These guidelines may be cited as the Insurance (Anti-Money Laundering and Combating Financing of Terrorism) Guidelines.
In these guidelines, unless the context otherwise requires—
means the Insurance Act;
refers to Insurance Regulatory Authority;
refers to the beneficiary to the insurance contract;
refers to the Financial Reporting Centre established under section 21 of Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A);
refers to a policyholder or prospective policyholder;
has the same meaning as provided for under the Proceeds of Crime and Anti-Money Laundering Act (Cap. 59A);
has the same meaning as defined in the Proceeds of Crime and Anti Money Laundering Regulations (sub. leg); and
refers to insurers, takaful operators and microinsurers underwriting life assurance, brokers and agents licensed under the Act.
The object of these guidelines shall be to outline the requirements for regulated entities to develop programmes to effectively combat money laundering and financing of terrorism activities.
These guidelines shall apply to regulated entities.
A regulated entity shall establish and maintain a anti-money laundering and combating financing of terrorism program including comprehensive risk assessment, screening process and controls to mitigate any risks arising from money laundering or financing of terrorism.
A regulated entity shall adopt policies on anti-money laundering and combating financing of terrorism for the prevention of transactions that may facilitate money laundering or financing of terrorism.
A regulated entity shall formulate and implement internal procedures and other controls to deter criminals from using its services and products for money laundering and financing of terrorism.
The board of a regulated entity shall—
establish policies and procedures for the prevention, detection, reporting and control of money laundering and financing of terrorism activities; and
promote a strong risk and compliance culture and develop monitoring and reporting mechanisms to support anti-money laundering and combating financing of terrorism controls.
The management of a regulated entity shall—
develop, implement and issue to its staff instruction manuals setting out procedures for—
customer acceptance and identification;
customer due diligence;
record-keeping;
identification and reporting of suspicious transactions;
staff screening and training; and
establishing legitimate sources of funds;
ensure that the internal audit or compliance function regularly verifies compliance with anti-money laundering and financing of terrorism policies, procedures and controls;
assess and ensure that the risk mitigation procedures and controls work effectively;
register with the Centre and comply with the any reporting requirements;
report to the Centre suspicious transactions; and
appoint a Money Laundering Reporting Officer.
A regulated entity shall appoint a person in management as a Money Laundering Reporting Officer who shall have relevant competence, authority and independence.
Other than in the case of a sole proprietor, a principal officer and internal auditor of a regulated entity shall not qualify to be appointed as a Money Laundering Reporting Officer.
A Money Laundering Reporting Officer of a regulated entity shall—
co-ordinate the development of a programme on anti-money laundering and combating financing of terrorism compliance;
monitor, review and co-ordinate the implementation of the anti-money laundering and combating financing of terrorism compliance program;
receive and vet suspicious transaction reports from the regulated entity's staff;
submit suspicious transaction reports to the Centre;
co-ordinate the training of staff in anti-money laundering and combating financing of terrorism awareness, detection methods and reporting requirements;
together with the human resources function, ensure that new members of staff are screened; and
act as a liaison officer for the Authority and Centre and a point of contact for all employees on issues relating to money laundering and financing of terrorism.
A regulated entity shall ensure that the Money Laundering Reporting Officer has access to other information that may be of assistance to the officer in respect of suspicious or unusual transaction reports.
The board of a regulated entity shall ensure that—
annual independent audits of the internal anti-money laundering and combating financing of terrorism measures are undertaken to determine their effectiveness;
that the roles and responsibilities of the auditor are clearly defined and documented including—
checking and testing compliance with relevant legislations on money laundering and financing of terrorism; and
assessing whether current measures are consistent with developments and changes of anti-money laundering and combating financing of terrorism requirements.
The auditor shall submit a written report on the audit findings to the board highlighting any inadequacies in internal anti-money laundering and combating financing of terrorism measures and controls and the board shall ensure that necessary measures are taken to rectify the inadequacies.
A board of a regulated entity shall ensure that audit findings and reports are submitted to the Authority within thirty days of receiving the findings or reports but in any event not later than the 31st January of every year.
