ACIP Shares AML/CFT Best Practices for FIs on Establishing Customers’ SOW and Addressing Wealth Management Risks

Introduction

The AML/CFT Industry Partnership (“ACIP”), a private-public partnership to collaboratively identify, assess and mitigate money laundering (“ML”) and terrorism financing (“TF”) risks facing Singapore, has published the following best practices papers:

  1. ACIP’s “Best Practices on Source of Wealth Due Diligence” paper (“SOW Paper”) shares best practices and guiding case studies for financial institutions (“FIs”) on conducting due diligence on their customers’ sources of wealth (“SOW”). These include the following best practices:
    • Adopt a tiered approach to SOW risk identification and corroboration for: (i) private banking and wealth management; (ii) retail banking; and (iii) corporate banking;
    • Execute risk mitigating measures and corroborate SOW, including the following SOW: (i) inheritances and gifts; (ii) business ownership; (iii) investment gains; (iv) sale of goods that are difficult to value; and (v) employment income;
    • Conduct ongoing monitoring of customers’ SOW; and
    • Ensure sufficient senior management oversight, including over: (i) risk appetite; (ii) escalation; (iii) governance; and (iv) risk mitigating measures.
  1. ACIP’s “Best Practices in Relation to Risks in Wealth Management” paper (“WMR Paper”) shares best practices and guiding case studies for FIs on addressing the following six risk areas in their dealings with wealth management customers:
    • The use of wealth management structures, including complex structures and family offices;
    • Macroeconomic developments and events, with corresponding risks such as shifting client demographics, exposure to new risk typologies, and increased risks of clients shifting assets to take advantage of differing requirements across jurisdictions;
    • The increase in non-face-to-face (“NFTF”) onboarding arising from the increased digitalisation of FIs’ processes, in comparison with traditional face-to-face (“FTF”) onboarding;
    • Risks arising from a client’s nationality and residence, e.g. the holding of golden passport citizenships, or indicators of multiple nationalities;
    • Engagements of external asset managers (“EAMs”) or Financial Intermediaries (“FIMs”), which make it more challenging to detect red flags in the end-client relationships; and
    • The ongoing monitoring challenges posed by changes in the client profile across the client lifecycle (e.g. ongoing transactional and static data interactions by clients during the lifecycle).

The papers are intended for banks in Singapore, and other FIs in Singapore can take guidance from them as well. This Update outlines some of the key best practices recommendations of ACIP under the SOW Paper and the WMR Paper.  

Best Practices in SOW Paper

Adopt a Tiered Approach to SOW Risk Identification and Corroboration

The private banking and wealth management segment carries an inherently higher exposure to ML/TF risks.

  1. Establish SOW without exception: As part of the Know Your Customer (“KYC”) process, FIs are expected to establish the SOW of all customers and their beneficial owners in this segment.
  1. Obtain and corroborate information: FIs should obtain the following information on the customer and beneficial owner, and corroborate this against documentary evidence and public information sources:
    • Background: How the client’s wealth was derived;
    • Investment history: E.g. types of investments, location, value and number of assets held, value of shareholdings, etc;
    • Business activities: E.g. nature, size, profitability and history; and
    • Professional career: E.g. length of career, position held and annual income.

For retail banking, which typically poses inherently lower risk compared to private banking and wealth management, FIs can consider a two-tiered approach. This allows FIs to adopt a risk-proportionate SOW due diligence standard to address the level of SOW risk based on the customer’s attributes and identified risks, while maintaining controls to identify specific risk triggers on an ongoing basis.

  1. Tier 1 – Baseline SOW due diligence: For customers who pose wealth risk, FIs should collect a base set of SOW information to establish an adequate understanding of the customer’s wealth journey and entire body of wealth, to determine and assess whether the customer presents material or high wealth risk.
  1. Tier 2 – Full SOW due diligence: For the following categories of customers, FIs should consider collecting the base set of SOW information and, additionally, taking steps to corroborate the customer’s SOW:
    • Material or high wealth risk: Customers assessed to present material or high wealth risk;
    • Single-factor attributes: Customers who trigger at least one of the prescribed single-factor customer attributes, e.g.: (i) customers who are foreign politically exposed persons (“PEPs”) or their relatives and close associates (“RCAs”); or (ii) there is material adverse news related to the customer’s SOW or sources of funds (“SOF”); and
    • Multi-factor attributes: Customers who trigger a series of the prescribed multi-factor customer attributes, e.g.: (i) the customer’s assets under management (“AUM”), transaction throughput, or net worth cross the appropriate thresholds; (ii) the customer holds multiple citizenships or nationalities from golden passport jurisdictions; (iii) the customer’s characteristics and nexus to Singapore suggest pertinent SOW risk; (iv) the customer has transactional activity and nexus across multiple jurisdictions or high-risk jurisdictions; or (v) the customer’s ML/TF risk rating.
  1. Collect base set of information: The base set of information should enable FIs to:
    • Understand wealth: Holistically understand a customer’s: (i) wealth journey, including the material SOW drivers and how the wealth was acquired (including the seed money); and (ii) entire body of wealth and composition of assets forming the same (e.g. asset types); and
    • Assess plausibility: Make a reasonableness or plausibility assessment of the customer’s representations and wealth journey.
  1. Conduct dynamic review: FIs should also recognise that, in some instances, SOW-related risks and/or red flags may only become apparent during the business relationship, rather than from static attributes collected during onboarding.

