2020-11-01

Framework for Effective Risk-Based Supervision of Designated Non-Financial Businesses and Professions in Nigeria

Nigerian regulatory authorities have issued this framework to establish a unified, risk-based supervision model for designated non-financial businesses and professions. The document mandates robust market entry controls, continuous on-site and off-site risk assessments, and coordinated enforcement actions across agencies like the NFIU and SCUML. It requires examiners to apply proportionate, dissuasive sanctions based on institutional risk profiles while ensuring consistent compliance with national and international AML/CFT standards.

Nigeria

Economic and Financial Crimes Commission

FRAMEWORK FOR EFFECTIVE RISK BASED SUPERVISION OF DESIGNATED NON-FINANCIAL INSTITUTIONS (DNFIs) IN NIGERIA

BACKGROUND

The overall effectiveness of a country’s AML/CFT regime requires recognition of the important synergies that exist between AML/CFT, prudential and business conduct supervision and between those supervisors and judicial/law enforcement authorities. AML/CFT examiners assess institutions’ policies, procedures and controls for identifying and managing ML/TF risk, and take remedial action where appropriate. It is not a “tick the box” approach; it requires judgment in understanding the characteristics and situation of every designated non-financial institution. In the event that weaknesses in risk management programmes or breaches of laws or regulations are identified, AML/CFT examiners should apply a proportionate range of remedial actions to address the identified weaknesses, including appropriate sanctions that may include designated non-financial penalties for more severe breaches of AML/CFT legal or regulatory requirements.

The effectiveness of a country’s supervisory regime is based on a number of factors, as set out in Immediate Outcome 3 of the FATF Methodology, including, but not limited to:

  a. How well do licensing, registration or other controls implemented by examiners or other authorities prevent criminals and their associates from holding, or being the beneficial owner of, a significant or controlling interest or holding a management function in DNFBPs? How well are breaches of such licensing or registration requirements detected?
  b. How well do the examiners identify and maintain an understanding of the ML/TF risks in the designated non-financial and other sectors as a whole, between different sectors and types of institution, and of individual institutions?
  c. With a view to mitigating the risks, how well do examiners, on a risk-sensitive basis, supervise or monitor the extent to which Designated Non-Financial Institutions are complying with their AML/CFT requirements?
  d. To what extent are remedial actions and/or effective, proportionate and dissuasive sanctions applied in practice?
  e. To what extent are examiners able to demonstrate that their actions have an effect on compliance by designated non-financial institutions?
  f. How well do the examiners promote a clear understanding by Designated Non-Financial Institutions of their AML/CFT obligations and ML/TF risks?

This supervisory framework is therefore necessary to serve as a guide towards achieving an effective and efficient risk-based supervision of the DNFBPs and improving the overall Nigerian AML/CFT compliance regime. The framework, if strictly followed, will ensure compliance with Recommendation 1 (assessing risks and applying risk-based approach), Recommendation 22 (regulation and supervision of DNFBPs), Recommendation 27 (powers of supervisors), Recommendation 34 (guidance and feedback), Recommendation 35 (sanctions), and Recommendation 40 (other forms of international cooperation), as well as Recommendation 2 (National cooperation and coordination).

OBJECTIVES AND SCOPE

The objective of this document is to describe the Nigerian AML/CFT framework to guide field examiners and other stakeholders in the fight against ML/TF, with the aim of enhancing effective supervision and enforcement. It is an important component of an effective anti-money laundering and countering financing of terrorism (AML/CFT) regime. The framework comprises a wide range of measures that include preventive measures and related sanctions and other remedial actions that AML/CFT examiners (including regulators) can apply, as well as separate yet complementary measures and actions by law enforcement and/or other relevant competent authorities.

Various government agencies, including SCUML, CAC, the Federal Ministry of Budget and National Planning and the NFIU, have supervisory functions in their laws to monitor and supervise the DNFIs sector or a sub-sector of the DNFIs. The LEAs, especially the Economic and Financial Crimes Commission (EFCC), also have some level of oversight functions to ensure compliance or to enforce compliance. Although there exists effective communication and coordination between AML/CFT examiners and law enforcement agencies, it is necessary to document the DNFIs supervisory framework to serve as a guide for all stakeholders with supervisory or enforcement functions, to encourage uniformity of procedure and to avoid overlapping responsibility, as well as to encourage cooperation and information sharing among stakeholders for better efficiency and effectiveness of the supervisory regime in Nigeria.

