Title
AMLC Guidelines for DNFBPs AML/CFT Compliance
Law
Amlc Regulatory Issuance (b) No. 1, S. 2018
Decision Date
Jun 13, 2018
The Anti-Money Laundering Council (AMLC) establishes comprehensive guidelines for Designated Non-Financial Businesses and Professions (DNFBPs) to combat money laundering and terrorism financing, mandating compliance with ethical standards, customer due diligence, and effective risk management systems.

Legal basis, policy intent, and principles

  • Republic Act No. 9160 (Anti-Money Laundering Act of 2001), as amended, is the governing AML framework that regulates DNFBPs as covered persons.
  • Republic Act No. 10365 amended Republic Act No. 9160 to include additional DNFBP types as covered persons.
  • Republic Act No. 10168 (otherwise known as the Terrorism Financing Prevention and Suppression Act of 2012 (TFPSA)) is part of the compliance target for countering terrorism financing.
  • DNFBP regulation is required to be proportionate to the nature, scale, and complexity of operations to prevent exploitation by criminals (Section 1).
  • DNFBPs must apply AML/CFT principles including: high ethical standards and good corporate governance (Section 1); sufficient customer/client knowledge (Section 1); AML/CFT risk management that identifies, assesses, monitors, and controls ML/TF risks (Section 1); full compliance culture (Section 1); and full cooperation with AMLC and AMLC directives (Section 1).

Coverage and core definitions

  • The guidelines apply to the following DNFBPs (Section 2):
    • Jewelry dealers, dealers in precious metals, and dealers in precious stones.
    • Company service providers that, as a business, provide services to third parties involving: formation agency for juridical persons; acting as or arranging directors/corporate secretaries/partners or similar positions; providing registered office/business address/correspondence/administrative address; or acting as or arranging nominee shareholders.
    • Persons (including lawyers and accountants) that provide services involving: managing client money/securities/other assets; management of bank/savings/securities/accounts; organization of contributions for company creation/operation/management; and creation/operation/management of juridical persons or arrangements, and buying and selling business entities.
  • The guidelines define an Account as a business relationship between a DNFBP and a customer/client (Section 3(a)).
  • A Beneficial Owner is any natural person who ultimately owns or controls the customer and/or on whose behalf a transaction is being conducted, or has ultimate effective control over a legal person or arrangement (Section 3(d)).
  • A Covered Transaction includes transactions involving: Php500,000.00 or more (or equivalent) generally (Section 3(f)(1)); and Php1,000,000.00 or more (or equivalent) in the case of jewelry dealers and dealers in precious metals and precious stones (Section 3(f)(2)).
  • A Customer/Client is any person who transacts or attempts to transact with a DNFBP (Section 3(g)).
  • A Suspicious Transaction is defined by reference to paragraph (b-1), Section 3 of Republic Act No. 9160 (Section 3(r)).
  • Politically Exposed Person (PEP) shall be used as defined under Section 3.R of the 2016 RIRR and amendments thereto (Section 3(m)).
  • Terrorism Financing refers to acts defined and punished under Sections 4, 5, 6, 7 and 8 of Republic Act No. 10168 (Section 3(s)).
  • Unlawful activity refers to unlawful activities under Section 3(i) of the AMLA, as amended (Section 3(u)).
  • The guidelines adopt additional term definitions from the 2016 Revised Implementing Rules and Regulations (RIRR) when not otherwise mentioned (Section 3).

