Chapter XI
Appendices
Before detailing each of the threats it is necessary to give
some thought to how the threat matrix is put together and its
implications. It is clear that the
matrix is divided into four quadrants.
The further an item is placed to the right, the greater its impact will
be on jurisdiction or firm. Similarly,
the higher up on the matrix the threat appears, the greater the likelihood of
its occurrence.
It would therefore fall to reason that the top right
quadrant presents the highest risk category:
Figure 3 – Threat Matrix , Highest risk category
But is the dedication of resources to mitigate these risks
the best utilisation of a firm’s time and effort? The argument is that if these risks are
completely mitigated then the firm will not suffer reputational damage as they
fall under the highest impact category.
But because it is very likely that this risk will affect a firm, then no
amount of resource allocation can effectively mitigate the risk. However, by addressing the risks posed by the
threats in the High Impact-Low Likelihood and High Likelihood-Low Impact
quadrants, the firm automatically mitigates the risks of this quadrant.
Figure 4 – Threat Matrix, Lowest risk category
Dedicating resources to mitigate low risk and low likelihood
threats would also be wasteful as these are unlikely to seriously impact on the
firm or its customers.
This leaves the firm facing two other quadrants, those of
high likelihood and little impact and those of high impact but low
likelihood. These are represented by the
top-left and bottom-right quadrants respectively;
Figure 5 – Threat Matrix, quadrants to tackle
It is by dedicating resources to each of these quadrants
that a firm can use its resources more effectively. Any systems of control implemented by a firm
to address the risks posed by these threats will have a tangible effect on the
number and impact of any occurrence.
The measures introduced by a firm to address the threats in
these two quadrants will automatically mitigate those that give rise to the
risks from the threats seen in the high impact, high likelihood quadrant.
This appendix outlines a sample rating methodology to score
each of the risk elements. Compliance
with this methodology is not compulsory where a firm already has a system in
place which adequately covers the requirements of the Notes. This appendix should be read, therefore, as a
guide to the implementation of new systems in a fairly simple business
environment.
Each firm will need to decide on their own methodology for
rating the risks as it applies to their own business environment and the
systems of control which it has in place to mitigate the risks that it faces.
As outlined in page 30, customer risk is defined primarily
by the nature of the customer’s source of income or wealth and how easy it
would be for the firm to verify this.
Taking, as an example, the customer risk for an individual
on this basis, the following risk rating scale for individuals could be
applicable to many firms;
Figure 6- Example of a simple risk rating methodology
for assessing customer risk.
As indicated above it is clear that the Notes impose upon
the firm an increasing obligation as to the level of Due Diligence required to
be conducted based upon the perceived risk posed by the customer. However, there is a point on this scale where
enhanced due diligence becomes a requirement.
Each firm will have its own views as to where on that scale
different customers fall and the range of customers will also vary depending on
the firm’s business.
Firms must have documented senior management’s decision on
the basis of such a rating methodology and its practice must be matched with
the methodology.
This rating scale can then be directly linked to the firm’s
internal procedures for obtaining due diligence evidence when establishing a business relationship.
Figure 7 – Linking Customer Risk with Due Diligence
Requirements.
Firms may also decide to have separate scales for each type
of customer type. For example, Figure 8 – Sample customer rating scale and Due Diligence requirements for
legal entities below shows the same rating scale being applied for
corporate and trust structures.
Where each of the above fits on the rating scale and where
the “line is drawn” for the firms risk tolerance is left up to the firm as is
the amount of documentary evidence to support the process. What is required is that the firm is able to
demonstrate how these have been arrived at.
Figure 8 –
Sample customer rating scale and Due Diligence requirements for legal entities
The following chart illustrates how the same methodology can
be applied to scoring for the risks of a product being offered to the customer.
Figure 9 - Sample product risk rating scale.
The due diligence requirements can be easily linked to the
risk score as is demonstrated below.
Figure 10 – Sample interfacing risk scale.
Figure
11 below demonstrates how an increasing risk posed by
the country of the source of wealth requires additional due diligence.
Figure 11 –
Sample country risk scale
The four risk elements (Customer, Country, Product and Interfacing)
must be combined in order to provide the firm with a risk profile for that
business relationship. This profile can
be combined with the firm’s own risk profile to easily identify where the firm
is required to conduct enhanced due diligence procedures (EDD).