SUPERVISION MODEL

Nigeria adopted and uses the Integrated Approach in supervising the designated non-financial institutions and has equally added a supervisory function to the NFIU for enhanced monitoring and supervision of the DNFIs for compliance. The integration of AML/CFT supervision with the designated non-financial intelligence functions is intended to provide strong synergies, allowing a more targeted supervision based on identified ML/TF risks. This calls for the execution of an MoU between SCUML and NFIU to jointly carry out on-site examinations of DNFBPs periodically on a risk-sensitive basis, while they share information on the outcome of spot/target examinations that could be carried out separately, as the case may be.

MARKET ENTRY CONTROLS

Market entry controls (e.g., licensing or registration) are meant to prevent criminals or their associates from owning, controlling, holding a significant or controlling interest, or holding a management function in a designated non-financial institution. Such controls should be applied at the time of initial licensing or registration of the designated non-financial institutions, and also to the directors or members of senior management when new persons are appointed to these positions.

Examiners should ensure that all designated entities and their directors are fit and proper persons to conduct business and own businesses in Nigeria. They should also ensure that they are duly registered with the Corporate Affairs Commission and the Special Control Unit Against Money Laundering in Nigeria (SCUML). SCUML has stringent registration requirements, and all DNFBPs must comply before they are onboarded; these include conducting sanction screening of applicants and having information on the company objectives, structure, directors and beneficial ownership of the business. (Refer to SCUML Registration Guidelines on www.scuml.org.) SCUML may reject applications for registration for reasons of criminality, fitness or propriety, and may take appropriate action when applicants make misrepresentations that allow them to obtain a permit or license. Additionally, the CBN has directed all operators under its control not to allow DNFIs to fully operate an account unless they produce evidence of registration with SCUML. Examiners should check for changes in ownership with the CAC, and for the filing of returns and other statutory reports with the CAC and SCUML respectively, to ensure compliance with all applicable laws and regulations. They should also look out for red flags. Examples of red flags to look out for during the onboarding process include, but are not limited to, the following:

Red flags

  - Similar name is on sanction list or domestic list or Crime Data Center List (name matching)
  - Entities not registered by CAC/SRO
  - Entities with non-resident Nigerians as directors
  - Express trust
  - Nominee directors
  - Entities under criminal investigation
  - Entities intending to engage in business without the required license/permit
  - Having affiliation with, or being a subsidiary of, companies subject to criminal investigation in other countries
  - Parent company or subsidiaries are in high-risk countries
  - Operating in Free Trade Zone or Export Free Zone (EPZ)
  - Having all expatriates as directors and at senior management level without Expatriate Quota or exceeding expatriate quota allocation

These red flags are some of the instances where examiners may seek information from law enforcement, or share with the relevant authorities information discovered by the examiners or any third party conducting a fit and proper test and/or background check.

APPLICATION OF RISK BASED APPROACH BY DNFIs

In a risk-based regime, designated non-financial Institutions will adopt controls relevant to their business model and assessed risks, and thus not all designated non-financial Institutions will adopt identical AML/CFT controls. Furthermore, isolated incidents of AML/CFT deficiencies that do not rise to a systemic risk level may not necessarily invalidate the integrity of an institution’s AML/CFT controls. At the same time, designated non-financial Institutions should understand that a flexible RBA does not exempt them from applying effective AML/CFT controls. The RBA is not intended to be a “zero failure” approach; there may be occasions where an institution has taken all reasonable measures to identify and mitigate ML/TF risks, but it is still used for ML or TF purposes. Additionally, when designated non-financial Institutions do not effectively mitigate the risks due to a failure to understand risks, a failure to implement an appropriate risk-based approach, or the failure of a risk-based programme that was not adequate in its design, the competent authorities should take action to ensure designated non-financial Institutions correct any deficiencies in risk management and improve future compliance with AML/CFT requirements.

