AML Policy test

1.0 Overview
It is a legal requirement to comply with the anti-money laundering laws in force in Mauritius and the various guidelines and regulations related thereto issued by the FSC, FIU and the Government of Mauritius such as the FIAMLA 2002 and FIAMLA regulations. This Manual for Compliance and Anti-Money Laundering is for the understanding, and it documents the procedures required to be adhered to by all staff and officers of the Company to combat laundering of criminal proceeds, the financing of terrorism and financing of proliferation of weapons of mass destruction.

Staff members and officers should understand the procedures set out herein and the Company’s policies with regards to sound Customer Due Diligence (‘CDD’) measures and checks. This Manual should be read together with the AML Handbook which is very detailed and helpful. Several texts of the AML Handbook have been repeated in this Manual. The AML Handbook is designed to help financial institutions like the Company to adopt a more effective, risk-based and outcome-focused approach. The AML Handbook does not cover an exhaustive list of ML & TF risks that a financial institution can face but there are examples of such risks. The FSC will consider the AML Handbook when assessing the level of compliance with the ML & TF laws and regulations.

The AML Handbook requires the board and senior management of a financial institution have a responsibility to ensure that a financial institution’s systems and controls are appropriately designed and implemented and are effectively operated to reduce risk of the business being used in connection with ML & TF.

The board and senior management of a financial institution must have documented systems and controls which:
a) undertake risk assessments of its business and its customers;
b) determine the true identity of customers and any beneficial owners and controllers;
c) determine the nature of the business that the customer expects to conduct and the commercial rationale for the business relationship;
d) require identification information to be accurate and relevant;
e) require business relationships and transactions to be effectively monitored on an ongoing basis with particular attention to transactions which are complex, both large and unusual, or an unusual pattern of transactions which have no apparent economic or lawful purpose;
f) compare expected activity of a customer against actual activity;
g) apply increased vigilance to transactions and relationships posing higher risks of ML & TF;
h) ensure adequate resources are given to the Compliance Officer to enable standards within this Handbook to be adequately implemented and periodically monitored and tested;
i) ensure procedures are established and maintained which allow the Money Laundering Reporting Officer (‘MLRO’) and the Deputy MLRO to have access to all relevant information, which may be of assistance to them in considering suspicious transaction reports (“STRs”).

The Company shall adopt a robust approach and shall not refrain from asking customers noncustomary questions in circumstances of unusual activity. Any reluctance or failure by the customer to provide credible and verifiable answers should lead the Company to investigate the reason for this reluctance, establish any case for suspicion and follow up with appropriate action.

A hierarchical approach within a business may hinder an effective system of AML/CFT control, which the Company needs to recognize and address. The human element is particularly important since policies and procedures only work if they are understood, followed and enforced by those required to comply with them. The hierarchical relationships between employees within the Company and with its customers can face the following damaging barriers:

a) senior management being unwilling to lead on the concept of the need for sound corporate ethics;
b) junior employees assuming that their concerns or suspicions are not significant;
c) employees being unwilling to subject high value (therefore important) customers to effective CDD checks;
d) management or customer relationship managers outside Mauritius pressurizing employees in Mauritius to transact without obtaining all relevant CDD and business relationship information;
e) employees being unable to understand the commercial rationale for customer relationships and the use of certain products / services, so that potentially suspicious activity is not identified;
f) lack of time and/or resources to address concerns generating a tendency for line managers to discourage employees from raising concerns; and
g) conflict between the desire on the part of employees to provide a confidential and efficient customer service and the requirement for employee vigilance in respect of prevention and detection of ML/TF.

The FATF Recommendations provide for AML/CFT requirements, allowing a business to adopt a risk-based approach towards the prevention and detection of ML and TF.

It is very important to note that FIAMLA, FIAML Regulations 2018 do not prohibit or prevent any type of business, customers or systems from operating, unless they are involved in ML/TF. The legislation only requires that the risks posed by customers, products and systems are identified, mitigated and the mitigating factors/controls documented and reviewed periodically.

The application of a risk-based approach provides a strategy for managing potential risks by enabling financial institutions to subject customers to proportionate controls and oversight. Financial institutions should avoid the “tick box” approach at all times, and always have to determine their risks themselves, based on their respective circumstances.

To demonstrate that a financial institution acted reasonably, an assessment of risk should always be documented, reasonably and objectively justifiable and sufficiently robust. Finally, while a risk-based approach grants a wide degree of discretion, parameters set by law or regulation may limit that discretion.

The purpose of this document is to:

Outline the company’s framework and strategic position in respect of the prevention of Money Laundering and Counter Terrorist Financing within all of its remote operations.
Identify the measures and procedures, which have been implemented and embedded within the Company’s operations.
Detail and describe the Company’s procedures on a risk-based approach in order to ensure compliance.
Outline and set out the processes, measures and audit methods in use in order to ensure that the Company’s AML policy is known and adhered to by all employees.
Outline the duties of the Compliance Officer and the MLRO.

1.1 What is risk
Risk can be seen as a function of three factors and ideally, a risk assessment involves making judgments about all three of these elements:

THREAT – person or group of people, an object or an activity with the potential to cause harm. The threats may vary across customers, countries, geographic areas, products/services and delivery channels.
VULNERABILITY – that which can be exploited by the threat or that may support or facilitate its activities, such as size and volume of the business and client base profile.
CONSEQUENCE – the impact or harm that ML or TF may cause, such as the impact on reputation and imposition of regulatory sanctions.

1.2 What is mitigation
Once the risks have been identified, financial institutions must then take appropriate steps to mitigate any risks that have been identified. This will involve determining the necessary controls or procedures that need to be in place in relation to a particular part of the business in order to reduce the risk identified. The documented risk assessments that are required to be undertaken by Section 17 of the FIAMLA will assist the business to develop a risk-based approach.

Systems and controls may not always prevent and detect all ML/TF. A risk-based approach will, however, serve to balance the cost burden placed on financial institutions and their customers, with a realistic assessment of the threat of a business being used in connection with ML/TF. It focuses effort where it is needed and has most impact.

1.3 Assessing Compliance with a Risk Based Approach
Financial institutions should avoid internal systems of control that encourages the ‘tick box’ approach rather than involving a thorough process, which counter-productive. Internal systems should require employees to think about the risks posed by individual customers and relationships and to mitigate appropriately and document their thought process. The FSC must be able to see clear, documented rationale of how risks have been assessed then how these risks have been mitigated or controlled.

In accordance with Regulation 31 of the FIAML Regulations 2018, any risk assessment systems used by the financial institution should be reviewed regularly to ensure an effective system is in place and swift action should be taken to remedy any identified deficiencies.

The Company recognizes that failure to comply with anti-money laundering laws, on its part or any individual employed by them, may result in sanctions being leveled against them and that these sanctions include regulatory action, prosecution, loss of license or fines and could affect the ability of the Company to operate in the future. There are also actions under the Administrative Penalties

Regulatory Framework which may also apply.

All the procedures below in this manual and those set out in the AML Handbook should be

adhered to. Failure to do is a breach of your duty towards the Company and the regulatory

authorities.

In order to ensure that the Company and its employees are not in breach of Anti Money Laundering legislations, the company will:

Maintain the role of an appointed Money Laundering Reporting Officer (‘MLRO’).
Deliver staff training at all levels that includes identification of suspicious transactions, activity or incidents and the correct reporting process.
Include in staff training the fact that a customer should not in any way be informed that they are either suspected or the subject of a report.
Operate an audit process that measures compliance with anti-money laundering procedures and identifies points of difficulty or uncertainty.
Risk assesses the business and ensures that an appropriate level of examination is provided to higher risk business.
Maintain reports, records of anti-money laundering activities for inspection by the regulators.
Provide a source of communication for all enquiries or questions and a reporting process that directs information to the MLRO.
Make Suspicious Transaction Reports in accordance with Anti Money Laundering legislation applicable.
Consider any action by an employee that is in breach of company instruction or policy in relation to anti-money laundering as an action, which may lead to disciplinary action and summary dismissal.
Comply with such other ML & TF requirements.

It is the responsibility of every member of staff to report any suspicions regarding potential money laundering by contacting the MLRO directly.

2.0 Corporate Governance in Financial Crime
2.1 Introduction
Good corporate governance should provide proper incentives for the board and senior management to pursue

objectives that are in the interest of the firm and its shareholders and should facilitate effective monitoring of the firm for compliance with its AML and CFT obligations.

The presence of an effective corporate governance system, within an individual company and across an economy as a whole, is key to building an environment of trust, transparency and accountability.

2.2 Board Responsibility for Compliance
The Board of the Company is responsible for managing the institution effectively and is in the best position to understand and evaluate all potential risks to the financial institution, including those of ML and TF. The Board must therefore take ownership of, and responsibility for, the business risk assessments and ensure that they remain up to date and relevant.

On the basis of its business risk assessment, the Board must establish a formal strategy to counter money laundering and financing of terrorism. Where a financial institution forms part of a group operating outside Mauritius, that strategy may protect both its global reputation and its Mauritius business. The Board must document its systems and controls (including policies and procedures) and clearly apportion responsibilities for countering money laundering and financing of terrorism, and, in particular, responsibilities of the Compliance Officer and MLRO.

The financial institution shall establish and maintain an effective policy, for which responsibility shall be taken by the Board, and such policy shall include provision as to the extent and frequency of compliance reviews. The Board should take a risk-based approach when defining its compliance review policy and ensure that those areas deemed to pose the greatest risk to the firm are reviewed more frequently.

The Board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the financial institution occur. Where, as a result of its review, changes to the compliance arrangements or review policy are required, the Board must ensure that the financial institution makes those changes in a timely manner.

As part of its compliance arrangements, the financial institution is responsible for appointing a Compliance Officer (‘CO’) who is responsible for the implementation and ongoing compliance of the financial institution with internal programmers, controls and procedures in accordance with the requirements of the FIAMLA and FIAML Regulations 2018.

In addition to appointing a CO, an independent audit function to test the ML and TF policies, procedures and controls of the financial institution shall be maintained, pursuant to Regulation 22(1)(d) of the FIAML Regulations 2018.

The Board must ensure that the compliance review policy takes into account the size, nature and complexity of the business of the financial institution, including the risks identified in the business risk assessments. The policy must include a requirement for sample testing of the effectiveness and adequacy of the financial institution’s policies, procedures and controls.

The Board must document its systems and controls (including policies and procedures) and clearly apportion responsibilities for ML and TF, and, in particular, responsibilities of the MLRO and Compliance Officer.

2.3 List of Officers

Money Laundering Reporting Officer (‘MLRO’):	Mrs. Ameera Goollam Kader
Deputy MLRO:	Mrs. Anju Rampersand
Compliance Officer:	Mrs. Priyabye Busgeeth

2.4 Money Laundering Reporting Officer
The Company has appointed a MLRO in accordance with Regulations 26 (1) of FIAML Regulations 2018 being a natural person approved under section 24 of the FSA. It is required the MLRO be someone who is senior in the organization of the reporting person or have sufficient experience, knowledge and authority as required by Competency Standards issued by FSC in 2014. He or She should be someone who has a right of access to the board of directors of the company and having sufficient time and resources to effectively discharge its functions.

All internal disclosures need to be made to the MLRO who considers the report to decide whether external disclosure is required. All matters involving ML & TF will be referred to the MLRO for consideration and investigation.

The Company has a clearly laid down structure for reporting any suspicions regarding AML/CTF. It is the MLRO’s responsibility to consider, investigate and report such matters in a timely and prescribed method.

The company must ensure that the MLRO/DMLRO:
a) is the main point of contact with the FIU in the handling of disclosures;
b) has unrestricted access to the CDD information of the financial institution’s customers, including the beneficial owners thereof;
c) has sufficient resources to perform his or her duties;
d) is available on a day-to-day basis;
e) reports directly to, and has regular contact with, the Board or equivalent of the financial institution; and
f) is fully aware of both his or her personal obligations and those of the financial institution under FIAMLA and FIAML Regulations 2018 and the Handbook.

Where the same person acts as MLRO on multiple financial institutions, he/ she should ensure that in accordance with FIAML Regulations 2018, he/ she has sufficient time and resources to effectively discharge his/ her functions. The FSC may require financial institutions to demonstrate the allocation of time and resources by the MLRO at onsite/ offsite reviews and failure to effectively and satisfactorily show the above may indicate non-compliance to Regulation 26(4) (b) of FIAML Regulations 2018.

According to Regulation 26(4) of the FIAML Regulations 2018, the Money Laundering Reporting Officer and the Deputy Money Laundering Officer must be:
a) be sufficiently senior in the organization of the financial institution or have sufficient experience and authority; and
b) have a right of direct access to the board of directors of the financial institution and have sufficient time and resources to effectively discharge his functions.

The MLRO also produces a monthly (if required) and annual report, together with reports commissioned by senior management to ensure they are informed of matters, issues and risks that may be suspected or identified concerning ML & TF.

As a financial institution, the Company is also required to appoint a DMLRO in order to exercise the functions of the MLRO in his or her absence. The DMLRO should be similar status and experience as the MLRO and has same responsibilities in absence of the MLRO.

The MLRO/ DMLRO is the person who is nominated to ultimately receive internal disclosures and who

considers any report to determine whether an external disclosure is required.

The DMLRO should be of similar status and experience to the MLRO.

Reference to the MLRO implies the DMLRO in the MLRO’s absence.

Role and Responsibilities of the MLRO/DMLRO

The responsibilities of the MLRO will normally include, as stated in the FIAML Regulations 2018:

a) undertaking a review of all internal disclosures in the light of all available relevant information and determining whether or not such internal disclosures have substance and require an external disclosure to be made to the FIU;
b) maintaining all related records;
c) giving guidance on how to avoid tipping off the customer if any disclosure is made;
d) liaising with the FIU and if required the FSC and participating in any other third party enquiries in relation to money laundering or terrorist financing prevention, detection, investigation or compliance; and
e) providing reports and other information to senior management.

2.5 Compliance Officer
The Company has appointed a Compliance Officer who is of senior management level and approved under section 24 of the FSA with appropriate qualification, knowledge, skill and experience. All compliance matters will be handled by the Compliance Officer.

Role and Responsibilities of the Compliance Officer

continued compliance with the requirements of the Handbook, FIAMLA 2002, as amended, FIAMLA Regulations and such other laws and regulations (as may be applicable), subject to the ongoing oversight of the board of the Company.
undertaking day-to-day oversight of the program for combating money laundering and terrorism financing.
regular reporting, including reporting of non-compliance, to the board.
contributing to designing, implementing and maintaining internal compliance manuals, policies, procedures and systems for combating money laundering and terrorism financing.

The Board must ensure that the Compliance Officer has:
a) has timely and unrestricted access to the records of the financial institution.
b) has sufficient resources to perform his or her duties;
c) has the full co-operation of the financial institution’s staff;
d) is fully aware of his or her obligations and those of the financial institution; and
e) reports directly to, and has regular contact with, the Board so as to enable the Board to
f) satisfy itself that all statutory obligations and provisions in FIAMLA and FIAML Regulations 2018 and the Handbook are being met and that the financial institution is taking sufficiently robust measures to protect itself against the potential risk of being used for ML and TF.

The MLRO, the Deputy MLRO and the Compliance Officer are fit and proper, in that, they are persons of:

honesty, integrity, diligence, fairness, reputation and good character;
competence and capability; and
financial soundness.

2.6. Meaning of Terms

AML	Anti – Money Laundering
AML/CFT	Anti – Money Laundering and Countering of Terrorism Financing
CDD	Customer Due Diligence
CFT	Countering Financing of Terrorism
CO	Compliance Officer
Company	Sky Links Capital Limited
DMLRO	Deputy Money Laundering Reporting Officer
EDD	Enhanced Due Diligence
FATF	Financial Action Task Force
FSA	Financial Services Act 2007, as amended
FSC	Financial Services Commission
FIAMLA	The Financial Intelligence and Anti – Money Laundering Act 2002, as amended
FIAML Regulations 2018	The Financial Intelligence and Anti – Money Laundering Regulations 2018
FIU	Financial Intelligence Unit
FSC	Financial Services Commission
Handbook	the Anti Money Laundering and Combatting the Financing of Terrorism Handbook 2020 issued by the FSC
ML	Money Laundering
MLRO	Money Laundering Reporting Officer
NCCT	Non-Cooperative Country/Territory
NRA	National Risk Assessment
STR	Suspicious Transaction Report
TF	Terrorism Financing

2.7 Money Laundering & Terrorist Financing Definitions & Procedures

2.7.1 Money Laundering (ML)
Money laundering is defined in Part II of FIAMLA 2002 ‘as any process that conceals the origin or derivation of the proceeds of crime so that the proceeds appear to be derived from legitimate source.’

Criminals attempt to conceal the nature, location and ownership of these proceeds. It should be noted that it is not only associated with organized crime and drug trafficking but also occurs when a person deals with another person’s direct or indirect benefit from criminal activities.

Money laundering can in summary be defined to be a three-stage process, as follows:
a)Placement Stage – the stage where illegal money or property is introduced into the financial system;
b)Layering Stage – the stage where property undergoes a series of transactions, concealing its origin and making it appear to be legitimate; and
c)Integration Stage -the stage where laundered money enters within the legitimate economy.

Stages (b) and (c) above in the money laundering process are where the Company will be most vulnerable.

In general terms, ML is the process by which criminals attempt to conceal the true origin and ownership of the proceeds of criminal activities. If successful, the criminal property can lose its criminal identity and appear legitimate, meaning that criminals can benefit from their crimes without the fear of being caught by tracing their money or assets back to a crime.

Illegal arms sales, smuggling, and the activities of organized crime, including for example, drug trafficking and prostitution, can generate huge profits. Embezzlement, insider trading, bribery and computer fraud schemes can also produce large profits and create the incentive to “legitimize” the ill-gotten gains through ML. When a criminal activity generates substantial profits, the individual or group involved must find a way to control the funds without attracting attention to the underlying activity or the persons involved. Criminals do this by disguising the sources, changing the form, or moving the funds or assets to a place where they are less likely to attract attention and disguising ownership and control.

Traditional money laundering model:

ML will often involve a complex series of transactions, traditionally represented in three separate phases of Placement, Layering and Integration described above.

Our services can be misused in these stages and therefore the Company’s vulnerability should be fully appreciated and understood.

2.7.2 Terrorist Financing (‘TF’)
In general terms, TF is the financial support, in any form, of terrorism or those who encourage, plan or engage in terrorism. TF differs from ML in that the source of funds can either be legitimate, such as an individual’s salary, or illegitimate, like the proceeds of crimes such as selling pirate DVDs, fraud or drug trafficking.

Usually, the focus of scrutiny for potential terrorist financing activity will be the end beneficiary and intended use of the money or assets. A terrorist financier may only need to disguise the origin of the property if it was generated from criminal activity but in the vast majority of cases, they will seek to disguise the intended use i.e. providing support to terrorists or supporting acts of terrorism.

Traditional terrorist financing model:
Terrorist financing often involves a complex series of transactions, generally considered as representing three separate phases and this could be sourced through various means for example through seeking donations, carrying out criminal acts and from genuine charities, as illustrated below:

a) Collection
Funds are often acquired through seeking donations, carrying out criminal acts or diverting funds from genuine charities.

b) Transmission
Where funds are pooled and transferred to a terrorist or terrorist group

c) Where the funds are used to finance terrorist acts, training, propaganda etc.

