Circular No 303/2020
Dated 17 Sept 2020
To Members of the Malaysian Bar
Guidance Documents Issued by Bank Negara Malaysia
Bank Negara Malaysia (“BNM”) issued, on 1 Sept 2020, three documents as additional
guidelines for Reporting Institutions (“RIs”) when complying with the Anti-Money
Laundering and Countering Financing of Terrorism (“AML/CFT”) requirements, as listed
below:
(1) Guidance on Verification of Individual Customers for Customer Due Diligence
(“CDD”);
(2) Guidance on Beneficial Owner (“BO”);
(3) Frequently Asked Questions on AML/CFT and Targeted Financial Sanctions for
Designated Non-Financial Businesses and Professions & Non-Bank Financial
Institutions.
Please click here (see page 2 onwards) to view the guidance documents.
Should you have any enquiries relating to the guidance documents, please contact the
following BNM Officers:
(a) Amarjit Kaur Paridam Singh (03-2698 8044 ext 8836, [email protected]);
(b) Arni Jailun (03-2698 8493 ext 8152, [email protected]); or
(c) Syaza Nadiah Azmi (03-2698 8044 ext 7401, [email protected]).
Thank you.
A G KALIDAS
Secretary
Malaysian Bar
Date: 1 September 2020
Guidance on Verification of Individual Customers for
Customer Due Diligence
Anti-Money Laundering, Countering Financing of Terrorism and
Targeted Financial Sanctions for Financial Institutions,
Designated Non-Financial Businesses and Professions and Non-Bank Financial
Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs)
Guidance on Verification of Individual Customers for Customer Due Diligence
Page 1 of 17
TABLE OF CONTENTS
Part A: Overview
1.0 Foreword
2.0 Objectives
Part B: Guidance
3.0 CDD: Customer Identification and Verification
4.0 Application of Risk-based Approach
5.0 Reliable and Independent Source of Documents, Information and Data
6.0 Illustration of Application of Risk-based Approach
Part A: Overview
1.0 Foreword
1.1 This Guidance is intended to provide clarification and recommended practices
in relation to identification and verification of the customer due diligence (CDD)
requirements under the Anti-Money Laundering, Countering Financing of
Terrorism and Targeted Financial Sanctions for Financial Institutions,
Designated Non-Financial Businesses and Professions and Non-Bank
Financial Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs) Policy
Documents (hereinafter referred to as Policy Documents).
1.2 The Guidance is not intended to replace any requirements in the
abovementioned Policy Documents. Reporting institutions should not regard
the information in the Guidance as exhaustive nor should it be used as evidence
of compliance.
1.3 Any updates to the Guidance will be notified to the reporting institutions from
time to time. Should there be any need to obtain further clarification or
explanation on the Guidance, enquiries may be mailed to the following
addresses:
(i) For FIs : [email protected]
(ii) For DNFBPs & NBFIs : [email protected]
2.0 Objectives
2.1 An effective CDD is the cornerstone of a robust AML/CFT and TFS program.
The CDD process involves identifying and verifying the identity of customers as
well as understanding the purpose and nature of business relationship.
2.2 The objective of this process is fundamentally to:
(a) prevent reporting institutions from creating anonymous and fictitious
accounts[1]; and
(b) assess the extent of money laundering and terrorism financing (ML/TF)
risks posed by customers and businesses, for the development of
appropriate controls and mitigation that are commensurate with the identified
risks.
[1] Section 16 of the AMLA prohibits RIs from opening or operating an anonymous account or an account which is in a fictitious,
false or incorrect name.
2.3 Identification in the context of CDD refers to the process where reporting
institutions obtain information about customers in accordance with the Policy
Documents.
2.4 Verification refers to the process of confirming the customers’ information
collected at the identification stage against documents, data or information from
reliable sources, independent of the customers.
2.5 Reporting institutions are expected to determine the extent of verification,
depending on the identified ML/TF risks. For example, where there are higher
ML/TF risks, the extent to which information must be verified should expand,
while where ML/TF risks are lower, the verification process may be more simplified.
2.6 This document aims to clarify the definition of customer’s identity, factors to
guide risk-based verification, types of reliable and independent sources of
documents, information and data, as well as suggested risk-based applications
for verification particularly with regard to individual customers, and where
applicable, to beneficial owners.
Part B: Guidance
3.0 CDD: Customer Identification and Verification
3.1 The mandatory components of CDD as outlined in the Policy Documents entail
the following processes:
Paragraph 14 of the Policy Documents on CDD:
Identification of customer, beneficial owner and
whenever applicable, person conducting
transaction
Objective: To enable reporting institutions to
distinguish the individual from any other person they
are dealing with and whether the person is acting on
behalf of another.
Verification of the information through reliable and
independent documentation, electronic data or
any other measures deemed necessary
Objective: To ensure that the information about the
individual is accurate and up-to-date.
Understanding the purpose and nature of business
relationship between the reporting institutions and
the customer
Objective: To assess whether the business
relationship is in line with the reporting institutions’
expectation and to provide the reporting institutions
with a meaningful basis for ongoing monitoring.
3.2 Similar verification measures should be adopted for persons conducting
transactions on behalf of a customer.
Customer identification
3.3 Reporting institutions are required to obtain, at minimum, a prescriptive list of
identification information from customers and beneficial owners. However, it
should be noted that the list is non-exhaustive, hence additional information
may be obtained by reporting institutions, based on their risk appetite to
facilitate risk profiling, wherever necessary.
Paragraph 14 of the Policy Documents:
Minimum list of identification information as outlined in the Policy Documents[2]:
Full name;
National Registration Identity Card (NRIC) number or passport number or reference number of any other official documents of the customer or beneficial owner;
Residential or mailing address;
Date of birth;
Nationality;
Occupation;
Name of employer or nature of self-employment or nature of business;
Contact number; and
Purpose of transaction.
Reporting institutions may obtain additional information based on AML/CFT risk appetite.
Example: e-mail address, gender, marital status.
What constitutes ‘identity’?
Identity refers to official identity that is based on
characteristics, attributes or identifiers of a person that
establish the person’s uniqueness in the population,
recognized by the country for regulatory or other official
purposes. The identity of an individual has a number of
principal and fixed aspects, which include given name, date
of birth, official identification number or biometric
characteristics, e.g. facial and thumbprint.
There may also be information that is fluid but is central to
distinguishing the identity of a person from the population,
particularly for persons with common names, including
nationality, residential address, employment and business
career. This information, however, may change over time.[3]
[2] For the financial sector’s reporting institutions, less information may be obtained from customers if they qualify for Simplified CDD under the Policy Documents for FIs, which includes full name, NRIC number or passport number or reference number of any other official documents of the customer or beneficial owner, residential or mailing address, date of birth and nationality. The ‘simplified CDD’ regime is not applicable to DNFBPs.
[3] Refer to paragraph on Electronic Evidence.
Customer Verification
3.4 Reporting institutions should verify information of their customers and beneficial
owners, collected during identification stage or at any point of the business
relationship, as per verification requirements.
3.5 Verification of identity must be based on documents or information obtained
from a reliable source, which is independent of the customer.
Documents, data or information issued or made available by
an official body are to be regarded as being independent of a
person even if they are provided or made available to the
reporting institutions by or on behalf of that person.
Additionally, for electronic or digital data and information, their
reliability and independence would depend on the assurance
levels of the systems or sources in light of ML/TF, fraud, and
other risks including cybersecurity risks[4].
4.0 Application of Risk-Based Approach
4.1 Reporting institutions may adopt a risk-based approach to determine the
manner of performing verification, in ensuring it is satisfactorily completed:
(a) the extent or volume of information collected;
(b) types of reliable document, data and information; and
(c) the manner/technology used.
4.2 In this regard, reporting institutions should take into account any higher risk
circumstances as laid out in the Policy Documents[5], which include, but are not
limited to:
(a) the nature of the product or service sought by customers;
(b) the nature and length of any existing or previous relationship between
customers and the reporting institutions;
(c) the nature and extent of any assurance from other reporting institutions
that may be relied on; and
(d) whether the customer is physically present.
[4] Refer to paragraph on Electronic Evidence.
[5] Please refer to paragraph 10 of the Policy Documents.
4.3 For transactions involving cross-border wire transfer under Paragraph 19.2.1(a)
of the Policy Documents[6], reporting institutions may rely on the residential
address or date of birth obtained and verified during the CDD process or during
on-going CDD, if the reporting institution is satisfied that such information is
up to date.
[6] Applicable to PD for Financial Institutions only.
Beneficial owner
4.4 The verification process for a beneficial owner is different from that for an individual
customer. Although the identity of both customer and beneficial owner must be
verified through an independent and reliable source, reporting institutions are
only expected to take appropriate and reasonable measures so that they are
satisfied with the identity of the beneficial owner, having regard to ML/TF risks
associated with the customer and business relationship.
Recommended Practice for Reasonable Measures include:
Make use of records of beneficial owners in the public domain, ask customers for relevant data, or require evidence of the beneficial owner’s identity, on the basis of documents or information obtained from a reliable source which is independent of the customer.
In low risk situations, it may be reasonable for the reporting institution to confirm the beneficial owner’s identity based on the information supplied by the customer. This may include a declaration confirming and recognizing the identity of the beneficial owner, be it by the customer, trustees or other persons whose identities have been verified.
Framework for the application of risk-based approach
4.5 Reporting institutions should consider incorporating in their AML/CFT risk
management policies and procedures a framework for the application of risk-based
approach with regards to the verification of customers.
Recommended Practice
The framework may include:
a correlation list of the documents, information or data accepted for each risk class.
assessment of the level of integrity, reliability and independence of each document, data or information.
Where appropriate, the level of reliability required may be the result of the combined use of two or more supporting documents.
5.0 Reliable and Independent Sources of Documents, Information and Data
5.1 There is no restriction on the form of evidence to be taken by reporting
institutions in verifying the identity. Reporting institutions may accept either
physical documents, electronic or digital information and data, or a combination
of both.
Documentary evidence
5.2 In the event where reporting institutions use documentary evidence to verify a
person’s identity, reporting institutions are encouraged to sight the original
copies of the documents and retain records of them, in line with record keeping
requirements in the Policy Documents.
5.3 Documents purporting to offer evidence of identity differ in their level of integrity,
reliability and independence and may come from a number of sources as
follows:
(a) Documents issued for the purpose of official identification bearing
photographs and without photographs;
(b) Documents issued by courts, government departments, public sector
bodies, or local authorities;
(c) Bank statements, or credit/debit card statements issued by regulated
financial sector in Malaysia; and
(d) Documents issued by other regulated organizations, for instance a
regulated utility company.
5.4 Reporting institutions are recommended to verify customers’ identity using the
following types of documents which are viewed as offering a high level of
reliability and independence for verification:
Official and valid identification documents issued by
certain government departments with photograph
Features that contribute to reliability:
Primary identification document (ID) that is widely
recognised, used and accepted by government and
private sector in Malaysia as identification,
authentication and authorisation for specific services.
The photograph enables reporting institutions to
conduct visual review to reduce risk of impersonation
and identity theft.
Examples:
ID issued by the National Registration Department
including NRIC, MyTentera, MyPR, and MyKAS.
Passport issued by Immigration Department of
Malaysia.
Driving licence bearing photograph issued by the Road
Transport Department of Malaysia in view of its
interlinkages with NRIC.
5.5 Reporting institutions may also accept official and valid identification documents
issued by certain government departments without photograph. In this instance,
reporting institutions are recommended to increase the level of reliability and
corroborative value of the documents with other additional independent and
reliable documents as set out in paragraph 5.3 above.
Official and valid identification documents issued by
government departments without photograph, with
additional corroborating documents.
Examples: MyKid, birth certificate and pension card.
