AML-2 AML-2 AML/CFT Systems and Controls
AML-2.1 AML-2.1 General Requirements
AML-2.1.1
Capital Market Licensees must implement programmes against money laundering and terrorist financing which establish and maintain appropriate systems and controls for compliance with the requirements of this Module and which limit their vulnerability to financial crime. These systems and controls must be documented and approved and reviewed annually by the Board of theCapital Market Licensees . The documentation, and the Board's review and approval, must be made available upon request to the CBB.Amended: January 2022
Amended: July 2016
Added: October 2010AML-2.1.2
The above systems and controls, and associated documented policies and procedures should cover standards for customer acceptance, on-going monitoring of high-risk accounts, staff training and adequate screening procedures to ensure high standards when hiring employees.
October 2010AML-2.1.3
Capital Market Service Providers must incorporate Key Performance Indicators (KPIs) to ensure compliance with AML/CFT requirements by all staff. The performance against the KPIs must be adequately reflected in their annual performance evaluation and in their remuneration (See also Paragraph HC-10.5.3).Added: April 2020AML-2.1.4
In implementing the policies, procedures and monitoring tools for ensuring compliance with Paragraph AML-2.1.3,
Capital Market Service Providers should consider the following:(a) The business policies and practices should be designed to reduce incentives for staff to expose theCapital Market Service Providers to AML/CFT compliance risk;(b) The performance measures of departments/divisions/units and personnel should include measures to address AML/CFT compliance obligations;(c) AML/CFT compliance breaches and deficiencies should be attributed to the relevant departments/divisions/units and personnel within the organisation as appropriate;(d) Remuneration and bonuses should be adjusted for AML/CFT compliance breaches and deficiencies; and(e) Both quantitative measures and human judgement should play a role in determining any adjustments to the remuneration and bonuses resulting from the above.Added: April 2020AML-2.2 AML-2.2 On-going Customer Due Diligence and Transaction Monitoring
Risk Based Monitoring
AML-2.2.1
Capital Market Licensees must develop risk-based monitoring systems appropriate to the complexity of their business, their number of clients and types of transactions. These systems must be configured to identify significant or abnormal transactions or patterns of activity. Such systems must include limits on the number, types or size of transactions undertaken outside expected norms; and must include limits for cash and non-cash transactions including transactions inaccepted crypto-assets .Amended: January 2022
Amended: January 2020
Added: October 2010AML-2.2.2
Capital Market Licensees risk-based monitoring systems should therefore be configured to help identify:(a) Transactions which do not appear to have a clear purpose or which make no obvious economic sense;(b) Significant or large transactions not consistent with the normal or expected behaviour of a customer; and(c) Unusual patterns of activity (relative to other customers of the same profile or of similar types of transactions, for instance because of differences in terms of volumes, transaction type, or flows to or from certain countries), or activity outside the expected or regular pattern of a customer's account activity.Amended: January 2022
Added: October 2010Automated Transaction Monitoring
AML-2.2.3
Capital Market Licensees must consider the need to include automated transaction monitoring as part of their risk-based monitoring systems to spot abnormal or unusual flow of funds. In the absence of automated transaction monitoring systems, all transactions above BD6,000 must be viewed as 'significant' and be captured in a daily transactions report for monitoring by the MLRO or a relevant delegated official, and records retained by theCapital Market Licensees for five years after the date of the transaction.Amended: January 2022
Added: October 2010AML-2.2.4
The CBB would expect larger
Capital Market Licensees to include automated transaction monitoring as part of their risk-based monitoring systems. See also Chapters AML-3 and AML-6, regarding the responsibilities of the MLRO and record-keeping requirements. Where theCapital Market Licensee is not receiving funds — for instance where it is simply acting as agent on behalf of a principal, and the customer is directly remitting funds to the principal — then theCapital Market Licensee may agree with the principal that the latter should be responsible for the daily monitoring of such transactions.Amended: January 2022
Added: October 2010Unusual Transactions or Customer Behaviour
AML-2.2.5
Where a
Capital Market Licensee's risk-based monitoring systems identify significant or abnormal transactions (as defined in paragraph AML-2.2.2 and rule AML-2.2.3), it must verify the source of funds for those transactions, particularly where the transactions are above the transactions threshold of BD6,000. Furthermore,Capital Market Licensees must examine the background and purpose to those transactions and document their findings. In the case of one-off transactions where there is no ongoing account relationship, theCapital Market Licensees must file a Suspicious Transaction Report (STR) if it is unable to verify the source of funds to its satisfaction (see Chapter AML-4).Amended: January 2022
Added: October 2010AML-2.2.6
The investigations required under rule AML-2.2.5 must be carried out by the MLRO (or relevant delegated official). The documents relating to these findings must be maintained for five years from the date when the transaction was completed (see also rule AML-6.1.1 (b)).