RULES OF CONDUCTING RISK BASED SUPERVISION

The examiner should take adequate measures to identify and understand the ML/TF risks faced by designated non-financial Institutions and sectors in Nigeria, and internationally. These risks include, at minimum, the ML/TF risks associated with designated non-financial institutions’ customers, products, geographical reach and delivery channels.

When assessing ML/TF risk, Designated Non-Financial Institutions and examiners should analyze and seek to understand how the ML/TF risks they identified affect them; the risk assessment therefore provides the basis for the risk-sensitive application of AML/CFT measures. Ongoing AML/CFT supervision comprises assessing the quality of controls designed to detect and deter ML and TF based on the assessed risks, including controls that are required by law or regulation. Such supervision is applied through off-site and on-site examinations, which can include questionnaires and dedicated meetings. The risk profiles of supervised entities should be reviewed periodically, including where there has been a change in circumstances, such as changes in management or business activities. Additionally, when determining the approach to supervision in a particular sector, in line with the RBA, examiners should consider the capacity and AML/CFT experience of the sector being supervised. Examiners may have greater expectations of sectors with greater AML/CFT capacity, which, in turn, should inform the examiner’s approach. In other words, what constitutes an effective supervisory approach for the Real Estate sector may not be a suitable approach for other types of Designated Non-Financial Institutions. Designated Non-Financial Institutions that are assessed as higher ML/TF risk by examiners should be subject to closer supervision, such as more frequent and/or more comprehensive AML/CFT examinations/inspections (e.g., where there are indications that a ML/TF risk may have crystallized). There should be an analysis and decision process underpinning this risk-based AML/CFT supervision.

RULES FOR EFFECTIVE SUPERVISION

  1. be risk-based, focusing on both major prudential and conduct of business risks, as well as a wide range of other risks, such as compliance risk, reputational risk, legal risk and ML/TF risks;
  2. be the result of a combination of off-site and on-site supervision;
  3. be based on having appropriate access to all the books and records of each supervised designated non-financial institution sufficient to collect the widest range of information that an examiner needs;
  4. include the international element of Designated Non-Financial Institutions or groups operating across borders by allowing for international cooperation (including arrangements for the sharing of confidential information with foreign counterparts).

SUPERVISORY EXAMINATION AND MONITORING PROCESSES

Nigeria has in place clear and adequate methodologies and procedures for off-site supervision and on-site inspections. Off-site monitoring tools include (self-assessment) questionnaires on the policies, procedures and controls in place in Designated Non-Financial Institutions. On-site assessment tools include, but are not limited to, assessing the adequacy of AML/CFT controls, such as management reporting and oversight. It also includes a review of the designated non-financial institution’s internal or external audits. Examiners should interview members of the Board of Directors, staff of various levels of seniority and with different functions (e.g. senior management; compliance; internal audit/control functions; and customer-facing staff), assess procedures and policies in place and/or conduct testing (e.g., review of customer files, testing effectiveness of a transaction monitoring system, suspicious activity reporting, training and integrity of staff) to assess effective implementation of the designated non-financial institution’s policies and controls. Sample testing is a particularly important tool when examining for compliance, both for risk-based and rules-based requirements. The examiners should ensure that officers carrying out AML/CFT inspections are adequately trained and have up-to-date knowledge of AML/CFT issues.
In addition to supervision at individual Designated Non-Financial Institutions, the examiner should conduct risk-based assessments across all or part of a designated non-financial sector where the examiner considers the risks warrant this approach: for example, where a group of designated non-financial Institutions face the same threats and vulnerabilities. The examiner should conduct consolidated AML/CFT supervision of the overseas branches and subsidiaries of Designated Non-Financial Institutions headquartered in Nigeria via off-site supervision and on-site inspections. The examiner should also take risk-sensitive measures to inspect or review a Designated Non-Financial Institution’s governance and controls over third party service providers where AML/CFT measures are outsourced to others as agents of the Designated Non-Financial Institution, in order to determine whether the inspected Designated Non-Financial Institution’s arrangements comply with its AML/CFT obligations.

