Applying the FATF International standards to Mobile...

Workshop on AntiWorkshop on Anti--Money Laundering and Combating the Money Laundering and Combating the Financing of Terrorism (AML/CFT)Financing of Terrorism (AML/CFT)

for Mobile Phone Financial Services (mfor Mobile Phone Financial Services (m--FS) FS)

Bangkok, Thailand, June 24Bangkok, Thailand, June 24--26, 200826, 2008

ApplyingApplying the FATF International the FATF International standards to Mobile Phone Financial standards to Mobile Phone Financial

ServicesServices

By PierreBy Pierre--Laurent Laurent ChatainChatainWorld BankWorld Bank

PDF created with pdfFactory Pro trial version www.pdffactory.com

http://www.pdffactory.com

Objectives of the Objectives of the presentationpresentation

II-- ObservedObserved Mitigation Mitigation responsesresponses and and theirtheirconsistencyconsistency withwith FATF FATF RecommendationsRecommendations

IIII-- Application of AML/CFT standards to All Application of AML/CFT standards to All mobile phone mobile phone financialfinancial services providersservices providers

IIIIII--Conclusion Conclusion



ObservedObserved mitigation mitigation responsesresponses and and theirtheirconsistencyconsistency withwith AML/CFT AML/CFT requirementsrequirements::

lessonslessons learnedlearned

MM--FS providers are applying measures to FS providers are applying measures to reduce risks within all jurisdictions visitedreduce risks within all jurisdictions visited

Mitigation practices are motivated by commercial Mitigation practices are motivated by commercial interest (managing fraud, credit, reputation and interest (managing fraud, credit, reputation and other risks)other risks)

Mitigation practices still reduce ML and TF Mitigation practices still reduce ML and TF abuseabuse



The different practices: how they meet the The different practices: how they meet the preventive requirementspreventive requirements

Licensing and registration processLicensing and registration processCustomer identificationCustomer identificationRecord KeepingRecord KeepingInternal control and monitoringInternal control and monitoringGuidelinesGuidelinesReporting obligationsReporting obligationsSupervision and oversightSupervision and oversightStaff trainingStaff training



Licensing and Registration ProcessLicensing and Registration Process

There is a common consensus that mThere is a common consensus that m--FS need to be FS need to be developed in a suitable regulatory environment developed in a suitable regulatory environment (Licensing and Registration)(Licensing and Registration)

Licensing and registration are key to preventing criminals Licensing and registration are key to preventing criminals from controlling an mfrom controlling an m--FS providerFS provider

FATF rec. # 23 and SR VI stress the need to have FATF rec. # 23 and SR VI stress the need to have proper licensing processes for proper licensing processes for FIsFIs

Procedures to ensure that mProcedures to ensure that m--FS providers, mainly FS providers, mainly TelCosTelCos, are acting with proper authorization and are , are acting with proper authorization and are subject to prudent regulatory rules (AML and CFT) were subject to prudent regulatory rules (AML and CFT) were observed in many of the jurisdictions visited. observed in many of the jurisdictions visited.



Licensing and Registration ProcessLicensing and Registration ProcessCountry casesCountry cases

MalaysiaMalaysia: Maxis is regulated not only as a Telco and an E: Maxis is regulated not only as a Telco and an E--money money issuer but also as a RSP issuer but also as a RSP ⇒⇒ subject to AML/CFT law and to the subject to AML/CFT law and to the Central Bank (BNM) ongoing supervisionCentral Bank (BNM) ongoing supervision

KoreaKorea: A Telco providing e: A Telco providing e--money services has to be licensed as a money services has to be licensed as a creditcredit--specialized financial institutionspecialized financial institution

MacaoMacao: A Telco providing financial services must be regulated by : A Telco providing financial services must be regulated by the Macao Monetary Authority and is subject to AML/CFT law (the Macao Monetary Authority and is subject to AML/CFT law (e.ge.gCTM and Bank of China)CTM and Bank of China)

PhilippinesPhilippines: G: G--XchangeXchange was granted a license to operate as an RSPwas granted a license to operate as an RSP

South AfricaSouth Africa: All m: All m--FS providers must hold a banking license and as FS providers must hold a banking license and as such, comply with Central Banksuch, comply with Central Bank’’s standards.s standards.