As shown in Appendix
2 – Scoring Risk Elements, a firm may choose, for example to provide numerical
values to the different constituents of each element. In the example below, these have been given a
maximum score of 10 for each element. By
considering the characteristics of each constituent the total for each risk
element can be plotted on a simple chart.
Using preset criteria, the firm can quickly assess the risk
that a given business relationship poses to the firm. The example in Figure 12 shows an example where the proposed business
relationship profile is below the firm’s own risk profile. In this case the firm will only need to
perform the minimum due diligence requirements set out in these Notes and those
required by its own systems of control.
Figure 12 – Example of risk profiling where complete
customer profile fits with the firm’s risk tolerance.
However,
the same firm may be faced with a proposal to enter into a new business
relationship where the customer element of the risk profile exceeds the firm’s
own risk tolerance. Two things can
happen, the firm can refuse to transact this business, or, by conducting
additional due diligence checks on the customer, decide to accept it.
Figure 13 – Example of risk profiling where EDD is
required
A risk-profiling technique, as illustrated here, allows a
firm to quickly determine the risk posed by a business relationship. By combining the four risk elements into a
single chart, senior management can quickly and easily determine whether the
business relationship falls within the risk appetite of the firm and therefore
within the existing systems of control.
The jurisdictions that can be regarded as having equivalent legal
frameworks for due diligence requirements purposes fall into the categories of:
• EU Member
States
• EEA Countries
• UK
Crown Dependencies
All member countries of the European Union (which, for this
purpose, includes Gibraltar as part of the UK) are required to enact
legislation and financial sector procedures in accordance with the European
Money Laundering Directives.
However, EU Directives are drawn up as a series of
high-level requirements and significant variations currently exist in the
measures that have been taken to transpose the Directives into national laws
and regulations. It should also be noted
that, whilst many EU Member States are also members of FATF, some have not yet
implemented the revised FATF Recommendations that were approved and published
in June 2003 and that evaluations completed before this date will be based on
the 1996 version of the FATF Recommendations.
|
EU Member States
|
|
|
Austria
|
Latvia
|
|
Belgium
|
Luxembourg
|
|
Cyprus
|
Lithuania
|
|
Czech
Republic
|
Malta
|
|
Denmark
|
Netherlands
|
|
Estonia
|
Poland
|
|
Finland
|
Portugal
|
|
France
|
Slovakia
|
|
Germany
|
Slovenia
|
|
Greece
|
Spain
|
|
Hungary
|
Sweden
|
|
Ireland
|
United
Kingdom
|
|
Italy
|
|
All EEA countries and Switzerland have undertaken to
implement the European Money laundering Directives and some are also FATF
member countries. However, as with EU
Member States, variances can be expected to occur in the nature of their laws
and regulations to prevent money laundering and to counter terrorist financing
and the standards of compliance monitoring in respect of credit and financial
institutions will also vary.
EEA
Member Countries & Switzerland
Iceland
Liechtenstein
Norway
Switzerland
UK Crown Dependencies
The Isle of Man, Guernsey and Jersey (the UK Crown
Dependencies) all voluntarily undertake to implement anti-money laundering and
terrorist financing legislation, regulation, and financial sector measures that
meet international standards and that are broadly equivalent to the EU
Directive and measures in place within Gibraltar. Following successful FATF-style mutual
evaluations that were undertaken during 2000, IMF evaluations were completed on
all three jurisdictions in 2003.
The IMF evaluators made a number of recommendations for
change in each jurisdiction to bring them into line with the revised FATF
recommendations and these changes are currently being implemented.
In February 2000, FATF published a Report setting out the
criteria for identifying those countries and territories that are not cooperative
in the international fight against money laundering. In June 2000, June 2001 and September 2001,
following evaluations of a number of countries against this set of criteria,
the FATF published a list of jurisdictions that were identified as non-cooperative.
No new jurisdictions have been reviewed or added to the list since 2001.
When constructing their internal procedures, firms should
have regard to the need for additional monitoring procedures for transactions
from countries that remain NCCT classified.
Additional monitoring procedures will also be required in respect of
correspondent relationships with financial institutions from countries on the
non-cooperative country list. When
considering what additional procedures are required, firms should take into
account the following FATF assessment of the progress that has been made.
