Banks and other financial institutions generally implement group-wide AML/CFT systems across all branches and subsidiaries, domestically and abroad, including group-wide AML/CFT policies and procedures. Banks and other financial institutions should therefore identify and assess ML/TF risks on a consolidated group basis. These risk assessments should be reviewed and updated periodically. Having an assessment of consolidated group risks facilitates the implementation of group-wide AML/CFT compliance measures. Where any cross-border branch or subsidiary cannot implement the group AML/CFT measures (for example, due to differing legal and regulatory requirements), additional risk-mitigating measures for managing the cross-border ML/TF risks need to be applied, and the home supervisor should be informed.
Consideration of a Jurisdiction’s National Risk Assessment in Business-Wide Risk Assessments A jurisdiction’s national risk assessment provides essential inputs for business-wide risk assessments. Whenever it becomes available or is updated by the authorities, financial institutions should receive the results. The national risk assessment contains valuable information on ML/TF trends, high-risk products and jurisdictions or regions, and emerging ML/TF typologies and threats. Financial institutions should take this information into account in the assessment and mitigation of their risks. During the drafting of the national risk assessment, the authorities may request the involvement of or input from the financial sector. If possible, institutions should take part in these activities and provide information as well as their observations and insights about risks. Cooperation and proactive involvement of the institutions contribute to a more accurate understanding of the ML/TF risks in the jurisdiction.
ASSESSING THE INHERENT ML/TF RISK FACTORS As indicated, there are at least four principal inherent risk factors: customers; products, services, and transactions; geographic locations; and delivery channels. Consequently, any risk assessment model should assess at least the ML/TF risks inherent in these factors. A key source of information for assessing the adequacy of information used for the businesswide risk assessment is information from national risk assessments, sectoral risk assessments, and ML/TF typologies relating to the specific sector. FATF Recommendation 10 on customer due diligence provides examples of potentially higher-risk situations with respect to customers, geography, products, transactions, services, and delivery channels. These factors are relevant for assessing the risks of an individual customer but also for conducting a business-wide risk assessment. The following describes the main elements of each of the risk factors that should form the foundation of the business-wide risk assessment.
Customer Risk It is the institution’s responsibility to assess and understand the degree of risk posed by types or categories of customers as well as by individual customers. The assessment of the risk factors used in
Appendix A
171
