-Financial Services Division (firstname.lastname@example.org)
The Reserve Bank of India (RBI) introduced an amendment to Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) requiring Regulated Entities (REs) to carry out money laundering (ML) and terrorist financing (TF) risk assessment exercises periodically. This requirement shall be applicable with immediate effect and the first assessment has to be carried out by June 30, 2020.
Carrying out ML and TF risk assessment is a very subjective matter and there is no thumb rule to be followed for the same. There is no uniformity on procedures of risk assessment, however, they may be guided by a set of broad principles. The following write-up intends to explore guidance principles enumerated by international bodies and suggest principles to be followed by financial institutions in India, specifically NBFCs, for carrying out risk assessment exercise.
Origin of the concept
The concept of ML and TF risk assessment arises from the recommendations of Financial Action Task Force (FATF). FATF has also provided detailed guidance on TF Risk Assessment. Due to the inter-linkage between ML and TF, the guidelines also serve the purpose of guiding ML risk assessment. TF risk is defined as-
“A TF risk can be seen as a function of three factors: threat, vulnerability and consequence. It involves the risk that funds or other assets intended for a terrorist or terrorist organisation are being raised, moved, stored or used in or through a jurisdiction, in the form of legitimate or illegitimate funds or other assets.”
Global practices for ML/TF risk assessment
Based on FATF recommendations, many jurisdictions have prepared and published risk assessment procedures. India is yet to come up with the same.
For example, the National risk assessment of money laundering and terrorist financing is the guidance published by the UK government. It provides sector specific guidance for risk assessment. The sector specific guidance is further granulated keeping in view the specific threats to certain parts of the sector.
The guidance provided by the Republic of Serbia is a generalised one providing broad guidance to all sectors for risk assessment.
In Germany, financial institutions are classified on the basis of potential risk of ML/TF identified by them (considering the factors such as location, scope of business, product structure, customers’ profile and distribution structure) and the intensity of supervision by regulator is based on such risk categorisation.
Risk assessment process by NBFC
The risk assessment of a financial sector entity such as an NBFC, need not be complex, but should be commensurate with the nature and size of its business. For smaller or less complex NBFCs where the customers fall into similar categories and/or where the range of products and services are very limited, a simple risk assessment might suffice. Conversely, where the loan products and services are more complex, where there are multiple subsidiaries or branches offering a wide variety of products, and/or their customer base is more diverse, a more sophisticated risk assessment process will be required.
Based on the guiding principles provided by the FATF and specific guidance issued by FATF for banking and financial sector, the process of risk assessment by NBFCs may be divided into following stages:
Stage 1: Collection of information
The risk assessment shall begin with collecting of information on a wide range of variables including information on the general criminal environment, TF and terrorism threats, TF vulnerabilities of specific sectors and products, and the jurisdiction’s general AML capacity
The information may be collected externally or internally. In India, Directorate of Enforcement is the body which deals with ML and TF matters and has collection of information and list of terrorists. Further, the information may also be obtained from Central Bureau of Investigation.
Stage 2: Threat identification
Based on the information collected, jurisdiction and sector specific threats should be identified. Threat identification should be based on the risks identified on the national level, however, shall not be limited to the same. It should also be commensurate to the size and nature of business of the entity.
For individual NBFCs, it should take into account the level of inherent risk including the nature and complexity of their loan products and services, their size, business model, corporate governance arrangements, financial and accounting information, delivery channels, customer profiles, geographic location and countries of operation. The NBFC should also look at the controls in place, including the quality of the risk management policy, the functioning of the internal oversight functions etc.
Stage 3: Assessment of ML/TF vulnerabilities
This stage involves determination of the how the identified threats will impact the entity. The information obtained should be analysed in order to assess the probability of risks occurring. Based on the assessment, ML/TF risks should be classified as low, medium and high impact risks.
While assessing the risks, following factors should be considered:
- The nature, scale, diversity and complexity of their business;
- Target markets;
- The number of customers already identified as high risk;
- The jurisdictions the entity is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT controls and listed by RBI or FATF;
- The distribution channels, including the extent to which the entity deals directly with the customer or relies third parties to conduct CDD;
- The internal audit and regulatory findings;
- The volume and size of its transaction.
The NBFCs should complement this information with information obtained from relevant internal and external sources, such as operational/business heads and lists issued by inter-governmental international organisations, national governments and regulators.
The risk assessment should be approved by senior management and form the basis for the development of policies and procedures to mitigate ML/TF risk, reflecting the risk appetite of the NBFC and stating the risk level deemed acceptable. It should be reviewed and updated on a regular basis. Policies, procedures, measures and controls to mitigate the ML/TF risks should be consistent with the risk assessment.
Stage 4: Analysis of ML/TF threats and vulnerabilities
Once potential TF threats and vulnerabilities are identified, the next step is to consider how these interact to form risks. This could include a consideration of how identified domestic or foreign TF threats may take advantage of identified vulnerabilities. The analysis should also include assessment of likely consequences.