Features that contribute to reliability:
ID that is recognised by the government and private
sector in Malaysia as identification, authentication and
authorisation for specific services.
Supported by corroborative documents such as –
In case of a child below the age of 12, ID of the
parent/guardian.
Current bank statements issued by banks including
development financial institutions licensed and
incorporated in Malaysia.
Current utility bills for specific duration as determined by
reporting institutions.
Quit rent and assessment notice as issued by state
municipal councils.
5.6 For foreigners, reporting institutions are recommended to accept only official
and valid foreign passport issued by a foreign government, and if applicable, a
visa to enter Malaysia.
In the event where foreigners are unable to produce passport,
such as refugees, reporting institutions should consider:
Keeping records of their assessment on the challenges
and proposed measures to verify the identity of the
customer (at minimum, the name or date of birth).
Accepting as identity evidence a document, letter, or
statement from the United Nations or its agency (for example,
United Nations High Commissioner for Refugees cards)
or an appropriate person who knows the individual, that
indicates that the person is who she/he says she/he is.
5.7 Reporting institutions are advised to refrain from accepting an expired passport
and/or visa, if applicable, at the initial stage of establishing business relationship
with foreign customers.
Recommended Practice
Passport and other international documents should be
valid for a period of at least six (6) months before their expiry
dates at the time of CDD. The validity of these
documents must be monitored as part of the on-going
due diligence process.
5.8 Reporting institutions should take cognizance of the type of documents which
are more easily forged than others.
5.9 Reporting institutions should consider prescribing appropriate measures and
controls that lead to a reasonable conclusion that the documents presented
are not forged or falsified. This includes referring to other regulatory sources as
set out in paragraph 5.15 and additional measures in paragraph 5.16 below:
Examples of Current Practice
Use of NRIC reader
FIs:
Reporting institutions commonly require NRIC for
identification and verification where the card terminal is
used to read biometric (thumbprint) and NRIC
information.
DNFBPs:
Businesses employ the use of NRIC reader that links
the NRIC to its holder via thumbprint to avoid misuse of
NRIC to conduct transactions such as false signing of
legal documents in the client’s capacity. There is also
an initiative at the association level to develop a system
that links details of the customer to the NRIC reader for
verification purpose. This system is being deployed by
the industry players.
Electronic evidence
5.10 Reporting institutions may use electronic or digital data and information to verify
identity, for example digital identity or e-KYC solutions, either on its own or
taken together with documentary evidence.
5.11 Similar to documentary evidence, electronic or digital data and information are
also subject to the reliability and independence test.
5.12 In assessing whether electronic or digital data and information are sufficiently
reliable and independent to prove identity for the purpose of CDD, reporting
institutions are recommended to:
(a) understand the assurance levels of the systems or sources including the
underlying data they relied on, technology, architecture and governance
to determine their reliability and independence;
(b) given the assurance levels, make a risk-based determination of whether
it is appropriately reliable and independent in light of the ML/TF, fraud, and
other risks including cybersecurity risks; and
(c) fulfill requirements as set out in the Electronic Know-Your-Customer (e-KYC)
Policy Document[7].
5.13 Reporting institutions are advised to incorporate within their AML/CFT risk
management policies and procedures information on:
(a) the assessment of factors in paragraph 5.12 above; and
(b) determination whether there is a need for additional measures as
specified in paragraph 5.16 to supplement the use of electronic evidence
in certain circumstances including in higher ML/TF risk situations or by
virtue of reporting institutions’ own AML/CFT, anti-fraud and general risk
management policies.
5.14 Reporting institutions shall document and record their internal assessments to
be made available to supervisors or the competent authority upon request.
5.15 Reporting institutions are encouraged to refer to policy documents or guidance
issued by Bank Negara Malaysia and other standard setting bodies, pertaining
to verification through this means.
Additional verification measures
5.16 Reporting institutions should consider applying additional verification measures
to mitigate the risk of impersonation fraud in circumstances where there is
uncertainty over the customers’ identity. This includes whenever:
(a) copies of original documents are used;
(b) customers are not met face-to-face in the process of establishing
relationship;
(c) there is a need to supplement the use of electronic or digital data and
information for verification; or
(d) there is doubt on the legitimacy and authenticity of the documents
provided by the customer.
[7] BNM/RH/PD 030-10, issued on 30 June 2020.
5.17 The additional verification measures may consist of anti-fraud measures that
the reporting institutions routinely undertake as part of their existing CDD
procedures.
5.18 The following are examples of additional measures, which are non-exhaustive
and should be undertaken in a manner commensurate with the assessed ML/TF risks:
Corroborating copies of original documents with the
National Registration Department database or the
Immigration Department of Malaysia databases,
telecommunication companies, sanctions lists issued by
credible domestic or international sources.
Requiring the first payment to be carried out through an
account in the customer’s name with a bank incorporated
and registered in Malaysia.
Video or conference call with the customer prior to
opening the account and before transactions are
permitted, for the purpose of comparing the physical
identity of a customer with copies of original documents
and to verify additional aspects of identity information
collected during identification stage.
Internet sign-on following verification where the
customer uses security codes, tokens, or passwords,
which have been set up during account opening stage.
Copies of original documents to be certified by an
appropriate person. Appropriate persons refer to
solicitors, police, court officials, medical doctor,
commissioner of oath, notary, or any credible person
authorized to certify documents.
6.0 Illustrations of application of risk-based approach
Verification in ‘normal risk’ cases
6.1 “Normal risk” here refers to all situations that are not recognised as presenting
a high risk or low risk in the context of the individual risk assessment. In this
situation, reporting institutions may consider applying documentary and
electronic data, source and information as set out above, or a combination
thereof.
Recommended practices:
For local customers, reporting institutions commonly
require NRIC for identification and verification, where the
card terminal is used to read biometric (thumbprint) and
NRIC information.
Where residential and NRIC address are different, utility
bills will be required from customers to justify such
mismatch.
Reporting institutions may also require supplementary
documents to justify account-opening purposes
(examples: university admission/ offer letter for student
accounts, employer referral letter for salary accounts,
etc.).
For student accounts, reporting institutions may also
establish a list of learning institutions in demarcating
level of ML/TF risk.
Similar requirements are applied to foreign nationals;
the key difference is that passport and travel visa are
used as the main photo-bearing government-issued
evidence for identity verification purposes.
Verification in ‘higher risk’ cases
6.2 “Higher risk” here refers to circumstances where reporting institutions assess
the ML/TF risks as higher, taking into account risk factors arising from customer,
country or geographic location of customer, type of product, service, transaction
or delivery channel[8].
6.3 In higher risk situations, reporting institutions’ AML/CFT risk management
policies and procedures should consider only authorising the use of the
documents and information that offer the most reliable information, and where
appropriate, require the use of a combination of sources of documents, data
and information, to increase level of reliability and verification performed.
[8] Description of ‘higher risk’ in paragraph 6 of the Policy Documents.
Recommended Practices
Face-to-face verification
Reporting institutions to sight and make copies of valid official
identification documents with photograph, or in the case of a
foreigner, passports/visa.
Non face-to-face (electronic and digital source of data and
information)
Reporting institutions to heighten the assurance levels, by
assessing the necessity to conduct additional verification
measures to supplement verification.
6.4 Reporting institutions should be guided by the list of verification documents,
data or information which are acceptable in higher-risk situations based on a
thorough assessment to demonstrate that their high level of reliability is
appropriate in view of the high level risk and the nature of the ML/TF risk
incurred.
Verification in ‘low risk’ cases
6.5 Where relevant, if the risk assessment has established a case of low ML/TF
risk, and if reporting institutions’ AML/CFT risk management policies and
procedures explicitly specify that simplified due diligence measures can be
applied, or lead to the conclusion that the risk level is low, verification remains
obligatory. However, reporting institutions may develop appropriate and
proportionate measures in their AML/CFT risk management policies and
procedures in view of such lower risks.
6.6 Naturally, all reliable and independent sources of documents and information,
which the reporting institutions have identified as eligible for verifying the
identity of the customer in a normal-risk business relationship, are also
applicable in low-risk situations.
However, although a copy or electronic image of a supporting document is
insufficiently reliable in itself to be accepted for verification, it could be accepted
in certain circumstances where the relationship is subject to strict limitations
and safeguards (e.g. limited features of products and services) that can reduce
ML/TF risks.
As an example, for insurance products assessed as low
risk products, reporting institutions may obtain attestation
from:
Village Head (“ketua kampung”);
Human resource department of the corporate customer
on the identity of insured members of group policies and
board of the corporate entity on the authorized person
representing the company; or
Third party administrator (TPA) or hospital for verification
at claims stage.
6.7 Reporting institutions are expected to include, in their due diligence procedures
and measures, a correlation table of the supporting documents required for
each class of reporting risk, as well as a list of the circumstances in which
certain supporting documents need not be submitted.
OVERVIEW OF CDD PROCESS
[Flowchart; the text recoverable from the chart is listed below.]
IDENTIFICATION
See paragraph 14 of the Policy Document on the information to be obtained from customer/beneficial owner
VERIFICATION
RIs may determine extent of verification using risk-based approach (customer, country/geographical, product/service/transaction or delivery channel risk factors)
MEASURES COMMENSURATE WITH ML/TF RISKS
Face to face or otherwise, documentary or electronic sources of documents, data or information, verification must be reliable, independent from customer
Individual Customer
Official Identity
Documentary evidence:
Official ID issued by the government departments with photograph
OR
Official ID issued by the government departments without photograph, supported with corroborative evidence: Documents issued by court, government departments, local authorities, regulated financial institutions, other RIs, or regulated utility companies
Electronic or digital data:
Understand level of trustworthiness and confidence (assurance) of data sources the providers relied on, technology, processes, governance and other safeguards
Additional verification measures under paragraph 5.16 to 5.18 of this Guidance under these circumstances:
Copy of documentary evidence are used
Customers’ identity verified non face-to-face
Electronic or digital ID verification, if
Beneficial owners
Reasonable measures to verify, may include similar verification as per customer, or lesser having regard to ML/TF risks
Date: 1 September 2020
Guidance on Beneficial Ownership
Anti-Money Laundering, Countering Financing of Terrorism and
Targeted Financial Sanctions for Financial Institutions,
Designated Non-Financial Businesses and Professions and Non-Bank Financial
Institutions (AML/CFT and TFS for FIs, DNFBPs and NBFIs)
Guidance on Beneficial Ownership
Page 1 of 19
TABLE OF CONTENTS
Part A: Overview
1.0 Foreword
2.0 Glossary and terms
Part B: Guidance
3.0 Introduction
4.0 Identification of Beneficial Owner
5.0 Methods to Identify Beneficial Owner
6.0 Verification of Beneficial Owner
7.0 Record Keeping on Beneficial Ownership
8.0 Examples of Identification of Beneficial Owners
Part A: Overview
1.0 Foreword
1.1 This Guidance is intended to provide clarification and recommended best
practices in relation to beneficial ownership obligation under the Anti-Money
Laundering, Countering Financing of Terrorism and Targeted Financial
Sanctions for Financial Institutions, Designated Non-Financial Businesses and
Professions and Non-Bank Financial Institutions (AML/CFT and TFS for FIs,
DNFBPs and NBFIs) Policy Documents.
1.2 The Guidance is not intended to replace any requirements in the
abovementioned Policy Documents. Reporting institutions should not regard the
information in the Guidance as exhaustive nor should it be used as evidence of
compliance.
1.3 Any updates to the Guidance will be notified to reporting institutions from time to
time. Should there be any need to obtain further clarification or explanation on
the Guidance, enquiries may be emailed to the following addresses:
(i) For FIs : [email protected]
(ii) For DNFBPs & NBFIs : [email protected]
2.0 Glossary and Terms
2.1 Below are clarifications of the terms used in this Guidance:
“Policy Document” refers to the Policy Document on AML/CFT and TFS for FIs.
