Risk Profiling: A Key Prerequisite for Risk-Based Supervision
Off-site supervision includes the identification and analysis of institutional and sectoral ML/TF risks. The results of this risk analysis are used to inform the type and intensity of other supervisory activities as well as the planning and resourcing of on-site inspections. This analysis requires supervisors to collect as much relevant information as possible about institutions’ inherent ML/TF risks and the adequacy of their AML/CFT policies, procedures, and controls, including information on the business-wide risk assessment of financial institutions, the AML/CFT compliance systems, and audit and compliance reports (see appendix A for more detail on the business-wide risk assessment of financial institutions).
In the case of financial groups, group-wide information is required for a consolidated risk profile of the institution.
Information Requirements for Developing Risk Profiles
One of the biggest challenges for off-site supervision is to determine the extent of the information required to conduct risk profiling. The type and amount of information required will depend on various factors, including the availability of useful, up-to-date information within the supervisory body, availability of information within supervised entities,2 stage of development of AML/CFT controls in the financial institutions, and resources of the supervisors. The following subsections provide examples of the type of information required to conduct risk profiling for a financial institution.
General Institutional and Contextual Information
General information on the institution provides the broad contextual framework for the risk profile of the institution. It may also form the basis for establishing peer groups or clusters of institutions.3
● Corporate structure, including ownership and management structure, group structure, shareholding structure and beneficial owners, branch and subsidiary network, and years in operation;
● Financial information, including size, total deposits and assets, and business lines;
● Prudential and other supervisory information, including business model, governance, risk appetite, prior examination reports, compliance and enforcement history, external auditors’ reports, and general reputation;
● Input from other competent authorities, including information from police, prosecutors, and intelligence agencies; tax, customs, and anticorruption authorities; and agencies dealing with targeted financial sanctions, for example;
● Results of national risk assessments as they relate to the financial sector and its customers, products, and services;
● Results of independent testing and audits that are provided to supervisory agencies;
● Information on risks obtained from public-private partnerships or other consultation mechanisms;
● Open-source information (media, adverse reporting) with respect to allegations or factual cases related to ML/TF or financial crime;4 apart from news outlets, Transparency International and the Organized Crime and Corruption Reporting Project produce third-party reports;
● Findings from matters reported by whistleblowers and complaints; and
● Input from international counterparts, groups, and organizations (for example, reports of the FATF and FATF-style regional bodies and risk factor guidelines of the European Supervisory Authorities).
Inherent ML/TF Risks
Inherent risks are ML/TF risks intrinsic to a sector’s or an entity’s business activities before any AML/CFT controls are applied. Data are collected on inherent risks related to the type and number of customers, products, services, transactions, geography, and delivery channels. For these risk factors, information should be collected on the number and volume of the underlying topic. The following are some examples:
● Customers, including the number of clients that are natural persons, legal persons and arrangements, residents, nonresidents, politically exposed persons (domestic and foreign), nonprofit organizations, correspondent relations, and high-net-worth individuals;
● Products, services, and transactions, including the number and volume of cash deposits, wealth management and private banking services, trustee services, international funds transfers, currency exchanges, money remittances, trade finance, and virtual assets;
● Geography, including the number of customers (per type) who reside in or are active in high-risk jurisdictions, number and volume of fund transfers, and number and volume of remittances to or from high-risk jurisdictions;
● Delivery channels, including the number of business relationships that were established (in a period) through agents or intermediaries, and the number of business relationships established in a given period without reliable, independent digital identification systems; and
● Any other inherent risk factors the supervisors may consider appropriate given the context of the jurisdiction and sector.
Annex 4A provides an example of a questionnaire that can be used to collect data on inherent ML/TF risk.
Risk Mitigation
Supervisors should obtain and assess information on a jurisdiction’s AML/CFT policies, procedures, and controls. Based on the information obtained, the adequacy of the mitigation measures should be assessed. As a general guide, the off-site function should obtain sufficient information, including the following:
● Corporate governance and role of the board (especially in setting the bank’s risk appetite and strategy), board governance, and board committees for AML/CFT compliance;
● Compliance information for management, compliance monitoring reports, reports on incidents, and internal and external audit reports;
● Compliance and audit functions, including independence, operational autonomy, qualifications and resources of (group) audit and compliance, role and responsibilities of the compliance function, scope of compliance work regarding monitoring, STRs, risk assessments, and training;
● Business-wide ML/TF risk assessment, AML/CFT policies, procedures, and controls, including on customer due diligence, transaction monitoring, targeted financial sanctions screening, and record keeping;
● Monitoring, analysis, and reporting of unusual and suspicious transactions, including security of information, decision-making arrangements, quality controls, and communications with the FIU; and
● AML/CFT resources, staffing, and training.
Annex 4B provides an example of a questionnaire that can be used to obtain information on AML/CFT controls.
Proliferation Financing
For the risk profile of financial institutions, the supervisor can decide to assess the risk of proliferation financing as a subset of the overall assessment of inherent risk. Since the same set of controls is generally used for proliferation financing as for targeted financial sanctions, no separate assessment of the adequacy of control measures specifically for proliferation financing is necessary for off-site supervision purposes. Proliferation financing assessment is a new requirement, and there is little literature addressing it. In its 2018 “Guidance on Counter Proliferation Financing,” the FATF provides useful insights, in particular with respect to using a risk-based approach (FATF 2018; see also box 4.1).
BOX 4.1 Extract from FATF Guidance: Supervision of Proliferation Financing
Specifically, an effective supervisory model in the proliferation financing context often involves the following measures:
1. Competent authorities should communicate the consolidated list of persons and entities through their websites immediately after publication by the United Nations Security Council/Sanctions Committee, and preferably through one single website to prevent confusion to different supervised institutions.
2. Supervisors may encourage their supervised institutions to apply a risk-based approach in the context of proliferation financing, by making reference to the Financial Action Task Force (FATF) “Guidance for a Risk-Based Approach to Effective Supervision and Enforcement by AML/CFT Supervisors of the Financial Sector and Law Enforcement.”
3. Supervisors should understand the proliferation financing contextual situation or exposure to potential sanctions evasion faced by supervised institutions and sectors in their country, for example, customers, products, geographical reach, and delivery channels. While not a binding requirement under FATF standards, supervisors may note that proliferation financing risks are distributed differently from money-laundering (ML) and terrorism financing (TF) risks between and within financial institutions. Adequately supervising the implementation of counterproliferation financing measures may require