RBA Approach to Supervision - Strategies : FATF

Objectives and scope

This section identifies common challenges in applying risk-based supervision and presents potential strategies to address these challenges, but does not oblige authorities to take any of the specific measures outlined. It should be read alongside the FATF Standards and the Guidance in Part One of this paper.

The examples covered in this section and in Part 3 should be considered in light of the supervisory frameworks in place in those jurisdictions – the strategies may not be appropriate in all contexts. The inclusion of examples in this report is for illustrative purposes only and does not constitute the FATF’s endorsement of the effectiveness of the country’s supervisory framework for the purposes of the FATF mutual evaluations or otherwise. Readers are advised to bear this in mind when referring to these examples.


Overview of Challenges Identified in Mutual Evaluations


While mutual evaluations demonstrate some successes in applying the risk-based approach to supervision, in three out of four evaluations, major and fundamental improvements are required. The majority of the 102 countries evaluated against the 2013 FATF Methodology are rated “moderate” for IO.3. A Core Issue by Core Issue review shows that the largest gaps to achieving “substantial” ratings are in the implementation of the risk-based approach to supervision (Core Issue 3.2) and the application of sanctions for non-compliance (Core Issue 3.4). Analysis of a sample of 59 evaluations suggests that only 24% of FI supervisors and 7% of DNFBP supervisors have conducted an updated risk assessment. Analysis of Core Issue 3.2 of these reports reveals that the ability to apply supervision on a risk-sensitive basis is not necessarily connected to sector supervised, but rather to the overall quality of supervision (i.e. means and tools available to supervisors). Supervisors with more resources and tools were able to mitigate, although not eliminate, this gap and adequately supervise both FI and DNFBP sectors.

Countries are performing generally very well in terms of technical compliance with requirements related to supervision, with largely compliant to compliant ratings obtained in most Recommendations. However, some weaknesses remain, with 44% of countries rated NC on R.28, which relates to the supervision of DNFBPs.

The evaluations highlight different degrees of supervisory focus and resources put on financial and DNFBP sectors. Implementation of risk-based supervision is generally more advanced for FIs than it is for DNFBPs. The DNFBP sectors are often newer to regulation and there are challenges for both the supervisors and the industry. Entities in DNFBP sectors often have insufficient understanding of their obligations, and sectoral and entity-level risk assessments, when available, are less developed. Often there are also limitations within the agencies responsible for supervising or monitoring DNFBPs (i.e. lack of capacity/expertise and resources to supervise the large sectors, agencies new to supervision, overlapping responsibilities, etc.). In addition, these sectors often include a large number of entities that vary widely in size, nature and sophistication while also being involved in a diverse range of activities, creating challenges in risk assessment and risk-based supervision. The challenges in relation to VASP supervision can be similar to those faced in other sectors but are also unique due to a number of factors, including the novel nature of the sector, its global reach and the speed at which transactions can take place.

Strategies to Address Challenges in Assessing ML/TF risks



Disconnect from, or misalignments with, the NRA


National Risk Assessments (NRAs) are intended to inform the national AML/CFT policy and strategies and the implementation of a risk-based approach to both AML/CFT regulation and supervision. They provide a point-in-time view of the ML/TF risks to which the country is exposed. NRAs should be regularly reviewed and kept up to date. If the ML/TF risks at national or sectoral level are not assessed comprehensively, or there is a disconnect or misalignment between the NRA findings and the AML/CFT supervision framework, AML/CFT supervision cannot be effectively risk-based. For example, while working on the design and development of risk-based AML/CFT supervisory frameworks, some jurisdictions have noticed gaps and deficiencies in their NRAs, as the NRAs did not comprehensively identify all the ML/TF risks or provide the necessary insights and information on the risks. This has led these jurisdictions to revisit their NRAs and supplement them with additional analysis, particularly on sectoral risks. Another example of possible issues in NRAs is the lack of information on medium-risk and low-risk areas/sectors, and on ML/TF risks in the DNFBP sectors, which are also essential for an effective risk-based approach to AML/CFT supervision. The NRA and the sectoral risk assessment (SRA) do not have to align perfectly in terms of risk scoring etc., but there should be a general coherence between the findings of both assessments.


Strategies to address this challenge:


· Supervisory authorities should participate in the NRA process and share and discuss their understanding of sectoral risks with other stakeholders. The NRA report and findings should be accessible to supervisory authorities and should be taken into account in the development of supervision strategies. If the NRA is not complete or comprehensive enough to inform the risk-based supervision framework, it should be reviewed and improved.

· Authorities should ensure ongoing communication among supervisors on the NRA to ensure identified risks remain current and to understand emerging risks that need to be reflected in NRA updates.


New areas of supervisory responsibility – identifying the regulatory population 


If a supervisor’s authority is extended to include a sector not previously supervised for AML/CFT purposes, a first step is to identify the regulatory population and begin to understand the risk environment. This is particularly important, as it underpins a number of decisions, including what resources, skills and experience are needed to effectively supervise the sector. This task is often more straightforward if the authority is being extended to cover activities carried out by entities that are already regulated for other purposes (the challenge may then be to track down and share this information among authorities). Identifying the population is more challenging when it involves entities that are not already supervised for another purpose (e.g. VASPs in most jurisdictions). For example, it can be difficult to accurately predict the size of the population before the registration/licensing process begins. In one jurisdiction that was early to introduce AML/CTF regulations for VASPs, the supervisor estimated that approximately 50 VASPs would register as obliged entities. However, when the regime came into force, the actual number of registrations received was around 350. The challenge can be more acute where there are no trade associations or industry bodies and there are numerous smaller operators. Additional challenges occur when entities are physically based outside the jurisdiction but are able to operate within it (e.g. online casinos or VASPs).


