The Paper is a timely reminder to FIs of the importance of implementing a robust AML/CFT and outsourcing framework with ASPs, in order to ensure compliance with the MAS AML/CFT notices applicable to the FI, and the MAS Guidelines on Outsourcing.
We summarise the key findings and takeaways from the Paper.
Summary of the Paper
We highlight in the table below a summary of the key deficiencies revealed in MAS' series of thematic inspections, and MAS' expectations with respect to these areas of deficiencies:
| Outsourcing Process |
Key weaknesses identified |
MAS' expectations |
|
Engaging the ASP
|
Lack of a robust assessment of ASPs prior to engaging the ASPs. In particular:
- several CMIs did not have a formalised approach to assess the suitability and ability of ASPs to perform the required AML/CFT control functions; in some instances, due diligence was ad hoc in nature, with considerations overly geared towards cost considerations or the perceived reputation of the ASPs;
- many CMIs did not have a good understanding of ASPs' actual AML/CFT practices and failed to ensure they were in line with CMI's own policies and procedures and MAS' requirements; and
- lack of attention to contractual terms resulted in significant differences between the actual scope of AML/CFT control functions outsourced to the ASP and the CMI’s intention.
|
The Board and Senior Management to set the tone in requiring a robust assessment of ASPs as a crucial first step, which includes:
- implementing a formalised approach and a structured process with defined criteria to assess the suitability of ASPs to perform the required AML/CFT control functions (reputation, skill, experience and ability to comply with regulatory requirements and resources to perform the required functions);
- understanding the ASP’s actual AML/CFT practices, and conducting a gap analysis to ensure ASP practices are in line with the CMIs’ own policies and procedures and MAS’ requirements;
- understanding observations from recent audits of ASP's AML/CFT programmes and ensuring the ASP has implemented appropriate rectification measures;
- screening and other due diligence to ensure probity of the ASP;
- ensuring a well-defined outsourcing agreement which:
- sets out the roles and responsibilities clearly, prescribes performance, operational and controls standards,
- confers a right to audit the ASP and access relevant records of ASP, and
- ensures that the ASP implements controls to safeguard customer data; and
- ensuring proper documentation of assessments and approvals are kept, including basis for appointment and the timeframe for re-performance of due diligence
|
| Monitoring of ASP |
CMIs had no monitoring mechanisms to oversee their ASPs’ implementation of key AML/CFT control functions:
- inadequate regular monitoring: ASPs were not expected to provide regular management reports on execution of key AML/CFT control functions and money laundering and terrorist financing (ML/TF) risk issues, such as status reports on outstanding CDD and periodic reviews;
- no established escalation process: CMIs merely relied on the ad-hoc escalation of issues by ASPs of their own accord, without clearly-defined escalation process for ASPs to surface specific ML/TF issues such as sanctions hits or material changes to ASP's processes;
- CMIs did not conduct regular sample reviews to ensure effective implementation or arrange regular discussions with ASPs to ensure performance and control standards are met; and
- CMIs did not have a formalised approach to conduct regular post-appointment reviews of ASPs.
|
Board and Senior Management’s involvement to strengthen regular oversight over ASPs and to manage outsourcing risks through a combination of measures, including:
- an active role by the CMI’s AML/CFT compliance officer to ensure outsourced control functions are being performed as intended, and to note and regularly report key control issues to the Board and Senior Management;
- regular monitoring and defined escalation mechanisms to include:
- defining clear roles and responsibilities,
- status reports on the implementation of AML/CFT control functions, including status on periodic reviews due to be completed, remediation of any gaps identified, and
- escalation procedures on significant ML/TF issues, such as persistent delays in obtaining required Customer Due Diligence documents, changes in the ASP’s AML/CFT policies and procedures, and screening hits; and
- regular reviews, and properly documented, with defined metrics and ASP self-assessment questionnaire; quality assurance reviews or periodic on-site visits and timely follow-up with the ASP on agreed remediation actions.
|
Key takeaways
Although the Paper does not impose any new regulatory obligations, it does set out MAS’ supervisory expectations of sound practices where AML/CFT control functions are outsourced.
CMIs (and other FIs) are reminded that outsourcing of AML/CFT functions is material outsourcing[2]. Therefore, the risk management practices set out in the MAS Guidelines on Outsourcing should be closely adhered to, and CMI (and other FIs) should take appropriate steps to ensure that the outsourced AML/CFT functions continue to be managed as if they were performed by the FIs themselves, in line with the FIs' own AML/CFT policies and MAS' AML/CFT requirements. The Board and Senior Management remains ultimately responsible.
CMIs (and other FIs) should ensure that they conduct a robust assessment of their ASPs, and establish mechanisms to monitor and control the outsourcing arrangement on an ongoing basis, in order to avoid significant and negative impact on the CMIs’ operations, reputation or ability to comply with MAS’ regulations. These measures should include:
- conducting a gap analysis to ensure ASP's AML/CFT processes are in line with a CMI ( and other FIs)' own AML/CFT policies and MAS requirements;
- establishing a well defined service level agreement and appropriate standard operating procedures to address regular reporting and escalation procedures; and
- implementing a robust framework to conduct periodic due diligence and ongoing monitoring of ASPs.
We would be happy to advise you further on the adequacy of your current processes as well as any enhancements required to both align with MAS' recommended best practice and comply with the relevant notices and guidelines.
* * * * *
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
[1] https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Anti_Money-Laundering_Countering-the-Financing-of-Terrorism/Strengthening-Capital-Markets-Intermediaries-Oversight-over-AMLCFT-Outsourcing-Arrangements.pdf
[2] related to this, fund managers should be reminded that AML/CFT controls performed by fund administrators also constitute outsourcing
* * * * *
© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