October 2010AML-2.2.7
Capital Market Licensees must consider instances where there is a significant, unexpected or unexplained change in customer activity.Amended: January 2022
Added: October 2010AML-2.2.8
When an existing customer closes one account and opens another, the
Capital Market Licensees must review its customer identity information and update its records accordingly. Where the information available falls short of the requirements contained in Chapter AML-1, the missing or out-of-date information must be obtained and re-verified with the customer.Amended: January 2022
Added: October 2010AML-2.2.9
Once identification procedures have been satisfactorily completed and, as long as records concerning the customer are maintained in line with Chapters AML-1 and AML-6, no further evidence of identity is needed when transactions are subsequently undertaken within the expected level and type of activity for that customer, provided reasonably regular contact has been maintained between the parties and no doubts have arisen as to the customer's identity.
October 2010Ongoing Monitoring
AML-2.2.10
Capital Market Licensees must take reasonable steps to:(a) Scrutinize transactions undertaken throughout the course of that relationship to ensure that transactions being conducted are consistent with thecapital market licensee 's knowledge of the customer, their business risk and risk profile; and(b) Ensure that they receive and maintain up-to-date and relevant copies of the identification documents specified in Chapter AML-1, by undertaking reviews of existing records, particularly for higher risk categories of customers.Capital Market Licensees must require all customers to provide up-to-date identification documents in their standard terms and conditions of business.Amended: January 2022
Amended: October 2017
Added: October 2010AML-2.2.11
Capital Market Licensees must review and update their customer due diligence information at least every three years, particularly for higher risk categories of customers. If, upon performing such a review, copies of identification documents are more than 12 months out-of-date, theCapital Market Licensees must take steps to obtain updated copies as soon as possible.Amended: January 2022
Amended: October 2017
Added: October 2010AML-2.2.12
Capital Market Licensees must in addition to rules AML-2.2.10 and AML-2.2.11, maintain information and documents in respect to client transactions such as date of execution, value of transaction, type ofSecurities and identity of the counterparty.Amended: January 2022
Added: October 2010AML-2A AML-2A: Money Transfers and Accepted Crypto-asset Transfers
AML-2A.1 AML-2A.1 Applicability and CBB’s Approach to Transfer of Accepted Crypto-assets
AML-2A.1.1
The requirements of this Section, AML-2A.1, applies to
Capital Market Licensees (includingCrypto-asset licensees as well as third party service providers) if they act as anordering financial institution ,intermediary financial institution orbeneficiary financial institution .Amended: January 2022
Added: January 2020AML-2A.1.2
A third party service provider that provides
accepted crypto-asset transfers and/or electronic transfer of funds (wire transfer) on behalf of aCapital Market Licensee , irrespective of whether the third-party service provider is licensed by the CBB or not, must comply with the requirements of Paragraph AML-2A.1. ACapital Market Licensee is ultimately responsible for the functioning and activities of the third-party service provider and must ensure that the third party service provider meets all regulatory obligations as specified in this Section.Amended: January 2022
Added: January 2020CBB’s Approach to Transfer of Accepted Crypto-assets
AML-2A.1.3
As with financial payment methods,
accepted crypto-assets can be used to quickly move (transfer) funds globally and to facilitate a range of financial activities. Similar to mobile or internet based payment services and mechanism,accepted crypto-assets can be used to transfer funds in a wide geographical area with a large number of counterparties.Added: January 2020AML-2A.1.4
The CBB considers transactions involving transfer of
accepted crypto-assets as functionally analogous to wire transfer. Therefore,Capital Market Licensees (includingcrypto-asset licensees ), whenever their transaction, whether in fiat currency oraccepted crypto-assets , involves (i) a traditional wire transfer, or (ii) anaccepted crypto-asset transfer, must comply with the requirements of Paragraph AML-2A.2 unless stated otherwise.Amended: January 2022
Added: January 2020AML-2A.2 AML-2A.2 Transfer of Accepted Crypto-assets and Wire Transfer
Accepted Crypto-asset Transfer to be Considered as Cross Border Transfer
AML-2A.2.1
