Money Laundering and Terrorist Financing for NBFCs

Ashish M. Shaji

08 Feb, 2021

The Reserve Bank of India issued a notification for an amendment to Master Direction on KYC (Know Your Customer) wherein the regulated entities must carry out money laundering and terrorist financing risk assessment exercises periodically. The first assessment is required to be carried out by 30 June 2020.

Concept of Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment

This concept arises from the recommendations of the Financial Action Task Force, also known as FATF. It has provided detailed guidance on Terrorist Financing risk assessment. As both Money Laundering and Terrorist Financing are linked the guidelines also covers the Money Laundering risk assessment.

Terrorist Financing is a form of a risk that functions through threat, vulnerability and consequence. It runs the risk that the funds or other assets are raised, stored or used for a terrorist or terrorist organization in the form of legitimate or illegitimate funds or any other assets.

The process of risk assessment by NBFCs

The process of risk assessment of a financial sector entity like NBFC doesn’t need to be complicated, but it should be commensurate with the size and nature of its business. A simple risk assessment is enough for especially small or less complex NBFCs.

The risk assessment process by NBFCs based on the FATF guiding principles may be divided into the following stages:

• Information collection

The process of risk assessment shall begin with information collection on different variables such as information on the general criminal environment, terror financing and terror threats etc. Such information can be collected externally or internally.

The Directorate of Enforcement deals with the matters of Money Laundering and Terrorist Financing in India. It has the information and the list of terrorists. Moreover, the information can also be availed from the Central Bureau of Investigation^[1] (CBI).

• Identification of Threat

Once the information is collected, the jurisdiction and the sector-specific threats must be identified based on such information. Although the identification of the threat must be based on the national level, it should not be limited to it only. It must be aligned with the size and nature of the business entity.

The NBFCs must look at the controls that are placed including the quality of risk management policy, functioning of internal functions etc.

• Assessment of Money Laundering and Terrorist Financing vulnerabilities

In this process, it must be known how the identified threats are going to impact the entity. Factors like the nature, scale, diversity and complexity of their business must be considered while assessing the risks. Apart from it, the regulatory findings and the internal audit must also be considered.

The volume and size of its transaction must be kept in the picture while assessing the risk. The NBFCs must complement this information with the information received from internal as well as external sources.

• Analysis of Money laundering/Terrorist financing threats and vulnerabilities

When terrorist financing threats and their vulnerabilities are identified, then it is vital to know how these interact to form risks. It includes consideration of how domestic or foreign terrorist financing threats can take advantage of identified vulnerabilities. The analysis also consists of the assessment of potential consequences.

• Risk Mitigation

After the threats and vulnerabilities are analyzed, the NBFCs are required to develop and implement policies to mitigate the risks associated with the ML and TF. Customer Due Diligence (CDD) processes must be formed to understand and identify their customers by requiring them to collect information on their profession and the need for financial services by them.

1. CDD procedures: Carrying out the Customer Due Diligence is the first step while beginning with the customer relationship. This process identifies a customer and a risk-based assessment of the customer is conducted. This procedure must also include checkpoints with regard to Money Laundering and Terrorist Financing. The nature of the business or customer’s activity is also understood in the CDD procedure. Misuse of a legal person for conducting money laundering and terrorist financing must be prevented by taking measures.
2. Ongoing CDD and Monitoring: Ongoing monitoring is the scrutiny of the transactions to know if the transactions are consistent with the NBFCs knowledge of the customer and the nature of the loan product and business relationship. Monitoring can help in identifying suspicious transactions.
3. Reporting: The NBFCs must mark the unusual movement of funds for analysis, and there must be a case management system so that such funds are scrutinized timely, and it can be determined if the funds or the transactions are suspicious. Those funds that are suspicious must be reported to the FIU (Financial Intelligence Unit) in the manner specified by the authorities.
4. Internal Control: For proper mitigation of risks, it is essential to have adequate internal controls. Internal controls involve governance arrangements where the responsibility for Anti-money laundering and CFT is clearly allocated, and proper oversight is in place to test the effectiveness of NBFC policies and processes to identify assess and monitor risk.
5. Recruitment and Training: NBFCs must ensure that the personnel that they employ have integrity and are skilled enough and possess the expertise and the knowledge to perform their functions. The employees and the staff must be trained to assess the quality of NBFCs Money laundering and terrorist financing risk assessments. Adequate training shall help them to form sound judgements regarding the adequacy and the proportionality of the anti-money laundering controls.

• Post compliances

Once the assessment is completed the impact of the risk must be recorded, and measures to mitigate the risks must be provided. The information forming the basis of the risk assessment process must be updated timely, and where there is a significant change in the information, the process of risk assessment must be carried out.

Conclusion