Risk-based approach workbook
Credit Unions/Caisses populaires

June 2017

Introduction

FINTRAC has designed this workbook to help you with your risk-based approach (RBA).  It is structured to help you identify risks by products, services and delivery channels; clients and business relationships; geography and other relevant factors.  It will also help you implement effective measures and monitor the money laundering and terrorist financing (ML/TF) risks you may encounter as part of your activities and business relationships. 

For more detailed information on implementing a risk assessment, please refer to the information contained in the FINTRAC Guidance on the Risk-Based Approach and Guideline 4: Implementation of a Compliance Regime.

Note: Amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations, including new technologies and developments as well as risk resulting from the activities of affiliates, will be coming into force in June 2017. These new elements will be further developed in this guidance document in the coming months.

Who should use this document?

This document was designed for a small business in the Credit Union/Caisse populaire (CU/CP) sector.

How should you assess your risks?

As part of your risk assessment, you need to identify the areas of your business that are vulnerable to being used by criminals for conducting money laundering or terrorist financing (ML/TF) activities.

This means that you need to assess the risks associated with all your business services and activities. Specifically, you must address the following four areas:

To do so, you need to consider the types of clients you deal with, the products and services you provide, how you deliver your products and services, and the location of your business.

If you identify situations that represent a high risk of ML/TF activities, you need to control these risks by implementing mitigation measures, including conducting enhanced ongoing monitoring and keeping client information up to date. This will be explained further in the document.

Risk-based approach cycle

The following cycle represents the main steps of your risk-based approach:

  1. identification of your inherent risks; 
  2. creating risk-reduction measures and key controls; 
  3. implementing your risk-based approach; and 
  4. reviewing your risk-based approach.

The following chart depicts the cycle of the steps of the risk-based approach.  Each step is described in the following pages.

  1. Identification of your inherent risks

    Products, services and delivery channels:
    Products, services and delivery channels offered that may pose higher risks of ML/TF.

    Geography:
    Location of your business and activities in relation to certain landmarks, populations or events.

    Other relevant factors:
    Other factors that are relevant to your business.

    Clients and business relationships:
    Inherent risks linked to the nature and type of business that your clientele has with you through:

    1. the products, services and delivery channels they utilize;
    2. their geography; and
    3. their characteristics and patterns of activities.
  2. Create risk-reduction measures and key controls
    Risk mitigation is about implementing controls to limit the ML/TF risks you have identified while conducting your risk assessment.
    When your risk assessment determines that risk is high for ML/TF, you will have to develop written risk mitigation strategies and apply them to the high-risk situations or clients you have identified.
  3. Implement your risk-based approach:
    Once you have gone through the risk assessment exercise, you will apply your risk-based approach as part of your day-to-day activities.
    It is important that your compliance policies and procedures are communicated, understood and adhered to by all the staff dealing with clients.
  4. Review your risk-based approach:
    Part of your risk assessment must also include a periodic review (minimum every 2 years) to test the effectiveness of your compliance regime.
    This will help evaluate the need to modify existing policies and procedures or to implement new ones. A risk-based approach is not a static exercise. The risks identified will change or evolve over time as new products or new threats enter your business context.

To assess your inherent risks effectively, you can divide your risk assessment into two parts:

  1. Business-based risk assessment: your products, services and delivery channels; the geographical location in which your business operates along with other relevant factors.
  2. Relationship-based risk assessment: products and services your clients utilize, the geographical locations in which they operate or do business as well as their activities, transaction patterns, etc.

It is important to note that there is no prescribed methodology for the assessment of risks. What follows is FINTRAC's suggested assessment process, which will need to be adapted to your business situation. Although presented separately, parts 1 and 2 could be done simultaneously. You can also create your own assessment process.

1 - Business-based risk assessment

Products, services and delivery channels

Begin your risk assessment by taking a business-wide perspective. As a CU/CP, you must assess all your products, services and delivery channels to determine if they pose a high risk of ML/TF. This may include, but is not limited to:

To help you in your assessment, you may consider the following:

Some examples of potentially high-risk products, services and delivery channels are:

For examples of how to assess risk for products, services and delivery channels, see the FINTRAC Guidance on the Risk-Based Approach.

Geography

Assess whether your own branch location, the countries to which you transfer funds, and the countries from which you receive funds could pose a high risk for ML/TF activities.

