Proliferation Financing Institutional Risk Assessment by FIs, DNFBPs, and VASPs

Last Updated: 04/1/2026


Proliferation Financing Risk Assessment: At a Glance

  • Proliferation Financing Risk Assessment is the process of identifying, analysing, and mitigating risks related to the financing of Weapons of Mass Destruction (WMD).
  • The Federal Decree Law 10 of 2025 and Cabinet Resolution 134 of 2025 make PF Risk Assessment a mandatory part of the AML/CFT & CPF framework, particularly for DNFBPs, FIs, and VASPs.
  • Guidance from EOCN and FATF requires businesses to assess PF risk at both enterprise and customer levels.
  • The PF Risk Assessment process includes evaluating inherent risk, control effectiveness, residual risk, and ongoing monitoring.
  • A robust Proliferation Financing Compliance Framework integrates governance, risk assessment, and control mechanisms across the business.

What is Proliferation Financing Risk Assessment?

Proliferation Financing Risk Assessment is the process of identifying, analysing, and assessing the risk that a business may be exposed to activities involving the financing of weapons of mass destruction (WMD).

In simple terms, Proliferation Financing Risk Assessment enables businesses to assess their exposure across customers, geographies, products, and transactions, and implement appropriate PF risk control measures to prevent and mitigate PF risks.

Identifying and assessing your business’s vulnerabilities to the threats of proliferation financing is essential.

The Executive Office for Control and Non-Proliferation (EOCN) has issued a Proliferation Financing Institutional Risk Assessment Guidance for FIs, DNFBPs, and VASPs.

In its recommendations, the FATF included a thorough assessment of the PF risk and the development of adequate counter-proliferation financing (CPF) measures for managing this risk. As an active member of FATF, the UAE commits to developing detection, prevention, and mitigation measures against PF.

Let us discuss the key highlights of the guidelines and the authority’s recommendations to the private sector.

EOCN’s Guidance on Proliferation Financing Risk Assessment

EOCN released guidance on Proliferation Financing Institutional Risk Assessment for Financial Institutions (FIs), Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs).

The guidelines discuss various risk categories and factors associated with proliferation financing, the methodology the regulated entities must consider in assessing the overall PF risk the business is exposed to, the customer-specific PF risk, and the risk mitigation measures to be implemented as part of CPF.

Let us now understand the importance of proliferation financing risk assessment in safeguarding the business.

Why is Proliferation Financing Risk Assessment Important?

Proliferation financing means supporting or facilitating the proliferation of weapons of mass destruction (WMD) and their delivery systems. It means providing funds for or facilitating the following activities related to nuclear, biological, and chemical weapons:

  • Manufacturing
  • Using
  • Developing
  • Possessing
  • Transporting
  • Brokering
  • Trading
  • Transferring
  • Transshipping
  • Stockpiling

It also includes financing or facilitating the delivery of these weapons or their related materials, i.e., dual-use goods or technologies used for illegal purposes.

Unless you identify the potential vulnerabilities, your business may be unknowingly exploited for the above-mentioned proliferation financing activities. Thus, to counter proliferation financing risk, you must assess the potential PF threats at the business level and also at the business relationship level. You must learn how your business is vulnerable to PF risks. You must know the characteristics of PF risks so that you can spot them and raise an alert.

You will face enormous penalties if you do not apply CPF measures or willingly or unwillingly engage in proliferation financing activities. It may result in various national and international sanctions, leading to irreversible reputational damage and loss of customer trust and revenue.

So, it becomes essential for you to identify and prevent the proliferation financing risks. This is possible with timely and accurate PF risk assessment and by developing an integrated risk management framework combining anti-money laundering, combating terrorism financing, and countering proliferation financing. The PF risk assessment at the entity level is popularly known as Proliferation Financing Institutional Risk Assessment, Proliferation Financing Business Risk Assessment, or Proliferation Financing Enterprise-Wide Risk Assessment.

Steps in Proliferation Financing Risk Assessment

The guidelines also elaborate on the various questions that can be included in the Know Your Customer (KYC) and Customer Risk Assessment process to assess the PF risk posed by each customer or transaction.

The guidelines also discuss some of the best practices the regulated entities must implement to identify and counter the proliferation financing risk.

