Proliferation Financing Institutional Risk Assessment by FIs, DNFBPs, and VASPs
Have you conducted an Enterprise-Wide Risk Assessment to identify the money laundering (ML) and terrorism financing (TF) risks to your business? Did you factor in the risk you may face on account of proliferation financing (PF)? Is your customer risk assessment methodology comprehensive enough to assess the PF risk your customer poses to the business? Identifying and assessing your business’s vulnerabilities to the threats of proliferation financing is essential. The Executive Office for Control and Non-Proliferation (EOCN) has issued a Proliferation Financing Institutional Risk Assessment Guidance for FIs, DNFBPs, and VASPs.
In its recommendations, the FATF included a thorough assessment of the PF risk and the development of adequate counter-proliferation financing (CPF) measures for managing this risk. As an active member of FATF, the UAE commits to developing detection, prevention, and mitigation measures against PF.
Before we discuss the key highlights of the guidelines and the authority’s recommendations to the private sector, let us understand the importance of proliferation financing risk assessment in safeguarding the business.
Why is proliferation financing risk assessment important?
Proliferation financing means supporting or facilitating the proliferation of weapons of mass destruction (WMD) and their delivery systems. It means providing funds for or facilitating the following activities related to nuclear, biological, and chemical weapons:
- Manufacturing
- Using
- Developing
- Possessing
- Transporting
- Brokering
- Trading
- Transferring
- Transshipping
- Stockpiling
It also includes financing or facilitating the delivery of these weapons or their related materials, i.e., dual-use goods or technologies used for illegal purposes.
Unless you identify the potential vulnerabilities, your business may be unknowingly exploited for the above-mentioned proliferation financing activities. Thus, to counter proliferation financing risk, you must assess the potential PF threats at the business level and also at the business relationship level. You must learn how your business is vulnerable to PF risks. You must know the characteristics of PF risks, which you can spot and raise an alert.
You will face enormous penalties if you do not apply CPF measures or willingly or unwillingly engage in proliferation financing activities. It may result in various national and international sanctions, leading to irreversible reputational damage and loss of customer trust and revenue.
So, it becomes essential for you to identify and prevent the proliferation financing risks. This is possible with timely and accurate PF risk assessment and developing an integrated risk management framework, combing anti-money laundering, combating terrorism financing, and countering proliferation financing. The PF risk assessment at the entity level is popularly known as Proliferation financing Institutional Risk Assessment, Proliferation financing Business Risk Assessment, or Proliferation financing Enterprise-Wide Risk Assessment.
Want to contribute to a safe and trustworthy global business environment?
Conduct Proliferation financing Institutional Risk Assessment with the help of our experts!
EOCN’s guidance on proliferation financing institutional risk assessment
EOCN released a guidance note on PF risk assessment for Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs). The guidelines discuss various risk categories and factors associated with proliferation financing, the methodology the regulated entities must consider in assessing the overall PF risk the business is exposed to, the customer-specific PF risk, and the risk mitigation measures to be implemented as part of CPF.
The guidelines also elaborate on the various questions that can be included in the Know Your Customer (KYC) and Customer Risk Assessment process to assess the PF risk posed by each customer or transaction.
The guidelines also discuss some of the best practices the regulated entities must implement to identify and counter the proliferation financing risk.
Proliferation financing Institutional Risk Assessment
While evaluating the risks of ML and TF, entities must also assess the PF risks. During this procedure, you must handle the following steps:
Assess inherent risks
You must analyze the inherent proliferation financing risk your business is exposed to considering the following risk factors:
- Customer and the nature of business activities the customer is associated with
- Geography
- Products, services, and transactions
- Delivery channels
- Cyber risks to software and systems
The assessed inherent PF risk can be classified as low, medium, or high, considering the PF vulnerabilities, the risk appetite of the business, etc.
Check the adequacy and effectiveness of controls
The next step is checking the adequacy and effectiveness of control measures. These measures aim to manage and mitigate the inherent risks identified in Step 1.
