Proposed Amendments to the Financial Crime Module for Bank and Investment Firm Licensees

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 1 of 9 Industry Comments General Comments: CBB’s Response Some banks requested CBB to issue a list of domestic PEPs and family members or associates. In the absence of such a list, some banks felt it would be difficult to establish an accurate and detailed coverage of all PEPs in Bahrain and their close associates and family members or companies under their ownership. In the absence of this list, some banks felt CBB should accept a best efforts basis compliance to the related requirements. The CBB has not seen any other FATF member regulator perform this role. This proposal is not within the scope of the CBB’s authority under the CBB Law 2006. A number of banks recommended that some terms used in the module should be defined: Family members of PEPs, Close associates of PEPs, Qualifying wire transfers and Money or value transfer service - for the purpose of FC-3.2 Guidance text has been inserted and the the definition of MVTS added to the Glossary. The term ‘qualifying’ has been deleted as the CBB does not set a lower limit for banks making transfers. Specific Comments Reference to the draft Directive: Comments CBB’s Response FC-B.2.1 Conventional bank licensees must apply the requirements in this Module to all their branches and subsidiaries operating both in the Kingdom of Bahrain and in foreign jurisdictions. Where local standards differ, the higher standard must be followed. One bank noted that the reference should be changed to FC-8.1. Noted. It will be changed to FC-8.1. One bank recommended that quoted sentence may also be added at the end. “policies and staff” The text will be changed to “AML/ CFT procedures, systems and controls”. Also, FC-2.1.2 mentions that the AML/ CFT systems and controls, and associated documented policies and procedures, should

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 2 of 9 Conventional bank licensees must pay particular attention to procedures in branches or subsidiaries in countries that do not or insufficiently apply the FATF Recommendations and do not have adequate AML/CFT systems (see also Section FC-7.1). cover standards for customer acceptance, on￾going monitoring of high-risk accounts, staff training and adequate screening procedures to ensure high standards when hiring employees. FC-B.2.4 Financial groups (e.g. a bank with a financing company subsidiary) must implement groupwide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. One bank wished to clarify what is meant by ‘Financing company’. “Financing company subsidiary” will be changed to “financial entity as a subsidiary”. Financial entities are detailed in PCD-1.1.2. FC-1.1.1 Conventional bank licensees must establish effective systematic internal procedures for establishing and verifying the identity of their customers and the source of their funds. Such procedures must be set out in writing and approved by the licensee’s Board of Directors and senior management and must be strictly adhered to. Some banks noted that their internal procedures only allow the Board (not senior management) to approve Policies and Procedures. It will be indicated that Senior Management is optional. FC-1.1.2B Conventional bank licensees must conduct ongoing due diligence on the business One bank noted that this must not be limited to just transactional level. Any changes to management structure must also be considered This paragraph is specific to transactions. See FC-1.1.2 above concerning changes to structure etc.

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 3 of 9 relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including, where necessary, the source of funds. for the same purpose. FC-1.4.5 Conventional bank licensees must identify and assess the money laundering or terrorist financing risks that may arise in relation to: (a) The development of new products and new business practices, including new delivery mechanisms, and (b) The use of new or developing technologies for both new and pre-existing products. One bank suggested that AML gap analysis of existing products and procedures might be done periodically (e.g. every two years). Noted but text has not been changed. FC-1.5.1 Conventional bank licensees must have appropriate risk management systems to determine whether a customer or beneficial owner is a domestic Politically Exposed Person (‘PEP’) or a person who is or has been entrusted with a prominent function by an international Certain banks noted that the amended rule is silent on foreign PEPs. Banks recommend that the word ‘domestic’ be removed from clause FC 1.5.1. This will remove any possible differential treatment between domestic and foreign PEPs. Foreign PEPs should also be covered. Therefore, the word “domestic” will be removed from the rule. Some banks requested clarification of the terms ‘beneficial owner’ and ‘international ‘Beneficial Owner’ is a term defined as part of the FATF glossary which should be referred to.