While evaluating the risks of ML and TF, entities must also assess the PF risks. During this procedure, you must handle the following steps:

Assess inherent risks

You must analyze the inherent proliferation financing risk your business is exposed to, considering the following risk factors:

  • Customer and the nature of business activities the customer is associated with
  • Geography
  • Products, services, and transactions
  • Delivery channels
  • Cyber risks to software and systems

The assessed inherent PF risk can be classified as low, medium, or high, considering the PF vulnerabilities, the risk appetite of the business, etc.

Check the adequacy and effectiveness of controls

The next step is checking the adequacy and effectiveness of control measures. These measures aim to manage and mitigate the inherent risks identified in Step 1.

A control measure is adequate only if it is accurate in risk detection and prevention. The control effectiveness must be determined considering the quality of the control design and the operational efficacy of the controls. The outcome of the control effectiveness assessment can be determined only from how well the controls can manage the impact of the risk on the business.

Based on the analysis of the adequacy or deficiencies in the design and operation of the controls, the control measures can be classified as effective, partially effective, or ineffective.

You must frequently review the control measures to test their effectiveness and sufficiency. If they are found ineffective or insufficient, you must take corrective actions.

Identify residual risks

Residual risk = inherent risk (less) controls’ effectiveness

It means whatever risk remains from the inherent risk after considering control measures is the residual risk.

Ongoing risk assessment

When new, emerging risks arise, a risk assessment must be conducted. Based on these new risk scenarios, your control measures must change. Thus, you must frequently review and update the PF risk assessment for the business and for particular customers.

Key Risk Factors in PF Risk Assessment

A documented proliferation financing risk framework is essential for DNFBPs. A well-designed PF assessment ensures that the risk assessment for proliferation financing is proportionate to the nature, size and complexity of the business.

DNFBPs should document their understanding and assessment of PF risk. The approach for PF risk assessment should be commensurate with the nature and size of the DNFBP's business. A DNFBP's PF risk assessment shall include the following categories:

a. Geographic Risk: 

Geographic risk in proliferation financing involves exposure to high-risk or sanctioned jurisdictions. Regional PF risks extend beyond sanctioned countries, as proliferators often rely on third-country routing. A proper geographic PF assessment considers both direct and indirect geographic exposure.

DNFBPs should identify and assess their business locations, where they conduct business, and their target markets.

As mentioned above, North Korea and Iran are the major sources of PF risk. However, geographic risk is not limited to these countries, as such countries and terrorist groups depend on global networks, for example by using neighbouring countries to route money or procure proliferation materials.

b. Customer Risk:

Customer risk in proliferation financing is primarily identified through PF customer screening and may arise from the following aspects:  

  • Sanctions exposure – Where the customer is a UN-sanctioned person or entity.
  • Entities owned by UN-sanctioned persons – During the CDD process, DNFBPs must identify the UBO of such entities and screen them against the TFS list.
  • Customer business activities – Customers producing proliferation-sensitive goods can pose PF risk to DNFBPs.
  • Geographic exposure – DNFBPs shall assess customers’ locations (residence and business place).

c. Product and Service Risk:

Product and service risk in proliferation financing exists where products and/or services can be misused to raise, move, or disguise funds or procure sensitive goods.

DNFBPs shall assess the risk that their products or services may be exploited for proliferation financing in any way: to obtain funding for WMD activities, to disguise the funds, or to obtain proliferation-sensitive goods.

Proliferation Financing Risk Assessment as part of AML/CFT Framework

An effective proliferation financing risk assessment should form an integral part of an organisation’s AML/CFT Framework.

Integrating PF Risk Assessment within the AML/CFT framework ensures alignment with UAE regulatory requirements, FATF Recommendations, and targeted financial sanctions (TFS) obligations.

A comprehensive proliferation financing assessment enables DNFBPs to evaluate PF risk in AML/CFT across customers, products, services and geographic exposure.

Businesses need to understand the Key Components of Proliferation Financing Risk Assessment:

1. Proliferation Financing Threats

Proliferation Financing threats refer to persons and entities that have previously caused or have the potential to evade, breach, or exploit a failure to implement TFS related to Proliferation. 

Key risk factors associated with PF threats include links to sanctioned countries like North Korea and Iran, sanctioned entities, front or shell companies, and actors involved in the procurement of dual-use goods.

Terrorist organisations and illicit networks may also present PF threats where there is an interest in acquiring nuclear, chemical, or biological materials.

2. Proliferation Financing Vulnerabilities 

Vulnerabilities in proliferation financing refer to weaknesses that may facilitate the breach, non-implementation, or evasion of TFS related to Proliferation.

