Cross Border Transactions and the importance of a Letter of Undertaking in third party remitter risk

The following article is the first of a series of 10 articles on cross border transactions and remittances. These articles will explore the rules and regulations that govern these transactions and the requirements Malaysian individuals or companies must fulfill when undertaking such payments via banks. They will also look into how sufficient the existing systems are in ensuring transparency in cross border remittances, the role banks and financial institutions play in the traceability of the funds, and their obligations to their clients in the event of returned remittances.

Today’s article explores a critical element in managing third-party remitter risk — the Letter of Undertaking (LOU). The LOU functions as a formal agreement between a reporting institution and the remitter, setting clear expectations on obligations under Bank Negara Malaysia’s (BNM) Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) framework.

Why the Letter of Undertaking Matters

Letters of Undertaking (LOUs) play an essential role in mitigating third-party remitter risk, particularly when payments are made by entities other than the contracting party. According to Raymon Ram, Managing Principal at Graymatter Forensic Advisory Sdn Bhd, an effective LOU must go beyond simply naming the payer, principal, and beneficiary. It should also establish the lawful purpose of the payment, justify the third party’s involvement, affirm compliance with BNM’s Foreign Exchange Administration Rules, and incorporate indemnity clauses that hold the principal accountable for the legitimacy of the transaction.

A review of global best practices shows that robust LOUs typically include clauses covering due diligence, risk assessment, and the reporting institution’s duty to identify and report suspicious transactions under BNM’s AML/CFT regulatory regime.

Key Elements Anchored in BNM’s Regulatory Requirements

Customer Due Diligence (CDD)
The LOU must reflect the reporting institution’s responsibility to identify and verify the third-party remitter and beneficial owner. This extends to ongoing monitoring of the business relationship, ensuring transactions align with the risk profile of the remitter. Verification should rely on independent and reliable documentation, with the depth of checks determined by the institution’s risk assessment frameworks, as outlined in BNM’s AML/CFT and Targeted Financial Sanctions (TFS) Policy Documents (2024).

Risk Assessment and Mitigation
The LOU must acknowledge the institution’s internal controls for managing third-party risk, applying a risk-based approach that considers the remitter’s profile, the nature of the transaction, and the origin of funds. It should address the heightened risks of relying on third parties, emphasizing the need for enhanced due diligence and robust monitoring mechanisms.

Reporting Obligations
The institution’s duty to file Suspicious Transaction Reports (STRs) to BNM’s Financial Intelligence and Enforcement Department (FIED) should be clearly spelled out in the LOU. The document must also ensure the remitter’s awareness of, and compliance with, applicable AML/CFT laws, including obligations under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA).

Responsibility and Accountability
The LOU should define the specific responsibilities of both the institution and the third-party remitter, setting out clear expectations for due diligence, risk assessment, and reporting obligations. Including an attestation or signed acknowledgment by the third party strengthens the enforceability of the agreement.

Data Sharing and Confidentiality
The LOU must address the institution’s rights and limitations in sharing customer data with other reporting institutions for CDD purposes, as permitted under AML/CFT rules. It should also affirm the duty to maintain the confidentiality of sensitive remitter information, in line with the Financial Services Act 2013 and related confidentiality provisions.

Other Regulatory Considerations
Under the Securities Commission Malaysia’s Guidelines on Conduct for Capital Market Intermediaries, firms must establish rigorous policies for monitoring third-party deposits. This includes identifying the third-party remitter (with details such as identification number, address, and contact), verifying the relationship between the customer and the payor, and documenting the reason for the deposit. Supporting documents, such as bank-in slips or remittance forms, are typically required to substantiate the transaction.

Final Words of Caution
Raymon Ram emphasizes that while LOUs provide an important legal and compliance safeguard, they are only as strong as the due diligence behind them. Banks should require comprehensive supporting documentation, including underlying commercial contracts, board approvals, or agency agreements, alongside full KYC on the third-party payer.

Failure to rigorously vet LOUs exposes financial institutions to reputational and regulatory risk. Negligent oversight can position banks as enablers of financial misconduct, while corporates or intermediaries submitting false LOUs can face severe penalties. For corporate clients, a properly crafted LOU not only clarifies the roles and responsibilities in a transaction but also helps shield them from regulatory exposure, provided the information submitted is truthful and complete.

Reference Sources

  • Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act 2001 (AMLA)
  • Bank Negara Malaysia, AML/CFT and Targeted Financial Sanctions (TFS) for Financial Institutions, 2024
  • Bank Negara Malaysia, Foreign Exchange Administration (FEA) Rules, 2023
  • Financial Services Act 2013
  • Securities Commission Malaysia, Guidelines on Conduct for Capital Market Intermediaries, revised 2023

–WE