January 2021
Payment Services Providers and participants –AML-RBA Oversight Guidelines (January 2021)
TABLE OF CONTENTS
1. INTRODUCTION
2. LEGAL FRAMEWORK
Compliance with Anti-Money Laundering Laws
3. RISK-BASED APPROACH
4. OBJECTIVE OF THE GUIDELINE
5. SCOPE AND APPLICATION OF THE GUIDELINE
6. BENEFITS AND RATIONALE FOR RBA
7. ENFORCEABILITY OF THIS GUIDELINE
8. RISK CATEGORIES AND DEFINITIONS
9. IDENTIFYING AND UNDERSTANDING ML/TF RISKS
10. COMPONENTS OF THE RBA
Risk-Based Approach vs Risk Appetite:
Implementation process:
11. GENERAL GUIDANCE ON AML/CFT
Key Narrative
Terrorism Financing
12. AML/CFT REQUIREMENTS FOR PSPs/FIs
13. AML/CFT GOVERNANCE FRAMEWORK
14. AML/CFT RISK MANAGEMENT
15. KNOWING YOUR CUSTOMER (KYC) AND CUSTOMER DUE DILIGENCE (CDD)
16. CUSTOMER ACCEPTANCE POLICY
17. TECHNOLOGICAL DEVELOPMENTS
18. TRANSACTION MONITORING
19. IDENTIFICATION OF DESIGNATED ENTITIES AND PERSONS AND FREEZING OF FUNDS
20. KNOWING YOUR EMPLOYEE (KYE)
21. CORE OBLIGATIONS OF REPORTING ENTITIES
DEFINITIONS
‘Agent’ means a person acting in the name and on behalf of, and so
representing, one or more PSPs issuing a retail payment instrument
vis-à-vis users. The issuing PSP is subject to all relevant
Zimbabwe rules on principal-agent relationship. By virtue of the
agency agreement, the agent is permitted to conduct solely and
specifically the services indicated in the agreement.
LIST OF ABBREVIATIONS
AML/CFT Anti-Money Laundering and Combating Financing of Terrorism
CAP Customer Acceptance Policy
CBR Correspondent Banking Relationship
CDD Customer Due Diligence
ME Mutual Evaluation
ML/TF Money Laundering and Terrorist Financing
MLPC Money Laundering & Proceeds of Crime Act, Chapter 9:24
1. INTRODUCTION
1.7 The Reserve Bank of Zimbabwe (RBZ) through its National Payment
Systems is issuing an Anti-Money Laundering (AML) Risk Based
Oversight and Supervision Guideline (hereinafter referred to as the
Guideline) to ensure that the payment services providers or financial
institutions that fall under its regulation comply with the MLPC Act and
implement robust AML/CFT frameworks that are commensurate with their
size, complexity and risk profile.
1.8 In 2015, Zimbabwe was subject to a 4th Round Mutual Evaluation (ME) by
the Eastern and Southern Africa Anti-Money Laundering Group
(ESAAMLG) to assess compliance with the FATF’s revised Standards.
The country also conducted a National Risk Assessment (NRA) during
the 2014/2015 period.
1.9 Consequently, this revised Guideline seeks to address the findings of the
ME and the subsequent NRAs whilst closely reflecting the 2012 revised FATF
Recommendations.
2. LEGAL FRAMEWORK
2.4 The MLPC Act, section 12B, requires financial institutions to apply
risk-sensitive measures based on a comprehensive ML/TF risk assessment. The
section relates to assessing risks and implementing a risk-based approach by
financial institutions (FIs) and designated non-financial businesses and
professions (DNFBPs).
2.5 Nevertheless, implementing such an approach involves a comprehensive
analysis and profound knowledge of AML standards and international KYC
norms and standards.
3. RISK-BASED APPROACH
3.1 The risk-based approach (RBA) is the most effective way to combat money
laundering and terrorist financing.
According to FATF guidance, published in October 2014, “RBA to
AML/CFT means that countries, competent authorities and financial
institutions are expected to recognise or identify, assess and understand the
ML/TF risks to which they are exposed and take AML/CFT measures
commensurate to those risks in order to mitigate them effectively.”
Implementation process:
10.7 During the implementation process, it is important for the financial
institution to plan the process to eliminate gaps that can lead to negative
observations from the regulators.
10.8 The first step is the basis for implementing the RBA and should cover all
aspects by identifying the risk factors and setting up risk scoring.
