On 24 August 2022, the Monetary Authority of Singapore (“MAS”) published an Information Paper on strengthening anti-money laundering and countering the financing of terrorism (“AML/CFT”) practices for External Asset Managers (“EAMs”). The paper sets out MAS’ supervisory expectations on the subject and includes good practices and illustrative examples observed from a series of thematic inspections conducted by MAS.
This Client Update provides a summary of the key observations and recommendations highlighted by MAS.
On a preliminary note, EAMs are fund manager companies (“FMCs”) that generally manage the assets of high-net-worth customers that are custodised with private banks on an advisory or discretionary basis, and/or manage funds that are sold to high-net-worth customers. The Information Paper follows a series of AML/CFT thematic inspections conducted by MAS on selected EAMs. At the outset, MAS stressed that EAMs should review their AML/CFT frameworks and controls against the expectations set out in the Information Paper. In turn, should EAMs observe any gaps in their frameworks and controls, specific remediation or enhancement measures should be implemented expeditiously.
MAS also highlighted that while the paper is premised on its inspections of EAMs, the takeaways are also applicable to other fund management business models. As such, all fund management companies should incorporate the learning points from the paper where relevant.
The following 5 broad areas were canvassed in the Information Paper:
(ii) Risk Assessment Frameworks;
(iii) Customer Due Diligence (“CDD”);
(iv) Enhanced CDD; and
(v) Suspicious Transactions Reporting
As an aside, while the Information Paper sets out the expectations of MAS on EAMs relating to their AML/CFT frameworks, it does not directly address the financial institutions, such as private banks, that deal frequently with EAMs in the course of their business, and what MAS’ expectation of them would be in this regard. Such financial institutions would be advised to look to other relevant MAS publications. In the case of private banks, this would be the Guidance on Private Banking Controls, which sets out guidance on how private banks should carry out their due diligence checks when dealing with financial intermediaries including EAMs.
MAS is of the view that the board and senior management play an important role in maintaining good governance and sound AML/CFT risk management. As such, the board and senior management should foster a strong AML/CFT culture within the EAMs and actively oversee the development and implementation of AML/CFT programs.
It was generally observed that the board and senior management were aware that they were ultimately responsible for compliance with AML/CFT obligations and had a general understanding of these regulations. MAS observed several instances of good practices. For example, in some EAMs, the chief executive would personally approve the onboarding of all new customers. One chief executive would even have frequent discussions with the compliance team to ensure he was regularly updated on AML/CFT matters.
However, MAS also observed some areas of weaknesses. First, in some EAMs, the board and senior management failed to set the right tone from the top. In several cases, the senior management failed to account for the inadequacy of enhanced due diligence measures when onboarding higher ML/TF risk customers where the information obtained was inaccurate or insufficient. Furthermore, in one EAM, there were no mechanisms such as regular meetings to ensure that the board and senior management stayed on top of ML/TF issues. Key staff and representatives were also not disciplined or held accountable for their poor execution of AML/CFT controls. There were also repeat shortcomings that had been previously flagged out by MAS in a past inspection, which provided further evidence that the remediation measures taken by the EAM were ineffective.
Second, there were inadequate compliance and internal audit arrangements. For example, in one EAM, the board and senior management did not ensure that its second line of defence kept pace with its substantial growth in business. Its compliance resource was grossly insufficient and there were no AML/CFT audits performed by the internal audit function. In another case, the board and senior management allowed the internal audit to be performed by a non-independent person who had no relevant audit experience and knowledge of AML/CFT requirements. A handful of EAMs also failed to conduct any internal audits to assess the effectiveness of their AML/CFT policies, procedures, and controls.
Overall, MAS identified several key takeaways. Board and senior management should:
- set the right ML/TF risk culture and maintain adequate oversight of ML/TF matters;
- ensure that all three lines of defence are aware of and accountable for their AML/CFT responsibilities and are equipped with the relevant knowledge to detect red flags; and
- ensure that its internal audit function is independent and adequately resourced with the relevant expertise.
3. Risk Assessment Frameworks
(A) Enterprise-wide risk assessment
MAS emphasised that an enterprise-wide risk assessment (“EWRA”) enables EAMs to understand their overall vulnerability to ML/TF risks and manage and mitigate such risks that may exist across its business units, product lines, and delivery channels.
In this regard, MAS highlighted several areas of weaknesses. First, in some cases, there was a failure to consider relevant risk factors in the EWRA. For example, one EAM failed to account for risk factors such as the number of higher ML/TF risk customers and politically exposed persons (“PEPs”). Some EAMs also did not consider the aggregated volumes of their customers’ transactions, which could potentially indicate heightened ML/TF risks. Furthermore, some EAMs also did not consider the ML/TF risks associated with the different products or services offered or the different delivery channels used, such as where the EAM used technology or third parties to perform CDD.
