FATF – RBA for Trusts and Company Service Providers
For the full report download it here.
- The risk-based approach (RBA) is central to the effective implementation of the FATF Recommendations. It means that supervisors, financial institutions, and trust and company service providers (TCSPs) identify, assess, and understand the money laundering and terrorist financing (ML/TF) risks to which they are exposed, and implement the most appropriate mitigation measures. This approach enables them to focus their resources where the risks are higher.
- The FATF RBA Guidance aims to support the implementation of the RBA, taking into account national ML/TF risk assessments and AML/CFT legal and regulatory frameworks. It includes a general presentation of the RBA (at 8 below) and provides specific guidance for the TCSP sector (at 9 below) and for their supervisors. The Guidance was developed in partnership with the profession, to make sure it reflects expertise and good practices from within the industry.
- The development of the ML/TF risk assessment is a key starting point for the application of the RBA. It should be commensurate with the nature, size and complexity of the business. The most commonly used risk criteria are country or geographic risk, client risk and service/transaction risk. We provide examples of risk factors under these risk categories below (at 10).
- The Guidance highlights that it is the responsibility of the senior management of TCSPs to foster and promote a culture of compliance as a core business value. They should ensure that TCSPs are committed to managing ML/TF risks when establishing or maintaining business relationships.
Below we highlight that TCSPs should design their policies and procedures so that the level of initial and ongoing client due diligence measures addresses the ML/TF risks they are exposed to.
In this regard, we explain the obligations for TCSPs regarding identification and verification of beneficial ownership information (at 22) and provide examples of standard, simplified and enhanced CDD measures based on ML/TF risk (at 30).
In the full report there is guidance for the supervisors of the TCSP sector and this highlights the role of self-regulatory bodies (SRBs) in supervising and monitoring. It explains the risk-based approach to supervision as well as supervision of the risk-based approach by providing specific guidance on licensing or registration requirements for the TCSP sector, mechanisms for on-site and off-site supervision, enforcement, guidance, training and value of information-exchange between the public and private sector.
The report also highlights the importance of supervision of beneficial ownership requirements and nominee arrangements. It underscores how supervisory frameworks can help ascertain whether accurate and up-to-date beneficial ownership information on legal persons and legal arrangements is maintained by TCSPs and made available in a timely manner to competent authorities when required.
The risk-based approach to money laundering and terrorist financing means that jurisdictions, competent authorities and DNFBPs, which include trust and company service providers, should identify, assess and understand the ML-TF risks to which they are exposed and take the required measures to mitigate and manage those risks effectively and efficiently.
TCSPs should be able to identify and maintain an understanding of the ML-TF risk faced by their business, including the risk specific to their services, their client base, the jurisdictions in which they operate and the effectiveness of actual and potential risk controls that are or can be put in place. This will require the investment of resources and training.
To set the standard effectively, ML-TF supervisors will also need to maintain an understanding of the ML-TF risks specific to their area of supervision, and of the degree to which AML-CFT measures can reasonably be expected to mitigate such risks. The risk-based approach is not a “zero failure” approach; there may be occasions where a TCSP has taken reasonable and proportionate AML-CFT measures to identify and mitigate risks, but is still used for ML or TF purposes in isolated instances.
Although there are limits to any RBA, ML-TF is a real and serious problem that TCSPs must address so that they do not, unwittingly or otherwise, encourage or facilitate it. This is particularly relevant as the regulators start to tighten up on beneficial ownership; criminals, terrorists and launderers are expected to alter their methods to enable a continuance of their criminality. It is this that TCSPs have to guard against with the RBA. Key elements are summarised in the image.
The effectiveness of a risk based approach depends on a shared understanding between competent authorities and TCSPs of what the RBA entails, how it should be applied and how ML-TF risks should be addressed.
In addition to a legal and regulatory framework that spells out the degree of discretion, TCSPs should deal with the risks they identify. Competent authorities should issue risk-based approach guidance to TCSPs on meeting their legal and regulatory AML/CFT obligations. Supporting ongoing and effective communication between competent authorities and the sector is essential.
Competent authorities should acknowledge that in a risk-based regime, not all TCSPs will adopt identical AML-CFT controls. On the other hand, TCSPs should understand that a RBA does not exempt them from applying effective AML-CFT controls with a RBA.
A practical starting point for firms (especially smaller firms) and TCSPs (especially sole practitioners) would be to take the following approach.
