Encik Abu Hassan Alshari Yahaya: Financial crime and terrorism financing

Keynote address by Mr Encik Abu Hassan Alshari Yahaya, Assistant Governor of the Central Bank of Malaysia, at the 5th International Conference on Financial Crime and Terrorism Financing (IFCTF 2013), Kuala Lumpur, 23 October 2013.

The views expressed in this speech are those of the speaker and not the view of the BIS.

Central bank speech | 25 October 2013

It is a great pleasure for me to be here today and I would like to thank the Conference Organiser, the Asian Institute of Finance in collaboration with Malaysia's Compliance Officers' Networking Group, for the invitation to deliver the keynote address at this 5th International Conference on Financial Crime and Terrorism Financing. I am happy to note that this annual conference has received a strong response and continued to provide industry players with the developments in the area of financial crimes and terrorism financing and how financial service providers and relevant businesses and professions could continuously strengthen the capacity and capabilities in addressing these risks.

I am glad to note that there has been an increased participation from the designated non-financial businesses and professions (DNFBPs) in this year's conference. This reflects heightened awareness and seriousness by the DNFBPs to improve their compliance and understanding of their roles in combating money laundering and terrorism financing. I am also informed by the organisers that the Malaysian Bar Council, the Malaysian Institute of Accountants and the Association of Money Services Business have also reached out to their members to attend this and by accrediting this program as part of the continuous professional development.

Ladies and gentlemen,

Weaknesses in risk governance have been one of the major causes of the recent global financial crisis. Until now, risk governance remains a work in progress, as is evident from the recent money laundering control failures experienced by some big financial institutions in developed economies. The theme for this year's conference, "Risk, Governance & Self-Regulation: Within and Beyond", is not only timely but also an ongoing self-reflection for all of us. The organisers have also impressed upon me that this year's theme is a continuation of the 2012 theme of "Compliance, Challenges and Effectiveness: The next level". After the efforts in putting in place the appropriate risk management framework, it is time for us to ask ourselves the following questions: Have we done enough on risk and governance? And can we do it better?

Sound risk management is fundamental to preserve the integrity of the financial system and there has been increased attention given to this area. In my remarks today, I intend to focus on the following key points and highlight initiatives undertaken by Bank Negara Malaysia to strategically support financial sectors' governance and self-regulation in preventing the risks related to financial crime. Firstly, the risks and its importance in setting the context; secondly, the governance and risk culture; and thirdly, self-regulation.

Risks and its importance in setting the context

In principle, money laundering and terrorism financing risks are no different than other types of risks facing businesses. Key in managing the risks is to identify the sources and assess the extent of its impact to the business. Recognising this importance, the Financial Action Task Force, better known as FATF, has provided a clear statement on this under the very first recommendation in its Revised International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation. Countries, financial institutions and designated non-financial businesses and professions are required to clearly identify, assess, and understand risks. Understanding of those risks will then set the context for taking actions and allow better allocation of resources to effectively manage and mitigate those risks.

To respond to this development, Bank Negara Malaysia has issued revised policies on Anti Money Laundering and Counter Financing of Terrorism (AML/CFT) in September 2013. The integral component of the revised AML/CFT policies is the introduction of an obligation for reporting institutions to adopt a risk-based approach in identifying, assessing, and understanding the money laundering and terrorism financing risks of respective reporting institutions. The risk-based approach is an over-arching requirement that runs through all the other elements in the AML/CFT policies. Proper assessment and understanding of the risks will allow reporting institutions to tailor appropriate risk controls and establish proper policies and procedures to mitigate the risks. The revised policies also focused on refining Customer Due Diligence (CDD) requirements to reflect the varied risk levels. The revised policies also aimed to address implementation issues faced by both the reporting institutions and the supervisors as well as to incorporate FATF requirements under the revised standards. To ensure consistency of AML/CFT policies across the sectors, the revision was carried out jointly with other financial supervisors such as the Labuan Financial Services Authority and the Securities Commission. Extensive consultations and engagements were undertaken with the industry players both during pre and post issuance of the policies. The consultations provided a broad range of opinions and support. Whilst the majority of responses were supporting a risk-based approach, concerns were also raised on the cost and burden of compliance.

