AML/ CTF Quick Reference Guide (QRG)

Legal & Regulatory Requirements

In what year did the relevant AML/ CTF laws and regulations become effective?

If the AML/ CTF laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML/ CTF regime?

Who is the regulator for AML/ CTF controls for:

(a) Banking;

(b) Other financial services;

(c) Non-financial sector (e.g. casinos, high value goods, etc.).

Please include a link to the regulator(s)' website.

Is there any practical guidance provided to firms by public authorities regarding AML requirements, beyond the FATF recommendations and local legislation? Please include a link to the website, where available.

Is there a requirement to retrospectively verify the identity of customers before the date the new AML/ CTF regime was introduced?

Is a risk-based approach approved by the local regulator(s)?

Has the country been the subject of a FATF (or FATF-style) Mutual Evaluation or IMF assessment exercise in the last three years? If yes, please provide a link to the relevant report (if publicly available).

Customer Due Diligence (CDD)

Are there minimum transaction thresholds below which customer due diligence is not required?
If yes, what are the various thresholds in place?

What are the high level requirements for verification of customer identification information (individuals and legal entities)?

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

What are the high level requirements around beneficial ownership (identification and verification)?

Simplified Due Diligence (SDD)

In what circumstances are simplified due diligence arrangements available?

Enhanced Due Diligence (EDD)

In what circumstances are enhanced due diligence measures required?

In what circumstances is additional due diligence required for Politically Exposed Persons (‘PEPs’)?

What enhanced due diligence must be performed for correspondent banking relationships (cross-border banking and similar relationships)?

Are relationships with shell banks specifically prohibited?

In what circumstances is additional due diligence required for non-face-to-face transactions and/or relationships?

Suspicious Activity Report (SAR)

To whom are Suspicious Activity Reports (SARs) made? Please include a link to their website.

What was the volume of SARs made to the authorities in the most recent year? Please state the GDP for the equivalent year.

Are there any obligations to report anything more than suspicious transactions, e.g. unusual transactions, cash transactions above a certain threshold, international wire transfers, other transactions, etc.?

Are there any de minimis thresholds below which transactions do not need to be reported?

Are there any penalties for non-compliance with reporting requirements, e.g. tipping off?

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

If an external report on the bank’s AML/ CTF systems and controls is required:
a) how frequently must the report be provided?
b) to whom should the report be submitted?
c) is it part of the financial statement audit?

What are the requirements for the content of this external report on a bank’s AML/ CTF systems and controls? Does it require:
a) sample testing of KYC files?
b) sample testing of SAR reports?
c) examination of risk assessments?

General Data Protection Regulation (GDPR)

Does the country have established data protection laws? If so:
a) does the definition of “personal data” cover material likely to be held for KYC purposes?
b) how do the laws apply to corporate data?
c) does this country have a separate definition of “sensitive data”? How is it defined and what are the additional protections?

Are there any prohibitions on the transfer of credit reports (for KYC and credit risk analysis purposes), criminal records (for KYC and crime prevention purposes) and medical data (for KYC and pension benefits purposes)?

Does this jurisdiction have bank secrecy laws or other obligations of confidentiality (other than those that may have been accepted expressly under contract, e.g. in account opening documentation)? If so, what data is subject to regulation?