On 13 September 2022, the Microfinance Supervision Committee (“Committee“) under the Ministry of Planning and Finance issued Directive No.4/2022 (“Directive“), which outlines risk-based management strategies required of microfinance institutions (“MFIs“) to combat money laundering and terrorism. The Directive also pertains to Section 69 (c) of the Anti-Money Laundering Law (Union Parliament Law No. 11/2014) and Section 68 (b) of the Microfinance Law (Union Parliament No. 13/2011).
This Directive applies to MFIs that have obtained a license to operate in Myanmar, including their members/individuals/organizations and companies participating in the MFI, as well as their board of directors, senior management, managers, compliance officers and employees. The directive also applies to banks, financial institutions, companies, non-profit organizations, trust groups, and entities in their dealing with MFIs.
The Directive sets out the procedures, methods, and policies that MFIs must follow when implementing the Anti-Money Laundering/Combating the Financing of Terrorism (“AML/CFT“) risk management system, as follows:
1. AML/CFT risk management: Control procedures and MFI methods
The MFIs must establish and develop policies, risk management, control procedures, and methods to be used for the AML/CFT risk management process implemented by the national government of Myanmar. The required procedures include:
- Identify and evaluate AML/CFT-related risks arising from MFI activities;
- Recognize the information of the members of the MFIs and carefully monitor the members;
- Monitor and supervise the operations of MFIs and the financial activities of members, including cash transactions;
- Report suspicious activities to the competent authorities;
- Maintain records under the provisions of the Anti-Money Laundering Law;
- Establish policies and procedures for existing members and service distribution channels in the organization and geographical region that are adaptable to related risks;
- Communicate openly with all employees and compile necessary evidence;
- Carry out occasional reviews of the risk environment for MFIs; and
- Manage AML/CFT risks with a transparent accountability process and step-by-step reporting systems that should be implemented by all individuals and departments involved in the process.
The Directive highlights specific money laundering methods the MFIs must remain aware of, including the placement of illegal money in the legitimate financial system and cases in which illicit funds from criminal activities are introduced into the financial system. The MFIs must understand the “layering” processes used by entities to conceal the illegal source of their funds. The MFIs must continuously monitor where criminals place their funds, specifically when the illegal source of funds has been concealed.
According to the Directive, MFIs must be aware of the following factors related to the financing of terrorism:
- Financing terrorism as defined in the Anti-Terrorism Law;
- Financing of terrorism includes material support, noting that money and materials can come from legitimate sources as well as from criminal sources, and the amount supplied may be very small;
- The risk of financing terrorism using MFIs requires that Customer Due Diligence (CDD) processes are carefully carried out
- Funding terrorism can be carried out through Hundi, Hawala, informal money transactions, and Value Transfer Services (MVTs), and such transactions can be efficiently conducted without any documentation
- Transportation of hard cash by land or water in places where strict transnational border control is not possible;
- Misconduct in international trade and money transfers related to terrorism financing can be made using fraudulent invoices; and
- High-value items such as gold and jewellery can be transported between countries through money laundering and terrorism financing.
An MFI must be thoroughly audited to ensure it complies with AML/CFT requirements. MFIs must assign specific responsibilities and powers to their employees to ensure that their service and distribution channels are not used for money laundering and terrorist financing. In addition, AML/CFT policies and standards must be effectively established and implemented.
2. Managing AML/CFT risks with a risk-based approach
According to the Directive, MFIs must know that money laundering and terrorism financing risks arise from clients, distributed financial services/products, distribution channels for financial services/products, and operation areas. It identifies the levels of risk management as follows:
- Risk Identification: Consider factors such as the national political system, the economy, and other factors
- Risk Assessment: Develop methods for measuring the potential impact and identifying the sources of risk
- Risk Management: In defining the risk management framework, a specific reporting system and responsibilities must be set and established
- Risk Monitoring: The MFI must build Management Information Systems (MIS) that monitor risk continuously. The MIS should identify when a member’s practices and activities are linked to money laundering and terrorism financing.
Regarding the AML/CFT, an MFI’s establishment and implementation of policy standards must be effectively linked to membership policies, compliance responsibilities, and independent audit reviews from operations.
