A risk assessment is an analysis of potential risks and vulnerabilities that could expose your business to ML/TF activities. This assessment will allow you to identify your inherent risk and will assist you and those authorized to act on your behalf in developing mitigation measures to deal with these risks.
The outcome of your risk assessment should reflect the reality of your business, be documented and, as a best practice, include all the elements applicable to you in FINTRAC’s Guidance on the risk-based approach to combatting money laundering and terrorist financing. FINTRAC has also published risk-based approach workbooks that expand on the guidance to include a “how to” methodology to assist different sectors in implementing an effective risk-based approach cycle. Workbooks have been developed for the following sectors: accountants, British Columbia notaries, credit unions/caisses populaires, dealers in precious metals and stones, life insurance companies, brokers and agents, money services businesses, real estate, and securities dealers.
The complexity of your risk assessment will depend on the size and risk factors of your business. However, you must consider the following:
- your clients and business relationships, including their activity patterns and geographic locations;
- the products, services and delivery channels you offer;
- the geographic location(s) where you conduct your activities;
- new technologies and their impacts on your clients, business relationships, and products or delivery channels of your activities;
- other relevant factors affecting your business (e.g. employee turnover, rules and regulations for your industry, etc.); and
- if you are a financial entity, life insurance company, or securities dealer, risks resulting from the activities of an affiliate that is also subject to the PCMLTFA and associated Regulations under these sectors, or that is a foreign affiliate that carries out activities similar to these sectors.
How do you document the risk assessment?
How you document your risk assessment will depend on what makes sense for your business. However, FINTRAC expects that you can demonstrate that you have considered all facets of your business’s exposure to ML/TF activities. To do this, you can document all the risks you have considered and the mitigation measures you have developed for those that are high risk.
You also need to be able to demonstrate to a FINTRAC compliance officer that you have reviewed and, if necessary, updated your risk assessment and mitigation measures as applicable. For example, if you offer a new product, FINTRAC expects that you have considered and documented any potential or actual ML/TF risks associated with the new product and, therefore, have identified and applied measures to deal with your identified risks.
What are enhanced measures?
Enhanced measures are the development and application of written policies and procedures to mitigate high risks identified within your business and your clients.
If you identify a client as posing a high risk, you must:
- Take additional steps to identify those individuals and confirm the existence of those entities.
- Conduct enhanced ongoing monitoring of your business relationships for the purpose of:
  - detecting suspicious transactions that are required to be reported to FINTRAC;
  - keeping client identification information, beneficial ownership (if applicable), and the purpose and intended nature of the business relationship records up-to-date;
  - re-assessing your client’s risk level based on their documented transactions and activities; and
  - determining whether the transactions or activities are consistent with “what you know” about that client.
- Take any other enhanced measure to mitigate the risks. This could include:
  - obtaining additional information on a client (e.g. volume of assets, information available through public databases, Internet, etc.);
  - obtaining information on the source of funds or source of wealth of a client;
  - obtaining information on the reasons for attempted or conducted transactions;
  - increasing the frequency of your monitoring of higher-risk transactions, products, services and channels;
  - gathering additional documentation, data or information, or taking additional steps to verify the documents you have obtained;
  - establishing transaction limits;
  - increasing internal controls for high-risk business relationships;
  - obtaining the approval of senior management for products and services that are new for clients; or
  - any other measures you deem appropriate.