The definitions of money laundering and terrorist financing have differences and similarities as well.
To start with, the differences are:
i) Terrorist financing is an activity in support of future illegal acts, whereas money laundering generally occurs after the commission of illegal acts; and
ii) Legitimate property is often used to support terrorism and the origin of laundered money is illegitimate.

Similarities include:
i) Terrorist groups are often involved in other forms of criminal activities which may in turn fund their terrorist activities;
ii) Both money launderers and terrorist financiers require the assistance of the financial sector to further their aims and acts.

2.8 The consequences of ML and TF
Increased abuse of the financial system by criminal actors leads to increased criminal activity and less safety for everyone in the country and around the world. ML/TF can have serious negative consequences for the economy, national security and society in general. Some of these consequences may include:
a) (reputational damage from being perceived as being a haven for money launderers and terrorist financiers, leading to legitimate business taking their business elsewhere;

b) attracting criminals including terrorists and their financiers to move to or establish new business relationships within the jurisdiction;

c) damaging the legitimate private sector who may be unable to compete against front companies;

d) weakening of financial institutions which may come to rely on the proceeds of crime for managing their assets, liabilities and operations, plus additional costs of investigations, seizures, fines, lawsuits etc.;
e) economic distortion and instability; or
f) increased social costs to deal with additional criminality such as policing costs or hospital costs for treating drug addicts.

2.9 Financing of proliferation of weapons of mass destruction
Proliferation of weapons of mass destruction (“WMDs”) can be in many forms, but ultimately involves the transfer or export of technology, goods, software, services or expertise that can be used in programmers involving nuclear, biological or chemical weapons, and their delivery systems (such as long range missiles).

Proliferation of WMD financing is an important element and, as with international criminal networks, proliferation support networks may use the international financial system to carry out transactions and business deals. Unscrupulous persons may also take advantage of the potential profits to be made by facilitating the movements of sensitive materials, goods, technology and expertise, providing seemingly legitimate front organizations or acting as representatives or middlemen.

Please refer to the FIAMLA AND FIAML regulations and the Handbook regarding offences relating to ML & TF.

3.0 Risk-Based Approach and Assessment
3.1 Risk-Based Approach
A risk-based approach towards the prevention and detection of ML and TF aims to support the

development of preventative and mitigating measures that are commensurate with the ML and TF risks identified by the financial institution. This approach also aims to deal with those risks in the most cost-effective and proportionate way.

Section 17 of the FIAMLA provides for a duty for the financial institution to identify, and understand its money laundering and terrorism financing risks. Furthermore, section 17 (A) of the FIAMLA requires a financial institution to establish policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorism financing identified in any risk assessment undertaken by the financial institution. In this respect the financial institution should:

(a) understand its ML and TF risks; and
(b) have in place effective policies, procedures and controls to:
(i) identify;
(ii) assess,
(iii) understand,
(iv) mitigate,
(v) manage, and
(vi) review and monitor, those risks in a way that is consistent with the requirements of section 17 of the FIAMLA and the requirements of the Handbook.

A risk-based approach starts with the identification and assessment of the risk that has to be managed. A risk-based approach requires the financial institution to assess the risks of how it might be involved in ML and TF, taking into account its customers (and the beneficial owners of customers), countries and geographic areas, the products, services and transactions it offers or undertakes, and the delivery channels by which it provides those products, services and/or transactions.

In determining how the risk-based approach should be implemented, the financial institution should analyze and seek to understand how the identified ML and TF risks affect its business. This determination should take into account a range of information, including (amongst others) the type and extent of the risks that the financial institution is willing to accept in order to achieve its strategic objectives (its “risk appetite”), its AML and CFT experience and the public version of the Mauritius NRA Report which can be found at the following link: http://www.fiumauritius.org/English//DOCUMENTS/NRA%20FINAL%20REPORT.PDF

Through the business risk assessments and determination of a risk appetite, the financial institution an

establish the basis for a risk-sensitive approach to managing and mitigating ML and TF risks. It should be noted, however, that a risk-based approach does not exempt the financial institution from the requirement to apply enhanced measures where it has identified higher risk factors.

A risk-based approach prescribes the following procedural steps to manage the ML and TF risks faced by the financial institution:
a) identifying the specific threats posed to the firm by ML and TF and those areas of the firm’s business with the greatest vulnerability;
b) assessing the likelihood of those threats occurring and the potential impact of them on the financial institution;
c) mitigating the likelihood of occurrence of identified threats and the potential damage to be caused, primarily through the application of appropriate and effective policies, procedures and controls;
d) managing the residual risks arising from the threats and vulnerabilities that the financial institution has been unable to mitigate; and
e) reviewing and monitoring those risks to identify whether there have been any changes the threats posed to the financial institution which necessitate changes to its policies, procedures and controls.

In applying a risk-based approach and taking the steps detailed above, it is crucial that, regardless of the specific considerations and actions of the financial institution, clear documentation is prepared and retained to ensure that the board and senior management can demonstrate their compliance with the requirements of Section 17 of the FIAMLA.

By adopting a risk-based approach the financial institution should ensure that measures to prevent or mitigate ML and TF are commensurate risks identified. In this respect, the business risk assessments will also serve to enable the financial institution to make decisions on how to allocate its resources in the most efficient and effective way and to determine its appetite and tolerance for risk.

No system of checks will detect and prevent all ML and TF risks. A risk-based approach will, however, serve to balance the cost burden placed upon the financial institution and its customers with a realistic assessment of the threat of the financial institution being used in connection with ML and/or TF. It focuses the effort where it is needed and has most impact.

3.2 Identification and Mitigation of Risks
Regulation 31 of the FIAML Regulations 2018 requires that the financial institution should establish and maintain appropriate procedures for monitoring and testing compliance with the Anti-Money

Laundering or Combatting the Financing of Terrorism requirements; while ensuring it has robust and documented arrangements for managing the risks identified by the business risk assessment conducted, in accordance with Section 17 of the FIAMLA.

The financial institution’s policies, procedures and controls must take into account the nature and complexity of its operations, together with the risks identified in its business risk assessments and must be sufficiently detailed to demonstrate how the conclusion of each risk assessment with respect to relationships with customers has been reached.

3.3 Business Risks
Risk can be seen as a function of three factors and a risk assessment involves making judgements about all three of the following elements:
(a) threat – a person or group of persons, an object or an activity with the potential to cause harm;
(b) vulnerability – an opportunity that can be exploited by the threat or that may support or facilitate its activities; and
(c) consequence – the impact or harm that ML and TF may cause.

Having identified where it is vulnerable and the threats that it faces, the financial institution should take appropriate steps to mitigate the opportunity for those risks to materialize. The threats specific to the business can be identified by going through typology reports, notices published by the FSC, the FIU or other regulatory bodies, media articles, and other information that may be available internally at the financial institution. This will involve determining the necessary controls or procedures that need to be in place in order to reduce the risks identified.

The documented risk assessments that are required to be undertaken by Section 17 of the FIAMLA, will assist the financial institution in developing its risk-based approach.
Retaining documentation on the results of the financial institution’s risk assessment framework will assist the Company to demonstrate how it:
(a) identifies and assesses the risks of being used for ML and TF;
(b) adopts and implements appropriate and effective policies, procedures and controls to
(c) manage and mitigate ML and TF risk;
(d) monitors and improves the effectiveness of its policies, procedures and controls; and
(e) ensures accountability.

3.4 Accumulation of Risks
In addition to the individual consideration of each risk factor, the financial institution must also consider all such factors holistically, to establish whether their concurrent or cumulative effect might increase or decrease the financial institution’s overall risk exposure and the dynamic that this could have on the controls implemented by the financial institution to mitigate risk.

Such an approach is relevant not only to the financial institution in its consideration of the risks posed to its business as part of undertaking its business risk assessments, but also in the consideration of the risk that individual business relationships or occasional transactions pose.

There are also other operational factors which may increase the overall level of risk and should therefore be considered in conjunction with the financial institution’s ML and TF risks. An example of such factor could be the use of on-line or web-based services and cyber-crime risks which may be associated with those service offerings.

3.5 Weightage of Risk Factors
In considering the risk of a business relationship or occasional transaction holistically, the Company may decide to weigh risk factors differently depending on their relative importance. When weighting risk factors, the financial institution should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction.

This will likely result in the Company allocating varying ‘scores’ to different factors; for example, the firm may decide that a customer’s personal links to a country, territory or geographic area associated with higher ML and/or TF risk is less relevant in light of the features of the product they seek.

Ultimately, the weight given to each risk factor is likely to vary from product to product and customer to customer (or category of customer). When weighting risk factors, the financial institution should ensure that:

a) weighting is not unduly influenced by just one factor;
b) economic or profit considerations do not influence the risk rating;
c) weighting does not lead to a situation where it is impossible for any business relationship or occasional transaction to be classified as a high risk relationship;
d) the provisions of Regulation 12(1) of FIAML Regulations setting out the situations which will present high risk (for example, the involvement of PEPs or in event of suspicious activity) cannot be over-ruled by the financial institution’s weighting; and

e) it is able to override any automatically generated risk scores where necessary. The rationale for the decision to override such scores should be documented appropriately.

We have allocated scores based on various factors, given the assessment criteria and given a weighting factor to have a weighted average of the risk score. Please refer to Annex A for risk scoring model and template to be used.

Where the financial institution uses automated IT systems to allocate overall risk scores to business relationships or occasional transactions and does not develop these in house but purchases them from an external provider, it should understand how the system works and how it combines risk factors to achieve an overall risk score. The financial institution should be satisfied that the scores allocated reflect its understanding of ML and TF risk and it should be able to demonstrate this.

3.6 Business Risk Assessment
The financial institution must, under Section 17(1) of the FIAMLA identify, assess, understand and monitor that person’s money laundering and terrorism financing risks. A risk assessment involves making a judgment of several elements including threat, vulnerability and consequence.

It should be noted that the management, compliance and risk management should all work together on performing the Business Risk Assessment. Primarily, responsibility for the quality and execution of the risk analysis lies with the first line of defense. This is the business, as risks manifest themselves first there. The role of compliance is process monitoring, facilitating and testing. Other functions or departments such as audit can also provide the necessary input. The ultimate responsibility for the Business Risk Assessment lies with the board of directors.
It should also consider the extent of its exposure to risk by reference to a number of additional factors which are explained in Section 17 of the FIAMLA. The examples provided are not exhaustive and other factors may need to be considered depending on the nature of the business and its activities.

A key component of a risk-based approach involves the financial institution identifying areas where its products and services could be exposed to the risks of ML and TF and taking appropriate steps to ensure that any identified risks are managed and mitigated through the establishment of appropriate and effective policies, procedures and controls.

The business risk assessments are designed to assist the financial institution in making such an assessment and provide a method by which it can identify the extent to which its business and its products and services are exposed to ML and TF. Good quality business risk assessments are therefore vital for ensuring that its policies, procedures and controls are proportionate and targeted appropriately.

It must record and document its risk assessment in order to be able to demonstrate its basis. The assessment must be undertaken as soon as reasonably practicable after the financial institution commences business and regularly reviewed and amended to keep it up to date. It is expected that this risk assessment is reviewed at least annually and this review should be documented to evidence that an appropriate review has taken place.

Risk management requires a systematic approach; it is a cyclical process. This means that a financial institution is expected to perform the whole cycle of identification, analysis and testing of the effectiveness of controls at regular intervals. This is because risks are not static. Risks to financial institutions may change as a result of both internal and external factors. The financial institution’s activities may for instance be expanded or changed, specific trends may emerge in the financial and economic world, or laws and regulations may be amended.

Since the risks of ML/FT vary from business to business and are not static, it is the responsibility of the financial institution to identify the vulnerabilities and risks faced, maintain an up to date understanding of these risks, and develop and implement appropriate strategies to mitigate and

control those identified risks. This includes adjustment of such mitigation when needed. The appropriate strategy in order to manage and control those risks is to have an effective internal compliance culture under the board of directors’ ultimate responsibility.

Any risks that have been identified should be properly mitigated by policies, procedures and controls. The financial institution should also document the mitigating factors and controls put in place to provide an audit trail of how the assessed risks have been mitigated.

As per Section 17(2) (b) of the FIAMLA, all financial institutions shall take into account the findings of the NRA and any guidance issued in their business risk assessment.

The Company shall perform its Business Risk Assessment on a yearly basis. The template to be used can

be found at Annexure A.

Prior to a Business Risk Assessment being conducted by the Company on its own business, each of its clients is risk rated individually. The Company further performs its Business Risk Assessment based mainly on the below-mentioned six key areas per Section 17(2) of the FIAMLA:

(i) the nature, scale and complexity of the Company’s activities;
(ii) the products and services provided by the Company;
(iii) the persons to whom and the manner in which its products and services are provided;
(iv) the nature, scale, complexity and location of its customer’s activities;
(v) reliance on third parties for elements of the customer due diligence process; and (vi) technological developments.

Appropriate weightage should be given to each key area, and this is to be reviewed by the Company on an annual basis or whenever required. The Company will ensure that it has the appropriate mitigating controls in place to mitigate any risks to its business.

The above six key areas are further elaborated below for a better understanding:

3.6.1 The nature, scale and complexity of its activities

Consider the services provided by the Company and how those services might be abused for ML/TF.
Actively involve all members of senior management in determining the risks (threats and vulnerabilities) posed by ML/TF within those areas for which they have responsibility.
Consider any organizational factors that may increase exposure to the risk of ML/TF e.g., business volumes and outsourcing aspects of regulated activities or compliance functions.
Consider the nature, scale and complexity of its business including the diversity of its operations, the volume and size of its transactions, and the degree of risk associated with each area of its operation. Large volume and more complex transactions may pose higher risk of money laundering than less complex and voluminous transactions. However, this will also depend on the assessment of the area of operations and nature of business. As a whole, factors need to be considered together in order to have a more comprehensive assessment.
Consider the jurisdictions in which the business operates, any particular threats from those jurisdictions, any particular vulnerabilities within the organization in those jurisdictions. Regulation 24(1) of the FIAML Regulations 2018 states how high-risk countries should be identified.

Risk factors that the financial institution can consider when identifying the effectiveness of a countries or territory’s AML and CFT regime include:

(a) Has the country or territory been identified by a mutual evaluation as having strategic deficiencies in its AML and CFT regime? In accordance with Regulation 12(1)(c) of FIAML Regulations 2018, EDD measures shall be applied where a customer or an applicant for business is from a high risk third country.
(b) Is there information from more than one credible and reliable source about the quality of the countries or territory’s AML and CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight? Examples of possible sources include mutual evaluation reports by the FATF or FATF-style regional bodies (in particular Recommendations 10, 26 and 27 and Immediate Outcomes 3 and 4), the FATF’s list of high-risk and non-cooperative jurisdictions, International Monetary Fund (“IMF”) assessments and Financial Sector Assessment Programmer reports. The financial institution should note that membership of the FATF or a FATF-style regional body does not, of itself, mean that the countries or territory’s AML and CFT regime is adequate and effective.

Consider the scale on which the services are provided and linked to this, any vulnerabilities in the level of compliance resources available.
Consider whether the business model provides for complex structures and what risks this poses to the business.
Consider the findings of the NRA in relation to the business sector.

3.6.2 The products and services provided by the financial institution

Consider the vulnerabilities of the services or products offered by the financial institution and how they could be abused for ML/TF. Certain characteristics of the products and whether there are any increased vulnerabilities such as high volumes of cash, virtual currencies or untraceable/anonymous medium.
Whether payments to any unknown or un-associated third parties are allowed. Such payments would entail higher risks.
Whether the products/services/structure are of particular, or unusual complexity.

When identifying the risk associated with the way in which the customer obtains the products or services they require, the financial institution should consider the risk related to:
a) the extent to which the business relationship is conducted on a non-face-to-face basis; and
b) any introducers of business or other intermediaries the financial institution might use and the nature of their relationship with the financial institution.

3.6.3 The persons to whom and the manner in which its products and services are provided

Consider the threats posed by the types of customers. Some examples include politically exposed persons (“PEPs”), high net worth individuals, those from or operating in a higher risk jurisdiction; and non-face-to-face business.
The type of product should be considered, the higher risk products or services are more likely to be those with high values and volumes; where unlimited third-party funds can be freely received and those where funds can regularly be paid to third parties without CDD on the third parties being obtained.
The speed with which products and services can be delivered or transactions undertaken.
Factors as above can be considered collectively such as the risk of provision of a service in a non- face-to-face manner to a PEP or risk imposed by a client dealing in securities in a high-risk jurisdiction. Proper assessment would be effective when a comprehensive list of factors that is most relevant is taken into consideration as touchstones.

3.6.4 The nature, scale, complexity and location of its customer’s activities

Whether the customer base has any involvement in those businesses which are likely to be most vulnerable to corruption, such as oil, construction or arms sales.
Consider jurisdictional factors such as high levels of organized crime, increased vulnerabilities to corruption and inadequate frameworks to prevent and detect ML/TF in countries where it may have customers.
The countries, territories and geographic areas with which customers (and the beneficial owners of customers) have a relevant connection.

Risk factors the financial institution can consider when identifying the level of TF risk associated with a country or territory include:
a) Is there information (for example, from law enforcement or credible and reliable open media sources) suggesting that a country or territory provides funding or support for terrorist activities or

that groups committing terrorist offences are known to be operating in the country or territory?
b) Is the country or territory subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation issued by, for example, the UN or the EU?

Risk factors that the financial institution can consider when identifying the risk associated with the level of predicate offences to ML in a country or territory include:
a) Is there information from credible and reliable public sources about the level of predicate offences to ML in the country or territory, for example, corruption, organized crime, tax crime and serious fraud? Examples include corruption perceptions indices; OECD country reports on the implementation of the OECD’s anti-bribery convention; and the UN Office on Drugs and Crime World Drug Report.
b) Is there information from more than one credible and reliable source about the capacity of the countries or territory’s investigative judicial system effectively to investigate and prosecute these offences?

The complexity of customer and beneficial ownership structures.
The complexity of legal persons and legal arrangements.
The number of customers and beneficial owners which are charities or non-profit organizations (“NPOs”) and their associated countries or geographic areas.

3.6.5 Reliance on third parties for elements of the customer due diligence process
Under Regulation 21 of the FIAML Regulations 2018, a financial institution may rely on a third party to introduce business or to perform the CDD measures. When reliance is placed on third parties, the following may be considered:

Consider how reliance on third parties is prompted and agreed on.
Consider who these third parties are, including any reputational issues, the quality of relationships with such third parties and previous experiences.
Consider the extent and type of any reliance placed or to be placed on third parties.
Consider the extent of the information being provided by the third party and who has actually met the customer face-to-face (chains of information).
Consider any jurisdictional issues in connection with reliance placed on third parties.
Consider the results of any testing undertaken on the third party’s procedures and the responses to any previous requests for documentation.
Consider the extent of any outsourcing undertaken.
Consider the quality of the provider for any outsourced functions including any reputational issues, previous experiences with the provider, results of any audits, assessments or inspections

where the material generated as a result of outsourcing has been reviewed.