DNFBP compliance program obligations

  • DNFBPs must establish, implement, monitor, and maintain an effective AML/CFT Compliance Program consistent with these guidelines (Section 4(a)).
  • DNFBPs must devise and implement policies, procedures, processes, and controls designed to prevent and detect potential ML/TF, including at minimum: compliance regime; risk assessment; customer due diligence; record keeping; training and awareness; employee screening; detection of suspicious transactions; and reporting of covered and suspicious transactions (Section 4(b)).
  • DNFBPs must communicate relevant policies and controls to all relevant employees (Section 4(c)).
  • DNFBPs must conduct an ongoing employee training program on current ML/TF risks, techniques, methods, and trends (Section 4(d)).
  • DNFBPs must conduct regular independent reviews of their AML/CFT program (Section 4(e)).
  • DNFBPs must conduct Institutional Risk Assessment by identifying, assessing, and understanding AML/CFT risks relating to customers, business, products/services, geographical exposures, transactions, delivery channels, and size, and document a risk-based approach (Section 5(a)).
  • The institutional risk assessment must include both quantitative and qualitative factors (Section 5(a)) and must be documented with findings (Section 5(b)(1)).
  • DNFBPs must keep risk assessments up-to-date through periodic review and submit the assessment information to the AMLC when required (Section 5(b)(3) and Section 5(b)(4)).
  • Institutional risk assessment must be conducted at least once every two (2) years or as determined by the AMLC (Section 5(f)).
  • DNFBPs must develop risk management policies to mitigate identified ML/TF risks, monitor implementation, enhance measures when needed, and apply enhanced measures when higher risks are identified (Section 6).
  • DNFBPs’ Board or governing body, partners, or sole proprietor are ultimately responsible for ensuring AMLA compliance, AML rules/regulations, and AMLC directives (Section 7(a)).
  • DNFBPs must designate a compliance officer of senior management status for day-to-day AML/CFT compliance, with direct communication to the governing body and authority to report AML/CFT issues including failures to manage ML/TF risks and new AML/CFT obligations issued by AMLC (Section 8(a)).
  • DNFBPs must designate another officer responsible and accountable for record keeping requirements, and ensure records are made available to the AMLC upon request (Section 8(a)).

ML/TF Prevention Program (ML/TFPP) requirements

  • The Board/governing body/partners/sole proprietor must approve, and the compliance officer must implement, a comprehensive, risk-based ML/TFPP geared toward promoting high ethical/professional standards and preventing ML and TF (Section 9(a)).
  • The ML/TFPP must be: in writing, consistent with the AMLA, reflected in the DNFBP’s corporate structure and risk profile, readily available in hard or soft copy, well disseminated to implementing officers/staff, and supported by an audit trail evidencing dissemination (Section 9(a)).
  • DNFBPs with multiple Philippine locations must adopt an institution-wide ML/TFPP implemented in a consolidated manner (Section 9(a)).
  • The ML/TFPP must be updated at least once every two (2) years or whenever necessary to reflect changes in AML/CFT obligations, trends, detection techniques, and typologies (Section 9(a)).
  • The ML/TFPP must include, at minimum (Section 9(a)(1)-(8)):
    • Detailed procedures covering AMLA and guidelines requirements, including customer identification/acceptance and ongoing monitoring; record keeping/retention; covered transaction reporting; suspicious transaction reporting with a flagging/monitoring/reporting system regardless of amount; a suspicious transaction reporting chain; and designation of a Board-Level or approved Committee or a senior officer to decide filing to AMLC (Section 9(a)).
    • A continuous AML/CFT training program for directors and responsible officers/employees to ensure compliance with AMLA, guidelines, other issuances, internal policies, and AMLC obligations (Section 9(b)).
    • A risk-based screening and recruitment process to ensure only qualified personnel with no criminal record or integrity-related issues are employed or contracted (Section 9(c)).
    • An internal audit system and independent audit program ensuring completeness/accuracy of customer information, including written specification of independent audit scope covering accuracy of identification documents, CTR and STR submitted to the AMLC, and records retained, and adequacy/effectiveness of training programs (Section 9(d)).
    • A mechanism ensuring audit/inspection deficiencies are immediately corrected (Section 9(e)).
    • Cooperation with the AMLC (Section 9(f)).
    • Designation of a compliance officer as lead implementer (senior management level) (Section 9(g)).
    • Identification, assessment, and mitigation of ML/TF risks arising from new business practices, services, technologies, and products (Section 9(h)).
  • Within ninety (90) days from effectivity, all DNFBPs must prepare and have available for inspection an updated ML/TFPP embodying the guidelines’ principles and provisions (Section 9).
  • The compliance officer must submit to the AMLC a sworn certification that the updated ML/TFPP has been prepared, duly noted and approved by the Board/governing body (Section 9).

