Section 1: ML/TF Risk Assessment
No: 18318/486 | Date(g): 17/11/2019 | Date(h): 20/3/1441 | Status: In-Force |
The main step for a financial institution to adopt a risk-based approach is to assess, understand and document its ML/TF risks and to identify the weaknesses that could be used to carry out ML/TF transactions. The risk assessment shall be comprehensive and include an analysis of the risks arising from: | |||
Customers and beneficial owners; | |||
The nature of products, services and transactions offered; | |||
Countries or geographical regions in Saudi Arabia; | |||
The channels used for providing services and products; and | |||
Other risk factors. | |||
The principles of this Guide do not aim to encourage financial institutions to reduce risks by excluding certain services or a certain class of customers due to the high risks associated with them, as financial institutions are not prohibited from dealing with high-risk customers and business relationships. Rather, a financial institution shall develop and implement preventive risk mitigation measures commensurate with the results of the risk assessment it conducted. Responsibilities of financial institutions to assess ML/TF risks are mentioned in Article (5) of the Anti-Money Laundering Law, Article (63) of the Law on Combating Terrorism Crimes and Financing, and Article (16) of its Implementing Regulations. | |||
1.1 | The financial institution shall take the appropriate steps to identify, assess, understand, and document in writing its ML/TF risks, provided that the nature and scope of the risk assessment are commensurate with the nature and size of the financial institution's business. Such risk assessment shall be updated regularly (once every two years at a minimum) and shall be documented and approved by the senior management. When carrying out the risk assessment process, the financial institution can focus on the following factors: | ||
a) | Risk factors associated with the financial institution’s business, with an emphasis on: | ||
- | Products and services. | ||
- | Transactions. | ||
- | Channels used for delivering services and products. | ||
- | Countries or geographical areas within Saudi Arabia where the business of the financial institution or its subsidiaries, in which the financial institution owns the majority of shares, is conducted. | ||
b) | Risk factors associated with customers, beneficial owners, or the financial institution’s beneficiary, with an emphasis on: | ||
- | Products or services used by customers, beneficial owners, or beneficiaries. | ||
- | The type of transactions executed by a customer. | ||
- | The volume of deposits and transactions made by a customer. | ||
- | Countries/geographical areas in which customers, beneficial owners, or beneficiaries conduct their businesses, or the source or destination of transactions. | ||
- | Characteristics of a customer, beneficial owner, or beneficiary (e.g. profession, age and type of legal entity). | ||
c) | Other risk factors, including: | ||
- | ML/TF risks as issued by the Anti-Money Laundering Permanent Committee (AMLPC) and the Permanent Committee for Countering Terrorism (PCCT). | ||
- | Results of the risk assessment issued by SAMA, competent authorities and other supervisory authorities, when available. | ||
- | Purpose of the account or business relationship. | ||
- | The frequency of transactions or duration of the business relationship. | ||
- | Attractiveness of products and services provided to money launderers including, but not limited to, private banking services and products offered to high net-wealth individuals as well as quick transfers to high-risk geographical areas. | ||
- | Regulatory risks associated with regulations and decisions issued by government entities. | ||
- | Business risks associated with the organizational and operational structure of the financial institution. | ||
- | ML/TF risks that may arise from the development of new products, business practices, or means of providing services, products or transactions, or those arising from the use of new technologies or technologies under development with new or existing products. | ||
- | Any additional risks arising from other countries with which customers are associated, including intermediaries and service providers. | ||
- | Any other variables that may increase or reduce the risk of ML/TF in a particular situation. | ||
- | Results of ML/TF risk assessments issued by international bodies and organizations such as the FATF, the Basel Committee, the World Bank, the International Monetary Fund, the United Nations, and Transparency International. | ||
1.2 | Before developing and implementing controls, policies and procedures to mitigate ML/TF risks, the financial institution shall determine its risk appetite with respect to the results of ML/TF risk assessment, taking into account regulatory, reputational, legal, financial, and operational risks. | ||
1.3 | The financial institution shall develop and implement controls, policies and procedures to mitigate ML/TF risks based on the risk assessment results referred to in Paragraph (1.1). The financial institution shall ensure that such procedures are effective, appropriate and sufficient to mitigate the risks associated with the assessment results. Furthermore, the financial institution shall take into account that its activities will be exposed to risks regardless of the appropriateness and sufficiency of the measures taken. Therefore, it shall strengthen and update these measures whenever the need arises. | ||
1.4 | The financial institution shall classify all its customers according to the risk assessment results and take the necessary preventive measures to mitigate ML/TF risks. The financial institution can classify the level and degree of risks as (high, medium, or low) or using other categories as it determines based on the risk assessment results. This classification shall be consistent with the size and nature of the financial institution's business. | ||
1.5 | The financial institution shall review and update the customer risk profile regularly and based on the level of ML/TF risks. | ||
1.6 | The risk assessment shall be broad-based and at a level of sophistication commensurate with the business complexity of financial institutions with a complex organizational structure. For a financial institution with a less complex organizational structure, a simpler approach to conduct the risk assessment may be appropriate. | ||
1.7 | The financial institution shall assess risks before launching new products, services or business practices and before using new technologies or technologies under development, and it shall take appropriate measures to manage and reduce the identified risks as stated in Paragraph (1.3) under the ML/TF Risk Assessment Section. | ||
1.8 | The financial institution shall set up an appropriate mechanism for providing and submitting the information and reports on which the ML/TF risk assessment is based to SAMA upon request. | ||
1.9 | In the event that a customer is classified as high-risk, the financial institution shall obtain the senior management’s approval on the classification, provided that the information on which such classification is based is acceptable and reasoned. | ||
1.10 | Periodic reports shall be submitted to the board of directors regarding risk assessment at the level of the financial institution. The reports shall include the following: | ||
a) | Results of the ML/TF monitoring activities carried out by the financial institution. | ||
b) | The level of exposure to ML/TF risks based on major activities or customer categories. | ||
c) | General indicators and patterns of suspicious transactions as well as general trends and indicators of requests received from the SAFIU and the competent authorities. | ||
d) | Details of significant incidents, occurring internally or externally, and how they are handled in addition to their impact or potential effect on the financial institution. | ||
e) | Domestic and international developments in the AML/CTF laws, regulations, instructions and requirements as well as their impact on the financial institution. | ||
f) | The level of effectiveness of preventive measures in mitigating the effects of risks. |