The Financial Action Task Force, the world's anti-money-laundering standard-setter, has published fresh guidelines to govern the risk-based approach that financial firms ought to be taking to their AML duties in the context of securities. In the meantime, it has changed its recommendations to say more about virtual assets, which it has declined to classify as securities.

A risk-based approach - the term that the FATF borrowed from the UK, which pioneered it in the early 'noughties - obliges financial institutions to identify, assess and understand the money-laundering risks to which they are exposed and take commensurate steps to offset those risks effectively.

The purpose of the guidance is to outline the main principles that any financial firm should apply to its 'risk-based approach' to money-laundering control when it deals with or enters the securities sector, or a bank acting as an intermediary. It does not seek to override national rules but instead complements them and the FATF anticipates that 'external examiners' (remediation consultants and/or regulators) will find them useful. The FATF writes: "given the commonality of issues between the securities and banking sectors, such as issues raised by pooled account structures, banks offering securities products and services should consider this guidance." 'Securities' cover not only stocks and bonds but also money-market instruments, derivatives and investment funds, including units in collective investment undertakings. The FATF knows that in some countries virtual assets and the associated Initial Coin Offerings are recognised as securities (and subject to AML regimes), whereas other countries are undecided on the issue and yet more have banned them. 'Securities providers' range from retail stockbrokers, wealth managers and financial advisors to firms that serve a largely institutional market, such as prime brokers, global custodians, sub-custodians and depository banks.

Country risk

The FATF admits that there is no universally agreed-upon definition or method for spotting 'higher risk' jurisdictions. It merely points to factors to be considered, which include:

• countries/areas that "credible sources" say are funding or supporting terrorist activities or have 'designated' terrorist organisations operating within them;
• countries that "credible sources" say have significant levels of organised crime, corruption or other criminal activity - an apparent reference to Italy;
• countries subject to sanctions issued by international organisations such as the United Nations; and
• countries that "credible sources" believe to be governed weakly, with weak law enforcement and regulatory regimes.

The FATF identifies itself as a "credible source," despite the fact that its pronouncements and policy are dominated by the wishes of the American government. Others are the International Monetary Fund, the World Bank and the Egmont Group of Financial Intelligence Units. HM Treasury has itself identified the FATF as credible for these purposes.

Which investors are risky?

Customers' activities may indicate a 'higher risk' in the following cases.

• The customer is sanctioned by a national competent authority for failing to comply with its AML regime and is not engaging in remediation to improve its compliance.
• He is a politically-exposed person/PEP or his relatives or close associates are PEPs.
• He resides in (or his primary source of income originates from) a highly risky jurisdictions (regardless of whether that income originates from a cash-intensive business).
• He resides in countries considered (presumably by the FATF) to be un-co-operative in providing information about beneficial ownership.
• He acts on behalf of a third party and cannot provide consistent information and complete documentation thereon.
• He has been pilloried in the press, especially in connection with an acquisitive crime.
• His transactions might indicate a connection with criminal involvement, typologies or red flags provided in reports produced by the FATF or national police or financial intelligence units.
• He is also a provider of securities but either unregulated or regulated in a jurisdiction with "weak AML oversight," which technically includes every jurisdiction on earth, as no jurisdiction's authorities impound even as much as one-five-hundredth of criminal funds, according to the United Nations.
• He is engaged in, or derives wealth or revenues from, a highly risky cash-intensive business.

Product risk
 
Products and services that may indicate a higher risk include:

• Those that may inherently favour anonymity or obscure information about customers' underlying transactions (e.g. bearer-share instruments or the provision of omnibus account services).
• The geographical reach of the product or service being offered.
• Products that are unusually complex and have no obvious economic purpose.
• Products or services that permit the unrestricted or anonymous transfer of value (by payment or change of asset ownership) to an unrelated third party,
• particularly those residing in a higher risk jurisdiction.
• The use of new technology or payment methods that the securities provider does not use in the normal course of business.
• Products that have been particularly subject to fraud and market abuse, such as cheap securities.
• The purchase of securities using physical cash.
• Bank-like products such as check-cashing and automated cash withdrawal cards.
• Securities-related products or services funded by payments from or instructions given by unexpected third parties, particularly from highly risky jurisdictions.
• Transactions involving penny/microcap stocks.

