ICPAC GUIDANCE PAPER ON THE RISK BASED APPROACH (RBA) March 2019

A. Purpose

This guidance has been prepared to set out what is expected of any firm holding a license from ICPAC (“Licensed Firm”) and of the Compliance Officer of the firm in relation to the risk assessment policies and procedures required by The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2018 and ICPAC’s AML Directive.

The guidance provides a list of steps on how to design and implement a risk-based approach. Furthermore, an example of a manual risk scoring methodology on a client level is included and available to all Members of ICPAC.

It should be noted that it is the responsibility of the Members to ensure they are able to demonstrate full compliance with these requirements and to obtain independent advice from reliable sources, when required.

The guidance is a living document and may need to be updated from time to time.

B. What is the RBA?

Each Licensed Firm should apply appropriate measures and procedures, on a Risk Based Approach (hereinafter “RBA”), to focus its effort on those areas where the risk of money laundering and terrorist financing (ML/TF) appears to be higher. The application of the RBA assists firms in identifying the areas of operations where ML/TF risks emanate and in assessing those risks. Consequently, Licensed Firms are able to distribute their resources and efforts in ways that improve their AML/CFT controls and mitigate their ML/TF risks more effectively.

A RBA involves specific measures and procedures such as:

(a) Identifying and assessing the ML/TF risks emanating from particular clients, services, geographical areas, and delivery channels of operation of the Licensed Firm and its clients;

(b) Documenting in the risk management and procedures manual, the policies, measures, procedures and controls to ensure their uniform application across the Licensed Firm by persons specifically appointed for that purpose by the Board of Directors / sole director / sole practitioner;

(c) Managing and mitigating the assessed risks by the application of appropriate and effective measures, procedures and controls;

(d) Continuous monitoring and improvements in the effective operation of the policies, procedures and controls.

The RBA is carried out:

1) on a client basis during on-boarding and revised during the review of the relationship:

✓ Applies on each client or occasional service
✓ Every time a client is accepted
✓ Periodically for all existing clients
✓ Provides data on the risk profile of clients as part of the entity level assessment

2) on an entity (firm-wide) basis annually taking into account the overall risks undertaken by the firm:

✓ applicable to the firm overall
✓ performed initially once the RBA is adopted
✓ reviewed periodically and if material changes take place internally or externally
✓ uses the results of the assessment of individual relations or transactions

The current Guidance places emphasis only on the risk-based approach on a client basis. For further guidance on the risk-based approach on an entity basis, follow the link to ICAEW’s ‘Firm-wide risk assessment methodology’ and the link to the Guidelines on AML/CFT issued by the Joint Committee of the three European Supervisory Authorities.

Licensed Firms should identify and assess the ML/TF risk associated with the services they offer, the jurisdictions they operate in, the clients they attract and the transaction or delivery channels they use to service their clients, i.e. the risk that they could be used for ML/TF.

The steps Licensed Firms take to identify and assess ML/TF risk across their business must be proportionate to their nature and size. That is to say that firms that do not offer complex services and that have limited or no international exposures (i.e. have mostly local clients) may not need an overly complex or sophisticated assessment.

It is important to understand that there are no standard rules governing the implementation of the RBA in each Licensed Firm; however, FATF Recommendation 1 can be considered the basis for the implementation of the RBA.

This document provides guidance regarding the overall annual assessment process which must be undertaken by Licensed Firms. The results of the assessment will assist the Licensed Firm to put in place the necessary additional controls and to allocate sufficient resources to mitigate the risks identified.

C. Identifying and Assessing risk at client level

The process below describes two basic steps.

Step 1: Identify the ML/TF risk factors in accordance with the risk appetite of the Licensed Firm.

Step 2: Assess the level of risk from the identified ML/TF risk factors.

C.1. How to identify risk

Risk assessments should assist the Licensed Firm to understand its exposure to ML/TF risk and to identify and prioritize the areas on which focus should be placed in order to combat ML/TF.

Step 1: Identify the risk factors

The risk areas that arise from a client-specific risk assessment can be divided into the following:

(a) Client/Client risk; what are the types of clients serviced by the Licensed Firm?

(b) Service/transaction risk; what services/transactions does the client require and could they be used to launder money or finance terrorism?

(c) Geographical risk; what countries/geographical areas does the client operate in or reside in, and what is the country of citizenship?

(d) Delivery Channel Risk; how and by whom are the clients introduced to the Licensed Firm?

Indicators to be considered for each identified risk factor

The Licensed Firm should assess and measure the level of risk based on the following risk factor indicators:

(a) Client/Client risk

Each Licensed Firm must determine whether a specific client poses higher risk of ML/TF. Each client is different and will have their own risk profile. When identifying the risk associated with clients, the Licensed Firm should consider the risks related to:

• the client’s and the client’s beneficial owner’s business or professional activity, i.e. whether the activity carries a high risk of corruption (e.g. arms dealing), whether it relates to high levels of cash, whether they are regulated etc;

• the client’s and the client’s beneficial owner’s reputation, i.e. is there adverse media surrounding the client and the beneficial owners, are they subject to a previous suspicion report or have they been convicted etc?;

• the client’s and the client’s beneficial owner’s nature and behavior, i.e. are they unnecessarily secretive, is there doubt about the veracity of the KYC documents, is there frequent and inexplicable change in ownership etc?;

• the client’s structure, i.e. is the structure non-transparent, unusually complex with no reasonable explanation etc?, and

• Individuals subject to sanctions issued by the U.N., EU and OFAC

The relevant risk factors for considering the risks associated with a client’s or a client’s beneficial owner’s business or professional activity are included in Table 1.

(b) Service/transaction risk

Each Licensed Firm should identify the risk of ML/TF associated with the services and transactions offered/processed to/for their clients. Identified risk may arise due to unusual activity and requests which lack commercial sense. When identifying the risks associated with services/transactions, the Licensed Firm should consider the risks related to:

• the level of transparency the service/transaction affords, i.e. do these services promote anonymity, do firms accept instructions given by a third party etc?

• the complexity of the service/transaction, i.e. do the transactions involve a number of parties from a number of jurisdictions? and

• the value or size of the service/transaction, i.e. are the services cash intensive or involve high value transactions?

The relevant risk factors for considering the risk associated with services/transactions are included in Table 1.

(c) Geographical risk

Each Licensed Firm should place consideration on the risk posed by the geographical location of the business/economic activity and the source and destination of funds of the client, as well as the nationality, residence, citizenship and place of birth of a client. Countries with EU equivalent AML/CFT regimes could pose lower risk. At the same time, some jurisdictions may pose higher risk by virtue of common trading such as drug trafficking and terrorism. Although there is no one single available list of countries posing higher ML/TF risk, the determination of countries and the level of risk attached to them should be identified and included in the risk assessment. When identifying the risk associated with geographical risk, the Licensed Firm should consider the risks related to:

• Countries not having adequate AML/CTF systems e.g. FATF and EU high-risk third country lists

• Countries subject to sanctions, embargoes or similar measures issued by, for example the U.N., EU and OFAC

• Countries having significant levels of corruption or other criminal activities such as narcotics, arms dealing, human trafficking, illicit diamond trading, etc.

• Countries identified to support terrorist activities, or have designated terrorist organizations operating within their country

High-risk countries have been identified similarly, by many regulatory and advisory bodies based on certain characteristics as stated above, which can assist in understanding the level of risk such as the level of stability and corruption, terrorist and criminal activity.

Licensed Firms are urged to visit, on a regular basis, official websites providing credible information on the risks entailed for various countries. A non-exhaustive list of relevant websites is provided below:

• The country assessment reports prepared by the FATF (http://www.fatf-gafi.org)

• MONEYVAL Committee of the Council of Europe (www.coe.int/moneyval)

• EU Common Foreign & Security Policy (https://eur-lex.europa.eu)

• UN Security Council Sanctions Committees (www.un.org/sc/committees/)

• International Money Laundering Information Network (IMOLIN) – (www.imolin.org)

• International Monetary Fund (www.imf.org)

• Transparency International (https://www.transparency.org)

It should be highlighted that the European Commission has identified a number of countries demonstrating strategic deficiencies in their AML/CFT regime. These countries are considered as high-risk third countries. Clients resident or established in such jurisdictions should be classified as high-risk clients and Licensed Firms should apply Enhanced Due Diligence Measures. For the summary of the EU high-risk third countries, please refer to Circular 15/2018 issued by ICPAC on 12 July 2018 and updated accordingly thereafter.

(d) Delivery Channel Business Risk

The main concern faced by the Licensed Firms is how this client was introduced, by whom and whether or not there is a face-to-face business relationship with the client. When identifying the risk associated with delivery channel business risk, the Licensed Firm should consider the risks related to:

• The channels through which the Licensed Firm establishes a business relationship or through which transactions are carried out. Channels that favor anonymity increase the risk of ML/TF if no measures are taken towards this.

• In the cases where interaction with the client takes place on a non-face to face basis, technological measures can be put in place to mitigate the heightened risk of identity fraud or impersonation present in these situations. These measures allow a Licensed Firm to establish whether the client providing the relative identification details is actually the person he alleges to be.

Specific High-Risk Situations

It is important to note that independently of the risk assessment carried out by the Licensed Firms, there will always be categories of clients which by themselves impose an inherent high risk, for example PEPs. These are as identified in the provisions of the AML Law of 2007-2018 regarding situations that always present a high ML/TF risk. These risks relate to:

• PEPs, their family members and close associates

• Clients from EU high-risk third countries

Other factors to consider

(a) Other risk assessments and sectoral reports

When assessing risk, Licensed Firms should consider other relevant risk factors before concluding the level of overall risk. The risk assessment should incorporate findings of the Cyprus National Risk Assessment, the Supranational Risk Assessments, and/or any other available sectoral reports that provide insights on the ML/TF risk inherent to the services provided, activities of or jurisdictions associated with the clients.

(b) Reliability of data collected

Whether the source of beneficial ownership information is a public registry, another third-party source, or the client, there is always potential risk in the correctness of the information, in particular where the underlying information has been self-reported. Despite the risk of collecting incorrect information, determining the beneficial ownership should almost always start by communicating with the immediate client, having determined that none of the relevant exceptions to ascertaining beneficial ownership apply, e.g., the client is a publicly listed company. The information provided by the client should then be appropriately verified by reference to public registers and other third-party sources where possible. This may require further and clarifying questions for the immediate client. The goal is to ensure that the Licensed Firm is reasonably satisfied about the identity of the beneficial owner.

(c) Use of dormant/inactive companies

Criminals may attempt to use companies established / registered which have remained dormant/inactive for a long time. This may be in an attempt to create the impression that the company which has been registered for a number of years has a clear history and is reputable. Dormant/inactive companies can also be used to add to an existing group structure, hence increasing the overall complexity of the structure, and concealing the underlying beneficial ownership information.

C.2. Risk Assessment

Step 2: Assess the level of risk

The Licensed Firm must have a holistic view of the ML/TF risk factors which have been identified. These should be weighed differently according to their relative importance. The result of this assessment will determine the level of ML/TF risk associated with a business relationship or occasional transaction.

The assessment of the ML/TF risk should be proportionate to the nature and size of the Licensed Entity. As a result, the processes can be performed manually through the use of a non-complex matrix where a Licensed Entity offers services which are relatively simple, involving relatively few clients, or clients with similar non-complex characteristics. Automated software should be used where the Licensed Entity has a larger number of clients, especially when they are non-local, and offers a number of services, or services which could be complex and sophisticated. Automated ‘off-the-shelf’ systems are available in the market and each Licensed Firm looking to invest in such solutions should evaluate them. To this end, ICPAC issued guidance on 25 July 2016 on how to assess systems for the prevention of money laundering and terrorist financing that can be accessed through the following link.

The risk assessment policy should be reviewed and updated periodically or when the need arises to ensure that:

• it remains current and up to date,

• any deficiencies in its effectiveness will be identified and rectified

Finally, details of the risk assessment policies and procedures must be provided to ICPAC on an annual basis via the Annual Compliance Officers Report.

Weighting risk factors

The weight assigned to each risk factor, i.e. allocating a score to each factor, should reflect the risk appetite of the Licensed Firm as well as the associated level of ML/TF risk and is likely to vary depending on the service and on the client. When weighting risk factors, the Licensed Firm must ensure that:

• weighting is not disproportionately influenced by just one factor;

• economic or profit considerations do not influence the risk rating;

• weighting does not lead to a situation where it is impossible for any business relationship to be classified as high risk;

• the provisions of the ICPAC Directive or the AML Law of 2007-2018 regarding situations that always present a high ML/TF risk cannot be over-ruled by the Licensed Firm’s weighting.

It should be noted that if the Licensed Firm uses an automated system, the Compliance Officer of the firm should have sufficient knowledge of the variables/weights incorporated in the available system and document them in the firm’s AML/CFT Manual as well as have the flexibility to alter any pre-set variables/weights. During the AML monitoring visit of ICPAC, a demonstration of this will be requested as part of the review.

Risk Scoring

The Licensed Firm may decide on the most appropriate way to categorise their risk. Usually the risk ratings are High, Normal and Low, although other classifications are possible. The Licensed Firm should risk rate in a numerical format: the scoring should range from 1 to 5 with 1 being the lowest and 5 being the highest risk posed to the Licensed Firm. It should be noted that having more than 3 numerical ranges could give the firm the flexibility to develop further analysis of risks such as Low, Low-Medium, Medium, Medium-High, High. For the purposes of simplicity however, a 3-level risk categorization is used in this document.

Suggested Risk Scoring Table

The weight assigned to each risk factor to ascertain the overall total risk rating of each client is judgmental and based on the non-exhaustive list of risk factors stated in Table 1.

5 | 3-4 | 1-2
High | Normal | Low

The average of each risk factor classification as presented in Section C1 above (client/service/geographical/delivery channel) should be calculated and entered in the Risk Assessment Table (Table 2). The sum of the scores should fall in one of the risk assessment categories (High/Medium/Low). Clients who are identified as PEPs or that are associated with the EU High-risk Third Countries should be classed as high-risk by default, in line with article 64 of the AML/CFT Law.

Suggested total scoring for risk classification

17-20 | 9-16 | 4-8
High | Normal | Low

This rating will also determine the level of due diligence and the monitoring process (suggested below) the Licensed Firm will adopt to mitigate the compliance risk.

The overall responsibility for the risk assessment policy and implementation lies with the Compliance Officer. If at any stage the Compliance Officer chooses to override the manual or automated risk assessment scores/results, then the rationale along with any information used should be documented and appropriately filed.

Suggested Applicable level of due diligence & monitoring

Total Risk Scoring | 17-20 | 9-16 | 4-8
Risk Level | High | Normal | Low
Due Diligence Level | EDD | CDD | CDD/SDD
Approval | BOD | MLCO | MLCO
Monitoring* | Yearly, BOD approval for continuance of the relationship | Every 2 years | Every 3 years

*: Suggestion for the frequency of on-going monitoring of the business relationship

The results of the above process should be documented in the “Client Risk Assessment” form (a template of the form can be found in Table 2) and placed into the personal file of each client. For more guidance on EDD/CDD/SDD documentation refer to ICPAC’s Directive.
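The client-level scoring described in this section, worked through as an added example that is not part of the ICPAC guidance: each risk area's factor scores (1 to 5) are averaged, the four averages are summed, the total is banded, and the PEP / EU high-risk third country rule overrides the band. The function and field names are hypothetical, and rounding a fractional total up to the next whole number is an assumption, since the guidance does not say how a total such as 8.5 is banded.

```python
from dataclasses import dataclass
from fractions import Fraction
from math import ceil

# The four risk areas from Section C.1 of the guidance.
AREAS = ("client", "service", "geographical", "delivery_channel")

# Suggested bands and measures from the guidance's tables:
# (lowest total, risk level, due diligence, approval, monitoring)
BANDS = (
    (17, "High", "EDD", "BOD", "Yearly, BOD approval for continuance"),
    (9, "Normal", "CDD", "MLCO", "Every 2 years"),
    (4, "Low", "CDD/SDD", "MLCO", "Every 3 years"),
)


@dataclass(frozen=True)
class Assessment:
    area_averages: dict
    total: Fraction
    scored_level: str        # level implied by the numbers alone
    level: str               # level after the always-high-risk rule
    due_diligence: str
    approval: str
    monitoring: str
    override_reasons: tuple  # kept so the file shows why the level changed


def band_for(total):
    """Return (level, due diligence, approval, monitoring) for a total.

    Assumption (not in the guidance): a fractional total is rounded up,
    so a sum that falls between two bands lands in the higher one.
    """
    whole = ceil(total)
    for lowest, *measures in BANDS:
        if whole >= lowest:
            return tuple(measures)
    raise ValueError(f"total {total} is below the minimum of 4")


def assess_client(factor_scores, is_pep=False, eu_high_risk_third_country=False):
    """Score one client from a mapping of risk area -> list of 1..5 scores."""
    unknown = set(factor_scores) - set(AREAS)
    if unknown:
        raise ValueError(f"unknown risk area(s): {sorted(unknown)}")

    averages = {}
    for area in AREAS:
        scores = factor_scores.get(area, [])
        if not scores:
            raise ValueError(f"no factor scored for risk area {area!r}")
        for s in scores:
            if isinstance(s, bool) or not isinstance(s, int) or not 1 <= s <= 5:
                raise ValueError(f"{area}: score {s!r} is not a whole number 1..5")
        # Exact fractions avoid float error right at a band boundary.
        averages[area] = Fraction(sum(scores), len(scores))

    total = sum(averages.values(), Fraction(0))
    scored = band_for(total)

    # Situations the guidance treats as high risk regardless of the score.
    reasons = []
    if is_pep:
        reasons.append("PEP")
    if eu_high_risk_third_country:
        reasons.append("EU high-risk third country")

    final = BANDS[0][1:] if reasons else scored
    return Assessment(averages, total, scored[0], *final, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample client, not taken from the guidance.
    sample = {
        "client": [3, 4, 5],
        "service": [3, 3],
        "geographical": [2],
        "delivery_channel": [4, 5],
    }
    print(assess_client(sample))
    print(assess_client(sample, is_pep=True))
```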

C.3. On-going monitoring of the RBA and review

Risk Assessment is not a static event of a limited duration or an event that happens only once. An effective risk assessment has to be dynamic and on-going. Licensed Firms have to ensure that they revise the existing procedures when there are significant developments within the environment they operate in and within their business structures/activities. Such changes may lead to exposure to new ML/TF risks for Licensed Firms. Frequent revision of the risk assessment allows the obliged entities to take action to ensure that their measures, policies, controls and procedures are robust enough to cater for these.

The Licensed Firm should monitor and evaluate, on an ongoing basis, the effectiveness of the measures and procedures that have been introduced, with the aim of ensuring that the evaluations and assessments made remain current and that the procedures put in place remain suitable and appropriate for the assessed level of ML/TF risk. Any changes in the client’s pattern of activity must be assessed to determine whether an update of the client’s profile or risk categorisation is necessary.

Additionally, the Licensed Firm should periodically assess information obtained as part of their ongoing monitoring of a business relationship and consider whether this information affects the risk assessment. Risks to be considered during the assessment are presented in Table 1 “RISKS OBSERVED DURING MONITORING/REVIEW OF THE CLIENT”.

Like the initial risk assessments, any update to a risk assessment and adjustment of accompanying CDD measures should be proportionate and commensurate to the ML/TF risk. The controls presented below are recommended to be applied in order to identify potential new risks:

• Subscribe to receive alerts on changes of the EU/US/UN Sanctions lists.

• Subscribe to a reputable database and screen clients at regular intervals.

• Review media reports that are relevant to the sectors or jurisdictions in which the Licensed Firm operates/has clients.

• Monitor papers issued by ICPAC and other competent authorities.

• Participate in relevant seminars and trainings.

• Review the National and the Supranational Risk Assessment Reports.

C.4. Record Keeping

The Licensed Firm should record and document their risk assessments of business relationships, as well as any changes made to risk assessments as part of their reviews and monitoring, to ensure that they can demonstrate to ICPAC that their risk assessments and associated risk management measures are adequate.

TABLE 1: RISK FACTORS EXAMPLES AND SUGGESTED RISK SCORING

The below risk areas and factors are for consideration/guidance and are not exhaustive.

Note: The table can also be used as a risk assessment matrix with the addition of the ‘Risk Scoring’ column. For additional guidance on the factors and types of evidence that demonstrate potentially lower risk refer to Appendix II of the AML law of 2007-2018 and for higher risk, Appendix III of the AML law and Appendix C of ICPAC’s AML Directive. It is also noted that the assessment can take other formats, e.g. memo and notes, if the size and nature of the business of the firm justifies such format.

RISK OBSERVED DURING THE ON BOARDING STAGE

RISK AREA | RISK FACTORS | ASSOCIATED RISK(S) | Suggested Risk Scoring

(a) Client / Client Risk

• The client’s and the client’s beneficial owner’s business or professional activity

Risk factor: Client or beneficial owner has links to the following sectors:
• construction,
• narcotics, pharmaceuticals and healthcare,
• the arms trade and defence,
• public procurement
Associated risk(s): Sectors that are commonly associated with higher corruption risk
Suggested risk scoring: 3-5

Risk factor: Client or beneficial owner has links to the following cash-intensive sectors:
• Money Exchangers/Money Service Businesses / crowdfunding platforms and virtual currencies
• Casinos / internet gambling and other gambling related activities
• Traders and Dealers in precious metals/ High-value, easily tradable "lifestyle" goods (e.g. jewellery, watches, cars, arts, antiques)
• Traders and Dealers in oil
• Real estate sector
• Gatekeepers (lawyers, notaries, accountants, investment advisors, trusts and company service providers)
Associated risk(s):
Sectors that are associated with higher ML/TF risk
Real Estate sector – Variety of professionals (real estate agents, credit institutions, notaries and lawyers) involved in transactions which lead to high ML Risk exposure
Gatekeepers – Risk of not identifying/not correctly checking the UBO hence associated with higher ML/TF risk
Suggested risk scoring: 4-5

Risk factor: Client or beneficial owner has links to the following sectors that are cash intensive:
• bars and restaurants
• clothing stores
• food markets, including local markets, etc.
Associated risk(s): Sectors that are associated with Tax offences and potentially higher ML/TF risk
Suggested risk scoring: 3-5

Risk factor: Client is a non-profit organisation
Associated risk(s): Such activities could be abused for terrorist financing purposes hence carry a higher TF risk
Suggested risk scoring: 4-5

Risk factor: Client is a Politically Exposed Person (PEP). Beneficial owner/family member is a PEP or persons known to be close associates of PEP. The client or beneficial owner have other relevant links to a PEP, for example, the client’s directors are PEPs and, if so, these PEPs exercise significant control over the client or beneficial owner.
Associated risk(s): Involves the highest level of corruption risk
Suggested risk scoring: 5 (PEP client is always High Risk, regardless of the overall score)

Risk factor: Former Politically Exposed Person (Former PEP). Client or beneficial owner / family member who is no longer entrusted with a prominent public function for at least 12 months or close associate of PEP who is no longer entrusted with such function for at least 12 months.
Associated risk(s): Risk of placement of previously earned illegal proceeds into the financial system. Special attention needs to be exercised to assess whether the risk of corruption/power to influence is still valid.
Suggested risk scoring: 1-5

Risk factor: Other Risk Factors: Client or beneficial owner associated with industries that link to sectors that are commonly associated with normal risk, including but not limited to the following industries:
• Bank / Insurance companies Employees, Officers
• Companies publicly listed on a stock exchange subject to disclosure requirements
• Public administrations or enterprises
• The client’s or the beneficial owner’s background is consistent with what the Licensed Firm knows about their former, current or planned business activity, their business’s turnover, the source of funds and the client’s or beneficial owner’s source of wealth.
• The firm has in-house information about the client’s or the beneficial owner’s integrity, obtained, for example, in the course of a long-standing business relationship.
• Clients that are resident locally, or in the EU or third countries identified as having an effective AML/CFT system
• Low rank employees/Administrative positions (secretaries, clerks etc.)
• Development/Sale/Licensing of Software
• Import / export companies (excluding industries and goods mentioned above in High Risk sectors)
• Educational / Training providers
• Sales, marketing and distribution (excluding industries and goods mentioned above in High Risk sectors)
• Trading in financial instruments for own account
Associated risk(s): Sectors that are associated with lower/moderate level of ML/TF risk
Suggested risk scoring: 1-3

• Client’s or beneficial owner’s reputation

Risk factor: Adverse media reports or other relevant sources of information about the client, for example allegations of criminality or terrorism against the client or the beneficial owner.
Associated risk(s): Potential risk of involvement in illegal activities, as absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing, which is associated with higher levels of risk.
Suggested risk scoring: 3-5

Risk factor: Client, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing.
Associated risk(s): Risk of placement of previously earned illegal proceeds into the financial system, which is associated with higher levels of risk.
Suggested risk scoring: 3-5

Risk factor: The firm knows that the client or beneficial owner has been the subject of a suspicious transactions report in the past.
Associated risk(s): Risk of placement of previously earned illegal proceeds into the financial system
Suggested risk scoring: 3-5

Risk factor: The Client or beneficial owner is listed or related to the Sanction List, however requests services which are not restricted by such sanction.
Associated risk(s): Risk of illegal activities
Suggested risk scoring: 3-5

Risk factor: The Client or beneficial owner and/or their affiliates are listed in the Panama papers, or other offshore leaks.
Associated risk(s): Risk of illegal activities
Suggested risk scoring: 3-5

• Client’s or beneficial owner’s nature and behaviour

Risk factor: Non-Face-to-Face. The Client which is (actively avoiding) not met in person.
Associated risk(s): Higher Risk of impersonation or identity fraud.
Suggested risk scoring: 4-5

Risk factor: The Client is a Trust/ Fund
Associated risk(s): Risk of hiding the identity of the controlling persons could give rise to higher ML/TF Risk.
Suggested risk scoring: 3-5

Risk factor: Third person operating and controlling “Client Account(s)” (e.g. Omnibus Accounts)
Associated risk(s): Higher risk of ML/TF Risk
Suggested risk scoring: 4-5

Risk factor: High Net Worth Individuals -HNWI (i.e. physical persons or client with beneficial owner(s) with a Net Worth of €xxxx set amount e.g. 3,000,000.)
Associated risk(s): Risk of concealing the origins of funds, tax evasion which can lead to higher ML/TF risks
Suggested risk scoring: 3-5


The firm has doubts about the veracity or accuracy of the client’s or beneficial owner’s identity.

False identity might be a sign of criminal activity which can lead to higher ML/TF risks.

4-5

The Client’s ownership and control structure is complex (set number of levels e.g. 3 levels).

Complex structure might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risks.

1-5

The client has nominee shareholders or shares in bearer form.

Hiding the UBO might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risks.

1-5

The Client requests transactions that are complex, unusually or unexpectedly large or have an unusual or unexpected pattern without an apparent economic or lawful purpose or a sound commercial rationale.

Risk that the client is trying to evade specific thresholds set by the AML legislation which can lead to higher level of ML/TF risk.

3-5

The business relationship is conducted in unusual circumstances, for example the customer is reluctant to share CDD information or appears to want to disguise the true nature of the business relationship.

Hiding of information might be a sign of criminal activity, tax evasion or other actions which can lead to ML/TF risk. Hiding information might mean that the identity of the real beneficiary is not disclosed/identified which leads to higher level of risk.

3-5

The client requests unnecessary or unreasonable levels of secrecy, for example, is reluctant to share CDD information, or appears to want to disguise the true nature of their business.

Hiding of information might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk.

3-5


(b) Services / Transaction Risk

• The level of transparency the service/transaction affords.

1. The client wishes to structure the relationship in such a way that multiple parties, for example nominee companies, are used in different jurisdictions, particularly where these jurisdictions are associated with higher ML/TF risk, therefore favouring anonymity

2. The client chooses services or transactions that inherently provide more anonymity

Might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk

3-5

• The complexity of the service/transaction

The Client requires complex transactions which involve multiple parties and/or multiple jurisdictions.

Might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk

3-5

• The value or size of the service/transaction

The Client favours high value transactions for no commercial reason such as:

1. high value loans
2. Commercial, private or real property transactions

Might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk

3-5

Continuous injection of capital or other contribution without apparent commercial/tax reason.

Might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk

3-5

The Client receives payments from un-associated or unknown third parties.

Might be a sign of criminal activity, tax evasion or other actions which can lead to higher ML/TF risk

3-5

The Client chooses life insurance policies with low premiums, or pension schemes where contributions are deducted at source and the assignment of interest is not permitted.

Associated with lower ML/TF risk

3-5


(c) Geographical Risk

• Countries and geographical areas risk factors

The Client or the client’s beneficial owner is based and/or has business activities:

1. locally or in the EU
2. in third countries with an effective AML/CFT system
3. in third countries with a low level of corruption or other criminal activity (credible source)

Jurisdictions associated with moderate levels of risk

1-3

The Client or client’s beneficial owner is based and/or has business activities and/or has funds in a jurisdiction associated with:

1. high ML/TF Risk or is subject to sanctions/embargoes e.g. UN, EU.

2. inadequate AML/CTF systems e.g. EU high-risk third country lists

3. having significant levels of corruption or other criminal activities such as narcotics, arms dealing, human trafficking, illicit diamond trading, etc.

4. terrorist activities, or have designated terrorist organizations operating within their country

Represent Highest ML/TF Risk.

5 (if the country is included on the EU List of High-Risk jurisdictions, then the client is always considered High Risk, regardless of the overall score)

(d) Delivery Channel Business Risk

Delivery Channel Business Risk

The Client is non face-to-face and therefore not present for identification purposes.

The Client may provide fraudulent identification documents and therefore may not be the individual he claims to be. The factor is associated with the highest ML/TF risk.

3-5


The client has been introduced by a 3rd party.

The 3rd party on which reliance is placed may not apply due diligence to the standards required by the Licensed entity.

3-5

RISK OBSERVED DURING ON-GOING MONITORING / REVIEW OF THE CLIENT

RISK AREA RISK FACTORS ASSOCIATED RISK(S) Suggested Risk Scoring

Client risk

The client avoids having subsequent or periodic contact when this would normally be expected.

Might indicate identity theft, impersonation risk

1-5

Service or transaction risk factors

The client requests the repeated purchase and sale of shares within a short period of time without an obvious strategy or economic rationale.

Might be a sign of criminal activity, tax evasion or other actions which can lead to ML/TF risk

1-5

No sound reason for changes in the client’s ownership and control structure.

Might be a sign of criminal activity, tax evasion or other actions which can lead to ML/TF risk

1-5

Frequent changes to CDD information or payment details.

Might be a sign of criminal activity, tax evasion or other actions which can lead to ML/TF risk

1-5

Note: Additional risk factors that could be taken into consideration and incorporated in the table above can be found in Appendix 3.


TABLE 2: RISK ASSESSMENT TABLE TEMPLATE

CLIENT RISK ASSESSMENT

Date Business Unit AML Department

Form completed by

Signature

Client Name

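Columns: Risk Factors / Rating range / Description / Risk Rating

Client /Client Risk
  Rating range: 1 to 5
  Description:
  Risk Rating:

Service/Transaction Risk
  Rating range: 1 to 5
  Description:
  Risk Rating:

Geographical Risks
  Rating range: 1 to 5
  Description:
  Risk Rating:

Delivery Channel Business Risk
  Rating range: 1 to 5
  Description:
  Risk Rating: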

Remarks:

Risk Scoring

Approval Authority

Due Diligence Level


TABLE 2: RISK ASSESSMENT TABLE

EXAMPLE 1:

Columns: Risk Factors / Rating range / Description / Risk Rating

Client /Client Risk
  i. Client activity – construction industry: 3
  ii. Client behaviour – requests services urgently: 4
  iii. Beneficial owner – non face-to-face: 5
  Subtotal: 12
  Rating range: 1 - 5
  Risk Rating: 4 (12/3)

Service/Transaction Risk
  i. Service offered – Audit Services: 2
  ii. Instructions received directly by the BO: 2
  Subtotal: 4
  Rating range: 1 - 5
  Risk Rating: 2 (4/2)

Geographical Risks
  i. Location of Business – Dubai: 3
  ii. Place of birth – Egypt: 4
  iii. Place of residence – UK: 2
  Subtotal: 9
  Rating range: 1 - 5
  Description: The project is a single multi-floor building
  Risk Rating: 3 (9/3)

Delivery Channel Business Risk
  i. Client introduction by 3rd party – Yes: 3
  Rating range: 1 - 5
  Description: 3rd Party is based in the EU. Policies and procedures have been assessed and evaluated and deemed sufficient and satisfactory. Evidence filed in a separate file.
  Risk Rating: 3 (3/1)

Remarks: Total scoring is 12 which classifies the client as Normal Risk

Risk Scoring: 12

Approval Authority: MLCO

Due Diligence Level: CDD - Every two years

TABLE 2: RISK ASSESSMENT TABLE


EXAMPLE 2:

Columns: Risk Factors / Rating range / Description / Risk Rating

Client /Client Risk
  i. Client activity – training centre: 1
  ii. Beneficial owner – PEP: 5
  Subtotal: 6
  Rating range: 1 - 5
  Description: The beneficial owner is a PEP and as such the client will be high risk.
  Risk Rating: 2 (6/3)

Service/Transaction Risk
  iii. Service offered – Audit Services: 2
  iv. Instructions received directly by the BO: 2
  Subtotal: 4
  Rating range: 1 - 5
  Risk Rating: 2 (4/2)

Geographical Risks
  i. Location of Business – Cyprus: 1
  ii. Place of birth – Cyprus: 1
  iii. Place of residence – Cyprus: 1
  Subtotal: 3
  Rating range: 1 - 5
  Risk Rating: 1 (3/1)

Delivery Channel Business Risk
  iii. Client introduction by 3rd party – No: 1
  Rating range: 1 - 5
  Risk Rating: 1 (1/1)

Remarks: Although the total scoring is 6, the Beneficial Owner is a PEP and as such the client is classified as High Risk. Enhanced Due Diligence procedures will be adopted.

Risk Scoring: 6

Approval Authority: BOD

Due Diligence Level: EDD - Every year


APPENDIX 1: ABBREVIATIONS

For the purpose of this paper, the following abbreviations shall apply:

AML/CFT: Anti-money laundering and counterterrorist financing

BO: Beneficial Owner

CDD: Client due diligence measures

EDD: Enhanced client due diligence measures

EU: European Union

FATF: Financial Action Task Force

MLCO: Money Laundering Compliance Officer

ML/TF: Money laundering and terrorist financing

PEP: Politically Exposed Person

RBA: Risk Based Approach

SDD: Simplified client due diligence measures


APPENDIX 2: DEFINITIONS

For the purpose of this paper, the following definitions shall apply:

AML Law of 2007-2018: The Prevention and Suppression of Money Laundering and Terrorist Financing Law of 2007-2018

Business relationship: means a business, professional or commercial relationship which is connected with the professional activities of a Licensed Firm and which is expected, at the time when the contact is established, to have an element of duration;

ICPAC Directive: ICPAC’s Directive dated September 2013

Occasional transaction: A transaction that is not carried out as part of a business relationship

Politically Exposed Persons (PEPs):

1. A natural person who is or who has been entrusted with prominent public functions and includes the following:
(a) heads of State, heads of government, ministers and deputy or assistant ministers;
(b) members of parliament or of similar legislative bodies;
(c) members of the governing bodies of political parties;
(d) members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
(e) members of courts of auditors or of the boards of central banks;
(f) ambassadors, chargés d'affaires and high-ranking officers in the armed forces;
(g) members of the administrative, management or supervisory bodies of State-owned enterprises;
(h) directors, deputy directors and members of the board or equivalent function of an international organisation.
(e) mayors

2. The family members of PEPs which includes the following:
(a) the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person;
(b) the children and their spouses, or persons considered to be equivalent to a spouse, of a politically exposed person;
(c) the parents of a politically exposed person;

3. The persons known to be close associates of PEPs which means:
(a) natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person;
(b) natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

Risk: The impact and likelihood of ML/TF taking place. Risk refers to inherent risk, that is, the level of risk that exists before mitigation. It does not refer to residual risk, that is, the level of risk that remains after mitigation.

Risk-based approach: An approach whereby competent authorities and firms identify, assess and understand the ML/TF risks to which firms are exposed and take AML/CFT measures that are proportionate to those risks

Risk factors: Variables that, either on their own or in combination, may increase or decrease the ML/TF risk posed by an individual business relationship or occasional transaction.

Source of funds: The origin of the funds involved in a business relationship or occasional transaction. It includes both the activity that generated the funds used in the business relationship, for example the client’s salary, as well as the means through which the client’s funds were transferred.

Source of wealth: The origin of the client’s total wealth, for example inheritance or savings.

The Licensed Firm: Refers to any Firm holding any type of license by ICPAC.


APPENDIX 3: Examples of factors that may indicate higher ML/TF risk (Source: FATF)

(a) Client/Client risk

▪ Clients where the structure or nature of the entity or relationship makes it difficult to identify in a timely manner the true beneficial owner or controlling interests or clients attempting to obscure understanding of their business, ownership or the nature of their transactions, such as:

i. Unexplained use of shell and shelf companies, front company, legal entities with ownership through nominee shares or bearer shares, control through nominee and corporate directors, legal persons or legal arrangements, splitting company incorporation and asset administration over different countries, all without any apparent legal or legitimate tax, business, economic or other reason.

ii. Unexplained use of informal arrangements such as family or close associates acting as nominee shareholders or directors.

▪ Client companies that operate a considerable part of their business in or have major subsidiaries in countries that may pose higher geographic risk.

▪ Businesses that while not normally cash intensive appear to have substantial amounts of cash.

▪ Businesses that rely heavily on new technologies (e.g. online trading platform) that may have inherent vulnerabilities to exploitation by criminals, especially those not regulated for AML/CFT.

▪ Clients who appear to be acting on somebody else’s instructions without disclosure.

▪ Clients who request that transactions be completed in unusually tight or accelerated timeframes without a reasonable explanation for accelerating the transaction, which would make it difficult or impossible for the Licensed Firm to perform a proper risk assessment.

▪ Clients having convictions for proceeds generating crimes who instruct the Licensed Firm (who has actual knowledge of such convictions) to undertake specified activities on their behalf.

▪ Clients who have no address, or multiple addresses without legitimate reasons.

▪ Clients who have funds that are obviously and inexplicably disproportionate to their circumstances (e.g. their age, income, occupation or wealth).

▪ Clients who change their settlement or execution instructions without appropriate explanation.

▪ Clients who change their means of payment for a transaction at the last minute and without justification (or with suspect justification), or where there is an unexplained lack of information or transparency in the transaction. This risk extends to situations where last minute changes are made to enable funds to be paid in from/out to a third party.

▪ Clients who insist, without adequate justification or explanation, that transactions be effected exclusively or mainly through the use of virtual assets for the purpose of preserving their anonymity.

▪ Clients who offer to pay unusually high levels of fees for services that would not ordinarily warrant such a premium. However, bona fide and appropriate contingency fee arrangements, where a Licensed Firm may receive a significant premium for a successful provision of their services, should not be considered a risk factor.


▪ Unusually high levels of assets or unusually large transactions compared to what might reasonably be expected of clients with a similar profile may indicate that a client not otherwise seen as higher risk should be treated as such. Conversely, low levels of assets or low value transactions involving a client that would otherwise appear to be higher risk might allow for a Licensed Firm to treat the client as lower risk.

▪ Certain transactions, structures, geographical location, international activities or other factors that are not consistent with the Licensed Firms’ understanding of the client’s business or economic situation.

▪ The transfer of the seat of a company to another jurisdiction without any genuine economic activity in the country of destination poses a risk of creation of shell companies which might be used to obscure beneficial ownership.

▪ The relationship between employee numbers/structure and nature of the business is divergent from the industry norm (e.g. the turnover of a company is unreasonably high considering the number of employees and assets used compared to similar businesses).

▪ Sudden activity from a previously dormant client without clear explanation.

▪ Frequent or unexplained change of professional adviser(s) or members of management.

▪ The client is reluctant to provide all the relevant information or Licensed Firms have reasonable doubt that the provided information is correct or sufficient.

▪ Inexplicable changes in ownership.

▪ Activities of the trust, company or other legal entity are unclear.

▪ The legal structure has been altered frequently and/or without adequate explanation (e.g. name changes, transfer of ownership, change of beneficiaries, change of trustee or protector, change of partners, change of directors or officers).

▪ Management of any trustee, company or legal entity appears to be acting according to instructions of unknown or inappropriate person(s).

(b) Service/Transaction risk

• Unexplained (where explanation is warranted) use of pooled client accounts or safe custody of client money or assets.

• In the case of an express trust, an unexplained (where explanation is warranted) nature of classes of beneficiaries and classes within an expression of wishes.

• Acting or providing trustees or directors of such trust, company or other legal entity.

• Services where Licensed Firms may in practice represent or assure the client’s standing, reputation and credibility to third parties, without a commensurate knowledge of the client’s affairs.

• Services requested by the client for which the Licensed Firm does not have expertise.

• Services that rely heavily on new technologies (e.g. online trading platform) that may have inherent vulnerabilities to exploitation by criminals.

• Transactions where it is readily apparent to the Licensed Firm that there is inadequate consideration, especially where the client does not identify legitimate reasons for the amount of the consideration.


• Administrative arrangements concerning estates where the deceased was known to the Licensed Firm as being a person who had been convicted of proceeds generating crimes.

• Services that deliberately have provided or depend upon more anonymity in the client identity or participants than is normal under the circumstances and experience of the accounting professional.

• Use of virtual assets and other anonymous means of payment and wealth transfer within the transaction without apparent legal, tax, business, economic or other legitimate reason.

• Transactions using unusual means of payment (e.g. precious metals or stones).

• The postponement of a payment for an asset or service delivered immediately to a date far from the moment at which payment would normally be expected to occur, without appropriate assurances that payment will be made.

• Unexplained establishment of unusual conditions/clauses in credit arrangements that do not reflect the commercial position between the parties.

• Contributions or transfers of goods that are inherently difficult to value (e.g. jewels, precious stones, objects of art or antiques, virtual assets), where this is not common for the type of clients, transaction, or with accountant’s normal course of business such as a transfer to a corporate entity, or generally without any appropriate explanation.

• Acquisitions of businesses in liquidation with no apparent legal, tax, business, economic or other legitimate reason.

• Power of representation given in unusual conditions (e.g. when it is granted irrevocably or in relation to specific assets) and the stated reasons for these conditions are unclear or illogical.

• Transactions involving closely connected persons and for which the client and/or its financial advisors provide inconsistent or irrational explanations and are subsequently unwilling or unable to explain by reference to legal, tax, business, economic or other legitimate reason.

• Situations where a nominee is being used (e.g. friend or family member is named as owner of property/assets where it is clear that the family member/friend is receiving instructions from the beneficial owner) with no apparent legal, tax, business, economic or other legitimate reason.

• Existence of suspicions regarding fraudulent transactions, or ones which are improperly accounted for. These might include:

i. Over and under invoicing of goods/services.

ii. Multiple invoicing of the same goods/services.

iii. Falsely described goods/services – over and under shipments (e.g. false entries on bills of lading).

iv. Multiple trading of goods/services.

(c) Delivery Channel risk

▪ Clients using financial intermediaries, financial institutions or DNFBPs that are not subject to adequate AML/CFT laws and measures and that are not adequately supervised by competent authorities or SRBs.


APPENDIX 4: References and Useful Links

FATF Recommendations: http://www.fatf-gafi.org/publications/fatfrecommendations/documents/fatf-recommendations.html

Guidelines on anti-money laundering and countering the financing of terrorism (AML/CFT) issued by the Joint Committee of the three European Supervisory Authorities (EBA, EIOPA and ESMA - ESAs): https://eba.europa.eu/documents/10180/1890686/Final+Guidelines+on+Risk+Factors+%28JC+2017+37%29.pdf

Anti-Money Laundering Guidance for the Accountancy Sector issued by the CCAB: https://www.icpa.org.uk/about/ccab_anti_money_laundering_guidance

FATF Guidance on the Risk-Based Approach for Accountants (2008): http://www.fatf-gafi.org/media/fatf/documents/reports/RBA%20for%20accountants.pdf

FATF Draft Risk-Based Approach Guidance for Legal Professionals, Accountants and Trust and Company Service Providers: http://www.fatf-gafi.org/publications/fatfgeneral/documents/public-consultation-guidance-tcsp.html

Risk-Based Approach Understanding and Implementation: Challenges Between Risk Appetite and Compliance: http://files.acams.org/pdfs/2016/Risk-Based_Approach_Understanding_and_Implementation_K_Touil.pdf?_ga=2.248867407.930950440.1550745463-214431943.1513329258

The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption: https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf

United Nations Security Council: https://www.un.org/securitycouncil/

United Nations Sanctions: https://www.un.org/securitycouncil/sanctions/information

EU Sanctions map: https://sanctionsmap.eu/#/main