Internal controls, audits, and CDD system

  • DNFBPs must establish internal controls for day-to-day compliance considering size and complexity (Section 10(a)).
  • Internal audits must be conducted by qualified personnel independent of the unit being audited, with support and direct line of communication to the Board/governing body/partners/sole proprietor (Section 10(a)).
  • Internal audit must include periodic and independent evaluation of risk management and adherence to compliance measures (Section 10(a)).
  • Internal audit scope must cover accuracy of customer identification information, covered and suspicious transaction reports, and all other records/internal controls for AML/CFT compliance (Section 10(a)).
  • Internal audits must occur at least once every two (2) years or at a frequency consistent with DNFBP risk assessment (Section 10(a)).
  • Internal audit results must be timely and directly communicated to Board/senior management and the compliance officer (Section 10(a)).
  • DNFBPs must have written procedures for promptly remedying deficiencies identified through internal audit (Section 10(a)).
  • Audit results relative to AML/CFT compliance must be promptly made available to the AMLC upon request (Section 10(a)).
  • Findings of internal audit must be periodically assessed by an independent third-party auditor accredited by the AMLC (Section 10(a)).
  • DNFBPs must implement customer due diligence by adopting a policy to identify and verify customers before establishing a business relationship using documents/data/information from customers and reliable independent sources (Section 11(a)).
  • DNFBPs must obtain information to assess the extent of risk the customer may expose them to (Section 11(a)).
  • DNFBPs must perform CDD measures when establishing a business relationship, when there is suspicion of ML/TF, and when there are doubts about integrity or adequacy of previously obtained identification information (Section 19(a)).
  • Where risks are assessed as low and verification is not possible at relationship establishment, verification may be completed after establishment, but not later than five (5) working days or any other period specified by the AMLC (Section 19).
  • DNFBPs must implement risk-based CDD that requires enhanced diligence for high-risk customers and reduced due diligence for low-risk customers, with documented criteria for low/normal/high risk (Section 18(a)).
  • Customer risk classification must consider source of funds, occupation, residence/origin, PEP status, adverse media exposure, watch lists, types of services/products/transactions, linked accounts, and must be documented for each customer (Section 18(a)).
  • DNFBPs must undertake enhanced due diligence when information raises doubts on customer accuracy/ownership, justifies re-classification to high-risk, arises from countries identified by FATF/AMLC, or warrants an STR, including specified STR-triggering situations (Section 26(a)).
  • Commencing an account or business relationship with a high-risk customer requires approval from a senior/management-level officer (Section 26).
  • For high-risk individuals, enhanced due diligence includes obtaining additional information including lists of banks with accounts, directorship/officer/stockholder positions, specific services sought, and source of wealth and funds (Section 26).
  • For high-risk juridical persons, enhanced due diligence includes lists of banks with accounts; verified names/nationality/present address/date and place of birth/nature of work/sources of assets of primary officers; and all stockholders owning five percent (5%) or more of voting stock (Section 26).
  • DNFBPs must be aware of new/developing technologies that favor anonymity and take measures to prevent ML/TF use (Section 26).
  • DNFBPs must use relevant AMLC findings concerning individuals/groups/entities subject of ML/TF investigations or included in sanctions lists issued by international competent authorities (Section 26).
  • DNFBPs must know prior to establishing a customer relationship: identity; type of activity/relationship; complexity; whether customer represents a third party; and how to verify presented information (Section 26).
  • DNFBPs must update high-risk customer/client data more regularly (Section 26).
  • DNFBPs must conduct ongoing due diligence by scrutinizing transactions to ensure consistency with knowledge of customer and risk profile, including source of funds when necessary (Section 27(a)), keeping CDD documents/data up-to-date, undertaking reviews particularly for higher-risk customers, and establishing mechanisms to monitor and update customer transaction/identification information to detect unusual or suspicious patterns (Section 27).
  • DNFBPs must update existing customer information and identification documents on a materiality and risk basis when documentation standards change substantially, when there is a material change in relationship, or when DNFBP lacks sufficient information or doubts accuracy (Section 28(a)).