Customer IdentificationCustomer Identification

The primary ML/TF risk related to MThe primary ML/TF risk related to M--FS (mFS (m--BSA and mBSA and m--Payment) is Payment) is anonymityanonymity

mm--FS providers (mFS providers (m--BSA) acquire new clients by opening accounts BSA) acquire new clients by opening accounts without the customer physical presence at a branch.without the customer physical presence at a branch.

The risk of anonymity is sometimes even greater when there is noThe risk of anonymity is sometimes even greater when there is nofaceface--toto--face relationship between the customer and the mface relationship between the customer and the m--FS FS provider provider

Unauthorized users may obtain access to mUnauthorized users may obtain access to m--BSA and conduct illicit BSA and conduct illicit transactions.transactions.

ML/TF risks may also materialize during or after client acquisitML/TF risks may also materialize during or after client acquisition ion due to the lack of ondue to the lack of on--going transaction monitoringgoing transaction monitoring

These risks however do not seem more prevalent in MThese risks however do not seem more prevalent in M--fsfs than other than other channels (e.g. Internet banking)channels (e.g. Internet banking)




According to FATF rec.#5, service providers that transfer According to FATF rec.#5, service providers that transfer money or value should take CDD/KYC measures by money or value should take CDD/KYC measures by identifyingidentifying the the customer and verifying the customercustomer and verifying the customer’’s s identityidentity

FATF FATF RecRec #8 specifically address the ML and TF risks #8 specifically address the ML and TF risks associated with new payment methods favoring anonymity associated with new payment methods favoring anonymity like mlike m--FS:FS:

““Financial Institutions [banks and nonFinancial Institutions [banks and non--banks] should pay banks] should pay special attention to any money launderingspecial attention to any money laundering threats that may threats that may arise from new or developing technologies that might favor arise from new or developing technologies that might favor anonymity, and take measures, if needed, to prevent their anonymity, and take measures, if needed, to prevent their use in money laundering schemeuse in money laundering scheme””




Several examples of risk mitigation practices in the jurisdictioSeveral examples of risk mitigation practices in the jurisdictions visited ns visited reflect the FATF Recommendations:reflect the FATF Recommendations:

Korea: Korea:

►►A customer needs to hold a bank account, A customer needs to hold a bank account, ►► come in person to a bank branch, come in person to a bank branch, ►► provide identification, and fill in a form (including details provide identification, and fill in a form (including details

of predefined accounts to transfer money) to receive an of predefined accounts to transfer money) to receive an ee--banking ID and password. banking ID and password.

►► A letter is then issued by the bank so that the customer A letter is then issued by the bank so that the customer can obtain the SIM from the can obtain the SIM from the TelCoTelCo. .

►► Service is available only to postService is available only to post--paid individual paid individual subscribers, not corporate clientssubscribers, not corporate clients

►► A foreign citizen is required to present a valid passport.A foreign citizen is required to present a valid passport.►► A copy of the letter is retained by the A copy of the letter is retained by the TelCoTelCo for billing for billing

purposes.purposes.




Philippines: Philippines:

►► Customers using GCustomers using G--CashCash need to register via their need to register via their mobile phones or the Internet. However, they may not mobile phones or the Internet. However, they may not deposit or withdraw funds until undergoing facedeposit or withdraw funds until undergoing face--toto--face face CDD, which can take place at a retail shop, an CDD, which can take place at a retail shop, an accredited business partner, or a partner bank.accredited business partner, or a partner bank.

Hong Kong SAR of China:Hong Kong SAR of China:

►► customers willing to use the mobile remittance service customers willing to use the mobile remittance service need to register their SIM card faceneed to register their SIM card face--toto--face with the face with the mobile phone operators. mobile phone operators.

►► Subscribers are required to present their national ID, Subscribers are required to present their national ID, which is equipped with security features and a chip with which is equipped with security features and a chip with biometric information. biometric information.




South Africa:South Africa:

►► allows nonallows non--faceface--toto--face customer acquisition face customer acquisition but requires that the mbut requires that the m--FS provider find other FS provider find other means to verify identity such as backmeans to verify identity such as back--checking checking customer information with a thirdcustomer information with a third--party database. party database.

