9.1.1 Guidance on implementing a risk model

Introduction

This guidance for Trust Service Providers and Corporate Service Providers ("TSP" and "CSPs" or collectively "TCSPs"), has been prepared as a result of a request made by the Association of Corporate Service Providers ("ACSP") on behalf of its members.

The document looks at ways in which a licenceholder could develop its risk based approach to AML/CFT in response to the requirements of the Proceeds of Crime (Money Laundering) Code 2010 and the Prevention of Terrorist Financing Code 2011 ("the Codes"). It draws upon the existing guidance in the AML/CFT Handbook, which is familiar to licenceholders.

The guidance takes into account the findings of visits to TCSPs by the Commission's fiduciary supervision team. The principal findings of the visits were presented to ACSP members in mid-2010 and January 2011.

Following the presentations, an ACSP member asked if the Commission could provide more action-orientated guidance (as opposed to visit reports which are based on "exception reporting", or identifying problem areas).

The guidance sets out a relatively simple model. It is not compulsory to use this model. Many licenceholders, particularly larger licenceholders, already have more sophisticated processes in place. Using the model will not of itself guarantee a satisfactory outcome - any model is only as good as the data and the analysis that users put into it. As usual, we would remind licenceholders that responsibility for compliance with the Codes rests with the licenceholder.

This model in this document is based on nine points:

• Make use of typologies
• Identify more specific risks for your own business
• Identify the risks in business acceptance
• Identify control risks in the conduct of the business
• Record what you have done
• Identify client-specific risks
• Develop and apply a suitable recording mechanism
• Monitor client relationships
• Maintain an effective review cycle

Paragraph 2.4 of the AML/CFT Handbook includes a high-level summary of the risk-based approach to AML/CFT:

"A licenceholder must, under paragraph 3 of the Codes, undertake an assessment to estimate how vulnerable it is to money laundering and terrorist financing. In doing so it should consider the extent of its exposure to risk by reference to the nature, scale and complexity of its activities, its customers, products and services and the manner in which it provides these products and services to its customers, and the reliance which is placed on any third parties for elements of the CDD collected. These risks should be properly addressed by policies, procedures and controls.

The licenceholder should record and document its risk assessment. The assessment should be undertaken as soon as reasonably practicable after the relevant person commences business and regularly revisited and updated to keep it up to date. An annual reassessment might be appropriate for a dynamic, growing business, but this might not be necessary for an established business with static products and services. The risks identified at Section 2.8 may trigger such a reassessment."

1. Make use of typologies

Familiarity with the high level AML/CFT risks that are relevant to TCSP business will help you to identify more specific examples in your own risk model.

Paragraph 2.8 of the AML/CFT Handbook states:

"Licenceholders must ensure that appropriate staff keep abreast of relevant technological developments and identified methodologies in money laundering and terrorist financing schemes. This may involve reviewing papers from international bodies such as the FATF Typologies; warnings and information issued by regulators and law enforcement as well as information issued by industry bodies or trade associations."

TCSPs should consider:

• The FATF guidance on Risk Based Approach for TCSPs - June 2008;
• The FATF typology Money Laundering Using Trust and Company Service Providers - October 2010;

The FATF typology highlights a range of risks and offers real-life case studies. The typology also highlights the many challenges that TCSPs face in implementing AML/CFT measures effectively. See for example paragraphs 73 to 76 which refer to:

• the reliability of information obtained on customers/clients/beneficial owners;
• lack of resources for TCSPs to access intelligence tools such as World-Check and C6;
• smaller TCSP businesses . often do not have the capacity to fully apprise themselves of their obligations under AML/CFT legislation;
• the ability of TCSPs to gather reliable information on individuals and beneficial owners of companies and trusts;
• information on international actions to sanction individuals, companies or countries.

Paragraph 77 of the typology goes on to offer a list of "red flags" for risks (this is repeated at paragraph 141).

2. Identify specific risks for your own business

Consider the specific features of your business. What AML/CFT risks arise from this business?

The AML/CFT Handbook draws attention to typical risk types in section 2.4, notably at paragraphs 2.4.2, 2.4.5 and 2.4.6.

