Question
(A) AML/CFT Systems
1.RPs are required to assess their ML/TF/PF risk and then implement appropriate internal policies,
and controls to mitigate risks of ML/TF/PF.
Has the RP taken into account the following risk factors when assessing its own ML/TF/PF risk?
(a) Product / service risk
(b) Delivery / distribution channel risk
(c) Customer risk
(d) Country risk
2.RPs are required to have effective controls to ensure proper implementation of AML/CFT policies
procedures.
Does your AML/CFT system cover the following controls?
(a) Board of Director and Senior management oversight
(i) Have you appointed an appropriate person as a Compliance Officer?
(ii) Do you ensure that CO/department is:
1. the focal point for the oversight of all activities relating to the prevention and detection of ML/TF/PF
2. independent of all operational and business functions as far as practicable within any constraint of si
institution
3. of a sufficient level of seniority and authority within your institution
4. provided with regular contact with and direct access to senior management to ensure that senior ma
able to satisfy itself that the statutory obligations are being met and measures against the risks of ML/TF/PF a
and robust
5. fully conversant in the statutory and regulatory requirements and ML/TF/PF risks arising from your
6. capable of accessing on a timely basis all required available information in performing their role
7. equipped with sufficient resources, including staff
8. overseeing your firm's compliance with the relevant AML requirements in Pakistan and overseas bra
subsidiaries.
(b) Audit function
(i) Have you established an independent audit function?
(ii) If yes, does the function regularly review the AML/CFT systems to ensure effectiveness?
(iii) If appropriate, have you sought review assistance from external sources regarding your AML/CFT syste
(c) Staff screening
(i) Do you establish, maintain and operate appropriate procedures in order to be satisfied with the integrity
employees?
3.RP with local / overseas branches or subsidiary undertakings should put in place a group AML/CFT
ensure an overall compliance with the CDD and record-keeping requirements.
Does your firm have overseas branches and subsidiary undertakings?
Do you have a group AML/CFT policy to ensure that all local /overseas branches and subsidiary undertakings h
procedures in place to comply with the CDD and record-keeping requirements similar to those set under the A
Regulations?
If yes, is such policy communicated within your group?
In the case where your overseas branches or subsidiary undertakings are unable to comply with the above men
due to local laws' restrictions, have you done the following?
(a) informed the SECP of such failure
(b) taken additional measures to effectively mitigate ML/TF/PF risks faced by them
3a.Transnational TF Risk Assessment Factor Review
A: SENIOR MANAGEMENT OVERSIGHT
Did the Financial Institution (FI) have an adequate understanding of the transnational TF risk generated by it?
Did the FI identify international jurisdictions which it considers riskier in perspective of transnational TF risk?
Did the FI identify domestic locations which it considers riskier in perspective of transnational TF risk?
Did the FI identify and assess its customers / products / channels which involve transactions with overseas ju
and are more risky with respect to transnational TF risk?
Did the FI file any STR suspecting a customer over transnational TF risk during the year?
B: POLICY & PROCEDURES
Did the FI’s board-approved AML/CFT policy adequately define and cover the area of transnational TF risks p
the FI?
Did the FI's policy cover methodology for identification, assessment, monitoring and mitigation of transnationa
Did the FI cover transnational TF aspect in their internal TF risk assessment and align it with the country’s
C: TRANSNATIONAL TF RISK ARISING FROM CUSTOMER ONBOARDING
Did the FI maintain comprehensive listings of all persons and entities who are designated either by UNSC or A
Did the FI name screen those customers who posed transnational TF risk before providing any financial servic
At the time of customer onboarding, did the FI properly identify the nationality of individual customers?
Where the nationality was assessed as ‘Pakistani’, did the FI identify whether the individual customer was a re
resident Pakistani?
While onboarding Afghan nationals, did the FI seek information like profession, occupation, sources and jurisd
generation, utilization and jurisdiction of utilization and expected turnover in the account?
