Professional Documents
Culture Documents
Contents
1 Introduction 4
1.1 What is the purpose of this guidance document? 4
1.2 About this document 5
2 Summary 6
4 Transaction monitoring 10
4.1 The transaction monitoring process 10
4.2 Maturity model 14
5 Guidance 18
5.1 SIRA 18
5.2 Policies and procedures 21
5.3 The transaction monitoring system 22
5.4 Alert handling and notification process 31
5.5 Governance 40
5.6 Training and awareness 42
Glossary 43
1 Introduction
4 1.1 What is the purpose of this As gatekeepers for the Dutch financial system, banks
guidance document? are expected to adequately and continuously monitor
transactions, and to stay alert. There are statutory
Financial and economic crime is a major problem in requirements which banks must meet in this regard,
our contemporary society. Headlines in the media and it is our task to supervise compliance with these
show how society has unwittingly fallen victim to rules and regulations. All banks are therefore obliged
this form of crime. Take for example, the Panama to conduct transaction monitoring, although this
Papers and the terrorist attacks in Western Europe. obligation and its supervision is principle-based.
Financial institutions, including banks, play a key This means that the practical interpretation of this
role in preventing money laundering and terrorist requirements is not prescribed in detail by laws and
financing. Their actions in this respect include regulations, or by the supervisory authority. It is up to
conducting customer due diligences (CDD) and you as a bank to determine how exactly you interpret
monitoring customer transactions to identify this. The supervisory authority will assess the result.
unusual transactions. This guidance focuses on the
latter, transaction monitoring. Transaction monitoring is not new for banks.
The areas of concern and the examples presented in
2A bank can only intervene in good time when this document serve as a supplement to prevailing
a potentially unusual transaction is made or a laws and regulations and the previously published
notifiable transaction pattern occurs, if it adequately guidances on this subject such as the DNB Guidance
monitors transactions. The bank should investigate on the Wwft and SW (version 3.0, April 2015¹);
these cases further and report them if necessary. DNB Guidance on the Anti-Money Laundering and
Failure to ensure adequate monitoring may result Anti-Terrorist Financing, preventing the misuse
in a bank inadvertently cooperating in terrorist of the financial system for money laundering and
financing or in money laundering. terrorist financing purposes and controlling integrity
risks, and the Q&A Assessment of Ongoing Due
Diligence Process (Wwft and SW) of December 2013.
1
Wwft: Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen
en het financieren van terrorisme), SW: 1977 Sanctions Act.
Post-event transaction monitoring process for banks
2 The transaction monitoring theme was the subject of a cross-sectoral examination conducted in
various sectors (four banks, four payment institutions, three money transfer offices, and six trust
offices). Comparable guidances have been prepared for the other sectors.
2 Summary
6 Transaction monitoring is an essential measure 4. Banks must have an adequate process for
for reporting unusual transactions to the Financial notification and dealing with alerts. Banks must
Intelligence Unit – Netherlands (FIU-NL), to control ensure they fully and immediately notify FIU-NL
integrity risks in the area of money laundering and of executed or proposed unusual transactions.
terrorist financing. In this process, for each alert considerations
and conclusions are documented underlying
This entails the following: decisions to close or escalate an alert.
1. Banks must ensure the transaction monitoring 5. Banks must have structured their governance
process reflects the risks of money laundering with regard to transaction monitoring in such
and terrorist financing that emerge from a way that there is clear segregation of duties,
the SIRA. When determining the risk profile for example through the three lines of defence
for a customer and or “customer peer model.
groups” banks must also include expected 6. Banks must offer their staff tailored training
transaction behaviour. programmes. Staff must be aware of the risks of
2. Banks must have developed sufficient policy for money laundering and terrorist financing.
transaction monitoring and have adequately
elaborated this policy in underlying procedures
and operating processes.
3. Banks must have an (automated) transaction
monitoring system in place and have a
substantiated and adequate set of business rules
(detection rules with scenarios and threshold
values) to detect money laundering and
terrorist financing. Banks must periodically test
these business rules, in terms of both technical
aspects and effectiveness.
Post-event transaction monitoring process for banks
3 Legal context
and scope
3.1 Transaction monitoring: statutory what purpose the business relationship is used. 7
obligation for continuous monitoring
In order to exercise adequate continuous
Banks have a statutory obligation to take measures monitoring, banks must pursuant to Section 10
to counter money laundering and terrorist of the Decree on Prudential Rules for Financial
financing. In this respect they must pay particular Undertakings (Besluit prudentiële regels Wft – Bpr)
attention to unusual transaction patterns and conduct a systematic integrity risk analysis (SIRA).
transactions of customers that due to their nature Integrity risks are defined here as the “threat to the
typically carry a higher risk of money laundering or reputation of, or the current or future threat to the
terrorist financing. If there are grounds to assume capital or the results of a financial institution due
that a (proposed) transaction is linked to money to insufficient compliance with the rules that are in
laundering or terrorist financing, banks must report force under or pursuant to the law.”⁶ This therefore
this transaction to the FIU-NL³ without delay. To be includes risks of money laundering and terrorist
able to this it is crucial that banks have in place an financing. If on the basis of the SIRA a bank notes
effective transaction monitoring process.⁴ any new or residual risks, it must address these in
adequate policies, procedures and measures.
With reference to the DNB Guidance on the
Wwft and Sw, version 3.0, April 2015, we confirm Specifically with regard to risks relating to money
the following⁵: as the Wft (ethical operational laundering and terrorist financing, under the Anti-
management) and the Wwft are focused on the Money Laundering and Anti-Terrorist Financing
same objective , the procedures a bank uses for the Act (Wwft) banks must carry our checks on their
implementation of the Wft and the Wwft can be customers.⁷ This must include establishing the
integrated so that the requirements under the two purpose and the intended nature of the business
Acts can be met in the same manner. Measures to relationship. They are also obliged to monitor
combat money laundering and terrorist financing, the business relationship and the transactions
based on the Wft are set out in greater detail in the conducted for the duration of that relationship
Wwft. The principal goal remains that banks should on an ongoing basis.⁸ This way banks can ensure
know who they are doing business with and for that the transactions conducted correspond to the
3.2 Scope of guidance 9
SIRA
2nd line
Pre-Transaction Post-Transaction Case handling
Transactions
Monitoring
R.C. Mutation
Monitoring & Review
assessment FIU FIU
notification
Scoring, Bucketing
& assign cases
Governance TM proces: 1st line (business), 2nd line (Compliance), 3rd line (internal audit)
Post-event transaction monitoring process for banks
14 In the case of post-event transaction monitoring the transaction has already been carried
out by the institution and transaction monitoring occurs retrospectively, while in the case of
pre-transaction monitoring the transaction has not yet been carried out.
