
MANUAL ON ANTI-MONEY LAUNDERING AND COMBATING THE FINANCING OF TERRORISM:
GUIDANCE ON DESIGNING AN AML/CFT MANUAL

February 2020
Guidance to the Members of ICPAC regarding the design and establishment of an
AML/CFT Manual

© 2020 ICPAC. All rights reserved.


No reproduction, republication, copy, translation or amendment of this publication,
in whole or in part, may be made without prior written permission.

Table of Contents

Acronyms
1. Purpose
2. Introduction
3. Content of the Manual
4. Key definitions
5. Relevant legislation
6. Policies
   a. The AML/CFT Policy
   b. The Client Acceptance Policy
7. Duties and responsibilities
   a. Duties and responsibilities of the BoD and Senior Management
   b. Duties and responsibilities of the CO
8. Background checks/ screening of clients
9. Risk-based approach
   a. Identification of risks
   b. Assessing the risks
   c. Categories of risks
   d. Implementing appropriate mitigating measures
   e. Monitoring and improving the measures and procedures
10. Customer Due Diligence Procedures
11. Third Party Reliance
12. Record Keeping
13. Training
14. Reporting obligations
Useful links

Acronyms

ACO Assistant Compliance Officer
ACOR Annual Compliance Officer’s Report
AML Anti-Money Laundering
BoD Board of Directors
CAP Client Acceptance Policy
CDD Customer Due Diligence
CFT Countering the Financing of Terrorism
CO Compliance Officer
CPD Continuing Professional Development
EDD Enhanced Due Diligence
EU European Union
FATF Financial Action Task Force
IMF International Monetary Fund
KYC Know Your Client
ML Money Laundering
NRA National Risk Assessment
OFAC Office of Foreign Assets Control
PEP Politically Exposed Person
RBA Risk Based Approach
SAR Suspicious Activity Report
SDD Simplified Due Diligence
SNRA Supranational Risk Assessment
SoF Source of Funds
SoW Source of Wealth
STR Suspicious Transaction Report
TF Terrorist Financing
UBO Ultimate Beneficial Owner
UN United Nations

1. Purpose

The purpose of this Guidance is to assist all ICPAC members to design an AML/CFT
Manual (“Manual”) containing the policies and procedures adopted against money
laundering and terrorist financing. According to ICPAC’s AML/CFT Directive
(“Directive”) members must design, establish, implement and document policies and
procedures in appropriate AML/CFT manuals.

2. Introduction

The Manual is a critical pillar of an Anti-Money Laundering Program and the “Bible”
of the firm in relation to AML/CFT conduct. The manual provides written compliance
standards, procedures and practices which guide the firm and its employees on a day-
to-day basis. The manual includes areas such as a code of conduct detailing
fundamental principles, Customer Due Diligence (CDD), risk assessment, policies and
procedures and information on relevant laws and regulations.

It should be noted that the AML/CFT Manual should reflect and record the AML/CFT
policies and procedures adopted and applied by the firm. The said procedures should
be appropriate based on the nature and size of each firm, the services provided and its
risk exposure. As such, the extent of the procedures will vary accordingly. It is
highlighted that firms should document the procedures they actually implement
and should neither give a general view of their obligations under the Prevention and Suppression
of Money Laundering and Terrorist Financing Law of 2007 (“Law”), as applicable, and
ICPAC’s Directive nor include policies and procedures that do not in reality apply or are
not implemented by them.

It should be noted that the Manual should be updated in accordance with the latest
provisions of the relevant legislation and the risk appetite of the firm, current trends
and best practices.

Adherence to the provisions of the Manual is a safeguard to the effective
implementation of the AML/CFT program of the firm.

This Guidance should be read in conjunction with the Law, ICPAC’s Directive and
ICPAC’s Guidance and Circulars relating to ML/TF matters.

3. Content of the AML Manual

AML manuals should cover the following categories:

• Key definitions
• References to relevant legislation
• Policies of the firm, i.e., AML/CFT policy and CAP
• Duties and responsibilities, i.e., responsibilities of BoD and Senior
Management, responsibilities of the C.O
• Background checks/ Screening
• RBA
• KYC & CDD procedures and measures
• Third party reliance (if applicable)
• Record keeping
• Training
• Suspicion reporting obligations

4. Key definitions

This section should include key definitions for basic terms used throughout the
Manual, so as to allow all levels and types of staff to familiarize themselves with
AML/CFT related matters. Such definitions may include ML, TF, PEP, UBO etc.