The financial institution should also establish procedures to be satisfied that:
a) the third party applies CDD measures and keeps records to a standard equivalent to the FATF Recommendations;
b) the third party will provide, immediately upon request, relevant copies of identification data in accordance with Regulation 21(2)(b) of the FIAML Regulations 2018; and
c) the quality of the third party’s CDD measures is such that it can be relied upon.

3.6.6 Technological Developments
Under Section 17(3) of the FIAMLA and Regulation 19(1) of the FIAML Regulations 2018, all financial institutions should identify and assess the money laundering and terrorism financing risks that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.

The financial institution should assess the use of developing technologies for both new and pre- existing products such as:

digital information storage including cloud computing;
digital or electronic documentation storage;
electronic verification of documentation;
data and transaction screening systems; or
the use of virtual or digital currencies.

For completeness, the assessment should consider the operational risks, reputational risks and legal risks posed by the use of new technologies the context of ML/TF. Appropriate action should be taken to mitigate the risks that have been identified.

3.6.6.1 Operational risks
Operational risks arise from the potential loss that could be incurred due to significant deficiencies in system reliability or integrity. Operational risks will also increase in proportion to amount of reliance placed on outside service providers and external experts to implement, operate, and support portions of electronic systems.

Also, the rapid pace of technological change carries risk in itself. For example, staff may not fully understand the nature of new technology, resulting in operational problems with new or updated systems. Channels for distributing software updates could pose risks in that criminal or malicious individuals could intercept and modify the software.

It will have to be considered whether any of the factors above would have any impact in relation to the relevant person continuing to meet the AML/CFT requirements.

3.6.6.2 Reputational risks
Reputational risk may arise when systems or products do not work as expected and cause negative public reaction and when there are large AML/CFT failures as a result of unmitigated technology risks. In particular, if these affected systems were involved with the collection or maintenance of customer information, this may lead to serious reputational concerns. The event of this happening would have to be assessed by the financial institution and any risk should be mitigated. Testing of the systems is also recommended.

3.6.6.3 Legal risks
Legal risks arise from violations or non-compliance with legislation such as the FIAMLA and FIAML Regulations 2018. Financial institutions may also face increased difficulty in applying traditional crime prevention and detection methods because of the remote access by customers of the systems.

It is recognized that where financial institutions may be part of a larger group, the parent may introduce new products, systems or procedures without input from the Mauritius based branch. The financial institution should identify and mitigate any risks arising from the proposed system.
The above risk factors are a non-exhaustive list and it is for the financial institution to assess and decide what is appropriate and relevant in the circumstances of the business. In cases, where not all the risk elements have been considered when conducting the business risk assessment, the financial institution has to demonstrate how effective and robust its business risk assessment is in line with its inherent risks and vulnerabilities and the Commission will assess to what extent the business risk assessment conducted reflect residual risks faced by the financial institution.

3.7 Customer Risk Assessments
The customer risk assessment estimating the risk of ML/TF must be undertaken prior to the establishment of a business relationship or carrying out an occasional transaction, with or for, that customer. This risk assessment must be documented in order to be able to demonstrate its basis. The

customer risk assessment may have to take into account that not all CDD and relationship information might have been collected yet. It should be a living document that is revisited and reviewed, as and when more information about the customer and relationship is obtained. The customer risk assessment can be done on categories of clients (risk buckets), and it is not necessary to individually risk rate each client should the financial institution deem it appropriate.
The initial risk assessment of a particular customer will help determine:

the extent of identification information to be sought;
any additional information that needs to be requested;
how that information will be verified; and
the extent to which the relationship will be monitored on an ongoing basis.

Due care should be exercised under a risk-based approach. Being identified as carrying a higher risk of ML/TF does not automatically mean that a customer is a money launderer or is financing terrorism. Similarly, identifying a customer as carrying a lower risk of ML/TF does not mean that the customer presents no risk at all.

In order to complete a meaningful risk assessment, it is recommended that information should be gathered prior to the assessment, although this may not always be possible. Upon completion of the risk assessment any additional information, evidence or clarification should be sought in the event that circumstances remain unclear.

It should be noted that the FSC has no objection to a financial institution having higher risk customers, provided that they have been adequately risk assessed and any mitigating factors documented. If the customer is assessed as presenting a higher risk, EDD must be performed.
The basic risk assessment process shall be as follows:
a) Collect
b) Assess and Evaluate
c) Determine initial risk rating
d) Collect additional information and documentation
e) Assess and Evaluate
f) Confirm risk rating
g) Conduct on-going due diligence

When assessing the risks posed by a customer, the financial institution should consider all risk factors that are known and ensure that all of these factors are included into the customer’s risk profile, taking care that any mitigating factors are fully documented. All financial institutions must be able to objectively and reasonably justify a risk assessment classification and document those justifications. The financial institution should also ensure that its internal sign off procedure in relation to customer risk assessments is appropriate.

It is highly advised to avoid a tick box approach when assessing risks and consider each customer on a case-by-case basis or in group risk- rated buckets based on their profiles, looking at any risks they pose along with any mitigating factors.

The Company must identify and assess its potential exposure to inherent ML, TF and sanctions risks introduced as a result of entering into a business relationship with a customer. The Company assesses business relationship risks through a Client Risk Assessment.

The Company will take a number of factors into consideration including but not limited to the following:

Nature and type of Customer;
Geographical location of the customer;
Customer’s source of wealth
Customer’s source of funds and destination of funds;
Customer’s Activity and transaction frequency;
Product type/Industry
Automatic risk adjustment to ‘High’ based on High-Risk Indicators such as: Incomplete CDD, Dealing with PEP, Dealing with Sanctioned countries, Unsupported bank transactions, World Check Hit or any adverse info from media or internet, Reliance on Third Parties (not meeting requirements of FIAMLA Regulations 2018), any suspicious activities reported to the MLRO.

(The above list is non exhaustive)
The template of the Client Risk Assessment and its methodologies used by the Company can be accessed at Annexure B hereto which has the details of risk factors, the scores, assessment criteria and the weighting factor.

Risk profiling is applicable to:

New Customers (at on-boarding stage); and
Existing Customers.

The FSC handbook provides guidance that frequency of the reviews, customer risk assessments should be reviewed:

at least annually for higher risk customers or whenever a transaction with a high-risk country or high-risk customer occurs;
at least every 3 years for standard risk customers subject to sector specific guidance; and
at the point of a material change in the customer’s circumstances, for example establishing connections with a higher risk jurisdiction or engaging in a higher risk business.

However, the Company, as part of its internal policy undertakes a review of all its clients on annual basis, usually, every year around end of January or beginning of February. This exercise shall be properly documented.

The Company is also required to review its customer risk profiling methodology to ensure the customer risk categories remain relevant and reflective of the real risk that the Company is exposed to as a result of its customer relationships.

The steps involved in performing the Customer Risk Assessment is based on CDD and the various factors listed above, and a weightage is assigned to each factor. Some factors are given a higher weightage due to the risk that such factor carries. For example, a client being a PEP will be considered as high risk and the weightage assigned to a PEP would normally be higher.

The various risk factors are elaborated in section 3.8 below.

3.8 Risk Factors
The various risk factors included within the below sections are purely for guidance and are provided as examples of factors that the Company might consider when undertaking a risk assessment of the relationship they have with their customers. The following factors are not exhaustive. It is for any financial institution to assess and decide what is appropriate in the circumstances of the business relationship and set the parameters. It is not expected that all factors will be considered in all cases.

If it is determined, through a relationship risk assessment, that there are types of customers, activity, business or profession that are at risk of abuse from ML and/or TF, then the Financial Institution should apply higher AML and CFT requirements as dictated by the relevant risk factor(s).

3.8.1 Customer Risk Factors
When identifying the risk associated with its customers, including the beneficial owners of customers, the financial institution can consider the risk related to:
a) the customer’s (and beneficial owner’s) business or professional activity;
b) the customer’s (and beneficial owner’s) reputation; and
c) the customer’s (and beneficial owner’s) nature and behavior.

3.8.2 Countries and Territories Risk Factors
When identifying the risk associated with countries and territories, the financial institution can consider the risk related to those countries and territories with which the customer or beneficial owner has a relevant connection.

The Financial Institution should note that the nature and purpose of the business relationship will often determine the relative importance of individual country and geographical risk factors.

3.8.3 Products, Services and Transactions Risk Factors
When identifying the risk associated with products, services or transactions, the Financial Institution can consider the risk related to:
a) the level of transparency, or opaqueness, the product, service or transaction affords;
b) the complexity of the product, service or transaction; and
c) the value or size of the product, service or transaction.

4.0 Customer Due Diligence Checks (‘CDD’)
4.1 Customer Due Diligence Procedures to be adopted
The Company needs to identify and verify the identity of customers for business which is essential for the prevention of money laundering and combatting the financing of terrorism. CDD is the means by which the Company achieves such knowledge and a key part of any internal AML/CFT system. This should be done by identifying and verifying the identities of applicants for business whether they are directors, shareholders, beneficial owners, settlors or contributors of capital, beneficiaries, protectors, enforcers, trustees, bank mandate and power of attorney holders, amongst others.

4.1.1 Identifying Customers
All financial institutions must identify their customers, and where applicable, their beneficial owners and then verify their identities, which is essential to the prevention of money laundering and combatting the financing of terrorism. CDD is the means by which financial institutions achieve such knowledge and is a key element of any internal AML/CFT system.

A minimum CDD requirements and framework must be established by which a financial institution should develop a risk-based approach prior to deciding the type and extent of CDD measures to apply to different types of customers, products and services.

Identification and verification refer to establishing and verifying a customer’s identity. Verification refers to the verification of elements of the identification information, by using independent reliable sources, which may include material obtained from the customer such as a passport to verify the customer’s name. It is essentially the concept of the financial institution satisfying itself that its customer is who they say they are.

The inadequacy or absence of satisfactory CDD measures can subject the financial institution to serious customer and counterparty risks, as well as reputational, operational, legal and regulatory risks, any of which can result in significant financial cost to its business.

Effective CDD measures are vital because they:
a) help to protect the financial institution and, more widely, the integrity of the financial system of the jurisdiction and globally, by reducing the likelihood of the financial institution’s business becoming a vehicle for, or a victim of, financial crime;
b) assist law enforcement agency, by providing it with relevant information ascertained via CDD in the event of a suspicious transaction report (‘STR’); and
c) constitute an essential part of sound risk management, for example by providing the basis for identifying, limiting and controlling the risk posed by particular customers or classes of customers.
Financial institutions must routinely consider the risks that all such relationships pose to them and the manner in which those risks can be limited. To do so, financial institutions must be able to demonstrate the effective use of documented CDD information. CDD information is also a vital tool for the MLRO and business employees when examining unusual or higher risk activity or transactions, in order to determine whether a STR will be appropriate.

CDD measures that should be undertaken by the financial institution under the relevant legislation include:
a) identifying and verifying the identity of each applicant for business;
b) identifying and verifying the identity of individuals connected to the account or transaction, such as the customer’s beneficial owner(s);
c) obtaining information on the purpose and intended nature of the business relationship (the inability for employees of the financial institution to understand the commercial rationale for business relationship may result in the failure to identity non-commercial and therefore potential money laundering and financing of terrorism activity);
d) conducting ongoing due diligence on the business relationship and scrutiny of transactions throughout the course of that relationship, to ensure that the transactions in which the customer is engaged are consistent with the financial institution’s knowledge of the customer and its business and risk profile (including the source of funds);
e) achieving each of the above measures by using reliable, independently sourced documents, data or information (this is intended through the use of commercial databases and public information); and ensuring that all material collected under the CDD process is kept relevant and up to date (for example undertaking reactive reviews in response to trigger events, and by undertaking regular planned reviews of existing records at intervals determined by risk rating, with higher risk customers warranting more frequent reviews).

If the financial institution forms a suspicion that one or more actual or proposed transactions relates to ML/TF, it should take into account the risk of tipping off when performing the CDD process. If the financial institution reasonably believes that performing the CDD process will tip off the customer or potential customer, it should stop the CDD process and will need to file a STR in such circumstances.

An applicant for business may be an individual acting on his own behalf or for others (for example, a trustee of an express trust), or a legal body or legal arrangements seeking to enter into or having entered into a business relationship or to conduct a one-off transaction, as principal or on behalf of a third party.

The financial institution is required to take reasonable measures at the time of establishing a business relationship to determine whether the applicant for business is acting on behalf of a third party. If the financial institution determines that the applicant is acting for a third party, then it must keep a record setting out:
a) the identity of the third party (and any beneficial owners or associated persons as required);
b) the proofs of identity required; and
c) the relationship between the third party and the applicant for business.

Where CDD measures are required to be undertaken, the financial institution must apply the CDD measures listed above in order to enable a customer profile to be prepared.
It is the Company’s policy to perform CDD, prior to the establishment of a business relationship with its clients.

4.1.2 Risk Profiling/Rating
In applying CDD measures, the financial institution will be expected to follow a risk-based approach while

meeting the standards set out in legislation. A risk-based approach to CDD is one that involves several steps in assessing the most effective and proportionate to manage the money laundering and financing terrorism risk faced by a financial institution.

In light of the information obtained, the financial institution must carry out and maintain a risk assessment of the applicant, taking into account all the relevant factors. It will allocate a risk rating based on the client profile, geography and other factors that the financial institution deemed necessary on a risk-based approach.

The risk assessment of a particular applicant will determine the extent of identification information (and other CDD information) that will be requested, how that information will be verified, and the extent to which the resulting relationship will be monitored.

Systems and controls will not detect and prevent all instances of ML and TF. A risk-based approach will, however, serve to balance the cost burden placed on the financial institution and on applicants and customers with the risk that the business may be used in money laundering or to finance terrorism by focusing resources on higher risk areas.

Care nevertheless has to be exercised under a risk-based approach. Being identified as carrying a higher risk of money laundering does not automatically mean that a customer is a money launderer or is financing terrorism and vice versa.

The extent of customer relationship information sought in respect of a particular applicant, or type of applicant, will depend upon the jurisdictions with which the applicant is connected, the characteristics of the product or service requested, how the product or service will be delivered, as well as factors

specific to the applicant and the associated risk ratings.

The financial institution must keep and maintain customer relationship information with respect to all its customers as detailed in the CDD measures listed above. This would also include scrutinizing the source of funds and the source of wealth.

4.1.3 Source of Funds

The source of funds normally refers to the origin of the particular funds or assets which are the subject of the business relationship between the financial institution and its client and the transactions the financial institution is required to undertake on the client’s behalf (e.g. the amounts being invested, deposited or remitted). The source of funds requirement refers to where the funds are coming from in order to fund the relationship or transaction. This does not refer to every payment going through the account; however, the financial institution must ensure it complies with the ongoing monitoring provisions.

The Company ensures and shall at all times ensure that as part of its ongoing transaction monitoring procedures and whenever there is a funding of a bank account, the source of funds is assessed. The Declaration of Source of Funds Form to be used is as per Annexure C.

Supporting documents are to be requested from the clients to establish the link between the origin of the funds and its destination. Some examples of supporting documents would be bank statements/ agreements. The staffs working on the file will have to work closely with his/her team leader/supervisor/ compliance manager to ensure that the source of funds is correctly assessed.

4.1.4 Source of Wealth
The source of wealth is distinct from source of funds and describes the origins of a customer’s financial standing or total net worth i.e., those activities which have generated a customer’s funds and property. Prior to onboarding a new client, the Company ensures that legitimacy of his/her source of wealth is checked and he/she is required to complete a Declaration of Source Wealth form. The client is usually required to provide information whether his/her source of wealth is derived from below list (non-exhaustive) and provide supporting documents:

Family / generational wealth and personal background
Investment activities
Income, revenue and business activities

The financial institution is required to hold sufficient information to establish the source of wealth and this information must be obtained for all higher risk customers (including higher risk domestic PEPs) and all foreign PEPs and all other relationships where the type of product or service being offered makes it appropriate to do so because of its risk profile.

The Company shall ensure that it assesses the source of wealth of its clients at onboarding stage and where necessary follow ups are done. The Declaration of Source of Wealth form to be used is as per Annexure D. This form is to be completed by each client and all information provided therein is cross checked against the client’s curriculum vitae and profile of the client. Supporting documents will further be asked from the client to confirm on the assertion made in the Declaration of Source of Wealth form. Some examples would be bank statements, minutes, statutory documents, accounts of companies, depending on the information listed in the form.

4.2 Identification and verification
The financial institution must, on the basis of the relevant CDD information collected, make an analysis of the information provided and make such appropriate verification using external database or source, and consider whether it is appropriate to collect further CDD information. CDD information comprises both identification and verification information and customer relationship information.

Regulation 3(1) of the FIAML Regulations 2018 imposes an obligation for a financial institution to identify his customer whether permanent or occasional and verify the identity of his customer. Financial institutions should note that failure to identify and verify customers is an offence under the FIAMLA.

The Financial Institution must have in place clear, documented procedures governing how they will:
a) identify and verify the identity of their applicants for business and existing customers on a risk based approach (including identifying and verifying the identity of any connected individuals such as beneficial owners and controllers of the applicant);
b) determine whether or not an applicant for business is acting or intending to act for a third party; and
c) where the financial institution is unable to determine whether the applicant is acting for a third party or not, make a STR pursuant to section 14 of the FIAMLA to the FIU.

These procedures must be brought to the knowledge of and be readily available to all relevant staff for the creation of an effective internal compliance culture and all staff will be aware of the reporting

chain and procedures to follow.

All relevant employees must receive ongoing training that is tailored to their role and responsibilities within the business.

4.2.1 Natural Persons
Regulation 4 of the FIAML Regulations 2018 lays down specific requirements for natural persons (applicants or beneficial owners/controllers of applicants). A financial institution must collect the identification data on a natural person, and verify that data, in accordance with the following:
a) The data to be collected applies to both standard and high-risk applicants for business.
b) The appropriate number of methods for verifying the data will vary depending on whether the customer is standard or high risk.

4.2.1.1 Identification and Verification data for natural persons

Data to be collected:

Permissible methods for verifying data:

1. Legal name (including any former names, aliases and any other names used).

2. Sex.

3. Date of birth.

4. Place of birth.

5. Nationality.

· current valid passport

· current valid national identity card

· current valid driving license (where the financial institution is satisfied that the driving licensing authority carries out a check on the holder’s identity before issuing the license)

In each case, the document must incorporate photographic evidence of identity.

Where the legal person with which the natural person is associated is low or standard risk, then the method of verification for each required piece of data will normally suffice and can be one of the above methods.

However, where the legal person is high risk, or where a high-risk rating would otherwise be

attached to the individual principal, then the methods of verification will depend on the

6. Current residential address. PO Box addresses are not acceptable.

7. Permanent residential address (if different to current residential address).

8. Any public position held and, where appropriate, nature of employment (including self-employment) and name of employer.

9. Government issued personal identification number or other government issued unique identifier.

riskiness of the relationship and more than

one method will be necessary

· any of the identity sources listed above;

· a recent utility bill issued to the individual by name;

· a recent bank or credit card statement; or

· a recent reference or letter of

introduction from (i) a financial institution that is regulated in Mauritius; (ii) a regulated financial services business which is operating in an equivalent jurisdiction or a jurisdiction that complies with the FATF standards; or (iii) a branch or subsidiary of a group headquartered in a well-regulated overseas country or territory which applies group standards to subsidiaries and branches worldwide, and tests the application of, and compliance with, such standards. ‘recent’ means within the last three months.