Many of these elements are critical to satisfying other obligations owed to clients, such as fiduciary duties, and as part of their general regulatory obligations:
Client acceptance and know your client policies: identify the client (and its beneficial owners) and the true “beneficiaries” of the transaction. Obtain an understanding of the source of funds and source of wealth of the client, its owners and the purpose and nature of the transaction.
Engagement acceptance policies: Understand the nature of the work. TCSPs should know the exact nature of the service that they are providing and have an understanding of how that work could facilitate the movement or obscuring of the proceeds of crime. Where a TCSP does not have the requisite expertise, the TCSP should not undertake the work.
Understand the commercial or personal rationale for the work: TCSPs need to be reasonably satisfied that there is a commercial or personal rationale for the work undertaken. TCSPs however are not obliged to objectively assess the commercial or personal rationale if it appears reasonable and genuine.
Be attentive to red flag indicators: exercise vigilance in identifying and then carefully reviewing aspects of the transaction if there are reasonable grounds to suspect that funds are the proceeds of a criminal activity, or related to terrorist financing. These cases would trigger reporting obligations. Documenting the thought process by having an action plan may be a viable option to assist in interpreting/assessing red flags/indicators of suspicion. Then consider what action, if any, needs to be taken.
The outcomes of the above action (i.e. the comprehensive risk assessment of a particular client/transaction) will dictate the level and nature of the evidence/documentation collated under a firm’s CDD/EDD procedures (including evidence of source of wealth or funds).
TCSPs should adequately document and record steps taken under a) to e).
Country/Geographic risk. The provision of services by a TCSP may be higher risk when features of such services are connected to a higher risk country, for example:
- the origin, or current location of the source of funds in the trust, company or other legal entity;
- the country of incorporation or establishment of the company or the trusts;
- the location of the major operations or assets of the trust, company or other legal entity; and
- the country in which any of the following is a citizen or tax resident: a settlor, beneficiary, protector or other natural person exercising effective control over the trust or any beneficial owner or natural person exercising effective control over the company or other legal entity.
There is no universally agreed definition of a higher risk country or geographic area but TCSPs should pay attention to:
Countries/areas identified by credible sources as providing funding or support for terrorist activities or that have designated terrorist organisations operating within them.
Countries identified by credible sources as having significant levels of organised crime, corruption, or other criminal activity, including being a major source or a major transit country for illegal drugs, human trafficking and smuggling and illegal gambling.
Countries subject to sanctions, embargoes or similar measures issued by international organisations such as the United Nations.
Countries identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by FATF statements as having weak AML/CFT regimes, in relation to which financial institutions (as well as DNFBPs) should give special attention to business relationships and transactions.
Countries identified by credible sources to be uncooperative in providing beneficial ownership information to competent authorities, a determination of which may be established from reviewing FATF mutual evaluation reports or reports by organisations that also consider various co-operation levels such as the OECD Global Forum reports on compliance with international tax transparency standards.
Client risk. In the examples given below, the client of TCSPs may be an individual who is a settlor or beneficiary of a trust, or beneficial owner of a company, or other legal entity that is, for example, trying to obscure the real beneficial owner or natural person exercising effective control of the trust, company or other legal entity. The client may also be a representative of a company’s or other legal entity’s senior management who are, for example, trying to obscure the ownership structure. The key risk factors that TCSPs should consider are:
- The TCSP’s client base includes industries or sectors where opportunities for ML/TF are particularly prevalent.
- The clients include PEPs or persons closely associated with or related to PEPs, who are considered as higher risk clients (Please refer to the FATF Guidance (2013) on politically-exposed persons for further guidance on how to identify PEPs).
- Clients conducting their business relationship or requesting services in unusual or unconventional circumstances (as evaluated taking into account all the circumstances of the client’s representation).
- Clients where the structure or nature of the entity or relationship makes it difficult to identify in a timely manner the true beneficial owner or controlling interests or clients attempting to obscure understanding of their business, ownership or the nature of their transactions, such as:
- Unexplained use of shell and/or shelf companies, front company, legal entities with ownership through nominee shares or bearer shares, control through nominee or corporate directors, legal persons or legal arrangements splitting company incorporation and asset administration over different countries, all without any apparent legal or legitimate tax, business, economic or other reason.