A regulated entity shall establish and maintain an anti-money laundering and combating financing of terrorism program that sets out the internal policies, procedures and controls necessary to detect money laundering and financing of terrorism and to manage and mitigate the risk of money laundering and financing of terrorism.
An anti-money laundering and combating financing of terrorism program shall include—
the appointment of a Money Laundering Reporting Officer;
the development and regular review of internal policies, procedures and controls;
assessment and documentation of risks related to money laundering and financing of terrorism, and the documentation and implementation of mitigation measures to deal with the risks;
continuing training for employees and agents; and
an independent review of the policies, procedures and internal controls to test their effectiveness and efficiency.
A money laundering and financing of terrorism program shall take into account the nature, scale and complexity of the regulated entity and the nature and degree of money laundering and financing of terrorism risks'facing the entity.
The money laundering and financing of terrorism program shall be documented, approved by the board and communicated to all levels of the regulated entity.
A regulated entity shall develop and maintain an anti-money laundering and combating financing of terrorism policy which including—
a high-level summary of key controls and objectives of the policy;
a statement that the anti-money laundering and combating financing of terrorism policy applies to all areas of the business including on a global basis—
to waivers and exceptions; and
to operational controls.
The operational controls of an anti-money laundering and combating financing of terrorism policy shall include—
a statement of responsibility for compliance with the anti-money laundering and combating financing of terrorism policy;
customer due diligence including—
customer identification and verification;
additional Know Your Customer information;
high-risk customers;
non-face-to-face business, where applicable;
reinsurance arrangements;
the handling of politically exposed persons;
monitoring and reporting of suspicious transactions;
co-operation with other relevant authorities;
record-keeping;
screening of transactions and customers;
employee training and awareness; and
adoption of risk management practices and use of a risk-based approach.
A regulated entity shall develop a compliance policy statement on the commitment of senior management and board of the entity to develop anti-money laundering and combating financing of terrorism objectives and implementation of measures to deter the use of its services and products for money laundering and financing of terrorism.
An anti-money laundering and financing of terrorism policy shall establish clear responsibilities and accountabilities within the regulated entity to ensure that policies, procedures and controls are developed and maintained to deter criminals from using their services and products for money laundering and financing of terrorism.
An anti-money laundering and financing of terrorism policy shall include—
standards and procedures for compliance with applicable laws and regulations;
a description of the role of the Money Laundering Reporting Officer and other relevant employees;
screening programs for hiring employees;
incorporating anti-money laundering compliance in job descriptions and performance evaluations of appropriate employees;
mechanisms for program continuity when there are changes in management or employee composition or structure; and
any other issue as may be required by the Authority.
The compliance policy statement shall include a statement that-
employees shall comply with applicable laws and regulations and corporate ethical standards;
activities by the regulated entity shall comply with applicable laws and regulations;
directs staff to a compliance officer or other knowledgeable individual when there is a question regarding compliance matters; and
employees shall be held accountable for carrying out their compliance responsibilities.
A regulated entity shall establish—
screening procedures when hiring employees and agents taking into account the risks identified in the entity's risk assessment; and
policies, procedures and controls for the regular vetting senior managers, the Money Laundering Reporting Officer and any other employee whose role involves anti-money laundering and combating financing of terrorism duties.
A regulated entity shall establish measures to ensure that the members of the board, employees and agents are regularly trained on—
anti-money laundering and combating financing of terrorism laws and regulations;
prevailing techniques, methods and trends in money laundering and financing of terrorism; and
the entity's internal policies, procedures and controls on anti-money laundering and financing of terrorism.
A regulated entity shall document and maintain the following in respect of training—
scope and nature of the training;
the tasks to be undertaken by staff who have had anti-money laundering and financing of terrorism training;
application of the anti-money laundering and financing of terrorism training, including frequency and delivery methods;
monitoring to ensure that members of staff have completed the required training;
tailoring training for different employees based on tasks carried out and degree of anti-money laundering and financing of terrorism risk the entity faces from members of staff in their positions; and
whether and how employees are assessed for knowledge, application and retention of the anti-money laundering and financing of terrorism training.
