
financial technology and assessing the risks of financial activities and customers using
specific elements (products, services, distribution channels, geographic regions, customers,
business relationships, and other relevant factors). Understanding customers’ needs and their
relevance to the bank’s products and services is vital to an adequate anti-money laundering
function.
- Verifying that the compliance department and the risk department of the bank carry out
self-assessments of risks on an annual basis, review the results of the evaluation, and verify the
effectiveness of risk mitigation procedures, particularly risks resulting from financial
technology.
- Verifying the adequacy of KYC procedures and their development to keep up with new financial
technology tools.
- Reviewing compliance policies and AML/CFT measures to ensure that they have been
updated to reflect the current regulatory environment in line with developments in financial
technology, and requirements of regulatory authorities in particular.
- Reviewing business practices and staff training to ensure that they reflect a strong knowledge
of existing regulations related to financial technology.
- Reviewing the adequacy of AML/CFT measures in transactions with financial technology
companies and their clients, evaluating the ability of compliance management, and achieving an
appropriate level of compliance procedures for these companies.
- Verifying the effectiveness of continuous monitoring systems of transactions and business
relationships according to the level of risk assessed and using sampling methodologies and
appropriate sample sizes based on risk.
- Verifying the adequacy of applying CDD procedures, identification, and evaluation of risks
related to high-risk areas, and applying EDD procedures and focusing on them.
- Applying periodic reviews of high-risk customers for updating information, conducting
checks, and reviewing overall transaction activity for reasonableness.
- Ensuring that the results and defects are handled in a timely and appropriate manner by
management.
- Ensuring that staff experience in AML/CFT management is adequate and that the AML team
receives regular training, including training on any developments in products related to
financial technology.
- Verifying that there is a strong compliance culture in the financial institution as a whole and
that procedures for reporting anti-money laundering problems to the board of directors are in
place, as appropriate.
- Checking the effectiveness of compliance and AML/CFT management in monitoring and
reporting suspicious activities, and in reviewing the quality of investigations, SARs, and other
issues.
- Assessing the design efficiency and operational effectiveness of key operations consistent
with the AML/CFT manual.
- Making clear recommendations that address the main cause of any problems with final
reports.
- Tracking the results and submitting previous results for review or examination.
- Keeping the worksheet documents and planning documents.
- Modifying internal audit procedures in accordance with changes in risk data, including tested
areas and test methods.
IT Audit to FinTech
Information technology (IT) auditing is an important part of the overall framework for auditing
anti-money laundering, especially in light of increasing products and services related to
innovations in financial technology, in order to determine the extent to which appropriate
automated systems are used in the AML/CFT operations efficiently and effectively in line with
financial technology.
The main task of the IT audit is to evaluate existing systems to protect the bank’s information,
including anti-money laundering and terrorist financing systems. This way, an IT audit is used to
assess the ability of an organization to protect its information assets and to distribute information
to authorized parties properly. Thus, the IT audit aims at assessing whether:
- Anti-money laundering systems in the organization are available to work at all times when
needed.
- Disclosure of information in the AML/CFT systems is only for authorized users, such as
compliance and AML/CFT departments, and involved staff at the bank.
- The information provided by the systems is always accurate, reliable, and timely, capable of
delivering indicators of suspicious transactions, providing quantitative and qualitative analysis
of the statements of movements carried out by all customers, and protecting the bank from
hacking operations.
IT auditors should be fully aware of the risks of money laundering and terrorist financing
operations and should receive appropriate and continuous training.
AML/CFT Program to Enhance Audit Function
Board of Directors and Senior Management Oversight
- The board of directors has established a comprehensive AML/CFT
program, which includes all the bank’s activities and products,
including those related to financial technology.
- The board of directors is familiar with the comprehensive risk
assessment, including ML/FT, and has adopted appropriate
measures to reduce these risks.
- The board has approved appropriate AML/CFT policies and
procedures for the bank’s risks.
- The existence of a board audit committee, as well as a compliance
committee and risk committee, that is informed about all reports
submitted by supervisory departments in the bank and is
responsible for verifying that the executive management has
processed such reports.
- There is a reliable and effective MIS system assuring that the bank
has sufficient flexibility to accommodate technological
developments in banking services.
AML/CFT Policies and Procedures
- Comprehensive and appropriate AML/CFT policies and
procedures to reduce the risk of dealing with high-risk customers
and high-risk products/services.
- Policies and procedures have been updated to include the risks
associated with financial technology products and meet the latest
supervisory requirements for AML/CFT.
- The implementation of policies and procedures is very consistent
and effective, including but not limited to: (customer acceptance,
updating of customer data, record keeping, and monitoring and
reporting of suspicious transactions).
Risk Management Program
- Risk management systems should be comprehensive to identify
and control all ML/FT risks effectively posed by businesses,
including risks associated with customers and products/services
related to financial technology, geographic location, and
distribution channels.
- Conduct periodic assessments of money laundering risks,
contribute to the development of new products, business lines, and
geographic markets, and carefully examine money laundering risks
associated with these products/services.
Internal Controls and Compliance Function
- The bank has an independent internal audit function reporting to
the audit committee of the board of directors or the board of
directors, reviewing and testing the AML/CFT program and
CDD/KYC policies and procedures, with an AML/CFT risk-based
audit plan including audit of compliance management, and the plan
developed in accordance with developments in financial
technology.
- Independent compliance function supported with sufficient
resources approved by the board of directors and reporting to the
board or compliance committee.
- Consistent and highly effective compliance function with the
ability of the compliance officer to manage the AML/CFT program
and monitor risky transactions with sufficient control systems for
detecting and reporting suspicious transactions in a timely manner.
Resources and Training
- There is a specific annual budget dedicated to AML/CFT approved
by the board of directors in line with the needs and risks of the
bank, provided that the budget is sufficient to accommodate control
and monitoring procedures for products and business lines
associated with financial technology.
- The audit and compliance team has specialized training in
AML/CFT and in dealing with techniques related to financial
technology.
- There should be participation by the board of directors and senior
management in training about AML/CFT.
- There is a mechanism for communicating laws or new changes
relating to AML/CFT to employees in the bank; in addition,
AML/CFT training courses are presented to all employees who deal
directly with customers.
Use the Technology
- AML/CFT programs today must rely on sophisticated analytical
and digital processes and tools since they cannot meet anti-money
laundering requirements using outdated and inefficient manual
processes in light of the developments in the innovations of
financial technology.
- Banks should use advanced digital solutions to extract, audit, and
analyze large amounts of structured and unstructured information
to reach a meaningful conclusion in AML/CFT.
Appendix No. (1) contains examples of innovative digital and
analytical techniques that can improve anti-money laundering
efforts.8
8 Source: Jeff Ingber and Armen Kherlopian, Genpact. “Five AML technologies you must understand.” (January 7, 2017)
Conclusion
Reliance on financial technology in banking services does not conflict with AML/CFT
requirements, but requires banks and supervisory authorities to consider how to balance and
enhance the integrity and stability of the banking system and maintain the market share of banks,
while minimizing the risk of innovation to the financial sector through the development of
appropriate laws, legislation, and procedures, including AML/CFT regulations, without hindering
beneficial innovations in financial services.
Optimizing financial technology while maintaining the integrity and reputation of banks and
their financial operations is achieved through banks’ efforts to examine the potential risks of new
banking products and services associated with financial technology, to understand weaknesses, to
develop appropriate controls, and to continuously monitor these products and services.
Banks should implement proper due diligence and risk management procedures, monitoring and
reporting of suspicious transactions, and record keeping while developing these procedures in line
with financial technology.
The responsibilities of each party should be identified concerning compliance and agreed-on
service levels and audit rights in relation to banks’ agreements with any third party, including IT
companies and financial technology services companies, so that banks can attract these companies
and their customers while maintaining an appropriate level of AML/CFT controls.
Banks should have a comprehensive AML/CFT program that clearly defines the responsibility of
the board of directors, executive management, risk management, compliance departments, and
internal audit function to achieve an adequate AML/CFT procedure related to financial technology.
Banks should develop AML/CFT policies and procedures to identify, manage, and control risks
associated with using financial technology, while providing adequate resources and continuous
training for compliance staff.
Banks must have an effective IT function capable of handling the risks of new technologies and
implementing effective control environments needed to properly support financial innovations in
coordination with risk management and compliance function at the bank.
An internal audit function with sufficient experience and resources should examine the efficiency
and effectiveness of AML/CFT systems and their ability to address the risks associated with
financial technology, then provide management with reports on weaknesses to be addressed and
implement appropriate controls for them. A specialized IT audit team should test AML/CFT systems
and their ability to protect the bank’s assets from piracy and to prevent the exploitation of the
bank’s services and products by money launderers.
The risk-based approach is an effective means of implementing AML/CFT measures in light of
increasing categories and users of financial technology and their objectives through implementing
EDD measures for high-risk transactions, customers, business lines, and geographic areas. In
contrast, the application of simplified due diligence procedures in low-risk areas increases the
effectiveness of audit on AML/CFT measures.
Banking supervisory authorities should review their regulatory and supervisory frameworks,
especially in AML/CFT, in light of risks arising from financial technology products, so that these
frameworks are sufficiently proportionate to ensure the protection of consumers and the banking
sector alike.
Supervisory authorities can explore the possibilities of new technologies and make use of them to
improve their methods and processes in the field of banking supervision, especially in the
AML/CFT field. International cooperation between supervisory authorities is essential through the
coordination of supervisory activities of cross-border IT operations, as well as an exchange of
experiences, and authorities should consider whether it is appropriate to implement similar
approaches or practices in AML/CFT efforts.
References
1. Financial Stability Board (June 27, 2017) “Financial Stability Implications from FinTech,
Supervisory and Regulatory Issues that Merit Authorities’ Attention”.
2. Basel Committee on Banking Supervision (BCBS) (October 31, 2017) “Sound Practices:
Implications of fintech developments for banks and bank supervisors”.
3. Jeff Ingber and Armen Kherlopian, Genpact (January 7, 2017) “Five AML technologies you
must understand”.
4. FATF (October 2014) “Risk-based approach guidance for the banking sector”.
5. FATF (2012) “International Standards on Combating Money Laundering and the Financing
of Terrorism & Proliferation—The FATF Recommendations”, Paris.
6. P.Haran, A white paper, ACAMS, “Augmenting the AML Audit Toolkit to Strength Cyber and
AML Controls.”
7. IMF, staff discussion note, (June 19, 2017) “Fintech and Financial Services: Initial
Considerations”.
8. Financial Conduct Authority (March 31, 2017), “New Technologies and Anti-money
Laundering Compliance” The UK.
9. Jay Smith, CAMS-Audit “Does one size fit all? The modernization of an AML Audit into a
Financial Crime Audit.”
10. Karen Gifford & Michael Barr & Aaron Klein, Brookings (April 17, 2018) “Enhancing anti-
money laundering and financial access: Can new technology achieve both?”.
11. IMF Policy Paper, (October 11, 2018) “The Bali Fintech Agenda”.
12. Central Bank of Jordan, Payment Systems Legislations.
13. Central Bank of Jordan (2018), AML/CFT Regulations.
14. Financial Conduct Authority (May 12, 2015) “Copy trading”, The UK.
15. Central Bank of Jordan, “Central Bank of Jordan unveils its support to the financial technology
(FinTech) sector and stresses on the Cryptocurrencies ban”.
16. Central Bank of Jordan, “FinTech Regulatory Sandbox”.
17. Central Bank of Jordan, “The Financial Inclusion National Strategy Project”.
18. Central Bank of Jordan, Web Site, (http://www.cbj.gov.jo/).
Appendix no. (1)
Examples of Innovative Digital and Analytical Techniques That Can Improve
Anti-money Laundering Efforts
Cognitive computing
The key concept of cognitive computing is making computer systems
understand more of what the user wants: digital assistants that can manage
large amounts of structured and unstructured information. The key benefit
of cognitive computing is the ability to enhance assessment of AML risk.
The technology does so by presenting information, such as data used to build
customer profiles, in a timely, natural, and usable way.
Graph analytics
Graph analytics explores relationships between individuals by analyzing
relationship patterns among varied data types through the understanding of
shared customer attributes. It can also determine relationships among AML
documents to make connections and flag anomalies.
Machine learning
Machine learning is primarily about pattern detection; the system acquires its
own rules, based on the data and patterns found. Risk scoring presents a good
example of the benefits of machine learning. A key requirement is that during
the system’s training phase, data on known high-risk customers, products, and
geographies are presented as examples. The system then leverages its learning to
risk-score based on patterns not initially obvious or appearing merely random.
Cloud computing
The use of a virtual private cloud can help significantly with the rationalization
of disparate data sources both within and external to an institution. Using cloud
computing facilitates accessing, bringing together, and enriching needed data in
performing know your customer, beneficial ownership, or other required AML
remediation activities.
Robotic process automation
With RPA, software robots emulate the login, point, click, and copy-and-paste
actions of a human user in a rapid but specified sequence. The advantage for
AML systems is that the data can stay disparate, as each robot has its own
credentials and is tackling the inherent multiple system inefficiencies through
speed and repetitions.
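
The graph analytics entry above describes finding relationships between individuals through shared customer attributes. The following Python code is an added example, not part of the original paper or of the Genpact article it cites: it groups customers connected through any chain of shared attribute values and lists those linked to an already known high-risk customer. The records, the attribute names (phone, address, device) and the KNOWN_HIGH_RISK set are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (assumption, not real data): customer -> attributes.
CUSTOMERS = {
    "C1": {"phone": "0790000001", "address": "12 Example St", "device": "dev-a"},
    "C2": {"phone": "0790000002", "address": "12 Example St", "device": "dev-b"},
    "C3": {"phone": "0790000003", "address": "7 Sample Rd", "device": "dev-b"},
    "C4": {"phone": "0790000004", "address": "99 Demo Ave", "device": "dev-c"},
    "C5": {"phone": "0790000005", "address": "41 Test Blvd", "device": "dev-d"},
    "C6": {"phone": "0790000005", "address": "3 Mock Ln", "device": "dev-e"},
}
KNOWN_HIGH_RISK = {"C3"}  # assumed output of an earlier risk assessment


def find(parent, node):
    """Union-find root lookup with path compression."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def link_customers(customers):
    """Return (clusters of 2+ linked customers, shared attributes per customer)."""
    parent = {cust: cust for cust in customers}
    first_seen = {}             # (attribute, value) -> first customer holding it
    shared = defaultdict(set)   # customer -> attribute values shared with others
    for cust, attrs in customers.items():
        for pair in attrs.items():
            if pair in first_seen:
                other = first_seen[pair]
                parent[find(parent, cust)] = find(parent, other)
                shared[cust].add(pair)
                shared[other].add(pair)
            else:
                first_seen[pair] = cust
    clusters = defaultdict(set)
    for cust in customers:
        clusters[find(parent, cust)].add(cust)
    return [c for c in clusters.values() if len(c) > 1], shared


def flag_for_review(customers, high_risk):
    """List customers whose cluster contains a known high-risk customer."""
    clusters, shared = link_customers(customers)
    findings = []
    for cluster in clusters:
        hits = cluster & high_risk
        if not hits:
            continue
        for cust in sorted(cluster - high_risk):
            findings.append({
                "customer": cust,
                "linked_to": sorted(hits),
                "shared": sorted(shared[cust]),  # evidence for the reviewer
            })
    return findings


if __name__ == "__main__":
    for finding in flag_for_review(CUSTOMERS, KNOWN_HIGH_RISK):
        print(finding)
```

C1 shares nothing directly with C3 and is reached only through C2, which is the kind of indirect relationship a per-customer review would miss.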