FATF Recommendation (1) states the following:
“Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action, including designating an authority or mechanism to coordinate actions to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and countering the financing of terrorism (AML/CFT) regime and the implementation of risk-based measures throughout the FATF Recommendations. Where countries identify higher risks, they should ensure that their AML/CFT regime adequately addresses such risks. Where countries identify lower risks, they may decide to allow simplified measures for some of the FATF Recommendations under certain conditions.
Countries should require financial institutions and designated non-financial businesses and professions (DNFBPs) to identify, assess and take effective action to mitigate their money laundering and terrorist financing risks."
The ADGM Financial Services Regulatory Authority (FSRA) is a risk-based regulator. This means that the FSRA’s approach focuses on those areas that present the greatest risk to its regulatory objectives.
The risk-based approach (RBA) is an effective way to combat money laundering and terrorist financing. By adopting a risk-based approach, competent authorities, financial institutions and DNFBPs should be able to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified, and would enable them to make decisions on how to allocate their own resources in the most effective way.
In implementing a RBA, financial institutions and DNFBPs should have in place processes to identify, assess, monitor, manage and mitigate money laundering and terrorist financing risks. The general principle of a RBA is that, where there are higher risks, financial institutions and DNFBPs should consider and take enhanced measures to manage and mitigate those risks; and that, correspondingly, where the risks are lower, simplified measures may be permitted. Simplified measures should not be permitted whenever there is a suspicion of money laundering or terrorist financing.
Section (5.1.1) of ADGM AML Rules states the following:
“5.1.1 A Relevant Person must:
(a) Assess and address its AML risks under the AML Rulebook by adopting an approach which is proportionate to the risks to which the Person is exposed as a result of the nature of its business, Customers, products, services and any other matters which are relevant in the context of money laundering; and
(b) Ensure that, when undertaking any risk-based assessment for the purposes of complying with a requirement of the AML Rulebook, such assessment is:
(i) objective and proportionate to the risks;
(ii) based on reasonable grounds;
(iii) properly documented; and
(iv) reviewed and updated at appropriate intervals.”
Examples of Risk-Based Approach
FATF Recommendation 1 can be considered the groundwork towards the implementation of the risk-based approach:
The Wolfsberg risk-based approach guidance has provided an insight on the approach by identifying these components that can assist in measuring the risk. Industry risk related to Business activities in which the customer is involved. “Money laundering risks may be measured using various categories, which may be modified by risk variables. The most commonly used risk criteria are: country risk customer risk and services risk.” Based on Wolfsberg’ s guidance on a risk-based approach, risk factor identification or indicators that can allow the assessment and measurement of the level of risk can be summarized in the following diagram:
The risk based approach or assessment process should be comprehensive, transparent and well documented. When completing the risk based approach effectively, the end result should create reliable conclusions necessary to establish appropriate policies, procedures, processes and systems required to develop the organization’s Compliance Program.