
Wave Money

Risk & Compliance Training


October 2021
Contents

1. Objectives
2. Risk and types of Risk
3. Risk Management Approach
a. Risk Management Cycle
b. Risk Governance
c. Three lines of defence
4. Risk Management Tools
5. Operational risk, internal controls, and fraud
6. Anti-Money Laundering/Combating the Financing of Terrorism
(AML/CFT) and Know Your Customer (KYC)
Objectives

To understand:
• The risks that Wave Money faces and how they are managed.
• The risk management cycle for assessing and treating risks.
• The importance of internal controls in risk management.
• What fraud is, and what the fraud indicators and red flags are.
• Know Your Customer (KYC), and Anti-money laundering/Combating the
financing of terrorism (AML/CFT) and Wave Money’s responsibilities
regarding them.
• Your individual responsibilities when it comes to risk management,
internal controls and fraud.
Risk and Compliance Test

You will be tested on the content of this training. The purpose of this is to
make sure that you understood the concepts and can apply them to your
work. It is NOT a test of your performance.

• The online test will consist of 20 questions
• A score of 14/20 (70%) is needed to pass
• Individual follow-up sessions will be arranged for those who do not pass
You are expected to uphold the code of conduct and personal ethics,
using the test to honestly represent your own knowledge and
understanding of the information.
Risk and types of Risk
What is Risk and Risk Management?

ISO 31000 states:


Risk is the effect of uncertainty on objectives
• An effect is a deviation from the expected—positive or negative
• Uncertainty is the lack of information, understanding or knowledge of an event,
its consequence, or likelihood
• Objectives are what we want to achieve. Objectives can be at different levels
(organization-wide, department, project, product) and/or have different aspects
(financial, social impact, etc.)

Risk management is a process of thinking systematically about all possible
effects (deviations from the expected) before they happen and setting up
procedures that will avoid them, if possible, and minimize or cope with
their impact if they cannot be avoided.
Types of risk faced by Wave Money

Wave faces many risks, as identified in the diagram. Those risks are often related—the
two main interconnected risks are:
Political Risk is the possibility that political decisions, events,
or conditions, will significantly affect the profitability of a
business or the expected value of a given economic action.
Political risks are beyond the control of the organizations and
customers affected by them but can have a serious impact
on the business. All company activities and risks are affected
by political risk, which is why it is represented by the circle in
the diagram.
Reputational Risk refers to the risk of losses from damage to
the image of a provider, partner, or stakeholder, leading to a
reduction of trust from clients, agents, the regulator, etc.
Reputational risk is not a direct risk but is a result of other
risk-related problems and the consequences can be severe
and long lasting.

Source: Digital Financial Services and Risk Management Handbook, ISBN Number: 978-0-620-71506-5
Types of risk faced by Wave Money
Strategic Risk is defined as the actual losses that result from an unsuccessful
business plan or the potential losses resulting from missed opportunities.
Examples of this are ineffective products, failure to respond to changes in the
business environment, or inadequate resource allocation.
Partnership Risk is the potential that a partner will fail to deliver on their
obligations to the company resulting in losses and business disruptions. Partners
can include distributors, master agents, vendors, technology providers, etc., and
can also be a source of reputational risk.
Regulatory Risk refers to the risks associated with complying or not complying
with regulatory guidelines and rules. For mobile financial services these include
anti-money laundering/combating financing of terrorism, Know Your Customer, data
privacy, account and transaction limits, trust accounts, and regulations regarding
the use of agents.
Agent Management Risk refers to risks associated with the use of agents to act on
behalf of the company. The management and supervision of agents is imperative to
a well-functioning service that protects customers. The use of agents can trigger
operational, technological, legal, reputational, and fraud risk.
Financial Risk refers to the risks associated with
managing the finances of the company. These risks
include liquidity, foreign exchange, counterparty
(concentration) risk as well as credit and interest rate
risk.
Types of risk faced by Wave Money
Operational Risk is inherent in any business and refers to risks
associated with products, business practices, damage to
physical assets, as well as the execution, delivery and process
management of the service. In shorthand, operational risk is
often referred to as risk related to people, processes, and
systems. Operational risks are often managed through internal
controls.
Technology Risk refers to technology failure that leads to the
inability to transact. It is closely linked to operational risk.
Technology risk may be triggered by failure of software,
hardware, or connectivity; transaction delays and replays; loss
of data; and cyber attacks.
Fraud Risk refers to the risk associated with the intentional,
false representation, or concealment of a material fact for the
purpose of inducing another to act upon it, resulting in damage
or loss. Fraud risk is multi-faceted and relates to several other
risks. Operational and technology risk can cause fraud risk, and
fraud can lead to financial risk. Fraud is also a significant
driver of reputational risk.
Risk Management Approach
Risk Management

