The Importance of Jurisdictional Risk When Doing Business with Money Services Businesses

Identifying jurisdictions that may pose a higher inherent risk of money laundering is one of the core components of an effective risk management process, both at an enterprise level and when assessing the risks relating to a particular business relationship. Erroneous risk classification of countries may lead to incorrect customer risk rating, and therefore application of insufficient customer due diligence measures (CDD), including those applied after establishing a business relationship. This in turn may affect the ability to identify and scrutinize suspicious or unusual transactions and as a result lead to facilitation of money laundering.

Varying Approach to Jurisdictional Risk Assessment

To identify the higher risk jurisdictions, firms usually use a range of sources. These include for example the lists of countries with strategic money laundering weaknesses, published by the Financial Action Task Force (FATF) and the European Commission and those that appear high on the Corruption Perception Index. Composite score rankings are also widely utilized, for example, the Basel AML Index. Firms applying more sophisticated jurisdiction risk assessment models are generally able to better identify the risks relevant to a given business relationship. Firms utilizing a simplistic model, for example, reliance on a single source providing a composite score, may often miscalculate their risk exposure and not account for those factors that are particularly relevant to a given relationship.

To help firms in developing robust jurisdiction risk assessments, in this article, we analyze the strength of regulations applicable to Money Services Businesses (MSBs) across seven jurisdictions commonly perceived as associated with low or medium money laundering risk: the U.S., Singapore, Hong Kong, Canada, Australia, Israel and the UAE. In our analysis, we used the FATF Mutual Evaluation Reports (MER) to illustrate how a detailed analysis of jurisdictional risk factors may lead to the identification of specific risks requiring additional due diligence or enhanced transaction monitoring.

MSBs

MSBs are considered by regulators as high-risk entities given that the nature of transactions involve large amounts of cash, third parties, intermediaries or ultimate beneficial owners whose identities are not known to the transmitter. Furthermore, it is rarely the case that an MSB knows either the source of funds or the purpose of the transaction. There is a long history of MSBs being abused by criminals to allow movement of illicit funds and facilitate financial fraud, terrorist funding, and bribery and corruption activities, including drug and human trafficking. For example, in the UK, the 2015 National Risk Assessment (NRA) identified “that at least GBP 1.5 billion (bn) of UK criminal proceeds go through MSB remittance each year”.¹ The December 2020 NRA found that terrorist organizations continue to use MSBs as a means to move funds.²  It also reported that the recent de-risking efforts in the banking sector to reduce the risk exposure to MSB relationships could have driven some MSBs to revise their business model to include the use of intermediary payment service providers and informal value transfer (IVT) mechanisms, such as hawala. The NRA estimates that IVT networks launder over GBP 2 bn per year in the UK.
 
Yet, in numerous jurisdictions we selected for our analysis, the KYC, monitoring and sanctions screening requirements in respect of MSBs are less stringent compared to the UK. As such, when dealing with MSBs, one would question whether it is still appropriate for firms to rely on the regulated or supervised status; and consider that the financial crime risk is therefore mitigated, or whether the strength of the AML regulations and supervision should play a major factor in the risk assessment. All jurisdictions selected for analysis had identified the MSB sector as posing a key money laundering vulnerability; however, the number of MSB firms vary significantly between the jurisdictions.³

To illustrate how a detailed analysis of jurisdictional risk may impact the risk of a relationship with an MSB established in one of the seven jurisdictions, below we set out an overview of some differences in regulations and the associated risks. 

Threshold for Application of CDD Measures

In all jurisdictions, except Israel and the U.S., the threshold for application of CDD measures by the MSB is set around EUR 1,000. In Israel, MSBs are required to verify the customer for cash transactions above NIS 10,000 (c. EUR 2,400) and non-cash transactions above NIS 50,000 (c. EUR 12,000). Similarly, in the U.S., customer verification applies only to transactions above USD 3,000 (c. EUR 2,500). This means that while firms may take comfort from dealing with an institution subject to anti-money laundering (AML) supervision in Israel or the U.S., it is likely that no CDD was completed for transactions under these thresholds, which may represent a large proportion of customers. In effect, there is no certainty whether the details of the originating customer are correct; this limits the effectiveness of not only the transaction monitoring rules in place (e.g., detection of multiple transfers from the same originator) but also the sanction screening. Applying EDD measures when onboarding an MSB (i.e., reviewing AML policies, procedures and controls of an MSB) will not reduce the risk of facilitating movement of illicit funds given that the MSB itself won’t often know what funds are being moved.

Extent of Required CDD Measures

In some jurisdictions, MSBs are only expected to apply limited CDD measures for the transactions above the CDD threshold. For example, in Hong Kong, there is no expectation to apply EDD for politically exposed persons from mainland China. In Israel and the U.S., there are no explicit requirements to verify the customer’s ultimate beneficial owner. In the U.S., although MSBs are expected to implement an effective AML program, those operating solely as a money transmitter are not required to establish a Customer Identification Program compliant with the Bank Secrecy Act (BSA). These limitations pose additional risks regarding the origin of funds being transferred.
 
Completeness of Originator and Beneficiary Information

In most jurisdictions, with some variations, the threshold for including the originator and beneficiary information in a wire transfer is the same as for the application of CDD. For example, in Canada, MSBs are not required to include beneficiary name, address and account number for transfers below CAD 10,000 (c. EUR 6,000). In Canada, Israel and the U.S., there are also no specific requirements for intermediary and beneficiary financial institutions to identify cross-border transfers that contain inadequate originator information. This may indicate that the funds being transferred by MSBs from these jurisdictions may be of unknown source and destination, further increasing the risks related to effective monitoring of transactions and compliance with sanctions legislation.

Identifying and Managing Risk

To assist firms with developing effective tools to identify and manage the jurisdiction risk when dealing with MSBs, below we set out four areas of good practice:

• Firms should utilize a range of sources and ensure these sources provide information relevant to the risks associated with a particular type of relationship and services it provides. Firms should monitor their jurisdiction risk exposure regularly to ensure this remains within the firm’s risk appetite. Reliance on a single source, providing a composite score for a jurisdiction may not provide sufficient information to determine the level of due diligence measures required. 
• Where the risks related to the equivalency of regulations or strength of supervision appear increased, firms should apply additional due diligence measures, for example, requiring the customer to provide an independent assessment of their AML systems and controls or carry out an on-site inspection. While reviewing customers’ AML policies and procedures may provide some insight into the AML controls, such review provides no information on the effectiveness of these procedures. 
• Transaction monitoring arrangements should be configured in a way allowing the firm to identify and scrutinize those transactions that may not have been subject to CDD. In extreme scenarios, firms may want to consider, for example, excluding certain transactions from the agreement with the customer. 
• Appropriate training should be provided to employees involved in risk assessment, customer onboarding, transaction monitoring and sanction screening, allowing them to appreciate the risks related to differences in AML legislations among jurisdictions. 

How We Can Help

Kroll (Duff & Phelps rebranded to Kroll in February 2021) helps a wide range of financial services firms to identify, remediate and manage regulatory risk in their business, including developing a robust jurisdictional risk assessment that is tailored to individual firms. Our team operate locally and globally to meet our clients’ diverse needs, backed by our deep understanding of jurisdictional risks associated with countries around the world.
 
This article was written by Maria Evstropova, Director, and Julius Kania, Vice President, in our global Financial Services Compliance and Regulation practice.

Sources:
¹https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf
²https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/945411/NRA_2020_v1.2_FOR_PUBLICATION.pdf 
³As per the data in the latest MER for a given country