26

SEC Memorandum Circular No. ______

Series of 2020

TO : ALL SEC COVERED PERSONS

SUBJECT : GUIDELINES IN THE IMPLEMENTATION OF A RISK-BASED

APPROACH TO ANTI-MONEY LAUNDERING/COMBATING THE
FINANCING OF TERRORISM (AML/CFT) AND ADOPTION AND
DEVELOPMENT OF A RISK RATING SYSTEM FOR SEC COVERED
PERSONS

WHEREAS, the Commission is the government agency having jurisdiction and

supervision over all corporations, partnerships or associations who are the grantees of
primary franchises and/or licenses or permits issued by the Government;

WHEREAS, as Supervising Authority, it is mandated to assist the Anti-Money

Laundering Council (AMLC) in supervising the implementation of the Anti-Money
Laundering Act, as amended (AMLA), and the Terrorist Financing Prevention and
Suppression Act (TFPSA), and their respective Implementing Rules and Regulations
(IRRs), and other AMLC issuances;

WHEREAS, in order to be able to focus supervisory resources where the risks

are higher, there is a need to identify, assess, and understand the money
laundering/terrorist financing (ML/TF) risks to which the sectors of covered persons
supervised by the Commission are exposed;

WHEREAS, a risk-based approach to Anti-Money Laundering/Combating the

Financing of Terrorism (AML/CFT) would ensure that the appropriate measures
commensurate to those risks are taken in order to mitigate them effectively;

WHEREAS, complementary to a risk-based approach to AML/CFT is the

implementation and development of a risk-focused examination process and rating
system to gauge the sufficiency of a covered person’s AML/CFT framework as against
the risks to which it is exposed;

WHEREAS, Rule 15, Chapter V of the 2018 IRR of the AMLA, likewise requires
covered persons to take appropriate steps to identify, assess, and understand the
ML/TF risks by conducting their own institutional risk assessment and formulating and
implementing their own institutional risk management;

NOW, THEREFORE, the Commission, hereby issues these Guidelines in the

implementation of its Risk-Based Approach to AML/CFT and resolves to adopt an
AML/CFT Risk Rating System (ARRS) to be employed by the Commission in the conduct
of its on-site examinations of covered persons.
Published:
Philippine Star, September 26, 2020
Manila Standard, September 26, 2020
 CHAPTER I
RISK ASSESSMENT AND
MANAGEMENT BY COVERED PERSONS

Section 1. Coverage. This Circular shall apply to all SEC covered persons as
enumerated under Section 3(a) of the AMLA and Section 1.2 of the SEC Memorandum
Circular No. 16, Series of 2018 or the 2018 AML/CFT Guidelines.

Section 2. Institutional Risk Assessment. All SEC covered persons shall conduct an
institutional risk assessment as mandated by the 2018 IRR of the AMLA.

2.1. “Institutional Risk Assessment” refers to a comprehensive exercise to

identify, assess understand a covered person’s ML/TF threats,
vulnerabilities and the consequential risks, with a view to mitigate illicit
flow of funds and transactions.

2.2. The risk assessment should be commensurate to the size, nature and
complexity of the covered person’s business and should enable it to
understand how, and to what extent, it is vulnerable to ML/TF.

2.3. The risk assessment should be properly documented, regularly updated

and communicated to the relevant covered person’s senior management.

2.4. Institutional risk assessment shall be conducted, at least, once every two
(2) years, or as often as the board or senior management, the Commission
or the AMLC may direct, depending on the level of risks found in the
previous institutional risk assessment or other relevant AML/CFT
developments that may impact the operations of the covered persons.

2.5. Covered persons should consider internal feedback within their

organization, including from those who interact with customers,
compliance risk management, and internal audit departments (where
relevant), in performing their periodic risk assessments.

Section 3. Information to be Considered. In conducting their risk assessments,

covered persons should consider quantitative and qualitative information obtained
from relevant internal and external sources to identify, manage and mitigate these risks.
This may include the National Risk Assessment (NRA) published by the AMLC, the
Sectoral Risk Assessment conducted by the Commission, crime statistics, typologies,
risk indicators, red flags, guidance and advisories issued by inter-governmental
organizations, national competent authorities and the Financial Action Task Force
(FATF), and AML/CFT mutual evaluation and follow-up reports by the FATF or
associated assessment bodies.