As presented earlier, Risk management is a process of thinking systematically about all possible effects
(deviations from the expected) before they happen and setting up procedures that will avoid them, if
possible, and minimize or cope with their impact if they cannot be avoided.

Good risk management:


• creates and protects value.
• is an integral part of all organizational processes.
• is part of decision making.
• explicitly addresses uncertainty.
• is systematic, structured and timely.
• is based on the best available information.
• is tailored.
• takes human and cultural factors into account.
• is transparent and inclusive.
• is dynamic, iterative and responsive to change.
• facilitates continual improvement of the organization.
Risk Management Framework

Wave Money’s approach to managing risks mirrors the ISO 31000 risk management framework.

[Diagram: Establish the context; Risk assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; with Communication and Consultation and Monitoring and Review running alongside every step. Source: ISO 31000]

Core principles
• Risk management is a continuous and iterative process (the arrows show the
continuous flow)
• Communication and monitoring need to take place throughout the process
for it to be effective (the two blue boxes)
• All staff involved in and responsible for risk management (3 lines of
defence concept discussed later)
Risk Management Framework
Overview of Steps
• Establish the context includes the external, internal and risk management context and classification of risk criteria.
External context involves familiarization with the environment in which the organization and the system operates
including cultural, political, legal, regulatory, financial, economic and competitive environment factors. Internal
context involves understanding capabilities of the organization in terms of resources and knowledge, information
flows and decision-making processes, internal stakeholders, objectives and the strategies that are in place to
achieve them, perceptions, values and culture, policies and processes.
• Risk Assessment is the overall process of risk identification, risk analysis and risk evaluation. Risk assessment
provides an understanding of risks, their causes, consequences and their probabilities. The output of risk
assessment is an input to the decision-making processes of the organization.
• Risk Treatment - Having completed a risk assessment, risk treatment involves selecting and agreeing to one or
more relevant options for changing the probability of occurrence, the effect of risks, or both, and implementing
these options.
• Communication and consultation - Successful risk assessment is dependent on effective communication and
consultation with stakeholders. Involving stakeholders in the risk management process will assist in developing a
communication plan, defining the context appropriately, ensuring that the interests of stakeholders are
understood and considered, bringing together different areas of expertise for identifying and analysing risk,
ensuring that different views are appropriately considered in evaluating risks, ensuring that risks are adequately
identified, securing endorsement and support for a treatment plan.
• Monitoring and Review - Risks and controls should be monitored and reviewed on a regular basis to verify that
assumptions about risks remain valid; assumptions on which the risk assessment is based, including the external
and internal context, remain valid; expected results are being achieved; results of risk assessment are in line with
actual experience; risk assessment techniques are being properly applied;
risk treatments are effective.
Governance Structure of Risk Management

[Diagram: Governance level: Board of Directors; Board Audit & Risk Committee. Performance level: Leadership Team, Risk Management Committee; Operational units; Risk & Compliance; Internal Audit. Also shown: External Audit & Regulators.]