Even when it is not a new area of responsibility, there may be fluctuations and changes in the regulatory population, or failures to fully identify the regulatory population. For example, in the UK, the Office for Professional Body Anti-Money Laundering Supervision (OPBAS) found that, at the end of its first year in operation, 18% of relevant DNFBP supervisors had not fully identified their supervised population. Following a series of workshops in June 2019, this had been rectified by the end of that year.


Strategies to address this challenge:


· A number of other domestic and international authorities or organisations may hold relevant information, for example revenue and tax agencies, corporate registries and trade or professional associations. Already supervised entities may also provide a source of information (e.g., banks will hold information on the activities of their customers).

· Open source information (e.g., web searches or industry contact directories) may also be of assistance in this regard. Outreach actions and workshops may also assist the supervisor not only in understanding the risk environment but also in identifying the regulatory population (e.g., outreach actions towards representative bodies of DNFBP or VASP sectors).

· Supervisors should continue to identify and verify their regulated population on a periodic basis to capture fluctuations and reassess supervision strategies and the resources required to deliver them. Where point-of-consumption regulation applies, supervisors should establish communication channels with jurisdictions that have a concentration of entities located within them but not operating there (e.g., jurisdictions that host a large number of online casinos that are mainly used by customers in other jurisdictions).

· See VASP sector examples at section 9.1.


New areas of supervisory responsibility – identifying and understanding the risks

Where supervisors’ mandates have been expanded to include new activities not previously subject to AML/CFT supervision, supervisors may not have a good understanding of the risks in the sector or the strength of mitigation measures and need to consider how best to integrate entities engaging in such activities into their risk models.


Strategies to address this challenge:


· As a starting point, supervisors should focus on the potential level of ML/TF risk in the sector (i.e., inherent risks). Supervisory authorities should seek to build an initial understanding of the inherent risk that these new activities could present and seek to supplement this knowledge through engagement with law enforcement authorities, other supervisory authorities which are already supervising and licencing/registering such entities, and through engagement with the entities themselves (for example, through issuing an ML/TF questionnaire, or engaging in meetings with the sector or with specific entities as part of registration or licensing processes). To ensure that this process does not result in diverting resources from existing higher risk sectors, additional resources may be required or sought. These resource considerations should be part of planning and rolling out regulation to new sectors. Supervisors can also learn from other jurisdictions that are already supervising the activities (i.e. where regulation has been introduced by their international counterparts).

· Putting in place a dynamic risk assessment process which is kept under review and duly updated as the understanding of the sector develops (including appropriate re-rating of sectors and entities) can help ensure resources are targeted at the highest risk areas. See guidance on updating risk assessments at section 2.4, including incorporating findings from supervision work and feeding in other sources of information.

· In some cases, existing information from regulated entities can help supervisors obtain information on newly regulated entities.

· Where a significant number of entities are entering a market or seeking licencing or registration at the same time (e.g., VASPs), it may be useful for supervisors to ensure that sufficient flexibility is built into their approach, to allow for prioritisation of incoming requests. This could involve identifying and prioritising entities carrying out the highest risk activities for early registration, monitoring key risk indicators, or increased emphasis on ad-hoc onsite and off-site reviews, and engaging regularly with industry bodies.


Difficulties in assessing risks at the entity-level 


In certain situations, an entity may not have developed a risk assessment, or the risk assessment that was developed may be overly broad and not provide sufficient granularity or analysis.

Some sectors have a large number of (mostly smaller) active institutions and it is difficult to develop comprehensive risk profiles for each individual entity. In the case of newly established institutions or recently regulated sectors, there may not be in-depth knowledge about the risks presented by those individual entities’ business models and activities, and the results from the supervisory authority's own audits or other supervisory activities are not yet available.


Strategies to address this challenge:


· Undertake sectoral risk assessments as a first step. The sectoral risk analysis primarily provides a good overview of the risks to which an institution is exposed as a result of its business activities in this sector, and therefore important insights can be gained for the risk profile of the individual institution. It also makes it possible to provisionally apply the sectoral risk rating as a default rating to newly established or recently regulated institutions.

· Depending on the specificities of the regulatory population, develop clusters of entities that share common characteristics, where the risks of ML/TF affecting the entities in the cluster are very similar.

· Encourage the supervised entities to leverage the sectoral risk assessment created by supervisors as a starting point or model to develop their own risk assessment over time. Supervisors could also consider making application to register conditional upon preparation of a risk assessment (reviewed at time of application).

· The larger, more comprehensive and higher risk the business activities of an entity are, the greater the degree of granularity that should be applied in the assessment of risks when developing a risk profile. Conversely, this means that, for small entities with very limited business activities, risk profiles can be developed based on the sector analysis combined with the entity's key financial figures (e.g. turnover, transaction volume, share of business volume from cross-border transactions).

