The International Financial Services Authority has issued a discussion paper to seek comments a...
The IFSCA or International Financial Services Centres Authority, issued IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines 2022 on 28th October 2022. In the said circular, the IFSCA has enumerated detailed provisions for the risk based approach and assessment activities that need to be undertaken by the regulated entities. The risk based Approach helps the regulated entity to assess and identify the potential risks to which the regulated entities are exposed. Apart from undertaking a risk-based Approach, the regulated entity shall assess the ML/TF risk from the perspective of business and customer. Henceforth, the present article deals with the risk based Approach and assessment in accordance with the IFSCA guidelines.
Chapters 2, 3 & 4 of the IFSCA guidelines deal with risk based Approach and assessment, respectively. To be specific, chapter 2 of IFSCA guidelines on IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022, states that a Risk-Based Approach enables the regulated entities to assess or identify the potential ML or TF risks to which they are exposed. The risk of regulated entities differs with the nature of business or exposure or involvement with the clients, services & products, geographic areas, countries, transactions, or delivery channels etc. The other important provisions under the guidelines for risk based Approach and assessment are:
The pre-requisites before adopting risk based Approach and assessment are:
The Risk Assessment shall be proportionate to the nature & size of the business. The regulated entity must consider all the risk factors before finalising overall risk and implementing Risk Based Approach. Therefore, the regulated entity must apply effective measures to mitigate and manage those risks identified during risk assessment.
In addition to assessing the risk of individual customer, the regulated entity shall also identify and assess the ML or TF risks associated at an enterprise level. It includes a comprehensive assessment of risk that exists across all product lines, business and delivery units. It is further stated that reports issued by FATF on Anti-money laundering, counter-terrorist financing and any other information supplied by the relevant authorities and the person who the UNSCR sanctions, may also be used to assess the risk.
The decision of the risk-assessment shall be appropriately documented and the regulated entity must ensure that information on ML or TF risk assessment is supplied to the authority upon request. Further, the record of the documents shall be kept in accordance with the guidelines. The documents shall contain the following:
The risk-assessment result shall be graded as low or medium or high. The logic behind grading of results is to apply enhanced CDD measures in the case of high-risk customers and simple CDD measures in the case of low-risk customers.
The regulated entity must update its risk assessment. They shall review their risk assessment for at least once in every 2 years and supply the same to the governing body or to the authorised committee.
Chapters 3 & 4 of the IFSCA guidelines on IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022 state two types of risk based approach and assessment techniques.
Chapter 3 of IFSCA guidelines states the manner of undertaking risk based Approach and assessment for business risk by a regulated entity. The business risk-assessment helps the regulated entity to identify the risk associated with money laundering and terrorist financing. It enables the regulated entity to frame appropriate measures in order to protect its business from getting misused used for ML/TF. The outcome of the business risk assessment must be used to understand its own susceptibility to the risks and be prepared with the necessary plan to mitigate such risks. The risk exposure to regulated entities varies with several factors such as the nature of business, types of customers, products & services offered and delivery channels. The important provision for a risk based approach and assessment of business risk is discussed below:
The risk based Approach and assessment mandates the regulated entity toidentify the nature, size & complexities of its business activities and take necessary steps in identifying ML/TF risks. The regulated entity take into consideration the following factors while identifying & assessing the risk:
In addition to this, the regulated entity must undertake equivalent mitigation measures.
The regulated entity must identify & assess the ML or TF risks that may arise due to the following:
Moreover, the regulated entity must undertake a risk-assessment before undertaking such practices and using such products or technologies. The entity shall further take measures to mitigate the risks identified at the time of risk-assessment.
The AML and CFT systems and controls shall correspond with the ML/TF risks identified through enterprise-wise risk assessment. The senior management shall approve the AML and CFT policies, procedures and controls. Further, the regulated entity shall constantly monitor its implementation.
The risk based approach and assessment information shall be used to:
Chapter 4 of IFSCA guidelines states the manner of undertaking risk based Approach and assessment for consumer risk by a regulated entity. The risk identified at the time of assessing the business risks must be used for customer risk assessment. The consumer risk assessment shall be performed in the manner mentioned below:
The Regulated Entity is required to:
However, the risk-assessment shall be completed before undertaking CDD for new and existing customers.
The regulated entity while undertaking risk based approach and assessment, consider the following activities:
When there is a high risk of ML/TF, the regulated entity shall undertake risk based Approach and assessment and take into consideration the following things:
When there is a low risk of ML/TF, the regulated entity shall undertake risk based Approach and assessment and take into consideration the following things:
The regulated entity is not required to maintain any business relationship with the customer in following cases:
The risk based Approach and assessment are important for a regulated entity to undertake while establishing a business relationship with the customer. The assessment of risk from the information obtained from the customer shall be evaluated adequately to prevent the regulated entity from being exposed to any money laundering and terrorist financing activities. The IFSCA, through theseguidelines, will maintain robust scrutiny over the activities of the regulated entity and restrict the flow of income in the economy to prevent any money laundering and terrorist financing activities.
Read our Article: What is a Risk Assessment Model