Application of RBA in Supervision - FATF
Supervisors play a crucial role in preventing money
laundering and terrorist financing. They ensure banks, other financial
institutions, virtual asset service providers, accountants, real estate
agents, dealers in precious metals and stones, and other designated
non-financial business and professions, understand the risks facing their
business and how to mitigate them. Effective supervisors also ensure that these
businesses comply with their anti-money laundering and counter-terrorist
financing obligations and take appropriate action if they fail to do so.
FATF encourages countries to move beyond a tick-box
approach in monitoring the private sector’s efforts to curb money laundering
and terrorist financing. This report helps supervisors address the full
spectrum of risks and focus resources where the risks are highest. A risk-based
approach is less burdensome on lower risk sectors or activities, which is
critical for maintaining or increasing financial inclusion.
The RBA to AML/CFT aims to develop prevention or mitigation measures which are
commensurate to the ML/TF risks identified. In the case of supervision, this
applies to the way supervisory authorities allocate their resources. It also
applies to supervisors discharging their functions in a way that is conducive
to the application of a risk-based approach by banks.
A. THE RISK-BASED APPROACH TO SUPERVISION
Recommendation 26 requires countries to subject banks to adequate AML/CFT
regulation and supervision. INR 26 requires supervisors to allocate supervisory
resources to areas of higher ML/TF risk, on the basis that supervisors
understand the ML/TF risk in their country and have on site and off-site access
to all information relevant to determining a bank’s risk profile.
Recommendation 26 (R.26) requires risk-based supervision of financial institutions, Recommendation 28 (R.28) requires the risk-based supervision or monitoring of DNFBPs and Recommendation 15 (R.15) requires the risk-based supervision or monitoring of VASPs. INR 15, 26 and 28 recommend that supervisors should allocate their supervisory resources based on risk. This requires that supervisors understand the ML/TF risk in their jurisdiction, sector, and entities and have on-site and off-site access to all information relevant to those risks. Additionally, R.15, 27 and 28 require supervisors to have powers to impose a range of effective, proportionate and dissuasive sanctions (in line with Recommendation 35 (R.35)) to address failures to comply with AML/CFT requirements. The FATF Standards refer to both the ‘supervision’ and ‘systems for monitoring’ of regulated entities (see R.14, R.15, R.26 and R.28):
· Financial institutions subject to the Core Principles should be subject to licensing and supervision in line with the applicable Core Principles and R.26. All other financial institutions (including MVTS or money or currency changing providers) and VASPs must be licensed or registered and must be supervised or monitored depending on the ML/TF risks present, in line with R.14, R.15 and R.26.
· Casinos should be licensed, regulated and supervised in line with R.28. DNFBPs other than casinos should be subject to effective systems for monitoring and ensuring compliance with AML/CFT requirements on a risk-sensitive basis, in line with R.28.
RISK-BASED APPROACH GUIDANCE FOR THE BANKING SECTOR SUPERVISION
This guidance paper should be read in conjunction with:
- The FATF Recommendations, especially Recommendations 1 and 26 (R. 1, R. 26) and their Interpretive Notes (INR), and the Glossary.
- Other relevant FATF documents, such as the FATF Guidance on National Money Laundering and Terrorist Financing Risk Assessment, the FATF Guidance on Politically Exposed Persons, or the FATF Guidance on AML/CFT and Financial Inclusion.
The risk-based approach (RBA) is central to the effective implementation of the revised FATF International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation, which were adopted in 2012. The FATF has reviewed its 2007 RBA guidance for the financial sector in order to bring it in line with the new FATF requirements and to reflect the experience gained by public authorities and the private sector over the years in applying the RBA. This revised version (2021) focuses on the banking sector; separate guidance will be developed for the securities sector.
- Outline the principles involved in applying a risk-based approach to AML/CFT;
- Assist countries, competent authorities and banks in the design and implementation of a risk-based approach to AML/CFT by providing general guidelines and examples of current practice;
- Support the effective implementation and supervision of national AML/CFT measures, by focusing on risks and on mitigation measures; and
- Above all, support the development of a common understanding of what the risk-based approach to AML/CFT entails.
APPLICATION OF THE RISK-BASED APPROACH
Recommendation 1 sets out the scope of the application of the RBA. It applies in relation to:
Who and what should be subject to a country’s AML/CFT regime: in addition to the sectors and activities already included in the scope of the FATF Recommendations, countries should extend their regime to additional institutions, sectors or activities if they pose a higher risk of ML/TF. Countries could also consider exempting certain institutions, sectors or activities from some AML/CFT obligations where specified conditions are met, such as an assessment that the ML/TF risks associated with those sectors or activities are low.
How those subject to the AML/CFT regime should be supervised for compliance with this regime: AML/CFT supervisors should consider a bank’s own risk assessment and mitigation, and acknowledge the degree of discretion allowed under the national RBA, while INR 26 further requires supervisors to themselves adopt an RBA to AML/CFT supervision; and
How those subject to the AML/CFT regime should comply: where the ML/TF risk associated with a situation is higher, competent authorities and banks have to take enhanced measures to mitigate the higher risk. This means that the range, degree, frequency or intensity of controls conducted will be stronger. Conversely, where the ML/TF risk is lower, standard AML/CFT measures may be reduced, which means that each of the required measures still has to be applied, but the degree, frequency or intensity of the controls conducted will be lighter.
Supervisors oversee the measures put in place by the private sector to implement anti-money laundering checks and report suspicions. Effective, risk-based supervision is an essential part of a strong anti-money laundering system. This document guides supervisors on how to assess risks in the sectors they oversee and adapt their resources accordingly, and includes strategies to address common challenges.
The objective of this non-binding Guidance is to clarify and explain how supervisors should apply a risk-based approach to their activities in line with the FATF Standards. In addition to explaining common expectations, the Guidance is also forward looking and identifies innovative practices that can help improve the effectiveness of AML/CFT supervision and thus the overall AML/CFT system.
This Guidance focuses on the general process by which a supervisor, according to its understanding of risks, should allocate its resources and adopt risk-appropriate tools to achieve effective AML/CFT supervision. While the Guidance identifies some of the specificities in supervising the financial sector vis-à-vis other sectors, it does not seek to identify or address sectoral risks. This Guidance complements the FATF’s sector-specific risk-based approach guidance documents.
This Guidance does not advocate any specific institutional framework for supervision. The institutional measures and other means that jurisdictions use to apply risk-based supervision and enforcement should be tailored to each jurisdiction’s context. This can include the existing institutional and regulatory framework (such as the prudential regulation of relevant sectors), the size and complexity of the regulated sectors and the degree of ML/TF risks (including threats and vulnerabilities) to which they are exposed. In this Guidance, any reference to practices applied in a particular jurisdiction is provided by way of example only and is not to be considered FATF approval or endorsement of the effectiveness of that system.
· Under a ‘system for monitoring’, the ongoing observation of the activities of regulated entities is generally less intrusive than under a traditional supervision regime. For example, entities may not usually be subject to regular inspection cycles. Nonetheless, under a system for monitoring, supervisors should be able to use a range of interventions, including intrusive measures, where risks are identified, and should not be limited to off-site activities.
· Under a ‘system for monitoring’, interventions are more reactive to specific (or materialised) risks than in a traditional supervision regime. That said, effective monitoring requires a range of proactive measures to detect and respond to significant changes in risks (e.g., periodic data returns, periodic updates of risk assessments to identify changing risk profiles, and ongoing monitoring of relevant data or events such as suspicious transaction filings or significant risk events, and active interventions with entities as necessary). For example, the system of monitoring helps to detect entities that are consistently failing to undertake CDD or report STRs, or that have potentially facilitated illicit financial flows, which is the basis for triggering more intrusive supervisory intervention.
Preventing money laundering or terrorist financing (ML/TF) is more effective in protecting communities from harm than pursuing prosecution of the activity after it happens. AML/CFT supervisors play an essential role in protecting the financial system and other sectors from misuse by criminals and terrorists by:
(1) Increasing regulated entities’ awareness and understanding of the ML/TF risks, setting regulatory obligations, and facilitating and encouraging good practices,
(2) Enforcing and monitoring compliance with AML/CFT obligations, and
(3) Taking appropriate measures where deficiencies are identified.
In order to perform this function effectively and efficiently, supervisors must implement a risk-based approach.
A risk-based approach involves tailoring the supervisory response to fit the
assessed risks. This approach allows supervisors to allocate finite resources
to effectively mitigate the ML/TF risks they have identified and that are
aligned with national priorities. Tailoring supervision to address the relevant
ML/TF risks will reduce the opportunities for criminals to launder their illicit
proceeds and terrorists to finance their operations and improve the quality of
information available to law enforcement authorities. It will also ensure that
supervisory activities do not place an unwarranted burden on lower risk
sectors, entities, and activities. This is critical for maintaining or
increasing financial inclusion which could reduce overall ML/TF risks by
increasing transparency. A robust risk-based approach includes appropriate
strategies to address the full spectrum of risks, from higher to lower risk
sectors and entities. Implemented properly, a risk-based approach is more
responsive, less burdensome, and delegates more decisions to the people best
placed to make them.
Mutual evaluations reveal that making the transition to risk-based supervision is a
challenging task. Supervisors need a good understanding of risks, a strong
legal basis (mandate and powers) as well as political and organisational
support and adequate capacity and resources to succeed in implementing a robust
risk-based supervisory approach. The transition from a rule-based to a
risk-based approach takes time. It requires a change in the supervisory
culture, and investment in capacity building and training of staff, in addition
to the development and implementation of a comprehensive supervisory toolkit.
To assist in this exercise, the FATF sets out high-level guidance in Part One
of this document, practical advice to address common implementation challenges
in Part Two and country examples in Part Three, including strategies and
examples of supervision of Designated Non-Financial Businesses and Professions
(DNFBPs) and Virtual Asset Service Providers (VASPs). This Guidance should be
read alongside forthcoming guidance on proliferation financing (PF) that
explains new requirements introduced in October 2020 for countries and
regulated entities to assess proliferation financing (PF) risks and implement
risk-based measures.
Examples of common AML/CFT supervisory frameworks include arrangements where there is:
· A single AML/CFT supervisor responsible for AML/CFT supervision of all regulated entities (this task is usually exercised by the same authority which fulfils the task of the FIU or the prudential supervisor).
· Integration of some aspects of supervision, for example, integrated AML/CFT and prudential supervision of the financial sector, and/or the FIU, tax or other authority is responsible for AML/CFT supervision of all or some non-financial sectors.
· A decentralised model for AML/CFT supervision with multiple agencies and/or SRBs responsible for AML/CFT supervision across and within different sectors. The FIU or another authority may also play a role in overseeing or coordinating supervision of all or some DNFBP sectors.
Under an effective risk-based supervisory framework, the supervisor identifies,
assesses and understands ML/TF risks within the sector(s) and entities under
its purview and mitigates them effectively on an ongoing basis. This involves
implementation of a sound risk assessment system that enables the
identification, measurement, control and monitoring of ML/TF risks, as well as
a risk-based supervisory approach that enables timely supervisory intervention
to address any significant changes or elevation in risks. More specifically,
the supervisor:
· Develops and maintains a good understanding of ML/TF risks at the sectoral as well as entity level, based on sound risk assessment of inherent risks and quality of mitigation measures and informed by the national ML/TF risk assessment (see section 2, and note the new requirements to assess PF risk and refer to FATF’s forthcoming PF Guidance);
· Develops and implements a supervisory strategy that effectively directs supervisory focus to higher or emerging ML/TF risks while ensuring that there are appropriate, risk-based strategies in place to address lower risks effectively and efficiently without impacting unnecessarily on access to and usage of financial services (see section 3);
· Positively influences entities’ behaviour by ensuring they have effective AML/CFT policies in place and, where issues are identified, providing targeted guidance and feedback, directing and/or overseeing remedial actions and exercising enforcement powers in a dissuasive and proportionate manner, taking risk, context and materiality into account;
· Monitors the evolving risk environment and stays agile to identify emerging risks and respond promptly (for example, see section 2.4);
· Is equipped with the expertise, powers, discretion, and tools needed and adequately resourced to perform its functions; and
· Coordinates with other competent authorities when relevant, including the FIU, law enforcement agencies and other supervisory agencies, as well as its foreign counterparts, by sharing information, prioritising risks and carrying out joint supervisory activities as appropriate (see sections 3.9 and 3.10).
Overview of the Risk-based Supervision process
The risk-based supervision process consists of two main components, further explained in this Guidance: (1) identifying and understanding risks, and (2) mitigating those risks.
[Figure: Overview of the risk-based supervision process. Source: FATF]
B. SUPERVISOR'S RISK UNDERSTANDING
The Scope and Purpose of Supervisory Risk Assessments
To apply risk-based supervision, supervisors first need to understand the ML/TF
risk exposure of the sectors and entities they regulate. Supervisors should
develop, document and update their ML/TF risk understanding by undertaking a
supervisory risk assessment (SRA). The purpose of undertaking a SRA is to help
supervisors plan their activities in a risk-sensitive manner by determining how
much attention to give relevant sectors and entities within those sectors, and
to identify which risks should be prioritised. The scope of the SRA should
cover: threat, vulnerability and consequence, which are explained in detail in
previous FATF Guidance.
In October 2020 the FATF introduced a requirement for countries and regulated
entities to assess proliferation financing (PF) risks in addition to ML/TF
risks. This means that supervisors are now required to assess how the entities
they supervise or monitor are exposed to PF risks and take this into account in
applying risk-based measures. This Guidance should be read alongside
forthcoming guidance by the FATF on PF risk assessment and mitigation.
Sectoral and Entity-level risk assessment
Understanding inherent risks and common weaknesses in AML/CFT controls at the sectoral level is the starting point for understanding risks at a more granular, i.e., entity, level. In order to achieve a comprehensive risk understanding, supervisors should establish and maintain ongoing risk assessments of sectors and of individual entities and/or groups.
The different risk assessment approaches adopted by AML/CFT supervisors may depend
on the jurisdiction’s supervisory framework (see section 1.3), the number of
sectors under their supervision and the number of individual entities within
each sector. For example, AML/CFT supervisors of banks may choose to risk
assess each entity under their supervision or group together banks with similar
characteristics, including size, structure and ML/TF risk exposure. As a
result, the intensity of supervisory activities would be different for these
subgroups.
Where appropriate, considering their risk and materiality, DNFBP supervisors may determine risks at the entity level based on risk assessments at the sector level, where classes of entities can be clearly identified and defined based on specific characteristics (e.g. class of activities, business model or structure, profile of customers and geographic risks). Where supervisors rely on sectoral risk assessments to understand the risks of particular entities, the risk assessment should be sufficiently nuanced to consider each class of entities identified and their ML/TF risks. For example, in the trust and company service providers (TCSPs) sector, TCSPs that are in the business of acting as a formation agent of legal persons may be identified to be of greater risk when compared to other TCSPs.
Identifying risks particular to different sectors is essential for prioritising supervisory activities within the sector. In order to determine the risk of a sector as a whole, it is necessary to take into account the nature of the business models within the sector, as well as the business and risk profiles (e.g. volume of business, customer profiles) of the entities in the sector. It may also be useful to categorise entities in sub-sectors as a way to group together different types of risks (for example, within the banking sector, sub-sectoral risks may be identified for those providing mainly retail services, private banking or investment banking because of similar types of customers, distribution channels, types of products and services etc. provided). In this context, when deciding whether to carry out a sub-sectoral risk assessment, supervisors should also take into account the number of entities in a sector, the nature of and variation in business activities carried out by entities in a sector, their specific business volume and the extent of compliance by each type of entity. They should also consider the size or other characteristics of the sector vis-à-vis other sectors. In developing a risk assessment methodology, supervisors should consider the jurisdiction’s AML/CFT supervisory framework for financial, VASP and DNFBP sectors, as this may affect risk mitigation (e.g., certain sectors may not be supervised adequately and may therefore introduce additional risks to other related sectors).
Sectoral-level ML/TF risk understanding is also important to prioritise supervisory activities among the different sectors, particularly where there are multiple supervisors. An effective risk-based supervisory framework requires a supervisor to understand the risk of the sector(s) that it supervises, relative to others. Otherwise, it may spend a disproportionate amount of time and effort dealing with a risk that is important to it, but not to the jurisdiction overall.
Entity-level risk assessments help to identify entities’ standalone ML/TF risk
levels to guide the level and focus of supervisory engagement required. The
inherent risks facing a specific entity may vary, for example, based on the
type of business it conducts, its size, the profile of its customers and its
exposure resulting from doing business with high-risk jurisdictions. What
constitutes adequate mitigation measures will also vary from entity to entity.
· At the entity level, risk assessments may involve obtaining information on transaction data and other information pertaining to the entity’s activities relative to products, services, customers, delivery channels and geographic locations, and assessing how this information affects the entity’s ML/TF risk exposure. This could involve comparing volumes and types of activities against peer entities to determine which entities are higher risk compared to the “average” in their sector. It could also involve analysing broader data on entities, including studying the entity’s operating models, policies and procedures, suspicious transaction reports filed by the entity etc., to arrive at an understanding of the entity’s risks and controls. In some cases, a preliminary entity-level risk assessment can be determined based on a combination of criteria.
· Supervisors often rate the quality of an institution’s mitigation measures, using ratings weighted and tailored to the sectoral risks and entity-level inherent risks, i.e., not every deficiency is equal.
A common approach to rating the residual risk presented by each sector or entity is to develop an ongoing and iterative risk matrix with ratings for the inherent ML/TF risks on one axis and the vulnerabilities or quality of AML/CFT-mitigation, on another. The probability of ML/TF taking place should also be considered. The risk indicators used to assess inherent risks should be tailored to each sector. Some indicators are applicable to most sectors, while others are specific to some sectors or sub-sectors.
Aggregating ML/TF risk assessments of individual entities is not the same as a
sectoral risk assessment but can help supervisors identify common ML/TF risks.
At a sectoral level, entity-level risk assessments provide competent
authorities with important information on deficiencies in sector and national
regimes, allowing authorities to develop appropriate responses that may include
publishing new regulations or amending existing ones, applying enhanced measures,
and issuing supervisory guidance.
Supervisory Risk Assessments and the National Risk Assessment
The interplay between supervisory risk assessment and the NRA process is
two-way. On the one hand, supervisors’ understanding of their sectors and
entities under their purview should feed into the NRA. On the other hand, the
understanding of risks by supervisors should be informed by, and be consistent
with, the NRA that includes input from a range of AML/CFT stakeholders. This
will provide the information and insights on risks from other authorities and
entities (such as other supervisors, law enforcement, judicial, customs, FIU,
or intelligence authorities). In addition, the exchange of the relevant risk
information could also be provided by working groups that include different
national authorities with responsibilities in AML/CFT as well as through
meetings with the private sector. It is crucial that supervisors develop their
own understanding of risks that feeds into the NRA. If supervisors base their
sectoral risk understanding on the NRA, supervisors should assess whether the
NRA analysis meets their information needs (including whether it is
sufficiently up-to-date and granular) and complement it as necessary.
Some of the specific examples of the interplay between supervisory risk
assessments and the NRA include:
· Higher or lower risk activities identified by the competent authorities through the NRA process should align with the approach taken by supervisors in overseeing the risk-based approach to compliance with AML/CFT requirements implemented by entities.
· Revision of inherent risk modelling or controls assessment based on identified risks in the NRA.
· Continuing supervision of entities that contribute to and/or challenge or confirm identification of risk in the NRA.
· Understanding financial inclusion products and services, including risks associated with financial exclusion and the risk assessment needed to justify exemptions or an appropriate level of due diligence measures.
The Supervisory Risk Assessment process
Assessing Inherent Risks
Inherent risks are ML/TF risks intrinsic to a sector or an entity’s business
activities before any AML/CFT controls are applied. Inherent risks are associated
with features of a business (including their nature, scale and complexity) or
characteristics of their business activities with respect to customers,
products and services, geographic regions and delivery channels. Certain
features or characteristics pose higher or lower risks than others. INR 10
provides some examples of possible higher- and lower-risk factors (see
paragraphs 15–17) and the FATF’s range of sectoral RBA Guidance and typologies
reports can help guide supervisors’ assessment of inherent risks of a certain
sector or entity.
Supervisors should allocate adequate resources to ensure a good understanding
of the inherent risks of the regulated entities, leveraging their own knowledge
of the business activities of the sector or through engagement with experts in
those fields.
As set out in R.1, regulated entities must assess the ML/TF risks facing their
businesses. Regulated entities’ risk assessments may help to inform
supervisors’ view of risk and enable them to obtain information on specific
risk categories (e.g., products, services, customers, delivery channels and
geographic locations) relevant to the entity. They also help to inform
supervisors’ understanding of risks within a sector and at the entity level.
Supervisors should provide guidance and clarify the supervisory expectations
for entity risk assessments. This will help supervisors receive more organised
and informative entity-level risk assessments to support their understanding of
the entity-level risks.
In addition to risk categories referenced in R.1, AML/CFT supervisors in
developing their risk assessment should also take into account other
supervisory information available to them (see Box 2.1 below), including entity
type risks such as the systemic importance of the entity to the sector in which
it operates from the AML/CFT angle and its key financial indicators. When
considering these factors, supervisors should take into account characteristics
of the sector(s) as well as contextual factors and use judgement to determine
their implications for ML/TF risks.
For example:
· An institution that aggressively expands its market share or changes its business model may be more willing to take risks, compared to an institution with an established, lower risk client base and operating model.
· For entities which are part of a larger group of entities, supervisors may also need to consider the risks posed by the other aspects of the group’s business, including the complexity of the business operations, geographic risks associated with the different countries in which the group operates and the AML/CFT standards applied therein, etc.
· Supervisors may become aware of beneficial owners or directors of entities whose fitness and propriety are questionable and raise concerns about the ability and/or willingness of the entity or group to establish and implement a sound AML/CFT framework and “tone at the top”.
· AML/CFT and prudential problems often form a mutually reinforcing spiral in seriously troubled institutions. In some cases, banks have weakened or abandoned their AML/CFT controls in an attempt to attract illicit funds to solve problems of liquidity or solvency. Equally, the loss of business as a result of supervisors’ findings of AML/CFT violations can seriously affect the nature and volume of business, causing liquidity or solvency problems – particularly for a small or specialised bank.
· The entity or sector largely services financially excluded individuals or organisations and has adequate mitigation measures to limit the risks associated with their products and services. Without these services, the risks might be transferred to the unregulated economy where risks are left unmitigated.
Categories for assessing inherent risks presented by regulated entities
Supervisors may consider:
· Entity type risk: the industry in which it operates, the entity’s materiality in the sector in which it operates and/or its market share, the complexity of its operations and its business structure or model and strategy (including planned expansions into new business segments or regions, mergers and acquisitions), its shareholding/beneficial ownership information which may elevate ML/TF risks, and key financial indicators (e.g., asset and deposit growth, liquidity and cross-border flows).
· Customer risk: additional factors such as demographics and specialized product/service offering for select client groups, including on the basis of whether the customers are natural or legal persons or persons representing legal arrangements, types of businesses serviced, whether customers are domestic or foreign and whether there are specific categories of customers involved (e.g., Politically Exposed Persons).
· Geographic risk: geographic footprint of the entity’s operations both domestic and international (including where funds are received from/sent to and where clients are based and residency of beneficial owners), markets served, etc.; robustness of the foreign AML/CFT legal framework under which it operates, contextual factors (e.g., levels of corruption, crime or terrorism) and how that might influence the entity’s approach particularly in relation to online service providers or financial or other groups.
· Products and services risk: types and features of the products and services (e.g. anonymity, volume and speed of transactions, duration of the contracts, etc.). The revenues generated from these also play an important role in understanding the entity’s risk profile.
· Delivery channel risk: the features of the delivery channels used, which may include: the ability to reliably identify/verify customers through remote or digital onboarding, products or services delivered exclusively by post, telephone, internet etc., or the use of introducers or intermediaries (and the nature of their relationship with the entity).
· Transactional risk: types of transactions and financial flows; information and analysis received from the FIU on the entity’s transactional reporting may provide additional insights and independently verified information.
Note: This is not a comprehensive list – for more information see the FATF’s range of sectoral risk-based approach guidance and the list of useful resources at the end of this Guidance. Also see the FATF’s forthcoming PF Guidance for further detail on how these categories may be relevant for PF risk.
Assessing Mitigation Efforts
AML/CFT systems or controls are the measures in place within an entity to
mitigate ML/TF risks. There are different approaches to assessing the adequacy
of controls but supervisors should look beyond the specific controls and
processes (e.g., CDD, record keeping, transaction monitoring, etc.) to also
assess the overall effectiveness and soundness of the AML/CFT framework,
including whether the broader corporate governance environment and compliance
culture enables sound and effective AML/CFT internal controls.
Supervisors should use a range of tools to enable the proactive monitoring of
entities in order to assess the adequacy of their AML/CFT systems or controls.
Such mechanisms could include the periodic collection of information on the key
AML/CFT controls across the sector to proactively identify entities with major
deficiencies in controls and/or common or thematic control weaknesses among
entities. Another mechanism could be the use of data analytics to analyse
suspicious transaction reports filed by supervised entities to identify
potential control weaknesses in specific entities. Taken together, such
pro-active approaches can augment supervisors’ ability to identify at-risk
entities for targeted supervisory scrutiny or point to a need to provide more broad-based
supervisory guidance to improve certain control practices across the sector.
Supervisors should develop a holistic assessment of the AML/CFT systems or
controls within an entity (see Box 2.2 below for examples). In determining if the
entity has the necessary conditions to apply AML/CFT mitigation measures
effectively, it is important to pay attention to the level of oversight
exercised by the boards and managements of entities (who are ultimately
responsible for the entity’s AML/CFT controls). Many of the large-scale AML/CFT
compliance failures in recent years occurred either with the will or knowledge
of top management, board and sometimes owners of these institutions, or due to
a lack of adequate oversight. It is therefore critical that AML/CFT supervisors
understand the risk appetite of the owners, board, and management of the
regulated entity. Supervisors may be able to obtain this information in the
board minutes, policy documents and exchanges with other supervisors (including
prudential and conduct supervisors where applicable) but supervisors will need
to have a more holistic understanding of the actual control dynamics and the
risk appetite of an institution (and its beneficial owners). It is important to
meet with and assess the competency of senior management, board, owners and
non-executive directors as relevant. Monitoring of open source information and
risk-appetite data indicators (such as aggressive expansion) may also assist in
assessing the entity’s risk appetite. Developing risk indicators (see the examples
in Box 2.1) may assist supervisors in identifying wilful or reckless
defiance of AML/CFT obligations. Group-level supervision has an important role
to play in understanding the group-level dynamics and risk tolerance.
Assessing entities’ AML/CFT systems and controls
To assess entities’ AML/CFT systems and controls in a holistic manner, supervisors should consider the adequacy of the:
· Oversight by board and senior management
· Number of qualified/experienced staff with appropriate authority and resources
· AML/CFT policies and procedures, and conflicts with other policies and procedures (e.g., remuneration based on turnover)
· Risk management function
· Compliance function
· Internal controls (e.g., CDD, record keeping, transaction monitoring, etc.)
· Management of information systems
· Independent testing (internal and external audit), and
· Training provided to staff on AML/CFT.
The above list is both non-exhaustive (there may be other factors to consider) and not always applicable, depending on the size and characteristics of the entity. For example, the factors will need to be adapted to small businesses that may not have a board or a separate compliance function.
When identifying and assessing the mitigation of inherent risk factors,
supervisors should consider risks specific to their jurisdiction and sectors
they oversee as well as the size and characteristics of supervised entities.
For example, Singapore’s NRA identified trade-based money laundering, abuse of
legal persons and corruption as key risks faced by financial institutions.
Singapore’s financial sector supervisor, the Monetary Authority of Singapore,
has considered these risks in developing a list of inherent risk indicators
that it uses to collect the relevant information from FIs and to assess FIs’
controls in mitigating these key identified threats and risks. In Germany,
supervisors assess the appropriateness of an institution’s transaction
monitoring system depending on criteria such as the entity’s business model and
transaction volume.
A supervisor’s assessment of an entity’s mitigation efforts should be based on
its interactions and knowledge of the entity, but it can be supplemented by the
results of work completed by third parties where available. Supervisors should
only place reliance on such third-party work to the extent that they are
satisfied with the robustness of the work performed and it does not
contradict their own understanding of the entity’s AML/CFT systems and controls.
See section 4.3 on the use of third parties for more information.
Examples of third-party work could be:
· Reports produced by the entity’s external auditors, the FIU, foreign supervisors for entities with foreign operations, and home supervisors of foreign entities operating in the jurisdiction. If permitted by law, a supervisor might hire a third party to conduct targeted AML/CFT reviews or audits on their behalf.
· AML/CFT supervisors for the financial sector with access to the prudential or conduct supervisory work may take into account broader risk management factors that have an impact on the overall state of the entity’s AML/CFT program. For example, these additional elements include the quality of governance and oversight across the ‘three lines of defence’, state of the operational controls and data quality and availability across the organisation. Information from prudential or conduct supervision work is particularly useful when it reveals inconsistent views of the prudential/conduct and AML/CFT supervisors on an entity’s general governance and suggests the need to revisit the issue.
Assessing Residual Risks
Residual risks are ML/TF risks that remain after AML/CFT systems and controls are applied to address inherent risks. For example, an entity with weak AML/CFT controls may not be high-risk if the inherent risks arising from its businesses are low (although over time, the weaker controls may be exploited by criminals causing a change to the entity’s inherent risk exposure). An entity with high inherent risks may not necessarily be high-risk if strong AML/CFT controls are applied so that the residual risks are lowered. The residual risk assessment should not be a purely quantitative approach based solely on numerical risk scores. Where supervisors have significant concerns about the potential ML/TF risk impact to the system posed by an entity, supervisors should have the ability to reflect such concerns in the residual risk assessment.
Supervisors should acknowledge that no matter how robust AML/CFT controls are,
inherent risks cannot be entirely mitigated. Therefore, residual risks will
always remain that require management by the regulated entities in line with
the risk appetite of the institution.
Supervisory risk models usually consider both inherent and residual risks. For
example, a high inherent risk rating would generally indicate the need for
closer supervisory attention, so that supervisors can assess and intervene
where necessary to strengthen the entity’s risk mitigation. The residual risk
may influence the intensity/scope, and where necessary be used to prioritise
between entities (see example 7.1.4).
When determining the level of tolerable residual risk, supervisors can consider
a range of factors including the potential impact on the jurisdiction and its
supervisory population if a residual risk is high, the possible unintended consequences
of over-applying mitigation measures (e.g., increased overall ML/TF risks due
to financial exclusion) and the entities’ ability to manage their own residual
risk i.e. appropriate governance, staff training and competence.
See Part Three for further examples of supervisory risk models.
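The passage above describes the mechanics of a supervisory risk model in words: inherent risk from the Box 2.1 categories, a control rating from the Box 2.2 components, a residual rating that strong controls can lower but never eliminate, a supervisory override for concerns the scores do not capture, and a prioritisation across entities. The following Python block is an added, illustrative implementation of such a model and is not the FATF’s or any supervisor’s actual methodology; the category weights, the four-band scale, the control adjustment matrix, the "tone at the top" cap and the sample entities are all hypothetical assumptions chosen to reproduce the two cases in the text (weak controls on a low-inherent-risk entity, strong controls on a high-inherent-risk entity).

```python
"""Illustrative supervisory residual-risk model (hypothetical; not FATF's method)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BANDS = {1: "Low", 2: "Medium-Low", 3: "Medium-High", 4: "High"}

# Hypothetical weights for the inherent-risk categories of Box 2.1; a real
# supervisor would calibrate these against its own NRA and sector knowledge.
INHERENT_WEIGHTS = {
    "entity_type": 0.15, "customer": 0.20, "geographic": 0.20,
    "products_services": 0.20, "delivery_channel": 0.10, "transactional": 0.15,
}

# The control components of Box 2.2, each rated 1 (weak) to 4 (strong).
CONTROL_COMPONENTS = (
    "board_oversight", "staffing", "policies", "risk_management", "compliance",
    "internal_controls", "information_systems", "independent_testing", "training",
)

# Hypothetical matrix: how the control rating moves the inherent band.
# Strong controls lower residual risk by at most two bands; weak controls
# raise it by one. The result is clamped to 1..4, so residual risk never
# disappears: inherent risk cannot be entirely mitigated.
CONTROL_ADJUSTMENT = {1: +1, 2: 0, 3: -1, 4: -2}


@dataclass
class Entity:
    name: str
    inherent: Dict[str, int]   # category -> 1..4
    controls: Dict[str, int]   # component -> 1..4
    # Supervisory override: a minimum residual band imposed when the supervisor
    # has significant concerns about the entity's impact that scores do not show.
    residual_floor: Optional[int] = None


def _validate(scores: Dict[str, int], keys) -> None:
    missing = set(keys) - scores.keys()
    if missing:
        raise ValueError(f"missing scores: {sorted(missing)}")
    bad = {k: v for k, v in scores.items() if v not in BANDS}
    if bad:
        raise ValueError(f"scores must be 1..4: {bad}")


def inherent_band(e: Entity) -> int:
    """Weighted average of the category scores, rounded to a band."""
    _validate(e.inherent, INHERENT_WEIGHTS)
    score = sum(INHERENT_WEIGHTS[k] * e.inherent[k] for k in INHERENT_WEIGHTS)
    return max(1, min(4, int(score + 0.5)))


def control_band(e: Entity) -> int:
    """Average of the component ratings, capped when tone at the top fails.

    Hypothetical rule reflecting the text: if board oversight or independent
    testing is rated weak, the overall control rating cannot exceed 2,
    however good the operational controls look on paper.
    """
    _validate(e.controls, CONTROL_COMPONENTS)
    mean = sum(e.controls[k] for k in CONTROL_COMPONENTS) / len(CONTROL_COMPONENTS)
    band = max(1, min(4, int(mean + 0.5)))
    if e.controls["board_oversight"] == 1 or e.controls["independent_testing"] == 1:
        band = min(band, 2)
    return band


def residual_band(e: Entity) -> int:
    band = inherent_band(e) + CONTROL_ADJUSTMENT[control_band(e)]
    band = max(1, min(4, band))
    if e.residual_floor is not None:
        band = max(band, e.residual_floor)   # the override can only raise the rating
    return band


def assess(e: Entity) -> Dict[str, str]:
    return {"entity": e.name, "inherent": BANDS[inherent_band(e)],
            "controls": BANDS[control_band(e)], "residual": BANDS[residual_band(e)]}


def prioritise(entities: List[Entity]) -> List[str]:
    """Order for supervisory attention: residual first, inherent as tie-break."""
    return [e.name for e in sorted(
        entities, key=lambda e: (-residual_band(e), -inherent_band(e), e.name))]


def _uniform(keys, value):
    return {k: value for k in keys}


# Constructed sample entities (hypothetical, not real institutions).
SAMPLE = [
    Entity("A-small-credit-union", _uniform(INHERENT_WEIGHTS, 1), _uniform(CONTROL_COMPONENTS, 1)),
    Entity("B-global-bank", _uniform(INHERENT_WEIGHTS, 4), _uniform(CONTROL_COMPONENTS, 4)),
    Entity("C-trade-finance-bank", _uniform(INHERENT_WEIGHTS, 4), _uniform(CONTROL_COMPONENTS, 3),
           residual_floor=4),   # supervisor overrides because of systemic concerns
    Entity("D-private-bank", _uniform(INHERENT_WEIGHTS, 4),
           {**_uniform(CONTROL_COMPONENTS, 4), "board_oversight": 1}),
]

if __name__ == "__main__":
    for entity in SAMPLE:
        print(assess(entity))
    print("priority order:", prioritise(SAMPLE))
```

Entity A (low inherent, weak controls) comes out Medium-Low rather than High, and B (high inherent, strong controls) also comes out Medium-Low, which is the point the text makes about residual risk. D shows why the assessment must not be purely numerical: eight strong components cannot compensate for weak board oversight, so its residual rating stays High. C shows the override being used to reflect a concern about impact on the system.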
Information a supervisor needs to identify and understand the risks
Supervisors’ understanding of ML/TF risks should be formed based on the
analysis of all relevant qualitative and quantitative information. This may
include prudential and conduct information already held by the supervisors
including regulatory and supervisory records, information gathered through
surveys or periodic off-site reporting, records of past supervisory activities, AML/CFT
supervisory returns, information shared by other domestic or foreign competent
authorities including the FIU and LEAs on the usefulness of the entity’s
AML/CFT outputs, and open source information.
See Box 2.3 for a list of possible information sources.
In their efforts to assess and understand ML/TF risks, supervisors may take
into account risk assessments conducted by the supervised/monitored entities
themselves but supervisors should always maintain an independent view instead
of unduly relying on the entity’s own risk assessments.
Supervisors should take into account the jurisdiction’s privacy laws and
inter agency information exchange abilities. Supervisors should protect privacy
interests, but privacy should not serve as an undue impediment to sharing to
combat ML, TF, and other illicit financial activities. The ability to obtain
various AML/CFT-related data will have a direct influence on the granularity of
the assessment under each of the inherent risk categories/factors considered in
the risk assessment methodology and the supervisor’s ability to maintain an
up-to-date risk assessment. As set out under R.2 of the FATF Standards, AML/CFT
authorities (including supervisors) and authorities responsible for data
protection and privacy should co-operate and coordinate to ensure the
compatibility of AML/CFT requirements with Data Protection and Privacy rules
and other similar provisions.
Sources of information for risk identification and understanding
· National risk assessment, including inputs from other stakeholders
· Findings of past supervisory activity (either entity-level or horizontal/thematic reviews)
· Input from other supervisors (domestic and international), for example, prudential supervisors’ findings on the broader corporate governance environment in an entity.
· Information from the regulated entities on:
o Entity’s risk assessment and risk appetite
o Data returns / responses to questionnaires, e.g., annual compliance reports that consist of questions relating to the implementation of AML/CFT systems and controls the entities implemented to meet legislative obligations. See section 7.1.1 for further examples.
o Financial and operational data that is being shared with the supervisory agencies as a part of routine off-site reporting (including prudential data).
o Risk input from public/private partnerships or other consultation mechanisms
o Results of independent testing/audit that is provided to supervisory agencies.
· Feedback from the FIU on suspicious transaction reports filed by entities, for instance, on their timeliness and quality of filing, under- or over-reporting compared to peers and their responsiveness to the FIU’s requests for information. Those elements should be analysed in relation to the overall number of operations recorded in the entity’s sector and taking into account the concentration level of that sector. The FIU may also be able to identify situations where a suspicious transaction report (STR) should have been filed but was not, which may be an indicator of the effectiveness of the entity’s internal control system. Recurring typologies identified in STRs may suggest specific risk exposures or deficiencies in the mitigation measures in place at an entity. Regular exchanges between the supervisor and the FIU on their respective assessments of the governance, functioning and overall risk culture of the entity’s AML/CFT teams are also valuable. Additionally, information may be shared by the FIU before inspections or as a result of other events such as reports by whistle-blowers.
· Input from other competent authorities (police, prosecutors, intelligence agencies, tax, customs, anticorruption authorities and agencies dealing with targeted financial sanctions, for example). This includes ML/TF typologies and their observations and risk perceptions about the sector and, where available, the effectiveness/usefulness of the outputs of a financial institution’s AML program. See section 5.6 for examples.
· Findings from public sources (media, adverse reporting, etc.). At the French financial sector supervisor (ACPR), a dedicated division in charge of press reviews feeds the off-site supervision teams with regular press reviews, upon request. Regular press reviews can be dedicated to specific issues (for instance tax havens) or specific FIs (providing inputs on an FI’s litigation in other jurisdictions, negative information on an FI’s shareholders, etc.). Apart from news outlets, common third-party reports include those of Transparency International and the Organized Crime and Corruption Reporting Project (OCCRP).
· Findings from matters reported by whistle-blowers and complaints.
· Data on financially excluded populations.
· Input from international counterparts, groups and organisations (FATF and FSRB Reports; ESAs Risk Factor Guidelines etc.)
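Two passages above describe the same analytic: the Assessing Mitigation Efforts section mentions using data analytics over STRs filed by supervised entities to spot control weaknesses, and the FIU-feedback bullet in Box 2.3 spells out what that comparison has to account for, namely under- or over-reporting relative to peers, normalised by the number of operations in the sector and read with the sector’s concentration in mind. The Python block below is an added, illustrative implementation of such a peer comparison and is not an FIU’s or supervisor’s actual tool; the filing returns are constructed sample data, and the choice of a median/MAD "robust z-score", the flagging threshold and the HHI concentration cut-off are all hypothetical design choices of this example.

```python
"""Illustrative peer comparison of STR filing rates (hypothetical analytics)."""
from statistics import median
from typing import Dict, Iterable, List, NamedTuple


class Filing(NamedTuple):
    entity: str
    sector: str
    transactions: int   # operations recorded in the period (from off-site returns)
    strs: int           # STRs filed in the same period (from FIU feedback)


# Constructed sample returns for one period (not real data).
SAMPLE: List[Filing] = [
    Filing("bank-1", "banks", 2_000_000, 410),
    Filing("bank-2", "banks", 1_500_000, 290),
    Filing("bank-3", "banks", 900_000, 180),
    Filing("bank-4", "banks", 1_100_000, 12),     # far fewer STRs than peers
    Filing("bank-5", "banks", 400_000, 1_350),    # far more STRs than peers
    Filing("bank-6", "banks", 700_000, 140),
    Filing("mvts-1", "mvts", 50_000, 60),
    Filing("mvts-2", "mvts", 5_000, 3),
]


def rate_per_10k(f: Filing) -> float:
    """Normalise STR volume by activity so large and small entities are comparable."""
    return 10_000 * f.strs / f.transactions


def robust_z(values: List[float], x: float) -> float:
    """(x - median) / (1.4826 * MAD).

    Median and MAD are used instead of mean and standard deviation so that a
    single dominant or extreme entity does not define the 'normal' filing rate
    for its peers; 1.4826 scales MAD to be comparable to a standard deviation.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:
        return 0.0
    return (x - med) / (1.4826 * mad)


def herfindahl(shares: Iterable[float]) -> float:
    """Herfindahl-Hirschman index of activity shares (0..1); higher = more concentrated."""
    return sum(s * s for s in shares)


def benchmark(filings: List[Filing], threshold: float = 3.0,
              min_peers: int = 4, hhi_cutoff: float = 0.25) -> Dict[str, dict]:
    """Flag entities whose STR rate is far from that of their sector peers.

    Results carry a low_confidence marker when the peer group is too small or
    too concentrated for the comparison to mean much (hypothetical cut-offs).
    """
    by_sector: Dict[str, List[Filing]] = {}
    for f in filings:
        by_sector.setdefault(f.sector, []).append(f)

    results: Dict[str, dict] = {}
    for sector, group in by_sector.items():
        total_tx = sum(f.transactions for f in group)
        hhi = herfindahl(f.transactions / total_tx for f in group)
        rates = [rate_per_10k(f) for f in group]
        low_confidence = len(group) < min_peers or hhi > hhi_cutoff
        for f, rate in zip(group, rates):
            z = robust_z(rates, rate)
            if z < -threshold:
                flag = "under-reporting"
            elif z > threshold:
                flag = "over-reporting"
            else:
                flag = "in line"
            results[f.entity] = {
                "sector": sector, "rate_per_10k": round(rate, 3),
                "robust_z": round(z, 2), "flag": flag,
                "sector_hhi": round(hhi, 3), "low_confidence": low_confidence,
            }
    return results


if __name__ == "__main__":
    for name, row in benchmark(SAMPLE).items():
        print(name, row)
```

A flag here is a prompt for supervisory follow-up, not a finding: an under-reporter may have a broken monitoring system or simply a low-risk book, and an over-reporter may be filing defensively. The low_confidence marker matters for the MVTS pair in the sample, where two entities, one of them holding over 90% of the sector’s activity, cannot meaningfully benchmark each other.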
Supervisors keeping their Risk Understanding Updated
Effective supervision depends on supervisors’ ability to identify and
prioritise on a timely basis, areas and institutions for greater supervisory
attention. Supervisors typically review and update their risk assessments
according to a fixed cycle and in response to trigger events (especially in
relation to entity-level risk assessments, and this is further explained
below). In addition to such updates, there are opportunities to leverage
available information and data to move towards more dynamic and timely
assessment of risks (see section 4.1).
Supervisors should ensure that their ML/TF risk assessments remain up to date
and relevant, by doing the following:
· Setting out the frequency of, and triggers for, updates to sectoral and entity risk assessments under the supervisory risk assessment methodology.
· Identifying and assessing emerging risks and trends within their supervised population and revising the risk assessment on an ongoing basis, so that the assessment is performed against a backdrop of law enforcement agencies’ observations on emerging ML/TF threats and typologies, and considering how these factors affect the risks of the sector or entity being supervised. See examples 7.1.4 and 7.5.4.
· Maintaining regular dialogue and information sharing with the public and private sector to understand the latest trends and risks (see sections 3.9 and 4.2 for further information).
C. RISK-BASED APPROACH TO SUPERVISION
The risk-based approach to supervision enables supervisory authorities to
allocate their resources and attention based on identified risks. Supervisory
authorities should develop and implement supervisory strategies that are
risk-based and graduated using the information obtained as part of the risk
assessment process. The strategy should provide a clear nexus between the ML/TF
risks (the risks specific to the jurisdiction or sector) and indicate how the
proposed strategy and the use of supervisory tools (covered in Annex A of this
Guidance) addresses these risks. A risk-based supervisory strategy ensures the
risks determine the nature, frequency, intensity, and focus of supervision,
setting expectations for engagement with entities across the risk spectrum
including higher risk and lower risk entities.
Supervisory Strategy
A supervisory strategy sets clear objectives for AML/CFT supervision, explains how supervisors will address the ML/TF risks they have identified across their sector(s) and how they will respond to emerging risks. The strategy should not only focus on the highest risk entities or sectors, but should also set out adequate supervisory coverage (including monitoring where relevant) of all entities or sectors, including those associated with lower ML/TF risks. The supervisory strategy sets out the approach the supervisor will take in applying its tools to address the risks identified. The strategy and the output of the risk assessment are used to plan supervisory activity (commonly including 12 or 24 month supervision or inspection plans). In some cases, supervisors may include inspection plans in their strategy, however a supervision strategy should set out how the supervisor will address each category of risk, including how other non-inspection supervisory tools will be employed to address risks. Importantly, the strategy should also address the information, support and guidance the supervisor plans to provide regulated entities to address identified risks. The supervisory strategy is developed in line with the supervisory risk assessment and should be revised as needed.
Where relevant, supervisors should refer to the relevant supervisory principles when
choosing appropriate types of supervisory interventions, including the Basel
Committee on Banking Supervision’s Core Principles for Effective Banking Supervision.
In developing an AML/CFT supervisory strategy, supervisory authorities should
ensure that there is an understanding of broader supervisory considerations.
For example, authorities should share information and communicate with
prudential or other relevant supervisors regularly to ensure that any areas of
concern are raised and incorporated into the supervisory plan (as required) and
that there is a shared awareness of the respective supervisory programs
(planned inspections, desk based reviews, etc.).
Addressing the Risks Identified by the Supervisory Strategies
Supervisory strategies should include an approach for the application of the
supervisory tools on a graduated basis across the spectrum of supervised
entities/sectors, with the nature, frequency, intensity and focus being
determined in accordance with the level of ML/TF risk (see Sections 3.3, 3.4
and Annex A. Overview of supervisory tools).
The supervisory strategy should articulate the rationale for the approaches to
the application of each of the specific supervisory tools in accordance with
the ML/TF risk ratings assigned to the sector or specific entity (i.e., details
of the purpose of the tools in terms of the outcome to be achieved and also the
reasons for the regularity of their application). As the FATF standards focus
on outcomes rather than process, it is important for supervisors to consider
whether their activities contribute to supervisory outcomes (i.e. AML/CFT risk
identification / risk mitigation) rather than just the form or quantity of those
interventions.
The application of these tools should be determined by the supervisors’
understanding of the level and nature of ML/TF risk at both the sectoral and
entity-levels. Supervisors should consider developing additional
tailored/bespoke strategies for engaging with entities presenting the highest
ML/TF risk within the supervisory population, which may be above the level of
activity defined for other entities in the cohort. Strategies should be
tailored to target risks specific to the jurisdiction or sector that includes
not only identifying and targeting entities more exposed to these risks but
also the potential for carrying out thematic supervisory reviews across a
selection of entities in response to any risk-trigger events, or identified
priority ML/TF risk areas (see Box 3.1).
Supervisors should actively consider how to improve or augment the fixed cycle
based approaches with more timely interventions to address significant changes
or escalation of risks levels of regulated entities. Given the fast-evolving
nature of ML/TF risks, supervisors should recognise the limitations of relying
solely on cycle based supervisory inspections where the length of the cycle is
determined periodically (e.g. annually) using a point-in-time assessment of
entity risk levels (see section 2.4 on keeping an up-to-date understanding of
risks).
The use of thematic assessments to address risks across a range of entities
Supervisors are increasingly focused on addressing priority ML/TF risks using thematic inspections and supervisory engagements. These can be conducted on-site, off-site, or a combination of both, and serve to facilitate a holistic assessment of the industry’s awareness and mitigation of risks identified from the national (and sectoral) risk assessments. In this regard, a thematic inspection or supervisory engagement typically prioritises entities that supervisors have assessed to have heightened exposure to the planned thematic risk focus area based on their entity-level risk assessments and ongoing monitoring, and could include entities that might otherwise have a lower overall ML/TF risk profile. Through these thematic-focused supervisory efforts, supervisors are able to raise awareness among supervised entities of the ML/TF risks that are most pertinent to the financial system, so that they can focus minds on effectively mitigating these risks. For instance, based on the Monetary Authority of Singapore’s (MAS) supervisory observations and information obtained through its national risk assessment and co-ordination mechanisms, MAS has in recent years identified and conducted targeted thematic inspections on FIs’ effectiveness in areas such as combating proliferation financing, transaction monitoring, and detecting the abuse of legal persons. These inspections have offered good opportunities for deeper dialogue with financial institutions on the priority risk areas to generate deeper risk understanding and identify consequential enhancements to strengthen risk mitigation efforts. To ensure that the broader industry is also kept apprised of these risks, MAS has published guidance papers on its findings and the good practices observed from these thematic inspections.
Source: MAS, Singapore
Ways in which the Supervisors adjust their approach to vary the nature, frequency, intensity and focus of supervision
Supervisors should keep in mind the following four principles in deciding the tools to adopt for supervision. The first three principles should guide supervisors in the selection of tools to use based on their risk assessment of the regulated entity, as well as how the various tools interact with each other. The fourth principle is important given the fast-changing risk environment and need for supervisors to identify key risk areas and to adapt their supervisory approach/plan to target those risks.
1. Outcome-focused: Supervisors should be clear about the intended objective of supervision for the sector and for individual entities. These objectives help inform the supervisor’s approach in selecting the tools to adopt.
2. Risk appropriateness: The type and intensity of tools applied to an entity should be aligned with the supervisor’s understanding of the nature and level of risks of the entity as well as the supervisory strategy in place.
3. Efficiency: In selecting the most suitable tool, supervisors should consider the type of resources that are available. Supervisors should ensure that the tool chosen is the most efficient means of achieving the supervisor’s objective.
4. Dynamism and responsiveness: Supervisors should be prepared to respond to identified emerging risks in a timely and agile manner, amending their supervisory strategy and plans to address such risks.
Examples of ways in which supervisors can adjust their approach based on
identified risks include:
· Adjusting the supervisory approach, for example, by adjusting the ratio between off‐site and on‐site supervision.
· Adjusting the focus of supervision, for example by focusing on the management of higher risks associated with particular products or services, or on specific aspects of the AML/CFT processes such as customer identification, risk assessment, ongoing monitoring and reporting activities. It could include adjusting the range of interviews, and the premises to be visited (i.e. headquarters vs branches).
· Adjusting the frequency and duration of supervisory engagement.
· Adjusting the intensity and level of supervisory scrutiny, for example by determining, according to risk, the scope, coverage and depth of transaction testing.
· Adjusting the resources to ensure the needed experience and skillsets are allocated to assess the identified risk.
Supervisors are using increasingly diverse supervisory tools. As each
supervisory tool has a different and specific objective, supervisors could
consider adopting one or more or combinations of these tools, and to calibrate
their supervisory approaches to their objective and risks of the entities.
For example, thematic inspections could be carried out to better address material risk concerns that are assessed to be of a systemic nature. For entity-specific risk concerns, supervisors may initiate a targeted inspection on that entity or employ appropriate monitoring tools, depending on the assessed risk impact. The maturity of the AML/CFT regulatory and supervisory framework should also be factored in when considering the most appropriate model to implement. For example, supervisors may need to balance resources dedicated to training/awareness raising, inspections and setting expectations when implementing a newly established regulatory framework. Consideration of such a balance is also necessary when a supervisor is newly designated as the AML/CFT supervisor of a sector and decisions are required regarding dedicating resources to cover a larger percentage of entities in shorter/targeted inspections rather than carrying out full scope AML/CFT inspections. See example 13 in the FATF Guidance on Effective Supervision and Enforcement which describes Canada’s compliance continuum and the application of a range of “low intensity, high coverage” activities to “high intensity, low coverage” activities.
The most intensive supervisory tools are those that comprehensively test the
AML/CFT controls that the supervised entity has in place. Entities associated
with higher ML/TF risks should be subject to more frequent and more intense
scrutiny than entities associated with lower levels of ML/TF risk. For example,
in the US, many of the largest financial institutions have resident inspection
staff that conduct continuous AML inspections (referred to as examinations in
the US) of the various components of the large financial institution. The discussion below sets out how supervisors should take into account ML/TF risk when
developing inspection plans. See examples 7.1.6 and 7.1.2 for how inspections
are planned on a risk-sensitive basis.
Planning inspections and associated resources in line with the supervisory strategy
An important part of implementing the supervisory strategy when it comes to inspections is developing an inspection plan. Inspection plans should list:
· The entities that will be subject to planned AML/CFT inspections or reviews during a specified period (i.e., inspections to be conducted over one year or a number of years, which may also include follow-up on previous inspections)
· The type and scope of those inspections or reviews, taking into account the level of risk associated with each entity
· Where relevant, the focus of each inspection or review, taking into account specific risks that have been identified or specific objectives that have been agreed (e.g. fact-finding to inform an ongoing risk assessment), and
· The supervisory resources required for each inspection or review, as well as a timeline for each inspection or review.
Inspection plans should:
· Include the approach to be taken on entities with different levels of risk exposure, in line with the supervisory strategy
· Leave sufficient flexibility to accommodate or address unplanned inspections triggered by risk events or new information that could not have been foreseen when the plan was agreed
· Be adequately documented and amended where the risk exposure of an entity included in the plan has changed or if a new risk is identified in the course of on‐site or off‐site supervision, and
· Be governed by an internal policy that sets out at what level the plan should be agreed/approved within the supervisory unit, how progress against the plan can be reviewed, the approval process for changes to the plan, and the extent to which an overview of the plan can be published (e.g. number of inspections per risk rating).
Source: Adapted from guidance from the European Banking Authority & IMF
Combining off-site and on-site tools to strengthen the RBA to supervision
As set out above, there is a range of supervisory tools that supervisors can
use individually or in combination to achieve the intended supervisory
outcomes. These tools when used in combination could have mutually reinforcing
effects in strengthening supervisory effectiveness.
Off-site monitoring helps keep supervisors up-to-date on the ML/TF risk landscape, inherent risk profiles of regulated entities, and potential control weaknesses in these entities. The insights gained from performing off-site monitoring would thus guide the approach and focus of supervisors’ on-site reviews. For example, the results of preliminary evaluations can be used to tailor the nature, frequency, intensity and focus of supervision, as well as guide the supervisory authority to how to pivot attention to higher-risk areas. Effective off-site monitoring entails collecting and analysing data and information to enable ongoing monitoring of an entire sector, instead of a snapshot of one or several entities. As an example, risk surveillance (a supervisor’s monitoring of relevant data and information including STR/CTR information where available) could help detect emerging risk areas in the sector being supervised, as well as indications of significant AML/CFT control issues in regulated entities.
Where off-site monitoring activities point to material risk concerns in a regulated entity, it might warrant supervisors adjusting existing on-site inspection plans in order to trigger an immediate for-cause inspection on the entity. Consistent with a risk-based approach, such for-cause inspections should take precedence over any routine inspections, given that a material risk trigger event has materialised.
In general, on-site inspections offer supervisors an opportunity to conduct a
more thorough review of the entities’ controls through the performance of
sampling tests and complement off-site work. Similarly, it also helps validate
the risk profile of the entity so that it can be adjusted as needed. Relatedly,
there can also be an off-site process (pre-engagement) where the regulated
entities’ risk assessment is revalidated prior to an on-site inspection. The
interactions with entities’ board, management and staff during the inspection
process would help inform supervisors’ assessments of the entities’ risk
culture.
Some or all elements of supervisory inspections, including sample testing, may also be carried out very effectively off-site, by obtaining the information from the entity and applying SupTech tools. Where live testing is not possible off-site, the prior standard sample testing can augment additional, more targeted live testing during the on-site inspection – e.g. when carrying out a walkthrough of a CDD system, select customers (random selection, selection based on level of risk, etc.) and, in a “live” assessment, request a member of the entity’s staff to produce the customer risk assessment, CDD documentation, etc.
As their access to and use of technology improves, supervisors may be able to perform a significant amount of their activity off-site (see section 4.1). As regulated entities transform their business and AML/CFT compliance functions with technology, the boundaries between off-site and on-site interventions are increasingly blurred, as their data is kept electronically and supervisory technology is necessary to perform effective supervision. As off-site monitoring capabilities mature, there may be supplementary or alternative approaches that enable supervisors to more effectively identify, monitor and target risks. Where appropriate, supervisors should assess and consider adapting their supervisory frameworks, taking into account the pros and cons of the various approaches.
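The following is an added example, not tooling from FATF or from any supervisory authority, that models the two mechanisms described above in code: a routine inspection plan driven by entity risk ratings, and off-site surveillance signals that raise an entity’s rating, trigger a for-cause inspection that takes precedence over routine work, and leave a documented amendment to the plan. The cycle lengths, signal thresholds, entity names and signals are all constructed assumptions for illustration.

```python
"""Risk-based inspection planning with off-site surveillance triggers.

Added illustration, not FATF or supervisor code. Routine cycles and signal
thresholds below are assumptions chosen for the example.
"""
from dataclasses import dataclass, field

RATING_ORDER = {"high": 0, "medium": 1, "low": 2}
# Assumed routine inspection cycle per rating, in months. Lower risk entities
# are not placed on a fixed cycle (None) but remain reachable via triggers.
CYCLE_MONTHS = {"high": 12, "medium": 36, "low": None}


@dataclass
class Entity:
    name: str
    sector: str
    rating: str               # "high" | "medium" | "low"
    months_since_visit: int


@dataclass
class Inspection:
    entity: str
    kind: str                 # "for-cause" or "routine"
    reason: str


@dataclass
class Plan:
    queue: list = field(default_factory=list)
    amendments: list = field(default_factory=list)   # documented plan changes


def routine_due(e: Entity) -> bool:
    cycle = CYCLE_MONTHS[e.rating]
    return cycle is not None and e.months_since_visit >= cycle


def build_plan(entities) -> Plan:
    """Routine plan: entities whose cycle has elapsed, highest risk first."""
    plan = Plan()
    due = sorted((e for e in entities if routine_due(e)),
                 key=lambda e: (RATING_ORDER[e.rating], -e.months_since_visit))
    for e in due:
        plan.queue.append(Inspection(
            e.name, "routine",
            f"{e.rating} risk, {e.months_since_visit} months since last visit"))
    return plan


def evaluate_signal(signal: dict):
    """Return a trigger reason if an off-site signal is material, else None.
    Thresholds are constructed for the example."""
    if signal.get("str_drop_pct", 0) >= 50:
        return f"STR volume fell {signal['str_drop_pct']}% with no change in business"
    if signal.get("adverse_media"):
        return "adverse media alleging control failures"
    if signal.get("unanswered_requests", 0) >= 2:
        return f"{signal['unanswered_requests']} information requests unanswered"
    return None


def apply_offsite_signals(plan: Plan, entities, signals: dict) -> Plan:
    """Material signals raise the rating, replace any routine entry with a
    for-cause inspection, and record the amendment."""
    by_name = {e.name: e for e in entities}
    for name, signal in signals.items():
        reason = evaluate_signal(signal)
        if reason is None:
            continue
        e = by_name[name]
        old = e.rating
        e.rating = "high"
        plan.queue = [i for i in plan.queue if i.entity != name]
        plan.queue.append(Inspection(name, "for-cause", reason))
        plan.amendments.append(f"{name}: rating {old}->{e.rating}; for-cause inspection added ({reason})")
    return prioritise(plan, entities)


def prioritise(plan: Plan, entities) -> Plan:
    """For-cause inspections first, then by risk rating (stable sort keeps order)."""
    rating = {e.name: RATING_ORDER[e.rating] for e in entities}
    plan.queue.sort(key=lambda i: (i.kind != "for-cause", rating[i.entity]))
    return plan


def sample_entities():
    """Constructed supervised population; names are not real institutions."""
    return [Entity("Bank A", "banks", "high", 14),
            Entity("Bank B", "banks", "medium", 40),
            Entity("MVTS C", "mvts", "low", 60),
            Entity("Bank D", "banks", "high", 3)]


def sample_signals():
    """Constructed off-site observations keyed by entity name."""
    return {"MVTS C": {"str_drop_pct": 70},
            "Bank D": {"unanswered_requests": 1}}


if __name__ == "__main__":
    ents = sample_entities()
    plan = apply_offsite_signals(build_plan(ents), ents, sample_signals())
    for i in plan.queue:
        print(f"{i.kind:9} {i.entity:8} {i.reason}")
    print("Amendments:", *plan.amendments, sep="\n  ")
```

The low-rated MVTS entity has no fixed cycle and would never appear in the routine plan, but the off-site signal puts it at the head of the queue ahead of the routine high-risk visit, while the sub-threshold signal for Bank D is left for continued monitoring.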
Treatment of lower risk sectors and entities by the supervisors
While most supervisory resources should be dedicated to the higher ML/TF risk areas, supervisory strategies should also set out the supervisory approach for areas of lower ML/TF risk. Within a risk-based supervision framework, it is expected that there will be areas and segments of regulated entities that are assessed to be of lower ML/TF risk. As set out above in this Guidance, the sound assessment of risks at a sectoral or sub-sectoral level does not necessarily require an assessment of each entity in the sector (see section 2.1.1). Risk analysis can be undertaken with varying degrees of detail, depending on the type of risk and the purpose of the risk assessment, as well as on the information, data and resources available (for example, keeping in mind the nature, scale and complexity of the relevant entities/sectors).
It should be clear that lower risk entities are still subject to supervisory attention commensurate with the level and nature of risk they present. The latter may entail the application of the supervisory tools through a combination of less frequent supervisory cycles, sample testing and/or reactive interventions. Supervisory authorities are not expected to cover all lower ML/TF risk entities under a fixed inspection cycle over time, particularly where there are large populations of lower ML/TF risk entities.
Monitoring of lower-risk entities may allow for limited application of on-site
tools. For example, one possible supervisory approach for lower risk entities
is to centre it on the detection of any material risk events or escalations in
risk profiles among the lower risk entities, so that supervisors can intervene
effectively to mitigate risks. In such scenarios, the nature of the
materialised risks and desired supervisory outcomes should guide the
application of an appropriate set of tools (either onsite, offsite or a
combination). See section 3.4 for further information.
Supervisory authorities should regularly test their understanding and
assumptions of the level of ML/TF risk and the adequacy of controls in the
entity/sector (see section 2.4). Supervisors should also have the capacity to
carry out supervisory activities on a responsive or reactive basis, where
intelligence has been received that would merit supervisory intervention (e.g.,
intelligence from returns or questionnaires, from other supervisors, from media
reports or whistle-blowers, or from law enforcement or the FIU/STRs).
Supervisors should also ensure that education and outreach extends to lower risk sectors to enable them to implement risk-based, proportionate measures and to help identify and report any ML/TF risks that may arise. With reference to national financial inclusion objectives, supervisors can also play a role in:
a) Reducing requirements on lower risk entities that do not mitigate risk sufficiently to justify the effort they consume;
b) Reassuring other regulated entities that provide financial services to lower risk entities that those lower risk entities are adequately supervised.
Supervising lower risk sectors and entities and supporting financial inclusion
An important consideration in risk-based supervision is the risk-proportionate distribution of resources across the different risk areas and sectors. In particular, there may be lower-risk sectors at the national level, lower-risk segments in a certain sector, or lower-risk institutions in a sector. Furthermore, within a reporting institution, there may be lower-risk products, services, delivery channels, clients or geographic areas. However, lower risk does not mean no risk, and supervisors should ensure that they can effectively detect any new significant risk concerns within the lower risk sectors and entities. While supervisors may devote fewer resources to lower risk areas, they should still devote sufficient resources to verifying and monitoring risk understanding of those areas while also allowing greater supervisory resource allocation to higher risk sectors. The regulatory requirements should also be commensurate with the level and nature of risk present in sectors and entities.
Recommendation 1 and INR 1 allow jurisdictions to exempt particular types of
regulated entities from compliance with some of the FATF Recommendations if
there is a proven low risk and the exemption occurs in strictly limited and
justified circumstances. Further, in a risk-based AML/CFT regime, the CDD,
internal controls, compliance function, ongoing monitoring, STR and other
reporting requirements should also correspond to the risk-level of the sector
and the institutions. Risk-based supervision of lower risk sectors is also
important from a financial inclusion perspective. Disproportionate legal or
regulatory obligations, supervisory expectations and lack of guidance from
supervisors may result in the application of unnecessarily prohibitive CDD and
other AML/CFT controls in lower risk sectors, increasing the cost of products
and services, and eventually undermining financial inclusion objectives. From a
holistic perspective, excessive AML/CFT obligations may increase overall ML/TF
risks by:
· Driving potential users to the unregulated sector as a result of their failure to gain access to available financial services, or
· Increasing the costs of compliance such that it becomes unprofitable to provide products and services to people or entities that do not generate substantial income (such as Non Profit Organisations (NPOs) (see section 10.1)) and shifting these transactions to less transparent channels.
In the US, banking supervisors have reiterated the risk-based approach with respect to NPOs, reminding banks that offer financial services to this sector that they should not view the charitable sector as a whole as presenting a uniform or unacceptably high ML/TF risk. Banking supervisors provided non-binding guidance on factors to consider in identifying the AML/CFT risk profile of NPOs.
The role of supervisors in identifying de-risking or in encouraging
financial inclusive practices
While a risk-based approach requires supervisors to focus their attention on higher risk areas, lower risk areas still require attention, particularly if financial exclusion is a concern. Financial exclusion of customers holds serious ML/FT risks, as customers may turn to the unregulated cash economy or access services from providers who may not have robust risk control measures. Where supervisors identify that an institution is involved in large-scale and indiscriminate account closure or denial of services, or does not implement simplified due diligence measures where risks are generally assessed as lower, supervisors should engage the institution to understand the reasons for its decisions. As set out in the FATF Guidance on Money Value Transfer Services (2016), while the decision to introduce simplified due diligence measures or to accept or maintain a business relationship is ultimately a commercial one for the entity, supervisors need to scrutinise these decisions to understand whether they may indicate a need for supervisory clarifications or reforms, whether they indicate an area of changing risks, or some other dynamic such as profit concerns. Where decisions to restrict or terminate relationships with customers are due to a lack of understanding of the flexibility of the risk-based approach, supervisors will be able to provide appropriate guidance as to what the RBA entails. Entities may be engaging in indiscriminate denials of service to entire classes of customer, without taking into account, seriously and comprehensively, the level of risk and risk mitigation measures for individual customers within a particular sector. This is contrary to the advice given by FATF.
Developing a more robust risk-based approach by supervisors over time
Supervisors should ensure that their supervisory strategies are kept under regular review. In implementing the strategy, supervisors will develop a better understanding of the quality of the supervised entities’ AML/CFT controls and the ML/TF risk profiles of the business models, as well as the effectiveness of various supervisory tools. This knowledge should be utilised to enhance the overall ML/TF risk understanding at both the sectoral and the individual entity levels, along with consideration of any new/emerging ML/TF risks. Building and maintaining institutional memory is key to achieving this.
Further, supervisory authorities should use the experience garnered from
carrying out supervisory tasks to enhance the effectiveness of their
supervisory strategies and to continuously refine and enhance these methods. In
addition, on an ongoing basis, the risk assessment (along with supervisory
planning process) should not be conducted in isolation, but in close
co-ordination with prudential supervision and other relevant departments (or
other supervisors). Any changes to the ML/TF risk understanding and/or
proposals for refinement or enhancement of the mix of supervisory tools to be
applied should be considered in the context of the review of the overall
strategy with the aim of continuing to improve and strengthen the supervisory
approach to ensure it remains effective.
Supervisors should implement mechanisms to ensure sound and consistent
supervisory assessments and independence regarding decision-making in AML/CFT
risk-based supervision. For example, when determining a risk rating for a
sector and for individual entities the decision should be supported by a
documented outline of the assessment (including findings from onsite and
offsite activities etc.) and the rationale to explain the proposed risk rating.
Supervisors, particularly supervisors with larger, more complex supervisory
populations, may apply additional measures to ensure consistency. For example,
assigned risk ratings could be subject to peer review/challenge by other staff
members within the AML/CFT supervisory unit who were not involved in the
assessment.26 Other examples of methods to further enhance the integrity of the
assessment (at both the sectoral and entity level), could include a supervisory
panel to provide independent judgement and to promote consistency. Such panels
could comprise management members/representatives/specialised staff from the supervisory
body who are not involved in the direct supervision of the entity/sector.
Supervisors responsible for direct supervision of entities could present their
findings and recommendations to the supervisory panel for a “horizontal” review
to ensure consistency of supervisory judgement. The supervisory panel would
over time develop a sense of how AML/CFT supervisory issues are dealt with in a
range of contexts and will be able to usefully transmit this to supervisors/
teams whose perspective is inevitably narrower based on the entities they
directly supervise.
Adequate training is required to support an effective AML/CFT risk-based supervisory framework. Training is required at all levels, from front-line supervisors to managers and board members. The training should cover issues such as how to interact with entities and risk-based decision making. The visible and active engagement of senior staff in training sends a strong signal about their commitment to the process.
In some circumstances, the transition from a rules-based to a risk-based approach takes time. It can require a change in the supervisory culture and the management of supervisory bodies need to articulate their risk tolerance. There also needs to be recognition that AML/CFT related weaknesses in areas of lower ML/TF risk may go undetected by supervisors in the application of risk-based supervision and responses to these will be governed largely by whether they are within or outside the range of acceptable outcomes implied by the risk tolerance.
Supervisors of different sectors and supervisors in different jurisdictions should encourage collegiality and share best practices, for example, by facilitating “best practice” visits, especially so that authorities with less mature frameworks can learn from more established/effective AML/CFT supervisors. In addition, more established supervisors should share good practices and facilitate “best practice” inspections. For examples of co-operation between supervisors, see Section 7.5.
Remedial Actions and Available Sanctions in RBA to Supervision
R.35 requires jurisdictions to have a range of effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, available to deal with natural or legal persons that fail to comply with AML/CFT requirements. The FATF Guidance on Effective Supervision and Enforcement is a comprehensive guide on remedial actions and sanctions. This section focuses on the links between taking a risk-based approach to supervision and applying remedial actions and sanctions.
Supervisory authorities should have access to
a range of remedial actions and sanctions that can be applied based on the
level and nature of identified deficiencies or gaps in the regulated entity’s
AML/CFT controls and risk management system. This range could include warnings,
action letters, orders, agreements, administrative sanctions, penalties and
fines and other restrictions and conditions on an entity’s activities that may be
progressive in severity, requiring entities to remedy AML/CFT deficiencies and
any breach of AML/CFT obligations or failure to mitigate risks in a timely
manner.
In assessing the appropriate remedial actions or sanctions to apply in a risk-based supervision approach, supervisors should consider the following:
· The nature of findings – deficiencies in relation to higher risk areas, including those identified in a national, sectoral or supervisory risk assessment, could be prioritised for remedial action or sanctions as appropriate
· The impact or harm of the identified deficiency or gap in terms of the ML/TF risk exposure of the entity, the sector and the public (e.g., whether it is a systemic breakdown, an isolated incident or other egregious activity, such as failing to report large volumes of suspicious activity or other required reports), and the length of time the identified deficiency or gap in the regulated entity’s risk management system remained outstanding or uncorrected. Supervisors may consider the scope of the deficiency in terms of the probability of the risks materialising given the entity’s size, nature, geographic reach and volume of business conducted.
· Using the power to withdraw, restrict or suspend the entity’s license (or equivalent for those registered), where applicable, for example, in situations where the entity has been determined by legal process to have engaged in criminal activity related to ML or TF, a severe and systematic violation of AML/CFT measures, or similarly applicable sanctions or prohibition of directors and senior managers.
· Publishing the results of the supervisory actions and providing information on the relevant entities’ deficiencies to help address risks across the sector as other entities take note of the consequences of similar failings.
Based on these considerations, effective application of remedial actions and sanctions should seek not only to discourage past inappropriate actions and correct weaknesses in processes, procedures and systems or controls within regulated entities, but also to promote changes in behaviour to foster a corporate culture of compliance that covers the board, senior management, compliance teams and all other relevant staff of the relevant entity. To this end, supervisors should be able to apply remedial actions and sanctions proportionately to greater or lesser breaches of supervisory requirements against the board of directors and management, controlling owners and other employees of regulated entities, depending on their level of responsibility in committing the breach, especially in the case of intentional or serious breaches. Supervisors should also ensure that the compliance departments of regulated entities have sufficient stature, independence, staffing and resources commensurate with the risk profile of the entity. The confidence that a supervisor has in the demonstrated intent, commitment and capability of an institution to satisfactorily remedy identified deficiencies may influence the supervisor’s selection of formal or informal remediation tools or techniques. For example, if supervisors identify a large control deficiency, yet believe the institution has a satisfactory culture of compliance and a high capability of remediating the issue, the supervisors may opt to take a lighter approach in remediation techniques.
Supervisors should also consider transparency, consistency and proportionality
in applying remedial actions or sanctions while taking into account the
specifics of the particular entity, the nature and significance of the risk
mitigation failures and the identified deficiency or gap. Consideration should
be given to establishing policies/guidelines for determining which remedial
action and/or sanctions are most appropriate to be applied in particular
circumstances, and methodologies for calculating/determining the amount of fines,
severity of orders and administrative sanctions that are dissuasive and
proportionate to the size of the regulated entity as well as the seriousness of
the failure. Such transparent and consistent application could improve
effective implementation of AML/CFT measures among regulated entities.
On the other hand, supervisors should avoid taking a “zero tolerance” or “zero
failure” approach, or applying mandatory sanctions on entities where the risk
impact is not material, or where the deficiencies are less relevant from a risk
mitigation perspective as this could give regulated entities the wrong message
and create an incentive for entities to return to a rules-based approach. While
sanctions may in some cases be appropriate for non-compliance in areas of lower
risk (for example, to address repeated, knowing or wilful non-compliance with
AML/CFT requirements), supervisors should consider the totality of the entity’s
mitigation efforts and use the flexibility of the risk-based approach to
supervision to avoid sanctioning entities for focusing their efforts on areas
of higher risk.
Measuring the effectiveness of their RBA to Supervision
Supervisors should also properly record, monitor, and analyse their own
supervision activities and outputs. Supervisors, when developing their supervision
models, should ensure that they have a repository for recording supervisory
engagements (ideally in digital form) with each entity including details of the
issues identified, relevant action plans and the risk assessment for each
entity. The supervisor should be able to extract data and management
information (MI) in order to measure performance against key risk indicators
and on issues identified and risk profiles of each individual entity and
sector, and feed these in aggregate form back into the NRA process.
Supervisors are encouraged to use data to determine and demonstrate the impact of their supervision. For example, a system for recording supervisory engagements can enable the extraction of data to illustrate how supervision has impacted risk management and compliance, both at the firm and sectoral level. Data can help to identify changing patterns in terms of the number and degree of seriousness of issues identified over time and fluctuations in ratings of the effectiveness of the controls. This includes the analysis of changes in the quality of risk management and in the risk profile of individual institutions, as well as overall trends in the sector, including de-risking and financial exclusion concerns.
This information should also be used to better target the application of supervisory resources and supervisory tools and to inform the approach to outreach initiatives. For example, analysis of the supervision data may indicate increasing problems resulting from potential deficiencies in the transaction monitoring capabilities of the regulated entities, leading the supervisor to issue new guidance or requirements to address this developing trend. On the other hand, data can also indicate whether supervisory efforts are succeeding in terms of their impact on the improvement of AML/CFT measures in an entity or across a sector, whereby findings identified during inspections move over time from significant gaps to findings of a less serious nature that are more in the space of refinements or enhancements. Improvements in the quality of risk assessments undertaken by entities may be another measure of effectiveness.
Another measure which can assist supervisors in determining the impact of their
supervision on entities’ risk management effectiveness is to consider the key
outputs from AML/CFT frameworks, e.g., the quality of suspicious transaction
reports. Supervisors should seek feedback from FIUs as to the number, quality
and timeliness of reports they have received from sectors and entities, as
improvements in this area can also be an indicator of the successful results of
supervisory activities. Some of the relevant factors supervisors could consider
include:
· The number of ML/TF offences
committed using the sector's infrastructure and any relevant changes in trends
· Changes in the number and quality
of STRs submitted by entities in the sector and the timeliness of this
reporting
· The number of breaches or
deficiencies, including repeated failings, committed by entities and the
severity of these deficiencies,
· Complaints received from
stakeholders, and
· Evidence of entities going beyond
a tick-box approach and demonstrating a commitment to risk-based AML/CFT
objectives, including proportionate responses across the spectrum of risk
(including higher and lower risk areas).
The measurement of the results of supervisory measures and feedback on the key outputs of AML/CFT frameworks can help safeguard against confirmation bias. When this feedback does not align with supervisors’ understanding of risks, this should prompt supervisors to reconsider their assumptions. Supervisors should apply measures to revisit their risk models or risk assessments based on engagement with law enforcement agencies, the FIU and international partners, ad hoc or sample testing, whistle-blower reports or adverse media reporting.
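As an added illustration of the management information described in this section (not code from FATF or from any supervisor’s system), the following computes, from a constructed repository of inspection findings and constructed FIU feedback, the indicators the text lists: how the severity mix of findings shifts over time per sector, which entities show repeated failings, how STR quality feedback moves by sector, and, as the confirmation-bias safeguard, which sectors show inspection findings and FIU output quality moving in opposite directions. All records, sector names, finding codes and severity labels are assumptions made for the example.

```python
"""Management information from a supervisory engagement repository.

Added example, not part of the FATF guidance. All records below are
constructed; institutions and finding codes are not real.
"""
from collections import Counter, defaultdict

SEVERITY = ("significant", "moderate", "refinement")

# Constructed inspection findings: (year, sector, entity, finding_code, severity)
FINDINGS = [
    (2021, "banks", "Bank A", "TM-coverage", "significant"),
    (2021, "banks", "Bank A", "CDD-refresh", "significant"),
    (2021, "banks", "Bank B", "TM-coverage", "moderate"),
    (2021, "mvts", "Remit X", "CDD-refresh", "significant"),
    (2022, "banks", "Bank A", "TM-coverage", "moderate"),
    (2022, "banks", "Bank B", "Training", "refinement"),
    (2022, "mvts", "Remit X", "CDD-refresh", "significant"),
    (2023, "banks", "Bank A", "Training", "refinement"),
    (2023, "banks", "Bank B", "Training", "refinement"),
    (2023, "mvts", "Remit X", "CDD-refresh", "moderate"),
]

# Constructed FIU feedback: (year, sector, str_count, share_rated_useful)
FIU_FEEDBACK = [
    (2021, "banks", 400, 0.35), (2022, "banks", 460, 0.48), (2023, "banks", 470, 0.61),
    (2021, "mvts", 120, 0.20), (2022, "mvts", 90, 0.22), (2023, "mvts", 95, 0.18),
]


def severity_mix(findings, sector=None):
    """Share of findings per severity for each year -> {year: {severity: share}}."""
    by_year = defaultdict(Counter)
    for year, sec, _, _, sev in findings:
        if sector is None or sec == sector:
            by_year[year][sev] += 1
    out = {}
    for year, c in sorted(by_year.items()):
        total = sum(c.values())
        out[year] = {s: round(c[s] / total, 2) for s in SEVERITY}
    return out


def significant_share_trend(findings, sector=None):
    """[(year, share of findings rated significant)] in year order."""
    mix = severity_mix(findings, sector)
    return [(y, mix[y]["significant"]) for y in sorted(mix)]


def repeat_findings(findings, min_years=2):
    """Entities where the same finding code recurs across years (repeated failings)."""
    seen = defaultdict(set)
    for year, _, entity, code, _ in findings:
        seen[(entity, code)].add(year)
    return sorted((e, c, sorted(ys)) for (e, c), ys in seen.items() if len(ys) >= min_years)


def fiu_quality_trend(feedback, sector):
    """[(year, str_count, share_rated_useful)] for one sector in year order."""
    return sorted((y, n, q) for y, s, n, q in feedback if s == sector)


def divergence_flags(findings, feedback):
    """Sectors where inspection findings improved but FIU-rated STR quality did
    not (or vice versa): a prompt to revisit the risk model, not to assume success."""
    flags = []
    for sector in sorted({f[1] for f in findings}):
        trend = significant_share_trend(findings, sector)
        quality = fiu_quality_trend(feedback, sector)
        if len(trend) < 2 or len(quality) < 2:
            continue
        findings_improved = trend[-1][1] < trend[0][1]
        quality_improved = quality[-1][2] > quality[0][2]
        if findings_improved != quality_improved:
            flags.append(sector)
    return flags


if __name__ == "__main__":
    for sector in ("banks", "mvts"):
        print(sector, "significant share by year:", significant_share_trend(FINDINGS, sector))
        print(sector, "FIU feedback:", fiu_quality_trend(FIU_FEEDBACK, sector))
    print("repeated failings:", repeat_findings(FINDINGS))
    print("sectors to revisit:", divergence_flags(FINDINGS, FIU_FEEDBACK))
```

In the constructed data the MVTS sector’s findings move from significant to moderate while the FIU rates its STRs as less useful, so the sector is flagged for a second look rather than being recorded as a supervisory success.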
There should be mechanisms in place to promote accountability and transparency regarding the effectiveness of the supervisor’s risk-based approach. This should include at least one of the following:
(i) Oversight by the supervisor’s management board;
(ii) Oversight by the supervisor of SRBs (in a decentralised model);
(iii) Review by a State Audit Office or similar governmental body; and
(iv) As appropriate, publication of information relating to the supervisory strategy and inspection plans and results of supervisory engagements.
For example, without impinging on the operational independence of the supervisor:
· The supervisor’s board, State
Audit Office or national co-ordination authority could set key performance
indicators against which they periodically assess effectiveness of the
supervisor
· Industry surveys could be used to
periodically assess performance of the supervisor, and/or
· Supervisors and the FIU could
periodically report on the number and quality of reports by sector, since this
is often considered to be a good measure of the level of effective
implementation of preventive measures by supervised entities.
Example: UK’s Office for Professional Body Anti-Money Laundering Supervision (OPBAS) measures to test the effectiveness of DNFBP supervisors’ risk-based approach
OPBAS supervises Self-Regulating Bodies (SRBs) that are designated DNFBP supervisors under the UK’s money laundering regulations. As part of their supervisory activity, a DNFBP supervisor which supervises a sector described as high risk in the UK NRA identified their 103 highest risk entities. At the request of OPBAS, they conducted an on-site deep dive assessment of those entities and identified a high level of non-compliance and poor systems and controls. Their findings, and follow-up discussions with OPBAS, influenced them to allocate appropriate resources to an on-going programme of more intensive supervision for these entities. They will also make dip-sample visits to some entities identified as high, medium and low risk to assess whether their wider supervisory strategy is fit for purpose or needs further evaluation and refinement. Where DNFBP supervisors, particularly SRBs, have multiple functions (for example, as an advocate for the members they also supervise for AML/CFT compliance), care must be taken to ensure potential conflicts of interest are managed appropriately. In the UK, this was a particular focus for OPBAS when assessing supervisors that maintained both an AML and an advocacy role. Robust governance in place within the supervisor helps mitigate this risk.
Domestic co-operation, including between AML/CFT supervision and prudential supervision
Co-operation and information exchange between AML/CFT supervisors, other supervisors, FIUs, and other competent authorities, including tax authorities and law enforcement, is important to ensure that all stakeholders have a good understanding of, and can act to mitigate, ML/TF risks. Co-ordination with LEAs and the FIU can help to assess the effectiveness/usefulness of the outputs of entities’ AML/CFT programs and provide coordinated messages on risk prioritisation.
Prudential and AML/CFT supervisors should establish an effective co-operation mechanism, regardless of the institutional setting, to ensure that ML/TF risks (informed by NRA processes) are adequately supervised in the domestic and cross-jurisdictional context for the benefit of the two functions. Even when a prudential supervisor is not part of an integrated supervisory authority with the AML/CFT supervisor, and that authority therefore does not have direct responsibility for supervising or monitoring compliance with AML/CFT requirements, it will often be responsible, among other things, for licensing, and will monitor implementation of systems and controls from a prudential perspective that may be relevant for AML/CFT purposes. For further details see the Basel Committee on Banking Supervision’s Guidelines for the Sound Management of Risks relating to Money Laundering and Financing of Terrorism at Annex 5 “Interaction and Co-operation between Prudential and AML/CFT Supervisors”. Jurisdictional examples are provided in the FI Compendium at Section 7.5.
In addition to risk understanding, domestic co-ordination mechanisms (especially the NRA process) should also allow the allocation of resources to AML/CFT supervision based on ML/TF risks (see section 2.1.2). As a practical matter, supervisory attention to different sectors may be affected by available resources. For example, a well-resourced supervisor of a lower risk sector may apply a disproportionate amount of resources to monitoring compliance with AML/CFT requirements because it has strong funding arrangements. Conversely, a poorly resourced supervisor of a higher risk sector may fail to apply an adequate proportion of its resources to AML/CFT supervision since the resources available to it are insufficient. National Risk Assessment processes and co-ordination between supervisors should aim to help allocate resourcing in a risk-sensitive manner.
International co-operation to achieve a risk-based approach to supervision
Many regulated entities routinely operate across national borders and may therefore be subject to AML/CFT supervision by several supervisory authorities in multiple jurisdictions. The ML/TF risks in question are frequently cross-border in nature, and systems and control failings in one part of a group can be replicated elsewhere. Taking a risk-based approach to supervision requires international co-operation, particularly in relation to groups operating across multiple jurisdictions. Co-operation between supervisors is important to mitigate those risks and is covered under Recommendation 40.
International co-operation increases the effectiveness of the risk-based approach by:
· Enhancing risk understanding – including understanding the group’s attitudes and understanding of risks. Broader information on risks could also be shared to increase awareness among supervisors of emerging risks or to develop a common understanding of risks associated with particular types of initiatives, sectors or activities (for example, sharing risks associated with MVTS corridors for financial inclusion purposes). Sharing risk and controls assessments among supervisors would strengthen their collective understanding of the group’s risk profile, and its impact on their respective regulated entities.
· Harnessing synergies in supervisory efforts – to coordinate on supervisory interventions and follow-up, and to identify and drive synergies by sharing supervisory priorities, strategies and programs. Supervisors may conduct inquiries on behalf of foreign counterparts and authorise or facilitate the ability of foreign counterparts to conduct inquiries themselves in the country, in order to achieve effective group supervision.
· Ensuring effective risk mitigation – to assess implementation of preventative measures and the strength of control and audit functions at a group-level.
There are challenges to international co-operation between AML/CFT supervisors that in turn may limit the effectiveness of supervision, such as a lack of common understanding about the AML/CFT information that should be shared, or legal obstacles to information sharing with counterparts and non-counterparts across borders. Data protection and privacy provisions often inhibit sharing of relevant personal information for fit and proper tests. In some cases, information on ongoing cases being pursued by supervisors is not shared with foreign counterparts due to fear of tipping off or causing undue alarm. Cross-border contact between AML/CFT supervisors may be ad hoc, rather than ongoing, even when it concerns an ongoing cross-border risk.
Supervisors of higher risk entities operating in groups should actively
communicate with other relevant supervisors, and there should be official
channels in place for co-operation amongst supervisors of groups of higher risk
entities, including spontaneous sharing of information that may be relevant to
other supervisors.
The Basel Committee on Banking Supervision’s Guidelines for the Sound
Management of Risks relating to Money Laundering and Financing of Terrorism
includes guidance on the roles of home and host supervisors and sets out
guidelines for supervision of group-wide AML/CFT measures for financial institutions.
In the EU, supervisory co-operation can occur in AML/CFT colleges in relation
to entities active in multiple EU member states (see box below). Even though
co-operation between supervisors of DNFBP sectors is less well developed, there
are efforts to increase international co-operation on DNFBP supervision. For
example, DNFBP supervisors are involved in the “International Supervisors
Forum” which includes supervisors from Australia, Canada, New Zealand, the
United Kingdom and the United States.
AML/CFT supervisory colleges in the European Union
AML/CFT and prudential legislation in the European Union (EU) establishes an obligation
for competent authorities to co-operate and exchange information, but it does
not set out in detail how this should be achieved. In the absence of a common
framework, co-operation and information exchange between prudential and AML/CFT
supervisors for the purposes of AML/CFT supervision can sometimes be difficult.
To address this, the European Supervisory Authorities (ESAs) issued Guidelines
on supervisory co-operation and information exchange in December 2019. These
Guidelines lay down the rules on the establishment and operation of AML/CFT
colleges. As is the case with prudential colleges, AML/CFT colleges serve as a
forum for collaboration and exchange of information. They support the
development of a common understanding, by all supervisors, of the ML/TF risks
associated with a bank or financial institution and inform the AML/CFT
supervision of that bank or financial institution. For example, the Guidelines
set out how AML/CFT supervisors can use AML/CFT colleges to adopt a common
approach and agree on coordinated actions. The Guidelines provide that AML/CFT
colleges be set up for all banks and financial institutions that operate in at
least three EU member states. All EU AML/CFT supervisors involved in the
supervision of the bank or financial institution for which a college is set up
are permanent members of that college. EU prudential supervisors and the AML/CFT
supervisors of non-EU countries where the institution operates are invited to
participate in the AML/CFT college as observers. Prudential supervisors from
non-EU countries and the FIU of the EU member state where the lead supervisor
is located may be invited to participate as observers as appropriate. All
observers have to be subject to confidentiality rules equivalent to those in
force in the EU. They are expected to participate actively, including by
exchanging information within the AML/CFT college. Observers that are
prudential supervisors are further expected to take action to ensure that
information from AML/CFT college meetings is shared with colleges of prudential
supervisors and acted upon as appropriate. FIUs from other jurisdictions, as
well as other relevant persons, may be invited to participate in the AML/CFT
college on an ad hoc basis as necessary.
D. Cross-cutting issues
Use of technology by supervisors (“SupTech”)
This section is intended to share experiences of how supervisors have leveraged
technology for their supervisory work and how they have benefited from the use
of such tools in the conduct of risk-based supervision. It does not advocate
any specific technological tools which must be adopted for supervision.
New sources of data and advanced analytical tools can help supervisors be more
efficient and effective at detecting and mitigating ML/TF risks. There are also
new technologies available for supervision, in particular for collecting,
storing, analysing and transforming supervisory data to sharpen risk
assessment, as well as to improve the supervisory process.
By harnessing the benefits of new technologies where appropriate, supervisors
can more effectively and efficiently achieve their supervisory objectives.
· Technologies can automate routine processes and free up valuable supervisory resources, allowing supervisors to focus on tasks that require human judgement, expertise and experience.
· Advances in data processing capabilities, network link analysis techniques, robotic process automation, machine learning and artificial intelligence in general provide opportunities for supervisors to glean additional useful supervisory insights and identify risk trends across sectors and groups of regulated entities. Some supervisors have access to a far greater pool of information than any individual entity and, while a supervisor should not perform the role of an FIU, the system-wide risk analysis that technology enables should be shared with other agencies and, as appropriate, the private sector, so as to collectively manage risk and preserve the integrity of the financial system.
· The opportunities for harnessing the use of new technologies for greater supervisory effectiveness are present in almost all areas of supervisory work. Some examples include:
o Risk assessment of regulated entities: Technology could enhance supervisors’ risk assessments of regulated entities, and across the sector.
o System-wide risk surveillance: Technology could strengthen overall risk surveillance capabilities, supporting activity-focused supervision to augment entity-focused supervision so as to target evolving risks more effectively.
o Supervisory reviews: Technology could enhance the effectiveness of on site/off-site supervisory reviews by augmenting supervisors’ manual reviews with machine-assisted analyses of large datasets.
· Technology could also enable deeper collaboration, including by strengthening linkages with regulated entities. Technology could open more effective channels for information sharing between regulators, law enforcement agencies and regulated entities, and strengthen collective defences against financial crime. Where regulated entities are using technologies to assist with AML/CFT functions or are providing technology-based services, effective supervision also necessitates good understanding of the use of technology by these entities and the resulting impact.
· Supervisors must also consider the potential risks of adopting new technologies, including the possible amplification of cyber-related risks (a cyberattack or operational failure can have a far more serious impact than when using traditional procedures), over-reliance on technology-based models, and reputational risks (if flawed algorithms or inputs in a technological application lead to wrong supervisory assessments and actions). Some practical limitations may also persist, including cost/benefit considerations and the availability of underlying data. There is also a need to periodically review the effectiveness of technological solutions and enhance them where necessary, to ensure they remain relevant and accurate. In decentralised systems, individual supervisors may not be of sufficient size and scale to harness SupTech. Efforts to mitigate potential risks, such as running a new technology in parallel with the existing process for a reasonable period of time, should also be evaluated to ensure the resulting level of residual risk can be effectively managed.
· FATF is exploring the risks and opportunities of new technologies under its current project on digital transformation. For practical examples of the use of technology to risk-rate entities, conduct ongoing monitoring and better target supervisory resources see section 7.2.
Engagement with the private-sector
To develop a good understanding of the risks facing supervised entities,
supervisors should maintain ongoing engagement with the private sector. ML/TF
typologies evolve rapidly and the private sector may be able to detect these
changes and inform supervisors. The private sector is likely to identify these
changes before supervisors since they have direct contact with customers.
On-going co-ordination between supervisors and other government authorities in
their engagement with the private sector ensures clear messages are sent on
expectations for risk management. In more recently regulated sectors, industry
engagement should include education and awareness raising. Some of the features
of a well-coordinated inter-agency and private sector dialogue system could
include:
· Ongoing and regular dialogue
between a range of government agencies (supervisors, law enforcement agencies
and the FIU, for example) and a range of participants from regulated sectors.
In some jurisdictions, this takes the form of standing consultation forums,
conferences or committees. This provides an opportunity to discuss risks, and
also supervisory guidelines or other developments. While the primary purpose of
these events is not to provide specific feedback on an entity’s compliance,
they can help to raise awareness of common challenges and responses.
· Regular information sharing,
education and outreach with and across the private sector to improve
understanding of risks, including through public private partnerships. This can
help supervisors and other authorities achieve a more sophisticated and up to
date understanding of risks faced by the private sector. It can also help
entities develop their understanding of risks (see the example at 7.4.2).
· Seeking private sector feedback on
particular issues. For example, seeking public feedback on the main outcomes
from an inspection cycle or thematic review, identifying the issues on which
regulatory guidance is needed most, or clarifying simplified requirements for
proven low-risk customers/products.
· Broadening dialogue and outreach
beyond regulated entities to a wider range of relevant audiences. For example,
in Japan industry outreach includes engagement with trade associations and
ship-owner associations to share risk information with regulated entities and
the public sector, to raise awareness of the inherent AML risks the sector
faces, and of the need for transaction due diligence and for enquiries by
regulated entities into their customers.
Use of third-parties
Supervisors may use third parties (such as external consultants or auditors) to
support their AML/CFT functions. While these activities can provide useful
expertise and conserve key resources for the most important functions,
ultimately the responsibility remains with supervisors to ensure compliance
with their supervisory obligations. This section highlights some of the
opportunities and risks that supervisors should be aware of in this context.
It is essential to strike the right balance between internal capacity building
and use of third parties. The priority should be building the internal capacity
of the supervisory authorities to fulfil their functions effectively and
independently. This includes an adequate number of in-house staff who are
equipped with a range of skills and qualifications. Using third parties in
AML/CFT tasks may bring some efficiencies. However, over-reliance or dependence
on third parties can undermine the building of internal expertise and capacity.
Use of third parties has become more relevant especially as the financial
sector’s level of sophistication has increased with respect to innovations in
financial products and services (e.g., ‘FinTech’), business models, and IT
capabilities. Therefore, the ability to tap into the expertise of financial
engineers, IT experts, data scientists, and other professionals in supervisory
activities becomes essential for effective supervision.
· Some financial products involve
financial engineering that can go into the design of even a single transaction
or contract (so-called ‘exotic financial products’). While supervisors need to
develop their own understanding of these products and associated risks, in some
cases access to specialist expertise and skills may assist in developing this
understanding.
· The rapid changes in the
information processing, analysis, and storage technologies, and innovations
such as distributed ledger technology or artificial intelligence increase the
importance of supervision and oversight of technology employed to undertake
AML/CFT functions.
· AML/CFT supervision of the banking
sector and other large financial institutions cannot be undertaken without a
thorough examination and understanding of their IT systems (management
information systems, so-called MIS), including their monitoring systems, the
parameters those systems use, and any third-party AML/CFT compliance solutions.
The use of third-parties to assist in monitoring lower risk sectors or entities
can also help supervisors focus on higher risk entities. The FATF Guidance on a
risk-based approach to the MVTS sector highlights that engaging third parties
to assist in performing periodic reviews of lower-risk MVTS providers can help
supervisors focus on the higher risk MVTS providers and avoid being overwhelmed
by the broader population.
The use of third parties can also help supervisors monitor entities’
remediation efforts. For example, in the UK, the Financial Conduct Authority
can require an entity to engage the services of a ‘Skilled Person’ to carry
out a review and provide a report to the FCA. The Skilled Person can test a
firm’s systems and controls, identify weaknesses, and in some cases remediate
the weaknesses identified.
Supervisory authorities’ employment practices should allow enough flexibility
to ensure that supervisors can access technical expertise necessary to meet
their regulatory requirements. External assignments and secondments can also
help these staff to diversify and deepen their experience. When engaging a
third party, the supervisor should:
· Have processes to evaluate and
recruit third party candidates (e.g., competencies, credentials, experience in
the risk area, potential conflicts of interest, etc.)
· Comply with relevant data protection
laws.
· Put in place controls to ensure
that the third parties carry out their tasks efficiently, effectively and
independently, and in line with the tasks or instructions provided by the
supervisor
· Ensure adequate protocols for
communication of issues identified
· Have processes in place to oversee
and monitor the quality of work being delivered, and
· Have third-parties request
permission for controlled access to supervisors’ confidential information and
require compliance with clear terms of reference and manual and electronic
processes to protect sensitive information, including with respect to relevant
data protection laws.
The steps set out above are important for supervisors to satisfy themselves
that the expertise being provided is of high quality and delivering the
expected outcome and that the supervisor is aware of systems and controls
problems identified within entities.
Another increasing trend is the use of third parties by reporting entities to
carry out some of their AML/CFT functions (such as record keeping, some
components of customer due diligence, screening for individuals and entities
designated under the relevant UN Security Council Resolutions, and monitoring
of PEPs). In such cases, the legal responsibility to comply with AML/CFT
obligations remains with the reporting entity. However, supervisors should
have the power, at least through the reporting entity, to examine the
capabilities and effectiveness of these third parties in fulfilling the
contracted AML/CFT tasks.
Happy reading,