Keep Money Laundering and Fraud out - TONBELLER® AG

Whitepaper 

Keep Money Laundering and Fraud out - 

Know your Customer (KYC)

A publication of: Tonbeller AG 

© Tonbeller AG, 2010 All rights reserved. 

Whitepaper | Keep Money Laundering and Fraud out - 

Know your Customer (KYC) 

The information in this document is subject to change without notice. 

No part of this document may be reproduced, stored or transmitted in any form or by 

any means, electronic or mechanical, for any purpose, without the express written 

permission of Tonbeller AG. 

Tonbeller AG assumes no liability for any damages incurred, directly or indirectly, from 

any errors, omissions or discrepancies between the software and the information 

contained in this document. Siron ® is a registered trademark of Tonbeller AG. All other 

trademarks or registered trademarks referenced are the property of their respective 

owners. 

1-2

Table of Content 



1. Know your Customer (KYC)................................................................................. 1-4 

1.1 Know Your Customer Policies................................................................................. 1-5 

1.2 Regulations ........................................................................................................... 1-5 

1.2.1 Europe.................................................................................................................. 1-5 

1.2.2 Middle East ........................................................................................................... 1-6 

1.2.3 Africa .................................................................................................................. 1-6 

1.2.4 Asia/Pacific ........................................................................................................... 1-7 

1.2.5 Americas............................................................................................................... 1-8 

2. Know your Customer Procedures – A Stepwise Approach.................................. 2-9 

2.1 Step 1: Risk Assessment........................................................................................ 2-9 

2.1.1 Identify Risks....................................................................................................... 2-10 

2.1.2 Categorize Risks ................................................................................................. 2-11 

2.1.3 Assess Risks....................................................................................................... 2-12 

2.1.4 Assign Risks to Adequate Prevention Measures (Example Measures for Account 

Officers) .............................................................................................................. 2-13 

2.2 Step 2: Know your Customer................................................................................ 2-15 

2.2.1 Customer Acceptance.......................................................................................... 2-17 

2.2.1.1 Customer Identification Process (CIP)................................................................... 2-17 

2.2.1.2 Dynamic Know your Customer Questionnaire........................................................ 2-18 

2.2.1.3 PEP screening & watch list management .............................................................. 2-23 

2.2.1.4 Beneficial owner ............................................................................................ 2-25 

2.2.1.5 Definition and Control of Measures through Business Rules ................................... 2-26 

2.2.1.6 Initial Risk Scoring ............................................................................................ 2-28 

2.2.1.7 Case Management ............................................................................................ 2-29 

2.3 Step 3: Ongoing Customer Due Diligence ............................................................. 2-30 

2.3.1 Check stated behaviour with actual ....................................................................... 2-30 

2.3.2 Re-Calculation of the risk ..................................................................................... 2-31 

2.3.3 Increase Risk ...................................................................................................... 2-31 

3. Technical Requirements.................................................................................... 3-32 

4. Integration Scenarios......................................................................................... 4-34 

4.1 Scenario A: Siron ® KYC manages the whole KYC process ...................................... 4-34 

4.2 Scenario B: Siron ® KYC manages PEP & WL screening (web service)..................... 4-35 

4.3 Scenario C: KYC questionnaire is called via URL................................................... 4-35 

4.4 Special topic: Handling of Customer Number......................................................... 4-35 

4.5 Batch Check: Data Requirements ......................................................................... 4-36 

5. Appendix ........................................................................................................... 5-37 

5.1 Glossary ............................................................................................................. 5-37 

1-3

1. Know your Customer (KYC) 



Know your customer (KYC) is the due diligence and bank regulation that financial institutions and 

other regulated companies must perform to identify their clients and ascertain relevant information 

before doing business with them. In some countries, KYC is typically a policy implemented to conform 

to a customer identification program mandated under the Bank Secrecy Act, USA PATRIOT Act and 

3 rd EU Directive. Know your customer policies globally are becoming increasingly important to prevent 

identity theft fraud, money laundering and terrorist financing. 

The decision whether a customer is accepted or rejected is the easiest and earliest point to avoid the 

risk of money laundering. Customer acceptance thus becomes the first step in preventing money 

laundering and terrorist financing. It is imperative that institutions capture information about their 

customers background, their source of funds, business, domicile and the desired financial products in 

order to properly understand the risk profile of a potential customer. 

One aspect of the KYC process is to verify that the customer is not listed as a known fraudster, 

terrorist or money launderer, e.g. by cross checking with the Office of Foreign Assets Control (OFAC) 

Specially Designated Nationals list. This list contains thousands of entries and is updated at least 

monthly. In addition to the above mentioned sanctions lists, there are lists of third party vendors that 

track links between persons regarded as high-risk due to negative reports in the media or in public 

records. 

Beyond name matching, a key aspect of KYC controls is to monitor transactions of a customer against 

their recorded profile, the history of the customers account(s) and their transaction with peers in order 

to identify money laundering schemes. 

The KYC process is not solely focused on risk rating and controlling of transactions. Another important 

aspect is the customer identification process (CIP). To verify collected identification documents third 

party vendors provide software to scan and check their authenticity. 

Banks that use KYC monitoring for anti-money laundering (AML) purposes or for checks relating to 

counter the financing of terrorism (CFT) use research tools such as Siron ® AML and Siron ® FD (fraud 

detection). The thereby generated alerts identify unusual activity which is then subject to due diligence 

or enhanced due diligence (EDD) processes that use internal and external sources of information on 

the subject. This helps to determine whether a transaction or activity is suspicious and requires 

reporting to the authorities. 

Know Your Customer processes are also employed by regular companies of all sizes, for the purpose 

of ensuring their proposed agents, consultants or distributors anti-bribery compliance. Banks, insurers 

and export credit agencies are increasingly demanding that customers provide detailed anti-corruption 

due diligence information, to verify their probity and integrity. 

1-4

1.1 Know Your Customer Policies 



“Know your customer” regulations are valid in most countries since many years. The primary best 

practice on “know your customer”, “customer identification” and “customer due diligence” can be found 

in several international publications such as the 2003 FATF Recommendations on AML/CTF, the 

“customer due diligence” guidance notes from the Basel Committee on Banking Supervision and the 

3 rd EU Directive. This directive for example calls for several requirements that need to be fulfilled by 

the financial institutes: 

� Risk-based approach (see: 2.1 Step 1: Risk Assessment) to customer due diligence 

(3 rd EU Directive provides specification for Customer Due Diligence and Enhanced Customer 

Due Diligence) 

� Identification & verification of high-risk customers such as Politically Exposed Persons (see: 

2.2.1.3 PEP screening & watch list management) 

� Definition and control of beneficial ownership (see: 2.2.1.4 Beneficial owner) 

� Establishment of a risk profile (see: 2.2 Step 2: Know your Customer and following chapters) 

for each customer (legal entity or natural person) during customer acceptance and check for 

consistency during the ongoing customer due diligence process (see: 2.3 Step 3: Ongoing 

Customer Due Diligence) 

1.2 Regulations 

Those regulations and guidelines must be or already have been translated into national law. The 

status of implementing these regulations differs by region and country. A list of the regional regulations 

can be found in the following chapters. 

