FAQ’s on AML/CFT
What are the KYC requirements for the accounts opened before 2012?
The KYC/CDD requirements for the pre-existing accounts opened before 2012 is explained under Section 9b – Existing Customers (reproduced below) of the SECP Guidelines on AML, CFT and Proliferation Financing :
“RPs are required to apply CDD measures to existing customers on the basis of materiality and risk, and to conduct due diligence on such existing relationships at appropriate times, taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained”.
Why are KYC documentation for Corporate Accounts such as Memorandum and Articles of Association, Trust Deeds, Certificate of Incorporation and Commencement required when the SECP website provides the status of the corporate entities?
KYC documentation should be reviewed to understand the nature/size of business, purpose and intended nature of the business relationship, ownership and control structure of the entity.
Why are certain documents like Authority Resolutions’ and Directors’ CNICs required for KYC purposes in case of corporate entities?
The individuals who are authorized to open and operate the accounts in case of corporate entities should also be subject to comprehensive CDD requirements. Therefore, documentation is required for identification and verification of person acting on behalf of the entity and its directors. In addition, the authority of such person to act on behalf of the customer shall be verified through documentary evidence including Resolution of Board of Directors.
Why isn’t there a standardized process to determine thresholds and investors’ categorization for enhanced due diligence (EDD)?
ML/TF risk w.r.t risk categories, i.e. customers, countries or geographical locations, products and services, transactions and delivery channels are specific to each entity. Examples of high and low risk categories are given in section 18 of the SECP AML/CFT Guidelines 2018. It may be noted that EDD is mandatory for high risk customers and has to be done irrespective of any thresholds.
What are the documentation requirements for enhanced due diligence such as wealth statements, bank statements etc. and what can be the examples of source of wealth and/or source of funds?
Please refer to FAQs on link https://www.secp.gov.pk/faq/ wherein the examples of source of wealth/ source of funds are provided.
Are corporate websites, newspapers, tax directories acceptable for KYC purposes?
KYC/CDD process entails identifying the customer or beneficial owner; obtaining information on the purpose and intended nature of the business relationship; and monitoring of accounts/transactions on ongoing basis. Therefore, reliable and independent sources may be used for verification purposes.
What is the mechanism for on-going monitoring of accounts (in terms of thresholds, investor categories, period of relationship etc.).
Ongoing monitoring is part of the customer due diligence and essentially consists of monitoring transactions for intended purpose of the customer. Section 10 of the SECP AML/CFT Guidelines 2018 explains the mechanism of ongoing monitoring of accounts. However, entity should formulate policies and procedures for on-going monitoring.
How should the regulated person respond to discrepancies (such as credit blocks, follow-up periodicity etc.) that may arise during on-going monitoring?
SECP AML/CFT Regulations and guidelines are reproduced below which may be referred to for guidance:
SECP AML/CFT Regulations, 2018 Section 6 – Customer Due Diligence:
(11) “where regulated person is not able to satisfactorily complete required CDD measures, account shall not be opened or existing business relationship shall be terminated and consideration shall be given if the circumstances are suspicious so as to warrant the filing of an STR in relation to the customer”.
SECP AML/CFT Guidelines section 9(b) (iii) and (iv) – Existing Customers:
iii. An RP is entitled to rely on the identification and verification steps that it has already undertaken, unless it has doubts about the veracity of that information. Examples of situations that might lead an institution to have such doubts could be where there is a suspicion of money laundering in relation to that customer, or where there is a material change in the way that the customer’s account is operated, which is not consistent with the customer’s business profile.
iv. Where an RP is unable to complete and comply with CDD requirements as specified in the Regulations, it shall not open the account, commence a business relationship, or perform the transaction. If the business relationship has already been established, the RP shall terminate the relationship. Additionally, the RP shall consider making a STR to the FMU.
What are the KYC requirements for investors with long term banking relationships?
Section 12 of the SECP AML/CFT Regulations, 2018 provides detailed guidance on third party reliance.
It may be noted that notwithstanding long term banking relationships and the investment of funds through banking channel the responsibility for ongoing monitoring of customers and reliance on third parties ultimately remains with the regulated person, including generation of STRs.
What is the closure mechanism for discrepant accounts?
Under SECP AML/CFT Guidelines 2018, section 9(b) (iv) – Existing Customers:
iv. Where an RP is unable to complete and comply with CDD requirements as specified in the Regulations, it shall not open the account, commence a business relationship, or perform the transaction. If the business relationship has already been established, the RP shall terminate the relationship. Additionally, the RP shall consider making a STR to the FMU.
The customer should be is provided with fair opportunity to remove the discrepancies and in cases, where he is unable to comply with the relevant CDD measures, the business relationship should be terminated.
How to identify and verify the beneficiaries in case of trusts as required under Regulation (7)2 of SECP AML/CFT Regulations 2018?
In the case of “Trusts”, the regulated person should obtain:
a) Whether the Trust is a Public Trust or Private Trust;
b) Trust Deed whereby the Trust has been created;
c) Details of Settlor (this will also be available in the Trust Deed);
d) Objects of the trust (this will also be available in the Trust Deed);
e) Trustee of the trust (whether trustee is associated person of the settlor);
f) Description of each class or type of beneficiary (this information may also be checked from Trust Deed);
g) Details of any possibility of influence of any other person on trustee regarding management and control of trust property;
h) In the case of “Private Trust” if the beneficiary of a trust is also the beneficial owner of the trust, identification and verification of the beneficiary is required otherwise the name and CNIC of each beneficiary of a trust should be obtained. (verification of this information is not required).
For this purpose, the regulated person may obtain a declaration from Governing Body/Board of Trustees/Executive Committee/sponsors on ultimate control, purpose and source of funds etc. Further, the documents as per Sr. No. 1 of the Annex 1 of the SECP AML/CFT Regulations, 2018 can be used for identification and verification of settlor, the trustee, the protector (if any), the beneficiaries and any natural person exercising ultimate ownership, ultimate control or ultimate effective control over the trust under Regulation (7)2 of SECP AML/CFT Regulations 2018.
