Implications of the Updated Guidelines for RFAs and how it affects you

The updates are based on the feedback obtained from various professional bodies including the Chartered Secretaries Institute of Singapore, the Law Society of Singapore, and the Institute of Company Accountants Singapore. Besides, ACRA’s inspections of the CSPs have also provided the foundation for the updates.

It is important for companies that have engaged CSPs to manage the regulatory compliance matters, to familiarise with the changes in order to disclose relevant information and cooperate with their service providers to ensure compliance.

Background

The enhanced regulatory framework for Corporate Service Providers (CSPs) established under the ACRA (Amendment) Act and its related regulations (“Accounting and Corporate Regulatory Authority (Filing Agents and Qualified Individuals) Regulations 2015”) came into effect since 15 May 2015. A set of guidelines facilitating the Registered Filing Agents (RFA) to fulfil the obligations under the enhanced regulations for the CSPs was issued in June 2015. 
The latest updates are aimed to provide greater clarity on issues relating to:

• risk assessments, 
• definition of beneficial owners,
• customer due diligence (CDD) especially with regard to deferred CDD and promptness in filing of suspicious transaction report.
• the Internal Policies, Procedures and Control (IPPC)

In addition, the Customer risk factors  have also been updated and the Customer Acceptance Form has been updated accordingly. 

Overview 

Changes Relating to Risk Assessment

A RFA is required to perform a risk assessment of the customer by screening the customer for adverse information and by referring to other reliable sources to determine the customer’s Money Laundering (ML) and Terrorism Financing (FT) risks. Such assessment must be made prior to establishing a business relationship and the observations and decisions must be documented. 

The updated guidelines urge the RFAs to mitigate the risks by asking detailed questions to obtained additional information relating to source of wealth, source of funds etc etc. The objective of such measures is to control the risks of dealing with customers who are Politically Exposed Persons (PEP) or those who are perceived to be in the high-risk category. 

In the updated guidelines, Designated Non-Financial Businesses and Professions (DNFBP) have been removed from the lower risk customer category.  On the basis of the country of origin of the customer, nationality, country of registration of the entity and nature of business, the guidelines have recognised that some customers could be categorised as lower risk customers. For instance, financial institutions that are subjected to AML/CFT regulations, listed public companies that are subjected to beneficial owner disclosure requirements and companies that originate from countries that are identified by credible sources such as Financial Action Task Force (FATF)  have enforced strict AML and CFT regulatory measures get categorised as lower risk customers.  DNFBPs have been removed from the lower risk category probably because the FATF’s  2016 evaluation of the AML/CTF measures of Singapore revealed some weakness among DNFBPs. 

The guidelines underscore that the risk of exposure to ML/TF must be assessed by evaluating the customers on diverse factors such as, the customer company’s layers of structure, scale of activities, country of origin and nature of services provided.  For instance, a customer would get identified as high-risk customer if the structure of the company’s ownership is excessively complex, if there are frequent unaccounted changes to the shareholders, has bearer shares, if the customer makes inexplicable changes to the instructions or if the business is cash intensive. 

The update provides a list of indicators of potentially higher risk clients and transactions in Annex B. Also, Annex C includes a Customer Acceptance Form in Part 1 and Risk Assessment Form in Part 2. The part 1 is to collect critical information on the following factors:

• Personal identification details and address of the customer/Agent
• Information on the entity
• Information on beneficial owners
• Information relating to Politically Exposed Persons (PEP)

Part 2 of the Annex C provides for the evaluation of the nature of services required by the customer and its risks by listing factors that are customer-based, country-based and transaction based. Depending on the outcome of the evaluation the customers are rated as high, medium or low risk customers. The RFA can decide whether the customer could be accepted or rejected based on the risk appetite of the RFA, adopting a risk-based approach. 

What does it mean to you as a customer?

Since CSPs are required to conduct the risk assessment prior to establishing any business relationship with a potential customer, a CSP is compelled to get as much information as it could on the entity, its owners and the connected parties. Customers in need of the services of a CSP must be co-operative and obliging their CSP’s request for information. Failure or reluctance to share information may be deemed as an attempt to withhold sensitive information or could even be treated as an indicator of suspicious transactions and result in unwarranted investigations or sanctions from authorities. Hence, it is imperative for you to provide information and respond to queries promptly and you could undertake the following measures proactively: 

• Maintain updated records and have an officer dedicated to interact and promptly respond to the queries of the CSP; this would ensure seamless flow of information and improve transparency and compliance with the regulations.
• Whenever there is a change in the information submitted to the CSP, ensure such changes are promptly and adequately conveyed to your CSP.
• Give clear directives to your employees in charge of conveying such critical information, with a set of policies and procedures governing the information to be shared with the CSP.

