RISK PROFILING: A KEY PREREQUISITE FOR RISK-BASED SUPERVISION

Off-site supervision includes the identification and analysis of institutional and sectoral ML/TF risks. The results of this risk analysis are used to inform the type and intensity of other supervisory activities as well as the planning and resourcing of on-site inspections. This analysis requires supervisors to collect as much relevant information as possible about institutions’ inherent ML/TF risks and the adequacy of their AML/CFT policies, procedures, and controls, including information on the business-wide risk assessment of financial institutions, the AML/CFT compliance systems, and audit and compliance reports (see appendix A for more detail on the business-wide risk assessment of financial institutions). In the case of financial groups, group-wide information is required for a consolidated risk profile of the institution.
Information Requirements for Developing Risk Profiles

One of the biggest challenges for off-site supervision is to determine the extent of the information required to conduct risk profiling. The type and amount of information required will depend on various factors, including the availability of useful, up-to-date information within the supervisory body, availability of information within supervised entities,2 stage of development of AML/CFT controls in the financial institutions, and resources of the supervisors. The following subsections provide examples of the type of information required to conduct risk profiling for a financial institution.
General Institutional and Contextual Information

General information on the institution provides the broad contextual framework for the risk profile of the institution. It may also form the basis for establishing peer groups or clusters of institutions.3

● Corporate structure, including ownership and management structure, group structure, shareholding structure and beneficial owners, branch and subsidiary network, and years in operation;
● Financial information, including size, total deposits and assets, and business lines;
● Prudential and other supervisory information, including business model, governance, risk appetite, prior examination reports, compliance and enforcement history, external auditors’ reports, and general reputation;
● Input from other competent authorities, including information from police, prosecutors, and intelligence agencies; tax, customs, and anticorruption authorities; and agencies dealing with targeted financial sanctions, for example;
● Results of national risk assessments as they relate to the financial sector and its customers, products, and services;
● Results of independent testing and audits that are provided to supervisory agencies;
● Information on risks obtained from public-private partnerships or other consultation mechanisms;
● Open-source information (media, adverse reporting) with respect to allegations or factual cases related to ML/TF or financial crime;4 apart from news outlets, Transparency International and the Organized Crime and Corruption Reporting Project produce third-party reports;

CHAPTER 4: OFF-SITE AML/CFT SUPERVISION