Paragraph 2.4.2 of the AML/CFT Handbook (Organisational risk) addresses organisational factors which include:

• target market place;
• monetary strategies;
• business volumes;
• geographical areas of business activity;
• outsourcing aspects of regulated activity / compliance functions.

Paragraph 2.4.6 of the AML/CFT Handbook (Activity risk) advises licenceholders to consider risks inherent in the nature of the activity of the transaction, which may itself be a criminal transaction or involve corruption. It cites as an example the arms trade.

The following points should also be considered:

• Tax-related business is at risk from bogus tax schemes put forward to disguise the true motive;
• Where a process is being moved to a new technology - typically moved online - the change management should include an assessment of any changes to AML/CFT risk in line with paragraph 23 of the Codes.

Feedback from visits

• Visits have found that some licenceholders have noted the typology risks, but not applied them to their own specific customer base.
• Structures which are ostensibly tax-driven are not always supported by specialist and case-appropriate tax advice.
• Visits have found failures of procedures to address AML/CFT risks when technological change is taking place.
• Use of generic training has its place, but training and communication should also enable staff to understand where the licenceholder is most at risk.
• Some licenceholders have forgotten that their approach to risk should cover both AML/CFT risks and business risks as identified in rule 8.6 of the Financial Services Rule Book.

3. Identify the risks in business acceptance

Consider the risks involved in the business that you take on. How does your acceptance process address these?

This should take into account:

• Gathering the profile of intended activity;
• The extent of reliance upon third parties for information (e.g. certifiers or eligible introducers);
• The checks that are run;
• The control process for business acceptance;
• The control process for business rejection and termination of services.

Paragraph 2.4.5 of the AML/CFT Handbook (Product/service risk) notes that:

". The highest risk products or services are those with high values and volumes; those where unlimited third party funds can be freely received; or those where funds can regularly be paid to third parties without CDD on the third parties being obtained. For example, some of the highest risk products are those offering money transfer facilities through cheque books, wire transfers, deposits from third parties or other means. Corporate and personal current accounts and high value deposit/investment accounts naturally fall within this category. Wealth management and private banking facilities can be particularly vulnerable. .Licenceholders should also consider how they deliver products and services to their customers and the extent to which this might increase the risk. For example, risks are likely to be greater when relationships can be established remotely (non-face-to-face), or when they may be controlled remotely by the customer ("straight-through" processing of transactions)."

Feedback from visits

Visits have found that some licenceholders have not risk-assessed new business proposals in a timely manner and fed this into their acceptance decision.

4. Identify control risks in the conduct of the business

Consider the risks involved in the way ongoing business is handled. How strong are the controls and how good is the information that you gather?

Paragraph 2.4.5 of the AML/CFT Handbook (quoted more extensively above) cites relationships established non-face-to-face, or controlled remotely by the customer. Other situations which are higher risk, because the licenceholder has limited or delayed information and little or no control over the actions of others include:

• Companies / foundations to which "registered office only" or "registered agent-only2 services are provided;
• Companies with "split boards" in which some directors are supplied by the licenceholder and others are not (or equivalent in respect of foundations); and
• Widely drawn powers of attorney.

Feedback from visits

Visits have found that for unmanaged business some licenceholders do not distinguish between the business risks and the AML/CFT risks. Business risks are typically low, but increased AML risks arise from the lack of control and from reliance upon others for the provision of information.

5. Record what you have done

Having identified the risks involved in the ongoing business, develop a method for recording this in a suitable format.

Analysis of the business model can be used to identify particular types of business which may be more or less vulnerable to abuse. This provides a context for assessing the AML/CFT vulnerability of particular structures.

The method chosen should identify in each case:

• What the risk is;
• What mitigation or controls are being applied;
• The action plan if any additional mitigation or controls are proposed;
• A view of the relative seriousness of the risk and the effectiveness of any mitigation.

This structure can be adopted by the licenceholder's Board and used to brief staff.

Feedback from visits

Visits have found that the risks are not clearly recorded, or that having been recorded they are not reviewed at Board level or effectively communicated within the organisation.

6. Risk assessment of clients - Identify client-specific risks

Consider the specific risks within your book of clients. What AML/CFT risks arise from the profile of your clients?