Beneficial Owners

There is an emphasis on identifying and verifying the identity of the beneficial owners of the RFAs’ customers. It is not sufficient to identify the beneficial owner of a customer alone but the RFA is also required to identify the customer’s connected parties.  A connected party in respect of a legal entity, other than a partnership, means a director or any natural person having executive authority; in case of a partnership, it means a partner or manager; and in case of a legal arrangement any natural person having executive authority in the legal arrangement. It must be noted that the emphasis on risk assessment and CDD for connected parties is pervasive all through the various sections of the guidelines. 

What does it mean to you as a customer?

Companies or persons engaging CSPs must ensure that beneficial owners details are accurate and also ensure to disclose details of the connected parties. Withholding information could result in termination or denial of service by the CSP. 

Customer Due Diligence

The update urges that the CDD for existing clients must be carried on before performing any other transaction for them. The term ‘existing clients’ refers to the clients who were onboarded prior to the commencement of the enhanced regulatory framework for CSP, that is 15 May 2015. 

If CDD measures (including identification and verification), cannot be performed prior to the establishment of business relationship then the CDD must be completed within 14 calendar days. If the CDD measures could not be completed within 14 calendar days, then the business relationship must be terminated. 

It must be noted that the RFAs are already required to perform CDD of their customer on other appropriate times, besides the CDD performed at the time of their onboarding. Such CDD shall be performed on a risk sensitive basis by taking into account the previous CDD measures, the time of the last CDD and the adequacy of the information obtained. 

What does it mean to you as a customer?

The authorities are aware that such excessive documentation procedures may be an encumbrance to the entities that wish to quickly commence a business relationship with a CSP or to perform a specific and urgent transaction via a CSP. Hence, the 14-calendar days window period is provided. This provision of deferred CDD is beneficial to entities that are having time constraints and need to kick-start their operations immediately but such companies/entities must be cognisant of the fact that it is just an acceptance in-principle and if the verification could not be completed for whatsoever reason within the prescribed period the CSP would terminate the ties. 

Internal Policies, Procedures and Control (IPPC)

RFAs are required to have IPPC in place to ensure that their services and operations are in compliance with the AML and CTF regulations. For this purpose, Annex A of the updated guidelines specifies the essential elements of the IPPCs. The IPPC may be customised by the RFAs to reflect the context and customer profile of their business. 

The RFAs have the obligation to ensure that their employees possess substantial knowledge of the AML/CFT regulations and are aware of the current trends and methods of the nefarious elements conducting ML and TF. For this purpose, the RFAs were originally required to send their employees for training but there was no mention of the frequency at which such training must be provided. The updated guidelines indicate that the frequency at which such training must be provided in order to ensure that the employees remain updated with current and prevailing practices and regulations. Accordingly, employees should be trained on an annual basis. 

The guidelines direct the senior management of the RFA to be actively engaged in the approval process of its IPPC governing AML and CFT measures. 

The RFAs are required to have procedures in place to identify and report suspicious transactions of their customers. However, there was no timeframe provided for filing the Suspicious Transaction Report (STR) previously. Now, the updated guidelines direct the RFAs to file the STR within 15 business days from the date of deduction of such transaction. For this purpose, the RFA can refer to Annex B for indicators of suspicious transactions. 

What does it mean to you as a customer?

A CSP having a well-documented IPPC in place is reflective of its commitment to comply with the AML and CFT regulations. Engaging CSPs that have well-informed employees will not only improve your compliance but it would also promote transparency within your organisation and help you to control your exposure to suspicious transactions and risks of ML and TF. Withholding, falsifying or supressing information would have serious implications; therefore, it is critical to have open channels of communication with your CSP and promptly respond to queries from your RFAs. If your transactions have semblance of a suspicious transaction, it would be prudent to share the rationale with your CSP along with adequate material evidence.