QAU Memo No. 22, s2020 : SEC Updates

SEC Memorandum Circular (MC) No. 26, Series of 2020 Guidelines in the Implementation of a Risk-Based Approach to Anti-Money Laundering/ Combating the Financing of Terrorism (AML/CFT) and Adoption and Development of a Risk Rating System for SEC Covered Persons

To: All SEC Covered Persons

The Commission issued these guidelines in the implementation of its Risk-Based Approach to AML/CFT and to adopt an AML/CFT Risk Rating System (ARRS) to be employed by the Commission in the conduct of its on-site examinations of covered persons.


All SEC covered persons as enumerated under Section 3(a) of the AMLA and Section 1.2 of the SEC MC No. 16, Series of 2018 or the 2018 AML/CFT Guidelines.

Section 3(a) of the AMLA:

  • Banks, non-banks, quasi-banks, trust entities, and all other institutions and their subsidiaries and affiliates supervised or regulated by the Bangko Sentral ng Pilipinas (BSP);
  • Insurance companies and all other institutions supervised or regulated by the Insurance Commission; and
  • (i) Securities dealers, brokers, salesmen, investment houses and other similar entities managing securities or rendering services as investment agent, advisor or consultant, (ii) mutual funds, closed-end investment companies, common trust funds, pre-need companies and other similar entities, (iii) foreign exchange corporations, money changers, money payment, remittance, and transfer companies and other similar entities, and (iv) other entities administering or otherwise dealing in currency, commodities or financial derivatives based thereon, valuable objects, cash substitutes and other similar monetary instruments or property supervised or regulated by SEC.

Section 1.2 of the SEC MC No. 16, Series of 2018 or the 2018 AML/CFT Guidelines:

  • Securities Brokers, Dealers and Salesmen, Associated Person of a Broker or Dealer, Investment Houses and other similar entities managing securities or rendering similar services;
  • Investment Company Advisers/ Fund Managers, Mutual Fund Distributors, Mutual Fund Companies, Closed-End Investment Companies;
  • Investment Advisor/ Agent/ Consultant;
  • Financing Companies and Lending Companies, both with more than 40% foreign participation in its voting stock or with paid-up capital of Php10 Million or more;
  • Other entities administering or otherwise dealing in currency, commodities or financial derivatives based thereon, cash substitutes and other similar monetary instruments or property, supervised or regulated by the Commission.

Institutional Risk Assessment

All SEC covered persons shall conduct an institutional risk assessment[1] as mandated by the 2018 IRR of the AMLA.

The risk assessment should be commensurate to the size, nature and complexity of the covered person’s business. It should be properly documented, regularly updated and communicated to the relevant covered person’s senior management. It should be conducted, at least, once every two (2) years, or as often as the board or senior management, the Commission or the AMLC may direct, depending on the level of risks found in the previous institutional risk assessment or other relevant AML/CFT developments that may impact the operations of the covered persons.

Covered persons should consider internal feedback within their organization in performing their periodic risk assessments.

Information to be considered:

Quantitative and qualitative information obtained from relevant internal and external sources to identify, manage and mitigate the risks should be considered.

Risk Factors

  1. The nature, diversity and complexity of its business, products and target markets;
  2. The proportion of customers identified as high risk;
  3. The jurisdictions in which the covered person is operating or otherwise exposed to, either through its own activities or the activities of customers, especially jurisdictions with greater vulnerability due to contextual and other risk factors such as the prevalence of crime, corruption, or financing of terrorism, the general level and quality of the jurisdiction’s prosecutorial and law enforcement efforts related to AML/CFT, the regulatory and supervisory regime and controls and transparency of beneficial ownership;
  4. The distribution channels through which the covered person distributes its products, including the extent to which the securities provider deals directly with the customer and the extent to which it relies (or is allowed to rely) on third parties to conduct customer due diligence (CDD) or other AML/CFT obligations, the complexity of the transaction chain and the settlement systems used between operators in the payment chain, the use of technology and the extent to which intermediation networks are used;
  5. The internal and external (such as audits carried out by independent third parties, where applicable) control functions and regulatory findings; and
  6. The expected volume and size of its transactions, considering the usual activity of the covered person and the profile of its customers.