Capital Market Licensees (includingcrypto-asset licensees ) must consider all transfers ofaccepted crypto-assets as cross-border transfer rather than domestic transfer.Amended: January 2022
Added: January 2020Outward Transfers
AML-2A.2.2
Capital Market Licensees must include all requiredoriginator information and requiredbeneficiary information details with the accompanying transfer ofaccepted crypto-assets and/or wire transfer of funds they make on behalf of their customers.Amended: January 2022
Added: January 2020AML-2A.2.3
For purposes of this Section,
originator information refers to the information listed in Subparagraphs AML-2A.2.7 (a) to (c) and beneficiary information refers to the information listed in Subparagraphs AML-2A.2.7 (d) and (e).Added: January 2020Inward Transfers
AML-2A.2.4
Capital Market Licensees must:(a) Maintain records (in accordance with Chapter AML-6 of this Module) of alloriginators information received with an inward transfer; and(b) Carefully scrutinize inward transfers which do not containoriginator information (i.e. full name, address and account number or a unique customer identification number).Capital Market Licensees must presume that such transfers are ‘suspicious transactions’ and pass them to the MLRO for review for determination as to possible filing of STR, unless (i) theordering financial institution is able to promptly (i.e. within two business days) advise thelicensee in writing of the originator information upon thelicensee’s request (Refer to Paragraph AML-2A.2.5); or (ii) theordering financial institution and the licensee are acting on their own behalf (as principal).Amended: January 2022
Added: January 2020AML-2A.2.5
The period of 2 business days provided to
ordering financial institution by theCapital Market Licensees under Paragraph AML-2A.2.4(b)(i) to furnish theoriginator information is only applicable while undertaking fund transfer (traditional wire transfer) and must not be used in case of transfer ofaccepted crypto-assets .Amended: January 2022
Added: January 2020AML-2A.2.6
While undertaking accepted crypto-asset transfer, a
Capital Market Licensees must ensure that theordering financial institution transmits theoriginator andbeneficiary information immediately (Refer to Paragraph AML-2A.2.9).Amended: January 2022
Added: January 2020Accepted Crypto-asset Transfer and Cross Border Wire Transfer
AML-2A.2.7
Information accompanying all
accepted crypto-asset transfer as well as wire transfer must always contain:(a) The name of theoriginator ;(b) The originator account number (e.g. IBAN or crypto-asset wallet) where such an account is used to process the transaction;(c) The originator’s address, or national identity number, or customer identification number, or date and place of birth;(d) The name of thebeneficiary ; and(e) The beneficiary account number (e.g. IBAN or crypto-asset wallet) where such an account is used to process the transaction.Added: January 2020AML-2A.2.8
Where a
Capital Market Licensees undertakes a transfer ofaccepted crypto-asset , it is not necessary for the information referred to in Paragraph AML-2A.2.7 to be attached directly to theaccepted crypto-asset transfers itself. The information can be submitted either directly or indirectly.Amended: January 2022
Added: January 2020AML-2A.2.9
A
Capital Market Licensee while undertaking transfer ofaccepted crypto-asset must ensure that the requiredoriginator andbeneficiary information is transmitted immediately and securely.Amended: January 2022
Added: January 2020AML-2A.2.10
For the purposes of Paragraph AML-2A.2.9, “Securely” means that the provider of the information must protect it from unauthorized disclosure as well as ensure that the integrity and availability of the required information is maintained so as to facilitate recordkeeping and the use of such information by
financial institution . The term “immediately” means that the provider of the information must submit the required information simultaneously or concurrently with the transfer itself of theaccepted crypto-asset .Added: January 2020AML-2A.2.11
The CBB recognises that unlike traditional fiat currency wire transfer, not every