2 Apr 2024 Restricted


Governance Structure of Risk Management
Split vertically into two aspects of
risk management:
Governance and Performance

Risk Management Governance


• Sets the “Tone at the Top”
• Sets company strategy and
objectives, risk appetite and
ultimate level of responsibility

Risk Management Performance


• Executes risk activities according to
the strategies and objectives
determined by governance level
• Establishes the lines of defense
approach.

Split horizontally into the Three lines of Defence: 1st Line, 2nd Line, 3rd Line
(see separate slide)


Governance Structure of Risk Management
Risk Committees
Audit & Risk Committee (ARC)
• Main risk forum for the Board of Directors with quarterly meetings in advance of the Board of Directors meeting
• The key governance body for risk management
• Membership consists of two directors from the board and management participates in the meetings
• Standard and Ad Hoc agenda items to ensure coverage of key Risk topics
• The ARC
o Provides oversight to the internal audit function to ensure it remains independent of management
o Conducts detailed review and discussion of WM risks and risk activities
o Reports on significant risk items to the BOD
o Recommends BOD approval of policies and other risk decisions

Risk Management Committee (RMC)
• Main risk forum for management with monthly meetings
• The key operational decision and approval forum for WM to manage its risks
• Membership consists of leadership team with other staff involved based on relevance of Standard and Ad Hoc agenda items to ensure coverage of key Risk topics
• The RMC has the authority to
o Approve treatment plans for risks rated as High or Extreme
o Accept and approve monitoring plans for risks rated as High or Extreme for which treatment is not practical
o Approve new risk policies and changes to existing policies
o Undertake and approve risk-based decisions within WM’s Risk Appetite
o Escalate risks and issues to the Audit and Risk Committee of the Board.
Governance Structure of Risk Management
Wave Money employs the three lines of defence model for Risk Management and Internal Control

1. The first line of defence (functions that own and manage risks)
This is formed by managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they
should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk control. This requires an understanding
of the company, its objectives, the environment in which it operates, and the risks it faces.

2. The second line of defence (functions that oversee or who specialise in compliance or the management of risk)
This provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line, conducts monitoring to judge how
effectively they are doing it, and helps ensure consistency of definitions and measurement of risk.

3. The third line of defence (functions that provide independent assurance)
This is provided by internal audit. Sitting outside the risk management processes of the first two lines of defence, its main roles are to ensure that the first two lines
are operating effectively and advise how they could be improved. Tasked by, and reporting to the board / audit committee, it provides an evaluation, through a
risk-based approach, on the effectiveness of governance, risk management, and internal control to the organisation’s governing body and senior management. It can also
give assurance to sector regulators and external auditors that appropriate controls and processes are in place and are operating effectively.

Benefits of the model

• Improved coverage of risks and controls by identifying and refining where necessary the population of risks and controls, and appropriately allocating the ownership
and performance of these risks and controls across the lines of defence. Consequently, any unintended risks and gaps in controls may be avoided, and unnecessary
duplication of work should be avoided by removing layers of redundant controls;
• Improved control culture across the organisation by enhancing the understanding of risks and controls. For example, potential conflicts of interest or incompatible
responsibilities may be more readily identified and challenged with those risks then either removed or mitigated; and
• Improved reporting to the Board and executive management through a coordinated approach to providing timely and insightful reporting avoiding potentially
duplicative and irrelevant information.
Your Responsibility NEEDS TO BE DEVELOPED
Everybody within Wave Money has a responsibility to manage Risk.
How can you do this?
• Following procedures. This is the best defense!
• Incident Reporting: Tell the risk department immediately if you ever encounter risk issues or suspicious events.
• Be alert: Look for “red flags” that might indicate fraud or problems.
• Completing required internal checks
• Collaborate with Risk to fix problems
• Complete required Risk training
What Can I Do?
• Make sure you participate in any risk management activities, and critically assess the things you are doing to see if there are any risks you
should be worried about.
To Whom Should I Report?
• Your immediate line Manager and / or Risk & Compliance team
How to Report
• In person, through email or phone:
o david.paulson@wavemoney.com.mm (09791009187); neil.waller@wavemoney.com.mm (09765418536); myatmyat.su@wavemoney.com.mm (09765418660);
hanhtun.oo@wavemoney.com.mm (09765418510)

When to Report
• Immediately… There is no need to wait until “all facts are in” before making a report.
Risk Management Tools
Risk Management Tools
To support the Risk Management process, Wave Money has adopted several risk
management tools which are implemented by the Risk & Compliance function and across
the company. The table below identifies some of the main tools that are being used.

