MAS sets out supervisory expectations where AML/CFT control functions are outsourced

On 15 July 2020, the Monetary Authority of Singapore (MAS) published a guidance paper which sets out MAS’ supervisory expectations of sound practices where anti-money laundering/countering financing of terrorism (AML/CFT) control functions are outsourced.

The guidance paper is based on a series of thematic inspections conducted by MAS of capital markets intermediaries (CMIs) to assess the adequacy of their oversight of AML/CFT service providers (ASPs), and their understanding of the key control functions outsourced to these ASPs. Gaps were observed by MAS, and in some cases, material lapses in AML/CFT controls. In addition to CMIs, the learning points in the paper may also be relevant and applicable to other financial institutions (FIs), and MAS states that FIs should incorporate the learning points from the paper in a risk based and proportionate manner.

We provide a summary of the guidance paper’s key learning points below, some of which overlap with the updated Outsourcing Principles proposed by IOSCO (see our briefing on this and MAS’ new powers to strengthen its supervisory oversight of banks’ outsourcing arrangements here).

Next steps for CMIs and FIs

CMIs should conduct a gap analysis against the best practices outlined in the guidance paper as well as MAS’ Guidelines on Outsourcing (Oct 2018), and take appropriate measures to enhance their practices as necessary. Other FIs should also consider the learning points outlined in the guidance paper and ensure that they have a robust understanding of their ASPs’ practices and that such practices align with MAS’ requirements under the relevant AML/CFT Notices.

Where FIs outsource first level alert reviews to transaction monitoring hubs within the same financial group, they should continue to study and leverage on the guidance set out in the Guidance for Effective AML/CFT Transaction Monitoring Controls issued by MAS in September 2018 and identify and address any gaps in their execution of transaction monitoring controls, to more effectively mitigate their money laundering/terrorist financing risks.

KEY LEARNING POINTS

CMIs remain responsible for outsourced AML/CFT control functions

CMIs remain responsible for complying with AML/CFT requirements under MAS Notice SFA04-N02 (Oct 2018), even when they outsource AML/CFT control functions. The board and senior management play a crucial role when their firm’s functions are outsourced. The board and senior management need to set a strong tone from the top and should ensure that the firm’s AML/CFT controls remain effective, including under any outsourcing arrangement.

Based on MAS’ Guidelines on Outsourcing (Oct 2018), outsourcing of AML/CFT control functions is considered material outsourcing. Therefore, CMIs need to ensure that, among other things, they conduct a robust assessment of the service provider and establish mechanisms to monitor and control the outsourcing arrangement on an ongoing basis.

Common deficiencies in outsourced AML/CFT functions

MAS observed gaps in CMIs’ oversight of AML/CFT outsourcing arrangements, particularly in the evaluation of potential ASPs and the ongoing monitoring of ASPs post-appointment. These deficiencies exposed CMIs to potential regulatory and reputational risks.

In relation to the evaluation of a potential ASP, CMIs should implement a structured assessment process with a defined criteria as part of their outsourcing policy in order to assess, among other things, the ASP’s experience, track record and level of staff competency. Appointment of the ASP should also be approved by senior management with formal documentation to support the assessments. CMIs should also conduct a gap analysis between their AML/CFT policies and procedures and that of the potential ASP, and assess whether the potential ASP is able to cover any gaps.

Measures to strengthen ongoing monitoring of ASPs include conducting annual visits of ASPs, performing sample reviews of accounts, reviewing all screening results and any changes to the ASPs’ processes. CMIs could also implement quarterly reports to track the progress of periodic reviews and engage auditors to conduct sample reviews of customer accounts.

Major lapses by ASPs

In more severe cases, material lapses in AML/CFT controls were noted, which led to breaches of AML/CFT requirements. The main reasons were due to a combination of the CMIs’ lack of understanding of the ASPs’ practices, and an absence of proper oversight and timely monitoring.

In order to prevent such material lapses, measures such as the ones previously stated above ought to be performed. Ultimately, CMIs should have a robust understanding of their ASPs’ practices, have rigorous oversight over ASPs and have timely monitoring mechanisms to oversee the ASPs. To this end, having (i) a structured assessment process and (ii) proper oversight of ASPs’ processes is crucial.

Assistance

Should you have any questions or require any assistance with your outsourcing arrangements, please contact us.