Key Narrative
11.1 Money laundering is the process used by criminals to conceal the illegal
origin and ownership of funds derived from criminal activities. If
successfully undertaken, it allows them to maintain control over those
proceeds; the funds lose their criminal identity and appear to be legitimately
derived.
11.2 The money laundering process involves three (3) main stages, namely,
placement, layering and integration:
i. Governance,
ii. Institution and related sector,
iii. Products and services,
iv. Delivery channel,
v. Customers,
vi. Geographic location.
11.5 However, money laundering risks may be measured using various
categories, which may be modified by risk variables. The Wolfsberg
risk-based approach guidance provides the most commonly used risk criteria.
11.6 Based on Wolfsberg’s guidance on a risk-based approach, the risk factors
or indicators that allow the assessment and measurement
of the level of risk can be summarized in the following diagram:
Source: Wolfsberg
11.7 Identifying these risk factors will assist in defining the weightage (weighted
risk level) by listing each component and attributing a rating that will allow
the risk rating.
11.8 In order to define the customer risk, the financial institution should
understand the nature of the customer and that should be defined based on
its vulnerability to money laundering and terrorist financing (e.g., the
AML/CTF risk would be higher for non-resident customers than for
residents).
11.9 Identifying the risk level of customers can be challenging for financial
institutions in countries where there is no clear definition of high risk
customers or activities. However, there are international organizations that
have advised on the type of customers susceptible to being used by money
launderers and terrorist financiers; such as FATF recommendations,
Terrorism Financing
11.11 Terrorism is defined as the unlawful threat of action designed to compel the
government or an international organization or intimidate the public or a
section of the public for the purpose of advancing a political, religious or
ideological belief or cause. Financing of terrorism (FT/TF) is the process
by which funds are provided to an individual or group to finance terrorist
acts.
11.12 The key difference between ML and TF is that with ML, the person seeks
to disguise the origins of illicit funds with a profit motive in mind; while in
contrast, a person funding terrorism may use legitimately-held funds to
pursue illegal and ideological motives. Financial institutions should bear
this in mind when assessing the risks posed by those funding terrorism.
11.13 A financial institution that carries out a transaction, knowing that the funds
or property involved are owned or controlled by terrorists or terrorist
organisations or that the transaction is linked to or is likely to be used in
terrorist activity, is committing a criminal offence.
11.14 TF often involves small sums of money and may be difficult to detect.
Notwithstanding, many of the AML controls financial institutions have in
place will overlap with measures to combat the financing of terrorism
(CFT). These may include for example, risk assessments, customer due
diligence procedures,
12.1 Payment Services Providers regulated under the NPS Act are required to
implement risk-based AML/CFT compliance programmes that are
approved by their board of directors.
12.1.1 Internal systems, processes and controls to ensure ongoing compliance
with AML/CFT requirements;
12.1.2 Internal and external audits to verify compliance with AML/CFT
requirements;
12.1.3 Training of relevant personnel in the identification, monitoring and
reporting of suspicious transactions; and
12.1.4 A Compliance Officer, appointed by Senior Management and
approved by the RBZ, with responsibility for continuous compliance
with the AML/CFT legislation and guidelines.
12.1.5 The Compliance Officer is required to be “fit and proper” to diligently
carry out AML/CFT responsibilities effectively.
and processes that are put in place to prevent ML/FT and PF are
appropriate. Refer to Annexure 1.
13.3 The PSP’s or financial institution’s AML/CFT programme should be risk-based
and commensurate with the nature, size, complexity and inherent
risks of the institution.
13.4 The PSP’s or financial institution’s AML/CFT policies, procedures and
controls must be clearly documented and communicated to all relevant
employees in the business units. All employees must be adequately trained
to implement the AML/CFT policies and procedures and to be aware of
their obligations in ensuring compliance with prevailing AML/CFT laws,
regulations and guidelines.
13.5 The compliance function and other control functions comprise the second
line of defence and are responsible for ongoing monitoring of the financial
institution’s compliance with AML/CFT requirements.
13.6 Internal Audit is responsible for independent oversight and evaluation of
the PSP’s or financial institution’s AML/CFT risk management controls,
processes and systems, and of the effectiveness of the first and second line of
defence functions. Findings of such reviews must be reported to the audit
committee of the Board or an equivalent oversight body.
13.7 External auditors and the RBZ play a critical role in independently
assessing the institution’s overall governance and control structure to
determine whether it is adequately complying with the relevant standards
and rules.