This should take into account more than merely whether the standard information on identity and address is held.

AML/CFT Handbook paragraph 2.4.3 Customer Risk highlights the need for clear customer acceptance policies and procedures. It recommends:

• a system of risk grading which includes a description of the types of customer that are likely to pose a higher than average risk of money laundering and terrorist financing.
• CDD requirements at the outset of a relationship and thereafter should then be tailored proportionally according to the perceived risks.

Such a system should be clear, properly understood by staff and consistently applied.

Feedback from visits

Visits have found that some TCSPs do not have a clear plan for what additional measures to apply when business is rated as higher risk. These must at least correspond to the requirements of paragraph 8(3) of the Codes.

7. Develop and apply a suitable recording mechanism

Having formed a view of the risks involved in the client base, develop a method for recording this in a standard format, which allows comparison across the client base.

This could take into account, for example:

• Whether standard information on identity and address is held;
• A benchmark of the expected normal activity of the client (e.g. annual turnover or extent of investment portfolio);
• Whether the client is a PEP;
• What risk factors have led to a requirement for enhanced CDD;
• Whether a higher level of CDD is actually held;
• An overall risk rating;
• The date of the last review of the risk rating;
• Action points with responsibility and timescales for completion;
• A process for tracking the action points and ensuring they are completed;
• An indicator that an event has arisen which could require a review of the rating.

Feedback from visits

Visits have found that some models turn out to be too complex for their users and not well enough explained. Examples include: . Complicated rating systems;

• Rating systems which are not properly understood by TCSP staff;
• No provision for overrides;
• Overrides being applied without explanation;
• Failure to track and follow-up actions.

8. The monitoring and review process - Monitor client relationships

Set up an effective process for both ongoing monitoring and for structured, periodic reviews. Ensure these are clearly dated and actions are followed-up.

This should include a planned review process with signed and dated reviews. A typical process might include:

• A standard review cycle for clients with a normal risk profile;
• A more frequent review cycle for clients with a higher risk profile;
• Identifying and highlighting abnormal activity by the client;
• Whether the client is a PEP;
• Any other risk factors that lead to a requirement for enhanced CDD;
• Whether a higher level of CDD is held;
• An overall risk rating;
• Checks of activity against the profile at acceptance or at the most recent review;
• The date of the last review of the risk rating;
• Any relevant action points with timescales for completion;
• A process for tracking the action points and ensuring they are completed.

Feedback from visits

Visits have found that in practice licenceholders sometimes fail to identify that a change to a structure or to the activities of a client entity has produced a corresponding change to its AML/CFT risk.

9. Maintain an effective review cycle

Set up a process for feeding back information from case reviews into your business risk assessment and your client risk assessment process.

The initial risk review process will be set up from generic risk factors and initial impressions of the risks faced. Licenceholders should be ready to update and improve this initial view as the handling of real situations improves their information and knowledge.

Set a realistic timetable, which the organisation is resourced to deliver.

Consider existing processes and whether the AML/CFT review can be linked into them. Is there already an annual review or an audit review?

Feedback from visits

Visits have found that some assessments are not signed and dated, meaning that nobody knows whether a risk assessment is up to date.

9.1.2 Features or activities increasing the risk of a TCSP relationship

Features or activities that increase the risk of a TCSP relationship include:

• Complex networks of trusts and/or nomineeships and/or legal persons;
• Complex structures that go across a number of different jurisdictions;
• Trading entities, particularly where the client retains some control and where there is difficulty in monitoring movement of goods and services;
• Legal persons and trusts that involve high value goods and / or transactions;
• Structures that are involved in higher risk activities e.g. mining, oil, pharmaceuticals;
• Structures or clients that are involved with or connected to higher risk jurisdictions;
• Involvement of PEPs in the structures;
• Clients that request cash deposits and /or cash collections;
• Clients that request split boards (i.e. boards with external directors) (or equivalent in respect of foundations) so that they can exhibit or exercise control;
• Clients who request third party signatories on bank accounts;
• Beneficial owners who wish to retain control over assets through powers delegated from the board;
• Requests for credit cards issued to the beneficial owner (or other third parties);
• Contracts (negotiated by client) not provided in original format for directors and company records;
• Requests for non-interest bearing loans to beneficiaries or beneficial owner which are later written off;
• Settlement of property into trust from 3rd parties;
• Requests from beneficiaries for payments to 3rd parties;
• Client does not provide requested information but says that he has carried out the necessary checks;
• Client exhibits unusual behaviour - either is aggressive to junior staff (seeks out weakest link) or is over friendly and never queries actions or fees.