Tool | Process Step
Risk register | All steps
Key Risk Indicators | Monitoring; Communications
Risk Heatmap | Monitoring; Communications
Risk Appetite Statement | Establishing the context; Communication
Risk Committees | Monitoring; Communications
Business Continuity Planning | Risk Treatment; Communications

As the risk register supports all process steps, this training will cover the basics of the risk
register process which will also give insight and guidance on the risk assessment process of
identification, analysis, and evaluation.
Risk Identification

The purpose of risk identification is to identify what might happen or what situations might exist that
might affect the achievement of the objectives of the company. Once a risk is identified, we should identify
any existing controls such as design features, people, processes and systems. The risk identification
process includes identifying the causes and source of the risk, events, situations or circumstances which
could have a material impact upon objectives and the nature of that impact.
Common approaches to risk identification are assessing issues that have already occurred and
brainstorming. Brainstorming can be started with two questions:

What could go wrong?

What keeps you awake at night?


Risk Analysis
Once risks have been identified, including any
existing controls, each risk can be analysed and
rated.
Inherent risk: the vulnerability that exists
before treating the risk.
• Ex: Risk of head injury from motorcycle
crash
Residual risk: the vulnerability that remains
after a risk response is put into place.
• Ex: Risk of head injury from motorcycle
crash if wearing head protection. The
quality of the treatment matters. The risk is
reduced if wearing a helmet vs. wearing a
bucket (!)

The WM risk register focuses on residual risk


Risk Analysis - Rating Risks

We use Probability (or likelihood) and Impact to determine the risk rating:
• Probability addresses how likely the risk event or condition is to
occur
• Impact details the extent of what would happen if the risk actually
happened
Therefore, the risk rating is Probability x Impact

Lowest risk: the chance of the risk happening is low AND the
impact if it does happen is low.
Medium Risk: the chance of the risk happening is low BUT the
impact if it does happen is high; or
the chance of the risk happening is high BUT the
impact if it does happen is low.
High Risk: the chance of the risk happening is high AND the
impact if it does happen is high.
Risk Analysis - Rating Risks

Assessing Probability and Impact as either high or low is not very useful,
especially when we want to compare many different risks.
To solve this, we use scores for the assessment. For consistency and
comparability across risks there are standard measures in place.
Score | Likelihood | Probability of occurrence within one year with a material frequency | Probability %
1 | unlikely | Risk is unlikely to materialize or will materialize with low frequency | 0-25%
2 | possible | Risk could materialize at some point or will materialize with a moderate frequency | 25-50%
3 | likely | Risk is likely to materialize at some point or will materialize with a high frequency | 50-75%
4 | almost certain | Risk is highly likely to materialize at some point or will materialize with a very high frequency | 75-100%
Risk Analysis - Rating Risks

Scores and measures for impact assessment


Impact categories
• Legal / regulatory: Regulatory or legal breach that could lead to disciplinary action, fines, or cessation of service.
• Reputation: Damage to the image of WM, or a specific mobile money product.
• Financial: Financial loss for WM, per year. [The % gives a value of financial loss in comparison to the value of the trust account]
• Operational: Loss or reduction of operational service, or increased effort, because of issues with processes, people, systems or external events.
• Customer Impact: Prolonged outages, loss of funds, extensive time spent to resolve issues with customer support.

Score 1 (Minor)
• Legal / regulatory: Significant breach of internal policy, but not leading to action by regulator.
• Reputation: Moderate regional reputational impact.
• Financial: Less than USD20,000; Less than 0.1% of trust account
• Operational: Frequent unplanned outages but within SLA.
• Customer Impact: Small number of customers suffer prolonged outage or loss of funds.