While onboarding nationals of FATF monitored jurisdictions (grey listed and black listed), did the FI seek infor
profession, occupation, sources and jurisdiction of funds generation, utilization and jurisdiction of utilization a
turnover in the account?
In case of entities, did the FI identify the actual country of origin of the entity?
In case of foreign entities, did the FI identify the ultimate beneficial ownership of the entity?
In case of domestic NPOs / NGOs, did the FI assess the validation of their registration, the terms of their licens
In case of domestic NPOs / NGOs (including but not limited to Madrassas & religious charitable organizations)
assess the sources of their funds?
D: ON GOING MONITORING AND REVIEW
Did the FI ensure that it, on an ongoing basis, review all relationships of the FI posing transnational TF risk?
Did the FI specifically ensure that it, on an ongoing basis, reviewed the accounts of Afghan nationals, nationals
DPRK including the accounts of staff of their embassies with respect to transnational TF risk?
Did the FI put in place such name screening measures which screened all existing relationships on a continuou
Did the FI adequately assess funding of domestic NPOs/NGOs (including but not limited to Madrassas & religio
organizations) by foreign NPOs/NGOs/individuals that have presence in jurisdictions maintaining hostile relati
Pakistan, jurisdictions monitored by FATF as high risk, jurisdictions identified as high risk by the FI or have lin
designated / proscribed entities or individuals?
E: OTHERS
Did the FI’s staff have adequate understanding of the transnational TF risk emanating from financial operation
Did the FI provide any trainings to its staff on transnational TF risk arising from financial operations?
Did the FI’s Internal Audit include review of the FI’s assessment of transnational TF risk in its reviews?
Was review of transnational TF risk assessment by internal audit adequate?
(B) Risk-Based Approach ('RBA')
4.RPs are required to determine the extent of CDD measures and ongoing monitoring, using an RBA
upon the background of the customer and the product, transaction, or service used by that custome
Does your RBA identify and categorize ML/TF/PF risks at the customer level and establish reasonable measure
risks identified?
Do you consider the following risk factors when determining the ML/TF/PF risk rating of customers?
(a) Country risk - customers with residence in or connection with the below high-risk jurisdictions:
(i) countries identified by the FATF as jurisdictions with strategic AML/CFT deficiencies
(ii) countries subject to sanctions, embargoes or similar measures issued by international authorities
(iii) countries that are vulnerable to corruption
(iv) countries that are believed to have strong links to terrorist activities
(b) Customer risk - customers with the following nature or behaviour might present a higher ML/TF/PF risk
(i) the public profile of the customer indicates involvement with, or connection to, politically exposed person
(ii) complexity of the relationship, including use of corporate structures, trusts and the use of nominees and
instruments (if applicable) where there is no legitimate commercial rationale
(iii) request to use numbered accounts or undue levels of secrecy with a transaction
(iv) involvement in cash-intensive businesses
(v) nature, scope and location of business activities generating the funds/assets, having regard to sensitive
activities
(vi) the origin of wealth (for high risk customers and PEPs) or ownership cannot be easily verified
(c) Product/service risk - product/service with the following factors might present a higher risk
(i) services that inherently have provided more anonymity
(ii) ability to pool underlying customers/funds
(d) Distribution/delivery channels
(i) a non-face-to-face account opening approach is used
(ii) Business sold through third party agencies or intermediaries
Do you adjust your risk assessment of customers from time to time, based upon information received from a c
authority, and review the extent of the CDD and ongoing monitoring to be applied?
Do you maintain all records and relevant documents of the above risk assessment?
If yes, are they able to demonstrate to the SECP the following?
(a) how you assess the subject customer?
(b) the extent of CDD and ongoing monitoring is appropriate based on that customer's ML/TF/PF risk
(C) - Customer Due Diligence ('CDD')
5.RPs are required to carry out CDD, which is a vital tool for recognizing whether there are grounds
knowledge or suspicion of ML/TF/PF.