· To improve entities’ risk assessments, identify themes and common shortcomings that may be addressed through guidance and feedback. Ensure a number of channels are used to disseminate the outcomes of the NRA or supervisory risk assessments. For example, Jersey recently produced a video explaining the key ML/TF risks to which entities in the jurisdiction are subject. Other jurisdictions have produced summarised information to provide a snapshot of risks, etc.

· Provide clear guidance to entities for their institutional risk assessments. Consider developing ready-to-use templates that will guide them in their institutional risk assessments. If the entities do not have the analytical capacity, these templates may be designed to collect low-risk information (e.g. the volume of certain products or services, number of non-resident clients) which can be the basis for the risk assessment by the supervisory authority.


Building risk understanding over time 


Developing a supervisory risk assessment methodology for the first time, or updating the methodology, to provide more nuanced risk assessment, can be a daunting task.

Strategies to address this challenge:

· Supervisory authorities should seek to build an initial understanding of the inherent risk in the sectors they supervise and the national context from the NRA, sector experts and engagement with other relevant authorities. This will ensure that the risk factors assessed are adapted for ML/TF purposes.

· Supervisors should seek to identify and use quantitative and qualitative data when starting or updating a risk assessment. Ideally, risk assessments should be performed with a set of up-to-date, accurate, relevant and consistent data. This data can be obtained through a questionnaire or data return from entities which can include information such as data on ML/TF alerts, STR activity, staff training (among other quantitative data), as well as information on the financial and economic activity of the entity.

· Supervisory authorities’ risk understanding will develop over time through the experience and knowledge gained from carrying out supervisory work, engagement with law enforcement and other supervisory authorities, and from regular participation in domestic and international AML/CFT operational and policy fora. This enhanced understanding should be incorporated into supervisory authorities’ risk assessments, and supervisory authorities should have processes in place to ensure that risk assessments are subject to regular review and update. Supervisory authorities’ processes should seek to undertake risk assessments at the individual entity level when applying supervisory tools, and these individual risk assessments should feed into the sectoral risk assessments.

· Supervisory authorities should seek to enhance and strengthen their models for risk understanding by supplementing the qualitative approach to risk understanding with quantitative information. Supervisory authorities that are applying supervisory tools as part of their supervision models through which they are routinely collecting data from supervised entities, or that have access to data from other sources, should ensure that relevant data is integrated into the risk assessment process. Supervisors should also consider adapting the data requested via questionnaires or data returns to address the latest risks. See case study 7.1.2.

· While developing a risk assessment methodology, supervisors should opt for models that provide results at various levels (e.g., results for an individual risk category for one entity or across multiple entities, consolidated views, year-over-year trends, etc.). The methodology should allow supervisors to form a view on the levels of risk across entities of similar size and operations, or within the same sector. Supervisors should be able to obtain from entities, or generate, reports on changes in the risks and in the quality of controls from one risk assessment period to another.

· As the risk model becomes more sophisticated it may be adapted to provide greater distinction of the relative risks of entities within and across sectors (e.g. more specific risk rating categories may be added). Supervisors should periodically review their risk rating approach to assess whether it remains adequate and proportionate to the regulatory population.

· The methodology and results of the supervisors’ risk assessment should be well supported with a clear rationale and understanding of how risks are identified and weighted. These should regularly be revisited in accordance with the changes in the risk environment.


Engagement with other authorities to supplement the risk assessment 


Other authorities hold important information that should inform supervisory risk assessments. For example, regulated entities report suspicious activities to FIUs, and these reports are further investigated by other authorities; supervisors need to obtain feedback on this reporting and on typologies to better understand the risks facing the entities they supervise. In the same vein, prudential authorities or foreign authorities can be aware of new activities in a regulated entity that supervisors are not aware of, which can give rise to new AML/CFT risks.


Strategies to address this challenge:


· Supervisors should diversify the sources of inputs of their risk assessments by engaging with other stakeholders, especially other AML/CFT or prudential supervisors, the FIU, law enforcement agencies, and relevant foreign authorities. Some ways to facilitate this are secondments and liaison officers for pertinent relationships and joint meetings or guidance for regulated entities. In some jurisdictions, the FIU provides regular reports on the quality and quantity of STR filings by regulated entities and/or specific warnings that highlight deficiencies or weaknesses identified in some regulated entities’ internal control systems. See section 3.9 and case studies at 7.5.

· Building strong co-operation with the prudential authorities or other authorities regulating the sectors being supervised. Where the same authority is responsible for supervising both ML/TF and prudential risk of FIs, there can be significant synergies for the ML/TF supervision but information sharing and co-operation continue to be critical as in cases where these functions are performed by different agencies. Synergies can be found in terms of understanding FIs’ business models, internal governance arrangements and internal control system weaknesses.

· Building strong co-operation with foreign authorities: this can be achieved through informal and proactive exchanges of information, establishing international supervisory colleges and official channels for communication, participating in supervisors’ forums and having regular meetings with other authorities. See section 3.10 for further detail.

· Co-operating across public/private partnerships: For example, the UK has published its Economic Crime Plan, which sets out the actions being taken by the public and private sectors to ensure that the UK cannot be abused for economic crime. Inputs and outputs on the plan are being considered at ministerial as well as working level, to ensure the right risks are identified, shared and mitigated across the financial service and DNFBP sectors.