DOMESTIC COORDINATION, COOPERATION AND INFORMATION EXCHANGE

To ensure timely exchange of information to facilitate the discharge by each authority of its responsibilities, all AML/CFT examiners and relevant agency stakeholders in the fight against ML/TF meet at the Inter-Ministerial Committee (IMC) meetings to address AML/CFT issues and share vital information. They have also executed MoUs among themselves. The issues discussed and resolved are disseminated to all concerned via the representatives of the various agencies for necessary actions; feedback is given to the secretariat of the IMC, and follow-up action is taken by the IMC where necessary to ensure compliance by the relevant agency. Some of the content of the MoUs, especially those with the NFIU, includes exchange of information (including information on the quality of reports and information on entities, individuals and their transactions), joint policy actions, etc. The Federal Ministry of Industry, Trade and Investment, the Federal Ministry of Justice and other relevant ministries collaborate on policy issues and the preparation of laws, regulations and guidance (not exclusively directed at Designated Non-Financial Institutions). There is also a special relationship between the Corporate Affairs Commission (CAC), Self-Regulatory Bodies/Organizations, Law Enforcement Agencies and SCUML.

INTERNATIONAL COORDINATION AND COOPERATION

There should be regular or ad hoc cooperation and/or exchange of information in a timely manner, pursuant to specific requests from competent supervisory authorities in other countries. Examination of foreign establishments of Designated Non-Financial Institutions with the assistance of the supervisory authorities of the host country and indirect cooperation with non-counterparts, in line with best practice. The NFIU plays a vital role in this area by utilizing the Egmont Secured Web (ESW). Memoranda of understanding, consolidated supervision agreements between Nigeria and host supervisors of foreign-owned Designated Non-Financial Institutions, or other forms of agreement which address cooperation and information exchange between authorities in different countries. Nigeria is an active member of FATF and the Egmont Group and has participated in various international conferences and plenaries. Nigeria is a signatory to many multilateral and bilateral agreements and Mutual Legal Assistance Treaties (MLAT).

REMEDIAL ACTIONS

Communication to Designated Non-Financial Institutions: There is an existing effective means of communication between Examiners and Designated Non-Financial Institutions when issues arise, so that the Designated Non-Financial Institutions understand what their failings and shortcomings are, what examiners expect (including the remedial action required), and the time frame within which possible remedial work/actions must be completed. Examiners should appropriately escalate issues to senior management and/or the Board of Directors in instances where required remedial actions respond to major issues, are of high impact or where previous supervisory intervention has not been effective.
Examiners should determine whether their finding is an isolated incident caused by a specific factor/issue or a systemic risk at the Designated Non-Financial Institution, or across the sector, and communicate their views to the relevant designated non-financial institutions.

RANGE OF TOOLS USED, COMPREHENSIVENESS AND ESCALATION PROCESS

The examiners have the power to apply a wide range of supervisory measures, such as warnings, action letters, limitations and conditions for activities of the designated non-financial institution, which may be progressive in severity, requiring Designated Non-Financial Institutions to remedy AML/CFT control deficiencies and any breach of AML/CFT obligations or failure to mitigate ML/TF risks in a timely manner. The examiner may require the designated non-financial institution to obtain an independent audit/test of their policies, procedures and controls in place to ensure compliance with applicable rules, regulations and guidance. In the case of Designated Non-Financial Institutions under the consolidated supervision of foreign regulatory authorities (supervisor), the host examiner may send findings to the home examiner and head/parent office of the Designated Non-Financial Institution so that they are aware of the weaknesses identified and to seek their co-operation to ensure that the Designated Non-Financial Institution rectifies the weaknesses noted during the inspection. The examiner may follow up with external/internal auditors of the Designated Non-Financial Institution and request them to follow up on the correction of weaknesses and the adequacy of the remedial measures taken by the Designated Non-Financial Institution.

CONSISTENCY

The examiner should work closely with Designated Non-Financial Institutions in order to be satisfied that the targets and deadlines of the remedial actions are well understood and capable of remediating the identified issues within acceptable timeframes. Follow-up of implementation of remedial actions should be systematic and there should be an appropriate response where Designated Non-Financial Institutions fail to fix the identified problems in a timely manner.
Follow-up actions include utilizing inspection/examination information to track progress in supervised entities over time. The examiner should apply consistent policies with respect to remedial actions, while taking into account the specific characteristics of the designated non-financial institution. The examiner should apply comparable, proportionate solutions to similar issues/cases. Where more than one competent authority is responsible for supervising the same Designated Non-Financial Institution, those examiners should coordinate to ensure that a consistent and coordinated approach is being taken to AML/CFT supervisory and compliance issues.