Any corresponding provisions in other parts of the same Policy Document or in
the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs, shall be
reflected in the footnotes.
“Corporate Vehicles” refers to legal persons and legal arrangements.
Part B: Guidance
3.0 Introduction
3.1 Since the early 2000s, there has been growing concern on the misuse of
corporate vehicles for criminal purposes. Criminals have been relying on different
corporate vehicles to conceal their illegal assets by maintaining a legitimate front.
This includes, among others, the usage of shell companies and the creation of
companies, partnerships, foundations, trusts and other types of corporate
vehicles with complex ownership and control structure, to avoid detection by
authorities. The lack of transparency on the ultimate beneficial owners of these
corporate vehicles became a hindrance to governments around the world in their
effort to effectively combat criminal activities.
3.2 In response, the Financial Action Task Force (FATF), an intergovernmental
body responsible for combatting money laundering, terrorism financing and other
related threats, has issued the FATF Recommendations requiring countries to
ensure that adequate, accurate and timely information on the beneficial
ownership of corporate vehicles is available and can be accessed by competent
authorities in a timely fashion. This includes the requirements to identify and
verify beneficial ownership information. Apart from the FATF Recommendations,
the FATF has issued various guidance on this topic including the “Guidance on
Transparency and Beneficial Ownership” and “Best Practices on Beneficial
Ownership for Legal Persons”, in October 2014 and October 2019 respectively.
3.3 As such, the reporting institutions under the Anti-Money Laundering, Anti-
Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA) play
an important role by obtaining beneficial ownership information which helps
prevent the misuse of corporate vehicles in the financial system. Identifying
beneficial owners benefits stakeholders, including:
Reporting institution: Reporting institutions are able to make appropriate assessments on
the level of money laundering and terrorism financing risks
associated with their customers, consequently leading to necessary
decision making on control measures required to contain these risks.
Financial landscape: Ensuring and upholding the integrity of all sectors within the financial
landscape.
Country: Early detection of criminals hiding behind natural persons, legal
persons and legal arrangements facilitates law enforcement’s efforts
and prevents money laundering and terrorism financing activities
from prospering.
3.4 Primarily, the obligations of a reporting institution on beneficial ownership
requirements are:
(a) Identifying a natural person who is the beneficial owner of the customer and
obtaining information that describes the ownership, control and structure of
the legal persons/ legal arrangements relating to the beneficial owner;
(b) Taking reasonable measures to verify the accuracy of the information
obtained and keeping records of all relevant documents;
(c) Conducting customer risk profiling to identify the risk category of the
beneficial owner; and
(d) Performing further regulatory obligations based on the risk category of the
beneficial owner such as CDD, sanction screening and high risk jurisdiction.
4.0 Identification of Beneficial Owner
4.1 Issues concerning beneficial owners having ultimate ownership and exercising
and/or having ultimate control are relevant to the following types of customers:
Legal persons
(a) Private and public companies;
(b) Bodies corporates;
(c) Government-linked companies;
(d) Partnerships;
(e) Foundations;
(f) Cooperatives;
(g) Associations such as clubs and societies; and
(h) Non-governmental organisations such as charities.
Legal arrangements
(a) Trust bodies/arrangement or other similar arrangements
Understanding beneficial ownership in different types of entities
A. Legal persons
In the context of legal persons, the concept of beneficial ownership
must be distinguished from the concepts of legal ownership and
control.
o Legal ownership refers to the natural or legal persons who,
according to the respective laws governing legal persons in
Malaysia (such as the Companies Act 2016 or the Labuan
Companies Act 1990), own the legal person.
o Control refers to the person with decision making ability within the
legal person who has the power to impose those decisions.
o Beneficial owner refers to the natural person who either ultimately
owns, through capital, assets or other means, or has control over
a legal person, be it directly or indirectly. A person who controls a
legal person may or may not have legal ownership per se.
Examples of arrangements within a legal person that may
obscure beneficial ownership information:
(a) Bearer shares and bearer share warrants;
(b) Unrestricted use of legal persons as directors;
(c) Nominee shareholders and directors;
(d) Informal nominee shareholders and directors, such
as close associates and family; and
(e) Use of intermediaries in forming legal persons,
including professional intermediaries.
B. Legal Arrangements
In the context of legal arrangements such as a trust, beneficial owner
refers to the natural person(s), at the end of the chain, who ultimately own
or control the legal arrangement, including those persons who
exercise ultimate effective control over the legal arrangement.
In a trust, the legal title and control of an asset are separated from the
equitable interests in the asset. Hence, different persons might own,
benefit from, and control the trust, depending on the law and the
provisions of the document establishing the trust such as the trust
deed.
How a trust can conceal control of assets
a) created in one jurisdiction and used in another to hold
assets across jurisdictions to disguise the origins of
criminal proceeds.
b) used to enhance anonymity by completely
disconnecting the beneficial owner from the names of
the other parties including the trustee, settlor, protector
or beneficiary.
4.2 To determine the identity of beneficial owners of a customer, reporting institutions
should seek to understand the complexities of the customer’s ownership
structure, governance and/or arrangement at each layer. An entity may have
several beneficial owners, depending on its size and the complexity of its
structure and governance.
4.3 There may be more than one beneficial owner associated with a customer.
Reporting institutions’ regulatory obligations relating to beneficial ownership are
applicable on all the beneficial owners.
4.4 As outlined under Paragraph 6.2 of the Policy Document[1], beneficial owner is
defined as a natural person:
(a) who ultimately owns a customer;
(b) who ultimately controls a customer;
(c) on whose behalf a transaction is being conducted[2]; and/or
(d) who exercises ultimate effective control over a legal person or
arrangement.
Legal persons
4.5 As provided in Paragraph 14A.9.6 of the Policy Document[3], reporting institutions
should identify the beneficial owners of legal persons through the cascading
steps reflected below:
Step 1 Identify the natural person(s), if any, who ultimately have
controlling ownership interest in the legal person
(a) Having ultimate controlling ownership interest over an entity includes
having more than 25% ownership or equity interest in an entity[4] which may
be observed, among others, through share capital or voting rights. The
ownership may either be direct ownership (through ownership of shares
within the entity itself) or indirect ownership (through chain of corporate
vehicles).
Having a golden share within an entity is similar to having ultimate
ownership of the entity, as it refers to 51% ownership.
[1] Corresponding provision in Paragraph 6.2 in the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs.
[2] Such a situation may exist where a transaction conducted by another person is structured in such a manner to deliberately avoid control or ownership transparency by the beneficial owner.
[3] Corresponding provision in Paragraph 14B.11.12, 14C.10.7 and 14D.9.6 of the Policy Document as well as, Paragraph 14.10.6 of the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs.
[4] The requirement on more than 25% ownership threshold for beneficial ownership identification is issued under the AML/CFT Policy Document and should be differentiated with the beneficial ownership threshold set by other regulatory authorities which were set for other purposes.
Illustration 4.1
(left diagram) Direct ownership
(right diagram) Indirect ownership
As provided in Illustration 4.1, if Company A is legally owned by
Company B (according to its corporate registration information),
the beneficial owners are the natural persons behind Company B (or
behind the ultimate holding company in the chain of ownership).
(b) There may also be circumstances where a natural person owns less than
25% direct shareholding in an entity but is identified as the beneficial owner
through his indirect and aggregated ownership of the entity, as reflected in
Illustration 4.2 below.
Illustration 4.2
Although all direct shareholders of Company A each own 20% of its
shares, Mr. Z is considered the beneficial owner of Company A due
to his aggregated ownership of Company R and Company S,
making Mr. Z the indirect owner of 40% of Company A.
(c) Shareholders may exercise control together with other shareholders,
including through any contract, understanding, relationship, intermediary or
tiered entity to increase control, as illustrated in Illustration 4.3.
Illustration 4.3
Although all direct shareholders of Company A each own 20% of its
shares, Mr. D and Mr. E are considered the beneficial owners
because they collectively exert control over the company via a
shareholders’ contract.
In most circumstances, ownership over an entity implies control over the
entity, as ownership may come with the power and authority to take actions
and make decisions for the entity. Such a situation can be observed, among
others, where:
i. The natural person has majority voting power within the entity to make
decisions; or
ii. The natural person exercises his right to appoint or remove directors
or senior management, as a major shareholder.
(d) In implementing Step 1, a natural person identified as fulfilling the criteria in
(a) shall be identified as the beneficial owner. However, where there is
doubt as to whether the person identified under Step 1 is the beneficial owner, or
where no natural person has ultimate controlling ownership interest over the
legal person, the reporting institution shall carry out Step 2.
Step 2 Identify the natural person, if any, exercising control of the legal
person, through other means
(e) A natural person may also exercise effective control over an entity if he has
the powers and authority to take actions and make decisions for the entity,
including on matters relating to its financial affairs, financial relationships,
operations or other matters that may fundamentally affect the business or
direction of the entity, without having ownership interest over the entity.
Such powers may be attained through other means, such as:
i. Reflecting dominant influence to appoint or remove directors/ senior
management;
ii. Having the power of attorney over the entity;
iii. Owning stocks or rights over outstanding debts that are convertible
into voting equity;
iv. Participating in the financing of the enterprise; or
v. Having control through trusts, agreements, arrangements,
understandings, policies or practices, close and intimate family
relationships or if a company defaults on certain payments.
A natural person demonstrating control may be, among others, the entity’s
senior management, directors, authorised signatory, controller, etc.
Illustration 4.4
Ms. K has complete managerial powers
over Company F. Under Step 2, Ms. K is
the beneficial owner of Company F.
How-to
Where, in the course of identifying beneficial owners,
reporting institutions identify natural persons who exert
control over an entity but have no direct ownership or
apparent control over the entity, this assessment, along with
the person suspected of being a beneficial owner, should be
recorded. Such a situation may be observed through:
a. personal connections to persons in positions of
power within the entity or persons who possess
ownership over an entity (close or intimate family
relationships and historical or contractual
associations);
b. participation in the financing of enterprises, which may
allow enjoyment or benefits from assets of the legal
person;
c. in the case of MSB, executive staff who are
empowered to make important decisions on behalf
of the senior management.
(f) In implementing Step 2, a natural person identified as fulfilling the criteria
under (e), shall be identified as the beneficial owner. However, where,
through Step 1, no natural person is identified to have ultimate ownership
interest over the legal person and through Step 2, no natural person is
identified to have and exercise, either directly or indirectly, control over the
entity, the reporting institution shall carry out Step 3.
Step 3 Identify the identity of natural persons holding the position of senior
management within the legal person
(g) “Senior management” are identified as persons who exercise executive
control over the daily or regular affairs of the legal person, which may
include, but are not limited to, directors, deputy directors, Board members,
chief executive officer, chief financial officer, chief operating officer, or any
other individual performing similar management functions.
4.6 In moving down the cascading steps in paragraph 4.5 above, reporting
institutions should ensure that they have identified either:
(a) the lack of a natural person under (a) as the ultimate owner of the entity;
and/or
(b) the lack of a natural person under (e) who exercises ultimate control over
the entity.
Good practice
Reporting institutions should endeavour to record and keep
documentation reflecting all the findings in moving down the
cascading steps, as well as all shareholders identified throughout
the chain of ownership, leading to the ultimate beneficial owner.
Legal arrangements
4.7 For legal arrangements, persons with “ultimate control” over the legal
arrangement shall be identified as the beneficial owners. For example, in a trust,
such persons may include, among others, the trustee (person who manages the
trust), the settlor (the person who creates the trust), the protector (person
appointed by settlor to oversee the trustee) and the beneficiary (person who
benefits from the trust). The following are examples of positions denoting control
over a trust:
(a) A settlor with power to revoke the trust and return property of trust back to
the settlor;
(b) A protector with power to remove or appoint a trustee;
(c) An investment manager with power to direct the trustee’s action; and
(d) A person who benefits from the legal arrangement.
