10 minute read
International standards for Risk-Based supervision
Financial Action task Force (FAtF) Recommendation 1 sets out the overarching risk-based requirements for jurisdictions, including financial institutions and their supervisors. Paragraph 9 of the interpretive note to Recommendation 1 requires supervisors to review the money-laundering and terrorism financing (ML/tF) risk profiles and risk assessments prepared by financial institutions and to consider the results of this review in their supervision. With respect to financial institutions, part B of this interpretive note details the obligations and decisions in assessing ML/tF risks as well as the weapons proliferation financing risks. Immediate outcome (Io) 3 establishes the requirements for supervisors to supervise, monitor, and regulate financial institutions appropriately for compliance with anti-money-laundering and combating the financing of terrorism (AML/CFt) requirements commensurate with their risks, and Io 4 sets out the obligations for financial institutions to apply AML/CFt preventive measures commensurate with their risks and to report suspicious transactions.
In summary, these standards require financial institutions and supervisors to identify, assess, and understand the ML/tF risks and to apply proportionate risk mitigation and supervisory measures, respectively. Where risks are higher, mitigation and supervision should be enhanced, and where risks are lower, less rigorous measures may be applied. this principle also implies that where the risks are at a normal level (neither high nor low), the standard measures described in the recommendations apply.
Outcomes from FATF Evaluations with Respect to Supervision
the FAtF recommendations set the standard for an effective risk-based AML/CFt supervisory approach. Recommendation 26 and Io 3 set out the main requirements for applying effective riskbased AML/CFt supervision to financial institutions.
As of november 2021, the FAtF had published the mutual evaluation reports and followup reports of 119 jurisdictions.1 of these 119 jurisdictions, 30 are members of the FAtF2 and 89 are members of an FAtF-style regional body (FsRB). Members of FsRBs are largely developing jurisdictions.
Jurisdictions have so far had mixed results from the assessment of compliance with Recommendation 26. As shown on figure 3.1, 87 percent of the assessed FAtF members are largely compliant or compliant with this recommendation. In contrast, only 61 percent of the assessed FsRB members are largely compliant or compliant; 39 percent are partially compliant or noncompliant.
% of jurisdictions assessed 70 60 50 40 30 20 10 0
Noncompliant Partially compliant Largely compliant FATF members FSRB members
Source: FATF consolidated assessment ratings, updated November 8, 2021. Note: FATF = Financial Action Task Force. FSRB = FATF-style regional body. Compliant
the assessments of effectiveness of supervision under Io 3 also show a divergence between FAtF members and FsRB members. the differences are, however, smaller than with the technical compliance with Recommendation 26. Figure 3.2 shows that 17 percent of FAtF members have substantial effectiveness, compared with only 7 percent of FsRB members. the percentage of jurisdictions rated as having moderate effectiveness is 73 percent among FAtF members and 53 percent among FsRB members. Moreover, 10 percent of FAtF members have a low effectiveness rating, versus 40 percent of the FsRB members.
% of jurisdictions assessed 80 70 60 50 40 30 20 10 0
Low e ectiveness Moderate e ectiveness Substantial e ectiveness
FATF members FSRB members
Source: FATF consolidated assessment ratings, updated November 8, 2021. Note: FATF = Financial Action Task Force. FSRB = FATF-style regional body. IO = Immediate Outcome. High e ectiveness
In all, of the 119 assessed jurisdictions, only 11 jurisdictions (5 FAtF members and 6 FsRB members) have a substantial effectiveness rating. none of the jurisdictions has obtained a high effectiveness rating. In all, it is evident that jurisdictions have difficulty attaining an effective riskbased AML/CFt supervisory framework for all entities covered by the AML/CFt requirements.
FATF IO 3
Io 3 identifies six core issues for assessing the overall effectiveness of supervision in a risk-based framework. Core Issues 3.2 and 3.3, in particular, deal with the understanding of risk and risk-based supervision.3 these six core issues are as follows:
● Core Issue 3.1. How well do licensing, registration, or other controls implemented by supervisors or other authorities prevent criminals and their associates from holding, or being the beneficial owner of, a significant or controlling interest or holding a management function in a financial institution, designated nonfinancial business or profession, or virtual asset service provider?
How well are breaches of such licensing or registration requirements detected?
● Core Issue 3.2. How well do the supervisors identify and maintain an understanding of the
ML/tF risks in the financial and other sectors as a whole, between different sectors and types of institutions, and in individual institutions?
● Core Issue 3.3. With a view to mitigating the risks, how well do supervisors, on a risk-sensitive basis, supervise or monitor the extent to which financial institutions, designated nonfinancial businesses and professions, and virtual asset service providers are complying with their
AML/CFt requirements?
● Core Issue 3.4. to what extent are remedial actions or effective, proportionate, and dissuasive sanctions applied in practice?
● Core Issue 3.5. to what extent are supervisors able to demonstrate that their actions have an effect on compliance by financial institutions, designated nonfinancial businesses and professions, and virtual asset service providers?
● Core Issue 3.6. How well do supervisors promote a clear understanding by financial institutions, designated nonfinancial businesses and professions, and virtual asset service providers of their
AML/CFt obligations and ML/tF risks?