Data collection issues


Data collection is an important way for supervisors to identify and monitor risks, but it can be time consuming and burdensome for entities and supervisors when it is done inefficiently. Entities may have difficulties collecting data required by supervisors or providing data where their systems are not compatible with that of the supervisor. Supervisors may also face challenges in handling and processing data, particularly large-scale data sets. Some of the common data collection challenges include:

· A lack of relevant historical quantitative data or the data requested is not retained by the entity in the form requested by the supervisor

· Lack of information in digital format or held in multiple databases

· High volume of information

· Inconsistent definitions may affect the quality of the data collected and there may be compatibility issues among the data from different institutions

· Information requires data cleaning before use, and

· Cost of collection, validation, storage, processing and dissemination.

When developing or revising data collection from regulated entities, several challenges can arise. For example, entities may not understand the requirements or may interpret them differently, creating consistency and comparability issues and ultimately leading to inaccurate outcomes because of data quality issues. Although supervisors are increasingly using technology and need to feed their automated tools with data, they should also consider that any request for a new set of data may require the supervised entities to adapt their information systems to be able to report adequate and reliable data, so advance notice is needed.


Strategies to address this challenge: 


· Effective co-ordination and information sharing within the supervisory agency to ensure information already collected by a department is not requested by another. For example, in the UK the FCA has an Information Governance Board to ensure that uniform requests for data are justified by meeting certain criteria, including that the data has not already been collected. It is also prudent to consult with other relevant authorities, such as the FIU that may also seek or hold relevant data from regulated entities.

· Regulated entities should be consulted early in the development of data collection tools. In France, there is a consultation phase with FIs before issuing the yearly ML/TF questionnaire. Presenting the new questions and the rationale for any changes of the questionnaire (i.e. quantitative and qualitative data) is an opportunity to present the priorities if the changes result from an increasing attention to a specific risk. It helps supervised entities understand the purpose of any new or amended question and to answer it accurately and specifically. It also gives an opportunity for regulated entities to raise any difficulties they may face in answering the questionnaire (difficulty in implementing new regulations, availability of data requested that may need IT developments, etc.). This prior consultation facilitates the collection of better data.

· Increase the type of information requested gradually, starting with information already collected and moving towards information not collected, thereby giving entities the time to start collecting data. Automated data collection should also be considered. Carefully assess which data is required at a minimum to make an informed assessment of ML/TF risk, bearing in mind that more information does not necessarily translate into a better risk assessment. Give sufficient prior notice to the regulatory population to adapt its information system and to ensure the quality and reliability of the reported data and provide adequate time for entities to adapt to the new or revised requirements.

· For significant providers of data, supervisors may liaise with the entities’ technology providers so they can build in back-end/output supervisory requirements to front end/input data collection portals.

· For sectors involving fast-paced changes in technology and/or changes in the market environment (e.g., the VASP sector), authorities could engage with industry bodies or self-regulating bodies to understand the technology and adapt their data collection accordingly.



Special considerations for DNFBP supervisors


Some sectors, in particular DNFBPs, have a very large number of entities such that understanding ML/TF risks of each entity is difficult as supervisors may have no or little data on individual entity activities. In addition, the range of sizes of entities (from sole traders up to groups operating internationally) and the diversity of activities undertaken by DNFBPs often makes understanding and assessing ML/TF risks across all sub-sectors challenging, in the absence of highly specialised resources (supervisors) who are knowledgeable and experienced in the specific activities carried out by all types of DNFBPs.


On a more practical level, data collection from DNFBP sub-sectors may be difficult due to:

· The sub-sectors having little or no capacity to generate or produce the type of comprehensive and reliable data required by supervisors to assess risk, due to a lack of understanding by the entities

· A lack of legal authority to collect data (particularly in the case of self-regulating bodies (SRBs))

· Challenges in identifying reporting entities or determining whether a person/company is a reporting entity, especially in those sectors that are not directly regulated or licensed by any licensing authorities or self-regulating bodies (SRBs), and

· The absence of compliance data on individual entities (e.g. in lower risk sectors, or newly regulated subsectors with no history of supervision or regulatory relationship); meaning that assessing the effectiveness of control frameworks and hence residual risk in some DNFBPs is a particular challenge.


Strategies to address these challenges: 


· Supervisors of these sectors may seek to identify sub-sectors, market segments or clusters within the sector and understand their respective features or characteristics so that risk profiles can be established at the sub-sector or segment level.

· Supervisors may develop simplified risk assessment templates for less complex entities with lower risk profiles for ML/TF and other illicit financial activity. Such templates may collect the information from institutions on their business and transactions, products and services, client profiles etc. Supervisors can form a broad judgement about the risks based on this data.

· In addition, supervisors may coordinate and liaise with licensing bodies and sectoral associations to obtain information on the entities in the sector, subject to a legal basis to share information between the supervisor and these bodies. Licensing bodies and sectoral associations could help to identify entities for supervisory focus based on criteria developed by the supervisor.

· Supervisors may introduce and strictly enforce obligations to submit risk and activity information (e.g., an annual report or similar). These obligations need to be supported by provisions in law, together with sanctions for non-submission.

