AML/CFTR 3.1.2 Approach to risk mitigation must be based on suitable methodology

(1) The intensity of a firm's approach to the mitigation of its money laundering and terrorism financing risks must be based on a suitable methodology (a threat assessment methodology) that addresses the risks that it faces.
(2) A firm must be able to demonstrate that its threat assessment methodology:
(a) includes:
(i) identifying the purpose and intended nature of the business relationship with each customer; and
(ii) assessing the risk profile of the business relationship by scoring the relationship;

Note 1 Business relationship is defined in rule 4.2.4.

Note 2 For scoring the business relationship in relation to customer risk, product risk, interface risk and jurisdiction risk, see rule 3.2.3, rule 3.3.3, rule 3.4.3 and rule 3.5.3, respectively.
(b) is suitable for the size, complexity and nature of the firm's business;
(c) is designed to enable the firm:
(i) to identify and recognise any changes in its money laundering and terrorism financing risks; and
(ii) to change its threat assessment methodology as needed; and
(d) includes assessing risks posed by:
(i) new products and services; and
(ii) new or developing technologies.
(3) A firm must also be able to demonstrate that its practice matches its threat assessment methodology.
Derived by QFCRA RM/2019-8 (as from 1st February 2020)