In the assessment of your geography, you have to consider whether the geographic locations in which you operate or undertake activities potentially pose a high risk for money laundering and terrorist financing. Depending on your business and operations, this can range from your immediate surroundings, whether rural or urban, to a province or territory, multiple jurisdictions within Canada (domestic) or other countries.

Some examples of geographic elements that need to be reflected in your assessment are:

For more examples of how to assess risk for geographic locations, see the FINTRAC Guidance on the Risk-Based Approach.

Other factors relevant to your business (if applicable)

Assess other factors that may apply to your business that do not fall in the other categories. There may be something about your business that can make it more attractive to individuals who want to carry out ML/TF activities.

Some examples that may apply to you are:

Note: Further guidance will be developed on this element in the coming months.

Business-based risk assessment worksheet

The following worksheet is for illustrative purposes only (please see additional instructions in Annex A). Using this worksheet could be an easy way for your entity to present the inherent risks related to your business, or you may develop your own worksheet.

Note: The information below is provided as an example only.  Your entity may have more risk factors to consider.  Furthermore, you may have different risk ratings.  For more options, you can consult the matrix included in the FINTRAC Guidance on the Risk-Based Approach.

Business-based risk assessment worksheet
Column A: LIST OF FACTORS. Identify all the factors that apply to your business (i.e. products, services and delivery channels, geography, other relevant factors).
Column B: RISK RATING. Assess each factor (e.g. low, medium or high).
Column C: RATIONALE. Explain why you assigned that particular rating.
Column D: DESCRIBE MITIGATION MEASURES FOR HIGH RISKS IDENTIFIED IN COLUMN A.

Factor: Non-member service provision
Risk rating: Low to high risk
Rationale: Risk will depend on ability to obtain client information and nature of transaction.
Mitigation measures:

  • Set parameters within which certain transactions require management review and approval.
  • Put a limit on cash transactions.

Factor: Non-face-to-face delivery channels (telephone, online, mobile)
Risk rating: High risk
Rationale: Potential third party involvement in the payment or receipt of product.
Mitigation measures:

  • Increase employee awareness of the risks of online markets.
  • Identify and verify customers before entering into a business relationship.
  • Set parameters within which certain transactions require management review and approval.

Factor: Proximity to a large border crossing with USA.
Risk rating: High risk
Rationale: Business may be the first point of entry into the financial system.
Mitigation measures:

  • Increase employee awareness through training so that staff better understand the placement stage of money laundering and its potential impacts.
  • Attempt to obtain information to understand the customer's circumstances/business.
  • Put a limit on cash transactions.

Factor: Transactions with high-risk countries or correspondent banks
Risk rating: High risk
Rationale: Differences in operating regulatory requirements with respect to AML/ATF controls.
Mitigation measures:

  • Gather sufficient information about the correspondent bank to confirm that it is not operating as a shell bank and has an AML/TF regime in place.
  • Establish procedures which require management review and approval before establishing a new correspondent relationship.

Etc.

2 - Relationship-based risk assessment (i.e. your clients)

For all your business relationships, you need to make a risk assessment based on the inherent characteristics of your clients. This can be done based on the combination of the following factors, some of which were identified in the previous section:

Below are some examples of client and transaction characteristics that can be considered high risk:

Client

Transactions

Please note that the following indicators, when encountered, will place clients in the overall high-risk category, regardless of other factors:

For more examples of how to assess risk for client and business relationships, see the FINTRAC Guidance on the Risk-Based Approach.

Relationship-based risk assessment worksheet

The following worksheet is for illustrative purposes (please see additional instructions in Annex B).  Using this worksheet could be an easy way for your entity to present the inherent risks related to your business relationships, or you may develop your own worksheet. 

This worksheet is to assess all your business relationships and high-risk clients. For more information on business relationships, see FINTRAC Guidance.

Note: The information below is provided as an example only.  For more options, you can consult the matrix included in the FINTRAC Guidance on the Risk-Based Approach.