15 MLRO means Money Laundering Reporting Officer, a second-line function.
12 Post-event transaction monitoring particular customers, products, distribution channels
This guidance document describes the post-event or transactions pose. The bank then documents
transaction monitoring process, because banks the results of this analysis in the SIRA. The SIRA is
are primarily able, based on non-cash settlement applied to policy, business processes and procedures
of transactions, to detect money laundering and relating to transaction monitoring. A bank may
terrorist financing risks in this manner. have various SIRAs, for example a separate SIRA
for subsidiaries or a SIRA for each business line.
Customer due diligence is part of the transaction A bank must document how it translates the results
monitoring process. Customer due diligence of the SIRA, as well as the resulting processes and
provides banks with knowledge of its customers, procedures themselves.
including the purpose and intended nature of
the business relationship with the customer. When identifying and analysing risks, a bank must
This knowledge enables the bank to conduct classify its customers in various risk categories,
risk based assessments to ascertain whether the such as high, medium and low, based on the money
transactions carried out have unusual patterns laundering and terrorist finance risks attached to the
that could indicate money laundering or terrorist business relationship with the customer. To determine
financing. The bank must tailor its transaction the customer’s risk profile, a bank should prepare a
monitoring to the type of customer, the type transaction profile based on expected transactions or
of services provided and the risk profile of the expected use of the customer’s (or customer group’s)
customer or customer segment. This means account.¹⁶ By preparing a transaction profile in this
monitoring can have a different set-up for the way (through peer grouping) a bank can sufficiently
various customer segments and products to which monitor transactions conducted throughout the
the bank provides its services. duration of the relationship to ensure they are
consistent with its knowledge of the customer
Step 1: risk identification and their risk profile. By identifying the expected
The first step in the transaction monitoring process transaction behaviour of their customer, a bank
is risk identification. During the identification can assess whether the transactions the customer
process a bank must systematically analyse the carries out are consistent with its knowledge of the
money laundering and terrorist financing risks that customer.
16 For further information on how institutions can do this, please refer to pages 29-32 of our
Guidance on the Wwft and SW (version 3.0 of April 2015).
Post-event transaction monitoring process for banks
A feasible transaction profile in any case process. This can be data concerning the customer, 13
meets the following six criteria: the services and the transactions. If there are large
1 Current: the transaction profile is up-to-date and numbers of transactions then it is appropriate to
is dated. All relevant changes to the profile are have an automated transaction monitoring system
made promptly. in place to be able to safeguard the effectiveness,
2 Complete: the transaction profile contains all consistency and processing time of the monitoring.
bank account numbers, names of beneficiaries
and authorised representatives. The system must at least include pre-defined
3 Specific: the expected items and money flows business rules: detection rules in the form of
are clearly described in terms of e.g. amounts, scenarios and threshold values. In addition to this,
services and frequency. The (threshold) amounts more advanced systems may also be needed, and
indicated are well-substantiated and can actually in applicable cases may be essential, depending
contribute to recognising unusual transactions. on the nature and the size of the transactions and
4 Clear: financial flows are represented in clear the nature of the institution in question. So for
and simple diagrams. example, a highly advanced system would be less
5 Substantiated: the transaction profile is necessary for a bank with a limited number of
substantiated with relevant documents clarifying simple transactions. It may also be the case that a
and explaining the forecast financial flows. bank considers the use of a highly advanced system,
6 Documented: the transaction profile is which makes use of artificial intelligence (AI) for
documented in the customer file. example, to be essential.¹⁷
Step 2: detection of patterns and transactions In any case, the responsibility for effectively detecting
For the second step, detecting the unusual unusual transactions remains with the bank. A bank
transaction patterns and transactions that may must have a good understanding of its systems,
indicate money laundering or terrorist financing, and should not just rely on the algorithms provided
a bank must have a transaction monitoring system by external suppliers. When opting for an AI-based
in place. Before making use of such a system the system, it may therefore be advisable to involve staff
bank should ensure that all data are fully and with relevant expertise.
correctly included in the transaction monitoring
17 The application of artificial intelligence involves the computer itself learning to recognise specific
patterns based on a pattern recognition or cluster algorithm. An algorithm is a method used to
calculate certain quantities and functions.
14 Step 3: data analysis 4.2 Maturity model
A bank should analyse its transaction data using
its transaction monitoring system and relevant When conducting the thematic examination
intelligent software. The system generates alerts on (post-event) transaction monitoring at payment
the basis of business rules. An alert is a signal that service providers, we used a maturity model we had
indicates a potentially unusual transaction. Any alerts developed ourselves for transaction monitoring.
are investigated. The findings of this investigation This model takes into consideration the relevant Wft
must be adequately and clearly recorded. When and Wwft requirements and is intended to indicate
the findings of the investigation reveal that the where a bank is in the transaction monitoring
transaction is unusual, the bank must notify this to process with regard to maturity. In this model
FIU-NL without delay. A bank must have sufficiently the degree of compliance in six areas is assessed
described and documented the considerations and according to a four-point colour-coded scale:
decision-making process as to whether or not to ▪ Red: completely non-compliant
report a transaction. When a bank fails to meet its ▪
Orange: insufficiently compliant
notification duty – even if this is not deliberate – ▪
Yellow: sufficiently compliant
it constitutes an economic offence. ▪
Green: best practice
Step 4: assessment, measures and documentation Banks can use this maturity model to determine
The bank must then assess the consequences of their own ambitions, while ensuring they achieve a
the notification to FIU-NL and a possible feedback “yellow” score as a minimum. The level of ambition is
report from FIU-NL for the customer’s risk profile dependent on the bank’s risk profile. A yellow score
and determine whether any additional control means that a bank complies with the minimum
measures have to be taken. The final part of the statutory requirements (sufficiently compliant).
transaction monitoring process is to ensure all the
details of the process are properly recorded. In this
connection, the bank keeps the data relating to the
notification of the unusual transaction and records
them in readily accessible form for five years after
the notification was made, allowing the transaction
to be reconstructed.