Section 4. Risk Factors. In identifying and assessing indicators of ML/TF risk to which
they are exposed, covered persons should consider a range of factors including:

a. The nature, diversity and complexity of its business, products and target
markets;

b. The proportion of customers identified as high risk;

2
 c. The jurisdictions in which the covered person is operating or otherwise
exposed to, either through its own activities or the activities of customers,
especially jurisdictions with greater vulnerability due to contextual and
other risk factors such as the prevalence of crime, corruption, or financing
of terrorism, the general level and quality of the jurisdiction’s prosecutorial
and law enforcement efforts related to AML/CFT, the regulatory and
supervisory regime and controls and transparency of beneficial ownership;

d. The distribution channels through which the covered person distributes its
products, including the extent to which the securities provider deals
directly with the customer and the extent to which it relies (or is allowed to
rely) on third parties to conduct customer due diligence (CDD) or other
AML/CFT obligations, the complexity of the transaction chain (e.g. layers of
distribution and sub-distribution, type of distributors such as independent
financial advisors, investment advisors) and the settlement systems used
between operators in the payment chain, the use of technology and the
extent to which intermediation networks are used;

e. The internal and external (such as audits carried out by independent third
parties, where applicable) control functions and regulatory findings; and

f. The expected volume and size of its transactions, considering the usual
activity of the covered person and the profile of its customers.

Section 5. Country/Geographic Risk. Country/area risk, in conjunction with other

risk factors, provides useful information as to potential ML/TF risks. Factors that may
be considered as indicators of higher risk include:

a. Countries/areas identified by credible sources as providing funding or

support for terrorist activities or that have designated terrorist
organizations operating within them;

b. Countries/areas identified by credible sources as having significant levels

of organized crime, corruption, or other criminal activity, including source
or transit countries for illegal drugs, human trafficking and smuggling and
illegal gambling;

c. Countries subject to sanctions, embargoes or similar measures issued by

international organizations such as the United Nations; and

d. Countries/areas identified by credible sources as having weak governance,

law enforcement, and regulatory regimes, including countries identified by
the FATF statements as having weak AML/CFT regimes, and for which
financial institutions should give special attention to business relationships
and transactions.

3
Section 6. Customer/Investor Risk. Covered persons should determine whether a
particular customer/investor poses higher risk and analyze the potential effect of any
mitigating factors on that assessment. Such categorization may be due to a customer’s
occupation, behavior or activity. These factors considered individually may not be an
indication of higher risk in all cases. However, a combination of them may warrant
greater scrutiny. Categories of customers whose business or activities may indicate a
higher risk include:

a. Customer is sanctioned by the relevant national competent authority for

non-compliance with the applicable AML/CFT regime and is not engaging
in remediation to improve its compliance;

b. Customer is a politically exposed person (PEP) or customer’s family

members or close associates are PEPs (including where a beneficial owner
of a customer is a PEP) as covered under Section 2.1.18 of the 2018
AML/CFT Guidelines;

c. Customer resides in or whose primary source of income originates from

high-risk jurisdictions (regardless of whether that income originates from a
cash-intensive business);

d. Customer resides in countries considered to be uncooperative in providing

beneficial ownership information;

e. Customer acts on behalf of a third party and is either unwilling or unable to

provide consistent information and complete documentation thereon;

f. Customer has been mentioned in negative news reports from credible

media, particularly those related to predicate offenses for ML/TF or to
financial crimes;

g. Customer’s transactions indicate a potential connection with criminal

involvement, typologies or red flags provided in reports produced by the
FATF or national competent authorities [e.g. financial intelligence unit
(FIU), law enforcement etc.];

h. Customer is also a covered person, acting as an intermediary or otherwise,

but is either unregulated or regulated in a jurisdiction with weak AML/CFT
oversight;

i. Customer is engaged in, or derives wealth or revenues from, a high-risk

cash-intensive business;

j. The number of suspicious transaction reports (STRs) on certain customers

and their potential concentration on particular client groups;

k. Customer is a legal entity predominantly incorporated in the form of bearer

shares;

4
 l. Customer is a legal entity whose ownership structure is unduly complex as
determined by the covered person or in accordance with any regulations or
guidelines;

m. Customers who have sanction exposure (e.g. have

business/activities/transactions exposed to the risk of sanctions); and

n. Customer has a non-transparent ownership structure.

