Immediate Outcome 1

Money laundering and terrorist financing risks are understood and, where appropriate, actions co-ordinated domestically to combat money laundering and the financing of terrorism and proliferation.

Characteristics of an effective system

A country properly identifies, assesses and understands its money laundering and terrorist financing risks, and co-ordinates domestically to put in place actions to mitigate these risks. This includes the involvement of competent authorities and other relevant authorities; using a wide range of reliable information sources; using the assessment(s) of risks as a basis for developing and prioritising AML/CFT policies and activities; and communicating and implementing those policies and activities in a co-ordinated way across appropriate channels. The relevant competent authorities also cooperate, and co-ordinate policies and activities to combat the financing of proliferation. Over time, this results in substantial mitigation of money laundering and terrorist financing risks.
This outcome relates primarily to Recommendations 1, 2, 33 and 34 and also elements of R.15.

Note to Assessors:
  1. Assessors are not expected to conduct an in-depth review of, or assess the country’s assessment(s) of risks. Assessors, based on their views of the reasonableness of the assessment(s) of risks, should focus on how well the competent authorities use their understanding of the risks in practice to inform policy development and actions to mitigate the risks.
  2. Assessors should take into consideration their findings for this Immediate Outcome (IO) in their assessment of the other IOs. However, assessors should only let their findings relating to the cooperation and co-ordination of measures to combat the financing of proliferation affect the assessments of IO.11 and not of the other IOs. (i.e. IO.2 to IO.10) that deal with combating money laundering and terrorist financing.
Core Issues to be considered in determining if the Outcome is being achieved
  1. 1.1How well does the country understand its ML/TF risks?
  2. 1.2How well are the identified ML/TF risks addressed by national AML/CFT policies and activities?
  3. 1.3To what extent are the results of the assessment(s) of risks properly used to justify exemptions and support the application of enhanced measures for higher risk scenarios, or simplified measures for lower risk scenarios?
  4. 1.4To what extent are the objectives and activities of the competent authorities and SRBs consistent with the evolving national AML/CFT policies and with the ML/TF risks identified?
  5. 1.5To what extent do the competent authorities and SRBs co-operate and co-ordinate the development and implementation of policies92Having regard to AML/CFT requirements and Data Protection and Privacy rules and other similar provisions (e.g. data security / localisation) as needed. and activities to combat ML/TF and, where appropriate, the financing of proliferation of weapons of mass destruction?93Considering that there are different forms of co-operation and co-ordination between relevant authorities, Core Issue 1.5 does not prejudge a country’s choice for a particular form and applies equally to all of them.
  6. 1.6To what extent does the country ensure that respective financial institutions, DNFBPs and other sectors affected by the application of the FATF Standards are aware of the relevant results of the national ML/TF risks?
  1. Examples of Information that could support the conclusions on Core Issues
    1. The country’s assessment(s) of its ML/TF risks (e.g., types of assessment(s) produced; types of assessment(s) published / communicated).
    2. AML/CFT policies and strategies (e.g., AML/CFT policies, strategies and statements communicated/published; engagement and commitment at the senior officials and political level).
    3. Outreach activities to private sector and relevant authorities (e.g., briefings and guidance on relevant conclusions from risk assessment(s); frequency and relevancy of consultation on policies and legislation, input to develop risk assessment(s) and other policy products).
  2. Examples of Specific Factors that could support the conclusions on Core Issues
    1. What are the methods, tools, and information used to develop, review and evaluate the conclusions of the assessment(s) of risks? How comprehensive are the information and data used?
    2. How useful are strategic financial intelligence, analysis, typologies, and guidance?
    3. Which competent authorities and relevant stakeholders (including financial institutions and DNFBPs) are involved in the assessment(s) of risks? How do they provide inputs to the national level ML/TF assessment(s) of risks, and at what stage?
    4. Is the assessment(s) of risks kept up-to-date, reviewed regularly and responsive to significant events or developments (including new threats and trends)?
    5. To what extent is the assessment(s) of risks reasonable and consistent with the ML/TF threats, vulnerabilities and specificities faced by the country? Where appropriate, does it take into account risks identified by other credible sources?
    6. Do the policies of competent authorities respond to changing ML/TF risks?
    7. What mechanism(s) or body do the authorities use to ensure proper and regular cooperation and co-ordination of the national framework and development and implementation of policies to combat ML/TF, at both policymaking and operational levels, and where relevant, the financing of proliferation of weapons of mass destruction? Does the mechanism or body include all relevant authorities?
    8. Is interagency information sharing undertaken in a timely manner in a bilateral or multiagency basis as appropriate?
    9. Are there adequate resources and expertise involved in conducting the assessment(s) of risks, and for domestic co-operation and co-ordination?

