The three pillars of effectiveness are governance, risk awareness, and execution. Given the importance of robust TM, the “three pillars of effectiveness” is the framework that MAS used to scrutinise the effectiveness of banks’ TM systems in the context of their broader AML/CFT regimes.

Transaction monitoring (TM) is a key control in financial institutions’ anti-money laundering and countering the financing of terrorism (“AML/CFT”) policies and procedures. The following make up the transaction monitoring process chain:

– Knowing the customer
– Risk-based calibration
– Robust implementation
– Resolve and enhance

Financial institutions with higher inherent risks or specific transaction monitoring control deficiencies to address should perform more regular reviews in order to adequately mitigate their risks. These reviews should be targeted at sustaining system effectiveness by imbibing the changing risk environment.

Financial institutions’ board and senior management must take an active role in overseeing the satisfactory performance of transaction monitoring. It is incumbent on the board and senior management to adequately resolve matters in a prompt and timely manner when outputs or outcomes are compromised due to factors such as inappropriate calibration, process inefficiencies, staff issues or system failures.

When onboarding customers, financial institutions are required to perform risk assessments and due diligence checks in order to identify and mitigate any prospective money laundering and terrorism financing (ML/TF) risks, including proliferation financing (PF) risks, at the onset.

An effective transaction monitoring system enables financial institutions to detect and assess whether customers’ transactions pose suspicion when considered against their respective backgrounds and profiles. Transaction monitoring systems also facilitate the holistic reviews of customer transactions over periods of time, in order to monitor for any unusual or suspicious trends, patterns or activities that may take place.

An effective transaction monitoring system enables financial institutions to detect and assess whether customers’ transactions pose suspicion when considered against their respective backgrounds and profiles. An effective transaction monitoring system is comprised of the following elements:

– A well-calibrated framework
– Robust risk awareness
– Meaningful integration
– Active oversight

To ensure proper functioning and effectiveness of their transaction monitoring systems, financial institutions must ensure that transaction monitoring and reviews are executed by competent and well-trained staff who exercise sound judgment in targeting unusual transactions, activities, and behaviours.

Financial institutions are required to maintain current and accurate knowledge of their customers, after establishing a business relationship, through the performance of periodic reviews and/or reviews based on trigger events, and where appropriate enhance the frequency and intensity of customer engagement where the risks are assessed to be greater.

Financial institutions with a larger scale of operations are expected to have in place automated systems capable of handling the risks from an increased volume and variance of transactions. While smaller Financial institutions may rely on transaction monitoring systems that are less automated, they must still ensure that these are appropriately executed to satisfactorily address the risks from their day-to-day transaction activities.

When appropriately configured and implemented, transaction monitoring parameters and thresholds enable financial institutions to flag unusual transactions with a reasonable degree of certainty of potential ML/TF characteristics warranting further inquiry. Some banks have employed the use of certain statistical tools and methods such as above-the-line (ATL) and below-the-line (BTL) testing to better fine-tune their calibrations.

Some risk areas that banks have developed scenarios to detect include:

– Large or complex transactions with no visible/apparent economic or lawful purpose.
– Aggregated frequent and small transactions.
– Unusual patterns of physical cash deposits or withdrawals, which are large when aggregated over a period of time.
– Significant deviations from past account activity (or inactivity).
– Transaction activities with nexus to higher risk countries or geographies.
– Detection of activities or behaviours consistent with certain predicate offences (e.g. possible tax evasion or avoidance, corruption nexus, or terrorism financing).
– Hidden relationships between customers or accounts evident through funds flows.

Some financial institutions require their front office staff to conduct pre-transaction checks before executing transactions assessed to pose higher risks or involving higher risk customers. These checks include the following:

– Inquiring on the background and purpose of transactions that exceed predefined thresholds, to ensure alignment with customers’ profiles and purpose of accounts.
– Engaging customers, filing call reports on the transaction date that detail relevant risk considerations (e.g. nature of the relationship between customer and beneficiary, identifying the origin and destination of funds), and attaching supporting documents supplied by the customer.
– Obtaining approvals from line managers and/or compliance personnel before executing higher risk transactions.

Financial institutions are expected to keep KYC information up-to-date on an ongoing basis. As part of the periodic account review process, financial institutions typically require their front office to update customers’ or beneficial owners’ KYC information and seek to update changes to the customers’ and beneficial owners’ personal information and financial condition.