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 4 of 9 organisation, both at the time of establishing business relations and thereafter on a periodic basis. Licensees must utilize publicly available databases and information to establish whether a customer is a PEP. organization’. Would NGOs and non-profit organizations also be considered? In addition, what would be the treatment of foreign embassies and their employees? The definition of international organization is a matter for banks to address. Generally such organizations are the UN, the OECD, multilateral development banks, pan￾governmental bodies such as the GCC or the EU or any body which has cross-border authority. Foreign embassies’ staff must be considered. Some banks wanted confirmation that this requirement relates to a government/quasi government entities rather than an international corporation. Correct. FC-1.5.3A In cases of higher risk business relationships with such persons, mentioned in Paragraph FC-1.5.1, conventional bank licensees must apply the measures referred to in (b), (d) and (e) of Paragraph FC-1.5.3. One bank wondered if the EDD measures referred to in FC- 1.5.3 (b), (d), (e) were minimum or maximum. The FATF recommendation requires enhanced on-going monitoring of the business relationship. It has been clarified that these are minimum measures. FC-1.5.4 ‘Politically Exposed Persons’ means individuals who are, or have been, entrusted with prominent public functions in Bahrain or a foreign country, or persons who are or have been entrusted with a prominent function by an international organisation, such as Heads of State or government, senior politicians, senior government, judicial or military officials, senior executives of state owned corporations or important political party officials. Business One noted that clarification/guidance is required with regards to Senior Executives of state owned corporations, which is understood to mean (Executive Directors, CEO & Executive Management); also it is not easy when identifying Bahraini PEPs to identify if the Ministry Officials are holding the rank of undersecretary or above, especially for Ministry of Interior or Military Officials. Such questions of rank are required as part of CDD. The customer must be asked to confirm position/rank.

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 5 of 9 relationships with family members or close associates of PEPs involve reputational risks similar to PEPs themselves. The definition is not intended to cover middle-ranking or more junior officials in the foregoing categories. Bahraini PEPs would include all Ministers, all MPs, and all Ministry officials with the rank of Undersecretary or above. FC-1.7 Enhanced Due Diligence: ‘Pooled Funds’ Some banks noted that it would be practically difficult for licensees to obtain a list of the beneficial owners of the funds and verify their identity due to confidentiality and/or regulatory issues. They suggested that if the professional intermediaries are complying with FATF recommendations then the requirement of obtaining list of beneficial owners and their verification can be dispensed with. Obtaining a list of the beneficial owners of the funds and looking beyond the intermediary and determining the identity of the beneficial owners or underlying clients may be difficult and is beyond the existing FATF recommendation. Therefore the existing text will be retained to follow existing FATF recommendation on the enhanced due diligence on pooled funds. FC-3.1.4 Banks must: (b) Carefully scrutinise inward transfers which do not contain originator information (i.e. full name, address and account number or a unique customer identification number). Licensees must presume that such transfers are ‘suspicious transactions’ and pass them to the MLRO for review for determination as to possible filing of an STR, unless (a), the originating institution is One bank asked what procedure should be followed if the Financial institution is unable to provide originator details? i.e. After the MLRO investigates, if the bank determines that it is not suspicious (e.g. some of the information is provided such as name, address but not the account number), can the bank then return the funds? Or, If the MLRO determines that that it is suspicious (e.g. remitter bank has not provided majority of the information), then the bank would file a STR with the authorities. However, does the bank have to then freeze the funds or return the Banks are expected to exercise judgment according to each situation. Two days is felt to be sufficient.

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 6 of 9 able to promptly (i.e. within two business days) advise the licensee in writing of the originator information upon the licensee’s request; or (b) the originating institution and the licensee are acting on their own behalf (as principals). funds to the remitter bank? Also, one bank felt that two days is sometimes not sufficient to obtain information from the remitter bank. FC-3.1.5 Information accompanying all qualifying wire transfers must always contain: (a) The name of the originator; (b) The originator account number where such an account is used to process the transaction; (c) The originator’s address, or national identity number, or customer identification number, or date and place of birth; (d) The name of the beneficiary; and (e) The beneficiary account number where such an account is used to process the transaction. Two banks suggested adding “or IBAN”. Also regarding FC-3.15 (c) one bank enquired what is meant by “customer identification number”? It is understood to be the Bank’s internal Customer ID number assigned to each customer. To be clarified or defined in the Glossary. Agree with adding “or IBAN”. This “customer identification number” is sometimes used by institutions in addition to individual account numbers. FC-3.1.13 The originating bank must not be allowed to execute the wire transfer if it does not comply with the requirements of One bank asked who would be the authority which would be enforcing this requirement. The CBB is the enforcing authority.