Macao SAR of China :Macao SAR of China :

►► the introduction of the new electronic national the introduction of the new electronic national ID has strengthened the identification process. ID has strengthened the identification process.



Record KeepingRecord Keeping

FATF Recommendation 10FATF Recommendation 10 requires financial institutions requires financial institutions to maintain all necessary records on domestic and to maintain all necessary records on domestic and international transactions for at least five years following international transactions for at least five years following the completion of the transaction the completion of the transaction

mm--FS providers keep customer activity recordsFS providers keep customer activity records(Customer Detailed Records(Customer Detailed Records-- CDRsCDRs) similar to banks, ) similar to banks, payment system providers and payment system providers and RSPsRSPs. .

CDRsCDRs contain data related to a mobile operatorcontain data related to a mobile operator’’s system s system usage and include identification of each mobile callusage and include identification of each mobile call’’s s originating and receiving phone, duration, and other originating and receiving phone, duration, and other informationinformation



Record KeepingRecord Keeping

Malaysia:Malaysia:►► Maxis keeps records of transactions for active Maxis keeps records of transactions for active

customers on an ongoing basis. Once the customers on an ongoing basis. Once the relationship is terminated, the information is relationship is terminated, the information is archived for seven years. archived for seven years.

Hong Kong SAR of China:Hong Kong SAR of China:

►► AML regulations for AML regulations for RSPsRSPs require that records require that records be kept on all transactions over HK$ 8,000. be kept on all transactions over HK$ 8,000. However, transactions below HK$ 8,000 are However, transactions below HK$ 8,000 are recorded in the systems of the mobile RSP.recorded in the systems of the mobile RSP.



Internal controls and MonitoringInternal controls and MonitoringPromoting effective internal controls and monitoring Promoting effective internal controls and monitoring systems is critical for regulators and the industry. systems is critical for regulators and the industry.

FFRegulators and policymakers are tasked with ensuring Regulators and policymakers are tasked with ensuring that mthat m--FS is safe from abuse in order to facilitate FS is safe from abuse in order to facilitate acceptance by the general public. acceptance by the general public.

FF For the industry, robust internal surveillance For the industry, robust internal surveillance mechanisms are critical to protecting their business and mechanisms are critical to protecting their business and reputation, and to building confidence among customers.reputation, and to building confidence among customers.

FF FATF Rec.# 15 clearly requires financial institutions FATF Rec.# 15 clearly requires financial institutions (banks and non(banks and non--banks) to develop AML and CFT banks) to develop AML and CFT programsprograms



Internal controls and MonitoringInternal controls and Monitoring

Korea: Moneta Cash case (SK Telecom)Korea: Moneta Cash case (SK Telecom)

ØØ a closeda closed--settlement subscriber system allowed transfers of funds settlement subscriber system allowed transfers of funds among its subscribers, who rapidly expanded to 3 million. among its subscribers, who rapidly expanded to 3 million.

ØØ This service did not go through a bank, and insufficient internaThis service did not go through a bank, and insufficient internal l controls aggravated by a superficial supervisory framework resulcontrols aggravated by a superficial supervisory framework resulted ted in an IT security breach in 2004 in an IT security breach in 2004

ØØ SubscribersSubscribers’’ sensitive information became accessible through the sensitive information became accessible through the Internet and was used by unauthorized users for illicit transactInternet and was used by unauthorized users for illicit transactions ions

ØØ This caused a major setback in the market that led authorities tThis caused a major setback in the market that led authorities to o take prompt actiontake prompt action

ØØ Following this incident, Moneta Cash was discontinued Following this incident, Moneta Cash was discontinued




⇒⇒This case raised discussion about:This case raised discussion about:

--the regulation of privatelythe regulation of privately--owned settlement systems,owned settlement systems,--the need for stringent sanctions, andthe need for stringent sanctions, and--the importance of highthe importance of high--quality IT systems for banks and quality IT systems for banks and other institutions to safeguard electronic customer other institutions to safeguard electronic customer records and transactions.records and transactions.

⇒⇒ Following data leaks, eFollowing data leaks, e--finance regulations have become finance regulations have become more riskmore risk--sensitive insensitive in Korea.Korea.