Similarly, for corporate banking, FIs may consider a two-tiered approach. This ensures a robust risk assessment framework, while prioritising resources for higher-risk entities demonstrating higher wealth risks.

  1. Tier 1 – Baseline SOW due diligence: For high-risk customers that do not otherwise present material SOW risks, SOW due diligence can be conducted at an entity level, to assess the propensity and extent of wealth risk for the entity and whether the need for Tier 2 due diligence arises. This entails collection of a base set of SOW information permitting a deeper understanding of:
    • Profile: The entity’s profile and business activities, to assess whether its size or net assets are broadly supported by its business activities; and
    • Initial funding sources: Including details on seed capital funding, where practicable.
  1. Tier 2 – Full SOW due diligence: For all other high-risk customers (e.g. those identified as having significant personal wealth exposure or potential SOW concerns arising from Tier 1 due diligence), FIs should collect the base set of SOW information of customers and their ultimate beneficial owners (“UBOs”) and, additionally, take steps to corroborate this information.
  1. Collect base set of information: The base set of information should enable FIs to:
    • Understand wealth: Understand: (i) an entity’s revenue, profitability, and overall financial health; and (ii) its key milestones and growth over the years; and
    • Assess plausibility: The above understanding should enable FIs to assess the plausibility of the entity’s claimed net assets and potential inconsistencies. FIs should also examine the legitimacy of the entity’s nature of business activities and evaluate the overall consistency of an entity’s profile against what was supplied during KYC.
  1. Utilise collection methods: To collect this base set of information, FIs may take the following measures:
    • Obtain documents / alternatives: Request the entity’s audited financials. If the entity claims not to have these: (i) assess and document whether the reasons are valid and reasonable; and (ii) seek alternatives (e.g. unaudited or management financials, external reports);
    • Conduct benchmarking: Consider additional checks and benchmarks against independent sources to assess the plausibility of the entity’s representations; and
    • Verify against public information: Assess whether the entity has a substantial public footprint (which may provide comfort that its financials are indeed contributed by the stated business activities over time) and verify against public registers.
  1. Adopt guiding principles: FIs can consider that the following types of entities typically present lower risks of personal wealth exposure and that Tier 1 due diligence may thus suffice for them:
    • Subject to disclosures: Entities that are subject to stringent regulatory disclosure and transparency-related requirements (e.g. on identification and review of beneficial owners, or on conducting KYC checks on customers and investors);
    • Subject to government oversight: Entities that are subject to strong government oversight (e.g. those primarily derived or funded by public funds or government resources);
    • Subject to regulatory oversight: FIs regulated by MAS or an equivalent regulator that adopts anti-money laundering and countering the financing of terrorism (“AML/CFT”) standards consistent with the Financial Action Task Force (FATF), or investment vehicles managed by such entities;
    • Non-materiality: Entities with non-material AUM, or where the intended or received funding from UBOs falls below a materiality threshold, thus posing lower ML/TF risks;
    • Lower-risk SOF: Entities with only a limited proportion of funding sourced from high-risk individuals (e.g. PEPs and RCAs who are not UBOs), thus reducing the risk of personal wealth exposure; and
    • Specific entities: FIs can consider the more detailed guidance prescribed, in determining whether to conduct Tier 1 or Tier 2 due diligence on specific entities, e.g.: (i) operating companies; (ii) investment companies such as private investment companies (“PICs”) and investment holding companies (IHCs); (iii) funds; and (iv) private trusts, foundations, Single Family Offices and Multiple Family Offices.

Importantly, for both retail banking and corporate banking segments, where FIs observe material SOW wealth risk from the customer: (i) FIs should consider applying SOW due diligence regardless of the customer’s ML/TF risk rating; (ii) FIs should reevaluate the ML/TF risk rating of the customer, and where appropriate, adjust the rating to reflect the heightened risks; and (iii) FIs should document the assessment outcome, and the rationale should there not be any adjustment to the rating.