1.2.1 Europe 

Austria http://www.imf.org/external/pubs/ft/scr/2004/cr04238.pdf 

Belgium http://www.imf.org/external/pubs/ft/scr/2006/cr0672.pdf 

Czech 

Republic 

www.imf.org/external/pubs/ft/scr/2004/cr0446.pdf and 

http://www.coe.int/t/dghl/monitoring/moneyval/Evaluations/round3/MONEYVAL(2006)21Rep- 

CZE3_en.pdf 

Denmark http://www.fatf-gafi.org/dataoecd/1/26/37588381.pdf 

Finland http://www.fatf-gafi.org/dataoecd/20/46/39794392.pdf 

1-5

France http://www.imf.org.external/pubs/ft/scr/2005/cr05186/pdf 

Germany http:/www.imf.org/external/pubs/ft/scr/2004/cr04213.pdf 

Greece http://www.fatf-gafi.org/dataoecd/2/55/38987373.pdf 

Hungary http://www.imf.org/external/pubs/ft/scr/2005/cr05348.pdf 

Ireland http://www.fatf-gafi.org/dataoecd/63/29/36336845.pdf 

Italy http://www.fatf-gafi.org/dataoecd/52/29/36221355.pdf 

Luxembourg http://www.imf.org/external/pubs/ft/scr/2006/cr06164.pdf 

Netherlands http://www.imf.org/external/pubs/ft/scr/2008/cr08171.pdf 

Norway http://www.fatf-gafi.org/dataoecd/9/52/43209579.pdf 



Poland http://www.coe.int/t/dghl/monitoring/moneyval/Countries/Poland_en.asp 

Portugal http://www.fatf-gafi.org/dataoecd/55/49/37708742.pdf 

Romania http://www.imf.org/external/pubs/ft/scr/2003/cr03389.pdf 

Spain http://www.fatf-gafi.org/dataoecd/52/3/37172019.pdf 

Sweden http://www.fatf-gafi.org/dataoecd/26/35/36461995.pdf 

Switzerland http://www.fatf-gafi.org/dataoecd/29/11/35670903.pdf 

Turkey http://www.fatf-gafi.org/dataoecd/14/7/38341173.pdf 

UK http://www.fatf-gafi.org/dataoecd/55/29/39064399.pdf 

1.2.2 Middle East 

Bahrain http://www.imf.org/external/pubs/ft/scr/2007/cr07134.pdf 

Lebanon None 

Oman None. The Sultanate of Oman is a member of the Gulf Cooperation Council (GCC) which is 

a council of states located in the Arabian Peninsula. The GCC is a member of the FATF. 

Oman is therefore committed to adopting FATF prescriptions. The country was subject to 

FATF Mutual Evaluation in 2009. 

Qatar https://imf.org/external/pubs/ft/scr/2008/cr08322.pdf 

UAE http://www.fatf-gafi.org/dataoecd/47/55/41721938.pdf 

1-6

1.2.3 Africa 

Egypt None 



Ghana No. However, a law that was recently established contains a requirement that the Minister 

Kenya None 

of Finance should apply for membership of the Egmont Group within three months of the 

law being passed. 

South Africa Link (http://www.fic.gov.za) 

Zambia http://www.imf.org/external/pubs/ft/scr/2008/cr0841.pdf 

1.2.4 Asia/Pacific 

Australia http://www.fatf-gafi.org/dataoecd/60/33/35528955.pdf 

China http://www.fatf-gafi.org/dataoecd/33/11/39148196.pdf 

Hong Kong http://www.imf.org/external/pubs/ft/scr/2008/cr08360.pdf and 

http://www.fatf-gafi.org/dataoecd/34/60/40918857.pdf 

India None: India is an Associate Member of FATF, being a member of The Asia Pacific group on 

Indonesia None 

Money Laundering. The Indian Financial Intelligence Unit is member of The Egmont Group. 

The country, however, has not been subject of a FATF Mutual Evaluation or IMF 

assessment exercise. 

Japan http://www.imf.org/external/pubs/ft/scr/2004/cr04187.pdf 

Malaysia http://www.apgml.org/documents/docs/17/Malaysian%20MER%20- 

Pakistan None 

Phillippines None 

%20FINAL%20August%202007.pdf 

Singapore http://www.imf.org/external/pubs/ft/scr/2004/cr04104.pdf and http://www.fatf- 

gafi.org/dataoecd/36/42/40453164.pdf 

South Korea http://www.fatf-gafi.org/dataoecd/22/54/43439553.pdf 

Taiwan http://www.apgml.org/documents/docs/17/Chinese%20Taipei%20MER2_FINAL.pdf 

Thailand http://www.apgml.org/documents/docs/17/Thailand%20DAR.pdf 

Vietnam None 

1-7

1.2.5 Americas 

Argentina http://www.gafisud.org/pdf/InformeArgentina.pdf 

Bolivia None 

Brazil http://www.imf.org/external/pubs/ft/scr/2005/cr05207.pdf 

Canada http://www.fatf- 

Cayman 

Island 



gafi.org/document/58/0,3343,en_32250379_32235720_40199098_1_1_1_1,00.html 

http://www.cimoney.com.ky/section/regulatoryframework/default.aspxid=157 

Colombia http://www.fatf-gafi.org/dataoecd/5/3/40323928.pdf 

Jamaica None 

Mexico http://www.fatf-gafi.org/dataoecd/31/45/41970081.pdf 

Uruguay http://www.imf.org/external/pubs/ft/scr/2006/cr06435.pdf 

USA http://www.fatf-gafi.org/dataoecd/44/12/37101706.pdf 

1-8



2. Know your Customer Procedures – A Stepwise 

Approach 

KYC Life Cycle 

Step 1 Risk Assessment 

Step 2 Know-Your Customer / Customer Acceptance 

Step 3 Customer Due Diligence (Ongoing Customer Due Diligence): 

Simplified Due Diligence and Enhanced Due Diligence 

[Step 1-3] Continuous reassessment and improvement of process 

2.1 Step 1: Risk Assessment 

National laws regulate the organizational duties for audited companies, groups and financial holdings. 

