The recommendations form part of the latest guidance published by the Isle of Man Financial Services Authority (IoMFSA) as part of its Anti-Money Laundering and Countering the Financing of Terrorism handbook.
Examples of risk factors to be taken into account include:
- the type of customer – with higher attention being paid to politically exposed people, presenting a higher risk for potential involvement in bribery and corruption;
- the nature, scale, complexity, and geographical location of the customer’s personal and business activities;
- the extent to which the products and services they are providing to their clients are vulnerable to money laundering or terrorist financing abuse (with the arms trade referenced as a textbook case); and
- the jurisdictions in which customers reside, are located or operate their business.
The IoMFSA expects financial services firms to “avoid a tick-box approach” when assessing these risks, and to consider each customer’s circumstances by simultaneously looking at the threats as well as the mitigating factors – with both to be thoroughly documented in the customer’s risk profile so as to be able to demonstrate the assessment’s basis.
It added that it “would have no objection to templates or forms being used during the risk assessment”, provided firms exercise due diligence in using them by focusing on how the scoring system is reviewed or overridden, and by ensuring that the score only takes into account factors that are relevant to money laundering and terrorist financing.
“A living document”
A key criterion informing the guidance is that financial operators have to take into account that the relevant customers’ due diligence and relationship information might not have been collected in its entirety when their risk evaluation first took place.
This is why the ongoing monitoring of customers’ conduct and activities is a crucial part of their risk assessment, which “should be a living document that is revisited as more information about the customer and relationship is obtained”, the regulator said.
“Due diligence information in respect of all customers should be reviewed periodically to ensure that it is accurate, and up to date”, the IoMFSA added. This includes a survey of all the transactions undertaken by the customer.
The regulator also outlined the frequency of the reviews:
- at least annually for higher risk customers;
- at least every three years for standard risk customers subject to sector-specific guidance; and
- at the point of a material change in the customer’s circumstances, for example establishing connections with a higher risk jurisdiction or engaging in a higher risk business.
High-risk jurisdictions
In the document, the IoMFSA also published a list of countries and territories that don’t apply the Financial Action Task Force (FATF) recommendations, or do so insufficiently.
As such, these are regarded as high-risk jurisdictions, with firms required to apply enhanced due diligence when engaging with customers who reside or are located in such jurisdictions. These include, among others, North Korea, Iran, Israel, Turkey, Nigeria and Ukraine.
The guidance includes potential action for product providers who identify a customer as posing an ‘unacceptable risk’ of money laundering and terrorist financing without the ability to effectively mitigate those risks. In this case, advisers may “decline from entering into a business relationship with, or carrying out, an occasional transaction for that customer”.
Where such risks give rise to suspicions that customers might have engaged in such criminal activities, financial operators are then required to report an internal disclosure to the authorities, including in particular the Financial Supervision Commission and the Money Laundering Reporting Officers (MLROs).
However, the IoMFSA also encourages companies to make decisions on customers who may pose ‘unacceptable risk’ “on a case by case basis”, to avoid implementing policies that support the wholesale de-risking of business segments.