The interpretive notes to Recommendations 1 and 26 provide guidance on a risk-based approach to AML/CFT supervision. In practice, supervisors may have their own supervisory risk models for developing institutional risk profiles to inform their supervisory strategies and activities. This process may involve obtaining data from the financial institutions on inherent ML/TF risks and AML/ CFT compliance and developing an assessment model based on the overall level of ML/TF risks and the quality of AML/CFT risk mitigation processes. Some supervisors have adopted prudential risk assessment frameworks to conduct this assessment, which may include an assessment of the quality of risk management systems. However, a tailored approach to assessing the inherent ML/TF risks and the quality of AML/CFT risk-mitigating measures is an essential tool for allocating resources to AML/CFT supervision and determining the intensity and frequency of AML/CFT supervisory activities.
Quantitative Factors AML/CFT supervisors should assess the inherent ML/TF risks of the institutions they supervise. This assessment includes assessing each institution’s inherent risks related to the type and number of customers, products, services, transactions, geographic areas, and delivery channels. Risk assessments should also consider the size, complexity, and nature of an institution. Several AML/CFT supervisory authorities have implemented various models for assessing risk, including rating and scoring models.
Qualitative Factors The supervisor also needs to assess the adequacy and effectiveness of a financial institution’s policies, procedures, and controls for mitigating ML/TF risks. The strength of controls should be proportional to a financial institution’s assessed risks. Lower inherent risks allow for simpler measures of risk mitigation. Quite apart from the institution’s own control measures, other external factors—such as the geographic areas where the bank operates, its clientele, and its exposure to United Nations– sanctioned entities or individuals—might not show up in hard data but nevertheless reflect real risk factors. Chapters 3 and 4 address this risk-based AML/CFT supervisory framework and off-site AML/CFT supervision in more detail.
ORGANIZATIONAL APPROACHES FOR EFFECTIVE AML/CFT SUPERVISION Neither the BCPs nor the FATF standards prescribe or give specific guidance on which type of model or supervisory arrangements a jurisdiction should use to supervise banks and other institutions subject to the AML/CFT regime. Obviously, different jurisdictions will take different approaches, and a universal model would never do those differences justice. However, the FATF standards and the BCPs more generally do require jurisdictions to implement a risk-based approach to AML/CFT supervision (FATF 2014). The choice of supervisory model depends on several factors, including the legal framework that designates the AML/CFT supervisor; the history, culture, and practice of supervision; the experience of the supervisor; and, very important, the human, financial, and technical resources available. The choice of supervisory model may also be influenced by national priorities in the fight 14
PREVENTING MONEY LAUNDERING AND TERRORIST FINANCING