- Unexplained use of informal arrangements such as family or close associates acting as nominee shareholders or directors without any apparent legal or legitimate tax, business, economic or other reason.
- Use of trust structures for tax evasion or to obscure ownership in order to place assets out of reach to avoid future liabilities.
- Unusual complexity in control or ownership structures without a clear explanation, where certain transactions, structures, geographical location, international activities or other factors are not consistent with the TCSP’s understanding of the client’s business or economic purpose behind the establishment or administration of the trust, company or other legal entity with respect to which the TCSPs are providing services.
- Unusually high levels of assets or unusually large transactions compared to what might reasonably be expected of clients with a similar profile may indicate that a client not otherwise seen as higher risk should be treated as such.
The offer by the person giving instructions to the TCSP to pay extraordinary fees for services, which would not ordinarily warrant such a premium.
The relationship between employee numbers/structure is divergent from the industry norm (e.g. the turnover of a company is unreasonably high considering the number of employees and assets compared to similar businesses).
Sudden activity from a previously dormant client without a clear explanation.
Clients that start or develop an enterprise with unexpected profile or abnormal business cycles or clients that enter into new/emerging markets. Organised criminality generally does not have to raise capital/debt, often making them first into a new market, especially where this market may be retail/cash intensive.
Indicators that the client does not wish to obtain necessary governmental approvals/filings, etc.
Payments received from un-associated or unknown third parties and payments for fees in cash where this would not be a typical method of payment.
Clients who have funds that are obviously and inexplicably disproportionate to their circumstances (e.g. their age, income, occupation or wealth).
Clients who appear to actively and inexplicably avoid face-to-face meetings or who provide instructions intermittently without legitimate reasons and are otherwise evasive or very difficult to reach, when this would not normally be expected. Subsequent lack of contact, when this would normally be expected.
Inexplicable changes in ownership.
Activities of the trust, company or other legal entity are unclear or different from the stated purposes under trust deeds or internal regulations of the company or foundation.
The legal structure has been altered frequently and/or without adequate explanation (e.g. name changes, transfer of ownership, change of beneficiaries, change of trustee or protector, change of partners, change of directors or officers).
Management of any trustee, company or legal entity appears to be acting according to instructions of unknown or inappropriate person(s).
Unreasonable choice of TCSP without a clear explanation, given the size, location or specialisation of the TCSP.
Frequent or unexplained change of professional adviser(s) or members of management of the trustee, company or other legal entity.
The person giving instructions to the TCSP is reluctant to provide all the relevant information or the TCSP has reasonable grounds to suspect that the provided information is incorrect or insufficient.
Clients who request that transactions be completed in unusually tight or accelerated timeframes without a reasonable explanation for accelerating the transaction, which would make it difficult or impossible for TCSPs to perform a proper risk assessment.
Clients who insist, without adequate justification or explanation, that transactions be effected exclusively or mainly through the use of virtual assets for the purpose of preserving their anonymity.
Clients with previous convictions for crimes that generated proceeds, who instruct TCSPs (who in turn have knowledge of such convictions) to undertake specified activities on their behalf.
Clients who change their means of payment for a transaction at the last minute and without justification (or with suspect justification), or where there is a lack of information
The transfer of the seat of a company to another jurisdiction without any genuine economic activity in the country of destination poses a risk of creation of shell companies which might be used to obscure beneficial ownership.
Clients seeking to obtain residents rights or citizenship in the country of establishment of the TCSP in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities.
Transaction/service and associated delivery channel risk. Services which may be provided by TCSPs and which (in some circumstances) risk being used to assist money launderers may include:
a) Use of pooled client accounts or safe custody of client money or assets or bearer shares, without justification.
b) Situations where advice on the setting up of legal persons or legal arrangements may be misused to obscure ownership or real economic purpose (including setting up of trusts, companies or other legal entities, or change of name/corporate seat or establishing complex group structures). This might include advising in relation to a discretionary trust that gives the trustee discretionary power to name a class of beneficiaries that does not include the real beneficiary (e.g. naming a charity as the sole discretionary beneficiary initially with a view to adding the real beneficiaries at a later stage). It might also include situations where a trust is set up for the purpose of managing shares in a company with the intention of making it more difficult to determine the beneficiaries of assets managed by the trust.
In case of an express trust, an unexplained (where explanation is warranted) nature of classes of beneficiaries and acting trustees of such a trust.