· For sectors with little data available, supervisors may initially implement a relatively simple risk-based supervisory strategy (e.g., driven by broad indicators of inherent risk). More complexity may be incorporated into the approach as better data becomes available and supervisory engagement increases, allowing an effective consideration of control frameworks and residual risk. Also see sections 5.4 and 6.3.

· Supervisors may undertake on-site inspections of a random sample of entities in sectors where there are data gaps (e.g. lower risk sub-sectors that are not subject to regular inspection cycles). These may be used not only to assess control frameworks but also to confirm a supervisor’s risk understanding of that sector and/or confirm the validity of risk information provided.


Other guidance


· Supervisors should have skilled and trusted personnel who can assess and understand risks, including through recruitment with fit and proper tests or integrity testing as appropriate. This also requires that these authorities maintain high professional standards to ensure that individuals have the necessary skills and expertise to carry out this work, which should be commensurate with the complexity of the entity’s operations and risk profile, and that they comply with integrity standards.

· Consider a balance between having staff specialised in particular sectors or entities for a number of years to build up knowledge/experience and building in rotation or other safeguards to ensure objectivity and sharing of expertise within supervisory teams. Secondments from industry are also a good way of complementing knowledge and experience.


Applying Risk-Based Supervision



Sequencing to establish risk-based supervision


Where there are new supervisory responsibilities or AML/CFT supervision is applied to new sectors, it may be difficult to achieve fully effective risk-based supervision over the short term.

Strategies to address this challenge:

· Consider building into the supervisory strategy a step-by-step approach to risk-based supervision. For example, below is the process followed by the Anti-Money Laundering Compliance Unit in the Irish Department of Justice, which supervises several DNFBP sectors.

Step-by-step approach to establishing risk-based supervision

• Develop legal framework and define scope of the regime (e.g. what activities or types of entities will be regulated). Think about powers needed for the specific sector based on the risks it presents. For example: specific powers to enter premises, remove files etc.

• Establish a preliminary understanding of the sector, including identifying an estimate of the entities in scope, the size of their operations, etc.

• Establish supervisory authority and staff (think about needs, e.g., knowledge and skills gaps, additional technology, etc.)

• Programme of staff training (Who should deliver it? Who should you involve? What training is available?)

• Develop inspection procedures around obligations in legislation, international best practice (e.g. FATF/EU)

• Think about frequency (e.g. more often for high risk) and focus (e.g. particular cohort challenges) of inspections

• Learn about your cohorts – identify inherent risks by understanding the specific threats and vulnerabilities in each sector. Review any existing information (e.g., national risk assessments or assessments by other authorities) or international documentation on sector and risks it faces e.g. FATF, EU etc. (see section on risk assessment) and identify missing information.

• Think about the balance between off-site reviews and on-site inspections. Sometimes it is difficult to establish residual risks in certain cohorts without an on-site visit.

• Identify residual risks after applying AML/CFT measures.

• Undertake outreach with sector before commencing inspections e.g. information booklets, templates etc.

• Think about undertaking capacity-building inspections for both the entity and the supervisor.

• Share information within the AML supervisor. For example, internal team meetings every fortnight to share findings, discuss issues arising, FATF/EU guidance, trends, media, strategies for improvements etc.

Source: Department of Justice, Ireland

Note: In reality, many of these steps may happen in a different order or in tandem.

Insufficient resources or inexperienced staff 

There may be a lack of staff, or staff may be inadequately trained, to conduct proper risk-based supervision. Teams conducting AML/CFT supervision may be new, may be covering new sectors, or may be existing regulators to which AML/CFT responsibilities have been newly assigned. There may also be a lack of supervisory tools and technologies.

Strategies to address this challenge: 

· Allocate the limited supervisory resources based on sector’s/entities’ risks in an effective manner. In allocating resources, based on the outcome-focused approach (See Section 3.4), supervisors should focus not only on the headcount but also the capability and training of the AML/CFT staff.

· Ensure that there is requisite senior management support and buy in within the supervisory body. Use the results of the risk assessment to secure additional resources by demonstrating the risks that remain unmitigated. For those who are part of a larger agency, consider designating specific resources for AML/CFT to build expertise and support other supervisory staff. If staff lack AML/CFT expertise, or expertise in relation to a particular sector, develop strategies to build capacity and consider appropriate use of other experts. Consider seconding staff from more experienced AML/CFT supervisory authorities to transfer knowledge and expertise. Consider appropriate use of third parties or consultants as an interim measure (see section 4.3 for more detail).

· When designing the supervisory approach and determining the target operating model, conduct a detailed training needs analysis and allocate resources for training. Where a supervisor is taking on supervision responsibilities for a newly regulated sector, it is unlikely that they will have existing staff with both the technical knowledge of the sector and experience in carrying out risk based supervision. It is also unlikely that they will be able to easily recruit individuals to meet this need. Providing tailored training and forming teams with a mix of skilled supervisors and technical experts is an approach to addressing this issue.

· Provide AML/CFT training courses and learning opportunities to AML/CFT supervisors, with adequate budget and staff time for learning and development, and explore opportunities to gain insight into best practice from more established AML/CFT supervisors. This may include, for example: a resource centre with job aids, templates and other tools that can assist less experienced staff at a time of immediate need; access to financial crime training courses or online or pre-recorded training material; and participation in international or regional training or experience exchange with supervisors in other jurisdictions.

