• AML/CFTR Part 3.2 Customer risk

    Note for Part 3.2

    This Part relates to the risks posed by the types of customers of a firm.

    Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.1 Risk assessment for customer risk

      (1) A firm must assess and document the risks of money laundering, terrorism financing and other illicit activities posed by different types of customers.

      Examples of types of customers
      1 salaried employees with no other significant sources of income or wealth
      2 publicly listed companies
      3 legal arrangements
      4 PEPs
      (2) The intensity of the CDD and ongoing monitoring conducted for a particular customer must be proportionate to the perceived or potential level of risk posed by the relationship with that customer.

      Example

      The duration of the relationship with the customer and the frequency of transactions may affect the intensity of CDD and ongoing monitoring.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.2 Policies etc for customer risk

      A firm must have policies, procedures, systems and controls to address the specific risks of money laundering, terrorism financing and other illicit activities posed by different types of customers.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.3 Scoring business relationships — types of customers

      A firm must include, in its methodology, a statement of the basis on which business relationships with customers will be scored, having regard to the different types of customers it has (and proposes to have).

      Example

      The risk to the firm from a salaried employee whose only transactions are derived from electronic payments made by the employee's employer is likely to be much lower than the risk to the firm from an individual whose transactions are cash-based with no discernible source for those funds.

      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.4 Persons associated with terrorist acts etc — enhanced CDD and ongoing monitoring

      (1) This rule applies to a customer of a firm if the firm knows or suspects that the customer is an individual, charity, non-profit organisation or other entity:
      (a) that is associated with, or involved in, terrorist acts, terrorism financing or a terrorist organisation; or
      (b) that is subject to sanctions or other international initiatives.
      (2) Irrespective of the risk score otherwise obtained for the customer, the firm must conduct enhanced CDD and enhanced ongoing monitoring for the customer.

      Note

      See rule 4.2.2 (What is ongoing monitoring?) and rule 4.3.13 (Ongoing monitoring required).

      (3) A decision to enter into a business relationship with the customer must only be taken with senior management approval after enhanced CDD has been conducted.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.5 Measures for PEPs

      A firm must, as a minimum, adopt the following measures to reduce the risks associated with establishing and maintaining business relationships with PEPs:
      (a) the firm must have clear policies, procedures, systems and controls for business relationships with PEPs;
      (b) the firm must establish and maintain an appropriate risk management system to decide whether a potential or existing customer, or the beneficial owner of a potential or existing customer, is a PEP;

      Examples of measures forming part of a risk management system
      1 seeking relevant information from customers
      2 referring to publicly available information
      3 having access to, and referring to, commercial electronic databases of PEPs
      (c) decisions to enter into business relationships with PEPs must only be taken with senior management approval after enhanced CDD has been conducted;
      (d) if an existing customer, or the beneficial owner of an existing customer, is subsequently found to be, or to have become, a PEP—the relationship may be continued only with senior management approval;
      (e) the firm must take reasonable measures to establish the sources of wealth and funds of customers and beneficial owners identified as PEPs;
      (f) PEPs must be subject to enhanced ongoing monitoring.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)
      Amended by QFCRA RM/2020-1 (as from 15th August 2020)

    • AML/CFTR 3.2.6 Legal persons, legal arrangements and facilities—risk assessment process

      (1) A firm's risk assessment process must include a recognition of the risks posed by legal persons, legal arrangements and facilities.

      Examples of legal persons
      1 companies
      2 partnerships
      Example of legal arrangement

      express trust

      Examples of facilities
      1 nominee shareholdings
      2 powers of attorney
      (2) In assessing the risks posed by a legal person or legal arrangement, a firm must ensure that the risk profile of the person or arrangement takes into account the risks posed by any beneficial owners, officers, shareholders, trustees, settlors, beneficiaries, managers and other relevant entities.
      (3) In assessing the risks posed by a facility, a firm must ensure that the facility's risk profile takes into account the risks posed by any reduction in transparency, or any increased ability to conceal or obscure.
      (4) Subrules (2) and (3) do not limit the matters to be reflected in the risk profile of a legal person, legal arrangement or facility.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.2.7 Measures for persons in terrorist list

      (3) A firm must, from the outset of its dealings with an applicant for business and on an ongoing basis during the business relationship, check whether the person is listed:
      (a) under a relevant resolution of the UN Security Council; or
      (b) in a Terrorist Designation Order published by the National Counter Terrorism Committee of the State.
      (4) If the person is listed, the firm:
      (a) must not establish, or continue, a relationship with, or carry out a transaction with or for the person;
      (b) must make a suspicious transaction report to the FIU; and
      (c) must immediately tell the Regulator.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)