
Guidance on Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment by Non-Banking Financial Companies (NBFCs)


The Reserve Bank of India has issued a Notification on Internal ML/TF Risk Assessment by Regulated Entities – Amendment to Master Direction (MD) on KYC, under which Regulated Entities (REs) are required to carry out a ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise periodically to identify, assess and take effective measures to mitigate their money laundering and terrorist financing risk for clients, countries or geographic areas, products, services, transactions or delivery channels, etc.

While assessing the ML/TF risk, the REs are required to take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator/supervisor may share with REs from time to time. Further, the internal risk assessment carried out by the RE should be commensurate with its size, geographical presence, complexity of activities/structure, etc.

Also, the REs shall apply a Risk Based Approach (RBA) for mitigation and management of the identified risk and should have Board approved policies, controls and procedures in this regard. This requirement shall be applicable with immediate effect and the first assessment has to be carried out by June 30, 2020.


The concept of ML and TF risk assessment arises from the recommendations of the Financial Action Task Force (FATF). FATF has also provided detailed guidance on TF Risk Assessment. Due to the inter-linkage between ML and TF, the guidelines also serve the purpose of guiding ML risk assessment. TF risk is defined as:

“A TF risk can be seen as a function of three factors: threat, vulnerability and consequence. It involves the risk that funds or other assets intended for a terrorist or terrorist organization are being raised, moved, stored or used in or through a jurisdiction, in the form of legitimate or illegitimate funds or other assets.”


Based on FATF recommendations, many jurisdictions have prepared and published risk assessment procedures. India is yet to come up with the same.

For example, the National risk assessment of money laundering and terrorist financing is the guidance published by the UK government. It provides sector specific guidance for risk assessment. The sector specific guidance is further granulated keeping in view the specific threats to certain parts of the sector.

The guidance provided by the Republic of Serbia is a generalized one providing broad guidance to all sectors for risk assessment.

In Germany, financial institutions are classified on the basis of potential risk of ML/TF identified by them (considering the factors such as location, scope of business, product structure, customers’ profile and distribution structure) and the intensity of supervision by regulator is based on such risk categorization.


A risk-based approach is a process that allows you to identify potential risks of money laundering and terrorist financing and develop strategies to mitigate them.

The approach to the management of risk and risk mitigation requires the leadership and engagement of senior management towards the detection and deterrence of money laundering and terrorist financing. Senior management is ultimately responsible for making management decisions related to policies, procedures and processes that mitigate and control the risks of money laundering and terrorist financing within a business. 

Sl. No. Parameters Particulars
1. Risk Assessment

A risk assessment is an analysis of potential threats and vulnerabilities to money laundering and terrorist financing to which your business is exposed.

Based on the assessment, ML/TF risks should be classified as low, medium and high impact risks.

While assessing the risks, following factors should be considered:

  • The nature, scale, diversity and complexity of their business;
  • Target markets;
  • The number of customers already identified as high risk;
  • The jurisdictions the entity is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organized crime, and/or deficient AML/CFT controls and listed by RBI or FATF;
  • The distribution channels, including the extent to which the entity deals directly with the customer or relies on third parties to conduct CDD;
  • The internal audit and regulatory findings;
  • The volume and size of its transactions.

The risk assessment should be approved by senior management.

2. Analysis of ML/TF threats and vulnerabilities

In the context of money laundering/terrorist financing (ML/TF), risk means:

  • At the National level: threats and vulnerabilities presented by ML/TF that put at risk the integrity of India’s financial system.
  • At the Reporting Entity level: threats and vulnerabilities that put the reporting entity at risk of being used to facilitate ML/TF.

Threats: a threat could be a person (or group) or object that could cause harm. In the ML/TF context, a threat could be criminals, facilitators, their funds or even terrorist groups.

Vulnerabilities: elements of a business that could be exploited by the identified threat. In the ML/TF context, vulnerabilities could be weak controls within a reporting entity, offering high risk products or services, etc.

3. Risk Mitigation

To develop and implement policies and procedures to mitigate the ML/TF risks they have identified through their individual risk assessment:

  • Customer due diligence (CDD) processes should be designed to understand who their customers are;
  • Requiring them to gather information on what they do and why they require financial services;
  • To assess the ML/TF risk associated with a proposed business relationship;
  • Determine the level of CDD to be applied and deter persons from establishing a business relationship to conduct illicit activity.