SUPERVISORY ENFORCEMENT ACTIONS

A broad range of enforcement measures is available to the examiner. These sanctions are meant to be effective, dissuasive and proportionate, and must be applied by different examiners in a consistent manner, providing legal certainty to the supervised entities. The examiner should escalate the action if remedial measures are not taken adequately and/or within reasonable timeframes as agreed with the designated non-financial institution. A range of both administrative and criminal sanctions is available to be used by examiners in Nigeria. Administrative/criminal sanctions may involve withdrawal of the capacity to be a fit and proper manager, imposition of a temporary limitation to business activities, imposition of a restriction or cancellation of business licenses for the most egregious misconduct, or referral to law enforcement or judicial authorities for suspected criminal violation of AML/CFT preventive measures, including with respect to TFS. The sanctions are meant to be both punitive, to penalize past behavior, as well as remedial and preventive, to compel designated non-financial Institutions to take action to prevent future compliance failures and to promote future compliant behaviors. They should be applied to legal as well as natural persons (i.e. the persons in charge of the administration or the management of the designated non-financial institution); and the sanctioned entities and the individuals should be published in at least two (2) national dailies and as a consolidated report or as rulings of individual cases to promote transparency as well as guidance. The examiner should proportionately sanction Designated Non-Financial Institutions for AML/CFT breaches in a fair and consistent manner. While the sanction applied to each case would be determined taking into account a range of factors, including the seriousness of the breach and the extent to which the behavior was deliberate or reckless, the examiner should refer all serious cases to the Sanctions Committee for further action. Where there are severe AML/CFT weaknesses, poor management oversight and/or significant breaches of AML/CFT laws and regulations, and where the examiner does not have authority to take appropriate enforcement measures against the Designated Non-Financial Institution, the examiner should forward the case to the appropriate competent authority. This implies that if the NFIU, for example, observes the above-mentioned weaknesses in a DNFI’s operations, it should refer those observations to SCUML for necessary action. Where the examiner finds or assumes criminal offences in activities of Designated Non-Financial Institutions, it should notify the EFCC for necessary action.

IMPACT OF SUPERVISION ON COMPLIANCE

Ideally, the results of follow-up actions will demonstrate that supervisory actions are having a positive impact on the compliance of supervised entities. In other words, follow-up actions should show that the supervised entity has responded to supervisory concerns in a timely manner (e.g., by correcting deficiencies, or implementing more robust AML/CFT controls) and is mitigating its ML/TF risks better. Follow-up actions in Nigeria include using inspection/examination information and review of the supervised entities’ audit reports to track progress over time.
Optimal usage of findings: The examiner should facilitate sharing of the findings of AML/CFT inspections among its officers to ensure consistency of supervisory actions/measures. Where the AML/CFT supervision is carried out by different authorities (SCUML, NFIU, CAC or SROs), they should discuss and share the relevant AML/CFT information, exchange on AML/CFT supervision and ensure consistency in applying AML/CFT standards.

Periodic review: The examiner should also take the results of follow-up actions into account when reviewing a sector or particular entity’s risk profile, and use this information for the purposes of fine tuning and recalibrating its inspection plans and supervisory approach, as needed, in order to mitigate current ML/TF risks. Entities conducting Designated Non-Financial activity underground (i.e., without proper authorization) are identified, moved into the formal Designated Non-Financial system (i.e., registered or licensed), and/or sanctioned, as appropriate.