13.8 External auditors are required to conduct an annual AML/CFT audit on all
regulated entities and submit reports to the RBZ. (Refer to Annexure 1)
15.4 Financial institutions are required to conduct CDD on the customer and
where applicable, the beneficial owner and the person acting on behalf of
the customer at appropriate times such as when a customer is attempting to:
15.4.1 Establish a business relationship;
15.4.2 Conduct a one-off or occasional transaction based on set limits,
where the transaction is carried out in a single operation or in several
operations that appear to be linked; or
15.4.3 Conduct a one-off or occasional wire transfer above a set limit where
the transaction is carried out in a single operation or in several
operations that appear to be linked.
15.5 Financial institutions may also conduct CDD where:
15.5.1 There is suspicion of ML/TF, regardless of the amount of the
transaction, unless doing so results in tipping off the customer. In such
instances, the financial institution may forego the CDD and must file
an STR;
15.5.2 There is doubt about the veracity or adequacy of documents, data or
information previously obtained for the purposes of identification or
verification.
15.6 CDD should also be conducted when there is a change in the circumstances
of the customer, for example, changes to the customer’s transaction activity.
15.7 The primary purpose of the CDD process is to ensure that the financial
institution knows its customers and understands their financial activities.
There should be sufficient information to obtain a complete picture of the
risk associated with the business relationship and provide a meaningful
basis for subsequent monitoring.
17.3 Nothing in this document shall be taken to indicate the RBZ’s licensing,
authorisation, endorsement or validation of digital currency services or of any
entities involved in providing similar services associated with digital
currencies.
17.4 Accordingly, dealings in digital currencies are not covered by prudential
and market conduct requirements applicable to licensed and authorised
activities, or by established avenues for redress in the event of complaints
or losses and damages incurred by parties dealing in digital currencies.
17.5 Financial institutions must therefore assess the ML/TF risks associated with
the introduction of all:
17.5.1 New financial products and services and/or changes to existing
products and services;
17.5.2 New or additive and developing technologies used to provide
services.
17.6 Financial institutions must:
17.6.1 Undertake the risk assessment and approval prior to the launch or
adoption of such new digital services, products, business practices and
technologies;
17.6.2 Take appropriate measures to manage and mitigate the risks; and,
17.6.3 Properly document the risk assessment.
17.7 In such instances, financial institutions must also consider as applicable, the
RBZ’s Guidelines regarding new or materially different products and
services in line with the NPS, Banking and Exchange Control Acts among
others.
17.8 Financial institutions must also assess the level of risk associated with
potential or existing customers and third parties who offer technologically
innovative products and services, such as Fintech companies, to determine
whether the relationship poses higher ML/TF risk and thereafter, categorize
the relationship and conduct due diligence accordingly.
17.9 In this regard, financial institutions should ensure there are systems and
controls in place to identify emerging ML/TF risks, assess and where
appropriate, incorporate these into the institutional risk assessments in a
timely manner.
17.10 The Central Bank will continue to monitor developments on new payment
methods and provide additional guidance as necessary on emerging best
practices to address regulatory issues in respect of ML/TF risks.
18.4 Regardless, the key element of any system is having up-to-date customer
information to facilitate the identification of unusual activity.
18.5 Monitoring can be either:
18.5.1 In real time, in that transactions and/or activities can be reviewed as
they take place or are about to take place; or
18.5.2 After the event through an independent review of the transactions
and/or activities that a customer has undertaken.
18.5.3 Any monitoring mechanisms commensurate with the level of risk
identified and measured.
18.6 PSPs and financial institutions should also have systems and procedures to
deal with customers who have not had contact for some time, such as
dormant accounts or relationships, to be able to identify future reactivation
and unauthorized use.
18.7 In designing monitoring arrangements, it is important that appropriate
account be taken of the frequency, volume and size of transactions with
customers, in the context of the assessed customer and product risk.
18.8 Monitoring processes and systems should enable trend analysis of
transaction activity including monitoring of transactions with parties in
higher risk countries or jurisdictions, to identify unusual or suspicious
business relationships and transactions.
18.9 The monitoring system should enable PSPs or financial institutions to
monitor and report to senior management on significant customer
relationships and activity on an individual or consolidated basis across the
financial group and identify activity that is inconsistent with the financial
institution’s knowledge of the customer, their business and risk profile.
20.10 The standards should include a code of ethics for the conduct of all
employees and procedures should allow for regular reviews of employees’
performance and their compliance with established rules and standards. It
should also provide for disciplinary action in the event of breaches of
these rules.
