AML Measures when Dealing with High-Risk Customers under IFSCA AML Guidelines

The regulated entities operating in the International Financial Service Centre (IFSC) are required to identify and assess the money laundering and terrorism financing risk and apply adequate risk mitigation measures in accordance with IFSCA (AML, CFT, and KYC) Guidelines, 2022 (IFSCA AML Guidelines). The IFSC AML Guidelines mandate the regulated entities to perform Enhanced Customer Due Diligence when the identified ML/FT exposure is high.

In this article, we shall discuss Enhanced Due Diligence (EDD). These certain risk factors may suggest increased risk involved, warranting the performance of enhanced measures and EDD measures to be applied when engaging with high-risk customers.

What is Enhanced Due Diligence?

The IFSCA AML Guidelines require regulated entities to implement robust AML policies and procedures, focusing on the timely identification of ML/FT risks and conducting necessary checks and verifications to manage these risks.

One of the key AML provisions prescribed under IFSCA AML Guidelines is conducting the Customer Due Diligence (CDD) process to identify the customer, verify their identities and assess the risk exposure from the particular business relationship.

An integral part of the CDD is enhanced customer due diligence, applied when the customers are identified as posing increased risks. This concept is in line with the foundation of the AML program – the risk-based approach, requiring the regulated entities to apply increased controls when the higher risk is assessed, and for lower-risk customers or transactions, standard risk mitigation measures can be enough.

Enhanced Due Diligence is an advanced version of normal Customer Due Diligence, with additional inquiries around the customer information and stringent verification of the customer’s profile. This may include a thorough understanding of the customer’s business activities, the purpose of the business relationship, the customer’s financial position, etc.

For applying these additional checks and controls, the regulated entity may seek additional details and information from the customer relying on third-party reliable and independent data sources, social media, etc.

Identifying the High-Risk Customers?

It is essential for the regulated entities to identify the high-risk business relationships or transactions to manage the risk to ensure:

  • Regulatory compliance with the provisions of IFSCA AML Guidelines
  • Protection of the business against potential exploitation by financial criminals
  • Avoid reputational damage to the business
  • Contribute towards stability and integrity of the economy

The IFSCA AML Guidelines have enlisted certain factors around the nature of the customer, product or services offered, the jurisdiction involved, etc., which pose a higher risk of being associated with money laundering, terrorism financing, other financial crime, or its typologies.

Here are certain high-risk factors that regulated entities must consider while developing the Customer Risk Assessment methodology:

Risk arising from the nature of the customer

  • Customer is a Politically Exposed Person (PEP) or is a close relative or associate of the PEP
  • Customer involved in high-risk business activities (such as casino, money service provider, etc.)
  • A corporate customer has a complex ownership structure or where identification of the beneficial owners is difficult
  • Corporate customer having nominee arrangements – nominee shareholders or nominee directors
  • Legal persons or arrangements acting as personal asset-holding vehicles
  • The customer has been alleged or convicted in the past for any financial crime

Geographic risk

  • Customer is hailing from or is closely associated with high-risk countries such as jurisdictions subject to FATF grey list or black list (e.g., North Korea or Iran)
  • Transaction is expected to be executed in a country known for a high level of corruption
  • Countries with weak or no AML regulatory framework for controlling and preventing money laundering, terrorism financing or financial crimes
  • Jurisdictions subject to sanctions, embargos or similar restrictions by the United Nations or any other international organisations
  • Countries known for funding terrorist activities

Risk related to the nature of product, service, or transaction, delivery channel involved

  • Products or services favouring anonymity
  • When the customer is onboarded via remote channels or non-face-to-face basis without applying adequate controls in this regard
  • The customer is insisting on settling the transaction charges through a significant value of cash or crypto or other virtual assets
  • Business relationship involves agents and intermediaries without any business sense
  • When the transaction payment is settled through an unassociated third-party account
  • The value of a product or service is disproportionate to the customer’s financial profile
  • The services requested by the customer are related to the appointment of nominee shareholders or setting up a trust in a foreign country

The list here is not an exhaustive one, and the overall customer risk profile must be determined considering the combination of various risk parameters and not just one. The customer risk assessment program must align with the business’s nature and the overall Enterprise-Wide Risk Assessment.