Relationship-based risk assessment worksheet
Column A: BUSINESS RELATIONSHIPS. Identify all your business relationships or high-risk clients (individually or as groupings).
Column B: RISK RATING. Assess each business relationship (e.g. low, medium or high).
Column C: RATIONALE. Explain why you assigned that particular rating.
Column D: DESCRIBE ENHANCED MEASURES TO ASCERTAIN ID FOR HIGH-RISK BUSINESS RELATIONSHIPS
Column E: DESCRIBE MITIGATION MEASURES FOR HIGH-RISK BUSINESS RELATIONSHIPS
Column F: DESCRIBE THE PROCESS TO KEEP CLIENT INFORMATION UP TO DATE FOR HIGH-RISK BUSINESS RELATIONSHIPS
Column G: DESCRIBE ENHANCED ONGOING MONITORING FOR HIGH-RISK BUSINESS RELATIONSHIPS

Business relationship: Group A
Risk rating: Low
Rationale: Medium value transactions conducted face to face in line with the client's profile.
Measures (columns D to G): N/A

Business relationship: Client B (or group B)
Risk rating: High
Rationale: Client conducts large cash transactions that seem inconsistent with the client profile/business model.
Measures (columns D to G):

  • Make thresholds for ascertaining identification more stringent for clients with similar characteristics.
  • Increase employee awareness through training of suspicious indicators for these accounts.
  • Set thresholds and request information on the source of funds for any amount above threshold.
  • Ask clients to confirm or update their identification at the threshold transaction.
  • Perform a quarterly review of transactions conducted by client.
  • Obtain additional client information through public databases or other sources of information.
  • Identify patterns of transactions that require further examination.

Business relationship: Unregistered Charity or Non-Profit Organization (NPO)
Risk rating: Medium to high
Rationale: Charities/NPO may be used to raise, move or launder funds.
Measures (columns D to G):

  • Seek additional information beyond minimum requirements to ascertain identity such as Charters or Organizational By-laws.
  • Obtain independent verification of client information from another credible source.
  • Obtain information regarding measures that the client may have in place to mitigate risk, including regulatory requirements.
  • Establish consent protocols for processing or denying particular transactions.
  • Ask clients to confirm and update identification information on a cyclical basis.
  • Obtain additional information on the source and/or destination of charitable funds.
  • Obtain additional client information through public databases or other sources of information.
  • Identify patterns of transactions that require further examination.

Business relationship: Clients for whom Suspicious Transaction Reports (STR) have been previously submitted
Risk rating: High
Rationale: Reasonable grounds for suspicion have already been established through submission of STRs.
Measures (columns D to G):

  • Make thresholds for ascertaining identification more stringent for clients with similar characteristics.
  • Set threshold and request information on source/destination of funds for any amounts above threshold.
  • Ask clients to confirm or update identification information at every threshold transaction.
  • Review transactions conducted by client more frequently.
  • Identify patterns of transactions that require further examination.

Business relationship: Politically Exposed (Foreign) Person (PEP or PEFP)
Risk rating: High
Rationale: A PEP/PEFP is an individual who may be vulnerable to ML/TF or corruption due to their position, relationship or influence.
Measures (columns D to G):

  • Implement training programs to ensure employees can identify PEP/PEFP clients and understand, assess and handle the potential associated risks.
  • Require senior management approval to open new accounts or maintain existing accounts.
  • Set transaction thresholds (dollar value and/or frequency) and request information on the source of funds for transactions above thresholds.
  • Ask clients to confirm or update identification information at every threshold transaction.
  • Obtain additional information about the client's source of wealth.
  • Increase the monitoring of transactions of higher-risk products, services and channels.
  • Identify patterns of transactions that require further examination.

Etc.

Note: in order to enhance your relationship-based risk assessment you may want to consider the following:

This may assist you in focusing resources and developing policies and procedures and/or risk mitigation strategies that are more tailored to your organization.

ANNEX A

Instructions to complete the Business-based risk assessment worksheet (Products, services and delivery channels; geography; other relevant factors)
This worksheet is for illustration. You may develop your own, so long as it includes the concepts that are described below. The following are instructions on how to complete each column of the worksheet:
Column A:

List of factors

Describe your products, services, delivery channels, factors related to your geographical location(s) and other relevant factors.

Column B:

Risk rating

Rate each risk factor (products, services, delivery channels, factors related to geographic location(s) and other relevant factors).

Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale.  You could decide to have low and high risk categories or to have a more complex rating scale. A scale must be established, tailored to the size and type of business you have.

Column C:

Rationale

Provide the reasons why you assigned a particular risk rating to each product, service, delivery channel, geography, or other relevant factor.