3. Responsibilities of the management team
The Directive outlines the following duties and functions of the management team to ensure that the employees of the MFI consistently comply with the AML/CFT policies and procedures:
- The MFI establishes/maintains effective compliance practices regarding AML/CFT financial crimes;
- Include AML/CFT procedures as a part of the MFI’s day-to-day operating procedures and ensure these procedures are successfully implemented and adequately applied;
- Detection of procedural issues related to AML/CFT, guidance to the Compliance Office if there is a need to establish or change procedures;
- Monitor the effectiveness of the policies related to AML/CFT adopted by the MFI and prepare and submit a report to the MFI’s board;
- Conduct risk assessments that are up-to-date related to products or services, technology, and adaptable to the MFI’s continuously changing situation;
- The Compliance Officer of the MFI shall provide all information that the MFI requires relevant to AML/CFT operations and its contact bank;
- Suspicious circumstances related to AML/CFT from the MFI’s activities should be quickly directed to the Compliance Officer.;
- Ensure that MFI officials understand and implement risk-based prevention responsibilities and processes in their day-to-day operations;
- Providing training on AML/CFT to relevant MFI employees.
4. Duties of the Compliance Officer
This Directive sets out duties for the Compliance Officer as follows,
- Verify information received from employees and send suspicious reports to the Myanmar Financial Intelligence Unit (MFIU);
- Ensure that the MFI develops and implements internal procedures and AML/CFT policies that meet regulatory requirements;
- Assist the management team in developing a culture of effective implementation of AML/CFT compliance;
- Maintain comprehensive risk management policies for the MFI’s AML/CFT prevention processes, including a report on risk identification and evidence related to their use, and provide a complete presentation if requested by inspection and supervisory authorities;
- Meet with the MFI’s senior management team to establish plans to apply a risk-based approach to the implementation of the AML/CFT procedures;
- Conduct investigations without delay on reports of suspicious activity within the organization;
- Timely submission of Suspicious Activity Reports to the MFIU per the requirement;
- Provide continuous initial and advanced training on AML/CFT to relevant employees;
- Provide AML/CFT awareness to employees and senior management;
- Report to the CEO and senior management teams if deficiencies are found in the policies, procedures, and methods regarding the AML/CFT activities of the MFI; the MFI’s board must follow up to correct these deficiencies;
- The Compliance Officer, on behalf of the MFI, shall communicate and coordinate with third parties, including law enforcement agencies;
- Review AML/CFT sensitive information regarding cash inflows/outflows, make necessary decisions regarding reports, and identify erroneous concepts;
- Provide knowledge to relevant employees about the Central Body on Anti-Money Laundering, relevant supervisory authorities, Financial Intelligence Unit, and persons or organizations who the United Nations Security Council has sanctioned;
- Provide information reasonably requested by law enforcement agencies;
- Accept new members per the MFI’s policy statement, open accounts through Enhanced Due Diligence (“EDD“), and conduct the necessary monitoring of risk-assessment reports;
- Establish an automated registration system regarding activities and high-risk members; and
- Consistently comply with risk management reports and enhanced monitoring procedures in line with the latest situation.
5. Effective monitoring and enforcement of risk controls
All MFIs shall conduct risk management on an ongoing basis and review it on a timely basis. They must identify potential risks, and their senior management team must keep risk management up-to-date and prepare an annual review. The senior management team must establish a monitoring system to check whether the MFI effectively implements AML/CFT policies and procedures. The system must operate as follows:
- Keep CDD processes up-to-date, including information, evidence and activities of members and contacts;
- Continuously monitor and review the various products and services distributed by the MFI;
- Continuously review the effectiveness of staff awareness and training on AML/CFT;
- Monitor and enforce AML/CFT regulatory compliance programs through review teams, including internal and external audits;
- Implement an appropriate information management system and keep it up-to-date;
- Communicate between Compliance Officer and Senior Management Team regularly; and
- Communicate with Law Enforcement Agencies.
6. Sources of risk to monitor
The senior management team must identify the risk factors based on the conditions encountered in operations.
High-risk factors include newly joined members, applicants for membership through current members, Politically Exposed Persons (“PEP“), members who have attempted abuse in the past, members who are purchasing products on a lease, those who join as members through an intermediary, and members who carry out electronic money transfers.
Medium-risk activities include members included in risk classes, activities of members above reported financial amounts, and activities related to obtaining grants from local/foreign donors/organizations.
Low-risk factors include domestic/foreign borrowing and acceptance of savings from members.
7. Rules for establishing and applying membership acceptance policy
The Directive states that when establishing and applying a membership acceptance policy, the senior management team must not accept the following persons, members, and actions:
- If determined by a reliable source that a member is a criminal or a member of a criminal group, terrorist, or a member of a terrorist group.
- A member has a history of criminal activity and is from a country with a high rate of terrorist activity.