An effective TM system is comprised of robust risk awareness, meaningful integration, a well-calibrated framework, and active oversight.

Financial institutions should monitor and ensure the effective performance of transaction monitoring at each stage of the transaction monitoring process chain. Listed below are the stages of the process chain:
– Knowing the customer stage.
– Risk-Based calibration stage.
– Robust implementation stage.
– The “resolve and enhance” stage.

The use of scenarios is not limited to banks or FIs with automated systems, as smaller FIs with less-automated systems should apply the same logic in training and guiding their staff to detect these more complex risks.

Some pre-transaction checks conducted by FIs front office staff before executing transactions to assess transactions that may pose higher risks or involve higher risk customers include but are not limited to inquiring on the background and purpose of transactions that exceed predefined thresholds, engaging customers, filing call reports on the transaction date and attaching supporting documents supplied by the customer and obtaining approvals from line managers and/or compliance personnel before executing higher risk transactions.

FIs should ensure that their lists of ML/TF/PF red flags are continually updated, not just to include new red flags but also to provide further guidance on existing ones, particularly when staff give feedback on a lack of clarity in interpreting these red flags.

FIs should ensure good governance and strong oversight of their material outsourcing arrangements. This means that FIs’ board and senior management are expected to be fully apprised of any risks arising from their material outsourcing arrangements, and must ensure that these arrangements do not result in the compromise or weakening of their organisations’ ML/TF risk management, internal controls and conduct of business.

Financial institutions generally perform independent verification measures on the source of wealth to serve as a plausibility check on the information provided to them. Examples of independent corroboration measures include citing public information sources (e.g. company websites, corporate registration websites, journals and media reports) to verify net worth of customers/financial statistics of operating companies as well as obtaining documentary evidence, such as bank statements, confirmation from third party professionals (e.g. tax advisors), and financial statements or management accounts of operating companies. Financial institutions also assess the authenticity and reliability of the documents provided by the customers.

The information gathered should be sufficiently detailed to facilitate independent ongoing transaction monitoring. Financial institutions should ensure that accounts are subjected to enhanced monitoring where those accounts are used for commercial transactions.

Financial institutions should always have full knowledge of originator details for incoming wire transfers, and ensure that similar information is provided for all outgoing wire transfers eg your bank account number, the recipient’s name, the recipient’s bank name and address.

External fraud is another risk that financial institutions have to confront and manage. There have been cases where financial institutions received fraudulent email instructions to release funds from their customers’ accounts to third-party accounts at other financial institutions. Hence, financial institutions should pay special attention to, and put in place rigorous controls over third party account transfers and activities, particularly if they involve inactive/dormant and/or hold-mail accounts. Financial institutions should not carry out any transaction without proper verification.

Accounts with HM services are more susceptible to being abused since customers’ receipt of account statements on a delayed basis creates opportunities for misappropriation of assets and other irregularities to go undetected.

Financial institutions have frameworks in place to govern the operations of inactive/dormant accounts. They typically include defining when an account is classified as inactive/dormant, conditions under which such an account may be reactivated, and the approval authority for its reactivation. Inactive/dormant accounts are subjected to regular independent review and are blocked to prevent unauthorized transactions.

Financial institutions generally have processes in place to understand their customers’ investment goals, risk tolerance, and personal circumstances. These typically involve customers completing a risk assessment questionnaire, which allows the financial institutions to understand and assess the customers’ investment objectives, investment time horizon, loss tolerance, volatility tolerance, financial needs or constraints, and prior investment knowledge and experience.

Requests for HM services should not be routinely approved without assessing the reasonableness of the requests. Financial institutions should ensure that retained mail is not delivered to third parties without written instructions from customers to confirm that these individuals are duly authorised to collect the retained mail on their behalf. Financial institutions should not have retained mail left uncollected for an extended period of time. Institutions should have a process to track and manage accounts with uncollected retained mail.

Based on MAS’ inspections, there is scope for FIs to enhance their reporting and escalation of the following significant risk matters:

– System implementation delays.
– IT incidents or system limitations impacting the organisation’s TM capabilities.
– Results and remediation of compliance or QA reviews.
– Regular updates and follow-ups with regard to alert ageing statistics.

When dealing with customers, institutions should act responsibly and ensure that customers fully understand the risks of products marketed and that the suitability of the products commensurate with customers’ risk appetite and investment needs.