A letter or other written confirmation of

the individual’s status from the public body in question and or any enhanced CDD; a letter or other written confirmation of employment.

The relevant government document.

Note: Where a particular aspect of an individual’s identity changes (such as change of name, nationality, or any other forms as approved), the financial institution must take reasonable measures to re-verify that particular aspect of identity of the individual using the same methods prescribed by the table above. In case of high-risk customers, further verification should take place using a newly issued replacement for the expired document.

4.2.2 Applicants for business who are Legal Persons or Legal Arrangements
Regulations 5, 6 and 7 of the FIAML Regulations 2018 lays down specific requirements where an applicant is a legal person or a legal arrangement.

For customers that are legal persons, the financial institution should identify and verify the identity of beneficial owners by obtaining information on:

a) the identity of all the natural persons who ultimately have a controlling ownership interest in the legal person;
b) where there is doubt under subparagraph (a) as to whether the person with the controlling ownership interest is the beneficial owner or where no natural person exerts control through ownership interests, the identity of the natural person exercising effective control of the legal person; and
c) where no natural person is identified under subparagraph (a) and (b), the identity of the natural person who holds the position of senior managing official.

Where the underlying shareholders are not natural persons, the financial institution must ‘drill down’ to establish the identity of the natural persons ultimately owning or controlling the business. A legal person may have one or more methods of data verification as provided in the right column and the method of data verification will apply according to the legal status of the person to be identified.

4.2.2.1 Identification and verification data for legal person

Person to be identified

Data to be identified

Method of data verification

Underlying persons who are individuals.

As per the requirements for natural person

Where the individual persons are such by virtue of their status as members of the board of directors of a relevant legal person (or equivalent – for examples partners in a partnership, or council members in a foundation),

financial institutions are required to identify and verify the identity of all such persons.

As per the requirements for natural person

Where the legal person with which the underlying person is associated is low or standard risk, then the method of verification for each required piece of data will normally suffice and can be one of the above methods.

However, where the legal person is high risk, or where a high-risk rating would otherwise be attached to the individual principal, then the methods of verification will depend on the riskiness of the relationship and more than one method will be necessary

Private companies

Partnerships

Sociétés Foundations

Other legal persons

1.Legal status of body

2.Legal name of body

3.Any trading names

4.Nature of business

5.Date and country of incorporation /registration

6.Official identification number (for example, company number)

7.Registered office address

8.Mailing address (if different)

9.Principal place of business / operations (if different)

10.Any other data which the financial institution considers to be reasonably necessary for the purposes of establishing the true identity of the legal person.

· Certificate of incorporation (or other appropriate certificate of registration or licensing);

· Memorandum and Articles of Association (or equivalent);

Company registry search, including confirmation that the person is not in the process of being dissolved, struck off, wound up or terminated;

· Latest audited financial statements or equivalent;

· Annual report or equivalent;

· Personal visit to principal place of business;

· Partnership deed or equivalent;

· Charter of Foundation;

· Acte de société;

· Certificate of good standing from a relevant national body;

· Reputable and satisfactory third-party data, such as a business information service

· Any other source of information that to verify

that the document submitted is genuine.

Where identification information relating to a legal person is not available from a public source, the financial institution will be dependent on the information that is provided by the legal person. It should accordingly treat such information with care and in any event in accordance with the legal person’s risk assessment.

Where it intends to use data held by a third-party organization, such data must be satisfactory and the organization reputable. Such criteria will be likely to be satisfied where organization:
a) accesses a wide range of information sources; and

b) has transparent processes that enable a financial institution to know what checks have been carried out, what the results of these checks were and to be able to determine the level of satisfaction provided by those checks.

4.2.3 Legal arrangements

For customers that are legal arrangements, financial institutions should identify and verify the identity of beneficial owners:

a) for trusts, on the identity of the settlor, the trustee, the beneficiaries or class of beneficiaries, and where applicable, the protector or the enforcer, and any other natural person exercising ultimate effective control over the trust, including through a chain of control or ownership;
b) for other types of legal arrangements, on the identity of the persons in equivalent or similar positions.

The financial institution must collect the identification data concerning a legal person listed in the left-hand column of the table below, and verify that data in accordance with the following:

a) The data to be collected applies to low, standard and high-risk applicants for business. Potential methods of data verification are listed in the right-hand column of the table.
b) The appropriate number of methods for verifying the data will vary depending on the status of the person to be identified and the risk rating:

i). For low-risk legal persons, verification of each piece of the required data may take place using one of the methods identified.

ii). For standard and high-risk legal persons, verification of each item of the required data must take place using at least two such methods wherever practicable.

4.2.3.1 Identification and verification data for legal arrangement

Person / arrangement to be identified	Data to be identified	Method of data verification
Underlying principals who are legal persons	As per the requirements for legal persons above In circumstances where an applicant for business which is a legal arrangement acts or	As per the requirements for legal persons above
	purports to act on behalf of a legal person, then identification and verification must take place not just in respect of that legal person, but also in respect of that legal person’s underlying principals in accordance with the preceding row of this table.
Legal arrangement	1. Legal status of arrangement (including date of establishment)	· Trust deed or equivalent instrument
	2. Legal name of arrangement (if applicable)	· Official certificate of registration (if applicable)
	3.Trading or other given name(s) of arrangement (if applicable) 4.Nature of business 5.Any official registration or identifying number (if applicable)	· Where the above proves insufficient, any other document or other source of information on which it is reasonable to place reliance in all the circumstances.
	6.Registered office address (if applicable)
	7.Mailing address (if different)
	8. Principal place of business / operations (if different)
	9. Any other data which the financial institution considers to be reasonably necessary for the purposes of establishing the true identity of the legal arrangement.

The financial institution must seek and obtain assurances from the trustee/s (or controlling individual/s) that all of the data requested by the financial institution under the above process has been provided, and that the individual(s) will notify the financial institution in the event of any subsequent changes.

Where identification information relating to a legal arrangement is not available from a public source, the financial institution will be dependent on the information that is provided by the legal arrangement (usually through its controlling individuals, such as trustees). It should accordingly treat such information with care and in any event in accordance with the legal arrangement risk assessment.

4.3 Acquisition of a business or block of customers

Where the financial institution takes on a business which has established business relationships or a block of customers, a financial institution shall undertake sufficient enquiries to determine:

a) whether the business’s CDD policies, procedures, controls and systems are in line with current AML/CFT legislative requirements;
b) the level and the appropriateness (having regard to risk) of identification data held in relation to the customers and business relationships which are to be acquired.

In deciding whether to acquire the business, the Financial Institution may rely on the identification data held where:

a) The business relationships were established in jurisdictions that have equivalent AML/CFT legislation or meets the FATF Standards;
b) The business’ CDD policies, procedures and controls are in line with the AML/CFT legislative framework;
c) it has obtained identification data for each customer acquired.

Where deficiencies in the identification data held are identified, either at the time of transfer/acquisition or subsequently, the financial institution must determine and implement a programmer to remedy any such deficiencies, prioritized according to its assessment of the risks.

4.4 Individuals acting on behalf of applicants for business and customers

There might be cases where applicants for business and customers (particularly those which are legal persons) will have one or more individuals authorized to act on their behalf in dealing with financial institutions – for example, persons authorized to instruct the financial institution to transfer funds on the customer’s behalf. Such authority may derive from a number of possible sources: for example, a power of attorney, or an authorized signatory mandate form, or a trust instrument.

The financial institution must have in place appropriate policies, procedures and controls to ensure that they are able to identify and verify the identity of all persons purporting to act on behalf applicants for business or existing customers, and to confirm the authority of such persons to act. It must, in the case of individuals acting on behalf of applicants for business or existing customers, obtain identification data and verify that data as per table above

Where a particular aspect of the above identification data subsequently changes or expires, it must take reasonable measures to re-verify that particular aspect of identity of the individual.

4.5 Third party reliance

The Financial Institution may rely on relevant third parties to complete certain customer due diligence (“CDD”) measures, provided that there is a contractual arrangement in place with the third party and the third party provides all CDD information to the financial institution (but the document can be provided at a later stage and upon request) and undertakes to provide to the firm any CDD documents obtained as soon as practicable upon request pursuant to section 17D of the FIAMLA. Where such reliance is permitted, the ultimate responsibility for CDD measures will remain with the Financial Institution relying on the third party.

4.6 Electronic identification and verification

Where the Financial Institution adopts a system providing for the electronic verification of natural person identity, it must assess the veracity of the controls inherent within the system in order to determine whether the financial institution can place reliance on the results produced, or if additional steps are necessary to complement the existing controls.

The additional steps undertaken by the Financial Institution could include requiring a representative of the Financial Institution or a designated third party for example a lawyer, a notary or an accountant to be present with the natural person when the on-boarding software is being used.

Whilst the use of electronic verification can help to reduce the time and cost involved in gathering information and identification data for a natural person, the Financial Institution should be mindful of any additional risks posed by placing reliance on an electronic method or system.

This should include understanding the method and level of review and corroboration within the system and the potential for the system to be abused.

Knowledge and understanding of the functionality and capabilities of a system can help provide assurance of its suitability. In particular, there should be certainty of the methods applied to corroborate identification data. The use of more than one confirmatory source to match data enhances the assurance of authenticity. A process whereby the images taken are independently verified, either by a suitably trained individual or computer system, to confirm the authenticity of the identification data used to verify identity (for example, that the identification data has not been fraudulently altered, is listed on a missing/stolen documents list, etc.). The corroboration of biometric information (for example, fingerprints, voice identification, etc.) and/or geotagging/geolocation (i.e., the inclusion of geographical identification metadata to confirm the location in which the user interacted with the system) could be done.

In all circumstances, the Financial Institution should adopt a risk-based approach to satisfy itself that the documents received adequately verify that the customer is who they say they are and that the Financial Institution is comfortable with the authenticity of these documents. The Financial Institution could check the type of file and ensure it is tampered resistant, it could check the email address it is being received from to ensure it seems legitimate and relates to the customer sending in the documentation, if the document has been certified that it is a suitable certifier etc.

Where the Financial Institution is unsure of the authenticity of the documents based on electronic means of collection, or that the documents actually relate to the customer, a cumulative approach should be taken and additional measures or checks undertaken to gain comfort. If still unsatisfied with the verification of identity or address the business relationship must proceed no further, the financial institution must terminate the business relationship and consideration be given to making an internal disclosure.

5.0 Enhanced Due Diligence (EDD) Checks

Regulation 12 of the FIAML Regulations 2018 provides that financial institutions shall implement internal controls and other procedures to combat money laundering and financing of terrorism, including EDD procedures with respect to high-risk persons, business relations and transactions and persons established in jurisdictions that do not have adequate systems in place to combat money laundering and financing of terrorism.

Where the ML/TF risks are identified to be higher, a financial institution shall take EDD measures to mitigate and manage those risks.

Financial institutions must assign a high-risk rating to the applicant for business where a high risk of ML/TF has been identified.

If the level of AML/CFT of a customer is assessed to be High, in addition to the CDD measures, an appropriate level of Enhanced CDD should also be performed, documented and evaluated prior to the acceptance.

Enhanced CDD shall be performed:

where a higher risk of money laundering or terrorist financing has been identified;
where through supervisory guidance a high risk of money laundering or terrorist financing
b) has been identified;
where a customer or an applicant for business is from a high risk third country;
in relation to correspondent banking relationships, pursuant to regulation 16;
subject to Regulation 15 of the FIAMLA Regulations, where the customer or the applicant for business is a political exposed person;
where a reporting person discovers that a customer has provided false or stolen identification documentation or information and the reporting person proposes to continue to deal with that customer;
in the event of any unusual or suspicious activity.

Enhanced CDD measures that may be applied for higher risk business relationships include:
a. obtaining additional information on the customer (e.g. occupation, volume of assets, information available through public databases, internet, etc.), and updating more regularly the identification data of the customer and the beneficial owner;

a. obtaining additional information on the intended nature of the business relationship;

b. obtaining information on the source of funds or source of wealth of the customer;

c. obtaining information on the reasons for intended or performed transactions;

d.obtaining the approval of senior management to commence or continue the business relationship;
f. conducting enhanced monitoring of the business relationship, by increasing the number and
g. timing of controls applied, and selecting patterns of transactions that need further examination;
h. requiring the first payment to be carried out through an account in the customer’s name with a bank subject to similar CDD standards.

The following types of Customers shall require application of the EDD:

Politically Exposed Persons (‘PEPs’);

Any Customer that their nature entails a higher risk of money laundering or terrorist financing; and

Any Customer determined by the risk profiling methodology as being High Risk.

The EDD conducted must be adequate to assess and, where necessary, identify mitigants to the identified risk(s) and/or inform the Board regarding a decision to establish, continue or terminate the business relationship or enter into a single transaction.

The following measures must be applied in cases of high-risk relationships:

Increased intensity of CDD measures, including verification of source of wealth;
Extensive ongoing monitoring must be conducted on all transactions (including but not limited to bank transactions) to verify source and destination of funds (special attention to PEPs) and ascertain whether such transactions are properly supported/evidenced (e.g. Board approval, relevant executed agreements, etc.);
Quarterly screening (World Check and Internet Check) must be performed;
Increased review periods of customer information.

The above enhanced measures would also apply in cases where high volumes of cash are involved, such as pay outs to a beneficiary from a high-risk territory or of high-risk status.

In case where the Financial Institution is unable to perform the required EDD requirements, the latter shall terminate the business relationship and file a suspicious transaction report under section 14 of the FIAMLA.

5.1 PEPs

Business relationships with Politically Exposed Persons (“PEPs”) pose a greater than normal money laundering risk to financial institutions, by virtue of the possibility for them to have benefitted from proceeds of corruption, as well as the potential for them (due to their offices and connections) to conceal the proceeds of corruption or other crimes.

The classification of a person as a PEP needs to be carefully checked and determined based on PEP declaration form received and also checked on World Check Refinitiv and other software tools being used. This is important as a PEP has a scoring weight age much higher than a non- PEP client. Proper identification is needed for a correct client risk assessment and rating.

As per Regulation 2 of FIAMLR 2018, “PEP”,

a) means a foreign PEP, a domestic PEP and an international organization PEP; and
b) for the purposes of this definition –

“Domestic PEP” means a natural person who is or has been entrusted domestically with prominent public functions in Mauritius and includes the Head of State and of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials and such other person or category of persons as may be specified by a supervisory authority or regulatory body after consultation with the National Committee;

“Foreign PEPs” means a natural person who is or has been entrusted with prominent public functions by a foreign country, including Heads of State or of government, senior politicians, senior government, judicial or military officials, senior executives of state-owned corporations, important political party officials and such other person or category of persons as may be specified by a supervisory authority or regulatory body after consultation with the National Committee;

“International organization PEP” means a person who is or has been entrusted with a prominent function by an international organization and includes members of senior management or individuals who have been entrusted with equivalent functions, including directors, deputy directors and members of the board or equivalent functions and such other person or category of persons as may be specified by a supervisory authority or regulatory body after consultation with the National Committee”.

A PEP is an individual who is or has been entrusted with a prominent public function such as:

heads of state;
heads of government;
ministers and deputy or assistance ministers;
members of parliament;
influential functionaries in nationalized industries and government administration;
judges and senior magistrates;
senior political party functionaries;
senior and/or influential officials, functionaries and military leaders and people with similar functions in international or super national organizations;
members of ruling royal families;

The definition of PEP also includes:

‘Close associates’, i.e.: (a) individuals who are closely connected to a PEP, either socially or professionally; and (b) includes any other person as may be specified by a supervisory authority or regulatory body after consultation with the National Committee.

‘Family members’; i.e.:

(a) individuals who are related to a PEP either directly through consanguinity, or through marriage or similar civil forms of partnership: and

(b) includes any other person as may be specified by a supervisory authority or regulatory body after consultation with the National Committee.

The Company must:

(a) develop and document a clear policy on the acceptance of business relationships or one-off transactions with PEPs, and ensure that this is adequately communicated;

(b) obtain and document the approval of senior management prior to establishing relationships with PEPs;

(c) where such persons are discovered to be so only after a relationship has commenced, thoroughly review the relationship and obtain senior management approval for its continuance; and

(d) apply EDD measures to establish the source of funds and source of wealth of PEPs.

5.2 Non-face-to-face relationships or occasional transactions

Business conducted by financial institutions may also be conducted on a non- face-to-face basis, i.e. where there is no face-to-face contact with the customer or connected persons such as beneficial owners or controllers. Examples might be where identification information is provided through a trustee about persons who are connected with a trust, or by a legal body about the persons who are its beneficial owners and controllers or through identification documents received through electronic means. A further example may be where, although there is face-to- face contact with a customer, the supporting identification and verification documentation is provided at a time when the customer is not present.

Financial institutions must apply appropriate enhanced CDD measures on a risk-sensitive basis where an applicant for business or customer (or any connected person, such as a beneficial owner or controller) is unable to be identified and when the financial institution is unsure of the authenticity of the documents in non-face-to-face relationships.

5.3 Connected persons that are PEPs

Connected persons will include underlying principals such as beneficial owners and controllers. Financial institutions must apply appropriate EDD measures on a risk-sensitive basis where an

applicant for business or customer (or any connected person, such as a beneficial owner or controller) is a PEP, and must ensure that they operate adequate policies, procedures and controls to comply with this requirement.

Financial institutions must:

a) develop and document a clear policy on the acceptance of business relationships or one-off transactions with such persons, and ensure that this is adequately communicated;
b) obtain and document the approval of senior management prior to establishing relationships with such persons;
c) where such persons are discovered to be so only after a relationship has commenced, thoroughly review the relationship and obtain senior management approval for its continuance; and
d) apply EDD measures to establish the source of funds and source of wealth of such persons. The Company needs to assess whether a client is a PEP or associated with same. A PEP declaration form shall also be completed by clients as per Annexure E.

6.0 Simplified Due Diligence

In general, the full range of CDD measures should be applied by financial institutions. However, simplified CDD measures can be implemented in cases where lower risks have been identified and this corresponds to the situations outlined in Regulation 11 of the FIAML regulations and where the CDD measures are commensurate with the lower risk factors or any guidance issued. The possibility of applying simplified CDD measures does not remove from the financial institution its responsibility to adopt CDD measures, it only allows for application of reduced measures. The ultimate decision rests with the financial institution and there may be instances, depending on the level of risk and all the known circumstances (a high-risk relationship e.g. PEP will be dealt with more caution rather than the routine CDD measures), where it is inappropriate to adopt these simplified measures. An example of simplified CDD measure could be not requiring CDD documentation for beneficial owner of publicly listed entities. The financial institution could obtain and retain documentary evidence of the existence of the public company and of its listed status, together with a copy of its annual report to verify that the individuals who purport to act on behalf of such entity have the necessary authority to do so.

Under all circumstances, financial institutions must keep the client risk assessment up to date and review the appropriateness of CDD obtained even if simplified CDD measures are adopted. Financial institutions are required to keep

the risk assessment and level of CDD requirements under review and the level of risk of the CDD measures should be consistent with the risk of the relationship.