Score 2 (Moderate)
• Legal / regulatory: Incident leading to disciplinary action by regulator or minor legal action
• Reputation: Moderate national reputational impact.
• Financial: USD20,000 to USD200,000; Between 0.1% and 1% of trust account
• Operational: Occasional SLA breaches.
• Customer Impact: Systemic impact to a large number of customers; or a major impact to a smaller number of customers

Score 3 (Major)
• Legal / regulatory: Incident leading to significant fine by regulator or serious legal action
• Reputation: Significant national reputational impact.
• Financial: USD200,000 to USD1,000,000; Between 1% and 5% of trust account
• Operational: Occasional major breach of SLA, with significant downtime.
• Customer Impact: Large number of customers affected, including prolonged outages or loss of funds.

Score 4 (Severe)
• Legal / regulatory: Forced cessation of service due to regulatory breach or serious legal action
• Reputation: Major, long-lasting national reputational damage
• Financial: More than USD1,000,000 or equivalent; More than 5% of trust account
• Operational: Frequent major breach of SLA with significant downtime.
• Customer Impact: Majority of customers affected by event, including prolonged outages or loss of funds
Risk Analysis - Rating Risks

Calculating the Risk Rating using likelihood and impact allows us to plot the
ratings on a matrix and compare the exposure to different risks.

[Risk matrix: Impact (Minor, Moderate, Major, Severe) on the vertical axis against Likelihood (1 Unlikely, 2 Possible, 3 Likely, 4 Almost Certain) on the horizontal axis, with cells rated Low, Medium or High.]
Risk Evaluation

Risk evaluation involves reviewing estimated levels of risk (risk ratings) to determine the significance of the
level and type of risk.
Risk evaluation uses the understanding of risk obtained during risk analysis to make decisions about future
actions. Ethical, legal, financial and other considerations, including perceptions of risk, are also inputs to
the decision.
Decisions may include:
• whether a risk needs treatment;
• priorities for treatment;
• whether an activity should be undertaken;
• which of a number of paths should be followed.
Risk Evaluation

Probability and Impact can help us evaluate risk. The simple high-low
matrix can help us understand if treatment is needed and which type of
treatment:
• Transfer – Shift the negative impact of a threat, along with the
ownership, to a third party.
o Insurance is a good example of transferring a risk, e.g. the impact of a fire
destroying the building would be high, but insurance would reduce the impact
because a third party (the insurance company) would be responsible for
paying for the damage.
• Control – Reducing the Probability or Impact of a threat through control
activities.
o Preventive controls reduce likelihood as they prevent the risk from happening
o Detective controls can reduce impact as the undesired event is identified
quickly, reducing damage (impact)
• Avoid – Change the activity to eliminate the threat.
o In some cases, additional controls may reduce the impact
o Some high risks are part of the business and in those cases management and
the BOD need to accept the high risk
• Accept – No change to process to deal with the risk.
o Passive acceptance: no action, deal with threats as they occur
o Active acceptance: establish a contingency reserve to handle threats (time or
funds)
Risk Treatment

Once the risk assessment is complete, a treatment plan is developed to
reduce the threat for those risks that remain too high.
The Risk Treatment should be:
• Proactive, not reactive
• Appropriate to significance of the risk
• Cost effective
• Timely
• Realistic
• Owned by a responsible person