Stage 5: Risk Mitigation
Post the analysis of threats and vulnerabilities, the NBFC must develop and implement policies and procedures to mitigate the ML/TF risks they have identified through their individual risk assessment. Customer due diligence (CDD) processes should be designed to understand who their customers are by requiring them to gather information on what they do and why they require financial services. The initial stages of the CDD process should be designed to help NBFCs to assess the ML/TF risk associated with a proposed business relationship, determine the level of CDD to be applied and deter persons from establishing a business relationship to conduct illicit activity.
Focus on CDD procedure
While entering into a relationship with the customer, carrying out Customer Due Diligence (CDD) is the initial step. It is during the CDD process that the identity of a customer is verified and risk based assessment of the customer is done. While assessing credit risks, financial entities should also assess ML/TF risks. The CDD procedures and policies should suitably include checkpoints with respect to ML and TF.
The risk classification of the customer, as discussed above, should also be done based on the CDD carried out. The CDD procedure, apart from verifying the identity of the customer, should also go a few steps further to understand the nature of business or activity of the customer. Measures should be taken to prevent the misuse of legal persons for money laundering or terrorist financing.
In case of medium or high risk customers, or unusual transactions, the entities should also carry out transaction due diligence to identify source and application of funds, beneficiary of the transaction, purpose etc.
NBFCs should document and state clearly the criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers. Criteria applied to decide the frequency and intensity of the monitoring of different customer segments should also be transparent. Further, the NBFC must maintain records on transactions and information obtained through the CDD measures. The CDD information and the transaction records should be made available to competent authorities upon appropriate authority.
Some examples of enhanced and simplified due diligence measures are as follows:
Enhanced Due Diligence (EDD)
- obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
- carrying out additional searches (e.g., verifiable adverse media searches) to inform the individual customer risk assessment
- commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
- verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
- seeking additional information from the customer about the purpose and intended nature of the business relationship
Simplified Due Diligence (SDD)
- obtaining less information (e.g., not requiring information on the address or the occupation of the potential client), and/or seeking less robust verification, of the customer’s identity and the purpose and intended nature of the business relationship
- postponing the verification of the customer’s identity
Ongoing CDD and Monitoring
Ongoing monitoring means the scrutiny of transactions to determine whether the transactions are consistent with the NBFC’s knowledge of the customer and the nature and purpose of the loan product and the business relationship.
Monitoring also involves identifying changes to the customer profile (for example, their behaviour, use of products and the amount of money involved), and keeping it up to date, which may require the application of new, or additional, CDD measures. Monitoring transactions is an essential component in identifying transactions that are potentially suspicious. Monitoring should be carried out on a continuous basis or triggered by specific transactions. It could also be used to compare a customer’s activity with that of a peer group. Further, the extent and depth of monitoring must be adjusted in line with the NBFC’s risk assessment and individual customer risk profiles
The NBFCs should have the ability to flag unusual movement of funds or transactions for further analysis. Further, it should have appropriate case management systems so that such funds or transactions are scrutinised in a timely manner and a determination made as to whether the funds or transaction are suspicious. Funds or transactions that are suspicious should be reported promptly to the FIU and in the manner specified by the authorities. There must be adequate processes to escalate suspicions and, ultimately, report to the FI.
Adequate internal controls are a prerequisite for the effective implementation of policies and processes to mitigate ML/TF risk. Internal controls include appropriate governance arrangements where responsibility for AML/CFT is clearly allocated and there are controls to test the overall effectiveness of the NBFC’s policies and processes to identify, assess and monitor risk. It is important that responsibility for the consistency and effectiveness of AML/CFT controls be clearly allocated to an individual of sufficient seniority within the NBFC to signal the importance of ML/TF risk management and compliance, and that ML/TF issues are brought to senior management’s attention.
Recruitment and Training
NBFCs should check that personnel they employ have integrity and are adequately skilled and possess the knowledge and expertise necessary to carry out their function, in particular where staff are responsible for implementing AML/CFT controls. The senior management who is responsible for implementation of a risk-based approach should understand the degree of discretion an NBFC has in assessing and mitigating its ML/TF risks. In particular, it must be ensured that the employees and staff have been trained to assess the quality of a NBFC’s ML/TF risk assessments and to consider the adequacy, proportionality and effectiveness of the NBFC’s AML policies, procedures and internal controls in light of this risk assessment. Adequate training would allow them to form sound judgments about the adequacy and proportionality of the AML controls.
Stage 6: Follow-up and maintaining up-to-date risk assessment
Once assessed, the impact of the risk shall be recorded and measures to mitigate the same should be provided for. The information that forms basis of the risk assessment process should be timely updated and the entire risk assessment procedure should be carried out in case of major change in the information.
The compliance officer of the NBFC should have the necessary independence, authority, seniority, resources and expertise to carry out these functions effectively, including the ability to access all relevant internal information. Additionally, there should be an independent audit function carried out to test the AML/CFT programme with a view to establishing the effectiveness of the overall AML/CFT policies and processes and the quality of NBFC’s risk management across its operations, departments, branches and subsidiaries, both domestically and, where relevant, abroad.
Our other write-ups on NBFCs may be viewed here: http://vinodkothari.com/nbfcs/
Write-rps relating to KYC and Anti-money laundering may also be referred: