Mitigating money laundering and terrorist financing risk without harming innocent institutions

The EBA/2021/02 guidelines on customer due diligence have changed. With this in mind, what are the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions under Articles 17 and 18(4) of Directive (EU) 2015/849?

According to the European Commission and the European Banking Authority (EBA), de-risking is having a negative impact on a diverse range  of customers and potential customers of institutions. Notably, not-for-profit organisations (NPOs) have been particularly affected.

For some financial institutions (FIs), de-risking entire categories of customers without due consideration of individual customers’ risk profiles is a sign of ineffective money laundering and terrorist financing risk management. This is due to the lack of an analytical approach focusing on a proper risk assessment of their customers, underpinned by an underlying weak or obsolete IT platform.

In addition, the recent outbreak of wars in Ukraine and in other parts of the world has had a major impact on the de-risking process in the context of humanitarian relief. Unfortunately, in many situations, the de-risking process has not been well-designed in order to reflect a risk-based approach, which is what the European regulation is increasingly requiring on all types of customer segments.

To prevent the unintentional negative impact, a more granular and well-configured analytical approach is needed in the interest of all parties involved. This will result in less unjustified or unsubstantiated de-risking, which is highly prejudicial to NPOs struggling to alleviate human suffering.

Once a software platform, well-designed and tested has been implemented, there should be no restrictions in processing the required information highlighted by the EBA under the demand of the European Commission. This information will feed a number of weighted risk factors, all combined together to generate a reliable overall customer risk score and establish a customer profile. This profile will then be submitted to further observation during the customer lifecycle.

Some of the risk factors, as outlined by EBA, and which should not be missed out are:

• Who controls the customer and who its beneficial owners are?
• How is the NPO funded (private donations, government funds, etc.)?
• What are the objectives of the customer’s operations?
• Which categories of beneficiaries benefit from the customer’s activities (this can be risk scored)?
• What nature of transactions is the NPO likely to request (the expected frequency, size, and geographical destination of those transactions should be submitted to the scrutiny of the FI)?
• Where does the NPO conduct its programmes and/or operations, in particular whether the NPO conducts its activities only at domestic level, or in other jurisdictions associated with higher ML/TF risks and in high-risk third countries. In this context, and again, this can be risk quantified?

Governance and exertion of control

• Does the NPO have a legal status under national law or the national law of another Member State?

Reputation/adverse media findings

• Has the NPO been established only recently?
• Has the NPO been linked by relevant, reliable and independent sources to extremism, extremist propaganda or terrorist sympathies and activities?
• Has the NPO been involved in misconduct or criminal activities?

Funding methods

• Do the NPO’s funding methods carry ML/TF risks and rely entirely or largely on cash donations, crypto assets or crowdfunding, or are the NPO’s sources of funds channelled through the payments system?
• Is the NPO funded partly or largely by private donors or donors from jurisdictions associated with higher ML/TF risks or high-risk third countries?
• Does the NPO operate or deliver assistance in jurisdictions associated with higher ML/TF risks?
• Is the business relationship with the NPO likely to involve the execution of transactions with respondent institution located in high risk jurisdictions?
• Does the NPO receive fundings from governments, supranational or international organisations that are not associated with high-risk third countries or with jurisdictions with higher ML/TF risks?

These crucial factors should be under the watchful eye of the FI to identify any deviation from the original statement.

In conclusion, all the above factors lead to the conclusion that there is no valuable input that cannot feed a reliable enough risk matrix. This allows for the stress testing of a sound risk-based approach, making it achievable under one condition, and that is if and when the underlying technological framework and analytical architecture of a tested platform allow the implementation of such a risk-based approach.