ML/TF RISK MITIGATION FOR FINANCIAL GROUPS Sound ML/TF risk mitigation should extend to each member of a financial group11 on a consolidated basis, covering all branches and majority-owned subsidiaries of the financial group that operate domestically and in other jurisdictions. Consequently, a financial group should develop group-wide AML/CFT policies, procedures, and controls that are implemented consistently across the group but subject to jurisdiction-specific ML/TF risks and legal requirements. FATF Recommendation 18 states that, where the minimum AML/CFT requirements of the host jurisdiction are less stringent, those of the home jurisdiction should be applied to the extent that local laws and regulations permit. Where doing so is not possible, the financial institution should take additional AML/CFT measures to manage the risks and inform the home-jurisdiction supervisor. When effective implementation of group policies, procedures, and controls abroad is not feasible, the financial group should consider closing its operations in the host jurisdiction. Under a consolidated AML/CFT compliance framework, the parent bank should implement policies, procedures, and controls on a group-wide basis for all group members, while at the same time complying with local laws and regulations. This framework should include a clear process for sharing information between the head office and all branches and subsidiaries domestically and abroad. Secrecy laws and data protection laws in some jurisdictions may restrict the ability to share customer-related information within the group, which can seriously impede the assessment and mitigation of ML/TF risks. It can also hamper the effective operations of group compliance and group audits. The financial institution should have a thorough understanding of the inherent ML/TF risks associated with its customers, products, services, transactions, geographic locations, and delivery channels across the group. The institution should ensure that all entities in the group conduct a business-wide risk assessment (as described above) and consolidate these analyses on the level of the group. The risk assessments should be updated periodically. The consolidated risk assessment of the group should determine the type and intensity of AML/CFT compliance measures to be implemented for each member and for the entire group. The financial institution should also implement, at the group level, key structural controls, particularly risk management, compliance, and internal audits. These functions should evaluate compliance with and the effectiveness of group policies, procedures, and controls, including the ability to share information among group members and respond to information requests from the head office. In this regard, the institution should know the extent to which local AML/CFT legislation allows it to rely on the customer due diligence and other procedures undertaken by other entities within the group, for instance, when a customer has a business relationship with more than one member of the group. Regardless of the jurisdictions where the group operates, each institution in the group should implement effective compliance monitoring systems with the group’s policies, procedures, and controls that are proportionate to the ML/TF risks assessed by the institution in each jurisdiction. A financial institution should monitor significant customer relationships on a consolidated basis, regardless of where the accounts are held. This monitoring should be facilitated by a centralized customer due diligence and transaction-monitoring process to enhance the effectiveness and efficiency of the group’s AML/CFT framework. A centralized process should also help the group to monitor and detect suspicious transactions across the group. An international financial group should also appoint a group AML/CFT compliance officer responsible for compliance with the global AML/CFT framework. This officer should contribute to Appendix A
181
