Banks Act Circular 4/2004: General Guidance Notes on Anti-Money Laundering

2004-04-19 TO ALL CHIEF EXECUTIVE OFFICERS OF BANKS, BRANCHES OF FOREIGN BANKS AND MUTUAL BANKS BANKS ACT CIRCULAR 4/2004 GENERAL GUIDANCE NOTES WITH REGARD TO ANTI-MONEY LAUNDERING Quoted hereunder in this Circular are two guidance notes prepared by the Financial Intelligence Centre. Note 1, “General Guidance Note Concerning Identification of Clients” and Note 2, “Note on identification of existing clients”. Banks are requested to take cognisance of the contents of these two guidance notes and act accordingly. Banks are also requested to forward to this Office by 15 May 2004 their completed risk matrix of their client base coupled with the number of account holders that they have and how many of these have been verified in terms of the requirements of Section 21 of the Financial Intelligence Centre Act No. 38 of 2001. Furthermore, any submission to the Minister of Finance, as contemplated in Guidance Note 2, should also be forwarded to this Office by no later than 15 May 2004. Guidance Note 1: “General Guidance Note Concerning Identification of Clients Introduction Money Laundering is criminalised in section 4 of the Prevention of Organised Crime Act, 1998. The money laundering offence can basically be described as the performing of any act which may result in concealing the nature of the proceeds of crime or of enabling a person to avoid prosecution or in the diminishing of such proceeds. Apart from criminalising the activities constituting money laundering, South African law also contains a number of control measures aimed at facilitating the detection and investigation of money laundering. These are contained in the Financial Intelligence Centre Act, 2001. These measures are based on three basic principles of money laundering detection and investigation i.e. that: • intermediaries to the financial system must know with whom they are doing business, • the paper trail of transactions through the financial system must be preserved, and • possible money laundering transactions must be brought to the attention of investigating authorities.

2 The control measures introduced by the Financial Intelligence Centre Act, 2001 (“the Act”) include requirements for institutions to establish and verify the identities of their clients, to keep certain records, to report certain information and to implement measures that will assist them in complying with the Act. The majority of obligations under the Financial Intelligence Centre Act apply to “accountable institutions”. These are institutions which fall within any one of the categories of institutions listed in Schedule 1 to the Act. The Act also established the Financial Intelligence Centre as the agency responsible for the collection, analysis and disclosure of information to assist in the detection, prevention and deterrence of money laundering in South Africa. The Act empowers the Centre to provide guidance in relation to a number of matters. This Guidance Note has been prepared by the Centre to assist accountable institutions and supervisory bodies with the practical application of the client identification requirements of the Act. It is provided as general information only. This Guidance Note is not legal advice and is not intended to replace the Act and Money Laundering Control Regulations (“the Regulations”) issued under the Act in December 2002. Establishing and verifying identity – a risk-based approach? The Act prevents accountable institutions from establishing business relationships or entering into single transactions with their clients unless they have established and verified the identities of the clients concerned and of the agents and principals of their clients. The Act also requires institutions to verify an agent’s authority to act on behalf of a principal. The Regulations provide some detail on the identification and verification of most classes of clients an institution is likely to deal with. These are, for instance, natural persons, companies and close corporations, other legal persons, partnerships and trusts. The Regulations require institutions to obtain specific information concerning the identities of each of these categories of clients. The Regulations also indicate the manner in which the basic client identification particulars should be verified. For instance, an individual’s name and identity number should be verified by reference to an identity document. Other forms of verification are only acceptable if a person is, for a reason which is acceptable to the institution, unable to produce an identity document. Additional identification particulars, such as residential addresses, may be verified by reference to any information which can reasonably be expected to serve as verification for the particulars in question. The combination of the Act and the Regulations require that accountable institutions identify all clients with whom they do business unless an exemption applies in a given circumstance. However, institutions are not required to follow a one-size-fits-all approach in the methods they use and the levels of verification they apply to all relevant clients. In many instances in the Regulations reference is made to the fact that accountable institutions must verify certain particulars against information which can be reasonably expected to achieve such verification and is obtained by reasonably practical means, taking into account any guidance notes concerning the verification of identities which may apply. This means that in these specific instances an institution must assess what information may be necessary in order to achieve verification of the particulars in question and the means by which it can be obtained. The institution must then exercise its judgment and decide what the appropriate balance is between the level of verification and the most practical means to obtain such verification.