5. Relevant legislation

This section should include reference to relevant applicable legislation and provide
guidance that employees could refer to when additional guidance is needed. The
manual should make reference to the applicable EU AML Directive, the AML/CFT Law
(Law) and ICPAC’s Directive. It may also make reference to the FATF Standards, the
Basel AML Index and reports issued by various international organizations and
standard setters such as the FATF, the MONEYVAL Committee, the EU Commission,
the UN and the IMF. Reference should also be made to the NRA and SNRA etc.

This section should also include the relevant offences and applicable sanctions based
on the Law and ICPAC’s Directive.

6. Policies

The manual should clearly state the policies of the firm regarding AML/CFT, namely
the AML/CFT Policy and the Client Acceptance Policy.

a. The AML/CFT Policy

The AML/CFT Policy constitutes the strategy adopted by the firm to prevent and effectively
combat ML/TF. The AML/CFT Policy should clearly state the
commitment of the firm to combat ML/TF and the objectives of the adopted policy.
The policy may also make a brief reference to the procedures, measures and internal
controls applied by the firm and designed to ensure compliance with the firm’s
obligations under the relevant legislation. The policy should provide for the review and
update of these procedures and measures when deficiencies are detected, or
adjustments are needed in order to ensure appropriateness and to accommodate for
changes in the relevant legislation and the firm’s business or risk profile.

b. The Client Acceptance Policy

The CAP is fundamental to any effective AML program and reflects the firm’s risk
appetite.

The risk appetite is the amount and type of risk that an organization is willing to take
in order to meet its strategic objectives. ICPAC members may have different risk
appetites depending on the services they provide, their resources, culture, existing
clientele and objectives. Risk appetite may change over time.

The CAP should include clear policies and procedures for accepting new clients and
entering into business relationships.

Each firm’s senior management officials should establish the acceptable risk profiles
of its clients.

The CAP should make clear reference to the categories of clients whose risk level is
intolerable, specify the clients who carry a high-risk classification by default and lay
down the conditions and criteria for termination of a business relationship.

The CAP should include the categories and types of clients that fall outside the
business and risk policy of the firm. The decision not to accept specific categories and
types of clients should be based upon the legal and regulatory requirements and the
risk appetite of the firm, taking into account various factors that affect the risk posed
by the client.

Consideration should be given to the legal and regulatory requirements and
reference should be made to the circumstances that should result in the termination
of the business relationship. It should be clearly stated that, as per the provisions of
the Law and the Directive, in cases where the client refuses to provide the requested
and/or additional information, the firm must not enter into a business relationship or
must terminate the business relationship with an existing client and must consider
whether or not to proceed with a SAR/STR to MOKAS. The CAP should also specify
the time frame given to the client to provide the requested information before
proceeding with the termination of the business relationship.

Examples of factors to take into consideration according to the firm’s risk appetite
include persons or entities subject to sanctions, the line of business of the client, the
countries of business, persons with adverse media, arms dealing, gambling, or more
general categories such as PEPs, international clients, high-risk clients etc.

The CAP should also refer to the types of clients that are to be treated as high risk by
default. This category must include the types of clients referred to in article 64 of the
Law and the Directive. This section should also incorporate all types of clients that the
firm opts to treat as high risk by default. Examples may include arms dealing, adverse
media, gambling etc.

The CAP should clearly state that the firm must not proceed with any transaction or
provide any service to the client before the client acceptance procedures are
completed.

7. Duties and responsibilities

The Manual should clearly distinguish between, and state, the duties and responsibilities of
the BoD and Senior Management and the duties and responsibilities of the C.O.

a. Duties and responsibilities of the BoD and Senior Management

Responsibilities include:

• Designation of a Board Member responsible for the implementation of the AML
program as per the provisions of article 58D of the Law (contact details of the
Board Member must be provided)
• Appointment of the C.O. (contact details of the C.O. and A.C.O. (if needed) must
be provided)
• Establishment of risk appetite and CAP
• Ensuring the update of the CAP
• Approval of policies, procedures and controls
• Measures to identify the need for adjustment of procedures
• Enhancement or adjustment of procedures, where needed
• Approval of establishment or continuation of a business relationship with a PEP
and high-risk clients
• Provision of appropriate and adequate training to the BoD, Senior Management
and staff

b. Duties and responsibilities of the C.O

Reference should be made to:

• The role of the C.O. as per paragraphs 3.1.4 and 3.2.1 of ICPAC’s Directive
• The approval of third parties
• The designing and establishment of procedures regarding reporting
obligations, the examination of reports and the filing of SAR/ STR
• The completion and submission of the ACOR and AML questionnaire to ICPAC
as per paragraph 3.2.1(j) of ICPAC’s Directive

8. Background checks/ screening of clients

The Manual should provide for the background checks/ screening of clients. It should
state the time and frequency of screening as well as the manner of screening (through
automated screening tools, manually or a combination).