Execute Risk Mitigating Measures and Corroborate SOW

  1. Execute risk mitigating measures: For lower SOW risk retail banking and corporate banking customers falling under Tier 1, FIs may not need to perform full SOW corroboration in the same way that they would under Tier 2. However, FIs should still consider the following risk mitigation measures, to enable assessment of the reasonableness of the SOW information collected based on the customer’s representations:
    • Conduct benchmarking: Performing benchmarking exercises to assess the plausibility of the declared material SOW drivers in relation to comparable industries or businesses of similar size in the same location; and
    • Verify against public information: This includes (i) conducting internet searches for public information to verify the existence of SOW information provided by the customer; (ii) gathering information from reliable public sources regarding the customer’s financial position; and (iii) evaluating the reasonableness of the declared material drivers of SOW by comparing these against publicly available data.
  1. Adopt tailored approach: Depending on the identity of the customer and information already available or obtainable from internal or external sources, FIs should tailor their approach to assess the reasonableness of the collected SOW information, while bearing in mind the overall customer experience.
  1. Apply professional judgment: FIs should apply professional judgement in assessing and verifying the veracity of the SOW information, to ensure that there is a reasonable explanation for the customer’s economic, business, or commercial activities that led to the generation or significant contribution of the customer’s overall net worth.
  1. Develop guidelines: FIs should consider developing guidelines regarding the use of benchmarks and assumptions, to ensure that these measures are reasonable, plausible, relevant, and appropriate for the specific risk profile and circumstances of each customer. Assumptions or extrapolations regarding historical income or profit should also reflect the customer’s unique circumstances.
  1. Conduct alternative corroboration: Where there are genuine practical challenges in conducting SOW due diligence, FIs can consider: (i) assessing the customer’s ML/TF conduct history, especially for long-standing customers (e.g. any Suspicious Transaction Report (“STR”) filed or unusual account activity); and (ii) commissioning independent reports from third-party due diligence providers to aid the assessment of SOW risks.
  1. Conduct dynamic review: FIs should review a customer’s SOW information regularly and during reviews of trigger events, to ensure that this remains relevant and updated and that the SOW risk levels are reviewed as appropriate.
  1. Best practices for corroborating – inheritances and gifts:
    • Execute risk mitigating measures: FIs can consider the following risk mitigating measures for corroborating inheritances and gifts: (i) utilising public information and third-party confirmations from credible sources to establish the veracity of the gift; (ii) conducting plausibility assessments by requesting supporting evidence on the customer’s wealth journey, gift amount, relationship with the asset contributor and the asset contributor’s SOW; (iii) identifying material inconsistencies that may indicate fraudulent behaviour, during cross-verification checks throughout the customer lifecycle; and (iv) seeking senior management approval for maintaining relationships that are under scrutiny;
    • Conduct additional checks: FIs should establish (with supporting evidence to the extent practicable) the relationship between the asset contributors and customers, to the extent that it addresses the underlying plausibility of the gift, especially if there are doubts regarding the rationale of the gift. FIs should also consider the need to conduct a SOW assessment on the asset contributor, especially if he / she is a significant or material SOW contributor, to assess the legitimacy and reasonableness of the gift; and
    • Corroborate with documents / alternatives: FIs should consider the duration for which the customer has held the assets and establish guidance to evaluate whether the documentary evidence requested is sufficiently recent to be kept. If there is a lack of documentation due to the long passage of time, alternative methods for corroboration should be outlined.
  1. Best practices for corroborating – business ownership: FIs can consider the following risk mitigating measures for corroborating business ownership:
    • Conduct benchmarking: Compare financial statements to industry averages or independent third-party benchmarks. Major deviations might indicate manipulation or atypical practices;
    • Conduct additional checks: Conduct additional due diligence if concerns are identified in any unaudited management accounts; and
    • Obtain documents / alternatives: Obtain several years’ worth of financial statements prior to performing benchmarking. For periods lacking readily available documents, FIs can consider extrapolating with appropriate adjustments and documenting the assumptions made and the basis for those assumptions.
  1. Best practices for corroborating – investment gains: FIs can consider the following risk mitigating measures for corroborating investment gains:
    • Verify against public information: Utilise publicly available resources to conduct searches on market trends or prices and validate historical performances;
    • Obtain documents / attestations: Obtain: (i) historical portfolio statements to determine the plausibility and consistency of returns across the customer’s wealth journey; and (ii) attestation from the customer’s relationship manager (“RM”) based on their experience and engagements with the customer, if the RM has managed this relationship for a reasonable period of time; and
    • Understand investment experience: Understand the customer’s investment strategy and approach, while ensuring alignment with the customer’s depth of experience as a credible investor.
  1. Best practices for corroborating – sale of goods that are difficult to value: FIs can consider the following risk mitigating measures for corroborating the sale of goods that are difficult to value (e.g. art, antiques, collectibles, web domains, non-fungible tokens (NFTs) or rare commodities):
    • Assess plausibility: Conduct a plausibility assessment and attempt to verify the legitimacy of the customer’s sale of a difficult-to-value asset;
    • Obtain documents: Request additional documents to corroborate the sale process (including the basis for the sale price, counterparty due diligence, the rationale for the sale, etc), evaluate submitted documents critically, take additional steps to verify the authenticity of the documents, and challenge the veracity of the documents if necessary;
    • Conduct additional checks: Conduct independent checks to ascertain the commercial viability of the sale, and conduct counterparty due diligence if necessary;
    • Apply professional judgment: Exercise professional, independent judgment to determine whether the sale makes commercial sense, including the plausibility of the sale price; and
    • Engage professionals: Engage the services of external professionals to advise on the likelihood of the transaction.
  1. Best practices for corroborating – employment income: FIs can consider the following risk mitigating measures for corroborating employment income:
    • Conduct benchmarking: Compare the customer’s employment income to industry averages, using a plausible, matching and credible benchmark that is not significantly disparate from the customer’s specific SOW and circumstances. FIs can consider the following factors in selecting a benchmark: (i) country of employment; (ii) size and type of the business or industry; (iii) employment role and seniority; and (iv) the time period of the benchmark used; and
    • Conduct additional checks: Conduct additional due diligence checks if concerns are identified (e.g. where there are discrepancies between the customer’s narrative compared with public information).