A regulated entity shall—
conduct a risk assessment of its customers to identify the type of customers with a high risk of money laundering and financing of terrorism;
establish measures in its internal policies and procedures to address the different kinds of risks posed by its customers;
apply a risk-based approach in the assessment of risks associated with money laundering and financing of terrorism in respect to—
customers and business relationships;
products and services;
distribution channels;
geographical location; and
other relevant factors;
take into consideration the following factors when conducting risk assessment of customers or type of customers—
the origin of the customer and location of business;
background of the customer;
nature of the customer's business;
structure of ownership for a corporate customer; and
any other information that may indicate whether or not the customer is of higher risk;
monitor the patterns of each customer's transactions to ensure it is in line with the customer's profile and reassess the customer's risk profile if there are material changes;
incorporate the following in its risk assessment and profiling processes—
documentation on risk assessment and findings;
consider all relevant factors before determining the level of overall risk and appropriate level and type of mitigation to be applied;
ensure that risk assessment procedures are up to date; and
conduct an assessment at least once every two years;
take enhanced measures to manage and mitigate high risks;
apply simplified mitigation measures for low risks;
document the outcome of risk assessment and submit the report the Authority upon request.
A regulated entity shall—
conduct customer due diligence and establish the identity and legal existence of customers based on reliable and independent source documents; and
conduct customer due diligence when—
establishing business relationship with a customer;
carrying out cash or occasional transactions;
the entity suspects money laundering or financing of terrorism activities; or
the entity doubts the correctness or adequacy of previously obtained information.
The customer due diligence shall comprise of—
identifying and verifying relevant customer details;
identifying and verifying beneficial ownership and control of transactions;
identifying and verifying any natural persons behind a legal person or legal arrangement including the nature of business, ownership and control structure in relation to a customer that is a legal person or legal arrangement;
obtain information on the purpose and intended nature of the business relationship or transaction; and
conduct on-going due diligence and scrutiny to ensure that the information provided is up to date and relevant.
A regulated entity shall—
take reasonable steps to ascertain the true identity of its customers or beneficiaries;
identify and verify details of proposed recipients where claims and other monies are payable to persons or companies other than customers or beneficiaries; and
not commence business relationships or perform any transactions or, in the case of existing business relationships, renew such business relationships where customers fail to comply with customer due diligence requirements and file suspicious transaction reports with the Centre where necessary.
A regulated shall conduct customer due diligence for not more than fourteen days after the business relationship has been established where the risks of money laundering and financing of terrorism are low or where measures are already in place to effectively manage the risk to enable the customer to furnish the relevant documents.
Where a regulated entity has already commenced the business relationship and is unable to ascertain the identity of the customer or beneficiary, it shall terminate the business relationship and make a suspicious transaction report to the Centre.
A regulated entity may apply simplified customer due procedures where there is no suspicion of money laundering or financing of terrorism and—
where the risk profile of the customer is low;
there is adequate public disclosure in relation to the customer; or
there are adequate checks and controls from the customer's country of origin or source of funds.
A regulated entity shall apply enhanced customer due diligence procedures in order to—
obtaining further information that may assist the entity in ascertaining the customer's identity;
verify the documents furnished by the customer;
obtain senior management approval for establishing business relationship;
obtain comprehensive customer profile information including the purpose for the insurance cover, the occupation of the customer and source of funds;
assign a member of staff to serve, and conduct continuous due diligence of, the customer;
request other documents to complement those which are otherwise required; and
request certification of submitted documents by appropriate authorities or professionals.
A regulated entity shall, in the case of a natural person, require the customer to produce an official record to ascertain the true identity seeking to enter into a business relationship, such as—
a birth certificate;
a national identity card;
a driver's licence;
passport; or
such other particulars as may be required by the Financial Reporting Centre under section 44 of the Proceeds of Crime and Anti Money Laundering Act (Cap. 59A).
