AML/CFTR 3.1.1 Firms must conduct risk assessment and decide risk mitigation

(1) A firm:
(a) must conduct, at regular and appropriate intervals, an assessment (a business risk assessment) of the money laundering and terrorism financing risks that it faces, including risks identified in the National Risk Assessment and those that may arise from:
(i) the types of customers that it has (and proposes to have) (customer risk);
(ii) the products and services that it provides (and proposes to provide) (product risk);
(iii) the technologies that it uses (and proposes to use) to provide those products and services (interface risk); and
(iv) the jurisdictions with which its customers are (or may become) associated (jurisdiction risk); and

Examples of 'associated' jurisdictions for a customer
1 the jurisdiction where the customer lives or is incorporated or otherwise established
2 each jurisdiction where the customer conducts business or has assets.
(b) must decide what action is needed to mitigate those risks.
(2) The firm must be able to demonstrate:
(a) how it determined the risks that it faces;
(b) how it took into consideration the National Risk Assessment and other sources in determining those risks;
(c) when and how it conducted the business risk assessment; and
(d) how the actions it has taken after the assessment have mitigated, or have failed to mitigate, the risks it faces.
(3) If the firm fails to take into account the National Risk Assessment and other sources or fails to assess any of the risks it faces, it must give the reasons for its failure to do so, if required by the Regulator.
Derived by QFCRA RM/2019-8 (as from 1st February 2020)