Post-event transaction monitoring process for banks
1 2 3
SIRA/risk profile Design of AML/CFT policy TM system/ business rules
and procedures
▪ A SIRA has been conducted, ▪ Institution has designed ▪ System for transaction monitoring
but its scenarios and risks lack transaction monitoring insufficiently matches the
16 sufficient depth policy and procedures, but institution's risk profile
▪ Scenarios and risks in the SIRA they are too general and ▪ Institution uses a limited number
have not been translated into insufficiently detailed, so of AML/CFT indicators and
transaction monitoring policy that material aspects are business rules to recognise unusual
and procedures lacking transactions
▪ There are customer risk profiles,
but no ex ante transaction risk
profiles
▪ Scenarios and risks in the SIRA ▪ Transaction monitoring ▪ Institution has an automated and
accurately and fully reflect the policy and procedures self-learning transaction monitoring
institution's specific risk profile have been demonstrably system commensurate with its risk
▪ Moreover, the SIRA is incorporated in the profile
continuously adjusted to reflect institution's work process ▪ Institution is pro-active towards
developments in the area of and their operating developments in money laundering
money laundering and terrorist effectiveness has been and terrorist financing, i.e. in its
financing demonstrated adjustments to system and business
▪ SIRA forms the basis for ▪ Transaction monitoring rules
the periodic updates of the policy and procedures are ▪ Institution uses backtesting
transaction monitoring up to date and fully aligned when introducing new AML/CFT
framework with the most recent indicators and business rules
▪ Detailed ex ante transaction risk developments in the area ▪ Structural use of pattern
profiles of money laundering and recognition and network analyses
terrorist financing to recognise unusual transactions
▪ Active cooperation and
consultation on policy with
other financial institutions
Post-event transaction monitoring process for banks
4 5 6
Alerts processing and Governance: 1st, 2nd and 3rd line Training en awareness
notification process
▪ No alerts processing or unusual ▪ No segregation of duties between 1st, 2nd ▪ Relevant employees have no
transactions notification processes and 3rd lines knowledge or awareness of money
defined ▪ Responsibilities of 1st, 2nd and 3rd line have laundering and/or terrorist financing
▪ Processing of transaction monitoring not been described risks or controls
alerts is not laid down or followed up ▪ No second line monitoring ▪ No training available in the area of
▪ (Intended) unusual transactions are ▪ No independent internal control AML/CFT
generally not immediately reported ▪ Periodic management information about
to FIU TM results unavailable
▪ Alerts processing and unusual ▪ Segregation of duties for 1st, 2nd and 3rd ▪ Employees have insufficient
transactions notification processes line has been designed knowledge or awareness of money
are capacity-driven rather than risk- ▪ Inadequate description of responsibilities laundering and/or terrorist financing 17
based of 1st, 2nd and 3rd line risks or controls
▪ Alerts processing is insufficiently ▪ Second line monitoring (SLM) and ▪ Incidental training sessions in the
recorded (no considerations/ independent internal control has been area of AML/CFT (only reactive,
conclusions) and there is no follow- designed, but its operating effectiveness for instance in response to audit
up is insufficient in terms of frequency and/ findings or incidents). Their content
▪ (Intended) unusual transactions are or quality (SLM programme, checks lacks quality (absence of material
incidentally (immediately) reported performed, reporting) elements)
to FIU ▪ Periodical management information
about TM results are available to a limited
degree
▪ Alerts processing and unusual ▪ Segregation of duties for 1st, 2nd and 3rd ▪ Employees and senior management
transactions notification processes line has been designed and is in place have sufficient knowledge and
have been sufficiently defined, ▪ Responsibilities of 1st, 2nd and 3rd line are awareness of money laundering
including escalation to the 2nd line adequately described and/or terrorist financing risks and
▪ Processing of transaction monitoring ▪ Second line monitoring and independent controls
alerts is laid down and followed up internal control have been designed ▪ Training programme has been
▪ (Intended) unusual transactions are and exist. Their frequency and quality designed based on distinctive levels
immediately reported to FIU are adequate (suboptimal operating in the organisation (from
effectiveness) management to staff member)
▪ Findings from 2nd and 3rd line monitoring ▪ Obligatory and optional training
activities are adequately followed up by sessions on AML/CFT are offered
the 1st line (reactive) periodically, their quality is sufficient
▪ Management information about results is and they contain material elements
adequate, in essence providing direction
▪ Alerts processing and money ▪ Segregation of duties has been designed ▪ All employees and senior
laundering notification processes and exists for 1st, 2nd and 3rd line and management have extensive
have been defined and the institution its operating effectiveness has been knowledge about and are fully aware
is pro-active towards developments demonstrated of money laundering and terrorist
in money laundering and terrorist ▪ Responsibilities of 1st , 2nd and 3rd financing risks and controls
financing line have been described clearly and ▪ Senior management acts as a role
▪ Processing of transaction monitoring completely and 1st line pro-actively model
alerts is consequently documented takes final responsibility for transaction ▪ Obligatory and optional training
and followed up monitoring sessions on AML/CFT are regularly
▪ Institution acts as a fully- ▪ High-quality second line monitoring is offered and relate to cases tailored to
fledged discussion partner of the conducted very frequently (operating the institution
investigative authorities and chain effectiveness) ▪ New developments in the area of
partners ▪ High-quality independent internal checks money laundering and terrorist
of transaction monitoring take place financing are immediately applied
regularly (operating effectiveness) to the organisation's day-to-day
▪ Elaborate management information is practice (e.g. FIU-NL cases)
available about TM results and provides
direction
5 Guidance
18 5.1 SIRA reviewed, and should be translated into procedures
and measures. The results of the SIRA must affect
Banks must ensure the transaction monitoring the entire organisation, and must also be reflected
process reflects the risks of money laundering and in the risk analyses at customer level. Below we
terrorist financing that emerge from the SIRA. have shown an example of a bank where that is not
the case.
18 Pursuant to Sections 10(1) and 10(2) of the Bpr, an institution must have a SIRA in place. If this
reveals any new or residual risks, the institution must address these through adequate policies,
procedures and measures.
19 For a further description of the SIRA, please see the document: “Integrity risk assessment – more
where necessary, less where possible” http://www.toezicht.dnb.nl/en/2/51-234066.jsp.