Do you conduct the following CDD measures?
(a) identify the customer and verify the customer's identity using reliable, independent source documents, data
information
(b) where there is a beneficial owner in relation to the customer, identify and take reasonable measures to ver
beneficial owner's identity, including in the case of a legal person or trust, measures to enable you to understa
ownership and control structure of the legal person or trust
(c) obtain information on the purpose and intended nature of the business relationship established with you un
purpose and intended nature are obvious
(d) if a person purports to act on behalf of the customer:
(i) identify the person and take reasonable measures to verify the person's identity using reliable and indep
documents, data or information
(ii) verify the person's authority to act on behalf of the customer (e.g. written authority, board resolution)
Do you apply CDD requirements in the following cases?
(a) at the outset of a business relationship
(b) when you suspect that a customer or a customer's account is involved in ML/TF/PF
(c) when you doubt the veracity or adequacy of any information previously obtained for the purpose of identify
customer or for the purpose of verifying the customer's identity
6.RPs are required to identify and take reasonable measures to verify the identity of a beneficial own
When an individual is identified as a beneficial owner, do you obtain the following identification information?
(a) Full name
(b) Date of birth
(c) Nationality
(d) Identity document type and number
Do you verify the identity of beneficial owner(s) with reasonable measures, based on your assessment of the M
so that you know who the beneficial owner(s) is?
7.RPs are required to identify and take reasonable measures to verify the identity of a person who p
act on behalf of the customer and is authorized to give instructions for the movement of funds or as
When a person purports to act on behalf of a customer and is authorized to give instructions for the movement
assets, do you obtain the identification information and take reasonable measures to verify the information obt
Do you obtain written authorization to verify that the individual purporting to represent the customer is autho
Do you use a streamlined approach on occasions where difficulties have been encountered in identifying and v
signatories for individuals being represented to comply with the CDD requirements?
If yes, do you perform the following:
(a) adopt an RBA to assess whether the customer is a low risk customer and that the streamlined approach is o
to identified low risk customers
(b) obtain a signatory list, recording the names of the account signatories, whose identities and authority to ac
confirmed by a department or person within your organization is independent with respect to the persons who
are being verified
8.RPs are required to take appropriate steps to verify the genuineness of identification provided if s
raised.
In case of suspicions raised in relation to any document in performing CDD, have you taken practical and prop
steps to establish whether the document offered is genuine, or has been reported as lost or stolen? (e.g. search
available information, approach relevant authorities)
Have you rejected any documents provided during CDD and considered making a report to the authorities (e.g
suspicion on the genuineness of the information cannot be eliminated?
9.RPs are required to understand the purpose and intended nature of the business relationship esta
Unless the purpose and intended nature are obvious, have you obtained satisfactory information from all new c
(including non-residents) as to the intended purpose, and reason for opening the account or establishing the bu
relationship, and recorded the information on the relevant account opening documentation?
10.RPs are required to complete the CDD before establishing business relationships.
Do you always complete the CDD process before establishing business relationships?
If you are unable to complete the CDD process, do you ensure that the relevant business relationships must no
established and assess whether this failure provides grounds for knowledge or suspicion of ML/TF/PF to subm
the FMU as appropriate?
If the CDD process is not completed before establishing a business relationship, would this be on an exception
and with consideration of the following:
(a) any risk of ML/TF/PF arising from the delayed verification of the customer's or beneficial owner's identity c
effectively managed.
(b) it is necessary not to interrupt the normal course of business with the customer (e.g. securities
transactions).
(c) verification is completed as soon as reasonably practicable.
(d) the business relationship will be terminated if verification cannot be completed as soon as reasonably pract
Have you adopted appropriate risk management policies and procedures when a customer is permitted to ente
business relationship prior to verification?
If yes, do they include the following?
