<strong>Risk</strong>-<strong>Based</strong> <strong>Approach</strong> – <strong>Guidance</strong> <strong>for</strong> <strong>Money</strong> <strong>Service</strong> <strong>Businesses</strong> - July 2009Identify the beneficial owner, and take reasonable measures to verify the identity of anybeneficial owner. The measures that have to be taken to verify the identity of the beneficialowner will vary depending on the risk.For higher risk transactions or customer, obtain appropriate additional in<strong>for</strong>mation to understandthe customer‟s circumstances and business, including the expected nature and level oftransactions. If appropriate, obtain appropriate additional subsequent in<strong>for</strong>mation to understandthe customer‟s circumstances, including the relationship to the sender or receiver, and the sourceof funds.Periodically update relevant CDD in<strong>for</strong>mation together with the customer risk assessment.If appropriate and practical during a back-end review of the customer‟s activity, obtainappropriate additional subsequent in<strong>for</strong>mation to understand the customer‟s circumstances,including the nature of the transaction, the relationship to the sender or receiver, and the source offunds.118. The starting point is <strong>for</strong> a MSB to assess the risks that certain categories or types of customersmay pose taking into consideration any appropriate risk variables be<strong>for</strong>e making a final determination. Tothis end, MSBs can also take into consideration useful examples <strong>for</strong> higher or lower risks that may beissued by domestic regulators. MSBs will determine the due diligence requirements appropriate to eachcustomer. This may include:A standard level of due diligence applied to all customers, specifically, applicable customeridentification at appropriate monetary thresholds as required by law, regulation and other nationalrequirements or internal policy and applicable regulations.The standard level being reduced in recognized lower risk scenarios, such as conductingtransactions <strong>for</strong>: Publicly listed companies subject to regulatory disclosure requirements. Other financial institutions (domestic or <strong>for</strong>eign) subject to an AML/CFT regime consistentwith the FATF Recommendations.An increased level of due diligence should be applied to those customers determined to be higherrisk, such as: Non face-to-face customers. Customers conducting large cash transactions, either carried out in a single operation or inseveral operations that appear to be linked. Customers conducting higher principal or higher frequency activity. Customers sending to or receiving from higher-risk jurisdictions. Customers located in a higher-risk jurisdiction. Customers who are PEPs.36 - © 2009 FATF/OECD
<strong>Risk</strong>-<strong>Based</strong> <strong>Approach</strong> – <strong>Guidance</strong> <strong>for</strong> <strong>Money</strong> <strong>Service</strong> <strong>Businesses</strong> - July 2009 Customer circumstances are as described in paragraph 111 above.Monitoring of Customers and Transactions119. The degree and nature of monitoring by a MSB will depend on the size of the MSB, theAML/CFT risks that the business has, the monitoring method being utilised (manual, automated or somecombination), and the type of activity under scrutiny. In applying a risk-based approach to monitoring,MSBs and their regulatory supervisors must recognize that not all transactions, accounts or customers willbe monitored in the same way. The degree of monitoring will be based on the perceived risks associatedwith the customer, the products or services being used by the customer, the location of the customer andthe nature of the transactions. Monitoring methodologies and processes also need to take into account theresources of the MSB. For example smaller MSBs need not implement technologically sophisticatedtransactions monitoring systems, so long as the methods utilised to conduct monitoring adequately reflectthe risk of the MSBs‟s business.120. The principal aim of monitoring in a risk-based system is to respond to enterprise-wide issuesbased on each MSB‟s analysis of its major risks. Regulatory authorities should, there<strong>for</strong>e, be mindful ofand give due weight to the determinations made by MSBs, provided that these determinations areconsistent with any legislative or regulatory requirements, and are reasonable and adequately documented.121. Monitoring under a risk-based approach allows a MSB to create monetary or other thresholds todetermine which activities will be reviewed. Defined situations or thresholds used <strong>for</strong> this purpose shouldbe reviewed on a regular basis to determine their adequacy <strong>for</strong> the risk levels established. MSBs shouldalso assess the adequacy and integrity of any systems and processes on a periodic basis. The results of themonitoring should be documented, either systematically or manually (or a combination) in order to create acomprehensive audit trail, and maintained according to applicable recordkeeping requirements.122. National law should provide that <strong>for</strong> all wire transfers of EUR/USD 1 000 or more, thebeneficiary institution should adopt an effective risk-based approach procedure <strong>for</strong> identifying andhandling wire transfers that are not accompanied by full originator in<strong>for</strong>mation. The lack of full originatorin<strong>for</strong>mation may be considered as a factor in assessing whether a wire transfer or related transactions aresuspicious and, as appropriate, whether they are thus required to be reported to the financial intelligenceunit or another competent authority.Suspicious Transaction Reporting123. The reporting of suspicious transactions or activity is critical to a country‟s ability to utilizefinancial in<strong>for</strong>mation to combat ML/TF and other financial crimes. Countries‟ reporting regimes are laiddown in national law, requiring institutions to file reports when the level of suspicion is reached.124. When a suspicious transaction report must be made, a risk-based approach is not applicable.However, challenges arise <strong>for</strong> those MSBs located in multiple jurisdictions. In order to avoid regulatorysanctions, careful attention should be given to proper <strong>for</strong>mat, timely filing, and applicable record keepingrequirements, since jurisdictional requirements may vary.125. A risk-based approach is, however, appropriate <strong>for</strong> the purpose of identifying suspicious activity,<strong>for</strong> example, by directing additional resources to those areas a MSB has identified as higher risk, such ascertain products or services or agents or certain patterns of transaction activity. As part of a risk-basedapproach, it is also likely that a MSB will utilize in<strong>for</strong>mation provided by competent authorities to in<strong>for</strong>mits approach <strong>for</strong> identifying suspicious activity. A MSB should also periodically assess the adequacy andintegrity of its system <strong>for</strong> identifying and reporting suspicious transactions. The decisions <strong>for</strong> reporting or© 2009 FATF/OECD - 37