3 The use of expressions in the Regulations such as “can reasonably be expected to achieve such verification” and “is obtained by reasonably practical means” may therefore be taken as an indication that in those specific instances a risk-based approach to the verification of the particulars in question may be applied. This implies that the greater the risk, the higher the level of verification, and the more secure the methods of verification used, should be. In other words, in the instances where expressions such as “can reasonably be expected to achieve such verification” and “is obtained by reasonably practical means” are used in the Regulations, the balance between the accuracy of the verification required on the one hand, and the level of effort invested in the means to obtain such verification on the other, has to be commensurate with the nature of the risk involved in a given business relationship or transaction. Applying a risk-based approach to the verification of the relevant particulars implies that an accountable institution can accurately assess the risk involved. It also implies that an accountable institution can take an informed decision on the basis of its risk assessment as to the appropriate methods and levels of verification that should be applied in a given circumstance. An accountable institution should therefore always have grounds on which it can base its justification for a decision that the appropriate balance, referred to above, was struck in a given circumstance. Accurately assessing the relevant risk means determining, firstly, how the reasonable manager in a similar institution would rate the risk involved with regard to a particular client, a particular product and a particular transaction, and secondly, what likelihood, danger or possibility can be foreseen of money laundering occurring with the client profile, product type or transaction in question. It is imperative that the money laundering risk in any given circumstance be determined on a holistic basis. In other words, the ultimate risk rating accorded to a particular business relationship or transaction must be a function of all factors which may be relevant to the combination of a particular client profile, product type and transaction. The assessment of these risk factors should best be done by means of a systematic approach to determining different risk classes and identify criteria to characterise clients and products. In order to achieve this an accountable institution would need to document and make use of a risk framework. A risk matrix could serve as a tool to provide an objective basis to the assessment of several risk indicators. An example of a risk matrix which may be used in relation to banking services is attached hereto. (Please note that this is an example of the format of a risk matrix which might be used by accountable institutions. The contents of this example might not suit your institution without further customization and should not be regarded as complete or final. It is important that the weightings enable adequate segmentation and prioritization of risk which will depend on the customer and product profile of each institution.) Once a proper risk assessment is done an institution must put in place measures to isolate the different risk classes and to ensure that procedures which are appropriate only for lower risk classes are not applied in relation to higher risk classes. Due regard needs to be paid to the practicability of segregating different risk categories. As with all risk management, an institution’s risk framework needs to be regularly updated and supported with documentation to enable and ensure compliance within each institution.” Guidance Note 2: “Note on identification of existing clients Section 21(2) of the Financial Intelligence Centre Act, 2001, (“the Act”) will prevent an accountable institution from conducting a transaction in the course of an existing business relationship with a client after 30 June 2004 if it has not established and verified the identity of the client.

4 As from 1 July 2004, the Act will prevent accountable institutions (such as banks) from entering into new transactions with clients who had established relationships with them before 30 June 2003. Accountable Institutions will only be able to do so if they have the required information about the identities of those clients and have confirmed the correctness of that information. In other words, an accountable institution which has already obtained and verified the required information from its existing clients would be able to continue transacting with those clients as from 1 July 2004. Accountable Institutions which do not have the required information or verification before that date will first have to obtain it before they would be allowed to conduct transactions with existing clients subsequent to 1 July 2004. Full compliance with this “Know Your Customer (KYC)” requirement presents a particular problem in the banking industry. It may disrupt the business relations and transactions between a bank and its clients, and between clients of different banks. The prohibition against transacting with unidentified clients exists in primary legislation. Neither the Centre nor any supervisory body is in a position to excuse or pardon non-compliance with the legal obligations of accountable institutions. The Centre naturally expects accountable institutions to comply with these obligations. There are only two possible ways in which a disruption of the business of accountable institutions can be avoided in terms of the law. Firstly, Parliament may pass an Amendment Act to amend the timeframe for the coming into force of the relevant provisions of the Act. This is not possible since Parliament will not resume its activities in time for such an Amendment Act to be passed. Secondly, the affected accountable institutions may petition the Minister of Finance for an appropriate exemption under the Act for more time to continue transacting with existing clients while updating the verification on those clients. The most appropriate course of action would be a middle ground between these two extremes. A via media approach would entail an appropriately structured exemption on terms, which would achieve two objectives simultaneously, namely: • to avoid a large-scale disruption of business in the banking industry, and • to move the industry to full compliance through a series of targets and objectives, which are acceptable to the Minister and role players, such as the banking supervisor, the FIC and the National Treasury. The FIC recommends that any request to the Minister for an exemption be well motivated to explain clearly: • what accountable institutions have been doing since the passing of the legislation in order to prepare for the identification of existing clients; • what the nature is of the obstacles preventing those accountable institutions from identifying existing clients before they would be required to transact with them and • what the volume is of outstanding or unverified information concerning existing clients; • what their strategic plan is to obtain and verify the required information in respect of the various categories of their clients, and the expected time frames within which they aim to achieve this.

5 A framework aimed at preventing, detecting, investigating and prosecuting money laundering must contain three basic elements: • intermediaries to the financial system must know with whom they are doing business; • the paper trail of transactions through the financial system must be preserved; and • possible money laundering transactions must be brought to the attention of investigating authorities. In this context, it is therefore of the utmost importance that sufficient identification information is available on the persons involved in financial transactions. Where these financial transactions make up a money-laundering scheme, it then becomes imperative to ensure that adequate records of the nature of those transactions and the persons involved, are kept.” E M Kruger Registrar of Banks The previous circular issued was Banks Act Circular 3/2004 dated 5 March 2004.