These duties belong to the requirements for a proper conduct of business. Among them there are 

requirements for risk management and controlling as well as IT security measures and regulations for 

compliance. The responsibility of the top management and compliance managers is part of these 

duties. A company‘s risk analysis includes the company-specific risks of money laundering, financing 

of terrorism, fraud, etc., which are 

2 

3 

1 

2-9

� identified 

� categorized, 

� assessed 

� assigned to adequate prevention measures. 



To manage risks one has to identify risk factors, categorize them (e.g. customer, product, transaction, 

country, processes etc.) and assess the danger they represent for the company. While defining these 

measures it is required to document the residual risk and how to handle it. All these data are exposed 

in a risk analysis. In the risk analysis documentation of the process of identifying, categorizing, and 

assessing the risk factors is done. 

Following this it has to be taken into consideration that the risk factors may result from many business 

segments. Since fraud and money laundering methods are continually refined, a risk analysis, whose 

result can be shown in a risk matrix for training purposes for creating awareness among the 

employees, is only a snapshot of the current situation. The risk analysis itself, however, is an ongoing 

process. 

2.1.1 Identify Risks 

Before a company can control risks they have to be identified. There is no scientific method or process 

that guarantees that all risks will be identified. The best way to approach the risk identification and to 

get an extensive overview of an institute-specific risk situation is a workshop session utilising the 

experience of different departments (compliance/AML unit, fraud analysts, internal audit, legal 

department, account manager, IT division …): Identifying risks is always a collaborative effort. 

Financial institutes typically classify risks as “threats”. The practice of risk identification focuses on 

reducing the probability and impact of threat. In case of customer acceptance the focus is on keeping 

all threats away from the institute in order to avoid any bad press (reputational damage). 

It is vital for an institute to be risk-aware. By being aware of possible risks, the institute will be able to 

prevent threats caused by money laundering, terrorist financing and fraud. Internal and external 

auditors will ask about the risk situation and the measures to prevent or minimize the risk or threat. It 

will be necessary to show them in a retraceable way which risks were identified and which measures 

were set-up to counter the risk. 

2-10

2.1.2 Categorize Risks 



Any practical process of risk assessment must group risks into a manageable number of categories: 

Customer Product Transaction Country (…) 

� Politically Exposed 

Persons 

� Non-Resident 

Aliens 

� Money Service 

businesses (e.g. 

check cashing, wire 

transmitter) 

� Gaming & Betting 

� Jewellery Business 

� Car, boat and 

aircraft (equipment) 

dealers 

� Law, account and 

medicals firms 

� Phone and debit 

card business 

� Off-Shore trust 

� (…) 

� Private Banking 

� Correspondent 

Banking 

� Trust 

Commercial 

� Retail where it 

involves high 

net worth 

individuals and 

their corporate 

interests with 

personal and 

discrete 

services 

� Online Banking 

� (…) 

� Cash 

Deposit 

� Wire 

Transfer 

� E-Bill 

Payment 

� Correspondent 

Bank 

Clearing 

� Offshore 

� (…) 

� Legal 

status 

� Economic 

situation 

� Standing 

of the 

financial 

service 

industry 

� Exposure 

to 

financial 

crime and 

money 

laundering 

� Corruption 

� (…) 

Most organizations find it useful to begin by describing the organizational structure of the bank. It is 

impossible to develop a set of risk categories that fit all organizations. Therefore money laundering 

and compliance officers (and TONBELLER’s consultants) partner with the risk owners from the 

different branches and departments from the organization to develop a specific set of categories. The 

example (shown in the table above – such as customer-, product-, transaction- and country-specific 

risk categories) represent a composite of what some of TONBELLER’s customers have used. A set of 

those categories can be tailored to a variety of the financial institute’s preferences. It is key to have a 

manageable number of risk categories to generate meaningful and valid information. 

Afterwards the financial institute describes the risk factors within each risk category (e.g. PEPs, certain 

account types, risky transaction types). Banks should be aware of risk combinations (for example: if a 

customer of a certain customer group uses a certain risky product…). 

Each risk factor has to be described in a retraceable way in order to provide a detailed document for 

internal and external auditors. 

(…) 

2-11

Headquarter 

Region – North 

Region East 

Branch N1 

Branch N2 

Branch N3 

Region South 

Region West 

Retail N1 

Private N1 

2.1.3 Assess Risks 



Customer Product Transaction 

PEP Current Account Cash Deposit 

The next step within the procedure is the determination of risk rating related to a recognized threat. In 

some countries legal authorities categorize risk ratings in different variants (such as in Germany where 

the legal authorities suggest using a 6-level risk rating: legal low, low, medium, high-medium, high, 

legal high). The table below presents a standard risk rating consisting of a 4-level risk rating approach: 

# Risk Level 

Low 

Medium 

High 

Legal High (e.g. PEPs) 

It’s required to evaluate for each organizational unit which risk is relevant. In addition a first risk rating 

based the probability of occurrence has to be assigned to each identified risk. 

In the next step of qualifying the risk also the damage, which may be caused once the risk is occurring 

has to be defined. After that it has to be decided if it is relevant, unacceptable or the risk will be 

accepted (so called “risk appetite” of the bank). 

2-12

Headquarter 

Region – North 

Branch N1 

Branch N2 

Branch N3 



Customer Product Transaction 

PEP Current Account Cash Deposit 

Retail N1 Medium Medium High 

Private N1 High Medium 

Region East Medium Medium 

Region South 

Region West Low 

2.1.4 Assign Risks to Adequate Prevention Measures 

(Example Measures for Account Officers) 

For each (minimum relevant) risk the measures to mitigate the risk have to be defined. So questions 

like: “Who is responsible for implementing which measure until when?” 

Some of these measures may be 

� Training measures (e.g. AML training) 

� Organizational briefing & code of conduct 

� Definition of a money laundering scenario (indicator) in Siron ® AML 

� Definition of a fraud scenario (indicator) in Siron ® FD 

� Definition of a special (high risk) customer group in Siron ® AML 

� … 

Also the effectiveness of each measure and the residual risk has to be described in a risk assessment. 

For measures that cannot be implemented immediately, the roadmap of how to mitigate the risk has to 

be defined. 

