Principles and Prudential Requirements
Responsibility of Board and Senior Management
- The Board of Directors (Board) is responsible forensuring the AI meets its obligations under all relevant laws, regulations, prudential standards and reporting requirements associated with KYC and AML/CTF regulations in PNG and other jurisdictions in which the AI operates.
- The Board must ensure that policies and procedures are comprehensive and implemented fully. This includes strict customer due diligence (CDD) rules to promote high ethical and professional standards in the AI to prevent it from being used
- Further, that all staff receive appropriate training including annual awareness training. The compliance and internal audit function must monitor and test the effectiveness of policies and procedures and their implementation.
- 10. The AI’s KYC policies and procedures must address the following four elements:
- Customer Acceptance Policy (CAP)
- Customer Identification Procedures (CIP)
- Monitoring of transactions and accounts
- Compliance and risk management
Customer Acceptance Policy (CAP)
- The CAP must establish explicit criteria for acceptance of customers, and by definition the rejection of potential customers as well as separation with existing customers that do not meet the CAP. Policies and procedures are expected to provide:
- that no account is opened in an anonymous or fictitious name
- b. accurate risk categorisation of customers as low, medium or high risks (or level I, II, or III etc) to provide for risk based monitoring of accounts and transaction and frequency ofcustomer and enhanced due diligence processes. Parameters for risk categoriesmust be clearly defined and at a minimum address nature of business activity, sources of wealth, location of customer and clients, mode of payments, volume of turnover, social and financial status etc as well as customers requiring very high level of monitoring, for example, Politically Exposed Persons (PEPs)
- c. that no account is opened and that existing accounts are closed where the AI cannot undertake appropriate customer due diligence measures. For example, the AI is unable to verify the identity and /or obtain documents required as per the risk categorisation due to uncooperative nature of the customer or unreliability of the data or information provided
- criteria and verification requirements, where a customer is permitted to act on behalf of another person or entity, for example,trustee on behalf of beneficiaries
- searches and checks of applicants pre-account opening so as to ensure the customer is not a known criminal and/or does not pose a significant money laundering risk due to links to criminals or credible information suggesting involvement in criminal behavior, or terrorist or otherwise associated with banned entities, activities or countries.
- For the purpose of risk categorisation:
Low risk – individuals (other than High Net Worth) and entities whose identities and sources of wealth can be easily identified and whosetransactions conform to their KYC profile, may be categorised as low risk. For example, salaried employees, low value credit card accounts
Customers categorised as low risk must be subject to due diligence not less than every 3 years, when their categorisation changes or if transactions or activities have triggered raising a suspicious transaction report
Medium risk – categorisation as medium risk may be the aggregation of a number of characteristic around the customer’s background, sources of wealth, nature and location of activity, country of origin, sources of funds, client profile, significant cash dealings, or substantial dealings with Government agencies or departments.
Customers categorised as medium subject to due diligence every 2 years, when their categorisation changes or if transactions or activities have triggered raising a suspicious transaction report.
High Risk – certain activities should be require high risk categorisation regardless of size, nature of transactions, verification etc and require enhanced due diligence on an annual basis, that is, every year. These include
• Money changers, bullion dealers, money transfer agencies, payday lenders;
• Jewelry or gold dealers;
• Gaming establishments, nightclubs, bars;
• non-resident customers;
• high net worth individuals;
• trusts, charities, NGOs and organisations receiving donations;
• companies having close family shareholding or beneficial ownership;
• firms with ‘sleeping partners’;
• politically exposed persons (PEPs);
• law firms, real estate agents and other entities that operate trust accounts through which clients funds may be moved anonymously;
• non-face to face customers; and
• known criminals or those with dubious reputation as per public information available or individuals who are known to have been exited by other AI’s, etc.
