8 minute read
Assessing the Inherent ML/tF Risk Factors
Banks and other financial institutions generally implement group-wide AML/CFt systems across all branches and subsidiaries, domestically and abroad, including group-wide AML/CFt policies and procedures. Banks and other financial institutions should therefore identify and assess ML/tF risks on a consolidated group basis. these risk assessments should be reviewed and updated periodically. Having an assessment of consolidated group risks facilitates the implementation of group-wide AML/CFt compliance measures. Where any cross-border branch or subsidiary cannot implement the group AML/CFt measures (for example, due to differing legal and regulatory requirements), additional risk-mitigating measures for managing the cross-border ML/tF risks need to be applied, and the home supervisor should be informed.
Consideration of a Jurisdiction’s National Risk Assessment in Business-Wide Risk Assessments
A jurisdiction’s national risk assessment provides essential inputs for business-wide risk assessments. Whenever it becomes available or is updated by the authorities, financial institutions should receive the results. the national risk assessment contains valuable information on ML/tF trends, high-risk products and jurisdictions or regions, and emerging ML/tF typologies and threats. Financial institutions should take this information into account in the assessment and mitigation of their risks.
During the drafting of the national risk assessment, the authorities may request the involvement of or input from the financial sector. If possible, institutions should take part in these activities and provide information as well as their observations and insights about risks. Cooperation and proactive involvement of the institutions contribute to a more accurate understanding of the ML/tF risks in the jurisdiction.
ASSESSING THE INHERENT ML/TF RISK FACTORS
As indicated, there are at least four principal inherent risk factors: customers; products, services, and transactions; geographic locations; and delivery channels. Consequently, any risk assessment model should assess at least the ML/tF risks inherent in these factors.
A key source of information for assessing the adequacy of information used for the businesswide risk assessment is information from national risk assessments, sectoral risk assessments, and ML/tF typologies relating to the specific sector. FAtF Recommendation 10 on customer due diligence provides examples of potentially higher-risk situations with respect to customers, geography, products, transactions, services, and delivery channels. these factors are relevant for assessing the risks of an individual customer but also for conducting a business-wide risk assessment. the following describes the main elements of each of the risk factors that should form the foundation of the business-wide risk assessment.
Customer Risk
It is the institution’s responsibility to assess and understand the degree of risk posed by types or categories of customers as well as by individual customers. the assessment of the risk factors used in
the business-wide risk assessment is an important input in determining which customers and types of customers pose varying levels of risk (for example, low, medium, and high). When assessing an institution’s business-wide risk assessment, supervisors should focus on reviewing whether the information, criteria, parameters, and processes used to assess the level of customer risk are adequate.
the FAtF provides the following examples of higher-risk customers:
● Business relationships that are conducted in unusual circumstances
● nonresident customers
● Legal persons or arrangements that are personal asset-holding vehicles
● Companies that have nominee shareholders or shares in bearer form
● Businesses that are cash-intensive
● ownership structures that appear unusual or excessively complex given the nature of the company’s business.
the following are some examples of lower-risk customers:
● Financial institutions and designated nonfinancial businesses and professions that are subject to requirements to combat ML/tF consistent with the FAtF recommendations, have implemented those requirements effectively, and are supervised or monitored effectively in accordance with the FAtF recommendations to ensure compliance with those requirements
● Public companies listed on a stock exchange and subject to disclosure requirements (either by stock exchange rules or through law or enforceable means), which impose requirements to ensure adequate transparency of beneficial ownership
● Public administrations or enterprises.
Financial institutions will generally identify certain categories of customers as inherently high risk because they are prescribed by law or regulation (for example, politically exposed persons), customer risks are identified in the national risk assessment or in FIU information and typologies, or their own ML/tF risk assessments identify them as high risk. these customer categories include the following, among others:
● Politically exposed persons
● Casinos
● nonresident entities, particularly those with connections to high-risk jurisdictions
● Professionals (for example, lawyers, accountants, and trust and company service providers) acting as an introducer or intermediary on behalf of clients or groups of clients (whereby there is no direct contact with the client)
● High-net-worth individuals
● Respondent banks from high-risk jurisdictions
● Private investment or asset protection vehicles.
