Developing and establishing an effective anti-money

laundering ("AML") compliance program is a requirement for financial

institutions in order to combat laundering the proceeds of crime and terrorist

financing worldwide.

In this article, our aim is to reveal the scope and

the significance of developing and establishing AML compliance program in

Turkey.

(I)

Introduction

In Turkey, compliance program requirement is set forth

in the Regulation on Compliance Programs Regarding Obligations on Laundering

the Proceeds of Crime and Prevention of Financing of Terrorism ("Compliance

Regulation").

According to the Compliance Regulation, only the

foregoing obliged parties such as banks (except for Central Bank of Republic of

Turkey as well as development and investment banks), capital markets

intermediary institutions, insurance and pension companies, Post and Telegraph

Organization General Directorate (pertaining only to banking activities) oblige

to establish and operate a risk-based AML compliance program.

The AML compliance program requirement for each

category of covered obliged parties would also apply to their agents, branches,

commercial representatives or similar affiliates located in abroad to the

extent allowed by their local jurisdiction.

(II)

Scope of AML Compliance Program

The

scope of AML compliance program established with a risk-based approach is as

follows: (i) creating corporate policies and procedures, (ii) carrying out risk

management activities, (iii) performing monitoring and controlling activities,

(iv) assigning compliance officer and forming a compliance unit, (v) conducting

training activities, (vi) carrying out internal control activities.

The

risk management as well as monitoring and controlling activities are carried

out by compliance officers. Moreover, those activities are under obligation of

the board of directors of the obliged parties.

(1)

Corporate Policies and Procedures

Obliged parties must create corporate policies by

considering the size of the institution, the volume of the business and the

type of their transactions. Corporate policies must consist of at least risk

management, monitoring and controlling, training and internal control policies

under Turkish laws.

The purpose of establishing corporate policy is (i) to

determine strategies on ensuring obliged parties to comply with the obligations

pertaining to laundering the proceeds of crime and prevention of financing of

terrorism and on minimising risks to be exposed through assessing obliged parties'

customers, transactions and services with a risk-based approach; (ii) to

determine controls and measures within the institution, operational rules and

responsibilities and (iii) to make the employees aware of these matters.

Corporate policies and procedures are required to be

prepared in written form under the observation and coordination of the

compliance officer. The board of directors is under obligation to approve corporate

policies. Under the Compliance Regulation, compliance officers must deliver

corporate policies and any amendments to the corporate policies to the

Financial Crimes Investigation Board ("MASAK").

Obliged parties are also required to deliver corporate

policies to the employees by obtaining their signatures. MASAK Frequently Asked

Questions No. 105 states that corporate policies may be delivered

electronically on the condition that the relevant employee has electronic

signature. Moreover, e-mail

messages may also be used to deliver the amendments to the policies, provided

that the delivery is confirmed with read receipt method and that such method is

stated in the relevant policy or amendment policy.

(2)

Risk

Management Activities

Obliged parties are required to implement risk management

policies by considering the size of the institution, the volume of the business

and the type of their transactions. The purpose of the risk management policy

is to identify, grade, monitor, assess and minimise the risk that can be

exposed. Risk management policy must consist of at least internal measures and

operational rules regarding customer identification measures stipulated in the

relevant anti-money laundering legislation. In addition to preparing risk

management policy, obliged parties must also carry out risk management

activities such as developing risk identification, grading, classification and

assessment methods based on customer risk, service risk and country risk as

well as grading and classifying services, transactions and customers.

(3)

Monitoring

and Controlling Activities

Another requirement for obliged parties is to conduct

monitoring and controlling activities by considering the size of the

institution, the volume of the business and the type of their transactions. Protecting

obliged parties against risks and monitoring and controlling whether their

activities are carried out in accordance with AML and corporate policies and

procedures is the main purpose monitoring and controlling activities.

According to Article 15 of the Compliance Regulation,

the minimum scope of the monitoring and controlling activities is as follows: (i)

high risk customers and their transactions, (ii) transaction conducted with

risky countries, (iii) complex and unusual transactions.

(4)

Compliance

Officer and Compliance Unit

Pursuant to Article 16 of the Compliance Regulation, assigning

compliance officer is a must for obliged parties. Once it is notified by obliged

parties, MASAK assesses whether the relevant compliance officer candidate meets

the criteria stipulated in the Compliance Regulation. If not, obliged parties are

under obligation to assign a new compliance officer meeting the criteria.