Country/Geographic Risk

Factors that may be considered as indicators of higher risk include:

  1. Countries/areas identified by credible sources as providing funding or support for terrorist activities or that have designated terrorist organizations operating within them;
  2. Countries/areas identified by credible sources as having significant levels of organized crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking and smuggling and illegal gambling;
  3. Countries subject to sanctions, embargoes or similar measures issued by international organizations such as the United Nations; and
  4. Countries/areas identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT regimes, and for which financial institutions should give special attention to business relationships and transactions.

Customer/Investor Risk

Categories of customers whose business or activities may indicate a higher risk include:

  1. Customer is sanctioned by the relevant national competent authority for non-compliance with the applicable AML/CFT regime and is not engaging in remediation to improve its compliance;
  2. Customer is a politically exposed person (PEP) or customer’s family members or close associates are PEPs (including where a beneficial owner of a customer is a PEP);
  3. Customer resides in or whose primary source of income originates from high-risk jurisdictions (regardless of whether that income originates from a cash-intensive business);
  4. Customer resides in countries considered to be uncooperative in providing beneficial ownership information;
  5. Customer acts on behalf of a third party and is either unwilling or unable to provide consistent information and complete documentation thereon;
  6. Customer has been mentioned in negative news reports from credible media, particularly those related to predicate offenses for ML/TF or to financial crimes;
  7. Customer’s transactions indicate a potential connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national competent authorities [e.g. financial intelligence unit (FIU), law enforcement etc.];
  8. Customer is also a covered person, acting as an intermediary or otherwise, but is either unregulated or regulated in a jurisdiction with weak AML/CFT oversight;
  9. Customer is engaged in, or derives wealth or revenues from, a high-risk cash-intensive business;
  10. The number of suspicious transaction reports (STRs) on certain customers and their potential concentration on particular client groups;
  11. Customer is a legal entity predominantly incorporated in the form of bearer shares;
  12. Customer is a legal entity whose ownership structure is unduly complex as determined by the covered person or in accordance with any regulations or guidelines;
  13. Customers who have sanction exposure (e.g. have business/activities/transactions exposed to the risk of sanctions); and
  14. Customer has a non-transparent ownership structure.

Product/Service/Transaction Risk

Products and services that may indicate a higher risk include:

  1. Products or services that may inherently favor anonymity or obscure information about underlying customer transactions (e.g. bearer share instruments or the provision of omnibus account services);
  2. The geographical reach of the product or service offered, such as those emanating from higher risk jurisdictions;
  3. Products with unusual complexity or structure and with no obvious economic purpose;
  4. Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party, particularly those residing in a higher risk jurisdiction;
  5. Use of new technologies or payment methods not used in the normal course of business by the covered person;
  6. Products that have been particularly subject to fraud and market abuse, such as low-priced securities;
  7. The purchase of securities using physical cash;
  8. Offering bank-like products, such as check cashing and automated cash withdrawal cards;
  9. Securities-related products or services funded by payments from or instructions given by unexpected third parties, particularly from higher risk jurisdictions;
  10. Transactions wherein customers request the transfer of funds to a higher risk jurisdiction/country/corridor without a reasonable business purpose provided; and
  11. A transaction is requested to be executed, where the securities provider is made aware that the transaction will be cleared/settled through an unregulated entity.

Distribution Channel Risk

An overall risk assessment should include the risks associated with the different types of delivery channels to facilitate the delivery of securities products and services.