Supervising sectors with a large number of entities and limited risk information

Strategies to address this challenge:

· See the advice in the section above on strengthening the risk assessment. If adequate information is available, using a risk rating scale with more ratings (e.g., high, medium high, medium, medium low and low) may provide greater distinction between the relative risks of entities within and across sectors with a large number of entities than a scale with fewer ratings, for example a three-rating scale. With greater distinction, supervisors can further tailor their supervisory approach.

· Identify key players in the sector, for example those that make up a large percentage of market share or those that belong to a sub-sector presenting higher risks. It may also be possible to engage with entities providing AML/CFT compliance services for a large number of entities in a sector e.g. outsourcing of transaction monitoring or CDD. It may be possible to use economies of scale by leveraging off an inspection to one entity by making some assumptions about other entities using the same service provider, subject to any particularities/refinements adopted by individual entities and any differences in the use of the product or service.

· Identified sub-sectors or clusters of entities can be grouped together by similar, factual inherent risk characteristics, such as services offered in a specific location, for example conveyancing in London. Supervisors can supervise these sub-sectors by selecting entities for further attention via on-site or off-site supervision using criteria under a risk-based sampling methodology. Where the outcomes of these assessments vary significantly, the sub-sector may not be specific enough and may not be appropriate to cluster together for supervision purposes. Where the outcomes are similar, trends can be identified and supervisory strategies can target the entire sub-sector. This allows supervisors to target resources in the most appropriate way.

· Identify and engage with AML/CFT compliance officers in these entities to increase awareness of risks and regulatory requirements.

· Ensure communications and guidance are used to set expectations and provide feedback on good and poor practices. This can be achieved through a number of channels, including industry outreach, publishing the outcomes of thematic reviews and detailing specific failings in enforcement notices. This enables businesses that may receive less direct supervisory engagement to conduct a gap analysis of their systems and controls to ensure they align with good practice.

Poor independent audits of entities 

Many supervisors of financial institutions make use of FI’s internal and external audits as an important source of information on FI’s AML/CFT controls (many smaller DNFBPs do not have internal audit functions). Independent audits with an inadequate scope or of poor quality may present a challenge for the supervisor. In some systems, supervisors may rely heavily on audit information regarding the entity’s specific risks, to understand how these risks are being managed and controlled, and the status of the compliance program. Therefore, if the entity’s independent audit is inadequate, those independent audit findings cannot be leveraged to tailor the review areas covered by the supervisory authority and to allocate the resources necessary to assess the entity’s compliance program. Moreover, poor independent audit report(s) and supporting paper work can hinder supervisors in understanding audit coverage and the quality and quantity of transaction testing that was performed as part of the independent audit. Without this knowledge, supervisors may be limited in their ability to risk-focus and identify areas for greater (or lesser) review.

 Strategies to address this challenge:

· To prevent this issue, supervisory authorities should assess whether the entities have processes in place to ensure the audit scope and depth is appropriate and that audits are performed by competent, qualified and reputable independent auditors and take steps to satisfy themselves that the audits performed are of sufficient quality, for example by carrying out sample checks. Moreover, supervisors should confirm that the financial institution or DNFBP’s independent audit plan assesses the effectiveness of AML/CFT controls across and within the entity or group’s operations.

· Cross-compare findings from supervision activities and independent audit to help detect the deficiencies in independent audit and auditors.

Special considerations for DNFBP supervisors

Challenges in data collection and assessment of risk are detailed in section 1.9 above, while further challenges to risk-based supervision of DNFBPs include:

· Difficulties in ensuring an adequate level of DNFBP supervision (where risk models/supervisory programmes usually focus on larger FIs like banks). This is discussed in the context of monitoring in Part A, but is particularly relevant to DNFBP supervision within a single supervisor that also covers FIs.

· Notably, in order to achieve “statistical significance”, a meaningful number of supervisory engagements (whether on-site or off-site) need to be carried out relative to the population size. In the case of DNFBP sectors with large populations, achieving statistical significance may not be attainable. In these cases a supervisor could instead focus on a sub-group or selection of entities within the population that presents the highest risk.

· Difficulties in ensuring supervisors are specialists and/or sufficiently trained, experienced and knowledgeable in relation to the widely diverse activities carried out by supervised entities.

· DNFBP supervisors, in particular self-regulatory bodies, may not have full legal authority to carry out supervision on all entities within the sector.

Strategies to address these challenges:

 · Intensive outreach and engagement with and via sectoral associations (which may not be necessarily the self-regulatory bodies), including the provision of specific DNFBP sectoral typologies.

· Comprehensive training for supervisors on the business models and activities of the various DNFBP sub-sectors.

· Ensuring that random, reactive and event-driven supervisory activity provides sufficient coverage across DNFBP subsectors which are not subject to cyclical on-site programmes.

· Defining a strategy which is adapted to the sector and degree of risk presented by entities.

· As set out at section 5.8 above, supervisors may initially implement a relatively simple risk-based supervisory strategy (e.g., driven by broad indicators of inherent risk in a subsector). More complexity may be incorporated into the approach as better data becomes available and supervisory engagement increases, allowing an effective consideration of control frameworks and residual risk in individual entities.