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 7 of 9 Paragraphs FC-3.1.11 and FC￾3.1.12. FC-3.1.16 An intermediary bank must take reasonable measures to identify cross-border wire transfers that lack required originator information or required beneficiary information. Such measures must be consistent with straight-through processing. One bank noted that this requirement would be performed on a best effort basis. The CBB notes that this is the responsibility of the MLRO. FC-3.1.19 For qualifying wire transfers, a beneficiary bank must verify the identity of the beneficiary, if the identity has not been previously verified, and maintain this information in accordance with Paragraph FC￾7.1.1. One bank noted that in some countries who applied the IBAN, it is allowed to credit funds based on the IBAN number only without further checking of beneficiary name, provided that the IBAN received is valid as per their country specification set up. Is the same accepted by the CBB or the bank must make sure that the IBAN and the beneficiary name are matched? The bank must verify identity by the means identified in FC-1. FC-3.2 Remittances on behalf of other Money or Value Transfer Service (MVTS) Providers There was some confusion over the use of the word ‘other’. Banks were confused as to whether these requirements applied to just their own customers or to remittances provided to the customers of other entities too. The word “other” has been deleted. These requirements apply to all remittances. FC-4.2.1 The MLRO is responsible for: (i) Maintaining all necessary CDD, transactions, STR and staff training records for the required periods (refer to Section FC-7.1). One bank noted that CBB should consider amending to add “Ensuring that the conventional bank licensing has the necessary controls in place for maintaining all necessary CDD, transaction, …” as it is not possible for the MLRO to be responsible for maintaining the CDD, transaction Agreed

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 8 of 9 records etc. for the required periods. FC-4.3.1 Conventional bank licensees must take appropriate steps to identify and assess their money laundering and terrorist financing risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels). They must document those assessments in order to be able to demonstrate their basis, keep these assessments up to date, and have appropriate mechanisms to provide risk assessment information to the CBB. The nature and extent of any assessment of money laundering and terrorist financing risks must be appropriate to the nature and size of the business. Two banks requested more clarification of what is expected under the scope of an annual compliance review, particularly in relation to AML risk assessments. Each bank must work out its own AML risk assessment as part of good risk management. Also is this assessment different from the AML review which is done by the external auditors? If so, who should do this, and is it internally or independent third party? And should the formal report be given to CBB? The assessment of money laundering and terrorist financing risks mentioned in this rule must be made internally by the MLRO and is different than the AML review done by the external auditors. FC-5.3 Contacting the Relevant Authorities One bank recommended that FC-5.3 be amended to take account of circular EDFIS/022/2013 dated 25 June 2013 which requires banks to use the online reporting system to file STRs, and to discontinue STRs in paper format. Noted. Module FC will be amended to be in line with this new procedure. FC-8.1.3 Conventional bank licensees must apply enhanced One bank requested examples of which relationships and transactions would require such Enhanced due diligence is a subjective matter and differs from as each case dictates. It is not

Consultation on Proposed Amendments to Module FC Industry Comments and Feedback April 2014 Page 9 of 9 due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries where such measures are called for by the FATF. The type of enhanced due diligence measures applied must be effective and proportionate to the risks. (EDD) measures. appropriate to provide examples in case banks believe enhanced CDD only applies in these specific cases. One bank noted that its internal procedures contain a high risk country list, which adheres to FATF’s recommendation. The existence of a high risk country would affect the assessment and rating of a customer, pursuant to their internal risk-based-approach methodology. But this risk factor would not by itself prompt enhanced due diligence requirements. This seems inconsistent with the module. The bank may have to amend procedures.