Post-event transaction monitoring process for banks
5.1.1 Risk profile: expected transaction pattern To determine expected transaction behaviour, during 19
periodic monitoring (i.e. periodic CDD review),
In determining the customer due diligence risk the bank can for example obtain information about:
classification (low, medium, high), the bank ▪
(expected) incoming (and outgoing) flows of
must assess the customer’s expected transaction funds, including volumes, types of counterparties
behaviour. and countries; the types of transactions,
distribution channels and their frequency (credit
card, non-cash transfers, cash withdrawals and
Under the Wwft banks must prepare a customer risk deposits, funding, foreign currency, etc.).
profile as part of the customer due diligence process.
This involves assessing several factors relating to Possibly by using peer grouping the bank may deploy
the customer, such as the sector(s) and countries advanced data analysis techniques in preparing the
in which they are active, the products and the expected transaction profile.
services obtained from the bank and the distribution
channel. On this basis the bank can determine the The expected transaction profile plays an essential
risk classification of the customer. Depending on role in detecting unusual transactions and hence
the risk, mass retail customers could be included in preventing money laundering and terrorist financing,
homogeneous peer groups. as banks can only mark transactions as unusual
if they know what exactly qualifies as an unusual
Customers are subject to periodic review and their transaction. If it appears from certain transactions
details are updated based on relevant events. The or account developments that the customer’s
underlying reasons on which the risk classification transaction behaviour is deviating from its risk
is based are also used for the bank’s transaction profile, the bank must establish whether there is
monitoring process. When customers do not have the possibility of unusual transactions, and whether
a risk classification, it is in any case not possible to further actions have to be taken, such as for example
provide a risk-oriented basis for the transaction a re-evaluation of the customer’s risk profile. The
monitoring system. Based on knowledge of bank must also assess the effectiveness of the alerts
the customer, the bank can check whether the that are generated in the event of a potential unusual
transactions they carry out match the picture it has transaction. Good cooperation between different
of the customer and the expected transaction profile. individuals and departments is essential in this respect.
20 As the bank establishes the customer’s expected
transaction behaviour when entering into a business
relationship with that customer, it is primarily
dependent on information that the customer itself
provides about the expected transactions. We
expect banks to assess during the periodic risk-based
reviews, or during event-driven reviews, whether
the expected transaction behaviour is still sufficiently
in line with actual practice. This information can be
compared with the transaction behaviour of other
customers in comparable sectors or customers with
a comparable risk profile.
Good practice
In order to establish expected transaction transaction behaviour, or through a customer
behaviour, a bank has divided its customer survey. For each customer, the actual transaction
portfolio, on the basis of various customer behaviour is compared on an ongoing basis
characteristics, into homogeneous customer with the expected transaction pattern. This
groups (peer groups). For each one of these comparison involves several risk indicators, such
customer groups, with the help of data analysis, as cash deposits and international payments.
and on the basis of several relevant risk indicators Statistically significant deviations from the
from the customer portfolio, the bank establishes expected transaction behaviour are automatically
an expected transaction pattern. When this detected by the transaction monitoring system and
expected transaction pattern cannot be established investigated in accordance with the standard alert
on the basis of known customer characteristics, handling process to verify whether this presents a
the bank does this through an analysis of historic possible risk of financial economic crime.
Post-event transaction monitoring process for banks
Good practice
A bank indicated in its policy that it took additional policy, the bank decided to mitigate this inherently
control measures for customers with a high-risk higher risk by applying stricter monitoring to the
profile. In carrying out its SIRA, the bank found that transactions of these customers. To do so, it added
PEP customers have a high-risk profile by default. tailored controls for this specific customer group to
As part of its SIRA process and in line with its its regular transaction monitoring system.
22 5.3 The transaction monitoring system 5.3.1 Use of business rules
As described in section 4.1, banks make use
Banks must have an (automated) transaction of a set of business rules to detect unusual
monitoring system in place and have a transactions. Business rules are intended to
substantiated and adequate set of business mean the set of detection rules applied in the
rules (detection rules with scenarios and transaction monitoring system, which comprise
threshold values) to detect money laundering applied scenarios and particular threshold values,
and terrorist financing. such as amounts in currency and numbers of
transactions or combinations of amounts and
numbers of transactions. The method by which
We expect banks to have a transaction monitoring these business rules are determined, is essential for
system in place that reflects their own risk profile. the effectiveness of a bank’s transaction monitoring
The transaction monitoring system is preferably a process. We expect the business rules included in the
system in which data from several sources can be transaction system to be risk-based and traceable
imported, such as from open sources and sources to the outcomes of the SIRA. Traceable is intended
from commercial providers. to mean that there is a link is between the business
rules and the residual risks resulting from the SIRA.
There is no simple yes or no answer to the question The bank must clearly describe this link.
of whether a bank must have an automated system
in place for post-event transaction monitoring. When preparing these business rules, the bank must
To determine its approach to monitoring, each bank take various factors into consideration, such as:
must weigh up the costs, risks and the method it ▪▪ the type of customer, e.g. private individuals and
intends to apply. The monitoring method is strongly business customers;
dependent on the nature and scope of the bank ▪▪ the customer segment, e.g. a distinction between
and the number of transactions it conducts on a private banking and retail, broken down into other
daily basis. It is important to be aware that it is not segmented target groups such as for example
a statutory requirement for transaction monitoring professional sports;
to be automated. It is therefore up to the bank to ▪▪ the customer risk profile that was prepared during
determine whether monitoring should be manual or the CDD and possibly adjusted at a later stage;
automatic. However this decision must be sufficiently ▪▪ the transaction’s country of origin or country of
substantiated. Accordingly we expect a bank to be destination; e.g. high-risk country, EU or non-EU
able to explain why a manual transaction monitoring country;
system suffices if it conducts tens of thousands of ▪▪ the product, e.g. savings, real estate finance or
transactions on a daily basis. This could for example trade finance;
be the case if the bank can demonstrate it has ▪▪ the distribution channels, e.g. physical presence of
sufficient suitable resources for manual monitoring. the customer or online;
Post-event transaction monitoring process for banks
▪▪ the nature and frequency of transactions, e.g. cash Other examples concern dormant accounts, 23
or non-cash; ▪▪ e.g. if an account is “dormant” for six months but
▪▪ the customer’s risk profile classification, e.g. low, then suddenly becomes active;
medium or high; ▪▪ a substantial difference (to be determined by the
▪▪ international transactions effected from off-shore bank) in an account balance with respect to the
countries through the Netherlands to other off- average balance over the past three months;
shore countries. ▪▪ transactions to or from high-risk countries,
financial organisations or countries with whom
The bank must ensure there is sufficient the customer did not do business with before;
diversification in the business rules, certainly in ▪▪ a scenario for “consultancy payments”.
the case of several customer segments, countries,
products and types of transactions. In establishing business rules, the bank also considers
other transactions of the customer or transactions in
An example of a business rule in the retail segment past periods, how long a customer has had a relation
could be the following: customers within a specific ship with the bank, comparisons with a customer’s
age group, e.g. 18-25 years, crossing certain limits age group, and whether or not the customer is in a
with respect to the size and frequency of non-cash high-risk postal code area or country,²⁰
transactions.
