The Reserve Bank of India (RBI) has released a detailed “Guidance Note” aimed at helping regulated entities (REs), including banks, non-banking financial companies (NBFCs), authorised persons, and payment system operators, in managing risks associated with money laundering (ML) and terrorist financing (TF).
The guidance focuses on internal risk assessments (IRA) for ML and TF, specifically addressing staff involved in handling anti-money laundering (AML), countering the financing of terrorism (CFT), and counter-proliferation financing (CPF) operations. It outlines key principles and methodologies to aid REs in developing their own risk-based assessments (RBA), enhancing their ability to identify and mitigate potential threats.
In its note, the RBI highlighted the growing complexity of the financial landscape, with new technologies and payment methods increasing exposure to ML, TF, and proliferation financing (PF) risks. As banking products and services evolve, the likelihood of misuse by illicit actors rises, necessitating stronger risk controls.
The central bank emphasised the importance of implementing effective control measures to prevent financial institutions from being exploited for illegal activities, either knowingly or unknowingly. It warned that failure to report suspicious transactions in a timely manner, as mandated by existing regulations, could lead to reputational damage and financial losses for institutions.
The guidelines
The RBI outlined the following key principles to be followed by banks and financial institutions in conducting their IRA exercises. The IRA serves as the foundation for implementing a robust risk-based approach (RBA) and is essential for institutions to identify their exposure to Money Laundering, Terrorist Financing, and Proliferation Financing risks. By doing so, institutions can determine the allocation of attention and Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) resources to mitigate these risks effectively.
Institutions are advised to conduct IRA at two levels:
Business-Level IRA: This assesses the ML/TF/PF risk to which institutions are exposed based on the specific business model, nature, and complexity of their operations. Institutions should ensure that the IRA is proportionate to the size and scope of their business. For smaller institutions with simple operations or low-risk products, a basic risk assessment may suffice. However, for larger institutions with complex operations, multiple jurisdictions, or a diverse customer base, a more detailed and sophisticated risk assessment process is required.
Individual-Level IRA: This focuses on the ML/TF risks arising from relationships with customers or occasional transactions. Institutions should consider key risk factors such as the customer’s profile, geographical areas, types of products or services required, and delivery channels used. Based on these factors, customers should be categorized into high, medium, or low-risk groups, and the level of Customer Due Diligence (CDD) applied should be adjusted accordingly.