AllfrontierGlobal
AllfrontierGlobalTrade LibraryAML, SANCTIONS, AND DATA PROTECTION
sop

AML, SANCTIONS, AND DATA PROTECTION

526 words · 37 sections · 9 data table(s)

COMPLIANCE CHECKLIST

For Trade Facilitators and Commission Agents

Organisation / Facilitator: _____________________________________________

Transaction / Mandate Ref.: _____________________________________________

Principal (Seller): _____________________________________________

Introduced Party (Buyer): _____________________________________________

Date of Assessment: _____________________________________________

Assessed by: _____________________________________________

This checklist covers the Anti-Money Laundering (AML), counter-terrorism financing (CTF), economic sanctions, and data protection compliance obligations applicable to trade facilitators, commission agents, and intermediaries operating in India-EU cross-border trade. It should be completed for each new Principal and each new Introduced Party at the outset of the relationship, and reviewed annually thereafter.

PART A — ANTI-MONEY LAUNDERING (AML) AND KNOW YOUR CUSTOMER (KYC)

A1 — Legal Framework

Trade facilitators and commission agents in India are subject to the Prevention of Money Laundering Act 2002 (PMLA) as amended, and RBI AML guidelines. EU-based parties (or parties receiving EU funds) are also subject to EU Anti-Money Laundering Directives (currently 6AMLD, with 7AMLD framework under development). The Financial Action Task Force (FATF) sets the global AML standards against which both India and the EU are assessed.

Key obligation: "Know Your Customer" — before entering into any business relationship or facilitating any transaction, a trade facilitator must identify and verify the identity of their clients (Principals and Introduced Parties) and understand the nature of the business relationship and the source of funds.

A2 — Customer Due Diligence (CDD) — Indian Principal

A3 — Customer Due Diligence (CDD) — EU Introduced Party (Buyer)

A4 — Enhanced Due Diligence (EDD) — When Required

Enhanced Due Diligence (EDD) must be applied when any of the following risk factors are present:

Principal or Introduced Party is resident in a FATF high-risk or monitored jurisdiction (as published in the FATF public statement — updated bi-annually).

Principal or Introduced Party is a PEP or is associated with a PEP.

Transaction value is unusually high relative to the apparent size and turnover of the business.

Transaction structure is unnecessarily complex, involves multiple unrelated jurisdictions, or lacks clear commercial rationale.

Unusual payment arrangements: Requests for payment to be made to an unrelated third party, to accounts in a non-correspondent banking jurisdiction, or in cash.

Principal or Introduced Party is in a sector with elevated ML/TF risk: precious metals, gems, cash-intensive businesses, luxury goods, cryptocurrencies.

EDD measures include: additional documentary verification of identity; source of wealth/funds inquiry; senior management approval before proceeding; enhanced ongoing monitoring of the relationship.

PART B — ECONOMIC SANCTIONS SCREENING

B1 — Applicable Sanctions Regimes

Trade facilitators must screen all parties against the following sanctions lists before entering into any transaction:

B2 — Sanctions Screening Procedure

PART C — EXPORT CONTROL AND PROLIFERATION FINANCING

PART D — DATA PROTECTION COMPLIANCE

D1 — Indian Data Protection (DPDP Act 2023)

The Digital Personal Data Protection Act 2023 (DPDP Act) governs the processing of digital personal data in India. It applies to trade facilitators who collect and process personal data of individuals (including business contact persons, directors, and employees of counterparties) in the course of their trade facilitation activities.

D2 — EU GDPR Compliance (For EU Counterparty Data)

PART E — ONGOING MONITORING AND ANNUAL REVIEW

COMPLIANCE SIGN-OFF

Doc 88 — AML, Sanctions, and Data Protection Compliance Checklist — Neutral Template