Services where TCSPs may in practice represent or assure the client’s standing, reputation and credibility to third parties, without a commensurate knowledge of the client’s affairs.
Services that are capable of concealing beneficial ownership from competent authorities.
Services that have deliberately provided, or depend upon, more anonymity in relation to the client’s identity or regarding other participants than is normal under the circumstances and in the experience of the TCSP.
Use of virtual assets and other anonymous means of payment and wealth transfer within the transaction without apparent legal, tax, business, economic or other legitimate reason.
Transactions using unusual means of payment (e.g. precious metals or stones).
The postponement of a payment for an asset or service delivered immediately to a date far from the moment at which payment would normally be expected to occur, without appropriate assurances that payment will be made.
Successive capital or other contributions in a short period of time to the same company with no apparent legal, tax, business, economic or other legitimate reason.
Acquisitions of businesses in liquidation with no apparent legal, tax, business, economic or other legitimate reason.
Power of Representation given in unusual conditions (e.g. when it is granted irrevocably or in relation to specific assets) and the stated reasons for these conditions are unclear or illogical.
Transactions involving closely connected persons and for which the client and/or its financial advisors provide inconsistent or irrational explanations and are subsequently unwilling or unable to explain by reference to legal, tax, business, economic or other legitimate reason.
Situations where a nominee is being used (e.g. friend or family member is named as owner of property/assets where it is clear that the friend or family member is receiving instructions from the beneficial owner), with no apparent legal, tax, business, economic or other legitimate reason.
Commercial, private, or real property transactions or services to be carried out by the trust, company or other legal entity with no apparent legitimate business, economic, tax, family governance, or legal reasons.
Products/services that have inherently provided more anonymity or confidentiality without a legitimate purpose.
Existence of suspicion of fraudulent transactions, or transactions that are improperly accounted for. These might include:
Over or under invoicing of goods/services.
Multiple invoicing of the same goods/services.
Falsely described goods/services – over or under shipments (e.g. false entries on bills of lading).
Multiple trading of goods/services.
Any attempt by the settlor, trustee, company or other legal entity to enter into any fraudulent transaction.
Any attempt by the settlor, trustee, company or other legal entity to enter into any arrangement to fraudulently evade tax in any relevant jurisdiction.
Variables that may impact on a RBA and risk. While all TCSPs should follow robust, high standards of due diligence in order to avoid regulatory arbitrage, due regard should be accorded to differences in practices, size, scale and expertise amongst TCSPs, as well as the nature of the clients they serve. As a result, consideration should be given to these factors when creating a RBA that also complies with the existing obligations of TCSPs.
Consideration should also be given to the resources that can be reasonably allocated to implement and manage an appropriately developed RBA. For example, a sole practitioner would not be expected to devote an equivalent level of resources as a large firm; rather, the sole practitioner would be expected to develop appropriate systems and controls and a RBA proportionate to the scope and nature of the practitioner’s practice and its clients.
Small firms serving predominantly locally based and low risk clients cannot generally be expected to devote a significant amount of senior personnel’s time to conducting risk assessments. In such cases, it may be more reasonable for sole practitioners to rely on publicly available records and information supplied by a client than it would be for a large firm having a diverse client base with different risk profiles.
However, where the source is a public registry, or the client, there is always potential risk in the correctness of the information. Sole practitioners and small firms may be regarded by criminals as more of a target for money launderers than large law firms. TCSPs in many jurisdictions and practices are required to conduct both a risk assessment of the general risks of their practice, and of all new clients and current clients engaged in one-off specific transactions. The emphasis must be on following a RBA.
A significant factor to consider is whether the client and proposed work would be unusual, risky or suspicious for the particular TCSP. This factor must always be considered in the context of the practice of the TCSP. The RBA methodology of the TCSP may thus take into account risk variables specific to a particular client or type of work. Consistent with the RBA and proportionality, the presence of one or more of these variables may cause a TCSP to conclude that either enhanced CDD and monitoring is warranted, or conversely that standard CDD and monitoring can be reduced, modified or simplified. When reducing, modifying or simplifying CDD, TCSPs should always adhere to the minimum requirements as set out in national legislation. These variables may increase or decrease the perceived risk posed by a particular client or type of work and may include:
Examples of factors that may increase risk are:
Unexplained urgency of assistance required.
Unusual sophistication of structure, including complexity of control and governance arrangements and use of multiple TCSPs.
