2024-07-11

Guidelines for Self-Assessment of Money Laundering and Terrorist Financing Risks 2024

The Central Bank of Iraq requires all supervised entities to conduct structured self-assessments of money laundering and terrorist financing risks, aligned with the Risk-Based Approach (RBA) and covering inherent risk identification, control evaluation, and residual risk determination. Entities must implement robust Know Your Customer (KYC) procedures, maintain continuous monitoring and internal audits, and submit documented annual reports to the CBI in accordance with prescribed formats. This guideline aligns with FATF recommendations, the National Risk Assessment (NRA), UN Security Council resolutions, EU regulations, and OFAC sanctions. Compliance is mandatory from the date of issuance, and non-compliance is subject to supervisory actions and disciplinary penalties.

Iraq

Central Bank of Iraq

CENTRAL BANK OF IRAQ

Republic Of Iraq | CBI Head Office: Al-Rasheed St. Baghdad - Iraq | Tel: 8165171 | P.O. Box: 64 | Fax: 0096418166802 | E-Mail: cbi@cbi.iq | Date: 14/05/2024 | Ref: cbi@cbi.iq

Guidelines for Self-Assessment of Money Laundering and Terrorist Financing Risks 2024

1. Objective and Scope

This guideline establishes the mandatory framework for conducting self-assessments of money laundering (ML) and terrorist financing (TF) risks across all entities supervised by the Central Bank of Iraq (CBI). It aims to standardize risk identification, evaluation, and reporting processes, ensuring consistent application of the Risk-Based Approach (RBA) in line with international best practices.

2. Alignment with RBA and FATF Recommendations

The self-assessment process is fundamentally built upon the Risk-Based Approach (RBA) and fully aligns with the Financial Action Task Force (FATF) recommendations. Supervised entities must integrate FATF standards into their internal policies, ensuring that risk identification covers all relevant ML/TF typologies and vulnerabilities. The guideline mandates continuous monitoring, adequate record-keeping, and periodic reviews to maintain compliance with evolving regulatory expectations.

3. Risk Assessment Methodology

Entities are required to conduct a structured three-stage risk evaluation:

  • Inherent Risk: Identification of ML/TF risks before applying any controls, considering the entity’s business model, customer base, products, delivery channels, and geographic exposure.
  • Risk Mitigations: Evaluation of existing internal controls, governance structures, compliance functions, and operational safeguards designed to reduce identified risks.
  • Residual Risk: Determination of the remaining risk level after mitigations are applied, ensuring it falls within the entity’s risk appetite and regulatory thresholds.

4. Implementation and Reporting Requirements

Supervised entities must implement robust Know Your Customer (KYC) and customer due diligence (CDD) procedures, supported by adequate training, internal audits, and management oversight. The self-assessment must be documented, reviewed at least annually, and submitted to the CBI in accordance with prescribed formats. Entities are also required to update their assessments promptly following material changes in operations, regulatory directives, or the risk environment.

5. Regulatory Alignment and Enforcement

This guideline harmonizes with the National Risk Assessment (NRA), FATF recommendations, United Nations Security Council resolutions, European Union regulations, and OFAC sanctions lists. Compliance is mandatory from the date of issuance, with non-compliant entities subject to supervisory actions and disciplinary penalties under prevailing Iraqi banking laws. The CBI reserves the right to issue supplementary circulars or technical standards to clarify implementation requirements.