Section 7. Product/Service/Transaction Risk. An overall risk assessment should

include looking into the potential risks presented by specific products and services
offered by the covered person. Transactions may be conducted on a regulated exchange
or other market or they may be conducted between parties directly. A covered person
should assess, using a risk-based approach, the extent to which the offering of its
products and services presents potential vulnerabilities to placement, layering or
integration of criminal proceeds into the financial system. Determining the risks of
products and services offered to a customer may include a consideration of their
attributes, as well as any associated risk mitigation measures. Products and services
that may indicate a higher risk include:

a. Products or services that may inherently favor anonymity or obscure

information about underlying customer transactions (e.g. bearer share
instruments or the provision of omnibus account services);

b. The geographical reach of the product or service offered, such as those

emanating from higher risk jurisdictions;

c. Products with unusual complexity or structure and with no obvious

economic purpose;

d. Products or services that permit the unrestricted or anonymous transfer of

value (by payment or change of asset ownership) to an unrelated third
party, particularly those residing in a higher risk jurisdiction;

e. Use of new technologies or payment methods not used in the normal

course of business by the covered person;

f. Products that have been particularly subject to fraud and market abuse,
such as low-priced securities;

g. The purchase of securities using physical cash;

h. Offering bank-like products, such as check cashing and automated cash

withdrawal cards;

i. Securities-related products or services funded by payments from or

instructions given by unexpected third parties, particularly from higher risk
jurisdictions;

5
 j. Transactions wherein customers request the transfer of funds to a higher
risk jurisdiction/country/corridor without a reasonable business purpose
provided; and

k. A transaction is requested to be executed, where the securities provider is

made aware that the transaction will be cleared/settled through an
unregulated entity.

Section 8. Distribution Channel Risk. Products and services are typically distributed
to customers directly (including online) or through intermediaries. An overall risk
assessment should include the risks associated with the different types of delivery
channels to facilitate the delivery of securities products and services.

a. Covered persons that distributes products or services directly through

online delivery channels should identify and assess the ML/TF risks that may
arise in relation to distributing its products using this business model. In
addition to the analysis of risks performed in advance of engaging in such an
online business, the risk assessment process for online delivery risk should
be performed when the covered person develops new products and new
business practices;

b. Covered persons should analyze the specific risk factors, which arise from
the use of intermediaries and their services. Covered persons should
understand who the intermediary is and perform a risk assessment on the
intermediary prior to establishing a business relationship. Covered persons
and intermediaries should establish clearly their respective responsibilities
for compliance with applicable regulation. Assessing intermediary risk is
more complex for securities providers with an international presence due to
varying jurisdictional requirements, the potential risk of non-compliance by
intermediaries with the applicable local AML/CFT regulations and the
logistics of intermediary oversight. An intermediary risk analysis should
include the following factors, to the extent that these are relevant to the
securities providers’ business model:

i. Intermediaries suspected of criminal activities, particularly financial

crimes or association with criminal associates;

ii. Intermediaries located in a higher risk country or in a country with a

weak AML/CFT regime;

iii. Intermediaries serving high-risk customers without appropriate risk

mitigating measures;

iv. Intermediaries with a history of non-compliance with laws or

regulation or that have been the subject of relevant negative
attention from credible media or law enforcement;

v. Intermediaries that have failed to attend or complete AML/CFT

training programs requested by the covered persons; and

6
 vi. Intermediaries that have weak AML/CFT controls or operate
substandard compliance programs, i.e. programs that do not
effectively manage compliance with internal policies and/or
external regulation or the quality of whose compliance programs
cannot be confirmed.

Section 9. Institutional Risk Management. The board of directors of the covered

persons shall exercise active control and supervision in the formulation and
implementation of institutional risk management. They shall be ultimately responsible
for the covered persons’ compliance with the AMLA and TFPSA, their respective IRRs,
and other AMLC issuances.