Financial institutions can apply simplified CDD measures where:

a) Lower risks have been identified and the simplified CDD measures shall be commensurate with the lower risk factors;
b) there is a low level of risk, financial institutions shall ensure that the low risk identified is consistent with the findings of the NRA or any risk assessment carried out, whichever is most recently issued;

Where the Financial Institution decides to adopt the simplified measures in respect of a particular applicant, it must:

a) document that decision in a manner which explains the factors which it took into account (including retaining any relevant supporting documentation) and its reasons for adopting the measures in question; and
b) keep the relationship with the applicant (including the continued appropriateness of using the simplified measures) under review, and operate appropriate policies, procedures and controls for doing so.

Simplified CDD shall never apply where, the financial institution knows, suspects, or has reasonable grounds for knowing or suspecting that a customer or an applicant for business is engaged in money laundering or terrorism financing or that the transaction being conducted by the customer or applicant for business is being carried out on behalf of another person engaged in money laundering or where there are other indicators of ML/TF risk.

Where simplified CDD measures are adopted, financial institutions should apply a risk-based approach to determine whether to adopt the simplified CDD measures in a given situation and/or continue with the simplified measures, although these clients’ accounts are still subject to transaction monitoring obligations.

However, it is not part of the Company’s internal policy to perform simplified CDD on its clients.

7.0 Rejection of Clients

There are various instances where the Company will not onboard a client as this will pose extensive AML/CFT risks, reputational risks or potential connections with criminal activity. Some examples (non-exhaustive) can be found below:

Business Activity of the client being unclear

Reluctancy on the part of the client to provide KYC/CDD

The client risk rating is classified as high.

The above proposed clients would not be onboarded and therefore rejected by Company at the very initial stage. In case of doubts with regards to the above, the Board or senior management should be contacted.

8.0 Reliance on Others

8.1 Third Party Reliance

A financial institution may rely on relevant third parties to complete certain CDD measures, provided that there is a contractual arrangement in place with the third party. Where reliance is placed on a third party for elements of CDD, the financial institution must ensure that the identification information sought from the third party is adequate and accurate. The CDD information has to be submitted immediately in line with section 17D of the FIAMLA upon onboarding although the documents can be provided upon request at a later date. Where such reliance is permitted, the ultimate responsibility for CDD measures will remain with the financial institutions relying on the third party.

In a third-party reliance scenario, the third party should be regulated, supervised and monitored and subject to CDD in line

with section 17C of the FIAMLA and record keeping requirements pursuant to section 17F of the FIAMLA and Regulation 21 of the FIAML Regulations 2018 which provides for third party reliance. When reliance is placed on a third party that is part of the same financial group, the financial institution must ensure that the group applies the measures as applicable to regulation 21(4) of the FIAML Regulations 2018.

Moreover, the financial institution needs to be aware on the level of the country risk when determining in which country the third party can be based, countries with strategic deficiencies in the fight against money laundering and the financing of terrorism, e.g. those identified by the FATF as having strategic deficiencies. A high-risk country can also be those countries that are vulnerable to corruption and which are politically unstable, the above examples are not exhaustive.

An example of a third-party reliance arrangement is in the context of investment fund (fund), a third-party reliance arrangement between the fund or its administrator and a relevant third party that acts as a fund distributor for its underlying investors is very common.

In order to ensure that these arrangements meet the FSC’s expectations, an investment fund and its administrator should ensure that:

there is a signed agreement between the fund or its administrator and the relevant third party, in which the third-party consents to being relied upon for these purposes and undertakes;
to provide any CDD information obtained immediately upon onboarding;
they signed agreement contains clear contractual terms in respect of the obligations of the third party to obtain and maintain the necessary CDD records and to provide the CDD documents upon request;
they signed agreement does not contain any conditional language, whether explicit or implied, which may result in the inability of the third party to provide the CDD documents. For example, language which qualifies the obligation to provide the CDD documents, such as “to the extent permissible by law” or “subject to regulatory request”, is not acceptable. This is of particular relevance where reliance is placed on a third party based in a jurisdiction that is subject to secrecy laws or similar restrictive rules; and
policies and procedures are in place which set out an approach with regard to the identification, assessment, selection and monitoring of third-party relationships, including the frequency of testing performed on such third parties to deliver the necessary CDD documents when requested.

Reliance may only be placed on third parties to carry out CDD measures in relation to the identification and verification of a customer’s identity and the establishment of the purpose and intended nature of the business relationship. Third parties may not be relied upon to carry out the ongoing monitoring of dealings with a customer, including identifying the source of wealth or source of funds.

The FSC recommends that regular assurance testing is carried out in respect of the third-party arrangements, to ensure that the CDD documents can be retrieved without undue delay and that the documentation received is sufficient pursuant to section 17(2)(v) of the FIAMLA.

Financial institutions should take steps to ensure that any existing third-party reliance arrangements comply with the applicable AML/CFT legislation in this regard. It is suggested that, where third party reliance arrangements are in place, reporting entities (e.g. funds) receive a report from the administrator about the arrangements that meets those requirements and that the report details the outcome of the testing carried out.

8.2 Introduced Business

There are occasions where applicants for business are introduced to financial institutions by ‘introducers’ pursuant to Regulation 21 of the FIAML Regulations 2018, a form of third-party reliance.

Financial institution should subject third-party introducers to the full identification and verification CDD measures for identification and verification as provided under Regulations 3(a), (c) and (d) of the FIAML Regulations 2018.

The financial institution should at the time of establishing the introducer relationship should carry out a risk analysis of this relationship and monitor the introducer relationship. In line with the third-party reliance obligations, when individual applicants, or applicants which are body corporate, are introduced to a financial institution by an introducer, the financial institution should:

a) obtain and maintain documentary evidence that the introducer is regulated for the purposes of preventing money laundering and terrorist financing; and
b) be satisfied that the procedures laid down by the introducer meet the requirements specified in the FIAMLA and FIAML Regulations 2018.

Financial institutions should at all times bear in mind that the ultimate responsibility to ensure the completion of satisfactory CDD measures rests with them and not with the introducer. Where it is proposed to rely on the introducer to carry out any of the CDD requirements, financial institutions must adopt a risk-based approach and must:

a) obtain explicit written assurance from the introducer that it will carry out the requirements for CDD;
b) satisfy themselves independently (and have clear procedures for doing so) that the procedures followed by the introducer are sufficiently robust to ensure that the introducer complies with the requirements of the AML/CFT legislation; and
c) obtain evidence that the introducer is regulated/ supervised.

Where CDD identification data and other documentation is to be retained by the introducer rather than the financial institution, there must be a clear written understanding between the financial institution and the introducer that:

a) such data will be retained by the introducer and will not be disposed of without the financial institution ’s consent,
b) the financial institution will have timely access to such data (including inspection of documents) upon request, and
c) such data will be promptly transferred to the custody of the financial institution, if the introducer ceases to act in that capacity.

Financial institutions’ boards of directors or equivalent senior management must ensure that periodic testing of the above arrangements is conducted by the financial institution, to ensure that the financial institution is complying with the current legislative framework with respect to the above provision.

9.0 Ongoing Monitoring

9.1 Monitoring Transactions and Activity

The regular monitoring of a business relationship, including any transactions and other activity carried out as part of that relationship, is one of the most important aspects of effective ongoing CDD measures.

The procedures for ongoing monitoring performed by the Company can be found below at sections 9.4, 9.7 and 9.10.

It is vital that the Financial Institution understands a customer’s background and is aware of changes in the circumstances of the customer and beneficial owner throughout the life-cycle of a business relationship. The financial institution can usually only determine when it might have reasonable grounds for knowing or suspecting that ML and/or TF is occurring if it has the means of assessing when a transaction or activity falls outside the normal expectations for a particular business relationship.

There are two strands to effective ongoing monitoring:

a) The first relates to the transactions and activity which occur on a day-to-day basis within a business relationship and which need to be monitored to ensure they remain consistent with the financial institution’s understanding of the customer and the product or service it is providing to the customer.
b) The second relates to the customer themselves and the requirement for the financial institution to ensure that it continues to have a good understanding of its customers and their beneficial owners. This is achieved through maintaining relevant and appropriate CDD and applying appropriate ongoing screening.

There is a requirement for the financial institution to monitor business relationships on an ongoing basis, including the application of scrutiny to large and unusual or complex transactions or activity so that ML and TF may be identified and prevented as required under Regulation 3(1)(e) of the FIAML Regulations 2018.

9.2 Objectives

A key prerequisite to managing the risk of a business relationship is understanding the customer, and beneficial owner, and where changes to those parties occur. It is also important to maintain a thorough understanding of the business relationship and to appropriately monitor transactions in order to be in a position to detect, and subsequently report, suspicious activity.

The type of monitoring applied by the Financial Institution will depend on a number of factors and should be developed with reference to the financial institution’s business risk assessments and risk appetite. The factors forming part of this consideration will include the size and nature of the financial institution’s business, including the characteristics of its customer-base and the complexity and volume of expected transactions or activity.

The monitoring of business relationships should involve the application of scrutiny to large and unusual or complex transactions, as well as to patterns of transactions or activity, to ensure that such transactions and activity are consistent with the financial institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds.

Particular attention should be paid to high-risk relationships (for example, those involving PEPs), high risk countries / territories and high-risk transactions.

An unusual transaction or activity may be in a form that is inconsistent with the expected pattern of activity within a particular business relationship, or with the normal business activities for the type of product or service that is being delivered. For example, unusual patterns of transactions with no apparent or visible economic or lawful purpose.

The nature of the monitoring in any given case will depend on the business of the financial institution, the frequency of activity and the types of business. Monitoring may include reference to: specific types of transactions; the relationship profile; a comparison of activities or profiles with that of a similar customer or peer group; or a combination of these approaches.

9.3 Obligations

Under Regulation 3(1) (d) of the FIAML Regulations 2018, financial institutions should understand and obtain adequate and relevant information on the purpose and intended nature of a business relationship or occasional transaction. Further, in accordance with Regulation 3(1) (e) of the FIAML Regulations 2018, financial institutions should conduct ongoing monitoring of a business relationship, including:

a) scrutiny of transactions undertaken throughout the course of the relationship, including, where necessary, the source of funds, to ensure that the transactions are consistent with his knowledge of the customer and the business and risk profile of the customer;
b) ensuring that documents data or information collected under the CDD process are kept up to date and relevant by undertaking reviews of existing records, in particular for higher risk categories of customers.

Regulation 12(2)(f) of the FIAML Regulations 2018 states that EDD measures that may be applied for higher risk business relationships including conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.

Regulation 15(1)(d) of the FIAML Regulations 2018 requires a financial institution to conduct enhanced ongoing monitoring on foreign PEPs, whether as customer or beneficial owner, in addition to performing the CDD measures. The same requirement applies in cases when there is higher risk business relationship with a domestic PEP or an international organization PEP.

Examples of the additional monitoring arrangements for high-risk relationships could include:

a) undertaking more frequent reviews of high-risk relationships and updating CDD
b) information on a more regular basis; undertaking more regular reviews of transactions and activity against the profile and expected activity of the business relationship;
c) applying lower monetary thresholds for the monitoring of transactions and activity;
d) reviews being conducted by persons not directly involved in managing the relationship, for example, the CO;
e) ensuring that the financial institution has adequate MI systems to provide the board and CO with the timely information needed to identify, analyze and effectively monitor high risk relationships and accounts;
f) appropriate approval procedures for high value transactions in respect of high-risk relationships; and/or
g) a greater understanding of the personal circumstances of high-risk relationships, including an awareness of sources of third-party information.

The financial institution should also consider the possibility for legal persons and legal arrangements to be used as vehicles for ML and TF.

9.4 Ongoing Monitoring of PEP Relationships and Procedures

The system of monitoring used by the Financial Institution must provide for the ability to identify where a customer or beneficial owner becomes a PEP during the course of the business relationship and whether that person is a foreign PEP, domestic PEP or international organization PEP.

In accordance with Regulation 15(1) (b) of FIAML Regulations 2018, where a customer or beneficial owner becomes a foreign PEP during the course of an existing business relationship, as part of the EDD measures subsequently applied the financial institution shall obtain senior management approval to continue that relationship. The same requirement applies in cases when there is higher risk business relationship with a domestic PEP or an international organization PEP.

It is not expected that the financial institution will have a thorough knowledge of, or fully research, a family connection. The extent to which a connection is researched should be based upon the size, scale, complexity and involvement of the person in the context of the business relationship and the profile of the business relationship, including its asset value.

It is possible that family members and/or associates may not inform the financial institution, or even be aware, of their PEP status and therefore independent screening and monitoring should be conducted. It is also possible that an individual’s PEP status may not be present at take-on, for example, where that person takes office during the life of a business relationship. It is therefore important that ongoing monitoring exists in order to identify changes of status and risk classification.

Once a business relationship has been established with a PEP, on-going monitoring must be conducted on all related transactions to ensure that they are in line with the customer’s source of funds and wealth and original account mandate. This can be achieved by requesting for additional information to understand the purpose of a transaction and verifying the provenance of the source of funds and where required, to request for evidentiary documents such as agreements, invoices, bank statements, etc.

Furthermore, quarterly World Check and Internet Check must be conducted on the PEP and evidences of such screening kept on records.

Annual reviews must be conducted on all customers identified as PEPs and approved by Board / Senior Management.

The following information and documentation must be reviewed/reconfirmed/updated when conducting an annual review of a PEP client:

all KYC information;
the relevance of the EDD conducted initially including reconfirmation of the customer’s source of funds and source of wealth; and
where adverse information such as ongoing litigation or regulatory proceedings were noted as
part of the on-boarding information, further checks must be undertaken to ascertain any outcomes or obtain updated information.

Information obtained from the customer may be compared against additional independent sources. In order to verify the accuracy of the information.

The formal decision and reasons to either maintain or terminate the PEP relationship must be documented by the Company.

9.4.1 Factors to consider in establishing/maintaining/terminating a customer relationship with a PEP

The following are factors, which should be considered in deciding whether to establish/ maintain/terminate a customer relationship with a PEP:

funding of the account: are the funds/proceeds in the client’s account in line with the customer’s source of funds and wealth and original account mandate;

is there a history of suspicious or unexplained transactions;

is the customer responsive to requests for up-to-date information.

There should be a detailed consideration of the rationale for establishing, maintaining, or terminating the business relationship with the PEP.

Where a customer has been accepted and the said customer or its beneficial owner or its associate or its family member is subsequently found to be, or subsequently becomes a PEP, appropriate EDD and the Company’s Board’s approval should be obtained as per above in order to continue such business relationships

9.4.2 Connected persons that are PEPs

‘Connected persons will include underlying principals such as beneficial owners and controllers. The Company must apply appropriate EDD measures on a risk-sensitive basis where an applicant for business or customer (or any connected person, such as a beneficial owner or controller) is a PEP, and must ensure that they operate adequate policies, procedures and controls to comply with this requirement.

The Company must:

a) develop and document a clear policy on the acceptance of business relationships or one off
b) transactions with such persons, and ensure that this is adequately communicated;
c) obtain and document the approval of senior management prior to establishing relationships
d) with such persons;
e) where such persons are discovered to be so only after a relationship has commenced, thoroughly review the relationship and obtain senior management approval for its continuance; and
f) apply EDD measures to establish the source of funds and source of wealth of such persons.

9.5 High Risk Transactions or Activity

When conducting ongoing monitoring, the following are examples of red flags which may indicate high risk transactions or activity within a business relationship:
a) an unusual transaction in the context of the financial institution’s understanding of the business relationship (for example, abnormal size or frequency for that customer or peer group, or a transaction or activity involving an unknown third party);

b) funds originating from, or destined for, an unusual location, whether specific to an individual business relationship, or for a generic customer or product type;
c) transactions or activity unexpectedly occurring after a period of dormancy;
d) unusual patterns of transactions or activity which have no apparent economic or lawful purpose;
e) an instruction to effect payments for advisory or consulting activities with no apparent connection to the known activities of the customer or their business;
f) the involvement of charitable or political donations or sponsorship; or
g) a relevant connection with a country or territory that has significant levels of corruption, or provides funding or support for terrorist activities.

Financial institutions must remain conscious that under the FIAMLA, they have an obligation to prevent and detect ML and TF.

A customer who is, or may be, attempting to launder money may frequently structure his instructions in such a way that the economic or lawful purpose of the instruction is not apparent or is absent entirely. When asked to explain circumstances or transactions, the customer may be evasive or may give explanations which do not stand up to reasonable scrutiny.

Where a financial institution is suspicious, or has knowledge of, money laundering or terrorist financing, it should not unquestioningly carry out instructions as issued by the customer. If a financial institution unquestioningly carries out unreasonable instructions in this manner, it may mean that it is failing in its duty to prevent and detect ML/TF.

When faced with unreasonable customer instructions that lead the relevant person to know or suspect ML/TF, the financial institution must file a suspicious transaction report and also consider taking legal advice.

9.6 Handling Cash Transactions

The use of cash and monetary instruments as a means of payment or method to transfer funds can pose a higher risk of ML/TF than other means, such as wire transfer, cheques or illiquid securities. Unlike many other financial products with cash and monetary instruments there will likely be no clear audit trail and it may be unclear where the funds have originated from. Section 5 of the FIAMLA states that any person who makes or accepts any payment in cash in excess of 500,000 rupees or an equivalent amount in foreign currency, or such amount as may be prescribed, shall commit an offence.

Therefore, where cash and monetary instrument transactions are being proposed by customers, and such requests are not in accordance with the customer’s known reasonable practice, financial institution must approach such situations with caution and make relevant further enquiries.

In relation to cash transactions, the financial institution should consider factors such as the amount of cash, currency, denominations and the age of the notes in determining whether the activity is ‘normal’ for the customer along with a comparison with the customer’s expected activity.

Financial institutions should be especially robust when dealing with requests for frequent or unusually large amounts of cash and monetary instrument by customers, especially where the customer is resident in jurisdictions where tax evasion is a known problem.

Financial institutions should be vigilant for explanations given by customers which do not stand up to scrutiny. Where the financial institution has been unable to satisfy itself that the transaction is legitimate activity, and therefore considers

it suspicious, an internal disclosure must be made.

9.7 Real-Time and Post-Event Transaction Monitoring

Monitoring procedures should involve a combination of real-time and post-event monitoring.

Real-time monitoring focuses on transactions and activity where information or instructions are received before or as the instruction is processed. Post-event monitoring involves periodic, for example monthly, reviews of transactions and activity which have occurred over the preceding period.

Real-time monitoring of activity can be effective at reducing exposure to ML, TF and predicate offences such as bribery and corruption, whereas post-event monitoring may be more effective at identifying patterns of unusual transactions or activities.

In this respect, regardless of the split of real-time and post-event monitoring, the over-arching purpose of the monitoring process employed should be to ensure that unusual transactions and activity are identified and flagged for further examination.

Financial institutions should ensure that the flags / alerts raised are examined within the shortest delay and properly documented prior to closure.

The Company operates a manual system for transaction monitoring. It is a process put in place to monitor all transactions and activity of the Company’s clients on an ongoing basis which involves a combination of real-time and post-event monitoring.