ItemDoneNotes
Principal's full legal name and registered address confirmed — company registration certificate reviewed.[ ]
Principal's Directors / Designated Partners / Proprietor identified — names and nationalities confirmed.[ ]
Beneficial ownership (UBO) identified — person(s) owning or controlling ≥10% of the entity (or ≥25% if using FATF threshold). UBO declaration signed.[ ]
Principal's IEC, GSTIN, and PAN confirmed and cross-referenced — documents sighted.[ ]
Nature of business confirmed: Products exported, markets served, business model, and revenue sources — plausible and consistent with the proposed mandate.[ ]
Source of goods confirmed: Principal manufactures, sources, or procures goods from identifiable and verifiable sources — supply chain not opaque.[ ]
No adverse media: Internet search of Principal, its directors, and UBOs — no adverse findings (corruption, fraud, criminal conviction, regulatory sanction, AML investigation).[ ]
PEP check: Principal and its UBOs are not Politically Exposed Persons (PEPs) — or if PEP status confirmed, enhanced due diligence applied.[ ]
No high-risk indicators: Business model does not involve unusually high cash usage, complex multi-jurisdictional structures without clear business rationale, or requests for unusual payment routing.[ ]
CDD documentation filed — IEC copy, GSTIN, company registration, UBO declaration, adverse media search record, PEP check record.[ ]
ItemDoneNotes
EU buyer's full legal name and registered address confirmed — company registration from national registry (e.g. Handelsregister Germany, KVK Netherlands, Companies House UK) reviewed.[ ]
EU buyer's Directors and UBOs (≥25% beneficial ownership per EU AML Directive) identified — UBO declaration signed or UBO registry search completed.[ ]
EU buyer's VAT registration number confirmed — cross-referenced with VIES (VAT Information Exchange System).[ ]
EU buyer's EORI number confirmed — validated on EU customs portal.[ ]
Nature of business confirmed: EU buyer's business activity (importer, distributor, manufacturer, retailer) is consistent with the product being sourced.[ ]
Source of funds: EU buyer pays from known, identifiable bank accounts — no unusual payment routing through unrelated third countries or shell entities.[ ]
No adverse media: Internet search of EU buyer, its directors, and UBOs — no adverse findings.[ ]
PEP check: EU buyer's directors and UBOs are not PEPs — or if PEP status confirmed, enhanced due diligence applied.[ ]
CDD documentation filed — company registration, UBO declaration or UBO registry printout, VIES validation, adverse media search record.[ ]
Sanctions ListAdministering Authority and Scope
UN Security Council SanctionsUnited Nations — global. Includes country-specific regimes (DPRK, Iran, Libya, Somalia, Sudan, Yemen, Mali, CAR, etc.) and individual/entity designations.
EU Consolidated Sanctions ListEuropean Commission — applies to all EU persons and transactions in EUR. Accessible at eeas.europa.eu/topics/sanctions-policy.
UK Sanctions List (OFSI)His Majesty's Treasury / OFSI — applies to UK persons and GBP transactions. Accessible at gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets.
US OFAC SDN ListUS Treasury / OFAC — applies to US persons and USD transactions. Critically important for any USD-denominated trade finance. Accessible at ofac.treas.gov.
India Sanctions / PMLA Designated ListMinistry of Finance / FIU-IND — India's designated terrorist and proliferator list under the UA(P)A and PMLA. Accessible at uapa.mha.gov.in.
MCA Debarred Directors ListMinistry of Corporate Affairs — disqualified company directors in India. Check at mca.gov.in.
ItemDoneNotes
All parties screened before transaction: Principal, Introduced Party, their Directors, UBOs, and any known intermediaries screened against all applicable sanctions lists.[ ]
Screening tool used: Manual search on official list portals, or commercially available screening tool (e.g. Refinitiv World-Check, Dow Jones Risk & Compliance, LexisNexis Bridger, ComplyAdvantage).[ ]
Screening date recorded — screening is only valid as of the date it is run. Ongoing monitoring established for the duration of the relationship.[ ]
No match found: Documented in writing — "Screened [date], no match found on [lists screened]." Filed in CDD file.[ ]
Possible match found: Escalated to compliance officer immediately. Transaction frozen pending assessment. Legal advice obtained before proceeding.[ ]
Confirmed match found: Transaction refused. SAR (Suspicious Activity Report) filed with FIU-IND (India) or relevant EU Financial Intelligence Unit as applicable. No "tipping off" of the screened party.[ ]
Ongoing monitoring: Alerts set up for all active counterparties — automated re-screening when lists are updated (EU sanctions list updated multiple times per year).[ ]
ItemDoneNotes
SCOMET check: Product confirmed as not on SCOMET control list — or SCOMET licence obtained (Doc 60 procedure followed).[ ]
EU Dual-Use check: For goods with potential dual-use applications supplied to EU parties — EU Dual-Use Regulation (EU) 2021/821 applicability assessed.[ ]
End-use check: Intended end-use of the goods is consistent with the commercial description and plausible for the buyer's business. No WMD, missile, or military end-use indicators.[ ]
Red flags reviewed: All SCOMET red flags from Doc 60 reviewed and no red flag present — documented.[ ]
