Keep Money Laundering and Fraud out - TONBELLER® AG
Whitepaper
Keep Money Laundering and Fraud out -
Know your Customer (KYC)
A publication of: Tonbeller AG
© Tonbeller AG, 2010 All rights reserved.
Whitepaper | Keep Money Laundering and Fraud out - Know your Customer (KYC)
The information in this document is subject to change without notice.
No part of this document may be reproduced, stored or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Tonbeller AG.
Tonbeller AG assumes no liability for any damages incurred, directly or indirectly, from any errors, omissions or discrepancies between the software and the information contained in this document. Siron® is a registered trademark of Tonbeller AG. All other trademarks or registered trademarks referenced are the property of their respective owners.
Table of Contents
1. Know your Customer (KYC)
1.1 Know Your Customer Policies
1.2 Regulations
1.2.1 Europe
1.2.2 Middle East
1.2.3 Africa
1.2.4 Asia/Pacific
1.2.5 Americas
2. Know your Customer Procedures – A Stepwise Approach
2.1 Step 1: Risk Assessment
2.1.1 Identify Risks
2.1.2 Categorize Risks
2.1.3 Assess Risks
2.1.4 Assign Risks to Adequate Prevention Measures (Example Measures for Account Officers)
2.2 Step 2: Know your Customer
2.2.1 Customer Acceptance
2.2.1.1 Customer Identification Process (CIP)
2.2.1.2 Dynamic Know your Customer Questionnaire
2.2.1.3 PEP screening & watch list management
2.2.1.4 Beneficial owner
2.2.1.5 Definition and Control of Measures through Business Rules
2.2.1.6 Initial Risk Scoring
2.2.1.7 Case Management
2.3 Step 3: Ongoing Customer Due Diligence
2.3.1 Check stated behaviour with actual
2.3.2 Re-Calculation of the risk
2.3.3 Increase Risk
3. Technical Requirements
4. Integration Scenarios
4.1 Scenario A: Siron® KYC manages the whole KYC process
4.2 Scenario B: Siron® KYC manages PEP & WL screening (web service)
4.3 Scenario C: KYC questionnaire is called via URL
4.4 Special topic: Handling of Customer Number
4.5 Batch Check: Data Requirements
5. Appendix
5.1 Glossary
1. Know your Customer (KYC)
Know your customer (KYC) is the due diligence and bank regulation that financial institutions and other regulated companies must perform to identify their clients and ascertain relevant information before doing business with them. In some countries, KYC is typically a policy implemented to conform to a customer identification program mandated under the Bank Secrecy Act, the USA PATRIOT Act and the 3rd EU Directive. Know your customer policies are becoming increasingly important globally to prevent identity theft, fraud, money laundering and terrorist financing.
The decision whether a customer is accepted or rejected is the easiest and earliest point at which to avoid the risk of money laundering. Customer acceptance thus becomes the first step in preventing money laundering and terrorist financing. It is imperative that institutions capture information about their customers' background, source of funds, business, domicile and the desired financial products in order to properly understand the risk profile of a potential customer.
One aspect of the KYC process is to verify that the customer is not listed as a known fraudster, terrorist or money launderer, e.g. by cross-checking against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list. This list contains thousands of entries and is updated at least monthly. In addition to such sanctions lists, third-party vendors offer lists that track persons regarded as high-risk because of negative reports in the media or in public records.
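The cross-check described above is rarely an exact string comparison: list entries carry aliases, names arrive as "Surname, Given" or with diacritics, and transliterations differ by a letter. The following is an added example of such a screening step written for this page; it is not Siron code and not the OFAC file format. It assumes an in-memory list of primary names plus aliases (a production list such as the SDN list would be loaded from the published file and refreshed at least monthly). All entries, the noise-word list and the 0.85 threshold are constructed assumptions.

```python
"""Watch-list screening of a customer name (added example, not Siron code).

Assumptions: the list is an in-memory structure of primary names plus aliases;
a production list such as the OFAC SDN list is loaded from the published file
and refreshed at least monthly. The entries below are constructed for
illustration and are not real list entries.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list (not real entries).
SAMPLE_WATCH_LIST = [
    {"id": "WL-0001", "name": "Ivan Petrovich Sidorov",
     "aliases": ["I. P. Sidorov", "Sidorov, Ivan"]},
    {"id": "WL-0002", "name": "Al-Rashid Trading Co.",
     "aliases": ["Alrashid Trading Company"]},
    {"id": "WL-0003", "name": "María José Núñez",
     "aliases": ["Maria Jose Nunez"]},
]

# Tokens that carry no identifying value and only dilute the comparison (assumed set).
NOISE_TOKENS = {"mr", "mrs", "ms", "dr", "co", "company", "corp", "ltd",
                "inc", "llc", "gmbh", "ag", "sa"}


def normalise(name: str) -> list:
    """Fold case, strip diacritics and punctuation, drop noise words, sort tokens.

    Sorting makes "Sidorov, Ivan" and "Ivan Sidorov" compare equal.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = re.split(r"[^a-z0-9]+", ascii_only.lower())
    return sorted(t for t in tokens if t and t not in NOISE_TOKENS)


def similarity(candidate: str, listed: str) -> float:
    """Score in [0, 1]: the larger of a character-level ratio on the normalised
    strings and a token-level score in which an initial ("p") counts as half a
    match against the full token ("petrovich")."""
    a, b = normalise(candidate), normalise(listed)
    if not a or not b:
        return 0.0
    char_ratio = SequenceMatcher(None, " ".join(a), " ".join(b)).ratio()
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    remaining = list(long_)
    token_score = 0.0
    for tok in short:
        for other in remaining:
            if tok == other:
                token_score += 1.0
            elif (len(tok) == 1 and other.startswith(tok)) or \
                 (len(other) == 1 and tok.startswith(other)):
                token_score += 0.5
            else:
                continue
            remaining.remove(other)  # each listed token may be consumed once
            break
    return max(char_ratio, token_score / len(long_))


def screen(name: str, watch_list=SAMPLE_WATCH_LIST, threshold: float = 0.85) -> list:
    """Return possible hits sorted by score, best first.

    Each hit records which listed name (primary or alias) produced the score, so
    the compliance officer reviewing the alert can see why it was raised.
    """
    hits = []
    for entry in watch_list:
        best_name, best = entry["name"], 0.0
        for listed in [entry["name"], *entry["aliases"]]:
            s = similarity(name, listed)
            if s > best:
                best_name, best = listed, s
        if best >= threshold:
            hits.append({"id": entry["id"], "matched_name": best_name,
                         "score": round(best, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for probe in ("Sidorov Ivan", "Ivan Sidorow", "AL RASHID TRADING CO", "John Smith"):
        print(probe, "->", screen(probe))
```

Everything at or above the threshold is a possible hit for review, not a rejection: a lower threshold catches more transliteration variants at the price of more false positives that land in case management, and alias coverage on the list side matters more than clever matching on the bank side.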
Beyond name matching, a key aspect of KYC controls is to monitor a customer's transactions against their recorded profile, the history of the customer's account(s) and their transactions with peers in order to identify money laundering schemes.
The KYC process is not solely focused on risk rating and the control of transactions. Another important aspect is the customer identification process (CIP). To verify collected identification documents, third-party vendors provide software to scan them and check their authenticity.
Banks that use KYC monitoring for anti-money laundering (AML) purposes or for checks relating to countering the financing of terrorism (CFT) use research tools such as Siron® AML and Siron® FD (fraud detection). The alerts these tools generate identify unusual activity, which is then subject to due diligence or enhanced due diligence (EDD) processes that use internal and external sources of information on the subject. This helps to determine whether a transaction or activity is suspicious and requires reporting to the authorities.
Know Your Customer processes are also employed by regular companies of all sizes to verify the anti-bribery compliance of their proposed agents, consultants or distributors. Banks, insurers and export credit agencies are increasingly demanding that customers provide detailed anti-corruption due diligence information to verify their probity and integrity.
1.1 Know Your Customer Policies
“Know your customer” regulations have been in force in most countries for many years. The primary best practice on “know your customer”, “customer identification” and “customer due diligence” can be found in several international publications such as the 2003 FATF Recommendations on AML/CTF, the “customer due diligence” guidance notes from the Basel Committee on Banking Supervision and the 3rd EU Directive. This directive, for example, calls for several requirements that financial institutions need to fulfil:
• Risk-based approach (see: 2.1 Step 1: Risk Assessment) to customer due diligence (the 3rd EU Directive provides specifications for Customer Due Diligence and Enhanced Customer Due Diligence)
• Identification and verification of high-risk customers such as Politically Exposed Persons (see: 2.2.1.3 PEP screening & watch list management)
• Definition and control of beneficial ownership (see: 2.2.1.4 Beneficial owner)
• Establishment of a risk profile (see: 2.2 Step 2: Know your Customer and following chapters) for each customer (legal entity or natural person) during customer acceptance, and a check for consistency during the ongoing customer due diligence process (see: 2.3 Step 3: Ongoing Customer Due Diligence)
1.2 Regulations
These regulations and guidelines must be, or already have been, transposed into national law. The status of implementation differs by region and country. A list of the regional regulations can be found in the following chapters.
1.2.1 Europe
Austria: http://www.imf.org/external/pubs/ft/scr/2004/cr04238.pdf
Belgium: http://www.imf.org/external/pubs/ft/scr/2006/cr0672.pdf
Czech Republic: www.imf.org/external/pubs/ft/scr/2004/cr0446.pdf and http://www.coe.int/t/dghl/monitoring/moneyval/Evaluations/round3/MONEYVAL(2006)21Rep-CZE3_en.pdf
Denmark: http://www.fatf-gafi.org/dataoecd/1/26/37588381.pdf
Finland: http://www.fatf-gafi.org/dataoecd/20/46/39794392.pdf
France: http://www.imf.org/external/pubs/ft/scr/2005/cr05186.pdf
Germany: http://www.imf.org/external/pubs/ft/scr/2004/cr04213.pdf
Greece: http://www.fatf-gafi.org/dataoecd/2/55/38987373.pdf
Hungary: http://www.imf.org/external/pubs/ft/scr/2005/cr05348.pdf
Ireland: http://www.fatf-gafi.org/dataoecd/63/29/36336845.pdf
Italy: http://www.fatf-gafi.org/dataoecd/52/29/36221355.pdf
Luxembourg: http://www.imf.org/external/pubs/ft/scr/2006/cr06164.pdf
Netherlands: http://www.imf.org/external/pubs/ft/scr/2008/cr08171.pdf
Norway: http://www.fatf-gafi.org/dataoecd/9/52/43209579.pdf
Poland: http://www.coe.int/t/dghl/monitoring/moneyval/Countries/Poland_en.asp
Portugal: http://www.fatf-gafi.org/dataoecd/55/49/37708742.pdf
Romania: http://www.imf.org/external/pubs/ft/scr/2003/cr03389.pdf
Spain: http://www.fatf-gafi.org/dataoecd/52/3/37172019.pdf
Sweden: http://www.fatf-gafi.org/dataoecd/26/35/36461995.pdf
Switzerland: http://www.fatf-gafi.org/dataoecd/29/11/35670903.pdf
Turkey: http://www.fatf-gafi.org/dataoecd/14/7/38341173.pdf
UK: http://www.fatf-gafi.org/dataoecd/55/29/39064399.pdf
1.2.2 Middle East
Bahrain: http://www.imf.org/external/pubs/ft/scr/2007/cr07134.pdf
Lebanon: None
Oman: None. The Sultanate of Oman is a member of the Gulf Cooperation Council (GCC), a council of states located in the Arabian Peninsula. The GCC is a member of the FATF. Oman is therefore committed to adopting FATF prescriptions. The country was subject to a FATF Mutual Evaluation in 2009.
Qatar: https://imf.org/external/pubs/ft/scr/2008/cr08322.pdf
UAE: http://www.fatf-gafi.org/dataoecd/47/55/41721938.pdf
1.2.3 Africa
Egypt: None
Ghana: No. However, a law that was recently established contains a requirement that the Minister of Finance should apply for membership of the Egmont Group within three months of the law being passed.
Kenya: None
South Africa: http://www.fic.gov.za
Zambia: http://www.imf.org/external/pubs/ft/scr/2008/cr0841.pdf
1.2.4 Asia/Pacific
Australia: http://www.fatf-gafi.org/dataoecd/60/33/35528955.pdf
China: http://www.fatf-gafi.org/dataoecd/33/11/39148196.pdf
Hong Kong: http://www.imf.org/external/pubs/ft/scr/2008/cr08360.pdf and http://www.fatf-gafi.org/dataoecd/34/60/40918857.pdf
India: None. India is an Associate Member of FATF, being a member of the Asia Pacific Group on Money Laundering. The Indian Financial Intelligence Unit is a member of the Egmont Group. The country, however, has not been the subject of a FATF Mutual Evaluation or IMF assessment exercise.
Indonesia: None
Japan: http://www.imf.org/external/pubs/ft/scr/2004/cr04187.pdf
Malaysia: http://www.apgml.org/documents/docs/17/Malaysian%20MER%20-%20FINAL%20August%202007.pdf
Pakistan: None
Philippines: None
Singapore: http://www.imf.org/external/pubs/ft/scr/2004/cr04104.pdf and http://www.fatf-gafi.org/dataoecd/36/42/40453164.pdf
South Korea: http://www.fatf-gafi.org/dataoecd/22/54/43439553.pdf
Taiwan: http://www.apgml.org/documents/docs/17/Chinese%20Taipei%20MER2_FINAL.pdf
Thailand: http://www.apgml.org/documents/docs/17/Thailand%20DAR.pdf
Vietnam: None
1.2.5 Americas
Argentina: http://www.gafisud.org/pdf/InformeArgentina.pdf
Bolivia: None
Brazil: http://www.imf.org/external/pubs/ft/scr/2005/cr05207.pdf
Canada: http://www.fatf-gafi.org/document/58/0,3343,en_32250379_32235720_40199098_1_1_1_1,00.html
Cayman Islands: http://www.cimoney.com.ky/section/regulatoryframework/default.aspxid=157
Colombia: http://www.fatf-gafi.org/dataoecd/5/3/40323928.pdf
Jamaica: None
Mexico: http://www.fatf-gafi.org/dataoecd/31/45/41970081.pdf
Uruguay: http://www.imf.org/external/pubs/ft/scr/2006/cr06435.pdf
USA: http://www.fatf-gafi.org/dataoecd/44/12/37101706.pdf
2. Know your Customer Procedures – A Stepwise Approach
KYC Life Cycle (figure):
Step 1: Risk Assessment
Step 2: Know-Your-Customer / Customer Acceptance
Step 3: Customer Due Diligence (Ongoing Customer Due Diligence): Simplified Due Diligence and Enhanced Due Diligence
[Steps 1-3] Continuous reassessment and improvement of the process
2.1 Step 1: Risk Assessment
National laws regulate the organizational duties of audited companies, groups and financial holdings. These duties belong to the requirements for the proper conduct of business. Among them are requirements for risk management and controlling as well as IT security measures and compliance regulations. The responsibility of top management and compliance managers is part of these duties. A company's risk analysis includes the company-specific risks of money laundering, financing of terrorism, fraud, etc., which are
• identified,
• categorized,
• assessed, and
• assigned to adequate prevention measures.
To manage risks one has to identify risk factors, categorize them (e.g. customer, product, transaction, country, processes etc.) and assess the danger they represent for the company. While defining the prevention measures, the residual risk and how it is handled must be documented. All of this is recorded in the risk analysis, which documents the process of identifying, categorizing and assessing the risk factors.
It also has to be taken into consideration that risk factors may arise from many business segments. Since fraud and money laundering methods are continually refined, a risk analysis, whose result can be shown in a risk matrix (also useful in training to create awareness among employees), is only a snapshot of the current situation. The risk analysis itself, however, is an ongoing process.
2.1.1 Identify Risks
Before a company can control risks, they have to be identified. There is no scientific method or process that guarantees that all risks will be identified. The best way to approach risk identification and to get an extensive overview of an institution-specific risk situation is a workshop session utilising the experience of different departments (compliance/AML unit, fraud analysts, internal audit, legal department, account managers, IT division, ...). Identifying risks is always a collaborative effort.
Financial institutions typically classify risks as “threats”. The practice of risk identification focuses on reducing the probability and impact of a threat. In the case of customer acceptance the focus is on keeping all threats away from the institution in order to avoid bad press (reputational damage).
It is vital for an institution to be risk-aware. By being aware of possible risks, the institution will be able to prevent threats caused by money laundering, terrorist financing and fraud. Internal and external auditors will ask about the risk situation and the measures taken to prevent or minimize each risk or threat. It will be necessary to show them, in a retraceable way, which risks were identified and which measures were set up to counter them.
2.1.2 Categorize Risks
Any practical process of risk assessment must group risks into a manageable number of categories. Example categories and risk factors (table):
Customer:
• Politically Exposed Persons
• Non-Resident Aliens
• Money Service Businesses (e.g. check cashing, wire transmitters)
• Gaming & Betting
• Jewellery Business
• Car, boat and aircraft (equipment) dealers
• Law, accounting and medical firms
• Phone and debit card business
• Off-Shore trust
• (…)
Product:
• Private Banking
• Correspondent Banking
• Trust Commercial
• Retail where it involves high net worth individuals and their corporate interests with personal and discrete services
• Online Banking
• (…)
Transaction:
• Cash Deposit
• Wire Transfer
• E-Bill Payment
• Correspondent Bank Clearing
• Offshore
• (…)
Country (…):
• Legal status
• Economic situation
• Standing of the financial service industry
• Exposure to financial crime and money laundering
• Corruption
• (…)
Most organizations find it useful to begin by describing the organizational structure of the bank. It is impossible to develop a set of risk categories that fits all organizations. Therefore money laundering and compliance officers (and TONBELLER's consultants) partner with the risk owners from the different branches and departments of the organization to develop a specific set of categories. The example shown in the table above (customer-, product-, transaction- and country-specific risk categories) represents a composite of what some of TONBELLER's customers have used. The set of categories can be tailored to the financial institution's preferences. It is key to have a manageable number of risk categories to generate meaningful and valid information.
Afterwards the financial institution describes the risk factors within each risk category (e.g. PEPs, certain account types, risky transaction types). Banks should be aware of risk combinations (for example: if a customer of a certain customer group uses a certain risky product, ...).
Each risk factor has to be described in a retraceable way in order to provide a detailed document for internal and external auditors.
(…)
2.1.3 Assess Risks
Image: Risk matrix template. Rows are the organizational units (Headquarter; Region North with Branch N1, Branch N2 and Branch N3; the units Retail N1 and Private N1; Region East; Region South; Region West). Columns are one risk factor per category: Customer (PEP), Product (Current Account), Transaction (Cash Deposit).
The next step within the procedure is the determination of a risk rating for each recognized threat. In some countries the legal authorities categorize risk ratings in different variants (such as in Germany, where the authorities suggest using a 6-level risk rating: legal low, low, medium, high-medium, high, legal high). The table below presents a standard 4-level risk rating approach:
# Risk Level
1 Low
2 Medium
3 High
4 Legal High (e.g. PEPs)
For each organizational unit it has to be evaluated which risks are relevant. In addition, a first risk rating based on the probability of occurrence has to be assigned to each identified risk.
In the next step of qualifying the risk, the damage that may be caused once the risk occurs also has to be defined. After that it has to be decided whether the risk is relevant, unacceptable, or will be accepted (the so-called “risk appetite” of the bank).
Image: Risk matrix filled in for the sample organization. Cells left blank in the figure are blank here; for the partially filled rows the values are listed left to right as they appear in the figure.
Organizational unit | Customer: PEP | Product: Current Account | Transaction: Cash Deposit
Headquarter | | |
Region North | | |
Branch N1 | | |
Branch N2 | | |
Branch N3 | | |
Retail N1 | Medium | Medium | High
Private N1 | High | Medium |
Region East | Medium | Medium |
Region South | | |
Region West | Low | |
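The matrix above is the output of the procedure in 2.1.3 (probability of occurrence, damage, level, risk-appetite decision), but the text does not show how a cell is derived. The following is an added example written for this page, not the whitepaper's or Siron's own logic: it combines a 1..4 probability estimate and a 1..4 damage estimate per organizational unit and factor into the four levels of the table, forces "Legal High" where a unit is legally bound to treat a class as high risk (the PEP case), applies an assumed risk appetite, and keeps the inputs next to each rating so the matrix stays retraceable for auditors. The scales, thresholds, appetite policy and unit estimates are constructed assumptions; the Retail N1 row happens to reproduce the figure's values.

```python
"""Risk assessment matrix (added example; not the whitepaper's own tooling).

Implements the steps of 2.1.3: every identified risk factor gets, per
organizational unit, an estimate of probability of occurrence and of the
damage if it occurs. Both use a 1..4 scale (an assumption), their product is
mapped onto the levels Low / Medium / High / Legal High, and the bank's risk
appetite turns each level into "accepted", "relevant" or "unacceptable".
The thresholds, the appetite policy and all unit estimates are constructed.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High", "Legal High")


@dataclass(frozen=True)
class RiskFactor:
    name: str
    category: str  # Customer / Product / Transaction / Country


@dataclass(frozen=True)
class Exposure:
    """One unit's estimate for one factor."""
    probability: int                # 1 (rare) .. 4 (frequent)
    damage: int                     # 1 (negligible) .. 4 (severe)
    legally_mandated: bool = False  # e.g. the unit actually serves PEPs


def rate(exposure: Exposure) -> str:
    """Level for one exposure. Assumed mapping of probability x damage (1..16):
    <= 4 Low, <= 9 Medium, else High; a legally mandated high-risk class is
    always "Legal High" regardless of the estimate."""
    for value in (exposure.probability, exposure.damage):
        if not 1 <= value <= 4:
            raise ValueError("probability and damage must be integers in 1..4")
    if exposure.legally_mandated:
        return "Legal High"
    score = exposure.probability * exposure.damage
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    return "High"


# Assumed risk appetite: up to Low is carried as is; High and above may not be
# carried without the measures of 2.1.4 being in place.
RISK_APPETITE = {"accept_up_to": "Low", "unacceptable_from": "High"}


def decide(level: str, appetite: dict = RISK_APPETITE) -> str:
    """Map a level onto the decision the text calls the bank's risk appetite."""
    rank = LEVELS.index(level)
    if rank <= LEVELS.index(appetite["accept_up_to"]):
        return "accepted"
    if rank >= LEVELS.index(appetite["unacceptable_from"]):
        return "unacceptable"
    return "relevant"


FACTORS = {
    "PEP": RiskFactor("PEP", "Customer"),
    "Current Account": RiskFactor("Current Account", "Product"),
    "Cash Deposit": RiskFactor("Cash Deposit", "Transaction"),
}

# Constructed estimates per organizational unit.
UNIT_ESTIMATES = {
    "Retail N1": {"PEP": Exposure(2, 3), "Current Account": Exposure(3, 2),
                  "Cash Deposit": Exposure(4, 3)},
    "Private N1": {"PEP": Exposure(3, 4, legally_mandated=True),
                   "Current Account": Exposure(2, 2)},
    "Region West": {"Cash Deposit": Exposure(1, 2)},
}


def assess(estimates: dict = UNIT_ESTIMATES, appetite: dict = RISK_APPETITE) -> dict:
    """Build the matrix: unit -> factor -> level, decision and the inputs that
    produced them, so every cell is retraceable for the auditors."""
    matrix = {}
    for unit, exposures in estimates.items():
        matrix[unit] = {}
        for fname, exp in exposures.items():
            level = rate(exp)
            matrix[unit][fname] = {
                "category": FACTORS[fname].category,
                "level": level,
                "decision": decide(level, appetite),
                "inputs": (exp.probability, exp.damage, exp.legally_mandated),
            }
    return matrix


def unit_level(matrix: dict, unit: str) -> str:
    """The unit's overall rating is its highest rated factor."""
    return max((cell["level"] for cell in matrix[unit].values()), key=LEVELS.index)


if __name__ == "__main__":
    result = assess()
    for unit, cells in result.items():
        print(unit, {f: c["level"] for f, c in cells.items()}, "->", unit_level(result, unit))
```

An "unacceptable" cell does not mean the business is refused outright; it means the unit may not carry that risk until the mitigating measures assigned in 2.1.4 are in place, and the decision is revisited when the estimates change.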
2.1.4 Assign Risks to Adequate Prevention Measures (Example Measures for Account Officers)
For each risk (at least each relevant one) the measures to mitigate it have to be defined, answering questions such as: “Who is responsible for implementing which measure, and by when?”
Some of these measures may be:
• Training measures (e.g. AML training)
• Organizational briefing & code of conduct
• Definition of a money laundering scenario (indicator) in Siron® AML
• Definition of a fraud scenario (indicator) in Siron® FD
• Definition of a special (high risk) customer group in Siron® AML
• …
The effectiveness of each measure and the residual risk also have to be described in the risk assessment. For measures that cannot be implemented immediately, a roadmap of how the risk will be mitigated has to be defined.
Structure of sample measures for account officers (risk level and measures for customer acceptance):
Risk Level: Low
• Presentation of valid original identity documents
• Establish purpose of account
• Establish source of funds
• Retain copies
Risk Level: Medium
• Above plus…
• Check against sanction/watch lists (…)
• Send registered letter to customer at provided address; retain signed return receipt
• (…)
Risk Level: High
• Above plus…
• Independent verification of customer acceptance documents
• Verification of source of funds
• Interview with bank officer
• Visit by bank officer to customer home or business
• Approval from branch officer
• Updating account information/documents every twelve months
• (…)
Risk Level: High – Legal
• Above plus…
• Compliance alert
• Approval from CEO
• (…)
2.2 Step 2: Know your Customer
The graph below displays the typical life cycle of a client: from the client onboarding process to the day-to-day monitoring of the customer against the profile recorded during customer acceptance. The initial recording of the stated behaviour is captured using flexible questionnaires, which can be defined by the bank and are used during the customer acceptance procedure to determine the risk a potential customer poses for the financial institution.
The behaviour stated by the customer during customer acceptance is compared to his or her actual behaviour, derived from the core banking system, and the risk is then re-calculated. When a customer deviates from the stated behaviour and poses an increased risk for the financial institution, the compliance department is notified and can take appropriate action based on internal procedures. The whole process is dynamic and allows financial institutions to assess the risk of a customer on an ongoing basis.
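What "compared to the actual behaviour and re-calculated" looks like in practice is shown by the following added example, written for this page and not taken from Siron. The stated profile stands in for the questionnaire answers at acceptance (expected monthly cash deposits, expected turnover, countries of declared business partners, initial risk level); the transactions stand in for the core-banking feed. Monthly actuals are aggregated, each deviation beyond a tolerance factor becomes an indicator, each distinct indicator type raises the level one step, and an alert is produced only when the level rose. Field names, the tolerance factor, the step rule and the sample transactions are constructed assumptions.

```python
"""Stated vs. actual behaviour and risk re-calculation (added example; not
Siron code). The stated profile stands for the questionnaire answers taken at
customer acceptance; the transactions stand for the feed from the core
banking system. Field names, the tolerance factor, the scoring rule and the
sample data are constructed assumptions, not the whitepaper's own.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

LEVELS = ("Low", "Medium", "High")


@dataclass(frozen=True)
class StatedProfile:
    customer_id: str
    expected_monthly_cash_in: float   # questionnaire: cash deposits per month
    expected_monthly_turnover: float  # questionnaire: total credits per month
    expected_countries: frozenset     # countries of declared business partners
    initial_level: str                # result of the initial risk scoring


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    booked: date
    amount: float              # credits positive, debits negative
    kind: str                  # "cash" or "wire"
    counterparty_country: str  # ISO 3166 alpha-2


def monthly_actuals(txns) -> dict:
    """Aggregate per (year, month): cash credits, total credits, countries seen."""
    months = defaultdict(lambda: {"cash": 0.0, "turnover": 0.0, "countries": set()})
    for t in txns:
        m = months[(t.booked.year, t.booked.month)]
        if t.amount > 0:
            m["turnover"] += t.amount
            if t.kind == "cash":
                m["cash"] += t.amount
        m["countries"].add(t.counterparty_country)
    return months


def deviations(profile: StatedProfile, txns, tolerance: float = 1.5) -> list:
    """Return (month, indicator, detail) for every month in which the actual
    behaviour exceeds the stated one by more than the tolerance factor, or a
    counterparty country appears that the customer did not declare."""
    found = []
    for month, m in sorted(monthly_actuals(txns).items()):
        if m["cash"] > tolerance * profile.expected_monthly_cash_in:
            found.append((month, "cash_in_above_stated", m["cash"]))
        if m["turnover"] > tolerance * profile.expected_monthly_turnover:
            found.append((month, "turnover_above_stated", m["turnover"]))
        unexpected = m["countries"] - profile.expected_countries
        if unexpected:
            found.append((month, "unexpected_country", sorted(unexpected)))
    return found


def recalculate(profile: StatedProfile, txns) -> tuple:
    """Re-score the customer: each distinct indicator type raises the level by
    one step (capped at High). Returns (new_level, alert, deviations); alert is
    True only when the level went up, which is what notifies compliance."""
    devs = deviations(profile, txns)
    indicator_types = {d[1] for d in devs}
    old_rank = LEVELS.index(profile.initial_level)
    new_rank = min(old_rank + len(indicator_types), len(LEVELS) - 1)
    return LEVELS[new_rank], new_rank > old_rank, devs


# Constructed sample data.
PROFILE = StatedProfile("C-1001", expected_monthly_cash_in=2000.0,
                        expected_monthly_turnover=10000.0,
                        expected_countries=frozenset({"DE", "AT"}),
                        initial_level="Low")
SAMPLE_TXNS = [
    Transaction("C-1001", date(2010, 3, 2), 1500.0, "cash", "DE"),
    Transaction("C-1001", date(2010, 3, 15), 4000.0, "wire", "AT"),
    Transaction("C-1001", date(2010, 4, 1), 9000.0, "cash", "DE"),   # cash far above stated
    Transaction("C-1001", date(2010, 4, 3), 8000.0, "wire", "KY"),   # undeclared country
    Transaction("C-1001", date(2010, 4, 20), -500.0, "wire", "DE"),  # debit: not turnover
]

if __name__ == "__main__":
    level, alert, devs = recalculate(PROFILE, SAMPLE_TXNS)
    print(PROFILE.initial_level, "->", level, "alert" if alert else "no alert")
    for d in devs:
        print(d)
```

The deviations list is what the case for the compliance officer should carry, not just the new level: the officer needs to see which stated value was exceeded in which month to decide between updating the profile (the customer's business simply grew) and enhanced due diligence.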
Image: The complete life cycle from customer acceptance to ongoing customer due diligence. Legend:
A Dynamic KYC questionnaire
B Check against watch lists
C Collect ID documents
D Enter expiration date of ID documentation
E Use of 3rd party application
F Ultimate beneficial owner
G Escalation; EDD, 4-eyes principle
H Deviation of actual transaction behaviour from stated behaviour
I Change of non-financial elements, country, etc.
J Calculate new risk level; if increased, generate alert
K Create alert for compliance and/or account manager
L Assign to employee
M Perform Enhanced Due Diligence, 4-eyes principle (dual control)
N Create alert for compliance and/or account manager
O Assign to employee
P Collect new documents, add new expiration date
2.2.1 Customer Acceptance

No account should be opened in an anonymous or fictitious name. The challenges of KYC-compliant client onboarding can be consolidated and managed in a single centralized, feature-rich solution. Siron® KYC provides the capability required to enforce the compliance policy while improving the efficiency of the customer acceptance process. With Siron® KYC, financial institutions are able to identify objectively those customers that carry a higher than normal integrity risk for the bank.

TONBELLER supports financial institutions in complying with "Know your Customer" regulations. The following chapters give insight into the following tasks and KYC/customer acceptance requirements:

- Banks shall classify customers into risk categories (risk rating) during customer acceptance, based on a risk assessment (see 2.1.3 Assess Risks)
- Each risk category has its own acceptance criteria for each customer category (legal or natural person) (see 2.1.4 Assign Risk to Adequate Prevention Measures)
- For the purpose of risk rating, banks shall obtain the relevant information from the customer at the time of customer acceptance (see 2.2.1.2 Dynamic Know your Customer Questionnaire)
- The necessary checks shall be conducted before a new account is opened, to ensure that the identity of the customer does not match any person with a known criminal background or any banned entity, such as persons listed on a sanction, watch or black list (see 2.2.1.3 PEP screening & watch list management)
- Accept or reject the customer after verifying the identity and after gaining an understanding of the risks the potential customer poses to the bank
2.2.1.1 Customer Identification Process (CIP)

The customer identification process (CIP) is an integral part of the "Know your Customer" process. A financial institution's CIP means that all customers (face-to-face and non-face-to-face) are properly identified through documented processes, and that the identity of the potential client is verified during customer acceptance by using reliable and independent source documents, data and information.

The CIP provisions apply equally whether the client is a natural person or a legal entity or company. However, the identification requirements vary between entity types:

CIP – Natural persons – What is needed?
- Document proving the identity
- Document proving the address
- Latest photograph
- Document verifying the signature
- …

CIP – Legal persons – What is needed?
- Verification of the legal status through proper and relevant documents
- Is the person who purports to act on behalf of the entity actually authorised to act? (Verify his or her identity, using third-party applications where applicable.)
- Understanding of the ownership and control structures: who is the ultimate beneficial owner?
- …
2.2.1.2 Dynamic Know your Customer Questionnaire

Questions asked during customer acceptance have to be dynamic in two ways:

(a) Questionnaires can be adjusted to the risk situation of the bank/institution over time: once a new legal requirement or risk factor comes up, the bank wants to add new questions. Without involving the IT department or a database administrator, the bank is able to add new questions, define the characteristics of the answer (selection, mandatory, character or numeric, …) and define where the answer to that question is stored.

(b) Situation-dependent variants of the questionnaire (see the example below): some questions are only asked depending on previous answers.

Example
Within the KYC questionnaire the potential customer has to specify whether he or she is the representative of a legal entity/company or a natural person. In the case of a legal entity, the authorised person is asked different questions than a natural person. The potential customer then has to provide details about the company, such as the full legal name of the entity, country/date of incorporation, country of domicile (if other than the country of incorporation), registration number, correspondence address and other information. Siron® KYC manages all variants of a questionnaire within one single template that covers all dependencies.

Other examples
- If the customer states that he or she will have foreign payments, one might ask for the expected volume and the source country of the funds.
- For a corporate customer, the structure of the beneficial owners has to be entered.
- …

Image: Generate your institution-specific Know your Customer questionnaire(s) with Siron® KYC
KYC Questionnaire Designer

At the design stage, KYC questionnaires are composed from the previously defined question types. The user drags question types from the "Tool Box" (see image below) into the draft questionnaire in order to add new questions to the institution-specific KYC questionnaire. During this design phase the KYC questionnaire can be marked as "inactive", which means that it is not yet available at the customer acceptance front desk.

Question types in the Tool Box:

Text: A text field, e.g. for data fields that gather basic information such as the first and last name of the potential customer.

Numeric: For questions where a numeric answer is expected, for example the expected volume of foreign turnover.

Combo box: Selection of one entry from a list (one of many), e.g. a list of professions or a list of branches. The values of such a list are loaded from "reference lists", which are maintained via the parameter maintenance user interface (the same as in Siron® AML).

Option button: Also a selection of one entry out of many, but the values are listed as a control in which the entry is selected directly. Typically used when the underlying reference list has just a few values (example: customer type, private or corporate).

Check box: Answers a yes/no question (example: do you expect foreign turnover?).

Date field: For all questions where a calendar has to be displayed (e.g. the date of foundation of a corporate customer).

Country: Used e.g. for nationality.

Dividing line: Separates the questions visually into multiple sections.

File: Adds file attachments.
Beneficial owners: Adds 1 to n beneficial owners (especially for corporate customers). All beneficial owners are checked against the PEP database; if one of them is a PEP, the underlying customer is flagged.

There are various setting options for every question type:

Question: Title of the question, which is displayed at customer acceptance.

Default: A default value for the answer.

Comparison object: The answer to the question is stored in a comparison object. Comparison objects are used for
- the definition of criteria for business rules (Siron® KYC)
- the definition of customer categories and indicators in Siron® AML
- displaying the values in Siron® AML's analysis application

Comment: Only used for documentation purposes.

Required: A required question has to be answered; the customer data cannot be saved without an answer to this question. Example: "Customer type (private or corporate)" is such a question.

Multi-line: Longer answers, for example descriptions, can be entered in a multi-line text field.

Min. length: If the bank does not accept answers below a certain number of characters, the minimum length is entered here (example: the last name has to have at least 3 characters).

Max. length: Used e.g. for compatibility reasons where a maximum length has to be set.

Define dependencies: Some questions depend on previous answers. Example: only a private customer is asked for the date of birth.
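The two kinds of dynamism described in 2.2.1.2 and the per-question settings listed above (required, min./max. length, dependencies) together form a small rule set that can be checked before a customer record is saved. The following Python is an added example, not Siron® KYC code: the questionnaire template, field keys and error messages are assumptions made for illustration, and it generalises the page's "private vs. corporate" and "foreign turnover" cases to any dependency expressed as a predicate over the answers given so far.

```python
"""Dynamic KYC questionnaire: conditional questions plus per-question validation.
Added example; the template, keys and messages are assumptions, not Siron KYC."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass(frozen=True)
class Question:
    key: str
    title: str
    qtype: str                 # text | numeric | option | checkbox | date | country
    required: bool = False
    options: tuple = ()        # reference-list values for option questions
    min_length: int = 0
    max_length: Optional[int] = None
    # "Define dependencies": the question is only asked when this predicate
    # over the answers given so far returns True. None means always asked.
    depends_on: Optional[Callable[[dict], bool]] = None


def is_private(a):
    return a.get("customer_type") == "private"


def is_corporate(a):
    return a.get("customer_type") == "corporate"


def has_foreign_turnover(a):
    return a.get("foreign_turnover") is True


# Constructed questionnaire template (an assumption for this example).
QUESTIONNAIRE = [
    Question("customer_type", "Customer type", "option", required=True,
             options=("private", "corporate")),
    Question("last_name", "Last name", "text", required=True,
             min_length=3, max_length=80, depends_on=is_private),
    Question("birth_date", "Date of birth", "date", required=True, depends_on=is_private),
    Question("legal_name", "Full legal name of entity", "text", required=True,
             min_length=3, depends_on=is_corporate),
    Question("registration_number", "Registration number", "text", required=True,
             depends_on=is_corporate),
    Question("foreign_turnover", "Do you expect foreign turnover?", "checkbox", required=True),
    Question("expected_foreign_volume", "Expected foreign volume per year", "numeric",
             required=True, depends_on=has_foreign_turnover),
    Question("source_country", "Source country of funds", "country", required=True,
             depends_on=has_foreign_turnover),
]


def applicable(template, answers):
    """The questions that are actually asked, given the answers recorded so far."""
    return [q for q in template if q.depends_on is None or q.depends_on(answers)]


def validate(template, answers):
    """Return a list of error strings; an empty list means the record can be saved."""
    errors = []
    asked = applicable(template, answers)
    for q in asked:
        v = answers.get(q.key)
        if v is None or v == "":
            if q.required:
                errors.append(f"{q.key}: answer required")
            continue
        if q.qtype == "option" and v not in q.options:
            errors.append(f"{q.key}: must be one of {q.options}")
        elif q.qtype == "checkbox" and not isinstance(v, bool):
            errors.append(f"{q.key}: expected yes/no")
        elif q.qtype == "numeric" and (isinstance(v, bool)
                                       or not isinstance(v, (int, float)) or v < 0):
            errors.append(f"{q.key}: expected a non-negative number")
        elif q.qtype == "date":
            try:
                date.fromisoformat(v)
            except (TypeError, ValueError):
                errors.append(f"{q.key}: expected a date as YYYY-MM-DD")
        elif q.qtype == "country" and not (isinstance(v, str) and len(v) == 2
                                           and v.isalpha() and v.isupper()):
            errors.append(f"{q.key}: expected an ISO 3166-1 alpha-2 code")
        elif q.qtype == "text":
            if len(v) < q.min_length:
                errors.append(f"{q.key}: at least {q.min_length} characters")
            if q.max_length is not None and len(v) > q.max_length:
                errors.append(f"{q.key}: at most {q.max_length} characters")
    # An answer to a question that was never asked (e.g. a birth date on a
    # corporate record) must not be saved silently; report it instead.
    asked_keys = {q.key for q in asked}
    errors.extend(f"{k}: not applicable to this customer, answer ignored"
                  for k in answers if k not in asked_keys)
    return errors
```

The dependency is evaluated against the answers already captured, so the set of applicable questions changes as the front-desk user fills in the form, and the same template serves both customer types. Validation rejects answers to questions that were not asked; otherwise a client could smuggle fields into the record that the compliance rules never see.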
KYC Questionnaire – Benefits for the Ongoing Customer Due Diligence Process

All information gathered through the KYC questionnaire is available in the research process. One of the strong benefits of the Siron® KYC solution is the possibility to check the stated behaviour of the customer against the real behaviour in order to identify suspicious activities (within the research systems Siron® AML and Siron® FD).

Example
During customer acceptance the customer indicated that he will not have any foreign payments or transactions. The AML or compliance officer now has the possibility to perform plausibility checks within the customer due diligence process (for details see 2.3 Step 3: Ongoing Customer Due Diligence). If the customer actually performs a lot of foreign payments/transactions, the research system generates an alert indicating that the customer gave false statements when answering the KYC questionnaire.

Hint: For more details see 2.3.1 Check stated behaviour with actual
2.2.1.3 PEP screening & watch list management

PEP screening

A core element of the customer acceptance process is to identify whether the customer is a politically exposed person (PEP). This brings its own challenges since, in contrast to sanction lists, there are no official PEP lists. Databases describing national and international politically exposed persons differ primarily in their volume, quality and integration. Data providers offer PEP lists with more than 1.2 million entries worldwide.

How can one make sure that matching large data stocks against PEP databases returns qualified results? Identical names of a PEP and a customer always produce a hit although they might not be the same person ("false positives"). Primary identification criteria, such as date of birth, place of birth, passport number or national identification number, as well as secondary identification criteria, such as address or passport photograph, are used to optimise the matching procedure, thus reducing false positives as well as the effort of manual checking. Siron® KYC has interfaces to commercial database providers such as World-Check, World Compliance and Dow Jones Watch List (formerly known as "Factiva").

Image: All applicable embargo regulations and legal requirements to identify PEPs are covered by Siron® KYC

After completing the KYC questionnaire, the customer acceptance officer starts a screening process whereby the data from the questionnaire (such as first name, last name, place/date of birth) is matched against the PEP database. In the case of legal entities or companies, all beneficial owners are included in the screening process and checked against the PEP database. All matches are displayed in the system, including links to additional information for an in-depth check.
Watch list management

Identity fraud, crime and terrorist activities have been on the rise for several years and are becoming increasingly sophisticated. More than ever it is important to keep the business free from criminals that could damage the organisation's reputation. However challenging, it is imperative to get the sanctions programme right, as the fines for compliance violations can be substantial, both in terms of monetary penalties and reputational damage. Organisations such as the Office of Foreign Assets Control (OFAC), an agency of the United States Department of the Treasury, therefore publish official, non-commercial sanction lists with entries of restricted individuals and entities that banks must keep away from their products, channels and services. Similar lists, such as the EU list and the Her Majesty's Treasury (HMT) list, are available and provide different sets of entries of criminal persons and entities. All of these lists can be uploaded to Siron® KYC in order to screen the initial customer data against them. Siron® KYC uses enhanced search capabilities (as described in the following chapter, Technical specification for PEP screening & watch list management). After screening the initial KYC data against the lists, Siron® KYC indicates the match strength between the customer data and the list entries and enables the customer acceptance officer to examine whether the potential customer poses a serious threat to the bank.
Technical specification for PEP screening & watch list management

Siron® KYC comes with a fuzzy search engine that widens the search in order to identify high-risk individuals who may attempt to disguise their identity beyond the known aliases. This fuzzy search not only detects name components that have been altered but also abbreviations, substitutions, modified writing patterns, deletions, acronyms and foreign spellings (transliterations).
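What the PEP screening and watch list sections describe, reduced to its mechanics: normalise names so that diacritics, punctuation and token order do not matter, score the similarity, and then let a primary identification criterion (here the date of birth) set the match strength. The following Python is an added example, not the vendor's fuzzy search engine; the list entries are constructed, the threshold and the 0.8 credit for a matching initial are assumptions, and it uses the standard library's difflib ratio in place of a real name-matching algorithm.

```python
"""Fuzzy name screening against PEP/sanction entries with match strength.
Added example; the list entries are constructed and the scoring is an
illustration, not the vendor's engine."""
import re
import unicodedata
from difflib import SequenceMatcher


def normalize(name):
    """Lower-case ASCII tokens: strips diacritics, punctuation and hyphens,
    so 'Müller, Hans-Peter' and 'hans peter mueller' become comparable."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[a-z0-9]+", ascii_only.casefold())


def token_similarity(a, b):
    """1.0 for equal tokens, a fixed credit for an initial matching the first
    letter of the other token, otherwise a character-level ratio."""
    if a == b:
        return 1.0
    if (len(a) == 1 and b.startswith(a)) or (len(b) == 1 and a.startswith(b)):
        return 0.8
    return SequenceMatcher(None, a, b).ratio()


def name_score(candidate, listed):
    """Order-insensitive similarity in [0, 1]: every token on each side is
    paired with its best counterpart, so 'Last, First' matches 'First Last'."""
    ca, lb = normalize(candidate), normalize(listed)
    if not ca or not lb:
        return 0.0
    forward = [max(token_similarity(t, u) for u in lb) for t in ca]
    backward = [max(token_similarity(u, t) for t in ca) for u in lb]
    return (sum(forward) + sum(backward)) / (len(forward) + len(backward))


# Constructed list entries (assumption): name, aliases, date of birth if known.
WATCH_LIST = [
    {"list": "PEP", "name": "Müller, Hans-Peter", "aliases": ("H.P. Mueller",),
     "dob": "1961-03-04"},
    {"list": "Sanction", "name": "Ivanov, Sergei", "aliases": ("Sergey Ivanov",),
     "dob": None},
    {"list": "PEP", "name": "Garcia, Maria", "aliases": (), "dob": "1975-08-12"},
]


def screen(customer, entries=WATCH_LIST, threshold=0.85):
    """Return candidate hits sorted by score. The date of birth (a primary
    identification criterion) sets the strength; a mismatch downgrades the
    hit to 'weak' but keeps it visible for the analyst rather than discarding
    it, since list data can itself be wrong or incomplete."""
    hits = []
    for entry in entries:
        names = (entry["name"], *entry.get("aliases", ()))
        score = max(name_score(customer["name"], n) for n in names)
        if score < threshold:
            continue
        strength = "possible"                     # name only
        if customer.get("dob") and entry.get("dob"):
            strength = "strong" if customer["dob"] == entry["dob"] else "weak"
        hits.append({"list": entry["list"], "name": entry["name"],
                     "score": round(score, 2), "strength": strength})
    return sorted(hits, key=lambda h: (-h["score"], h["name"]))
```

The point of the `weak` grade is that a date-of-birth mismatch ranks the hit down for the analyst but never clears it automatically: the list entry may carry a wrong or missing date, and an automated "no hit" on that basis is exactly the kind of decision that should stay with a person under dual control.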
All actions at the decision level (for example the decision whether the screened customer is a PEP or not) can be taken according to the principle of dual control, which gives the decision-making process a broader basis. The financial institution can activate dual control in the settings of Siron® KYC. While the dual-control functionality is active, the first decision triggers a message to a second analyst, who is in charge of confirming or rejecting the decision of his or her colleague.

Siron® KYC provides the users with retraceable, audit-proof records of the screening results and decisions to satisfy compliance and audit requirements.
2.2.1.4 Beneficial owner

One of the key provisions in, for example, the 3rd EU Money Laundering Directive is the requirement to identify beneficial owners and to verify the identity of those persons. According to a survey undertaken by the FATF, which formed the basis of its typology report, the most significant feature of the misuse of corporate vehicles is the hiding of the true beneficial ownership.[1] The typology report identified three sub-categories for the misuse of corporate vehicles: multi-jurisdictional structures of corporate entities and trusts; specialised intermediaries and professionals; and nominees and shell companies. These corporate vehicles are often used primarily to hide the origin and identity of the beneficial owner as well as the origin of the funds. Within the context of money laundering and fraud, the identification and verification of beneficial ownership is a key concern for external auditors.

The content below gives an overview of the beneficial owner definition and explains how Siron® KYC can help in the verification and documentation process for beneficial owners:

Beneficial Owner (general definition/US)
- The individual who enjoys the benefits of owning a security or property, regardless of whose name the title is in (US)

Beneficial Owner (EU definition)
- In the case of corporate entities, the natural person who
  - ultimately owns or controls a legal entity through direct or indirect ownership of, or control over, a sufficient percentage of shares or voting rights; a percentage of 25% plus one share shall be deemed sufficient
  - otherwise exercises control over the management
- In the case of legal entities (e.g. foundations) and legal arrangements (e.g. trusts) administering or distributing funds
  - the natural person(s) who is the beneficiary of at least 25% of the property (where the beneficiaries have already been determined)
  - the class of persons in whose main interest the legal arrangement/entity is set up (where the beneficiaries have not yet been determined)
  - the natural person(s) who exercises control over at least 25% of the property

Identification/verification of the beneficial owner
- When establishing a business relationship
- During the ongoing business relationship, at regular intervals
- If suspicious transactions occur
- When in doubt about the veracity or relevance of previously obtained information
- If transactions in relation to the customer's business partners seem suspicious (know your customer's customer)

[1] FATF Typology Report: The Misuse of Corporate Vehicles, Including Trust and Company Service Providers, 13 October 2006, FATF/OECD, Paris, 2006, p. 2.
Recording beneficial owner information in the KYC profile with Siron® KYC
- The dynamic questionnaire enables the customer acceptance officer to record all information about the beneficial owner(s)
- The interface for gathering the information about the beneficial owner can be adjusted and designed individually
- During the initial risk rating all beneficial owner(s) are also checked via the 3rd party application, which means that the recorded profiles are matched against watch, sanction, black and PEP databases

Checking the beneficial owner information with Siron® KYC

The system allows 1 to n beneficial owners to be added (especially for corporate customers). All beneficial owners are checked against the PEP database. If one of them is a PEP, the underlying customer is flagged.

Image: Record information on the beneficial owners in the KYC questionnaire and automatically screen the information against 3rd party applications such as watch and sanction lists
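The EU definition above (25% plus one share, held directly or indirectly) and the PEP check of every recorded beneficial owner can be worked through on a layered ownership structure, which is exactly the "multi-jurisdictional structures" case the FATF report names. The following Python is an added example, not Siron® KYC code: the ownership graph, the names and the PEP set are constructed, and the PEP check here is an exact name comparison standing in for the fuzzy screening of the previous section.

```python
"""Ultimate beneficial owners through layered ownership, then PEP screening
of each UBO. Added example; the ownership structure and PEP set are
constructed, and the routine is not Siron KYC code."""
from collections import defaultdict

# Constructed ownership structure (assumption): entity -> [(owner, fraction of
# shares/voting rights)]. Natural persons are the leaves of the graph.
OWNERSHIP = {
    "Acme Trading GmbH": [("Holding One AG", 0.60), ("Holding Two Ltd", 0.30),
                          ("Carla Weber", 0.10)],
    "Holding One AG":    [("Alice Mayer", 0.50), ("Bob Stern", 0.50)],
    "Holding Two Ltd":   [("Bob Stern", 0.80), ("Dan Cole", 0.20)],
}
NATURAL_PERSONS = {"Carla Weber", "Alice Mayer", "Bob Stern", "Dan Cole"}
EU_THRESHOLD = 0.25        # "25% plus one share shall be deemed sufficient"


def effective_ownership(entity, graph, persons, _path=()):
    """Fraction of `entity` held by each natural person, directly or through
    intermediate entities (fractions multiply along a chain and add up over
    chains). Raises on circular ownership instead of recursing forever."""
    path = _path + (entity,)
    held = defaultdict(float)
    for owner, fraction in graph.get(entity, []):
        if owner in persons:
            held[owner] += fraction
        elif owner in path:
            raise ValueError(f"circular ownership: {' -> '.join(path + (owner,))}")
        else:
            for person, share in effective_ownership(owner, graph, persons, path).items():
                held[person] += fraction * share
    return dict(held)


def ultimate_beneficial_owners(entity, graph, persons, threshold=EU_THRESHOLD):
    """Natural persons whose effective holding exceeds the threshold, largest
    first. Control 'by other means' cannot be derived from shareholdings and
    still has to be asked for in the questionnaire."""
    held = effective_ownership(entity, graph, persons)
    return sorted(((p, round(f, 4)) for p, f in held.items() if f > threshold),
                  key=lambda pf: -pf[1])


def assess_beneficial_owners(entity, graph, persons, pep_names, threshold=EU_THRESHOLD):
    """UBO list plus the PEP flag the page describes: if any beneficial owner
    is a PEP, the underlying customer is flagged. Exact-name lookup here;
    a real check would use fuzzy screening as in the previous section."""
    ubos = ultimate_beneficial_owners(entity, graph, persons, threshold)
    pep_ubos = [p for p, _ in ubos if p in pep_names]
    return {"customer": entity, "ubos": ubos, "pep_ubos": pep_ubos,
            "pep_flag": bool(pep_ubos)}
```

The constructed structure shows why the chain has to be followed: the only natural person on the direct shareholder register holds 10%, while Bob Stern (54% through two holdings) and Alice Mayer (30% through one) never appear there at all. A register that only records direct shareholders would screen the wrong people.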
2.2.1.5 Definition and Control of Measures through Business Rules

Rules and policies for customer acceptance can be stored within Siron® KYC. After the initial person check, the system delivers a risk rating and specific instructions for the further course of the customer acceptance process. It is not only PEP databases and sanction/watch lists that generate a risk rating: the user is able to define specific scenarios in order to classify the risk rating of the potential customer. With the help of business rules it is possible to determine the impact of data from the customer acceptance process. For this purpose the following comparison objects are available:

- All data fields of the customer acceptance questionnaire
- Results of the check against sanction lists
- Results of the check against PEP databases

After matching the customer data against the business rules, the system automatically delivers the following:

- Risk classification for the potential customer
- Instruction: e.g. call the compliance officer, refuse acceptance of the potential customer, limit product usage, … (see the example of a business rule below [Image])
- Optional: send an e-mail to a defined recipient

Image: Example of a business rule "Channel of distribution Broker…"

Example
A customer opening an account via the distribution channel "broker" who does not explain the reason for opening the account should be classified as a high-risk customer.
Optional: in addition, Siron® KYC can notify the customer acceptance officer that he has to follow customer-specific instructions, e.g. call the compliance department, request more information, …

All business rules can be generated and adjusted without the support of IT. For this purpose Siron® KYC provides a dialog to set up the criteria (comparison object, operator and value range) for the business rule.
2.2.1.6 Initial Risk Scoring

As shown in the previous section, a new customer has to be risk-rated immediately. The business rules are used for this task. Should a new customer match multiple business rules during customer acceptance, the rule with the highest risk counts for the customer. The risk classification is the basis for follow-up decisions and for the ongoing customer due diligence performed via Siron® AML or Siron® FD.
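The business rules of 2.2.1.5 (criteria made of comparison object, operator and value; a risk classification, an instruction and an optional e-mail recipient per rule) and the "highest risk counts" evaluation of 2.2.1.6 fit in a small rule engine. The following Python is an added example, not Siron® KYC code: the operators, risk levels, rule set and instructions are constructed, with the page's broker example as the first rule, and the fail-closed handling of a record that matches no rule is a design choice of this example.

```python
"""Business rules over comparison objects: criteria are (object, operator,
value) triples, the highest-risk matching rule decides. Added example; the
rules, risk levels and instructions are constructed, not Siron KYC content."""
from dataclasses import dataclass
from typing import Optional


def _num(a, b, cmp):
    # A missing or non-numeric comparison object never satisfies a numeric test.
    return isinstance(a, (int, float)) and cmp(a, b)


OPERATORS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: _num(a, b, lambda x, y: x > y),
    ">=": lambda a, b: _num(a, b, lambda x, y: x >= y),
    "<": lambda a, b: _num(a, b, lambda x, y: x < y),
    "in": lambda a, b: a in b,
    "not in": lambda a, b: a not in b,
    "is empty": lambda a, b: a in (None, ""),
}

RISK_LEVELS = {1: "low", 2: "medium", 3: "high", 4: "unacceptable"}


@dataclass(frozen=True)
class Rule:
    name: str
    criteria: tuple                # ((comparison_object, operator, value), ...)
    risk: int
    instruction: str
    notify: Optional[str] = None   # optional e-mail recipient


# Constructed rule set (assumption); the first rule is the page's broker example.
RULES = (
    Rule("Broker channel without stated purpose",
         (("distribution_channel", "==", "broker"), ("account_purpose", "is empty", None)),
         3, "Request the reason for opening the account; call the compliance department"),
    Rule("Sanction list hit", (("sanction_hit", "==", True),),
         4, "Refuse acceptance; escalate to the compliance officer",
         notify="compliance@example.invalid"),
    Rule("PEP hit", (("pep_hit", "==", True),),
         3, "Enhanced due diligence under dual control"),
    Rule("High expected foreign volume",
         (("foreign_turnover", "==", True), ("expected_foreign_volume", ">", 100000)),
         2, "Document the source of funds"),
    Rule("Domestic private customer",
         (("customer_type", "==", "private"), ("foreign_turnover", "==", False)),
         1, "Standard acceptance"),
)


def rule_matches(rule, record):
    """All criteria must hold for the record (questionnaire answers plus the
    sanction and PEP screening results, keyed by comparison object)."""
    return all(OPERATORS[op](record.get(obj), value) for obj, op, value in rule.criteria)


def initial_risk_score(record, rules=RULES):
    """Risk classification and instruction for a new customer. With several
    matching rules the highest risk counts; with none, the record is left
    unrated and referred rather than silently treated as low risk."""
    matched = [r for r in rules if rule_matches(r, record)]
    if not matched:
        return {"risk": None, "label": "unrated", "rule": None, "matched": [],
                "instruction": "No business rule matched: refer to the compliance officer",
                "notify": None}
    top = max(matched, key=lambda r: r.risk)
    return {"risk": top.risk, "label": RISK_LEVELS[top.risk], "rule": top.name,
            "matched": [r.name for r in matched],
            "instruction": top.instruction, "notify": top.notify}
```

Two details matter for the scoring to be safe: a numeric operator applied to a missing comparison object must evaluate to false rather than raise or match, and a record that matches no rule at all must not default to the lowest risk, because that is precisely the path an incomplete or manipulated questionnaire would take.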
2.2.1.7 Case Management

As regulations call for retraceable documentation of all information, it is necessary to keep proof of all the steps taken to establish the identity of the new/potential customer. Therefore each customer entered via Siron® KYC's questionnaire is recorded and displayed via case management.

Image: The case management provides the big picture of all hits in PEP databases, watch and sanction lists, as well as the risk rating and the instructions on how to proceed with the potential customer

The case management capabilities of Siron® KYC enable the compliance officer to
- systematically facilitate investigations and capture and display all information relevant to the case
- assign cases to a second analyst (dual control)
- override the system's match against a sanction list entry or PEP database entry by selecting "hit" or "no hit"
- use a pre-defined workflow for the management and resolution of cases
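The dual control described in the technical specification (a first decision, then a second analyst who confirms or rejects it) and the "retraceable, audit-proof" record of decisions that case management has to provide are two controls that can be checked in code. The following Python is an added example, not the vendor's implementation: the case workflow, the rule that the second analyst must be a different user, and the hash-chained audit trail are one way to realise those properties, chosen for this illustration.

```python
"""Case with dual control (four-eyes) on the hit/no-hit decision and a
hash-chained audit trail. Added example; this is one way to realise the
'dual control' and 'audit-proof' properties the page describes, not the
vendor's implementation."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64


class DualControlError(Exception):
    pass


def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Case:
    case_id: str
    customer: str
    hits: list                      # screening hits the analysts have to assess
    status: str = "open"            # open | awaiting_confirmation | closed_hit | closed_no_hit
    first: Optional[tuple] = None   # (analyst, decision) awaiting confirmation
    audit: list = field(default_factory=list)

    def _log(self, actor, action, detail):
        """Append an entry whose hash covers the previous entry's hash, so a
        later edit of any entry breaks the chain (see verify_audit)."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def decide(self, analyst, decision):
        """First decision: overrides the system's match as hit or no_hit."""
        if self.status != "open":
            raise DualControlError(f"case {self.case_id} is {self.status}")
        if decision not in ("hit", "no_hit"):
            raise ValueError("decision must be 'hit' or 'no_hit'")
        self.first = (analyst, decision)
        self.status = "awaiting_confirmation"
        self._log(analyst, "first_decision", decision)

    def confirm(self, analyst, agree):
        """Second decision: must come from a different analyst. A refused
        self-confirmation is itself logged before the error is raised."""
        if self.status != "awaiting_confirmation":
            raise DualControlError(f"case {self.case_id} has no decision to confirm")
        first_analyst, decision = self.first
        if analyst == first_analyst:
            self._log(analyst, "self_confirmation_refused", decision)
            raise DualControlError("four-eyes principle: second analyst must differ from the first")
        if agree:
            self.status = f"closed_{decision}"
        else:
            self.status, self.first = "open", None
        self._log(analyst, "confirmed" if agree else "rejected", decision)


def verify_audit(case):
    """True iff every entry's hash is intact and links to its predecessor."""
    prev = GENESIS
    for entry in case.audit:
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The identity check in `confirm` is what makes dual control a control: a single analyst must not be able to both override a sanction hit as "no hit" and confirm that override. Logging the refused attempt, rather than only the successful decisions, is what an auditor will want to see when the same user name keeps appearing in both roles.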
2.3 Step 3: Ongoing Customer Due Diligence

2.3.1 Check stated behaviour with actual

All information captured for a new customer via Siron® KYC is stored in Siron® KYC's database. It is attached to the customer's record and published to Siron® AML via comparison objects. With the integration of Siron® KYC into Siron® AML, the system can use up to 170 new comparison objects containing the answers that new customers gave in the customer acceptance questionnaire. This allows the initially stated behaviour of the customer to be compared against the real behaviour of the customer in ongoing monitoring.

Example
To receive a low risk score, the customer initially states that he will not do any foreign transactions. Due to the low risk classification the customer is accepted. The ongoing monitoring records every transaction of the customer. If the customer's real behaviour (recorded by Siron® AML) diverges from the initial statements (recorded by Siron® KYC), an AML alert is raised.

Sample case of fraud detection
Furthermore, the integration of Siron® KYC into Siron® FD (fraud detection) allows fraudulent behaviour in the customer acceptance process itself to be detected. If there is a significant divergence between real behaviour and initially stated behaviour, and many such cases come up for the same customer acceptance officer, then that officer's behaviour has to be questioned.
2.3.2 Re-calculation of the risk

Siron® KYC calculates the initial risk. After customer acceptance, Siron® AML (in combination with Siron® Profile[2]) records the customer's real behaviour (based on his transactions and profile data). Based on this real behaviour the risk is recalculated. Any divergence between the initial risk and the recalculated ongoing risk is visible.

2.3.3 Increase of risk

As described in the previous section, any divergence is visible. An increase of the risk level is especially important.

If many cases like that (low risk during customer acceptance, higher risk in ongoing monitoring) show up with certain characteristics (e.g. for the same customer acceptance officer), this may hint at a fraudulent event.

[2] Siron® Profile is an add-on for the research systems Siron® AML and Siron® FD and extends their functionality by dynamically allocating each customer to so-called peer groups. A peer group consists of people for whom factors like educational or social class match. Another indicator might be the frequency of transactions or the amount of money they transfer per month. Siron® Profile identifies significant changes in the behaviour of a customer and thus possible cases of money laundering and fraud.
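The stated-versus-actual check of 2.3.1 and the clustering of divergent cases by customer acceptance officer in 2.3.3 can be run over a transaction log in a few lines. The following Python is an added example, not Siron® AML or Siron® FD logic: the customers, their questionnaire answers and the transaction log are constructed, and the thresholds (two foreign transactions above 10,000, a stated volume exceeded by more than a factor of two, at least two cases and half of an officer's customers) are assumptions for the illustration.

```python
"""Stated vs. actual behaviour check and clustering of divergent cases by
customer acceptance officer. Added example over constructed data; the
thresholds are assumptions, not Siron AML/FD parameters."""
from collections import Counter, defaultdict

HOME_COUNTRY = "DE"

# Constructed KYC answers (assumption): officer who onboarded the customer and
# what the customer stated about foreign payments.
CUSTOMERS = {
    "C1": {"officer": "officer_a", "stated_foreign": False},
    "C2": {"officer": "officer_a", "stated_foreign": False},
    "C3": {"officer": "officer_a", "stated_foreign": True, "expected_foreign_volume": 50000},
    "C4": {"officer": "officer_b", "stated_foreign": False},
    "C5": {"officer": "officer_b", "stated_foreign": False},
}

# Constructed transaction log (assumption): customer, date, counterparty country, amount.
TRANSACTIONS = [
    ("C1", "2010-03-02", "CH", 12000.0), ("C1", "2010-03-09", "CH", 15000.0),
    ("C1", "2010-03-11", "DE", 300.0),
    ("C2", "2010-03-05", "AE", 40000.0), ("C2", "2010-03-06", "AE", 38000.0),
    ("C3", "2010-03-07", "US", 20000.0),
    ("C4", "2010-03-08", "DE", 500.0), ("C4", "2010-03-12", "DE", 1200.0),
    ("C5", "2010-03-09", "AT", 200.0),
]


def stated_vs_actual(customers, transactions, home=HOME_COUNTRY,
                     min_count=2, min_volume=10000.0, volume_factor=2.0):
    """One alert per customer whose foreign activity contradicts the KYC
    answers: 'no foreign payments' but repeated foreign transactions above
    min_volume, or a stated volume exceeded by more than volume_factor."""
    foreign = defaultdict(list)
    for cid, _, country, amount in transactions:
        if country != home:
            foreign[cid].append(amount)
    alerts = []
    for cid, c in customers.items():
        amounts = foreign.get(cid, [])
        volume = sum(amounts)
        expected = c.get("expected_foreign_volume")
        if not c["stated_foreign"] and len(amounts) >= min_count and volume >= min_volume:
            reason = "stated no foreign payments"
        elif c["stated_foreign"] and expected and volume > volume_factor * expected:
            reason = "stated foreign volume exceeded"
        else:
            continue
        alerts.append({"customer": cid, "officer": c["officer"], "reason": reason,
                       "foreign_count": len(amounts), "foreign_volume": volume})
    return alerts


def officer_anomalies(customers, alerts, min_cases=2, min_rate=0.5):
    """Officers for whom divergent cases cluster: at least min_cases alerts and
    at least min_rate of their onboarded customers affected. A single small
    sample proves nothing; compare against the rate across all officers."""
    onboarded = Counter(c["officer"] for c in customers.values())
    divergent = Counter(a["officer"] for a in alerts)
    flagged = []
    for officer, n in sorted(onboarded.items()):
        k = divergent.get(officer, 0)
        if k >= min_cases and k / n >= min_rate:
            flagged.append({"officer": officer, "cases": k, "onboarded": n,
                            "rate": round(k / n, 2)})
    return flagged
```

The per-customer alert only says that the questionnaire answer was wrong; it does not say why. The officer-level view is what turns a series of such alerts into a fraud lead, and it should always be read against the base rate of divergence across all officers, since an officer who onboards mostly export businesses will legitimately show more foreign activity than one who does not.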
3. Technical Requirements

Supported databases
- Microsoft SQL Server (as of version 2005)
- Oracle (as of version 9)
- DB2 (minimum version 8.2.2 – Fixpack 9)

Database drivers
- JDBC driver (for the database used)
- ODBC driver (Microsoft Windows OS)

Application server (parameter definition)
Minimal requirements:
- Pentium 4, min. 2.4 GHz or comparable
- 1 GB hard disk
- 2 GB RAM
Recommended:
- Current multi-core CPU (e.g. Intel Core i7 or AMD Opteron K10), since several cores are used in multi-user operation
Supported operating systems:
- Windows: Windows Server, version 2003 and above (32-bit and 64-bit)
- SUSE Linux Enterprise, as of version 9 (32-bit and 64-bit)
- Red Hat Enterprise, as of version 5.4 (32-bit and 64-bit)
- Solaris 10 SPARC

Application server (scoring run)
Minimal requirements:
- Pentium 4, min. 2.4 GHz or comparable
- 2 GB RAM
- 10 GB hard disk[3]
Recommended:
- Multi-core CPU (e.g. Intel Core i7 or AMD Opteron K10), since several cores are used in multi-instance operation
- Apache Tomcat, as of version 6.0
- Java Development Kit (JDK), as of version 5.0
Supported application servers:
- Apache Tomcat as of version 5.5 (provided on DVD)
- IBM WebSphere
- BEA WebLogic
- Oracle Application Server
Supported operating systems:
- Windows: Windows Server, as of version 2003 (32-bit and 64-bit)
- SUSE Linux Enterprise, as of version 9 (32-bit and 64-bit)
- Red Hat Enterprise, as of version 5.4 (32-bit and 64-bit)
- AIX 5.3 and 6.1
- Solaris 10 SPARC

[3] The disk space initially required for the database can be calculated as follows: data area (100 MB per 100,000 persons to be checked) and log area (25 MB per 100,000 persons to be checked). Application server supporting at least Java 2 Platform Enterprise Edition (J2EE), version 1.3, e.g. Apache Tomcat, as of version 5.5. Java Development Kit (JDK), as of version 5.0.

Note: the minimum versions listed reflect the 2010 publication date of this whitepaper and have since reached end of support; a current deployment should use vendor-supported versions of the database, application server, JDK and operating system.
4. Integration Scenarios<br />
Whitepaper | <strong>Keep</strong> <strong>Money</strong> <strong>Laundering</strong> <strong>and</strong> <strong>Fraud</strong> <strong>out</strong> -<br />
Know your Customer (KYC)<br />
Siron ® KYC can be used in 3 different ways depending on the features <strong>and</strong> capabilities of the current<br />
existing customer acceptance system of the bank. See down below the 3 potential integration<br />
scenarios <strong>and</strong> when to use which:<br />
Image: Different scenarios who to integrate Siron ® KYC in your existing IT l<strong>and</strong>scape<br />
4.1 Scenario A: Siron ® KYC manages the whole KYC<br />
process<br />
This is the easiest way to use Siron ® KYC. Independent from the core banking’s customer acceptance<br />
process, the user has to call Siron ® KYC’s questionnaire to enter the new customers data. Data will be<br />
checked via KYC-scoring (against PEPs, sanction lists <strong>and</strong> business rules). The entered data <strong>and</strong> the<br />
risk classification will be stored in Siron ® KYCs data base. The user’s instructions displayed to the<br />
frontend user. No integration to the customer acceptance process necessary.<br />
4-34
Whitepaper | <strong>Keep</strong> <strong>Money</strong> <strong>Laundering</strong> <strong>and</strong> <strong>Fraud</strong> <strong>out</strong> -<br />
Know your Customer (KYC)<br />
4.2 Scenario B: Siron® KYC manages PEP & WL screening (web service)
If the bank's existing customer acceptance process already provides a flexible and dynamic questionnaire that captures all data for a new customer, this integration method is used.
The customer acceptance officer does not see Siron® KYC's dynamic questionnaire, because all data is entered in the existing customer acceptance system. From that system, Siron® KYC is called via a web service to perform all necessary checks (against PEPs, sanction lists and business rules). The new customer's risk classification is stored in Siron® KYC's database, and the risk classification and the instructions for the user are returned to the customer acceptance system (as the return value of the web service call).
4.3 Scenario C: KYC questionnaire is called via URL
This scenario is for banks with a powerful customer acceptance system that covers most, but not all, of the questions to be asked of a new customer.
Some answers are entered in the existing customer acceptance system. At a certain stage, the customer acceptance system calls Siron® KYC via a web address (a URL) and passes on all data entered so far as parameters. Under that web address, the remaining dynamic questions are displayed and completed in Siron® KYC's dynamic questionnaire.
All entered data and the risk classification are stored in Siron® KYC's database, and the instructions are passed on to the frontend user.
4.4 Special topic: Handling of Customer Number
In many cases the customer number is not yet known during customer acceptance. For these situations, Siron® KYC is able to generate an artificial customer number.
When the "real" customer number is later assigned by the core banking system or the customer acceptance system, Siron® KYC can be called via a web service to replace the artificial customer number with the real one (within Siron® KYC's database).
4.5 Batch Check: Data Requirements
Siron® KYC does not only handle the customer acceptance process. It also allows the complete existing customer stock to be checked against PEP data and against sanction lists.
For that purpose, the generic standard data interface for customer data of Siron® Financial Solutions can be used. The interface for customer data contains all data necessary to know the customer (e.g. name, address, profession, nationality and much more).
If there is data which is not part of the standard data interface, Siron® KYC also provides a generic interface through which the bank can add any individual data for the customer that has to be checked.
Hint
Further information: See the Siron® KYC system documentation on the generic standard data interface of Siron® KYC.
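The screening step that scenarios A to C hand to Siron® KYC (checks against PEPs, sanction lists and business rules, returning a risk classification and an instruction for the frontend user) and the batch check over the existing customer stock from section 4.5, as an added Python example. It is not Siron® KYC code and the page documents no interface for it: the list entries and customer records are constructed, and the 0.85 threshold, the risk classes LOW/MEDIUM/HIGH, the instruction texts, the birth-year cross-check and the high-risk-country rule are assumptions chosen for illustration.

```python
"""Toy KYC screening step: fuzzy name check of a customer record against constructed
PEP and sanction lists plus one business rule, returning the risk classification and
the instruction for the frontend user. Added illustration, not Siron KYC code."""
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample list entries (placeholder names, not real persons).
PEP_LIST = [
    {"name": "Maria Fernanda Castillo", "birth_year": 1962},
    {"name": "Jonathan P. Whitford", "birth_year": 1955},
]
SANCTION_LIST = [
    {"name": "Viktor Antonovich Morozov", "birth_year": 1970},
    {"name": "Global Trade Holdings Ltd", "birth_year": None},
]
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder country codes for the business rule
MATCH_THRESHOLD = 0.85              # assumed tuning value; real deployments calibrate it
# Assumed risk classes and user instructions, keyed by the reason that fired.
INSTRUCTIONS = {
    "SANCTION": ("HIGH", "Possible sanction list match: do not open the account; escalate to compliance for manual review."),
    "PEP": ("HIGH", "PEP match: enhanced due diligence and approval under the 4-eyes principle required."),
    "COUNTRY": ("MEDIUM", "High-risk country: obtain source-of-funds information before account opening."),
    "NONE": ("LOW", "No list hit: proceed with standard customer due diligence."),
}

def tokens(name):
    """Lower-case, strip accents and punctuation, split into word tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[a-z0-9]+", plain.lower())

def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def token_similarity(x, y):
    return 1.0 - levenshtein(x, y) / max(len(x), len(y))

def name_similarity(a, b):
    """Mean best-token similarity from the shorter name into the longer one, so a
    missing middle name, an extra surname or a spelling variant still scores."""
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return 0.0
    if len(ta) > len(tb):
        ta, tb = tb, ta
    return sum(max(token_similarity(x, y) for y in tb) for x in ta) / len(ta)

@dataclass
class Hit:
    kind: str         # "PEP" or "SANCTION"
    listed_name: str
    score: float
    status: str       # "confirmed", "possible" or "unlikely"

def classify_hit(kind, customer, entry, score):
    """A second attribute (birth year here) separates likely false positives from
    confirmed matches; a name-only match stays 'possible' and goes to manual review."""
    cy, ly = customer.get("birth_year"), entry.get("birth_year")
    status = "possible" if cy is None or ly is None else ("confirmed" if cy == ly else "unlikely")
    return Hit(kind, entry["name"], round(score, 3), status)

def screen_customer(customer, pep_list=PEP_LIST, sanction_list=SANCTION_LIST):
    """Return (risk, instruction, hits) for one customer record."""
    hits = []
    for kind, entries in (("SANCTION", sanction_list), ("PEP", pep_list)):
        for entry in entries:
            score = name_similarity(customer["name"], entry["name"])
            if score >= MATCH_THRESHOLD:
                hits.append(classify_hit(kind, customer, entry, score))
    # 'unlikely' hits stay visible to the compliance officer but do not raise the risk class.
    live = {h.kind for h in hits if h.status != "unlikely"}
    reason = ("SANCTION" if "SANCTION" in live else "PEP" if "PEP" in live
              else "COUNTRY" if customer.get("country") in HIGH_RISK_COUNTRIES else "NONE")
    risk, instruction = INSTRUCTIONS[reason]
    return risk, instruction, hits

def batch_screen(customers, **lists):
    """Batch check of an existing customer stock: customer number -> risk class."""
    return {c["customer_number"]: screen_customer(c, **lists)[0] for c in customers}

if __name__ == "__main__":  # constructed sample run with an artificial customer number
    print(screen_customer({"customer_number": "TMP-0001", "name": "Viktor Morosov", "country": "DE"}))
```

`screen_customer` returns what the web service in scenario B would hand back to the customer acceptance system; `batch_screen` is the shape of the stock-wide check. The fuzzy matching is what the glossary's Fuzzy Search entry describes (spelling variants, missing or extra name parts), and the birth-year cross-check shows why the standard data interface carries more than the name: a name-only score of 1.0 on a common first name plus surname is exactly the false positive the glossary defines, and a second attribute is what keeps such a hit from raising the risk class while leaving it visible for review.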
5. Appendix
5.1 Glossary
2003 FATF Recommendation: In response to mounting concern over money laundering, the Financial Action Task Force on Money Laundering (FATF) has published the Forty Recommendations on money laundering and the 9 Special Recommendations on Terrorist Financing (40+9 Recommendations). Together, the 2003 FATF Recommendations set the international standard for anti-money laundering measures and combating the financing of terrorism.
3rd EU Directive: Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2005:309:0015:01:EN:HTML
4-eyes principle: Actions requiring approval by two persons, each being held accountable.
Alias: A false name used to conceal one's identity.
AML (Anti-Money Laundering): A set of procedures, laws or regulations to stop the practice of generating income through illegal actions. In most cases money launderers hide their actions through a series of steps that make it look like money coming from illegal or unethical sources was earned legitimately.
Bank Secrecy Act: The Bank Secrecy Act of 1970 (or BSA, otherwise known as the Currency and Foreign Transactions Reporting Act) requires financial institutions in the United States to assist U.S. government agencies to detect and prevent money laundering.
Basel Committee on Banking Supervision: The Basel Committee on Banking Supervision is an institution created by the central bank Governors of the Group of Ten nations. The Basel Committee formulates broad supervisory standards and guidelines and recommends statements of best practice in banking supervision in the expectation that member authorities and other nations' authorities will take steps to implement them through their own national systems, whether in statutory form or otherwise.
Beneficial Owner: The natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.
Business Rule: A business rule usually is a statement that defines or constrains some aspect of the business. TONBELLER uses this term for the rules and policies that can be stored within the system. When carefully managed, these business rules can help the organization to, e.g., better comply with legal requirements, reduce costly mistakes and improve communication.
CDD (Customer Due Diligence): Supervisors around the world are increasingly recognising the importance of ensuring that their banks have adequate controls and procedures in place so that they know the customers with whom they are dealing. Adequate due diligence on new and existing customers is a key part of these controls. Without this due diligence, banks can become subject to reputational, operational, legal and concentration risks, which can result in significant financial cost.
CIP (Customer Identification Program): According to provisions of the USA Patriot Act, all financial institutions must verify the identity of individuals wishing to conduct financial transactions. The law was implemented by regulations in 2003 which require financial institutions to develop a Customer Identification Program (CIP) appropriate to the size and type of their business. The CIP must be incorporated into the bank's Bank Secrecy Act/Anti-money laundering compliance program, which is subject to approval by the financial institution's board of directors.
Code of Conduct: A code of conduct is a set of rules outlining the responsibilities of or proper practices for an individual or organization.
CTF (Counter Terrorism Financing): CTF includes the combating of terrorist acts, and of terrorists and terrorist organisations.
Dual Control: See 4-eyes principle.
ECDD (Enhanced Customer Due Diligence): High-risk customers (such as PEPs) must always be subject to enhanced due diligence measures, and thus all companies are required to have risk-sensitive measures in place to recognize and monitor high-risk customers.
False Positive: When a customer is incorrectly flagged as suspicious during AML/CTF monitoring.
Fuzzy Search: A computer search that returns not only exact matches to the search request, but also close matches, including text sequences that have been altered, as well as abbreviations, substitutions, modified writing patterns, deletions, acronyms or foreign translations.
HMT: HM Treasury, in full Her Majesty's Treasury, informally The Treasury, is the United Kingdom government department responsible for developing and executing the British government's public finance policy and economic policy.
Identity Documents: An identity document (also called a piece of identification or ID) is any document which may be used to verify aspects of a person's personal identity.
KYC: KYC is typically a policy implemented to conform to a customer identification program mandated under the Bank Secrecy Act, USA PATRIOT Act and 3rd EU Directive. Know your customer policies are becoming increasingly important globally to prevent identity theft fraud, money laundering and terrorist financing.
Legal Person: Bodies corporate, foundations, partnerships, or associations, or any similar bodies that can establish a permanent customer relationship with a financial institution or otherwise own property.
Natural Person: In jurisprudence, a natural person is a human being, as opposed to an artificial, legal or juristic person, i.e., an organization that the law treats for some purposes as if it were a person distinct from its members or owner.
OFAC: The Office of Foreign Assets Control (OFAC) is an agency of the United States Department of the Treasury under the auspices of the Under Secretary of the Treasury for Terrorism and Financial Intelligence. OFAC administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign states, organizations, and individuals.
PEP (Politically Exposed Persons): Individuals who are or have been entrusted with prominent public functions in a foreign country, for example Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials. Business relationships with family members or close associates of PEPs involve reputational risks similar to those with PEPs themselves. The definition is not intended to cover middle-ranking or more junior individuals in the foregoing categories.
Risk Assessment: Risk assessment is a step in a risk management procedure. Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat.
Sanction list: Lists from authoritative sources such as the Office of Foreign Assets Control (OFAC), the Bank of England, the European Union (EU) and the Office of the Superintendent of Financial Institutions (OSFI) clearly identify high-risk individuals and businesses. These include known terrorists, fraudsters, money launderers and politically exposed persons (PEPs) as well as blacklisted persons, companies or countries.
Sarbanes-Oxley Act: The Sarbanes-Oxley Act was signed into law on 30th July 2002 and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
Shell Companies: A company incorporated in a jurisdiction in which it has no physical presence and which is unaffiliated with a regulated financial group.
USA Patriot Act: The USA Patriot Act ("Patriot Act") is an Act of the U.S. Congress signed into law by President W. Bush on October 26, 2001. The title of the Act is a contrived acronym, which stands for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001": http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf
WL: Watch lists (WL) are non-commercial lists of suspected terrorists and criminals.