9.1.3 Suspicious situations, features or activities

Fiduciaries should understand the purposes and activities of the structures in relation to which they are appointed or to which they provide services. If they are unable to do so, they should consider whether a suspicion is raised that assets are, or represent, the proceeds of crime.

If a fiduciary is unable to obtain an adequate explanation of the following features, or any other feature which causes it concern, suspicion could be raised:

• transactions which lack economic purpose (for example, sales or purchases at undervalued or inflated prices; payments or receipts being split between a large number of bank accounts or other financial services products; companies consistently making substantial losses);
• no clear legitimate purpose for using a trust (such as asset protection, estate planning);
• transactions which are inconsistent (for example, in size or source) with the expected objectives of the structure;
• arrangements established with the stated objective of legitimate tax planning, but where there is insufficient evidence of suitable independent advice from a qualified practitioner and of such disclosure to the relevant tax authorities as is required to be made under the laws of another jurisdiction. Such arrangements may be (i) a device to disguise the motivation behind a complex structure created for layering purposes; or (ii) intended to be legitimate but badly executed (and hence fail and/or become illegal);
• structures or transactions set up or operated in an unnecessarily secretive way, for example, involving "blind" trusts, bearer shares, endorsed cheques, cash or other bearer instruments or use of P.O. Boxes;
• lack of clarity about beneficial ownership or interests or difficulties in verifying identity of persons with ownership or control;
• unwillingness to disclose the source of assets to be received by a trust or legal person;
• unwillingness for the fiduciary to have the degree of information and control which it needs to fulfil its duties;
• use of overly wide or general powers of attorney in a manner which dilutes the control of a company's directors (or equivalent in respect of foundations).

When considering whether these or other features cause suspicion, fiduciaries should obtain documentary evidence where appropriate and record explanations they receive.

In addition to performing adequate CDD before commencement of the relationship, the fiduciary should, on an ongoing basis, monitor the activities of the structures to which it provides services.

9.2.1 Introduction

Vigilance should govern all the stages of the bank's dealings with its customers, including: account opening; non-account holding customers; safe custody and safe deposit boxes; deposit-taking; lending; transactions into and out of accounts generally, including by way of electronic transfer (wire transfer) and automated cash deposits into third party accounts.

It needs to be borne in mind that loan and mortgage facilities (including the issuing of credit and charge cards) may be used by launderers at the layering or integration stages. Secured borrowing is an effective method of layering and integration because it puts a legitimate financial business (the lender) with a genuine claim to the security in the way of those seeking to restrain or confiscate the assets.

Banks that undertake transactions for persons who are not their account holders should be particularly careful to treat such persons (and any underlying principals) as verification subjects.

Vigilance should govern all the stages of the bank's dealings with its customers, including: account opening; non-account holding customers; safe custody and safe deposit boxes; deposit-taking; lending; transactions into and out of accounts generally, including by way of electronic transfer (wire transfer) and automated cash deposits into third party accounts.

Particular precautions need to be taken in relation to requests to hold boxes, parcels and sealed envelopes in safe custody. Where such facilities are made available to non-account holders, the identification and verification procedures set out in the Handbook should be followed.

9.2.2 Suspicious situations, features or activities

If a bank is unable to obtain a satisfactory explanation from the customer in the event of the following situations, features, or activities, or any other features which cause it concerns, suspicion could be raised.

When considering whether these or other features cause suspicion, banks should obtain documentary evidence where appropriate and record explanations they receive.