Operational risk, internal controls, and fraud
Operational Risk and Internal Controls
As discussed in the types of risk section above, Operational Risk is referred to
as risk related to people, processes, and systems, as well as external events, and
is often managed through internal controls.
Therefore, operational risk touches each staff member so it is important that
everyone understands operational risk and the main treatment for these risks:
internal control.
Definition of Internal Control
Internal control is a process, implemented by an entity’s board of directors, management and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives
related to:
• protecting its resources against waste, fraud, and inefficiency;
• ensuring accuracy and reliability in operating, business, financial, and accounting data;
• securing compliance with the policies of the organization and the rules and regulations of the
environments in which it operates; and
• evaluating the level of performance in all organizational units of the organization.
Types of Controls
Preventive controls are intended to reduce the likelihood of an undesired
event (a risk) happening in the future.
Detective controls are designed to uncover an undesired event that has
already occurred.
Corrective controls assist in the investigation and correction of causes of
undesired events that have been detected.
Directive Controls are policies, procedures and other instructions put in place
by management that support controls at all stages.
Common Controls by Type

Preventive Controls
• Checklists
• Approvals, Authorizations and limits
• Security of Assets and Documents
• Segregation of Duties
• User Access Control

Detective Controls
• Verifications
• Reconciliations
• Alerts
• Physical Inventory Counts
• Control and Compliance Checks
• Budget to Actual Variance Reports

Corrective Controls
• Back-up and recovery
• Documentation (audit trail)

Directive Controls
• Code of Conduct
• Employee Policies
• Raising Integrity Concerns
Fraud Risk

What is fraud?
Fraud is the intentional, false representation, or concealment of a material fact for the purpose of inducing another to act upon it, resulting
in damage or loss to the victim and a personal unfair or unlawful gain, either direct or indirect, for the fraudster.
Simply put, fraud is deceiving someone to the benefit of another.

Who can commit fraud?


Fraud can be committed by almost anyone: staff, customers, agents, vendors, members of the general public. Who commits it is not a key
aspect—the intention and unfair benefit are the keys. Anyone can intentionally deceive for an unlawful gain.
Actions Constituting Fraud
• Manipulation, falsification, alteration of records or documents belonging to WM, a shareholder or customer, staff member, supplier,
vendor, agent, etc;
• Forgery or alteration of cheques or other financial documents;
• Misappropriation of funds, supplies or other assets;
• Impropriety in the handling or reporting of money or financial transactions;
• Profiteering as a result of insider knowledge of sensitive and privileged information;
• Disclosing to unauthorised persons the sensitive and privileged information engaged in or contemplated by WM;
• Accepting or seeking anything of material value from customers and person(s) providing services/materials to the company in return for
giving favourable treatment to such parties;
• Unauthorised destruction or suppression of documents, records, furniture, fixtures and equipment;
• Cheating, falsifying documents for gainful usage of oneself or for others outside WM;
Fraud

What type of Fraud does Wave Money face?


Fraud is an operational risk as it can involve people, processes, systems and external events, but it can also be part of technology
risk, financial risk, and reputational risk. As a reputation risk, WM needs to not only fight fraud against the company, but also
against our customers and our distribution network.

Fraud against Wave Money
• Agent or customer raising false dispute claim for reimbursement
• Vendor bid-rigging or billing the company for goods or services not provided.
• Staff submitting false receipts
• Agents and other partners gaming commissions and incentives.
• Security breaches
• Candidates providing false employment history to get hired
• Theft of intellectual property
• Hacking
• Theft of proprietary information

Fraud against Customers
• Identity theft from customers by agents or nearby third-party person
• Social engineering by impersonation of WM or WM staff
• Unauthorized access of agent’s transaction tools
• Phishing, SMS spoofing, fake SMS
• Cheating through online shopping
• False transactions - make customers believe a transaction was successful
• Unauthorised withdrawal - use of customer's transaction code
• Imposition of unauthorised customer charges/surcharging
• Split transactions for higher fees

Fraud against WM partners
• Counterfeit currency given by customer
• Customer refusing to pay for completed transaction
• Unauthorized access of agent’s transaction tools
• Fraud on agent app
• Social engineering by impersonation of WM or WM staff
• Phishing, SMS spoofing, fake SMS
• Staff taking bribe from a partner in the name of WM
Fraud Management
The main components of an effective anti-fraud strategy are Prevention, Detection, and Response. These
components are all closely interlinked and together create effective fraud Deterrence.
[Diagram: Fraud Prevention, Fraud Detection and Fraud Response together produce Fraud Deterrence.]

