Complete Guide to Anti-Money Laundering (AML)

Anti-money laundering regulations refer to procedures and processes that are put in place by organisations across every industry to discourage and prevent potential criminals from performing money laundering, either on or via their premises.

Through various standard controls and directives, compliance with anti-money laundering best practices empowers employees to identify, report, and terminate money laundering activities, helping to protect their business, their community, and the economy – as well as preserving national security (since money laundering is associated with terrorist financing).

Complying with money laundering regulations involves several areas of operation and it’s important that employees are given the information they need to understand and comply with these responsibilities as far as they could impact their job role.

Here’s what you need to consider:

Due Diligence

All business interactions require effective due diligence. These are thorough checks that – put simply – are designed to verify your customers are who they say they are.

Performing due diligence helps organisations calculate the risk-level of a customer or supplier and flag any areas for concern, such as if they are a politically exposed person, have residency in a high-risk location, or have links to organised crime.

To know who you’re dealing with, where their funds originate, and who benefits from the intended transactions, it’s good practice to conduct due diligence checks at the onboarding stage (before you agree to work with a new customer) and also at ongoing, regular intervals – including if any change in circumstance triggers concern.

Whilst some customers and suppliers require additional checks (known as ‘enhanced due diligence’), performing standard checks should protect both your organisation’s and your client’s interests/assets and help reduce or eliminate exposure to financial crime, including money laundering, fraud, and terrorist financing.

Following good due diligence practices means that customers can rest assured that you take their data privacy seriously, and it helps mitigate the risk of bad publicity, loss of reputation and legal consequences for your organisation. Remember, corporations and individuals are increasingly being held accountable for their due diligence practices and both can face high fines and, in extreme cases, even imprisonment if found to be criminally complicit in this respect.

Terrorist Financing

Just like it sounds, terrorist financing involves the funding and movement of money in order to finance terrorist operations. Terrorist activity can be financed through legal and illegal funds – from political donations to proceeds of crime – and terrorist financiers often exploit intermediaries in the legitimate economy to hide their activities and transfer funds (think financial institutions, charities, religious organisations, and other shell companies).

Because terrorist financing can be hard to detect (money can pass through many hands before reaching its final destination, spanning several territories), it’s important for employees to be able to recognise signs of potential terrorist financing and how to report them.

The techniques used by terrorist financiers to move money are closely related to money laundering techniques and sometimes involve actual money laundering. The signs and red flags for terrorist financing therefore overlap with money laundering red flags.

Regulations and legislation criminalise direct funding of terrorism, as well as activities that can contribute to terrorist financing. While specific definitions of terrorist financing offences vary by jurisdiction, they generally include:

  • Knowing or having a reasonable suspicion that fundraising money or property may be used for terrorism. This may include making payments, giving loans, inviting others to make payments, or receiving payments that may be used to fund terrorism.
  • Using or acquiring money or other property for terrorist purposes or with reasonable suspicion that it will be used for terrorist purposes.
  • Entering into an agreement intended to make money or other property available to another person if it will or may be used for terrorist purposes.
  • Facilitating retention or control of terrorist property in any way. This might be on behalf of another person, by concealment, through moving it out of the jurisdiction, or via transfer.
  • Failing to report red flags, suspicions, or knowledge of terrorist financing activity.
  • Alerting a person or organisation that they are under suspicion or investigation for terrorism-related activities. This is known as tipping off.

Accounting red flags

As professionals working in the financial sector, accountants and other types of finance administrators often stand in the way of criminals who want to use their place of business to launder money.

Because of this, it is important for all financial professionals to arm themselves with knowledge: what to look out for to spot money laundering, and which anomalies ought to ring alarm bells about unlawful intent and prompt further investigation.

Empowering your employees with this information will help your organisation to work in compliance with the law and combat financial crime.

Here are some accounting red flags your employees need to know about:

  • Unusual or uncharacteristic behaviours from a known/loyal customer, for example, requiring multiple reminders about documentation when ordinarily the client is very prompt.
  • Seeming reluctant or unable to provide the necessary paperwork.
  • Documents not matching up with previously given information.
  • Invoicing anomalies, e.g., misspelling of critical details, unexplained gaps, or invoice address and head office address being different.
  • Negative remarks in the media concerning the individual and/or organisation in question.
  • Associations with politically exposed persons (PEPs).
  • Use of offshore bank accounts, particularly if the customer/supplier has no presence in the country.
  • Unusual transactions, e.g., clearing an account of funds and/or making multiple small cash deposits.

Politically Exposed Persons

A politically exposed person (PEP) is someone who currently holds, or has held, a prominent public office. Due to the nature of the position, the immediate relatives or close associates of PEPs are also considered to be ‘politically exposed’ and are subject to enhanced due diligence checks for anti-money laundering.

PEPs are considered higher risk due to their position and influence, which increases their potential involvement in money laundering, bribery, fraud, and terrorist financing.

Politically exposed persons may have access to state assets, they may be able to put processes in place to prevent the detection of money laundering or terrorist financing, or they may own or control financial institutions, businesses, or other enterprises that could be used to launder money or generate illicit profits.

