Risk Based Supervision Framework - Compliance Commission

The Compliance Commission (the Commission) has implemented a risk-based AML/CFT supervisory regime in keeping with legislative changes and international best practices. This regime is designed to assist the Commission in carrying out its supervisory mandate of assessing the level of risk of its constituents and the sector as a whole. Consequently, designated non-financial businesses and professions (DNFBPs) under the supervision of the Commission, regardless of their size and complexity, are required by law to:

  • take appropriate measures to identify, assess and understand the identified or inherent risks in relation to its facility holders and the countries or jurisdictions of their origin; the countries or jurisdictions of its operations; and its products, services, transactions and delivery channels;
  • develop and implement a comprehensive risk management system approved by the financial institution’s senior management and commensurate with the scope of its activities, incorporating continuous identification, measurement, monitoring and controlling of identified risks;
  • take appropriate measures to manage and mitigate the inherent risks identified;
  • take account of any risk assessment carried out at a national level and any regulatory guidance issued by its Supervisory Authority; and
  • upon request, provide the Supervisory Authority with a copy of its risk assessment.

DNFBPs shall carry out a risk assessment:

  • prior to the launch of a new product or business practice;
  • prior to the use of new or developing technologies; and
  • when there is a major event or development in the management and operation of the group,

to identify and assess the identified risks that may arise in relation to such products, business practices or technology for both new and pre-existing products. Such assessment shall consider:

  • the facility holder’s geographic area, product, service, transaction and means of delivery risk factors, which shall be proportionate to the nature and size of the financial institution’s business; and
  • the outcome of any risk assessment carried out at a national level, and any regulatory guidance issued.

DNFBPs shall document in writing the outcome of a risk assessment and shall keep the same up to date and make it available to relevant competent authorities and regulatory bodies upon request.

The risk assessment enables DNFBPs to focus their AML efforts and to adopt appropriate measures to optimally allocate the available resources. This process is necessary for managing the risks of ML/TF to which the DNFBP may be vulnerable. Moreover, the nature and extent of any assessment of ML/TF risks should be appropriate to the nature and size of the business. The essential elements of the risk assessment involve the identification, analysis, management and mitigation of such risks, inclusive of the ongoing monitoring of the risks.

Registrants of the Commission are encouraged to review the Commission’s Codes of Practice relevant to their business operations for a more in-depth analysis of the major components to consider when conducting a risk assessment.

MAJOR COMPONENTS TO BE CONSIDERED WHEN CONDUCTING A RISK ASSESSMENT:

Source: Guidance on risk-based supervision & risk assessments, Prepared by Council of Europe Expert Maud Bokkenrink.