- BPNG acknowledges that it would be impossible to review all accounts under the risk categories within the required timeframes under each of those categories. It is intended thatan AI must ensure that it has adequate programs, process and systems in place to adequately review and demonstrate that the risks posed by the different types of customers under the required timeframes of each risk class of high, medium or low are managed prudently and with the purpose of satisfactorily fulfilling its KYC obligations as required by this standard. The reviews must commensurate the AML/CFT risk appetite an AI inherits.
Customer Identification Procedures (CIP)
- As part of KYC, the Board must establish clear CIP to be conducted at commencement of the client relationship, prior to certain financial transactions, as part of file remediation or customer due diligence (CDD) or enhanced due diligence (EDD).
- At a minimum, the AI as part of its CIP must obtain evidence and record information of the customer, including but not limited to the following:
- full name, including any aliases
- unique identification number and photographic identification (such as an identity card number, birth certificate number or passport number, or where the customer is not a natural person, the incorporation number or business registration number)
- existing residential address, registered or business address (as may be appropriate) and contact telephone number(s)
- date of birth, incorporation or registration (as may be appropriate)
- nationality or place of incorporation or registration (as may be appropriate).
- Where the customer is a company, the AI must also identify the directors of the company and the beneficial owners of the company. Where a beneficial owner is itself a company, the AI must identify the ultimate beneficial owner, that is, the natural person who owns or controls the company. Inability to properly identify or verify beneficial ownership should trigger actions under Section 20 (4) of the Proceeds of Crime Act 2005 and the AI must suspend the business relationship until such time as the beneficial ownership can be verified.Where the customer is a partnership or a limited liability partnership, the AI must identify the partners.
- Where the customer is any other body corporate or unincorporated entity or trust or similar, the AI must identify all the persons having executive authority and also instruments for establishing that authority.
Verification of Identity
- An AI must verify the identity of the customer using reliable, independent sources.
- The AI must retain copies of all reference documents used to verify the identity of the customer.
- Where the customer appoints one or more natural persons to act on his behalf in establishing business relations with the AI or the customer is not a natural person, the AI must:
- identify the natural persons that act or are appointed to act on behalf of the customer;
- verify the identity of these persons to act on behalf of the customer; and
- retain copies of all reference documents used to verify the identity and authority of these persons.
- The AI must verify the due authority of such persons to act by obtaining at a minimum:
- appropriate reliable and independent documentary evidence, including an instruments of appointment or delegation, that the customer has appointed the person/s to act on its behalf.
- where the customer is a government agency, department or program or a state-owned enterprise, evidence must be obtained from a verifiable independent source such as instrument of appointment, Ministerial or Parliamentary confirmation, copy of gazette notice or similar; and
- the specimen signatures of the persons appointed.
Verification of Beneficial Owners
- Where the customer is not a natural person, the AI must take reasonable measures to understand the ownership and control structure of the customer.
- Where the customer is not a natural person, the AI must determine if there is a beneficial owner or controller of 20% or more of the customer.
- Where there is one or more beneficial owners, the AI must obtain information sufficient to identify and verify the identities of the beneficial owners or ultimate beneficial owners.
- The AI is not required to identify and verify any beneficial owner in relation to a customer that is:
- a Papua New Guinea government entity;
- a foreign government entity; and
- an entity listed on the POM Exchange and where its largest shareholdings do not exceed 10% of issued capital.
- The AI must conduct CIP on managers and signatories of entities
- a Papua New Guinea government entity;
- a foreign government entity; and
- an entity listed on the POM Exchange and where its largest shareholdings do not exceed 10% of issued capital.
- 26. BPNG acknowledges that not all potential AI customers, particularly those in lower income groups, may have the required identification and documentation to meet CIP requirements. If anatural person belonging to low income group is not able to produce documents to satisfy the AI about identity and address, the AI can open an account with that person on the following basis:]
- if the person has been introduced by another account holder who has been subjected to full KYC procedure; and
- the person’s relationship with the AI (all accounts) is not expected to exceed K1,000 and total transactions in a year are not expected to exceed K10,000; and
- the introducerhas maintained a relationship with the AI on good terms with no transaction concerns for a period of at least 1 year;
- the customer provides a picture and address details certified by the introducer or any other evidence as to the identity and address of the customer to the satisfaction of the AI.
