Assessment of Ongoing Due Diligence Process (Wwft and Sw)

Answer

Under the Wwft institutions are required to constantly monitor their business relationships and the transactions carried out during the existence of such relationships. In addition, institution are required under the Rtsw to have in place an administrative system and internal control measures that enable them to enforce sanctions legislation. In assessing the ongoing due diligence process at institutions under the Wwft and the Rtsw, DNB examines the following topics:

• how customer data are updated (periodic review);
• how transactions are monitored;
• how unusual transactions are detected; and
• how sanctions list screening is carried out.

Periodic review process

Under section 3, subsections 2(d), and section 8, Wwft an institution is required to constantly monitor its business relationships and to ensure that the particulars of the customer, the ultimate beneficial owner and other persons about whom data have been collected are kept up to date. It also follows from Section 14, paragraph 4, of the Prudential Rules Decree (Besluit Prudentiële Regels or Bpr) that the institution must have in place procedures and measures for the analysis of customer data, for example in order to detect unusual patterns of transactions. This also means that customers and the products or services they obtain from the institution should be monitored.

To this end the institution must periodically update the information about the customer and, if necessary, the customer's risk profile using adequate, risk-based measures. The institution's policy and procedures should specify how this information is to be updated and how often. A clear cycle should be indicated for each risk category or type of customer, for example at least once a year for high risk cases, at least once every two to five years for medium risk cases and every five years for low risk cases, or where a review is triggered by a clearly defined event (event-driven review). The institution should also define moments and signs that will prompt a customer review.

Examples of elements in an adequate process

• The bank has linked its customer base to the trade register of the Chamber of Commerce. This means that certain customer data are kept up to date and changes to customer data which may prompt a customer review can be identified more quickly.
  
  
• When searching for external signs about customers (i.e. bad press), the bank enters the name of the customer in combination with other search terms, for example fraud and money laundering.
  
  
• In the periodic review the bank institution examines the state of the customer's account over the past year.

Examples of deficiencies in the process

• Little or no attention is paid to low-risk customers, even when changes occur.
  
  
• The bank fails to carry out a customer review even where a review would seem warranted by transaction monitoring or external signs.
  
  
• The search for external signs is inadequate and as a result reviews occur too late, if at all.
  
  
• The periodic review of customers and the monitoring of transactions are regarded as separate rather than complementary processes, as a result of which the transaction history is not examined during the periodic review.

Transaction monitoring process

Under Sections 2a, 3 subsection 2(d) and 9, subsection 3, Wwft and Section 14, paragraph 4, Bpr, the institution is required to monitor customers' transactions. The institution must have in place procedures and processes for continuously monitoring customers' accounts, activities and transactions and their financial conduct, and for detecting unusual patterns of transactions and transactions which by their nature entail an increased risk of money laundering or terrorist financing.

For this purpose it must have an efficient system (manual or automated) for checking whether all striking and potentially unusual transactions are detected. The system has a clear and extensive list of business rules which are revised at defined times and when the law changes. The risk profile drawn up for each customer has an impact on the monitoring and activities of the customer.

Examples of elements in an adequate process

• The bank draws up a risk profile for each customer and a transaction profile to match each type of customer risk profile.
  
  
• The bank has carefully conceived, differentiated scenarios and business rules, including limits geared specifically to clients and types of clients.
  
  
• The bank is an organisation that learns from experience and from the experience of others (e.g. credit card companies) and refines its scenarios and rules in the light of this experience.
  
  
• The bank periodically tests the effectiveness of the transaction monitoring process and carries out trend analyses. The results of the trend analyses are taken into account in scenarios and rules.

Examples of deficiencies in the process

• The bank's business rules contain high transaction limits and are mainly focused on cash transactions.
  
  
• In carrying out its transaction monitoring the bank does not take special account of high-risk countries, including countries on the warning list of the Financial Action Task Force (FATF).
  
  
• The bank has insufficient capacity to assess alerts and has no access to older alerts that have already been investigated or closed.
  
  
• In the case of decentralised monitoring the bank fails to ensure that staff have adequate knowledge of the Dutch market and are able to access all information and fails to check the quality of the transaction monitoring and provide for staff to be adequately trained in such monitoring.
  
  
• Monitoring is not carried out frequently and is not clearly scheduled.

Process of detecting unusual transactions

Under Sections 2a, 16 and 23 Wwft, the bank has a duty to report unusual transactions to the Dutch financial intelligence unit (FIU-NL). For this purpose the bank must draw up and supply to its staff a detailed list of relevant indicators (red flags) for detecting unusual transactions. Special attention is paid in this connection to unusual patterns of transactions and transactions which by their very nature present a greater risk of money laundering or terrorist financing.

Examples of an element in an adequate process

• The bank has developed a policy on how to record notifications received from FIU-NL in the customer risk profile.

Example of a failing in the process

• The only red flags notified to the staff are references to the objective and subjective indicators designated pursuant to the Decree containing provisions on the scope of the Wwft (Uitvoeringsbesluit Wwft).

Process of sanction screening

Under Article 2 of the Rtsw the bank should take organisational and internal control measures to ensure compliance with sanctions regulations. The bank should translate the sanctions regulations and internal sanctions policy into appropriate procedures and measures (also designed to take account of the jurisdictions in which it operates). It should screen against the sanctions lists all names and other relevant data of natural and legal persons contained in the customer file (including the ultimate beneficial owner, authorised agent, beneficiary, etc.). Customers should be screened at the time of acceptance, periodically and whenever changes are made to the customer base or sanctions lists.

Examples of elements in an adequate process

• In screening its customers the bank uses not only the sanctions lists but also its own lists compiled from relevant criteria such as the names of certain regions, place names, seaports, ship names and names of customers with whom the relationship has been discontinued.
• The bank has a clear policy on all countries subject to sanctions and its staff are aware of developments in sanctions regulations.

Examples of weaknesses in the process

• Persons and entities on the suppression lists are not screened periodically or when changes are made to the EU or Dutch sanctions lists.
• No up-to-date sanctions lists are used.