
Emerging Compliance Risks: Addressing Rising Trends in Financial Crimes and Terrorism Financing


Overview

The evolution and dynamic nature of the financial landscape and the current economic instability the world is facing have fuelled a rising trend in financial crimes and resulted in a tightening of global regulations. Recent events across the world clearly show that no nation is immune from the threat of terrorism and these terrorist activities require financing.

Technology may have brought advancements to many aspects of our lives, but it has also created a platform for unscrupulous parties to abuse the financial system for their own personal benefits. Cybercrime continues to escalate and it is evident that more criminals are exploiting the speed, convenience and anonymity of the internet to commit a diverse range of criminal activities that transcend both physical and virtual borders and pose real threats to victims worldwide.

The 8th International Conference on Financial Crime and Terrorism Financing (IFCTF), entitled “Emerging Compliance Risks: Addressing Rising Trends in Financial Crimes and Terrorism Financing”, aimed to shed new light on emerging compliance risks facing the industry. The conference explored the modus operandi and the latest local and overseas trends in financial crimes and terrorism financing, as well as examined the regional and global regulatory responses in dealing with these emerging threats.

IFCTF 2016

Wan Mazlan Wan Johari, Deputy Chief Compliance Officer, Bank Islam

The conference commenced with the opening remarks of Mr Wan Mazlan Wan Johari, Chairman of the Compliance Officers Networking Group (CONG) and Deputy Chief Compliance Officer, Bank Islam. He welcomed delegates to the 8th International Conference on Financial Crime and Terrorism Financing (IFCTF) 2016 and emphasised that the conference serves as a value-added platform for the industry and that it has continuously provided delegates with insights and ideas on the latest developments and issues which require analysis and action. The conference has helped banks stay ahead of the curve.

Mr Wan Mazlan Wan Johari introduced this year’s conference theme, ‘Emerging Compliance Risks: Addressing Rising Trends in Financial Crimes and Terrorism Financing’. He said it will be interesting to learn business leaders’ perspectives on current compliance and risk management issues as well as the lessons learned from recent events such as the Panama Papers. He said that an excellent line-up of expert speakers, representing both local and international agencies, will be discussing a wide range of topics during the two-day conference.

The evolution and dynamic nature of the financial landscape and the current economic instability the world is facing have fuelled an increasing trend in financial crimes and resulted in more global regulatory reforms. He stressed the importance of financial institutions responding swiftly and developing and implementing effective and robust compliance systems.

As the financial services industry faces numerous challenges which have led to new procedures and regulations, it has also become increasingly aware that good compliance is essential to maintain profitability and investor confidence. Compliance has evolved into a key strategic function that demands the attention of top management. Its role remains vital in ensuring that the financial system remains safe, secure and vibrant, working in partnership with stakeholders, regulators and law enforcement to stop the financial system from being exploited.

With the rising risk of terrorism financing in Malaysia, financial institutions need to be more vigilant during on-boarding and transaction monitoring and take timely actions to minimise the risks. At the same time regulators and law enforcement agencies need to be more dynamic in advising and sharing intelligence with financial institutions.

He concluded his welcome address by thanking the organising committee and the sponsors: LexisNexis Risk Solutions, Dow Jones, Swift, TESS International and Wong & Partners. He expressed his gratitude to the audience for attending the conference and encouraged them to actively participate in the sessions.

Welcome Address


Keynote Address

YB Datuk Nur Jazlan bin Mohamed, Deputy Minister, Ministry of Home Affairs

YB Datuk Nur Jazlan bin Mohamed, Deputy Minister, Ministry of Home Affairs, commenced his keynote address by thanking the conference organisers, Asian Institute of Finance (AIF) and the Compliance Officers Networking Group (CONG). He welcomed the audience and noted that the conference, which is a locally organised annual event, has continued to receive strong levels of participation from both the public and private sectors, renowned international experts, financial regulatory authorities and industry players year-on-year.

He was confident that the conference this year will once again provide insights that will lead to solutions to the current challenges faced by compliance and risk professionals. The theme for this year’s conference is ‘Emerging Compliance Risks: Addressing Rising Trends in Financial Crime and Terrorism Financing’ and its objective is to identify the modus operandi and related compliance risks of financial crimes and terrorism financing and to examine the regional and global responses in dealing with these crimes.

The Financial Action Task Force (FATF), in its 2015 mutual evaluation report, acknowledged that Malaysia has achieved a good level of compliance with the FATF Recommendations. The successful development of an action plan to address the key issues identified during the evaluation, together with the continuing efforts to improve its anti-money laundering and counter-terrorism financing (AML/CTF) initiatives, resulted in Malaysia being granted membership of FATF in February 2016. The inclusion of Malaysia as a member of the FATF signifies the global recognition of Malaysia’s legal and regulatory framework in fighting financial crimes and terrorism financing.

He said that such recognition would enhance the country’s strategic position in gaining wider access to the global financial markets particularly the capital markets. Moving forward, this would further establish Malaysia as a finance and banking hub in the region. The immediate challenge is the increased scrutiny on Malaysia’s AML/CTF framework and the pledges that the country has made, specifically to prosecute money laundering cases. Against this backdrop the benefits of FATF membership cannot be underestimated.

Technology may have brought advancements to many aspects of our lives, but it has also created a platform for unscrupulous parties to abuse the financial system for their own personal benefits. Cybercrime continues to escalate and is ranked as the second most important economic crime as concluded in the PwC Global Economic Crime Survey 2016. On the domestic front, statistics from Cyber Security Malaysia for the period of January to August 2016 showed that 45% of the total reported cybercrimes are fraud-related and the trend is likely to increase by the end of the year. The statistics from the Royal Malaysia Police showed that there were 14,627 cases of online scams with economic losses amounting to RM1.09 billion reported in 2015. It is evident that more criminals are exploiting the speed, convenience and anonymity of the internet to commit a diverse range of criminal activities that transcend both physical and virtual borders and pose real threats to victims worldwide.

The future of technology is uncertain. What is new today will be superseded by the next generation of technology and connectivity tomorrow. However, what is certain is the need to manage the corresponding risks. Public and private sector stakeholders must act resiliently against these emerging trends and continue inter-agency collaboration towards eradicating financial crimes. Malaysia has put in place numerous task forces to counter financial crimes including the establishment of the national revenue recovery enforcement team and committees for financial frauds and scams. The cross-border issues relating to financial crimes and financial technology will be discussed further and addressed over the course of this two-day conference.

Recent events in the global landscape clearly show that no nation is immune from the threat of terrorism. The rise of non-state actors such as DAISH or Islamic State, Boko Haram and Al-Shabaab has caused instability and insecurity all over the world. In Malaysia, it is no longer sufficient to rely on existing provisions due to the current nature of such threats and the financial resources these non-state actors have at their disposal. The Malaysian government has enacted several new provisions such as the Prevention of Terrorism Act (POTA) 2015 and the Special Measures against Terrorism in Foreign Countries Act (SMATA) 2015 specifically to combat acts related to terrorism.

Money is the lifeblood of terrorism. Terrorists need substantial resources to actualise their ideology and vent their grievances against institutions, governments and innocent people. They require such resources to operate their training facilities, acquire weapons and travel to perpetrate their nefarious activities. The number of terrorist attacks has continued to rise and the correlation between such attacks and terrorism financing is significant. Hence, the requirement to detect, reduce and totally cut off the flow of finances to terrorist organisations is an absolute necessity.

In 2007, Malaysia joined the global movement in combating terrorism financing by acceding to the United Nations International Convention for the Suppression of the Financing of Terrorism. The foregoing development led to the amendment of the Anti-Money Laundering and Anti-Terrorism Financing Act (AMLATFA) 2001 to combat illegal financial flows. The existing legal framework for combating money laundering in Malaysia includes terrorism financing in its general scope as recommended by the Financial Action Task Force after the September 2011 attacks.

On the regional front, the South East Asian and Australian financial intelligence units put concentrated efforts into combating terrorist financing activities. The first terrorism financing regional risk assessment for SEA and Australia was presented at the Counter Terrorism Financing Summit held in Nusa Dua, Bali in August 2016. The findings of the first terrorism financing regional risk assessment articulated four major terrorism financing risks to the region. The four risks are self-funding from legitimate sources, funding from non-profit organisations, cross-border movements of funds and external funding into the region. Deeper intelligence cooperation, stronger domestic and regional frameworks and a better understanding of high risk terrorism financing channels are needed to effectively deal with all these risks. We should also not discount the other channels which are forecast to pose an increasing risk over the medium term such as the use of social media and crowdfunding platforms for raising terrorism funds. We should be wary of the vulnerabilities within the remittance sector where the nature of this sector reduced the ability to detect suspicious transactions related to terrorism financing and resulted in relatively low reporting.

The challenge now is to distinguish between terrorism funding transactions and the large volume of legitimate ordinary daily financial transactions and to encourage continued involvement of the private sector in disrupting and preventing terrorism financing. In line with the theme of the conference, it is only appropriate that critical regional regulatory expectations and cooperation within the financial sector are discussed in the context of preserving the integrity of the financial system.

He said that emphasis should be placed on the importance of cooperation and collaboration among regulators, the financial industry and law enforcement agencies to successfully move towards the shared goal of protecting the integrity of our financial system against criminal abuse. It is about having the right people and the right processes, knowing who you are dealing with, understanding the risks that lie ahead and being fully mindful of how technology can be abused.

YB Datuk Nur Jazlan bin Mohamed further said that as a member of the Home Ministry team, the best advice that he could give to delegates would be to do their jobs with the highest levels of integrity, awareness and love for the nation. These, in his view, are the most important ingredients to make sure the country can continue to prosper. The ever increasing competitiveness in the world economy and meeting the regulatory needs resulting from global integration are the two factors that will determine the country’s future success. If the country is not part of the global financial system, it will not be able to raise capital and investments to further develop. The drop in the oil price over the last two years has shown that the country cannot rely on oil revenues in the future. Malaysia has to diversify and attract investment into the country. There is a need to reduce the criminal elements that are connected with investments into the country. Investments must be used to build infrastructure, knowledge and education systems which will be a good base for future generations.


PLENARY SESSION 1: A View From Above – Leadership Perspectives on Compliance and Risk Management Issues and Challenges in the Financial Sector

Panellists: Dr John Lee, Group Chief Risk Officer, Maybank Group

Irene Tan, Country Head, Compliance, Standard Chartered Bank Malaysia Berhad

Wong Ai Ping, Chief Compliance Officer, Hong Leong Bank Berhad

Moderator: YBhg Datuk John Zinkin, Managing Director, Zinkin Ettinger Sdn Bhd

The panellists for this session were Dr John Lee, Group Chief Risk Officer, Maybank Group; Irene Tan, Country Head, Compliance, Standard Chartered Bank Malaysia Berhad; and Wong Ai Ping, Chief Compliance Officer, Hong Leong Bank Berhad.

The moderator, YBhg Datuk John Zinkin, Managing Director, Zinkin Ettinger Sdn Bhd, started the discussion by asking if the boards of banks are failing in their primary duty to protect the most important asset of the bank, which is its reputation. He felt that if a bank loses its reputation, it effectively loses the right to continue to do business. He referred to the cases of Bear Stearns and Lehman Brothers.

Ms Wong Ai Ping was of the opinion that Malaysian banks have not escaped international regulatory developments. She added that directors of Malaysian banks are aware that a compliance-driven model is the only realistic model for a sustainable banking business in the twenty-first century. Boards are aware that the reputational consequences of adverse regulatory findings are severe and they need to identify how best to allocate time and resources to this and implement meaningful change. With increasing regulatory expectations, it would be difficult to justify behaviour that was acceptable five to ten years ago. Important issues raised by financial scandals, such as payment protection insurance (PPI) and Wells Fargo in the US, have changed regulatory expectations as well as the expectations of compliance professionals.

YBhg Datuk John Zinkin said that tax avoidance was more acceptable ten years ago than today. In the UK, the government recently announced that money laundering and financial crime will be paramount in their new policies for banks. He asked how banks in Malaysia would deal with such changing expectations.

Ms Irene Tan felt that standards have evolved and what was previously acceptable is no longer acceptable today.

Regulators have also raised their standards and increased their scrutiny on banks. They have developed an enforcement framework to drive home the message that banks need to take compliance seriously. Board members no longer simply endorse what is presented to them, but instead ask questions and require real-time updates. They expect information to be succinctly provided in an easily understandable manner. Most boards now have independent directors who give a balanced view and are more conscious of how risk is managed. She felt that the role of the compliance officer is to help prioritise issues and assist the organisation to focus on high risk areas.

YBhg Datuk John Zinkin suggested that perhaps this evolution in standards reflected not only a change in regulatory or political expectations, but was a result of a change in values. Historically, consumers had to wait for what they wanted and anything worth having was worth waiting for and anything worth investing in was worth deferring expenditure for. Banks introduced credit cards and securitisation, thus taking away the need to wait. Banks are guilty of undermining a pillar of society, namely that deferred gratification is a fundamental part of society and investment and, as a result, consumers think that it is fine to have instant gratification. He suggested that society does have its own responsibilities in terms of values and that may explain why regulators have to overshoot.

Dr John Lee said that the challenge is to re-examine values as a whole and whether society today encourages unethical behaviour. Banks basically facilitate transactions people want to make, sometimes disregarding the processes in place. He referred to the Enron crisis where accountants failed to do their jobs, and to the Swiber Bonds issue in Singapore involving mis-selling. The increasing regulatory expectations are becoming onerous for both boards and banks. It is therefore important for regulators to establish a clear set of guidelines to find the right balance.

Ms Wong Ai Ping said that banks have a finite amount of resources in their compliance and risk management functions. The question is how to make best use of those resources? Should they issue more guidelines and expect compliance officers to digest and implement those guidelines? Should they conduct more regulatory investigations? Or should they engage with the industry to set a level of expectations that is realistic and sustainable? She suggested that in order to be effective and sustainable and command respect in the regulated industry, a combination of all three is required.

YBhg Datuk John Zinkin asked the panel if they think that boards, and independent and non-executive directors in particular, are being asked to do more than they can manage within a short period of time.

Ms Irene Tan said that boards could lend support and question the robustness of the regulatory framework etc., but they could not be expected to monitor every part of the bank at all times. Therefore, the duty to be compliant is every bank employee’s responsibility. Every new employee undergoes an induction where the code of conduct is built into their training. Despite all the controls, it ultimately comes down to each individual to be compliant.

Dr John Lee said the reason for more regulations and higher expectations of the board and in meeting compliance requirements, is because the banking industry as a whole has lost the trust of the society it serves. It is important to address the issue of trust and instil the right value system in the industry. For example, when hiring senior management roles there is a need to check if the recruit has the same values as the bank.

YBhg Datuk John Zinkin added that it is absolutely critical that the bank’s culture reinforces the idea that reputation comes first, character comes second and profits follow after that. He asked if it would make sense for chief compliance officers to be involved in setting key performance indicators (KPIs) when recruiting senior roles.

Ms Wong Ai Ping agreed that this was a good suggestion. From her experience in the UK, senior compliance management is involved in the vetting of senior appointments. She felt that if the thinking behind that requirement was implemented correctly, the ratio of people who are compliant will increase because the bank is involving key functions like chief compliance officers in the hiring process.

Ms Irene Tan added that a culture of values must be embedded in banking processes. For instance, banks must reward their sales force not only based on achieving their sales targets, but more importantly on the values they demonstrate in performing their jobs ethically. Values and certain compliance-related objectives must be made mandatory in setting KPIs.

Dr John Lee said the value system needs to be discussed openly and understood by every employee across the organisation to ensure it is fully practised. He felt that it was the collective responsibility of senior management, and to an extent the board, to set the right behaviour. It is about individual behaviour and ultimately everyone is expected to do the right thing. In the 1980s, banks were the pillars of society. Today banks need a value system to earn back society’s trust.

YBhg Datuk John Zinkin said that traders live in a win-lose world, investment bankers live for the deal and retail bankers live in a win-win world. When retail bankers were swamped by traders and investment bankers such as Bob Diamond (Ex-Barclays Capital), the whole banking culture changed.

Dr John Lee added that for investment bankers it is ultimately about shareholder returns. Therefore, there is always an expectation for continuous performance. Basic fundamentals show that to make higher returns, risks must be taken. So, if banks are showing higher returns it is obvious they are taking risks.

YBhg Datuk John Zinkin then proceeded to ask about target-setting in banks and how employees can comply with the KPIs set.

Ms Wong Ai Ping was of the view that banks are already ensuring that compliance is part of all employees’ KPIs, but that changing values need to be focused on. The question is how to take this to the next level.

Ms Irene Tan added that compliance is not about instilling a ‘fear’ culture where people just comply to avoid getting caught by compliance officers. Compliance must be used as the sensor for the organisation to foresee what can go wrong. For instance, surveillance technology has been created to monitor transactions between traders and dealers to ensure that they do not indulge in any wrongdoing.

YBhg Datuk John Zinkin questioned if more resources are needed in compliance and whether more people are interested in becoming compliance officers.

Dr John Lee added that there is always an expectation that more resources are needed, whether in compliance or risk management. The reality is that there are not many candidates interested in these jobs.

Ms Irene Tan felt that there is a demand for compliance officers but not everybody is attracted to the role as it is viewed as onerous. Compliance cannot come up with a foolproof process because it deals with human beings – despite setting up rules, there will be one or two individuals who will refuse to comply. The important thing is to address the significant issues. She explained the lines of defence. The first line of defence is the roles and responsibilities of all employees. The second line is where it is less defined because within it there are other risk stewards including HR, technology and risk. All these functions play a role because each one is an expert on their own subject matter. So when it comes to making sure that the organisation is compliant, each function must play its role.

YBhg Datuk John Zinkin said that regulators will continue to have a role as they are needed in society and compliance will be required by regulators. He asked the panel to explain the problem of enforcing compliance within an organisation, including dealing with people who do not comply and the best way to handle the matter.

Ms Wong Ai Ping felt that cultural change in any organisation is difficult – behaviour is fundamentally driven by sales to meet and exceed targets. The need to create a compliant culture and ensure that employees are behaving in a compliant manner can be looked at from four angles. The first is remediation work. The second is business as usual that takes up more than the time allocated because products’, customers’ and regulators’ expectations are so complex. Third is the increasing need for more resources and fourth is planning for the future.

In relation to penalising employees, Ms Irene Tan explained that there must be an industry-wide effort to maintain and share a database of ‘blacklisted’ employees. Every organisation must take the matter seriously. If an employee resigns because he or she is being investigated, then it should be made clear that the resignation is not accepted as a voluntary resignation but it was tendered to avoid disciplinary action. Thus, every organisation can collectively try and prevent ‘bad hats’ from staying in the industry and hopefully this will help banks rebuild trust.

On the effects of de-globalisation, where anti-money laundering will have played a part, Dr John Lee said that regulatory authorities’ expectations of banks are from both compliance and risk management perspectives. There are also different competing objectives from stakeholders, customers, shareholders and employees.

On the issue of customers not wanting to understand a financial product and the risks involved, Dr John Lee explained that all customers want to hear is how much profit they will make. Money is made from taking risks. Banks must educate customers about their products and explain openly the risks involved which will help customers to make informed decisions.

Ms Wong Ai Ping said that financial literacy has improved in the UK through money advisory services led by the Financial Conduct Authority. Regulators can request key fact documents, product disclosure sheets and a summary of every single product a bank has. She said that money advisory services are encouraging customers to be more responsible for their own finances. Increasing consumer awareness is an issue. There are two types of consumers; one who will accept the blame for not reading the key facts and the other who will blame others when things go wrong. Ultimately, things will still go wrong no matter what checks and balances are put in place and there will always be a pocket of society who will blame the person who sold them the products.

YBhg Datuk John Zinkin asked to what extent is the compliance job now made harder by quantitative easing because it undermines half of the products that the bank is trying to sell and by its nature pushes people into riskier behaviour.

Ms Irene Tan said that not all customers can be treated as being at the same level of sophistication. Certain restrictions need to be imposed and internally banks need to act responsibly. For example, limits should be set for certain high risk products which cannot be sold to customers of a particular age or without significant understanding of the product. There is a need to insist that customers must meet a suitability assessment or they will not be accepted. These are difficult points that compliance needs to implement in the business. She explained that compliance is not only the protector of banks, but it is needed to facilitate the business. However, a balance is required between the growth and compliance agendas.

Dr John Lee said that it goes back to the issue of ethics and ethical behaviour. It can end up being a question of interpretation as there are always ways around many things. It is about fundamental values or having a moral compass. Banks need to guide customers on ethical behaviour.

YBhg Datuk John Zinkin asked the panel whether it was a problem that the financial services sector has become speculative through derivatives and structured products.

Dr John Lee explained that derivative instruments were created because people were concerned about loans defaulting and to hedge risks. In his view, the product itself should not be blamed, but rather the people who use the product are to be blamed.

Q & A Session

The moderator asked the question on how banks should align their interests with clients’ interests and whether this could be the best guarantee to rebuild trust in the private banking industry.

Dr John Lee said that banks need to simplify their products and assess the needs of customers better. They need to rebuild trust by ensuring that customers understand what products they are purchasing and their risks.

YBhg Datuk John Zinkin quoted Peter Drucker in 1945 – ‘the purpose of business is to build and maintain satisfied customers’. He added that anyone who sets up a business should think of making the world a better place by looking after their customers. Then trust would start to rebuild. He concluded by saying that compliance officers have the best job in banks as they make sure the reputation of their bank is aligned with its customers’ interests.


The Need for Greater Transparency: Lessons From the Panama Papers

Panellists: Ritu Sarin, Executive Editor, Investigations, The Indian Express and Journalist Member of The International Consortium of Investigative Journalists (ICIJ)

David Shannon, Principal Executive Officer, Asia Pacific Group on Money Laundering (APG), Australia

Moderator: YBhg Datuk Ahmad Hizzad bin Baharuddin, Director General, Labuan Financial Services Authority (LFSA)

The moderator started the session by introducing the panel and highlighting their diverse backgrounds and experience: Ritu Sarin from the International Consortium of Investigative Journalists (ICIJ) is a journalist who helped publish the ‘Panama Papers’ in India; and David Shannon is Principal Executive Officer of the Asia Pacific Group on Money Laundering (APG), a group that ensures countries meet international standards in respect to transparency.

YBhg Datuk Ahmad Hizzad bin Baharuddin explained that in today’s globalised world both companies and individuals are legally allowed to take advantage of the structural make-up of the international market through various programmes and incentives to plan their tax obligations. There are tax treaties all over the world including double-taxation treaties between countries, which are bilateral as opposed to multi-lateral arrangements. Some individuals and organisations capitalise on double taxation agreements by organising their entities, revenues and expenses in various countries, thus benefitting from these arrangements. In addressing these, there is an urgent need for transparency and more sharing of information to ensure that tax evasion is prevented.

Ms Ritu Sarin spoke about the Panama Papers and said that she has been collaborating with the ICIJ in relation to the leaked documents concerning offshore entities created by Panamanian law firm, Mossack Fonseca. The Panama Papers were the largest leak of confidential data ever and the biggest collaborative story in the history of investigative journalism. The size of the leak is several times larger than WikiLeaks – a staggering 11.5 million pages or 2.7 terabytes!

The Panama Papers contain details of 210,000 offshore companies formed by Mossack Fonseca in Panama over a 40-year period with some accounts being opened as late as 2016. The papers contain details of companies set up in 21 jurisdictions including in the Seychelles, Singapore and Hong Kong, and were analysed by over 250 journalists who collaborated on how to publish the papers.

The impact of the Panama Papers has been immense.

Many leaders, including Vladimir Putin, the Russian President, and Nawaz Sharif, the Pakistani Prime Minister, were mentioned during the investigation. Sigmundur David Gunnlaugsson, the Icelandic Prime Minister, was forced to resign following massive protests over the disclosure of the British Virgin Islands’ (BVIs) companies owned by him and his wife. One week after the leaking of the Panama Papers, tax officials from 28 countries met in Paris to develop a post-Panama Papers strategy. It is noteworthy that even tax authorities realised this was unprecedented. The headquarters of Mossack Fonseca were raided and more political leaders and celebrities came under scrutiny.

ICIJ set up a system for all members to access information relating to the Panama Papers. A search engine was created producing up to 35,000 results for just one issue. Journalists obtained documents that showed evidence of corruption including a case involving Denmark and a company called Electronica and another case linked to a company called Delaru. Both cases were exposed in the Panama Papers. In India, the Finance Minister set up a multi-disciplinary task

PLENARY SESSION 2:

“ The Panama Papers were the largest leak of confidential

data ever and the biggest collaborative story in the history of investigative journalism. ”Ritu Sarin

Ritu Sarin

IFCTF 2016

force specifically to look at the Panama Papers. Within days, 297 people who had been named by The Indian Express were summoned by the Income Tax Department.

With around 500 Indian figures named in the Panama Papers, one of the many challenges is getting details of investments, bank accounts and properties held by identified offshore entities. The Central Board of Direct Taxation (CBDT) has sent almost 300 inquiries to 12 offshore jurisdictions via the foreign tax and tax division (FTTD) with the majority sent to the BVIs. Investigating an offshore company is challenging as the data is not held by the government or the investigating agency.

The Reserve Bank of India has sent 20 cases to the enforcement directorate (ED) where it was discovered that the liberalised remittance scheme (LRS) norms had been flouted. Details from other jurisdictions are expected to flow into India within the next few weeks. The real secrets and details of these offshore companies and their holdings will be revealed then.

Ms Ritu Sarin then turned to lessons learned from the Panama Papers and she said that the documents obtained have shown that people who were named in the Panama Papers, including non-resident Indians (NRIs), did not declare their offshore entities and tax returns as was required by the law. A massive investigation is currently taking place in India and journalists will continue to write more news stories based on the information obtained.

Mr David Shannon agreed that the Panama Papers were indeed one of the most significant developments, both in the region and globally, and they have resulted in the financial industry having to scrutinise the risks and complexities of corporate vehicles in relation to financial crime. He outlined that he would discuss the implications of the Panama Papers for financial institutions and the market, the lessons learned and how to respond effectively with the information available.

He introduced the Asia Pacific Group on Money Laundering (APG), a regional body for Asia Pacific similar to the Financial Action Task Force (FATF). APG has 41 member jurisdictions, including Malaysia, and all other ASEAN countries. Eleven of the members are also FATF members. APG’s active observers include the International Monetary Fund, the World Bank, the Asian Development Bank and the United Nations (UN). APG’s role is to support members in implementing Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) international standards set by the FATF.

The Panama Papers have had, and will continue to have, a significant impact in relation to global policy considerations, from the transparency of tax regimes through to multi-jurisdictional tax treatment issues and international cooperation. The need for transparency and to protect the international economy from financial crime is an issue of financial stability. Hence, the G7, the G20 and other bodies have focused on transparency and global tax issues post the global financial crisis.

Mr David Shannon said that the Panama Papers is a major topic of discussion for governance bodies at a global level including the FATF and the Organisation for Economic Cooperation and Development (OECD). There is also an increased focus at a national level on the effectiveness of the standards set by these bodies. The UN continues to pursue AML/CFT standards as part of its agenda in relation to global security issues and the Panama Papers have landed right in the middle of these initiatives. He suggested that the Panama Papers can be seen as a manifestation of a globalised approach to international finance.

The OECD has listed a number of countries that do not meet the standards it sets, namely Guatemala, Kazakhstan, Lebanon, Liberia, Micronesia, Nauru, Trinidad and Tobago and Vanuatu. Many of these countries may have now implemented ‘sufficient’ instruments for automatic exchanges of information, but he questioned whether such a practice was the right recipe for prevention.

The FATF’s blacklisting process, or the international country risk guide (ICRG), has historically focused more on basic legal frameworks instead of offshore entities and issues of beneficial ownership and AML/CFT supervision of entities like Mossack Fonseca. Mr David Shannon stressed that there is insufficient global focus on effectively pursuing international cooperation to ensure transparency and to follow money trails. He also questioned whether financial institutions were adequately supported in their work to verify the customer due diligence (CDD) and know your customer (KYC) information for customers from foreign jurisdictions. He believes that the Panama Papers have highlighted the problems pertaining to offshore entities and the secrecy of jurisdictions, which presents challenges for compliance while conducting CDD work.

There is a lot of pressure on some offshore financial centres to close secrecy loopholes and to have more checks in place to ensure they can identify beneficial owners. The global standards on transparency are a work-in-progress. However, the Panama Papers’ exposure of the use of offshore corporate vehicles has certainly moved the debate forward.

He explained that at the domestic level many countries lack the political will or capacity to focus on transnational financial crimes as it is both challenging and costly to get results, whether it is identifying and confiscating assets or conducting full-scale investigations. Countries need to better assess and understand the risks they face from corporate vehicles, both onshore and offshore, and respond to these risks. Malaysia, for instance, needs to better assess particular risks and consider more sophisticated models within its jurisdiction.

It is important to reset and re-calibrate how regulators support the market in their work to verify and conduct CDD. The challenge has always been whether regulators need to do more with the market to help overcome challenges that might exist and obtain the right information to complete CDD with minimal costs. All jurisdictions need to improve the scope and effectiveness of their frameworks in relation to this. Malaysia is doing better than most. However, a strong AML/CFT framework matters little if company and trust laws limit transparency.

He believes that opportunities for collaboration are important. Even though the Panama Papers were initiated entirely by journalists, they have raised questions that relate to transparency and effectiveness in combating financial crimes. There is an opportunity for a more structured approach and for countries to consider ways in which there might be more opportunities to work with credible journalistic bodies, the research sector and other players.

The ICIJ initiative has added to the success of some policy initiatives and processes and has helped to identify what should be the priorities going forward. Overall, the Panama Papers have highlighted many issues and they provide an opportunity for compliance teams to gain a much better understanding in relation to the approach taken by offshore entities. There are a lot of data points to be added to CDD processes and there needs to be a lot more collaboration between the market and national regulators. A lot more work is required on the part of national governments and the international community. There is a lot of pressure at global, regional and national levels to be more effective in combating financial crimes and this hopefully can bring a much more realistic focus to what should be some of the priorities.

Mr David Shannon concluded by thanking the ICIJ for its work on the Panama Papers which, in his view, is incredibly important and will contribute to the future stability of the economy and the financial system.

Q & A Session

The first question posed was on compliance issues arising from the Panama Papers. Ms Ritu Sarin explained that Mossack Fonseca had an elaborate compliance procedure and a PEP (politically exposed person) system. If a potential client was on the PEP system, he or she would not be eligible to open an offshore company. The emails obtained from the firm revealed that, although they had a compliance system in place, hardly any potential clients were turned away.

The second question focused on how to ensure banks adhere to a certain global standard going forward. Mr David Shannon replied that Panama had no direct taxation regime of any kind for both individuals and companies. Therefore, when it came to company formation agents, they were not turned into tax issues as there was no formal tax jurisdiction. Company formation in a second or third jurisdiction is not necessarily an indicator of illegality and sometimes not even a risk. His advice was that it is incumbent on regulators to have a better understanding of where risks lie in order to guide the market and those in the compliance sector so that they can be more effective.

The third question was whether a very strong international enforcement agency was needed to combat financial crime. Mr David Shannon said that the power to implement the FATF recommendations sits with national governments as that is where the sovereignty lies – the powers of international bodies are derived entirely from nation states. In his view, the response to strengthen international enforcement is a constant work-in-progress to try to improve processes between states or jurisdictions to be fast enough and responsive enough to be effective against the risks faced.

The fourth question related to the FATF’s standards, policies and typologies over the last 20 years and if more could be done in terms of controls, systems, methodologies and standardisation across the industry, instead of having to rely on journalists to uncover things. Mr David Shannon replied that there is a serious debate between the standard-setter and the market about whether a prescription-based or a risk-based approach is required. In his opinion, the risk-based approach is the only way to be efficient and to be truly effective and this is the responsibility of the standard-setter. He explained that the Panama Papers will help push this agenda forward. He felt the risk-based approach needs to be better supported by risk information, including typologies.


CONCURRENT SESSION 1:

Trade-Based Money Laundering: Tackling Emerging Risks

Panellists: Alan Chiu, Chairperson AML Committee, The Hong Kong Association of Banks, and Head of Financial Crime Compliance, Standard Chartered Bank (Hong Kong) Limited

Martin Muirhead, Senior Financial Crime Advisor, PricewaterhouseCoopers, UK and Hong Kong

Moderator: David Shannon, Principal Executive Officer, Asia Pacific Group on Money Laundering (APG), Australia

Mr David Shannon opened the session by noting that while there is much focus on retail banking, the trade finance area has many issues which need to be highlighted. He then briefly introduced the speakers.

Mr Alan Chiu started his presentation by commenting that trade-based money laundering (TBML) has received more attention over the last three years compared to the previous focus on cash-based money laundering (CBML). He said his presentation would cover the basics of TBML, challenges in detecting it and some best practices for banks to control it.

He provided background on TBML as one method of money laundering (the others being wire transfers and the physical movement of cash) and noted that the Financial Action Task Force (FATF) released a paper on TBML in 2006 and another on best practices in 2008. Since then, other international organisations in 2012 and 2013 have listed the TBML risk areas.

The FATF’s definition of TBML is the process of disguising the proceeds of crime and moving value through the use of trade transactions in an attempt to legitimise their illicit origins or finance their activities. The financial crime risks in trade transactions are broadly categorised as money laundering (ML) or terrorism financing (TF), and include fraud and sanctions or proliferation financing. TBML is difficult to detect because of:
• The huge volume of global trade obscuring individual ML transactions;
• Complexity of trade finance transactions;
• Commingling of illicit transactions and legitimate transactions.

He then described some of the basic modus operandi of TBML including:
• Over and under-pricing of invoices;
• Multiple invoicing;
• Over and under-shipment of goods;
• Phantom shipments;
• Falsely describing goods and services.

Reference was made to a chart showing how TBML operates between buyers and sellers and a slide on the challenges faced, including:
• Lack of specific TBML assessments;
• Lack of internal controls, clear policies and procedure documents for dealing with TBML risks;
• Banks not having innovative and effective techniques to assess ML risks in trade finance transactions – CBML systems are in place, but TBML requires more human effort to assess if ML is occurring;
• Inadequate use of customer due diligence (CDD) information;
• Lack of management information on financial crime risks in trade finance business makes it hard to understand;
• Lack of TBML training – in practice, even experienced processing staff may only consider a transaction’s commercial risks and therefore fail to make appropriate enquiries about financial crime risks or to escalate potentially suspicious transactions;
• More focus on internal escalation for sanction concerns rather than TBML concerns;
• Legal and regulatory requirements related to financial crime might conflict with commercial obligations set out by the International Chamber of Commerce (ICC);
• The paper-based nature of TBML, based on the manual nature of trade transactions and the limitations of automated transaction monitoring in a trade context, with less focus in banks on ML previously.

Mr Alan Chiu explained the key principles of TBML controls and best practices including:
• Institutional/business-level risk assessment of trade-related activities and their controls;
• Customer/transaction-level risk assessment;
• Written policies and procedures setting out methodology for assessing, monitoring and mitigating TBML risks;
• Developing appropriate red flags – customer, documentary, transaction and commodity – for frontline/operation staff to identify suspicious TBML activities;
• Review and escalation procedures;
• Review and escalation reports based on red flags for frontline/operation staff to identify suspicious TBML activities;
• Rule-based exception reports based on red flags to detect TBML;
• Clear roles and responsibilities on control ownership;
• Documentation on decisions relating to trade transactions;
• Documentation of customer information relating to trade transactions;
• Management oversight to make regular reports and provide management information to senior management.

In his view, banks have greatly improved their customer due diligence (CDD) conduct and review of trade activities. He explained the benefit of policies and procedures to clearly spell out who has control and responsibility for ML for trade activities.

Mr Alan Chiu then explained the principles of pre-transaction screening which includes methodologies to detect specific trade-based red flags, common trade typologies and scenarios and sanctions. Such red flags can be seen from the documentation of the transaction, trade routes and the nature of the commodities involved. Practices also include screening procedures in dealing with alerts relating to sanctioned/high risk countries, entities and vessels. In his view there is a need to set clear roles and responsibilities in the internal escalation procedure and formalising TBML control.

When conducting an internal escalation, he said that there are three levels:
• Level 1: Review by trade processors with good knowledge of international trade, customers’ expected activities and sound knowledge of TBML’s red flags.

• Level 2: Staff with specialist expertise to further assess the merits of the escalation from level 1 as well as the relevant suspected activity itself, requiring extensive knowledge of TBML risks and appropriate use of third party data sources to verify key information.

• Level 3: The compliance/investigation team will determine if additional measures are required to mitigate any risk and whether a suspicious transaction report (STR) should be filed.

Banks should reject a transaction if unacceptable ML or TF risks arise.

In relation to post-transaction monitoring, he noted:
• The objective is to identify unusual or suspicious trade activities and patterns for further examination and investigation;

• When designing appropriate monitoring mechanisms, take into account the nature of trade-related products and services and the common TBML typologies and red flags;

• Monitoring trade transactions may involve higher levels of human effort/judgment to effectively identify unusual or suspicious activities, focusing on if there was any collusion between the buyer and the seller;

• Investigation analysts should review if there was collusion between the seller and the buyer, since the intended outcome of arrangements is often to obtain value in excess of what would be expected from an arm’s length transaction;

• Periodically assess and review transaction monitoring mechanisms taking into account changes in business operations and developments in TBML transactions.


He then referred to trade-related CDD requirements:
• CDD is particularly important for banks to manage and monitor the risks associated with customers on an ongoing basis;
• CDD facilitates the assessment and identification of anomalies;
• Key customer information includes:
  - business nature – such as major products, services and markets;
  - delivery/transportation mode;
  - major suppliers and buyers;
  - anticipated account activities;
  - anticipated major methods and terms of payment and settlement;
  - internal customer risk assessment ratings;
  - any previous STRs filed and adverse news;
• Regular update of CDD records.

As to risk awareness and TBML training, he explained:
• Relevant staff (relationship managers, trade operation teams, trade product teams and staff with control functions such as compliance, risk and internal audit) must understand TBML is real and that it has negative societal consequences;

• Training topics should cover typical trade transactions and structures to ensure key trade-related concepts are understood as well as typical TBML typologies and common red flags, internal trade controls and rationales, emerging risks and trends of TBML and case studies;

• Role-based training should be conducted to educate staff about specific risks and responsibilities applicable to them.

Mr Martin Muirhead began by explaining that TF is one of the typologies mentioned by the FATF and referred to the effectiveness agenda which he felt was important in detecting TBML. The key questions to determine are, ‘How did we get here and why is it the way it is now’.

He noted that TBML concerns regulators and law enforcement agencies worldwide. The increased focus on CTF also impacts trade financial crime risk management. The documentary credit process evolved from the days of the quill pen and lengthy shipping voyages with poor communications en route. If the process was designed today it would look rather different. The way it has evolved has resulted in the use of multiple data types from free text in bills of lading to structured data in SWIFT messages. The challenge is the large amounts of documentation involved.

He noted that the modus operandi presented earlier mainly does not work because banks do not effectively know/understand the customer, business environment risks and norms, which are required to manage AML risks. It is necessary to have trained staff who are curious. The ability to know your customer is complicated by the many parties who can be involved in a transaction, over many jurisdictions, with varying risks such as sanction rules and AML/TF risks. Banks should ask questions as to whether the transaction makes sense.

Other challenges arise from the evolutionary design of the documentary credit process. It is very hard to bring together all the requisite information, internal and external, to allow well-trained teams to make good decisions on risk. Mr Martin Muirhead said that to effectively manage risks banks need to understand the environment in which customers/potential customers are operating by knowing the country and risks under which customers are working as well as accessing trading country risk reports and trading information.

As for knowing the environment, it is important to know the risks/red flags from regulators and apply these sensibly and understand them by collaborating with other banks (for example, the UK joint money laundering intelligence task force (JMLITF) has trade finance as one of four priority areas of focus), local regulators and law enforcement.

As for knowing if a transaction or customer is valid, he said that it is crucial to look at the country and the customer in question and shared the example of the Polly Peck International (PPI) case. In this case, the company head, Asil Nadir (from Northern Cyprus), knew Margaret Thatcher as well as a junior UK defence minister and bankers. Many banks were impressed with his business methods and wanted to lend money. The company CFO became uneasy because one of PPI’s main business operations was to pack bananas and ship them to Europe and the worldwide figures showed that PPI’s subsidiary was shipping 200% of the world banana production. PPI later collapsed when a scam was exposed but banks at that time did not look deeply into the transactions to see the red flags.

The session then focused on the challenges of Know Your Customer (KYC). Here it is important to know the customer, their business, who they are dealing with, and to understand the nature of the business, as well as the goods and the countries involved. The requirements to manage risks include gathering sufficient information about the customer and the business including screening for sanctions, tracking negative news for indications of risk regarding the customer or the business and asking if the business overall makes sense, as well as whether the bank knows the counter-parties and the risks they bring.

For example, as per MAS guidelines, banks can track the ship routes and progress of the ships from beginning to end to ensure that claimed voyages are actually sailed. This looks at the risk of transhipment of cargo and illicit stops along the way. Systems such as Purpletrac by Polestar will track ships by satellite and will screen all parties for sanctions risks.

Other information would be around the prices of goods, where banks need access to external market price information to compare against the prices on the LC documentation. The same process is needed to identify possible dual-use goods in free-text descriptions and to action any alerts effectively and correctly.
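The price comparison described above, combined with the invoice and shipment typologies and the rule-based exception reports listed earlier in the session, can be sketched as follows. This is an added example, not material from the conference or from any bank's system; the record fields, tolerances, reference prices and sample transactions are all constructed assumptions.

```python
"""Rule-based TBML exception report over constructed trade records."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed tolerances; in practice these are calibrated per commodity and corridor.
PRICE_TOLERANCE = 0.25     # unit price more than 25% away from the reference price
QUANTITY_TOLERANCE = 0.05  # invoice vs bill-of-lading quantity gap above 5%


@dataclass(frozen=True)
class TradeRecord:
    txn_id: str
    invoice_no: str
    seller: str
    commodity: str
    invoiced_qty: float   # quantity on the commercial invoice
    shipped_qty: float    # quantity on the bill of lading (0 = no shipment evidence)
    invoice_value: float  # total invoice value in USD


# Constructed external reference prices (USD per tonne), not real market data.
REFERENCE_PRICES = {"bananas": 900.0, "copper_cathode": 6000.0}

# Constructed sample transactions.
SAMPLE_RECORDS = [
    TradeRecord("T1", "INV-1001", "SellerA", "bananas", 100, 100, 92_000),
    TradeRecord("T2", "INV-1002", "SellerA", "copper_cathode", 50, 50, 450_000),
    TradeRecord("T3", "INV-1003", "SellerA", "bananas", 200, 200, 90_000),
    TradeRecord("T4", "INV-1004", "SellerB", "copper_cathode", 40, 0, 240_000),
    TradeRecord("T5", "INV-1005", "SellerC", "bananas", 100, 100, 90_000),
    TradeRecord("T6", "inv 1005", "SellerC", "bananas", 100, 100, 90_000),
    TradeRecord("T7", "INV-1007", "SellerD", "bananas", 100, 70, 90_000),
]


def price_flags(rec, reference_prices, tolerance=PRICE_TOLERANCE):
    """Over/under-pricing: compare the invoiced unit price with a reference price."""
    ref = reference_prices.get(rec.commodity)
    if ref is None:
        return ["NO_REFERENCE_PRICE"]  # cannot assess; route to manual review
    if rec.invoiced_qty <= 0:
        return ["INVALID_QUANTITY"]
    deviation = (rec.invoice_value / rec.invoiced_qty - ref) / ref
    if deviation > tolerance:
        return ["OVER_PRICED"]
    if deviation < -tolerance:
        return ["UNDER_PRICED"]
    return []


def shipment_flags(rec, tolerance=QUANTITY_TOLERANCE):
    """Phantom, over- and under-shipment: compare invoice and bill-of-lading quantities."""
    if rec.shipped_qty == 0:
        return ["PHANTOM_SHIPMENT"]
    if rec.invoiced_qty <= 0:
        return []  # already reported by price_flags as INVALID_QUANTITY
    gap = (rec.shipped_qty - rec.invoiced_qty) / rec.invoiced_qty
    if gap > tolerance:
        return ["OVER_SHIPMENT"]
    if gap < -tolerance:
        return ["UNDER_SHIPMENT"]
    return []


def normalise_invoice_no(invoice_no):
    """Strip case, spaces and punctuation so 'inv 1005' matches 'INV-1005'."""
    return "".join(ch for ch in invoice_no.upper() if ch.isalnum())


def multiple_invoicing(records):
    """Return txn_ids where one seller's invoice backs more than one transaction."""
    seen = defaultdict(list)
    for rec in records:
        seen[(rec.seller, normalise_invoice_no(rec.invoice_no))].append(rec.txn_id)
    return {t for ids in seen.values() if len(ids) > 1 for t in ids}


def exception_report(records, reference_prices):
    """Map txn_id -> sorted red flags, listing only transactions that need review."""
    duplicates = multiple_invoicing(records)
    report = {}
    for rec in records:
        flags = price_flags(rec, reference_prices) + shipment_flags(rec)
        if rec.txn_id in duplicates:
            flags.append("MULTIPLE_INVOICING")
        if flags:
            report[rec.txn_id] = sorted(flags)
    return report


if __name__ == "__main__":
    for txn_id, flags in exception_report(SAMPLE_RECORDS, REFERENCE_PRICES).items():
        print(txn_id, ", ".join(flags))
```

A flag here is only a reason for Level 1 review, not a finding; the human assessment of whether the transaction makes sense still follows.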

This challenge of bringing together multiple relevant data sources to a well-trained decision maker with the necessary auditable process is the biggest challenge for banks. The lack of experienced people in the market suggests that some form of country utility may be worth exploring to bring together the expertise (say on dual use goods) and de-risk the bank operations.

Finally, Mr Martin Muirhead explained that it is important to obtain data in the right format that is readable. He predicted that there will be enhanced analytics, particularly data-sharing across banks and countries. He also emphasised the use of blockchain to provide assurance of customer or goods validation and for the security of the transaction in question. For example, he highlighted the partnership between DBS Bank and Standard Chartered to develop a distributed ledger for simpler and more transparent transactions in trade finance.

Q & A Session

The first question asked was whether Islamic banks comply with AML/CTF as they use commodity-based transactions.

Mr Martin Muirhead could not comment on Islamic banking as he had no experience in that field. However, in regards to the question about commodities, he answered that banks need to be aware of prices and particularly of any over-pricing or fictitious value, which is how ML is normally conducted.

Mr David Shannon explained that Malaysia is advanced in terms of Islamic banking, but that AML/CFT obligations apply to Islamic banking and takaful equally to other sectors in Malaysia. From evaluations, there are ups and downs in the levels of compliance in markets. In his view, price information and transparency is a challenge regardless of the sector.

He then asked about the opportunities and barriers in bringing specialists together in relation to compliance and trade finance.

Mr Alan Chiu said that coming from the compliance side he tends to look at things from a negative view point. He explained that the perspective of trade finance staff has always been about commercial obligations, but this mindset needs to change. He mentioned that in some banks there are clauses where, if the transaction was found to be illegal, then the payment could be stopped immediately. There is a need to train staff to be aware that now there is a legal responsibility to report any suspicious transactions.

Mr Martin Muirhead added there would be better results if parties worked together. Proper risk assessments should be conducted from the ML perspective. He felt that rather than adopting an adversarial approach, parties should work together with the mutual understanding from the board that all are expected to manage the risk for the bank.

The next question was how banks can work together with regulators in developing guidance material.

In Mr Martin Muirhead’s view, to make a sensible difference, all parties should come together and establish best practices and invite regulators to discuss the laws that need to be changed. Rather than keeping regulators at arm’s length, everyone needs to work together for the same end.

Mr Alan Chiu added that the first step is to have a guidance paper and gave the example of Hong Kong’s paper on TBML. He advised that if the banking industry had guidelines then all banks would have to adhere to those best practice principles which would be helpful to them.

The last question was what the key focus should be in preventing ML/TF through trade finance channels.

Mr Martin Muirhead said that AML and financial crime is not just an individual bank issue but affects a country as a whole. He advised that banks, regulators and law enforcers need to work together with the aim of keeping society safe.

Mr Alan Chiu’s concluding remarks were that TBML is a new interesting area of focus and that as banks catch up on TBML there will be a lot of changes in the future. His view was that TBML will become more focused and more efforts will be made by banks to prevent ML and TF in this area.


CONCURRENT SESSION 2:

Cross-Border Transactions in Facilitating the Illicit Flow of Funds

Panellists: Martin Smith, Head of Compliance & Risk, Asia Pacific, Travelex Limited

Christopher Foye, Market Planning Manager, LexisNexis Risk Solutions

Sammy Pang, Assistant Country Attache, Drug Enforcement Administration Special Agent, US Embassy, Malaysia

Moderator: Yunos Yusop, Head and Vice President, AML/CFT Department, AFFIN Banking Group

Moderator Mr Yunos Yusop, in introducing the topic, noted that according to reports the illicit flow of finance from developed countries is in the trillions. This region has particular issues related to Islamic State.

Mr Martin Smith began his presentation by introducing Travelex, a foreign exchange company which is present in 27 countries worldwide and he pointed out that in most countries where Travelex operates, it also acts as an agent for the remittance company Western Union. Therefore, Travelex is exposed to a lot of potential money laundering (ML) and terrorism financing (TF) risks, including cross-border transactions. Of these, the movement of cash through remittance and money services businesses (MSBs) is the greatest risk as cash is easy to distribute and exchange around the world. He noted that a number of MSBs are not as stringent as banks and other financial institutions. There are also differences between countries; for example, identification is required in Australia if you buy A$1,000 cash, in the UK if you buy £10,000 and in Singapore if you buy S$5,000. Criminals take advantage of these different standards between countries to launder money and often use MSBs, who unwittingly move the cash without knowledge of the origins of the money. Some criminals do pose as MSBs with the sole purpose of laundering money. The latter have no intention of running a legitimate business and lower the reputation of other MSBs.

He suggested that the lessons learned for regulators can be categorised into licensing, developing the anti-money laundering framework and consumer protection. In his view, regulators are talking more frequently to industry players, including big banks and MSBs and working with them to find the best method of regulation, although this has taken a long time. He has seen this happen in China, Hong Kong and Malaysia. He also emphasised that regulators talk to each other and compare notes all the time.

In terms of licensing, there is some variation in the approach of countries. For instance, China is focusing on offshore developments and recently visited the UK to look at its frameworks. Hong Kong is implementing legislation to regulate prepaid cards as these are being widely used for terrorism financing.

Mr Martin Smith then spoke about money mules who receive and transfer funds on behalf of criminals. In the 1980s, Colombian drug lords used mules to make small deposits in accounts they had set up in the US, making it difficult for law enforcement authorities to identify and monitor the people behind it. Now the internet and social media are being used. University and college students are a primary target and sometimes their identities are stolen and bank accounts set up in their names without their knowledge. The use of money mules continues to develop; examples include the arrest of 36 mules in Singapore in 2016 and the hacking of mobile phone funds.


Mr Christopher Foye emphasised that instead of dwelling only on ML and TF aspects, it is important to acknowledge the MSB sector’s positive role in the financial system and society. For example, many migrant workers from poor communities are able to send money home to their families.

He then highlighted one piece of analysis he has seen, which found that one in every three dollars goes to countries that are deemed non-cooperative. He referred to the use of traveller’s cheques and the informal ‘hawala’ network to fund terrorism activities. He also mentioned the US arrest of Somalis in 2013 for using an MSB to fund Al-Shabab and the cancellation of a remittance licence in the Philippines in 2016 because of involvement in the Bangladesh Bank heist.

Mr Christopher Foye then discussed MSBs and what criminals look for in terms of cross-border transactions, namely:

(1) Simple mechanisms which do not require stringent Know Your Client (KYC) requirements;
(2) Keeping costs as low as possible;
(3) Low risk of the funds being intercepted or discovered.

For example, a drug trafficker who wants to move a significant volume of cash to a particular destination will look for a suitable mechanism to perform the transaction safely. Although MSBs have thresholds, multiple remittances can be performed and the speed with which money can be sent from point A to B also makes them attractive. However, despite these perceived reasons for criminals to use MSBs, in reality there are still regulators overseeing the industry as well as industry associations and compliance functions within MSBs. Malaysia has taken steps to monitor the sector through legislation such as the Financial Services Act 2013, Islamic Financial Services Act 2013 and the Money Services Business Act 2011 as well as re-licencing activity within the MSB sector over the last few years, and through the national risk assessment which confirms the inherent risk of this sector and collaboration with the industry association.

In this context he asked what risks are involved. First, there are still unlicenced MSBs in all countries. Second, there are informal money transfer networks such as ‘hawala’, which, even if discovered, do not have records showing illicit proceeds, as transactions are generally shown as occurring between two brokers rather than the actual sender and beneficiary. Third, smaller MSBs may not think it is cost effective to have a compliance function and adequate technology to monitor transactions.

He also looked at the potential means used by criminals to transfer illicit money through MSBs. The classic method is called smurfing, transferring low value amounts to beneficiaries repeatedly. More complex and difficult to detect is where a group of individuals use multiple MSBs to send funds out to a group of beneficiaries. Other methods include: the use of money mules; use of phishing emails, such as the Romeo and Juliet scam (online dating) to defraud individuals of money or get account details; the use of fictitious products and services; using cybercrime to target employees responsible for making wire transfers in a company and then disguising payments through that company system; and job advertisements or payments, particularly to university/college students, for use of their accounts.
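The smurfing and multi-MSB patterns described above can be screened for by aggregating sub-threshold transfers per sender and per beneficiary over a time window. The following Python is an added example, not part of the conference material; the RM3,000 identification threshold is the figure cited for Malaysian MSBs in the Q&A of this session, while the seven-day window, the minimum of three transfers and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

ID_THRESHOLD = 3000.00       # per-transaction ID threshold (RM3,000, as cited on this page)
WINDOW = timedelta(days=7)   # assumption: look-back window for aggregation
MIN_TRANSFERS = 3            # assumption: repeats needed before a pattern counts

Transfer = namedtuple("Transfer", "time msb sender beneficiary amount")


def _t(day):
    return datetime(2016, 8, day, 10, 0)


# Constructed sample records (not real data).
TRANSFERS = [
    Transfer(_t(1), "MSB-A", "S1", "B1", 2900.0),
    Transfer(_t(2), "MSB-B", "S1", "B1", 2850.0),
    Transfer(_t(3), "MSB-C", "S1", "B2", 2950.0),  # S1 splits funds across three MSBs
    Transfer(_t(1), "MSB-A", "S2", "B9", 1200.0),
    Transfer(_t(2), "MSB-A", "S3", "B9", 1100.0),
    Transfer(_t(3), "MSB-B", "S4", "B9", 1300.0),  # three senders funnel to B9
    Transfer(_t(4), "MSB-A", "S5", "B5", 500.0),   # ordinary remittance
    Transfer(_t(20), "MSB-A", "S5", "B5", 520.0),
    Transfer(_t(5), "MSB-C", "S6", "B6", 8000.0),  # above threshold: ID already required
]


def _windows(rows):
    """Yield, for each transfer, the run of transfers within WINDOW ending at it."""
    rows = sorted(rows, key=lambda r: r.time)
    start = 0
    for end in range(len(rows)):
        while rows[end].time - rows[start].time > WINDOW:
            start += 1
        yield rows[start:end + 1]


def _flag(transfers, group_by, distinct_field, min_distinct):
    """Group sub-threshold transfers and flag groups whose windowed total
    reaches the threshold that each individual transfer stayed under."""
    groups = defaultdict(list)
    for tr in transfers:
        if tr.amount < ID_THRESHOLD:
            groups[getattr(tr, group_by)].append(tr)
    flagged = {}
    for key, rows in groups.items():
        for win in _windows(rows):
            total = sum(r.amount for r in win)
            distinct = {getattr(r, distinct_field) for r in win}
            if (len(win) >= MIN_TRANSFERS and total >= ID_THRESHOLD
                    and len(distinct) >= min_distinct):
                if key not in flagged or total > flagged[key]["total"]:
                    flagged[key] = {
                        "total": total,
                        "count": len(win),
                        "msbs": sorted({r.msb for r in win}),
                    }
    return flagged


def smurfing_senders(transfers):
    """One sender repeatedly sending amounts just under the threshold."""
    return _flag(transfers, "sender", "msb", 1)


def funnel_beneficiaries(transfers):
    """Several distinct senders feeding one beneficiary with small amounts."""
    return _flag(transfers, "beneficiary", "sender", MIN_TRANSFERS)


def single_msb_view(transfers, msb):
    """What one MSB can see if no data is shared with it."""
    return [tr for tr in transfers if tr.msb == msb]


if __name__ == "__main__":
    print("pooled senders:      ", smurfing_senders(TRANSFERS))
    print("pooled beneficiaries:", funnel_beneficiaries(TRANSFERS))
    only_a = single_msb_view(TRANSFERS, "MSB-A")
    print("MSB-A alone:         ", smurfing_senders(only_a), funnel_beneficiaries(only_a))
```

On the constructed data, neither pattern is visible from the records of MSB-A alone; both appear only when transfers from all three MSBs are pooled.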

Mr Christopher Foye raised another concern which is that in multiple countries financial institutions do not provide banking services to MSBs and ‘de-risk’ them, as has happened in cases in the UK and US. The concern is that a whole sector of the financial system is excluded and therefore access becomes even harder and this will actually cause more risks. An analysis has been done in Malaysia whereby foreign banks are seen to be de-risking MSBs, but he does not believe that Malaysian banks are doing it.

In terms of lessons, he believes that the first is around the risk-based approach where the debate is how to effectively implement it taking other variables into account while keeping it up to date. ID authentication can be helpful to check if a document is fake or real. Another lesson is effective risk screening, which is putting in place a screening system that enables identification of potentially bad actors in the public domain. Ideally, there should be a detailed wide screening platform which screens against sanctions and various other lists and also enables the creation of an industry blacklist of those known to be bad actors. This would encourage greater collaboration and information sharing.

Looking at the compliance function, Mr Christopher Foye noted that generally a customer is viewed in isolation in terms of a bank’s history and relationship with that customer and his transactions with the bank. If information about the customer’s interactions with other institutions could be gathered in a safe way that protects the data, banks could make more informed decisions. He believes that information sharing needs to be continuously mentioned because that is a significant way that things could be improved and developed, together with greater collaboration between regulators and enforcement agencies, associations and the industry as a whole to ensure that there is better mutual understanding.

Mr Sammy Pang introduced himself as an experienced criminal investigator with the US Drug Enforcement Administration (DEA), whose mission is to disrupt and dismantle drug trafficking organisations. Historically, the DEA’s focus was on the seizure and disposal of drugs, but it has expanded its role in the last decade to targeting drug trafficking organisations through pursuit of their assets.

He noted that in investigating money laundering he has seen traffickers from different countries work together and political or religious factors do not play a role. Further, money laundering is very difficult to prove and usually by the time law enforcement contacts a bank, it has identified the underlying predicate crime (drug trafficking, corruption, prostitution, etc.) behind the money laundering.

Mr Sammy Pang then gave a brief overview of the US federal codes and requirements, including currency transaction reports (CTRs) required to be filed by banks for transactions above a certain amount and suspicious activity reports (SARs). Another legal tool for investigation is the ‘Sting Provision’ which allows enforcement officers to represent money as being from the proceeds of specified unlawful activity (such as drug proceeds or the profits from other illegal activities). Defendants must engage in the financial transaction with the intent to carry out the specified unlawful activity or to conceal or disguise the nature, location, source, ownership or control of the property. The provision allows for an undercover law enforcement officer to pose as a drug dealer and if the defendant agrees to launder the purported drug proceeds, he or she can be prosecuted. Under US law, each illegal transaction from taking money, depositing it in an account to wiring it to a third party is considered a separate violation that can be prosecuted.

He then shared a real case called ‘Operation Rush Hour’ where officers infiltrated a worldwide professional organisation laundering money. It took five years to complete and utilised investigative tools such as surveillance, GPS tracking devices, telephone interceptions and confidential sources. To conduct the undercover operation to dismantle the entire organisation, the DEA was permitted to act as if it was a real money launderer, meeting the money mules, taking the cash drug profits and depositing it into accounts created with fake identification.

Mr Sammy Pang said that the movement of concealed money across borders is difficult to detect and can often only be detected through extensive joint operations with other countries. In this case the cash was concealed in boxes of laundry detergent and the traffickers drove the cash across the border into Mexico and put the cash into MSBs. With the assistance of the Mexican government, Mexican agents conducted surveillance on some of these MSBs and found that some were legitimate while others operated for the purpose of money laundering. Next the DEA informed the money launderers that moving bulk cash across the border is very risky and asked them to provide accounts in which to wire the money. After the money launderers saw that their money transfers were successful and were not seized, they requested the undercover agents to move more money and provided more accounts to send the ‘dirty money’ to.

Wire instructions were received from all over the world and a reverse operation was conducted whereby law enforcement acted as money launderers and gave out government funds, presented as drug proceeds, to criminals for laundering. This investigation involved 10 countries and 20 different accounts all over the world. Some accounts were in jurisdictions with limited transparency and strong privacy laws where it is very easy to create a company and open a bank account and most of these countries do not have extradition/mutual assistance agreements with the US.

In 2013 the DEA and the Israeli police executed simultaneous arrest operations in Los Angeles and Tel Aviv, with additional arrests in the Netherlands and Belgium. The Israeli operation resulted in the recovery of tear gas and hand grenades, M16 magazines, bombs and TNT.


Mr Sammy Pang then set out the evidence for the money laundering prosecutions and shared that direct evidence of knowledge and intent is often not available so prosecutors usually rely on indirect or circumstantial evidence, but the totality of such circumstantial evidence is vital for prosecutions.

He next discussed the concept of ‘wilful blindness’, which is not a defence for failing to follow the law and highlighted the increasing importance in the US of ‘know your customer’s customer’, where banks are seriously reviewing the accounts of their customer’s customer. Also earlier this year a compliance officer of MoneyGram was fined USD$1 million for not following the company’s compliance regulations and a US court ruled that the officer can also be liable in the civil courts.

Q & A Session

Mr Sammy Pang was asked whether it was easy to transport physical cash in containers. He replied that cash can be moved fairly easily. He noted that some of the biggest ports in the world receive millions of containers at customs and border control and possibly only around two percent of all containers entering the US and some of the free trade zones in the world are being inspected. In certain ports and free trade zones investigators and police have very limited jurisdiction and containers enter easily, contents can be moved from container to container and then imported into the country originally intended. Also he pointed out that a million dollars in hundred dollar bills can easily fit into a briefcase.

The second question was directed to Mr Martin Smith in regards to MSBs for which the level of customer due diligence (CDD) undertaken is obviously less stringent than for banks. A bank must perform CDD prior to the transaction and for certain types of customers this could take days or even weeks. People know that CDD is stricter in banks and so some may deliberately move to MSBs to carry out transactions, which is in a way shifting the risk to MSBs. But ultimately, where the MSB needs to transfer the bulk of funds to do the settlement, then it would have to involve a bank as funds cannot be settled across the MSB, and so the bank still assumes the risk. However, the bank does not assume the risk for the underlying clients, but the risk directly from that particular MSB. Then the question is how robust was the CDD undertaken by the MSB and how comfortable is the bank in accepting any money laundering risk for those MSBs that it accepts as clients.

Mr Martin Smith replied that Bank Negara Malaysia has lifted the standards within the MSB industry and Travelex has been a big part of it, that is, having the right laws, the right CDD and bringing in systems that monitor behaviour. His organisation has a risk-based approach even though the law says that only transactions over RM3,000 need to be identified. They look for patterns of behaviour and if they are suspicious of a certain customer they will not deal with them. In addition, banks look very closely at remittance companies, which is related to the de-risking issue with MSBs, and it depends on how much credibility the MSB has – as an agent of Western Union, even his organisation is subject to incredible due diligence every year because of US government monitoring. He added that without a bank account a remittance company cannot do any business, but MSBs will probably never have the same standard of CDD as at a bank. Furthermore, the de-risking of MSBs by banks could mean illegal activity is driven underground, such as through ‘hawalas’.


PLENARY SESSION 3: The Growing Threat of Cyber Crime

Panellists: Md. Khairul Anam, the then Deputy Director and at present Joint Director of Bangladesh Financial Intelligence Unit (BFIU)

Michael Eubanks, Special Agent, Federal Bureau of Investigation (FBI) (Malaysia)

Dato’ Dr Haji Amirudin bin Abdul Wahab, Chief Executive Officer, CyberSecurity Malaysia (CSM)

Moderator: Zainal Abidin Maarif, Risk Specialist (Technology Risk), Bank Negara Malaysia

Technology is fundamental in defining the economic prosperity of any nation. But with technology also comes the threat of cybercrime which is rapidly increasing and becoming more sophisticated. Cybercrime is a threat to national security, economic prosperity and individual safety. The World Economic Forum says that a significant proportion of cybercrimes go undetected for an average of eight months, which is enough time for the perpetrators to erase all audit logs and evidence. Cyber-attacks are imminent and have become a fixture in the global landscape.

To discuss this in detail, moderator Mr Zainal Abidin Maarif introduced the panellists Md. Khairul Anam, Michael Eubanks and Dato’ Dr Haji Amirudin bin Abdul Wahab.

Mr Md. Khairul Anam said that the growing threat of cybercrime includes the ‘skimming’ racket in Bangladesh which was perpetrated by foreigners who used ‘skimming’ devices in ATM machines and cloned ATM cards to withdraw money. PricewaterhouseCoopers (PwC) has announced that the cost of cybercrime in the UK has reached £3.14 million. These incidents show that the world is rapidly becoming a victim of cybercrime.

In a very recent incident, USD$81 million in illegal wire transfers sent via Bangladesh Bank’s SWIFT system sent shock waves across the global banking community prompting an urgent need to identify and eliminate the threat of online fraud. This incident is similar to one in Banco del Austro in Ecuador where USD$12.2 million was stolen in January 2015 and in another case where USD$13 million was stolen from Taiwan Cooperative Bank in July 2016.

He said that in the Bangladesh Bank case, the theft was detected through the bank’s logs only a few days after the incident as on the day it occurred, Friday, 5 February 2016, it was a bank holiday. He explained that the hackers had carefully planned the hacking during the weekend. He further described how out of 70 transactions processed only five were successful. One of the unsuccessful transactions was due to a spelling error and this saved the bank USD$20 million.

The bank conducted an in-house investigation and informed various parties including the Bangladesh Financial Intelligence Unit (BFIU), the Federal Reserve Bank (FRB) of New York, the World Bank, the Bangladesh government, as well as the Pan Asia Banking Corporation (PABC), the Sri Lanka Government and Rizal Commercial Banking Corp (RCBC), Philippines, as part of the final forensic review. They also engaged a law firm to assess legal grounds for recovery and an IT infrastructure and SWIFT System remediation service. The police started investigations on 16 March 2016.

Mr Md. Khairul Anam believes that the hacks were part of a criminal masterplan with the premeditated intention of carrying out cross-border hacking. Bank accounts had been set up months before the hacking took place. He said cyber criminals are always one step ahead and constantly developing new software to perpetrate crimes. He stressed that compliance plays a major role in verifying the details of account holders and the monies paid to them.

Mr Michael Eubanks said that before joining the FBI he was a software developer. When he first started working on cybercrime, he found the scene very primitive. He noticed that criminals created malware which was barely functional. However, over time, he has seen groups of criminals coming together and using their specialties to create advanced products and later to market and distribute these products. As time progressed, these criminals started looking for distribution platforms.

He shared two salient points. First, criminals have turned their activity into a business which they have built through trial and error over the past 15–20 years. Often the same criminals commit crimes which are all related. The platforms on which their businesses are run and distributed are vast.

In the past there was a cyber underground, a closed forum where criminals conducted business by exchanging stolen data. In order to do business on that platform, individuals had to have some sort of credentials or identification. Nowadays there are numerous market places to conduct illegal business, for instance the Silk Road and the Dark Net.

It is difficult for law enforcement officers to track illegal marketplace activities because criminals present themselves as businessmen who are doing business legitimately. Their organisations have valid names and team structures in place – for example there is a criminal organisation called ‘Underground Corporation’.

Criminals are not just developing computer software or malware, they are offering services as well. One of the services offered is translation to aid criminal activities like hacking. Others include reshipping, postage and money laundering services. Various networks of criminals have learned their skills from the same sources in the cyber underground and the Bangladesh Bank case is an example of a network implementing these skills. Cybercrime has evolved from hacking and stealing money to include stealing identities and credentials of account holders as well.

Mr Michael Eubanks explained that law enforcement officials are aware of the existence of malware. He explained that in most instances if one individual was caught, he would be replaced by another due to the diverse network in criminal organisations. His experience has shifted from looking at malware to looking at the organisation behind the crime.

The second point that he wanted to share was that all criminal businesses maintain ordinary business records, just like normal businesses. Cyber criminals have organised themselves as though they are running a business. It is now easier for an individual to become a cyber criminal and steal data because the market is maturing.

He concluded by advising that compliance should look at all business transactions, especially fraudulent ones. When looking at data segments across industry sectors, it is important to pay attention particularly to failed transactions that were stopped because they were identified as being fraudulent and intended to be used as criminal accounts. It is equally important to pay attention to successful transactions.

Dato’ Dr Haji Amirudin bin Abdul Wahab said that he would discuss new types of cyber-attacks on financial institutions, lessons learned from the Bangladesh Bank case, the emerging threat of data breaches and data confidentiality issues, the growing challenges presented by cyber criminals, including the use of both traditional and alternative payment methods to aid illegal activities, and the role of technology in helping prevent and detect cyber financial crimes.

He said that cyber criminals will use whatever means they can to achieve their motives. This includes criminals who change their techniques when technologies change. He stressed that while information and communications technology (ICT) has brought about developments like big data, social networks and cloud computing, the darker side of ICT and its threats must also be recognised and dealt with.

Cyber criminals will continue to pursue high profile targets such as CEOs and senior management and find opportunities to make money from whatever institutions they can. Typically, criminals know their targets and develop a customised plan on how and when to strike. He made reference to the Bangladesh Bank incident where USD$81 million was stolen. This type of attack is termed as an ‘advanced persistent threat’. He also gave the example of ‘Dark Hotel APT’ malware which targets CEOs by using the hotel’s internet facility. He said because of its convenient accessibility, wifi is open to vulnerabilities. He gave another example of ‘cyber espionage’ which typically targets senior level executives from large global companies.

He highlighted two types of threats. The first threat was in terms of security risks and threats unique to mobile devices where the use of wifi hotspots exposes these devices to ‘man in the middle’ attacks. Mobile spyware, which is more difficult to detect than desktop spyware, cellular network exploitation with weak GSM encryption, the open source nature of operating systems such as Android, social engineering, app stores etc., are all vulnerabilities cyber criminals have studied and looked into as possible opportunities.

He further explained that the hacking of Bangladesh Bank was due to malware installed in the bank’s computer system. Many companies do not realise that their computer systems are infected with malware. Firewalls such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are no longer sufficient. He explained that an ‘advanced persistent threat’ actually enables such malware to infect a system and remain undetected. In some countries, malware such as AP30 can sit quietly in a system for up to 10 years before being detected. This threat is serious and cannot be cleaned up by anti-virus software. He said that in Malaysia there are over one million malware infected ports, with 30,000 in the Klang Valley alone.

The next threat discussed was regarding data breaches. The emerging threat of data breaches and data confidentiality issues includes brand, regulatory, financial and operational impacts. Operational impacts, for instance, could require the mobilisation of all staff to conduct damage control. The growing challenge of using both traditional and alternative payment methods to aid illegal activities includes the use of the Dark Net, where criminal activities go undetected.

He suggested that a more adaptive strategy, as opposed to a corrective one, was required. There is a need for organisations to detect malware in their computer systems by being proactive and adopting best practices. Another emerging malware threat in Malaysia is called ‘ransomware’. Dato’ Dr Haji Amirudin bin Abdul Wahab said that CSM conducts the CyberSafe training programme to create cyber security awareness among employees.

He explained that under section 399 of the Criminal Procedure Act 2009, CSM is the only agency recognised as an expert witness to provide evidence in court. Its digital forensic lab is accredited by the American Society of Crime Lab Directors (ASCLD). Apart from digital forensics, CSM has also embarked on research innovation in a number of areas including bio-metrics, multimedia mobile, big data, cyber threat and memory forensics. CSM works closely with Bank Negara Malaysia (BNM), the Anti-Corruption Agency Malaysia (SPRM), the Malaysian Communications and Multimedia Commission (MCMC) and the police.

He concluded by stating that Malaysia’s approach to combating cybercrime and staying ahead of cyber criminals is to adopt methods that are innovative, aggressive, adaptive and collaborative. This is very important as cyber is a borderless issue. Strengthening public-private partnerships would enhance industrial research via collaboration between governments and industry-academia, both domestically and globally. Such an approach must cover the entire ecosystem, not just policies and processes, but also people in particular, as he believed that people are the weakest link.

Q & A Session

The moderator asked the panellists how the opening of accounts by mules could be identified and eliminated.

Mr Michael Eubanks said he has seen the evolution of mule accounts over time. Initially accounts were opened by criminals and their associates but nowadays criminal organisations recruit mules to open accounts on their behalf. The increase in identity theft has led to the opening of more online accounts. He said that law enforcement uses mule accounts as critical evidence.

Dato’ Dr Haji Amirudin bin Abdul Wahab added that changes in technology allow online accounts to be opened using prepaid methods. Some of the approaches to be taken to address this issue and to minimise risk include adopting best practices, implementing proper regulations and working closely with law enforcement and technical agencies.

On the issue of ‘assumed breach policies’ and areas organisations need to focus on, Dato’ Dr Haji Amirudin bin Abdul Wahab explained that CSM has cyber defence and forensic (DEF) tools that detect and eradicate threats. He said that organisations, especially in the financial services sector should be encouraged to use these types of capabilities. It is likely that many organisations are unaware that their systems may be infected with malware that has been silently collecting information. This poses a risk to the organisation and to the country in terms of national security.


PLENARY SESSION 4: FinTech: Facilitative or Disruptive Technology?

Panellists: Aznan Abdul Aziz, Director, Financial Sector Development Department, Bank Negara Malaysia

Christopher Foye, Market Planning Manager, LexisNexis Risk Solutions

Gerben Visser, Co-Founder & CEO, The Singapore FinTech Consortium

Moderator: Dato’ Shahrul Nazri Abdul Rahim, Group Head, Group Corporate Development, CIMB Group

Mr Aznan Abdul Aziz started the session by showing some video clips to demonstrate the trends in FinTech start-ups, focusing on how banks are affected.

One of the main aspects of FinTech is the removal of the middle man through applications such as peer-to-peer (P2P) lending, cloud funding and blockchain. Mr Aznan Abdul Aziz’s example was a P2P currency exchange start-up in France which enables a person via a phone app to find other travellers with currency they want to exchange. He asked why anyone would go to a licenced money changer if they can change currency with other travellers and not pay a commission for it. He did note that there are risks involved with such applications, for example susceptibility to counterfeit currencies.

His next observation was that most FinTech players do not target the entire, nor significant parts of the business chain, but only areas they are good at. He mentioned a start-up in Singapore, ‘SoCash’, which provides a convenient cash withdrawal method for customers and banks at a much lower cost than deploying ATMs. Another example was the use of WhatsApp messenger and similar apps to communicate with banks, so instead of using specific banking apps (such as Maybank2u), a person can ‘chat’ with their service providers and perform transactions. Such apps have lower costs and fewer compliance requirements.

Returning to the original question as to whether FinTech is disruptive, he responded affirmatively, but in a good way as it is likely to be more convenient for consumers. He mentioned the regulatory sandbox framework discussion paper issued in June which creates a facilitative environment to test new innovations, but also carries possible risks and failures. His personal view was that, as with other applications such as Airbnb or iflix, it will not be that disruptive as changes would not happen quickly. For example, with Uber in the taxi industry there has been perhaps a loss of taxi fares, but in reality people might be less open to trying this new technology. Similarly, he believes banks will not be displaced because they have a track record and history, and therefore the disruption may not be as severe as perceived.

Mr Aznan Abdul Aziz said as FinTech companies often start small, the likelihood of causing damage to public consumers is low and they will not be subject to regulation. However, as they grow, the likelihood of causing damage increases which then requires regulation.

Reverting to the ‘sandbox’, he said a good way to think of it is as a safe environment within which the rules can be relaxed. The key thing is the outcome of those rules in preventing crime and terrorism. He pointed out that there are three components to the sandbox: eligibility criteria as a filtering mechanism, safeguards that should be put in place and regulatory flexibilities that offer room to innovate. Regulatory sandboxes cannot be used to circumvent existing regulations and therefore they are not suitable for activities or solutions already allowed under existing regulations. In addition, the bank will also provide an ‘informal steer’ to guide individuals and FinTech companies.

The eligibility criteria suggest that the solution be genuinely innovative. Deployment of the solution will not be allowed if there is any prohibition under existing laws or regulations or where it is wholly or partly incompatible with applicable regulatory requirements. The solution needs the clear potential to contribute to the development of Malaysia’s financial sector and to enhance financial institutions’ efficiency or risk management and controls and to provide significant benefits to the Malaysian economy and consumers. Due diligence is conducted to verify the viability of the solution and the associated risks. Similarly, applicants need resources to mitigate and control potential risks and losses arising from offering the solution. The solution should be planned to be offered commercially in Malaysia.

Examples of safeguards include: adequate disclosure of the potential risks to participating customers and confirmation of their understanding of the risks; limiting the individual and/or aggregate value or frequency of transactions; restricting participation to targeted customers and the duration of the testing period; availability of a consumer redress mechanism; adequate resources to undertake testing and analyse the consequences of failure. In addition to safeguards proposed or offered by the applicant, the bank may impose additional safeguards as it sees fit.

The minimum standards include maintaining adequate oversight and control arrangements, maintaining appropriate risk management systems and processes, having in place appropriate customer protection safeguards and having adequate financial capability. Additional conditions may be imposed by the bank taking into account risks peculiar to the respective organisation.

Another example given was electronic verification or onboarding. Benefits include the acceleration of onboarding and reducing friction as well as supporting financial inclusion. A current regulatory requirement is for face-to-face verification.

Q & A session

The first question was that as a number of countries are using the sandbox concept, what insight could the speaker give on collaboration with other regulators who are using this approach. Mr Aznan Abdul Aziz said that although BNM has not yet started doing this, it is within its longer-term plan. Some collaboration between regulators has been noticed. He suggested a way forward would be sharing the results from one country with regulators in another.

The second question was whether momentum was picking up for the current initiative in Malaysia and what his key observations were. Mr Aznan Abdul Aziz said he was aware that bigger banks are setting up incubators and some even providing mentorship and guidance to FinTech companies. In his view, Bank Negara Malaysia (BNM) should work with and support banks in terms of resources and advice on the applicable rules and regulations.

The third question was on the stand of regulators with regards to bitcoin. What were BNM’s plans regarding bitcoin and its implementation in Malaysia? Mr Aznan Abdul Aziz replied that currently digital currency is not regulated in Malaysia by BNM or any related authorities. BNM’s present advice for consumers is to be aware of the risks and act accordingly. If areas happen to fall under those regulated by BNM, such as money returns and remittances, then BNM’s approval is required.

Mr Christopher Foye’s focus was on the risk perspective and looking at the current trends in relation to the question, ‘why and how does FinTech emerge’?

He looked back at the emerging trends following the financial crisis in 2008 with banks more reluctant to lend money to small businesses and immense pressure consequently placed on them in terms of operating cash flow. He also looked at the expectations of ‘millennials’ in terms of how they interact with companies and the customer experiences they expect.

He pointed out that from a consumer’s perspective, they believe that there is a lack of transparency around processes when dealing with financial institutions and they would prefer to deal with companies who are open about their processes and procedures.

Mr Christopher Foye noted that when he speaks about FinTech, he is referring not only to start-up companies but also to technology trends within the banking sector. He pointed out that there are a number of interesting developments relating to blockchain. One of these was a pilot partnership project called Utility Settlement Point among four banks using blockchain, along with LexisNexis Risk Solutions’ (LNRS) partnership with a company to detect illicit activity on the dark web.

He identified other areas of interest including artificial intelligence (AI), neuro-linguistic programming, big data and biometrics as well as device assessment and how these technologies affect the customer onboarding process. FinTech companies had shown that they were able to utilise technology and automation to provide a seamless customer experience. This had spurred banks to re-look at their own processes.

Mr Christopher Foye believes the potential threat to financial services companies will come from larger technology providers such as Tencent, WeChat and WePay in China who have the resources, scalability and expertise. Outside of China, there are other providers like Amazon.

The risks based on research and his personal opinion include data protection and data security, market risks, as well as understanding the business model and corporate structure of FinTech companies. In his view, consumer protection is an important aspect.

Mr Christopher Foye emphasised that there is a need for closer collaboration and cooperation among regulators as FinTech companies can currently operate differently in different regulatory environments. There are cases where FinTech companies become successful in a country due to the unregulated environment but may pose a risk in another country with more stringent regulations.

Q & A Session

On the question of how artificial intelligence (AI) would impact banking and financial institutions and if humans would be replaced by AI, Mr Christopher Foye was of the view that AI would not impact financial organisations currently as regulators will not be comfortable with the technology and its risks. He agreed that AI has potential if the regulatory environment changes.

Mr Gerben Visser commended Mr Christopher Foye on his holistic presentation of FinTech innovations. Mr Gerben Visser’s presentation comprised an overview from a bottom-up perspective.

He briefly summarised the mission of the FinTech Consortium in Singapore as follows – ‘Building Singapore’s FinTech ecosystem by promoting interaction between market participants’ and ‘being a FinTech incubator on a global scale’. The objectives of the FinTech Consortium include to educate, inform and communicate, foster and promote, attract and accelerate, advise and collaborate, as well as to represent and consult.


Financial technologies have been around for years but have only risen to prominence recently. In his opinion, the financial crisis was a trigger that led to the emergence of FinTech. From a consumer perspective, a similar example is the launch of the iPhone in 2007. He highlighted that customer behaviour, particularly among ‘millennials’, is completely different from a decade or so ago.

He argued that the six igniting trends of the FinTech revolution are:

(1) Increasing balance sheet and regulatory pressure;

(2) Rising compliance costs and legal fees;

(3) Need for strategic renewal from within;

(4) Loss of trust in financial institutions;

(5) Mass presence of new technology; and

(6) New consumer behaviour patterns.

Mr Gerben Visser explained that FinTech can be applied in various fields across a wide range of verticals, which include investing, trading and brokerage, alternative lending and crowd funding, under four main components: (1) Compliance / know your customer (KYC) / anti-money laundering (AML) / fraud; (2) Cyber-infrastructure security; (3) Cloud computing / omni-channel; and (4) Trade execution / settlement.

In terms of P2P, the applications include auto loans, credit card payoffs, refinancing, debt consolidation, major purchases, medical expenses and invoice financing among others. Success factors will depend on country-specific conditions, including investors, borrowers as well as strength of P2P lending start-ups.

Next he talked about crypto-currencies which are a subset of alternative and digital currencies. The first crypto-currency was bitcoin. Crypto-currencies typically feature decentralised control and a public ledger, such as bitcoin’s blockchain, which records transactions and forms the main technological innovation of bitcoin. A brief overview of the history of crypto-currency is as follows: ‘b-money’ was published in 1998; bitcoin was released in 2008; namecoin was created in 2011; litecoin was created in 2011; and the second generation of crypto-currencies emerged in 2014. Blockchain technology consists of two kinds of transaction records.

Next he provided an explanation of insurtech and its applications. The insurance industry is undergoing a profound change where many advances in technology are being incorporated in the sector. In recent years, many insurance companies are developing their business strategies in response to insurtech start-ups. Insurance technology applications are being used for:

(1) Customer engagement;

(2) Laws and regulations;

(3) Information security;

(4) Wealth management; and

(5) Data analytics.

He also discussed robo-advisors – an online wealth management service that provides automated portfolio management without a human financial planner. Digital, automated advice is likely to become a standard expectation of the mass-affluent and mass-market segments. Big data and advanced analytics have the potential to broaden the scope of robo-advice dramatically and incorporate financial planning into broader retirement, health and wellbeing planning. It is also important to note the definitions used in relation to FinTech to ensure proper understanding. For instance, ‘unbanked’ refers to a situation where individuals do not have their own bank accounts. ‘Underbanked’ refers to the situation where consumers have limited or no access to any financial services, which are normally offered by banks.

Q & A Session

The first question posed to Mr Gerben Visser was whether he saw any potential unicorns in South East Asia. In reply he said that funding was very important for an early stage company. In South East Asia, money to invest in FinTech is not there yet but it will be in the near future.

On his view of lending clubs replacing banks, Mr Gerben Visser explained that generally FinTech companies do not provide core banking services. FinTech companies identify something that they can do very well in a niche area and operate on the edges of traditional banks.

Another question was that FinTech is viewed as disrupting financial institutions, but when would FinTech be used to fight criminals? Mr Gerben Visser replied that there are concerns in terms of transaction monitoring. There has been innovation in this area but not at the desired pace. Many entrepreneurs are working on solutions. He was asked whether blockchain could be part of the solution and he answered positively.

The next question was whether these new FinTech start-ups had vulnerabilities which potential criminals could target. Mr Gerben Visser answered that this is a legitimate concern and that banks have stringent processes which need to be adhered to.

The last question was whether it is correct to assume that blockchain is something that the established banking system does not really know how to manage as yet. Mr Gerben Visser answered that, in most banks, innovation stems from experimenting with blockchain and referred to the earlier example of four major banks that have partnered and seen the benefits of blockchain. In terms of blockchain, banks are looking at idea verification and are exploring and understanding this technology.


CONCURRENT SESSION 3: Addressing the New Compliance Framework: Responding to the Latest and Anticipated Future Regulatory Requirements to Build an Effective Compliance Framework for Your Organisation

Panellists:

Qaiser Iskandar bin Anwarudin, Director, Prudential Financial Policy Department, Bank Negara Malaysia

Andrew Glover, Regional Director, International Compliance Association

Mohd Khaidzir bin Shahari, Executive Director, KPMG Management & Risk Consulting Sdn Bhd

Moderator: V. Masilamani, Chief Compliance Officer, Al Rajhi Banking and Investment Corporation (Malaysia) Bhd

The moderator, Mr V. Masilamani, started by noting that the compliance function has undergone a major shift following new regulatory demands by the government and regulators, especially after the global financial crisis in 2008 and enactment of the Financial Services Act 2013 (FSA) and the Islamic Financial Services Act 2013 (IFSA). He then briefly summarised how compliance became important in the financial services industry in Malaysia, starting with the Bursa and Securities Commission requiring compliance measures for capital market players.

The legal requirement for financial institutions (FIs) to have compliance officers was introduced by Bank Negara Malaysia (BNM) through the passing of the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA). However, some commercial banks had already recognised the importance of having a separate compliance function. Another factor was the growth of financial services institutions (FSI), some of which operated as large conglomerates and reorganised themselves to operate as universal banks with commercial banks driving the whole organisation.

The issue was that there was no requirement from the central bank to have a compliance officer, compared to investment banks, and so in 2009 the Compliance Officers’ Networking Group (CONG) and the Malaysian Investment Banking Association (MIBA) asked Bank Negara Malaysia (BNM) for the issuance of compliance guidelines. It took a while and BNM finally issued a draft in December 2015. While compliance officers reacted positively to BNM’s guidelines, many fear the regulatory expectations placed upon them. In his view, the role of compliance has transformed from being a mere policeman to an adviser and now to an active owner of compliance risk.

Mr Qaiser Iskandar bin Anwarudin commenced by discussing the key trends in compliance. Technology, such as FinTech, continues to foster industry competition. Another trend is financial cybercrime, which has caused a steep rise in financial and reputational costs for FIs. Accenture estimates that 35% of banking revenues will be at risk by 2020 due to disruption within the financial services sector and a study by Juniper Research shows that the costs for data breaches will quadruple. Persistent negative international media coverage such as the Wells Fargo, LIBOR and Panama Papers scandals also results in a public trust deficit in FIs. There is also heightened scrutiny from regulators and larger penalties are being imposed for non-compliance. A Morgan Stanley study stated that the largest five US and European banks have been fined up to USD2 billion. Recently, issues arose over Deutsche Bank’s sale of mortgage-backed securities. Also, financial institution executives may be held personally liable, for example, in the UK pursuant to section 36 of the Financial Services (Banking Reform) Act 2013 (not yet in force) and in Malaysia under section 57 of the FSA.

He then highlighted regulatory developments on the international front including:

(1) New and enhanced global standards for capital adequacy and liquidity;

(2) Financial market reforms, especially around derivatives;

(3) Revisions to accounting standards by the International Financial Reporting Standards (IFRS);

(4) Updates to the Financial Action Task Force (FATF) recommendations especially on terrorism financing and monitoring/supervision of non-profit organisations (NPOs).

On the domestic front, BNM’s prudential agenda continues to focus on effective governance and risk management by empowering the compliance function, strengthening governance practices in FIs and the effective management of operational risks. It is his belief that boards have an important role to play. For example, the independence of the board has become an integral part of corporate governance guidelines.

He then noted that effective compliance is integral to business sustainability and culture plays an essential role in elevating the standards of compliance risk management within an institution. Mr Qaiser Iskandar bin Anwarudin discussed governance as being the key to setting the right tone for institutional culture. Officers at all levels within the institution have a role to play in ensuring the highest standards of compliance. The board and senior management should set out the compliance objectives, have a strong understanding of the regulatory landscape and how developments may affect the business, be actively aware of key risk areas within the institution and the steps taken to mitigate them, as well as to provide a conducive environment for compliance officers to perform their roles effectively. Also, first-line officers in business functions should be sufficiently trained to be aware of the laws and requirements that directly/indirectly affect their day-to-day work and have a vested interest in ensuring compliance risk is managed effectively in their capacity as the first line of defence, rather than rely on compliance to identify issues and remedial actions.

Remuneration is another important tool in reinforcing the value and importance of compliance objectives and can involve the following:

(1) Sufficient and continuous attention from the board to consider the FI’s compliance objectives and state of compliance when approving the remuneration of the Chief Compliance Officer (CCO), and of other senior officers. Also to continuously review and monitor the overall institutional performance in terms of compliance goals and consider how this could affect remuneration.

(2) Focusing on independence from the business units, whereby the remuneration of the CCO and compliance officers must not compromise their independence, including where compliance officers are stationed within business units.

(3) Alignment with prudent risk-taking behaviour – remuneration should be in proportion to risk outcomes and there should be a close relationship between remuneration and accountability.

The next point was that compliance and business objectives must be mutually reinforcing and compliance requires a thorough understanding of the business and vice versa. For the compliance function to add value to the business it should: (i) have sufficient knowledge of the FI’s business objectives and strategies to challenge the existing processes; (ii) engage business lines on a consistent basis for a better understanding of gaps and benchmark practices in managing compliance risk; and (iii) have sufficient technical understanding of its services and products. Meanwhile, for business functions to pre-empt potential compliance issues they should: (i) have a clear awareness of compliance objectives and how these can be integrated into existing procedures/processes; (ii) actively seek out consultation/advice from compliance officers on areas where there may be concerns on compliance risk or where non-compliance issues have been raised; and (iii) have a solid understanding of regulatory developments in their respective areas of expertise.

Mr Qaiser Iskandar bin Anwarudin’s last point was that an effective compliance function should anticipate high-risk areas in a rapidly evolving environment and provide pre-emptive advice and solutions on potential compliance issues. Pre-emptive identification of high-risk areas includes keeping track of, and complying with, different laws and regulations across countries. FIs can also more actively engage national regulators and international bodies on regional regulatory developments. Another is technological risk issues, as with large portions of financial business moving online, external threats such as malware and hacking and internal threats, such as protection of customer information, arise. In relation to strong detection and response systems, he emphasised early detection by automation of systems and anti-malware programmes and timely responses by having clear reporting lines and communication channels as well as coordination mechanisms between different risk functions.

Mr Andrew Glover started by noting that an important issue is whether compliance should be rules- or principles-based. He explained that rules give clarity and provide support to compliance officers but do not always cover all situations, may not perfectly suit a given position, and invite us to play ‘the rules game’. In comparison, principles allow flexibility but are open to interpretation – principles, ethics and moral standards differ from one individual to another and they do not support compliance officers as much.

He said the debate is whether a rules- or principles-based system is better. He prefers the latter due to its flexibility, although he added that it is easy to be highly principled when it costs you nothing or if you gain from it (in terms of money, power or influence), but it becomes less so when it competes with the potential to gain such things, giving the example of the Wells Fargo scandal. Essentially, the success of principles-based regulation depends upon the principles, ethics and moral standards of the regulated parties; it must come from the top and actually be practised.

Next, Mr Andrew Glover discussed morals, work ethics and people’s behaviour when they think nobody is looking. He referred to several studies on human nature and statistics which suggest that when it comes to criminal or moral choices, 10% of people will never knowingly choose the wrong path and would always follow the compliance programme, laws or rules, whilst 10% of people will actively look for shortcuts, perhaps to make their lives easier or more profitable. 80% of people will only take the wrong path if it is presented to them and they think that they could ‘get away with it’. The conclusion to be drawn is that ‘people only respect what you inspect’ – that is, a large majority of people will only fully follow requirements if they believe that their actions are being observed, either physically or by post-application review (reviewing data etc.) even in a principles-based environment. The common view being that “if nobody ‘upstairs’ is bothering to look at what I do then it cannot be that important, so it would not matter if I do not do it well”. It is also fair to say that much white-collar crime is only committed when there is opportunity and little or no oversight.

He said that shaping a firm’s compliance culture must come from the top. Every firm has a general pervasive culture which drives the way power flows, the way people, especially management, communicate, the risk appetite, the way things are done and the energy and resource levels applied.

Moving to compliance management systems, he said that the typical compliance function’s terms of reference are to develop an appropriate compliance culture, provide training and consultancy to business units, implement, monitor and report on standards of compliance and interface between the firm and regulators. He then referred to a quote from the ICA Conformity Assessment Board:

“A content management system (CMS) is an integrated system comprised of written documents, functions, processes, controls and tools. This is the digital, physical and human architecture that enables an organisation to comply with legal requirements and minimise harm to consumers due to breaches of regulation”.

The key questions are how to benchmark systems and whether there are any common standards. In his view a common global standard is desirable. The International Standards Organisation (ISO) has standards such as ISO 19600 and ISO 37001 (Anti-Bribery and Corruption Management Systems), due to come into effect in 2017. Under ISO 19600, external ISO auditors assess a firm’s current status against the standards and provide recommendations for the firm to meet; a second visit assesses the systems for conformity. A Conformity Assessment Board considers the audit report to decide whether ISO status can be granted, validation visits are undertaken in the following two years, and recertification occurs in the third year. The advantages of obtaining ISO 19600 are that it is a public statement of the firm’s intent, it shows regulators that the firm is committed to achieving a consistent and coherent approach and it provides a measure of reassurance to clients, investors, shareholders and staff.

Mr Andrew Glover invited the audience to contact ICA to find out more about ISO certification.


The final speaker, Mr Mohd Khaidzir bin Shahari, commenced by stating that adhering to compliance guidelines involves costs and resources. He then set out a number of key steps or initiatives for compliance:

(1) Assess and set the vision of the board and organisation in terms of compliance and identify where you are now. The board sets the tone and compliance must know the vision.

(2) Perform an enterprise-wide risk assessment and link sustainability risk into the risk profile.

(3) Ensure that all lines of defence – the process owner, compliance, internal audit and the board of directors – are prepared and effective. For example, the board should know why it needs to comply and internal audit should perform its role and not simply rely on compliance.

(4) Assess the organisation’s culture of compliance and what happens to people who do not comply – for example, warning letters, salary deduction or non-payment of bonuses. Identify high risk areas. Consider rules and risk compliance. Ask whether there is a database of all the organisation’s rules, although bank compliance officers have the advantage of guidance from BNM.

(5) Compliance must have access to current technology as data quality is immensely important and compliance officers should have sound knowledge of the latest developments.

(6) Compliance must proactively identify changes in rules and regulations in all relevant areas and allocate specific responsibility for this.

Q & A Session

The first question raised was whether compliance review is a burden placed solely on compliance officers and how much focus should be on building a culture where everyone is expected to be compliant.

Mr Qaiser Iskandar bin Anwarudin replied that boards are responsible for ensuring that an appropriate risk culture is practised by the whole organisation. Also, the CCO should have direct access to the board and should not be afraid to highlight his concerns. On a question related to principles versus rules-based regulation, BNM seeks to continuously enhance its rules and regulations and implement global best practices. BNM’s approach is to try and find the right balance between principles and rules-based regulation, and as such there will continue to be expectations on compliance which are rules-based.

Mr Andrew Glover added that he prefers principles-based regulation due to its flexibility but it also brings a higher level of culture and ethical requirements. The 80/10/10 rule discussed earlier showed that ethical standards can be blurred. There has to be a balance in the approach: you do not have to sit on top of people, but a failure to inspect over time leads to breaches of rules. In his opinion, where a firm tries to do the right thing some latitude should be given, but where a breach is deliberately criminally negligent, then strict punishment should follow.

Mr Mohd Khaidzir bin Shahari’s view was that the audit and compliance role is similar to that of a gatekeeper and it needs to be creative and effective. Inspection is necessary but the area where inspections take place is important. He agreed with guidelines in the form of principles as opposed to step-by-step rules akin to box-ticking. In conclusion, he felt that everyone has to sign off and compliance has to act without fear or favour.

The second question was in relation to the three lines of defence, namely, where is the line drawn between audit, risk and compliance as the guidelines are being pushed to compliance. Also with regards to financial blueprints, will mandatory certification of compliance officers be required?

In terms of the three lines of defence model, Mr Qaiser Iskandar bin Anwarudin was of the view that internal audit is meant to provide the assurance that the compliance and risk management objectives have been met and this expectation has been embedded within BNM’s guidelines.

Mr Andrew Glover added that there should be formal qualification requirements for compliance officers, as it is a crucial job, and to increase the respect accorded to it. Discussing the three lines of defence, Mr Mohd Khaidzir bin Shahari said that compliance should educate audit committees and senior management as to their respective roles and functions. For banks, internal audit is clearly the third line of defence.

The last question was whether Islamic banks comply with money laundering and terrorism financing legislation as some of their products are legal in Malaysia but not elsewhere.

Moderator Mr V. Masilamani answered that all Islamic banks are licensed and regulated. Additionally, they are required to meet the international best practice standards to continue to operate as a financial institution.


OECD’s Global Common Reporting Standard (CRS) for Automatic Exchange of Information (AEOI)

Panellists:

Dr Chong Han Hwee, Partner, Ernst and Young Advisory Services Sdn Bhd

Esther A.P. Koisin, Director of International Affairs & Exchange of Information, Inland Revenue Board of Malaysia

Moderator & Panellist: Steven Sieker, Partner & Head of Tax Practice, Hong Kong/China, Baker & McKenzie

The session began with moderator Mr Steven Sieker’s introduction. He set out his points of discussion, namely, global trends and challenges for financial institutions and account holders. He said that global trends in relation to common reporting standards reflect the evolution of a number of developments over the last six to eight years. In 2009 the G20 and the Organisation for Economic Co-operation and Development (OECD) announced that the era of bank secrecy is over, a trend that had begun some years earlier primarily as an effort by the OECD and the G20’s largest economies to try and deal with what they perceived as undeclared assets in offshore jurisdictions. Part of that problem related to concerns pertaining to tax evasion, as some European countries had very high tax rates which sometimes resulted in people placing their money in Switzerland and other countries. This was combined with US concerns, following domestic terrorist attacks, about people putting money in undeclared places to be used to facilitate terrorism financing. Taking into consideration the financial crisis, a sort of ‘perfect storm’ was created.

The global and domestic political environment changed quite dramatically from 2008 onwards – for instance US investigations into Swiss banks and some very aggressive prosecutions by US tax authorities; the implementation of the Foreign Account Tax Compliance Act (FATCA) in 2010, which was basically the US imposing a reporting standard on the rest of the world to try and get information on US persons anywhere in the world; then an agreement by the OECD in 2014 that countries around the world would exchange information with each other; and finally a recent series of disclosures, including leaks from Luxembourg, Panama and other places, played out in the popular press and creating the impression that there are vast amounts of undeclared funds. This is the background to the Common Reporting Standard (CRS).

CONCURRENT SESSION 4:


Mr Steven Sieker proceeded to elaborate on the CRS Status of Commitments and stated that a number of jurisdictions have committed to exchanging information and these can be divided into two groups. The first group has committed to begin exchanging information by late 2017 and the other group, which includes Malaysia, Singapore and Hong Kong, will begin exchanging information in late 2018 for 2017 accounts. It is expected that over time every jurisdiction will sign up.

Next he spoke about the main compliance challenges. Financial institutions (FIs) worldwide are dealing with the same compliance standards as these are set by the OECD. One challenge is trying to determine where account holders are resident, especially in countries where there are a lot of foreign residents. Another is to what extent can FIs leverage on the existing FATCA reporting infrastructure for CRS. Other challenges relate to the offshore financial industry, where most clients are not resident in the jurisdiction which requires a lot of foreign disclosure in comparison to onshore banks. However, the latter will have a larger number of customers to review. Finally, there is the risk of non-compliant account holders. Overall, he believed that in the process of complying with CRS, many compliance challenges will be eliminated.

Mr Steven Sieker noted that individual account holders need to be prepared for automatic exchange of information (AEOI) as they will have to provide information such as taxpayer identification numbers and proof of residency to financial institutions. This might be complicated for some, particularly wealthy customers that have residencies around the world. They may also have privacy concerns in terms of information being disclosed and used against them for other purposes such as criminal or political reasons. There are also issues around the extent to which FIs can share information across borders in light of privacy legislation.

Questions will also arise about past non-compliance and voluntary disclosure. Some countries are taking advantage of this, for example Indonesia announced a tax amnesty for residents and it has been reported in the press that 347,000 Indonesians declared having offshore accounts with a combined value of up to US$250 billion. Finally, there is a question around whether complicated structures like trusts or foundations will be able to meet the requirements.

Dr Chong Han Hwee stated that with CRS being imminent in 2017, the question that arises is how much can we leverage on FATCA, which is already in place. Both have similarities, but the implementation of each is slightly different. Also how can data accuracy be ensured when there are differences in data structure and format, which can be challenging for implementation. To answer these questions, the panel examined the commonalities between CRS and FATCA to see how the FATCA base could be built upon as well as the degree of complexity of implementation.

First, he endorsed Mr Steven Sieker’s earlier explanation of the circumstances leading to FATCA and CRS. As for implementing CRS, he said that, in terms of scope and products, it is very similar to FATCA. For instance, doing due diligence on existing financial accounts and ensuring new onboarding captures the information required to prepare reports and annual reports for local tax authorities. He noted that there needs to be a level of awareness of the customer experience. Front-liners should be trained in order to be able to answer as many questions as possible, but the sheer numbers involved will make training difficult. Another challenge relates to the implementation of withholding tax in terms of time, resources and cost.


Dr Chong Han Hwee believes that there are similarities with FATCA that can be leveraged, which he estimates will involve an incremental effort of approximately 60%. Specifically, he discussed a list of items comparing CRS and FATCA. For instance, under CRS there are no group requirements, so every single entity would have to report, and CRS also involves a self-declaration form, which makes implementation a big challenge. He said that the programme and governance aspects of FATCA can be used for CRS.

Finally some of the steps that need to be taken to ensure that Malaysia is ready by January 2017 include preparing the required forms, policies and procedures. Training is another key aspect. In terms of technology, based on FATCA, various tools have been created to help clients.

After providing a brief historical background to the topic, Ms Esther Koisin discussed the requirements that need to be fulfilled prior to the implementation of the CRS. First there must be a legal basis prior to the exchange and that will require domestic rules/legislation. For administrative purposes, there needs to be a competent authority agreement providing for jurisdiction between the Malaysian competent authority and the exchange partner. Other requirements are an IT platform and, more importantly, confidentiality and the safeguarding of data.

The legal basis for the CRS includes the Convention on Mutual Administrative Assistance in Tax Matters (MAC), bilateral double taxation agreements (DTA) – subject to a protocol to include an AEOI article if not available in the current DTA – and a tax information exchange agreement (TIEA). Ms Esther Koisin noted that Malaysia became one of the signatories to the MAC on 25 August 2016 and currently 104 jurisdictions have signed it. Bilateral DTAs and TIEAs will also be necessary as not all jurisdictions are signatories to the MAC.

Some of the domestic (CRS) rules include translating the due diligence rules under the standard and reporting obligations (‘purple book’), specifying domestic options provided under the standard, meeting the standard and consideration of not putting an undue compliance burden on Malaysian Financial Institutions (MYFIs) and Malaysian tax resident account holders.

In terms of the competent authority agreement (CAA), it can occur multilaterally or bilaterally. The three important points to note are that the CAA sets the type of information to be exchanged, the time and manner of exchange, and data safeguards. Malaysia is a signatory to the OECD Multilateral CAA (MCAA), which has currently been signed by 84 jurisdictions. It will be open to bilateral CAAs with jurisdictions that have not signed the MCAA. It was emphasised by Ms Esther Koisin that although Malaysia has signed the MCAA, it does not mean that whoever else has signed it must agree that Malaysia must exchange with them. The Inland Revenue Board of Malaysia (IRBM) will eventually publish on its website which countries Malaysia will share data with.

As to comparisons between CRS and FATCA in terms of the IT platform, IRBM will subscribe to the Common Transmission System (CTS) developed by the OECD for CRS and subsequently will need to agree with exchange partners who do not subscribe to the CTS. Unlike FATCA where MYFIs send their reports to IRBM through the IDES platform, for CRS the report will need to be sent to the IRBM IT platform (with no access to CTS for FIs).

Some of the other factors affecting the decision to exchange information include confidentiality and data safeguards. A legal framework ensures limits of use and penalties for improper disclosure. As for systems and procedures, stringent policies must be in place to ensure data confidentiality. The OECD also conducts confidentiality and data safeguard assessments as part of CRS implementation, which Malaysia underwent in April 2016.

The Standard comprises the CRS and commentaries: the CRS contains the due diligence rules for FIs to follow, while the commentaries illustrate and interpret the CRS. There are options which jurisdictions can make and should be provided for in domestic law. The approach and options on CRS implementation include a series of engagements with stakeholders including representatives from MYFI associations. The Ministry of Finance (MOF) as the policymaker works closely with IRBM, Bank Negara Malaysia (BNM), the Securities Commission (SC) and the Labuan Financial Services Authority (LFSA). There are three approaches: the CRS approach, a wider approach and the widest approach. Of the three, a wider approach is the most encouraged. Under that approach MYFIs identify all accounts held by foreign account holders but only report accounts in jurisdictions where Malaysia has CRS agreements. There are several options for CRS implementation:

• Option 1 – is to calculate the account balance as at the end of the calendar year and not through the average balance.

• Option 2 – in relation to the reporting period, is to report the calendar year rather than another appropriate reporting period.

• Option 3 – in relation to phasing in the requirement to report gross proceeds, is to start reporting for gross proceeds in 2018 just as for the rest of the reportable accounts rather than ‘phasing in’.

• Option 4 – is to file NIL returns for monitoring purposes, as in FATCA.

• Option 5 – is that third party service providers are allowed but responsibility is still with the MYFIs, consistent with FATCA.

• Option 6 – is to allow due diligence procedures for new accounts to be applied to pre-existing accounts.

• Option 7 – is to allow due diligence procedures for high value accounts to be applied to lower value accounts if MYFIs elect to do so.

• Option 8 – is the residence address test for lower value accounts.

• Option 9 – is an exclusion from due diligence for pre-existing entity accounts of less than USD250,000.

• Option 10 – is simplified due diligence rules for group cash value insurance contracts and group annuity contracts. This allows MYFIs to treat group cash value insurance contracts or annuity contracts issued to an employer or individual employees as a financial account that is not a reportable account until the date on which an amount is payable to an employee/certificate holder or beneficiary.

• Option 11 – is standardised industry coding systems for the due diligence process.

• Option 12 – is currency translation which states that all amounts in the Standard are stated in US dollars and the Standard provides for the use of equivalent amounts in other currencies as provided by domestic law.

• Option 13 – is an expanded definition of pre-existing account.

• Option 14 – is an expanded related entity definition.

• Option 15 – is the grandfathering rule for bearer shares issued by exempt collective investment vehicles, which is not relevant to Malaysia as there are no bearer shares.

• Option 16 – is on controlling persons of a trust.

A brief implementation timeline was provided by Ms Esther Koisin. As for the keeping of records, she noted that the obligation is to keep and retain them in safe custody for a period of seven years. Enforcement includes the penalties under the Act with implementation subject to random audit, but one should expect MYFIs with a high number of undocumented accounts to be selected. Higher penalties are to reflect the seriousness in enforcing levels of compliance as expected by the OECD and exchange partners. The audit is to ensure compliance by MYFIs in performing due diligence and reporting as required under AEOI Group and Global Forum agendas.

She noted that the exchange of information on request (EOIR) and automatic exchange of information (AEOI) are to ensure a level playing field, voluntary tax compliance and fairness of the tax system. According to the OECD, these are powerful tools to counter cross-border tax evasion. IRBM is taking steps to ensure EOIR and AEOI efforts contribute to voluntary compliance and to raising tax liabilities that would otherwise have been evaded.

She finished by saying that IRBM looks forward to cooperative compliance through engagement and discussions with MYFIs. As AEOI and CRS is an international commitment, cooperation from all MYFIs is much needed and will be appreciated.

Q & A Session

The first question was whether the IRBM would release guidance notes on CRS before the end of 2016.

In reply Ms Esther Koisin explained that FATCA is different as detailed guidance has not been provided by the US together with the Inter-governmental Agreement (IGA). For CRS, there is already a commentary in the form of the very detailed guidance provided in the ‘purple book’. She advised that the IRBM would probably not be issuing guidance notes before the rules are out.

The second question related to the guidance note for FATCA. As there is one for the inter-governmental agreement (but it has not been signed yet), were there any updates on this from the IGA. Ms Esther Koisin explained that unfortunately the IGA has not been signed yet and the concern of FIs is if Malaysia will remain in the list of jurisdictions considered to have an IGA in substance. Presently, Malaysia is one of the jurisdictions considered to have IGA but there has been concern as recently the US said that those jurisdictions who have not made an effort to complete the IGA will be removed from the list. What this means is that FIs may need to have a separate individual agreement with the US. However, she assured the audience that Malaysia will remain in the list.


Responding to Terrorism Financing Risks: Trends and Insights from Across the Region

Panellists: I Nyoman Sastrawan (Pak Sastra), Group Head of Typology/Strategic Research, Indonesian Financial Transaction Reports and Analysis Center (INTRAC)

DSP Foo Wei Min, Deputy Superintendent of Police, Royal Malaysia Police

Professor Rohan Gunaratna, Professor of Security Studies, Head, International Centre for Political Violence and Terrorism Research, S. Rajaratnam School of International Studies (RSIS), Singapore

Moderator: Abdul Rahman Abu Bakar, Director, Financial Intelligence and Enforcement, Bank Negara Malaysia

The moderator Mr Abdul Rahman Abu Bakar introduced the three distinguished speakers from Malaysia, Indonesia and Singapore. He noted that some information could not be disclosed due to ongoing investigations and hoped that the presentations would provide insight on efforts to eradicate or reduce the problems related to terrorism financing.

He gave an overview of how the session would run: Mr I Nyoman Sastrawan (Pak Sastra) would provide a regional perspective on terrorism financing, DSP Foo Wei Min would provide a Malaysian perspective and the session would be concluded by Professor Rohan Gunaratna, an expert witness and international specialist in this field.

Pak Sastra’s presentation covered methodology, data analysis, key insights, priority actions and country responses in relation to terrorism financing. He said that the methodology used was referred to as ‘FATF guidance’.

Pak Sastra discussed the first Regional Risk Assessment (RRA), which identifies the key risks, techniques and methods relied on by extremist/terrorist groups in collecting, moving and using money in the region. The raising and moving of funds by such groups may be performed legally or illegally, through the banking sector or cross-border cash-flow respectively, and funds may be used directly or indirectly. He noted that the size and structure of terrorist groups and organisations are evolving and the techniques for raising, moving and using money are increasing. Collaboration by various bodies is needed to mitigate the problem.

The RRA is a collaborative regional assessment by Indonesia, Australia, Malaysia, Thailand, the Philippines and Singapore. These countries completed self-assessment questionnaires incorporating qualitative and quantitative data, which identified each country’s terrorism risk and vulnerability to terrorism financing. The data was based on inside intelligence, operational cases and experts’ views. The milestones were: kick off meeting in April 2016, finalisation of draft in June 2016 and presentation of results in CTF Summit August 2016. Risk areas are measured by three scales: ‘high’ (scores of 7-9), ‘medium’ (scores of 4-6) and ‘low’ (scores of 1-3). The total threat in this region was assessed at 4.5, vulnerability at 3.9 and the likelihood of terrorism financing at 4.2.

The results of the RRA identified key risks within the region as well as threats from outside the region (for example, Al-Qaeda and Islamic State of Iraq and the Levant (ISIL)). Pak Sastra noted that groups raised, moved and used funds within the region. Raising funds could be via legal or illegal means, and through locals or foreigners. Moving funds could be for direct use in attacks and to maintain networks or funds could be used for organisational purposes.

He said that it is important to be aware that extremist/terrorist groups predominantly use legal methods to raise funds. Countries in the region ranked self-funding from legitimate sources as a high risk. Illegal methods for raising funds include kidnapping for ransom, cyber-crime and bank robberies. Pak Sastra gave an example where members of a terrorist group hacked into a commercial website and transferred money to the bank accounts of third parties. The risk of non-profit organisations (NPOs) being misused for terrorism financing is also considered as high due to their capacity to raise large amounts undetected. Funding from outside the region is another risk.

To move funds terrorists use both the banking sector (individual or company accounts) and non-banking sector (alternative remittances), which is assessed as relatively low risk. The highest risk medium is cash, including cross border cash flow and the smuggling of cash. Funds are usually used for direct activity, such as training and buying weapons and explosives, rather than indirect use such as members’ salaries, expanding the terrorist network, spreading propaganda and funding widows and families of terrorists.

PLENARY SESSION 5:


The RRA discusses suggested regional actions. In relation to self-funding, intelligence agencies and reporting institutions need to establish secure and trusted channels for information sharing to monitor high-risk activity. For higher-risk NPOs, a regional forum has been suggested. Further ways to monitor external funding into the region should be explored. Emerging terrorism financing channels, including stored value cards/prepaid cards, online payment platforms and virtual currencies, are also mentioned.

Pak Sastra concluded by saying that law enforcement, regulators and analytics experts are all involved and urged the public to take an active role in informing relevant authorities of activities by terrorist groups. He hoped that collaboration between countries in the region will be enhanced.

DSP Foo Wei Min’s presentation covered an introduction to terrorism financing, a risk assessment of ASEAN terrorism financing, Malaysia’s terrorism financing profiles and case studies. He explained that he could not reveal pending cases, but could discuss one completed case – the case of Fauzi and Rohaimi who both received 16 years imprisonment for carrying out terrorism financing.

The RMP investigates terrorism financing, which is essentially ‘reverse money laundering’ as the source of funds can be legitimate or legal but the crime occurs when such funds are used for terrorism. The detection of terrorism financing primarily involves following money trails, tracing assets and intelligence gathering. Of assistance in detecting terrorism financing is the Financial Action Task Force’s (FATF) 40 recommendations on combating terrorism financing, the modifications to the law on banking secrecy and the fact that the freezing, seizure and forfeiture of properties is enforced. There is also more international cooperation.

Investigations by the RMP have identified a number of sources of terrorism financing as follows: charitable contributions/donations, legitimate or semi-legitimate businesses, criminal activities and government or state sponsorship.

DSP Foo Wei Min spoke about three methods of counter-terrorism:

(1) the coercive method which includes the criminal justice and war models;

(2) proactive counter terrorism consisting of intelligence gathering; and

(3) persuasive counter terrorism which includes rehabilitation programmes.

He then displayed a table summarising the research conducted over six countries and focused on Malaysia. Of the two forms of funding – operational and organisational – Malaysia poses a high risk of personal mobility through operational funding as well as the use of funds for explosives. In regard to funds channelled to organisations, Malaysia has a high risk of funding families of fighters who go to Syria, helping widows and sustaining the daily needs of terrorists’ families in Malaysia. The funds used for propaganda are medium risk – most propaganda is carried out through social media platforms (Facebook or Twitter). There is medium risk in terms of network maintenance, banking systems and alternative remittances (MSB). DSP Foo Wei Min said that there is a high risk of cross border activity because of Malaysia’s porous land borders and maritime boundaries.

Terrorists have used Malaysia as a transit country for the recruitment of terrorists locally and from other countries. In the first terrorist attack by ISIL in June 2016, 73 Malaysians joined/attempted to join terrorist groups in Syria and Iraq, 19 were killed in conflict zones, 8 were arrested and convicted upon returning to Malaysia and 41 accounts/persons had their assets frozen. In regard to domestic terrorism, 94 terrorism cases were investigated from January to August 2016. As for terrorism financing, 18 cases were investigated, 12 cases were prosecuted resulting in one conviction with 11 ongoing trials and 6 ongoing investigations.

Domestic anti-terrorism financing legislation includes the Prevention of Terrorism Act 2015 (POTA), the Security Offences (Special Measures) Act 2012 (SOSMA) and provisions in the Penal Code (sections 130N–130Q). Sentences for terrorism offences range from the death penalty to life imprisonment or imprisonment for a term upon conviction.

Next DSP Foo Wei Min provided some red flags identified during the course of investigations. These include private donations by religious groups, such as zakat or infaq, whereby funds are collected for charitable purposes or by associations and individuals through social media. They have access to considerable sources of funds and their activities are often cash-intensive. Charities are subject to significantly lighter regulatory requirements than financial institutions or public entities. Social media accounts on Facebook and the blogspot ‘Rakyat Malaysia Bersama Revolusi Islam’ (RMBRI) were created by one suspect, Ruhaini, whereby small amounts of money were collected on a frequent basis. The money collected was channelled to bank accounts via internet banking and donors were not informed of the donation’s purpose. In relation to suspects Fauzi and Rohaimi, Fauzi was a fighter in Syria for nine months and his account was used to channel money for donations to sustain other Syrian fighters. Rohaimi created the social media accounts and utilised Fauzi’s account. During the investigations, their bank statements displayed payments for infaq and jihad.

DSP Foo Wei Min said that combating and investigating terrorism financing requires a different approach by both financial institutions and law enforcement. The use and origin of funds are relevant. To summarise, the two main methods to fund domestic terrorism financing are through the use of the financial system and the physical movement of money. He urged the public to assist law enforcement authorities to overcome this rising issue.

Professor Rohan Gunaratna began by referring to the recent case in the high court involving Malaysian terrorists. Wanndy, who directed attacks in Malaysia, including against the Movida Bar (Movida) in 2016, and is now in Syria, and his brother Mohamed Danny were sentenced to four years under the Security Offences Special Measures Act (SOSMA). Danny had collected RM12,000 from a network of Malaysian nationals through Maybank accounts and transferred it through Western Union to Wanndy, who used it for terrorist attacks.

Professor Rohan Gunaratna then gave an overview of the terrorist threat to the region and Malaysia. The regional threat is from ISIL. He said that the RMP has been very effective in the fight against ISIL terrorism in Malaysia, but continued cooperation and intelligence are vital. The Malaysian special branch had recently destroyed the ISIL network Al-Kubro (the great generation), which had two related networks, Panji Hitam Pantai Timur and Kumpulan Gagak Hitam (which staged the Movida attack). He noted that statistics show that 239 people have been arrested for terrorism in Malaysia, with ISIL representing the largest threat. In his view, the Malaysian government made a mistake in repealing the Internal Security Act (ISA) 1960. He believes that the Movida bombing would not have occurred had the ISA been in force.

He noted that, contrary to popular belief, it is middle class individuals and not poor people who are joining ISIL. He shared the story of a Malaysian suicide bomber who had received a government scholarship to study medicine in the UK. His parents refused to support his plans to travel to Syria. However, he carried out and perished in a terrorist attack in Syria.

Next, he shared his experience as an expert witness in the case of Yazid Sufaat, a former captain of the Royal Military College of Malaysia (RMC), who attempted to cultivate anthrax in Afghanistan for Al-Qaeda. When the US attacked the Taliban, Yazid fled to Thailand and then Malaysia, where he was arrested. In 2013 he was detained for the incitement of terrorist acts and was the first case under SOSMA.

Professor Rohan Gunaratna discussed another group that is currently being dismantled in Malaysia and also showed pictures of attacks in Syria and Iraq which young Malaysian and Indonesian nationals have joined. He also explained that the Philippines is emerging as a very important ISIL hub, which has major implications for Sabah’s security.

He noted that the four stages for detecting terrorism money are collection, movement, storage and dispersal. He stressed that the sums will not normally be large amounts.

In conclusion, Professor Rohan Gunaratna urged close collaboration between government and the banking sector to overcome terrorism financing.

Q & A Session

The first question was to what extent religious authorities in Malaysia obstruct or assist in fighting terrorism financing? Professor Rohan Gunaratna replied that in Malaysia, Jakim is an invaluable organisation and a resource which should be harnessed as there is a need to send out a sustained message that groups such as ISIL are not Islamic organisations or promoting Islam. Law enforcement should work with Muslim clerics through the media, education systems and religious associations to promote this message. He said that it is important to know that terrorists and extremists manipulate and use religion to advance their own aims and objectives. He also explained that terrorists use Islamic concepts such as ganima to raise money and it is important that Islamic bodies and scholars say that such activities are not in accordance with Islamic practices and traditions.

The next question was whether there is a difference between money laundering and terrorism financing. Mr Abdul Rahman Abu Bakar replied that terrorism financing is basically the reverse of money laundering as it is often based on legitimate funds and small amounts, while money laundering is based on illegitimate funds and big amounts. There are similarities in funds movement. From an international perspective, the FATF has dealt with both money laundering and terrorism financing issues since ‘9/11’. Some countries have specific legislation – for example, Malaysia has the Anti-Money Laundering and Anti-Terrorism Financing Act 2001 (AMLATFA) and offences under the Penal Code. Despite different ways of legislating, countries use similar mechanisms to tackle money laundering and terrorism financing.

Professor Rohan Gunaratna added that terrorists do not usually launder money but rather engage in terrorism financing: a clear distinction being that most terrorism sources of finance are from legitimate sources (charities or businesses) and a small percentage comes from criminal activity (for example, recent international cases where terrorists used credit card scams to raise money), whereas with money laundering the aim is to convert ‘black’ money to ‘white’.

DSP Foo Wei Min added that, from an investigatory perspective, terrorism financing involves intelligence gathering, where investigators follow the trail of funds back to their source.

Pak Sastra referred to a case study of three people, where two of them were proficient in IT and one was an accountant. This was a terrorism, money laundering and cyber-crime case because the money obtained was used to buy houses and cars for terrorist groups as well as being utilised for terrorist activities and training. He noted that terrorist groups might also conduct money laundering based on a case study in Indonesia.

The next question was what are the demographics or geographical areas that are particularly at risk and whether these typologies are helpful to detect terrorism financing. DSP Foo Wei Min replied that the RMP has a sanction list and advised bankers to start there, with added information obtainable through Bank Negara Malaysia (BNM), and then to proceed with other domestic and international lists.

Pak Sastra shared his experience in Indonesia where comprehensive terrorism financial information was compiled by law enforcement bodies who work together with analysts in the Financial Intelligence Unit (FIU) to further explore high risk areas.

Finally, Professor Rohan Gunaratna was asked what could be done to improve Malaysia’s infrastructure through collaboration. He gave the example of the International Centre for Political Violence and Terrorism Research (ICPVTR) in Singapore. The Association of Banks in Singapore provided two bankers with technical knowledge to work for two years with the centre’s threat specialists to develop a guidebook on how to detect terrorist money based on suspicious indicators in the collection, storage, movement and dispersal stages. He viewed this collaboration as immensely useful and added that Malaysia had similarly sent specialists to Indonesia. He felt the threat environment would further force countries to collaborate.

“It is important to know that terrorists and extremists manipulate and use religion to advance their own aims and objectives.” Professor Rohan Gunaratna

PLENARY SESSION 6: Keynote Closing Address – An International Perspective on Trends in Financial Crimes and Terrorism Financing

John Shipley, Prosecutor, US Attorney’s Office in Miami, The United States Justice Department

Mr John Shipley emphasised that the objective of his presentation was to give an insider’s view on the efforts made by the US Department of Justice in dealing with the investigation of global financial crimes.

His speech was divided into four parts. First, he gave his opinion on why terrorism financing differs from other financial crimes and what that means for banks. Second, he described ‘traditional’ and new methods of terrorism financing. Third, he highlighted case studies from recent US criminal prosecutions and lastly, he highlighted trends based on his personal experience for the benefit of banks and regulators.

He said that his experience has exposed him to various high profile trials involving terrorism financing. He explained that strategies involved in investigating terrorism financing changed after the 9/11 tragedy. Prior to 9/11, investigators would follow the money trail to identify culprits, but post-9/11 the strategy was to track terrorism financing in order to identify, disrupt and dismantle terrorist networks and their funding mechanisms before the incident occurs.

He highlighted the difference between money laundering and terrorism financing. Money laundering is a process by which proceeds from unlawful activities are disguised and subsequently integrated into the banking system or other mainstream financial networks. Terrorism financing is an act of knowingly providing things of value to persons or groups engaged in terrorist activity.

He added that the characteristics of money laundering include ‘tainted’ money, money moved in large sums, and the main focus being on concealing the source. Money laundering is motivated by greed and not ideologies or political beliefs. As for terrorism financing, the money may be clean, transferred in smaller amounts and the focus is on concealing the end use.

“Financial institutions must be vigilant and concerned about suspicious account activities.” John Shipley

Mr John Shipley said some of the traditional terrorism financing sources still being used, and rarely detected by authorities, include state sponsors, donations from wealthy supporters and the taxation of expatriates and immigrants. Traditional terrorism financing methods include bulk cash couriers, currency exchanges, wire transfers, banking systems and alternative remittance systems such as ‘hawala’ networks. These sources of money could be very hard to detect due to the small amounts involved.

The exploitation of natural resources and other large-scale commercial activities (for example, the seizure of oil or natural resources in Iraq by Islamic State) is a new trend which, if allowed to continue, will see larger amounts of money being used for terrorism financing. The most common ways detected in terrorism financing include incoming cash from foreign fighters and fundraising via social media or crowdfunding. The most interesting current trend is the use of virtual currency, where the funds are stored in prepaid cards and other internet-based payment sources.

He spoke about three main case studies—the Jose Padilla, Hafiz Khan and Amin prosecutions. In the Jose Padilla prosecution, the accused solicited money from both online and traditional sources supposedly to provide support to Muslim families overseas. He was convicted and sentenced to 20 years in prison. He was assisted by another person known as Jayusi and together they would collect money for the support of terrorist groups such as Al-Qaeda. They solicited money for legitimate purposes and were initially prosecuted in relation to tax disclosure laws for charities. They improvised by using the American Islamic Group to solicit funds which were then transferred to respective terror groups to finance their activities. He said that while the criminal justice system is a permanent way to dismantle terrorist networks, it is not the fastest.

On the Hafiz Khan prosecution, the trail of evidence began with funds being sent from the US to the Swat Valley in Pakistan in support of the Taliban. The accused in this case used formal bank transfers and kept them low to avoid any suspicion. He would make a transfer request and not state any reason pertaining to the said transfer. The authorities were swift in recording his conversations in which it was discussed how to further break down the money. Ultimately the accused was convicted and sentenced to 25 years imprisonment.

The last case study discussed was the Amin prosecution. The speaker explained that in this case, Amin, aged 17, used Twitter to provide advice to the Islamic State of Iraq and the Levant (ISIL) on transferring funds and instructed ISIL on using bitcoin, an innovative crypto-currency, and other payment networks to mask transfers. He pleaded guilty and was sentenced to 11 years imprisonment.

Mr John Shipley emphasised that financial institutions must be vigilant and concerned about suspicious account activities. This includes the account activity of terrorist sympathisers with large amounts of capital looking to get the money to supporters ‘on the ground’, account activity by terrorist organisations in generating large amounts of money from suspect commercial activity such as Islamic State in Iraq and Syria (ISIS) and account activity at branch offices or locations associated with insurgency or terrorist sympathisers.

He further highlighted recent initiatives in the US, which include broadening the reach of suspicious activity monitoring requirements, encouraging the establishment of specific in-house intelligence units staffed by former military or law enforcement officers, rewarding ‘whistle blowers’ for identifying non-compliance from within and authorising civil damages claims by terrorist victims against foreign banks.

He discussed the Arab Bank civil case where victims of Hamas attacks in the Middle East sued the bank for damages, alleging that the bank failed to monitor accounts it should have known were being used by Hamas to distribute money to terrorist families. The bank claimed that it checked the accounts against all terrorist blacklists and properly monitored all transactions. The jury, however, found the Arab Bank liable and a settlement was reached on the eve of the trial to settle the amount of damages. He pointed out that potential criminal liability for banks can be established if they knowingly or recklessly do business with countries blacklisted for supporting terrorism or even fail to follow ‘know your customer’ (KYC) requirements.

The speaker concluded by sharing some lessons that can be learned from these financial crime investigations. Banks are the first line of defence against terrorism financing. Effectively monitoring terrorism financing requires thinking globally and looking beyond local customers and transactions. He reminded bankers that the warning signs for terrorism financing are not necessarily the same as those for money laundering.

Q & A Session

With the rise of ISIS, many governments are developing counter-terrorism units within their prosecution units. A question was asked about what has been done and what more can be done in this region to build the capabilities to fight terrorism.

Mr John Shipley responded by saying that sharing information and lessons learned with investigators is an important step in fighting terrorism.

“Banks are the first line of defence against terrorism financing. Effectively monitoring terrorism financing requires thinking globally.” John Shipley

Closing Remarks

Kwan Keen Yew, Group Chief Compliance Officer, CIMB Group

The conference ended with closing remarks by Mr Kwan Keen Yew, Group Chief Compliance Officer of CIMB Group. He hoped that all participants had found it enjoyable and noted that a large variety of compliance, AML and CFT topics had been covered in the sessions. Particularly noteworthy were the discussions on governance and the difference between the principle-based and prescriptive approaches to compliance. Drawing attention to comments made by YBhg Datuk Dr John Zinkin in Plenary Session 1 relating to the values of society having diminished which in turn leads to increased non-compliance, whether it be within banks or society in general, Mr Kwan Keen Yew commented that compliance officers have an important role to carry out in their respective organisations. Furthermore, in his view, there is a need to emphasise the rules and regulations prescribed by regulators, as well as a need for transparency and disclosure when selling products to customers and helping regulators to ensure that banks are safe from both an AML and a CFT perspective.

He then referred to some of the insightful sessions held during the conference, such as those discussing the Panama Papers and cybercrime. The session on FinTech highlighted that compliance officers will need to prepare for the further emergence of FinTech and the accompanying changes to regulations. Two sessions provided unique insights from law enforcement, including from US Presenter Mr John Shipley, which were particularly useful and beneficial in relation to terrorism financing.

Mr Kwan Keen Yew ended his closing remarks by expressing gratitude to the organising committee, particularly AIF. He also thanked BNM for its continuing support, noting that this is the eighth year the conference has been held and a lot of its success is due to that support, especially the assistance in obtaining speakers. Finally, he thanked the sponsors, LexisNexis Risk Solutions, Swift, Tess International, Wong and Partners and Dow Jones, and all of the participants who he hoped would attend again in 2017.

ASIAN INSTITUTE OF FINANCE (838740-P)
Unit 1B-05 Level 5 Block 1B, Plaza Sentral, Jalan Stesen Sentral 5, 50470 Kuala Lumpur.
T | +603 2787 1999 F | +603 2787 1900 E | [email protected] W | www.aif.org.my