Role of self-regulatory bodies for DNFBPs

According to the FATF Standards, a jurisdiction may decide to assign all or some of supervisory tasks and responsibilities to self-regulatory bodies (SRBs) of DNFBPs (except for casinos). However, this arrangement needs to consider the jurisdictional context and may not be optimal for all jurisdictions. In general, SRBs may lack the power and the tools of government supervisory agencies, particularly the sanctioning power. There may be conflict of interest and independence related issues for some SRBs (particularly where SRBs are dependent upon membership fee income). In addition, many SRBs have serious human resources and other capacity constraints, or are not adequately focused on, or adequately trained/experienced in relation to, AML/CFT issues.

Strategies to address this challenge:

· When designating the appropriate AML/CFT supervisory authorities, a jurisdiction should carefully analyse these factors before deciding on the possible role of the SRBs in supervision. Based on this analysis, a jurisdiction may decide that the role of the SRBs should be more complementary in nature, for example contributing to implementing market entry controls, awareness raising, training and guidance.

· If an SRB is chosen as a supervisor, laws and regulations need to be drafted or amended to ensure that it has the necessary powers and tools. The laws and regulations should also ensure that conflict of interest situations are dealt with.

· There should be some level of oversight/supervision by a competent authority over the AML/CFT work of SRBs. In the UK, OPBAS was set up as a supervisor of SRBs designated as DNFBP supervisors under the Money Laundering Regulations to ensure there is a consistent approach to AML/CFT supervision across the relevant DNFBP sectors and to assess whether they are effectively meeting their obligations set out in legislation. While further improvements in the effectiveness of AML/CFT supervision remain, there has been significant progress made. OPBAS continues to deliver its second phase of supervisory work and expects to publish its third report in 2021.

Lack of clarity in the division of supervisory roles and responsibilities

In many jurisdictions, there is a lack of clarity in the division of the labour and responsibilities between AML/CFT supervisory authorities, particularly between the FIU and the other supervisors but also between prudential and AML/CFT supervisors or AML/CFT supervisors that are responsible for the AML/CFT supervision of different aspects of the same entity’s activities. In those cases, it is not always clear which agency has the primary role and responsibility for AML/CFT supervision.

Strategies to address this challenge:

· Ideally, the law should clearly identify which agency has primary responsibility for AML/CFT supervision of a sector. To this end, any ambiguities in the laws should be addressed, and overlaps and conflicts between AML/CFT laws and sectoral supervision laws should be examined and eliminated, as necessary. In addition, as appropriate, memoranda of understanding can help define the respective roles of the authorities and the principles for collaboration and information sharing among them. Such arrangements and a clear division of AML/CFT supervision roles and responsibilities become particularly essential when a multinational authority and/or a federal authority has AML/CFT supervisory responsibilities over domestic or local entities.

· Set up mechanisms to ensure co-operation and a consistent approach between those agencies and ensure that information flows freely and in a timely manner.

Zero-tolerance or zero-failure approach

A zero-tolerance approach that does not tolerate imperfections, particularly in areas identified as posing lower risks, is counterproductive to an effective AML/CFT system and to risk-based supervision. This applies both to the supervisory agency and to an entity’s approach to meeting its requirements. In certain cases, it may be difficult to develop institutional support for taking a risk-based approach due to fears of missing compliance failures in areas deemed lower risk. A risk-based approach also requires deep knowledge of sectors and providers, critical thinking and subjective judgement by supervisors. As set out in section 3.7, there may be valid reasons for supervisors to take remedial or other action across the risk spectrum if, for example, the failure is due to repeated, knowing or wilful non-compliance with AML/CFT requirements. At the entity level, a zero-tolerance approach could lead to the indiscriminate cutting loose of entire classes of customer, without taking into account, seriously and comprehensively, the level of risk and the risk mitigation measures for individual customers within a particular sector.

Strategies to address this challenge:

· Especially in the introductory stages of implementing a risk-based approach to AML/CFT, supervisors should explain the approach to their regulated population and provide clear guidance on how it should be applied. In justifying their approach internally, supervisors should seek high-level support for their supervisory strategies by explaining the rationale and being able to demonstrate the benefits of this approach.

· The development and senior management sign-off of supervisory risk statements and frameworks would also be an appropriate strategy.

· Supervisors should introduce the RBA gradually, and give greater flexibility to the sector as their expertise and risk assessment capability increases.

· Supervisors should make clear that it is inappropriate to indiscriminately terminate or restrict business relationships of entire classes of customer, without taking into account, seriously and comprehensively, their level of risk and risk mitigation measures for individual customers within a particular sector.

Integrated vs. Standalone AML/CFT Supervision

While some supervisory agencies have dedicated AML/CFT supervision programmes and teams, others conduct their AML/CFT supervision as an integrated part of a general or prudential supervision programme. Both approaches have pros and cons. For example, in an integrated supervision framework, on-site inspection plans may depend heavily on prudential risks, leaving prudentially sound entities with higher ML/TF risks out of the inspection plan, which is not in line with the RBA to supervision. On the other hand, when AML/CFT supervision is conducted on a standalone basis, co-ordination and collaboration with the prudential supervisors and other aspects of supervision is often challenging.