2-13

Structure of sample measures for account officers: 

Risk Level Measures for Customer Acceptance 



Low � Presentation of valid original identify documents 

� Establish purpose of account 

� Establish source of funds 

� Retain copies 

Medium � Above plus… 

High 

High – Legal 

� Check against sanction-/watch lists (…) 

� Send registered letter to customer at provided address. Retain signed 

return receipt 

� (…) 

� Above plus… 

� Independent verification of customer acceptance documents 

� Verification of source of funds 

� Interview with bank officer 

� Visit by bank officer to customer home or business 

� Approval from branch officer 

� Updating account information/documents every twelve months 

� (…) 

� Above plus… 

� Compliance alert 

� Approval from CEO 

� (…) 

2-14

2.2 Step 2: Know your Customer 



The graph below displays a typical life cycle of a client: from the client on boarding process to the day 

to day monitoring of the customer compared against the initial recorded profile during customer 

acceptance. The initial recording of the stated behaviour is captured by using flexible questionnaires, 

which can be defined by the bank and are used during the customer acceptance procedure to 

determine the risk a potential customer posses for the financial institution. 

The stated behaviour of the customer during customer acceptance is compared to his or her actual 

behaviour, derived from the core banking system and then is re-calculated. When a customer differs 

from the stated behaviour and posses an increased risk for the financial institution, the compliance 

department will be notified and can take appropriate action based on internal procedures. The whole 

process is dynamic and allows financial institutions to assess the risk of a customer on an ongoing 

basis. 

2-15



Image: The complete life cycle from customer acceptance to ongoing customer due diligence 

A Dynamic KYC questionnaire K Create alert for compliance and or account 

manager 

B Check against watch lists L Assign to employee 

C Collect ID documents M Perform Enhanced Due Diligence, 4-eyes 

principle (dual control) 

D Enter expiration date ID 

documentation 

E Use of 3 rd party application N Create alert for compliance and or account 

manager 

F Ultimate beneficial owner O Assign to employee 

G Escalation; EDD, 4-eyes 

principles 

H Deviation actual transaction 

bevaviors with stated 

I Change of non-financial 

elements, country, etc. 

J Calculate new risk level, if 

increased generate alert 

P Collect new documents, add new expiration 

date 

2-16

2.2.1 Customer Acceptance 



No account should be opened in the name of anonymous fictitious names. The challenges of KYC 

compliant client onboarding can now be consolidated and managed effectively in a single centralized, 

feature-rich solution. Siron ® KYC provides the capability required to enforce compliance policy while 

improving the efficiency of the customer acceptance process. With Siron ® KYC financial institutes are 

able to objectively identify those customers that carry higher than normal integrity risks for the bank. 

TONBELLER is supporting financial institutes to comply with “Know your Customer” regulations. By 

reading the following chapters you will get insights about the following tasks and KYC/customer 

acceptance requirements: 

� Banks shall classify customers into various risk categories (risk rating) during customer 

acceptance based on risk assessment (see 2.1.3 Assess Risks) 

� Each risk category has other acceptance criteria for each customer category (legal or natural 

person) (see 2.1.4 Assign Risk to Adequate Prevention Measures) 

� For the purpose of risk rating banks shall obtain the relevant information from customer at the 

time of customer acceptance (see 2.2.1.2 Dynamic Know your Customer Questionnaire) 

� Necessary checks shall be conducted before opening a new account to ensure that the 

identity of the customer does not match with any person with a known criminal background or 

with banned entities such as persons that are listed on an sanction-, watch-, black list (see 

2.2.1.3 PEP screening & watch list management) 

� Accept or reject customer after verifying the identity and after getting an understanding of the 

risks the potential customer poses to the bank 

2.2.1.1 Customer Identification Process (CIP) 

The customer identification process (CIP) is an integrated part of the “Know your Customer” process. 

As a financial institute’s CIP means that all customers (face-to-face & non-face-to-face) are properly 

identified through documented processes and that the identity of the potential client is verified during 

the customer acceptance by using reliable and independent source documents, data and information. 

The customer identification process provisions apply equally whether the client is a natural person or 

legal entity or company. However the identification requirements will vary between entity types: 

CIP – Natural Persons – What is needed? 

� Document proving the ID 

� Document proving address 

� Latest photograph 

� Document to verifying signature 

� … 

2-17

CIP – Legal persons – What is needed? 

� Verifying the legal status thru proper and relevant documents 



� Is the person who is purposing to act on behalf of the entity actually authorised to act? (Verify 

his ID, by using third party algorithms where applicable). 

� Understand the ownership and control structures – who is the ultimate beneficial owner? 

� … 

2.2.1.2 Dynamic Know your Customer Questionnaire 

Questions to be asked during customer acceptance have to be dynamic in two ways: 

(a) Questionnaires can be adjusted to the risk situation of the bank/institute 

over time: Once a new legal requirement or risk factor comes up, the bank would like to add new 

questions to be asked. Without any involvement of an IT department or database administrator the 

bank is able to add new questions, define the characteristics of the answer (selection, mandatory, 

character or numeric, …) and identify where to store the answer to that question. 

(b) Situation-depend variant for the questionnaire (see example below) 

The questionnaire has to be dynamic in an additional aspect: some questions will only be asked on 

dependency of previous answers. 

Example 

Within the KYC questionnaire the potential customer has to specify if he or she is a 

representative of a legal entity/company or a natural person. In case of the legal entity the 

authorized person will be asked different questions than the natural persons. The potential 

customer then has to provide details about the company such as the full legal name of the 

entity, country/date of incorporation, country of domicile (if other than country of incorporation), 

registration number, correspondence address and other information. Siron ® KYC is able to 

manage all different versions of a questionnaire within one single template valid for all 

dependencies. 

Other Examples 

� If the customer states to have foreign payments one might ask for the expected 

volume and the source country of funds. 

� For a corporate customer the structure of the beneficial owners has to be entered 

� … 

2-18



Image: Generate your institute-specific Know your Customer questionnaire(s) with Siron ® KYC 

2-19

KYC Questionnaire Designer 



At the development stage, KYC questionnaires can be designed by using the previously defined 

question types. The user can easily drag & drop those question types from the “Tool Box” (see image 

below) into his draft questionnaire in order to add new questions to his specific KYC questionnaire. 

During this conceptual design phase the KYC questionnaire can be stated as “inactive”. That means 

that the questionnaire is not available at the customer acceptance front desk. 

Text 

A text field can be included within the KYC questionnaire via drag & 

drop (e.g. in case that you would like to include data fields to gather 

basic information such as the first and last name of the potential 

customer) 

Numeric 

For questions where a numeric answer is expected. For example 

expected volume of foreign turnovers. 

Combo box 

For a selection of a list (one of many) e.g. list of professions or list of 

branches. 

