Risk Based Approach and assessment under IFSCA AML/CFT Guidelines 2022

Nikhil Mogha

Updated: Nov 21, 2022 | Category: IFSCA

The IFSCA[1], or International Financial Services Centres Authority, issued the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines 2022 on 28th October 2022. In the said circular, the IFSCA has enumerated detailed provisions for the risk-based approach and the assessment activities that regulated entities need to undertake. The risk-based approach helps a regulated entity assess and identify the potential risks to which it is exposed. Apart from undertaking a risk-based approach, the regulated entity shall assess the ML/TF risk from the perspective of business and customer. Accordingly, the present article deals with the risk-based approach and assessment in accordance with the IFSCA guidelines.

What is Risk Based Approach?

Chapters 2, 3 & 4 of the IFSCA guidelines deal with the risk-based approach and assessment. Specifically, Chapter 2 of the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, states that a risk-based approach enables the regulated entities to assess or identify the potential ML or TF risks to which they are exposed. The risk to a regulated entity differs with the nature of its business or its exposure to or involvement with clients, services & products, geographic areas, countries, transactions, delivery channels, etc. The other important provisions under the guidelines for the risk-based approach and assessment are:

Pre-requisites before adopting Risk Based Approach and Assessment

The pre-requisites before adopting the risk-based approach and assessment are:

  • It shall be objective
  • It shall be proportionate to the risks
  • It shall be based on reasonable grounds
  • It shall be updated and reviewed at appropriate intervals.

Risk Assessment

The Risk Assessment shall be proportionate to the nature & size of the business. The regulated entity must consider all the risk factors before finalising overall risk and implementing Risk Based Approach. Therefore, the regulated entity must apply effective measures to mitigate and manage those risks identified during risk assessment.

Risk Assessment at the Enterprise Level  

In addition to assessing the risk of individual customers, the regulated entity shall also identify and assess the ML or TF risks at an enterprise level. This includes a comprehensive assessment of the risk that exists across all product lines, business and delivery units. It is further stated that reports issued by FATF on Anti-money laundering, counter-terrorist financing and any other information supplied by the relevant authorities and the person who the UNSCR sanctions, may also be used to assess the risk.

Documentation of the Risk Assessment

The decision of the risk-assessment shall be appropriately documented and the regulated entity must ensure that information on ML or TF risk assessment is supplied to the authority upon request. Further, the record of the documents shall be kept in accordance with the guidelines. The documents shall contain the following:

  • Enterprise-wise AML or CFT risk assessment
  • Details of the implementation of the risk management system & controls

Grading of the Result of Risk Assessment

The risk-assessment result shall be graded as low or medium or high. The logic behind grading of results is to apply enhanced CDD measures in the case of high-risk customers and simple CDD measures in the case of low-risk customers.

Review of Risk Assessment

The regulated entity must update its risk assessment. It shall review its risk assessment at least once in every 2 years and supply the same to the governing body or to the authorised committee.

What are the types of risk assessment?

Chapters 3 & 4 of the IFSCA guidelines on IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022 state two types of risk based approach and assessment techniques.

1. Business Risk Assessment

Chapter 3 of the IFSCA guidelines states the manner of undertaking the risk-based approach and assessment for business risk by a regulated entity. The business risk assessment helps the regulated entity to identify the risk associated with money laundering and terrorist financing. It enables the regulated entity to frame appropriate measures in order to protect its business from being misused for ML/TF. The outcome of the business risk assessment must be used by the entity to understand its own susceptibility to the risks and to be prepared with the necessary plan to mitigate such risks. The risk exposure of regulated entities varies with several factors such as the nature of business, types of customers, products & services offered and delivery channels. The important provisions for a risk-based approach and assessment of business risk are discussed below:

A. Identifying and Assessing business AML risk

The risk-based approach and assessment mandates the regulated entity to identify the nature, size & complexities of its business activities and take necessary steps in identifying ML/TF risks. The regulated entity shall take into consideration the following factors while identifying & assessing the risk:

  • Types of customer and their activities
  • Business engagement in the countries or in any geographic areas.
  • Activity profiles, Services or products and their delivery channels
  • Development of new products and business practices
  • Use of new technologies for pre-existing and new products

In addition to this, the regulated entity must undertake equivalent mitigation measures.

B. New products, Business practices and Technologies

The regulated entity must identify & assess the ML or TF risks that may arise due to the following:

  • Development of new products, new delivery mechanisms & business practices
  • Use of new technologies for pre-existing and new products

Moreover, the regulated entity must undertake a risk-assessment before undertaking such practices and using such products or technologies. The entity shall further take measures to mitigate the risks identified at the time of risk-assessment.

C. AML and CFT Systems and Controls

The AML and CFT systems and controls shall correspond with the ML/TF risks identified through enterprise-wise risk assessment. The senior management shall approve the AML and CFT policies, procedures and controls. Further, the regulated entity shall constantly monitor its implementation.

