Addressing AML Risks in Your Third-Party and Vendor/Supplier Relationships (Part II of III)
Global companies should incorporate AML risks into their risk analysis of their third-party distributors, agents and other intermediaries. The basic questionnaire, due diligence risk analysis, contractual provisions, training, and partner code of conduct should reflect attention to this risk.
To the extent that global companies rely on a network of third-party distributors and sub-distributors, global companies should include contractual provisions to flow down policies and requirements to sub-distributors and other entities in the distribution chain.
Global companies also should examine their vendors and suppliers for potential AML risks. In contrast to their distribution channel, where global companies receive money, global companies’ AML risks are less significant in their supply chain because of the lower risk that a supplier’s supplier (or vendor’s vendor) may be involved in criminal activity and attempting to launder proceeds through the sale of a product or service.
Global companies face AML risk through two primary money laundering techniques: (1) trade-based money laundering, where criminals use cross-border transactions to obfuscate the source or destination of funds, and (2) third-party payments, where money is paid to or received from an entity other than the one that provided or received the services, in order to transfer funds without using traditional banking routes subject to tighter financial controls.
Despite the comparatively low AML risk, for significant vendors and suppliers, global companies should conduct appropriate AML due diligence as part of the procurement process and incorporate AML issues into the procurement due diligence process.
As with their distributors, global companies should leverage their relationships with their major vendors and suppliers and enlist the support of those vendors and suppliers to mitigate AML risks further down the supply chain.
KYC CDD Best Practices
“KYC” refers to the steps taken by a financial institution (or business) to:
- Establish the identity of the customer
- Understand the nature of the customer’s activities (primary goal is to satisfy that the source of the customer’s funds is legitimate)
- Assess money laundering risks associated with that customer for purposes of monitoring the customer’s activities
A best-practices KYC program will include the following:
- Customer Identification Program (CIP): collection, verification and recordkeeping of customer identification information and screening of customers against lists of known criminals.
A CIP is the starting point for any KYC process. In the financial institution context, a best practice is for the relationship manager to initiate the CIP process but coordinate and communicate with the due diligence manager.
- Basic Customer Due Diligence (“CDD”) is information obtained for all customers to verify the identity of a customer and assess the risks associated with that customer.
- Enhanced Due Diligence (“EDD”) is additional information collected for higher-risk customers to provide a deeper understanding of customer activity to mitigate associated risks. Customer risk assessments can be used to determine which level of due diligence to apply (CDD v. EDD).
In implementing this component, clear, defined processes are essential. A consistent method of onboarding third parties indicates that an organization takes KYC seriously. All processes should be thoroughly documented to create a strong audit trail of decisions made. A company should keep an internal database with approved and disapproved third parties, vendors and suppliers to avoid duplication of effort.
At a minimum, due diligence should include confirmation of beneficial owners, sanctions list screening of beneficial owners and relevant entities, a check for politically exposed persons (“PEP”) involvement, and other government database checks. To confirm whether or not an owner is a PEP, global companies should initially identify the owners of the customer, conduct reference checks, review database sources and Internet checks, and, if necessary, interview the individual and possibly other owners.
In determining what level of due diligence is appropriate (CDD v. EDD), a company should look for “red flags” relating to:
- Location of the business
- Occupation or nature of business
- Purpose of the business transactions
- Expected pattern of activity in terms of transaction types, dollar volume, and frequency
- Expected origination of payments and method of payment
- Articles of incorporation, partnership agreements and business certificates
- Understanding of the customer’s customers
- Identification of beneficial owners of an account or customer
- Details of other personal and business relationships the customer maintains
- Approximate salary or annual sales
- AML policies and procedures in place
- Third-party documentation
- Local market reputation through review of media sources
EDD steps may include senior management approval, additional due diligence investigations, on-site visits, contractual certifications, third-party audits, and source of funds certifications.
Conducting EDD on all customers is burdensome and undermines the purpose of a risk-based AML Program. By nature, some customers will inevitably present lower risks than others.
- Ongoing Monitoring: The ongoing monitoring function includes oversight of financial transactions and accounts based on thresholds developed as part of a customer’s risk profile.
Best practices for financial institutions include transaction monitoring systems and refreshing due diligence information every six to twelve months.