RECOMMENDATION 1

ASSESSING RISKS AND APPLYING A RISK-BASED APPROACH [5]

[5] The requirements in this Recommendation should be assessed taking into account the more specific risk-based requirements in other Recommendations. Under Recommendation 1, assessors should come to an overall view of risk assessment and risk mitigation by countries and financial institutions/DNFBPs as required in other Recommendations, but should not duplicate the detailed assessments of risk-based measures required under other Recommendations. Assessors are not expected to conduct an in-depth review of the country’s assessment(s) of risks. Assessors should focus on the process, mechanism and information sources adopted by the country, as well as the contextual factors, and should consider the reasonableness of the conclusions of the country’s assessment(s) of risks.

OBLIGATIONS AND DECISIONS FOR COUNTRIES

    Risk assessment
  1.1 Countries should identify and assess the ML/TF risks for the country. [6]
  1.2 Countries should designate an authority or mechanism to co-ordinate actions to assess risks.
  1.3 Countries should keep the risk assessments up to date.
  1.4 Countries should have mechanisms to provide information on the results of the risk assessment(s) to all relevant competent authorities and self-regulatory bodies (SRBs), financial institutions and DNFBPs.

    Risk mitigation
  1.5 Based on their understanding of their risks, countries should apply a risk-based approach to allocating resources and implementing measures to prevent or mitigate ML/TF.
  1.6 Countries which decide not to apply some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions should demonstrate that:
    1. there is a proven low risk of ML/TF; the exemption occurs in strictly limited and justified circumstances; and it relates to a particular type of financial institution or activity, or DNFBP; or
    2. a financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis (having regard to quantitative and absolute criteria), such that there is a low risk of ML/TF.
  1.7 Where countries identify higher risks, they should ensure that their AML/CFT regime addresses such risks, including through: (a) requiring financial institutions and DNFBPs to take enhanced measures to manage and mitigate the risks; or (b) requiring financial institutions and DNFBPs to ensure that this information is incorporated into their risk assessments.
  1.8 Countries may allow simplified measures for some of the FATF Recommendations requiring financial institutions or DNFBPs to take certain actions, provided that a lower risk has been identified, and this is consistent with the country’s assessment of its ML/TF risks. [7]
  1.9 Supervisors and SRBs should ensure that financial institutions and DNFBPs are implementing their obligations under Recommendation 1. [8]

OBLIGATIONS AND DECISIONS FOR FINANCIAL INSTITUTIONS AND DNFBPS

    Risk assessment
  1.10 Financial institutions and DNFBPs should be required to take appropriate steps to identify, assess, and understand their ML/TF risks (for customers, countries or geographic areas; and products, services, transactions or delivery channels). [9] This includes being required to:
    1. document their risk assessments;
    2. consider all the relevant risk factors before determining what is the level of overall risk and the appropriate level and type of mitigation to be applied;
    3. keep these assessments up to date; and
    4. have appropriate mechanisms to provide risk assessment information to competent authorities and SRBs.

    Risk mitigation
  1.11 Financial institutions and DNFBPs should be required to:
    1. have policies, controls and procedures, which are approved by senior management, to enable them to manage and mitigate the risks that have been identified (either by the country or by the financial institution or DNFBP);
    2. monitor the implementation of those controls and to enhance them if necessary; and
    3. take enhanced measures to manage and mitigate the risks where higher risks are identified.
  1.12 Countries may only permit financial institutions and DNFBPs to take simplified measures to manage and mitigate risks if lower risks have been identified and criteria 9 to 11 are met. Simplified measures should not be permitted whenever there is a suspicion of ML/TF.

[6] Where appropriate, ML/TF risk assessments at a supra-national level should be taken into account when considering whether this obligation is satisfied.
[7] Where the FATF Recommendations identify higher-risk activities for which enhanced or specific measures are required, countries should ensure that all such measures are applied, although the extent of such measures may vary according to the specific level of risk.
[8] The requirements in this criterion should be assessed taking into account the findings in relation to Recommendations 26 and 28.
[9] The nature and extent of any assessment of ML/TF risks should be appropriate to the nature and size of the business. Competent authorities or SRBs may determine that individual documented risk assessments are not required, provided that the specific risks inherent to the sector are clearly identified and understood, and that individual financial institutions and DNFBPs understand their ML/TF risks.

RECOMMENDATION 17

RELIANCE ON THIRD PARTIES [59]

[59] This Recommendation does not apply to outsourcing or agency relationships, as set out in paragraph 1 of INR.17.

  17.1 If financial institutions are permitted to rely on third-party financial institutions and DNFBPs to perform elements (a)-(c) of the CDD measures set out in Recommendation 10 (identification of the customer; identification of the beneficial owner; and understanding the nature of the business) or to introduce business, the ultimate responsibility for CDD measures should remain with the financial institution relying on the third party, which should be required to:
    1. obtain immediately the necessary information concerning elements (a)-(c) of the CDD measures set out in Recommendation 10;
    2. take steps to satisfy itself that copies of identification data and other relevant documentation relating to CDD requirements will be made available from the third party upon request without delay;
    3. satisfy itself that the third party is regulated, and supervised or monitored for, and has measures in place for compliance with, CDD and record-keeping requirements in line with Recommendations 10 and 11.
  17.2 When determining in which countries the third party that meets the conditions can be based, countries should have regard to information available on the level of country risk.
  17.3 For financial institutions that rely on a third party that is part of the same financial group, relevant competent authorities [60] may also consider that the requirements of the criteria above are met in the following circumstances:
    1. the group applies CDD and record-keeping requirements, in line with Recommendations 10 to 12, and programmes against money laundering and terrorist financing, in accordance with Recommendation 18;
    2. the implementation of those CDD and record-keeping requirements and AML/CFT programmes is supervised at a group level by a competent authority; and
    3. any higher country risk is adequately mitigated by the group’s AML/CFT policies.

[60] The term "relevant competent authorities" in Recommendation 17 means (i) the home authority, which should be involved for the understanding of group policies and controls at group-wide level, and (ii) the host authorities, which should be involved for the branches/subsidiaries.