- A member is a perpetrator of certain offences deemed to pose a high risk of money laundering and/or terrorism financing by the source of income.
- A member is from a country where corruption or similar activities (for example, trafficking in illegal drugs) are common.
- A member who is wanted by the FIU or a law enforcement agency.
- A member from a country that the FIU or the Competent Authority has identified as having a high risk of exposure to money laundering and terrorism financing.
- A member from a country that does not comply with the AML/CFT rules and regulations enforced by the MFI.
- A member who employees of the MFI have reason to believe, based on the member’s conduct or other factors, is involved in money laundering or financing of terrorism.
8. Implementing a risk-based strategy
According to this Directive, the MFI shall classify the risk level of its members as high, medium or low. This assessment is based on the personal information of its members or customers and their financial behaviour. The MFI must carry out CDD /EDD as necessary to prevent risk-based problems.
It must also determine the risk for non-citizen members and customers based on the Corruption Perception Index and FIU conducted by the Financial Action Task Force (FATF), Transparency International, and information provided by the competent authorities and law enforcement agencies.
Additionally, the MFI shall evaluate risks depending on the member’s country of residence and carry out the following: acquire standardized information for members; perform standardized screening of members; apply EDD to the wealth and information of the financial resources of members who are deemed to be at high risk; apply reduced CDD procedures to members with low risk as assessed at the appropriate time; apply risk-based monitoring measures continuously; and acquire background information regarding high-risk members/communicators such as PEP, commercial organizations, and so forth.
9. Managing membership and geographic risks
The MFI must be aware of its members’ nature and purpose for commercial operations and identify any inconsistencies during the initial communication period. The MFI must verify the level of risk concerning businesses that mainly use cash. The MFI must know that a perpetrator can operate all or part of a business with the proceeds of crime, which can get mixed with legitimate business activities. This Directive describes companies and structures that give rise to high risks, including companies with undisclosed beneficiaries, unregistered companies that do not require the beneficial owner to be disclosed, and companies not required to have physical headquarters or a branch in a country and do business in another country. Other high-risk organizations include corporate bodies connected with trusts or special mechanisms, businesses providing financial services, real estate businesses, gemstones, and traders of valuable goods.
10. Managing risks of product/service distribution channels
All MFIs must strictly conduct the verification of members when using non-face-to-face service delivery channels, including Digital Financial Services. This type of non-face-to-face service must also be included in the high-risk class. The MFI must carefully verify the information related to members residing in areas where the illegal drug trade and terrorist organizations are known to exist.
11. Particulars on countries identified as high-risk
The Directive requires the MFI to continuously obtain information related to high-risk countries through the Compliance Officer. The MFI must verify shareholders from countries that are internationally considered high risk according to the established protocols and the requirements of the FIU and other law enforcement agencies. When conducting business with a member from a high-risk country, the MFI must fully understand the nature and purpose of the activity and perform EDD functions. Furthermore, if required, the MFI must submit reports to the FIU and Suspicious Transaction Reporting (STR) and continuously monitor high-risk activities, including lists of PEPs.
12. Risk management related to the financing of terrorism
MFIs shall maintain controls on money laundering and terrorist financings, process risk assessment, maintain a CDD Checklist, perform action monitoring and enforcement procedures in detail, monitor suspicious activity, and coordinate with the FIU and other supervisory authorities. The Compliance Officer shall identify sources of information related to the financing of terrorism (e.g., press releases, reports from supervisory authorities, reports from FIU, FATF, and court decisions).
13. Inspection of sanctions lists
The Directive states that the senior management team of the MFI must take necessary verification measures if the Compliance Officer submits a list of terrorists (or those involved in the financing of terrorism) who have been sanctioned and punished. The Compliance Officer is responsible for carefully checking whether its members participate in terrorism financing. If they are likely to participate in those processes – the officer must take timely action per the rules and regulations. MFIs must follow the resolutions the United Nations Security Council issued when combating terrorism with the information received from the FIU.
14. Providing knowledge and training to employees
To carry out investigations effectively, the MFI must ensure that its employees understand AML/CFT procedures as explained in up-to-date education and training campaigns.
15. Consequences for MFIs under the Directive
An MFI that fails to comply with the provisions of Directive No.4/2022 shall be prosecuted, including its members and those who communicated with it, according to the Microfinance Law, Anti-Money Laundering provisions Law and the Anti-Terrorism Law.
We trust that this information is helpful. Please let us know if you have any questions or would like to discuss this or any other legal issues in Myanmar.
The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.