2022-09-13
Added
The Monetary Authority of Singapore issued this circular to address critical deficiencies in AML/CFT controls observed during thematic reviews of Variable Capital Companies and their appointed eligible financial institutions. The regulator mandates that VCCs exercise robust oversight over their EFIs, including formal appointments and defined escalation processes, while requiring comprehensive customer risk assessment frameworks that account for diverse geographic and structural risks. Additionally, VCCs are required to implement enhanced due diligence for high-risk customers, ensure proper documentation of source of wealth and funds, and maintain ongoing monitoring to detect elevated risks post-onboarding.
Circular No.: AMLD 06/2022-1 Date: 22 September 2022 To the Directors of Variable Capital Companies (VCCs) Dear Sir/Madam ENHANCING ANTI-MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM (AML/CFT) CONTROLS IN THE VCC SECTOR A INTRODUCTION The VCC regime was launched on 15 January 2020. To ensure that VCCs are used for legitimate purposes, VCCs are required to have robust AML/CFT controls in place to detect and deter the flow of illicit funds through Singapore's financial system. In particular, VCCs are required1 to appoint an eligible financial institution (EFI) that is regulated and supervised by MAS to conduct the necessary AML/CFT checks and perform measures. 2 MAS conducted an industry-wide survey of VCCs in 2021, and followed up with a series of thematic reviews of how selected EFIs implemented AML/CFT controls for their respective VCCs. This Circular sets out MAS’ key observations from the survey and engagements, and our accompanying supervisory expectations2 that VCCs and their EFIs should note. B KEY OBSERVATIONS Insufficient oversight by VCCs of appointed EFIs 3 We observed that fund management companies (FMCs) which managed the VCCs as investment vehicles were also commonly appointed as their EFIs. In some cases, we noted that VCCs did not indicate that they had appointed an EFI even though it was a Notice requirement3 . 1 This requirement is in accordance with paragraph 4 of MAS Notice VCC-N01. 2 While this Circular is premised on the thematic engagements of EFIs, the takeaways are applicable and relevant to other types of financial institutions (FIs), with the appropriate calibrations. FIs should therefore incorporate learning points from this Circular, especially on timely gap analysis and regular training. FIs should also continue to implement appropriate AML/CFT controls that are commensurate with the nature and complexity of business. 3 Based on VCCs’ responses to the industry-wide survey in 2021. 10 Shenton Way MAS Building Singapore 079117 Telephone 65 6225 5577 Facsimile 65 6229 9229
2 VCCs should note that they remain ultimately responsible4 for fulfilling their AML/CFT obligations, and they need to exercise adequate oversight over their relationship with their EFIs. This include conducting adequate due diligence over EFIs and formally appointing them before the commencement of business operations and activities by the VCCs. VCCs should also ensure that the AML/CFT policies and procedures (P&Ps) implemented by their EFIs to mitigate money laundering and terrorism financing (ML/TF) risks are appropriate, and subjected to the approval of the directors of the VCCs. 4 During our engagements, we also noted instances where VCCs failed to put in place arrangements to oversee the ongoing implementation of AML/CFT controls by their EFIs – specifically, (a) in some instances, there was no agreed escalation process between its mandated EFI and the VCC to ensure pertinent issues were escalated to the VCC in a timely manner; and (b) in other cases where there was an escalation process, VCCs failed to specify sufficient details in the P&Ps – e.g. on the type of issues that should be escalated, the frequency of such updates, and the persons to be updated to assess needful mitigation measures. Further, where pertinent issues were escalated to VCCs, the VCCs did not require proper documentation of escalations of issues detected by EFIs. Overall, the lack of a defined escalation process for an EFI to surface pertinent ML/TF issues may result in the VCC failing to take timely and adequate risk mitigation measures. Inadequate customer ML/TF risk assessment frameworks and processes 5 VCCs need to conduct robust customer risk assessments to properly identify, understand and assess the ML/TF risks of their customers, so that they can apply the appropriate customer due diligence (CDD) and ongoing monitoring measures. However, during our engagements, we observed these key control lapses relating to VCCs’ conduct of customer risk assessments: a) Lack of a robust framework for assessing customers’ ML/TF risks where there was no guidance on the ML/TF risk factors that should be considered in practice, and how the ML/TF risk profile of customers would be determined. For example, in some cases, there was neither clear definition of complex ownership structures nor guidance on how their risks should be assessed. b) Failure to consider relevant risk factors in assessing country or geographic risks. We noted that some VCCs only considered countries that the FATF had identified to have weak measures to combat ML/TF risks when determining higher risk countries or jurisdictions. This was inadequate as the VCCs did not consider other country risk factors such as corruption, tax evasion, terrorism financing, etc. c) Customer risk assessments were not adequately documented. The failure to ensure such documentation by some VCCs was of concern, as it reflected a lack of attention 4 This is stipulated under paragraph 1-4-2 of the Guidelines to MAS Notice VCC-N01.