In the case of real time monitoring, the focus is on transactions/activity where information/instructions are received before a payment instruction is processed. The Company has an internal bank transfer checklist in place when processing such transactions.

Post-event monitoring consists of reviewing transactions/activity on a periodic basis (e.g. monthly). The over-riding principle is to ensure that unusual transactions and activity are identified and subject to a heightened level of scrutiny or examination within the shortest delay and properly documented.

The activities being carried out needs to be checked against existing business plan filed including the projections and figures mentioned. Clients should be questioned if there is any change in business plan or figures amended business plan should be kept if changes are material.

Where the risks of money laundering or terrorism financing are higher, enhanced CDD measures must be conducted which are consistent with the risks identified. Of note, Transaction Monitoring can trigger an Internal Investigation and warrant a STR report, in case a suspicious transaction is identified.

The Compliance Officer will check on the transaction monitoring process whether all supporting documents are held on

file and whether in line with each client’s activity.

9.8 Automated and Manual Monitoring

The financial institution’s monitoring processes should be appropriate with respect to its size, activities and complexity, together with the risks identified within its business risk assessments.

While bigger financial institutions with large volumes of transactions will likely favor an automated system, the financial institution may conclude that a manual real-time and/or post- event monitoring process is sufficient given the size and scale of its business.

Notwithstanding the method of monitoring used, the financial institution should adapt the parameters of its processes, in particular the extent and frequency of monitoring, on the basis of materiality and risk, including, without limitation, whether or not a business relationship is a high-risk relationship.

The rationale for deciding upon either a manual or automated method of monitoring, together with the criteria in defining the parameters of that monitoring, should be based on the conclusions of the financial institution’s business risk assessments and risk appetite.

Where an automated monitoring method is used, whether specific to the financial institution or a group-wide system, the financial institution must:

a) understand how the system works and how to use the system (for example, making full use of guidance);
b) understand when changes are to be made to the system (including the nature and extent of any changes);
c) understand the system’s coverage (including the extent of the transactions, activity and/or parties monitored);
d) understand the sources of data used (including both the source(s) of internal data fed into the system and the source(s) of external data to which it is compared);
e) understand the nature of the system’s output (exceptions, alerts etc.);
f) set clear procedures for dealing with potential matches, driven on the basis of risk rather than resources; and
g) record the basis for discounting alerts (for example, false positives) to ensure there is an appropriate audit trail.

Where the financial institution is a branch office or subsidiary of an international group and uses group-wide systems for transaction and activity monitoring, the ability for the financial institution to dictate the particular characteristics of the monitoring conducted by the system may be limited. Where this is the case, notwithstanding the group-wide nature of the system, the financial institution must be satisfied that it provides adequate mitigation of the risks applicable to the business of the financial institution.

The financial institution should be aware that the use of computerized monitoring systems does not remove the requirement for relevant employees to remain vigilant. It is essential that the financial institution continues to attach importance to human alertness. Factors such as a person’s intuition; direct contact with a customer either face-to-face or on the telephone; and the ability, through practical experience, to recognize transactions and activities which do not seem to have a lawful or economic purpose, or make sense for a particular customer, cannot be automated.

9.9 Examination

In accordance with Regulation 25(1) of FIAML Regulations 2018, where within a business relationship there are complex, or large and unusual transactions, or unusual patterns of transactions, which have no apparent economic or lawful purpose,

the financial institution shall examine the background and purpose of those transactions.

As part of its examination, the financial institution should give consideration to the following:

a) reviewing the identified transaction or activity in conjunction with the relationship risk assessment and the CDD information held;
b) understanding the background of the activity and making further enquiries to obtain any additional information required to enable a determination to be made by the financial institution as to whether the transaction or activity has a rational explanation and economic purpose;
c) reviewing the appropriateness of the relationship risk assessment in light of the unusual transaction or activity, together with any supplemental CDD information obtained; and
d) considering the transaction or activity in the context of any other connected business relationships and the cumulative effect this may have on the risk attributed to those relationships.

For the purposes of Regulation 25(1) of FIAML Regulations 2018, what constitutes a large and unusual or complex transaction will be based on the particular circumstances of a business relationship and will therefore vary from customer to customer.

The financial institution must ensure that the examination of any large and unusual, complex, or otherwise higher risk transaction or pattern of transactions or other activity is sufficiently documented and that such documentation is retained in a readily accessible manner in order to assist the FSC, the FIU, other domestic competent authorities and auditors.

The financial institution must ensure that procedures are maintained which require reporting of internal disclosures to be made to the MLRO in accordance with the requirements of Regulations 27 (c) of FIAML Regulations 2018 and where any information or other matters that come to the attention of the file handler and his opinion gives rise to any knowledge or suspicion that another person is engaged in money laundering and terrorism financing activity.

Following the conclusion of its examination, the financial institution should give consideration to whether follow-up action is necessary in light of the identified transaction or activity. This could include, but is not limited to:

a) applying EDD measures where this is considered necessary or where the financial institution has reassessed the business relationship as being high risk as a consequence of the transaction or activity;
b) considering whether further employee training in the identification of large and unusual, complex, or higher risk transactions and activity is needed;
c) considering whether there is a need to adjust the monitoring system (for example, refining monitoring parameters or enhancing controls for more vulnerable products, services and/or business units); and/or
d) applying increased levels of on-going monitoring for particular relationships.

9.10 Ongoing CDD

In accordance with Regulation 3(1) (e)(ii), the requirement to conduct ongoing CDD will ensure that the financial institution is aware of any changes in the development of a business relationship. The extent of the financial institution’s ongoing CDD measures must be determined on a risk-sensitive basis. However, the financial institution must be aware that as a business relationship develops, the risks of ML and TF may change.

It should be noted that it is not necessary to re-verify or obtain current identification data unless an assessment has been

made that the identification data held is not adequate for the assessed risk of the business relationship or there are doubts about the veracity of the information already held. Examples of such could include a material change in the way that the business of the customer is conducted which is inconsistent with its existing business profile, or where the financial institution becomes aware of changes to a customer’s or beneficial owner’s circumstances, such as a change of address.

In order to reduce the burden on customers and other key principals in low-risk relationships, trigger events (for example, the opening of a new account or the purchase of a further product) may present a convenient opportunity to review the CDD information held.

The review must take account of the CDD and EDD obtained on the customer, whether there have been any changes to the customer’s activity / circumstances. Where the basis of a relationship has changed the relevant person should consider whether the risk rating of the customer needs amending and carry out further CDD procedures to ensure that the revised risk rating and basis of the relationship is fully understood. Ongoing monitoring procedures must take account of these changes. If the risk changes significantly it should be remembered that EDD may be required. The review should include considering the customer’s location in relation to the high risk third countries and sanctions list.

Financial institutions must ensure that any updated CDD information obtained through meetings, discussions, or other methods of communication with the customer is recorded and retained with the customer’s records. That information must be available to the MLRO.

Failure to adequately monitor customers’ activities could expose a business to potential abuse by criminals and may call into question the adequacy of systems and controls, or the prudence and integrity or fitness and properness of the management of the business.

The Company will ensure that it checks for all outdated CDD and request for updated ones from its clients. Some trigger events for the request of updated CDD would be where a client’s passport has expired, or someone has changed status from single to being married or a client has changed its residential address. If the client is a legal person, then the Company needs to check whether the there has been any changes in the connected persons of that legal person.

Reminders should be kept by each staff for cases of updated passports. Further, each client file is thoroughly reviewed on a yearly basis and a Client Risk Assessment is performed on each file.

9.10.1 Customer screening

When obtaining CDD or carrying on ongoing monitoring, it is likely that a financial institution will perform searches against its customer’s name, and in the case of non-personal customers, against the names of the beneficial owners, controllers, beneficiaries etc. These searches can be performed using a wide variety of risk management systems or public domain searches.

When conducting searches against the name of an individual or entity, financial institutions should consider “negative press” in addition to whether the individual or entity is named on a sanctions or PEP list.

Negative press is the term given to any negative information, whether alleged or factual. This could be anything from an allegation of fraud by a disgruntled former customer to an article in a newspaper relating to a criminal investigation.

Consideration should be given to the credibility of the information source, the severity of the negative press, how recent the information is and the potential impact the negative press would have on the business relationship with that customer.

The FSC would expect the financial institution to document:

the source and date of the search;
actions taken to confirm or discount any potential match;
details of the negative press;
any actions taken to verify or disprove the claims; and
any additional actions taken as a result of this information such as treating the customer as high risk and/or seeking proof of source of wealth/funds etc.

The Company shall screen all its clients manually on a quarterly basis through World Check Refinitiv. Further the Company also has a subscription to Batch Risk Screen KYC 360 search tool, through which all of its clients are screened on a daily basis. Any new clients signed up are added to the list. By clients to be screened means all stakeholders, directors, bank signatories, officers and any other connected person to the Company’s clients.

9.10.2 Internal procedures of the Company with regards to hits received on a client: Usually, when a hit is found against a client and connected person of the client, the following procedures are followed:

a) First of all, the file handler checks whether the hit matches with the client’s details.
b) If related to the client, the seriousness of the hit mentioned in the report is checked.
c) If it is a serious hit (such as a criminal or civil offence, we go back to the client to request for further information such as the case law and the outcome of the case confirmed by the lawyers involved).
d) If it is a minor hit, this is also investigated either by going back to the client for further information and also through our independent research.
e) We also check whether the hits are positive matches or negative matches. If it is a negative match, then the hit is discounted. All records are kept on file and duly documented.

9.11 Sanctions Screening and Targeted Financial Sanctions

Sanctions are measures imposed by governments across the world in response to a variety of international issues including terrorism and nuclear weapons proliferation. Sanctions make it an offence to do business with persons or entities listed in such sanctions. Sanctions lists are local and/or international lists of persons and entities with whom a business relationship may not be established.

These lists include the Office of Foreign Assets Control (OFAC), United Nations Security Council (UNSC) and European Union (EU) which are incorporated into the World Check Compliance screening and KYC 360 checks performed by the Company. The updated list can also be accessed from the FIU’s website.

Sanctions screening of all customers and where possible suppliers against applicable local and international sanctions shall be conducted.

Where sanctions screening identifies a potential match, the result must be properly investigated in order to determine whether it is a positive match. In the event that the match is positive, it must be reported to the Compliance Officer for further investigation.

Section 23(1) of the United Nations (Financial Prohibitions, Arms Embargo and Travel Ban) Sanctions Act 2019 (the “UN Act”) provides that subject to the said Act, no person shall deal with the funds or other assets of a designated party or listed party, including:

a) all funds or other assets that are owned or controlled by the designated party or listed party, and not just those that can be tied to:

(i) a particular terrorist act, plot or threat;

(ii) a particular act, plot or threat of proliferation;

b) those funds or other assets that are wholly or jointly owned or controlled, directly or indirectly, by the designated party or listed party;
c) funds or other assets derived or generated from funds or other assets owned or controlled, directly or indirectly, by the designated party of listed party, and
d) funds or other assets of a party acting on behalf of, or at the direction of, the designated party or listed party.

In addition, section 23(2) of the UN Act provides that where a prohibition is in force, nothing shall prevent any interest which may accrue, or other earnings due, on the accounts held by a listed party, or payments due under contracts, agreements or obligations that arose prior to the date on which those accounts became subject to the prohibition, provided that any such interest, earnings and payments continue to be subject to the prohibition.

Where a party is listed pursuant to UNSCR 1737 and the listing continues pursuant to UNSCR 2231, or is listed pursuant to UNSCR 2231, the National Sanctions Committee may authorize the listed party to make any payment due under a contract, an agreement or an obligation, provided that the National Sanctions Committee:

a) is satisfied that the contract, agreement or obligation was entered prior to the listing of such
b) party;
c) is satisfied that the contract, agreement or obligation is not related to any of the prohibited items, materials, equipment, goods, technologies, assistance, training, financial assistance, investment, brokering or services referred to in UNSCR 2231 and any future successor resolutions;
d) is satisfied that the payment is not directly or indirectly received from, or made to, a person or entity subject to the measures in paragraph 6 of Annex B to UNSCR 2231; and
e) has, 10 working days prior to such authorization, notified the United Nations Sanctions Committee of its intention to authorize such payment.

In addition, any person who holds, controls or has in his custody or possession any funds or other assets of a designated party or listed party shall immediately notify the National Sanctions Secretariat of:

(a) details of the funds or other assets against which action was taken;

(b) the name and address of the designated party or listed party;

(i) the name and address of the sender;

(ii) the name and address of the intended recipient;

(iii) the purpose of the attempted transaction;

(iv) the origin of the funds or other assets; and

(v) where the funds or other assets were intended to be sent.

Any person who fails to comply with Section 23 (1) or (2) shall commit an offence and shall, on conviction, be liable to a fine not exceeding 5 million rupees or twice the amount of the value of the funds or other assets, whichever is greater, and to imprisonment for a term of not less than 3 years.

Section 24(1) of the UN Act relating to prohibition on making funds or other assets available to designated party or listed party available, provides that subject to the UN Act, no person shall make any funds or other assets or financial or other related services available, directly or indirectly, or wholly or jointly, to or for the benefit of:

(a) a designated party or listed party;

(b) a party acting on behalf, or at the direction, of a designated party or listed party; or

Section 26 of the UN Act provides with regard to the application for freezing order that:

“(1) (a) Where the Secretary for Home Affairs declares a party as a designated party, he shall, within a reasonable time of that declaration, make an ex-part application to the Designated Judge for a freezing order of the funds or other assets of the designated party.

(b) Where the Designated Judge is satisfied, on a balance of probabilities, that the designated party qualifies to be declared as such under this Act, he shall grant a freezing order which shall remain in force as long as the party is a designated party.

(2) Where a freezing order is in force, nothing shall prevent any interest which may accrue, or other earnings due, on the frozen accounts of the designated party, or payments due under contracts, agreements or obligations that arose prior to the date on which those accounts became subject to the freezing order, provided that any such interest, earnings and payments continue to be subject to the freezing order.

(3) For the purpose of this section, the Designated Judge shall, where required, examine, in camera, and in the absence of the designated party, any security or intelligence reports or other information or evidence considered by the National Sanctions Committee and these reports, information or evidence shall not, for security reasons, be disclosed to any other person, including the designated party or its legal representatives.

(4) The Secretary for Home Affairs shall give public notice, in 2 newspapers having wide circulation and in such other manner as he may determine, and notify any reporting person or any party that holds, controls or has in his or its custody or possession the funds or other assets of the designated party of any freezing order granted under this section.”

If any positive match is found on any designated list, then the Company has an obligation to submit a report to the National Sanctions Secretariat, without delay and not later than 24 hours.

The templates for the notification to the National Sanctions Secretariat under section 23(4) of the UN Sanctions Act 2019 and for the reporting on positive name match under section 25(2) of the UN Sanctions Act 2019 can be accessed on the National Sanctions Secretariat website.

The National Sanctions Secretariat may be further contacted on the below address:

National Sanctions Secretariat

Prime Minister’s Office (Home Affairs)

Fourth floor

New Government Centre

Port Louis Email: nssec@govmu.org

9.12 Oversight of Monitoring Process by Compliance Officer

The CO should have access to, and familiarize himself or herself with, the results and output from the financial institution’s monitoring processes. Such output should be reviewed by the CO who in turn should report regularly to the board, providing relevant management information such as statistics and key performance indicators, together with details of any trends and actions taken where concerns or discrepancies have been identified.

The board should consider the appropriateness and effectiveness of the financial institution’s monitoring processes as part of its annual review of the financial institution’s business risk assessments and associated policies, procedures and controls. This should include consideration of the extent and frequency of such monitoring, based on materiality and risk as set out in the business risk assessments.

Where the financial institution identifies weaknesses within its monitoring arrangements, it should ensure that these are rectified in a timely manner.

10.0 Liaison with the Law Enforcement and Reporting suspicious transactions

10.1 Introduction

Under the FIAMLA, a suspicious transaction has been defined as a transaction which:

a) gives rise to a reasonable suspicion that it may involve:

(i) the laundering of money or the proceeds of any crime; or

(ii) funds linked or related to, or to be used for, terrorist financing or by proscribed organizations, whether or not the funds represent the proceeds of a crime;

b) is made in circumstances of unusual or unjustified complexity;
c) appears to have no economic justification or lawful objective;
d) is made by or on behalf of a person whose identity has not been established to the satisfaction of the person with whom the transaction is made; or
e) gives rise to suspicion for any other reason.

A transaction includes:

a) opening an account, issuing a passbook, renting a safe deposit box, entering into a fiduciary relationship or establishing any other business relationship, whether electronically or otherwise; and
b) a proposed transaction or an attempted transaction.

Given the above, financial institutions should also be able to report transactions which are

planned for the future and give rise to suspicion and/or transactions which have been endeavored. The predicate offence need not be known or suspected, reasonable grounds to suspect should suffice.

The above definition is not exhaustive.

The assessment of suspicion should be based on a reasonable evaluation of different factors, including the knowledge of the Customer’s business, financial history, unusual pattern of activity, risk profile, background and behavior. All circumstances surrounding a transaction should be reviewed.

It follows that an important precondition for recognition of a suspicious transaction or activity is that the employees of the Company must know enough about the business relationship to recognize that a transaction or activity is unusual.

In case of suspicion, an employee is not expected to know the exact nature of the underlying criminal offence (called the predicate offence), or that the particular funds were those arising out of the crime or being used to finance international terrorism. The simple rule is, where a transaction raises any suspicion, the employee should as a first step request more information from the customer about the circumstances surrounding the transaction. He/she must decide if the explanation received is reasonable and legitimate and if not, report the transaction to the MLRO.

10.2 Unusual activity

According to Regulation 28(2) of the FIAML Regulations 2018, where a financial institution identifies any unusual activity in the course of a business relationship or occasional transaction the financial institution should:

a) perform appropriate scrutiny of the activity;
b) obtain EDD in accordance with regulation 12 only if this will not tip off the client; and c) consider whether to make an internal disclosure in accordance with the reporting procedures established under regulation 27.

Unusual activity includes, but not limited to, any activity or information relating to a business relationship, occasional transaction or an attempted transaction where there is no apparent economic or lawful purpose, including transactions that are:

a) complex;
b) both large and unusual; or
c) of an unusual pattern. Unusual activity also includes, but not limited to, anything that causes the financial institution to doubt the identity of the customer (including beneficial owners and controllers or introducer, where appropriate) or anything that causes the financial institution to doubt the good faith of the customer (including beneficial owners and controllers or introducer, where appropriate).

10.2.1 Unusual Situations

Situations that are likely to appear unusual include, inter alia:

a) transactions or instructions which have no apparent legitimate purpose and appear not to have a commercial rationale;
b) transactions, instructions or activity that involve apparent unnecessary complexity;
c) where the transaction being requested by the customer is out of the ordinary range;
d) where the size or pattern of transactions is out of line with expectations for that customer;
e) where the customer is not forthcoming with information about their activities, reason for a transaction, source of funds,

CDD documentation etc.

f) where the customer who has entered into a business relationship uses the relationship for a single transaction or for only a very short period of time where that was not expected;
g) the extensive use of offshore structures where the customer’s needs are inconsistent with the use of such services;
h) transfers to or from high-risk jurisdictions which are not consistent with the customer’s expected activity;
i) unnecessary routing of funds through third party accounts;
j) unusual investment transactions with no discernible purpose; and
k) extreme urgency in requests from the customer, particularly where they are not concerned by large transfer fees, early repayment fees etc.