Second, MAS observed that some EAMs failed to provide sufficient guidance on its EWRA methodology to staff. For example, some EAMs did not specify the thresholds for quantitative risk factors like “low”, “medium”, or “high”, which resulted in flawed assessments. In several instances, the EWRA was just treated as a checkbox ticking exercise and had no fields for staff to provide supporting reasons.
Third, there were also instances of inconsistent rating frameworks across individual customer risk assessments and EWRAs. One EAM was not consistent when assessing country risk, which was a common factor applied at both the individual customer and the enterprise-wide level. It incorrectly adopted a less stringent country risk classification in its EWRA compared to its individual customer risk classification. As a result, the ML/TF risks associated with its country exposure at the enterprise-wide level were understated.
Fourth, there were also instances where there were obvious errors. At one EAM, the EAM had indicated “nil” to risk factors such as the number of customers domiciled in jurisdictions where corruption or terrorism was prevalent and the presence of audit findings. These responses were plainly incorrect because the EAM did in fact have risk exposure to such customers, given the findings in its own recent internal audit report. Another EAM’s EWRA methodology was also flawed in that the aggregate of the risk factor percentages did not add up to 100%.
Lastly, MAS also observed that some EAMs took an unreasonable amount of time to update their EWRAs, with the longest time taken being four years.
MAS identified several key takeaways. EAMs should:
- consider all relevant risk factors, and account for its business model, target markets, and delivery channels when assessing ML/TF risks at the enterprise-wide level;
- ensure consistency in applying the risk assessment framework at both the individual customer level and the enterprise-wide level;
- provide adequate guidance and conduct proper reviews of EWRAs to ensure accuracy; and
- review and update their EWRA on a regular basis i.e. at least once every two years, or when material trigger events occur, whichever is earlier.
(B) Customer risk assessment
Customer risk assessment plays a crucial role in helping EAMs identify and assess the ML/TF risks posed by their customers and in turn apply the necessary level of CDD. The assessment should enable the EAMs to make an informed decision on whether to establish, continue, or terminate business relations with its customers.
It was generally observed that all EAMs had considered multiple risk factors to determine a customer’s overall ML/TF risk level. These include, but are not limited to the following: (i) the customer or beneficial owner’s (“BO”) place of domicile and nationality, (ii) the nature of employment or business, (iii) whether there was any PEP exposure, adverse news, or sanctions, (iv) complexity of ownership structure (for corporate customers), and (v) the type of product or service offered. Most EAMs adopted the use of quantitative methodology and rated customers as posing higher ML/TF risks if the aggregate risk score assigned to them exceeded a certain threshold and/or if certain high risk factors were met.
As regards the areas of weaknesses, the following was observed. First, in some cases, there was a failure to consider relevant risk factors in identifying higher ML/TF risk customers. For example, some EAMs only considered countries that the Financial Action Task Force (“FATF”) identified to have weak measures to combat ML/TF risks. These EAMs should have also reviewed other country-specific assessments by the FATF (e.g. mutual evaluation reports), and include countries with corruption and tax evasion risk concerns identified by other credible bodies (e.g. Transparency International, the Organisation for Economic Co-operation and Development). Moreover, some EAMs also did not properly define tax risk factors, as factors such as a customer’s participation in tax amnesty programmes were not accounted for.
Second, there were instances where customer risk assessment was poorly executed. MAS gave the example of a case where the customer had held dual citizenships in Country A (being a country in respect of which the FATF called for countermeasures) and in Country B. The customer was born in Country A but he subsequently relocated to Country B, and inherited his wealth from a family member who generated the wealth in Country A. The EAM regarded the customer only to be a citizen of Country B, assigned a medium risk rating to the customer and did not apply enhanced CDD. This was wrong, said the MAS, because the EAM did not take into account the fact that the customer derived his wealth from Country A, a country of which he was also a citizen.
Third, some EAMs also failed to consider whether customers had political exposure even though they were aware of the customers’ association with PEPs, such as where a customer was the immediate family member of a senior political party member or a connected party to a senior executive of a state-owned enterprise.
On a related note, MAS had also observed one case where the EAM decided not to subject customers to enhanced CDD even where the BOs were plainly PEPs or close associates of PEPs.
Lastly, MAS highlighted that in one case, the EAM’s customer risk assessment framework was inherently flawed because its methodology enabled a foreign PEP not to be classified as a high risk customer. This contravened the regulatory requirement that all cases involving foreign PEPs have to be considered to be high risk cases and have to be subject to enhanced CDD.