- If at any point of time, the aggregate value of balances in all his/her accounts with the AI exceeds K1,000 or annual turnover exceeds K10,000, no further transactions will be permitted until the full KYC procedure is completed. The AI should notify the customer well ahead of reaching the thresholds to allow time to complete KYC administration.
- In addition to conducting CDD measures, each AI must conduct EDD measures to identify and deal with customers who are, or are involved with a politically exposed person, including:
- appropriate internal policies, procedures and controls to determine if a customer or beneficial owner is a politically exposed PEP a PEP;
- approval from the AI’s senior management to establish or continue business relations where the customer or a beneficial owner is a PEP or subsequently becomes a PEP;
- establish, by appropriate and reasonable means, the source of wealth and source of funds of the customer or beneficial owner; and
- conductenhanced monitoring of transactions, accounts and other business relations with the customer; and.
- exit the customer immediately at any time that the AI is unable to establish a legitimate source and/or application of the funds.
Account and Transaction Monitoring
- Each AI must establish a systematic approach to monitor customers’ account and transaction activity to ensure that the transactions are consistent with the AI’s knowledge of the customer, its business and risk profile and, where appropriate, the source and application of funds.
- Each AI must pay special attention to all complex or unusually large transactions or patterns of transactions that have no apparent or visible economic or lawful purpose.
- Each AI must have a process for reasonably ensuring that customers who are convicted of financially motivated crime offences, or about whom there is credible information indicating their involvement in financially motivated crime, are identified and appropriate risk categorisation changes made and procedures applied, including exiting the customer where appropriate.
- Where an AI uses automated monitoring software or outsources monitoring to a third party, the AI must ensure that parameters and thresholds are appropriate in the PNG context and known money laundering typologies. Further, that all material in relation to monitoring, thresholds and parameters as well as results of inquiries to customers regarding the background and purpose of a transaction is recorded and made available to the competent authorities.
- Each AI must review periodically the adequacy of customer identification information held in respect of customers and beneficial owners and ensure information is up to date. Depending on the risk categorization, the frequency of reviews must be yearly (high risk), 2 yearly (medium risk) or 3 yearly (low risk). Reviews should also be triggered when there is a change to ownership, senior management, or a substantial change to expected transactions or activities or transactions that result in a suspicious transaction report.
- Each AI must ensure that all branches and agents maintain proper records of all cash transactions of K10,000 and above – deposits and withdrawals and international funds transfers. The internal monitoring system must provide for the reporting of large cash transactions and any transaction of a suspicious nature.
- Board endorsed policies and procedures must ensure proper implementation of KYC requirements including explicit responsibility for management oversight, systems and controls, segregation of duties, training, testing of compliance and other related matters.
- The AI’s internal audit and compliance functions must have clearly articulated responsibilitiesfor evaluation of, and ensuring adherence to, the KYC policies and procedures.
- The Board must ensure that the Internal Audit is staffed adequately and the scope and annual work plan of Internal Audit includes to check and to verify the application of KYC procedures at the branches and to comment on any lapses observed.
- 38. The AI must have initial and ongoing training of all staff in KYC processes and responsibilities with respect to anti-money laundering obligations. Training must be appropriate for staff responsibilities and activities. For example, frontline staff, compliance staff and staff dealing with new customers. All staff need to understand the reasons for KYC policies and procedures, the risks, how to implement policies consistently, detection and reporting of suspicious transactions and the risks and potential penalties. Training is expected to be updated regularly to reflect changing typologies.