It’s worth mentioning that most PEPs do not abuse their position of power. However, these people are often targeted by those who wish to get close to them and abuse either them or their position of power. Therefore, PEPs are always considered to be high-risk clients and are often subject to a detailed background check and other enhanced due diligence.

Know Your Customer

Know Your Customer (KYC) standards are designed to protect financial institutions against fraud, corruption, money laundering, and terrorist financing. Indeed, for many organisations, KYC is the first and most crucial step of their AML compliance program and consists of the process used to verify a client’s identity, construct their risk-profile, and continuously monitor their account.

It’s important for organisations to carefully verify any customer’s identity, assess their risk, and understand their general financial habits as this makes it much more likely that any abnormalities and red flags will be identified. In turn, this allows organisations to act quickly and investigate any signs of money laundering (or other crimes) before the situation escalates.

There are three components of KYC:

  • Customer identification

This involves verifying a customer’s identity (i.e., that they are who they say they are) and usually calls for customers to share credentials such as name, date of birth, and address. In the UK, this commonly involves checking that the individual is on the electoral register and asking them to provide a current passport, full driving licence, or birth certificate, as well as a utility bill, council tax bill, or mortgage statement.

  • Customer due diligence

Due diligence aims to uncover any potential risk to the organisation should the company agree to do business with a specific individual. For this reason, organisations will use the above information to check that the customer in question is not on any sanction lists, such as the one published by the International Criminal Police Organisation (Interpol). They will also want to check that the prospective customer is not politically exposed.

  • Continuous monitoring

It’s not enough to perform identity checks and customer due diligence just once. Rather, in order to gain a full understanding of how customers typically use their accounts – and to catch any irregularities and mitigate risks as they arise – financial institutions must complete continuous monitoring and checks across their clients’ accounts.

Financial Sanctions

Financial sanctions programmes operate across the world. Different countries or jurisdictions have their own financial sanctions and enforcement bodies, all with one common aim: to combat money laundering, terrorist financing, and financial crime.

Financial sanctions also play an important role in national security, foreign policy and international peace. Common types of financial sanctions include tariffs on imports, trade embargoes, asset freezes (to prevent access to funds), and restrictions on financial markets and services such as banking and investments.

Most financial sanctions programmes maintain lists of individuals and entities who are subject to financial sanctions. These individuals or entities are known as ‘targets’, ‘Specially Designated Nationals’ or ‘blocked persons’ by different sanctions regimes.

Financial sanctions enforcement bodies have international legal reach. Examples include the United Nations Security Council and the European Commission. Other bodies, such as the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury, and the Office of Financial Sanctions Implementation (OFSI) of the UK HM Treasury, enforce sanctions based on their laws, national security and foreign policy.

EU Legislation updates

Following 4MLD in 2017 and 5MLD in 2020, the Sixth Money Laundering Directive (6AMLD) was transposed into EU law in December 2020, with firms having until June 2021 to implement the changes.

6AMLD was intended to improve clarity and harmonisation among EU member states, but it also increased member states’ reporting duties (since money laundering continues to go widely undetected and this must be addressed).

Why was 5AMLD important?

This directive was designed to bolster the barriers brought in by 4AMLD in the fight against money laundering and terrorist financing. It achieved this by:

  • Increasing ownership transparency to prevent money laundering and terrorist financing inside organisations that previously could conceal their ownership structures.
  • Creating centralised bank account registers to increase and improve the capabilities of Financial Intelligence Units (FIUs) across Europe.
  • Legally defining cryptocurrencies and reducing the anonymity and risk associated with them.
  • Improving the cooperation and exchange of information between AML authorities and the European Central Bank.
  • Broadening the criteria for the assessment of high-risk countries and applying standardised checks and monitoring across the board for these locations.

Why was 6AMLD important?

Only six months had passed since 5AMLD came into force when the EU extended this legislation even further by introducing the Sixth Anti-Money Laundering Directive (6AMLD). Its main aim was to expand the list of predicate criminalised offences (those crimes which are committed as a component of a more serious criminal act) and to increase the penalties for money laundering offences, e.g., heavy fines and imprisonment.

Unlike 5AMLD, the UK did not transpose 6AMLD into its domestic AML framework following the country’s withdrawal from the EU in January 2020. The key reason for this decision was the government’s understanding that the UK’s anti-money laundering systems are already compliant with many of the 6AMLD rules – in fact, the government believes ‘the UK already goes much further’ in many respects.

UK AML rules, for instance, already enforce longer sentences for certain money laundering offences (including imprisonment of up to 14 years in some cases) and UK law does include broader provisions relating to predicate offences than the specified crimes that qualify as predicate offences set out in 6AMLD.

Final Word

In an ever-changing regulatory landscape, getting your employees up to speed on the latest AML regulations and how to spot money laundering is one of the most effective ways to protect your company and its assets from illegal activity. We hope this article has helped our readers understand what AML means and why it is important for your business. However, if there’s anything we can help you with, please do get in touch via email or on 01509 611019.