Hence, MAS identified the following 3 key takeaways. EAMs should:
- be cognisant of regulatory guidance and ensure that all relevant risk factors are duly incorporated in its customer risk assessment framework;
- consider pertinent and credible information to assess the ML/TF risks posed by customers/BOs, including PEPs (and family members or close associates of PEPs); and
- execute the customer risk assessment framework regularly to ensure all higher ML/TF risk customers are appropriately identified and subjected to enhanced CDD measures.
4. Customer Due Diligence
(A) On-boarding of new customers
Generally, MAS had observed that most EAMs had a structured approach in place to ensure that they had performed the necessary verification and screening checks to identify the customer and any BOs. This was usually done by way of customer onboarding forms and checklists which would then be signed off by the approving parties. All EAMs also subscribed to commercial screening databases to identify adverse information on their customers. Some examples of better CDD practices that were noted include where EAMs completed all onboarding CDD measures prior to signing any asset management mandate or Limited Power of Attorney. Some EAMs also performed internet searches to complement the searches done through their screening databases.
However, MAS also noted several areas of weaknesses. First, there were inadequacies in identifying customers and their connected parties or BOs. In one case where the EAM was appointed by the trustee to be the investment manager of investment-linked policies, the EAM had wrongly identified the insurance company to be the customer when the trustee should have been identified as the customer.
Second, in some cases, there was also a lack of justification for deferring the completion of CDD measures. MAS stated that the identity of a customer should be verified before the mandate has been signed as that is the point at which business relations are established. If not, the EAM must assess if the deferral was essential in order not to interrupt the conduct of business operations and whether ML/TF risks could still be effectively managed.
Lastly, in some cases, MAS also observed inadequacies in the screening process itself. For instance, some EAMs did not have a framework in place for an independent review of screening results and hence, this increased the risk of errors. There was also a lack of documentation of screening results observed in some EAMs.
Here, the MAS identified the following key takeaways. EAMs should:
- ensure that its customers and all relevant parties of the customers (e.g. BOs and connected parties) are properly identified;
- ensure that the verification of customers is completed before establishing business relations, and if not, there should be proper justification as to why the deferral is essential and the EAM must demonstrate it can still effectively mitigate ML/TF risks. Nonetheless, the completion of the outstanding verification should not exceed 30 business days after the establishment of business relations; and
- document their screening results properly and ensure that such results are subject to independent reviews.
(B) Transaction monitoring
Transaction monitoring enables EAMs to detect and report suspicious transactions that are inconsistent with the EAMs’ knowledge of the customer’s business and risk profile. MAS highlighted that one good example was where the EAM expressly informed its customers that the accounts under its management should solely be used for investment purposes and not for any other purposes such as personal transactions, and the EAM regularly monitored the accounts.
However, several weaknesses were observed by MAS. First, in some cases there were inadequacies in the design of the transaction monitoring framework. For example, some EAMs neither established any parameters/thresholds nor tailored these reviews in accordance with its customers’ risk profiles. Most EAMs also did not require their customers to explain the transfer of funds even where the amounts were significant and involved third parties.
In other cases, there was also a failure to detect suspicious transactions across multiple managed accounts belonging to the same BOs. In this case, an EAM had failed to detect a series of third party transfers alternating between two separately managed accounts belonging to the same BO, which had suspiciously come from a source that was not in line with its declared source of wealth and source of funds. However, this matter was not escalated to determine if a suspicious transaction report should be filed.
Next, there was also a failure in some cases to detect suspicious transactions involved in interconnected managed accounts. In this case, there were multiple deposits and trades in a single stock within a few months by a group of customers. The EAM had failed to investigate this further despite the total amounts not being in line with the customers’ background, net worth, and income level. The EAM also failed to detect anomalies in the trades executed even though there were signs that the customer could be connected to the company they had traded in and that irregularities had been flagged by the custodian bank.
Lastly, in some cases, there was also a failure to follow up on anomalies concerning personal transactions in investment management accounts. In one case, a customer used the funds in an account that was to be independently managed by the EAM to purchase some antique books from brokers that were not in the business of dealing in antique books. However, the EAM failed to follow up on this anomaly and did not escalate this internally.
MAS identified the following three key takeaways. EAMs should:
- implement a proper transaction monitoring framework (which should include risk based parameters and thresholds) to promptly detect and report suspicious or unusual patterns of transactions;
- review transactions holistically across multiple managed accounts belonging to the same BOs or group of interconnected managed accounts, as the transactions could be structured to avoid detection; and
- scrutinise all transactions through the customers’ managed accounts, with special attention to those that involve third parties, are flagged by custodian banks for potential issues, or exhibit complex or unusual patterns.
(C) Periodic Review
Periodic reviews of business relations are crucial to ensure that CDD data and documents are relevant and up to date. MAS observed that most EAMs kept to their stipulated review frequency, with higher risk customers accorded more frequent reviews. These reviews were generally performed by the EAM’s compliance function and reviewed by senior management where necessary.