- Each AI must prepare, maintain and retain documentation on all its business relations and transactions with its customers such that:
- all requirements imposed by the relevant lawsand this Prudential Standard are met;
- any transaction undertaken can be reconstructed so as to provide, if necessary, evidence for prosecution of any criminal activity;
- BPNG or the FIU or other competent authority, the AI’s compliance function and the internal and external auditors are able to review the transactions and assess the level of compliance with KYC and AML obligations;
- the AI can respond fully within a reasonable time or any more specific time period imposed by law, any enquiry or order from BPNG, the FIU or other competent authority regarding information related to an account or transaction; and
- documentation as originals or copies, in paper or electronic form or on microfilm, meet the tests for admissibility as evidence in PNG.
- Each AI must implement record retention policies and procedures for periods not less than7 years
- following the termination of business relations for customer identification information, and other documents relating to the establishment of business relations, as well as account files and business correspondence; and
- following the completion of the transaction for records relating to a transaction, including any information needed to explain and reconstruct the transaction.
- The AI, or its Auditors, must notify BPNG in writing of a material breakdown in KYC and AML procedures and implementation within 7 days of detection. Serious breaches are expected to be escalated within 24 hours. Implementation of an action plan to address weakness is not a substitute for urgent notification to BPNG.
- As part of its annual attestation to BPNG, the Board of the AI must provide assurances regarding continued compliance with all laws, regulations, prudential standards, code, rules and similar for each jurisdiction in which it operates.
- 43. Non-compliance with this Prudential Standard or failure to implement appropriate KYC and AML systems and controls or willful or negligent disregard of the requirements of this Prudential Standard is an offence under section 54 of the BFIA. Penalties of up to K500,000 may apply if the AI fails to implement adequate KYC and AML measures as required under this Prudential Standard. Continuing offences may be subject to further penalties of upto K5,000 per day. Such penalties are in addition to potential criminal charges and imprisonment.
- If BPNG is not satisfied with the adequacy of an AI’s systems and procedures for compliance risk management across the institutions, BPNG may vary the conditions of the AI’s licence under section 14 of the BFIA. Such conditions may include, but are not limited, to:
- require immediate remediation of problem issues;
- suspend or limit certain business activities relating to identified weaknesses;
- prohibit certain transaction or a class of transactions; or
- require appointment of additional staff or third party support to address weaknesses identified.
Remedial Measures,Sanctions and Penalties
Appendix 1: At a minimum the acceptable evidence for the purposes of customer identification and verification
|CIP requirement||Acceptable evidence|
Legal name and any other Passport
names used or aliases
|Unique Identification Card (work in progress)
Photographic evidence for students
|Correct permanent address||Telephone bill
AI account statement
Letter from employer (subject to satisfaction of the AI)
Note: The AI’s policies should require at least 2 forms
of evidence if photo id included or 3 forms otherwise. Must be recent and original documents – no photocopies)
Name of the company
Principal place of business
Street address of the company (no PO Box)
Telephone / Fax Number
|Certificate of incorporation and Memorandum & Articles of Association
Resolution of the Board of Directors to open an account and
identification of those who have authority to operate the account
Power of Attorney granted to its managers,
officers or employees to transact business on its behalf
Recent bank account statement
Sales and income tax returns
Copy of licenses held
Copy of utility bill
Street Address (No PO Box)
Names of all partners and their addresses
Telephone numbers of the firm and partners
|Registration certificate, if registered
Identification for the partners
Power of Attorney granted to a partner or an employee
of the firm to transact business on its behalf
Any officially valid document identifying the partners
and the persons holding the Power
of Attorney and their addresses
Utility bill in the name of firm / partners
|Trusts & Foundations
Names of trustees,
beneficiaries and signatories
Names and addresses of thefounder,
/ directors and the beneficiaries
/ fax numbers
|Trust Deed and Certificate of registration, if registered
Power of Attorney granted to transact business on its behalf
Any officially valid document to identify the
trustees, settlors, beneficiaries and those holding Power of
Attorney, founders / managers / directors and
Bank account statements
Resolution of the managing body of the foundation / association