Conduct Ongoing Monitoring

  1. Adopt tailored approach: An FI’s approach for monitoring and reassessing SOW risk should be tailored to the specific characteristics of each business segment within each FI, considering the inherent risks and complexities of each segment. This ensures that an FI’s operational capacity and resources are focused on the areas that pose the greatest risk, while maintaining a proportionate strategy and response across all segments.
  1. Conduct dynamic review: FIs should consider establishing measures to monitor and identify changes in customer circumstances, which would then trigger a risk assessment to recalibrate SOW risk. Ongoing monitoring should also consider the information gleaned from SOW establishment to facilitate the FI’s assessment of wealth risk and whether there is an emerging need to perform or reperform SOW corroboration. Some considerations for whether to perform or reperform SOW corroboration post-onboarding include:
    • Adverse news: Whether there is adverse news on the customer relating to their SOW;
    • Profile changes: Whether there are changes in the customer’s profile (e.g. exhibiting the single or multi-factor attributes listed above);
    • Abnormal funds: Whether there are injections of funds or abnormal fund flows passing through the account, where the value exceeds the appropriate threshold and/or is higher than the customer’s indicated SOW;
    • Outdated information: Whether there are indications suggesting that existing SOW information may be outdated, inaccurate or unreliable; and
    • New contributors: Whether the FI becomes aware of new SOW contributors or changes to the same.
  1. Leveraging technology: FIs should explore leveraging technological enablers to enhance the effectiveness of ongoing monitoring of changes in the materiality of SOW risks, and to uplift their capabilities across the following spheres:
    • Data collection: E.g. digitising relevant data points to support: (i) ongoing monitoring; and (ii) development of data analytics to identify SOW profiles which require enhanced due diligence;
    • Risk detection: E.g. (i) using data analytics to detect risk signals on an ongoing basis; (ii) using artificial intelligence to detect potentially fraudulent documents; and (iii) using machine learning to identify higher risk cases based on dynamic attributes; and
    • Information sharing: Using technology to enable stronger information sharing within FIs and across business units, thus: (i) allowing the monitoring of related customer accounts holistically; and (ii) enabling a better understanding of risks associated within customer groups, identification of ML/TF risks and reporting of suspicious behaviours. To ensure that such information sharing is targeted and risk-driven at a reasonable scale, FIs can consider a progressive approach in implementing information sharing arrangements within and across their business units.

Ensure Senior Management Oversight

  1. Clarify risk appetite: FIs should clearly define the risk appetite and parameters for the boundaries of risk acceptance, with a supporting governance process. In articulating these parameters, FIs should consider factors such as business segments, target markets, jurisdictions, customer profiles, etc, to determine the level of SOW due diligence requirements to reasonably ascertain the legitimacy of the funds and address the identified wealth risk. If the legitimacy of a customer’s or beneficial owner’s SOW cannot be reasonably ascertained, FIs are expected to establish additional risk mitigating measures or not proceed with establishing or maintaining business relations with the customer.
  1. Clarify escalation: In defining the framework to govern the acceptance of SOW corroboration, FIs should consider and document when escalations to senior management are required. If: (i) the measures performed do not meet the FI’s SOW due diligence standards; or (ii) the residual risk of the customer’s uncorroborated SOW is assessed to fall outside the prescribed risk appetite, FIs should establish a mechanism to escalate such cases to senior management for approval before establishing or continuing the customer relationship.
  1. Clarify governance:
    • Clarify matrices: FIs should establish clear escalation and approval matrices to govern the establishment or continuation of business relationships, where there are residual risk concerns relating to SOW corroboration. The framework should consider the materiality and severity of the risk concerns, and the impacted business segments, in escalating to the appropriate members of senior management or associated governance forums;
    • Clarify reporting: FIs should establish portfolio-level management information and risk reporting, to ensure that senior management can exercise close management oversight. Such reporting should ensure that appropriate information is provided to enable senior management to form a holistic understanding of risk within the portfolio and make timely and informed decisions. Such information should be refreshed regularly and reported for ongoing risk monitoring and management; and
    • Establish close feedback loops: FIs can consider close feedback loops to keep senior management apprised of customers where exceptional approvals have been granted, and to ensure proactive escalation to senior management of risks observed through a customer’s lifecycle.
  1. Execute risk mitigating measures: FIs can consider the following risk mitigating measures to address residual risks and to empower senior management to exercise their judgment effectively:
    • Impose restrictions: E.g. (i) limiting or restricting relationship expansion; (ii) imposing account-specific restrictions or product restrictions; and (iii) limiting the AUM that the customer can maintain with the FI;
    • Downgrade rating: Downgrading the customer’s AML/CFT risk rating; and
    • Require approval: Requiring senior management and/or compliance approval prior to transaction execution.