The above is not an exhaustive list. Unusual activity is likely to be detected during ongoing monitoring, when receiving an application from a new customer, when receiving an instruction to carry out a transaction or during other communications with the customer.

Where a financial institution identifies unusual activity, Regulation 28(2) requires the financial institution to perform ‘appropriate scrutiny’ of the activity and to obtain EDD. Appropriate scrutiny of the activity may involve making enquiries of the customer and asking the questions as per the circumstances. Relevant processes should be in place to ensure that unusual activity alerts or incidences are reviewed and analyzed promptly so that an internal disclosure can be filed as soon as possible.

10.3 Suspicious transaction reporting procedures

According to Regulation 28(1) of the FIAML Regulations 2018, where a financial institution identifies any suspicious activity or has reasonable ground to suspect that a transaction is suspicious in the course of a business relationship or occasional transaction, the financial institution should:

a) consider obtaining EDD in accordance with Regulation 12 of the FIAML Regulations 2018; and
b) make an internal disclosure in accordance with the procedures established under Regulation 27 of the FIAML Regulations 2018.

The reporting procedures as above must also apply to prospective customers and transactions that were attempted but that did not take place. The MLRO should then consider the internal disclosure to assess whether an external disclosure need to be made to the FIU.

Regulation 27 of the FIAML Regulations 2018 requires a financial institution to have documented reporting procedures in place that will:

a) enable all its directors, management and all appropriate employees to know to whom they should report any knowledge or suspicion of ML/TF activity;
b) ensure that there is a clear reporting chain to the MLRO;
c) require reports to be made to the MLRO (“internal disclosures”) of any information or other matters that come to the attention of the person handling that business and which in that person’s opinion gives rise to any knowledge or suspicion that another person is engaged in ML/TF activity;
d) require the MLRO to then consider these reports in the light of all other relevant information available to determine whether or not it gives rise to any knowledge or suspicion of ML/TF activity;
e) ensure that the MLRO has full access to any other available information that may be of assistance; and
f) enable the information or other matters contained in a report (“external disclosure”) to be provided as soon as is practicable the Financial Intelligence Unit if the MLRO knows or suspects that another is engaged in ML/TF activity.

10.4 Potential Red Flags

The following is a non-exhaustive list of possible ML and TF red flags that the financial institution should be mindful of when dealing with a business relationship or occasional transaction:

a) The deposit or withdrawal of unusually large amounts of cash from an account;
b) Unwillingness to provide CDD documentation on beneficial owners/ controllers;
c) Deposits or withdrawals at a frequency that is inconsistent with the financial institution’s understanding of that customer and their circumstances.
d) Transactions involving the unexplained movement of funds, either as cash or wire transfers.
e) Payments received from, or requests to make payments to, unknown or un-associated third parties.
f) Personal and business-related money flows that are difficult to distinguish from each other.
g) financial activity which is inconsistent with the legitimate or expected activity of the
h) customer.
i) An account or business relationship becomes active after a period of dormancy.
j) The customer is unable or reluctant to provide details or credible explanations for
k) establishing a business relationship, opening an account or conducting a transaction.
l) The customer holds multiple accounts for no apparent commercial or other reason.
m) Bank drafts cashed in for foreign currency.
n) Early surrender of an insurance policy incurring substantial loss.
o) Frequent early repayment of loans. p) Frequent transfers indicated as loans sent from relatives.
q) Funds transferred to a charity or NPO with suspected links to a terrorist organization.
r) High level of funds placed on store value cards.
s) Insurance policy being closed with a request for the payment to be made to a third party.
t) large amounts of cash from unexplained sources.
u) Obtained loan and repaid balance in cash.
v) Purchase of high value assets followed by immediate resale with payment requested via cheque.

The above list is not exhaustive and its content is purely provided to reflect examples of possible red flags. The existence of one or more red flag does not automatically indicate suspicion and there may be a legitimate reason why a customer has acted in the manner identified.

10.5 Internal disclosures

It is a statutory obligation pursuant to Regulation 28(1) of the FIAML Regulations 2018 that an internal disclosure be made to the MLRO by all employees and report suspicious transactions promptly and directly to the MLRO or to his deputy in his/her absence. The format of Internal Disclosure Form (IDF) to be used is as per Annexure F.

The Company must ensure that the MLRO/DMLRO receives full cooperation from all staff and full access to all relevant documentation so that he/she is in a position to decide whether there are reasonable grounds to suspect money laundering or terrorist financing. The predicate offence need not be known or suspected, reasonable grounds to suspect should suffice.

In some urgent circumstances, an internal disclosure may be reported to the MLRO verbally and followed by the IDF. Failure to report suspicious transactions will constitute a breach of the FIAMLA 2002 and may entail criminal sanctions and interference with the preparation or submission of an internal STR may lead to disciplinary sanctions.

The MLRO shall be of sufficiently senior status and shall have relevant and necessary competence, authority and independence.

The Company must ensure that all employees are made aware of the identity of the MLRO and his/her Deputy, and the procedures to follow when making an internal disclosure report to the MLRO. Reporting lines should be as short as possible with the minimum number of people between the employee with suspicion and the MLRO. This ensures speed, confidentiality and accessibility to the MLRO. All disclosure reports must reach the MLRO without any undue delay. Under no circumstances should reports be filtered out by supervisors or managers such that they do not reach the MLRO.

The contact details of the Company’s MLRO and that of the Deputy MLRO are provided below:

	MLRO	Deputy MLRO
Name	Mrs. Ameera Bibi Goollam Kader	Mrs. Anju Rampersand
Email	ameera@premierfinservices.com	anju@premierfinservices.com
Telephone Number	+230 59725667	+230 54930182

All suspicions reported to the MLRO will be recorded in writing, even if the suspicion is reported verbally. The internal STR should include full details of the Customer and a full statement as to the information giving rise to the suspicion. The MLRO will acknowledge receipt of the internal STR and, at the same time, provide a reminder of the obligation to do nothing that might prejudice enquiries, that is, ‘tipping off’ the customer or any other person which is a criminal offence under Section 16 of the FIAMLA 2002 and upon conviction, be liable to a fine not exceeding 5 million rupees and to imprisonment not exceeding 10 years.

Regulation 3(3) of FIAMLR 2018 stipulates that “Where a person suspects money laundering, terrorism financing or proliferation financing, and he reasonably believes that performing the CDD process, may tip-off the customer, he shall not pursue the CDD process and shall file a suspicious transaction report under section 14 of the Act”.

Where an internal STR has been made, the MLRO shall assess the information contained within the disclosure to determine whether there are reasonable grounds for knowing or suspecting that the activity is related to money laundering, terrorism financing or proliferation financing. The MLRO will validate all internal STRs before submissions to the FIU and make sure that reports are not made in bad faith, maliciously and without reasonable grounds.

The MLRO should acknowledge receipt of the internal disclosure and at the same time, provide a reminder of the obligation to do nothing that might prejudice enquiries, such as tipping off the customer or any other third party.

10.6 External disclosures (Suspicious Transaction Reports)

Regulation 29(1) of the FIAML Regulations 2018 requires the MLRO, in the event of an internal disclosure being made, to assess the information contained within the disclosure to determine whether there are reasonable grounds for knowing or suspecting that the activity is related to ML/TF.

Regulation 29(2) of the FIAML Regulations 2018 and Section 14 of the FIAMLA requires the MLRO to make an external disclosure (in the form prescribed in Section 15 of the FIAMLA) as soon as practicable but not later than 5 working days from the day on which it becomes aware of a transaction if the MLRO:

a) knows; or
b) has reasonable grounds to believe, that an internal disclosure may be suspicious.

10.6.1 Reporting to the FIU

Once the MLRO has received the IDF from the staff, the MLRO shall assess the information and shall file a suspicious transaction report to the FIU through the FIU’s GoAML’s platform. All supporting documents which gave rise to the suspicion must also be filed on the GoAML platform. The FIU will provide an acknowledgement whether the report filed by the MLRO has been accepted or rejected. In the event of a rejection due to missing information, the report will need to re-submitted by the MLRO with all requirement information.

All reports must be duly registered as per section 10.7 below.

Once a report has been filed with the FIU against a client, the needful shall be done by the Company to register this client as ‘high-risk’ in its register of high-risk clients.

10.7 Recording of internal and external disclosures Regulation 30 (1)(a) of the FIAML Regulations 2018 requires the financial institution to establish and maintain a register of all ML/TF internal disclosures made to the MLRO or Deputy MLRO.

The register must include details of:

the date the report was made;
the person who made the report;
whether the report was made to the MLRO or Deputy MLRO; and;
information to allow the papers and relevant documentation to be located.

Regulation 30 (1)(b) of the FIAML Regulations 2018 requires the relevant person to establish and maintain a register of all ML/TF external disclosures made to the FIU. The register must include details of:

the date of the disclosure;
the person making the disclosure; and
information to allow the papers relevant to the disclosures to be located.

Regulation 30(2) of the FIAML Regulations 2018 states that the registers of internal and external disclosures may be contained in a single document if the details included in the registers can be presented separately for internal and external disclosures upon request by a competent authority.

10.8 Unusual Activity-Conducting “appropriate scrutiny” of unusual activity

Regulation 28(2) of the FIAML Regulations 2018 requires the relevant person to conduct ‘appropriate scrutiny’ of any unusual activity and to obtain EDD. The activity should be looked at in detail in conjunction with additional information such as the customer’s CDD, expected activity, an explanation of the activity from the customer, supporting documentary evidence or information from independent data sources. CDD provides the basis for recognizing unusual activity therefore it is imperative that CDD is satisfactory on all customers and that business relationships are monitored appropriately.

The aim of conducting ‘appropriate scrutiny’ is to enable the financial institution to determine whether the activity is in

fact suspicious and, if so, make a disclosure. If the activity is not deemed to be suspicious but still appears unusual or risky, the relevant person should consider other actions such as reviewing and updating the customer’s risk assessment, arranging further ongoing monitoring or considering whether they have the risk appetite to continue doing business with the customer.

When conducting ‘appropriate scrutiny’, other connected customers, accounts or relationships may need to be examined. Connectivity can arise though commercial connections e.g. linked accounts, introducers etc., or through connected individuals e.g. third parties, controllers, signatories etc. The need to search for information concerning connected accounts or relationships should not delay making an external disclosure to the FIU.

The nature and scale of the scrutiny required will vary greatly depending on the type of activity, the risk factors involved and the size and scope of the activity. Regardless of the methods adopted, it is essential that the investigation and outcome are clearly documented in a prompt and timely manner.

The following are likely to cause suspicion after conducting appropriate scrutiny:

a) the customer is unable or refuses to provide a reasonable explanation for the activity and this is perceived as being an attempt to conceal criminal conduct rather than the customer being awkward, unhelpful or secretive for personal reasons;
b) the explanation does not “sit right” or does not make economic sense. For example, a bank’s customer sending repeat small amounts on a regular basis overseas despite transfer fees incurred with no reasonable explanation;
c) documentation supplied appears to be fraudulent, incomplete or doctored;
d) independent data sources reveal negative information on the customer or related parties such as allegations of corruption; or
e) activity appears consistent with known ML/TF typologies.

The above list is non-exhaustive.

10.9 Appropriate scrutiny tips

The following tips should be borne in mind when conducting ‘appropriate scrutiny’:

a) Investigate until you feel comfortable with the activity or have sufficient information to submit a disclosure.
b) Consider using a broad range of data sources – e.g. companies register, address verification sites, social networks, news.
c) Obtain an understanding of the relationships between the customer and any related parties.
d) Find out if the customer is or was acting on behalf of another person. If so, who and why?
e) Compare the customer’s explanation with publicly available information. For example, if a large credit supposedly relates to the sale of a house, consider checking the address and average prices in that area.
f) Consider the information held against known typologies and high-risk indicators – transaction type, customer background, location and currency.
g) By checking the customer’s historic activity, you may be able to detect a pattern. For ex ample a local business may always see a surge in cash deposits in June due to tourism.
h) If requesting information or documentation from a customer, allow a reasonable timeframe for them to respond and communicate by phone, email, online messaging and fax wherever possible to expedite the process. It should be noted that further CDD should not be pursued if it may tip off the client.

i) If appropriate, use this as an opportunity to gain a better understanding of what activity to expect going forward.

10.10 Tipping Off

Section 16(1) of the FIAMLA states that no person directly or indirectly involved in the reporting of a suspicious transaction shall inform any person involved in the transaction or an unauthorized third party that the transaction has been reported or that information has been supplied to the FIU pursuant to a request made under section 13(2) or (3) of the FIAMLA.

Reasonable enquiries of a customer, conducted in a discreet manner, regarding the background to a transaction or activity which has given rise to the suspicion is prudent practice, forms an integral part of CDD and on-going monitoring, and should not give rise to tipping off. If the employee suspects that CDD will tip off the client, the employee should stop conducting CDD and instead the financial institution should immediately file an STR with the FIU.

10.11 Terminating a Business Relationship

Whether or not to terminate a business relationship is a commercial decision, except where required by law, for example, where the financial institution cannot obtain the required CDD information and EDD as applicable (Regulations 12(3) and 13(b) of the FIAML Regulations 2018).

The financial institution should in these cases consider the following points when interacting with its customer:

a) it will become apparent to criminals that elements of their criminal activity is known to the financial institution, if it begins to ask probing questions regarding certain activities or if it seeks to terminate the relationship or decline entering into a business relationship without a meaningful pretext. The financial institution is therefore encouraged to carefully consider the wording of any statements made to customers explaining their decision; and
b) the more information is included in the STR, the more valuable it will be to the FIU.

11.0 Record keeping

Financial institutions are expected to have appropriate and effective policies, procedures and controls in place to ensure that records including transactions are maintained during and after the course of the business relationship, either in the form of original documents or copies.

The books and records shall include:

a) all records obtained through CDD measures, including account files, business correspondence and copies of all documents evidencing the identity of customers and beneficial owners, and records and the results of any analysis/assessment undertaken in accordance with the FIAMLA, all of which shall be maintained for a period of not less than 7 years after the business relationship has ended.
b) records on transactions, both domestic and international, that are sufficient to permit reconstruction of each individual transaction for both account holders and non-account holders, which shall be maintained for a period of 7 years after the completion of the transaction; and
c) copies of all suspicious transaction reports made pursuant to section 14 or other reports made to FIU in accordance with the FIAMLA, including any accompanying documentation, which shall be maintained for a period of at least 7 years from the date the report was made.

Where a financial institution destroys or removes any record (which includes register or document as per section 17F of

the FIAMLA); or fails to warn or inform the owner of any funds of any report required to be made in respect of any transaction or any action to be taken with respect to any transaction; or facilitates or permit a transaction to be carried out under a false identity commits an offence and on conviction is liable to a fine not exceeding one million rupees and to imprisonment for a term not exceeding 5 years.

Records shall include account records of the customer during the course of the relationship and shall be kept as long as prescribed under the relevant legislation and will also include any audit report of the different functions of the financial institution. The following information should be kept for every transaction carried out in the course of a business relationship or one-off transaction:

a) the name and address of the customer;
b) if a monetary transaction, the kind of currency and the amount;
c) if the transaction involves a customer’s account, the number, name or other identifier for the account;
d) the date of the transaction;
e) details of the counterparty, including account details;
f) the nature of the transaction; and g) details of the transaction.

Customer transaction records must provide a clear and complete transaction history of incoming and outgoing funds or assets.

Financial institutions are requested to keep sufficient records to demonstrate that their CDD measures are appropriate in view of the risk of money laundering and terrorist financing and are required to demonstrate that records of customer identification and verification can be retrieved quickly and without delay in line with the relevant legislative framework.

Financial institutions must maintain records of all transactions undertaken on behalf of the customer during the course of a business relationship, either in the form of original documents or copies. Where copies of the original identification documents (passports, national ID, driver’s license or any acceptable form of identification) are maintained, these copies should be duly certified in accordance with the CDD measures in place.

Regardless of the form in which the financial institution chooses to keep records, correspondence records must be sufficiently detailed to enable a transaction to be readily reconstructed at any time. Transaction records must adequately identify the nature and date of the transaction, who initiated the transaction (instructions can be given through various means – emails, regular instructions, etc.), the type and amount of currency, the type and number of any account with the financial institution, and the name and address of the financial institution and the responsible officer, employee or agent.

In the case of negotiable instruments other than currency, records must include particulars of the name of the drawer and the payee (if any), the financial institution on which it was drawn, the amount, date, and number (if any) of the instrument, and any endorsement details.

Financial institutions must not enter into outsourcing arrangements or place reliance on third parties to retain records where access is likely to be impeded by confidentiality or data protection restrictions. Records held by third parties are not considered to be in a readily retrievable form unless the financial institution is reasonably satisfied that the third party is itself an institution which is able and willing to keep and disclose such records when so required. Financial institutions must

maintain records of all AML/CFT training delivered to employees.

These records must include:

a) the dates on which the training was provided;
b) the nature of the training, including its content and mode of delivery; and
c) the names of the employees who received the training. Moreover, records should also include any assessment/audit carried out by the financial institution.

Where the records are being held electronically, the financial institution should ensure that the working documents should be legible and in a usable filing system, so that they can be retrieved/found without undue delay and produced on a timely basis especially where the originals are not to be retained.

Where a financial institution chooses to implement an electronic storage system, the financial institution should carry out an assessment of the risk, this risk assessment should be documented. Based on the risk assessment the financial institution may determine whether it is appropriate to retain the originals.

Where a financial institution is aware that a request for information or an enquiry is being conducted by a competent authority, the financial institution must retain the relevant records for as long as required by the competent authority.

12. Employee Recruitment, Screening and Training

One of the most important tools available to financial institutions, to assist in the prevention and detection of financial crime, is to have appropriately screened employees who are alert to the potential risks of ML and TF and who are well trained with respect to the CDD requirements and the identification of unusual activity, which may prove to be suspicious.

The effective application of even the best designed systems, policies, procedures and controls can be quickly compromised if employees lack competence or probity, are unaware of, or fail to apply, the appropriate policies, procedures and controls or are not adequately trained.

12.1 Obligations

The financial institution is required, under Regulation 22(1)(b) of FIAML Regulations 2018, to implement programmers for screening procedures so that high standards are maintained when hiring employees. Furthermore, Regulation 22(1)(c) of FIAML Regulations 2018 states that programmers against money laundering and terrorism financing should also be in place to include ongoing training programmer for the directors, officers and employees of the financial institution, to maintain awareness of the laws and regulations relating to money laundering and terrorism financing to (i) assist them in recognizing transactions and actions that may be linked to money laundering or terrorism financing; and (ii) instruct them in the procedures to be followed where any links have been identified under sub subparagraph (i).

12.2 Board Oversight

The Board must be aware of the obligations of the financial institution in relation to employee screening and training.

The financial institution must ensure that the training provided to officers and employees is comprehensive and ongoing

and that the officers and employees are aware of ML and TF, the associated risks and vulnerabilities of the financial institution, and their corresponding obligations.

