In the conduct of their daily business activities, Supervised Entities (i.e. Non-Regulated Financial Institutions and Listed Businesses) face risks of money laundering (ML), financing of terrorism (FT) and proliferation financing (PF). As such, Supervised Entities (SE) should take a risk-based approach to reduce the impact of these risks (risk mitigation).
Regulation 7 of the Financial Obligations Regulations, 2010 (‘FORs’) requires that SE adopt a risk-based approach to monitoring financial activities. This means SE are required to take steps to identify, assess, understand and document their ML, FT and PF risks to determine those that are low, medium or high risk.
A Risk Based Approach (RBA) is a measurable methodology that will not eliminate ML, FT and PF risk but will enable the SE to understand and reduce or manage the risks faced. This involves four (4) simple steps: identification, assessment and evaluation of the risks so that adequate mitigating systems can be developed and implemented to protect the business from being used by criminals.
No | Risk Based Approach steps | Details |
1 | Identification of Risks | The SE shall take appropriate steps to identify the ML, FT and PF risks they face based on factors including but not limited to the following: Customers (e.g. Politically Exposed Persons, Non-resident/Non-Nationals); Products and services offered (e.g. high valued products, gaming, Real Estate, Managing funds, etc.); Delivery of products and services (e.g. face to face, online/electronically, methods of payment [cross border transactions, source of funds]); and Geographic location you operate in or jurisdiction of the customers you do business with (e.g. high risk jurisdictions designated by FATF, etc.). |
2 | Assessment and Evaluation of Risks | SE must assess and evaluate the risk identified so they can understand and develop appropriate measures to address the risks. Document the report on the risk assessment and review the assessment as frequently as management determines. Measure the level of risk for every product or service you provide (Likelihood of exposure x Impact to organisation). Categorize or rank each risk identified as either low, medium or high. Develop appropriate policies and procedures to minimize or manage the risk. |
3 | Mitigate and Manage the Risk | Ensure the policies and procedures developed are documented in the form of a Compliance Programme, which must be approved by senior management of the SE. Some policies to be included in the Compliance Programme are Customer Due Diligence, Enhanced Due Diligence, Reporting and Record Keeping obligations. Refer to the FIU’s Guidance Note titled “Guide to Structuring AML/CFT Compliance Programme”. Some examples of risk mitigating measures include cash transaction limits, management approval of high risk customers, continuous training of staff or transaction monitoring. |
4 | Monitor and Review | SE must review the ML/FT/PF risk assessment to ensure the policies and procedures intended to mitigate risk are appropriate and valid. This review should also influence the AML/CFT/CPF training programme of the SE to strengthen weaknesses and improve employee understanding of the techniques for identifying any suspicious transaction or activities. SE must ensure that their AML/CFT/CPF Compliance Programme is independently tested periodically to determine the effectiveness of the measures implemented. |
The benefits of adopting an RBA include:
- resources are utilized more effectively as there is focus on the medium and high risk activities;
- measures will be developed to manage and mitigate such risks.
The FIUTT regularly conducts outreach and awareness seminars to provide SE with information on their AML/CFT obligations. Check out the Events page for upcoming outreach events on Risk Assessment and Management.