(a) establishing timeframes for the completion of the identity verification measures and ensuring that they are
soon as reasonably practicable
(b) placing appropriate limits on the number of transactions and type of transactions that can be undertaken, p
verification
(c) ensuring that funds are not paid out to any third party
(d) other relevant policies and procedures
When terminating a business relationship where funds or other assets have been received, have you returned t
assets to the source (where possible) from which they were received?
11.RPs are required to keep the customer information up-to-date and relevant.
Do you undertake reviews of existing records of customers to ensure that the information obtained for the purp
complying with the AML requirements are up-to-date and relevant when one of the following trigger events ha
(a) when a significant transaction is to take place
(b) when a material change occurs in the way the customer's account is operated
(c) when your customer documentation standards change substantially
(d) when you are aware that you lack sufficient information about the customer concerned
(e) if there are other trigger events that you consider and are defined in your policies and procedures, please e
further in the text box
Are all high-risk customers subject to a review of their profile?
12.RPs are required to identify and verify the true and full identity of each natural person by using r
independent sources of information.
Do you have customers who are natural persons?
Do you collect the identification information for customers:
(i) Residents
(ii) Non-residents
(iii) Non-residents who are not physically present
Do you document the information?
If yes, please provide a list of acceptable documents that you obtain for verifying residential address (e.g. utilit
statements). Certain types of address verification should not be considered sufficient, e.g. a post office box add
persons residing in Pakistan or corporate customers registered and/or operating in Pakistan.
In cases where customers may not be able to produce verified evidence of residential address, have you adopte
methods and applied these on a risk sensitive basis?
Do you require additional identity information to be provided or verify additional aspects of identity if the custo
product or service, is assessed to present a higher ML/TF/PF risk?
13.RPs are required to identify and verify the true and full identity of each legal person and trust an
beneficial owners by using reliable and independent sources of information.
Do you have measures to look behind each legal person or trust to identify those who have ultimate control or
beneficial ownership over the business and the customer's assets?
Do you fully understand the customer's legal form, structure and ownership, and obtain information on the nat
business, and reasons for seeking the product or service when the reasons are not obvious?
14.Companies
Do you have customers that are companies?
Do you obtain the following information and verification documents in relation to a customer that is a company
For companies with multiple layers in their ownership structures, do you have an understanding of the owners
control structure of the company and fully identify the intermediate layers of ownership in the company?
Do you take further measures, when the ownership structure of the company is dispersed/complex/multi-layere
obvious commercial purpose, to verify the identity of the ultimate beneficial owners?
15.Partnerships and unincorporated bodies
Do you have customers that are partnerships or unincorporated bodies?
Do you take reasonable measures to verify the identity of the beneficial owners of the partnerships or unincorp
entities?
Do you obtain the information and verification documents in relation to the partnership or unincorporated enti
Do you have customers that are in the form of trusts?
Do you obtain the information and verification documents to verify the existence, legal form and parties to a tr
Have you taken particular care in relation to trusts created in jurisdictions where there is no or weak money la
legislation?
16.RPs may conduct simplified ‘Know Your Customer’ due diligence ('SDD') process instead of full C
measures given reasonable grounds to support it. Simplified due diligence is the lowest level of due
that can be completed on a customer. This is appropriate, where there is little opportunity or risk of
services or customer becoming involved in money laundering or terrorist financing. SDD is a condit
timing of the actual verification of a particular customer is deferred until such time the entire CDD
completed, rather than reducing what needs to be obtained, under a risk-based approach.
Have you conducted SDD instead of full CDD measures for your customers?
Do you refrain from applying SDD when you suspect that the customer, the customer's account or the transact
in ML/TF/PF, or when you doubt the veracity or adequacy of any information previously obtained for the purpo
identifying or verifying the customer?
Before the application of SDD on any of the customer categories, have you performed a review of whether they
criteria of the respective category?
17.RPs are required, in any situation that by its nature presents a higher risk of ML/TF/PF, to take a
measures to mitigate the risk of ML/TF/PF.
Do you take additional measures or enhanced due diligence ('EDD') when the customer presents a higher risk
If yes, do they include the following?