Vulnerabilities may include features of a particular sector, a financial product, or a type of service that make it attractive for a person or entity engaged in the breach, non-implementation, or evasion of TFS related to Proliferation. 

PF vulnerabilities may be based on factors such as business structure or sector (banking or insurance), products or services (virtual assets or money transfer services), customers and transactions (customers from high-risk jurisdictions like Iran). 

To identify the PF vulnerabilities, DNFBPs should consider the international reports on PF typologies and the sectoral reports on PF issued by UAE authorities. 

What is the principal vulnerability and driver of proliferation financing?

Principal Vulnerability refers to the immediate PF risk that a business is exposed to. The principal vulnerability would differ from business to business, depending on its PF risk assessment. The Drivers of such principal vulnerability will also differ from one business to another, as no two businesses are the same, including their PF risk factors.

3. Proliferation Financing Consequences  

Consequence refers to the outcome where funds or assets are made available to proliferators, which could be used to procure the materials, items, or systems for developing illicit nuclear, chemical, or biological weapon systems, causing the threat of use of WMD.

The consequences of proliferation financing are severe. The risks of financing proliferation include enabling the procurement of WMD materials, compromising global security, and exposing DNFBPs to regulatory sanctions, criminal liability and reputational damage.

Proliferation Financing Risk Mitigation Measures

The business must apply adequate PF risk mitigation measures based on the assessed risk and adopt a risk-based approach.

The measures you apply to combat ML and TF risks may also help you fight the PF risks. But pay attention to the PF risk factors while applying these measures to avoid missing the PF-specific threats to your business. These risk-mitigating measures include:

KYC and CDD during client onboarding

During this process, you will identify customers and verify their identities. You learn about the customer’s:

  • Backgrounds
  • Sources of wealth/funds
  • The purpose of the relationship
  • Their ultimate beneficial owners (in the case of a legal entity)
  • Connection with sanctions or the presence of any adverse media
  • Association with Politically Exposed Person (PEP)
  • Primary market and customer base
  • Engagement in dual-use goods or other controlled goods and, if so, license to trade in such goods

Further, you must include detailed questions in the KYC and customer risk assessment questionnaire to uncover the PF risk the customer may pose. Such questions may relate to the following:

  • geographies the customer is associated with,
  • the jurisdictions proposed to be involved in the transactions,
  • the consistency between the proposed transaction and the customer’s social and economic profile,
  • ease and cooperation in identifying the UBOs,
  • ease in identifying the customer’s source of funds and wealth,
  • delivery channels used – mode of interacting with and onboarding the customer,
  • customer’s business segment, whether associated with a high-risk industry,
  • nature of the products or services requested by the customer,
  • customer’s legal structure – is it overly complex,
  • reasonableness of the transaction value,
  • frequency of the transactions executed by the customer, etc.

As applied to the customer, the KYC and customer due diligence measures must also be adopted for the beneficial owners, senior management, power of attorney, and authorized signatories of the customer.

Understanding the customer’s association with dual-use goods or controlled items, either as direct trading or involvement in the shipment or transshipment of goods, is essential to assessing the PF risk.

The customer details must be periodically reviewed to ensure their validity, relevance, and accuracy and to identify any change in the customer profile that may impact the customer’s PF risk assessment.

Customer screening against sanctions and adverse media

As one of the CPF measures, you must screen your customers against a comprehensive and accurate database pertaining to sanctions, watchlists, and adverse media. You must screen the customer and connected persons, including the ultimate beneficial owners, directors, attorney holders, and authorized signatories.

Screen them against various lists to find matches with:

  • Adverse media or news
  • Criminal cases
  • PEPs or close relations with PEPs
  • Sanctions or association with sanctioned persons
  • Links with proliferators or proliferation financing activities

The screening results must be considered for determining the customer’s risk profile and the risk mitigation measures required.

Enhanced Due Diligence (EDD)

When the PF risk arising from a business relationship is high, you must apply enhanced due diligence measures. The following is an illustrative list of customer attributes that call for EDD measures:

  • If a customer is a PEP
  • If the customer is residing in or has business operations in a high-risk jurisdiction
  • If the customer engages in products or services with higher risks of PF
  • If the customer has a highly complex and opaque ownership structure
  • If the customer is associated with a high-risk business sector
  • If the customer uses international corporate vehicles for asset structuring and investment needs

Considering the above and other factors, if the customer is assessed as posing an increased risk, you must collect more information from independent sources for customer identification and identity verification purposes. For such high-risk corporate customers, you may reduce the beneficial ownership threshold from 25% to 10% to apply checks on more individuals associated with the customer.

