Anti-Money Laundering FAQs

Governance, policies, procedures

  • What provisions are mandatory for AIFC Participants’ internal document on AML matters?

AIFC AML Rules set forth minimum standards for participant’s internal documents regulating AML/CFT. Internal control rules should include:

(i) appropriate representation of AML compliance function in the management, organisation of internal control system on AML matters;
(ii) risk management programme (BRA, CRA);
(iii) customer identification programme (KYC/CDD);
(iv) transaction monitoring and reviewing;
(v) employee training and awareness programme;
(vi) adequate screening procedures to ensure high standards when hiring employees (Know Your Employee);
(vii) independent audit function to test the system.

  • What law are AFSA participants subject to in terms of AML/CFT - AIFC AML Rules or Kazakhstan's Law on AML/CFT?

Both. All AIFC Participants whose activities are subject to financial monitoring are required to comply with the Law of the Republic of Kazakhstan on AML/CFT, as well as the AIFC AML/CFT and Sanctions Rules. On the territory of the AIFC, the requirements of the laws of the Republic of Kazakhstan are applied to the extent not regulated by AIFC Acts or the Constitutional Law of the Republic of Kazakhstan.

  • Is there any requirement to conduct an AML audit, and how frequent should it be?

Participants should ensure regular reviews and assessments of the effectiveness of AML policies, procedures, systems, controls, and audits on compliance with AIFC AML Rules. Such audits may be conducted by an internal audit function or externally by a competent firm at least once in two years.

  • Does the Person responsible for AML matters have to be registered or approved?

Yes, such a function should be approved. According to GEN 2.1.1, the MLRO position is a Controlled Function and is to be filled by Approved Individuals.

  • What is the reason behind the AIFC AML framework within a FinTech company prohibiting operations with cash?

The reason is not specific to FinTech companies; it is the general approach to limiting the turnover of cash in the AIFC. The outcomes of the National Risk Assessment and international regulatory bodies (FATF, FCA, Egmont) have identified that cash transactions present increased risks of facilitating the laundering of illicit funds, because cash is anonymous and difficult to trace. Cash is a bearer negotiable instrument that gives no details either on the origin of the proceeds or the beneficiary of the exchange.
Business operations specific to cash-intensive businesses present specific risks associated with the following misconduct:

  1. laundering large amounts of cash, which are proceeds of criminal activity, by claiming that the funds originate from economic activities,
  2. laundering proceeds of criminal activity, by justifying its origin based on fictitious economic activities (both for goods and services), and
  3. financing, through often small amounts of cash, terrorist activities without any traceability.

The AFSA expects that Relevant Persons should refrain from or limit employing cash-based operations in or from the AIFC.

  • Can you clarify the relationship between Kazakhstan's Law on AML/CFT (including orders) and AIFC AML Rules and Practical Guidelines?

Astana International Financial Centre (hereinafter Centre or the AIFC) is a defined territory within the city of Astana, which has a special legal framework for the financial sphere. This legal framework is a distinctive feature of the Centre and gives the bodies of AIFC an authority to adopt the AIFC Acts based on the principles, legislation and precedents of the law of England and Wales and/or on the standards of leading global financial centres. In addition, the AIFC territory is also subject to the legislation of the Republic of Kazakhstan, which is applied in the part not regulated by the Constitutional Law or acts adopted by the AIFC.

Thus, in terms of countering money laundering (legalization) of criminal proceeds and financing of terrorism (AML/CFT), the respective Law of the Republic of Kazakhstan is in force on the territory of the AIFC, but at the same time a number of regulatory acts regulating activities of AIFC Participants have also been developed and implemented in order to comply with AML/CFT requirements based on the best practices of global financial centres and international standards. Relevant Persons shall comply with AIFC AML Rules, while in any parts that are not regulated by AIFC AML Rules the Persons shall comply with Kazakhstan's AML/CFT Law. Practical Guidance to AIFC AML/CFT framework serves as support to understand the requirements of the AIFC AML framework.

  • How can an efficient organisational structure be established, and how should responsibilities be divided within the company? Who should assume the ultimate responsibility for AML Regime violations?

The ultimate responsibility for violations of the AML regime lies with the company's senior management. The MLRO, in turn, is responsible for operational activities and implementation of effective internal controls in the field of AML/CFT.

The most efficient structure in terms of functions and distribution of duties is one where three lines of defence are stipulated in the system of internal control. The three lines of defence model gives an overview of roles and responsibilities for internal control and risk assessment in a simple and effective manner. Even in small organisations where there is no formal structure or risk management system, the model can help improve the efficiency and understanding of corporate risk exposure and internal control. The model provides a description of the organisation's control structure and distinguishes three groups (or areas) that are involved in effective internal control and risk management:

  • The First Line of Defence is the process owners who manage the business risks in the organization’s processes. It owns the risk and is accountable for the design and execution of the organisation’s internal controls - “Risk ownership” (client facing divisions, front office)
  • The second line is designed to support management and provide additional expertise and knowledge, process excellence and monitoring to ensure effective risk and control management. Its activities are separate from the First Line of Defence and are partially independent (like MLRO as regards STR and TTR) but they still report functionally to Senior Management (or Special Committee in Board). – “Risk Control”.
  • The third line, which is internal audit, provides senior management and the Board with assurances of the effectiveness of the First and Second lines. The Third line is not allowed to perform managerial functions to protect their objectivity and independence. It has direct reporting to the BOD.

It is important to know that the functions of the second and third line of defence must operate independently of the lines they control. In other words, they should not perform tasks that are the responsibility of the first line. On the contrary, they should check and monitor the implementation of tasks in accordance with external and internal rules and regulations.

  • Can a compliance officer be additionally appointed as an auditor within the same licenced firm?

It is not recommended to combine second and third lines of defence so that it does not negatively impact the results of the assessment of AML/CFT systems and controls from the audit perspective.

  • A client has requested us to provide them the services for AML Compliance, so we need to do a revision on how the Client complies with AML law. The question is the following: do we need a licence in order to provide such services since we only have a licence to provide audit services?

There is no specific licence for carrying out an AML audit. Nevertheless, it is recommended to use the Practical Guidance to AIFC AML/CFT framework, in particular Annex 7, which contains information regarding the AML audit and AFSA's requirements and expectations as to the quality and scope of the AML audit. See the Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework.

  • What is the difference between AML Policy and AML Procedures? Are applicants required to develop both?

Policy is a high-level document, which may contain a general description of developed and implemented AML programmes. Procedures serve as a detailed instruction for internal use. Procedures may also be interpreted as internal control rules for AML matters and should contain a full description of all mandatory programmes and respective measures, processes and controls implemented in the company. AIFC AML Rules set forth minimum standards for participant’s internal documents regulating AML/CFT. Internal control rules should include:

(i) appropriate representation of AML compliance function in the management, organisation of internal control system on AML matters;
(ii) risk management programme (BRA, CRA);
(iii) customer identification programme (KYC/CDD);
(iv) transaction monitoring and reviewing;
(v) employees training and awareness programme;
(vi) adequate screening procedures to ensure high standards when hiring employees (Know Your Employee);
(vii) independent audit function to test the system.

  • Which authority serves as FIU for the AIFC Participants?

The FIU is the national centre for the receipt and analysis of: (a) suspicious transaction reports; and (b) other information relevant to money laundering, associated predicate offences and terrorist financing, and for the dissemination of the results of that analysis. The FIU in Kazakhstan is the Agency of Financial Monitoring.

  • What type of AML returns should be submitted and how often?

A Relevant Person must complete AFSA's AML Return form on an annual basis and submit such form to AFSA within two months after the end of each year; you can find the form here: AFSA Annual AML Return Form.docx.

  • Can a firm be relieved of AML obligations on monitoring for suspicious activities?

If a firm is considered an obliged entity (Relevant Person), it cannot be relieved of Anti-Money Laundering (AML) obligations on monitoring for threshold transactions and suspicious activities. AML obligations require firms to have a robust compliance culture, governance, and risk management programme. The firm's senior management is expected to treat AML/CFT as a top priority and demonstrate a commitment to adhering to AML obligations. The firm must establish and maintain effective internal controls, including monitoring systems, to detect and report potentially suspicious activity. Failure to comply with AML obligations or intentional violations may result in regulatory penalties, reputational damage and even criminal liability. Therefore, firms are expected to fulfil their AML obligations and actively monitor for threshold and suspicious transactions.

  • Can you clarify the distinctions between AFSA AML supervision and Kazakhstan FIU Supervision, and specify which state authority authorised individuals must report to?

AFSA is responsible for Anti-Money Laundering supervision in the AIFC. AFSA oversees the compliance of Relevant Persons (financial institutions) with AML/CFT obligations, including the efficiency of their reporting of suspicious/threshold transactions and maintaining effective internal controls. The Kazakhstan FIU (Financial Intelligence Unit) is responsible for AML supervision at the national level in Kazakhstan. It receives and analyses Suspicious Transaction Reports (STRs) and Threshold Transaction Reports (TTRs) and disseminates intelligence data to relevant authorities, if needed.

In terms of reporting obligations, the MLRO must report information relating to money laundering to the FIU, which is responsible for receiving STRs/TTRs and other relevant reports at the national level. After the STR/TTR has been reported to the FIU, AFSA should be notified of the case. It is acceptable to provide this information to AFSA not on a case-by-case basis, but by accumulating a series of cases over a certain period of time.

Staff training and awareness

  • How frequently should ongoing training for appropriate personnel be done?

Relevant Persons should take a risk-based approach to AML training. AML training should be provided by a Relevant Person to each of its relevant employees at intervals appropriate to the role and responsibilities of the employee. In the case of an Authorised Firm, training should be provided to each relevant employee at least annually. In addition, it is expected by AFSA that all new employees of AIFC Participants undergo relevant training upon commencing employment with the Participant.


  • What are the minimal requirements for MLRO appointment?

When appointing the MLRO, it is strongly recommended to consider whether the candidate has at least two years of work experience in the field of AML/CFT and certificates of continuous study in the field of AML/CFT. In the absence of the specified work experience, it is important to pay attention to certificates of training for AML/CFT purposes, which are not older than 2 years, and include theoretical and practical parts as well as the results of final tests.

In addition, for candidates for CO and MLRO positions an impeccable business reputation is crucial. For more detailed information please also use Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework.

  • Is the MLRO required to approve the STR or TTR reports with senior management?

No. The MLRO must have a level of seniority and independence within the Relevant Person which enables him/her to act on his/her own authority and to act independently in carrying out his/her responsibility on reporting.

  • What specific AML certifications are required for individuals holding the MLRO position?

When choosing courses or certification programmes for AML/CFT matters, it is recommended to focus on those that offer both theoretical and practical workshops or masterclasses for MLROs in obliged entities. It is important that the course also contains final testing. The results of testing demonstrate the level of dedication of the candidate and confirm their acquired knowledge and understanding. It is preferable when the course providers have tutors or lecturers certified by international professional programmes (like ACAMS, ICA, ACFCS or the equivalent of such).

  • Is there an option to combine the responsibilities of MLRO and Compliance Officer?

Yes. Given the nature, complexity, scale and money laundering risks of the activities of the firm’s business, some companies may decide to combine two functions in one position.

Depending on the circumstances of each company, a decision may be made on how to organise these functions (combine or separate). It is important, however, that whoever performs the compliance function, the MLRO must devote sufficient time to the role. Candidates who only intend to spend a few hours a week on this will usually fail if they do not consider the company’s exact needs.

Many large companies have 2 staff members who are responsible for these functions. In those cases, the compliance officer monitors the activities of the MLRO, since the risks of the AML/CFT are part of the compliance system. Smaller companies may offer a combination of functions.

Sometimes it may be the case that a company hires an MLRO to perform this role on a part-time basis - and AFSA sometimes agrees to this - but it is important that their commitment to this role must be proportionate and sufficient.

If the proposed Chief Compliance Officer or MLRO serves in another role within or outside the firm, any conflicts of interest must be understood and addressed. For example, successful candidates will typically be independent of the customer facing side of the business, as one of their responsibilities will be to oversee the customer facing business and make the decision to accept the client.

  • What MLRO Certification in KZ is acknowledged by the AIFC? What are the minimum requirements for courses?

When choosing courses or certification programmes for AML/CFT matters, it is recommended to focus on those that offer both theoretical and practical workshops or masterclasses for MLROs in obliged entities. It is important that the course also contains final testing. The results of testing demonstrate the level of dedication of the candidate and confirm their acquired knowledge and understanding. It is preferable when the course providers have tutors or lecturers certified by international professional programmes (like ACAMS, ICA, ACFCS or an equivalent).

  • How critical is the requirement to appoint a Deputy MLRO?

It is a mandatory requirement. A Relevant Person should make adequate arrangements to ensure that it remains in compliance with AIFC AML/CFT and Sanctions Rules in the event that its MLRO is absent. Adequate arrangements would include appointing a temporary (deputy) MLRO for the period of the MLRO's absence or making sure that the Relevant Person’s AML systems and controls allow it to continue to comply with the Rules when the MLRO is absent.

Risk Assessment

  • What does RBA stand for and what are the main takeaways of RBA for AIFC Participants?

Risk-based approach or RBA. Obliged entities should identify, assess, and understand the money laundering, terrorist financing and sanctions risks they face. They should take appropriate measures to mitigate the identified risks. The risk-based approach allows limited resources to be allocated in a targeted manner in line with specific circumstances to increase the efficiency of preventive measures. Certain aspects of a financial organisation’s business pose greater money laundering risks than others and therefore require additional controls to mitigate those risks. Other aspects of business present a minimal risk and do not need the same level of attention.

  • What does BURA stand for?

Business (enterprise-wide) risk assessment or BURA. In order to identify and assess the risks of money laundering, a Relevant Person must conduct a business risk assessment. Before designing AML/CFT programmes and developing the internal policies and procedures, it is imperative to understand what is required of a financial organisation, its employees, and customers according to the risk exposure. The company should understand its vulnerabilities and threats. A risk-based approach requires financial organisations to implement systems and controls that are commensurate with the specific risks of money laundering and terrorist financing they can face. When assessing risk, it is recommended to consider:

  • Customer risk factors, such as type of customers
  • Country or geographic/jurisdictional risks
  • Product, service, transaction, and delivery channel risk factors.

Business risk assessment should be conducted regularly and the outcomes have to be provided to Senior Management.

  • What risk factors must be taken into account?

When assessing risk, it is recommended to consider:

  • Customer risk factors, such as type and characteristics of customers
  • Country or geographic/jurisdictional risks
  • Product, service, transaction, and delivery channel risk factors

  • What does risk model mean?

Risk Model for AML matters denotes a quantitative (numerical) and qualitative (hybrid) approach that aims to produce systematic risk assessments for the purpose of AML risk understanding and management.

RBA identifies, manages and analyses AML/CFT risks in order to develop and effectively implement appropriate procedures and controls. It is therefore critical that risk ratings accurately reflect existing risks, provide meaningful assessments leading to practical steps to reduce those risks, are reviewed periodically and, where necessary, regularly updated.

The risk-based analysis should include, among other things, relevant inherent and residual risks at the country, industry, entity itself and business relationship levels.

Inherent risks represent the level of risk that exists in the absence of controls, whereas residual risks are the amount of risk that remains after controls are applied.

As a result of this analysis, the Relevant Person should develop a thorough understanding of the risks inherent in its customer base, products, delivery channels, services offered (including new services/products offered), and the jurisdictions in which it and its customers do business or territories where they are registered. This understanding should be based on operational, transactional and other internal information collected by the organisation, as well as external reliable sources.

When identifying all ML/TF risks, all relevant information must be considered. This typically requires the input of experts from the business, risk management, compliance / legal departments, as well as advice from external experts when necessary. Current and new business products and services should be assessed for vulnerability to money laundering and sanctions, and appropriate controls should be put in place before going live. There is also a growing number of useful ML/TF risk assessment guidelines available to the public that should be taken into account, for example those published by the FATF, FSRB, regulators and other agencies such as the UNODC, the IMF, the World Bank, as well as jurisdiction-specific information, advice and guidance. Risk is dynamic and requires constant management. It should also be noted that the environment in which every organisation operates is subject to constant change. Externally, political changes in a jurisdiction, as well as the introduction or lifting of economic sanctions, can affect a country's risk rating.

  • What is a risk scoring?

The risk assessment model uses numerical values to determine the risk category (geography, customer type, products, services, channels used) and the customer's overall risk. Each category can be scored differently, depending on the circumstances of each company's business. The general idea is that, for instance, if the scale is from 1 to 10, then 10 will correspond to the highest risk and 1 to the lowest (the same logic applies if the scale is from 1 to 100). Individual categories can be scored: 1–3 as "lower risk", 4–7 as "medium risk", and 8–10 as "high risk"; if the outcome exceeds 10, it should be considered prohibited or extremely high (intolerable). Such a model is particularly useful in risk analysis to help determine appropriate controls. These risk categories are then combined to produce a composite score. A simple model simply adds up the category totals, resulting in a score ranging. The model can be made more complex by weighting each of the factors and subfactors differently, for example by focusing more on customer type rather than on product or country. The model can be made even more complex, for example by creating combinations of factors that will determine the overall rating. The degree of complexity varies by organization; the more complex, the more likely the rating will reflect the client's real overall risk.

Take a simple three-element model (customer type, product risk factor and country risk factor). Care must be taken to avoid inadvertently excluding any element that is different from the other elements. For example, if each item has a risk score of 3, the composite or cumulative score will be 9. However, if two of the three items have a score of 1 and the other has a score of 7, the composite risk score will also be 9. In this case, it is necessary to determine how and in what way an item rated 7 should be mitigated. This may mean introducing much stricter controls or introducing some additional restrictions.
It is crucial to understand that by combining categories, a customer's risk profile becomes clearer. For example, when you combine a product with a customer type, the combination can radically change the level of risk.

For example, we have a small foreign private company that was registered less than a year ago, has liaisons with offshore jurisdictions, and about which you have little information, that wants to open an account with money transfer capabilities. This client's ability to quickly transfer funds increases the level of risk, and its connections to the offshore territories also impact the risk rating. A customer may also have a higher risk rating depending on geographic location, customer type, and products and services. Another example is a public domestic company with decades of history and listed on a major stock exchange that wants to create a salary plan for its own employees in your financial institution. Public companies must provide extensive information to list on a major stock exchange. Moreover, salary plan accounts are not very vulnerable to money laundering. As a result, this customer and account will pose less risk than the foreign private company example.

The next step is to determine what thresholds should be set for each risk category. The company must ensure that high-risk relationships do not form too large a segment of the general customer portfolio. This is not to say that assessments should be tailored to a customer's portfolio, but rather that high-risk clients do require much more attention. Additionally, if a portfolio is too heavily weighted toward high risk, the overall level of risk in the organization may be too high and it should reconsider the concept of its business.
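
The three-element model above, worked as an added example (this is not AFSA code or part of the AIFC Rules). The band boundaries come from the FAQ; the weights, the use of a weighted average to band the composite, and the rule that the overall rating is never lower than the highest single category are assumptions made for illustration.

```python
"""Added illustration of the FAQ's risk-scoring model; not AFSA code."""

# Bands in ascending order of severity, as named in the FAQ for a 1-10 scale.
BANDS = ["lower", "medium", "high", "prohibited"]


def band(score):
    """Map a category score (or an average of scores) to a band.

    FAQ boundaries: 1-3 lower, 4-7 medium, 8-10 high, above 10 prohibited.
    Assumption: a fractional average such as 3.5 falls into the next band up.
    """
    if score < 1:
        raise ValueError("scores start at 1 on the FAQ's scale")
    if score <= 3:
        return "lower"
    if score <= 7:
        return "medium"
    if score <= 10:
        return "high"
    return "prohibited"


def assess(scores, weights=None):
    """Score one customer across risk categories.

    scores  -- dict of category name -> score, e.g. customer/product/country
    weights -- optional dict of category name -> weight (assumed values);
               equal weights are used when omitted.

    Returns the simple composite (sum), the weighted average and its band,
    the categories that sit in a higher band than the average ("drivers"),
    and an overall band that is never lower than the worst category
    (an assumed override rule, so one risky element is not averaged away).
    """
    if not scores:
        raise ValueError("at least one risk category is required")
    if weights is None:
        weights = {name: 1.0 for name in scores}
    if set(weights) != set(scores):
        raise ValueError("weights must cover exactly the scored categories")

    composite = sum(scores.values())
    weighted_average = (
        sum(scores[name] * weights[name] for name in scores)
        / sum(weights.values())
    )
    average_band = band(weighted_average)
    category_bands = {name: band(value) for name, value in scores.items()}

    # Categories hidden by the composite: their own band exceeds the average's.
    drivers = sorted(
        name for name, b in category_bands.items()
        if BANDS.index(b) > BANDS.index(average_band)
    )
    overall_band = max([average_band, *category_bands.values()], key=BANDS.index)

    return {
        "composite": composite,
        "weighted_average": weighted_average,
        "average_band": average_band,
        "category_bands": category_bands,
        "drivers": drivers,
        "overall_band": overall_band,
    }


if __name__ == "__main__":
    # Constructed sample profiles mirroring the FAQ's 3/3/3 and 1/1/7 cases.
    uniform = {"customer": 3, "product": 3, "country": 3}
    skewed = {"customer": 1, "product": 1, "country": 7}
    for label, profile in (("uniform", uniform), ("skewed", skewed)):
        result = assess(profile)
        print(label, result["composite"], result["overall_band"], result["drivers"])

    # Assumed weights that emphasise customer type over product and country.
    emphasis = {"customer": 0.5, "product": 0.25, "country": 0.25}
    print(assess({"customer": 7, "product": 1, "country": 1}, emphasis))
```

Both sample profiles have a composite of 9, but only the second reports a driver category, which is the element the FAQ says needs its own mitigation.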


  • What is a "reasonable time" to verify customers' identities before or after the relationship with the customer is established?

A Relevant Person should conduct KYC/CDD before establishing relationships with the customer. The inability to conduct KYC/CDD procedures should be a reason for: not carrying out a transaction with or for the customer through a bank account or in cash; not opening an account or otherwise providing any service; not otherwise establishing a business relationship or carrying out any transactions; terminating any existing business relationship with the customer; and considering whether the inability to conduct or complete CDD necessitates the making of an STR to the FIU.

What is reasonable depends on the specifics of the business. There is a difference between opening a checking account with a commercial bank and registering as a portfolio investor with an investment company. The goal is to understand whether the risks are acceptable before the client can operate.

  • What recordkeeping requirements are mandatory to be followed?

A Relevant Person must maintain a copy of all documents and information obtained in conducting initial and on-going KYC/CDD, all the supporting records (consisting of the original documents or certified copies) in respect of the customer business relationship, including transactions; STRs, TTRs and any relevant supporting documents and information, including internal findings and analysis; any relevant communications with the FIU; and results of risk assessments analysis. All documents must be maintained for at least six years from the date on which the notification or report was made, the business relationship ends, or the transaction is completed, whichever occurs last. For more detailed information please also use Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework.

  • How long must a firm retain customer identification records for?

A Participant must retain records of all of the identification information obtained from the customer, STRs, TTRs, any relevant communications with the FIU and other information mentioned in the AIFC AML Rules 14.5 for at least 6 (six) years after the business relationship ends or the transaction is completed, whichever occurs last. For more detailed information, please also use: Practical Guidance to AIFC Anti-Money Laundering and Counter – Terrorist Financing Framework.

  • Can the Relevant Person rely on third party for the on-going monitoring on its customers?

No. It is prohibited in accordance with FATF R.17. On-going monitoring means conducting ongoing due diligence on the business relationship and scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the institution’s knowledge of the customer, their business and risk profile, including the source of funds.

The Relevant Person can rely on the third party for:

  1. Identifying the customer and verifying customer’s identity using reliable, independent source documents, data or information.
  2. Identifying the beneficial owner and taking reasonable measures to verify the identity of the beneficial owner, such that the financial institution is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include financial institutions understanding the ownership and control structure of the customer.
  3. Understanding and, as appropriate, obtaining information on the purpose and intended nature of the business relationship.

But not for conducting on-going monitoring (due diligence).

  • What documents can serve as justification for a source of funds and source of wealth?

The rationale behind AFSA's (AIFC AML Rules) request for a Source of Funds (SOF) and Source of Wealth (SOW) is to ensure that the funds used in a transaction are legitimate and not derived from criminal activities. By obtaining information about the SOF and SOW, AFSA aims to assess the risk profile of the customer and identify any potential money laundering or terrorist financing risks. 

Understanding the SOF involves determining where the funds for a specific service or transaction are coming from, such as a specific bank account or financial institution. This information helps verify the legitimacy of the funds and their alignment with the customer's SOW. 

There are documents that can serve as justification for SOF and SOW. These documents can include:

Proof of Dividend Payments: Documents that demonstrate dividend payments connected to a shareholding.

Release of Pension: A copy of the client’s pension statement and a copy of their bank account statement showing the money being received from the pension company.

Savings: Statements from the bank showing how the client gets paid by their employer, pension or annuity, and the money growing in their bank account over time (six months).

Salary/Bonus Certificates: Certificates or documents that verify the customer's salary or bonus payments.

Loan Documentation: Documentation related to loans, such as loan agreements or loan statements.

Proof of Transaction: Documents that provide evidence of a specific transaction that gave rise to the payment into the account.

Share Certificates: Certificates that confirm ownership of shares in a company.

Register Data: Data from registers or databases that provide information on the ownership of companies and assets.

Probate Documents: Documents related to the distribution of a deceased person's estate, such as a will or grant of probate.

Audited Accounts and Financial Statements: Financial statements and audited accounts that provide information on the financial situation of a legal person.

These documents, among others, can be used to establish the source of funds and source of wealth. The specific documents required may vary depending on the circumstances and the nature of the customer's financial activities. It is important for Relevant Persons to obtain and verify relevant documentation to ensure compliance with AML/CFT regulations. It is important to focus not only on confirmation of the existence of funds but on their sources and the length of their existence.

Screening customers against sanctions lists

  • Are there any tools available to help my firm search the U.S. Treasury's Office of Foreign Assets Control's (OFAC’s), UK HMT, EU, or Kazakhstan sanctions lists?

There are openly available resources. OFAC’s Sanctions List Search is a free source that assists the public in complying with sanctions programmes by facilitating the use of the Specially Designated National and Blocked Persons list (the “SDN list”) and other sanctions lists administered by OFAC:

For HM Treasury list please follow the link:
For EU sanction list please follow the link:

For UNSC and Kazakhstan sanction lists please use the FIU platform AFM.

  • Must AIFC licenced firms comply with sanctions imposed by the relevant authorities in the US, EU and UK?

Yes. AIFC participants should stipulate relevant procedures and controls to mitigate the risks of sanctions violations.

Law enforcement

  • Who should serve as the main point of contact with the FIU and law enforcement agencies?

The MLRO should be responsible for acting as the point of contact within the Relevant Person for the AFSA, FIU and any other competent authority regarding money laundering issues.