The values of such a list are being loaded from “reference lists”, which 

can be maintained via the parameter maintenance user interface 

(same like Siron ® AML) 

Option button 

An option box is a selection one out of many. Here the values are 

listed as a control where you can select the entry. Typically used if 

there are just a few values in the underlying reference list (example: 

customer type: private or corporate customer) 

Check box 

Allows to answer a Yes/No-question (example: do you expect foreign 

turnovers?) 

Date field 

For all questions where a calendar has to be displayed (e.g. date of 

foundation of a corporate customer) 

Country 

e.g. used for nationality 

Dividing line 

Allows separating the questions visually to multiple sections. 

File 

Allows to add files for adding attachments. 

2-20

Beneficial owners 

There are various setting options for every single question type: 



Allows to add 1 to n beneficial owners (especially for corporate 

customers). All beneficial owners will be checked against the PEP 

database. If one of them is a PEP, the underlying customer will be flagged. 

Question Title of question, which will be displayed at customer acceptance 

Default Include a default value 

Comparison 

Object 

In comparison objects the answers to the questions are stored. Comparison objects 

are used for 

� Definition of criteria for business rules (Siron ® KYC) 

� Definition of customer categories and indicators in Siron ® AML 

� Displaying the values in Siron ® AML’s analysis application 

Comment Only used for documentation purposes. 

Required A required question has to be answered and the customer data cannot be saved 

without answering this question. Example: “Customer type (private or corporate)” is 

such a question. 

Multi-Line For example descriptions can be entered in a multiline text field. 

Min. length If the bank does not allow answers below a certain limit of characters, the minimum 

length could be entered here (Example: last name has to min. 3 characters). 

Max. length The feature is used e.g. for compatibility reasons where a maximum length has to be 

Define 

dependencies 

set. 

There may be questions which depend on other previous answers. 

Example: Only a private customer will be asked for the birth date 

2-21



KYC Questionnaire – Benefits for the Ongoing Customer Due Diligence Process 

All information gathered through the KYC questionnaire will be available in the research process. One 

of the strong benefits of the Siron ® KYC solution is the possibility to check the stated behaviour of the 

‘customer’ against the real behaviour in order to identify suspicious activities (within the research 

systems Siron ® AML and Siron ® FD). 

Example 

During customer acceptance the customer supposedly indicated that he will not have any 

foreign payments or transaction. The AML or compliance officer now has the possibility to 

perform plausibility checks within the customer due diligence process (for details see: 2.3 Step 

3: Ongoing customer Due Diligence). In case that the customer actually performs a lot of 

foreign payments / transactions the research system now generates an alert to indicate that 

the customer gave false statements when answering the KYC questionnaire. 

Hint 

For more details see: 2.3.1 Check stated behaviour with actual 

2-22

2.2.1.3 PEP screening & watch list management 

PEP screening 



The core element of the customer acceptance process is to verify the customer identity of politically 

exposed persons (PEP). However, this includes unforeseen challenges since, in contrast to sanction 

lists there are no official PEP lists. Databases describing national and international politically exposed 

persons primarily differ in their volume, quality and integration. Data providers offer PEP lists with 

more than 1,2 million entries worldwide. 

How to make sure that the matching of voluminous data stocks with PEP databases returns qualified 

results? Identical names of a PEP and a customer always produce a hit although they might not be the 

same person („False Positives“). Primary identification criteria, such as birth date, place of birth, 

passport number or national identification number as well as secondary identification criteria, such as 

address or passport photograph, are used to optimize the matching procedure, thus reducing false 

positives as well as the effort of manual checking. Siron ® KYC has interfaces to all commercial 

database providers like World-Check, World Compliance, Dow Jones Watch List (formerly known as 

“Factiva”). 

Image: All applicable embargo regulations and legal requirements to identity PEPs are covered by Siron ® KYC 

After completing the KYC questionnaire, the customer acceptance officer has to start a screening 

process whereby the data from the questionnaire (such as first name, last name, place/date of birth) is 

matched against the PEP database. In case of legal entities or companies all beneficial owners are 

included in the screening process and checked against the PEP database. All matches are displayed 

in the system including links to additional information for an in-depth check. 

2-23

Watch list Management 



Identity fraud, crimes and terrorist activities are on the rise since a couple of years and becoming 

increasingly sophisticated. More than ever it is important to keep business free from criminals that 

could damage the organization’s reputation However challenging, it is imperative to get the sanctions 

program right as the fines for violations compliance can be substantial – both in terms of monetary 

penalties and reputational damage. Therefore organisations such as the “Office of Foreign Assets 

Control (OFAC)” an agency of the “United States Department of the Treasury” have published official 

and non-commercial sanction lists that include entries of restricted individuals and entities that banks 

should keep away from their products, channels and services. Similar lists like the EU-list, Her 

Majesties Treasury (HMT) watch list are available and provide a set of different entries of criminal 

persons and entities. All of these lists can be uploaded to Siron ® KYC in order to screen the initial 

customer data against those lists. Siron ® KYC uses enhanced search abilities (as described in the 

following chapter: Technical specification for PEP screening & watch list management). After 

screening the initial KYC data against the lists Siron ® KYC indicates the match strength of the 

customer data with the list entries and enables the customer acceptance officer to examine if the 

potential customer poses a serious threat to the bank 

Technical specification for PEP screening & watch list management 

Siron ® KYC comes with a fuzzy search engine allowing a wider search ability to identify high risk 

individuals who may attempt to disguise their identity beyond the known aliases. This fuzzy search not 

only detects name components that have been altered but also abbreviations, substitutions, modified 

writing patterns, deletions, acronyms or foreign translations. 

All actions at the decision level (for example the decision if the screened customer is a PEP or not) 

can be taken according to the principle of dual control. This will provide the decision-making process 

with a broader basis. The financial institute can decide to active the dual-control within the settings of 

Siron ® KYC. While the dual control functionality is active the first decision triggers a message to the 

second analyst who is in charge to confirm or reject the decision of his colleague. 

Siron ® KYC provides the users with retraceable, audit-proof information of the user’s screening results 

and decisions to satisfy compliance and audit requirements. 

2-24

2.2.1.4 Beneficial owner 



One of the key provisions in the e.g. 3 rd EU Directive is the requirement to identify beneficial owners 

and to verify the identity of those persons. According to a survey undertaken by the FATF, which 

formed the basis of the typology report, the most significant feature of the misuse of corporate vehicles 

[is] the hiding of the true beneficial ownership 1 . The typology report identified three sub-categories for 

the misuse of corporate vehicles: multi-jurisdictional structures of corporate entities and trusts, 

specialised intermediaries and professionals, nominees and shell companies. These corporate 

vehicles are ‘often’ used to primarily hide the origin and identity of the beneficial owner as well as the 

origin of the funds. Within the context of money laundering and fraud the identification and verification 

of beneficial ownership is a key concern for external auditors. 