(a) obtaining additional information on the customer and updating more regularly, the customer's profile inclu
identification data.
(b) obtaining additional information on the intended nature of the business relationship, the source of wealth a
funds
(c) obtaining the approval of senior management to commence or continue the relationship
(d) conducting enhanced monitoring of the business relationship, by increasing the number and timing of the c
applied and selecting patterns of transactions that need further examination.
18.RPs are required to apply, the same equally effective customer identification procedures and ong
monitoring standards for customers not physically present for identification purposes, as are used
customers who are available for interview.
Do you accept customers that are not physically present for identification purposes to open an account?
If yes, have you taken additional measures to compensate for any risk associated with customers not physically
face to face) for identification purposes?
If yes, do you document such information?
19.RPs are required to determine whether a potential customer, a customer or the beneficial owner
Politically Exposed Person ('PEP') and to adopt EDD on PEPs.
Do you define a PEP (foreign and domestic) in your AML/CFT policies and procedures?
Have you established and maintained effective procedures for determining whether a customer or a beneficial
customer is a PEP (foreign and domestic)?
If yes, are the screening and searches performed to determine if a customer or a beneficial owner of a custome
(e.g. through commercially available databases, publicly available sources and internet / media searches etc.)
20.Foreign PEPs
Do you conduct EDD at the outset of the business relationship and ongoing monitoring when a foreign PEP is i
suspected?
Have you applied the following EDD measures when you know that a particular customer or beneficial owner i
PEP (for both existing and new business relationships)?
(a) obtaining approval from your senior management
(b) taking reasonable measures to establish the customer's or the beneficial owner's source of wealth and the s
funds
(c) applying enhanced monitoring to the relationship in accordance with the assessed risks
21.Domestic PEPs
Have you performed risk assessment for an individual known to be a domestic PEP to determine whether the i
poses a higher risk of ML/TF/PF?
If yes, and the domestic PEP poses a higher ML/TF/PF risk, have you applied EDD and monitoring?
If yes, have you retained a copy of the assessment for related authorities, other authorities and auditors and re
assessment, whenever concerns as to the activities of the individual arise?
For foreign and domestic PEPs assessed to present a higher risk, are they subject to a minimum of an annual r
ensuring that the CDD information remains up-to-date and relevant?
22.RPs have the ultimate responsibility for ensuring that CDD requirements are met, even where in
were used to perform any part of the CDD measures.
Have you used any intermediaries to perform any part of your CDD measures?
When intermediaries (not including those in contractual arrangements with the RPs to carry out its CDD funct
relationships, accounts or transactions between RPs for their clients) are relied on to perform any part of the C
do you obtain written confirmation from the intermediaries that:
(a) they agree to perform the role
(b) they will provide without delay a copy of any document or record obtained in the course of carrying out the
measures on your behalf upon request.
When you use an intermediary, are you satisfied that it has adequate procedures in place to prevent ML/TF/PF
When you use overseas intermediaries, are you satisfied that it:
(a) is required under the law of the jurisdiction concerned to be registered or licensed or regulated under the
jurisdiction
(b) has measures in place to ensure compliance with the requirements
(c) is supervised for compliance with those requirements by an authority in that jurisdiction that performs func
to those of any of the relevant authorities in Pakistan
In order to ensure the compliance with the requirements set out above for both domestic or overseas intermed
take the following measures?
(a) review the intermediary's AML/CFT policies and procedures
(b) make enquiries concerning the intermediary's stature and regulatory track record and the extent to which
AML/CFT standards are applied and audited
Do you immediately (with no delay) obtain from intermediaries the data or information that the intermediaries
the course of carrying out the CDD measures?
Do you conduct sample tests from time to time to ensure CDD information and documentation is produced by t
intermediary upon demand and without undue delay?
Have you taken reasonable steps to review intermediaries' ability to perform its CDD, whenever you have dou
reliability of intermediaries?
