Financial institutions and DNFBPs are required to identify, assess, and understand their crime risks in concert with their business nature and size, and comply with the following:
Considering all the relevant risk factors such as customers, countries or geographic areas; and products, services, transactions and delivery channels, before determining the level of overall risk and the appropriate level of mitigation to be applied.
Documenting risk assessment operations, keeping them up to date on on-going bases and making them available upon request.
Financial Institutions and DNFBPs shall commit to take steps to mitigate the identified risks mentioned as per Clause (1) herein, taking into consideration the results of the National Risk Assessment, by the following:
Developing internal policies, controls and procedures that are commensurate with the nature and size of their business and are approved by senior management, to enable them to manage the risks that have been identified, and if necessary, to monitor the implementation of such policies, controls and procedures and enhance them as per Article (20) of the present Decision.
Applying CDD measures to enhance high risks management once identified. Examples include:
Obtaining more information and investigating this information such as information relating to the Customer and Beneficial Owner identity, or information relating to the purpose of the business relationship or reasons of the transaction.
Updating the CDD information of the Customer and Beneficial Owner more systematically.
Taking reasonable measures to identify the source of the funds of the Customer and Beneficial Owner.
Increasing the degree and level of ongoing business relationship monitoring and examination of transactions in order to identify whether they appear unusual or suspicious.
Obtaining the approval of senior management to commence the business relationship with the Customer.
In case the requirements stipulated in Clauses (1 and 2) above are met, the Financial Institutions and DNFBPs shall be permitted to apply simplified CDD measures to manage and limit the identified low risks, unless there is suspicion of a committed Crime. The simplified CDD measures should be commensurate with the low risk factors. These include the following, as examples:
Verifying the identity of the Customer and Beneficial Owner after establishing the business relationship.
Updating the Customer’s data based on less frequent intervals.
Reducing the rate of ongoing monitoring and transaction checks.
Concluding the purpose and nature of the business relationship based on the type of transactions or the business relationship that has been established, without the need to gather information or performing specific procedure.