The Manual should also provide for the procedure to be followed for assessing and
evaluating information gathered from the internet and media searches.

9. Risk-based approach

The Manual should set out clearly the risk-based approach used by the firm to
determine the risk posed by each of its clients. The RBA should consist of identifying
the risks, evaluating and assessing the risks, implementing appropriate mitigating
measures and monitoring the implementation and adequacy of the measures.

a. Identification of risks

This section should state all the risk factors taken into account when identifying the
risk posed by the client. Factors relating to the characteristics of the client,
geographical areas, products and services and delivery channels should be
documented in the Manual. Lists of risk factors are available in Annexes I, II, IV and
V of ICPAC’s Directive.

b. Assessing the risks

This section should incorporate the weight given to each factor so as to calculate the
total risk and determine the risk category of the client. The rationale behind allocation
of weights to specific risks should also be documented in the Manual.

c. Categories of risks

The categories of risks should be documented. Firms may choose to establish
additional categories of risks apart from the three categories of high, medium, low.
The criteria determining the risk categorization of the client should also be
documented in the Manual.

d. Implementing appropriate mitigating measures

Based on each risk category, the mitigating measures and CDD procedures to be
adopted should be stated. The said measures and procedures must be appropriate,
adequate and targeted to the individual circumstances and risks posed by the client.

Examples of risk mitigating measures include measures for higher risk situations, e.g.,
escalating approval, more frequent on-going monitoring, automated systems,
independent audit, as well as measures for other risk situations, e.g., on-going
monitoring, specialized training etc.

e. Monitoring and improving the measures and procedures

The Manual should provide for regular and/or periodic and change-trigger event
reviews of the measures and procedures applied to mitigate the risks. It should also
provide for the assessment of information obtained as part of the on-going monitoring
procedures for the client that should be cross-checked against the current risk of the
client, so as to apply any changes to the allocated risk.

For details regarding the establishment and application of a risk-based approach, refer
to the ICPAC Guidance Paper on the Risk-Based Approach (RBA) as well as
GE_16/2019 - RBA Guidance issued by the FATF.

10. Customer Due Diligence Procedures

The Manual should comprehensively document the CDD procedures and KYC
measures that the firm applies.

Reference should be made to the situations that would give rise to the
obligation to perform CDD procedures (art. 60 of the Law and Chapter 5 of the
Directive).

The Manual should clearly state all the KYC measures and CDD procedures applied by
the firm both for natural and legal persons. This section should differentiate between
the different risk categories of clients, mentioning the depth and breadth of those
measures (minimum procedures for SDD and EDD provided in the Law must be
included). Data collection and documents that are to be obtained by the firm for each
risk category should also be stated, including as a minimum those stated in Annex III
of the Directive. The Manual should also state the data and documents to be collected
for natural persons, legal persons, trusts and foundations. If the firm is using a
standardized KYC form, it should be included in the Manual as an Annex. This section
should also provide for the procedures to be followed for determining the ownership
and control structure of the client, the purpose and nature of the business relationship
and the measures and steps to be taken to determine the economic profile of the client.

The Manual should also cover the supporting documentation that must be collected in
order to corroborate the SoF/SoW of the client. A list of supporting documents is
provided in Appendix II of the AML Guidance on establishing SOF/SOW.

The Manual should also mention when (timing) the KYC/CDD measures and
procedures should be performed.

Provisions regarding verification of the information collected should be included.

The Manual should also contain provisions regarding on-going monitoring procedures
and update of records. Examples of on-going monitoring include scrutinizing of
transactions and business activities for ML/TF risks, reviewing client behavior for
changes/ deviations in the expected level of activity, reviewing the documents and
information collected to ensure they are up-to-date, examining transactions and
identifying transactions with increased risk level or without apparent economic or
lawful purpose. The method of on-going monitoring, timing of update of records, type
of records to be updated, regular/ periodic updates and change-trigger events should
be part of this section.

11. Third party reliance

The Manual should clearly state whether third party reliance is permitted by the firm.

The criteria for reliance as stated in the Law and the Directive should be included. The
Manual should expressly state that reliance on a third party is only permitted at the
outset of the business relationship and not as part of the ongoing monitoring. It should
also highlight that the firm bears the ultimate liability where the third party fails to
perform KYC or performs it inadequately. In the case where third-party reliance
is permitted, the procedures to be followed for assessing the third party prior to relying
on it should be listed, along with the documents that should be provided. Criteria to be
satisfied prior to relying on a third party are summarized under article 67 of the
AML/CFT Law and section 5.9 of the Directive. The Manual should provide for the
need to maintain a separate file for each third party documenting the assessment
procedures.