23.RPs are required to perform CDD measures on pre-existing customers when trigger events occur
Have you performed CDD measures on your pre-existing customers when one of the following trigger events h
(a) a transaction takes place with regard to the customer, which is, by virtue of the amount or nature of the tra
unusual or suspicious; or is inconsistent with your knowledge of the customer or the customer's business or ris
with your knowledge of the source of the customer's funds
(b) a material change occurs in the way in which the customer's account is operated
(c) you suspect that the customer or the customer's account is involved in ML/TF/PF
(d) you doubt the veracity or adequacy of any information previously obtained for the purpose of identifying an
customer's identity
(e) Are other trigger events that you consider and defined in your policies and procedures, please elaborate fu
text box
24.RPs are not allowed to maintain anonymous accounts or accounts in fictitious names for any new
customers.
Do you refrain from maintaining (for any customer) anonymous accounts or accounts in fictitious names?
25.RPs are required to assess and determine jurisdictional equivalence as this is an important aspec
application of CDD measures.
When you do your documentation for assessment or determination of jurisdictional equivalence, do you take th
measures?
(a) make reference to up-to-date and relevant information
(b) retain such record for regulatory scrutiny
(c) periodically review to ensure it remains up-to-date and valid
(D) - Ongoing monitoring
26.RPs are required to perform effective ongoing monitoring for understanding customer's activitie
the RP to know the customers and to detect unusual or suspicious activities.
Do you continuously monitor your business relationship with a customer by:
(a) monitoring the activities (including cash and non-cash transactions) of the customer to ensure that they are
with the nature of business, the risk profile and source of funds.
(b) identifying transactions that are complex, large or unusual or patterns of transactions that have no apparen
lawful purpose and that may indicate ML/TF/PF
Do you monitor the following characteristics relating to your customer's activities and transactions?
(a) the nature and type of transaction (e.g. abnormal size or frequency)
(b) the nature of a series of transactions (e.g. number of cash deposits)
(c) the amount of any transaction, paying particular attention to substantial transactions
(d) the geographical origin/destination of a payment or receipt
(e) the customer's normal activity or turnover
Do you regularly identify if the basis of the business relationship changes for customers when the following oc
(a) new products or services that pose higher risk are entered into
(b) new corporate or trust structures are created
(c) the stated activity or turnover of a customer changes or increases
(d) the nature of transactions change or the volume or size increases
(e) if there are other situations, please specify and further elaborate in the text box
In cases, where the basis of a business relationship changes significantly, do you carry out further CDD proced
that the ML/TF/PF risk and basis of the relationship are fully understood?
Have you established procedures to conduct a review of the business relationship upon the filing of a report to
do you update the CDD information thereafter?
27.RPs are required to link the extent of ongoing monitoring to the risk profile of the customer dete
through RBA.
Have you taken additional measures with identified high risk business relationships (including PEPs) in the for
intensive and frequent monitoring?
If yes, have you considered the following:
(a) whether adequate procedures or management information systems are in place to provide relevant staff wi
information that might include any information on any connected accounts or relationships
(b) how to monitor the sources of funds, wealth and income for higher risk customers, and how any changes in
circumstances will be recorded
Do you take into account the following factors when considering the best measures to monitor customer transa
activities?
(a) the size and complexity of its business
(b) assessment of the ML/TF/PF risks arising from its business
(c) the nature of its systems and controls
(d) the monitoring procedures that already exist to satisfy other business needs
(e) the nature of the products and services (including the means of delivery or communication)
In the case where transactions are complex, large or unusual, or patterns of transactions that have no apparen
lawful purpose are noted, do you examine the background and purpose, including where appropriate the circu
the transactions?
If yes, are the findings and outcomes of these examinations properly documented in writing and readily availab
other competent authorities and auditors?