9.1. Covered persons shall:

i. Develop sound risk management policies, controls and procedures,

which are approved by the board of directors to enable them to
manage and mitigate the risks that have been identified in the NRA,
or by the AMLC, the Commission or the covered persons themselves;

ii. Monitor the implementation of those controls and to enhance them

if necessary; and

iii. Take enhanced measures to manage and mitigate the risks where
higher risks are identified.

9.2. Covered persons may adopt Reduced Due Diligence (RDD) to manage and
mitigate risks if lower risks have been identified. Provided, that the
requirements of Rules 13 to 16 of the 2018 IRR of the AMLA are met. RDD is
not allowed whenever there is a suspicion of ML/TF.

CHAPTER II
AML/CFT RISK RATING SYSTEM
OF THE SECURITIES AND EXCHANGE COMMISSION

Section 10. Risk Based AML/CFT Supervision. The Commission shall implement a
risk-based AML/CFT supervision of its covered persons comprised of assessing the
quality of controls to detect and deter ML/TF based on the assessed risks, including
controls that are required by law. Such supervision shall be applied through off-site and
on-site examinations, which can include questionnaires and dedicated meetings and
shall be based on having appropriate access to all the books and records of each
supervised covered person sufficient to provide all the information that the Commission
needs.

Section 11. AML/CFT Risk Rating System (ARRS). Complementary to the risk-based
approach to AML/CFT is the development and implementation of a risk-focused
examination process and the adoption of an ARRS that will serve as a supervisory tool in
measuring the effectiveness of the covered person’s AML/CFT framework and its level
of compliance with AML/CFT rules and regulations.

7
Section 11. Adoption of the ARRS. The ARRS is to be used by the Commission in the
conduct of its on-site examinations of covered persons. The adoption and
implementation of the ARRS is intended to ensure that supervisory attention is
appropriately focused on entities with inefficient Board and Senior Management
oversight and monitoring, inadequacies in their AML/CFT framework, weaknesses in
their internal controls and audit, and defective implementation of their AML/CFT
procedures and policies. Covered persons are directed to give their utmost cooperation
in the implementation of the ARRS.

SECTION 12. Composite Rating. Under the ARRS, each covered person is assigned a
Composite Rating based on an assessment of three (3) components of a covered
person’s framework and operations in the prevention of ML/TF. These component
factors consist of the following:

a. Efficient Board of Directors (BOD) and Senior Management (SM) oversight;

b. Sound AML policies and procedures embodied in its Money Laundering and
Terrorist Financing Prevention Program (MTPP) duly approved by the BOD;
and

c. Effective implementation.

SECTION 13. Inherent and Residual Risks. The development and implementation of
the risk rating system will have to take into account the inherent risks to which a
covered person may be exposed and the level of its awareness of the risk, an assessment
of the covered person’s risk profile based on the records of the Commission, the sectoral
risk assessment to be conducted by the SEC in coordination with the AMLC and the
institutional risk assessment to be conducted by the covered persons concerned. Apart
from engendering awareness and an understanding of the risks, this will also enable the
SEC to determine any residual risk that remains after the controls are put in place and
implemented.

The risk profile of a covered person shall initially be determined based on the following
available information:

a. Value/size of assets or transactions – the larger the value and importance of

the covered person, the easier it is for the criminals to disguise illegal
transactions.

b. Complexity and diversity of products – the diversity and complexity of the

products can attract more sophisticated money launderers and provide them
with more opportunities to launder money.

c. Customer profile – assesses whether the covered persons are being used by
high risk customers to launder money, i.e. PEPs, clients with foreign business
or interests, non-resident clients, high-net-worth individuals.

d. Frequency of international transactions (cross-border funds flow, transactions

with off-shore centers, tax havens and high-risk jurisdictions) – covered
persons are at risk of ML/TF abuse if it engages in certain international
transactions.
8
 e. Distribution channels (deals directly with customers, uses the services of third
parties or agents, to conduct customer due diligence process, non-face-to-face
or the use of information and communication technology) – assesses the
quality of the initiation of business relationships of the covered person, i.e.
non-face-to-face initiation raises ML/TF vulnerability.

f. Record of compliance with relevant rules and regulations of the Commission.