  1. Covered persons that distribute products or services directly through online delivery channels should identify and assess the ML/TF risks that may arise in relation to distributing their products using this business model. In addition to the analysis of risks performed in advance of engaging in such an online business, the risk assessment process for online delivery risk should be performed when the covered person develops new products and new business practices;
  2. Covered persons should analyze the specific risk factors, which arise from the use of intermediaries and their services. Covered persons should understand who the intermediary is and perform a risk assessment on the intermediary prior to establishing a business relationship. Covered persons and intermediaries should establish clearly their respective responsibilities for compliance with applicable regulation. Assessing intermediary risk is more complex for securities providers with an international presence due to varying jurisdictional requirements, the potential risk of non-compliance by intermediaries with the applicable local AML/CFT regulations and the logistics of intermediary oversight. An intermediary risk analysis should include the following factors, to the extent that these are relevant to the securities providers’ business model:

    i. Intermediaries suspected of criminal activities, particularly financial crimes or association with criminal associates;
    ii. Intermediaries located in a higher risk country or in a country with a weak AML/CFT regime;
    iii. Intermediaries serving high-risk customers without appropriate risk mitigating measures;
    iv. Intermediaries with a history of non-compliance with laws or regulation or that have been the subject of relevant negative attention from credible media or law enforcement;
    v. Intermediaries that have failed to attend or complete AML/CFT training programs requested by the covered persons; and
    vi. Intermediaries that have weak AML/CFT controls or operate substandard compliance programs, i.e. programs that do not effectively manage compliance with internal policies and/or external regulation or the quality of whose compliance programs cannot be confirmed.

Institutional Risk Management

The board of directors shall supervise and implement the institutional risk management. They shall be ultimately responsible for the covered persons’ compliance with the AMLA and TFPSA, their respective IRRs, and other AMLC issuances.

Risk Based AML/CFT Supervision

The Commission shall implement a risk-based AML/CFT supervision of its covered persons comprised of assessing the quality of controls to detect and deter ML/TF based on the assessed risks, including controls that are required by law. It shall be applied through off-site and on-site examinations, which can include questionnaires and dedicated meetings and shall be based on having appropriate access to all the books and records of each supervised covered person sufficient to provide all the information that the Commission needs.

AML/CFT Risk Rating System (ARRS)

Complementary to the risk-based approach to AML/CFT is the development and implementation of a risk-focused examination process and the adoption of an ARRS that will serve as a supervisory tool in measuring the effectiveness of the covered person’s AML/CFT framework and its level of compliance with AML/CFT rules and regulations.

Adoption of the ARRS

The ARRS is to be used by the Commission in the conduct of its on-site examinations of covered persons. The adoption and implementation of the ARRS is intended to ensure that supervisory attention is appropriately focused on entities with inefficient Board and Senior Management oversight and monitoring, inadequacies in their AML/CFT framework, weaknesses in their internal controls and audit, and defective implementation of their AML/CFT procedures and policies. Covered persons are directed to give their utmost cooperation in the implementation of the ARRS.

Inherent and Residual Risks

The risk profile of a covered person shall initially be determined based on the following available information:

  1. Value/size of assets or transactions
  2. Complexity and diversity of products
  3. Customer profile
  4. Frequency of international transactions (cross-border funds flow, transactions with off-shore centers, tax havens and high-risk jurisdictions)
  5. Distribution channels (deals directly with customers, uses the services of third parties or agents, to conduct customer due diligence process, non-face-to-face or the use of information and communication technology)
  6. Record of compliance with relevant rules and regulations of the Commission.

Control Risk

  1. Efficient oversight of the BOD and SM
    i. Corporate Governance
    ii. Compliance Office
    iii. Institutional Risk Assessment
    iv. Internal Audit
  2. Detailed AML policies and procedures and strong internal control and audit
    i. Coverage and Risk Management Policies and Practices
    ii. Dissemination, continuing education and training program
  3. Effective implementation of internal policies and procedures
    i. Customer Identification, Verification and Acceptance
    ii. Ongoing monitoring and customer due diligence
    iii. Covered Transaction Monitoring and Reporting System
    iv. Suspicious Transaction Analysis and Reporting System
    v. Record Keeping and Retention

Rating System

Covered persons shall be evaluated using an overall composite rating of Weak, Needs Improvement, Satisfactory and Strong with the corresponding numerical scale of 1 to 4. The highest rating is 4 indicating a strong risk management system and most effective operational practices that entail the least degree of supervision. This should also correspond to an indication of the level of compliance with the AMLA and its IRR.

