• AML/CFTR Part 3.1 The risk-based approach generally

    Note for Part 3.1

    Principle 2 (see rule 1.2.2) requires a firm to adopt a risk-based approach to these rules and their requirements.

    Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.1.1 Firms must conduct risk assessment and decide risk mitigation

      (1) A firm:
      (a) must conduct, at regular and appropriate intervals, an assessment (a business risk assessment) of the money laundering and terrorism financing risks that it faces, including risks identified in the National Risk Assessment and those that may arise from:
      (i) the types of customers that it has (and proposes to have) (customer risk);
      (ii) the products and services that it provides (and proposes to provide) (product risk);
      (iii) the technologies that it uses (and proposes to use) to provide those products and services (interface risk); and
      (iv) the jurisdictions with which its customers are (or may become) associated (jurisdiction risk); and

      Examples of 'associated' jurisdictions for a customer
      1 the jurisdiction where the customer lives or is incorporated or otherwise established
      2 each jurisdiction where the customer conducts business or has assets.
      (b) must decide what action is needed to mitigate those risks.
      (2) The firm must be able to demonstrate:
      (a) how it determined the risks that it faces;
      (b) how it took into consideration the National Risk Assessment and other sources in determining those risks;
      (c) when and how it conducted the business risk assessment; and
      (d) how the actions it has taken after the assessment have mitigated, or have failed to mitigate, the risks it faces.
      (3) If the firm fails to take into account the National Risk Assessment and other sources or fails to assess any of the risks it faces, it must give the reasons for its failure to do so, if required by the Regulator.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.1.2 Approach to risk mitigation must be based on suitable methodology

      (1) The intensity of a firm's approach to the mitigation of its money laundering and terrorism financing risks must be based on a suitable methodology (a threat assessment methodology) that addresses the risks that it faces.
      (2) A firm must be able to demonstrate that its threat assessment methodology:
      (a) includes:
      (i) identifying the purpose and intended nature of the business relationship with each customer; and
      (ii) assessing the risk profile of the business relationship by scoring the relationship;

      Note 1 Business relationship is defined in rule 4.2.4.

      Note 2 For scoring the business relationship in relation to customer risk, product risk, interface risk and jurisdiction risk, see rule 3.2.3, rule 3.3.3, rule 3.4.3 and rule 3.5.3, respectively.
      (b) is suitable for the size, complexity and nature of the firm's business;
      (c) is designed to enable the firm:
      (i) to identify and recognise any changes in its money laundering and terrorism financing risks; and
      (ii) to change its threat assessment methodology as needed; and
      (d) includes assessing risks posed by:
      (i) new products and services; and
      (ii) new or developing technologies.
      (3) A firm must also be able to demonstrate that its practice matches its threat assessment methodology.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)

    • AML/CFTR 3.1.3 Risk profiling a business relationship

      (1) In developing the risk profile of a business relationship with a customer, a firm must consider at least the following 4 risk elements in relation to the relationship:
      (a) customer risk;
      (b) product risk;
      (c) interface risk;
      (d) jurisdiction risk.
      (2) The firm must identify any other risk elements that are relevant to the business relationship, especially because of the size, complexity and nature of its business and any business of its customer.
      (3) The firm must also consider the risk elements (if any) identified under subrule (2) in relation to the business relationship.
      (4) Together the 4 risk elements mentioned in subrule (1), and any other risk elements identified under subrule (2), combine to produce the risk profile of the business relationship.
      (5) This risk profile must be taken into account in deciding the intensity of the CDD and ongoing monitoring to be conducted for the customer.

      Note Each of the 4 risk elements mentioned in subrule (1) is dealt with in the following Parts of this Chapter.
      Derived by QFCRA RM/2019-8 (as from 1st February 2020)