Prevention
Effective fraud prevention focuses on decreasing motive, restricting
opportunity and limiting the ability for potential fraudsters to
rationalise their actions.
Prevention initiatives include:
• Developing an ethical Culture
• Periodic assessment of fraud risk
• Fraud risk training and awareness
• Reporting mechanisms and whistleblowing
• Sound internal control systems
• Pre-employment screening

Detection
Fraud cannot be prevented 100% so it is important to have systems
and processes in place to detect occurrences of fraud in a timely
manner. In addition to controls and oversight, fraud can be
detected by paying attention to fraud indicators such as:
• Warning signs are organisational indicators such as cultural
issues, management issues, employee issues, process issues
and transaction issues which are opportunities for fraud risk.
• Fraud alerts and red flags are specific events which may be
indicative of fraud and which warrant follow-up. All staff
should be aware of fraud red flags and properly report any
suspicions immediately.

Response
A consistent and comprehensive response to suspected and
detected incidents of fraud is also important. This sends a message
that fraud is taken seriously and that action will be taken against
perpetrators.
Reasonable steps for fraud response include:
• clear reporting mechanisms
• a thorough investigation
• disciplining of the individuals responsible (internal, civil and/or criminal)
• recovery of stolen funds or property
• modification of the anti-fraud strategy to prevent similar behavior in
the future.

Deterrence
As shown in the diagram, when all three of the main components
work together, there is effective risk deterrence. Using the same
terms as risk analysis, Prevention is related to likelihood of fraud
occurring: the stronger the prevention measures, the less likely it is
to occur. Detection is related to impact: the faster and better that
fraud is detected the lower the impact of the fraud. A strong
response that is well-communicated can impact both likelihood and
impact: if it is known that the company takes fraud seriously and
there are real consequences, some fraudsters may be deterred.
Likewise, a response that includes the recovery of lost funds and
property can reduce the impact of the fraud.
Preventing Fraud

There are some simple steps you can take to ensure that fraud is
prevented through your normal work activities:
• Understand and validate what you authorize, sign, or approve
o Ensure you fully understand the basis and the implications of the request
• Don’t take short cuts: know and follow policy and procedures
• Make informed decisions – never assume
• Listen to your first instincts (gut feelings) and don’t be afraid to ask
clarifying questions
Refer any suspicion to your Line Manager. If your suspicion
involves your Line Manager, refer to Risk & Compliance.
• It is not your responsibility to investigate or have proof, but the concern
needs to be raised in good faith.
Detecting Fraud – Red Flags
Red Flags are indicators that fraud may be occurring. The red flags can be behavioral or relate to work anomalies.
Red Flags do not mean that fraud is occurring, but they do indicate an unusual situation that needs further review.
All staff should be aware of red flags and bring any concerns they have to their line manager or to Risk & Compliance.
Behavioral Red Flags
The Association of Certified Fraud Examiners (ACFE) 2020 Global Study
on Occupational Fraud and Abuse reported that 85% of people
committing fraud display at least one of the following behavioral red
flags:
• Living beyond one's means
• Financial difficulties
• Unusually close association with a vendor or customer
• Excessive control issues or unwillingness to share duties
• Unusual irritability, suspiciousness, or defensiveness
• A general “wheeler-dealer” attitude involving shrewd or
unscrupulous behavior
• Recent divorce or family problems

Work Anomalies
• Alteration of documents and records.
• Extensive use of correction fluid and unusual erasures.
• Photocopies of documents in place of originals.
• Rubber Stamp signatures instead of originals.
• Signature or handwriting discrepancies.
• Missing approvals or authorisation signatures.
• Transactions initiated without the appropriate authority.
• Unexplained fluctuations in account balances.
• Inventory variances and turnover rates.
• Inventory adjustments.
• Subsidiary ledgers, which do not reconcile with control accounts.
• Extensive use of ‘suspense’ accounts.
• Inappropriate or unusual journal entries.
• Confirmation letters not returned.
• Supplies purchased in excess of need.
• Higher than average number of failed login attempts.
• Systems being accessed outside of normal work hours or from outside the
normal work area.
• Controls or audit logs being switched off.
Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) and
Know Your Customer (KYC)
Anti-Money Laundering (AML)

What is Money Laundering (ML)?