Strategies to address this challenge:

· When choosing one of these approaches or a combination of both, authorities should carefully consider these advantages and disadvantages. See the comparison below, and refer to the Basel Committee’s guidance on co-ordination between AML/CFT supervision and prudential supervision for further guidance on this topic.

World Bank comparison of integrated and stand-alone inspections

Integrated AML/CFT supervision

  By general prudential supervisor: All supervisors are or can be involved in AML/CFT inspections as an extension of the prudential inspections.
  Pros: All supervisors gain AML/CFT experience and are involved in the AML/CFT agenda. Co-ordination between prudential and AML/CFT inspections will be smoother.
  Cons: Prudential risks will determine the inspection plan; AML/CFT risks may not always parallel the prudential risks. Supervisors may tend to see AML/CFT as a secondary issue compared to prudential risks. Specialisation in and the depth of AML/CFT inspections may remain limited.

  By specialised AML/CFT supervisor: A specialised AML/CFT supervisor joins the team during the prudential inspection and conducts the AML/CFT inspection.
  Pros: A group of experts will excel in AML/CFT, leading to deeper and higher quality AML/CFT inspections. Co-ordination between prudential and AML/CFT inspections will be smoother.
  Cons: Prudential risks will determine the inspection plan; AML/CFT risks may not always parallel the prudential risks.

Stand-alone AML/CFT inspection

  By general prudential supervisor: Stand-alone AML/CFT inspections conducted by general or prudential supervisors (possible but not common).
  Pros: All supervisors gain AML/CFT experience and are involved in the AML/CFT agenda. There will be a separate AML/CFT inspection plan that is independent from the prudential side, allowing better alignment of AML/CFT supervision to ML/TF risks.
  Cons: Specialisation in and the depth of AML/CFT inspections may remain limited. Co-ordination between prudential and AML/CFT inspections may require more effort.

  By specialised AML/CFT supervisor: AML/CFT inspections are done by a specialised supervisor, independently from the prudential supervisors.
  Pros: A group of experts will excel in AML/CFT, leading to deeper and higher quality AML/CFT inspections. There will be a separate AML/CFT inspection plan that is independent from the prudential side, allowing better alignment of AML/CFT supervision to ML/TF risks.
  Cons: Co-ordination between prudential and AML/CFT inspections may require more effort.

· Standalone AML/CFT supervision teams should seek input from other supervision areas when formulating a sector risk assessment and when identifying specific risks and areas of focus for the assessment of particular entities. For example, AML/CFT supervision teams may want to understand whether there are any concerns from a cyber-security or client assets perspective when considering AML/CFT risks, as these concerns may indicate a vulnerability that financial criminals could exploit. The AML supervision teams should also ensure that supervisory findings, whether derived from off-site or on-site activities, are shared with the prudential supervisors, as major AML/CFT issues may lead to or indicate critical prudential concerns.

· Although prudential and conduct risk may inform supervisors’ understanding of ML/TF risks, AML/CFT supervision should be driven by ML/TF risks rather than prudential or conduct risks.

· For those jurisdictions with dedicated AML/CFT supervision teams, supervisory resources may be categorised as teams/supervisors/responsibilities for:

1) high risk supervision

2) medium risk supervision

3) low risk supervision

4) responsive supervision

5) risk analysis, data collection and horizon scanning.

Alternatively, the split may be divided by the type of supervisory intervention (e.g., on-site and off-site). The appropriate sub-categorisations used by the supervisory authority will depend on the size, characteristics and risks presented by the supervisory population.

Risk-based supervision strategies should be up-to-date and dynamic

With today’s advances in finance and technology, risks can change faster than before, and outdated assessments can undermine risk-based supervision. As set out in section 2.4, it is important to keep risk assessments under review and updated so that resources can be targeted to the highest risk areas.

Strategies to address this challenge:

· Supervisory authorities should be fast and agile in understanding the risks and, if possible, take advantage of SupTech to monitor the risks in real time or on a continuous basis. They also need the flexibility to adapt their supervisory approach and plans to promptly address emerging ML/TF risks. See the section on ‘use of technology’.

Logistical challenges in performing on-site inspections

In jurisdictions that allow businesses located outside the country to operate within their regulatory perimeter (for example, by providing services online), or where certain functions of an entity are located in different places (e.g. where an organisation operates as a group), on-site inspections are challenging and resource intensive. External factors (such as the current global pandemic) can also make it difficult for on-site inspections to go ahead.

Strategies to address this challenge:

· Utilise tools such as video-conferencing to simulate the types of testing that would occur at an on-site inspection, ensuring adequate vigour and spontaneity. For example, the UK Gambling Commission supervises online casinos that offer services in the UK and has used various tools to undertake effective supervision, including:

Microsoft Teams assessments over a number of days with key individuals, with the ability to view real-time data and interrogate their systems. Prior to the Microsoft Teams assessment, materials are requested and reviewed (including the entity’s risk assessment, policies, procedures and controls) and the initial findings help to steer the assessment; it is only during the live assessment that operators are usually told specifically which customer accounts will be assessed. Additionally, the Gambling Commission requires annual assurance statements from the highest impact operators, which cover around 90% of the market, and asks entities to complete ‘calls for information’.


Happy reading,