The irregularity or limited duration of the client relationship. One-off engagements for the establishment of complex trust, company or other arrangements involving legal entities without ongoing involvement may present higher risk.
Examples of factors that may decrease risk are:
Involvement of financial institutions or other DNFBPs or TCSPs which are regulated in their home jurisdiction and subject to appropriate AML/CFT regulation.
Role or oversight of a regulator or multiple regulators (e.g. regulating TCSPs, trustees or any other person exercising effective control).
The regularity or duration of the client relationship. Long-standing relationships involving frequent client contact throughout the relationship may present less risk. In addition, a relationship may present less risk where, for example, the TCSP provides an integrated service, including acting as or providing trustees or directors of the trust, company or other legal entity and responsibility for preparation of accounts or maintaining the books and financial records of such trust, company or other legal entity.
Trusts, companies or other legal entities that are transparent and well-known in the public domain.
Listed entities and other business arrangements, such as pension trusts and employee benefit trusts and other trusts used for commercial purposes.
TCSP’s familiarity with a particular country, including knowledge of local laws and regulations as well as the structure and extent of regulatory oversight.
Trust and Company Service Providers should design CDD procedures that enable them to know, with some certainty, the true identity of the relevant beneficial owners of, or natural persons who actually exercise effective control over, the trust, company or other legal entity and, with an appropriate degree of confidence, to know the true purpose behind the establishment or use of the trust, company or other legal entity. TCSPs’ procedures should include procedures:
For identifying the client and verifying that client’s identity using reliable, independent source documents, data or information.
For identifying the relevant beneficial owners and natural persons who actually exercise control as set out in Annex 1 and taking reasonable measures to verify the identity of such persons (i.e. on a risk-based approach). This is demonstrated in the below graphic.
Enabling the TCSP to understand and, as appropriate, obtain information on the purpose and intended purpose of the trust, company or other legal entity.
Conducting ongoing due diligence on the business relationship. Ongoing due diligence ensures that the documents, data or information collected under the CDD process are kept up-to-date and relevant by undertaking reviews of existing records, particularly for higher-risk categories of clients. Undertaking appropriate CDD may also facilitate the accurate filing of suspicious transaction reports (STRs) to the financial intelligence unit (FIU), or to respond to requests for information from an FIU and the law enforcement agencies.
Where risks are higher, TCSPs should obtain information about the source of funds in the trust, company or other legal entity and source of wealth in relation to the settlor or beneficial owner.
TCSPs should design their policies and procedures so that the level of CDD addresses the risk of the trust, company or other legal entity with respect to which services are being provided by the TCSP being used for ML/TF. TCSPs should design a standard level of CDD for normal risk clients and a reduced or simplified CDD process for low risk clients.
Simplified CDD measures are not acceptable whenever there is a suspicion of ML/TF or where specific higher-risk scenarios apply. Enhanced due diligence should be applied to those clients that the TCSP has assessed as high risk. These activities may be carried out in conjunction with the TCSP’s normal acceptance procedures, and will take into account any specific jurisdictional requirements for CDD in relation to the trust, company or other legal entity and any trustee, settlor, protector, beneficial owner or other natural person exercising effective control over the trust, company or other legal entity.
In the normal course of their work, TCSPs are likely to learn more about some aspects of the trust, company or other legal entity, and the trustee, settlor, protector, beneficial owners or other natural persons exercising effective control, than other advisors. This information is likely to help the TCSP dynamically assess the ML/TF risk.
Identification of the trust, company or other legal entity, of any trustee, and of any settlor, beneficial owner or natural person exercising effective control should be periodically reviewed. This is to ensure that changes in ownership or control are properly recorded. This may be carried out in conjunction with any professional requirements for client continuation processes.
Public information sources may assist with this ongoing review. The procedures that need to be carried out can vary, in accordance with the nature and purpose for which the entity exists, and the extent to which the underlying ownership differs from apparent ownership by the use of nominee shareholders and complex structures.
The following graphic details a list of standard, enhanced and simplified CDD:
In conclusion: It is clear FATF are preparing DNFBPs for criminals shifting their modus operandi from traditional hiding of BO to more obfuscated ways to remain anonymous. As the world of money-trade-service and value transfer develops globally and business gets ever more regulated, DNFBPs need to ensure they take appropriate advice to remain socially responsible businesses.