Column D:

Describe mitigation measures for high-risk factors

By law, all factors identified as "high-risk" must be addressed with documented mitigation measures. You have to write policies and procedures to explain how you are going to reduce and how you will control these risks in your day-to-day activities.

Below are some examples of mitigation measures you may want to consider (not an exhaustive list):

  • Increase awareness of high-risk situations within business lines across your organization;
  • Provide adequate controls of higher-risk services, such as management approvals;
  • Set transaction limits for high-risk products such as wire transfers to high-risk jurisdictions; and/or
  • Monitor transactions relating to high-risk products and services more frequently.

For more examples of controls or ways to reduce risks, see the FINTRAC Guidance on the Risk-Based Approach and Guideline 4: 6.2.1 Measures to mitigate the risks.

ANNEX B

Instructions to complete the Relationship-based assessment worksheet
This worksheet is for illustration. You may develop your own, as long as it includes the concepts that are described below. The following are instructions on how to complete each column of the worksheet.
Column A:

Business relationships or high-risk clients.

Identify all your business relationships and high-risk clients.  You may decide to risk assess each business relationship separately or to do so by groups that share similar characteristics.

Column B:

Risk rating

Rate each business relationship.

You can use a scale of low, medium and high to rate your business relationship. Please note that the PCMLTFA and Regulations do not require you to use a low, medium and high scale. You could decide to have low and high risk categories or to have a more complex rating scale.

Column C:

Rationale

Provide the reasons why you assigned a particular risk rating to each client type/business relationship.

Column D:

Describe enhanced measures to ascertain the identity of high-risk clients or to confirm the existence of a high-risk entity

You need to describe how identification was ascertained or how the existence of an entity was confirmed for each high-risk business relationship and high-risk client.

Below are some examples:

  • Seeking additional information beyond the minimum requirements to ascertain the client's identity or the beneficial ownership information of an entity;
  • Obtaining independent verification of the information (that is, from a credible source other than the client);
  • Establishing more stringent thresholds for ascertaining identification.

For more information on beneficial ownership, see Guideline 4: 6.3: Keeping client information, beneficial ownership and business relationship information up to date.

Column E:

Describe mitigation measures for high-risk business relationships

You need to put controls in place for each high-risk business relationship and high-risk client that you identified.

Below are some examples of mitigation measures that you may want to consider (not an exhaustive list):

  • Set limits to transaction amounts in certain situations;
  • Request bank drafts for debit transactions instead of accepting large amounts of cash;
  • Request source of funds for any cash amount; and/or
  • Conduct certain transactions only in person.

For more examples of controls or ways to reduce the risk, see Guideline 4: 6.2.1 Measures to mitigate the risks.

Column F:

Describe how you will keep client information and beneficial ownership information up to date for high-risk clients

You have to develop policies on how and how often you will update the client information of high-risk business relationships and high-risk clients.  

The information that needs to be updated generally includes:

  • For an individual, the individual's name, address and occupation or principal business.
  • For a corporation, its name and address and the names of the corporation's directors.
  • For an entity other than a corporation, its name, address and principal place of business.

Measures to keep client identification up to date include asking the client to provide information to confirm or update their identification information.  For example, you may ask a client for an additional piece of identification. You may also confirm the information through public sources if available.

Keep beneficial ownership up to date

As a CU/CP, you need to keep the beneficial ownership of all your high-risk business relationships up to date. Describe the frequency and your process to update this information in this section of the worksheet.

For more information on beneficial ownership, see Guideline 4: 6.3: Keeping client information, beneficial ownership and business relationship information up to date.

Column G:

Describe enhanced monitoring for high-risk business relationships 

For all business relationships, you will need to conduct ongoing monitoring.  This means that you will monitor your business relationships on a periodic basis for the purpose of:

  1. Detecting any transactions that are required to be reported in accordance with the PCMLTFA;
  2. Keeping client identification information up to date;
  3. Reassessing the level of risk associated with the client's transactions and activities; and
  4. Determining whether transactions or activities are consistent with the information you obtained about your client.

However, for high-risk business relationships and high-risk clients, you need to conduct monitoring more frequently and with more scrutiny than with your other business relationships. This is called enhanced monitoring.

Describe all aspects of your enhanced monitoring:

  • When is it done (frequency);
  • How is it conducted; and
  • How is it reviewed.