You must conduct more frequent and more rigorous transaction and business relationship monitoring. Check their financial data, litigation history, and criminal records to build their risk profile. Whether you start, continue, or exit the business relationship with them, you must get approval from the senior management.

Ongoing monitoring – Business Relationship and Transaction

You must continuously monitor the customer profile and transactions to check the consistency between the customer’s risk profile and the transactions executed by the customer. The frequency of reviewing and updating the KYC and CDD details highly depends on the existing risk profile of the customer. If a customer’s risk profile changes, necessary measures must be immediately applied to manage the changed level of risks, e.g., if the risk changes from low to high, EDD measures must be applied. You must note and report anything found suspicious in a transaction or customer.

Suspicious Activity Reporting

Stay alert to unusual behaviour while onboarding the customer, managing the transaction, and performing ongoing monitoring. If you detect anything suspicious indicating the involvement of proliferation financing or a customer’s association with PF, conduct further investigation and, if required, submit a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) via the goAML portal.

Employee screening and training

Besides screening your customers, conduct employee screening before hiring them. Check for their competence, integrity, and ethical behaviour. Assess their background to find any linkages with proliferation financing activities.

Everyone in the entity must align with the goals to fight against ML, TF, and PF. So, they must undergo relevant training to detect and deter the exploitation of the business for proliferation financing activities. All employees, including senior management, must participate in PF-specific training. Customer-facing employees or those whose job duties expose them to PF risks must undergo specialized training. Employees who perform transaction monitoring, CDD, KYC, EDD, risk assessments, and screening must get focused training to identify the PF risks while performing their duties.

In order to mitigate PF risks adequately, businesses must adopt the following Best Practices for Proliferation Financing Risk Management.

Best Practices for Implementing a Proliferation Financing Compliance Framework

Implementing an effective PF compliance framework requires a well-structured approach that aligns risk assessment, governance, and control mechanisms across the business.

All these measures help you identify, assess, and combat PF risks. For effective implementation of the counter-proliferation financing framework, adopt the following best practices:

  • Include the proliferation financing risk factors while conducting an overall Enterprise-Wide Risk Assessment.
  • Include and integrate CPF in the business’s overall governance framework.
  • Information manuals on proliferation financing risks must be developed and communicated across the organization, covering the policies, procedures, and controls to identify and effectively mitigate PF risk.
  • CPF policies must provide guidance on dealing with dual-use goods and detecting and reporting PF-related suspicious activity.
  • Adequate screening systems that enable timely detection of customers associated with dual-use goods and sanctioned lists must be implemented.
  • A proper process and system must be deployed to apply asset-freezing measures when any designated entity or person is identified. It should also support prompt termination or suspension of business relationships and timely reporting to the EOCN.
  • The effectiveness and adequacy of the CPF measures must be periodically tested and enhanced.
  • Before launching new products or services, the entity must assess the PF vulnerabilities.
  • A process and system must be implemented for mandatory senior management approval before onboarding a customer posing PF risk.

AML UAE’s role in proliferation financing institutional risk assessment

Since you have understood the necessity of assessing and combating the proliferation financing risk, why not give it the importance it deserves? You must be proactive enough to include it in your overall AML/CFT framework. If you need any support, AML UAE is at your service.

We are a leading provider of AML, CFT, and CPF compliance services in the UAE. We help our clients fight well against financial crimes, including money laundering, terrorism financing, and proliferation financing. Besides AML compliance services, our consultants and expert professionals help you:

  • Understand the importance of CPF in the context of financial crimes
  • Detect and assess the emerging risks of PF
  • Identify the appropriate measures against PF
  • Implement these CPF measures and controls to mitigate or prevent PF risks

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is an ACAMS-certified AML consultant specialising in governance, risk, and compliance for regulated entities in the UAE. He brings over 28 years of experience, with 1,000+ hours of AML training and 200+ advisory engagements across DNFBPs, VASPs, and FIs. He supports businesses in aligning with AML/CFT requirements from the CBUAE, DFSA, MoET, MoJ, VARA, CMA, FSRA, and FATF. Known for translating complex regulations into audit-ready procedures, Pathik enables operational clarity and compliance readiness.