Best Practices in WMR Paper

Address Risks Associated with the Use of Wealth Management Structures

The use of wealth management structures can be for a number of legitimate reasons, and includes:

  1. Complex structures: Where the relationships are identified as posing complexity risk, bearing in mind that such complexity can include:
    • Structural complexity: Related to the chain of beneficial ownership;
    • Operational complexity: E.g. by virtue of a client relationship which is primarily managed by professional external parties such as an EAM or FIM, which adds to the potential EAM or FIM engagement model risks outlined below;
    • Transactional complexity: E.g. clients trading through multiple entities, or using financial products to move value across and between multiple entities; and
    • Jurisdictional complexity: E.g. clients whose country of residence, country of incorporation of PIC, country of banking relationship, and country of transactional counterparties, may differ.
  1. Family offices: Involving family office relationships which pose heightened risks due to the nature and prominence of the individuals, families, financial assets and transactions involved, rather than the structures themselves.

This section explores the following case studies involving risks associated with the use of such wealth management structures:

  1. Adverse media PIC: A simple PIC where there is the presence of adverse media concerning the same.
  1. Complex trust structure: A complex trust structure where professional tax advice that the prospects had received is provided to the FI.
  1. Single Family Office: Prospective clients from a Single Family Office who are ostensibly a high net worth (HNW) family, but who do not have a public profile available to readily support their stated SOW. This results in potential risks such as the clients providing fictitious or fraudulent SOW information to support the account funding, and the risk of co-mingling assets of multiple parties under the guise of a single family.
  1. Operating companies: Where a wealth management client requests either a dedicated commercial account for their operating entity, or an account for the operating entity whose use will be “combined” e.g. some wealth management activity and some commercial activity.
  1. Family office management company: Where the family office’s administration or management entity’s account is being used for more frequent commercial transaction banking, which may go beyond the provision of the FI’s usual investment management services.

The best practices for FIs to address such risks are summarised below:

  1. Understand structures: FIs should be conscious of the additional risks posed by the use of such structures, take commensurate steps to understand the client’s legal structures and their reasons for utilising them, and have in place the appropriate measures to mitigate the risks.
  1. Understand impact: FIs should understand the intended transactions and consider whether the client’s legal structure will have any impact on matters such as tax transparency. 
  1. Consider capital controls: FIs should consider whether the structure could facilitate the circumvention of capital controls. 
  1. Engage internal experts: FIs should consider the need to engage internal subject matter experts (“SMEs”) on subjects such as tax, cross-border controls, or fraud, where potential risks are identified. FIs should also consider the involvement of internal SMEs to assess independent advice that clients may have obtained, rather than taking at face value that the clients’ independent advisors have alleviated all potential risks.
  1. Detect co-mingling risk: FIs should be conscious of the risk of co-mingling funds into Single Family Office vehicles.
  1. Verify operating companies: FIs should obtain additional information in respect of operating companies, i.e. their nature, their location, and the counterparties of their operations. 
  1. Establish onboarding expertise: FIs should consider having a defined process (e.g. a “competence centre” approach) for the onboarding of certain structures, such as funds. 

Address Risks Associated with Macroeconomic Developments and Events

Macroeconomic developments and events could drive the movement of capital, usually from less stable countries to other countries which are viewed to be more stable. These developments and events may also lead to: (i) restrictions being imposed against people and entities, either by the impacted country or by other countries seeking to minimise contagion risk (e.g. the imposition of sanctions against the nationals of a specific country); and (ii) capital flight, which may be indicative of illicit assets (e.g. when a government announces a crackdown against corruption).

This section explores the following case studies involving risks associated with such macroeconomic developments and events:

  1. Fraudulent documentation: When the FI detects red flags, i.e. the possible use of potentially fictitious or fraudulent documentation, from some prospects seeking to transfer capital from the impacted location to Singapore.
  1. Dormant SOW entity: When the SOW entity for prospects seeking to physically relocate to Singapore and to apply for a Singapore Employment Pass lacks commercial activity.
  1. Money services businesses: When: (i) money services businesses from a high-risk jurisdiction, where the client has no known business or financial nexus, are being used to enable funds to be remitted out of the source country and brought to Singapore; and (ii) there is third-party funding of wealth management accounts by individuals or parties from high-risk jurisdictions with no known nexus to the client.
  1. Sanctions risks: When international sanctions measures are being taken against a particular country, and additional transaction restrictions are being applied by certain jurisdictions against specific persons.