Annual risk assessment Framework and Compliance Assessment Checklist are required to be filed with SECP by June 30 of each Financial Year. What would be the cut-off date for data to be used for this risk and compliance assessment?
The May 31 of each financial year may be taken as a cut-off date for data to conduct necessary assessment and subsequent filing to the SECP on June 30. However, the data for month of “June” shall be included in the subsequent annual filing.
Six monthly information/ data is required to be filed with SECP by June 30 and December 31 of each Financial Year. What would be the cut-off date for data to be used for each six monthly information/ data submission?
The first six monthly data along with annual risk assessment and annual compliance check list shall be submitted not later than 30th June based upon the data up to 31st May (hence the data period will be from 1st December to 31st May) and for second six monthly information/data shall be submitted not later than 31st December based upon the data up to 30 November (hence the data period will be from 1st June to 30st November).
GENERAL FAQ’S
What is eServices and how to access the eServices?
e-Services is a 24/7 available portal developed by SECP to facilitate the users in reservation of name, incorporation of companies, filing of specified forms and related documents required under the Companies Ordinance, 1984 and the Rules and Regulations being administered by SECP, in electronic form to the Registrar of Companies for registration. eServices can be accessed through SECP’s website at www.secp.gov.pk.
What are the benefits of using eServices?
Following are the benefits of using e-Services instead of physical filing:
- Simple and hassle-free procedure to create account on e-Services
- Accessible 24/7 from anywhere in the world
- Lower fee compared to physical submission of documents
- No need to visit Company Registration Offices (CROs)
Which equipment is required for using e-Services?
A personal computer equipped with a web browser and internet access, preferably broadband connection.
Is the Promoters’ Guide available on the SECP website?
Yes, the Promoters’ Guide is available on the SECP website at https://www.secp.gov.pk/wp-content/uploads/2017/04/Promoters-Guide.docx
How can I get help on eServices?
For eServices assistance, you can email your query to the help desk at “helpdesk.eservices@secp.gov.pk”. You can also call the Service Desk at UAN: 111-117-327.
Ultimate Beneficial Ownership
How would you differentiate between direct or indirect ownership or control?
Direct owner refers to individuals and entities who directly own shares in any legal entity. For example, if you own 20% of the shares in a particular entity, you become a direct owner. A direct owner need not necessarily be an individual (natural person) and can also be another entity as in the case where the parent company is a direct owner in its direct subsidiary.
A person can be an indirect owner, if a company or any other business entity in which he has shares, owns another company, as illustrated below. For example, if Company 2 is owned to the extent of 20% by Company 1, and Company 1 is owned to the extent of 50% by a natural person, than the said Person is an indirect owner of Company 2 through Company 1, to the extent of 10% ownership in Company 2 (50% of 20%).
Which companies are required to comply with the provisions of Circular no. 16 of 2018 read with Circular no. 20 of 2018?
The aforesaid Circulars are only applicable upon those companies which have:
a. One or more legal persons/companies as their member or shareholder, AND
b. Such legal persons/companies hold not less than 10% ownership or control rights in the companies subject to requirement of these Circulars
Because a company is not directly aware of the pattern of shareholding of the legal persons appearing as its members, it would determine the status of Ultimate Beneficial Ownership (UBO) of the natural persons who are the members or shareholders of the legal persons, after obtaining information in respect of them. Only if the indirect shareholding of any such natural person, which is arrived at by multiplying his ownership percentage in the legal person with the ownership percentage of the legal person in the company, is not less than 10%, his particulars would be entered in the register of UBO to be maintained by the company.
For instance, as per illustration given in Q1 above, assume that Company 2 has a legal person Company 1 as its member with 80% of its share capital held by it, and Company 1 has a natural person Mr. X with 20% shares in Company 1. Mr. X would be classified as a UBO through the following calculation:
Mr. X direct percentage shareholding in Company 1 = 20%
Mr. X indirect shareholding in Company 2
= (Shareholding percentage of Company 1 in Company 2) X (Shareholding percentage of Mr. X in Company 1)
= 80% X 20% (i.e. 20% of 80%)
= 16%
In the given illustration, Mr. X holding more than 16% shares in Company 2 through Company 1 would be classified as a UBO in Company 2. Company 2 would be required to enter particulars of Mr. X as specified in Circular no. 16 of 2018 in its register of UBO. For
What is the mechanism for obtaining UBO information by a company, having legal person(s) as its members, from ultimate beneficial owners?
Following procedure is to be followed to ensure compliance with the requirements to obtain and maintain ultimate beneficial ownership information.
1) In respect of members of a company, say Company X, who are natural persons and hold not less than 10% ownership or controlling rights in it, no information would be required to be entered in the register of UBO because their particulars would already being maintained and recorded in the register of members of Company X under section 119 of the Act read with regulation 19 of the Regulations.
2) Company X will circulate the letter requiring ultimate beneficial ownership information from those members who:
(i) are legal persons, i.e. other than natural persons or individuals, and
(ii) have not less than 10% ownership or controlling stake in Company X;
3) A Company Y which is a member of Company X and in receipt of the above letter from Company X will then;
(i) in respect of its members who are natural persons and hold not less than 10% ownership or controlling interest, extract information from its register of members required under section 119 of the Companies Act, 2017 read with regulation 19 of the Companies (General Provisions & Forms) Regulations, 2018, for provision to Company X. It may be noted that the sets of information required vide clause 4 of circular no. 16 and that vide regulation 19 of the Regulations are almost identical;
(ii) in respect of its members who are legal persons and hold not less than 10% ownership or controlling interest, circularize the requirement as requested by Company X;
4) If there is another company or legal person in the ownership chain which is a member of Company Y, as per sr. no. 3(ii) above, the aforesaid process as mentioned in sr. no. 3(i) above will be repeated, until the natural person or individual exercising ultimate ownership or control and lying at the end of the ownership chain is reached;
5) Company Y will provide the information available with it in its register of members in respect of members who are natural persons as at sr. no. 3(i), and that received from members who are legal persons as at sr. no. 3(ii) and 4 above, to Company X;
6) Company X will enter the particulars of those natural persons who are members of Company Y and of any other legal person up the ownership chain, and have ultimate shareholding or controlling interests of not less than 10% in Company X through Company Y, in the register of ultimate beneficial ownership as specified in terms of Circular no. 16 of 2018;
To illustrate, assume that Company X has Company Y as its member with 50% shareholding in it, and Company Y has two individuals as members i.e. Mr. A and Mr. B with 90% and 10% shareholding respectively in Company Y. In this case, the indirect or ultimate beneficial ownership of Mr. A in Company X would be 45% (50%x90%) and that of Mr. B in Company X would be 5%(50%x10%). Accordingly, particulars of Mr. A would be required to be maintained by Company X.