Customer identification standards and documentation

  • DNFBPs must know customers and, where possible, the intermediary and the person/entity on whose behalf the transaction is being conducted, and create a system to establish and record full identity and risk assessment results (Section 17(a)).
  • DNFBPs must require customers to furnish required Identification Documents (Section 17(a)).
  • DNFBPs must ensure appropriate systems and methods, with internal controls, to verify and record true/full customer identity from reliable independent sources upon establishment of business relationships (Section 21(a)).
  • For corporate customers and arrangements (trustee/agent/nominee/intermediary arrangements), DNFBPs must verify legal existence and organizational structure and verify authority and identification of all persons purporting to act on behalf (Section 21(a)).
  • DNFBPs must identify and verify persons purporting to act on behalf of customers and verify beneficial owners through reasonable measures (Section 20(b)-(c)).
  • Minimum CDD information and Identification Documents depend on customer type (Section 22):
    • Individual persons must provide: name; date/place of birth; present and permanent address; contact number/information if any; nationality; proof of identification and identification number; and nature of work with employer or self-employment/business (Section 22(A)).
    • Absence of any listed individual information is not a violation if identity is sufficiently known through other identifying information and the DNFBP can risk profile the customer (Section 22(A)).
    • Foreign nationals must present valid passport, Alien Certificate of Registration, Alien Employment Permit, or any government-issued identification document bearing photograph, if DNFBP is satisfied with document authenticity (Section 22(A)).
    • Juridical persons/sole proprietorships must provide: entity name; authorized representative name; beneficial owner name if applicable; official address; contact number/information; nature of business; specimen signature; verified entity identification as corporation/partnership/sole proprietorship; verified entity source of funds and business nature; verification entity is not dissolved/struck-off/wound-up/terminated/under receivership/liquidation; verification with supervisory authority; and obtaining specified registration and corporate documents including DTI/SEC/CDA documents, articles/bylaws, board/ownership resolution authorizing signatory, and lists and identification documents of owners/partners/directors/principal officers/authorized signatories/stockholders owning at least 20% (Section 22(B)).
    • For entities incorporated outside the Philippines, DNFBPs must obtain and authenticate similar documents/information through the Philippine Consulate where registered (Section 22(B)).
    • Legal arrangements must identify and verify beneficial owners through specified information: for trusts—settlor, trustee(s), protector (if any), beneficiaries/class, and any other natural person exercising ultimate effective control; for other legal arrangements—persons in equivalent positions (Section 22(C)).
  • DNFBPs must determine the true nature of parties’ capacities and duties by obtaining copies of written documents evidencing their relationship and apply the same standards for risk assessment and due diligence (Section 23(a)).
  • If DNFBPs doubt the account holder or transactor is a dummy used to circumvent laws, DNFBPs must apply enhanced due diligence or file a Suspicious Transaction Report if warranted (Section 23(a)).