Bank Negara Malaysia recognises that the cost of implementing the Customer Due Diligence under the risk-based approach may be high at the early stage of implementation but the establishment of a robust risk framework that is commensurate with the risks of your institutions will minimise the institutions' reputational risk and would also lower the overall costs in the long-run given the ability for reporting institutions to focus resources to the right area.

Governance and risk culture

Let's now turn to governance and risk culture. Governance refers to actions, process, traditions and institutions by which authority is exercised and decisions are taken and implemented. Good governance is, therefore, a mixture of legislation, non-legislative codes, self-regulation and best practices, structure, culture and management and board competency. If we take a step back and reflect, we will notice that risk governance is woven through the risk management framework. Many elements of requirements for the risk management framework contribute to risk governance. For instance, the requirement for effective board audit and risk committee, regular reviews of the effectiveness of the framework and its implementation and so on. The Board plays a critical role in risk governance. The Board sets standards and expectations that would influence the culture and management of the business, and ultimately, the quality of risk governance. A common shortcoming occurs when the Board fails to serve as a sufficient "check and balance" on the activities of the senior management, causing the business to focus excessively on short-term growth at the expense of long term stakeholders' interest. For this reason, Bank Negara Malaysia places greater expectation on the roles and responsibility of the Board and senior management. This expectation can be found in many policy documents issued by Bank Negara Malaysia over the past several years and specifically provided for in the Financial Services Act (FSA) and the Islamic Financial Services Act (IFSA).

For an institution's risk governance to be effective, there must be a strong risk culture which is consistent with the institution's espoused values and risk appetite. You may ask, how does the Board assess risk culture? There isn't a simple and straightforward answer to this question. Some institutions undertake a "climate review" among their management and staff to gauge the culture whilst another approach could involve a focus group. Ultimately, audit, compliance and risk management functions would have opportunities in the course of their work to observe the risk culture throughout the business. From the regulator's perspective, risk culture could be inferred and gauged based on the effective implementation and level of compliance by the risk takers and the frontline staff. To improve risk culture, the Board and management must review the incentives and penalties in place and ensure that they are effectively implemented. Among the key questions that the Board and management should be asking are: Does the performance management and compensation system reward good behaviour and punish bad behaviour? And how are audit and supervisory issues handled?

As you already know, a weak risk culture may lead to staff resorting to "check the box" compliance exercise whilst a strong risk culture will judge the wisdom and decision of looking beyond the profit number and be able to see the medium and long term sustainability.

On this note, allow me to share some of the key observations made by Bank Negara Malaysia during the recently completed AML/CFT Thematic Reviews on Banks and Insurance Companies. First, the good news. In general, we observed that there was greater awareness among Board and senior management on ML/TF risks and its potential implication to their reputation. From the AML/CFT policies and framework implemented, there was also a shift towards a risk-based approach. In most of the institutions reviewed, the management of AML/CFT was no longer viewed solely as a "Compliance" job but more aligned and integrated with the bank's overall risk management function. In addition, it is also worth noting that in terms of management information system (MIS), more investments were made to either upgrade or enhance their existing MIS to facilitate effective monitoring of suspicious transactions. This is encouraging.

Now let me share the not so good news. Implementation of AML/CFT policies and procedures, although it has shown improvement as compared to the last review, is still an area that needs to be strengthened particularly with regard to CDD and customer monitoring. While we acknowledged that in almost all cases, CDD was conducted, the extent of due diligence in some instances was inadequate and not reflective of the level of money laundering and terrorist financing risks posed by the customers and/or transactions. We believe that to address this issue, strong risk culture must be inculcated and the performance and reward system should reflect that culture.