For the purpose of compliance with Circulars no. 16 and 20 of 2018, Company X would enter the particulars of Mr. A in its register of ultimate beneficial ownership only. The ultimate or indirect shareholding of 5% possessed by Mr. B in Company X being less than the requisite ultimate shareholding of 10% would not be reflected on the said register.
Assume that a company has five members including three natural persons and two legal persons with varying ownership percentages, how would it determine the UBOs whose particulars would be needed to be entered in the UBO register?
Let’s assume that Company A has the following members, as appearing on its register of members required to be maintained under section 119 of the Companies Act, 2017:
Member | Ownership percentage |
Mr. X | 10% |
Mr. Y | 10% |
Mr. Z | 10% |
Company B | 30% |
Company C | 40% |
Company B again has two natural persons Mr. BA and Mr. BB as its members holding 70% and 30% shares, respectively. Company C is a single member company with all its shares held by Mr. CA.
The ultimate beneficial owners of Company A in the given illustration would be as follows:
Natural Persons | Registered Member of | Direct shareholding in Company A | Indirect shareholding in Company A | UBO (minimum 10% indirect shareholding threshold) |
Mr. X | Company A | 10% | No | |
Mr. Y | Company A | 10% | No | |
Mr. Z | Company A | 10% | No | |
Mr. BA | Company B | 21% (70% of 30%) | Yes (UBO of Company A) | |
Mr. BB | Company B | 9% (30% of 30%) | No | |
Mr. CA | Company C | 40%(100% of 40%) | Yes (UBO of Company A) | |
Company A would obtaining UBO information through Companies B and C following the mechanism, as illustrated in Q3 above.
Based on the aforesaid illustration, Company A would determine the ultimate beneficial ownership by calculating the product of shareholding of Company B in it and the shareholding of the natural persons who are members of Company B, with similar exercise to be carried out in case of Company C.
Mr. BA and Mr. CA would qualify for classification and recording of particulars as UBO in the records of Company A.
How would you differentiate between beneficial ownership and legal ownership?
Ownership is the right to possess, use, sell, donate or give as a gift any asset or property belonging to a person known as the “owner.” An owner can either be a beneficial owner or a legal owner.
A legal owner is essentially the ‘official’ or ‘formal’ owner of a property. The legal owner of an asset may either be a natural person or a legal person that holds the legal title of that asset.
On the other hand, a beneficial owner is the person with the right to enjoy or benefit from the property – this can include the right or entitlement to any income from the property. In majority of the situations, the same person is the legal owner as well as the beneficial owner. A beneficial owner must always be a natural person, as a legal person cannot exert “ultimate” control over an asset or entity. This is due to the fact that legal persons are always controlled, directly or indirectly, by natural persons.
What is the purpose behind the requirement to maintain ultimate beneficial ownership information by the companies?
The requirement to maintain UBO information is aimed at determining the true owners of a company. Under normal circumstances, a company’s corporate ownership structure comprises a few individuals or natural persons holding shares in the share capital of the company, called as shareholders or members. The particulars of such members are already required to be maintained in a ‘register of members’ under section 119 of the Companies Act, 2017. Detailed particulars to be maintained in the said register are specified in terms of regulation 19 of the Companies (General Provisions & Forms) Regulations, 2018 (the “Regulations”).
However, there might be certain cases where legal persons or corporate entities are appearing as members of the company in which case the required particulars as to the true owners, being the ultimate shareholders, would not be available. Information about the actual (ultimate) owners and shareholders is the most significant information for a large number of stakeholders of a company who may comprise creditors, tax authorities, corporate registry, major suppliers, major customers, financial institutions, etc.
For instance, a financial institution before establishing a banking relationship with a company would be interested in knowing the material particulars of a company including its shareholders, members and directors, as part of its KYC/CDD obligations. This information is obtained through the corporate registry in the form of statutory returns, financial statements and other documents of the company. However, in certain cases, the members appearing on the returns are themselves companies or other legal persons whose shareholders and members are not apparent from the said documents. In such a case, the financial institution would be interested in knowing the ultimate individual owners who are natural persons exercising the ownership and control rights, and enjoying the cash flow rights in the company with whom the financial institution is contemplating to establish a business relationship.
Accordingly, the State Bank of Pakistan, vide its BPRD Circular Letter no. 18 of 2018 issued on October 19, 2018, has required all the banks and DFIs to enhance their efforts to obtain relevant information with the objective to know the ultimate beneficial ownership of accounts/transactions. Vide the same circular letter, reference has been made to SECP’s Circular no. 16 of 2018 dated August 29, 2018 as available on SECP’s website at https://www.secp.gov.pk/laws/circulars/ through which SECP has directed all companies to enhance their efforts to obtain and maintain up-to-date ultimate beneficial ownership information.
Who needs information on beneficial ownership and control?
Beneficial ownership information is necessary to detect and prevent tax evasion, corruption, money laundering, terrorist financing, and other illicit behavior involving one or more companies. Public trust in companies and markets largely depends on the existence of an accurate disclosure regime that provides transparency in the beneficial ownership and control structures of companies.
BO information assists financial institutions in applying adequate customer verification procedures before commencement of the relationship with their customers. This is also likely to assist the companies themselves in understanding their ultimate owners/controllers where there are complex corporate ownership and/or control structures.