It is not necessary to categorize all of the persons or entities in one of these groups as automatically high risk, as doing so may not be accurate and may cause financial exclusion. these categories
concern the assessment of inherent risks. After mitigating measures have been applied, the risk category might be different. A successful customer risk assessment framework distinguishes between high-, medium-, and low-risk clients.
Product, Service, Transaction, and Delivery Channel Risks
A financial institution should also take stock of the lines of business (products and services) that are more vulnerable to ML/tF abuse. How a customer uses a product or service is what determines the likelihood of abuse. the characteristics of some products make them vulnerable or attractive to abuse (for example, private banking, cash transactions, or virtual assets).
Financial institutions should assess the inherent risks of abuse of products and services by customers, by taking into account factors such as their ease for holding and transferring value or their complexity and transparency. not all products and services attract the same level of risk, and the model used to assess risk should evaluate their likelihood and impact for being abused for ML or tF. A highly vulnerable product or service may only be used occasionally by a few customers or for small amounts, which could then result in a lower inherent risk of that product or service. to assess the degree of inherent risk, other factors should be taken into account, such as the volume of use, meaning the amount and number of accounts or transactions. similarly, financial institutions should also assess the inherent risks associated with their business activities, processes, and transactions with respect to the delivery channels used. Inherently high risks occur in non-face-to-face situations—especially when no safeguards are in place, such as an electronic means of identification—and when professional intermediaries and introducers are used. Financial institutions providing virtual asset services are also likely to have primarily online, non-faceto-face interactions that should be captured by the risk assessment (FAtF 2019). the following are examples of the risk factors related to higher-risk products, services, transactions, or delivery channels as provided by the FAtF:
● Private banking
● Anonymous transactions (which may include cash)
● non-face-to-face business relationships or transactions (without the use of reliable, independent digital identity and other responsible innovative solutions)
● Payments received from unknown or unassociated third parties.
the FAtF also provides examples of the risk factors of lower-risk products, services, transactions, or delivery channels:
● Financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes.
other products and services also have inherent ML/tF vulnerabilities:
● Back-to-back loans
● Financial guarantees (for example, trade finance, stand-by letters of credit)
● Currency exchange
● trust services
● Wealth management and investment services, including brokerage
● Correspondent banking, including payable-through accounts
● Cash management and custodial services
● Virtual assets.
Geographic Risk
Financial institutions generally have geographic ML/tF risk exposure from both domestic and crossborder sources. these risks arise from (a) the locations where the institution has offices, branches, and subsidiaries; and (b) locations where customers reside or conduct their activities. With regard to geographic risk, financial institutions can obtain information from national risk assessments and the FIU, among other sources, to identify high-risk regions and jurisdictions. For example, branches in border regions, airports, free trade zones, or areas with higher criminality may pose higher ML/tF risks. With regard to cross-border exposures, financial institutions can also draw on the information from sources such as mutual evaluation reports and other reliable reports published by the FAtF or the organisation for economic Co-operation and Development.
With respect to both the business-wide risk assessment as well as the risk assessment of an individual customer, geographic risk is generally assessed in combination with customer risk or product, service, and transaction risk. For instance, a corporate customer may be active in or have an ultimate beneficial owner from a high-risk jurisdiction, or a customer might send funds to a high-risk jurisdiction. the FAtF provides the following examples of higher-risk jurisdictions or geographic risk factors:
● Jurisdictions identified by credible sources, such as mutual evaluation or detailed assessment reports or published follow-up reports, as not having adequate AML/CFt systems
● Jurisdictions subject to sanctions, embargos, or similar measures issued by, for example, the
United nations
● Jurisdictions identified by credible sources as having significant levels of corruption or other criminal activity
● Jurisdictions or geographic areas identified by credible sources as providing funding or support for terrorist activities or as having designated terrorist organizations operating within their jurisdiction.
the FAtF provides the following examples of lower-risk jurisdictions or geographic risk factors:
● Jurisdictions identified by credible sources, such as mutual evaluation or detailed assessment reports, as having effective AML/CFt systems
● Jurisdictions identified by credible sources as having a low level of corruption or other criminal activity.
Other Relevant Factors
A financial institution should also consider factors that may present specific or ancillary risks. these factors can include the following:
