2025-01-01

Guidance for Conducting Periodic Reviews of Customer Relationships

The Central Bank of Trinidad and Tobago issued this addendum to its AML/CFT Guideline to define expectations for ongoing due diligence and periodic reviews of customer relationships. Financial institutions must reassess high-risk customers annually, standard or medium-risk customers every three years, and low-risk customers every five years, while remaining vigilant for specific trigger events. The guidance mandates robust policies covering risk-based monitoring, sanctions screening, adverse media checks, and senior management approval for high-risk changes to ensure effective ML/TF risk management.


Trinidad and Tobago

Central Bank of Trinidad and Tobago


THE CENTRAL BANK OF TRINIDAD AND TOBAGO GUIDANCE FOR CONDUCTING PERIODIC REVIEWS OF CUSTOMER RELATIONSHIPS ADDENDUM TO PART II SECTION 5.4 OF THE ANTI-MONEY LAUNDERING/ COMBATTING OF TERRORISM FINANCING (“AML/CFT”) GUIDELINE APRIL 09, 2025

Introduction

The Central Bank of Trinidad and Tobago (“Central Bank”) is issuing this supplementary guidance to Part II Section 5.4 of the Central Bank’s Guideline on Anti-Money Laundering and Combatting of Terrorism Financing (“AML/CFT”). This guidance sets out the Central Bank’s expectations in respect of the conduct of ongoing due diligence and periodic reviews of customer relationships.

1. Ongoing Monitoring and Review of ML/TF Risks

Regulation 37 of the Financial Obligations Regulations 2010 (as amended) (“FOR”) requires a financial institution to monitor and conduct ongoing due diligence on existing customers on the basis of materiality and risk, taking into account the timing and adequacy of customer due diligence (“CDD”) information previously collected. Part II Section 5.4 of the AML/CFT Guideline requires a financial institution to, inter alia, “monitor transactions to ensure that these are in line with the customer’s risk profile and business and where necessary, examine the source of funds to detect possible ML/TF. Documents, data or information must be kept up to date on a risk-sensitive basis, with a view to understanding whether the risk associated with business relationship has changed.”

Ongoing monitoring of customer relationships is a critical component of an effective AML/CFT/CPF¹ risk management programme which:

a) serves to maintain a proper understanding of a customer’s business activities, and ensures that there is consistency between expected and actual activity/transactions;
b) provides inputs for ongoing assessment of ML/TF/PF risks; and
c) assists with detecting and reviewing unusual or suspicious activities and transactions.

Ongoing monitoring should be conducted on all customer relationships. However, in line with a risk based approach, financial institutions have the flexibility to adjust the extent and depth of monitoring based on the customer’s ML/TF/PF risk profile. Policies and procedures for ongoing monitoring must demonstrate that CDD measures and monitoring processes are appropriate and risk based.

Maintaining relevant and up-to-date CDD data, documents and information is fundamental to conducting ongoing monitoring effectively, and for identifying changes to the customer’s risk profile. Importantly, identifying variances between expected and actual activity/transactions depends on obtaining information on the nature and intended purpose of the business relationship at the outset of the relationship, to enable monitoring, detection and analysis of subsequent unusual and suspicious activity/transactions.

The relevant CDD information that should be collected at the outset of a customer relationship is codified in Regulations 15, 16 and 17 of the FOR and additional guidance is provided in Part IV of the Central Bank’s AML/CFT Guideline. CDD information to be collected may include where applicable:

a) the customer’s/beneficial owner’s business activities/occupation/employment;
b) the geographical location of the customer’s/beneficial owner’s physical residence, business operations and assets;
c) the ownership and control structure where the customer/beneficial owner of the customer is a legal person or legal arrangement;
d) the types of financial products/services the customer may utilize;
e) the expected type, volume, frequency and value of activity that would be conducted utilizing the financial institution’s products and services;
f) the beneficial owners, controllers, directors and signatories²; and
g) the customer’s counterparties, related third parties and the nature of their relationships with the customer/beneficial owner.

¹ AML/CFT/CPF means Anti-Money Laundering/Combatting the Financing of Terrorism/Countering Proliferation Financing. Therefore, ML/FT/PF shall be construed accordingly.

² Examples of identifying information that should be collected include the full legal name, nationality(ies), date and place of birth, residential address, national identification number and document type.