A regulated entity may take additional measures to identify and verify the identity of the customer including the customer's—
postal address;
physical or residential address;
utility bills including electricity or water bills;
occupation or employment details;
source of income;
nature and location of business activity;
personal identification number issued under a tax law;
where applicable, written references attesting to the customer's identity;
such other particulars as may be required by the Financial Reporting Centre under section 44 of the Proceeds of Crime and Anti Money Laundering Act (Cap. 59A) or any other written law.
A regulated entity shall obtain the following documents from a legal person or a body corporate when conducting customer due diligence—
its registered name;
a certified copy of its Certificate of Registration or Certificate of Incorporation, or Memorandum and Articles of Association or other similar documentation;
a certified copy of its board's resolution granting authority to transact business with the regulated entity and designating persons having signatory authority thereof;
the names, dates of birth, identity card or passport numbers and addresses of the natural persons managing, controlling or owning the body corporate or legal entity;
in the case of corporate bodies, the audited financial statements for the year preceding the transaction with the regulated entity;
its personal identification number issued under a tax law; or
where applicable, written confirmation from the customer's prior regulated entity, attesting to the customer's identity and previous business relationship.
A regulated entity shall obtain the following particulars to ascertain the identity of a partnership—
the name of the partnership or its registered name;
the partnership deed;
the registered address or principal place of business or office;
the registration number;
the names, dates of birth, identity card numbers or passport numbers and addresses of the partners;
the partner who exercises executive control in the partnership;
the name and particulars of the natural person who has been authorised to establish a business relationship or to enter into a transaction with the regulated entity on behalf of the partnership; or
the un-audited financial statements for the year preceding the transaction with the regulated entity.
A regulated entity shall obtain the following particulars to ascertain the identity of a trust—
its registered name, if any;
its registration number, if any;
its Certificate of Incorporation or registration, where relevant;
the trust deed;
official returns indicating its registered office and, where different from the registered office, the principal place of business;
the names and details of the management company of the trust or legal arrangement, if any;
the names of the persons having senior management position in the legal person or trustees of the legal arrangement;
names of the trustees, beneficiaries or any other natural person exercising ultimate effective control over the trust;
the name of the founder of the trust;
any other documentation from a reliable independent source proving the name, form and current existence of the customer; and
such other documents or particulars as may be required by the Financial Reporting Centre under section 44 of the Proceeds of Crime and Anti Money Laundering Act (Cap. 59A).
A regulated entity shall ascertain the beneficial owners, nature of business ownership and control structure of corporate customers and sources of funds of the customer.
A regulated entity shall obtain the following particulars to ascertain the beneficial owners and control structure of corporate customers—
details of incorporation;
partnership agreements;
deeds of trust;
particulars of directors and shareholders;
names of relevant persons holding senior management positions;
names of trustees, beneficiaries or any other natural person exercising ultimate effective control; and
any other documentation obtained from a reliable independent source ascertaining the name, form and existence of the customer.
A regulated entity shall conduct customer due diligence on any natural person who ultimately owns or controls the customer's transaction if it suspects that a transaction is conducted on behalf of a beneficial owner and not the person who is conducting the transaction.
A regulated entity may rely on customer due diligence conducted by intermediaries if it is satisfied that the intermediary—
has adequate customer due diligence procedures;
has reliable mechanisms for verifying customer identities;
can provide the customer due diligence information and readily make copies of relevant documentation available on request; and
is regulated and supervised for the purpose of preventing money laundering and financing of terrorism.
A regulated entity that relies on an intermediary for customer due diligence shall not be required to retain copies of customer identification documentation where the documentation can be obtained from the intermediary on request.
Where a regulated entity relies on an intermediary for customer due diligence, ultimate responsibility for customer due diligence shall remain with the regulated entity.
A regulated entity shall take reasonable measures to mitigate money laundering and financing of terrorism risks arising from the use of new technologies in transactions which do not require face-to-face contact.
A regulated entity shall establish measures for customer verification that are as stringent as those for face-to-face interactions and implement monitoring and reporting mechanisms to identify potential money laundering and financing of terrorism activities.
A regulated entity shall, where possible, carry out face to face interviews for high risk customers.