The risk based approach and assessment information shall be used to:

  • Establish effective policies, systems and controls to prevent money laundering and terror financing activities.
  • Ensure that the policies, systems and controls have effectively mitigated the risks
  • Ensure that the systems and controls shall contain the provision for regular review of information on operations & effectiveness of its system and controls by the senior management.
  • Ensure that the systems and controls enable the regulated entity to determine the following:
      1. Whether the beneficial owner or customer is a PEP (Politically Exposed Person)
      2. Whether the beneficiary of the policy is a PEP, in cases where the policy is a life insurance policy and other similar policy
  • Ensure that regular Risk Assessments are carried out on the system and controls to monitor, identify, assess and mitigate the risk promptly and adequately.

2. Customer Risk Assessment

Chapter 4 of the IFSCA guidelines states the manner of undertaking the risk-based approach and assessment for customer risk by a regulated entity. The risk identified at the time of assessing the business risks must be used for customer risk assessment. The customer risk assessment shall be performed in the manner mentioned below:

A. Assessing the Customer AML Risks

The Regulated Entity is required to:

  • Undertake risk-assessment of each customer, and
  • Assign the risk rating proportionate to the ML/TF risks.

However, the risk-assessment shall be completed before undertaking CDD for new and existing customers.

The regulated entity, while undertaking the risk-based approach and assessment, shall consider the following activities:

  • Identification of the customer & beneficial owner
  • Obtaining information on the intended nature of the business relationship
  • Consider the nature of the business’s relationship
  • Consider the customer’s nature, ownership and control structure
  • Consider the relationship of the customer’s business with the regulated entity
  • Consider the customer’s residence, country of origin, nationality, place of incorporation or business.
  • Consider relevant services, products and transactions
  • Consider the beneficiary of the policy

B. Factors that may indicate high Money laundering (ML) and Terror Financing (TF) risk

When there is a high risk of ML/TF, the regulated entity shall undertake the risk-based approach and assessment and take into consideration the following things:

  • Customer Risk
      1. Identify the customers from high-risk businesses
      2. Determine the ownership structure of the legal person that appears unusual or excessively complex
      3. Determine whether the business relations are conducted in an unusual manner
      4. Identify the companies having nominee shareholders or shares in bearer form
      5. Determine the corporate structure of the customer that appears unusual or excessively complex
  • Country or Geographic Risk
      1. Identify the countries with organised crime, inadequate AML or CFT, high levels of corruption as notified by FATF and to which regulated entities are exposed.
      2. Identify the countries with organised crime, inadequate AML or CFT, and high levels of corruption as notified by a credible body.
      3. Identify the countries which do not have adequate AML or CFT systems as notified by credible sources through mutual evaluation follow-up reports and detailed assessments.
      4. Identify the country that does not possess an adequate system to counter ML or TF.
      5. Identify the country that is subject to embargos or sanctions by India or any international organisation.
      6. Identify the countries that fund or support terrorism.
      7. Identify the countries having organisations that India or international organisations declared as terrorist organisations.
  • Product, service, transaction, or delivery channels Risk factors
      1. Identify the services that involve private banking
      2. Identify the product, service or transaction that offers anonymity
      3. Determine the situation that involves non-face-to-face business relationships without any safeguards
      4. Identify the payments received from unknown or non-associated third parties
      5. Determine the services that are offered to nominee directors or shareholders outside the country
      6. Determine the anonymous transaction that involves frequent payments from unknown or non-associated third parties

C. Factors that may indicate low Money laundering (ML) and Terror Financing (TF) risk

When there is a low risk of ML/TF, the regulated entity shall undertake the risk-based approach and assessment and take into consideration the following things:

  • Customer risks, where the customer is
      1. Government Entity
      2. Public companies listed on a stock exchange and subject to disclosure requirements
      3. Financial institution or its subsidiary that is established outside India and is subject to compliance with AML or CFT requirements set by FATF.
      4. Public body or public-owned enterprise
      5. Resident registered in a geographical area of low risk
  • Product, service, transaction, or delivery channels Risk factors, where the product or service is
      1. Contract of Non-life insurance
      2. Contract of life insurance with no return on investment or redemption or surrender.
      3. Insurance policy of pension scheme that does not provide an early surrender option and could not be used as collateral.
      4. Reinsurance contract ceded by an issuer
      5. Superannuation or pension scheme
      6. Products where ML or TF is adequately managed
      7. Financial products that provide particular services to certain customers.

D. No Business Relationship with the customer

The regulated entity is not required to maintain any business relationship with the customer in the following cases:

  1. The arrangement, control and ownership of the customer prevent the entity from identifying the beneficial owner of the customer.
  2. The account is held in a nominee account or fictitious name and in the name of one person but is held for the benefit of other people whose identity is unknown to the regulated entity.
  3. The Shell Financial Institution

Conclusion

The risk-based approach and assessment are important for a regulated entity to undertake while establishing a business relationship with the customer. The assessment of risk from the information obtained from the customer shall be evaluated adequately to prevent the regulated entity from being exposed to any money laundering and terrorist financing activities. The IFSCA, through these guidelines, will maintain robust scrutiny over the activities of the regulated entity and restrict the flow of income in the economy to prevent any money laundering and terrorist financing activities.

Nikhil Mogha

An Advocate by profession, Nikhil Mogha holds experience in the field of Business and Securities law. He has done his Masters of Law in Corporate Law from Guru Gobind Singh Indraprastha University, New Delhi. He is also versed with the drafting and research work in the field of Company Law, Banking Laws and Contract Laws.
