Anti-Money Laundering & Counter-Terrorism Financing (AML/CFT) Policy & Standard Operating Procedure (SOP)
1. Policy Overview
This policy is established to ensure that PICO PLUS ROI ET CO., LTD. (hereinafter referred to as "the Company") strictly adheres to the Anti-Money Laundering Act B.E. 2542 (1999) and the Counter-Terrorism and Proliferation of Weapons of Mass Destruction Financing Act B.E. 2559 (2016) of Thailand. The Company is committed to maintaining a robust risk prevention system aligned with the Thailand National Risk Assessment (NRA) 2022-2027 strategy as mandated by the Anti-Money Laundering Office (AMLO). We maintain a Zero-Tolerance stance toward money laundering, fraud, and terrorism financing.
2. Digital Onboarding & e-KYC SOP
To ensure identity authenticity, the Company utilizes an automated verification engine compliant with IAL 2.3 standards:
- Real-Time DOPA Verification: Direct API integration with the Department of Provincial Administration (DOPA) to verify Thai ID status in real-time, filtering out IDs that are revoked, expired, or belong to deceased individuals.
- 3D Liveness Detection: Mandatory execution of facial movement sequences (blinking, nodding, opening mouth). The system requires a similarity score of ≥85% between the live capture and the ID photo.
- Sanctions Screening: Automated cross-referencing against the AMLO Thailand List, the UNSC Sanctions List, and local Politically Exposed Persons (PEPs) databases.
3. Risk-Based Approach (RBA) Matrix
In accordance with the Ministerial Regulation on Customer Due Diligence B.E. 2563 (2020), the Company categorizes customers as follows:
| Risk Level | Risk Characteristics (Red Flags) | Action Required |
| --- | --- | --- |
| Low Risk | Verified salary, stable residence, and successful DOPA verification. | Standard automated monitoring and periodic review. |
| Medium Risk | Self-employed, residing in high-risk border zones, or high transaction frequency. | Review every 6 months + verification of E-Statements. |
| High Risk | Sensitive industries (Gambling/Precious Metals), linked to multiple devices, or PEPs. | Enhanced Due Diligence (EDD): Manual phone interview + 3-month bank statement verification. |
4. Operational Flowchart
- Application Submission: Customer uploads ID card and undergoes facial recognition.
- Layer 1 Technical Verification: Triggering DOPA API validation, 3D liveness detection, and geo-fencing analysis.
- Layer 2 Sanctions Screening: Automated matching against AMLO official blacklists and global real-time sanctions lists.
- Layer 3 Risk Scoring: Automated RBA scoring based on occupation, geography, and device association.
- Layer 4 Disbursement Control: Strict prohibition of third-party disbursement; funds are only released to bank accounts matching the verified ID name.
- Layer 5 Ongoing Monitoring: Real-time "Red Flag" engine monitoring during the repayment cycle.
- Layer 6 Reporting: Suspicious findings are submitted to regulatory authorities via the AMLO AERS System by the Compliance Officer.
5. Real-Time Transaction Monitoring & Red Flags
The monitoring engine triggers immediate alerts for the following anomalies:
- Smurfing Detection: Repayments through more than 5 different channels (e.g., multiple CDM or QR transfers) for a single loan within 24 hours.
- Device Multi-Linking: A single mobile device (IMEI/UUID) associated with more than 3 unique Thai ID numbers or accounts.
- Geographic Deviation: Login from high-risk border zones (e.g., Tak, Chiang Rai) or operation via foreign VPN/Proxy IPs.
- Third-Party Repayment Anomaly: Repayments where the remitter's name does not match the borrower's registered name, or one remitter covering multiple borrowers.
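The first two rules above can be expressed as a sliding-window count and a distinct-ID count. The following Python sketch is an added example, not the Company's monitoring engine; the tuple layouts, the channel and device identifiers, and treating the 24-hour boundary as inclusive are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MAX_CHANNELS = 5        # alert when MORE than 5 distinct channels hit one loan
MAX_IDS_PER_DEVICE = 3  # alert when MORE than 3 distinct IDs share one device
WINDOW = timedelta(hours=24)

def smurfing_alerts(repayments):
    """repayments: (timestamp, loan_id, channel_id) tuples -> set of flagged loan_ids."""
    by_loan = defaultdict(list)
    for ts, loan, channel in repayments:
        by_loan[loan].append((ts, channel))
    flagged = set()
    for loan, events in by_loan.items():
        events.sort()
        in_window, start = Counter(), 0
        for ts, channel in events:
            in_window[channel] += 1
            # Slide the left edge so the window never spans more than 24 hours.
            while ts - events[start][0] > WINDOW:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > MAX_CHANNELS:
                flagged.add(loan)
                break
    return flagged

def device_link_alerts(sessions):
    """sessions: (device_id, national_id) tuples -> set of flagged device_ids."""
    ids = defaultdict(set)
    for device, national_id in sessions:
        ids[device].add(national_id)
    return {d for d, seen in ids.items() if len(seen) > MAX_IDS_PER_DEVICE}

# Constructed sample data (not real loans, devices or IDs).
T0 = datetime(2024, 1, 1, 8, 0)
REPAYMENTS = (
    [(T0 + timedelta(hours=h), "LOAN-A", f"CH-{h}") for h in range(6)]         # 6 channels in 5 h
    + [(T0 + timedelta(hours=12 * d), "LOAN-B", f"CH-{d}") for d in range(6)]  # 6 channels over 60 h
    + [(T0 + timedelta(hours=h), "LOAN-C", f"CH-{h % 2}") for h in range(6)]   # 2 channels only
)
SESSIONS = [("DEV-1", f"ID-{i}") for i in range(4)] + [("DEV-2", f"ID-{i}") for i in range(3)]

if __name__ == "__main__":
    print("smurfing:", sorted(smurfing_alerts(REPAYMENTS)))
    print("device multi-link:", sorted(device_link_alerts(SESSIONS)))
```

LOAN-B uses six channels in total but never more than three inside any 24-hour window, which is why a per-loan lifetime count would over-alert where the windowed count does not.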
6. Reporting & Data Retention
- STR Filing: Confirmed suspicious activities are reported within 7 days via the AERS (Electronic Reporting System) to AMLO.
- Threshold Reporting: Strict adherence to legal requirements for routine reporting of cash transactions (single or cumulative) exceeding the legal threshold.
- 10-Year Retention: All KYC data and transaction records are encrypted and stored for at least 10 years after the business relationship ends, ensuring compliance with PDPA B.E. 2562.
7. Internal Governance
- Compliance Officer: Responsible for maintaining liaison with AMLO and leading quarterly internal compliance audits.
- ATS Staff Training: All operational staff must annually complete certified courses from the AMLO Training System (ATS) to stay updated on the latest digital fraud and money laundering trends.
[Figures: Upload ID card; 3D liveness detection; Collection of personal information; Business process diagram]