Money Laundering is the process by which illegal
funds and assets are converted into legitimate funds
and assets.
What is the source of funds used in money
laundering?
Funds and assets used in money laundering are the
proceeds from crime. Some of the most common
crimes leading to money laundering are:
• Corruption and bribery
• Financial and Identity fraud/theft
• Drug trafficking
• Weapons trafficking
• Prostitution rings
• Human smuggling
• Wildlife crime
• Counterfeiting and forgery
Anti-Money Laundering (AML)

How is money laundered?


Combatting Financing of Terrorism (CFT)

What is Financing of Terrorism (FT)?


Terrorist financing is the means and methods used by
terrorist organizations to finance their activities whether
from legitimate sources (from profits from businesses and
charitable organizations) or from illegal activities such as
trafficking in weapons, drugs or people.
How does Financing of Terrorism differ from Money
Laundering?
A significant difference between the two is that AML is
focused on the source of the funds and assets whereas CFT
is focused on the use of funds and assets. Since terrorists
are often funded from criminal activities, FT and ML are
often linked.
Anti-Money Laundering/Combatting the Financing of Terrorism

Why does AML/CFT matter to Wave?


Among the reasons why Wave is concerned with money laundering are:
• Ethical: We don’t want to support criminal activity
• Professional: Allowing our platform to be used for recycling the proceeds of crime could create
reputation risk affecting our ability to attain our objectives.
• Legal: Central Bank of Myanmar (CBM) regulations impose a series of specific obligations on financial
institutions and their employees and non-compliance could lead to CBM sanctions up to license
suspension or revocation.
What do the regulations require from Wave?
• Wave Money has regulatory obligations under the Anti Money Laundering Law (AML regulation/01/03-2016)
(2016, March 30) and Customer Due Diligence Directive XXXXXX
• Perform adequate due diligence on customers – Know your Customer (KYC)
• Monitor transactions and customer behaviour to identify and report any suspicious activity, i.e. activity that has no
genuine economic, commercial or lawful purpose and/or relates to illegal or illicit activities, corruption or corrupt
practices and narcotic activities.
• Take action against customers/accounts which are identified by CBM or Financial Intelligence Unit (FIU) which is
the government body tasked with addressing financial crimes including AML/CFT. DMM is obligated to take
immediate notice, investigate and report to CBM all unusual transactions in an account which apparently
Know Your Customer (KYC)
What is KYC?
KYC is the set of procedures to identify a customer, including the collection of official
identification and other details as well as screening against blacklists. For businesses and other
organisations, this includes additional steps including verification of registration credentials,
location, and the UBOs (Ultimate Beneficial Owners) of that business. KYC also includes the ongoing
monitoring of activities by customers.
What is the purpose of KYC?
• Customers may try to use our services to launder illegal money or to finance terrorism.
• Knowing who our customers are and being aware of the way they operate their accounts can help us to recognize any unusual
transactions or activities that may be a red flag to money laundering and terrorism financing.
• Wave Money takes a risk-based approach to AML/CFT and KYC in line with international standards. We use account and
transaction limits and analysis tools to try to identify and prevent money laundering and terrorist financing.
Principal objectives of KYC
• To ensure that we accept only legitimate and bona fide customers.
• To ensure we properly identify our customers and fully understand the risk they may pose to Wave Money.
• To ensure we can provide proper care to our customers, without violating their privacy.
• To monitor customer accounts and transactions to prevent or detect illegal activities.
• To implement processes to effectively manage the risks posed by any attempt to misuse our services.
• To ensure we do not deal with customers who are subject to sanctions.