5.0 Methods to Identify Beneficial Owner
5.1 Reporting institutions may seek to review the beneficial ownership information
relating to an entity, based on the following recommended source documents to
determine the ownership structure and governance of an entity. The following list
is non-exhaustive and reporting institutions are encouraged to explore
other possible sources of documents to review such information.
Type of legal person/ legal arrangement: Private and public companies/ Bodies corporate/ Partnership/ Government-linked companies
Information relating to beneficial ownership:
i. Legal vehicle (e.g. corporate, partnership etc)
ii. Shareholding including information on parent company and subsidiaries information
iii. Direct or indirect ownership
iv. Relationship to conglomerates/ corporate groups
v. Company tree
Source documents: Certificate of incorporation; Certificate of registration; Company constitution; Minutes of Board meeting; Director’s and shareholder’s resolution; Partnership agreement; Appointment/ Authorisation letter; Senior management list; Company’s annual report and annual return; Joint venture agreement, shareholder’s agreements and other related agreements; Director nomination agreement; Register of member including BO; Any other source documents that sufficiently identifies the beneficial owner

Type of legal person/ legal arrangement: Trust arrangement
Information relating to beneficial ownership:
i. Parties to the trust
ii. Persons involved in the trust establishment
iii. Administrator of the trust
iv. Type of trust
Source documents: Trust deed; Trust registration document

Type of legal person/ legal arrangement: Cooperatives
Information relating to beneficial ownership:
i. Management of the cooperatives
ii. Rules governing the cooperatives
Source documents: Registration form of the Cooperatives; By-laws of the cooperative; Minutes of General Meeting

Type of legal person/ legal arrangement: Clubs/ Societies/ Foundations/ Charities/ NGOs
Information relating to beneficial ownership:
i. Rules governing the clubs/ societies/ foundations/ charities/ NGOs
Source documents: Constitution/ charter/ rules; Registration form; Minutes of meeting; List of members of committee
5.2 Depending on the type of legal person or legal arrangement, identity of beneficial
owners may be determined based on the following relationships:
Type of legal person/ legal arrangement, followed by the relationships to be determined, if any:

Companies (Private & Public): Shareholders; Senior management; Joint venture agreement; Persons with voting rights; Nominee directors/ shadow directors; Persons with power to appoint or remove directors; Other persons with interest within the company

Partnership: Partners within the partnership; Other natural persons with effective control over the partnership

Government linked companies (Government investment linked companies, state based company etc.): Person authorised in the government to exercise or influence decision making on the GLC; Other persons who exercise or influence decisions over the GLC

Clubs/ Societies/ Foundations/ Charities/ NGOs/ Cooperatives: Office bearer (e.g. president, secretary, treasurer or other committee); Senior management/ management team; Other member with effective control over the club/ societies/ charities/ foundations/ cooperatives

Trust arrangement: Settlor; Trustee; Protector; Beneficiaries or class of beneficiaries; Other natural persons with effective control over the trust
5.3 Reporting institutions shall take all reasonable measures to identify their
customers’ beneficial owner and shall be satisfied, based on the measures taken,
that they know the ultimate beneficial owner.
5.4 Reporting institutions are recommended to examine as many levels of
information from the company structure as they deem necessary to accomplish
this. “Reasonable measures”[5], in this situation, refer to practical, necessary and
appropriate steps taken in line with the reporting institutions’ risk assessment, on
a best efforts basis.
[5] Reporting institutions are recommended to translate the extent of reasonable measures they take into a clear set of internal policies and procedures for consistency of conduct and to guide their employees’ actions.
Illustration of reasonable measures on best efforts basis
In determining the beneficial owner of a company, the reporting
institution has taken a best efforts basis by thoroughly
enquiring the customer on information of beneficial owner,
obtaining all relevant documents relating to the customer,
reviewing all the relevant company documents and obtaining
information through online and offline publicly available
sources including information maintained by public registrars.
5.5 Where the reporting institutions are unable to identify, or further verify, the
information of beneficial owners, including those who are foreign natural persons,
reporting institutions shall record that they have exhausted all reasonable
measures that may be taken to obtain such information. This may include
obtaining a statutory declaration from the customer on the identification of the
foreign beneficial owner.
Good practice
Reporting institutions may choose to implement and adopt stricter
internal policies and procedures with regard to identification and
verification of beneficial ownership information. For example,
reporting institutions may choose to collect information of
shareholders with less than 25% ownership if they so wish.
5.6 Reporting institutions should identify and take reasonable measures to verify all
the information of the beneficial owner as required in the Policy Document.
6.0 Verification of Beneficial Owner
6.1 Reporting institutions shall use reliable and independent source documents[6] to
verify the identity of beneficial owners.
6.2 Reporting institutions are expected to perform identification and verification of
beneficial owners at the on-boarding stage, as well as when there are any
changes to the beneficial ownership information. Depending on the risk
assessment of the customer and their beneficial owner, reporting institutions may
conduct a delayed verification of the beneficial owner, by adhering to the
requirements of the Policy Documents. Beneficial ownership obligation should
still be satisfied regardless of the level of risk associated with the customer and
beneficial owner.
[6] Examples of reliable and independent source documents are provided in the “Guidance on Verification of Individual Customers for CDD”. The list is not exhaustive and any other verification sources may be relied on, with due regard to be given to the requirements under the Policy Documents.
6.3 Similar to the identification process, reporting institutions should ensure that they
have taken all reasonable measures to verify the identity of the beneficial
owner(s) of their customer. This may include, but is not limited to, conducting
verification through independent documents provided by the customer, reliance
on public registries or government bodies, researching publicly available
information or arranging a face-to-face meeting with the beneficial owner to
corroborate the undertaking or declaration provided by the customer.
Good practice
Where reporting institutions are unable to verify the beneficial owner’s
identity, reporting institutions may manage the risks of customer’s
activities, by either limiting the activities of the customer, treating the
customer’s activities as high risk or applying enhanced on-going due
diligence on the customer, as per the best practices of other countries.
6.4 Where a customer falls under the list of exempted legal persons listed under
Paragraph 14A.9.8 of the Policy Document[7], reporting institutions are not
required to verify their directors or shareholders. Notwithstanding this, reporting
institutions are still required to identify and maintain the information relating to the
identity of the directors and shareholders, based on public register, reliable
sources or other information provided by the customer.
6.5 For foreign beneficial owners, where there is no existing independent and reliable
document submitted on the beneficial owner, reporting institutions may verify the
identity of the beneficial owners through open available sources. Reporting
institutions should reflect that they have exhausted all reasonable measures that
may be taken to verify the foreign beneficial owners’ identity.
Good practice
Reporting institutions may conduct a self-assessment to determine
whether they have taken adequate steps to verify the beneficial
owner’s identity and whether they understand the rationale for the
beneficial owner’s use of complex corporate structures.
[7] Corresponding provision in Paragraph 14B.11.14, 14C.10.9 and 14D.9.8 of the Policy Document as well as, Paragraph 14.10.9 of the Policy Document on AML/CFT and TFS for DNFBPs and NBFIs.
7.0 Record Keeping of Beneficial Ownership
7.1 Reporting institutions shall obtain and retain records of beneficial owner
information in accordance with the requirements under the Policy Document. The
following are best practices on record keeping:
DO’s: All records may be:
DON’T’s: All records may NOT be:

DO: retained and recorded in a readily auditable manner.
DON’T: retained in a convoluted manner or parts of documents missing and untraceable.

DO: retained as per requirement of maintaining court evidence.
DON’T: retained without records on CTC/ veracity or acknowledgement of documents and/or recorded without reference to sources.

DO: regularly updated through on-going due diligence.
DON’T: updated only during on-boarding, without any further review or on-going due diligence throughout the course of business relationship.

DO: retained consistently according to CDD & record keeping procedures for every process stage, i.e. identification, verification, risk profiling of beneficial owners and updating & maintaining records of beneficial owners.
DON’T: maintained without a standard operating procedure on CDD & record keeping, i.e. no clear procedure on verification process, frequency of updating beneficial owner’s records, etc.

DO: retained for at least 6 years from the date the customer ceases its business relationship with the reporting institution.
DON’T: removed immediately following cessation of customer’s business relationship.
8.0 Examples of identification of beneficial owners
Illustration 8.1
From the outset, there is no direct ownership by a natural person of more
than 25% of Company A’s shareholding. The beneficial ownership
breakdown once the complex structure is reviewed is as follows:
A Mr. W has 40% ownership of Company A and is a beneficial owner
(10% direct ownership + 30% indirect ownership through Company R
and Company S)
B Mr. Z has only 20% ownership of Company A and is not a
beneficial owner (direct ownership)
C Ms. Y has 25.6% ownership of Company A and is a beneficial owner
(9.6% indirect ownership through Company T and Company Q and
16% indirect ownership through Company T and Company M)
Illustration 8.2
Based on the shareholding, there is neither a beneficial owner with 25%
or more shareholding nor is there any person with effective control over
the company apart from the senior management. In this case, the senior
management with control of decisions over Company A is Mr. X. Mr. X is
considered the beneficial owner for AML/CFT requirements purposes.
Where there is any doubt on other persons having effective control,
reporting institutions may take the effort to explore nature of relationship
between shareholders (i.e. spousal, familial relationship, power of
attorney relationship). For example, based on the above shareholding, if
Ms. M is the daughter of Mr. Z, Mr. Z may have effective control over
Company A even though there is no control through shareholding and
may be deemed the beneficial owner.
Similarly, if Mr. Y allows Mr. Z the power of attorney over his shareholding,
Mr. Z may also have effective control over Company A and may be
deemed the beneficial owner.
The relationships between the relevant stakeholders can be determined
and established if the reporting institution truly knows its customer, as
required through customer due diligence requirement. Reporting
institutions may apply a best efforts basis in ensuring this information
is discovered.
Illustration 8.3
Based on the shareholding, Ms. P is the beneficial owner of Company A,
through her ownership of Company XX. The reporting institution having a
banking relationship with Company A has endeavoured to obtain all
necessary identification documents from Company A relating to Company XX
and Ms. P. In verifying that information, the reporting institution has
explored all online and offline platforms with publicly available information on
Ms. P such as news outlet and websites with company profiles such as
Reuters, Asian Nikkei Review etc., reflecting that verification has been
conducted on a best efforts basis.
As Ms. P is a foreign beneficial owner, the reporting institution should also
determine whether she is a citizen from high risk jurisdiction or whether she
falls within the sanctions list. If Ms. P falls under the category of high risk
customers requiring enhanced CDD, the reporting institution should also
determine, among others, the sources of funds and wealth of Ms. P.
The reporting institution has the option to choose not to establish or continue
business relationship with the customer if it is deemed that Ms. P is not within
the reporting institution’s risk appetite or if the reporting institution believes it
does not have the capacity to appropriately manage the increased risk in
relation to the customer/ Ms. P, in accordance with the institution’s business
decision.
Illustration 8.4
Trust XYZ has 100% ownership of Company A, with the trustee Ms. D holding the
shares as the titled legal owner. In such a scenario, the BO of Company A is not Trust
XYZ, but rather the individuals that are parties to the trust (e.g. the settlor, protector,
trustee and beneficiary) and any other person exercising effective control of the
trust.
As one of the beneficiaries of Trust XYZ is not a natural person, i.e. Company F, the
BOs of Company F shall also be identified. As such, the BOs in this case for
Company A are Ms. B, Mr. C, Ms. D, Mr. E and Mr. G.