Monitoring, reporting, recordkeeping, and confidentiality

  • DNFBPs must adopt an ML/TF monitoring system with name screening mechanisms (electronic or manual) appropriate to risk profile and business complexity, capable of generating timely, accurate, and complete reports, including CTRs and STRs, and capable of regularly apprising the Board/governing body/partners/sole proprietor on compliance (Section 12(a)).
  • DNFBPs must keep records of customer transactions and documents obtained during customer due diligence for five (5) years (Section 13(a)).
  • DNFBPs must maintain records in an organized and confidential manner allowing the AMLC and courts to establish an audit trail, in forms admissible in court (Section 38(a)).
  • DNFBPs must retain and safely store records of customer identification and transaction documents for five (5) years from transaction dates, or as long as the business relationship exists (Section 39(a)).
  • If a court case has been filed involving the account, DNFBPs must retain and safely keep records beyond five (5) years until the AMLC Secretariat confirms the case is resolved, decided, or terminated with finality (Section 39(a)).
  • DNFBPs must retain and safely store for at least five (5) years from the dates accounts were terminated records of customer identification and transaction documents (Section 39(a)).
  • DNFBPs must keep electronic copies of covered and suspicious transaction reports for at least five (5) years from the dates of submission to the AMLC (Section 39(a)).
  • DNFBPs must maintain records of internal reporting of CTRs/STRs and decision-making on whether to file them for at least five (5) years after the transaction date (Section 40(a)).
  • DNFBPs must ensure no secrecy or data protection issues restrict prompt access to data for outsourced relationships regarding full application of the guidelines (Section 41).
  • DNFBPs must report covered transactions and suspicious transactions to the AMLC within five (5) working days from occurrence (Section 42(a)).
  • For suspicious transactions, “occurrence” means the date the transaction’s suspicious nature is determined, and determination must not exceed ten (10) calendar days from the date of transaction (Section 42(a)).
  • Where a transaction is related to an unlawful activity or the person transacting is involved in or connected to unlawful activity or a money laundering offense, the ten (10) calendar day determination period is reckoned from the date the covered person knew or should have known the suspicious transaction indicator (Section 42(a)).
  • DNFBPs must be given a reasonable period to gather facts to enable meaningful STR submission, which must not exceed sixty (60) calendar days (Section 42(a)).
  • If a transaction is both a covered transaction and a suspicious transaction, it must be reported as a suspicious transaction (Section 42(a)).
  • CTRs and STRs must otherwise comply with the AMLC Registration and Reporting Guidelines (ARRG) (Section 43).
  • DNFBPs must observe an STR framework including internal policies enabling employees to report suspicions to the compliance officer, prompt STR filing by the compliance officer when suspicion/grounds exist, internal investigation and documentation of outcomes/justification if no external report is filed, disciplinary measures against employees who fail to file internal suspicious activity reports when there is evidence, monitoring of suspicious indicators, and performing EDD as necessary (Section 44).
  • DNFBPs and their officers/employees are prohibited from communicating to any person/entity or the media the fact that a covered or suspicious transaction has been or is about to be reported, the report contents, or any related information; such information must not be published/aired via mass media or email or similar devices, and violation triggers criminal liability for the concerned officer/employee and media (Section 45).
  • A safe harbor applies: no administrative, criminal, or civil proceedings lie against persons who made covered/suspicious transaction reports in regular performance of duties and in good faith, whether or not the report results in any criminal prosecution (Section 46).

