A firm shall have in place procedures and guidelines in terms of measures for customer due diligence, monitoring, reporting and processing of personal data.
Procedures and guidelines to counteract money laundering and terrorist financing shall be risk-based and proceed on the basis of the firm's general risk assessment. That means that they shall be devised so as to manage and counteract the risks identified by the firm.
The procedures and guidelines shall be documented. In a group, the parent company shall establish common procedures and guidelines to apply throughout the entire group.
The bill for the new Anti-Money Laundering Act lists three categories of procedures and guidelines.
The first category has the purpose of providing guidance on which measures should be taken in different situations. Examples include verifying id, breaking down customers into risk classes, enhanced customer due diligence measures and monitoring activities and transactions. These procedures shall be risk-based.
The second category is linked to the firm's staff, such as background screening and staff training. This also includes procedures for protecting staff from threats, etc. ensuing from them performing controls and other measures to fulfil the firm's obligations under the Anti-Money Laundering Act.
The third category pertains to compliance and internal control functions. It is a matter of which duties are to be performed by the various functions –specially appointed executive, appointed officer for controlling and reporting obligations andindependent audit function. This also includes model risk management procedures.
If a firm has risk management models, for instance for risk management and risk classification of customers, there must be procedures in place to quality-assure and enhance the models used. A firm's model risk management procedures shall contain a description of the underlying theory and the assumptions that led to how the models were devised. Furthermore, firms shall have model validation procedures that ensure that they function as intended and serve their purpose (risk classification of customers, etc.).
There must be specific internal control functions. The firm must always appoint aappointed officer for controlling and reporting obligations . Also, a particular designated officer and an independent audit function must be appointed – if motivated in light of the size and nature of the business.
The particular designated officer is responsible for the implementation of the measures needed to comply with the Anti-Money Laundering Act and the regulations.
The function is responsible for
The particular designated officer is able to delegate certain tasks, or appoint one or several deputies. However, actual verification that the measures are indeed implemented in the operations, and reporting to the board and CEO of the firm, cannot be delegated.
There must always be a appointed officer for controlling and reporting obligations. It shall be placed within the firm and be independent in relation to the functions and areas it is to monitor and verify.
Basic duties consist of ongoing responsibility for controls, and ensuring that reporting to the Financial Intelligence Unit is carried out.
The function shall also
The responsibilities of the independent audit function include reviewing and evaluating the efficiency and appropriateness of
In this context, the function shall only perform its review based on the rules in the anti-money laundering regulations. What constitutes an "appropriate review" can be judged based on the needs of the firm in its business. The independent audit function shall report directly to the board of directors of the firm.
The independent audit function shall, in organisational terms, be separate from the functions and areas it is to monitor and control. Employees of the function may not participate in the work of other functions or in the operating activities.
The firm may outsource the tasks of the independent audit function. In such cases, it is important to remember that the firm is always responsible for the outsourced activities.