This post has already been read 842 times!
The guidance in this post comes from the EU. It can and is applied globally as best practice.
Assessing and managing risk: general
These guidelines come in two parts. This part is general and applies to all firms. Part 2 is sector-specific. Both parts should be read in conjunction with each other to achieve the most rounded view-point, when reviewing risk for a specific sector of the industry (retail banking or Wealth Management as examples).
Firms’ approach to assessing and managing the ML/TF risk associated with business relationships and occasional transactions should include the following:
- Business-wide risk assessments should help firms understand where they are exposed to ML/TF risk and which areas of their business they should prioritise in the fight against ML/TF. To that end, and in line with Article 8 of Directive (EU) 2015/849, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers. The steps firms take to identify and assess ML/TF risk across their business must be proportionate to the nature and size of each firm. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.
Customer Due Diligence (CDD)
- Firms should use the findings from their business-wide risk assessment to inform their decision on the appropriate level and type of CDD that they will apply to individual business relationships and occasional transactions.
- Before entering into a business relationship or carrying out an occasional transaction, firms should apply initial CDD in line with Article 13(1)(a), (b) and (c) and Article 14(4) of Directive (EU) 2015/849. Initial CDD should include at least risk-sensitive measures to:
- identify the customer and, where applicable, the customer’s beneficial owner or legal representatives;
- verify the customer’s identity on the basis of reliable and independent sources and, where applicable, verify the beneficial owner’s identity in such a way that the firm is satisfied that it knows who the beneficial owner is; and
- establish the purpose and intended nature of the business relationship.
- Firms should adjust the extent of initial CDD measures on a risk-sensitive basis. Where the risk associated with a business relationship is low, and to the extent permitted by national legislation, firms may be able to apply simplified customer due diligence measures (SDD). Where the risk associated with a business relationship is increased, firms must apply enhanced customer due diligence measures (EDD).
Obtaining a holistic view
- Firms should gather sufficient information to be satisfied that they have identified all relevant risk factors, including, where necessary, by applying additional CDD measures, and assess those risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction. Firms should note that the risk factors listed in these guidelines are not exhaustive, and that there is no expectation that firms will consider all risk factors in all cases.
Monitoring and Review
- Firms must keep their risk assessment up to date and under review. Firms must monitor transactions to ensure that they are in line with the customer’s risk profile and business and, where necessary, examine the source of funds, to detect possible ML/TF. They must also keep the documents, data or information they hold up to date, with a view to understanding whether the risk associated with the business relationship has changed.
Risk assessments: methodology and risk factors
A risk assessment should consist of two distinct but related steps:
a) the identification of ML/TF risk; and
b) the assessment of ML/TF risk.
Identifying ML/TF risk
Firms should find out which ML/TF risks they are, or would be, exposed to as a result of entering into a business relationship or carrying out an occasional transaction.
When identifying ML/TF risks associated with a business relationship or occasional transaction, firms should consider relevant risk factors including who their customer is, the countries or geographical areas they operate in, the particular products, services and transactions the customer requires and the channels the firm uses to deliver these products, services and transactions.
Sources of information
Where possible, information about these ML/TF risk factors should come from a variety of sources, whether these are accessed individually or through commercially available tools or databases that pool information from several sources. Firms should determine the type and numbers of sources on a risk-sensitive basis.
Firms should always consider the following sources of information:
- The European Commission’s supranational risk assessment;
- Information from government, such as the government’s national risk assessments, policy statements and alerts, and explanatory memorandums to relevant legislation;
- Information from regulators, such as guidance and the reasoning set out in regulatory fines;
- Information from Financial Intelligence Units (FIUs) and law enforcement agencies, such as threat reports, alerts and typologies; and
- Information obtained as part of the initial CDD process.