In the case where you have been unable to satisfy that any cash transaction or third party transfer proposed by
reasonable and therefore consider it suspicious, do you make a suspicious transaction report (STR) to the FMU
(E) - Financial sanctions and terrorist financing
28.RPs have to be aware of the scope and focus of relevant financial/trade sanctions regimes.
Do you have procedures and controls in place to:
(a) ensure that no payments to or from a person on a sanctions list that may affect your operations is made
(b) screen payment instructions to ensure that proposed payments to designated parties under applicable laws
regulations are not made
If yes, does this include:
(a) drawing reference from a number of sources to ensure that you have appropriate systems to conduct check
relevant lists for screening purposes
(b) procedures to ensure that the sanctions list used for screening are up to date
Do you take the following measures to ensure compliance with relevant regulations and legislation on TF?
(a) understand the legal obligations of your institution and establish relevant policies and procedures
(b) ensure relevant legal obligations are well understood by staff and adequate guidance and
training is provided
(c) ensure that the systems and mechanisms for identification of suspicious transactions cover TF as well as M
Do you maintain a database (internal or through a third party service provider) of names and particulars of ter
and designated parties that consolidates the various lists that have been made known to it?
If yes, have you also taken the following measures in maintaining the database?
(a) ensure that the relevant designations are included in the database.
(b) ensure that the database is subject to timely update whenever there are changes
(c) ensure that the database is made easily accessible by staff for the purpose of identifying suspicious transac
Do you perform comprehensive screening of your complete customer base to prevent TF and sanction violation
If yes, does it include the following?
(a) screening customers against current terrorist and sanction designations at the establishment of the relation
(b) screening against your entire client base, as soon as practicable, after new terrorist and sanction designati
published by the MoFA/NACTA/MoI/CTD
Do you conduct enhanced checks before establishing a business relationship or processing a transaction if ther
circumstances giving rise to a TF suspicion?
Do you document or record electronically the results related to the comprehensive ongoing screening, paymen
and enhanced checks if performed?
Do you have procedures to file reports to the FMU, if you suspect that a transaction is terrorist-related, even if
evidence of a direct terrorist connection?
(F) - Suspicious Transaction reports
29.RPs are required to adopt on-going monitoring procedures to identify suspicious transactions for
reporting of funds or property known or suspected to be proceeds of crime or terrorist activity to th
Monitoring Unit (FMU).
Do you have a policy or system in place to make disclosures/suspicious transaction reports to the FMU?
Do you apply the following principles once knowledge or suspicion has been formed?
(a) in the event of suspicion of ML/TF/PF, a disclosure is made even where no transaction has been
conducted by or through your institution
(b) internal controls and systems are in place to prevent any director, officer and employee,
especially those making enquiry with customers or performing additional or enhanced CDD procedures, comm
offence of tipping off the customer, or any other person who is the subject of the disclosure
Do you provide sufficient guidance to your staff to enable them to form a suspicion or to recognize when ML/T
place?
If yes, do you provide guidance to staff on identifying suspicious activity taking into account the following:
(a) the nature of the transactions and suspicious activity that staff is likely to encounter
(b) the type of product or service
(c) the means of delivery
Do you ensure your staff are aware of and alert to the SECP's guidelines in relation to:
(a) potential ML scenarios using Red Flag Indicators
(b) potential ML involving employees of RPs.
Subsequent to a customer suspicion being identified, have you made prompt disclosures to the FMU if the follo
additional requests are made by the customer:
(a) instructed you to move funds
(b) close the account
(c) make cash available for collection
(d) carry out significant changes to the business relationship
Note: RPs are required to make prompt disclosure to FMU in any event.
(G) - Record Keeping and Retention of Records
30.RPs are required to maintain customer, transaction and other records that are necessary and suff
meet the record-keeping requirements.
Do you keep the documents/ records relating to customer identity?
If yes, are records kept throughout the business relationship with the customer, and for a minimum period of fi
the end of the business relationship as per SECP regulations? Note: As per the regulations, records may be
for a longer period where transactions, customers or accounts involve litigation or is required by court or oth
authority.