SECTION 14. Control Risk. Assessment of the covered institution’s control risk shall
cover the following components with their corresponding sub-components and risk
factors:

a. Efficient oversight of the BOD and SM

i. Corporate Governance
ii. Compliance Office
iii. Institutional Risk Assessment
iv. Internal Audit

b. Detailed AML policies and procedures and strong internal control and audit
i. Coverage and Risk Management Policies and Practices
ii. Dissemination, continuing education and training program

c. Effective implementation of internal policies and procedures

i. Customer Identification, Verification and Acceptance
ii. Ongoing monitoring and customer due diligence
iii. Covered Transaction Monitoring and Reporting System
iv. Suspicious Transaction Analysis and Reporting System
v. Record Keeping and Retention

SECTION 15. Rating System. Covered persons shall be evaluated using an overall
composite rating of Weak, Needs Improvement, Satisfactory and Strong with the
corresponding numerical scale of 1 to 4. The highest rating is 4 indicating a strong risk
management system and most effective operational practices that entail the least
degree of supervision. The lowest rating of 1 signifies a weak risk management system
and defective implementation which requires the highest degree of supervision
including the placement of the covered person within the framework of prompt
corrective action. This should also correspond to an indication of the level of
compliance with the AMLA and its IRR.

SECTION 16. Enforcement Actions. For findings and/or deficiencies noted during the
assessment and evaluation of the covered persons using the ARRS, the following shall
apply:

a. An overall rating of 4 and 3 will require no enforcement action.

b. An overall rating of 2 and 1 will require submission by the covered person

to the Anti-Money Laundering Division of the Enforcement and Investor
Protection Department (AMLD-EIPD) of a written action plan duly
approved by the BOD aimed at correcting the noted inefficiency in BOD and
SM oversight, inadequacy in AML/CFT policies and procedures, weakness
9
 in internal controls and audit, and/or ineffective implementation within a
reasonable period of time. The viability of the plan shall be assessed and
the covered person’s performance monitored.

c. An overall rating of 1 shall be considered an indication that the AML/CFT

framework and level of AML/CFT compliance of the covered person
concerned is grossly inadequate. Prompt corrective action shall be
immediately implemented by the covered person. The covered person
shall be subjected to close monitoring and regular compliance audit by the
AMLD-EIPD.

d. If after due notice and hearing, the Commission finds that there is a
violation of the mandatory provisions of these guidelines or any order
issued by the Commission in the implementation thereof including the
failure of the covered person concerned to submit an acceptable plan
within the deadline or to properly implement the action plan, the
Commission may, in accordance with the provisions of the Revised
Corporation Code of the Philippines (RCCP), impose any or all of the
following sanctions taking into consideration the extent of participation,
nature, effects, seriousness and frequency of the violation:

i. Imposition of a fine ranging from Five Thousand Pesos (P5,000.00)

to Two Million Pesos (P2,000,000.00), and not more than One
Thousand Pesos (P1,000.00) for each day of continuing violation
but in no case to exceed Two Million Pesos (P2,000,000.00);
ii. Issuance of a permanent cease and desist order;
iii. Suspension or revocation of the certificate of incorporation; and
iv. Dissolution of the corporation and forfeiture of its assets under the
conditions in Title XIV of the Revised Corporation Code of the
Philippines.

e. Such violations shall likewise be a ground for the revocation of the

secondary license of the erring or non-compliant corporation.

f. The findings of any violations of the AMLA and its IRR shall be endorsed to
the AMLC for appropriate action.

SECTION 17. Repealing Clause. All rules, regulations, orders, circulars and issuances
of the Commission that are inconsistent with this Memorandum Circular are hereby
amended and/or repealed accordingly.

SECTION 18. Effectivity. This Memorandum Circular shall take effect fifteen (15) days
after its publication in two (2) national newspapers of general circulation and its
posting in the Commission’s website.

24 September 2020.
Pasay City, Philippines, _____

EMILIO B. AQUINO
Chairperson
10