What AML measures are to be implemented for High-Risk Customers by IFSCA-regulated entities?

To adequately apply the Enhanced Due Diligence measures and to manage the increased risk posed by high-risk customers, the regulated entities must perform the following AML measures in addition to the standard CDD process:

Additional details

Additional inquiries must be made to understand the customer’s occupation, nature of business activities, ownership and control structure, etc.). These details may be sought directly from the customer or information can be gathered from other data sources (internet, paid subscription, corporate register, social media like LinkedIn, etc.)

The regulated entity must also establish the customer’s intended purpose of a particular business relationship.

Financial status of the customer and the beneficial owners

Reasonable efforts must be made to understand the customers’ and the beneficial owners’ financial position and its alignment with the nature and value of the transaction. For this, the regulated entities must obtain information about their source of funds and source of wealth.

The regulated entity must establish the validity of this information by obtaining valid documents like audited financial statements, tax returns, payslips, bank statements, etc.

Senior management approval

The senior management must be apprised of the risk involved. The regulated entity must have systems and procedures to seek senior management approval for onboarding or transacting with high-risk customers.

Enhanced ongoing monitoring

The degree of risk the high-risk customer poses may increase or decrease over time, impacting the relevance and validity of the EDD measures and other controls applied. Thus, the regulated entities must subject these high-risk customers to an increased monitoring program. Under this, the transactions executed by these customers shall be closely monitored, and the customer’s overall profile shall be reviewed frequently and rigorously.

Condition around first payment

The regulated entities must ensure that the first payment towards the business relationship with the regulated entity is settled through the high-risk customer’s account with a bank subject to similar AML regulations and CDD measures.

This includes the following institutions where the customer has maintained an account in his own name:

  • a Bank
  • a financial institution subject to AML regulation and supervision, implemented in accordance with FATF Recommendations,
  • a subsidiary of the abovementioned entity, following the AML regulations applicable to the parent institution.

The IFSCA-regulated entities must implement the above-stated measures as part of EDD to mitigate money laundering and terrorist financing risks.

Best practices to manage high-risk customers

The following are a few tips that the regulated entities must consider when developing the Enhanced Due Diligence Program:

  • AML training on EDD is mandatory to manage the risk effectively. The regulated entity must ensure that the compliance team and relevant staff are adequately trained on identifying high-risk customers and diligently applying the additional checks and measures.
  • To bring efficiency and speed to the monitoring program, the regulated entity may consider implementing a robust business relationship and transaction monitoring system, wherein advanced technologies (like AI & ML) can be leveraged to review the transaction on a time basis, map it with the customer’s profile and promptly identify the suspicious activities.
AML Measures when Dealing with High-Risk Customers under IFSCA AML Guidelines
  • To maintain the effectiveness, quality and relevance of the AML program, including the customer onboarding process and EDD measures, the regulated entity must establish a periodic review and AML audit function. The review must identify the weaknesses and flaws in the AML efforts and provide recommendations on strengthening the same.

Let AML India be your AML Guide

The IFSCA-regulated entities must assess the business risk and adequately develop and maintain the AML framework (policies, procedures, systems and controls) to manage these identified risks. This also includes deploying the necessary measures to assess the customer risk, classify it as high, medium or low and apply adequate Enhanced Due Diligence measures for the high-risk customers.

Let AML India assist you in framing the customized AML program, covering a comprehensive customer onboarding process, ensuring that you stay safe against the ML/FT vulnerabilities while abiding by the IFSCA (AML, CFT, and KYC) Guidelines, 2022.

About the Author

Jyoti Maheshwari


Jyoti is a Chartered Accountant and Certified Anti-Money Laundering Specialist (CAMS) with over 7 years of experience in regulatory compliance, policymaking, risk management, RegTech solution consultancy, and implementation. With an understanding of the different jurisdictional AML regulations, including PMLA, 2002 and IFSCA (AML, CFT, and KYC) Guidelines, has been closely working with clients to implement Anti-Money Laundering measures, including conducting Enterprise-Wide Risk Assessments, imparting AML training, etc.