Care must also be exercised and additional requirements
imposed in relation to any of the original 23 jurisdictions on the list and
particular attention paid to the reasons why the jurisdiction was
de-listed. In many cases a jurisdiction
may have been de-listed on the basis of commitments and undertakings given rather
than on actual progress to address the original deficiencies.
Myanmar (Burma) Additional FATF countermeasures that were imposed with
effect from 3 November 2003 were withdrawn in October 2004 because of the
progress that has been made, although the country remains on the NCCT list and
special attention to transactions and business is still required.
The UN Security Council maintains a range of country-based
financial sanctions that target specific individuals and entities connected
with the political leadership of targeted countries. Each UN sanctions regime
has a relevant Security Council Committee that maintains general guidance on
the implementation of financial sanctions and current lists of targeted persons
and entities. The list of currently applicable Security Council Resolutions can
be found at
www.un.org/Docs/sc/committees/INTRO.htm.
The EU directly implements all UN financial sanctions
against countries/regimes; it can also initiate autonomous measures under the
auspices of its Common Foreign and Security Policy. Detail on UN derived and EU
autonomous financial sanctions regimes (including targets) is available on the
European Commission’s sanctions website,
europa.eu.int/comm/external_relations/cfsp/sanctions/measures.htm.
In addition to the above, a number of countries and
territories, as well as undertakings and individuals connected to them, are
subject to sanctions and other measures under Gibraltar statute which requires
firms to take action to prohibit;
§
the export of goods to those countries or
territories
§
the transfer of technology
§
the facilitation of technical assistance
§
the facilitation of funds.
In certain circumstances, firms are required to freeze funds
from designated undertakings and/or individuals.
As the legislation prohibits the above unless a licence has
been granted, firms may find themselves participants in arrangements which
breach these provisions, through the activities of their customers, and as such
must take the necessary measures to ensure that these sanctions are not being
breached.
These restrictions are imposed under the Export Control Act
2005 and various Orders made there under.
At present the Orders that are in force are;
§
Export Control (Sanctions Etc) Order 2005 and
§
Export Control (Sanctions Etc) Order 2006.
The following is a summary of the measures that are
presently in force under these two Orders;
|
Country/Territory
|
Export of Goods
|
Transfer of Tech-nology
|
Technical Assistance
|
Making funds available
|
Freezing of Funds
(Designated under-takings and Individuals)
|
|
Angola
|
ü
|
ü
|
ü
|
|
|
|
Belarus
|
ü
|
ü
|
ü
|
|
|
|
Burma
|
ü
|
ü
|
ü
|
ü
|
|
|
Cote
d’Ivoire
|
ü
|
ü
|
ü
|
|
|
|
Democratic Republic of Congo
|
ü
|
ü
|
ü
|
|
|
|
Eritrea
|
ü
|
ü
|
ü
|
|
|
|
Ethiopia
|
ü
|
ü
|
ü
|
|
|
|
Indonesia
|
ü
|
ü
|
ü
|
|
|
|
Iraq
|
ü
|
ü
|
ü
|
|
|
|
Kuwait
|
ü
|
ü
|
ü
|
|
|
|
Lebanon
|
ü
|
ü
|
ü
|
|
|
|
Liberia
|
ü
|
ü
|
ü
|
ü
|
|
|
Macedonia,
and Serbia and Montenegro
|
ü
|
ü
|
ü
|
|
|
|
Moldova
|
|
|
|
ü
|
ü
|
|
Sierra
Leone
|
ü
|
ü
|
ü
|
|
|
|
Somalia
|
ü
|
ü
|
ü
|
|
|
|
Sudan
|
ü
|
ü
|
ü
|
|
|
|
Syria
|
ü
|
ü
|
ü
|
|
|
|
Uzbekistan
|
ü
|
ü
|
ü
|
|
|
|
Zimbabwe
|
ü
|
ü
|
ü
|
ü
|
ü
|
Further legislative provisions exist which impose
restrictions on carrying out transactions with Countries/Territories and designated
undertakings and/or individuals. For
example,
§
The Federal Republic of Yugoslavia
(Freezing of Funds and Prohibition on Investment) Regulations, 1999,
§
Burma (Freezing of Funds and Economic Resources)
(no.2) Regulations 2005.