Immediate Outcome 4

Financial institutions, DNFBPs and VASPs adequately apply AML/CFT preventive measures commensurate with their risks, and report suspicious transactions.

Characteristics of an effective system

Financial institutions, DNFBPs and VASPs understand the nature and level of their money laundering and terrorist financing risks; develop and apply AML/CFT policies (including group-wide policies), internal controls, and programmes to adequately mitigate those risks; apply appropriate CDD measures to identify and verify their customers (including the beneficial owners) and conduct ongoing monitoring; adequately detect and report suspicious transactions; and comply with other AML/CFT requirements. This ultimately leads to a reduction in money laundering and terrorist financing activity within these entities.

This outcome relates primarily to Recommendations 9 to 23, and also elements of Recommendations 1, 6 and 29.

Note to Assessors:
  1. Assessors should determine which financial, DNFBP and VASP sectors to weight as being most important, moderately important or less important, and should reflect their judgment in Chapters 1, 5 and 6 of the report. While judging on the overall effectiveness of this IO, assessors should explain how they have weighted the identified deficiencies and also explain how these have been taken into account in relation to how the assessors have weighted the different sectors.
  2. When determining how to weight the various financial, DNFBP and VASP sectors, assessors should consider their relative importance, taking into account the following factors:
    1. the ML/TF risks facing each sector, taking into account the materiality relevant to each sector (e.g. the relative importance of different parts of the financial sector and different DNFBPs and VASPs; the size, integration and make-up of the financial sector97E.g. including, but not limited to, the business concentration in the different sectors; the relative importance of different types of financial products or institutions; the amount of business which is domestic or cross-border; the extent to which the economy is cash-based; and estimates of the size of the informal sector and/or shadow economy), and
    2. structural elements and other contextual factors (e.g. whether established supervisors with accountability, integrity and transparency are in place for each sector; and the maturity and sophistication of the regulatory and supervisory regime for each sector).98E.g. special supervisory activities, such as thematic reviews and targeted outreach to specific sectors or institutions
    For more information on how assessors should take risk, materiality, structural elements and other contextual factors into account, see paragraphs 5 to 12 of the Methodology. For more guidance on how to reflect in the report their judgment on the relative importance of the financial, DNFBP and VASP sectors, see the Mutual Evaluation Report Template in Annex II of the Methodology.
  3. Assessors are not expected to conduct an in-depth review of the operations of financial institutions or DNFBPs, but should consider, on the basis of evidence and interviews with supervisors, FIUs, financial institutions and DNFBPs, whether financial institutions, DNFBPs and VASPs have adequately assessed and understood their exposure to money laundering and terrorist financing risks; whether their policies, procedures and internal controls adequately address these risks; and whether regulatory requirements (including STR reporting) are being properly implemented.
Core Issues to be considered in determining if the Outcome is being achieved
  1. 4.1How well do financial institutions, DNFBPs and VASPs understand their ML/TF risks and AML/CFT obligations?
  2. 4.2How well do financial institutions, DNFBPs and VASPs apply mitigating measures commensurate with their risks?
  3. 4.3How well do financial institutions, DNFBPs and VASPs apply the CDD and record-keeping measures (including beneficial ownership information and ongoing monitoring)? To what extent is business refused when CDD is incomplete?
  4. 4.4How well do financial institutions, DNFBPs and VASPs apply the enhanced or specific measures for: (a) PEPs, (b) correspondent banking, (c) new technologies, (d) wire transfers rules99In the context of VASPs, this refers to virtual asset transfer rules , (e) targeted financial sanctions relating to TF, and (f) higher-risk countries identified by the FATF?