Different authorities may have a recognisable legal interest in obtaining information on beneficial ownership and control in order to investigate suspected illicit activities. Law enforcement authorities investigating and prosecuting money laundering and other crimes, tax authorities verifying compliance with tax laws, and securities regulators investigating market manipulation, unlawful insider trading, and fraud are just some of the authorities who may require information on beneficial ownership and control. Courts may also need such information in the context of corporate self-dealing and other litigation cases. Legal and beneficial ownership information can assist law enforcement and other competent authorities by identifying those natural persons who may be responsible for the underlying activity of concern, or who may have relevant information to further an investigation.
How the regulatory requirements for maintenance of register of members required under section 452 of the Companies Act, 2017 differs from the register of ultimate beneficial owners?
The regulatory requirements for the two different provisions are compared below:
Circular nos. 16 and 20 of 2018 read with section 453 and 510 of Companies Act, 2017 | Circular no. 32 of 2017
read with section 452 of Companies Act, 2017 |
|
Applicability | All the companies having natural persons as ultimate beneficial owners (UBO) with not less than 10% ownership/ control rights in that company through legal persons | Every substantial shareholder (having not less than 10% interest), officer of the company or the company itself, having shareholding or other interest in a foreign company or body corporate |
Represents | Ultimate Ownership of the company | Investment by substantial shareholders, officers or the company |
Information to be maintained by the company | Yes | Yes |
Information to be notified to the registrar or Commission | No, unless demanded | Yes |
Information is publicly available | No | Yes |
Information to be provided to other authorities | Yes, as may be demanded by other authorities from the companies | Yes, by the Commission |
Penal provision for non-compliance | Yes | Yes |
What is the role and purpose of Financial Action Task Force?
The Financial Action Task Force (FATF), an inter-governmental body formed to coordinate efforts on Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT), has issued a set of 40 recommendations which serve as international standards for combating ML/TF. Pakistan is a member of APG- a FATF Styled Regional Body, and is required to adopt FATF standards as per membership obligations and also to comply with the UN Resolution.
FATF recommendation 24 require countries to take measures to prevent the misuse of legal persons for ML/TF purposes, and ensure that there is adequate, accurate and timely information available with the companies on the ultimate (actual) beneficial ownership and control of legal persons that can be accessed in a timely manner by competent authorities
What are the requirements for provision of UBO information to regulatory authorities?
Circular no. 16 of 2018 specifies the following requirements for provision of information to regulatory authorities or agencies:
- SECP may require the information from a company or a class or classes of companies relating to its/their ultimate beneficial owners or changes thereto within such time period as specified in the notice.
- Companies shall also provide this information to any other authority or agency of the Government pursuant to the powers to call for information entrusted by law to such authority or agency.
- Each company shall authorize its chief executive officer or one of its directors to provide the requisite information to the concerned authorities, and provide further assistance as may be needed.
Is it required to maintain a register of ultimate beneficial ownership in case there is no ultimate beneficial owner of the company as defined in circular no. 20 of 2018?
In such a case, the company would not be required to maintain the register of UBO.
Is it required to regularly or periodically submit the information of ultimate beneficial owners to SECP?
No, there is no periodic or regular reporting requirement for submission of this information to SECP. However, in terms of para xx circular no. 16 of 2018, SECP may require any company or class or classes of companies to submit this information through a notice within such time period as may be specified in the notice. Any company maintaining this information shall also be bound to provide the same to any other authority or agency of the Government as required.
How would you differentiate between a legal person and a natural person?
Legal persons are any legal entities which are formed and established through a law, such as public companies, private companies, limited liability partnerships, associations not for profit, etc. registered under the Companies Act, 2017.
FATF recommendations define legal persons as any entities, other than natural persons, that can establish a permanent customer relationship with a financial institution or otherwise own property. This can include companies, bodies corporate, foundations, partnerships, or associations and other relevantly similar entities that have legal personality.
Natural persons are living human beings or individuals, who for the purpose of FATF recommendations, shall be recognized as ultimate beneficial owners if exercising ownership and control rights in companies indirectly through legal persons.
Both a legal person as well as a natural person can establish a permanent customer relationship with a financial institution or otherwise own property.
What is the difference between a member and a shareholder?
A shareholder is a person who owns the share in a company whereas a member is a person whose name is entered or recorded in the register of Members maintained by the Company. The name of a person will be entered or recorded in the register of members, in the capacity of a subscriber upon registration of a company, and later if any person agrees in writing to become a member of the company.
Every member may not be a shareholder and likewise every shareholder may not be a member.
FAQ’S ON AML
What are the international obligations concerning AML/CFT?
The United Nations through its Securities Council Resolution 1617 requires all UN Member States to implement FATF’s AML/CFT Recommendations. Pakistan is a member of UN and Asia Pacific Group (FATF Styled Regional Body) and therefore, is required to adopt FATF standards as per membership obligations.
What obligations are placed on RPs?
Basic obligations imposed on reporting entities include: i. Assessing the money laundering and financing of terrorism risk that it may reasonably expect to face in the course of its business; ii. Establishing, implementing and maintaining an AML/CFT programme (procedures, policies and controls) to detect, manage and mitigate the risk of money laundering and the financing of terrorism; iii. Customer due diligence (CDD) (identification and verification of identity) and ongoing CDD; iv. Suspicious transaction reporting; v. Record keeping. Reporting entities have considerable flexibility within the limits prescribed by Regulations, in how they meet their obligations.
What are the stages of Money Laundering?
There are three stages involved in money laundering:
1. Placement: involves placing the proceeds of crime in the financial system;
2. Layering: involves converting the proceeds of crime into another form and creating complex layers of financial transactions to disguise the audit trail and the source and ownership of funds (e.g., the buying and selling of stocks, commodities or property);
3. Integration: involves placing the laundered proceeds back in the economy under a veil of legitimacy.
How are the requirements of AML/CFT applicable on Financial Institutions regulated by the SECP when money is routed through banking channels?