2. Conducting Periodic Reviews of Customer Relationships

Part II Section 5.4 of the Central Bank AML/CFT Guideline states that “financial institutions should re-assess their ML/TF risks at least every three years and may consider setting a mandatory date for review.” Section 5.4 advises that in addition to a financial institution periodically re-assessing its ML/TF risks, it must also inter alia, periodically re-assess its customers’ ML/TF risks. In addition, the section states that customer risk assessments should be reviewed at least annually for higher risk customers but advises that a material change in the customer’s business operations or risk profile should also prompt a review.

Section 5.4 did not specify a time period for re-assessment of lower risk customers’ ML/TF risk profile. However, the Central Bank advises that as a pragmatic approach, the frequency of periodic reviews for customers other than high risk customers, may be based on trigger events or, in the absence of a trigger event, at a minimum, the review should be undertaken every three (3) years for standard or medium risk customers, and every five (5) years for low risk customers.

Financial institutions must ensure that they have implemented effective and appropriate policies and procedures for the event-driven and scheduled reviews of customer relationships. Employees must be provided with specific training and procedures on how to undertake the periodic reviews. Policies and procedures for conducting periodic due diligence reviews should, at a minimum, address the following:

a) the proactive utilisation of customer contact points as an opportunity to update CDD information;
b) risk-based procedures for ensuring that beneficial ownership information for legal persons and legal arrangements is accurate and updated within a reasonable period following any change;
c) clearly articulated due diligence review procedures to be undertaken for low risk customers to be distinguished from the due diligence applicable for standard, medium or high risk customers. This should include the extent and type of CDD data, documents and information that should be updated for each customer category on a risk basis, including:
   • when identity information, source of funds or wealth should be verified;
   • when additional investigations or requests for information should be made regarding a customer’s business or the reasons for a transaction; and
   • how much transactional history, types of transactions should be reviewed;
d) the circumstances that would trigger a review, including:
   • changes in legislation or internal policies;
   • material changes in legal or beneficial ownership of a legal person or arrangement, its directors, or authorized signatories, which should prompt an update to the due diligence information/documents for the relevant natural persons;
   • changes in other relevant data, such as name, registered address, business operations of a legal person or arrangement;
   • business expansion through mergers and acquisitions or into new markets/customer segments;
   • requests for new financial products or services;
   • legal proceedings against a customer or beneficial owner;
   • discovery of materially adverse information such as reports of allegations or investigations of fraud, corruption or other crimes;
   • qualified opinion from an independent auditor on the financial statements of a legal person;
   • transaction activity that deviates from established norms;
   • adverse information received from a competent authority;
e) for insurance companies and intermediaries, additional circumstances that may trigger a review include inter alia:
   • insurance claims applications;
   • early surrender requests or policy cancellations during the cooling off or cancellation period;
   • overpayment of insurance premiums;
   • changes in the type of insurance product;
   • changes to the duration or amount of coverage;
   • changes in beneficiaries;
   • change of address;
   • changes of payment method or amount;
   • requests for payments to third parties;
   • subsequently discovered adverse information about an insurance applicant, beneficial owner of an applicant, controller or beneficiary;
f) an assessment of whether the account activity is consistent with the purpose and anticipated account activity established at on-boarding, and whether the account activity is consistent with the customer’s established source of funds/business operations and where applicable, their source of wealth;
g) screening of the customer, (or the policyholder and named beneficiaries) directors, authorized signatories and the legal and beneficial owners against designated sanctions lists and to identify new PEP relationships;
h) conducting open source searches to identify adverse indicators that may elevate the risk profile;
i) reassessment and if applicable, re-categorization of the customer’s risk rating upon material updates to CDD information, obtained either through a trigger event or scheduled review;
j) obtaining and maintaining evidence of senior management approval for changes to the customer risk rating and for the continuation of business relationships with PEPs and high risk customers;
k) the action required when appropriate CDD documentation or information is not obtained during the review, including the steps and timelines that may be taken to obtain such documentation or information, and actions to be taken to mitigate ML/TF/PF risk when CDD information cannot be obtained after reasonable efforts have been made to update the information;
l) documentation of the findings and outcomes of the periodic reviews, including documentation of the rationale to maintain or change the customer’s risk rating;
m) determination of whether account activity, adverse media alerts or outcomes of the review represent unusual or suspicious activity requiring further investigation; enhanced monitoring or the termination of the customer relationship; or reporting to the FIUTT; and
n) independent audit reviews of the quality and effectiveness of CDD reviews and updates.