Good practice
In conducting its SIRA, a bank identified an in order to continue providing banking services
inherent corruption risk ensuing from transactions for this customer group. It therefore implemented
of customers classified as PEPs. The bank decided specific business rules for PEP transactions in its
this risk had to be mitigated to an acceptable level transaction monitoring process.²¹
5.3.3 Periodic evaluation of business rules: 2. An analysis of transactions which are identified 25
backtesting as possibly unusual through a route other than
post-event transaction monitoring. The aim of
Business rules must be periodically reviewed and this type of backtesting is to analyse the extent
tested for effectiveness. to which the transaction and monitoring system
is able to detect unusual transaction patterns
and transactions.
We expect banks to get the the effectiveness of their 3. A test involving analysis of business rules with
transaction monitoring system to the desired level many or only false positive alerts. The aim of this
and to maintain it. In this regards we expect banks to test is to review how these business rules can
periodically evaluate this system to assess whether be adjusted to generate more true positives.
the business rules applied are effective or ineffective. 4. A test involving retrospective analysis of
This could for example be the case if business rules are the timeliness of notifications in order to
to loosely defined or have thresholds and values that improve this.
are too high, and as a result there are almost no alerts
resulting from a certain business rule. Banks must The aim of these tests is to further optimise the
therefore conduct periodic reviews to assess whether business rules and make them more effective in
certain business rules have incorrectly not generated order to generate more true positive alerts. At the
any alerts and existing rules require adjustment. same time, these tests also help the bank to conduct
transaction monitoring as efficiently as possible.
Rules can be evaluated through backtesting. Based
on the results of backtesting, banks can make the
necessary adjustments to the business rules of their
transaction monitoring system.
5.3.4 Data analysis such as the use of big data and data modelling
We have observed that banks take various initiatives techniques, increases the possibilities an institution
to develop more advanced technologies in order has for detecting potentially unusual transaction
to analyse their transaction and customer data. patterns and deviant transaction behaviour.
Banks have considerable historical data they
can use to better predict, analyse and ultimately By using more advanced technology, banks will
assess individual customer transaction patterns or reduce the risk of contributing towards money
transaction patterns and behaviour of groups of laundering or terrorist financing, as they will be able
customers. We encourage banks to make use of to more effectively detect and anticipate unusual
advanced data analysis and artificial intelligence in customer behaviour.
their transaction monitoring. Advanced technology,
Post-event transaction monitoring process for banks
22 Transactions contain text in free format fields, and software technologies can be used to retrieve valuable
information from large quantities of such texts, e.g. specific patterns and trends. Using software technologies,
the texts are structured and decompiled, transformed, fed into databases and then evaluated and interpreted.
23 Source: The Egmont Group of Financial Intelligence Units, A global Financial Typology of Foreign Terrorist
Fighters; November 2015.
28 Below is a good practice of a process diagram²⁴ Step 1:
from a money transaction office, used to analyse A target is in scope based on public information
the behaviour of targets and identify new or existing typologies.
typologies. This kind of analysis may also be
useful for banks. Step 2:
The bank checks whether the target appears in
its files.
Figure 3 Process diagram of typologies
Step 3:
If the target is included in the files, their transactions
are analysed, focussing on the transaction
1. Define targets
(based on e.g. characteristics and the countries and/or individuals
existing typologies)
or entities involved.
5. Check
typologies
against data
to identify 2. Check
new targets available data
Step 4:
(transaction
and customer If it is established that the transaction patterns
data)
identified could indicate terrorist financing, the
Process diagram
of typologies patterns are translated into new typologies.
Step 5:
4. Create/
update The bank translates the typologies into transaction
institution
specific 3. Analyse monitoring scenarios. The transaction monitoring
typologies results (including
network analysis)
process is then used to identify new targets, and
the cycle begins again. This continuous process has
proved to be very valuable in detecting unusual
transactions.
5.3.7 IT control measures to safeguard quality and In order to safeguard completeness, it is important 29
completeness of data that the transaction monitoring system includes
all transactions with associated data from the
Banks must safeguard the quality and source systems. It is possible to safeguard the
completeness of the data that is used in the completeness of data in various ways. This depends
transaction monitoring system, for example, on the IT landscape and the source systems used.
through technical segregation of duties and Banks must decide in advance which transactions
completeness controls. and associated data to control. They must
subsequently establish control measures in both
the source systems and the transaction monitoring
Banks must safeguard the quality and completeness system. These measures relate both to the quality of
of the data that is used in the transaction the data and to its completeness.
monitoring system, for example, through technical
segregation of duties and completeness controls. The measures taken must be underpinned by
adequate management of the IT landscape for
We expect the quality and completeness of the the transaction monitoring process. We therefore
data used in an automated transaction monitoring advise banks to periodically control whether this
system to be adequately safeguarded. Important IT landscape still meets the requirements set, and
control measures in this respect are the (technical) wherever these requirements still reflect the risks:
segregation of duties and controls on the ▪▪ Does the IT component of the risk analysis for
completeness of data. The (technical) segregation the transaction monitoring process continue to
of duties is a fundamental part of safeguarding reflect changing circumstances.
data quality. This ensures that no undesired or ▪▪ Based on a risk analysis, are the IT control
uncontrolled adjustments are made to data. measures applied from all the source systems to
Segregation of duties can occur in various ways: the transaction monitoring system, including all
segregation is between two processes such as entry platforms in between, still effective?
and authorisation, but also technical segregation ▪▪ Does the process not have a single point of
of duties between the test environments and the failure and is knowledge of the transaction
production environment. monitoring system sufficiently safeguarded?
