2025-04-16

Guidelines on the Risk-Based Approach for AML/CFT/FP to Financial Institutions

The Central Bank of Haiti issues these guidelines mandating financial institutions to implement a comprehensive risk-based approach for combating money laundering, terrorist financing, and proliferation financing. Institutions must systematically identify, assess, and classify inherent and residual risks across their clients, products, distribution channels, and geographic exposures, applying proportionate simplified or enhanced due diligence measures accordingly. The framework requires documented risk management policies, periodic reviews, board or risk committee validation, and continuous monitoring to ensure regulatory compliance and effective mitigation of identified threats.


Haiti

Banque de la Republique d'Haiti


GUIDELINES ON THE RISK-BASED APPROACH FOR AML/CFT/FP TO FINANCIAL INSTITUTIONS

These guidelines aim to specify the conditions for implementing the risk-based approach regarding money laundering, terrorist financing, and financing of the proliferation of weapons of mass destruction, hereinafter referred to as "proliferation".

The Concept of Risk

Risk can be defined as the probability that a negative event and its consequences will occur. In other words, a risk is a combination of the likelihood of something happening and the extent of damage or losses that may result from that occurrence.

An inherent risk is the risk of an event or situation existing prior to the implementation of controls or mitigation measures. A residual risk is the degree of risk that persists after the implementation of mitigation measures and controls.

When assessing risks, it is important to distinguish between inherent risks and residual risks. Every financial institution must have a thorough understanding of the money laundering, terrorist financing, and proliferation risks inherent to its clientele, products, distribution channels, and the countries in which it or its clients operate. Any residual risk must be managed in accordance with the risk profile resulting from the risk assessment. This assessment and understanding of risks must be demonstrable to the BRH and deemed acceptable by it.

The Risk-Based Approach in Combating Money Laundering, Terrorist Financing, and Proliferation Financing

The risk-based approach aims to improve the effectiveness of combating money laundering, terrorist financing, and proliferation financing by identifying and assessing the risks faced by financial institutions and taking effective measures to mitigate them. The process requires, for this purpose, an assessment, understanding, management, and mitigation of the risks faced by the financial institution.

The risk-based approach enables:

  • to determine the level of resources required to mitigate identified risks and the training to be provided to relevant staff;
  • to mitigate identified risks by implementing controls and measures tailored to the risks identified;
  • to identify and assess potential gaps or weaknesses in the financial institution's compliance program.

The risk-based approach must be adapted to the size and activities of the financial institution. Its results must be validated by the board of directors or by the risk management committee, where applicable.

To identify and assess the money laundering, terrorist financing, and proliferation financing risks to which they are exposed, financial institutions must take into account a series of factors that may include, among others:

  a) the nature, scale, diversity, and complexity of their activities;
  b) their target markets;
  c) high-risk clients;
  d) the countries and territories to which the financial institution is exposed, either through its own activities or through those of its clients, particularly jurisdictions presenting relatively higher levels of corruption or organized crime, and/or deficient anti-money laundering, terrorist financing, and proliferation financing controls, and listed by the FATF;
  e) distribution channels;
  f) findings from internal audit and compliance;
  g) the volume and size of its transactions, taking into account the institution's usual activity and the profile of its clients.

Risk Assessment

Financial institutions must define and implement mechanisms for identifying and assessing money laundering, terrorist financing, and proliferation financing risks.

During risk assessment, the financial institution must consider all relevant inherent and residual risk factors, including at the country, sector, institution, and business relationship levels, to determine its risk profile and implement appropriate mitigation measures.

The financial institution must take into account in its assessment criteria such as customer due diligence policies and procedures, client acceptance, client identification, and monitoring of clients and transactions.

During risk assessment, financial institutions may consider as examples the risk factors listed in the annex to these guidelines.

When assessing risks related to types of clients, countries or geographic areas, and specific products, services, operations, or distribution channels, a financial institution should take into account risk variables associated with these risk categories. These variables, considered individually or combined, can increase or decrease potential risk and, consequently, affect the appropriate level of due diligence measures to be implemented. These variables may include, among others:

  • the purpose of an account or relationship;
  • the level of assets deposited by a client or the volume of transactions conducted;
  • the regularity or duration of the business relationship.

Risk Classification

The risk-based approach relies on the development of a risk classification based on the following elements:

  1. client characteristics;
  2. the nature of products and services offered or under development;
  3. the distribution channels used;
  4. the countries of origin or destination of funds.

The financial institution must assign a risk score to each of the risk factors listed above and then a global risk score per business relationship.

Risk classification takes into account, non-exhaustively, the following information sources:

  a) the legislative and regulatory framework;
  b) the risk factors indicated in these guidelines;
  c) standards, studies conducted by national and international bodies;
  d) conclusions of the national risk assessment;
  e) any information or publication from the Financial Intelligence Unit (FIU);
  f) the results of internal and external controls conducted within the financial institution or its group, where applicable.

Risk classification applies to all activities, all commercial geographic locations, and leads to the classification of all clients. It must impact onboarding processes, ongoing customer due diligence, and monitoring of transactions and accounts for deposit-taking institutions. It must be reviewed periodically.