• where a customer is reluctant to provide normal information or provides only minimal, false or misleading information;
• where a customer provides information which is difficult or expensive for the bank to verify;
• opening an account with a significant cash balance and/or subsequent substantial cash deposits, singly or in accumulations without a plausible and legitimate explanation;
• unusual cash deposits without apparent cause, particularly where such deposits are subsequently withdrawn or transferred within a short time;
• frequent small or modest cash deposits which taken together are substantial;
• making use of a third party to deposit cash or negotiable instruments, particularly if these are promptly transferred between client or trust accounts;
• the collection (either within the Isle of Man or in another country or territory) of significant cash sums singly or in accumulations without a plausible and legitimate explanation;
• where a deposit appears to be credited to an account only for the purpose of supporting the customer's order for a bankers' draft, money transfer or other negotiable or readily marketable money or bearer instrument;
• where deposits are received from other banks and the bank is aware of a regular consolidation of funds from such accounts prior to a request for onward transmission of funds;
• the avoidance by the customer or its representatives of direct contact with the bank (such as the use of night safes to make large cash deposits);
• the use of nominee accounts, trustee accounts or client accounts which appear to be unnecessary for or inconsistent with the type of business carried on by the underlying principal;
• the use of numerous accounts for no clear commercial reason where fewer would suffice (so serving to disguise the scale of the total deposits);
• the use by the customer of numerous individuals (particularly persons whose names do not appear on the mandate for the account) to make deposits;
• frequent switches of funds between accounts in different names or in different countries or territories;
• matching of payments out with deposits paid in on the same or previous day;
• substantial withdrawal from a previously dormant or inactive account;
• substantial withdrawal from an account that incurs a significant penalty which would normally be avoided;
• use of bearer instruments outside a recognised dealing system in settlement of an account or otherwise;
• where there appears to be no reasonable explanation to retain an account in a different jurisdiction to that of the customer; and
• where a customer declines to provide information which normally would make him eligible for valuable credit or other premium banking services (which benefit the customer); or where he inexplicably avoids normal banking facilities, such as higher interest rate facilities for larger credit balances.

9.2.3 Timing of Identification and Verification of Identity

Section 4.13 of the Handbook provides general guidance on the timing of identification and verification of identity. Additional guidance for banks is provided below.

9.2.3.1 "During the formation" of a business relationship

There is no formal definition of "during the formation" of a business relationship contained in the AML / CFT Handbook or Codes. For a bank accepting deposits it is considered that:

• issuing an account number to a customer (e.g. following receipt of an application form and loading customer details onto the system) whether as "pending" or otherwise constitutes forming a business relationship but it is recognised that the relationship may not yet be fully established.
• accepting funds into an account also constitutes forming a business relationship (where no withdrawals or transfers can be made) but again it is recognised that the relationship may not yet be fully established.

9.2.3.2 Use of "pending accounts"

"Pending accounts" may be used for operational purposes. In addition, issuing account numbers before an account has been fully signed-off and made live can also be used. Two common scenarios are covered below:

Applications received with partial but not complete (or totally acceptable) CDD

This category does not include merely the receipt of an application form with no other documentation (see below). Verification of identity must have been completed (the Handbook only allows the verification of identity to be absent in very exceptional circumstances). Source of funds must have been established.

Examples of the common issues which a bank may face in completing the account sign-off include:

• problems with certification
• missing address verification documents
• lack of full information on application forms

These can be treated as "pending accounts" and account numbers issued to the customer. Funds may be received into these accounts but no withdrawals can be made until the account take-on process is satisfactorily completed and the "pending" status removed.

In summary, the above can be used where there may be a minor issue to address before the account can be fully signed-off.

Applications received with no CDD

Banks sometimes receive completed application forms (whether by post or online) without any supporting CDD documents. Banks may issue an account number to the customer and treat the account as a "pending account".

In order to mitigate the increased risk when operating "pending accounts" in this scenario (i.e. in the absence of satisfactory verification of identity documents and / or information on source of funds etc) banks must ensure that:

• No funds are allowed into the account (i.e. a "no deposits flag" or similar must be in place). The system must be able to physically prevent the straight through application of funds to the account. The customer should be made aware that funds will not be accepted until full CDD is held. If funds are received (electronically or by cheque) the bank must have a process in place to deal with this. The bank must either delay the application of funds / cashing of the cheque until the account has been signed off, or return the funds / cheque.
• Identity verification documents must be in place and source of funds established (unless there are exceptional circumstances as per section 4.13 of the Handbook) before funds are allowed to be received into the account. An appropriately experienced member of staff must remove the "no deposits flag" to enable funds to be received (the account may at this point still be blocked for withdrawals if it has not fully been signed off).