▪▪ Does the documentation describe the actual
situation, in IT technical and non-IT technical
terms, such as business rules?
▪▪ Is management of general IT controls sufficient?
30
At the banks we examined, end-to-end We found a key-man exposure risk regarding
control between the source systems and the the transaction monitoring system in the
transaction monitoring system was virtually majority of the institutions we examined:
absent. As a result, there are no checks to just one or two employees had knowledge of
establish the completeness of the transactions the system. There is a high risk of knowledge
from the source systems that are fed into the loss if few employees know how the systems
transaction monitoring system. The risk is that work, which means these systems cannot be
not all transactions will be monitored, and the properly maintained, or that incidents cannot
transaction history will be incomplete as a result. be resolved.
5.4 Alert handling and notification Banks must have procedures and working processes 31
process in place to assess and handle alerts. We expect
banks to have sufficient insight into the audit trail
As described above, banks must notify FIU-NL of and the processing times of follow-up actions for
executed or proposed unusual transactions promptly alerts. These procedures and working processes
upon their unusual nature becoming known. Prompt should ensure that the processing time from
notification to FIU-NL is one of the key elements of generating an alert to notification to FIU-NL is as
the AML/CFT process. FIU-NL investigates all notified short as possible and that the right priorities are set
transactions and, in the event these transactions are when dealing with alerts.
marked as suspect, reports them to the investigative
authorities. As a result, notification of unusual We expect banks to record the considerations and
transactions may lead to criminal prosecution, which conclusions for closing an alert or for reporting
is why a bank’s notification duty is essential in the the transaction as unusual to FIU-NL. As described
AML/CFT process. earlier it is important in this respect to document
whether the transaction in question reflects the
The sections below set out guidelines for the alert customer’s transaction behaviour but also to verify
handling and notification process. whether such a transaction is logical and plausible
for the type of customer and the sector in which the
5.4.1 Alertafhandelingsproces customer is active.
Banks must have an adequate process for We observed during our examination that escalation
notification and dealing with alerts. In this process, of alerts to the second line was largely absent from
for each alert considerations and conclusions the alerts handling process. It is therefore important
are documented underlying decisions to close or that banks offer clear guidelines for those cases in
escalate an alert. which escalation from the first line to the second
line (compliance) is necessary. Please note: We also
expect banks to be able to adequately substantiate
any conclusion, based on consideration of risks, to not
notify FIU-NL.
32 We came across the following examples of failure to
comply with requirements:
At a bank an alert was generated based on A private customer made some twenty cash
two cash deposits by a second-hand car dealer. deposits at a bank, totalling EUR 50,000.
The bank closed the alert for two reasons: Recently, the customer made a cash deposit of
firstly because cash transactions fit in with the EUR 25,000, which was then immediately debited
customer’s transaction pattern – this customer from the customer’s current account. The same
frequently made cash transactions – and secondly day the customer made another cash deposit,
because the values matched the prices of the of EUR 20,000 and also deposited several smaller
second-hand cars listed, around EUR 20,000. amounts in EUR 500 banknotes. The alert
The alert file does not substantiate whether handler classified the alerts as non-notifiable, but
it is common practice to pay for cars in this the alert file does not show how they arrived at
price range in cash. We requested a transaction this conclusion.
overview, which showed that over EUR 550,000
in cash was deposited with the bank in a period
of nine months. The bank did not (demonstrably)
investigate the plausibility of these cash deposits.
33
Good practice
A bank’s transaction monitoring system that cash deposits amounted to approximately
generated an alert following substantial cash 19% of the customer’s total income. Based on
deposits into a business account. As a follow-up, the guidance, the alert handler was able to
a broad analysis of the customer and transaction confirm that this percentage is in line with the
profile was made, which established that the applicable ratios for this sector. Even in the
account is held by a well-known beach restaurant summer period the ratio between cash and non-
on the Dutch coast, and that the CDD file did cash income remained below 20%. This could be
not contain any specific risks. An additional explained from the customer’s regular business
background investigation into the customer also activities, which commonly show a seasonal
revealed a transparent situation, and no issues pattern and a higher income in the summer
from the past. period. It was also established that the outgoing
transactions mainly involved wage payments,
The transaction analysis showed that frequent wholesaler purchases, taxes and rent. This also
cash deposits were made into this account, with a fits in with regular catering business activities.
monthly volume fluctuating between EUR 5,000
and 15,000. In the summer period this incidentally Based on the analysis, the alert handler concluded
increased to above EUR 20,000, exceeding the that the cash deposits were not unusual given the
expected volume of cash deposits laid down in customer profile, and that they therefore did not
this customer’s risk profile. The analysis showed need to be notified.
34 5.4.2 Capacity and resources to assess alerts To achieve this, the bank can prepare KPIs defining
We expect banks to have sufficient capacity and the estimated processing time for dealing with
financial resources available to conduct risk-based every type of alert. These KPIs must of course be
transaction monitoring, and their alert handling periodically evaluated.
process in particular. In addition, the department
that handles alerts must set realistic targets Finally, the bank must structure its processes to
in view of the size and risk profile of the bank. ensure a minimum risk of delay.
Good practice
One of the banks from our thematic examination alerts. The customer file can provide additional
worked on the principle of “quality before speed” information for detecting transactions with an
when handling alerts.²⁵ Alert analysts must have elevated risk of money-laundering and terrorist
sufficient time to conduct a thorough examination financing. The analyst can for example use the
and report their findings, and also have available information from the customer file to assess
sufficient resources, as well as access to whether the transactions are in line with the
internal and external systems and sources of customer’s activities. A list of denominations used
information. This means that analysts must be for withdrawals and deposits are another source
able to consult the customer file when assessing of information.