The content below gives an overview of the beneficial owner definition and explains how Siron ® KYC 

can help you in the verification and documentation process of beneficial owners: 

Beneficial Owner (General definition/US) 

� The individual who enjoys the benefits of owning a security or property, regardless of whose 

name the title is in (US) 

Beneficial Owner (EU Definition) 

� In case of corporate entities natural person who 

� Ultimately owns/controls a legal entity through direct/indirect ownership/control over a 

sufficient percentage a shares/voting rights…a percentage of 25% +1 share shall be 

deemed sufficient 

� Otherwise exercises control over the management 

� In case of legal entities (e.g. foundations) and legal arrangements (e.g. trusts) 

administering/distributing funds 

� Natural person(s) who is the beneficiary of at least 25% of the property (determined) 

� Class of person(s) in whose main interest the legal arrangement/entity is set up (not yet 

determined) 

� Natural person(s) who exercises control over at least 25% of the property 

Identification / verification of beneficial owner 

� When establishing a business relationship 

� During ongoing business relationship at regular intervals 

� If suspicious transaction occur 

� When doubt about veracity /relevance of previously obtained information 

1 FATF Typology Report; the Misuse of Corporate Vehicles, Including Trust and Company Service 

Providers, 13 October 2006, FATF/OECD, Paris, 2006, p. 2. 

2-25



� If transactions in relation to the customer’s business partner seem suspicious � Know your 

customer’s customer 

Recording Beneficial Owner information in KYC profile with Siron ® KYC 

� The dynamic questionnaire enables the customer acceptance officer to record all information 

about the beneficial owner(s) 

� The interface to gather the information about the beneficial owner can be adjusted and 

designed individually 

� During the initial risk rating all beneficial owner(s) are also checked against the 3 rd party 

application which means that the recorded profiles are matched against watch-, sanctions-, 

black- and PEP databases. 

Checking the Beneficial Owner information with Siron ® KYC 

The system allows to add 1 to n beneficial owners (especially for corporate customers). All beneficial 

owners will be checked against the PEP database. If one of them is a PEP, the underlying customer 

will be flagged. 

Image: Record information on the beneficial owners in the KYC questionnaire and automatically 

screen the information against 3 rd party applications such as watch and sanction lists 

2.2.1.5 Definition and Control of Measures through Business Rules 

Rules and policies for the customer acceptance can be stored within Siron ® KYC. The system delivers 

a risk rating and specific introductions for the further course of procedure within the customer 

2-26



acceptance process after the initial person check. Not only PEP databases and sanction/watch lists 

generate a risk rating: The user is able to define specific scenarios in order to classify the risk rating of 

the potential customer. With the help of business rules it is possible to determine the impact of data 

from the customer acceptance process. For this purpose the following comparison objects are 

available: 

� All data fields of the customer acceptance questionnaire 

� Results of the check against sanction lists 

� Results of the check against PEP data bases 

After matching customer data with the business rules the system automatically delivers the following: 

� Risk classification for the potential customer 

� Instruction: e.g. give compliance officer a call, refuse acceptance of potential customer, limit 

product usage, …(see example for a business rule below [Image]) 

� Optional: Send an email to a defined recipient. 

Image: Example of a business rule “Channel of distribution Broker…” 

2-27

Example 



A customer opening the account via a distribution channel “broker” who does not explain the 

reason for opening the account should be classified as high-risk customer. 

Optional: In addition the system Siron ® KYC can notify the customer acceptance officer that he 

has to take instructions (customer specific): e.g. call the compliance department, request more 

information … 

All business rules can be easily generated and adjusted without the support of IT. Therefore 

Siron ® KYC provides a dialog to set-up the criteria (comparison object, operator and value range) for 

the business rule. 

2.2.1.6 Initial Risk Scoring 

As shown in the previous section a new customer has to be risk rated immediately. For this task the 

business rules are used. Should there be a match at multiple business rules for a new customer 

during customer acceptance, then the rule with the highest risk counts for the customer. Risk 

classification is the base for follow-up decisions and for the ongoing risk customer due diligence 

fulfilled via Siron ® AML or Siron ® FD. 

2-28

2.2.1.7 Case Management 



As regulations call for a retraceable documentation of all information it is necessary to maintain proof 

of all the steps taken to identify the identity of the new/potential customer. Therefore each customer 

entered via Siron ® KYC’s questionnaire will be recorded and displayed via case management. 

Image: The case management provides the big picture about all hits in PEP databases, watch- and sanction lists 

as well as the risk rating and the instructions how to proceed with the potential customer 

The case management capabilities from Siron ® KYC enable the compliance officer to 

� Systematically facilitate investigations and capture and display all information relevant to the 

case 

� Facilitate assignment of cases to a second analyst (dual control) 

� Via the selection hits or no-hits overwrite the systems match to a sanction list entry or PEP 

database entry 

� Use a pre-defined workflow for the management and resolution of cases 

2-29



2.3 Step 3: Ongoing Customer Due Diligence 

2.3.1 Check stated behaviour with actual 

All information captured for a new customer via Siron ® KYC are stored in Siron ® KYC’s data base. They 

are attached to the customer’s record and published to Siron ® AML via comparison objects. With the 

integration of Siron ® KYC to Siron ® AML the system allows to use up to 170 new comparison objects 

containing the answers of the new customers entered via the customer acceptance questionnaire. 

This allows to compare the initial stated behaviour of the customer against the real behaviour of the 

customer in the ongoing monitoring. 

Example 

To receive a low risk scoring the customer initially states not to do any foreign transactions. 

Due to the low risk classification the customer will be accepted. The ongoing monitoring 

records any transaction of the customer. If the real customers behaviour (recorded by 

Siron ® AML) diverges from the initial statements (recorded by Siron ® KYC), then an AML alert is 

being raised. 

Sample Case of Fraud Detection 

Further more the integration of Siron ® KYC to Siron ® FD (fraud detection) allows to detect 

fraudulent behaviour at the customer acceptance process. If there is a significant divergence 

of real behaviour to initially stated behaviour and many cases like this come up for the same 

customer acceptance officer, then his behaviour has to be questioned. 

2-30

2.3.2 Re-Calculation of the risk 



Siron ® KYC calculates the initial risk. After customer acceptance Siron ® AML (in combination with 

Siron ® Profile 2 ) records the customer’s real behaviour (due to his transactions and profile data). Based 

on this real behaviour the risk will be recalculated. Any divergence of the initial risk to the ongoing 

recalculated risk will be visible. 

