Risk-Based Approach to Supervision
structures; and internal procedures. Any such measures take into account their effect on the soundness and stability of ongoing business.
8. The supervisor has a clear framework or process for handling banks in times of stress, such that any decisions to require or undertake recovery or resolution actions are made in a timely manner.
9. Where the supervisor becomes aware of bank-like activities being performed fully or partially outside the regulatory perimeter, the supervisor takes appropriate steps to call the matter to the attention of the responsible authority. Where the supervisor becomes aware that a bank is restructuring its activities to avoid the regulatory perimeter, the supervisor takes appropriate steps to address this situation.
RISK-BASED APPROACH TO SUPERVISION
A risk-based approach to AML/CFT supervision refers to (a) the process by which a supervisor, according to its understanding of ML/TF risks in the jurisdiction and of the supervised institutions, allocates its resources to AML/CFT supervision; and (b) the specific process of supervising institutions (that is, the frequency and intensity of off-site and on-site AML/CFT supervision). The Joint Committee of the European Supervisory Authorities (a forum with the objective of strengthening cooperation between the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority) characterizes risk-based supervision as an ongoing, cyclical process that includes four steps (Joint Committee of the European Supervisory Authorities 2016, 3):
1. The identification of ML/TF risk factors, whereby competent authorities obtain information on both domestic and foreign ML/TF threats affecting the relevant markets;
2. The assessment of risk, whereby competent authorities use this information to obtain a holistic view of the ML/TF risk associated with each credit or financial institution (“firm”) or group of firms, including the inherent risk to which the firm or group of firms is exposed and the risk-mitigating measures that a firm or group of firms has in place;
3. The allocation of AML/CFT supervisory resources based on this risk assessment, which includes decisions about the focus, depth, duration, and frequency of on-site and off-site activities and supervisory staffing needs, including technical expertise; and
4. The monitoring and review of the risk assessment and associated allocation of supervisory resources to ensure that they remain up to date and relevant.
Adopting a risk-based approach to AML/CFT supervision allows the supervisory authority to allocate its resources based on the risks assessed in the jurisdiction, in a sector, or in an institution. As a result, the supervisory authority can use its resources effectively and efficiently. To do so, the supervisor should have a clear understanding of the following (FATF 2021b, 75–76):
● The ML/TF risks and the policies, internal controls, and procedures associated with the institution or group, as identified by the supervisor’s assessment of the institution or group’s risk profile;
● The ML/TF risks present in the jurisdiction; and
● The characteristics of the financial institutions or groups, in particular, the diversity and number of financial institutions and the degree of discretion allowed under the risk-based approach.
FIGURE 3.3 A General Framework for Risk-Based AML/CFT Supervision
[Figure not reproduced. Elements shown: understanding national and sectoral risks; risk-based design of supervision architecture; supervision strategy; off-site; institution risk profiles; guidance; annual inspection plan; on-site; laws and regulations; corrective actions and sanctions; effective controls at reporting entities; mitigation of risks.]
Source: World Bank risk-based approach toolkit. Note: AML = anti-money-laundering. CFT = combating the financing of terrorism.
The risk assessment of a sector or financial institution is not static. It will change depending on how risks evolve, at the national level and at the level of the sector or institution. The assessment of the ML/TF risk profile of a financial institution or group, including the risks of noncompliance, should therefore be reviewed both periodically and “when there are major events or developments in the management and operations of the financial institution or group” (FATF 2021b, Criterion 26.6, 76). The supervisory activities will generally consist of off-site and on-site activities (figure 3.3). As a basic principle, off-site supervision should tackle everything that can be reviewed remotely, and on-site activities should focus on sample testing, interviews, and aspects that cannot be assessed remotely, such as the actual implementation of AML/CFT requirements.
Supervisors should formulate a risk-based regime for supervising compliance with AML/CFT requirements, including its effective implementation by financial institutions. A key objective of such a regime is to apply a proportional approach to AML/CFT supervision that establishes the intensity, frequency, and scope of oversight. The supervisory regime should be comprehensive, transparent, and proportional to the ML/TF risks identified. In developing and implementing a risk-based AML/CFT supervisory regime, supervisors should adhere to some basic principles. The following are examples of some of these principles, but each supervisory body should adopt them in accordance with its jurisdiction’s regulatory framework and practices, context, and experience:
● Supervisory authorities have appropriate discretion to apply the supervisory policies and procedures in a risk-sensitive manner and provide institutions with appropriate discretion to apply a risk-based approach. Rules-based stringencies and a zero-tolerance stance can easily undermine the risk-based approach.
● The supervisor employs a well-defined methodology to identify and assess ML/TF risks as well as the AML/CFT compliance measures of the supervised institutions and sector. Based on the ML/TF risk profile of financial institutions and the understanding of risks in the sector, the supervisor develops its supervisory strategies and plans.
● The nature, intensity, and frequency of AML/CFT supervision are proportional to the ML/TF risk profile of the jurisdiction, sectors, and individual institutions. This approach allows the supervisor to formulate its operational plans, including for off-site and on-site supervision. It also allows for effective and efficient planning and deployment of available resources, including planning and budgeting for the annual calendar of supervisory activities.
● The supervisor uses a methodology, based on quantitative and qualitative information, to inform its AML/CFT supervision. The methodology includes prudential and AML/CFT data collection and analytical tools to form a comprehensive view of the risk of institutions and sectors. The supervisor uses the results of the national risk assessments to develop and update its ML/TF risk assessments.
● The supervisor informs and consults with the sectors and other relevant authorities in a clear and transparent manner on the application of its risk-based supervisory regime.
● The supervisor collaborates with foreign counterpart supervisors to ensure consolidated risk-based supervision of international groups, including through supervisory memoranda of understanding and colleges.
● Financial supervisors have adequate financial, human, and technical resources. They also have sufficient operational independence and autonomy to ensure freedom from undue influence or interference. The supervisory authorities ensure that staff maintain high professional standards, including standards concerning confidentiality, and are themselves of high integrity and appropriately skilled.
● The supervisor periodically reviews and updates the supervisory framework, taking into account changes in risks, but also changes in legislation and in the international AML/CFT standards, guidelines, and best practices.
Risk-Based Approach at the Bank Level
The FATF standards and BCPs for taking a risk-based approach to implementing national AML/CFT measures include obligations on all AML/CFT stakeholders: not just government agencies, the FIU, law enforcement, and supervisors, but also private sector entities, such as financial institutions and designated nonfinancial businesses and professions.6
From the perspective of individual financial institutions, the key requirement is to identify and assess the ML/TF threats inherent in their business activities, the ML/TF vulnerabilities in their processes, and the level of their AML/CFT controls. Financial institutions should assess the inherent risks of their (a) customer base, (b) products and services, (c) transactions, (d) geographic areas in which they operate or where their customers are located, and (e) delivery or distribution channels for their products, services, and transactions. These risk factors are not exhaustive, and financial institutions can assess additional risk factors depending on, among others, the risk and context of the jurisdiction and sector or the particular business models of individual institutions. In conducting a risk assessment, financial institutions should be free to determine how they do this, as long as the approach is coherent, consistent, and transparent to the supervisor.