This article first appeared in Forum, The Edge Malaysia Weekly on September 19, 2022 - September 25, 2022

Since the introduction of the ­Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA), the government has taken a phased approach in imposing anti-money-laundering reporting obligations on various intermediaries and entities in the country. 

While the initial phase of implementation was focused on financial institutions and capital market intermediaries, over the years, various other entities have been made reporting institutions (RIs) under the act. 

The wide array of RIs now includes financial institutions, stockbroking companies, fund managers and recognised market operators such as peer-to-peer platforms and cryptocurrency exchanges. Professionals such as lawyers, accountants and company secretaries, as well as various other entities, including trust companies, dealers in precious metals or precious stones, moneylenders, casinos and real estate agents, have been subject to AMLA reporting requirements for several years. 

The obligations imposed upon such reporting entities revolve around conducting “Know Your Customer” (KYC) checks when onboarding new clients, carrying out ongoing customer due diligence during the course of the relationship, reporting suspicious transactions and proper record keeping. 

These requirements are currently set out in Bank Negara Malaysia’s policy documents on Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions, and Designated Non-Financial Businesses and Non-Bank Financial Institutions, and Security Commission Malaysia’s Guidelines on Prevention of Money Laundering and Terrorism Financing for Reporting Institutions in the Capital Market. 

RIs are required to adhere to these rules not only to counter money laundering but also terrorism financing and proliferation financing, which is the financing of weapons of mass destruction. Wading through AMLA rules can appear cumbersome and overwhelming at times. But this need not be the case. 

This article seeks to point out five key points that RIs need to take heed of. 

A commonly held misconception among some RIs is that AMLA compliance is an operational matter and, as a result, it is often consigned to management without any meaningful oversight by the board. While intermediaries in the financial markets such as banks and broking firms have been RIs for several years, entities that have recently been gazetted may not appreciate the extent of the board’s role. 

Bank Negara’s policy documents make it clear that the board has to maintain accountability and oversight for establishing anti-money laundering and counter terrorism financing (AML/CFT) policies. 

In granular terms, what this means is that the board should not only approve AML policies but should assess the implementation of these policies. The board should also define the lines of authority and responsibility for implementing AML/CFT measures, and this has to be followed by regular reporting by senior management and the audit committee to the board. 

This feedback loop is critical because it ensures that AML issues and concerns are regularly cascaded up to the board. Just as the responsibility for good corporate governance starts with the board of a company, the underlying proposition is that nurturing an environment where employees take compliance issues seriously is one that must be fixed on the highest governing body in a company or firm. 

Just as the role of the board is clearly defined, it is critical to ensure that each of the moving parts within an RI’s operations are affixed with clear roles and responsibilities. This involves the following: 

• Senior management, who are accountable for the implementation and management of AML/CFT compliance programmes. This means that they are responsible for formulating the necessary policies, designing the mechanisms to monitor suspicious transactions and reporting to the board periodically on the AML risks faced and the internal controls in place to manage these risks. Senior management is also responsible for ensuring that AMLA training is conducted and a compliance officer is appointed. Employee training is particularly critical so employees are aware of how to spot red flags and know where to turn to in the event that they are faced with a suspicious transaction. 

• The compliance officer acts as the reference point within the firm on all AML/CFT matters. He or she has to maintain internal criteria for the detection and reporting of suspicious transactions and acts as the point person with Bank Negara’s Financial Intelligence and Enforcement Department for this purpose. 

• The internal AMLA auditor is required to carry out an independent audit to test the RI’s compliance with the law, relevant guidelines and internal AML/CFT policies, and to submit a report to the board outlining corrective measures where necessary. 

At this point, Bank Negara has not set out the frequency of the audit — this is left to the RI to decide based on its organisational needs. Given that this is a rapidly evolving sector, it is important that RIs keep abreast of developments in this space and ensure that the key staff involved in AMLA compliance are well-equipped to discharge their functions effectively. 

While Bank Negara’s policy documents provide specific requirements in terms of RIs’ obligations, it also eschews a “one-size-fits-all” approach. In line with global standards set by the Financial Action Taskforce (FATF), RIs are required to apply a risk-based approach in dealing with money laundering and terrorism financing threats. This is highly beneficial because what this means in practice is that RIs can design their AML processes around the nature of risks they face in conducting their business. 

The FATF, which Malaysia is a member of, is an independent inter-governmental body that develops and promotes policies to protect the global financial system against money laundering, terrorism financing and financing of proliferation of weapons of mass destruction (www.fatf-gafi.org). 

How then should businesses implement a risk-based approach in dealing with anti-money laundering compliance? 

One useful tool is for the RI to carry out an AML institutional risk assessment within the organisation. Risk assessments are often conducted within an organisation to identify business risks that a company faces in its day-to-day operations and to ensure that appropriate processes to manage these risks are in place. This tool can be similarly used in the context of AMLA compliance. 

Questions that one should pose in conducting an effective AML risk assessment should be on what are the most pressing AML risks that arise in the course of my business, and how these risks can be mitigated. 

Commonly identified risks as set out in Bank Negara’s policy documents are client risk, geographical risk and transaction risks. Examples of client risks are non-resident clients, clients with cash-intensive businesses, clients whose ownership structures are excessively complex or persons from locations known for high rates of crimes such as drug production or human trafficking. 

Another risk is geographical risk, which refers to the location of the business or the origin of customers. In this respect, the list of countries set out in the FATF website categorised as requiring a “call for action” and those under increased monitoring would need specific attention. It is important that RIs consistently update themselves on these lists given the need for enhanced due diligence where clients or transactions involve these jurisdictions. 

Similarly, product and transaction risks are gaining traction in light of the frenetic pace of development in financial products such as cryptocurrency and other digital assets. In fact, data has shown that total transaction volume in cryptocurrencies worldwide has grown to US$15.8 trillion in 2021, up 567% since 2020. Of this, the increase in illicit transaction volume was 79%, translating into US$14 billion worth of illicit funds. 

Amid this surge of interest in cryptocurrency and other digital assets, regulators have called for increased caution in this sphere. The FATF has also issued a specific policy document detailing the risks and types of controls that businesses should consider when dealing with new asset classes such as virtual currency. 

That said, having a high-risk rating does not automatically mean that the RI should not conduct business with a particular client. What it does mean is that specific controls must be in place to manage those risks. If, having applied the controls, the residual risk is low, this means that the risk assessment exercise that has been undertaken provides a basis for proceeding with the business relationship. 

In the next article, we will delve into the importance of collecting customer data and conducting due diligence on an RI’s customer to take note of any money-laundering red flags, as well as the importance of the anti-money laundering enforcement in the financial ecosystem. 

Shanti Geoffrey co-heads Christopher & Lee Ong’s White Collar Crime & Investigations Practice Group

Save by subscribing to us for your print and/or digital copy.

P/S: The Edge is also available on Apple's AppStore and Androids' Google Play.