Depending on the client's profile, the financial institution will apply simplified or enhanced due diligence measures.

Simplified measures must be proportional to lower risk factors (for example, focusing solely on client acceptance measures or on ongoing monitoring). As an example, these measures may include the following:

  1. verification of the client's and beneficial owner's identity after the establishment of the business relationship;
  2. reduction in the frequency of updating client identification details;
  3. reduction in the intensity of ongoing monitoring and the depth of transaction review based on a reasonable monetary threshold established by the financial institution;
  4. not collecting specific information or implementing specific measures to understand the intended purpose and nature of the business relationship, but deducing it from the type of transaction conducted or relationship established.

Simplified due diligence measures are not acceptable when there is a suspicion of money laundering, terrorist financing, or proliferation financing, or in specific higher-risk cases.

Enhanced due diligence measures that may be applied to higher-risk business relationships include, for example:

  1. obtaining additional information about the client (for example: asset volume, information available in public databases, on the internet, etc.) and more frequent updating of client and beneficial owner identification data;
  2. obtaining additional information on the intended nature of the business relationship;
  3. obtaining information on the origin of funds or the origin of the client's wealth;
  4. obtaining information on the reasons for the intended or conducted transactions;
  5. obtaining senior management approval to initiate or continue the business relationship;
  6. implementing enhanced monitoring of the business relationship by increasing the number and frequency of controls and selecting transaction patterns that require more in-depth review.

Risk Management

Risk management involves the detection and analysis of money laundering, terrorist financing, and proliferation financing risks within the financial institution. Financial institutions must:

  1. take appropriate measures to manage and mitigate risks;
  2. implement controls to detect potential failures, non-application, or circumvention of targeted financial sanctions;
  3. ensure that management and mitigation measures are appropriate to the level of risk.

Financial institutions must have policies, procedures, and controls approved by the board of directors and compliant with current laws and regulations, enabling them to manage and mitigate identified money laundering, terrorist financing, and proliferation financing risks.

Financial institutions must document their risk assessment, keep it updated, establish appropriate mechanisms to document the risk assessment, and provide related information to the BRH.

Financial institutions must monitor the implementation of established controls and strengthen them if necessary.

Repeal and Entry into Force

These guidelines repeal those of December 1, 2022, and enter into force on the date of their signature.

Port-au-Prince, April 16, 2025.

[Signature] Ronald Gabriel, Governor

ANNEX

MONEY LAUNDERING AND TERRORIST FINANCING (ML/TF) RISK FACTORS

Financial institutions must identify risk factors related to their clients, countries or geographic areas, products and services, and distribution channels. The risk factors mentioned in these guidelines are not exhaustive. Financial institutions are not required to take all risk factors into account in all cases.

Client-Related Risk Factors

When identifying the risk associated with their clients, including the beneficial owners of their clients, financial institutions should take into consideration the risk related to:

a) the professional or commercial activities of the client and the beneficial owner; b) the reputation of the client and the beneficial owner; and c) the nature and behavior of the client and the beneficial owner.

The risk factors that may be relevant when identifying the risk associated with a client's or beneficial owner's professional or commercial activities include, among others:

  a) Does the client or beneficial owner have links to sectors associated with a higher risk of ML/TF?
  b) Does the client or beneficial owner have links to sectors involving significant cash amounts?
  c) When the client is a legal entity, trust, or other type of legal structure, what is its corporate purpose? For example, what is the nature of its activity?
  d) Does the client have political ties? Is it, for example, a politically exposed person (PEP), or is its beneficial owner a PEP? Does the client or beneficial owner have other relevant ties to a PEP, for example, are the client's directors PEPs, and if so, do they exercise significant control over the client or beneficial owner?
  e) Does the client or beneficial owner hold another important position or enjoy public notoriety that could allow them to abuse this position for personal gain? For example, is it a senior official with the ability to influence public contract awards, or individuals known to influence the government and other high-level decision-makers?
  f) Is the client a financial institution acting on its own behalf in a country or territory with an effective AML/CFT framework, and is it subject to supervision regarding compliance with local AML/CFT obligations? Is there evidence that the client has been sanctioned or subjected to enforcement measures by a supervisory authority in recent years due to non-compliance with AML/CFT obligations or more general conduct requirements?
  g) Does the information about the client or beneficial owner correspond to what the financial institution knows about their previous, current, or intended commercial activities, turnover, source of funds, or source of wealth?

The following risk factors may be relevant when identifying the risk associated with a client's or beneficial owner's reputation:

  a) Are there adverse reports in the media or other relevant information sources regarding the client, for example, is the client or beneficial owner accused of criminal or terrorist acts? If so, is this information reliable and credible? Financial institutions should determine the credibility of allegations reported in the media based, among other things, on the quality and independence of the information source and the persistence of this information in the media. Financial institutions should keep in mind that the absence of criminal convictions alone is not sufficient to dismiss allegations of offenses.
  b) Has the client, beneficial owner, or any person publicly known to be closely related or associated with them had their assets frozen due to administrative or criminal proceedings or terrorism or terrorist financing accusations? Does the financial institution have reasonable grounds to suspect that the client, beneficial owner, or any person publicly known to be closely related or associated with them has been subject to such asset freezes at any time in the past?
  c) Does the financial institution have internal information regarding the integrity of the client or beneficial owner that it may have obtained, for example, as part of a long-standing relationship?