⇒⇒After the Moneta Cash experience, Korea introduced new After the Moneta Cash experience, Korea introduced new ee--regulations that recognized the inherent ML and TF regulations that recognized the inherent ML and TF risks related to mrisks related to m--FSFS




MacaoMacao::

►► mm--FS transfers outside of the same bank or abroad FS transfers outside of the same bank or abroad are not permittedare not permitted

►► accounts need to be preaccounts need to be pre--registered with the bank and registered with the bank and initiated by faceinitiated by face--toto--face contact before making transfers.face contact before making transfers.

Philippines:Philippines:

►► Providers impose limits on the amount of mProviders impose limits on the amount of m--FS FS transactions to reduce ML risks.transactions to reduce ML risks.




Malaysia:Malaysia:

►► MaybankMaybank, an m, an m--FS provider, has a FS provider, has a specialized group dedicated to risk management specialized group dedicated to risk management in electronic products in electronic products

►► The group plays an active role in developing The group plays an active role in developing new products and monitors automated controls new products and monitors automated controls for fraud and ML detection in this new channel.for fraud and ML detection in this new channel.



GuidelinesGuidelinesFATF Rec. # 25 requires competent authorities to establish FATF Rec. # 25 requires competent authorities to establish guidelines that will assist financial institutions to implement guidelines that will assist financial institutions to implement and comply with their AML and CFT obligations.and comply with their AML and CFT obligations.

At a minimum, the guidelines should give assistance on issues At a minimum, the guidelines should give assistance on issues covered under the relevant FATF Recommendations including:covered under the relevant FATF Recommendations including:

FFa description of ML and TF techniques and methods and,a description of ML and TF techniques and methods and,

FF any additional methods that these institutions could take to any additional methods that these institutions could take to ensure that their AML and CFT measures are effectiveensure that their AML and CFT measures are effective

Few of the jurisdictions visited had issued guidelines to Few of the jurisdictions visited had issued guidelines to specifically address ML and TF issues.specifically address ML and TF issues.



GuidelinesGuidelinesHong Kong:Hong Kong:

►► HKMA issued supervisory guidelines that are applicable to HKMA issued supervisory guidelines that are applicable to electronic banking services and include inter alia, Internet banelectronic banking services and include inter alia, Internet banking king services, and mobile banking services.services, and mobile banking services.

Korea:Korea:

►► The Financial Supervisory Service issued guidelines to banks The Financial Supervisory Service issued guidelines to banks that offer mthat offer m--BSA services to address IT security and other internal BSA services to address IT security and other internal control matters. control matters.

Macao:Macao:

►► the Monetary Authority of Macao is in the process of drafting the Monetary Authority of Macao is in the process of drafting guidelines on electronic financial services, including mguidelines on electronic financial services, including m--FS, to FS, to emphasize internal risk management practices that allows for emphasize internal risk management practices that allows for service development of the Internet, ATM, phone banking, and mservice development of the Internet, ATM, phone banking, and m--FS FS in a safe environment. in a safe environment.



Reporting ObligationsReporting Obligations

Reporting suspicious transactions or activities is Reporting suspicious transactions or activities is critical to a countrycritical to a country’’s ability to utilize financial s ability to utilize financial information to combat ML and TF and other financial information to combat ML and TF and other financial crimes.crimes.

►►FATF Rec. # 13 stipulates that if a financial institution FATF Rec. # 13 stipulates that if a financial institution suspects or has reasonable grounds to suspect that suspects or has reasonable grounds to suspect that funds are the proceeds of a criminal activity or are funds are the proceeds of a criminal activity or are related to terrorist financing, it should be required to related to terrorist financing, it should be required to report the incident promptly to the countryreport the incident promptly to the country’’s FIU.s FIU.

►► Therefore, reporting obligations are particularly Therefore, reporting obligations are particularly relevant to mrelevant to m--FS because most suspicious activities are FS because most suspicious activities are identified identified exex--postpost..



Reporting ObligationsReporting ObligationsHong Kong:Hong Kong:

TelCosTelCos are reporting entities under the AML and CFT regime. are reporting entities under the AML and CFT regime.

Korea:Korea:

mm--FS providers are also subject to the regime as reporting FS providers are also subject to the regime as reporting institutions to the Korean FIU (institutions to the Korean FIU (KoFIUKoFIU).).

