The second key requirement of a risk-based approach is for financial institutions to mitigate the risks that have been identified and assessed. Financial institutions therefore need to have AML/CFT policies, procedures, and controls to mitigate those risks and comply with their legal and regulatory obligations. Such measures should be proportional to and consistent with the level of risks assessed, applying enhanced measures where risks are higher and simpler measures where risks are lower. Enhanced measures mean that the scope, intensity, and frequency of controls should be proportionately stronger to mitigate higher risks. Unless circumstances call for specific prescriptions, supervisors should not prescribe the specific measures to be applied by institutions in their management of risks, except for cases where enhanced and simplified measures are already prescribed by law or regulation. Financial institutions should have flexibility in deciding the most effective way to assess and manage their risks, but decisions should be documented, and financial institutions should be able to demonstrate to a supervisor how they came to those risk management judgments. In deciding on the degree of discretion to grant a financial institution, the supervisor should take into account several factors, including the maturity and sophistication of the sector and institution as well as the institution's track record for AML/CFT compliance, but also for managing other risks. It is also important to take into account the supervisors' experience in conducting risk-based AML/CFT supervision. In jurisdictions where the financial sector and AML/CFT supervisory regime are not well developed, the capacity of financial institutions to assess and mitigate their ML/TF risks may not be fully developed.
In such cases, the discretion and flexibility allowed under a risk-based approach should be limited and phased in until such time as the institution's or sector's understanding of risks and experience in mitigating risks improve. While financial institutions have discretion to implement their own AML/CFT frameworks, supervisors should provide guidance on risk factors and the model or methodology that financial institutions could use to assess their inherent and residual ML/TF risks. Such guidance is intended to provide some consistency and allow comparisons across institutions. Notwithstanding the model used, the adequacy of the risk assessment will be influenced largely by the availability, accuracy, and up-to-date nature of the information required for the conduct of risk assessments.7 The supervisor will review the effectiveness of the AML/CFT risk assessment relative to, among other things, the degree and nature of inherent risks. The degree of complexity of a financial institution's risk assessment model should be commensurate with the nature, complexity, and size of its business. For less complex financial institutions, a simpler risk assessment will suffice, but a large, complex institution will require a more elaborate risk assessment. The customer base, international presence, business products, and other factors contribute to the degree of complexity required. Appendix A discusses banks' business-wide risk assessment and risk mitigation processes in more detail.
AML/CFT SUPERVISORY CYCLE Supervisors should apply an integrated, comprehensive approach to AML/CFT supervision. The risk assessments and risk profiles of financial institutions constitute an important component of the AML/CFT supervisory approach. Nevertheless, the risk-based supervisory regime needs to be harmonized with other supervisory activities, such as licensing, prudential supervision, and enforcement. In addition, collaboration and coordination with other supervisors and the FIU are also necessary in some cases. Figure 3.4 illustrates a basic AML/CFT supervisory cycle.
CHAPTER 3: INTRODUCTION TO A RISK-BASED AML/CFT SUPERVISORY FRAMEWORK