3 to record keeping that a proper risk assessment had been conducted as the due basis and trigger of needful risk mitigation measures. Failures to implement enhanced customer due diligence (ECDD) measures 6 VCCs should perform ECDD measures on all customers who are identified to pose higher ML/TF risks so as to mitigate and manage those risks. In particular, VCCs should conduct robust corroboration of their customers’ source of wealth (SOW) and source of funds (SOF) for higher risk customers, including customers who are politically exposed persons (PEPs). However, we noted an instance where the VCC did not put in place any P&Ps, in relation to the conduct of ECDD measures, as it explained that it would reject all high-risk customers. In addition, the same VCC did not put in place any measures to conduct ongoing monitoring of its business relations – including to obtain up-to-date CDD data, documents and information to ensure that its customers’ risk profile remained accurate. Ongoing monitoring is key to detecting customers that present higher ML/TF risks post-onboarding. In this regard, VCCs should have the relevant P&Ps in place for ongoing monitoring, as well as ECDD, to ensure that appropriate and timely risk mitigating measures are taken, should any customer’s risk become elevated. In another case, when the risk rating of a customer was subsequently revised to higher risk post-onboarding, the VCC did not obtain any documents and information to corroborate the customer’s SOW and SOF as required by the Notice. The lack of the requisite attention to higher risk accounts exposed those VCCs to heightened ML/TF risks. C CONCLUSION 7 VCCs should ensure that they have adequate oversight over their EFIs, in order to ensure the effective execution of AML/CFT frameworks, systems and controls5 , and remain vigilant to possible new ML/TF risk typologies in the sector. The key observations noted in this Circular should help VCCs to better understand their AML/CFT obligations. Therefore, VCCs should conduct gap analysis against the observations noted in this Circular as well as the January 2019 Guidance Paper6 to identify and address any effectiveness gaps including those by their EFIs. To enhance risk awareness, VCCs should also continue to ensure7 that their directors and staff are regularly and appropriately trained on ML/TF risk management8 . 5 Under paragraph 14.1 of the MAS Notice VCC-N01, a VCC shall “develop and implement adequate internal policies, procedures and controls, taking into consideration its ML/TF risks and the size of its business, to help prevent ML/TF and communicate these to its employees”. 6 Please refer to https://www.mas.gov.sg/regulation/guidance/guidance-to-cmi-on-enhancing-amlcft-frameworksand-control for the Guidance Paper issued to capital markets intermediaries. 7 Under paragraph 14.13 of the MAS Notice VCC-N01, a VCC shall “take all appropriate steps to ensure that its employees and officers (whether in Singapore or elsewhere) are regularly and appropriately trained on ⎯ (a) AML/CFT laws and regulations, and in particular, CDD measures, and detecting and reporting of suspicious transactions; (b) prevailing techniques, methods and trends in ML/TF; and (c) the VCC’s internal AML/CFT policies, procedures and controls, and the roles and responsibilities of employees and officers in combating ML/TF”. 8 There are AML/CFT courses offered by training providers accredited by the Institute of Banking and Finance (IBF), the national accreditation agency for financial sector competency.
4 8 Finally, we would like to remind FIs that it is crucial to detect and report suspicious transactions in a timely manner through ongoing supervision of their AML/CFT controls. To assist MAS and STRO to monitor and assess for any emerging VCC-related typologies, we request that FIs indicate “VCC_Circular_2022” in the “Notice Reference Number” field when filing STRs involving VCCs. Yours faithfully VALERIE TAY EXECUTIVE DIRECTOR ANTI-MONEY LAUNDERING DEPARTMENT