Macao:Macao:

Providers are required to indicate in the STR the channel used, Providers are required to indicate in the STR the channel used, including mincluding m--FS. FS.

Philippines:Philippines:

Reporting of Reporting of STRsSTRs by mby m--FS providers is conducted electronically, FS providers is conducted electronically, and is required for all transactions above 500,000 Pesos (US$ and is required for all transactions above 500,000 Pesos (US$ 11,200) 11,200)



Supervision and oversightSupervision and oversight

FFFATF Rec. # 23 stresses the need for all providers of FATF Rec. # 23 stresses the need for all providers of financial services to be subject to adequate regulation financial services to be subject to adequate regulation and supervision and supervision

FF ““at a minimum, businesses providing a service of at a minimum, businesses providing a service of money or value transfer (money or value transfer (……) should be licensed or ) should be licensed or registered, and subject to effective systems for registered, and subject to effective systems for monitoring and ensuring compliance with national monitoring and ensuring compliance with national requirements to combat ML and TFrequirements to combat ML and TF””

FF Although the Recommendation does not specifically Although the Recommendation does not specifically mention mmention m--FS, mFS, m--FS providers should be monitored FS providers should be monitored because they are enabling value transfersbecause they are enabling value transfers



Supervision and oversightSupervision and oversight

Hong Kong:Hong Kong:

HKMA has set up a specific department to HKMA has set up a specific department to supervise electronic financial servicessupervise electronic financial services

Korea:Korea:

The Financial Supervisory Service checks if The Financial Supervisory Service checks if banks are providing mbanks are providing m--FS safely. FS safely.



Staff TrainingStaff Training

FATF Rec. 15 requires financial institutions to establish ongoinFATF Rec. 15 requires financial institutions to establish ongoing g employee training to ensure that employees are kept informed of employee training to ensure that employees are kept informed of new developments, including information on current methods, new developments, including information on current methods, techniques and trends in ML and TF techniques and trends in ML and TF

►►Philippines:Philippines:

cashingcashing--in or in or --out of funds from a mobile phone is conducted out of funds from a mobile phone is conducted exclusively by licensed partners that must undergo AML and CFT exclusively by licensed partners that must undergo AML and CFT training delivered directly by the Philippine FIU staff. Such trtraining delivered directly by the Philippine FIU staff. Such training aining allows for a reasonable level of trust in the conduct of KYC allows for a reasonable level of trust in the conduct of KYC procedures at the counter. procedures at the counter.

►► South Africa:South Africa:

agents of agents of WizzitWizzit--Bank of Athens must be trained and certified for Bank of Athens must be trained and certified for AML and CFT. AML and CFT.



IIII-- Application of AML and CFT Standards Application of AML and CFT Standards to All mto All m--FS ProvidersFS Providers

The breakdown of AML and CFT The breakdown of AML and CFT obligations among varying providers is obligations among varying providers is ambiguous ambiguous

All mAll m--FS providers should be classified as FS providers should be classified as FATF financial institutions FATF financial institutions

scope of AML and CFT obligations to be scope of AML and CFT obligations to be applied to applied to TelCosTelCos



The breakdown of AML and CFT obligations The breakdown of AML and CFT obligations among varying providers is ambiguousamong varying providers is ambiguous

►►In some cases like In some cases like mm--fINFOfINFO or mor m--BSA: AML and BSA: AML and CFT obligations fall under the bank responsibility CFT obligations fall under the bank responsibility as the primary and unique mas the primary and unique m--FS providerFS provider

►► For mFor m--Payment or mPayment or m--Money: The line between Money: The line between services offered by financial and services offered by financial and telecommunication providers has become telecommunication providers has become blurred blurred

►► Fieldwork showed that Fieldwork showed that TelCoTelCo AML and CFT AML and CFT obligations are applied unequally in the obligations are applied unequally in the observed jurisdictions.observed jurisdictions.



The breakdown of AML and CFT obligations The breakdown of AML and CFT obligations among varying providers is ambiguousamong varying providers is ambiguous

The majority of The majority of TelCoTelCo mm--FS perform some FS perform some KYC and CDD measures KYC and CDD measures

None are designed specifically to address None are designed specifically to address ML and TF concerns.ML and TF concerns.