The financial institution must establish and maintain mechanisms to measure the effectiveness of the AML and CFT training provided to relevant employees and on a risk-based approach.

In order to measure the effectiveness of AML and CFT training, the financial institution could consider it appropriate to incorporate an exam or some form of assessment into its on-going training programmer, either as part of the periodic training provided to employees or during the intervening period between training.

Regardless of the methods utilized, the board should ensure that it is provided with adequate information on a sufficiently regular basis in order to satisfy itself that the financial institution’s employees are suitably trained to fulfil their personal and corporate responsibilities.

12.3 Screening Requirements

In order to ensure that employees are of the required standard of competence, which will depend on the role of the employee, the financial institution must give consideration to the following prior to, or at the time of, recruitment:

a) obtaining and confirming details of employment history, qualifications and professional memberships.
b) obtaining and confirming appropriate references;
c) obtaining and confirming details of any regulatory action or action by a professional body taken against the prospective employee;
d) obtaining and confirming details of any criminal convictions, including the provision of a check of the prospective employee’s criminal record; and e) screening the employees against the UN’s list of designated persons under terrorist and proliferation financing targeted financial sanctions.

The financial institution should also carry out periodic ongoing of its employees against the UN’s list of designated persons under terrorist and proliferation financing targeted financial sanctions.

12.4 Methods of Training

Whilst there is no single or definitive way to conduct training, the critical requirement is that training is adequate and relevant to those being trained and that the content of the training reflects good practice.

The guiding principle of all AML and CFT training should be to encourage directors, officers and employees, irrespective of their level of seniority, to understand and accept their responsibility to contribute to the protection of the financial institution against the risks of ML and TF.

The precise approach adopted will depend upon the size, nature and complexity of the financial institution’s business. Classroom training, practical exams, videos and technology-based training programmers can all be used to good effect, depending on the environment and the number of directors, officers and employees to be trained.

Training should highlight to directors, officers and employees the importance of the contribution that they can individually make to the prevention and detection of ML and TF. There is a tendency, in particular on the part of more junior employees,

to mistakenly believe that the role they play is less crucial than that of more senior colleagues. Such an attitude can lead to failures in the dissemination of important information because of mistaken assumptions that the information will have already been identified and dealt with by more senior colleagues.

The Company will ensure that has good recordkeeping with regards to inhouse trainings and shall document all such trainings.

12.5 Frequency and Scope of Training

The financial institution must provide the appropriate level of AML and CFT induction training, or a written explanation, to all new employees, board members and senior management, before they become actively involved in the operations of the financial institution. Consideration should be given by the financial institution to establishing an appropriate minimum period of time by which, after the start of their employment, new employees should have completed their AML and CFT induction training. Satisfactory completion and understanding of any mandatory induction training should be a requirement to the successful completion of an employee’s probation period.

The financial institution must provide basic AML/CFT training to all employees at least every year. Some categories of employees should receive additional, specialized training according to their roles.

Training will also need to be carried out more frequently to meet the requirements of FIAML Regulations 2018, if new legislation or significant changes to this Handbook are introduced, or where there have been significant technological developments within the financial institution or with the introduction of new products, services or practices.

12.6 Content of Training

In providing the training required, pursuant to Regulation 22(1)(c) of FIAML Regulations 2018 and the Handbook, the financial institution must:

a) provide appropriate training to directors, officers and employees to enable them to competently analyze information and documentation, so as to enable them to form an opinion on whether the transactions and actions may be linked to money laundering or terrorism financing;
b) detail procedures that need to be followed if any links to money laundering or terrorism financing have been identified;
c) prepare and provide to employees a copy, in any format, of the financial institution’s policies, procedures and controls manual for AML and CFT; and
d) ensure employees are fully aware of all applicable legislative requirements.

In accordance with Regulation 22(1)(c) of FIAML Regulations 2018, the ongoing training provided by the financial institution shall cover:

a) the FIAMLA, FIAML Regulations 2018, and the Handbook;
b) the implications of non-compliance by employees to requirements of FIAMLA, FIAML Regulations 2018, and the Handbook; and
c) the financial institution’s policies, procedures and controls for the purposes of foreseeing, preventing and detecting ML and TF.

The financial institution must ensure that the ongoing training provided to directors, officers and employees also covers, to a minimum:

a) the requirements for the internal and external disclosing of suspicion;
b) the criminal and regulatory sanctions in place, both in respect of the liability of the financial institution and personal liability for individuals, for failing to report information in accordance with the policies, procedures and controls of the financial institution;
c) the identity and responsibilities of the MLRO, CO and Deputy MLRO;
d) dealing with business relationships or occasional transactions subject to an internal disclosure, including managing the risk of tipping off and handling questions from customers;
e) those aspects of the financial institution’s business deemed to pose the greatest ML and TF risks, together with the principal vulnerabilities of the products and services offered by the financial institution, including any new products, services or delivery channels and any technological developments;
f) new developments in ML and TF, including information on current techniques, methods, trends and typologies;
g) the financial institution’s policies, procedures and controls surrounding risk and risk awareness, particularly in relation to the application of CDD measures and the management of high risk and existing business relationships;
h) the identification and examination of unusual transactions or activity outside of that expected for a customer;
i) the nature of terrorism funding and terrorist activity in order that employees are alert to transactions or activity that might be terrorist-related;
j) the vulnerabilities of the financial institution to financial misuse by PEPs, including the effective identification of PEPs and the understanding, assessing and handling of the potential risks associated with PEPs; and
k) UN, EU and other sanctions and the financial institution’s controls to identify and handle natural persons, legal persons and other entities subject to sanction.

The above list is non-exhaustive and there may be other areas the financial institution may deem appropriate to include, based on the business of the financial institution and the conclusions of its business risk assessments.

12.7 Additional Training requirement

The financial institution shall also identify employees who, in view of their particular responsibilities, should receive additional and ongoing training, appropriate to their roles, and it shall provide such additional training.

This part sets out those categories of employee who are to be provided with additional training, together with the particular focus of the additional training provided. The categories below are not exhaustive and the financial institution may identify other employees who it considers require additional training.

12.7.1 The Board and Senior Management

The Board and senior management must receive adequate training to ensure they have the knowledge to assess the adequacy and effectiveness of policies, procedures and controls to counter the risk of ML and TF.

The additional training provided to the Board and senior management must include, at least, a clear explanation and understanding of:

offences and penalties arising for non-reporting or for assisting money launderers or those involved in terrorist financing;
requirements for CDD including verification of identity and retention of records; and
in particular, the application of the financial institution’s risk-based strategy and procedures.

12.7.2 The Money Laundering Reporting Officer and Deputy Money Laundering Reporting Officer

Ongoing professional development, including participating in professional associations and conferences, is vital for MLROs/ DMLROs. In addition, MLROs and DMLRO should receive in depth training on all aspects of the prevention and detection of ML/TF, including, but not limited to:

a) AML/CFT legislative and regulatory requirements;
b) the international standards and requirements on which the Mauritius’ strategy is based, namely the FATF 40 Recommendations and ML/TF typology reports that are relevant to their business;
c) the identification and management of ML/TF risk;
d) the design and implementation of internal systems of AML/CFT control;
e) the design and implementation of AML/CFT compliance testing and monitoring programs;
f) the identification and handling of suspicious activity and arrangements and suspicious attempted activity and arrangements;
g) the money laundering and terrorist financing vulnerabilities of relevant services and products;
h) the handling and validation of internal disclosures;
i) the process of submitting an external disclosure;
j) liaising with law enforcement agencies;
k) money laundering and terrorist financing trends and typologies; and l) managing the risk of tipping off.

12.7.3 The Compliance Officer

The CO is responsible for ensuring continued compliance with the requirements of FIAMLA and FIAML Regulations 2018 and having an overall oversight of the program for combatting money laundering and terrorism financing amongst others (Regulation 22(3) of FIAML Regulations 2018).

The CO should receive in depth training on all aspects of the prevention and detection of ML/TF, including, but not limited to, addressing the monitoring and testing of compliance systems and controls (including details of the financial institution’s policies and procedures) in place to prevent and detect ML and TF.

13.0 AML/CFT Independent Audit

Regulation 22(1) (d) of the FIAML Regulations requires that financial institutions shall have in place an audit function to review and verify compliance with and effectiveness of the measures taken in accordance with the FIAMLA and FIAML Regulations.

An AML/CFT independent audit is a vital element of any effective compliance programmer for financial institutions. By virtue of the FIAMLA and FIAML Regulations, there is a statutory obligation on every financial institution to have in place an audit function which will allow the reporting entity to evaluate its AML/CFT programmer and to ascertain whether the established policies, procedures, systems and controls are adapted with the money laundering and terrorism financing risks identified. The objective of an independent audit is to form a view of the overall integrity and effectiveness of the AML programmer, including policies, procedures and processes.

Conducting a successful independent audit enables a financial institution to ensure that its policies, procedures and controls remain up to date, recognize deficiencies in regulatory compliance system and develop ways to remediate the breaches in order to be compliant with the prevailing legislation.

13.1 Scope of independent audit

In line with international best practices, the independent audit exercise should be risk-based. Independent audit is the financial institution’s final line of defense; therefore, it is vital to ensure that the AML/CFT independent audit is tailored to the financial institution’s risks. The scope of the independent audit exercise is mainly a verification of the AML/CFT risk faced by the financial institution.

Typically, every independent audit should mandatorily test compliance in the following non- exhaustive areas:

AML/CFT policies and procedures;
Internal Risk Assessment;
Risk Assessment on the use of third-party service providers (Outsourcing);
Compliance Officer function and effectiveness;
MLRO function and effectiveness;
Implementation and Effectiveness of Mitigating Controls, including customer due diligence and enhanced measures;

AML/CFT Training;

Record Keeping Obligations;
Targeted Financial Sanctions; and
Suspicious Transaction Monitoring and Reporting

13.2 The Audit Professional

Regulation 22 (1) (d) of the FIAML Regulations 2018 requires the audit process to be carried out independently. The person or firm conducting the audit should be independent and must not be involved in the development of a financial institution’s AML/CFT risk assessment, or the establishment, implementation or maintenance of its AML/CFT programmer.

The person or firm conducting the audit should have the necessary skills, qualifications, relevant experience of the audit process, have a proper understanding of the FIAMLA and its supporting regulations as well as sufficient knowledge of the financial institution’s industry. In order to ensure that the audit is properly conducted as required under the FIAMLA and FIAML Regulations 2018, the audit professional needs to provide quality recommendations, so that the financial institution can use the findings and recommendations to improve upon deficient areas.

On an annual basis or at such other time(s) as may be approved by the Board, the Company shall appoint a third party or such other person as may be approved by the Board to carry out an independent audit, in order to test the ML and TF policies, procedures and controls of the Company.

14.0 Others

14.1 Assurance Testing

The Financial Institution shall take all measures to test the organization’s lines of defense, taking into account current and emerging threats. It shall allocate resources in respect of compliance and audit, through the adoption of a risk-based approach. Client files shall be reviewed on a quarterly basis.

14.2 Execution of Client Agreement covering AML/CFT aspects

Any applicant for business is also required to enter into a client agreement with the Company or such other agreements which also contain AML/CFT matters.

14.3 Appropriate Certification

All CDD documentations should be received by the Financial Institution in either original form or duly certified. The Financial Institution can accept certifications from the following certifiers:

a) A lawyer, notary, actuary or an accountant holding a recognized professional qualification;
b) A serving police or customs officer;
c) A member of the judiciary;
d) A senior civil servant;
e) An employee of an embassy or consulate of the country of issue of identity documentation;
f) A director or secretary (holding a recognized professional qualification) of a regulated financial services business in Mauritius or in an equivalent jurisdiction; or
g) A Commissioner of Oaths
h) Such other acceptable certifiers

If an employee meets an applicant for business and that was face to face where he had access to original documents, then he can make copies of these and have them certified as true copies of the original.

14.4 Registers

The Financial Institution shall keep a register of breaches, a register of high-risk clients as well as a register of PEPs.

14.5 Search Tools

Search tools used are as follows:

ANNEXURES
Annexure A: Business Risk Assessment (Assessment criteria’s can be accessed on the Company’s Server)

Annexure B: Client Risk Assessment ((Assessment criteria’s can be accessed on the Company’s Server)

Annexure C: Declaration of Source of Funds

Annexure D: Declaration of Source of Wealth

Annexure E: PEP Declaration Form

Annexure F: Internal Disclosure Form to MLRO

DECLARATION OF SOURCE OF FUNDS

SKY LINKS CAPITAL LIMITED

SECTION 1: CLIENT INFORMATION

· Full Name (Individual/Entity):

· Date of Birth/Registration:

· Nationality (for individuals) / Country of Incorporation (for entities):

· Address:

· Contact Number:

· Email Address:

· Client Account Number (if applicable):

SECTION 2: TRANSACTION DETAILS

· Amount of Funds (Currency & Amount):

· Purpose of Funds: (Select as applicable)

☐ Investment

☐ Business Transactions

☐ Real Estate Purchase

☐ Personal Savings

☐ Loan Repayment

☐ Other (Please specify):

· Date of Transaction/Expected Transfer:

SECTION 3: SOURCE OF FUNDS INFORMATION

(Provide details and attach supporting documents)

		Source of Funds	Details

				Employer Name: Job Title: Employment Duration: Monthly/Annual Income:
	Salary/Wages


				Business Name: Nature of Business: Registration No.: Annual Revenue:
	Business Income


				Type (Stocks, Bonds, Crypto, etc.): Financial Institution/Broker: Investment Value:
	Investments


				Asset Type (Real Estate, Vehicle, etc.): Sale Price: Date of Sale:
	Sale of Property/Assets


				Name of Giver/Estate: Relationship to Client: Value: Date Received:
	Inheritance/Gift


				Lending Institution/Person: Loan Amount: Loan Term:
	Loan Proceeds


Attach relevant supporting documents, such as salary slips, business financials, tax returns, sale agreements, investment statements, inheritance documents, or loan agreements.
SECTION 4: DECLARATION & CLIENT SIGNATURE
I, [Full Name], hereby declare that the funds used for the above transaction are obtained from legitimate sources and are not derived from any illicit activities, including but not limited to money laundering, terrorism financing, fraud, or other financial crimes.
I confirm that the information provided in this declaration is true, complete, and accurate to the best of my knowledge. I understand that Sky Links Capital Limited reserves the right to request additional information or documentation and that false declarations may result in legal or regulatory consequences.
Client Signature:
Date:

Official Use (Reviewed by Compliance Officer):
	o
	o Date:
	o Approval Status: ☐ Approved ☐ Rejected ☐ Further Information Required.

Annexure D: DECLARATION OF SOURCEOF WEALTH

DECLARATION OF SOURCE OF WEALTH (SOW) FORM

SECTION 1: CLIENT INFORMATION

Full Name: Date of Birth:

Nationality: Passport/ID Number: Residential Address:

City: Country: Email Address:

Contact Number:

SECTION 2: ACCOUNT DETAILS

Account Number (if applicable): Nature of Business/Occupation: Employer/Business Name: Employer/Business Address:

SECTION 3: SOURCE OF WEALTH INFORMATION

(Please select the applicable sources and provide supporting documentation)

· Employment Income – Provide latest salary slips/employment contract/tax return

· Business Profits – Provide audited financial statements/tax returns

· Inheritance – Provide will/probate document

· Investment Income – Provide portfolio statements/dividend receipts

· Sale of Property/Assets – Provide sale agreement/title deed/bank statement

· Gift/Donation – Provide notarized gift deed/statement from donor

· Other (Specify):

SECTION 4: BANKING DETAILS

Name of Bank: Account Number: Country of Bank: SWIFT Code/IBAN:

SECTION 5: DECLARATION

I, (Full Name), hereby declare that the information provided in this form is true, complete, and accurate to the best of my knowledge. I understand that Sky Links Capital

Limited reserves the right to request additional information and documentation as part of its due diligence obligations under applicable laws and regulations, including but not

limited to Mauritius’ Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) framework.

I further confirm that the funds being used for transactions with Sky Links Capital Limited are derived from legitimate sources and are not related to any criminal activity. I acknowledge that providing false or misleading information may result in the termination of my business relationship and potential legal action.

Signature: Date:

FOR OFFICIAL USE ONLY

Reviewed By: Designation: Date of Review:

Compliance Approval: □ Yes □ No

Comments:

Confidentiality Notice: This document is strictly confidential and will be used solely for compliance and regulatory purposes in accordance with the General Data Protection Regulation (GDPR) and Mauritius Data Protection Act (DPA 2017).

ANNEXURE E: PEP DECLARATION FORM

POLITICALLY EXPOSED PERSON (PEP) DECLARATION FORM (MAURITIUS)

SECTION 1: CUSTOMER INFORMATION

Full Name:

Date of Birth:

Nationality:

Identification Number (National ID/Passport No.):

Residential Address:

Contact Number:

Email Address:

SECTION 2: DECLARATION OF POLITICAL EXPOSURE

Are you or any immediate family member/close associate considered a Politically Exposed Person (PEP)?

Yes ☐

No ☐

If yes, please provide details:

Position Held:

Country where position is/was held:

Duration of Position (From – To):

Relationship (if applicable):

Do you currently hold any prominent public function or are you a close associate of someone who does?

Yes ☐

No ☐

If yes, please specify:

Name of Official:

Relationship:

Nature of Influence:

SECTION 3: SOURCE OF FUNDS/WEALTH

Please specify the source(s) of funds for transactions with our institution:

☐ Salary/Employment Income

☐ Business Income

☐ Investment Returns

☐ Inheritance/Gift

☐ Other (please specify):

Please specify the source(s) of overall wealth:

☐ Employment/Occupation

☐ Business Ownership

☐ Investments

☐ Other (please specify):

SECTION 4: DECLARATION AND SIGNATUREI, the undersigned, hereby declare that the information provided above is true, accurate, and complete to the best of my knowledge. I undertake to promptly notify the institution of any changes in my PEP status.

Signature: Date:

FOR OFFICIAL USE ONLY Verified by (Name & Signature):

Date:

Remarks (if any):

Note: This declaration is required under Mauritius’ Financial Intelligence and Anti-Money Laundering Act (FIAMLA) and other applicable regulation

Annexure F: INTERNAL DISCLOSURE FORM to MLRO

Department

Name:

Breach Reference:

FSC Rule Reference:

Sky Links Capital Limited

Procedure Reference:

Date Breach Occurred:

Date Breach Identified:

Date Breach Rectified:

Description of the Breach:

Advertent?

Inadvertent?

Action Taken to Correct the Breach:

Any Loss Incurred?

Yes

Value (AED):

Loss Reported to Senior

Management?

Yes

Date reported:

Name of Preparer of

Breach Report:

Signature

Name of Department

Head:

Signature

Compliance Review:

Satisfactory Explanation Given:

Yes

Action Taken to Rectify Breach

Adequate:

Yes

Breaches Log Updated:

Yes

Escalate to Senior Management /

Board

Yes

Escalate to Regulator:

Yes

Date Breach Closed:

SKY LINKS CAPITAL LIMITED

cs@skylinkscapital.com

Legal Documents

Resources

Trading Products