Risk-based assessment, internal instructions and training of personnel
The supervised entity must apply such risk management procedures related to money laundering and terrorist financing as are commensurate with the nature and size of its business. In assessing risks, the supervised entity must consider the risks of money laundering and financing of terrorism related to new and existing customers, countries or geographical areas, products, services and transactions as well as distribution channels and technologies (risk-based assessment). The supervised entity must be able to demonstrate to the supervisor that it applies adequate risk management methods concerning customer due diligence and ongoing monitoring as required by the AML Act.
In addition, the supervised entity must have internal instructions suitable for its activities and clearly defined working processes for customer due diligence and AML/CFT. The supervised entity must ensure continuous training of its personnel.
Persons in charge and internal processes
The supervised entity must designate a person who receives reports on suspicious transactions and who has the authority to file reports with the Financial Intelligence Unit.
Attention must also be paid on the clarity of duties and allocation of responsibilities, work processes, internal reporting and the operability of internal control systems. The following general principles of internal control and risk management of companies largely apply to the prevention of money laundering and financing of terrorism:
- Management is responsible for risk management and procedures concerning money laundering and terrorist financing.
- The company has a clear view of who its customers are and to whom it provides its services.
- The company has persons who have the expertise and adequate decision-making powers to deal with money laundering and other aspects of misconduct on behalf of the company without delay.
- The personnel is provided comprehensive and continuous induction and training.
- Internal instructions are applicable to the company's activities and products.
- Working processes are clear.
- Internal reporting threshold is as low as possible.
- Internal control also covers compliance with AML/CFT obligations and procedures.