The Bangko Sentral ng Pilipinas (BSP) has issued guidance for central bank-supervised financial institutions (BSFIs) on conducting institutional risk assessments (IRAs). In addition to setting out firms’ regulatory obligations, the paper offers practical guidance on identifying, analyzing, and understanding the money laundering (ML), terrorist financing (TF), and proliferation financing (PF) risks that can arise from BSFI business activities and relationships.
Governing regulations, standards, and expectations
The BSP defines IRAs as the “cornerstone of a risk-based approach to ML/TF/PF and sanctions risks prevention and mitigation.” It bases its recommendations on foundational regulations and international standards, including the Anti-Money Laundering Act of 2001 (AMLA) and the Financial Action Task Force (FATF) standards.
Once an IRA has been conducted, BSFIs are expected to craft bespoke policies, controls, and procedures to manage and mitigate the identified risks effectively. These procedures should result in a risk-driven ML/TF/PF prevention and mitigation strategy in line with the risk-based approach required by the AMLA and the FATF.
The BSP covers four vital regulatory expectations firms should consider when crafting their risk assessments. These include:
- Using a methodology aligned with the BSFI’s risk appetite and context
- Identifying and analyzing the ML/TF/PF and sanctions risks that could arise before the development or launch of new products, services, and technologies
- Implementing enhanced measures in the areas categorized as high risk
- Ensuring the IRA is made available to the BSP as part of risk-based supervision
Based on the FATF Guidance on National Money Laundering and Terrorist Financing Risk Assessment, the BSP provides a diagram of the systemic IRA process from planning and scope to reporting, monitoring, and reassessment.
The BSP reminds BSFIs to clarify the risk assessment’s objective at the outset of the process. BSFIs must define the focus of the IRA and set its scope to determine whether it is a combined or individual assessment for ML/TF/PF and sanctions risks.
While the BSP highlights there is no “one-size-fits-all” approach to assessing ML/TF/PF and sanctions risks, adopting a suitable methodology proportionate to the nature and complexity of the BSFIs’ activities and operations is critical. The chosen method must not only achieve the defined objective of the assessment but also align with the BSFI’s risk appetite.
Once the IRA methodology has been identified, the BSP outlines the three stages of risk assessment:
- Stage 1: Identification – Understanding the threat environment and listing known threats, including relevant predicate offenses and their proceeds.
- Stage 2: Analysis – Assessing the nature, sources, likelihood, and consequences of the identified risks.
- Stage 3: Evaluation – Determining priorities and developing practical strategies proportionate to the level of assessed residual risks (the risk remaining after risk treatment).
Monitoring and additional controls
To ensure the IRA remains up to date, the BSP advises BSFIs to update their assessments once every two years, or as often as senior management deems necessary. In addition to updated risk assessments, BSFIs should ensure they review the suitability of their chosen IRA methodology and clarify the adequacy of the data, information, and reports used in the evaluation.
To counteract any high residual risk, the BSP identifies four additional controls BSFIs should consider implementing. These include:
- Introducing or amending transaction limits
- Requiring approval of a higher authority
- Conducting additional due diligence on transactions that exceed thresholds
- Exclusively providing certain products to a specific target market (e.g., a low-risk sector)
The BSP encourages BSFIs to designate a champion who will ensure the completion of the IRA. However, the IRA should also have the strong support of the Board of Directors and Senior Management.
Compliance staff should ensure they are familiar with the guidelines in this paper and actively look for ways to incorporate the recommendations into their IRA process.
As the deadline draws closer for the Philippines’ next report to the FATF, further improvements to the country’s AML/CFT regime can be expected. While IRAs did not feature in the Philippines’ last Asia/Pacific Group on Money Laundering (APG) Mutual Evaluation Report, the guidance points to the country’s steps toward improving its AML/CFT regime in light of being re-added to the FATF greylist in June 2021. The Philippines’ next report to the FATF is due in September 2022.
This IRA guidance is also part of a broader move by the Philippines to ensure the core pillars of its AML/CFT regime are robust enough to withstand regulatory scrutiny. Last year, the country issued guidance to banks and financial institutions to include the identities of beneficial owners or account holders in their suspicious transaction reports (STRs). Additionally, regulated firms are now required to have an automated and real-time fraud monitoring and detection system to address the growing number of cyber fraud incidents.