4. CDD Procedures

  • Identifying the customer and, where applicable, the customer’s beneficial owner;
  • Verifying the customer’s identity on the basis of reliable and independent information, data or documentation to at least the extent required by the applicable legal and regulatory framework;
  • Understanding the purpose and intended nature of the business relationship;
  • To take measures to comply with national and international sanctions legislation by screening the customer’s and beneficial owner’s names against the UN and other relevant sanctions lists;
  • The CDD procedures and policies should suitably include checkpoints with respect to ML and TF.

5. Risk Categorization

The risk classification of the customer should also be done based on the CDD carried out.

In case of medium or high-risk customers, or unusual transactions, the entities should also carry out transaction due diligence to identify source and application of funds, beneficiary of the transaction, purpose etc.

NBFCs should document and state clearly the criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers.

6. Monitoring of Transactions
  • Monitoring in high risk situations: daily transaction monitoring, manual transaction monitoring, frequent analysis of information, considering the destination of funds, establishment of red flags based on typologies reports, reporting of monitoring results to senior management etc.
  • Monitoring in lower risk situations: thresholds, low frequency, automated systems.

7. Reporting

The NBFCs have the ability to flag unusual movement of funds or transactions for further analysis.

Funds or transactions that are suspicious should be reported promptly to the Financial Intelligence Unit (FIU) and in the manner specified by the authorities.

8. Internal Control

Adequate internal controls are a prerequisite for the effective implementation of policies and processes to mitigate ML/TF risk.

Internal controls include appropriate governance arrangements where responsibility for AML/CFT is clearly allocated and there are controls to test the overall effectiveness of the NBFC’s policies and processes to identify, assess and monitor risk.

9. Governance

The successful implementation and effective operation of an RBA to AML/CFT depends on strong senior management leadership and oversight of the development and implementation of the RBA across the functions.

Senior management should consider various ways to support AML/CFT initiatives:

  • To promote compliance as a core value of the NBFCs by sending a clear message that the NBFCs will not enter into, or maintain, business relationships that are associated with excessive ML/TF risks which cannot be mitigated effectively;
  • Senior management, together with the board, are responsible for setting up robust risk management and controls adapted to the NBFCs’ stated, sound risk-taking policy;
  • Implement adequate mechanisms of internal communication related to the actual or potential ML/TF risks faced by the NBFCs;
  • Decide on the measures needed to mitigate the ML/TF risks identified.

Steps taken by Senior Management to promote compliance:

  • To carry out product development and commercial campaigns in strict compliance with national AML/CFT legislation.
  • To involve senior management in AML/CFT training of staff.

10. Training and Awareness

The effective application of AML/CFT policies and procedures depends on staff within NBFCs understanding not only the processes they are required to follow but also the risks these processes are designed to mitigate, as well as the possible consequences of those risks.

It is therefore important that NBFCs’ staff receive AML/CFT training, which should be:

  • Of high quality, relevant to the NBFCs’ ML/TF risks, business activities and up to date with the latest legal and regulatory obligations, and internal controls;
  • Obligatory for all relevant staff;
  • Tailored to particular lines of business within the NBFCs, equipping staff with a sound understanding of specialized ML/TF risks they are likely to face and their obligations in relation to those risks;
  • Effective: training should have the desired effect, and this can be checked for example by requiring staff to pass tests or by monitoring levels of compliance with the NBFCs’ AML/CFT controls;
  • Ongoing: AML/CFT training should be regular, relevant, and not be a one-off exercise when staff are hired;
  • Complemented by AML/CFT information and updates that are disseminated to relevant staff as appropriate.

Overall, the training should also seek to build up a working behavior where compliance is embedded in the activities and decisions of all NBFCs’ staff.

11. Assessment of Controls

NBFCs should take steps to be satisfied that their AML/CFT policies and controls are adhered to and effective.


1) Facilitate the reporting of suspicious transactions:

  • Set up staff training on mechanisms to adequately detect unusual transactions;
  • Establish adequate channels to allow staff to report unusual transactions to the Compliance Officer;
  • Ensure confidentiality to staff reporting suspicious transactions.

2) Allow staff to report areas of policy or controls they find unclear/unhelpful/ineffective:

  • Establish ongoing consultation channels for staff concerning AML/CFT issues;
  • Ensure consistency of the answers given to staff questions concerning AML/CFT issues;
  • Conduct AML/CFT activities in such a way that they are perceived by all staff as a support to the quality of the NBFCs’ services provided to clients and the integrity of the NBFCs.