accepted crypto-asset transfer involves (or is bookended by) two institutions (crypto-asset entities or financial institution). In instances in which anaccepted crypto-asset transfer involves only one financial institution on either end of the transfer (e.g. when anordering financial institution sendsaccepted crypto-assets on behalf of its customers, theoriginator , to abeneficiary that is not a customer of abeneficiary financial institution but rather an individual user who receives theaccepted crypto-asset transfer using his/her own distributed ledger technology (DLT) software, such as an unhosted wallet), the financial institution must still ensure adherence to Paragraph AML-2A.2.7 for their customer. The CBB does not expect that financial institutions, when originating anaccepted crypto-asset transfer, would submit the required information to individual users who are not financial institutions. However, financial institutions receiving anaccepted crypto-asset transfer from an entity that is not a financial institution (e.g. from an individual accepted crypto-asset user using his/her own DLT software, such as an unhosted wallet), must obtain the required originator information from their customer.Added: January 2020Domestic Wire Transfer
AML-2A.2.12
Information accompanying domestic wire transfers must also include
originator information as indicated for cross-border wire transfers, unless this information can be made available to thebeneficiary financial institution and the CBB by other means. In this latter case, theordering financial institution need only include the account number or a unique transaction reference number, provided that this number or identifier will permit the transaction to be traced back to theoriginator or thebeneficiary .Added: January 2020AML-2A.2.13
For purposes of Paragraph AML-2A.2.12, the information should be made available by the
ordering financial institution within three business days of receiving the request either from thebeneficiary financial institution or from the CBB.Added: January 2020AML-2A.2.14
It is not necessary for the recipient institution to pass the originator information on to the
beneficiary . The obligation is discharged simply by notifying thebeneficiary financial institution of the originator information at the time the transfer is made.Added: January 2020Responsibilities of Ordering, Intermediary and Beneficiary Financial Institutions
Ordering Financial Institution
AML-2A.2.15
The
ordering financial institution must ensure that wire transfers as well asaccepted crypto-asset transfers contain required and accurate originator information, and requiredbeneficiary information.Added: January 2020AML-2A.2.16
The
ordering financial institution must maintain alloriginator andbeneficiary information collected in accordance with Paragraph AML-6.1.1.Added: January 2020AML-2A.2.17
The
ordering financial institution must not execute the wire transfer oraccepted crypto-asset transfer if it does not comply with the requirements of Paragraphs AML-2A.2.15 and AML-2A.2.16.Added: January 2020Intermediary Financial Institutions
AML-2A.2.18
For cross-border wire transfers and
accepted crypto-asset transfers, financial institutions processing an intermediary element of such chains of wire transfers and/oraccepted crypto-asset transfers must ensure that alloriginator andbeneficiary information that accompanies a wire transfer andaccepted crypto-asset transfer is retained with it.Added: January 2020AML-2A.2.19
Where technical limitations prevent the required
originator orbeneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, a record must be kept, for at least five years, by the receiving intermediary institution of all the information received from theordering financial institution or anotherintermediary financial institution .Added: January 2020AML-2A.2.20
An
intermediary financial institution must take reasonable measures to identify cross-border wire transfers andaccepted crypto-asset transfer that lack requiredoriginator information or requiredbeneficiary information.Added: January 2020AML-2A.2.21
An
intermediary financial institution must have effective risk-based policies and procedures for determining:(a) When to execute, reject, or suspend a traditional wire transfer lacking requiredoriginator or requiredbeneficiary information; and(b) The appropriate follow-up action.Added: January 2020Beneficiary Financial Institution
AML-2A.2.22
A
beneficiary financial institution must take reasonable measures to identify cross-border wire transfers as well asaccepted crypto-asset transfer that lack requiredoriginator or requiredbeneficiary information. Such measures may include post-event monitoring or real-time monitoring where feasible.Added: January 2020AML-2A.2.23
For wire transfers as well as
accepted crypto-asset transfer, abeneficiary financial institution must verify the identity of thebeneficiary , if the identity has not been previously verified, and maintain this information in accordance with Paragraph AML-6.1.1.Added: January 2020AML-2A.2.24
A
beneficiary financial institution must have effective risk-based policies and procedures for determining:(a) When to execute, reject, or suspend a traditional wire transfer lacking requiredoriginator or requiredbeneficiary information; and(b) The appropriate follow-up action.Added: January 2020