Self-regulation

Institutions with strong wisdom in risk governance and culture do not solely depend on the regulator and supervisor to tell them what to do. Self-regulation is important, particularly for financial institutions. In performing the intermediary functions, depositors and shareholders depend on the decision and practice of the financial institutions to balance the risks and rewards in their operations with the changes in operating environment and risk management expectations. We have learned and relearned abundant lessons from the experience of the past crisis and many of those lessons lead to changes in regulation, supervision, enforcement and risk management practices throughout the world. As these new rules are designed and implemented, we are expected to adapt and change our business models and risk practices.

Bank Negara Malaysia is adapting as well. I have highlighted earlier the development on the regulation and supervision's front. Allow me to highlight key developments on the enforcement front. Given that combating financial crime continues to be one of our key priorities in sustaining financial sector integrity, Bank Negara Malaysia is intensifying enforcement actions on AML/CFT non-compliances and breaches of legislations. Since 2012, Bank Negara Malaysia had compounded several banks and money service business operators for various non-compliances with the Anti-Money Laundering and Anti-Terrorist Financing Act 2001 (AMLATFA). Besides AMLATFA, the new AML/CFT policies are also issued under the FSA and IFSA. FSA and IFSA provide Bank Negara Malaysia with wider enforcement powers including the administrative and civil sanctions for breaches under these Acts. FSA and IFSA also allow for enforcement actions taken under these legislations to be made public. This means that the reputational stake for non-compliance has been set higher. This is necessary to strengthen financial sector's compliance to AML/CFT Policies and preserve the integrity of the financial system from being abused for criminal activities.

Bank Negara Malaysia recognises that the vast majority of the DNFBPs seek to comply with the law and for certain professions such as the lawyers and the accountants, through their ethical obligations. However, given that the controls on money laundering risks implemented at the financial institutions are increasingly tightened, there is this emerging consequence that DNFBPs, particularly the legal professionals, are increasingly becoming more attractive for the criminals to launder their ill-gotten gains. According to the report published by the FATF on money laundering involving legal professionals, key among those factors is the perception that the involvement of legal professionals provides a further step in the chain to frustrate investigation by law enforcement authorities. Thus, it is imperative for DNFBPs to increase their awareness and understanding on how their industry can be susceptible to money laundering and take necessary measures commensurate with the money laundering and terrorism financing risks faced in offering such business activities. We hope that with higher awareness among the DNFBPs, we will be able to see a higher number of submissions of suspicious transaction reports from the DNFBPs. As the industry is aware, Bank Negara Malaysia is finalising the revised AML/CFT policies for DNFBPs and we are targeting to issue the policy before end of October. I would like to take this opportunity to thank the various associations and self-regulatory bodies who had provided comments and feedback to the draft policy papers that we had issued earlier.

Bank Negara Malaysia will continue to support and partner the financial institutions to weather the challenges in fighting emerging trends in financial crimes. For this purpose, I would like to reinforce your attention that Malaysia's AML/CFT regime will be undergoing the 3rd Mutual Evaluation Exercise commencing August 2014. The assessment methodology this time around will be different from the previous two assessments. It will not only depend on how good we are in achieving technical compliance to the international standards by having the necessary laws, regulations and policies in place, but importantly, the focus of the assessment will be placed on the effectiveness of AML/CFT measures being implemented taking into consideration the risk and context of money laundering and terrorism financing risks in Malaysia. It is important for me to stress that an overall positive rating in the assessment will strengthen the confidence in our financial system and therefore the country's economic development. Our success in meeting the shared goal of protecting the integrity of our financial system against criminal abuse will continue to depend on the cooperation among the regulators, the financial industry and the law enforcement authorities. I am sure that this conference will provide a meaningful platform for all of you to engage, and importantly, to strengthen our risk management capabilities and in promoting a higher level of integrity in our business conducts and operations.

On that note, I wish all of you a fruitful conference.