Firms should ensure that the provisions of these statutory
instruments are not being breached through the activities of their customers.
(To be completed by an Eligible Introducer
conducting relevant financial business)
NAME
OF APPLICANT: ......................................................................................
ADDRESS
OF APPLICANT:
......................................................................................
......................................................................................
......................................................................................
...................................................................................................................................
I/WE
CERTIFY THAT in accordance with the provisions of the Gibraltar Crime
(Money Laundering and Proceeds) Act
2007 and the Guidance Notes as amended from time to time, or
equivalent legislation to implement the EC Directive.
1 We have verified the identity of the
Applicant and confirm that documentary evidence has been obtained and identity
checks have been undertaken to confirm that the applicant(s) name(s) and
address(es) as shown on the Applicant Form(s) is correct.
2
We
have verified the original documentation and the information contained
therein. We attach copies of the
documentation to this certificate, confirm that any additional KYC original
documentation will be retained in our records, and that we will make these
available on request to yourselves without delay upon request.
3 The Applicants(s) is/are applying on
his/her own behalf and not as nominee, trustee or in a fiduciary capacity for
any other person.
Name of Eligible Introducer: ....................................................................................
FSC Licence/Authorisation Number: ..........................................................................
This form may only be signed by two
senior officers of the Eligible Introducer.
Signed: ........................................... Full
Names:
Job Title: Date:
Signed: ........................................... Full
Names:
Job Title: Date:
............................................................
APPENDIX F1
Notes To An Eligible Introducer Completing The Applicant
Introduction Certificate
1. The full name
and address of the applicant must be given at the top of the Certificate. The wording may be either adapted for joint
account holders or a separate certificate completed for each. [Where the applicant is a Trust, a separate
Certificate must be completed in respect of each Trustee or settlor whose
identity has been verified].
2. The complete
Certificate may be used by the institution as evidence of the identity and
address of the applicant, and should be retained on file by the institution for
the required period.
3. Although
identity must be verified without applying any exemptions or concessions that
might be normally available to the Introducer, it is not necessary for the
Introducer, to provide details of how the verification was carried out.
4. The
Certificate must be signed by senior officers of the Eligible Introducer and
details of the Introducer’s firm, etc., inserted as shown. If an incomplete Certificate is received, it
should be returned immediately to the Eligible Introducer for completion.
To: (Address of bank
or building From:
[stamp of branch
society to which request is sent) sending the letter]
Dear Sirs
REQUEST FOR VERIFICATION OF CUSTOMER
IDENTITY
[Please Note: This is not a Status
Enquiry]
In accordance with
the Gibraltar
Crime (Money Laundering and Proceeds) Act 2007 and Drug Trafficking Offences Act 1995
and the Anti Money Laundering Guidance Notes we write to request your
verification of the identity of our prospective customer detailed below.
Note: This form should be used in exceptional
cases only and not as part of normal procedures. Requests for the verification of identity
should only be sought from another financial institution if such verification
cannot be obtained from other sources. Enquiring institutions may be asked to
explain what enquiries have already been made to verify identity
independently.
FULL NAME OF
CUSTOMER:
Title
(MR/MRS/MISS/MS) SPECIFY
Address including
postcode: ....................................................................................
(as given by
customer)
Date of birth (if
known) Account Number:
Example of
customer’s signature:
Please respond
positively and promptly by returning the tear-off portion below
----------------------------------------------------------------------------------------------------------------------
To: The Manager
(originating branch) From:
(branch stamp)
Request for
verification of the identity of [title and full name of customer]
With reference to
our enquiry dated we:
1. Confirm that the above customer *is/is
not known to us.
2. *Confirm/cannot confirm the address
shown in your enquiry.
3. * Confirm/cannot confirm that the
signature reproduced in your enquiry appears to be that of the above customer.
The above information is given in
strict confidence for the purpose of
Crime (Money Laundering and Proceeds) Act 2007 Drug Trafficking Offences Act 1995 Regulations,
for
your private use only, and without any guarantee or responsibility on the part
of this bank/building society* or its officials.