A control measure is adequate only if it is accurate in risk detection and prevention. The control effectiveness must be determined considering the quality of the control design and the operation efficacy of the controls. The outcome of the control effectiveness can be determined only based on the degree and extent of how well the controls can manage the impact of the risk on the business.
Based on the analysis of the adequacy or deficiencies in the design and operation of the controls, the control measures can be classified as effective, partially effective, or ineffective.
You must conduct frequent reviews of control measures to test effectiveness and sufficiency. If found otherwise, you must take corrective actions.
Identify residual risks
Residual risk = inherent risk (less) controls’ effectiveness
It means whatever risk remains from the inherent risk after considering control measures is the residual risk.
Ongoing risk assessment
When new, emerging risks arise, a risk assessment must be conducted. Based on these new risk scenarios, your control measures must change. Thus, you must frequently review and update PF risk assessment for the business and particular customer.
Proliferation financing (PF) risk mitigating measures
The business must apply adequate PF risk mitigation measures based on the assessed risk and adopt a risk-based approach.
The measures you apply to combat ML and TF risks may also help you fight the PF risks. But pay attention to the PF risk factors while applying these measures to avoid missing the PF-specific threats to your business. These risk-mitigating measures include:
KYC and CDD during client onboarding
During this process, you will identify customers and verify their identities. You learn about customer’s:
- Backgrounds
- Sources of wealth/funds
- The purpose of the relationship
- Their ultimate beneficial owners (in the case of a legal entity)
- Connection with sanctions or the presence of any adverse media
- Association with Politically Exposed Person (PEP)
- Primary market and customer base
- Engagement in dual-use goods or other controlled goods and, if so, license to trade in such goods
Further, you must include detailed questions in the KYC and customer risk assessment questionnaire to uncover the PF risk the customer may pose. Such questions may relate to the following:
- geographies the customer is associated with,
- the jurisdictions proposed to be involved in the transactions,
- the consistency between the proposed transaction and the customer’s social and economic profile,
- ease and cooperation in identifying the UBOs,
- ease in identifying the customer’s source of funds and wealth,
- delivery channels used – mode of interacting with and onboarding the customer,
- customer’s business segment, whether associated with a high-risk industry,
- nature of the products or services requested by the customer,
- customer’s legal structure – is it overly complex,
- reasonableness of the transaction value,
- frequency of the transactions executed by the customer, etc.
As applied to the customer, the KYC and customer due diligence measures must also be adopted for the beneficial owners, senior management, power of attorney, and authorized signatories of the customer.
Understanding the customer’s association with dual-use goods or controlled items, either as direct trading or involvement in the shipment or transshipment of goods, is essential to assessing the PF risk.
The customer details must be periodically reviewed to ensure their validity, relevance, and accuracy and to identify any change in the customer profile that may impact the customer’s PF risk assessment.
Customer screening against sanctions and adverse media
As one of the CPF measures, you must screen your customers against a comprehensive and accurate database pertaining to sanctions, watchlists, and adverse media. You must screen the customer and connected persons, including the ultimate beneficial owners, directors, attorney holders, and authorized signatories.
Screen them against various lists to find matches with:
- Adverse media or news
- Criminal cases
- PEPs or close relations with PEPs
- Sanctions or association with sanctioned persons
- Links with proliferators or proliferation financing activities
The screening results must be considered for determining the customer’s risk profile and the risk mitigation measures required.
Enhanced Due Diligence (EDD)
When the PF risk arising from a business relationship is high, you must apply enhanced due diligence measures. The following is an illustrative list of customer attributes that call for EDD measures:
- If a customer is a PEP
- If the customer is residing in or has business operations in a high-risk jurisdiction
- If the customer engages in products or services with higher risks of PF
- If the customer has a highly complex and opaque ownership structure
- If the customer is associated with a high-risk business sector
- If the customer uses international corporate vehicles for asset structuring and investment needs
Considering the above and other factors, if the customer is assessed as posing an increased risk, you must collect more information from independent sources for customer identification and identity verification purposes. In such high-risk corporate customers, you may reduce the beneficial ownership threshold from 25% to 10% to apply checks on more individuals associated with the customer.