There were several notable areas of weaknesses observed by MAS. First, one EAM continued to retain a customer suspected of ML/TF risks. In this case, the customer was alleged to be involved in bribery, but despite this, the EAM continued to retain the customer and failed to justify the reasons for doing so.
Second, one EAM’s monitoring of ongoing business relations for ML/TF risks was ineffective: while it had measures in place, these measures were neither rigorously nor effectively implemented. For example, while it conducted regular reviews of its customers, these reviews failed to account for changes in the customer’s accounts or adverse information flagged from screening reports. This EAM also failed to review relevant CDD data and information (e.g. residential address) of the customer and their relevant parties.
MAS identified two key takeaways here. EAMs should:
- perform a robust assessment on the risk mitigation measures where there are reasonable grounds for suspicion that existing business relations with the customers are connected with ML/TF. If the customer is retained, the reasons for doing so should be properly substantiated, documented, and approved by the board and senior management; and
- ensure that the periodic reviews consider all relevant ML/TF risk areas and regularly assess whether CDD measures imposed are still commensurate with the customers’ updated risk profiles.
5. Enhanced Customer Due Diligence
Enhanced CDD measures are required to be performed on customers of higher ML/TF risks. These measures include seeking approval from senior management to establish or continue business relations with the customer, establishing the source of wealth and source of funds of the customer and its BOs, and conducting enhanced monitoring of business relations during the course of business relations. Such measures enable senior management to make informed decisions on whether to maintain or exit business relations with customers. It was observed that generally most EAMs had a framework to subject customers with higher ML/TF risks to enhanced CDD measures.
Two main areas of weaknesses were observed by MAS here. First, in some cases, there was a failure to promptly identify and conduct enhanced CDD on higher risk customers by one EAM. In one particular case, despite being aware of adverse information relating to the customer, the EAM did not classify the customer as high risk. Further down the line, the EAM’s compliance team was apprised of this adverse information. However, all that the EAM’s compliance team did was to reclassify the customer’s risk rating to “high”; no further action was actually taken to subject the customer to enhanced CDD following the risk reclassification.
Second, there were cases where customers’ sources of wealth and/or sources of funds were not corroborated. Some EAMs did not obtain any documentation or information but merely relied on the customers’ representations. Additionally, some EAMs failed to check that the documents or information obtained from the customer did in fact substantiate the customers’ declared source of wealth and source of funds. In one case, a higher ML/TF risk customer attributed his source of wealth and source of funds to his employment income, investments, and rental income. However, the EAM did not obtain any supporting documents to substantiate this, and instead, made several arbitrary and unsubstantiated assumptions concerning the customer’s savings and rate of returns in his investments.
MAS re-emphasised that EAMs must ensure that customers or BOs posing higher ML/TF risks are promptly identified and subjected to enhanced CDD measures and perform adequate independent verification of the customer or BO’s source of wealth and source of funds to assess its legitimacy. EAMs should also assess whether the measures taken to obtain and corroborate the information provided are sufficient and reasonable.
6. Suspicious Transaction Reporting
EAMs are required to file Suspicious Transaction Reports (“STRs”) with the Suspicious Transaction Reporting Office whenever there are transactions suspected of being connected with ML/TF and must do so within 15 working days of the case being flagged as suspicious.
MAS observed that generally speaking, most EAMs considered and referred to the Guidelines to Notice SFA 04-N02 on Prevention of Money Laundering and Countering the Financing of Terrorism. These include situations where the customer failed to justify the purpose of a transaction when queried and where the transactions were not consistent with the usual activities of the customer. Most EAMs had also established escalation procedures, where suspicious transactions were brought to the attention of senior management, who would then decide on whether an STR should be filed. Moreover, in addition to filing an STR, most EAMs would also review business relations and the risk classification of the customer, and request additional documents to independently verify the source of wealth and source of funds to assess if the customer should be retained.
However, some STRs were not filed even in circumstances when they were clearly required – for instance, where the customers were known to be involved in ongoing legal proceedings involving alleged money laundering or where the custodian bank had already raised to the EAM concerns about the legitimacy of the customer’s funds.
Overall, MAS reminded all EAMs that they should file an STR on a customer as long as they know or have reasonable grounds to suspect any property of the customer could be connected to ML/TF.
Based on what is stated in the Information Paper, it would appear that overall, there is significant room for EAMs to improve their AML/CFT frameworks.
Ultimately, the key message from MAS is that EAMs must continue to strive to enhance their AML/CFT frameworks given their inherent vulnerability to ML/TF risks in dealing with high-net-worth customers.
A copy of the MAS Information Paper on Strengthening AML/CFT Practices for EAMs can be obtained here.