Examples of how enhanced monitoring is conducted and reviewed for high-risk business relationships:

  • Obtain additional information on the client (occupation, volume of assets, information available through public database);
  • Review transactions based on an approved schedule that involves management sign-off;
  • Develop reports or perform more frequent reviews of reports that list high-risk transactions. Flag activities or changes in activities and elevate concerns as necessary;
  • Set business limits or parameters regarding transactions that would trigger early warning signals and require mandatory review; and/or
  • Review transactions more frequently against suspicious transaction indicators relevant to the relationship. See Guideline 2: Suspicious Transactions for more information about indicators.

For more information on enhanced ongoing monitoring, see Guideline 4: 6.4 Ongoing monitoring of business relationships.

ANNEX C
Glossary and useful links

Affiliate:
An entity is affiliated with another entity if one wholly owns the other, if both are wholly owned by the same entity, or if their financial statements are consolidated.
Beneficial owner:
Beneficial ownership refers to the identity of the individuals who ultimately control a corporation or entity.  You must search through as many levels of information as necessary in order to determine beneficial ownership.
Business relationship:
You enter into a business relationship when a client opens an account or undertakes two or more transactions with you that require you to ascertain the identity of the client, regardless of whether the transactions are related to one another.
Delivery channels:
Medium that can be used to obtain a product or service, or through which transactions can be conducted.
FINTRAC:
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) is Canada's financial intelligence unit.
Inherent risk:
Risk that exists before the application of controls or mitigation measures.
Mitigation measures:
Controls put in place to limit the potential money laundering and terrorist financing risks you have identified while conducting your risk assessment.
Non-face-to-face transactions:
Transactions where the client is not physically present (for example, Internet, telephone or mail).
NPO:
A Non-Profit Organization is a legal person or arrangement or organization that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of “good works”.
Politically exposed persons and Head of an international organization:
A politically exposed person (PEP) or the head of an international organization (HIO) is a person entrusted with a prominent position that typically comes with the opportunity to influence decisions and the ability to control resources. The influence and control a PEP or HIO has puts them in a position to impact policy decisions, institutions and rules of procedure in the allocation of resources and finances, which can make them vulnerable to corruption.
Risk-based approach:

In the context of ML/TF, a risk-based approach is a process that encompasses the following:

  • The risk assessment of your business activities and clients using certain prescribed elements: Products, services and delivery channels; geography; clients and business relationships; and other relevant factors.
  • The mitigation of risk through the implementation of controls and measures;
  • Keeping client identification and, if required, beneficial ownership and business relationship information up to date; and
  • The ongoing monitoring of transactions and business relationships.
Third party:
Individual or entity other than the individual who conducts the transaction. When you are determining whether a third party is involved, it is not about who "owns" the money, but rather about who gives instructions to deal with the money.
Vulnerabilities:
Elements of a business that could be exploited.  In the ML/TF context, vulnerabilities could be weak controls within a business offering high-risk products or services.

Regulatory references:
http://laws-lois.justice.gc.ca/eng/acts/P-24.501/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2001-317/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2002-184/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2007-121/
http://laws-lois.justice.gc.ca/eng/regulations/SOR-2007-292/

Guideline 1: Backgrounder:
http://www.fintrac-canafe.gc.ca/guidance-directives/overview-apercu/Guide1/1-eng.asp

Guideline 2: Suspicious transactions (includes ML/TF indicators):
http://www.fintrac-canafe.gc.ca/guidance-directives/transaction-operation/Guide2/2-eng.asp

Guideline 4: Implementation of a compliance regime:
http://www.fintrac-canafe.gc.ca/guidance-directives/compliance-conformite/Guide4/4-eng.asp

RBA Guidance document:
http://www.fintrac-canafe.gc.ca/guidance-directives/compliance-conformite/rba/rba-eng.asp

Trends in Canadian suspicious transaction reporting (STRs) – Part 1:
http://www.fintrac-canafe.gc.ca/publications/typologies/2011-03-eng.asp

FATF Guidance for a risk-based approach-The banking sector:
http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf

FATF International standards on combating money laundering and the financing of terrorism and proliferation – The FATF Recommendations:
http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf

FATF Combating the abuse of non-profit organizations (Recommendation 8):
http://www.fatf-gafi.org/publications/fatfrecommendations/documents/bpp-combating-abuse-npo.html