The best practices for FIs to address such risks are summarised below:

  1. Monitor changes:
    • Monitor ML/TF risk changes: FIs should consider implementing measures to monitor changes in ML/TF risks, by monitoring news and macro-level fund flows to / from jurisdictions impacted by macroeconomic developments, and assessing whether their processes, controls, and ML/TF frameworks remain effective;
    • Monitor risk appetite: FIs should consider implementing measures to review their risk appetites for customers or prospective customers who have a nexus to the jurisdictions impacted by the macroeconomic developments and events; and
    • Monitor transactions: FIs should further consider how they can detect the changes in their transaction flows and client books, and how they assess, mitigate and report arising risks to senior management. 
  1. Monitor country-level risk: FIs should consider having a country-level risk assessment for their key markets, with clear parameters and risk appetite statements agreed by senior management.
  1. Monitor sanctions: FIs need to be able to react in a timely manner to either sanctions or ratings changes, and have appropriate tools to monitor lists, supranational bodies, and news information, to make macro-level decisions. 
  1. Adopt group-wide approach: FIs may consider implementing restrictive measures on a group-wide basis, rather than on a country-by-country basis, to reduce the risk of Singapore accepting the assets of individuals who are unable to bank elsewhere. 
  1. Consider contagion risk: FIs should consider whether there is contagion risk and identify the appropriate measures to be taken in respect of, for example, customers in countries which are neighbouring the primary impacted countries. 
  1. Consider concentration risk: FIs should consider performing targeted reviews on specific markets with a view to identifying exposure and, in particular, concentration of risks on certain desks.
  1. Obtain early warning: FIs should make appropriate use of monitoring tools over macro-level transaction data to provide potential early warning of events which have not yet become public, and where the data may provide insights into a potentially emerging risk. 
  1. Information sharing: Where FIs have a retail presence or other business division, they should consider sharing findings from transaction monitoring across business divisions, as the risks identified in the retail space may give early warning about the risks which may come to the private banking business later.

Address Risks Associated with NFTF Onboarding

Even in the wealth management space, which is ordinarily characterised by high-touch relationship management, FIs increasingly use video conferencing solutions as an NFTF means of customer onboarding, thereby replacing the FTF meeting. Nevertheless, FTF customer onboarding is still a prevalent practice in this space at present.

The best practices for FIs to address the risks associated with NFTF and FTF onboarding are summarised below:

  1. Train staff: FIs should consider whether RMs should follow a specific format for identity (“ID“) verification in FTF meetings. FIs should provide training and guidance for RMs on carrying out ID verification steps in a structured way during FTF meetings, on identifying passport characteristics and common indicators of fraud, and on any measures which can be taken to validate the authenticity and originality of a physically handled ID document.
  1. Ensure robust measures: FIs should assess whether their NFTF measures are sufficiently robust to replace a physical meeting. FIs should also consider whether the existing processes and checks applied are sufficiently robust to address the fraud and impersonation risks which may exist even in the absence of remote technology usage.
  1. Apply restrictions: FIs should consider applying markers on accounts opened through NFTF measures or applying restrictive measures between account opening and FTF verification.
  1. Validate IDs: FIs should consider whether additional methods of ID validation and authentication are required where certification is performed remotely. If the real-time remote or video conference is intended to be used for the purpose of verifying the prospect against their ID document, and for the purpose of verifying the ID document (i.e. no additional “certified true copy” of the ID document will be obtained separately from an independent professional), FIs should consider how best to ensure the authenticity of the document through the use of ID validation steps, and how to capture, store and retrieve the relevant parts of the call for future reference.
  1. Conduct additional checks: FIs should take note of Circular AMLD 01/2022. Where FIs have used “MyInfo” to identify and verify the identity of foreigners based in Singapore, they should consider supplementing this approach with additional checks (such as the sighting of original documents) to verify passport details that are not currently available on “MyInfo”.
  1. Conduct live verification: To mitigate the risks of fraud and impersonation when using video conferencing as a means to onboard customers instead of physical meetings, FIs should put in place appropriate controls during the video conferencing process to verify the identity of the customer and the authenticity of the ID documents sighted via video conferencing, e.g. require the use of control questions to be answered by the customer.

Address Risks Arising from a Client’s Nationality and Residence 

While there are many legitimate reasons why clients may have opted to hold a nationality different from that of their original place of birth, doing so gives rise to risks (including name change risk) and could indicate individuals who use changes of nationality to evade detection by authorities.

This section explores the following case studies involving risks arising from a client’s nationality and residence:

  1. Golden passport: Where a client holds a “citizenship by investment” passport (i.e. a golden passport) and a Singapore S-Pass.
  1. Change of nationality: Where there has been a change of a client’s nationality to a golden passport country.
  1. Contradictory information: Where the client’s nationality documentation is contradicted by information gathered through ongoing monitoring.