Financial institutions means any natural or legal person who conducts as a business one or more of the following activities or operations for or on behalf of a customer:
i. Acceptance of deposits and other repayable funds from the public;
ii. Lending;
iii. Financial leasing;
iv. Money or value transfer services;
v. Issuing and managing means of payment (e.g. credit and debit cards, cheques, traveller’s cheques, money orders and bankers’ drafts, electronic money);
vi. Financial guarantees and commitments;
vii. Trading in:
a. money market instruments (cheques, bills, certificates of deposit, derivatives etc.);
b. foreign exchange;
c. exchange, interest rate and index instruments;
d. transferable securities;
e. commodity futures trading.
viii. Participation in securities issues and the provision of financial services related to such issues;
ix. Individual and collective portfolio management;
x. Safekeeping and administration of cash or liquid securities on behalf of other persons;
xi. Otherwise investing, administering or managing funds or money on behalf of other persons;
xii. Underwriting and placement of life insurance and other investment related insurance;
xiii. Money and currency changing.
The risk of money laundering in Non-Bank Financial Institutions (NBFIs) may not lie in the placement stage but rather in the layering and integration stages of money laundering. The National Risk Assessment has highlighted the vulnerabilities and threats in terms of both money laundering and terrorist financing in these sectors. Accordingly, NBFI is obliged to comply with FATF recommendations even if money is routed thorough the banking channel.
Are non-deposit taking financial institution exempt from the compliance of AML/CFT requirements?
No. The definition of Financial Institution includes lending business activity. Therefore, the Non-deposit taking financial institutions are required to comply with AML/CFT Regulations, 2018 in the same manner as applicable to the other Non-Banking Financial sector institutions.
What is a risk assessment?
Reporting entities are required to assess the money laundering and financing of terrorism risk that they may reasonably expect to face in the course of their business. In making this assessment, the reporting entity is required to consider:
i. Nature, size and complexity of its business;
ii. Products and services it offers;
iii. Methods by which it delivers products and services to its customers;
iv. Types of customers it deals with;
v. Countries it deals with;
vi. Institutions it deals with;
vii. Any guidance material produced by supervisors;
viii. Any other factors that are set out in regulations.
Reporting entities also need to consider whether any of their products involve new or developing technologies that may favour customer anonymity.
How is customer risk assessment different from entity risk assessment?
Risk assessment is the identification and assessment of ML/TF risk faced by the regulated person in relation to the jurisdictions or countries its customers are from or in; the jurisdictions or countries the regulated person has operations or dealings in and products, services, transactions and
delivery channels of the regulated person. Whereas KYC/CDD measures determine the risk profile of the customer only. Customers’ risk profiling is one of the facet used in the entity risk assessment.
What is risk-based approach in AML/CFT compliance?
Risk Based Approach means that financial institutions identify, assess, and understand the money laundering and terrorist financing risks to which the financial institution is exposed and implement the most appropriate mitigation measures. This approach enables financial institutions to focus their resources where the risks are higher.
What is an AML/CFT programme?
An AML/CFT programme sets out a reporting entity’s internal policies, procedures and controls to detect money laundering and financing of terrorism and to manage and mitigate the risk of it occurring. The programme must be in writing and be based on its risk assessment. Certain elements of a programme are specifically required by the Regulations, including: i. Vetting senior managers and AML staff; ii. Training senior managers and AML staff; iii. Customer due diligence, including enhanced CDD and simplified CDD; iv. Reporting suspicious transactions; v. Monitoring and record keeping; vi. Monitoring and managing compliance with the AML/CFT programme. Risk-based systems and controls should be based on the nature, size and complexity of a reporting entity’s business, along with any money laundering and financing of terrorism risks it may face.
Can head of Internal Audit perform the role of Compliance Officer?
No. The regulated person should establish the three lines of defense to combat ML/TF namely Business Units, Compliance Officer and Internal Audit. Therefore, the scope of responsibilities will vary between compliance officer and internal audit functions. However, dual hatting is allowed for the role of Compliance Officer.
How is customer risk rating linked with CDD measures?
Customer risk rating (High, Low) is assigned based on ML/TF risk posed by each relevant factor (Customer, Geography, Product and Transaction Risk), whereas the level of due diligence (Simplified or Enhanced) is determined based on the ML/TF risk posed by the customer.
What is the requirement to apply CDD measures to existing customers?
Regulated Persons are required to apply CDD requirements to existing customers on the basis of materiality and risk, and to conduct due diligence on such existing relationships at appropriate times, taking into account whether and when CDD measures have previously been undertaken and the adequacy of data obtained.
What if there are deficiencies/discrepancies in documentation provided by the customer?
Where the regulated person is not able to complete required CDD measures, account shall not be opened or existing business relationship shall be terminated and consideration shall be given if the circumstances are suspicious to warrant the filing of an STR in relation to the customer. The basis of deciding whether an STR is to be filed or not shall be documented and kept on record together with all internal findings and analysis done in relation to a suspicion irrespective of the fact that the transaction is subsequently reported or not. (Section 14(6) of the SECP AML/CFT Regulations, 2018).
When can Simplified Due Diligence measures be applied?
Simplified due diligence is the lowest level of due diligence that can be conducted on a customer. This is appropriate where there is low risk of products/services or customer becoming involved in money laundering or terrorist financing.
What are the Simplified Due Diligence measure?
The SDD measures may include but are not limited to:
1. Adjusting the timing of CDD where the product or transaction sought has features that limit its use for ML/TF purposes, e.g.
i. Verifying the customer’s or beneficial owner’s identity during the establishment of the business relationship; or
ii. Verifying the customer’s or beneficial owner’s identity once transactions exceed a defined threshold or once a reasonable time limit has lapsed. Regulated person must make sure that:
a) this does not result in a de facto exemption from CDD, that is, firms must ensure that the customer’s or beneficial owner’s identity will ultimately be verified;
b) the threshold or time limit is set at a reasonably low level (although, with regard to terrorist financing, RP should note that a low threshold alone may not be enough to reduce risk);
c) they have systems in place to detect when the threshold or time limit has been reached; and
d) they do not defer CDD or delay obtaining relevant information about the customer where regulations requires that this information be obtained at the outset.
