The FIAU has published an Enforcement Factsheet outlining common observations across sectors subject to AML/CFT supervision. This article will address the FIAU’s observations with regard to Subject Persons’ (SP) shortcomings while conducting their Customer Risk Assessment (CRA) in 2019 and 2020. The Enforcement Section is publishing these conclusions, together with the recently issued paper titled ‘The Business Risk Assessment,’ to provide SP with more insights on compliance trends.
- Basic, non-comprehensive CRAs: A number of SPs reviewed were either found not to have CRA measures in place or else the processes which they had in place were very basic and did not allow for a sound assessment of the customer risks. At times, it was also observed that even though a CRA was in place, the CRA did not encompass all aspects of customer risks. As a result, the final risk assessment is not comprehensive and will not adequately assess the ML/FT risks arising from the established business relationship or the occasional transaction for a particular customer. This also leads to inadequate risk mitigating measures.
- Generic and inadequate risk criteria: The CRA in place did not take into account all the four main risk factors – client, geographical, product/service/transaction, and interface risks. Generic risk criteria were not adequate to arrive at an appropriate risk understanding.
- Form-based CRAs: The FIAU also observed that some adopted CRAs consisted of tick-box questionnaires and/or forms, which provided no space for value added analysis of the customer risk. On the other hand, these forms were akin more to a client on-boarding form rather than a CRA.
- Information not properly leveraged to assess risk: Some SPs, while having knowledge about their customers and intended use of the business relationship or scope of the carrying out of an occasional transaction and who could have leveraged such knowledge to assess the ML/FT risk posed by that customer, failed to do so. In such cases, the SPs did not properly apply that awareness and information to determine the risk level and appropriate level of customer due diligence and control measures.
- Over-reliability on familiarity: SPs were considering particular clients as low risk on the basis of their familiarity with such clients, allowing themselves to be overly influenced by the familiarity with these customers rather than basing their risk understanding on a sound assessment.
- Incorrect assignment of lower inherent risk: Occasionally, SPs were incorrectly assigning lower inherent risk scores to business relationships which should have been assigned a higher inherent risk score. The skewed inherent risk assignment results in an incorrect final risk categorisation towards the lower end of the spectrum, which subsequently, leads to an inadequate level of CDD.
- Delayed CRAs: The FIAU also noted issues regarding the timing of the performance of the CRA. It noted that a number of SPs delay the performance of the CRA well after the business relationship would have started and therefore, the SPs would have onboarded customers and provided them with services without understanding the customers’ risks and the required level of controls to cater for such risks.
Finally, despite noting SPs’ common shortcomings in carrying out their CRAs, the FIAU also mentioned that it has noticed an overall improvement by SPs in the carrying out of CRAs. SPs are implementing and enhancing their CRA measures and are making sure that customers are risk assessed at on-boarding and as circumstances so require during the business relationship.