Issue Date: 1 September 2020
Frequently Asked Questions on
Anti-Money Laundering, Countering Financing of Terrorism and
Targeted Financial Sanctions for Designated Non-Financial Businesses and Professions & Non-Bank Financial
Institutions
(FAQs on AML/CFT and TFS for DNFBPs and NBFIs)
FAQs on AML/CFT and TFS for DNFBPs and NBFIs
Page 1 of 41
Introduction
The Frequently Asked Questions (FAQs) are intended to provide clarification to reporting
institutions on common queries in relation to the Anti-Money Laundering, Countering
Financing of Terrorism and Targeted Financial Sanctions for Designated Non-Financial
Businesses and Professions and Non-Bank Financial Institutions Policy Document (Policy
Document).
These FAQs are not intended to replace any requirements in the Policy Document.
Any refinements to the FAQs will be updated by Bank Negara Malaysia from time to time.
Should you have any additional queries related to the Policy Document, please submit the
queries via any of the following means:
a. Mail : Director
Financial Intelligence and Enforcement Department
Bank Negara Malaysia
Jalan Dato’ Onn
50480 Kuala Lumpur
b. Email : [email protected]
Bank Negara Malaysia 1 September 2020
TABLE OF CONTENTS
Introduction
Glossary
Applicability
Definition and Interpretation
Application of Risk-Based Approach
AML/CFT Compliance Programme
Customer Due Diligence (CDD)
Politically Exposed Persons
Reliance on Third Parties
Higher Risk Countries
Cash Threshold Report (CTR)
Suspicious Transaction Report (STR)
Record Keeping
Management Information System (MIS)
Targeted Financial Sanctions
Appendices
APPENDIX A: Sector Specific CDD for REAs
APPENDIX B: Infographic on Higher Risk Countries
GLOSSARY
No Abbreviation Description
1 AMLA Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001
2 AML/CFT Anti-Money Laundering and Countering Financing of Terrorism
3 BO Beneficial Owner
4 CDD Customer Due Diligence
5 CTR Cash Threshold Report
6 DNFBPs Designated Non-Financial Businesses and Professions
7 DPMS Dealers in Precious Metals or Precious Stones
8 e-KYC Electronic Know Your Customer
9 FATF Financial Action Task Force
10 GLCs Government Linked Companies
11 IRA Institutional Risk Assessment
12 MIS Management Information System
13 ML/TF Money Laundering and Terrorism Financing
14 NRIC National Registration Identity Card
15 PCT Person Conducting Transaction
16 PEPs Politically Exposed Persons
17 REAs Registered Estate Agents
18 STR Suspicious Transaction Report
19 TFS Targeted Financial Sanctions
20 UNSC United Nations Security Council
21 UNSCR United Nations Security Council Resolutions
NO. QUESTION ANSWER
Applicability
1 Do AML/CFT requirements apply to
individual reporting institutions,
such as accountants, company
secretaries, lawyers and registered
estate agents (REAs)?
The AML/CFT requirements apply to all
reporting institutions, and may be
administratively developed by the
accountants, company secretaries, lawyers
and REAs at the firm level to ensure
consistent application of AML/CFT
requirements within the firm.
However, some responsibilities under the
AML/CFT requirements, such as the
submission of suspicious transaction report
still rest with the individual reporting
institution.
2 Are all activities carried out by
accountants, company secretaries,
and lawyers subject to Part IV of the
Anti-Money Laundering, Anti-
Terrorism Financing and Proceeds
of Unlawful Activities Act 2001
(AMLA)?
For accountants, company secretaries and
lawyers, Part IV of the AMLA is only
applicable to those carrying on Gazetted
Activities as published in P.U.(A) 340/2004
and P.U.(A) 293/2006.
However, for lawyers, there could be
circumstances of spill-over, in which the
funds from litigation process may pass
through the client account, and hence form
part of the Gazetted Activities.
Definition and Interpretation
Beneficial Owner
3 Does the definition of “beneficial
owner” refer to the chains of
shareholders and directors, and
exclude the people who hold
senior management position in a
company, for example, Chief
Executive Officer (CEO), Chief
Financial Officer (CFO), Chief
Operating Officer (COO), or the
similar kind of positions in the
company?
Generally, the first step of identifying the
beneficial owner (BO) referred to in
"…situations in which ownership or control is
exercised through a chain of ownership..." is
by identifying the shareholders and directors,
not the individuals appointed as executives
e.g. CEO, CFO, COO, unless these
executives are also the shareholders or
directors.
The "chain" here is in relation to parent-
subsidiary situations which extend across
several levels, where the reporting
institutions will need to review the entire
chain of companies and subsidiaries to
determine who is the ultimate beneficial
owner of a particular customer that the
reporting institution is dealing with.
However, reporting institutions should be
aware that for BO of a legal person, if the
natural person cannot be identified through
the controlling ownership interest, then the
senior management of that legal person e.g.
CEO, CFO, COO or similar position is to be
identified as the BO.
Details on the above sequential process to
identify the BO can be found in paragraph
14.10.6 of the Policy Document.
For further details on beneficial owner,
please refer to the “Guidance on Beneficial
Ownership” issued by the Bank Negara
Malaysia.
Please also refer to Part D of the Policy
Document (Appendix 12).
Legal Person
4 What are the different types of
government linked companies
(GLCs)?
GLCs refer to entities where the government
is:
(a) the majority shareholder; or
(b) the single largest shareholder; and/or
(c) has the ability to exercise and influence
major decisions such as appointment of
board members and senior
management.
The definition would also be applicable in
instances where the government is not a
single largest shareholder but is able to
exercise control e.g. through golden shares
(where the government is entitled to certain
special rights).
This may also include a state-owned
corporation (SOC), which is a body formed by
the government through legal means to be
able to take part in activities of a commercial
nature. As activities of a state-invested entity
(SIE) also involve investment on behalf of the
government, they may be treated the same
as SOCs and GLCs.
Person Conducting the Transaction
5 What are the examples of person
conducting the transaction (PCT)?
PCT is defined in paragraph 6.2 of the Policy
Document and refers to any natural person
conducting or purporting to act on behalf of
the customer, such as a person depositing
into another customer’s account or a person
undertaking a transaction on behalf of
another person.
Examples of PCT may include the following:
(a) a company representative making
payments on behalf of the company; or
(b) a third party paying on behalf of a
customer.
Application of Risk-Based Approach
Risk Assessment
6 Are reporting institutions required
to submit their AML/CFT risk
assessment information to Bank
Negara Malaysia?
Reporting institutions are generally not
required to submit the AML/CFT risk
assessment information to Bank Negara
Malaysia. However, such report may be
required to be submitted to Bank Negara
Malaysia during supervisory visits or as and
when required as part of supervisory or risk
assessment.
7 What is the expectation for
reporting institutions in conducting
their institutional risk assessment
(IRA)? Can the IRA be thematic
and how frequent must it be
conducted?
Paragraph 10.2.1 of the Policy Document
requires reporting institutions to identify,
assess and understand their money
laundering and terrorism financing (ML/TF)
risk in relation to:
(a) customers;
(b) countries or geographical areas;
(c) products, services, transactions or
delivery channels; and
(d) other relevant risk factors.
Reporting institutions’ first IRA must be
comprehensive, covering all the above
mentioned parameters, i.e. customers,
countries/geographical areas and products/
services/ transactions and delivery channel,
at minimum. Reporting institutions may
choose to update the IRA on a thematic
basis.
Reporting institutions may consider setting the
frequency of the IRA on a specific period e.g.
every 1 to 2 years or where circumstances
have changed that may warrant a refresh of
the IRA, e.g. material changes in risk profile,
significant internal audit finding, changes in
business direction, new typologies
suggested by authorities or Financial Action
Task Force (FATF), or when embarking on
new technologies, etc.
Reporting institutions may refer to the
guidance documents on risk-based approach
available in Part D of the Policy Document
and guidance issued by the FATF which are
available on its website at: http://www.fatf-gafi.org/
8 Is there a specific template to
conduct the IRA?
There is no standard template to conduct the
IRA. Reporting institutions may refer to
Appendix 9 of the Policy Document as a
guidance to assist the conduct of ML/TF risk
assessment collectively at the institutional
level.
While Appendix 9 has generally covered the
basic requirements, it should not be treated
as the sole reference in conducting the risk
assessment as the list of factors or examples
or criteria are not exhaustive.
Risk Profiling
9 Are reporting institutions required to
assess the ML/TF risks based on all
criteria specified in Paragraph
10.4.2 of the Policy Document?
In profiling the customers, reporting
institutions are required to take appropriate
steps to identify, assess and understand
risks, by considering the relevant factors
under Paragraph 10.2.1 of the Policy
Document. In cases where some of the
criteria are irrelevant to the reporting
institution’s business, those criteria may not
be considered in profiling and assessing the
risks of the customers.
10 What is deemed as a valid
justification when re-rating a
customer’s risk from higher to
lower? Should the reporting
institution document the procedures
for reference purposes?
Reporting institutions are to assess the
customers’ risk based on the type of
customer, geographical location, products,
services, transactions or delivery channels
and other relevant factors (such as emerging
threats, trends, change in behaviours, past
suspicious transaction report experience,
etc.).
Reporting institutions are expected to
consider the applicable factors at the stage of
on-boarding and during re-rating to determine
the risk of a customer. Reporting institutions
are also expected to document internal
customer risk profiling assessments, for
record keeping and audit purposes.
Reporting institutions may refer to the
guidance provided in Part D of the Policy
Document, in particular the Customer Due
Diligence Form for suggested approach to
conduct customer risk profiling.
AML/CFT Compliance Programme
Application for Small-sized Reporting Institution
11 When a reporting institution meets
the small-sized definition, is the
reporting institution exempted from
implementing all AML/CFT
requirements? Must the reporting
institution apply for Bank Negara
Malaysia’s approval?
If a reporting institution meets the small-sized
definition (please refer to Appendix 2 of the
Policy Document), the reporting institution
can apply the simplifications and exemptions
in relation to the AML/CFT Compliance
Programme as per paragraph 11.1.1 of the
Policy Document.
Please note that the simplification or
exemption does not apply to the substantive
AML/CFT requirements, such as customer
due diligence, suspicious transaction report,
record keeping etc.
Bank Negara Malaysia's approval prior to the
application of the simplifications or
exemptions is not required.
Notwithstanding this, Bank Negara Malaysia
may, at any time, specify that a reporting
institution is required to comply with any of
the AML/CFT Compliance Programme.
12 For accountants and lawyers, is the
small-sized reporting institution
definition based on the number of
practising certificate holders
undertaking Gazetted Activities?
No, the definition is based on the total number
of practising certificate holders in the firm,
regardless of whether they undertake
Gazetted Activities or otherwise. For
example, a firm with 7 practising certificate
holders, of which only 3 undertake Gazetted
Activities, does not meet the
small-sized reporting institution criteria.
13 For DPMS, does a company with
less than 30 employees but annual
sales turnover exceeding RM 10
million satisfy the small-sized
reporting institution definition?
No, under such scenario, the company is not
a small-sized reporting institution and must
implement the complete AML/CFT
Compliance Programme requirements.
Where a sector is subject to more than one
criterion for the definition of small-sized reporting
institution, both criteria must be satisfied to
apply the flexibility. If the company only
meets one of the criteria and not the other,
the company is not considered as a
small-sized reporting institution.
14 What is the expectation when a firm
meets the criteria for small-sized
reporting institution in one year, but
not in the subsequent year?
The determination of whether a reporting
institution meets the small-sized criteria
shall be based on the figures at the end of
the preceding calendar year, i.e. January to
December. Hence, where the reporting
institution does not meet the criteria as per
the reference figures, the reporting
institution must comply with the complete
AML/CFT Compliance Programme.