Additionally, as per Article 18 of the Compliance

Regulation, in order to ensure that compliance officer perform its duties and

responsibilities effectively, board of directors is required to ensure

establishment of compliance unit to execute compliance program by considering

the size of the institution, the volume of the transaction, the number of the

branch and personnel or the level of the risks it may expose to.

Duties and responsibilities of compliance officers are

stipulated in Article 19 of the Compliance Regulation. Accordingly, compliance

officers' duties and responsibilities are including but not limited to conduct

necessary works to ensure that obliged parties comply with the AML legislation;

conduct necessary communication and coordination with MASAK; establish corporate

policies and procedures and submit corporate policies for approval of the board

of directors; establish risk management and monitoring and controlling policies

and carry out risk management and monitoring and controlling activities; submit

her/his works regarding training program on laundering proceeds of crime and

terrorist financing for the approval of the board of directors and ensure

effective implementation of the approved training program and report suspicious

activities to MASAK.

(5)

Training

Activities

Obliged parties are ordered to constitute a training

policy including the matters such as operation of training activities, the

person who would be responsible for conducting training activities,

determination and training of employees and trainers to be participated to

training activities as well as training methods. The purpose of implementing a training

policy is to ensure compliance with obligations within the scope of Turkish AML

legislation and raise awareness of the employees.

In addition to implementation of a training policy,

obliged parties are also required to carry out training activities in

compliance with the size of the institution, the volume of the business and

changing conditions for prevention of laundering proceeds of crime and

terrorist financing.

Trainings to be presented to the employees need to

include the following subjects: terms of laundering proceeds of crime and

terrorist financing; stages and methods of laundering proceeds of crime and

case studies on this matter; legislation on prevention of laundering proceeds

of crime and terrorist financing; risk areas; corporate policies and

procedures; principles on customer identification and suspicious activity

reporting; obligation of archiving and submission; obligation of providing

information and documents; sanctions to be implemented in case of breach of

obligations; international regulations on combating laundering and terrorist

financing.

(6)

Internal Control

Obliged parties are required to ensure, annually and

on a risk-based approach, examination and controlling of corporate policies and

procedures, risk management, monitoring and controlling activities, sufficiency

and efficiency of training activities and risk policy and whether the

transactions are carried out in compliance with AML legislation and corporate

policies and procedures. Internal control units and supervisory boards of

obliged parties carry out internal control activities and report such

activities to the board of directors.

(III)

The Significance of Anti-Money Laundering Compliance Program

As

stated above, compliance programs are implemented by compliance officers. However,

the ultimate responsibility for carrying out compliance program adequately and efficiently lies with the board of

directors. The board of directors may delegate some or all of its authorities to

one or more board member(s). Delegation of an authority cannot remove the

responsibility of the board of directors.

It

is important to note that in case non-compliance with obligations as to

training, internal control and risk management system, obliged parties must be given at least 30 days in order to correct

deficiencies and take necessary measures. If obliged parties do not correct

deficiencies and take necessary measures, an administrative fine of TRY 15,035 (~

EUR 2,300) could be imposed by MASAK. If the obliged party is a bank,

insurance and pension company or capital market institution, an administrative fine of TRY 30,070 (~ EUR 4,600) could

be imposed. For each breach, the total amount of administrative fines applied

to the obliged parties within the year of the breach cannot exceed TRY

1,709,600 (~ EUR 255,165) and TRY 17,096,120 (~ EUR 2,551,650) for banks, insurance

and pension companies or capital market institutions. If the obliged parties

subject to upper limit on fines (i.e. banks, insurance and pension companies or

capital market institutions) do not comply with these obligations in the

following year, the limit shall be applied twofold.

Therefore, it is crucial to comply with obligations pertaining to setting and

implementing compliance program to not to face with the administrative burdens

and reputational risk.

(IV)

Conclusion

In

light of the foregoing, institutions subject to the AML legislation are under

obligation to establish and implement risk-based compliance programs

proportionate to the size and volume of their businesses. The consequences of

non-compliance with establishment and operation of AML compliance program might

be subject to administrative fines and reputational damage to the relevant

institution.

Authors:

Gönenç Gürkaynak, Esq., Damla Doğancalı and Büşra Üstüntaş, ELIG Gürkaynak Attorneys-at-Law

(First published by Mondaq on May 3, 2019)