  5. 4.5To what extent do financial institutions, DNFBPs and VASPs meet their reporting obligations on the suspected proceeds of crime and funds in support of terrorism? What are the practical measures to prevent tipping-off?
  6. 4.6How well do financial institutions, DNFBPs and VASPs apply internal controls and procedures (including at financial group level) to ensure compliance with AML/CFT requirements? To what extent are there legal or regulatory requirements (e.g., financial secrecy) impeding its implementation?
  1. Examples of Information that could support the conclusions on Core Issues
    1. Contextual factors regarding the size, composition, and structure of the financial, DNFBP and VASP sectors and informal or unregulated sector (e.g., number and types of financial institutions (including MVTS), DNFBPs and VASPs licensed or registered in each category; types of financial (including cross-border) activities; relative size, importance and materiality of sectors).
    2. Information (including trends) relating to risks and general levels of compliance (e.g., internal AML/CFT policies, procedures and programmes, trends and typologies reports).
    3. Examples of compliance failures (e.g., sanitised cases; typologies on the misuse of financial institutions, DNFBPs and VASPs).
    4. Information on compliance by financial institutions, DNFBPs and VASPs (e.g., frequency of internal AML/CFT compliance review; nature of breaches identified and remedial actions taken or sanctions applied; frequency and quality of AML/CFT training; time taken to provide competent authorities with accurate and complete CDD information for AML/CFT purposes; accounts/relationships rejected due to incomplete CDD information; wire transfers rejected due to insufficient requisite information).
    5. Information on STR reporting and other information as required by national legislation (e.g., number of STRs submitted, and the value of associated transactions; number and proportion of STRs from different sectors; the types, nature and trends in STR filings corresponding to ML/TF risks; average time taken to analyse the suspicious transaction before filing an STR).
  2. Examples of Specific Factors that could support the conclusions on Core Issues
    1. What are the measures in place to identify and deal with higher (and where relevant, lower) risk customers, business relationships, transactions, products and countries?
    2. Does the manner in which AML/CFT measures are applied prevent the legitimate use of the formal financial system, and what measures are taken to promote financial inclusion?
    3. To what extent do the CDD and enhanced or specific measures vary according to ML/TF risks across different sectors / types of institution, and individual institutions? What is the relative level of compliance between international financial groups and domestic institutions?
    4. To what extent is there reliance on third parties for the CDD process and how well are the controls applied?
    5. How well do financial institutions and groups, DNFBPs and VASPs ensure adequate access to information by the AML/CFT compliance function?
    6. Do internal policies and controls of the financial institutions and groups, DNFBPs and VASPs enable timely review of: (i) complex or unusual transactions, (ii) potential STRs for reporting to the FIU, and (iii) potential false-positives? To what extent do the STRs reported contain complete, accurate and adequate information relating to the suspicious transaction?
    7. What are the measures and tools employed to assess risk, formulate and review policy responses and institute appropriate risk mitigation and systems and controls for ML/TF risks?
    8. How are AML/CFT policies and controls communicated to senior management and staff? What remedial actions and sanctions are taken by financial institutions, DNFBPs and VASPs when AML/CFT obligations are breached?
    9. How well are financial institutions, DNFBPs and VASPs documenting their ML/TF risk assessments, and keeping them up to date?
    10. Do financial institutions, DNFBPs and VASPs have adequate resources to implement AML/CFT policies and controls relative to their size, complexity, business activities and risk profile?
    11. How well is feedback provided to assist financial institutions, DNFBPs and VASPs in detecting and reporting suspicious transactions?