There is no consensus on how to There is no consensus on how to implement AML and CFT international implement AML and CFT international standards among the telecom industrystandards among the telecom industry



All mAll m--FS providers should be classified as FATF FS providers should be classified as FATF financial institutionsfinancial institutions

FATF does not contain specific provisions governing FATF does not contain specific provisions governing AML/CFT obligations for AML/CFT obligations for TelcosTelcos

Grounds to believe that Grounds to believe that TelcosTelcos should be subject to should be subject to AML/CFT obligationsAML/CFT obligations

For For mm--fINFOfINFO or mor m--BSA: no ambiguityBSA: no ambiguity

MM--Payment and MPayment and M--Money: ambiguity is lifted by applying Money: ambiguity is lifted by applying the FATF the FATF ““functional definitionfunctional definition””



All mAll m--FS providers should be classified as FATF financial FS providers should be classified as FATF financial institutionsinstitutions

The FATF has established two basic types of institutions The FATF has established two basic types of institutions subject to AML and CFT obligations, financial institutions subject to AML and CFT obligations, financial institutions and and DNFBPsDNFBPs

DNFBPsDNFBPs: (a) Casinos, (b) Real estate agents, (c) : (a) Casinos, (b) Real estate agents, (c) Dealers in precious metal, (d) Dealers in precious Dealers in precious metal, (d) Dealers in precious stones, (e) Lawyers, notaries and other independent stones, (e) Lawyers, notaries and other independent legal professionals and accountants, (f) Trust and legal professionals and accountants, (f) Trust and Company service providers Company service providers

Financial Institutions: any person or entity who provides Financial Institutions: any person or entity who provides its customers with transfer of money or values services, its customers with transfer of money or values services, or issues and manages means of payment, or issues and manages means of payment, inter aliainter alia, , electronic money. electronic money.



All mAll m--FS providers should be classified as FATF FS providers should be classified as FATF financial institutionsfinancial institutions

FF Three of the identified business models out of four Three of the identified business models out of four consist of a consist of a TelCoTelCo providing customers with a means to providing customers with a means to transfer money (Mtransfer money (M--BSA, MBSA, M--Payment and MPayment and M--Money)Money)

FF The European Union has classified Electronic Money The European Union has classified Electronic Money Institutions (Institutions (ELMIsELMIs) as a sub category of credit ) as a sub category of credit institutions. Electronic money Electronic money can be institutions. Electronic money Electronic money can be considered an electronic surrogate for coins and considered an electronic surrogate for coins and banknotes, stored on an electronic device and is banknotes, stored on an electronic device and is generally intended for the purpose of effecting electronic generally intended for the purpose of effecting electronic payments of limited amounts payments of limited amounts

⇒⇒TelCosTelCos providing mproviding m--FS should be considered as FS should be considered as ““financial institutions,financial institutions,”” as defined by the FATFas defined by the FATF



ConclusionConclusion

FFTelCosTelCos should be classified in the financial should be classified in the financial institution category as defined by the FATF and institution category as defined by the FATF and comply with the same AML/CFT obligationscomply with the same AML/CFT obligations

FF For mFor m--Money and mMoney and m--Payments, a Payments, a TelCoTelCo should be should be legally considered as the primary financial service legally considered as the primary financial service provider, and as such, they should ensure that:provider, and as such, they should ensure that:–– customers are identified, customers are identified, –– such transactions are monitored,such transactions are monitored,–– the service agent is supervised, andthe service agent is supervised, and–– in case of suspicion, the relevant authorities are in case of suspicion, the relevant authorities are

properly informedproperly informed



ConclusionConclusion

FF AML and CFT procedures for mAML and CFT procedures for m--FS FS providers should be designed in proportion providers should be designed in proportion to assessed risks to assessed risks

FF TelCosTelCos should only be responsible for should only be responsible for certain AML and CFT obligations based on certain AML and CFT obligations based on the service provided and their role in the service provided and their role in providing it providing it

FF This approach will also allow policy makers This approach will also allow policy makers and regulators to set the minimum and regulators to set the minimum requirements to apply to requirements to apply to TelCosTelCos



QuestionQuestion



Date post:	08-Mar-2018
Category:	Documents
Upload:	phamquynh
View:	213 times
Download:	0 times

Applying the FATF International standards to Mobile...

Documents