Good practice
Banks have the option of making high-urgency high-urgency notification the police could
notifications to FIU-NL. One of the banks in quickly initiate a criminal investigation after
our examination did so in a case in which the receiving FIU-NL’ report, and seize the funds
transaction patterns of an account seemed to before they could be channelled away.
indicate a “Ponzi scheme”. Thanks to the bank’s
25 Speed involves dealing with alerts as quickly as possible in order to prevent backlogs.
Post-event transaction monitoring process for banks
35
Good practice
A bank must keep abreast of developments Service (Fiscale inlichtingen- en opsporingsdienst
in money laundering and terrorist financing, – FIOD) revealed that the customer was indeed
and payment instruments such as bitcoin and a “bitcoin casher”. Bitcoin cashers purchase
other virtual currencies.²⁶ In their alert handling bitcoins from traders who most likely obtained
process, one of the banks we examined identified them from trading in illegal goods on the dark
a customer who made a lot of cash withdrawals web, where bitcoins are a common payment
following non-cash transfers from companies instrument. The bitcoin cashers then sell these
trading in bitcoin and other crypto currencies. The bitcoins to exchange offices on legal platforms in
bank notified FIU-NL of this, and investigation by exchange for euros. The proceeds in euros are then
FIU-NL and the Fiscal Investigation and Detection withdrawn from the account in cash.
5.4.3 Alerts related to the risk of terrorist business rules in order to detect terrorist financing
financing risks. We also expect banks to use recent guidance
We expect banks to maintain a list of red flags that documents and newsletters issued by DNB, FIU-NL
could indicate terrorist financing. The list must fit and international bodies such as the Financial Action
the bank’s risk profile and should be translated into Task Force on Money Laundering (FATF).
Good practice
Based on media coverage, a bank suspected a that closely monitors developments through the
customer of having a possible connection to media and takes action by developing an alert for
jihadi groups. The bank developed an alert for this this customer.
customer. This is a good practice of an institution
26 In July 2014, we alerted the banks to the high-risk profile of virtual currencies in a thematic
examination into new payment methods.
36
Good practice
A bank noticed a debit card transaction by one To detect such useful alerts, FIU-NL published a
of its customers in Eastern Turkey, close to the list of towns in the Turkish-Syrian border region in
Syrian border. The monitoring system generated one of its newsletters.
a terrorist financing alert for the transaction.
Good practice
Two months after the debit card transaction in The bank then decided to refuse the second loan,
Eastern Turkey described above, the customer and notified all transactions, i.e. the debit card
applied for a EUR 10,000 loan. A bank staff transaction and the two loan applications, as
member found that this customer had already unusual transactions to FIU-NL.
applied for a EUR 10,000 loan four months before,
stating that it was meant to purchase a car. The This case presented the following red flags:
bank then decided to investigate further and ▪ a debit card transaction in the Turkish-Syrian
found that the funds of the first loan were almost border region;
immediately transferred to Turkey in several ▪ taking out a loan, which is withdrawn from the
transactions. account shortly afterwards;
▪ use of the loan does not correspond with the
The bank also found a connection to the previous customer’s statement;
alert, i.e. the debit card transaction in Turkey. ▪ splitting up funds in smaller amounts for
The bank asked the customer several questions transfer;
in order to clarify matters, but the customer was ▪ transferring funds obtained as loans to certain
unable to give clear reasons for these transactions. countries.
Post-event transaction monitoring process for banks
27 See also Section 12 of the Decree on Prudential Rules for Financial Undertakings.
38
The bank notifies FIU-NL immediately Notification of unusually large cash
of any unusual transactions deposits in high denominations
The case described in 5.4.3. involved transactions In a case involving large cash deposits in
with a country with an enhanced risk of EUR 500 banknotes, the description of the bank’s
terrorist financing, where the bank noticed the investigation revealed that the staff member at
relationship between a customer and a jihadist the relevant branch office had not been given any
based on media coverage. The bank considered guidance about dealing with alerts. As a result,
this information only five months after the news the staff member had failed to inquire about the
was published, and then notified FIU-NL. origin of the funds and the reason for using EUR
500 banknotes. The alert processor therefore had
The bank should have dealt with this insufficient information to notify the transactions
information and notified it to FIU-NL at short to FIU-NL, while the large cash deposits and high
notice, in order to prevent FIU-NL and the denominations were reason enough to do so.
investigative authorities from missing out on
relevant information on potential terrorist
financing. According to the bank, the alert
required extra processing time for reasons
of thoroughness, and there was also some
backlog in dealing with alerts. Given the
substantial risks to the Netherlands and its
population, institutions should assess any
alerts related to terrorist financing promptly
and notify them to FIU-NL without delay.
Banks must deal with alerts related to terrorist
financing as a matter of high priority
Post-event transaction monitoring process for banks
5.4.5 Reclassification of customer risk We expect banks to ensure that those responsible 39
If the results of the analysis provide sufficient for analysing alerts (and if applicable receiving
grounds we expect the institution to re-evaluate feedback reports) also have possibilities to
the customer’s risk profile to establish whether reassess the customer’s risk profile. We also expect
there are reasons to adjust this profile. This can for these analysts to be able to indicate to the staff
example be based on event-driven review. This way responsible for customer assessment that a
the institution safeguards the customers risk profile, re-evaluation is necessary. In this respect we also
ensuring the customer’s risk classification reflects its expect banks, through a quality assurance process,
risk of money laundering or terrorist financing. Also, to monitor if such re-evaluations are adequately
if the bank receives feedback from FIU-NL stating conducted. The alerts handling process can also
that the report of the suspicious transaction has offer insight into the effectiveness of the business
been passed on to the investigative authorities, the rules in place. The first-line staff can play a key role
institution must reassess the customer’s risk profile in this respect and provide input for the periodic
and if necessary adjust it. review of the business rules.
Good practice
In a local news release, a staff member read that the proceeds of these illegal activities in cash
a cannabis farm was discovered at the house of into these accounts. He explained that he was in
one of the bank’s customers. Further investigation financial difficulties and hence resorted to illegal
revealed that the customer had made several activities. The unusual transactions were notified
cash deposits into his own account and that of to FIU-NL, the customer’s risk classification was
his foundation. The customer confirmed that he reviewed and the customer was reclassified as
ran a cannabis farm in his home and deposited unacceptable.
40 5.4.6 Objective indicators for automatic 5.5 Governance
notification
In view of the nature of their activities, many banks Banks must have structured their governance
have to deal with transactions that meet one with regard to transaction monitoring in such a
of the objective indicators for reporting unusual way that there is clear segregation of duties, for
transactions. To ensure that such transactions are example through the three lines of defence model.
immediately reported, a tool or functionality can
be implemented within the transaction monitoring
system by which transactions meeting this objective The principle for addressing this part of the maturity
indicator are automatically reported to FIU-NL. model is the three lines of defence model. This model
This allows these institutions to avoid failing to has been chosen as it reflects the model that most
immediately report these transactions and removes banks use in their governance. This does not however
the administrative burden for the party responsible imply that other assurance models could not be
for this task. applied. It is nevertheless important to ensure that
the model at all times safeguards the segregation
of independent duties for control activities. Banks
should of course always have an independent
compliance function²⁸ and an independent internal
control or internal audit function.
