As of January 2025, the Astana Financial Services Authority (AFSA) has approved amendments to the Guidance applicable to the Internal Control Rules for Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) for AIFC Financial Monitoring Entities (hereinafter referred to as the “Guidance”).
In this article, we will outline the key changes and highlight aspects that AIFC participants should consider when analyzing their internal documentation in this area.
One of the significant innovations is the introduction of a new concept – Business Risk Assessment (BURA). Alongside the Customer Risk Assessment (CRA) Policy, financial institutions are now required to implement a Business Risk Assessment policy. This document is expected to take into account the following risks:
- Customer risk factors, such as the type of customers
- Country or geographic/jurisdictional risks
- Product, service, transaction, and delivery channel risk factors
The Business Risk Assessment must be conducted regularly, and its results must be provided to the company’s senior management. This policy is similar to the Customer Risk Assessment, but each company will need to tailor it to its business specifics.
Previously, the requirements set out in the Guidance applied to all relevant persons regulated or supervised by the AFSA, except for authorized firms licensed as representative offices. Now, credit rating agencies have been added to the list of exemptions.
This is because such agencies do not conduct financial transactions on behalf of clients and do not bear direct AML/CTF-related risks. Excluding them from the scope of the Guidance aligns with the risk-based approach principle and international regulatory practices.
The updated Guidance clarifies the structure of AML policies, procedures, systems, and controls:
- The new version introduces a requirement for the “appropriate representation of AML compliance function in the managing and organizing internal control system on AML matters,” which clarifies the role of the AML compliance function within the internal control system.
- The previous version was broader: “appropriate representation of compliance function in the management,” leaving ambiguity regarding its role.
- The requirement for a risk management program explicitly mentions “BURA, CRA,” indicating specific approaches or documents related to risk management.
- The previous version did not reference these programs and instead used more general terms like “risk management.”
These changes make the requirements clearer and more detailed, defining roles in governance and control systems more precisely.
Additionally, the new version of the Guidance introduces:
- The objective of effectively identifying not only money laundering and terrorist financing (ML/TF) but also sanctions violations and mitigating these risks.
- An expanded list of monitored activities, including additional actions such as attempts to evade monitoring and suspicious financial transactions linked to the movement of illicit funds.
- The addition of geographic risk criteria: transactions involving entities registered in high-risk regions are now explicitly addressed, which was not included in the previous version.
We also see enhancements in the risk assessment model. Under the updated version, entities must develop and implement a risk assessment model based on both quantitative and qualitative characteristics. Numerical values help determine the risk category (geography, customer type, products, services, and delivery channels), as well as the overall customer risk. Each category may be assessed differently depending on the nature of the company’s business.
Moreover, the new version introduces a requirement for entities to establish a customer risk profile based on the CRA procedure.
The Guidance has always prohibited organizations from establishing or maintaining business relationships with Shell Banks. A Shell Bank is defined as a bank that has no physical presence in its country or jurisdiction, even if it has agents or administrative personnel. Such banks are often used to bypass regulations and pose money laundering risks. The requirement aims to prevent engagement with such banks to protect against financial crimes. According to the new amendments, the presence of a local agent or administrative staff does not constitute a physical presence in the country where the client is registered or licensed. Therefore, Shell Banks with this characteristic will not be exempt from the prohibition on engagement.
One of the clarifications introduced in the Guidance concerns the procedure for deferring customer or beneficial owner verification, which is now permitted when necessary for the proper functioning of business operations in the securities sector. Companies or intermediaries required to complete a transaction within a short timeframe may finalize the transaction before completing customer verification.
This clarification highlights that the securities sector has specific market demands that require swift responses and transaction completion, making standard verification timelines impractical.
At the same time, it is crucial that the fundamental principles of security and AML compliance are not compromised. Companies must implement a system ensuring that customer verification is completed at a later stage. Organizations should develop risk management procedures specifying conditions under which a customer may begin a business relationship before verification is completed. These procedures should include limitations on the number, types, or amounts of transactions, as well as strict monitoring of large or complex transactions that fall outside expected norms for that type of business relationship.
This approach aims to balance AML compliance with the need for efficiency in securities trading processes.
These changes strengthen risk control measures related to deferred customer verification. While allowing organizations to act swiftly in specific situations (e.g., urgent transactions or short-term deals), they introduce additional safeguards such as transaction limits and monitoring of unusual activities.
These amendments require updates to internal policies and procedures, as well as adaptations to internal control systems to align with the new requirements. We are ready to assist you in assessing your internal documentation, ensuring compliance with the latest regulations, and preparing the annual AML/CTF report in accordance with AIFC requirements.
If you have any questions or require consultation, please contact us at [email protected]