PROMOTING A CLEAR UNDERSTANDING OF AML/CFT OBLIGATIONS AND ML/TF RISKS

SCUML has effective information processes that ensure clear, relevant, meaningful and up-to-date AML/CFT-related information is made available to Designated Non-Financial Institutions. Information is provided by SCUML to DNFIs in various ways, and includes changes to the AML/CFT-related legal framework, explanation of the AML/CFT regulatory requirements, relevant typologies, updates on ML/TF vulnerabilities, risks and threats, and regulatory expectations. For example, if a detected risk is new, such risks should be assessed and relevant information should be shared with Designated Non-Financial Institutions, and SCUML should determine whether additional guidance or other action is necessary. Interpretation of AML/CFT obligations is made consistent to impact the effectiveness of the supervisory regime. Information is targeted to specific audiences, and includes guidance (international and domestic), updates, formal and informal meetings.
(Refer to guidance notes issued by SCUML.)

INFORMATION PROCESSES

Disclosure of information to Designated Non-Financial Institutions by SCUML is based on a clear understanding of ML/TF risks (including vulnerabilities and threats) present at both national and international level, specifically within the designated non-financial sector as a whole and within each of its subsectors; it is also targeted, practical, up-to-date, easy to understand and apply; in fact, crucial information is translated into the major native languages. The SCUML website is easy to navigate and includes a dedicated page for AML/CFT preventive measures, including TFS issues. SCUML is also engaged in an on-going dialogue with SROs and operators of Designated Non-Financial Institutions. Information on decisions taken at the National Advisory Council is disseminated via the principal officers of respective SROs representative of the Council. Feedback is received by SCUML in a clear and useful form, and delivered in a timely fashion. Guidance or expectations are communicated industry-wide through written materials, such as case studies or poor/better practices, or industry-wide training/seminars, so that all Designated Non-Financial Institutions are informed of good practices. SCUML consults the industry when proposing to make new regulations or regulatory amendments, and responds to and clarifies issues raised by the industry.

LAW ENFORCEMENT

While examiners focus on the process of implementing prevention and detection measures in the designated non-financial sector, law enforcement covers investigations, prosecution, and more public punishments for criminal violations that also serve as industry-wide deterrence. Actions taken by law enforcement (EFCC) complement effective compliance and supervision – in other words, they take over where SCUML’s mandates end.

LAW ENFORCEMENT MECHANISMS

Nigeria allows law enforcement agencies to bring forth criminal charges for ML/TF based on the predicate activity or criminal conduct. A Designated Non-Financial /effective management of ML/TF risks in the institution. To the extent that the failures in the institution result in violations of law or regulation, it may also be subject to criminal sanctions.

DIRECT ACTION BY LAW ENFORCEMENT

An action that is not prompted by supervisory action and undertaken independently from ongoing supervisory action is a direct standalone action. In this mechanism, law enforcement authorities that uncover possible involvement in criminal activity by Designated Non-Financial Institutions open a criminal investigation to determine if the Designated Non-Financial Institution is wittingly or unwittingly involved in the activity, and if the Designated Non-Financial Institution is complying with AML/CFT laws and regulations that are designed to prevent criminal abuse. Law enforcement action may extend to investigating criminal activity by those that abuse the Designated Non-Financial Institution. Effective coordination should be encouraged between law enforcement and examiners, as an action may have a de-stabilizing impact for globally systemically important DNFBPs, especially the NPOs.

LAW ENFORCEMENT COORDINATION (DOMESTIC AND CROSS BORDER)

Law enforcement authorities should coordinate their actions with examiners and other law enforcement bodies. Coordination allows competent authorities to take action under their authorities and promote information sharing between them. The level of coordination may also depend on information sharing practices (e.g., law enforcement authority’s or other examiner’s access to STR information for the purpose of supervising implementation of the STR reporting requirements and quality of STRs, transparency of legal persons and arrangements, assessing risk, etc.) and the particular circumstances of the action (e.g., the types of action, whether criminal or civil, or whether other examiners are also investigating the same conduct). Dialogues should be encouraged among the relevant authorities before public enforcement actions.
When violations of AML/CFT regulatory requirements by Designated Non-Financial Institutions are investigated and prosecuted by law enforcement, coordination between examiners and law enforcement should be strongly encouraged. The broad objectives of maintaining designated non-financial market stability and preserving the rights of consumers may require an examiner to carefully consider what kind of actions to take and whether they should be publicized or not. Actions by examiners and law enforcement authorities represent separate but complementary components of a country’s overall regulation of its designated non-financial sector.