Good practice
All banks in our examination had an independent These audits were generally of good quality, and
internal control function, usually a third-line follow-up of the findings was adequate. One bank
function i.e. the internal auditor. By means of also monitored the monthly progress of action
periodic audits, the independent control function points established by the business based on
assesses the design, existence and operating the audit reports. The internal auditor applied a
effectiveness of the transaction monitoring process. comprehensive chain approach.
28
Section 21 of the Decree on Prudential Rules for Financial Undertakings
(Besluit prudentiële regels Wft - Bpr).
Post-event transaction monitoring process for banks
We expect the bank’s organisation to be set We expect senior management to address signals 41
up in such a way that the first line has a clear from the first, second and third lines about possible
responsibility for transaction monitoring and that shortcomings in the transaction monitoring process.
the second line (compliance) has an advisory and In this respect it is important that banks have
monitoring role but also can have a role in reporting adequate and regular management information
unusual transactions to FIU-NL. ²⁹ that provides insight into signals and results, so they
can take timely action on this basis. In this way,
We expect your institution to have clearly defined in addition to its advisory and monitoring role,
what the advisory task of compliance is in relation compliance also fulfils a reporting role with respect
to transaction monitoring, for example, dealing with to transaction monitoring. At most of the banks
advice from compliance on high-risk cases. Quality we examined, this reporting role was in place.
assurance for transaction monitoring is performed DNB expects compliance’s periodic accountability
by the second line. This is usually referred to report to contain explicit management information
as second-line monitoring. In this context, it is about the most important results of its transaction
important to periodically and systematically test monitoring.
procedures and processes.
29 We note in this context that the following may be included in the Wwft (based on the Fourth Anti
Money laundering Directive) with respect to the compliance function: “the compliance function
monitors compliance with statutory regulations and institution-specific internal rules and is
responsible for reporting unusual transactions to FIU-NL, as described in Section 16(1) of the Wwft.”
42 5.6 Training en awareness to be tailored to each target group, from the
board and senior management to junior staff.
Banks must offer their staff tailored training We also expect the training to be adjusted to the
programmes. Staff must be aware of the risks of level of the staff members. taking into account
money laundering and terrorist financing. competencies and experience, as well as making
use of relevant cases from the institution’s own
transaction monitoring process. When establishing
We note that banks have included training sessions the content of the training programme you can
about the Wwft in a programme that is updated make use of the cases that FIU-NL publishes every
yearly. We expect the content of this programme two weeks.
Good practice
One of the banks we examined offered a second and the third line. On the basis of case
training programme for alert analysts based studies, the training programme addresses the
on four different levels of experience. The latest developments, both in terms of the laws
training programme establishes the expected and regulations, as well as practical examples of
competencies for each level of experience, as well possible cases of money laundering and terrorist
as the goals which the training should achieve. financing, and the institution’s response to this.
The training programme also establishes how the The training programme therefore covers policy,
achievement of these goals is quantified. procedures and underlying work processes,
clarifying what steps to take in such cases. Some
Another bank we examined had an annual banks employed a dedicated expert in counter-
training programme available for the first, terrorist financing.
Post-event transaction monitoring process for banks
Glossary
Alert Expected transaction behaviour 43
A signal indicating a potentially unusual transaction. The expected pattern of the customer’s
transactions.
Alert handler
The member of staff who analyses, investigates and Financial and Economic Crime
records the alert. Money laundering, corruption, terrorist financing,
insider trading, non-compliance with sanctions
Back-testing and other criminal behaviour (for example
Testing and optimisation of a certain approach, embezzlement, fraud and forgery).
based on historical data.
Indicators
Business rules Indication or signal that a transaction may involve
The set of detection rules that are applied in the money laundering or terrorist financing.
transaction monitoring system, comprising applied
scenarios and the certain threshold values. Notification process
The process of reporting unusual transactions to
Continuous monitoring FIU-NL, as described in Section 16(1) of the Wwft.
Ongoing monitoring and control.
Peer grouping
Customer Defining customer groups with common
the customer is the natural or legal person with characteristics.
whom a business relationship is entered into or who
has a transaction effected. SIRA
Systematic integrity risk analysis, as described in
Customer due diligence (CDD) Section 10 of the Bpr.
Investigation as defined in Section 1of the Wwft.
Targets
Customer risk profile Targets are subjects that are associated with
Classification of customers according to risk terrorist financing.
categories, as set out in the DNB Guidance on the
Wwft and the Sanctions Act, pp 11-12. Transaction
An act or a combination of acts performed by or
Event-driven review on behalf of a customer of which the institution has
The institution conducts a customer due diligence taken note in the provision of its services to that
on the basis of an event or incident. customer.
44 Transaction data
All data relating to a transaction.
Transaction profile
Determining the customer’s profile based on
expected transactions or expected use of the
customer’s account.
Typology
Characteristics, or groups of characteristics, which
may point to terrorist financing.
Disclaimer
In this guidance document, De Nederlandsche Bank N.V. (DNB), sets out its expectations
regarding observed or envisaged behaviour in supervision practice, that reflects an appropriate
application of the legal framework relating to the requirements of transaction monitoring. This
document also includes practical examples for a better interpretation.
This document guidance must at all times be read in conjunction with the published guidances
on this subject such as the DNB Guidance on the Wwft and SW (version April 2015). You can
use the good practices described in this guidance as a basis for your transaction monitoring,
while also taking into consideration your institution’s own circumstances. Where appropriate, a
stricter application of the underlying regulations may apply.
This Guidance is not a legally binding document or a DNB policy rule as referred to in Section
1:3(4) of the General Administrative Law Act (Algemene Wet Bestuursrecht), and it does
not have or aim to have any legal effect. It does not replace any legislation or any policy,
supervisory or other regulation on this topic. The examples presented in this document are not
exhaustive and cannot cover every eventuality. Rather, they aim to help institutions interpret
and implement the statutory requirements.
De Nederlandsche Bank N.V.
PO Box 98, 1000 AB Amsterdam
+31 20 524 91 11
dnb.nl