– 7th Annual Conference

Implementing the RBA to AML/CFT

Antonio Ghirlando Legal & Compliance Manager

What is a Risk-Based Approach?

Adopting a risk-based approach implies the adoption of a risk management process for dealing with money laundering and terrorist financing.

Ris

k M

anag

em

en

t Recognising the existence of the risk(s)

Undertaking an assessment of the risk(s)

Developing strategies to mitigate the identified risk(s)

Potential Benefits

Focus on real and identified threats.

Better management of risks.

More efficient and effective use of resources (cost benefits).

Flexibility to adapt to changing risks over time.

Minimise burdens on customers.

More difficult for criminal elements to make use of the financial system.

Reduction in crime and social harm.

Potential Challenges

Identifying and gathering appropriate information to make a sound risk analysis.

Need for expert staff capable of making sound judgements.

Overly cautious decisions and judgements.

Failure to recognise risks or to underestimate them.

Uncertainty regarding regulatory expectations and response.

Current Scenario

The possibility to apply different measures on the basis of the particular money laundering or terrorist financing risks faced was introduced by virtue of the 3rd AML Directive. Accordingly, the PMLFTR made provision for subject persons to adopt a risk-based approach instead of the prescribed mandatory risk procedures.

Regulation 4(1)(c) Regulation

7(8)

Mandatory risk assessment and risk management

Application of CDD on a risk-sensitive basis

Evolving Scenario

Supra-National

EU Commission

National

FIAU

Institutional

Subject Persons

EU Member States, ESAs, FIUs & others

Public & private entities

Recommendations

Direction & Guidance

----------

----------

The revised FATF Recommendations issued in February 2012 and the proposed 4th AML Directive require the adoption of a risk-based approach at all levels.

Risk Assessment

A risk assessment is an analysis of potential threats and vulnerabilities to money laundering and terrorist financing to which a subject person is exposed. The complexity of the risk assessment that is carried out largely depends on the nature, size, complexity and risk factors of the subject person. Risk rating methodologies will therefore differ from one subject person to another, even when operating within the same sector.

Risk Categories

Customer Risk

Product/ Service Risk

Interface Risk

Geographical Risk

The weight given to each of these categories (individually or in combination) in assessing the overall risk will need to be determined by each subject person, based on their particular circumstances.

Risk Variables

Customer Risk

Determining the potential money laundering or terrorist financing risks posed by a customer or category of customers is critical to the overall risk framework.

Based on its own criteria, a subject person needs to assess whether an individual customer or category of customers pose a higher risk. The potential impact of any mitigating factors should be considered.

All other risk variables may exacerbate or mitigate the risk.

There is no universal consensus as to which customers pose a higher risk. The FATF list could, however, serve as a starting point.

In considering risk, subject persons should also be aware of the customer’s behaviour.

Product/ Service Risk

The potential risks presented by products and services offered by a subject person should form an integral part of the risk assessment.

Subject persons should take into consideration the services identified by regulators, government authorities and other credible sources as being potentially higher risk.

Products and services that can support the movement and conversion of assets into, through and out of other financial systems may also pose high risks.

Services that inherently provide more anonymity should also be deemed as presenting a higher degree of risk.

Interface Risk

The channels through which a subject person establishes a business relationship and through which transactions are carried out have a bearing on the risk assessment.

Many delivery channels are non face-to-face and accessible 24 hours a day, seven days a week. These may therefore exacerbate the risks faced by subject persons.

Remoteness of distribution channels could lead to dependence on third parties and may also be used to obscure the true identity of customers or beneficial owners.

Geographical Risk

Though there is no universally agreed definition that prescribes whether a particular country or geographic area represents a higher risk, there are various factors that could be considered:

Countries subject to sanctions, embargoes or similar measures.

Countries identified by credible sources as lacking appropriate AML/CFT measures.

Countries identified by credible sources as providing funding or support for terrorist activities or that have designated terrorist organisations operating within them.

Countries identified by credible sources as having significant levels of corruption, or other criminal activity.

Risk Variables

A number of other variables may impact on the level of risk for each of the categories:

Purpose and intended nature of the business relationship.

The level of assets and size of transactions.

The regularity and duration of the business relationship.

The use of intermediate corporate vehicles or other structures.

The level of familiarity with the country.

Risk Mitigation

Risk mitigation is about implementing all the necessary controls in order to limit or reduce the risks that have been identified during the risk assessment to an acceptable level. Adequate policies and procedures that outline the measures that will be taken in order to address the situations where the risk for money laundering and terrorist financing is high will need to be developed.

Generic Measures

Increased awareness of higher risk situations within the business lines.

Increased levels of KYC or EDD when establishing a business relationship.

Escalation for approval of the establishment of a business relationship.

Enhanced monitoring of transactions.

Increased levels of ongoing controls and business relationship reviews.

Risk-Focused Controls (KYC)

Additional verification information to substantiate the identity of the customer.

Additional information on the intended nature of the business relationship.

A more definite indication of the amount/ type of business.

Additional documented information regarding source of wealth and funds.

Information on the customer’s AML/CFT controls wherever applicable.

More frequent review processes that also allow for exiting high risk relationships.

All information obtained should be independently verified

Risk-Focused Controls (Other)

Enhanced and risk-sensitive ongoing monitoring of customer transactions.

Ensuring monitoring capabilities are adequate in relation to the customer risk profile.

Directed additional resources in the areas identified as higher risk for identifying suspicious activity.

Directed, appropriate and risk-based training to all relevant staff.

Enhanced Internal Controls

Provide for compliance programme continuity.

Provide for increased focus on the vulnerable areas (products, services, customers and geographic locations) of the business.

Provide for adequate controls for higher risk areas. These could include escalation of approval, transaction authorisations, segregation of duties, etc.

Inform senior management of compliance initiatives, identified compliance deficiencies, corrective action taken and STRs filed.

Incorporate AML/CFT compliance into job descriptions and performance evaluations for appropriate staff.

Considerations

Subject persons must keep to the spirit and letter of the law.

There are minimum standards.

Some requirements are absolute.

Risk management is an ongoing process which needs to be reviewed periodically.

Requirements

The risk-based approach adopted by a subject person has to be approved by senior management.

Subject persons must establish a means of independently validating: The development and operation of the risk-assessment and management

processes; and The related internal controls.

Subject persons also need to ensure that their risk assessment is kept up-to-date.

The whole process has to be duly recorded in writing, and made available to the FIAU on request.

FIAU Approach

The FIAU remains committed to a cooperative approach to compliance.

The FIAU will continue to provide guidance on the existing and upcoming legislative requirements by updating the Implementing Procedures or developing specific Guidance Notes.

In terms of the risk-based approach, several factors will be considered in the reviews conducted by the FIAU Compliance Section.

The FIAU will place a regulatory focus on principles, and accept variation in practices. It will, however, expect subject persons to have appropriate policies, procedures and internal controls in place.

Antonio Ghirlando antonio.ghirlando@fiumalta.org