Other sources of information firms may consider in this context may include, among others:
- The firm’s own knowledge and professional expertise;
- Information from industry bodies, such as typologies and emerging risks;
- Information from civil society, such as corruption indices and country reports;
- Information from international standard-setting bodies such as mutual evaluation reports or legally non-binding blacklists;
- Information from credible and reliable open sources, such as reports in reputable newspapers;
- Information from credible and reliable commercial organisations, such as risk and intelligence reports; and
- Information from statistical organisations and academia.
Firms should note that the following risk factors are not exhaustive, nor is there an expectation that firms will consider all risk factors in all cases. Firms should take a holistic view of the risk associated with the situation and note that, unless Directive (EU) 2015/849 or national legislation states otherwise, the presence of isolated risk factors does not necessarily move a relationship into a higher or lower risk category.
Customer risk factors
When identifying the risk associated with their customers, including their customers’ beneficial owners, firms should consider the risk related to:
- The customer’s and the customer’s beneficial owner’s business or professional activity;
- The customer’s and the customer’s beneficial owner’s reputation; and
- The customer’s and the customer’s beneficial owner’s nature and behaviour.
Risk factors that may be relevant when considering the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include:
- Does the customer or beneficial owner have links to sectors that are commonly associated with higher corruption risk, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement?
- Does the customer or beneficial owner have links to sectors that are associated with higher ML/TF risk, for example certain Money Service Businesses, casinos or dealers in precious metals?
- Does the customer or beneficial owner have links to sectors that involve significant amounts of cash?
- Where the customer is a legal person or a legal arrangement, what is the purpose of their establishment? For example, what is the nature of their business?
- Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849.
- Does the customer or beneficial owner hold another prominent position or enjoy a high public profile that might enable them to abuse this position for private gain? For example, are they senior local or regional public officials with the ability to influence the awarding of public contracts, decision-making members of high-profile sporting bodies or individuals who are known to influence the government and other senior decision-makers?
- Is the customer a legal person subject to enforceable disclosure requirements that ensure that reliable information about the customer’s beneficial owner is publicly
- For guidance on risk factors associated with beneficiaries of life insurance policies, please refer to ‘Insurance Risk’.
- Is the customer a credit or financial institution acting on its own account from a jurisdiction with an effective AML/CFT regime and is it supervised for compliance with local AML/CFT obligations? Is there evidence that the customer has been subject to supervisory sanctions or enforcement for failure to comply with AML/CFT obligations or wider conduct requirements in recent years?
- Is the customer a public administration or enterprise from a jurisdiction with low levels of corruption?
- Is the customer’s or the beneficial owner’s background consistent with what the firm knows about their former, current or planned business activity, their business’s turnover, the source of funds and the customer’s or beneficial owner’s source of wealth?
The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owners’ reputation:
- Are there adverse media reports or other relevant sources of information about the customer, for example are there any allegations of criminality or terrorism against the customer or the beneficial owner? If so, are these reliable and credible? Firms should determine the credibility of allegations on the basis of the quality and independence of the source of the data and the persistence of reporting of these allegations, among other considerations. Firms should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.
- Has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?
- Does the firm know if the customer or beneficial owner has been the subject of a suspicious transactions report in the past?
- Does the firm have any in-house information about the customer’s or the beneficial owner’s integrity, obtained, for example, in the course of a long-standing business relationship?
The following risk factors may be relevant when considering the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established:
- Does the customer have legitimate reasons for being unable to provide robust evidence of their identity, perhaps because they are an asylum seeker?
- Does the firm have any doubts about the veracity or accuracy of the customer’s or beneficial owner’s identity?
- Are there indications that the customer might seek to avoid the establishment of a business relationship? For example, does the customer look to carry out one transaction or several one-off transactions where the establishment of a business relationship might make more economic sense?
- Is the customer’s ownership and control structure transparent and does it make sense? If the customer’s ownership and control structure is complex or opaque, is there an obvious commercial or lawful rationale?
- Does the customer issue bearer shares or does it have nominee shareholders?
- Is the customer a legal person or arrangement that could be used as an asset-holding vehicle?
