Guidance on the risk-based approach to combatting money laundering and terrorist financing – June 2017
Guidance on the risk-based approach to combatting money laundering and terrorist financing
This guidance and the sector specific risk-based assessment workbooks have not been updated to reflect recent legislative amendments and will be removed from FINTRAC’s website on June 1, 2021.
June 2017
Table of Contents
Introduction
The Concept of Risk
General Overview and Purpose of this Guidance
Risk-Based Approach Cycle
Annex A – References
Annex B – Example of Risk Segregation for Business Based Risk Assessment
Annex C – Likelihood and Impact Matrix Tool
Introduction
The object of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its Regulations is to detect and deter money laundering and terrorism financing. In 2008, the Government of Canada introduced amendments to the PCMLTFA and its Regulations to enhance the Canadian anti-money laundering and anti-terrorism financing (AML/ATF) regime. As part of these amendments, the Risk-Based Approach (RBA), which requires reporting entities to conduct assessments of their exposure to money laundering and terrorism financing risk using a number of prescribed criteria, was introduced. These criteria are further discussed in this document. FINTRAC has also provided guidance on this matter in Guideline 4: Implementation of a Compliance Regime.
On the international front, the Financial Action Task Force (FATF), an inter-governmental body, has developed a series of Recommendations that are recognised as the international standard for combating money laundering, terrorism financing and other related threats to the integrity of the international financial system. More specifically, the FATF developed Recommendation 1 on the RBA, an effective way to combat money laundering and terrorist financing.
By regularly assessing their money laundering and terrorism financing risks, reporting entities can protect and maintain the integrity of their businesses while contributing to the integrity of the Canadian financial system as a whole. While each reporting entity is responsible for its own risk assessment, FINTRAC has developed this guidance document to help reporting entities meet the RBA obligations.
This guidance document is structured to help reporting entities better understand what the RBA is and take inventory of their risks relating to products, services and delivery channels, clients and business relationships, geography and other relevant factors. It will also help in implementing effective mitigation measures and in monitoring the money laundering and terrorist financing risks reporting entities may have or encounter as part of their activities and business relationships.
This guidance document is intended for all activity sectors covered under the PCMLTFA. However, some examples and/or indicators may apply only to certain activity sectors.
Note: Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations require that you consider the risk of new technologies and developments as well as the risk resulting from the activities of affiliates will be coming into force in June 2017. These new elements will be further developed in this guidance document in the coming months.
The Concept of Risk
What is risk?
Risk can be defined as the likelihood of an event and its consequences. In simple terms, risk can be seen as a combination of the chance that something may happen and the degree of damage or loss that may result from such an occurrence. In the context of money laundering/terrorist financing (ML/TF), risk means:
At the national level: threats and vulnerabilities presented by ML/TF that put at risk the integrity of Canada’s financial system and the safety and security of Canadians.
At the reporting entity level: threats and vulnerabilities that put the reporting entity at risk of being used to facilitate ML/TF.
Threats: this could be a person (or group), object that could cause harm. In the ML/TF context, a threat could be criminals, facilitators, their funds or even terrorist groups.
Vulnerabilities: elements of a business that could be exploited by the identified threat. In the ML/TF context, vulnerabilities could be weak controls within a reporting entity, offering high risk products or services, etc.
Impact: this refers to the seriousness of the damage that would occur if the ML/TF risk materializes (i.e. threats and vulnerabilities)
What is risk management?
Risk management is a process that is widely used in the public and private sector to assist in decision-making. When dealing with ML/TF, it is the process that includes the recognition of ML/TF risks, the assessment of these risks, and the development of methods to manage and mitigate the risks that have been identified.
What are inherent and residual risks?
When assessing risk, it is important to distinguish between inherent risk and residual risk. Inherent risk is the intrinsic risk of an event or circumstance that exists before the application of controls or mitigation measures. On the other hand, residual risk is the level of risk that remains after the implementation of mitigation measures and controls. These concepts are further defined and explained in this guidance document. However, it is important to clarify that the risk assessment exercise described in this document focuses on the inherent risks to your business, activities and clients.
What is a risk-based approach?
In the context of ML/TF, a risk-based approach is a process that encompasses the following:
The risk assessment of your business activities and clients using certain prescribed elements;
Products, services and delivery channels;
Geography;
Clients and business relationshipsFootnote 1; and
Other relevant factors.
The mitigation of risk through the implementation of controls and measures tailored to the identified risks;
Keeping client identification and, if required, beneficial ownership and business relationship information up to date in accordance with the assessed level of risk; and
The ongoing monitoring of transactions and business relationships in accordance with the assessed level of risk.
It is paramount to remember that assessing and mitigating the risk of ML and TF is not a static exercise. The risks that have been identified may change or evolve over time as new products or new threats enter your business context. Consequently, your risk-based approach should be re-evaluated and updated when the risk factors change.
General Overview and Purpose of this Guidance
By law, your compliance regime has to include:
the appointment of a compliance officer;
the development and application of compliance policies and procedures. These policies and procedures have to be written and kept up to date;
an assessment and the documentation of risks related to ML/TF, as well as the documentation and implementation of mitigation measures to deal with those risks;
an ongoing compliance training program (if you have employees or agents or other individuals authorized to act on your behalf). The training program has to be written and maintained; and
a review of your compliance policies and procedures to test their effectiveness. The review has to cover your policies and procedures, your assessment of risks related to money laundering and terrorist financing and your training program.
This guidance document will mainly focus on item 3: the assessment and documentation of risks related to ML/TF.
The nature of some of your business activities, and the business relationships you have with certain individuals exposes your business to ML and TF risks. In order to mitigate these risks, and to comply with the PCMLTFA and associated Regulations, your reporting entity must conduct a risk assessment. This will allow you to establish procedures and controls that will help detect and mitigate possible ML/TF activities.
It should be noted that conducting high-risk activities or having high-risk business relationships is not against the law. Defining clients as high-risk does not cast your business in a bad light; it is an assessment that allows you to ensure that controls are put in place to mitigate the risks and to apply prescribed special measures.
This guidance document should help you:
Consider business-wide elements or factors that may impact your ML/TF risk and apply controls and measures to mitigate the risks, addressing:
Your products, services and delivery channels;
Your business’ geography; and
Other factors relevant to your specific activities (e.g. legal, environmental, etc.)
Evaluate the risks associated with your clients and business relationships by looking at:
The products, services and delivery channels they utilize;
The geography related to your clients (their location, links to high-risk countries, where they conduct their business and transactions, etc.); and
Their activities, transaction patterns, characteristics, etc.
This specific assessment will allow you to identify high-risk business relationships and apply the prescribed special measures.
Identify and validate controls to mitigate your high-risk activities and business relationships, including prescribed special measures; and
Review and assess the status of your compliance regime with the PCMLTFA as well as the adequacy of your current controls to mitigate the identified high risks.
Risk-Based Approach Cycle
The following cycle represents the six steps of your risk-based approach:
identification of your inherent risks (business-based risk assessment along with the relationship-based risk assessment);
setting your risk tolerance;
creating risk-reduction measures and key controls;
evaluating your residual risks;
implementing your risk-based approach; and
reviewing your risk-based approach.
Overall FINTRAC expectations in regards to the RBA:
The expectations below are generic in nature.