The best practices for FIs to address such risks are summarised below:

  1. Assess rationale: FIs should assess the rationale for the client’s holding additional or alternative nationalities, e.g. assess the client’s rationale for holding a golden passport or dual nationality and consider additional due diligence such as SOW corroboration. FIs should also consider the following potential risks which may need to be mitigated as a result:
    • Misrepresentation of domicile: For “citizenship by investment” schemes which do not require an individual to be physically present in a country, there is an increased risk that a client may use such documentation to misrepresent their country of domicile, thus raising potential tax risks;
    • Evasion of investigation: Individuals may have taken on an additional or alternative nationality in order to evade investigation or censure in their home location;
    • Name change risks: For clients who take on a new nationality, there are risks in relation to the client having changed their name in their application for the second nationality; and
    • Impermissible additional nationalities: There are risks that a client may hold more than one nationality despite the laws of their home country not permitting such additional nationality to be held.
  1. Obtain information: At onboarding, FIs should request information on all nationalities held by a customer, including previously relinquished nationalities. FIs should also proactively obtain additional information where clients present ID documents from a golden passport country, which can help to mitigate risks around unknown prior names and nationalities and ensure that they hold wholesome and meaningful client information for ongoing risk measures such as name screening.
  1. Consider name change risks: On a risk-based approach, FIs should consider obtaining a renunciation certificate or other source documents to mitigate name change risks.
  1. Monitor high-risk countries: FIs should consider compiling a list of high-risk countries based on The Organisation for Economic Co-operation and Development’s (OECD’s) lists and other factors (e.g. less transparent tax controls in that country). 
  1. Corroborate information: FIs should take reasonable measures to triangulate information provided by clients in respect of nationality, residence and country nexus against client static data as well as dynamic transactional data. FIs should also be aware of information sources that may be used to obtain additional information on, for example, individuals who have made citizenship applications.

Address Risks Arising from Engagements of EAMs or FIMs 

EAMs or FIMs may be engaged by clients to handle administrative financial matters such as account openings and ongoing investment management of a wealth management relationship through the holding of a Power of Attorney (“POA“) on the end-client’s account. This is part of a legitimate service offering to the end-client. However, compared to other referral relationships, the EAM or FIM engagement may pose heightened risks because:

  1. Reduced contact: The FI is likely to have significantly more contact with the EAM or FIM than with the end-client, as the intermediary typically manages the client’s investment portfolio under the POA and is a primary point of ongoing contact for the customer. A “bad actor” can thus avoid detection by minimising contact points with the FI, using the EAM or FIM in between to obscure his intent and identity (e.g. to provide documents or information to meet KYC requirements).
  1. Familiarity with requirements: EAMs and FIMs may be more familiar with the FI’s or the industry’s requirements on KYC and SOW corroboration and thus more able to assist a client to meet onboarding standards.
  1. Access to legitimate data: EAMs and FIMs have the benefit of access to other legitimate clients’ data and documentation, which provides them with the additional opportunity for legitimate documents to be repurposed or forged and presented to the FI for a different client.
  1. Financially incentivised: EAMs and FIMs are financially incentivised through the payment of fees to assist end-clients to open accounts and to manage those accounts on an ongoing basis.

This section explores the following case studies involving risks arising from engagements of EAMs or FIMs:

  1. Network of linked individuals: Where there are suggestions that: (i) an EAM or FIM represents a network of linked individuals (e.g. same email address format, similar addresses, etc); (ii) the account funding is inconsistent with the FI’s understanding of the clients; and (iii) the EAM or FIM suggests that an expedited account opening process could lead to lucrative additional clients for the FI (i.e. haste is often used as a tool to force errors or less diligent review).
  1. Concentration of risk events: Where there is a concentration of risk events under a single EAM or FIM, such as: (i) discrepancies in the corroboration documentation, document dates and signatory names; and (ii) similar patterns for referrals of end-clients under the same EAM or FIM (e.g. the end-clients having moved to the same residential development, having similar SOW writeups, having similar stories in respect of how they purportedly derived their wealth, etc).

The best practices for FIs to address such risks are summarised below: 

  1. Satisfy regulatory obligations: FIs should at all times satisfy their regulatory KYC obligations, independently of whether the EAM or FIM is subject to equivalent regulatory requirements. Relationships with end-clients must always be subject to due diligence checks and procedures by the FI as set out in MAS’ AML/CFT requirements.
  1. Establish internal controls: FIs should have in place effective internal controls (referencing MAS’ Guidelines on Risk Management Practices – Internal Controls) as well as strong measures at the individual staff level (Guidelines on Fit and Proper Criteria) to mitigate such referral and partnership relationship risks.
  1. Leverage network analytics: FIs should perform reviews and consider the use of network analytics to identify common red flags in EAM or FIM end-client relationships. Among the tools available to FIs is the analytic assessment of clients’ static data and transactional activity to identify hidden connected networks.
  1. Leverage detection methods: FIs should consider detection methods for common addresses, telephone details, or email addresses across clients, to identify potentially connected networks.
  1. Leverage STR analytics: FIs should consider STR trend analysis and appropriate consequence measures, where a concentration of risk events is emanating from specific markets, desks, RMs, EAMs or FIMs. FIs can also benefit from having metrics on the risks, red flags and STRs identified at a desk, RM, FIM or EAM level, in order to identify potential cluster or concentration risks which can be assessed in a timely manner.
  1. Apprise senior management: FIs should bring risk typologies from STR trend analysis to appropriate senior management forums, for awareness and to promote better understanding and detection across other markets and desks.

Address Challenges in Ongoing Monitoring 

Alongside robust onboarding controls to screen out “bad actors”, the ongoing monitoring of all customers is a critical component of an FI’s AML/CFT framework. Ongoing monitoring includes the combined efforts of: (i) name and media screening; (ii) transaction monitoring; and (iii) the monitoring of changes in client static data information (e.g. changes in nationality, location, or even material changes in the client’s wealth profile).

This section explores the following case studies involving challenges in ongoing monitoring:

  1. Material client profile changes: Where there are material changes to a client’s profile, including the client’s stated level of wealth, during the client lifecycle.
  1. Material outbound, unusual payment: Where: (i) the client requests a material outbound payment ostensibly for a property purchase in a country where the client would not ordinarily be expected to purchase a material asset; (ii) the payment of proceeds is to the purported seller (as opposed to a lawyer or conveyancing professional); and (iii) there is adverse news indicating that the transfer might be linked to illegal gambling – These are indications that pre-execution transaction checks and documentation (instead of only post-execution checks and documentation) may be necessary, to provide for more timely identification of potential concerns and an opportunity for clients to provide additional information and documentation when necessary.
  1. Interconnection with suspicious client: Where there is an interconnection of other clients with one client who has been identified as providing potentially fraudulent documentation – These are indications that network analytics and multi-factor analytics may be necessary, to identify connections across the clients via commonalities.

The best practices for FIs to address such ongoing monitoring challenges are summarised below:

  1. Scrutinise first-party transactions:
    • Obtain documents: FIs should subject first-party transactions to appropriate levels of scrutiny considering the amount and source countries involved, and obtain supporting documents as necessary;
    • Assess transactions: From a transaction monitoring perspective, FIs should ensure that they remain vigilant to anomalies in transactional behaviour, even for predominantly first-party transactions. Such transactions can still trigger further assessment if the details of the transactions are inconsistent with the FI’s understanding of the client, their circumstances, or the expected use of their account, e.g. funds received into a client account from a same-name account held in an unusual jurisdiction to which the client has no known connection;
    • Consider holistically: Especially for first-party transactions, FIs should consider additional non-financial and non-transactional data points (i.e. other than fund movements) which should be incorporated into their ongoing monitoring approach, to detect and identify potentially connected clients or transactions which may require further review; and
    • Leverage analytics: FIs can consider multi-factor data analytics and network analytics to look at non-financial indicators to identify: (i) networks and clusters; (ii) potential connections between clients through commonalities and hallmarks; and (iii) clients or groups of clients to be subject to additional transactional review. The use of multi-factor analytics effectively avoids an ever-increasing creation of rules-based or threshold-based alerts, which erodes the effectiveness of systems and reviewers alike.
  1. Corroborate SOF: FIs should focus their corroborative efforts on SOF, e.g. obtaining and examining documents supporting material transactions.
  1. Compare against profile: FIs should compare clients’ transactional flows against the client-specific profile on an ongoing basis, i.e. not just against preset thresholds.
  1. Implement alerts for material client profile changes:
    • FIs should consider alerting methods in respect of clients whose profiles change materially during a client lifecycle, and trigger the appropriate review, approval and redocumentation processes; and
    • Material changes in the client’s profile during the client lifecycle (e.g. the introduction of previously unmentioned SOW to the client profile, or unexpected increases in the client’s net worth) should be monitored and subjected to enhanced scrutiny, SOW corroboration requirements, and consideration of plausibility or whether the changes present red flags which require escalation for consideration of an STR.

Concluding Words

ACIP’s best practices papers set out welcome guidance for FIs in adhering to their regulatory obligations in the areas of SOW due diligence and addressing wealth management risks. FIs should consider how best to adopt these best practices into their policies, processes and operations, to the extent practicable and appropriate.

If you have any queries on ACIP’s best practices and/or their implications for your organisation, please reach out to our Team set out on this page.

 


Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.


© 2024 Rajah & Tann Singapore LLP. All rights reserved. Rajah & Tann Singapore LLP (UEN T08LL0005E) is registered in Singapore under the Limited Liability Partnerships Act (Chapter 163A) with limited liability.