- Is there a sound reason for changes in the customer’s ownership and control structure?
- Does the customer request transactions that are complex, unusually or unexpectedly large or have an unusual or unexpected pattern without an apparent economic or lawful purpose or a sound commercial rationale? Are there grounds to suspect that the customer is trying to evade specific thresholds such as those set out in Article 11(b) of Directive (EU) 2015/849 and national law where applicable?
- Does the customer request unnecessary or unreasonable levels of secrecy? For example, is the customer reluctant to share CDD information, or do they appear to want to disguise the true nature of their business?
- Can the customer’s or beneficial owner’s source of wealth or source of funds be easily explained, for example through their occupation, inheritance or investments? Is the explanation plausible?
- Does the customer use the products and services they have taken out as expected when the business relationship was first established?
- Where the customer is a non-resident, could their needs be better serviced elsewhere? Is there a sound economic and lawful rationale for the customer requesting the type of financial service sought? Firms should note that Article 16 of Directive 2014/92/EU creates a right for customers who are legally resident in the Union to obtain a basic payment account, but this right applies only to the extent that credit institutions can comply with their AML/CFT obligations.
- Is the customer a non-profit organisation whose activities could be abused for terrorist financing purposes?
Countries and geographical areas
When identifying the risk associated with countries and geographical areas, firms should consider the risk related to:
- The jurisdictions in which the customer and beneficial owner are based;
- The jurisdictions that are the customer’s and beneficial owner’s main places of business; and
- The jurisdictions to which the customer and beneficial owner have relevant personal links.
Firms should note that the nature and purpose of the business relationship will often determine the relative importance of individual country and geographical risk factors. For example:
- Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.
- Where funds are received from, or sent to, jurisdictions where groups committing terrorist offences are known to be operating, firms should consider to what extent this could be expected to or might give rise to suspicion, based on what the firm knows about the purpose and nature of the business relationship.
- Where the customer is a credit or financial institution, firms should pay particular attention to the adequacy of the country’s AML/CFT regime and the effectiveness of AML/CFT supervision.
- Where the customer is a legal vehicle or trust, firms should take into account the extent to which the country in which the customer and, where applicable, the beneficial owner are registered effectively complies with international tax transparency standards.
Risk factors firms should consider when identifying the effectiveness of a jurisdiction’s AML/CFT regime include:
- Has the country been identified by the Commission as having strategic deficiencies in its AML/CFT regime, in line with Article 9 of Directive (EU) 2015/849? Where firms deal with natural or legal persons resident or established in third countries that the Commission has identified as presenting a high ML/TF risk, firms must always apply EDD measures.
- Is there information from more than one credible and reliable source about the quality of the jurisdiction’s AML/CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight? Examples of possible sources include mutual evaluation reports by the Financial Action Task Force (FATF) or FATF-style Regional Bodies (FSRBs) (a good starting point is the executive summary and key findings and the assessment of compliance with Recommendations 10, 26 and 27 and Immediate Outcomes 3 and 4), the FATF’s list of high-risk and non- cooperative jurisdictions, International Monetary Fund (IMF) assessments and Financial Sector Assessment Programme (FSAP) reports. Firms should note that membership of the FATF or an FSRB (e.g. MoneyVal) does not, of itself, mean that the jurisdiction’s AML/CFT regime is adequate and effective.
- Firms should note that Directive (EU) 2015/849 does not recognise the ‘equivalence’ of third countries and that EU Member States’ lists of equivalent jurisdictions are no longer being maintained. To the extent permitted by national legislation, firms should be able to identify lower risk jurisdictions in line with these guidelines and Annex II of Directive (EU) 2015/849.
Risk factors firms should consider when identifying the level of terrorist financing risk associated with a jurisdiction include:
- Is there information, for example from law enforcement or credible and reliable open media sources, suggesting that a jurisdiction provides funding or support for terrorist activities or that groups committing terrorist offences are known to be operating in the country or territory?
- Is the jurisdiction subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation issued by, for example, the United Nations or the European Union ?