Do you keep the following documents/ records relating to transactions?
(a) the identity of the parties to the transaction
(b) the nature and date of the transaction
(c) the type (if applicable) and amount of currency involved
(d) the origin of the funds
(e) the form in which the funds were offered or withdrawn
(f) the destination of the funds
(g) the form of instruction and authority
(h) the type and identifying number of any account involved in the transaction
Are the records kept for a period of five years after the completion of a transaction, regardless of whether the
relationship ended during the period, as required under the AML/CFT Regulations?
In the case where customer identification and verification documents are held by intermediaries, do you ensur
intermediaries have systems in place to comply with all the record-keeping requirements?
(H) - Staff Training
31.RPs are required to provide adequate ongoing training to staff in what they need to do to carry o
particular roles with respect to AML/CFT.
Have you implemented a clear and well articulated policy to ensure that relevant staff receive adequate AML/C
Do you provide AML/CFT training to your staff to maintain their AML/CFT knowledge and competence?
If yes, does the training program cover the following topics?
(a) your institution's and the staff's own personal statutory obligations, and the possible consequences for failu
suspicious transactions under relevant laws and regulations
(b) any other statutory and regulatory obligations that concern your institution and the staff under the relevan
regulations, and the possible consequences of breaches of those obligations
(c) your own policies and procedures relating to AML/CFT, including suspicious transaction identification and
(d) any new and emerging techniques, methods and trends in ML/TF/PF to the extent that such information is
your staff to carry out their particular roles in your institution with respect to AML/CFT
Do you provide AML/CFT training for all your new staff, irrespective of their seniority, and before commencem
If yes, does the training program cover the following topics?
(a) an introduction to the background to ML/TF/PF and the importance placed on ML/TF/PF by your institution
(b) the need for identifying and reporting of any suspicious transactions to the Compliance Officer, as well as
the offence of 'tipping-off' to the compliance officer.
Do you provide AML/CFT training for your members of staff who are dealing directly with the public?
If yes, does the training program cover the following topics?
(a) the importance of their role in the institution's ML/TF/PF strategy, as the first point of contact with potentia
launderers
(b) your policies and procedures in relation to CDD, and record-keeping requirements for staff members that a
their job responsibilities
(c) training with respect to circumstances that may give rise to suspicion, and relevant policies and procedures
for example, lines of reporting and when extra vigilance might be required
Do you provide AML/CFT training for your back-office staff?
If yes, does the training program cover the following topics?
(a) appropriate training on customer verification and relevant processing procedures
(b) how to recognize unusual activities including abnormal settlements, payments or delivery instructions
Do you provide AML/CFT training for managerial staff including internal audit officers and COs?
If yes, does the training program cover the following topics?
(a) higher level training covering all aspects of your AML/CFT regime
(b) specific training in relation to their responsibilities for supervising or managing staff, auditing the system,
performing random checks as well as reporting of suspicious transactions to the FMU
Do you provide AML/CFT training for your Compliance Officer?
If yes, does the training program cover the following topics?
(a) specific training in relation to their responsibilities for assessing suspicious transaction reports submitted t
reporting of suspicious transactions to the FMU
(b) training to keep abreast of AML/CFT requirements/developments generally
Do you maintain the training record details for a minimum of 3 years?
If yes, does the training record include the following details:
(a) which staff have been trained
(b) when the staff received training
(c) the type of training provided
Do you monitor and maintain the effectiveness of the training conducted by staff by:
(a) testing staff's understanding of the RP's and associated entities' policies and procedures to combat ML/TF/P
(b) testing staff's understanding of their statutory and regulatory obligations
(c) testing staff's ability to recognize suspicious transactions
(d) monitoring the compliance of staff with your AML/CFT systems as well as the quality and quantity of intern
(e) identifying further training needs based on training / testing assessment results identified above
Yes/No/NA
If No, provide explanation and plan of action for remediation.