20.11 Financial institutions and PSPs should monitor employees, paying
particular attention to employees whose lifestyles cannot be supported by
their salary or known financial circumstances.
20.12 Supervisors and managers should be encouraged to know the employees
in their department and investigate any substantial changes in their
lifestyles which do not match their financial condition. Procedures should
provide for special investigation of employees who are associated with
unexplained shortages of funds.
21.9.2 Considering all the relevant risk factors before determining
the level of overall risk and the appropriate level and type of
mitigation to be applied;
21.9.3 Keeping the assessment up-to-date through a periodic review; and
21.9.4 Having appropriate and clearly defined mechanisms to provide risk
assessment information to the supervisory authority.
21.10 PSPs or FIs do not have to follow all the processes in this Guideline but
should apply the method of risk assessment that best suits their individual
business needs, as long as it is adequate for the business and tailored to
the local context.
21.11 However, they should be able to explain and demonstrate to the Central
Bank the adequacy and effectiveness of the procedures, policies and controls
stated therein, within the context of Zimbabwe’s AML/CFT
requirements.
Risk Profiling
21.18 Financial institutions including PSPs must conduct risk profiling on their
customers.
21.19 In profiling the risk of its customers, reporting institutions must consider
the following factors:
21.19.1 Customer risk (e.g. resident or non-resident, type of customers,
occasional or one-off, legal person structure, status as PEP,
occupation);
21.19.2 Geographical location of business or country of origin of customers;
21.19.3 The products, services, transactions or delivery channels (e.g. cash-
based, face-to-face, non-face-to-face, domestic or cross-border); and
21.19.4 Any other information suggesting that the customer is of higher risk.
Beneficial Owner
21.27 Note that the concept of ‘beneficial owner’ is now extensively defined in
section 13 of the MLPC Act. This should be carefully studied by all
CROs.
21.28 It is critical to emphasise that the concept of beneficial ownership is not
the same as legal ownership and cannot be determined by reference to the
legal position alone. Beneficial ownership is a broader concept which
focuses on real benefit and/or ultimate effective control.
21.29 The four core CDD obligations apply across the full range of business
relationships and transactions that may be undertaken by reporting
entities, and continue after a business relationship has been established.
Ongoing Monitoring
21.30 The CDD obligations are supplemented by the general obligation of all
reporting entities to conduct ongoing monitoring of all business
relationships.
21.31 Ongoing monitoring has two key components:
Dormant accounts
21.59 Reactivation of dormant accounts can only be undertaken following
reverification of the account holder in line with the requirements for new
customers.
22.4 Reporting entities should ensure that they obtain full name and address
information from the ordering customer for all credit/debit transfers made
by electronic means, both domestic and international, regardless of the
payment or message system used.
22.5 To ensure that the SWIFT system is not used by criminals as a means to
break the audit trail, when sending SWIFT MT 100 messages (customer
transfers), reporting entities should accurately complete the fields for both
the ordering and beneficiary customers with their respective names and
addresses.
22.6 In addition, when the transfer is the result of a credit or debit card
transaction, it is not necessary to include or keep originator information
as long as the credit or debit card number is included with the transfer.
22.7 Records of electronic payments and associated messages must be treated
in the same way as any other transaction records and kept by the reporting
entity in an accessible form for a minimum of ten years (refer section 9.2
Guidelines for Retail Payment Systems and Instruments 2017).
24. REMITTANCES
24.1 Full details of all remittances, as required by law, must be recorded
including names of the beneficiary.
24.2 If information as required by law relating to the name of the originator
(including details of the transaction) is not provided by the customer, then
the transaction should not be processed and the PSP or FI should consider
submitting a report to the FIU.
24.3 If staff have any concerns about the validity of the documents provided
by the customer, reference must be made to senior management and/or the
compliance officer before conducting the transaction. Copies of
supporting documents must be kept together with the payment system or
wire transfer application form.
24.4 In circumstances where the PSP/FI’s knowledge of the customer is not
consistent with the value or purpose of the remittance but staff are satisfied
regarding the explanation given for the remittance, the remittance may be
processed for payment.
24.5 Future requests to transfer funds should be monitored against the
customer profile to confirm or deny the initial explanation. Should staff
form a view that the customer may be involved in money laundering or
terrorist financing, a suspicious transaction report must be completed and
submitted to the compliance officer.