The following risk factors may be relevant when identifying the risk associated with the nature and behavior of a client or beneficial owner. Financial institutions should note that these risk factors are not all immediately perceptible and may only appear after the establishment of a business relationship:

  a) Does the financial institution have doubts regarding the truthfulness or accuracy of the client's or beneficial owner's identity?
  b) Are there indications that the client may be seeking to avoid the establishment of a business relationship? For example, is the client seeking to execute a single transaction or several isolated transactions, whereas establishing a business relationship might be more economically logical?
  c) Is the client's ownership and control structure transparent and logical? If the client's ownership and control structure is complex or opaque, is there an obvious commercial or lawful justification?
  d) Does the client issue bearer shares or is its capital held by registered shareholders?
  e) Is the client a legal entity or legal structure that could be used as an asset-holding structure?
  f) Is there a valid reason for changes made to the client's ownership and control structure?
  g) Does the client request complex transactions, unusually or abnormally high amounts, or unusual or unexpected types of transactions, lacking an apparent economic or lawful purpose or valid commercial justification? Are there reasons to suspect that the client is attempting to circumvent specific thresholds, such as those provided for in current laws and regulations?
  h) Does the client demand levels of professional secrecy that are unnecessary or unreasonable? For example, is the client reluctant to communicate information as part of the customer due diligence process, or does it seem to want to conceal the true nature of its activities?
  i) Can the source of wealth or source of funds of the client or beneficial owner be easily explained, for example, in relation to the client's or beneficial owner's profession, inheritance, or investments? Is this explanation plausible?
  j) Does the client use the products and services it has subscribed to in the manner announced during the initial establishment of the business relationship?
  k) When the client is a non-resident, could their needs be better served elsewhere? Does the client have valid economic and legal reasons for requesting the desired type of financial service?

When identifying the risk associated with the nature and behavior of a client or beneficial owner, financial institutions should pay particular attention to risk factors that, although not specific to terrorist financing, could indicate an increased risk of TF, particularly when other factors of the same risk are also present. To this end, financial institutions should at least take into account the following risk factors:

  a) Is the client or beneficial owner a person listed on lists of persons, groups, and entities involved in terrorist acts and subject to restrictive measures, or is it known to have close personal or professional ties with persons listed on these lists (for example, because they are in a relationship or live with such a person)?
  b) Is the client or beneficial owner a person publicly known to be under investigation for terrorist activity or convicted of terrorist activity, or is it known to have close personal or professional ties with such a person (for example, because they are in a relationship or live with such a person)?
  c) Does the client conduct transactions characterized by incoming and outgoing fund transfers from and/or to countries known to harbor groups committing terrorist acts or financing terrorism, or that are subject to international sanctions? If so, can these transfers be easily explained, for example, by family ties or business relationships?
  d) Is the client a non-profit organization
     i. whose activities or leaders are publicly known to be associated with extremism or harboring terrorist sympathies? or
     ii. whose transaction behavior is characterized by massive fund transfers to countries or territories associated with a higher risk of ML/TF or to high-risk third countries?
  e) Does the client conduct transactions involving significant money flows in a short period of time, associated with non-profit organizations whose ties to the client are unclear (for example, they are located at the same physical address, share the same representatives or employees, or hold multiple accounts under the same names)?

Country and Geographic Area-Related Risk Factors

When identifying the risk associated with countries and geographic areas, financial institutions should take into consideration the risk related to:

  a) countries identified by credible sources such as mutual evaluation reports, detailed assessment reports, or follow-up reports published as not having a satisfactory AML/CFT framework;
  b) countries subject to sanctions, embargoes, or similar measures taken, for example, by the United Nations;
  c) countries identified by credible sources as being characterized by considerable levels of corruption or other criminal activity;
  d) countries or geographic areas identified by credible sources as providing financing or support to terrorist activities or in which designated terrorist organizations operate.

Product, Service, and Transaction-Related Risk Factors

When identifying the risk associated with their products, services, and transactions, financial institutions should take into consideration the risk related to:

a) the level of transparency, or opacity, offered by the product, service, or transaction; b) the complexity of the product, service, or transaction; and c) the value or size of the product, service, or transaction.

The risk factors that financial institutions should take into consideration when identifying the risk associated with the transparency of a product, service, or transaction include:

  a) To what extent do products or services allow the client, beneficial owner, or beneficiary structures to remain anonymous or conceal their identity more easily?
  b) To what extent is it possible for a third party not part of the business relationship to give instructions, for example, in the case of certain correspondent banking relationships?

The risk factors that institutions should take into consideration when identifying the risk associated with the complexity of a product, service, or transaction include, among others:

  a) What is the complexity of the transaction and does it involve multiple parties or multiple countries or territories, for example, in the case of certain trade credit operations? Are the transactions simple?
  b) To what extent do products or services allow third-party payments or accept overpayments when this is not or would not be norma