The Manual should expressly state that reliance on third parties established in high
risk third countries is strictly prohibited as per the provisions of the Law.

Any other prohibitions relating to third party reliance imposed by the firm should also
be included, e.g., foreign providers, or specific situations where reliance is
prohibited, e.g., PEPs, non-face-to-face clients.

The Manual may also make provisions regarding reliance at a group level as per the
provisions of the Law and the Directive.

12. Record keeping

The Manual should reflect the record retention policy of the firm. It should include
the retention period, with reference to the 5 year period mandated by the Law, as well
as provisions for additional retention in accordance with the relevant provisions of the
Law, the documents to be kept, the format of records and the language of records. The
Manual should also make provisions regarding the retention of transaction records,
records kept for counter parties to transactions, information on third parties that the firm
relies upon and documents and information on internal and external STRs/SARs.

13. Training

The Manual should include the policy adopted by the firm regarding training and
awareness-raising activities. This section should include information relating to the
training of the C.O. (reference should be made to the minimum requirement of 40 CPD
units imposed by ICPAC’s Members Handbook), the training of the different
types and levels of employees of the firm and the training of the BoD and Senior
Management.

14. Reporting obligations

The Manual should clearly mention the procedures to be followed when a reporting
obligation arises. The Manual should provide for internal reporting procedures and
external reporting procedures. Information on the way and the format of reporting
should be provided.

The Manual should specify the reporting channels, i.e., directly to the Compliance
Officer, and the evaluation, recording and retention of the information as part of the
internal reporting procedures.

More specifically, the Manual should include provisions regarding record keeping of
internal SARs and STRs. The information to be retained should also be stated,
including details of:

• All internal SARs / STRs made;
• The manner in which the suspicion was investigated, including any requests
for further information;
• Assessments of the information provided, along with any subsequent decisions
about whether or not to await developments or seek additional information;
• The rationale for deciding whether or not to proceed with an external
SAR/STR;
• Any advice given to personnel about continuing the business relationship and
any relevant internal approvals granted in this respect

The Manual should state that external reporting is only made by the CO through the
‘goAML system’.

Finally, provisions relating to tipping-off must be incorporated in the Manual,
clarifying the prohibition as well as the cases where disclosure is not prevented
according to the provisions of article 49 of the Law.

For details regarding reporting obligations, refer to ICPAC’s Guidance on Suspicious
Transactions/ Activities.

Useful links

Basel AML Index

https://www.baselgovernance.org/basel-aml-index

Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the
Financing of Terrorism (MONEYVAL Committee)

https://www.coe.int/en/web/moneyval

Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May
2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial
system for the purposes of money laundering or terrorist financing, and amending
Directives 2009/138/EC and 2013/36/EU

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32018L0843

Directive to the members of ICPAC on Anti-Money Laundering and Combating
Terrorist Financing Activities

https://www.icpac.org.cy/selk/common/PreviewDocument.ashx?itemId=2271&refItemId=T470DOCUMENTS&refTableId=470&language=EL

EU sanction list

https://data.europa.eu/euodp/en/data/dataset/consolidated-list-of-persons-groups-and-entities-subject-to-eu-financial-sanctions

EU sanctions map

https://sanctionsmap.eu/#/main

European Commission

https://ec.europa.eu/info/law_en

Financial Action Task Force (FATF) publications

http://www.fatf-gafi.org/publications/?hf=10&b=0&s=desc(fatf_releasedate)

ICPAC specialized technical material/ guides

https://www.icpac.org.cy/selk/userforms/member/antimoneylaundering.aspx

International Monetary Fund (IMF)

https://www.imf.org/external/index.htm

National Risk Assessment of Money Laundering and Terrorist Financing Risks,
Cyprus

http://mof.gov.cy/en/press-office/announcements/national-risk-assessment-of-money-laundering-and-terrorist-financing-risks-cyprus

OFAC sanctions list

https://sanctionssearch.ofac.treas.gov/

Supranational Risk Assessment Report

https://ec.europa.eu/info/sites/info/files/supranational_risk_assessment_of_the_money_laundering_and_terrorist_financing_risks_affecting_the_union.pdf

The Prevention and Suppression of Money Laundering and Terrorist Financing Law
of 2007

http://www.cylaw.org/nomoi/enop/non-ind/2007_1_188/index.html

UN sanctions List

https://www.un.org/securitycouncil/content/un-sc-consolidated-list

United Nations

https://www.un.org/en/sections/general/documents/