You must conduct frequent and more rigorous transactions and business relationship monitoring. Check their financial data, litigation history, and criminal records to build their risk profile. Whether you start, continue, or exit the business relationship with them, you must get approval from the senior management.
Ongoing monitoring – Business Relationship and Transaction
You must continuously monitor the customer profile and transactions to check the consistency between the customer’s risk profile and the transactions executed by the customer. The frequency of reviewing and updating the KYC and CDD details highly depends on the existing risk profile of the customer. If a customer’s risk profile changes, necessary measures must be immediately applied to manage the changed level of risks, e.g., if the risk changes from low to high, EDD measures must be applied. You must note and report anything found suspicious in a transaction or customer.
Suspicious Activity Reporting
Stay alert to unusual behaviour while onboarding the customer, managing the transaction, and performing ongoing monitoring. If you detect any suspicion indicating the involvement of proliferation financing or customer’s association with PF, conduct further investigation, and if required, submit a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) via the goAML portal.
Employee screening and training
Besides screening your customers, conduct employee screening before hiring them. Check for their competence, integrity, and ethical behaviour. Assess their background to find any linkages with proliferation financing activities.
Everyone in the entity must align with the goals to fight against ML, TF, and PF. So, they must undergo relevant training to detect and deter the exploitation of the business for proliferation financing activities. All employees, including senior management, must participate in PF-specific training. Customer-facing employees or those whose job duties expose them to PF risks must undergo specialized training. Employees who perform transaction monitoring, CDD, KYC, EDD, risk assessments, and screening must get focused training to identify the PF risks while performing their duties.
Overall CPF framework
All these measures help you identify, assess, and combat PF risks. For effective implementation of the counter-proliferation financing framework, adopt the following best practices:
- Including the proliferation financing risk factors while conducting an overall Enterprise-Wide Risk Assessment.
- Including and integrating CPF in the business’s overall governance framework.
- Information manuals on proliferation financing risks must be developed and communicated across the organization, covering the policies, procedures, and controls to identify and effectively mitigate PF risk.
- CPF policies must provide guidance on dealing with dual-use goods and detecting and reporting PF-related suspicious activity.
- Adequate screening systems that enable timely detection of customers associated with dual-use goods and sanctioned lists must be implemented.
- A proper process and system must be deployed to apply asset-freezing measures when any designated entity or person is identified entities. It should also support prompt termination or suspension of business relationships and timely reporting to the EOCN.
- The effectiveness and adequacy of the CPF measures must be periodically tested and enhanced.
- Before launching new products or services, the entity must assess the PF vulnerabilities.
- Process and system must be implemented for mandatory senior management approval before onboarding a customer posing PF risk.
AML UAE’s role in proliferation financing institutional risk assessment
Since you have understood the necessity of assessing and combating the proliferation financing risk, why not give it the importance it deserves? You must be proactive enough to include them in your overall AML/CFT framework. If you need any support, AML UAE is at your service.
We are a leading provider of AML, CFT, and CPF compliance services in the UAE. We help our clients fight well against financial crimes, including money laundering, terrorism financing, and proliferation financing. Besides AML compliance services, our consultants and expert professionals help you:
- Understand the importance of CPF in the context of financial crimes
- Detect and assess the emerging risks of PF
- Identify the appropriate measures against PF
- Implement these CPF measures and controls to mitigate or prevent PF risks
Intend to stop the risks of proliferation financing to your business?
Partner with AML UAE to assess PF risks and apply mitigation measures.
Share via :
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a Chartered Accountant with more than 25 years of experience in compliance management, Anti-Money Laundering, tax consultancy, risk management, accounting, system audits, IT consultancy, and digital marketing.
He has extensive knowledge of local and international Anti-Money Laundering rules and regulations. He helps companies with end-to-end AML compliance services, from understanding the AML business-specific risk to implementing the robust AML Compliance framework.