Exemptions, training, AMLC cooperation, and registration

  • Lawyers and accountants authorized to practice in the Philippines and engaged as independent legal or accounting professionals are exempt from being deemed covered persons when dealing with client information where disclosure would compromise client confidences or the attorney-client relationship, so they are not required to file CTRs or STRs (Section 47).
  • Lawyers and accountants remain permitted to report to the AMLC in utmost confidentiality knowledge or information that a client is committing or contemplating money laundering or terrorism financing, or information outside the coverage of privileged communication; the AMLC shall accept electronic or paper-based submission (Section 47).
  • DNFBPs must create employee training programs detailing ML/TF prevention roles and hiring standards promoting ethical standards (Section 14(a)).
  • Training programs must be ongoing and must include refresher trainings reviewing updates from new legislation, AMLC issuances, internal audit findings, and discoveries in ML/TF trends/detection techniques (Section 14(a)).
  • Training must explain customer identification process, record keeping requirements, covered and suspicious transaction reporting, and internal processes/chain of command for reporting and cooperation with the AMLC (Section 14(a)).
  • DNFBP personnel attendance in training/seminars must be recorded; copies of training materials must be kept, submitted to the compliance officer, and made available to the AMLC upon request (Section 14(a)).
  • DNFBPs must have written procedures for cooperating with and complying with AMLC investigations, assessments, directives, orders, and court requirements; upon request for information from any competent authority regarding inquiries into potential ML/TF activity, DNFBPs must promptly inform the AMLC in writing (Section 15(a)).
  • DNFBPs must identify and assess ML/TF risks arising from development of new products and business practices, including new delivery mechanisms and new/developing technologies for both new and existing products (Section 16(a)).
  • All DNFBPs must register with the AMLC by submitting/uploading required documents to the AMLC portal, including: application letter; business model; list of owners/controlling stockholders/partners/directors/principal officers; city/municipality business registration/permit copy; SEC/DTI/CDA registration evidence; notarized deeds of undertaking (Annexes B and C); list of operating office locations; audited financial statements where applicable; proof of AML seminar attendance by proprietor/partners/directors/principal officers; and NBI clearances (or foreign equivalents) for directors/principal officers (Section 48(a)).
  • The AMLC issues a Certificate of Registration after determining complete submission of documentary requirements (Section 49(a)).
  • Registration may be denied if DNFBPs fail to provide accurate or complete registration requirements (Section 50(a)).
  • Existing DNFBPs must register within six (6) months from guidelines effectivity, while newly established DNFBPs must register before commencement of operation (Section 51(a)).
  • DNFBPs must notify the AMLC of specified events within five (5) business days:
    • commencement of operations for each individual office (Section 52(a));
    • transfer of location (Section 52(b));
    • closure of office (Section 52(c));
    • closure of business, including ownership certification and original COR (Section 52(d));
    • change of name, including DTI/SEC/CDA COR for new name and original COR under old name, after which AMLC issues new COR (Section 52(e));
    • change of ownership or control prior to effectivity, covering transfers of equity resulting in at least twenty percent (20%) ownership or control of assets or voting shares, or transfers that enable buyers to elect or be elected as director or officer of equivalent authority (Section 52(f)).

AMLC compliance checking and investigations

  • The AMLC may conduct compliance checking and investigation pursuant to Section 7(5)(7) of Republic Act No. 9160 (Section 53(a)).
  • On-site compliance checking may be conducted by AMLC and Secretariat with at least twenty-four (24)-hours prior notice to validate DNFBP compliance (Section 53(A)(1)).
  • DNFBPs must make available all documents, including customer identification documents, CTRs, STRs, and their MLPPs upon AMLC request (Section 53(A)(2)).
  • The AMLC shall investigate suspicious and covered transactions deemed suspicious, ML/TF activities, and AMLA violations, and may direct production of information/documents/objects (including video footages, clippings, recordings, and electronic data) to determine true identity, require statements from DNFBP responsible officers/employees, and request information/documents/objects from domestic government agencies, foreign states and their financial intelligence units/law enforcement agencies/financial regulators, and from the United Nations and other international organizations/entities (Section 53(B)(1)(a)-(c)).
  • DNFBPs must immediately provide authorized AMLC and Secretariat personnel full access to information/documents/objects pertaining to the account, customer, transaction, or violation under investigation (Section 53(B)(2)).
  • Certified true copies of requested documents must be submitted within five (5) working days from receipt of the AMLC request or order (Section 53(B)(2)).

Customer due diligence operational requirements

  • DNFBPs must conduct face-to-face contact at the time of establishing the business relationship, or as reasonably practicable so as not to interrupt normal business, while effectively managing ML/TF risks (Section 29(a)).
  • No transaction shall be processed without conducting face-to-face contact (Section 29(a)).
  • Use of information and communication technology for face-to-face contact may be allowed only if DNFBP has possession of and verified the submitted identification documents before the interview and documents the entire procedure (Section 29).
  • DNFBPs may rely on third parties for customer identification and face-to-face contact if the third party is either a covered person under Section 3(A) of the AMLA or a financial institution

Analyze Cases Smarter, Faster
Jur helps you analyze cases smarter to comprehend faster, building context before diving into full texts. AI-powered analysis, always verify critical details.