FIAU Enforcement Factsheet II: Common Oversights in Jurisdiction Risk Assessments

By June 8, 2021

As emphasised by the FIAU in its Enforcement Factsheet, “[A]n indispensable part of the BRA is an understanding of the geographical risk exposure.” An effective JRA would consider not only the reputation of the different jurisdictions the SP is exposed to but also the actual ML/FT risks those jurisdictions are exposed to and how these may eventually contribute to the SP’s risk exposure. This article addresses the FIAU’s observations on the shortcomings of Subject Persons (SPs) when carrying out their Jurisdiction Risk Assessments (JRAs).


  1. Random referencing: Some SPs did not have a defined, standardised process or methodology in place to assess the reputability and risks of the jurisdictions they are exposed to. Instead, they would randomly refer to websites and articles to determine geographical risk. As a result, SPs would assess jurisdiction risk subjectively, with the outcome depending on the information found on these websites as well as on the individual carrying out the search, and with no common guidance as to which aspects are relevant for the assessment or to what extent certain aspects should influence the overall jurisdiction risk. Consequently, there would not be any guidance as to which control measures would be best placed to mitigate the identified risks.


  2. Assessment limited to jurisdiction’s reputability: In some instances, SPs did not make any distinction between the reputability of a jurisdiction, which is more limited in scope, and the broader ML/FT risks associated with the jurisdiction in question. An assessment of reputability would generally include an assessment of how robust the AML/CFT framework of a jurisdiction is, by referring to evaluation reports published by international bodies supervising jurisdictions’ adherence to international AML/CFT standards. Such bodies include FATF and MONEYVAL. A thorough jurisdiction assessment should extend beyond reputability and should involve a broader understanding of the risks to which the jurisdiction is exposed. Examples include elevated rates of proceeds-generating crimes, whether the jurisdiction is known to have particular terrorist organisations or organised crime groups operating within it, and whether the jurisdiction is known to provide for the setting up of non-transparent legal entities and arrangements that could be misused for tax evasion or to conceal the proceeds of other crimes.


  3. Unfounded automatic low risk presumption: This oversight is reportedly very common in JRAs for customers who reside, or whose business is located, in any of the EU Member States, because some SPs automatically presume that EU Member States are low risk jurisdictions in view of the adoption of the EU’s robust AML/CFT frameworks. However, it is also clear that some of the Member States have rising levels of criminal activity or the presence of large organised crime groups, which also impact the ML/FT risk the SP would be exposed to.


  4. JRA seen as very onerous obligation: The FIAU reported that SPs at times view the JRA as “a very onerous obligation”, also in view of the international outreach of their customers, who may have connections with multiple different jurisdictions. SPs often consider this as triggering a requirement to carry out a JRA on all such jurisdictions. However, SPs should determine on which jurisdictions they need to carry out a JRA, as well as how detailed it should be, by also considering the nature of the service and/or product the SP is providing. Of course, under this approach, SPs would still need to monitor customer activity to assess whether geographical exposure changes over time and whether such changes would warrant fresh revisions to the JRAs currently in place.


  5. Failure to identify source of risk: Finally, the FIAU reported that several SPs failed to decipher and understand the source of the risk and what measures and controls would be best to mitigate those risks. This resulted in a ‘one size fits all’ approach to managing risks from all jurisdictions, despite the distinct source of risk for certain jurisdictions. As all jurisdictions are unique, the SP’s mitigating measures should also be unique to each identified risk. The FIAU provides the following examples: a) when scrutinising transactions for customers who have links with countries that pose a higher terrorism financing risk, care should be given even to the lowest value of transactions; and b) when scrutinising transactions for customers who have links with countries which lack transparency, care should be given to voluminous and/or complex transactions and transfers from companies owned by the same beneficial owner.