Compliance Management Arrangements at the Head Office
15 Is a small-sized reporting institution
required to appoint a compliance
officer?
Yes, all reporting institutions, regardless of
size, are required to appoint a compliance
officer, as per section 19 of the AMLA.
16 For a small-sized reporting
institution, can the Director or
Manager act as the compliance
officer?
Yes, the reporting institution may appoint any
individual with management responsibilities
within the reporting institution to be the
compliance officer. The person appointed
must satisfy the criteria provided under
paragraph 11.5 of the Policy Document. He
or she must have the sole discretion and
independence to evaluate and report
suspicious transactions.
The appointed compliance officer may also
be carrying on other functions within the
reporting institution.
While the Policy Document does not provide
a definition of “management” per se, the
appointed compliance officer must have
sufficient stature, authority and seniority
within the reporting institution to participate
and be able to effectively influence decisions
relating to AML/CFT matters.
17 Must the appointed compliance
officer be based within the reporting
institution or can be from other
subsidiaries within the Group?
A reporting institution may appoint a compliance
officer from other subsidiaries within the
Group provided that he or she fulfils the
criteria provided under paragraph 11.5 of the
Policy Document.
Regardless of whether the compliance officer is
internally or externally appointed, the
reporting institution remains responsible and
accountable to ensure the effectiveness of
the compliance functions.
18 For a reporting institution with
branches, can the compliance
officer be centralised at head
office?
Section 19(4) of the AMLA requires reporting
institutions to designate compliance officers
at management level in each branch, for the
purpose of application of AML/CFT
compliance programme as well as reporting
of suspicious transactions.
Further, paragraph 11.5 of the Policy
Document stipulates compliance
management arrangements at Head Office
including the requirement to notify Bank
Negara Malaysia on the appointment or
change in the appointment of compliance
officer at Head Office.
In this regard, reporting institutions are
required to appoint a compliance officer at
each branch, but are only required to notify
Bank Negara Malaysia on the compliance
officer appointed at the Head Office.
Nevertheless, for some DNFBP sectors,
branch offices operate independently of the
Head Office. Under such scenario, each
branch is required to notify Bank Negara
Malaysia on the appointment of the
compliance officer.
19 Must the appointed compliance
officer be certified?
No, AML/CFT certification is not compulsory
for compliance officers, but is highly
encouraged to enable effective discharge of
their responsibilities.
20 What is the reliable source of
reference to assess whether the
compliance officer is “fit and
proper”?
Reporting institutions may be guided by the
examples provided under paragraphs 11.5.5,
11.5.6, 11.5.7 and 11.5.8 of the Policy
Document when assessing the fitness and
propriety of an individual to be appointed as
a compliance officer.
21 In the event of failure to comply with
requirements under Part IV AMLA
or the Policy Document, will the
compliance officer be held liable?
Any employee of a reporting institution may
be held personally liable for any failure to
observe the AML/CFT requirements, in
accordance with their respective job
function, including the compliance officer.
22 Is there a due date for the
appointment of a compliance
officer?
No, there is no specific due date for the
appointment of a compliance officer.
However, reporting institutions are required
to appoint a compliance officer and notify
Bank Negara Malaysia within 10 working
days from the appointment, or for any
change in the appointment.
Employee Screening
23 Can screening be differentiated for
different employees?
Yes, the screening of employees can be
differentiated on a risk-based basis,
depending on the position, job scope or
other relevant factors related to the
employee.
Reporting institutions are expected to
assess their employees’ vulnerability to
money laundering, terrorism financing, fraud
and bribery risks, and use various sources
of information to assist in the screening
process to ensure that employees do not
abuse their position or be vulnerable or used
as a conduit to facilitate ML/TF activities.
24 What are the methods to conduct
employee screening?
Reporting institutions may choose any
suitable method to conduct employee
screening and be guided by methods
provided in paragraph 11.7 of the Policy
Document.
Examples of methods for the conduct of
employee screening may include face-to-
face meeting, phone or video interviews,
online checks, skills test, submission of
documents or statutory declarations,
criminal checks with relevant authorities,
consumer credit reports, transaction
monitoring, obtaining employment
reference, etc.
25 Would trigger events such as
transaction monitoring, periodic
negative news screening suffice as
the parameter for rescreening?
The parameters and triggers for re-screening
are to be determined by each reporting
institution.
Examples of best practices would include
consideration of global watch list (including
negative news screening), criminal checks
with relevant authorities, transaction
monitoring as well as credit reports and also
changes in circumstances, either
professionally or personally e.g. promotion,
secondment to another division function,
financial hardships, or staying in the same
position for a long period of time, etc.
Employee Training and Awareness Programmes
26 What forms of employee trainings
are acceptable?
Training should be conducted regularly and
supplemented with refresher courses at
appropriate intervals. Any form of training,
e.g. classroom, online or webinar, is
acceptable depending on the needs of the
employee, the job function and
responsibilities undertaken by the employee.
Reporting institutions should have clear and
comprehensive training contents. The
training materials should be frequently
reviewed to include any latest changes to
the AML/CFT or other regulatory
requirements. In addition, tests or
examinations are highly encouraged to
demonstrate higher levels of effectiveness.
Where a reporting institution satisfies the
small-sized reporting institution definition, a
more simplified training approach can be
adopted, including via on-the-job training.
Reporting institutions are to ensure that the
training provided to its employees is properly
documented.
Reporting institutions are also encouraged to
contact their respective self-regulatory
bodies, regulatory or licensing authorities and
their relevant training institutes for AML/CFT
training specific for their sectors. This could
be as part of the on-going Continuing
Professional Education (CPE) / Continuing
Professional Development (CPD)
programmes.
Independent Audit Function
27 Can the Board level function be
delegated to other Board level
committees (i.e. audit or risk)?
Yes, the function may be delegated to other
Board level committees (i.e. audit or risk) so
long as the committee is independent and the
AML/CFT findings or issues relating to the
adequacy and implementation of the
AML/CFT policies and procedures are
ultimately tabled to the Board.
For example, the decision on frequency and
scope of the audit can be delegated to the
Board Audit Committee.
28 Who can undertake the
independent audit function?
The role of AML/CFT independent audit
function can be undertaken internally by any
officer, with relevant knowledge and
expertise to carry out the function, who is
independent of the compliance function (i.e.
Compliance Officer). Alternatively, the
reporting institution may also appoint external
auditors to carry out the function. The
appointment of an independent auditor,
internal or external and its roles and
responsibilities shall be determined by the
Board or Senior Partners.
In carrying out the independent audit review,
as per paragraph 11.9.4 of the Policy
Document, the auditors must, at a minimum,
check and test the firm's compliance with
AML/CFT policies, procedures and controls
and the effectiveness or extent of its
implementation when dealing with clients or
on the necessary approvals by Board or
Senior Partners, as well as assess whether
the firm's current measures are in line with
requirements under AMLA and the Policy
Document.
29 When should the reporting
institution conduct independent
audit? Are reporting institutions
required to conduct an annual
audit? What is the scope?
The frequency of the independent audit
depends on the firm’s assessment of its
ML/TF risk exposure and is determined by
the Board or Senior Partners.
On the scope of the independent audit,
reporting institutions may refer to paragraph
11.9.6 of the Policy Document. Further,
reporting institutions must also consider
whether there were previous non-
compliances under the AMLA which resulted
in enforcement actions taken against the
reporting institution.
30 Are reporting institutions no longer
required to prepare an audit report
and submit to the Financial
Intelligence & Enforcement
Department, Bank Negara Malaysia
(FIED, BNM)?
Yes, except for licensed casino and non-
bank financial institutions, all other
reporting institutions are no longer required
to submit an annual audit report to FIED,
BNM.
However, reporting institutions must ensure
that the audit report and necessary corrective
measures undertaken are made available to
FIED, BNM and the relevant supervisory
authorities upon request.
Customer Due Diligence (CDD)
Verification
31 What sources of documents, data
or information are deemed as
reliable? Can a reporting institution
seek BNM’s confirmation to
determine the level of reliability?
Verification can be a combination of various
data points that the reporting institution
deems to be “reliable and independent” which
could cumulatively ensure the accuracy of
customer and beneficial owner’s identification
data. Any measures adopted should be
subjected to the reporting institution’s internal
governance process.
Generally, the reporting institution is required
to verify the identity of a customer through
acceptable government issued documents
with or without photograph (e.g. MyKad,
MyKid, MyPR, OKU card, driving licence,
birth certificate, marriage certificate), foreign
passport, employee identification documents,
etc.
Alternatively, subject to the reporting
institution’s assessment whether it is
appropriate to mitigate the risks, reporting
institutions may accept scanned or copy
documentation and apply additional
measures which include:
(a) third party verification of identity from
the client’s primary bank account
provider, lawyer or accountant in
accordance with paragraph 16 of the
Policy Document;
(b) corroborative evidence from Jabatan
Pendaftaran Negara, Suruhanjaya
Syarikat Malaysia and Central Credit
Reference Information System (CCRIS)
databases;
(c) use of commercial providers to validate
documentation provided;
(d) use of new and robust technology
solutions including but not limited to,
biometric technologies which should be
linked incontrovertibly to the customer;
(e) through non face-to-face mechanisms
e.g. video conference with customers
and submission of selfies to compare
the physical identity of a customer with
scanned or photographed copies of
identification documents; and/or
(f) other reliable and independent source.
Reporting institutions are expected to
undertake adequate and reasonable
measures to mitigate risks arising from the
adoption of any non face-to-face
mechanisms. For further details, please refer
to the “Guidance on Verification of Individual
Customers for CDD” issued by Bank Negara
Malaysia.
32 For verification, are reporting
institutions required to make a copy
of the customer’s NRIC?
Any documents requested or obtained during
the CDD process should be kept and
recorded to meet the record keeping
requirement as set out under paragraph 21.1
of the Policy Document.
The record keeping of these documents may
be in the form of a photocopy, soft copy
(scanned copy or snapped picture) or
biometric record (such as Government Multi-
Purpose Card Consortium (GMPC)
verification, etc.).
33 What are the acceptable
documents for verification of legal
persons?
Paragraph 14.10.4 of the Policy Document
specifies the information that a reporting
institution should obtain to identify and verify
the identity of customers that are legal
persons.
The reporting institution is required to take
adequate measures to confirm the identity of
its customers which may include constituent
documents, such as certificate of
incorporation, and other searches available in
the public registrar databases.
34 For foreign shareholders, what is
the expectation on verification
requirement?
Reporting institutions are required to assess
the relevant risks in verifying the foreign
shareholders.
Verification process must be on a reasonable
basis, and can be satisfied by obtaining
documents from foreign official public
registers or by way of self-declaration by the
client, depending on the reporting institution’s
risk assessment in on-boarding such client.
35 What is the expectation if a public
listed company is identified to be
wholly owned by a GLC or a SOC
company?
Under such circumstance, the exemption on
verification of the identity of directors and
shareholders of that legal person applies (see
paragraph 14.10.9 of the Policy Document).
Reporting institutions are required to identify
and maintain information relating to the
identity of the directors and shareholders of
the public listed company using reliable
sources (see paragraph 14.10.10 of the
Policy Document).
Standard CDD
36 What is the expectation for
reporting institutions in dealing with
authorised persons?
A person authorised must be represented
with a letter of authority or director’s
resolution from the legal person.
Where it involves an authorised signatory,
i.e. when a legal person opens an account,
establishes business relations and
authorises another person to conduct
transactions on its behalf, the reporting
institution must obtain documentary
evidence on the appointment of such person
and the specimen signatories and/or
recognised digital signature of the person
appointed.
Reporting institutions must be guided by
their risk assessment on what documentary
evidence would suffice for the purposes of
identifying and verifying the person
authorised.
Beneficial Owner
37 In the case of more than one person
having more than 25%
shareholding, are reporting
institutions required to identify
ultimate beneficial owner of all such
shareholding?