2. Adjusting the quantity of information obtained for identification, verification or monitoring purposes, for example by:
i. verifying identity on the basis of information obtained from one reliable document or data source only; or
ii. assuming the nature and purpose of the business relationship because the product is designed for one particular use only,
3. Adjusting the quality or source of information obtained for identification, verification or monitoring purposes;
4. Adjusting the frequency of CDD updates and reviews of the business relationship, for example carrying these out only when trigger events occur such as the customer looking to take out a new product or service or when a certain transaction threshold is reached; firms must make sure that this does not result in a de facto exemption from keeping CDD information up-to-date;
5. Adjusting the frequency and intensity of transaction monitoring, for example by monitoring transactions above a certain threshold only.
When Enhanced Due Diligence measures are applied?
Enhanced due diligence measures are applied in situations that are flagged and assessed as high risk where there is an increased likelihood of money laundering or terrorist financing presented either by customers, service/ product; transaction and/or jurisdiction.
What can be an example of Customer Due Diligence measure for a housewife account?
In relation to housewife accounts the regulated person may obtain a self-declaration for source and beneficial ownership of funds from the customer and perform further due diligence measures accordingly.
How often should the ongoing due diligence on business relationship (in terms of customer risk profile) be carried out?
The regulated person’s policy and procedures should specify how often ongoing monitoring is to be conducted. A clear cycle should be indicated for each risk category or type of customer, for example at least once a year for high risk cases, at least once every two years for medium risk cases and every three years for low risk cases, or where a review is triggered by a defined event.
In case of Co-Insurance/Banc assurance, the leading company has direct access to customers, how should the reporting entity exercise the CDD procedures?
Under section 12 of the SECP AML/CFT Regulation, 2018 the Regulated person may rely on a third party to conduct CDD on its behalf. However, it must satisfy itself that third party is regulated and has measures in place for compliance with CDD and record-keeping requirements in line with the regulations. However, the ultimate responsibility for CDD measures remains with the regulated persons relying on the third party.
Is obtaining Politically Exposed Person (PEP) declaration sufficient to determine whether a customer is a PEP or not?
In addition to obtaining declaration from the customer, the regulated person should perform screening, on risk sensitive basis, against information sources such as publically known information (list of members of the National Assembly, Senate, Political Parties, Senior Executives of State Owned Entities etc.) or commercial screening databases, to determine if the client is a PEP, its family member or a close associate.
At what level / grade / designation officers should be considered as PEP?
Regulated person shall implement appropriate internal risk management systems, policies, procedures and controls to determine if any customer or a beneficial owner is a PEP. However, the regulated person should consider the nature of the prominent public function held by the PEP (e.g. level of seniority, access to or control of public funds and the nature of the position).
Regulated persons may develop a questionnaire with specific reference to criteria that identify PEPs including family members and persons known to be close associates of the PEP. Such a questionnaire may be made part of account opening form.
Is there a time limit to declassify a customer as PEP who is no longer a PEP?
The entity should consider the level of influence that the individual could still exercise and whether the individual’s previous and current function are linked in any way (e.g., formally by appointment of the PEPs successor, or informally by the fact that the PEP continues to deal with the same substantive matters).
Can STR only be generated for a customer with whom business relation has been established?
It is normal practice for an entity to turn away business that they suspect might be criminal in intent or origin. Where an applicant or a customer is hesitant/fails to provide adequate documentation (including the identity of any beneficial owners or controllers), consideration should be given to filing a STR.
Should STR only be generated for transactions that have been executed?
No. STR should be generated where an attempted transaction gives rise to knowledge or suspicion of ML/TF. Such attempted transaction should be referred to the compliance officer for possible reporting to FMU.
Where can I find guidance on indicators of suspicious transactions?
Refer to Annex 3 & 4 to the SECP AML and CFT Regulations Guidelines for ML/ TF and Proliferation Financing Warning Signs/ Red Flags.
What is CTR?
CTR stands for Currency Transaction Report which has to be filed with the FMU. It is a threshold based report of cash transaction of two million rupees or above involving payment, receipt, or transfer of an amount by customers of a reporting entity. The guidelines for submitting a CTR can be accessed at FMU’s website http://fmu.gov.pk/docs/CTR_Guidance_Notes.pdf
Who should be included in the screening of sanctions list?
Sanctions list screening should be performed for the customer, beneficial owner of the customer and person(s) acting on behalf of a customer.
What happens if a customer’s name appears on sanctions list?
If a customer’s name is matched with a name on a sanctions list, further checks will be needed to determine whether it is a true match . In case of a true match, the entity should freeze without delay the customer’s fund and block the transaction, reject the customer, lodge a STR with the FMU and notify the SECP and the Ministry of Foreign Affairs.
How should a NICOP holding customer residing in Pakistan be categorized?
The customer holding a valid NICOP may be effectively categorized as a non-resident irrespective of the place of residence.
How should the transactions from a non-resident customer through domestic account be treated?
The transaction through local bank account may be treated as a domestic transfer. However, the business relations with customers shall be monitored on an ongoing basis to ensure that the transactions are consistent with the regulated person’ knowledge of the customer, its business and risk profile and where appropriate, the sources of funds.
Is there a definition of High Net worth Individual?
There is no strict definition of High Net worth (HNW) Individuals. However, thresholds defined in SECP Circular No. 8/ 2017, Circular No. 9/2017, Circular 10/2017 may be used as reference. Further, risk posed by HNW Individuals needs to be assessed in accordance with other relevant risk factors.
When is the evidence for source of income required from customer?
In case of low risk customer, the regulated person should obtain information of source of income; however, no specific evidence is required. In case of high-risk customers, where EDD is required, evidence of source of income may be requested from the customer.
What can be the examples of source of wealth/ source of funds?