Catch-all provision: Even if goods are not SCOMET-listed, if any red flag for proliferation financing exists — application for SCOMET licence made before proceeding.[ ]
WMD Act 2005: Confirmed that no party to the transaction is subject to designation under India's Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act 2005.[ ]
ItemDoneNotes
Identified all personal data processed in connection with mandate origination and deal execution: names, email addresses, phone numbers, passport copies (for KYC), bank details, director identification.[ ]
Lawful basis for processing established: Consent or legitimate interest (for B2B contact data). Consent mechanism implemented for personal data where required.[ ]
Privacy notice prepared and available to data subjects — explains what data is collected, why, how long it is retained, and data subject rights.[ ]
Data minimisation: Only personal data necessary for the mandate / KYC purpose is collected and retained.[ ]
Retention policy: Personal data retained for no longer than necessary — KYC records retained for 5 years post-relationship end (PMLA requirement). Business contact data reviewed annually.[ ]
Data Security: Personal data stored securely — access controls, encryption of sensitive documents (KYC, UBO declarations, passport copies).[ ]
Data subject rights: Process established for responding to access, correction, and erasure requests from data subjects.[ ]
Cross-border transfers: If personal data of Indian residents is transferred outside India — adequate protection ensured (DPDP Act provisions on cross-border transfers apply).[ ]
Data Fiduciary registration: If applicable — Significant Data Fiduciary (SDF) registration with Data Protection Board of India (once the Board is constituted).[ ]
ItemDoneNotes
GDPR applicability confirmed: Trade facilitator processes personal data of EU residents (EU buyer contacts, directors, employees) — GDPR applies.[ ]
Lawful basis for processing EU personal data: Legitimate interest (B2B contact data for trade facilitation) or contract performance.[ ]
Data Processing Agreement (DPA) signed with EU counterparties where the facilitator processes their employees' personal data (Doc 11).[ ]
Standard Contractual Clauses (SCCs) in place for transfer of EU personal data to India — Module 1 (Controller to Controller) or Module 2 (Controller to Processor) as applicable.[ ]
EU Article 27 Representative appointed (if facilitator has no EU establishment and regularly processes EU personal data) — representative details available.[ ]
Privacy notice: GDPR-compliant privacy notice available in English — covers data collection, legal basis, retention, rights, and international transfer.[ ]
Data subject rights: Procedure for handling GDPR access (SAR), rectification, erasure, and portability requests — 30-day response deadline.[ ]
Data breach procedure: Incident response plan for personal data breaches — 72-hour notification to supervisory authority where required.[ ]
ItemDoneNotes
Ongoing sanctions monitoring: All active counterparties on monitoring list — re-screened when sanctions lists are updated.[ ]
Annual KYC refresh: All active counterparties subject to annual KYC review — updated CDD documentation obtained.[ ]
Change notification: Any material change in a counterparty's ownership, directors, or business activities triggers an immediate KYC update.[ ]
SAR filing review: Annual review of whether any transactions gave rise to grounds for suspicion — FIU-IND SAR filing obligations reviewed.[ ]
AML training: All staff involved in mandate origination and deal execution trained on AML/CTF, sanctions, and data protection obligations — training records maintained.[ ]
Policy review: AML, sanctions, and data protection policies reviewed annually — updated for any change in applicable law (PMLA amendments, new EU sanctions regimes, DPDP Act notifications, GDPR guidance).[ ]
Regulatory change monitoring: FATF grey list / black list updates monitored bi-annually. EU sanctions regime updates monitored continuously. DPDP Act implementing rules monitored.[ ]
Principal KYC Complete:Yes / No / Pending EDD
Introduced Party KYC Complete:Yes / No / Pending EDD
Sanctions Screening — Principal:Clear [ ] Date: _____________
Sanctions Screening — Buyer:Clear [ ] Date: _____________
SCOMET Check:Not controlled [ ] Licence obtained [ ]
DPDP Act Compliance:In place [ ] Pending [ ]
GDPR Compliance (EU data):In place [ ] N/A [ ]
Overall Compliance Status:APPROVED TO PROCEED / HOLD PENDING EDD / REFUSED
Compliance Officer Sign-off:Name: ________________________ Date: _____________
Next Review Date:_____________ (12 months from sign-off)

Related guides

LETTER OF AUTHORISATIONINVOICE DISCOUNTING AND EXPORT FACTORINGINCOTERMS® 2020RULES OF ORIGIN COMPLIANCE CHECKLISTREGULATORY REGISTRATIONS REFERENCE SHEETINDIA-EU TRADE VERTICAL FACTSHEETALL FRONTIER GLOBAL NEXUS — FAQ SUPPLEMENTIMPORT DOCUMENTATION CHECKLIST
Active Mandate?

Got a related trade mandate (buy/sell/partner/distribute/franchise)? AJG brokers commission-only across 197 countries.

+91 9888 1471 47 · enquiry@allfrontierglobal.com · WhatsApp +91 9888 1471 47

Explore

Explore the AJG knowledge graph

Every page in the AJG platform cross-links to these primary entities. Click any pill to explore that branch of the knowledge graph.

All hubs · 80 surfaces · click to expand ↓