FATF Guidance on the Risk-Based Approach
In March 2021, the FAtF issued its “Guidance on Risk-Based supervision” to encourage countries to move beyond a tick-box approach to monitoring the private sector’s efforts to curb moneylaundering and terrorism financing (FAtF 2021b). the overarching goal is to make supervision more effective. to that end, the guidance is meant to help supervisors to address the full spectrum of risks and focus resources where the risks are highest. A risk-based approach is less burdensome on lower-risk sectors or activities, which is critical for maintaining or increasing financial inclusion. establishing a risk-based approach is not trivial, though. In fact, transitioning from rules-based supervision to risk-based supervision is a demanding process, which can be especially challenging in low-capacity countries. It requires a change in supervisory culture and staff mind-set. supervisors
need to work across government and with the private sector to develop an in-depth understanding of the risks facing their regulated entities.
As the FAtF puts it, “this is important because every business operates differently and faces different risks. supervisors need to have appropriate powers, skills, and resources as well as political and organizational support. they need to continuously update their understanding of risk and adjust and improve their supervisory approach” (FAtF 2021b). the FAtF guidance is composed of three parts. Part 1 explains how supervisors should assess the risks facing their supervised sectors and prioritize their activities in line with the FAtF standards’ risk-based approach. Part 2 discusses strategies to address common challenges in risk-based supervision and provides jurisdictional examples, including examples of strategies for supervising designated nonfinancial businesses and professions and virtual asset service providers. Part 3 provides country examples from across the global network of supervision of the financial sector, virtual asset service providers, and other private sector entities. the FAtF guidance, while nonbinding, clarifies and explains how supervisors should apply a riskbased approach to their activities in line with the FAtF standards. In addition to explaining common expectations, the guidance is also forward-looking and identifies innovative practices that can improve the effectiveness of AML/CFt supervision and thus the overall AML/CFt system.
In this document, the FAtF defines what constitutes an effective risk-based supervisory framework. In such a framework, the supervisor identifies, assesses, and understands ML/tF risks within the sector(s) and entities under its purview and mitigates them effectively on an ongoing basis. this process involves implementing a sound risk assessment system that enables the identification, measurement, control, and monitoring of ML/tF risks as well as a risk-based supervisory approach that enables timely supervisory intervention to address any significant changes or elevation in risks (FAtF 2021b, 12). More specifically, the supervisor undertakes the following:
● Develops and maintains a good understanding of ML/tF risks at the sector as well as the entity level based on a sound assessment of inherent risks and quality of mitigation measures and informed by national ML/tF risk assessment;
● Develops and implements a supervisory strategy that directs supervisory focus to higher or emerging ML/tF risks, while ensuring that appropriate, risk-based strategies are in place to address lower risks effectively and efficiently without unnecessarily affecting access to and use of financial services;
● Influences entities’ behavior by ensuring that they have effective AML/CFt policies in place and, where issues are identified, provides targeted guidance and feedback, directing or overseeing remedial actions and exercising enforcement powers in a dissuasive and proportionate manner taking risk, context, and materiality into account;
● Monitors the evolving risk environment and stays agile to identify emerging risks and respond promptly;
● Is equipped with the expertise, powers, discretion, and tools needed and has adequate resources to perform its functions; and
● Coordinates with other competent authorities when relevant, including the financial intelligence unit (FIU), law enforcement agencies, and other supervisory agencies, as well as with foreign counterparts, sharing information, prioritizing risks, and carrying out joint supervisory activities as appropriate.
The Basel Core Principles
the Core Principles for effective Banking supervision (the Basel Core Principles, or BCPs) also require banking supervisors to apply a risk-based approach to supervision in general, including for AML/CFt. BCP 8 addresses a supervisory approach based on risks in general, stating, “An effective system of banking supervision requires the supervisor to develop and maintain a forward-looking assessment of the risk profile of individual banks and banking groups, proportionate to their systemic importance; identify, assess, and address risks emanating from banks and the banking system as a whole; have a framework in place for early intervention; and have plans in place, in partnership with other relevant authorities, to take action to resolve banks in an orderly manner if they become nonviable.”4
BCP 8 has eight essential criteria:5
1. the supervisor uses a methodology for determining and assessing on an ongoing basis the nature, impact, and scope of the risks (a) that banks or banking groups are exposed to, including risks posed by entities in the wider group; and (b) that banks or banking groups present to the safety and soundness of the banking system.
2. the methodology addresses, among other things, the business focus, group structure, risk profile, internal control environment, and resolvability of banks and permits relevant comparisons between banks. the frequency and intensity of supervision of banks and banking groups reflect the outcome of this analysis.
3. the supervisor has processes to understand the risk profile of banks and banking groups and employs a well-defined methodology to establish a forward-looking view of the profile. the nature of the supervisory work for each bank is based on the results of this analysis.
4. the supervisor assesses banks’ and banking groups’ compliance with prudential regulations and other legal requirements.
5. the supervisor takes the macroeconomic environment into account in its risk assessment of banks and banking groups. the supervisor also takes into account cross-sectoral developments—for example, in nonbank financial institutions—through frequent contact with their regulators.
6. the supervisor, in conjunction with other relevant authorities, identifies, monitors, and assesses the buildup of risks, trends, and concentrations within and across the banking system as a whole. this assessment includes, among other things, banks’ problem assets and sources of liquidity (such as the funding conditions and costs of domestic and foreign currency). the supervisor incorporates this analysis into its assessment of banks and banking groups and addresses proactively any serious threat to the stability of the banking system. the supervisor communicates any significant trends or emerging risks identified to banks and other relevant authorities with responsibilities for financial system stability.
7. Drawing on information provided by the bank and other national supervisors, the supervisor, in conjunction with the resolution authority, assesses the bank’s resolvability, where appropriate, having regard for its risk profile and systemic importance. When bank-specific barriers to orderly resolution are identified, the supervisor requires, where necessary, banks to adopt appropriate measures, such as changes in business strategies; managerial, operational, and ownership