List of examples of appropriate information and/or supporting documentation required to establish source of wealth and funds is as follows (any one of the document may be obtained):
a) Employment Income:
|
b) Company Profits / Dividends
|
c) Savings / deposits:
|
d) Inheritance:
|
e) Sale of Property:
|
f) Loan
|
g) Gift:
|
h) Other income sources:
|
Note:
The extent to documentation required for EDD would depend on the level of risk involved. |
USER REGISTRATION IN E-SERVICES
Is it compulsory for the existing and new companies to obtain/create User ID, Password and Personal Identification Number (PIN) under new user registration system of eServices?
Yes, it is compulsory to obtain/create User ID, Password and PIN for using eServices.
Who can register as a user of the e-Services?
Any person can register as an Individual User. This may include a director / chief executive/ company secretary /authorized representative / manager of a company who is a natural person and is authorized to sign documents electronically on behalf of the company. An Intermediary / Consultant can also register as a user of the e-Services.
How to apply for user registration and what is the user registration fee?
Online user registration is available at e-Services at www.secp.gov.pk, for which Rs. 100/- only will be charged subsequently at the time of submission of documents. Please refer to User Registration Step by Step Process.
What are the requirements for user registration?
For Individual (National): CNIC/NICOP/POC, Mobile number & Email address.
For Individual (Foreign National): Attested copy of valid passport, attested photograph, Mobile number & Email address.
How can I recover forgotten Password or reset PIN?
You can make use of the “Forget Login Information” function provided on the login page of the e-Services. You have to provide information of your identification to enable the system to retrieve your Login information.
In case you forgot your password, you have to provide the Answer to your selected Security Question to enable the system to verify your identity. The system will reset your password after successful verification. The system-generated Password/PIN will be sent to your registered email address and mobile phone number automatically by the system.
What are the Terms of Use of e-Services?
Following are the terms of use of e-services for information security:
- Use of logins-
- Your login information is a valuable and confidential item that authenticates your online identity. You must, therefore, take good care of your login information/ PIN, as well as the security questions you choose when creating a login, and keep them secure.
- You will not knowingly or recklessly use or attempt to use any service, login, hardware device or code for a purpose for which it was not intended, including any unlawful purpose.
- You will notify the SECP Help Desk immediately if you know or have reason to believe that there has been or is about to be fraudulent or other unlawful use of any of your login, hardware device or code.
- Protecting logins, security questions and PIN
You must immediately change your password, security questions, or PIN and notify the SECP Help Desk if you believe that the security of your password, security questions which you answered, or PIN you created have been compromised or you become aware of any unauthorised use of your username or password.
- Recommended practices
You should
- not use an email address that is shared with other people (as it is to this email address that your username, temporary password or other information will be sent when you request support for your login, for example when you forget your username or password);
- choose a password that is a secret known only to you which cannot be easily guessed by anyone else;
- not disclose your password to anyone, including SECP services personnel (please note that SECP services personnel will never ask you for your password or PIN);
- keep your password and PIN safe from being discovered by others if you write your password or PIN down or store them electronically (unencrypted files on a computer or notes on your monitor are not safe options);
- take care when answering your security questions to ensure you can remember the answers at a later date;
- not tell anyone your answers to the security questions, other than services personnel when they require those answers to help you;
- not allow anyone to see your password, any of your answers to the security questions, or PIN or have the opportunity to see them or record them;
- not use an app other than system-generated codes as they have not been tested for compatibility or security; and
- Keep your contact details up to date.
ONLINE NAME RESERVATION
How can we reserve name for a new company by using eServices?
Please follow the procedure given below to reserve name for a new company by using eServices:
- Sign up and generate PIN using the user registration procedure referred above.
- After successful user registration in e-services, login to eServices through SECP’s website https://eservices.secp.gov.pk/eServices/ using CNIC/NICOP/POC/Passport No. as Login ID and the entering the Password.
- Upon successful login, all available processes will be displayed.
- Click on name reservation process.
- Fill in the requisite data and click “Continue” button which will display the screen where “Sign form” option is available.
- Open and Save Challan Form which is automatically generated through the System. Do not print Challan at this stage.
- Click “Sign form”. Please note that sign form link will be activated when once mandatory attachments are made to the process and challan is saved.
- Enter the PIN and click “Apply user PIN”, the field for “PIN APPLIED” will be auto-populated and by clicking “Submit process to SECP” button, process will be submitted to SECP.
- Print the Challan from “Submitted Processes” link available on the left side of the page and pay this Challan in the designated branch of MCB/UBL.
- In case of payment through credit card, please click on “online payment’ link and follow procedure.
- In case of payment thorough online fund transfer facility, please follow the procedure given in the “online fund transfer guide” available on the website at https://eservices.secp.gov.pk/eServices/.
After you have submitted the process and made payment, your process will be assigned to the concerned officer for processing after verification of payment. You will receive an email letting you know about the status of your case whether it is accepted, rejected or further information is required for issue resolution.
Please note that Name Availability Cases are processed at the concerned Company Registration Office (CRO). Contact list of CROs is below. You may also consult the User Guide available on the SECP website at http://www.secp.gov.pk/eservices/eservies-company-name-reservation/ for further assistance.
No. |
CRO Office |
Telephone
|
1 | Karachi
4th Floor, SLIC Building No.2, Wallace Road, Karachi. Email: mohammad.naeem@secp.gov.pk |
Phone: 021- 99213271-2
Fax 021-99213278
|
2 | Lahore
3rd &4th Floor, Associated House, 7-Egerton Road, Lahore Email: liaqat.dolla@secp.gov.pk |
Phone: 042-99204962-6
Fax: 042-99202044
|
3 | Islamabad
State Life Building, 7-Blue Area, Islamabad Email: shahzad.afzal@secp.gov.pk |
Phone: 051-9208740-9206219
Fax: 051-9206893
|
4 | Peshawar
1st Floor, State Life Building, The Mall, Peshawar Cantt. Email: saqib.aslam@secp.gov.pk |
Phone: 091-9213178
Fax: 091-9213686 |
5 | Faisalabad
Second Floor, Faisalabad Chamber of Commerce and Industry (FCCI) Building, East Canal Road, Faisalabad. Email: asghar.baig@secp.gov.pk |
Phone: 041-9230264
Fax: 041-9230263
|
6 | Multan
63-A, 2nd Floor, Nawa-i-Waqt Building, Abdali Road, Multan Email: iftikhar.hasan@secp.gov.pk |
Phone: 061-9200530
Fax: 061-9200920 |
7 | Quetta
Ground Floor, Aiwan-e-Mashriq Building, Opposite FC Headquarter, Email: msami@secp.gov.pk |
Phone:081-2844136 Fax: 081-2899134 |
8 | Sukkur
28 – D , Hamdard Housing Society, Airport Road, Sukkur Email: iftikhar.hasan@secp.gov.pk |
Phone: 071-5630517
Fax: 071-5633757 |
9. | Gilgit
House No. 2, Ayub Colony, Near Apna Bank, Gilgit Email: shahzad.afzal@secp.gov.pk |
Phone: 05811-922572
|
ONLINE INCOPORATION OF COMPANY
How can we incorporate a new company by using eServices?
