The 2003 revised 40 Recommendations of the Financial Action Task Force ( FATF, 2003 ) allow countries to implement a risk-based approach in relation to key elements of their anti-money laundering (AML) and combating of financing of terrorists (CFT) frameworks. A risk-based approach involves the development of appropriate risk control measures based on a process of identification and categorization of risk.
In the AML/CFT context, the phrase is used in connection with regulation, supervision and compliance. Risk-based regulation refers to the tailoring of rules to focus on instances of higher risk. Risk-based supervision is an approach where the supervisor focuses on risk as posed and managed by regulated entities and allocates supervisory resources on the basis of their risk profiles. A risk-based approach generally leads supervisors to devote less attention to entities that pose a lower risk and rather focus their attention and resources on those posing a higher risk1. Regulated entities that follow a risk-based approach to AML/CFT compliance tailor their control measures to fit the risk profiles of their different products and clients. The main benefit of a risk-based approach in all three cases is an appropriate and efficient allocation of resources2.
Although the introduction of a risk-based approach to AML/CFT was welcomed, it was not clear how this approach should be implemented within the FATF framework. As a consequence FATF issued a number of guidance notes during 2007 and 2008. This article highlights key aspects of that guidance for financial service providers that offer low-risk products and identifies a number of matters that FATF will need to consider.
Much of FATF's guidance focuses on the identification and management of high-risk cases. This is a natural consequence of the risk-based approach. However, the correct identification and management of low-risk products, clients and transactions is of great regulatory and corporate importance. The AML/CFT framework is broad and captures many products and transactions that do not pose a significant money laundering or terror financing risk. The risk-based approach allows appropriate, often simplified, controls to be implemented in respect of such products and transactions. Simplified controls are easier and cheaper to implement and maintain. They also impose a lesser burden on clients. When correctly implemented, these controls free up resources that can be focused on higher risk cases. They also ensure that AML/CFT controls do not pose an unnecessary barrier to low-risk clients wishing to access low-risk financial products. Correctly designed and implemented controls for low-risk products and clients are therefore regarded as an important element of a facilitative financial inclusion regime ( de Koker, 2006a, b ; Bester
Primary challenges lie, of course, in the correct identification of those providers, products and clients that pose a lower money laundering and terrorist financing risk and in the formulation of responses that are proportionate to that level of risk. These challenges can only be met if we clarify our understanding of risk and especially the meaning of “low risk” in the AML/CFT context. FATF listed some indicators of low-risk providers and products in the recommendations and in their guidance on the risk-based approach. These indicators and some of the thoughts that underlie them are discussed in this article.
This article is partly based on work funded by the FinMark Trust ( de Koker, 2008 ) and presented at the 26th Cambridge International Symposium on Economic Crime in September 2008.
The “FATF” is the international AML/CFT standard-setting body. It issued its first set of standards regarding the countering of money laundering in 1990. In 2001 these recommendations, known as the 40 Recommendations, were complemented by a set of special recommendations on the combating of terrorist financing. The recommendations are not binding in law but the international community expects countries to comply with the standards3. The majority of countries in the world form part of a framework that evaluates their compliance with the FATF recommendations in terms of a stringent standard evaluation methodology.
The 40 Recommendations were extensively revised in 2003. The revised recommendation introduced a number of new principles that underpin a risk-based approach to AML/CFT4. In essence, the recommendations allow a risk-based approach at two levels. Firstly, countries are allowed to be guided by their assessment of AML/CFT risk when they design or amend specific elements of their AML/CFT regulatory framework. Secondly, countries are allowed to permit individual institutions to design elements of their AML/CFT control measures on a risk sensitive basis ( FATF, 2007a, para. 1.7 ).
It is important to note that the application of the risk-based approach is limited to specific elements of the framework and controls. A country is, for instance, not allowed to argue that its exposure to money laundering is so low that it does not need to adopt laws to criminalise money laundering or does not need to establish a financial intelligence unit. Similarly, countries cannot allow their regulated institutions to design their controls as if a group of clients designated as high-risk by FATF, for instance politically exposed persons, are not posing a high risk.
In general, FATF's risk-based approach guides countries and institutions to focus their attention and resources on persons and activities posing a higher risk of money laundering and terror financing, while allowing them, within limits, to devote less attention and resources to those posing a lesser risk of abuse. Within this framework, regulated institutions determine the relevant risks and tailor their controls on the basis of their risk appraisal. Institutions are then inspected for the reasonableness of, and justification for, the design of the controls. This approach is often contrasted with a so-called “rule-based” approach where the regulator determines the controls that the regulated must apply. In a rule-based system institutions are inspected to determine whether they implemented the prescribed controls. Risk is not unimportant in the latter context because a reasonable regulator will determine the relevant controls based on its assessment of the risks. The main difference between the two approaches is the allocation of responsibility for determining the risk as well as the appropriate risk management actions: the regulator (rule-based) or the regulated (risk-based). In practice, the approaches may be even be combined with some elements being regulated in a rule-based and others in a risk-based manner.
It is not compulsory for countries to introduce a comprehensive risk-based approach to AML/CFT. They have a choice. They may design their regulatory framework in a manner that incorporates some or all of the elements of such an approach or, alternatively, may implement a rule-based approach. Both options, are, however, subject to the condition that matters classified as posing a high-money laundering or terrorist financing risk by FATF, should be managed by regulators and the regulated as high-risk matters. It is optional, on the other hand, whether lighter or simplified regulation or controls will be applied to those classified as low-risk matters.
The risk-based approach is highly complex and FATF (2007a) , after many requests, issued some high-level general guidance on the implementation of this approach in the financial sector in June 2007. Further and more specific guidance were issued for those businesses and persons classified as “non-financial businesses and professions”5 (accountants ( FATF, 2008d ), real estate agents ( FATF, 2008g ), trust and company service providers ( FATF, 2008h ), dealers in precious metal and stones ( FATF, 2008a ), legal professionals ( FATF, 2008f ) and casinos ( FATF, 2008e )). These guidance notes should be read with other risk-related guidance issued by FATF (2008c) , for instance its 2008 guidance on money laundering and terrorist financing risk assessment strategies.
The FATF's guidance notes on the risk-based approach are rich documents that record and flesh out various aspects of the recommendations. From the perspective of financial institutions with low-risk products, the following general principles are particularly relevant.
First, the implementation of a risk-based approach to combating money laundering and terrorist financing risk requires appropriate risk management resources and expertise within the regulators and the regulated. It requires, for instance, the ability to exercise sound judgement and to respond appropriately to the identified risks. If controls are unnecessarily tight and rigid, resources may be wasted. On the other hand, if the controls are too lax, they will be ineffective to counter the risk ( FATF, 2007a, para. 1.20 ). Regulators, in particular, should also realize that a risk-based approach will lead to greater complexity in the regulated sector. Institutions will have different risk profiles and will respond differently to risk. The regulator will need sufficient resources to supervise and regulate the diverse institutional responses while ensuring a sufficient measure of consistency to avoid regulatory arbitrage.
Second, the quality of the controls...