Enforcement Actions

  1. An overall rating of 4 and 3 will require no enforcement action.
  2. An overall rating of 2 and 1 will require submission by the covered person to the Anti-Money Laundering Division of the Enforcement and Investor Protection Department (AMLD-EIPD) of a written action plan duly approved by the BOD aimed at correcting the noted inefficiency in BOD and SM oversight, inadequacy in AML/CFT policies and procedures, weakness in internal controls and audit, and/or ineffective implementation within a reasonable period of time. The viability of the plan shall be assessed and the covered person’s performance monitored.
  3. An overall rating of 1 shall be considered an indication that the AML/CFT framework and level of AML/CFT compliance of the covered person concerned is grossly inadequate. Prompt corrective action shall be immediately implemented by the covered person. The covered person shall be subjected to close monitoring and regular compliance audit by the AMLD-EIPD.
  4. If after due notice and hearing, the Commission finds that there is a violation of the mandatory provisions of these guidelines or any order issued by the Commission in the implementation thereof including the failure of the covered person concerned to submit an acceptable plan within the deadline or to properly implement the action plan, the Commission may, in accordance with the provisions of the Revised Corporation Code of the Philippines (RCCP), impose any or all of the following sanctions taking into consideration the extent of participation, nature, effects, seriousness and frequency of the violation:

    i. Imposition of a fine ranging from Five Thousand Pesos (P5,000.00) to Two Million Pesos (P2,000,000.00), and not more than One Thousand Pesos (P1,000.00) for each day of continuing violation but in no case to exceed Two Million Pesos (P2,000,000.00);
    ii. Issuance of a permanent cease and desist order;
    iii. Suspension or revocation of the certificate of incorporation; and
    iv. Dissolution of the corporation and forfeiture of its assets under the conditions in Title XIV of the Revised Corporation Code of the Philippines.

  5. Such violations shall likewise be a ground for the revocation of the secondary license of the erring or non-compliant corporation.
  6. The findings of any violations of the AMLA and its IRR shall be endorsed to the AMLC for appropriate action.


QAU Memo is the official publication of R.S. Bernaldo & Associates to keep the Firm’s professional staff informed of the issues affecting the practice.  The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.  Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.  No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.    

The Firm cannot be held liable for any losses suffered as a result of reliance upon information contained in this memo. 

This is a property of R.S. Bernaldo & Associates.  Reproduction of any material included in the memo should be subject to the approval of the Editorial Board.

R.S. Bernaldo & Associates is a member firm of the PKF International Limited family of legally independent firms and does not accept any responsibility or liability for the actions or inactions of any individual member or correspondent firm or firms.

Comments and suggestions are welcome.

Editorial Board

  • Rose Angeli S. Bernaldo
    Partner | Quality and Compliance/ Training Partner
    rose [dot] bernaldo [at] rsbernaldo [dot] com

  • Anthony D. Paño
    Senior Quality Assurance Manager/ Quality Assurance Leader
    anthony [dot] pano [at] rsbernaldo [dot] com

  • Mary Rose A. Lorilla
    Assistant Quality Assurance Manager/ Assistant Quality Assurance Leader
    rose [dot] lorilla [at] rsbernaldo [dot] com

  • Jean S. Losloso
    Senior Quality Assurance Associate/ Engagement Quality Control Review Leader
    qau [at] rsbernaldo [dot] com

  • Nikka Hazel M. Mendoza
    Senior Quality Assurance Associate/ Consultation Leader
    qau [at] rsbernaldo [dot] com

  • Charmaine S. De Guzman
    Senior Quality Assurance Associate/ Learning and Training Leader
    qau [at] rsbernaldo [dot] com



[1] Institutional risk assessment refers to a comprehensive exercise to identify, assess and understand a covered person’s ML/TF threats, vulnerabilities and the consequential risks, with a view to mitigate illicit flow of funds and transactions.