Please follow the procedure given below for company registration using e-Services:
- Sign up using the user registration procedure referred above.
- Create/Obtain separate User IDs and PIN for all proposed Subscribers.
- After successful user registration in e-services, login to eServices through SECP’s website https://eservices.secp.gov.pk/eServices/ using CNIC/NICOP/POC/Passport no. as Login ID and the entering the Password.
- Upon successful login, all available processes will be displayed.
- Click on Company registration process.
- Fill out the data and click “Continue” button, which will display the screen where “Sign form” option is available.
- Attach and Save Memorandum of Association in the attachment link provided. Please note that the attachment size should not exceed 2 MB.
- Attach and Save Articles of Association in the attachment link provided. Please note that the attachment size should not exceed 2 MB.
- Attach and Save copies of CNICs/passports of all the Subscribers, copy of name availability email/letter, and any other required document(s) under Fill New Attachment Form link.
- Open and Save Challan Form which is automatically generated through the System. Do not print Challan at this stage.
- Click “Sign form”. Please note that sign form link will be activated when once mandatory attachments are made to the process and challan is saved.
- Enter the PIN and click “Apply user PIN”, the field for “PIN APPLIED” will be auto-populated and on clicking “Submit process to SECP” button, process will be submitted to SECP. Every Subscriber needs to sign forms by logging through his/her User ID and applying PIN.
- After your process is submitted, you will see a submitted process reference number on the screen. Please print a copy of this page for future reference.
- Print the Challan from “Submitted Processes” link available on the left side of the page and pay this Challan in the designated branch of MCB/UBL.
- In case of payment through credit card, please click on “online payment’ link and follow procedure.
- In case of payment thorough online fund transfer facility, please follow the procedure given in the “online fund transfer guide” available on the website at https://eservices.secp.gov.pk/eServices/
After you have submitted the process and made payment, your process will be assigned to the concerned officer for processing after verification of payment. You will receive an email conveying the status of your case whether it is accepted, rejected or further information is required for issue resolution.
Please note that Company Incorporation Cases are processed at the concerned Company Registration Office (CRO). You may also consult the User Guide on the SECP website at http://www.secp.gov.pk/eservices/company-incorporation/ for further assistance.
FILING OF RETURNS
How can we submit Forms/Returns by using eServices?
The general steps of the process are given below. Procedure may vary slightly depending on the kind of process selected by you.
- Sign up using the user registration procedure referred above.
- After successful user registration in e-services, login to eServices through SECP’s website https://eservices.secp.gov.pk/eServices/ using CNIC/NICOP/POC/Passport no. as Login ID and the entering the Password.
- Upon successful login, list of all companies related with user are displayed.
- Click “login” appearing after the relevant company
- The list of all available processes will be displayed.
- Click the relevant process.
- Fill out the data and click “Continue” button, which will display the screen where “Sign form” option is available.
- Attach the required document(s), if any.
- Open and Save Challan Form which is automatically generated through the System. Do not print Challan at this stage.
- Click “Sign form”. Please note that sign form link will be activated when once mandatory attachments are made to the process and challan is saved.
- Enter the PIN and click “Apply user PIN”, the field for “PIN APPLIED” will be auto-populated and on clicking “Submit process to SECP” button, process will be submitted to SECP.
- After your process is submitted, you will see a submitted process reference number on the screen. Please print a copy of this page for future reference.
- Print the Challan from “Submitted Processes” link available on the left side of the page and pay this Challan in the designated branch of MCB/UBL.
- In case of payment through credit card, please click on “online payment’ link and follow procedure.
- In case of payment thorough online fund transfer facility, please follow the procedure given in the “online fund transfer guide” available on the website at https://eservices.secp.gov.pk/eServices/
After you have submitted the process and made payment, your process will be assigned to the concerned officer for processing after verification of payment. You will receive an email conveying the status of your case whether it is accepted, rejected or further information is required for issue resolution.
Please note that the Filing of Returns cases are processed at the concerned Company Registration Office (CRO).
How can I get Challan form for online filing in eServices?
Challan form is automatically generated and filled out by the System after you enter the required information in the application/form. You have to save and print this challan and make payment in the designated branch. Do not use a manual challan for making payment for online filing.
Why the Sign Forms link is not active/clickable?
Please note that sign form link will be activated when once mandatory attachments are made to the process and challan is saved.
Why am I getting an error while trying to Sign Forms?
Major reasons why you get an error while signing forms are as follows:
- The size of files e.g. Memorandum and Articles of Association attached by you is large. File size for each of these documents should not exceed 2 MB. You can reduce file size by keeping low resolution while scanning documents.
- Another reason might be that you are trying to sign forms for all persons from one login. You have to login through each User ID to sign forms.
- Compatibility view is not enabled in Internet Explorer. Please add SECP website to Compatibility View under Tools> Compatibility View Settings.
- Security Settings for java are not set as per requirement.
If I login and find out that the data in the system is not updated for my company, then how do I get that data rectified in the system?
Contact the concerned Company Registration Office (CRO) for further assistance/information in the matter.