Yes, consistent with paragraph 14.10.6 (a) of
the Policy Document, reporting institutions
are required to identify directors or
shareholders or partners with equity interest
of more than 25%.
38 Are reporting institutions required to
conduct CDD on holders of
Redeemable Convertible
Preference Shares (“RCPS”) for
legal person customers?
The requirement to conduct CDD on RCPS
holders of a legal person client will depend on
whether the RCPS holding could give rise to
the holder having a controlling ownership
interest, at minimum, with equity interest of
more than 25 percent, as required under
Paragraph 14.10.6(a) of the Policy Document
and other conditions as stipulated under the
same paragraphs (b) and (c).
For example, after a certain specified period,
the RCPS holders may redeem, resulting
in the holders having controlling
ownership interest in the legal person, which
is when the beneficial ownership
requirements on identification and verification
of the persons apply.
CDD : Clubs, Societies and Charities
39 Are reporting institutions required to
conduct CDD on all members of
clients that are a club, society or
charity?
No, for such clients, reporting institutions are
required to conduct CDD on the persons with
controlling ownership interests. This may
include the office bearers (i.e. the Executive
Committee) or any person authorised to
represent the said club, society or charity,
and any party who may have controlling
ownership interest, and not its members per
se. Please see paragraph 14.10.17 of the
Policy Document.
Simplified CDD
40 Can a DNFBP reporting institution
conduct simplified CDD where
ML/TF risks are assessed as low?
No, simplified CDD is not applicable to
DNFBP and NBFI reporting institutions. All
DNFBPs and NBFI reporting institutions are
required to conduct standard CDD when
establishing business relations or conducting
transactions with its customers or clients, as
required under paragraphs 14.10 and 14A to
14H of the Policy Document.
Enhanced CDD
41 Do reporting institutions need to
establish source of fund or wealth
for every customer?
No. The requirement to obtain information on
source of funds and/or source of wealth only
applies when overall ML/TF risks are
assessed as higher risk. Reporting
institutions are not expected to establish
source of funds or wealth for each and every
customer or transaction.
Generally, reporting institutions are required
to enquire on source of funds and/or source
of wealth, as part of the enhanced CDD under
the following scenarios:
• after customer risk profiling, when a
customer is assessed as having higher
ML/TF risks, regardless of any amount of
transaction;
• for all foreign politically exposed persons
(PEPs) or when a domestic PEP is
assessed as having higher ML/TF risks, in
which case, both source of fund and
wealth must be obtained; or
• when providing nominee services to the
customers or clients, i.e. nominee
shareholding, directorship or partnership
services, by reporting institutions who are
lawyers, accountants, company
secretaries or trust companies.
42 What is the difference between
“source of wealth” and “source of
funds”?
Information on the source of wealth and
source of funds are good sources of
monitoring for the reporting institutions.
“Source of wealth” refers to the source of a
person’s total assets. Documents and
information that may reflect the source of
wealth of a person include inheritance
document, property title, copies of trust
deeds, audited accounts, salary details, tax
returns and bank statements. It may be
possible to gather general information from
commercial databases or other open
sources.
“Source of funds”, on the other hand, refers
to the origin of a specific asset used in
connection to the business relations with the
reporting institution. Source of funds may be
determined through enquiry on the customer.
In the case of PEPs, both information on the
source of wealth and source of funds are to
be obtained.
Understanding both the source of wealth and
source of funds of a PEP is also necessary
for on-going due diligence purposes where
the aim is to ensure that the reason for the
business relationship between reporting
institutions, the PEP and the transactions
undertaken on the PEP’s behalf, are
commensurate with what one could
reasonably expect from that PEP, given
his/her particular circumstances.
Non Face-to-Face Business Relationship
43 Can reporting institutions establish
business relationships on non face-
to-face basis?
Yes, DNFBP and NBFI reporting institutions
can establish non face-to-face business
relationship with their clients, having put in
place policies and procedures to address any
specific risks associated with non face-to-
face relationships.
This includes appropriate measures for
identification and verification of a client's
identity, which must be as effective as those
for face-to-face clients, and the implementation
of monitoring and reporting mechanisms to
identify potential ML/TF activities, as required
under paragraph 14.14 of the Policy Document.
Before such non face-to-face measures are
implemented, reporting institutions are
required to seek their Board’s approval (see
paragraph 14.14.2 of the Policy Document).
44 Is Board approval required for each
new product and services on-
boarded via non face-to-face
channel / e-KYC?
The requirement for Board approval is
connected to the risk levels of the product
and services.
If the process and procedures in place for the
said products and services are the same,
Board approval is only required once, for all
products and services on-boarded via non
face-to-face channel or e-KYC.
A new approval would need to be obtained
when there are changes to the ML/TF risk
level of the parameters assessed by the
reporting institution.
45 Is it a requirement for non face-to-
face business arrangements
implemented prior to the effective
date of the Policy Document to be
approved by the Board of the
reporting institutions?
The requirements for non face-to-face (non-
FTF) do not have a retrospective effect. For
non-FTF business relationships, reporting
institutions shall ensure their non-FTF
arrangements for customer identification and
verification of identity are as effective as a
face-to-face relationship.
Should there be any changes to the ML/ TF
risk levels, reporting institutions need to re-
assess the parameter and may require a new
Board approval.
Failure to Satisfactorily Complete CDD
46 Can reporting institutions continue
business relationship with its
customer in the event of a failure to
obtain the complete CDD
information?
Reporting institutions must obtain all CDD
information (9 data points) as specified in
paragraph 14.10.1 of the Policy Document
before continuing any business relationship.
In the event of a failure to obtain the
complete information, reporting institutions
must not continue the business relationship
or transaction with the customer and must
consider lodging a suspicious transaction
report.
However, where a reporting institution
forms a suspicion of ML/TF and reasonably
believes that performing CDD may tip off the
customer, the reporting institution is
permitted to proceed to establish the business
relation or transaction without completing
the CDD process, document the basis for
not completing the CDD process and
immediately lodge a suspicious transaction
report.
Specific CDD : Lawyers
47 Are lawyers acting on behalf of the
seller required to conduct CDD on
both the seller and purchaser?
The CDD obligation does not extend to both
parties to a sale and purchase transaction but
applies to the client of the lawyer. If the lawyer
is representing a seller, CDD applies on the
seller and vice-versa.
However, in the course of facilitating the
transaction, if any suspicion arises on either
party to the transaction, i.e. seller or buyer,
the reporting institution may consider
submitting a suspicious transaction report on
either party to FIED, BNM.
Specific CDD : Dealers in Precious Metals and Stones
48 Are DPMS reporting institutions
required to conduct CDD on their
customers for the following
transactions?
- the transaction involves other
  goods being sold by the DPMS
  and does not involve any sale of
  precious metals nor precious
  stone; or
- the transaction involves the sale
  of precious metals or stones
  together with other types of
  goods, however, the value of the
  precious metals or stones is less
  than RM50,000.
DPMS reporting institutions are required to
conduct CDD on customers and persons
conducting the transaction when engaging in
any cash transaction equivalent to RM50,000
and above, including:
- in a single transaction or through several
  transactions in a day that appear to be
  linked and across all branches of the
  reporting institution;
- aggregate payments over a period of time
  for a single purchase; or
- for both buying and selling of precious
  metals or precious stones from or to
  customers.
In view of the above, CDD is not applicable if
the transaction does not involve sale of
precious metals or precious stones.
Specific CDD : Registered Estate Agents (REAs)
49 Are REAs required to conduct CDD
on both purchaser and seller, or
landlord and tenant of a property in
the case of co-broke or co-agency
transaction, where both, purchaser
and seller, or landlord and tenant
are respectively represented by
REAs?
In the event of a co-broke or co-agency
transaction, the REAs are required to conduct
CDD on their respective client. For example,
- REA A representing the purchaser is
  required to conduct CDD on the purchaser;
  and
- REA B representing the seller is required
  to conduct CDD on the seller.
In the absence of co-broke or co-agency
arrangement, REA is required to conduct
CDD on both parties to a property or tenancy
transaction. Please refer to Appendix A for
illustration.
Specific CDD : Licensed Gaming Outlet
50 Can the winning fund be paid to
third party instead of to the winner?
The AML/CFT requirements do not restrict
third party payment. However, in the case
that the payment is above RM50,000, the
reporting institution must conduct CDD on the
third party i.e. either as person conducting the
transaction or beneficial owner.
Politically Exposed Persons
51 What is the extent of checking
required to ascertain information on
close associates or family members
of PEPs, as a basic internet search
may not reveal the required
information? Does Bank Negara
Malaysia maintain a central
database of PEPs?
Reporting institutions are encouraged to
develop internal references or database in
identifying family members or close
associates of PEPs. Alternatively, reporting
institutions may also refer to public or
commercial databases and supplement this
with a customer’s self-declaration.
Bank Negara Malaysia does not maintain a
central database on PEPs, family members
and close associates of PEPs.
52 To what extent is the reporting
institution required to identify the
connectivity to a PEP especially
where the connection with close
associate can be through multiple
layers e.g. close associates of PEP
setting up a company with another
person(s), work colleagues, etc.?
The identification of close associates should
be on a best effort basis, based on
information obtained and available to the
reporting institutions and subject to the risk
assessment of the reporting institution.
In the case of personal relationships, this can
be deduced based on the social, economic
and cultural context which can determine the
closeness of the relationship.
Reliance on Third Parties
53 Can reporting institutions rely on
third parties to conduct CDD?
Reporting institutions may rely on third
parties for the conduct of CDD or to introduce
business provided that the relationship
between the reporting institution and the third
party is governed by an arrangement
that clearly specifies the rights,
responsibilities and expectations of all
parties, as required under paragraph 16.5 of
the Policy Document.
Nevertheless, the conduct of CDD is the
ultimate responsibility of the reporting
institution, which must ensure that it is able to
obtain the CDD information from the third
party immediately upon request.
Sharing of data is allowed strictly for CDD
purposes and subject to prerequisites stated
in the above paragraphs.
Reporting institutions are to take note that
‘third parties’ in the context of paragraph 16
refers to another reporting institution
supervised by Bank Negara Malaysia. It does
not include outsourcing or agency
relationships because the outsourced service
provider or agent would be regarded as
synonymous with the reporting institution.
54 What form of “attestation” is
required from the third party under
paragraph 16.6 of the Policy
Document?
The “attestation” can be in any form that is
mutually agreed by both parties.
The “attestation” should clearly specify the
rights, responsibilities and expectations of all
parties and satisfy the requirements stated
under paragraph 16 of the Policy Document.
Higher Risk Countries
55 How do reporting institutions deal
with higher risk countries?
Paragraph 17 of the Policy Document deals
with higher risk countries that are called for
by the FATF or by the Government of
Malaysia as well as other jurisdictions that
have strategic AML/CFT deficiencies for
which they have developed an action plan
with the FATF.
This includes conducting enhanced CDD and
applying effective countermeasures, when
required.
For further details on dealing with customers
from higher risk countries, please see
Appendix B.
Reporting institutions should refer to the
FATF website for the latest list of higher risk
countries or the latest circular issued by Bank
Negara Malaysia and any changes to those
requirements at: https://amlcft.bnm.gov.my.
56 Where can reporting institutions
source for a list of higher risk
countries issued by the
Government of Malaysia?
Bank Negara Malaysia will publish any higher
risk countries that have been officially
specified by the Government of Malaysia, by
way of circular.
Such specification has yet to be made at the
date of the publication of this FAQ.
57 Are reporting institutions required to
refrain from providing services to
customers from higher risk
countries subject to a call for action
by FATF?
Reporting institutions are not required to refrain
from dealing with customers originating from
countries that are subject to a call for action
by the FATF. Clients from such countries are
subject to more stringent CDD
requirements as stipulated under the Policy
Document.
Cash Threshold Report (CTR)
58 Are all reporting institutions under
the AMLA required to submit
CTRs?
At the time of publication of this FAQ, CTR
obligation of RM25,000 and above in a day,
pursuant to section 14(1)(a) of the AMLA, is
applicable only to banking institutions,
selected prescribed development financial
institutions, Lembaga Tabung Haji and
licensed casino.
Other reporting institutions are not yet
required to submit CTR.
Nevertheless, Bank Negara Malaysia will
continue to conduct assessments on
reporting institutions from time to time.
Reporting institutions will be notified if the
CTR obligations become applicable to them.
Suspicious Transaction Report (STR)
Reporting Mechanism
59 Can a member of the senior
management of the reporting
institution, who is not the appointed
compliance officer, evaluate and
report suspicious transactions to
FIED, BNM?
Only the appointed compliance officer has
the sole discretion and independence to
evaluate and report suspicious transactions
to FIED, BNM.
In this regard, the reporting institution must
ensure that the appointed compliance officer
has sufficient stature, authority and
seniority within the reporting institution to be
able to make effective AML/CFT related
decisions, including STR submission.
60 What is the threshold for reporting
of suspicious transaction?
There is no threshold for reporting of
suspicious transaction. It is based on any
suspicion that arises when establishing
business relationship or conducting a
transaction regardless of any amount.
However, a reporting institution may set an
internal threshold based on the reporting
institution’s own risk assessment.
61 Should reporting institutions
continue to submit STRs for the
same customer or should reporting
institutions update the details in the
previous STR case filed?
As per paragraph 19.2.10 of the Policy
Document, where an STR has been lodged,
reporting institutions may opt to update or
make a fresh STR as and when a new
suspicion arises.
Reporting institutions are encouraged to
submit a new STR if there is new critical
information. Where a new STR is submitted,
reporting institutions should include the
previous reference number (or date of
submission, if submitted manually) as part of
the reporting description.
Internally Generated STRs
62 What is the duration for the
reporting institutions to maintain the
internally generated reports and
supporting documents?
These reports and supporting documents are
to be kept for at least 6 years, as specified
under the Record Keeping requirements in
paragraph 21.3 of the Policy Document.
63 Can reporting institutions maintain
internally generated reports in soft
copy form, e.g. excel format?
Reporting institutions must ensure that any
internal STRs and supporting documents or
records are made available to the
relevant supervisory authorities upon
request, as required under paragraph 19.4.2
of the Policy Document. The information must
be maintained in a form that is admissible as
evidence in court pursuant to the Evidence
Act 1950.
Record Keeping
64 Is the record keeping requirement
applicable to attempted customers?
The record keeping requirement is only for
existing customers who have entered
business relationship with reporting
institutions, and is not applicable to attempted
customers.
However, if an STR has been submitted on
an attempted transaction or customer, the
relevant records must be kept and be made
available if required by law enforcement
agencies or the supervisory or competent
authorities.
65 Where documents are kept in
multiple different forms (e.g.
physical copies or in electronic
format), what is the expectation on
the requirements?
Reporting institutions must ensure that all the
retained forms of record keeping remain
relevant and are kept up-to-date. They must
also conform to section 15 of the AMLA on
centralisation of information collected to
provide timely information to reporting
institutions to enable detection of
irregularities and/or any suspicious activity.
The information must also be maintained in a
form that is admissible as evidence in court
pursuant to the Evidence Act 1950.
Management Information System (MIS)
66 Is there any restriction for reporting
institutions to keep their MIS’ server
offshore?
There is no restriction on how the
centralisation of CDD information and
transaction monitoring should be performed,
as long as the MIS is able to provide the
reporting institutions with timely information
and enable the reporting institution to detect
any irregularity. In addition, the reporting
institutions must be able to provide records,
when required by the supervisory or
competent authorities or law enforcement
agencies, in a timely manner.
Reporting institutions need to assess and
satisfy themselves that such arrangement of
the infrastructure is in compliance with other
secrecy obligations pertaining to customer
information, where applicable.
Targeted Financial Sanctions
Definition
67 What is the definition of “without
delay”?
“Without delay”, in respect of maintenance of
sanctions list and freezing, blocking and
rejecting is ideally within a matter of hours of
designation by the United Nations Security
Council (UNSC) or its relevant Sanctions
Committee or the Minister of Home Affairs.
The aim is to prevent the flight or dissipation
of funds or other assets which are linked to
terrorists, terrorist activities, financing of
terrorism or financing of proliferation of
weapons of mass destruction.
Reporting institutions may refer to the
following websites for the lists:
UNSCR Lists:
https://www.un.org
Domestic List:
http://www.federalgazette.agc.com.my
Maintenance of Sanctions List
68 How often do the UNSCR Lists
and Domestic List get updated?
How can reporting institutions know
when there is an update?
Reporting institutions are required to keep
updated with the UNSCR Lists and Domestic
List, which are updated without any
specific intervals.
In this regard, reporting institutions shall refer
to the UNSCR and Ministry of Home Affairs'
websites (and the relevant subsidiary
legislation or Gazette Orders) regularly to
ensure the lists maintained remain updated
and relevant.
69 Does the delisting of individuals
and entities from UNSCR list
automatically remove them from
the Domestic List?
No. Removal from UNSCR list does not
automatically mean that the entities are
removed from the Domestic List. The
delisting from Domestic List will only take
effect upon publication of the Gazette to
declare the removal of such specified entities
through the relevant subsidiary legislation
issued by the Minister of Home Affairs.
Sanctions Screening
70 Are reporting institutions required to
screen every director, shareholder,
nominee and company names
against the UNSCR Lists and
Domestic List for legal person
customers?
Reporting institutions are required to conduct
sanctions screening on existing, potential
or new customers against the UNSCR Lists
and Domestic List which state names and
particulars of specified or designated entities
as declared by the UNSC or Minister of Home
Affairs, as part of the customer due diligence
process and on-going due diligence.
For customers which are legal persons,
reporting institutions are required to
screen the name of the customer, i.e.
companies, bodies corporate, foundations,
partnerships, or associations and other
similar entities, as well as the beneficial
owners, i.e. directors, shareholders including
nominees, against the sanctions lists.
71 In conducting sanctions screening,
reporting institutions may perform
name searches based on a set of
possible permutations. What does
this refer to?
This refers to various ways of conducting
search against the UNSCR Lists and
Domestic List, for example, varying sequence
and order of keywords of a name or the use
of different spelling of a name, to prevent
unintended omissions.
Further, to eliminate false positives, reporting
institutions may make enquiries for additional
information and identification documents
from the customer or credible sources to
assist in determining whether the potential
match is a true match or may direct any query
to FIED, BNM, in the case of similar or
common names.
Dealing with False Positive
72 Must reporting institutions match all
identifiers for parameters of a true
match or could matching at least 2
of the identifiers be sufficient?
Reporting institutions are required to
ascertain that potential matches are true
matches and not false positives. It is the
reporting institution’s responsibility to take
further measures or steps (e.g. make further
inquiries for additional information, etc.) to
determine whether the potential match is a
true match.
Reporting institutions are to ensure that the
identifiers are strong and corroborative for the
reporting institution to make their own
assessment on the parameters used to
ensure true matches.
Related Parties
73 Who would fall under the definition
of “related parties”?
Related party refers to:
(a) a person related to the funds, other
financial assets or economic resources
that are wholly or jointly owned or
controlled, directly or indirectly, by a
designated person; and
(b) a person acting on behalf or at the
direction of a designated person.
Based on the above, it may extend to
shareholders, directors, authorized person,
senior management and also the beneficial
owner.
Freezing, Blocking and Rejecting – Customers and Related Parties
74 In the event of name match after
funds have been deposited into the
reporting institution’s clients
account, how are such funds to be
treated?
Reporting institutions are required to hold or
freeze funds deposited by a listed individual
or entity into their clients’ account until its
delisting or the sanction is lifted.
75 In relation to targeted financial
sanctions, are reporting institutions
allowed to inform the customer why
their accounts or transactions have
been frozen, blocked or rejected?
Reporting institutions are only allowed to
inform the customer on the reason why the
account or transaction has been frozen,
blocked or rejected for publicly listed names,
e.g. under the Gazette Orders, UNSCR Lists,
etc.
76 Is there a need for the reporting
institution to freeze a loan or
financing account or pawn items in
the event of name match against
the sanction lists?
A loan / financing account should not be
frozen and can continue to receive
repayments. However, when the repayment
is completed, the property, pawn items or
vehicle, if any, must not be redeemed,
transferred or sold.
77 Can reporting institutions transfer
any funds from a frozen account to
the Registrar of Unclaimed Moneys
under the Unclaimed Moneys Act
1965?
Funds are to remain frozen as long as the
specified entities remain listed. No dealing
with the funds is allowed, which includes the
transfer of funds to the Registrar of
Unclaimed Moneys.
78 Can reporting institutions decide to
freeze, block or reject any positive
matches with individuals or entities
listed in other unilateral sanctions
lists?
In relation to unilateral sanctions lists such as
those by the US Department of Treasury, the
decision whether to freeze, block, reject or
conduct transaction with persons listed under
the unilateral list should be based on the
reporting institution’s own assessment and its
risk appetite.
Reporting institutions may consider
submitting STR on any positive name match
with individuals or entities listed in other
unilateral sanctions list.
Allowable transactions
79 Are reporting institutions permitted
to receive payments for loan or
financing account of the specified
entities?
Yes. Reporting institutions are permitted to
receive payments into the specified entities'
loan or financing accounts. However, should
the payment be for the purchase of assets,
the assets should remain frozen even after
the full settlement of the financing facilities
i.e. no transfer of ownership to the specified
entity or a third party.
In the event of any non-payment of loans, the
reporting institution shall not proceed with
legal action or any subsequent court process
without prior application to, and approval by:
(a) the Minister of Home Affairs for Domestic
List and UNSCR Lists for terrorism
financing; or
(b) the Strategic Trade Controller for
UNSCR Lists for proliferation financing
and other sanctions regimes.
80 Can reporting institutions close any
account where loans are not
serviced?
Reporting institutions may close any account
where loans are not serviced, only upon
approval from:
(a) the Minister of Home Affairs for Domestic
List and UNSCR Lists for terrorism
financing; or
(b) the Strategic Trade Controller for
UNSCR Lists for proliferation financing
and other sanctions regimes.
Reporting on Positive Name Match
81 In the event of a positive match, are
reporting institutions required to
submit STR to FIED, BNM in
addition to the submission of a TFS
determination report?
Yes. Submission of STR is still required in
addition to submission of TFS determination
report. The STR should contain further
information beyond the information reported
in the TFS determination report, for example,
details of related transactions or parties.
82 If there is no name match with the
specified entity or designated
person, is a reporting institution still
required to submit the
determination and periodic
reporting forms?
Reporting institutions are not required to
submit determination or periodic reporting
form in the event of no name match with the
specified entity or designated person.
Appendices
Forms and Template
83 Are the forms and templates
intended as a guide or must be
incorporated in the reporting
institution’s policies and
procedures?
They are a combination of forms intended as
guidance and forms that are compulsory to
use, as follows:
- Forms or templates under Appendices 3, 4
  and 9 are intended as guidance, which
  can be amended and incorporated as part
  of the policies and procedures
  accordingly.
- Forms under Appendix 5 for suspicious
  transaction reporting, as well as
  Appendices 6A, 6B, 7A and 7B for
  targeted financial sanctions reporting
  must be adopted as is.
APPENDIX A
Sector Specific CDD for REAs
CDD on both parties to a property sale and purchase or tenancy
transactions
APPENDIX B
End of document.