Risk factors firms should consider when identifying a jurisdiction’s level of transparency and tax compliance include:
- Is there information from more than one credible and reliable source that the country has been deemed compliant with international tax transparency and information sharing standards? Is there evidence that relevant rules are effectively implemented in practice? Examples of possible sources include reports by the Global Forum on Transparency and the Exchange of Information for Tax Purposes of the Organisation for Economic Co-operation and Development (OECD), which rate jurisdictions for tax transparency and information sharing purposes; assessments of the jurisdiction’s commitment to automatic exchange of information based on the Common Reporting standard; assessments of compliance with FATF Recommendations 9, 24 and 25 and Immediate Outcomes 2 and 5 by the FATF or FSRBs; and IMF assessments (e.g. IMF staff assessments of offshore financial centres).
- Has the jurisdiction committed to, and effectively implemented, the Common Reporting Standard on Automatic Exchange of Information, which the G20 adopted in 2014?
- Has the jurisdiction put in place reliable and accessible beneficial ownership registers?
Risk factors firms should consider when identifying the risk associated with the level of predicate offences to money laundering include:
- Is there information from credible and reliable public sources about the level of predicate offences to money laundering listed in Article 3(4) of Directive (EU) 2015/849, for example corruption, organised crime, tax crime and serious fraud? Examples include corruption perceptions indices; OECD country reports on the implementation of the OECD’s anti-bribery convention; and the United Nations Office on Drugs and Crime World Drug Report.
- Is there information from more than one credible and reliable source about the capacity of the jurisdiction’s investigative and judicial system effectively to investigate and prosecute these offences?
Products, services and transactions risk factors
When identifying the risk associated with their products, services or transactions, firms should consider the risk related to:
- The level of transparency, or opaqueness, the product, service or transaction affords;
- The complexity of the product, service or transaction; and
- The value or size of the product, service or transaction.
Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s transparency include:
- To what extent do products or services allow the customer or beneficial owner or beneficiary structures to remain anonymous, or facilitate hiding their identity? Examples of such products and services include bearer shares, fiduciary deposits, offshore vehicles and certain trusts, and legal entities such as foundations that can be structured in such a way as to take advantage of anonymity and allow dealings with shell companies or companies with nominee shareholders.
- To what extent is it possible for a third party that is not part of the business relationship to give instructions, for example in the case of certain correspondent banking relationships?
Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s complexity include:
- To what extent is the transaction complex and does it involve multiple parties or multiple jurisdictions, for example in the case of certain trade finance transactions? Are transactions straightforward, for example are regular payments made into a pension fund?
- To what extent do products or services allow payments from third parties or accept overpayments where this is would not normally be expected? Where third party payments are expected, does the firm know the third party’s identity, for example is it a state benefit authority or a guarantor? Or are products and services funded exclusively by fund transfers from the customer’s own account at another financial institution that is subject to AML/CFT standards and oversight that are comparable to those required under Directive (EU) 2015/849?
- Does the firm understand the risks associated with its new or innovative product or service, in particular where this involves the use of new technologies or payment methods?
Risk factors that may be relevant when considering the risk associated with a product, service or transaction’s value or size include:
- To what extent are products or services cash intensive, as are many payment services but also certain current accounts?
- To what extent do products or services facilitate or encourage high-value transactions? Are there any caps on transaction values or levels of premium that could limit the use of the product or service for ML/TF purposes?
Delivery channel risk factors
When identifying the risk associated with the way in which the customer obtains the products or services they require, firms should consider the risk related to:
- The extent to which the business relationship is conducted on a non-face-to-face basis; and
- Any introducers or intermediaries the firm might use and the nature of their relationship with the firm.
When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including:
- Is the customer physically present for identification purposes? If they are not, has the firm used a reliable form of non-face-to-face CDD? Has it taken steps to prevent impersonation or identity fraud?