Intermediary risk

An intermediary risk analysis should include the following factors, to the extent that these are relevant to the securities providers’ business model.

• If the intermediaries are suspected by someone-or-other of criminal activities, particularly financial.
• If they are located in highly risky countries or in countrieswith weak AML regimes.
• If they serve highly risky customers without appropriate risk-mitigating measures.
• If they have a history of non-compliance with laws or regulations or have been the subject of "relevant negative attention from credible media or law enforcement."
• If they have failed to attend or complete AML training at the request of the securities providers.
• If they have weak AML controls or do not effectively manage compliance with internal policies and/or the wishes of their regulators.

The compliance department

Each firm's compliance function and internal controls should do the following.

• Place priority on the securities provider’s operations (products, services, customers and geographic locations) that are more vulnerable to abuse than others.
• Provide for regular reviews of risk assessments and management processes.
• Test key components.
• Ensure that adequate risk assessment and controls are in place before offering new products or services.
• Regularly inform senior managers about compliance initiatives, identified deficiencies in compliance, corrective action that the compliance team has taken, and suspicious activity reports.
• Provide for something the FATF calls "programme continuity" in the event of people leaving.
• Keep records.
• Send in suspicious transaction reports on time.
• Fix controls on higher-risk customers, transactions and products such as transaction limits or approval by managers.
• Manage and oversee its intermediaries, checking their backgrounds initially, training them and monitoring the risks they pose thereafter.
• Supervise employees who handle transactions, complete reports, grant exemptions, monitor activity with a suspicious eye or engage in any other activity that forms part of the business’s AML programme.
• Incorporate AML compliance into job descriptions and the evaluations of appropriate people's performance.
• Ensure that the performance of staff "is not the driver for taking disproportionate ML/TF risks."
• Train all relevant staff and intermediaries, as applicable, at appropriate intervals.

Virtual assets

The FATF, unlike certain national regulators, stops short of classifying virtual assets as securities. Instead, it uses the term 'virtual asset' to refer to digital representations of value that can be digitally traded or transferred and can be used for payment or investment purposes, including digital representations of value that function as a medium of exchange, a unit of account, and/or a store of value.

The FATF has, albeit slightly, changed its '40 recommendations' and its accompanying glossary with regard to financial activities that involve virtual assets. The glossary now describes 'virtual asset service providers' as exchanges, certain types of wallet providers and providers of financial services for Initial Coin Offerings (ICOs). The new text states that jurisdictions should ensure that virtual asset service providers are subject to AML regulations that oblige them, for instance, to gather "customer due diligence" or CDD information, i.e. the facts about customers that should help them assess the extent to which those customers expose them to money laundering, while also monitoring customers continually, keeping records and reporting their suspicious transactions to their national financial intelligence units. They should be licensed or registered and subject to monitoring. The FATF is planning to elaborate further on these requirements in future.

The FATF has written: "All jurisdictions should urgently take legal and practical steps to prevent the misuse of virtual assets. This includes assessing and understanding the risks associated with virtual assets in their jurisdictions, applying risk-based AML/CFT regulations to virtual asset service providers and identifying effective systems to conduct risk-based monitoring or supervision of virtual asset service providers."

The standard-setter issued guidelines regarding the risk-based approaches that firms ought to take to virtual currencies in 2015. The operative recommendation is number 15, on the subject of 'new technologies.' Last month it revised R15 and added new definitions of 'virtual asset' and 'virtual asset service provider' in an attempt to clarify its ideas about the application of AML rules to virtual assets.