A regulated entity shall only establish business relationships upon completion of the customer due diligence process that have been conducted through face-to-face interactions.
A regulated entity shall apply customer identification procedures and continuing monitoring standards for non-face-to-face customers as for face-to-face customers
A regulated entity shall take any of the following measures to mitigate the risks associated with non-face-to face transactions—
require certification of identity documents by magistrates, legal practitioners, commissioners of oaths or notaries public;
requisition of additional documents to complement those required for face-to-face customers;
use independent contacts to verify customer identities;
require payment of premiums through a bank account in the customer's name;
require more frequent update of information on customers; or
refusal of business relationships without face-to-face contact for high risk customers.
A regulated entity shall have, in addition to its customer due diligence process, a risk management framework to ascertain whether or not customers are politically exposed persons.
A regulated entity shall gather sufficient and appropriate information from the customer and any other source to ascertain whether or not the customer is a politically exposed person.
A regulated entity shall take reasonable measures to establish the source of funds of a politically exposed person with whom it has a business relationship.
A regulated entity shall conduct enhanced continuing customer due diligence on politically exposed persons during its business relationships with politically exposed persons including customer due diligence on the family members or close associates of politically exposed persons.
A regulated entity shall conduct enhanced customer due diligence on customers assessed as higher risk including requiring—
more detailed information from the customer and other sources including the purpose of the transaction and source of funds; and
approval from the senior management of the regulated entity before establishing the business relationship with the customer.
Customers assessed as higher risk include—
high net worth individuals;
non-resident customers from locations known for high rates of crime and higher risk jurisdictions as identified under section 45A of the Proceeds of Crime and Anti Money Laundering Act (Cap. 59A);
politically exposed persons;
legal arrangements that are complex including trusts and nominees;
cash-based businesses; and
unregulated industries.
A regulated entity shall, in addition to customer due diligence on customers and beneficial owners, conduct customer due diligence on beneficiaries of life insurance and other investment related insurance policies as soon as the beneficiaries are identified or designated.
A regulated entity shall ensure that customer records including the customer profiles are up to date and relevant.
A regulated entity shall regularly review customer records, especially when—
a significant transaction takes place;
there is a material change in the way the customer account is operated;
the customer's documentation standards change substantially; or
the entity discovers that the customer information is or has become inadequate.
A regulated entity shall maintain customer records for at least seven years after the end of the business relationship and ensure that that the information is easy to retrieve.
The customer records to be maintained include—
the risk profile of customers or beneficiaries;
data obtained through customer due diligence;
the nature and date of transactions;
the type and amount of currency involved;
the policy and claims settlement details, statements of account and business correspondence; and
copies of official documents of identity such as passports, identity cards or similar documents.
Where customer records are the subject of ongoing investigations or prosecution in court, they shall be retained beyond the specified retention period until it is confirmed by the relevant authority that the records are no longer needed.
A regulated entity shall ensure that all documents collected through customer due diligence are up to date and relevant by conducting reviews of existing records.
A regulated entity shall ensure that retained documents and records—
are able to create a traceable audit trail on individual transactions;
can enable the entity to establish the history, circumstances and reconstruction of each transaction including the—
identity of the customer or beneficiary;
type and form of transaction; and
amount and type of currency;
are in a form that is acceptable under the Evidence Act (Cap. 80); and
are secure and retrievable in a timely manner.
A regulated entity shall conduct continuing customer due diligence with regards to its business relationship with its customers, account activities and transaction behaviour based on customer risk assessments.
A regulated entity shall conduct continuing due diligence on existing high-risk customers including endorsements to policies and exercise of rights under terms of insurance contracts.