- Has the customer been introduced by another part of the same financial group and, if
- so, to what extent can the firm rely on this introduction as reassurance that the customer will not expose the firm to excessive ML/TF risk? What has the firm done to satisfy itself that the group entity applies CDD measures to European Economic Area (EEA) standards in line with Article 28 of Directive (EU) 2015/849?
- Has the customer been introduced by a third party, for example a bank that is not part of the same group, and is the third party a financial institution or is its main business activity unrelated to financial service provision? What has the firm done to be satisfied that:
- The third party applies CDD measures and keeps records to EEA standards and that it is supervised for compliance with comparable AML/CFT obligations in line with Article 26 of Directive (EU) 2015/849;
- The third party will provide, immediately upon request, relevant copies of identification and verification data, inter alia in line with Article 27 of Directive (EU) 2015/849; and
- The quality of the third party’s CDD measures is such that it can be relied upon?
- Has the customer been introduced through a tied agent, that is, without direct firm contact? To what extent can the firm be satisfied that the agent has obtained enough information so that the firm knows its customer and the level of risk associated with the business relationship?
- If independent or tied agents are used, to what extent are they involved on an ongoing basis in the conduct of business? How does this affect the firm’s knowledge of the customer and ongoing risk management?
- Where a firm uses an intermediary:
- Are they a regulated person subject to AML obligations that are consistent with those of Directive (EU) 2015/849?
- Are they subject to effective AML supervision? Are there any indications that the intermediary’s level of compliance with applicable AML legislation or regulation is inadequate, for example has the intermediary been sanctioned for breaches of AML/CFT obligations?
- Are they based in a jurisdiction associated with higher ML/TF risk? Where a third party is based in a high-risk third country that the Commission has identified as having strategic deficiencies, firms must not rely on that intermediary. However, to the extent permitted by national legislation, reliance may be possible provided that the intermediary is a branch or majority-owned subsidiary of another firm established in the Union, and the firm is confident that the intermediary fully complies with group-wide policies and procedures in line with Article 45 of Directive (EU) 2015/849.9
Assessing ML/TF risk
Firms should take a holistic view of the ML/TF risk factors they have identified that, together, will determine the level of ML/TF risk associated with a business relationship or occasional transaction.
As part of this assessment, firms may decide to weigh factors differently depending on their relative importance.
Weighting risk factors
When weighting risk factors, firms should make an informed judgement about the relevance of different risk factors in the context of a business relationship or occasional transaction. This often results in firms allocating different ‘scores’ to different factors; for example, firms may decide that a customer’s personal links to a jurisdiction associated with higher ML/TF risk is less relevant in light of the features of the product they seek.
Ultimately, the weight given to each of these factors is likely to vary from product to product and customer to customer (or category of customer) and from one firm to another. When weighting risk factors, firms should ensure that:
- Weighting is not unduly influenced by just one factor;
- Economic or profit considerations do not influence the risk rating;
- Weighting does not lead to a situation where it is impossible for any business relationship to be classified as high risk;
- The provisions of Directive (EU) 2015/849 or national legislation regarding situations that always present a high money laundering risk cannot be over-ruled by the firm’s weighting; and
- They are able to over-ride any automatically generated risk scores where necessary. The rationale for the decision to over-ride such scores should be documented appropriately.
Where a firm uses automated IT systems to allocate overall risk scores to categorise business relationships or occasional transactions and does not develop these in house but purchases them from an external provider, it should understand how the system works and how it combines risk factors to achieve an overall risk score. A firm must always be able to satisfy itself that the scores allocated reflect the firm’s understanding of ML/TF risk and it should be able to demonstrate this to the competent authority.
Categorising business relationships and occasional transactions
Following its risk assessment, a firm should categorise its business relationships and occasional transactions according to the perceived level of ML/TF risk.
Firms should decide on the most appropriate way to categorise risk. This will depend on the nature and size of the firm’s business and the types of ML/TF risk it is exposed to. Although firms often categorise risk as high, medium and low, other categorisations are possible.