Yes. This time it involved a DNFBP in Singapore. By the way, DNFBP refers to Designated Non-Financial Businesses and Professionals. Full news article link HERE.
Basically, a Chartered Accountant/Corporate Services Provider in Singapore provided company incorporation services and had held various appointments (director and secretary) in over 100 business entities in Singapore.
Of these over 100 business entities, the authorities discovered that one entity, for which the accused was acting as director, had $403,867 in stolen money deposited into the company's bank account between April 11 and May 28, 2012, and $795,802 was transferred out to accounts in China, Morocco, the United States, Geneva and Hong Kong. This entity was set up by a Romanian man whom the accused had not met before.
In passing sentence, the Judge said the accused failed to exercise "reasonable diligence" when incorporating the company, and also "breached practically all of his obligations as a director subsequent to incorporation". The accused was sentenced to 2 years' jail.
As a CSP registered as Filing Agent with ACRA in Singapore, there are KYC/AML obligations stipulated in the following links:
These regulations and guidelines clearly prescribe what is expected of a Filing Agent when incorporating entities in Singapore. In short, they are very similar to the rules that banks and financial intermediaries are familiar with. After all, these are all based on the FATF Recommendations.
In my view, these rules sit just beneath the mother of all relevant AML rules in Singapore, the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act (CDSA). An interesting side point to note is that the CDSA started with only drug trafficking as the primary crime. In 1999, there were 182 other serious crimes. As at 10 Nov 2015, there are 418 such other serious crimes.
Current practitioners should note that there are numerous offences under the Companies Act, Income Tax Act and Securities and Futures Act that are deemed "serious crimes" as well.
Practitioners should not limit themselves to thinking that proper due diligence on their new and existing customers under these regulatory obligations is just about whether those customers are terrorists or not. This is because the CDSA, coupled with the Terrorism (Suppression of Financing) Act, are very comprehensive and far-reaching pieces of legislation in Singapore.
What Exactly Is Required?
Leaving directors' obligations under the Companies Act aside and focusing on "reasonable diligence", one has to delve into the 3 sets of rules listed above to satisfy oneself (and the regulators, of course) that reasonable diligence has been performed.
This entails adopting a risk-based approach in one's due diligence process.
Is Screening Alone Sufficient?
Some may suggest that screening for PEP and Sanction is all you need to do. Is this true? Absolutely NOT. I would say that for anyone to suggest this is sufficient borders on being negligent, unprofessional and misleading, contrary to what's stipulated in the rules. One simply needs to take some time to read these regulations and guidelines to know what I am saying.
Risk-Based Approach and Risk Assessment
Taking a risk-based approach and performing risk assessment are stipulated as requirements in the rules. It is NOT OPTIONAL [period]!
A typical risk assessment methodology entails the identification of a list of risk factors, quantifying and measuring the risks, assessing and analysing the risks, reviewing the risks and eventually looping back to identification of risks for on-going reviews. Unlike banks and financial intermediaries, this is no easy feat for DNFBPs with no regulatory expertise and experience in this field.
Options and Way Forward
In my other post last month, Penny Wise, Pound Foolish, I elaborated on 4 options available when faced with this AML challenge: (1) Fight (do it properly); (2) Pretend to Fight (wrongly assume that all clients are low risk, and do very little); (3) Flight (de-risk or exclude); (4) Suicide (bring on the risk of non-compliance).
I would say that DNFBPs in Singapore are at a 4-way crossroads at the moment. The regulatory landscape has been set and the rules have been in place since 15 May 2015. The 1-year "honeymoon" period for the rules to sink in and for practitioners to implement the necessary steps is coming to an end soon.
Each route comes with different consequences. Ultimately, it is the registered Filing Agent who takes the regulatory responsibility (as well as the personal, professional and corporate liability) for doing the right thing (or the wrong thing).
At the end of the day, when questioned by regulators or prosecutors about potential AML-related offences, unless you are the perpetrator of the crime, it is often almost essential that you are able to back yourself up by demonstrating that reasonable due diligence has been performed.
This would include (1) taking a defensible risk-based approach and performing consistent risk assessment; (2) screening for PEP, Sanction, Media; (3) record-keeping and an audit trail of why and how diligence is performed and by whom; (4) on-going due diligence based on risk assessment; (5) having robust policies and procedures (that will protect you); (6) training your staff.
One thing is for sure: regulation is going to get more complicated in this space over time, so choosing the Fight option is the smarter way to go.
In my numerous meetings with DNFBPs, a few claim that all their clients are locals and therefore, everyone is low risk. Deep down, I believe they do struggle with validating and proving to themselves that this is hardly a defensible conclusion to make. For those DNFBPs with eagle-sharp eyes (and those who are diligent enough to read the rules), somewhere in there it says this:
"....steps to risk-based approach.... document the risk assessment, keeping it up to date and provide the risk assessment information to ACRA when required to do so...."
How do you conjure up a documented risk assessment for production to the regulator if you haven't methodologically carried it out when you on-board customers? That continues to baffle me.