SIGNATURE :
ATTACHMENT OF ANNEXURES
ANNEXURE 1
Board of Directors and Senior Management Responsibilities
ANNEXURE 2
General Guidance to Risk Based Approach
PSPs and participating institutions may conduct their internal money
laundering and financing of terrorism risk assessments (for their customers,
products & services, transaction channels and geographic areas) for the
purpose of developing their own policies and procedures, in order to identify,
assess, manage and mitigate related risks on an ongoing basis.
iii) All PSPs and FIs should complete the risk-based template to determine
the potential risk levels (see Annexure 1).
Indicator* | Correlation of indicator to Risk | Importance of indicator** (5 Very high, 4 High, 3 Medium, 2 Low, 1 Very low) | Institution's Risks for each indicator***: Name of Institution | Institution's Risks for each indicator***: OVERALL
Corporate Governance | Positive | Very high | Very low | Very low
ML/TF risk level for the sector | Positive | Very high | Very low | Very low
Legal Framework Clarity | Positive | Very high | Very low | Very low
Size of Institution | Positive | Very high | Very low | Very low
Complexity & No of Products | Positive | Very high | Very low | Very low
Geographical Spread | Positive | Very high | Very low | Very low
Transactional Values | Positive | Very high | Very low | Very low
Customer Base | Positive | Very high | Very low | Very low
High Net Worth Customers | Positive | Very high | Very low | Very low
Foreign Customers | Positive | Very high | Very low | Very low
Foreign Customers from High Risk Countries | Positive | Very high | Very low | Very low
Customers with Predictable Sources of Income | Positive | Very high | Very low | Very low
Customers with Unpredictable Sources of Income | Positive | Very high | Very low | Very low
PEPS | Positive | Very high | Very low | Very low
ANNEXURE 3
Risk Profiling of Customers
PSPs and participating institutions (FI) should profile every new customer
using their own judgment and information obtained through CDD/KYC
process. A template of Customer Risk Profiling (CRP) is provided at
‘Annexure-3A’ for guidance in order for respective institutions to develop
their own CRP formats considering their business activities, customer base
and internal procedures etc.
PSPs and all FIs are required to have adequate policies and processes,
including strict customer due diligence (CDD) rules to promote high ethical
and professional standards in the digital financial services sector and prevent
the institution from being used, intentionally or unintentionally, for criminal
activities.…
For proven lower risk situations, simplified measures may be permitted, if this
is supported by the appropriate customer risk profiling.
Annexure 3A.
Others
TOTAL 139
Benchmarking
Risk Score Range Rating
Below 50 1
51 - 80 2
→81 - 110 3
111 - 140 4
141 - 170 5
170 & above 6
ANNEXURE 4
Specific High Risk Elements and Recommendations for EDD
Some of the relatively high risk elements identified by regulators and recommended actions for EDD may be
but not limited as under; Refer
Proprietorships and self-employed individuals/professionals:
In relation to these accounts, following measures may be taken by FIs:
(i) The business transactions in personal accounts of proprietors may only be
permitted by linking it with account/business turnover. For example, such
customers having monthly turnover equivalent to say USD10,000.00 or
above may be required to open a separate account for business related
transactions; and
Online transactions/remittances/e-payments:
In relation to such transactions, FIs should pay special attention to
geographical factors/locations for movement of funds.
ANNEXURE 5
General High Risk Factors
In respect of general high risk elements mentioned at section (20) above, PSPs
or FIs may conduct EDD measures which are effective and commensurate to
the level of risks.
Description | Factors
General low risk factors, customers:
i) A financial institution regulated/supervised by the Central Bank except
for cooperatives;
Low risk factors for Geography or Locations:
i) Country identified by credible sources such as mutual evaluation or detailed
assessment reports, as adequately complying with and having effectively
implemented the FATF Recommendations; and
ii) Country identified by credible sources as having a low level of corruption, or
other criminal activity.
intended purpose and nature of account may be ascertained from the relationship
established or from the type of transactions.
ANNEXURE 6
Other Sources of AML/CFT Guidance
The Financial Action Task Force has prepared a number of documents that provide detailed
guidance to reporting entities to help them better implement their AML/CFT obligations
under domestic legislation. Some of the guidance documents a reporting entity may
consider consulting include the following:
http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf
iii) Guidance for a Risk-Based Approach for Money or Value Transfer Services (2016)
http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf
ix) http://www.fatf-gafi.org/media/fatf/documents/recommendations/GuidanceUNSCRS-Prolif-WMD.pdf
http://www.fatf-gafi.org/media/fatf/documents/reports/AML_CFT_Measures_and_Financial_Inclusion_2013.pdf