*delete as applicable.
|
To: Gibraltar Financial Intelligence Unit
Suite 832 Europort
Fax: 70233 Tel: 70211 / 70295
|
From:
|
|
|
Tel:
|
|
|
Fax:
|
DISCLOSURE UNDER THE
DRUG TRAFFICKING OFFENCES ACT 1995, CRIME (MONEY LAUNDERING AND
PROCEEDS) ACT 2007 AND/OR THE TERRORISM ACT
|
Your
Ref:
|
GFIU Ref.
DIS:GEN\
|
Incident Date:
|
|
Main Subject (Person)
|
|
Surname(s)
|
|
|
Forename(s)
|
|
|
Address
|
|
|
Telephone(s)
|
|
|
Aliases
|
|
|
Gender
|
Male FORMCHECKBOX Female FORMCHECKBOX
|
|
Nationality
|
|
|
Passport Number
|
|
|
ID Card Number
|
|
|
Date of Birth
|
|
|
Place of Birth
|
|
|
Occupation
|
|
|
Place of Work
|
|
or Company
|
Name
|
|
|
Registered
Address
|
|
|
Incorporation No.
|
|
|
Type of Business
|
|
|
Other Particulars
|
|
Account(s) Disclosed On
|
Number
|
|
|
Held at
(Institution)
|
|
|
Sort Code
|
|
|
Account Type
|
|
|
Date Opened
|
Date Closed
|
|
|
|
2nd Account
|
Number
|
|
|
Held at
(Institution)
|
|
|
Sort Code
|
|
|
Account Type
|
|
|
Date Opened
|
Date Closed
|
|
|
|
Associate(s) - Person
|
Surname(s)
|
|
|
Forename(s)
|
|
|
Aliases
|
|
|
Gender
|
Male FORMCHECKBOX Female FORMCHECKBOX
|
|
Nationality
|
|
|
Passport Number
|
|
|
ID Card Number
|
|
|
Date of Birth
|
|
|
Place of Birth
|
|
|
Occupation
|
|
|
Place of Work
|
|
|
Reason for
Association
|
|
Associate(s) - Company
|
Name
|
|
|
Registered
Address
|
|
|
Incorporation No.
|
|
|
Type of Business
|
|
|
Other Particulars
|
|
|
Reason for
Association
|
|
Constructive Trust FORMCHECKBOX
Suspicion
Transaction Details
|
Amount
(Currency)
|
Source (account, sort-code, institution, account name)
|
Destination (account, sort-code, institution, account
name)
|
Type (cheque, cash, SWIFT)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you require more space, please continue
on a separate disclosure form
Submitted By (MLRO) Signature
Date Submitted ____/___/20___
This page has been
left blank intentionally
To
: the
Board/Partners
Of
: name
of firm
Period
of report
from
: dd
MMMM yyyy
to
: dd
MMMM yyy
Presented
to the Board/Partners on : dd MMMM
yyyy
Re :
Annual Report by the MLRO to the Board on the effectiveness of the firm’s
systems of control in relation to managing money laundering/terrorist financing
risk.
As required by the Guidance Notes on the
prevention of money laundering and terrorist financing I submit to the
Board/Partners of the firm the Annual Report which is required by Requirement
10 of the said notes.
The Board is reminded that under Requirement
11 this report must be formally considered and must take any necessary action
to remedy deficiencies identified in it, in a timely manner.
1. Summary
The following summarises the requirements of
the notes;
a. Numbers and types of internal suspicious
transaction reports that have been made internally and the number of, and
reasons why, these that have or have not
been passed onto GFIU;
b. Areas where the operation of AML/CFT
controls should be improved, and proposals for making appropriate improvements;
c. Progress of any significant remediation
programmes (if any); and
d. Outcome of any relevant quality assurance
or internal audit reviews of the firm’s AML/CFT processes, as well as the
outcome of any review of the firm’s risk assessment procedures
2. Threat Matrix
The board is also asked to review the
existing threat matrix (attached) for its continued applicability and to
suggest, if appropriate, amendments.
3. Systems of Control
The Board must review the attached Compliance
Report against requirements of these Anti-Money Laundering and Terrorist
Financing Notes and where deficiencies have been identified to set out the
action plan to correct or improve the systems of control.
Signed
Money
Laundering Reporting Officer
Date
Signed
Senior Manager with Money
Laundering/Terrorist Financing Prevention responsibilities
Date
