The Significance of Taking a Risk-Based Approach



1. Risk-Based Approach Foundation


1.1. The Caribbean Financial Action Task Force (CFATF) Mutual Evaluation Report, published in March 2019, forms the foundation of the Cayman Islands' risk-based approach (RBA) to addressing anti-money laundering (AML), countering the financing of terrorism (CFT) and proliferation (CFP) threats. Some of the latest Cayman legislation and regulations are the Proceeds of Crime Law (2020 Revision) (Law) and the Anti-Money Laundering Regulations (2020 Revision) (Regulations).


1.2. The amendments allow for effective, proportionate and dissuasive administrative and criminal sanctions for breaches of AML/CFT/CFP. They also establish an inter-agency committee for enhanced domestic cooperation at the operational level and supervisors for designated non-financial businesses and professions (DNFBPs). This illustrates the proactive approach of the Cayman Islands in combating money laundering (ML).


1. What is a "Risk-Based Approach"?


1.1. An RBA is a significant recommendation to combat ML, the financing of terrorism (FT) and of proliferation (FP). An RBA ensures that policies to prevent or mitigate ML/FT/FP are proportionate to the risks identified. This approach enables competent authorities, self-regulatory bodies (SRBs) and financial institutions to make decisions on how to allocate their own resources in the most effective way across the AML/CFT/CFP regime, and the implementation of the Law and Regulations throughout the Cayman Islands.


2. Identifying Risk


2.1. By adopting an RBA, the competent authorities, self-regulatory bodies (SRBs) and financial institutions charged with the responsibility for AML/CFT/CFP matters should ensure that their policies to prevent or mitigate ML/FT/FP are proportionate to the risks identified. They should have in place processes to identify, assess, monitor, manage and mitigate ML/FT/FP risks.


2.2. The general principle of an RBA is that, whenever higher risks are identified, the competent authorities, SRBs and the financial institutions should apply enhanced customer due diligence (CDD) to manage and mitigate the risks. Most financial institutions in the Cayman Islands already take this approach, especially where the customers are from certain jurisdictions or are politically exposed persons. Correspondingly, where the risks are lower, simplified measures may be the permitted approach. Simplified measures should not be implemented where there is a suspicion of ML/FT/FP.


2.3. Financial institutions should not commence business relations or perform a transaction if the customer carrying out relevant financial business is unable to obtain information required by the Regulations to satisfy relevant CDD measures. The institution shall also consider making a suspicious activity report in relation to the customer.


3. The Significance of RBA


3.1. All relevant competent authorities, SRBs and financial institutions should keep their RBA assessments up to date and should have mechanisms which provide appropriate steps to identify and assess their ML/FT/FP risks. The nature and extent of any assessment of ML/FT/FP risks should be suitable for the institution's nature and size. The assessment should cover the institution's customers, the country or geographic area in which each customer resides or operates, the institution's products, services and transactions, and its delivery channels.


The competent authorities, SRBs and financial institutions should document those risk assessments in order to be able to demonstrate their grounds, keep all assessments up to date, and have appropriate mechanisms to provide risk assessment information to the competent authorities and SRBs. Although the competent authorities or SRBs have the discretion to determine that the institution does not require individual documented risk assessments, any specific risks that are intrinsic to the institution should be clearly identified and understood.


2. Risk Management and Mitigation