Transactions which a regulated entity shall be required to conduct continuing due diligence on existing high-risk customers include—
change in beneficiaries to include non-family members;
request for payments to persons other than beneficiaries;
a significant increase in the sum insured or premium payment that appears unusual in the light of the income of the policy holder;
use of cash for payment of large single premiums;
payment by a wire transfer from or to foreign parties;
high frequency of endorsements on a policy;
payment by banking instruments which allow anonymity of the transaction;
change of address or place of residence of the policy holder or beneficiary;
lump sum top-ups to an existing life insurance contract;
lump sum contributions to personal pension contracts;
requests for prepayment of benefits;
unusual use of the policy as collateral other than for the financing of a mortgage by a regulated financial institution;
change of the type of benefit including change of type of payment from an annuity to a lump sum payment; or
early surrender of the policy or change of the duration where this causes penalties or loss of tax relief.
A regulated entity shall conduct continuing customer due diligence to ascertain the economic background and purpose of any transaction or business relationship that appears unusual, does not have any apparent economic purpose or the legality of such transaction is not clear including with regards to complex and large transactions or higher risk customers.
A regulated entity shall conduct continuing due diligence or monitoring of transactions of business relationships and transactions with individuals, businesses, companies and financial institutions from countries which have insufficiently implemented anti-money laundering and combating financing of terrorism measures.
A regulated entity shall make further enquiries on such business relationships and transactions including their background and purpose and document the findings in writing.
A regulated entity shall put in place an adequate management information system to complement its customer due diligence and which should provide the entity with timely information on a regular basis to enable the entity to detect any suspicious activity.
The management information system shall be part of the regulated entity's information system that contains its customers' normal transaction and business profile, which is accurate and updated.
A regulated entity shall establish internal criteria, hereafter referred to as red flags, to detect suspicious transactions and for conducting enhanced due diligence and continuing monitoring of any transaction that matches the red flags criteria.
Suspicious transactions may fall in any of the categories specified in the Schedule.
A regulated entity shall—
report suspicious transactions to the Centre and maintain a register of reported suspicious transactions;
ensure that the reporting of suspicious transactions is done securely in order to maintain confidentiality and secrecy.
A regulated entity shall submit a suspicious transaction report when—
it is unable to complete the customer due diligence process on a customer who is unreasonably evasive or uncooperative based on normal commercial criteria and its internal policy; or
a customer's transaction or attempted transaction fits the regulated entity's list of red flags.
The Money Laundering Reporting Officer of a regulated entity shall maintain a register of internally generated suspicious transaction reports and supporting documentary evidence thereon.
A regulated entity shall establish reasonable measures to ensure that employees involved in conducting or facilitating customer transactions are aware of suspicious transactions reporting procedures and consequences for the failure to report suspicious transactions.
A regulated entity shall report to the Centre any cash transaction equivalent to or exceeding ten thousand United States dollars or its equivalent in any other currency carried out by the entity whether or not the transaction appears to be suspicious.
A regulated entity shall maintain a database of names and particulars of listed persons in the United Nations Sanctions List.
A regulated entity shall, upon receipt from the Authority, keep updated the Sanctions List of various resolutions passed by the United Nations Security Council on combating terrorism and other relevant resolutions which require sanctions against individuals and entities.
A regulated entity, upon receipt of the Sanctions List from the Authority, shall conduct regular checks on the names of new customers, as well as regular checks on the names of existing customers and potential customers, against the names in the Sanctions List.
Where a regulated entity matches a name match on the Sanctions List with a name in its Sanction List database, it shall take reasonable and appropriate measures as required by the Prevention of Terrorism (Implementation of the United Nations Security Council Resolutions on Suppression of Terrorism) Regulations, 2013.
A regulated entity shall ensure that the information contained in its Sanctions List database is up to date and easily accessible by its employees.
A regulated entity shall file with the Authority on a quarterly basis a report on compliance with these guidelines within thirty days after the end of the quarter.
Where the Authority determines non-compliance with the provisions of these guidelines, it may take any intervention prescribed by the Insurance Act or any other relevant written law.
Where the Authority determines that a regulated entity has not met the requirements of these guidelines, the Authority may impose any or all of the administrative sanctions specified in the Insurance Act to correct the situation including—
directing the regulated entity to take appropriate remedial action;
imposing additional reporting requirements and monitoring activities; and
withdrawing or imposing conditions on the business license of the regulated entity based on the nature of the breach.