2.3.3 Increase Risk 

Due to the previous section any divergence will be visible. Especially the increase of the risk level is 

important. 

If many cases like that (low risk during customer acceptance, higher risk in ongoing monitoring) show 

up with certain characteristics (e.g. for the same customer acceptance officer), this may give a hint to 

a fraudulent event. 

2 Siron ® Profile is an add-on for the research systems Siron ® AML and Siron ® FD and extends the functionality by 

dynamically allocate each customer into so-called peer groups. A peer group consists of people where factors 

like educational or social class match. Another indicator might be the frequency of transactions or the amount of 

money they transfer per month. Siron ® Profile identifies significant changes in the behaviour of a customer and 

thus possible cases of money laundering and fraud. 

2-31

3. Technical Requirements 

Supported Databases 



� Microsoft SQL Server (as of version 2005) 

� Oracle (as of version 9) 

� DB2 (minimum version 8.2.2 – Fixpack 9) 

Data base drivers � JDBC-driver (for the used data base) 

� ODBC-driver (Microsoft Windows OS) 

Application-Server 

(Parameter Definition) 

Application Server 

Scoring Run 

Minimal Requirements: 

� Pentium 4, min. 2,4 GHz or comparable 

� 1 GB harddisk 

� 2 GB RAM 

Recommended: 

� Current multi-core CPU (e.g. Intel Core i7 or AMD 

Opteron K10) since several cores are used in multi-user 

operation 

Supported Operating Systems 

� Windows: Windows Server, version 2003 and above (32 

Bit and 64 Bit) 

� SUSE Linux Enterprise, as of version 9 (32 Bit and 64 Bit) 

� Redhat Enterprise, as of version 5.4 (32 Bit and 64 Bit) 

� Solaris 10 Sparc 

Minimal Requirements 

� Pentium 4, min. 2,4 GHz, or comparable 

� 2 GB RAM 

� 10 GB harddisk 3 

Recommended 

� Multi-Core CPU (e.g. Intel Core i7 or AMD Opteron K10) 

since several cores are used in multi-instance operation 

� Apache Tomcat, as of version 6.0 

� Java Development Kit (JDK), as of version 5.0 

3 The disk space initially required for the database can be calculated as follows: Data area (100 MB per 100.000 

persons to be checked) & log area (25 MB per 100.000 persons to be checked). Application server supporting at 

least Java 2 Platform Enterprise Edition (J2EE), version 1.3, e.g. Apache Tomcat, as of version 5.5. Java 

Development Kit (JDK), as of version 5.0 

3-32

Supported Application Servers: 



� Apache Tomcat as of version 5.5 (Provided on DVD) 

� IBM Web Sphere 

� BEA Weblogic 

� Oracle Application Server 

Supported Operation Systems: 

� Windows: Windows Server, as of version 2003 (32 Bit and 

64 Bit) 

� SUSE Linux Enterprise, as of version 9 (32 Bit and 64 Bit) 

� Redhat Enterprise, as of version 5.4 (32 Bit and 64 Bit) 

� AIX 5.3 and 6.1 

� Solaris 10 SPARC 

3-33

4. Integration Scenarios 



Siron ® KYC can be used in 3 different ways depending on the features and capabilities of the current 

existing customer acceptance system of the bank. See down below the 3 potential integration 

scenarios and when to use which: 

Image: Different scenarios who to integrate Siron ® KYC in your existing IT landscape 

4.1 Scenario A: Siron ® KYC manages the whole KYC 

process 

This is the easiest way to use Siron ® KYC. Independent from the core banking’s customer acceptance 

process, the user has to call Siron ® KYC’s questionnaire to enter the new customers data. Data will be 

checked via KYC-scoring (against PEPs, sanction lists and business rules). The entered data and the 

risk classification will be stored in Siron ® KYCs data base. The user’s instructions displayed to the 

frontend user. No integration to the customer acceptance process necessary. 

4-34



4.2 Scenario B: Siron ® KYC manages PEP & WL 

screening (web service) 

If the banks existing customer acceptance process already provides a flexible and dynamic 

questionnaire to capture all data for a new customer, then this integration method will be used. 

The customer acceptance officer will not see Siron ® KYC’s dynamic questionnaire, because all data 

will be entered in the existing customer acceptance system. From that system Siron ® KYC will be 

called via a web service to perform all necessary checks (against PEPs, sanction lists and business 

rules). The new customers risk classification will be stored in Siron ® KYC’s data base and risk 

classification and the users instructions will be returned to the customer acceptance system (as a 

return from the web service). 

4.3 Scenario C: KYC questionnaire is called via URL 

This scenario is for banks, which are having a powerful customer acceptance system that covers most 

of the questions to a new customer, but not all. 

Some answers will be entered to the existing customer acceptance system. At a certain stage, the 

customer acceptance system will call Siron ® KYC via a web address (a URL) and pass on all already 

entered data as parameters). Under the web address the rest of the dynamic questions will be 

displayed to be completed in Siron ® KYC’s dynamic questionnaire. 

All entered data and the risk classification will be stored in Siron ® KYC’s database and instructions will 

be passed on to the frontend user. 

4.4 Special topic: Handling of Customer Number 

In many cases the customer number is not known during customer acceptance. For these situations 

Siron ® KYC is able to generate an artificial customer number. 

When later on the “real” customer number is being assigned by the core banking system or the 

customer acceptance system, Siron ® KYC can be called via a web service to replace the artificial 

customer number by the real customer number (within Siron ® KYC’s data base). 

4-35

4.5 Batch Check: Data Requirements 



Siron ® KYC does not only handle the customer acceptance process. It does also allow to check the 

complete existing customer stock against PEP data and against sanction lists. 

For that Siron ® Financial Solutions unique generic standard data interface for customer data can be 

used. The interface for customer data contains all relevant data which are necessary to know the 

customer (e.g. name, address, profession, nationality and much more). 

In case there’s any data which is not part of the standard data interface, Siron ® KYC also provides a 

generic interface, where the bank can add on any individual data for the customer, which has to be 

checked. 

Hint 

Further information: See Siron ® KYC systems documentation on the generic standard data 

interface of Siron ® KYC. 

4-36

5. Appendix 

5.1 Glossary 

2003 FATF 

Recommendation 

3 rd EU Directive 

4-eyes principle 

Alias 

AML 

Bank Secrecy Act 

Basel Committee on 

Banking Supervision 



In response to mounting concern over money laundering, the Financial Action 

Task Force on Money Laundering (FATF) has published the Forty 

Recommendations on money laundering and the 9 Special Recommendations 

on Terrorist Financing (40+9 Recommendations). Together, the 2003 FATF 

Recommendations set the international standard for anti-money laundering 

measures and combating the financing of terrorism. 

