The MAS on 15 July 2020, issued a guidance paper highlighting their findings based on thematic inspections carried out on capital markets intermediaries (“CMIs”) to assess the adequacy of their oversight of anti-money laundering and countering the financing of terrorism (“AML/CFT”) service providers (“ASPs”), and their understanding of the key control functions outsourced to these ASPs.

The MAS reiterated that the Board and senior management of CMIs need to understand money laundering and terrorism financing (“ML/TF”) risks and exercise strong oversight over their AML/CFT controls, even when the CMIs decide to outsource AML/CFT control functions to service providers. CMIs must ensure that they have effective policies, procedures, and controls to deal with ML/TF risks, as well as to have appropriate compliance arrangements in place, including AML/CFT outsourcing arrangements where they exist.

CMIS’ DEFICIENCIES

The MAS noted from the inspections that the conduct of customer due diligence (“CDD”) measures, screening and ML/TF risk profiling of customers are control functions commonly outsourced. However,
deficiencies that were commonly observed are in stages 1 and 3 of the outsourcing process. The stages:

1. Performing due diligence on ASPs
2. Review of contractual terms
3. The regular monitoring of ASP’s performance

Key weaknesses noted in the CMIs’ due diligence on ASPs (i.e. stage 1):

• Several CMIs did not have a formalised approach to assess the suitability and ability of ASPs to perform the required AML/CFT control functions.
• In some instances, CMIs’ due diligence of ASPs was ad-hoc in nature, with assessment considerations overly geared towards cost considerations or the perceived reputation of the ASPs.
• Many CMIs did not have a good understanding of the ASPs’ actual AML/CFT practices, and hence failed to ensure they were in line with the CMIs’ own policies and procedures and MAS’ requirements.
• Lack of attention to contractual terms, which resulted in significant differences between the actual scope of AML/CFT control functions outsourced to the ASP and the CMI’s intended scope of the arrangement.

Strengthening the due diligence framework requires having:

• Board and senior management to set the tone. To have in place a clear and formalised policy to evaluate the outsourcing of AML/CFT control functions to ASP.
• Structured assessment process with defined criteria. Assessing the reputation, skill, and experience of the ASP. Performing a gap analysis to ensure that the ASP has adequate policies and procedures which meet the CMI’s requirements.
• A well-defined outsourcing agreement. Sets out the scope of the outsourcing and the roles and responsibilities of the ASP.
• Proper documentation of assessments and approvals. Sets out clearly the basis for the appointment, and a timeframe for the re-performance of due diligence on the ASP.

Key weaknesses noted in the regular monitoring of ASPs’ performance (i.e. stage 3):

• Several CMIs did not have monitoring mechanisms to oversee their ASPs’
  implementation of key AML/CFT control functions.
• In some cases, CMIs merely relied on the ad-hoc escalation of issues by ASPs of
  their own accord.
• Quality assurance reviews by CMIs were lacking.
• Several CMIs did not have a formalised approach to conduct regular postappointment reviews of their ASPs.

Strengthening regular oversight of ASPs requires having:

• Board and senior management’s involvement to ensure effective oversight over outsourcing arrangements and to manage outsourcing risks.
• Regular monitoring and defined escalation mechanisms.
• Regular reviews to include defined metrics to guide the review, quality assurance reviews, timely follow-up with the ASP on agreed remediations, and periodic review assessments with proper documentation.

MAJOR LAPSES BY ASPS UNDETECTED BY CMIS

Several CMIs failed to detect major lapses by ASPs which resulted in the CMIs breaching MAS’ AML/CFT requirements. The root causes were mainly a combination of the CMIs’ inadequate understanding of the ASPs’ practices and their lack of proper oversight and timely monitoring mechanisms to oversee the ASPs.

The weak practices by ASPs included:

• Protracted delays in conducting periodic reviews of existing customers.
• Enhanced CDD measures were not duly completed; higher risk customers were
  wrongly rated as “medium risk” by the ASP.
• Screening of existing customers was not conducted.

CONCLUSION

CMIs remain responsible for complying with AML/CFT requirements even when they outsource the AML/CFT control functions. The Board and senior management play a pivotal role when their firm’s functions are outsourced, and they need to set a strong tone from the top to ensure that the firm’s AML/CFT controls remain effective. The MAS observed gaps in CMIs’ oversight of AML/CFT outsourcing arrangements, particularly in the evaluation of potential ASPs and the ongoing monitoring of ASPs post-appointment. These deficiencies exposed CMIs to potential regulatory and reputational risks. In more severe cases, material lapses in AML/CFT controls were noted, which led to breaches of AML/CFT requirements. This often arose due to a combination of the CMIs’ lack of understanding of the ASPs’ practices, and an absence of proper oversight and timely monitoring. CMIs should conduct a gap analysis against the best practices outlined in this guidance as well as MAS’ Guidelines on Outsourcing (Oct 2018), and take appropriate measures to enhance their practices.