9.3.1 Investment Funds

Investment funds may be open to abuse by people seeking to launder money. The risk of that abuse is increased by the fact that most transactions for subscription, redemption or transfer will not be conducted on a face-to-face basis, and to a similar extent the risk is mitigated by the fact that where some transactions are not conducted on the face-to-face basis, they will typically involve a regulated introducer, in the Isle of Man or elsewhere.

To the extent that introducers are regulated in the Isle of Man, or in an equivalent jurisdiction listed in Appendix C to the Handbook, then financial services businesses may follow the procedures outlined in sections 4.9 and 4.10 as appropriate.

In order to mitigate the risks of money laundering, firms should take steps to identify any third party subscribers or payees or refuse to accept or make third party payments. Furthermore, most retail investors use these products for medium and long term savings, which makes short-term investment or high turnover unusual and often relatively straightforward to monitor. Where a risk assessment indicates the risks of money laundering are mitigated or low, then the relevant funds may be considered to be low risk in terms of their use for money laundering purposes. Investors in institutional funds, including private equity funds, may be considered to be of lower risk than their retail counterparts by virtue of the restricted types of investor, rather than the product features. Notwithstanding such consideration it is still necessary to know the identity of such investors.

9.3.1.1 Suspicious situations, features or activities

Since most investment is made for medium and long-term objectives, transactions suggesting that improper use is being made of an investment fund will tend to centre on transactions with very short holding periods (particularly where the investor appears uninterested in mitigating the effect of initial charges).

Transactions in open-ended funds, or initial subscriptions at the launch of a closed-ended fund, where funds are to be received from a third party or repaid to a third party, require enhanced due diligence. Funds should not in general be accepted from or paid to a third party without that third party having had its identity verified by the relevant provider of services to the investment fund.

9.3.2 Discretionary and advisory asset management

In terms of risks associated with money laundering and terrorist financing, there is little distinction between discretionary and advisory asset management activities. In both cases the customer will usually need to have been subject to full assessment at take on, both in order to verify identity and source of funds, and it will in any case be necessary to review the customer's objectives in order to assess, for other regulatory reasons, the suitability of transactions undertaken or recommended for the customer.

9.3.2.1 Suspicious situations, features or activities

Consideration should be given to undertaking enhanced due diligence where there are frequent and unexplained additions to the investment portfolio, and or where there are frequent and unexplained requests for assets to be realised and the funds paid away. As with investment funds, receipt of funds from, or remission of funds to, third parties should not be undertaken unless there is a satisfactory explanation for the arrangement and the identity of the third party has been verified by the service provider.

9.3.3 Other Investment Businesses

Investment businesses may provide stock broking services and also act as interface between the investor and other investment product providers. As with discretionary and advisory asset managers, these investment businesses will need to have set up, under the Isle of Man's Financial Services Rule Book, a full customer agreement with any potential customer and will need to assure themselves of the suitability of any recommendation they make. They will therefore need to have researched and verified the customer's identity, source of funds and investment objectives in order to provide that service in accordance with the requirements of the Rule Book and the Handbook.

"Execution Only" arrangements, in which the service provider is not required to assess the suitability of any transaction for the customer, can be a feature of this investment business. Nevertheless the investment businesses are still required to undertake CDD under the Codes including verifying a customer's identity and establishing the source of funds.

9.3.3.1 Suspicious situations, features or activities

Investment businesses need to be vigilant as to the source and use of the assets which they are invited to trade. In particular, they will need to make enquiries in circumstances where there are sudden and unexplained additions to, or transfers from, the client's investment portfolio.

Investment businesses will need to be on enquiry in circumstances where the client appears indifferent to the profit or loss generated by trading activities.

They will also need to make enquiries where the client transfers, and asks the investment business to dispose of, assets which were not acquired through that investment business, since transfers of assets off market may provide a vehicle for the laundering of money.