Directive 2005/60/EC of the European Parliament and of the Council of 26 

October 2005 on the prevention of the use of the financial system for the 

purpose of money laundering and terrorist financing: 

http://eur- 

lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2005:309:0015:01:EN:HTML 

Actions requiring approval by two persons, each being held accountable. 

A false name used to conceal one’s identity. 

Anti-Money Laundering: A set of procedures, laws or regulations to stop the 

practice of generating income through illegal actions. In most cases money 

laundering hide their actions through a series of steps that make it look like 

money coming from illegal or unethical sources was earned legitimately. 

The Bank Secrecy Act of 1970 (or BSA, or otherwise known as the Currency 

and Foreign Transactions Reporting Act) requires financial institutions in the 

United States to assist U.S. government agencies to detect and prevent money 

laundering. 

The Basel Committee on Banking Supervision is an institution created by the 

central bank Governors of the Group of Ten nations. The Basel Committee 

formulates broad supervisory standards and guidelines and recommends 

statements of best practice in banking supervision in the expectation that 

member authorities and other nations' authorities will take steps to implement 

them through their own national systems, whether in statutory form or 

otherwise. 

5-37



Beneficial Owner The natural person(s) who ultimately owns or controls a customer and/or the 

person on whose behalf a transaction is being conducted. It also incorporates 

those persons who exercise ultimate effective control over a legal person or 

arrangement. 

Business Rule A Business rule usually is a statement that defines or constrains some aspect 

of the business. TONBELLER uses this term for the rules and policies that can 

be stored within the system. When carefully managed, this business rules can 

help the organization to e.g. better comply with legal requirements, reduce 

costly mistakes and improve communication. 

CDD Customer Due Diligence: Supervisors around the world are increasingly 

recognising the importance of ensuring that their banks have adequate controls 

and procedures in place so that they know the customers with whom they are 

dealing. Adequate due diligence on new and existing customers is a key part of 

these controls. Without this due diligence, banks can become subject to 

reputational, operational, legal and concentration risks, which can result in 

significant financial cost. 

CIP Customer Identification Program: According to provisions of the USA Patriot 

Act, all financial institutions must verify the identity of individuals wishing to 

conduct financial transactions. The law was implemented by regulations in 

2003 which require financial institutions to develop a Customer Identification 

Program (CIP) appropriate to the size and type of its business. The CIP must 

be incorporated into the bank's Bank Secrecy Act/Anti-money laundering 

compliance program, which is subject to approval by the financial institution's 

board of directors. 

Code of Conduct A code of conduct is a set of rules outlining the responsibilities of or proper 

practices for an individual or organization. 

CTF Counter Terrorism Financing: CFT includes the combating of terrorist acts, and 

of terrorists and terrorist organisations. 

Dual Control See 4-eyes principle 

ECDD Enhanced Customer Due Diligence: High-risk customer (like PEPs) must 

always be subject to the enhanced due diligence measures, and thus all 

companies are required to have risk-sensitive measures in place to recognize 

and monitor high-risk customers. 

False Positive When a customer is incorrectly flagged as suspicious during the AML/CTF 

monitoring. 

5-38



Fuzzy Search A computer search that returns not only exact matches to the search request, 

but also close matches that include text sequences that have been altered but 

also abbreviations, substitutions, modified writing patterns, deletions, acronyms 

or foreign translations. 

HMT HM Treasury, in full Her Majesty's Treasury, informally The Treasury, is the 

United Kingdom government department responsible for developing and 

executing the British government's public finance policy and economic policy. 

Identify Documents An identity document (also called a piece of identification or ID) is any 

document which may be used to verify aspects of a person's personal identity. 

KYC KYC is typically a policy implemented to conform to a customer identification 

program mandated under the Bank Secrecy Act, USA PATRIOT Act and 3 rd EU 

Directive. Know your customer policies are becoming increasingly important 

globally to prevent identity theft fraud, money laundering and terrorist financing. 

Legal Person Bodies corporate, foundations, partnerships, or associations, or any similar 

bodies that can establish a permanent customer relationship with a financial 

institution or otherwise own property. 

Natural Person In jurisprudence, a natural person is a human being, as opposed to an artificial, 

legal or juristic person, i.e., an organization that the law treats for some 

purposes as if it were a person distinct from its members or owner. 

OFAC The Office of Foreign Assets Control (OFAC) is an agency of the United States 

Department of the Treasury under the auspices of the Under Secretary of the 

Treasury for Terrorism and Financial Intelligence. OFAC administers and 

enforces economic and trade sanctions based on U.S. foreign policy and 

national security goals against targeted foreign states, organizations, and 

individuals. 

PEP Politically Exposed Persons: Individuals who are or have been entrusted with 

prominent public functions in a foreign country, for example Heads of State or 

of government, senior politicians, senior government, judicial or military 

officials, senior executives of state owned corporations, important political party 

officials. Business relationships with family members or close associates of 

PEPs involve reputational risks similar to those with PEPs themselves. The 

definition is not intended to cover middle ranking or more junior individuals in 

the foregoing categories. 

Risk Assessment Risk assessment is a step in a risk management procedure. Risk assessment 

is the determination of quantitative or qualitative value of risk related to a 

concrete situation and a recognized threat. 

5-39



Sanction list Lists from authoritative sources such as the Office of Foreign Assets Control 

(OFAC); Bank of England; European Union (EU); and Office of the 

Superintendent of Financial Institutions (OSFI) clearly identify high-risk 

individuals and businesses. These include known terrorists, fraudsters, money 

launderers, and politically exposed persons (PEPs) as well as blacklisted 

persons, companies or countries. 

Sarbanes Oxley Act The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced 

highly significant legislative changes to financial practice and corporate 

governance regulation. It introduced stringent new rules with the stated 

objective: "to protect investors by improving the accuracy and reliability of 

corporate disclosures made pursuant to the securities laws". 

Shell Companies A company incorporated in a jurisdiction in which it has no physical presence 

and which is unaffiliated with a regulated financial group. 

USA Patriot Act The USA Patriot Act (“Patriot Act”) is an Act of the U.S. Congress and signed 

into law by President W. Bush on October 26, 2001. The title of the Act is a 

contrived acronym, which stands for “Uniting and Strengthening America by 

Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 

of 2001”: http://frwebgate.access.gpo.gov/cgi- 

bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf 

WL Watch lists (WL) are non-commercial lists of suspected terrorists 

and criminals. 

5-40

Keep Money Laundering and Fraud out - TONBELLER® AG

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?