Guidance Note on the AML/CFT Risk-Based Approach for the Hospitality (Hotel Sub-Sector)

1

GUIDANCE NOTE AML/CFT RISK BASED APPROACH FOR HOSPITALITY (HOTEL SUB SECTOR) ISSUED BY THE SPECIAL CONTROL UNIT AGAINST MONEY LAUNDERING 2019

2 Background

1. Risk-Based Approach for the Designated Non-Financial Institutions The Special Control Unit against Money Laundering (SCUML) has commenced implementation of the outcome of the Nigeria National Money Laundering/Terrorist Financing (ML/TF Risk Assessment)(NRA) concluded in 2016. The Assessment was conducted as a response to Recommendation 1 of the Financial Action Task Force 40 Recommendations. The Recommendation urges countries to identify, assess and understand their ML/TF risks and apply mitigating measures commensurate to identified risks. Following the conclusion of the Nigerian National Risk Assessment (NRA) exercise, the country developed a National Strategy from the findings of the NRA as contained in the National AML/CFT strategy 2018-2020. Accordingly, individual reporting entities or DNFIs are required to conduct an assessment of their own Money Laundering /Terrorist financing risk (ML/TF)in line with the risks identified in the NRA using customers, countries or geographic areas, products and services, transactions or delivery channels.i Such as when on-boarding new customers, and throughout the relationship with each customer, Designated Non financial institutions are required to perform anti-money laundering (AML) and know-your-customer (KYC) risk assessments to determine a customer’s overall money laundering risk. In order to achieve the above objective of combating ML/TF, it is essential to have a clear understanding of the threats/vulnerabilities to the dealers in precious metals and stones in particular and the Designated Non-Financial Institution sector in general. Consequently, SCUML has developed an AML/CFT risk assessment template and information collection tool herewith attached for your guidance. Please note that SCUML is available to guide your understanding and utilization of the developed template and tool where required.

3 Risk-Based Approach for the Designated Non-Financial Institutions 1.1 Introduction In today’s emerging risks and challenges, Designated Non Financial Businesses and Professions (DNFBPs) which is referred to as Designated Non- financial institutions (DNFIs) in S.25 of the Money Laundering Prohibition Act, 2011 as amended are seriously exposed to vulnerabilities of money laundering, terrorist financing and proliferation of weapons of mass destruction and consequently risk being sanctioned. It is therefore necessary to adopt preventive measures that will ensure effective application of mitigation measures. According to the Financial Action Task Force (FATF) guidance, published on October 2014, risk based approach “RBA to AML/CFT means that countries, competent authorities and Designated Non- financial institutions are expected to identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively. This approach should be an essential foundation to efficient allocation of resources across the anti-money laundering and combating the financing of terrorism (AML/CFT) regime and the implementation of risk based measures throughout the FATF Recommendations. Based on the foregoing, Nigeria conducted her maiden National Risk Assessment (NRA) on Money Laundering/Terrorist Financing in 2016,the assessment covered the period between 2010- June 2016.The report findings rated the vulnerability of the hospitality of the DNFIs sector (hotel sub sector) high in Nigeria.iiIn line with Regulation 10(7) of Federal Ministry of Industry, Trade and Investment (Designation of Non-Financial Institutions and Other Related Matters) Regulations, 2013, it is required that DNFIs conduct their risk assessment and come up with measures to mitigate the risks thereof. For the purpose of guidance, find below a risk based approach manual to guide the operations of the sector.

4 1.2 Understanding of the RBA Risk is defined as the possibility of some adverse event occurring and the likely consequences of this event. Risk is expressed as; • combination of threat and vulnerabilities Risk is also defined as Risk = Likelihood x Consequence ML threat refers to The proceeds of crimes in a country which includes • The proceeds generated in the country (internal threat) • The proceeds that come from other countries (external threat) ML Threat Assessment should analyze • The frequency of predicate crimes that generate illicit proceeds • The scale of illicit proceeds in the country • The scale of ML in the country • ML methods and trends in the country TF threat • Refers to the scale of funds raised/ moved/used or utilized/transiting to support TF activities and groups Vulnerability • Is about the weaknesses and gaps in defense mechanisms against ML/TF, which can be at the national and/or sector level. A vulnerability assessment should analyze • Lack of awareness, commitment, knowledge, resources • Weaknesses/gaps in AML/CFT laws and regulations

5 • Weaknesses/gaps within institutional frameworks (FIU, police, judicial, etc.) • Weaknesses in infrastructures (ID infrastructure, STR collection and analysis) • Economic, geographical, or social environment factors • Low awareness and general or specific control mechanisms: o Designated Non-Financial Financial Institution(DNFIs) 1.3 Components of the risk-based approach and risk profiling Designated Non Financial Institutions are required to take appropriate steps to identify, assess, understand and mitigate their ML/TF. The assessment should be documented. FATF Recommendation 1 is considered the groundwork towards the implementation of the risk-based approach: See figure 1 below: Figure 1: Risk based approach implementation Groundworkiii 1.4 Risk Factors Accordingly, the main components that drive a risk assessment by the Designated Non financial institution are as recommended by the Wolfsberg risk￾based approach guidance has provided an insight on the approach by identifying these components that can assist in measuring the riskiv. “Money laundering risks may be measured using various categories, which may be modified by risk variables. The most commonly used risk criteria are as follows: • country risk Identify the risk factors Assess the level of risk Understand the impact of the risk Mitigation plan Identify Assess Understand Take action

6 • customer risk • Product and Services risk • Industry risk See figure 2 below for details: Figure 2: Risk Based Approach: Risk Factors 2.1 Risk Factors For The Hospitality Sector The risk factors have been modified as seen below for the hotel sub sector for the purpose of conducting a risk based assessment in the sector. The list is non exhaustive. Customer Risk • Minor • Politicians(PEP) • Corporate Bodies-Private Companies

7 • Government Agencies • Individuals • Foreigner/Non-Resident • Unknown beneficial owner • Agents Geography/Country Risk • Hotels with International Affiliation • Hotels located in Central Business District • Hotels located in High brow Area • Hotels located in Crime Prone Areas • Hotels located in Middle brow Areas • Hotels located in Low brow Areas • Hotels located in Safe haven location for Terrorism • Hotels located in Safe haven location for Tax evasion Industry/Sector Risk • International currency exchange • Treasure/Safe deposit boxes • Transfer of unspent fund • Concealment of the source of funds • Indigenous partnerships Product/Service Risk The under listed are typical characteristics of Product/services for the Hospitality sector: • Accommodation • Hotels Management • Flight arrangement for travelers • Safe keep of valuables • International Currency exchange • Fitness Activities • Group Booking 3.1 Modified risk Variables It is important to identify the risk factors which will assist in defining the weightage or classification of the customer (weighted risk level) by listing each component and attributing a rating or score that will allow the risk rating. 3.1.1 Customer Risk

8 In order to define the customer risk, the Designated Non-financial institution should understand the nature of the customer that should be rated based on its vulnerability to money laundering and terrorist financing (e.g., the AML/CTF risk would be higher for a PEP customer than for a civil servant). It can be difficult to effectively identify all high risk customers based on prevailing circumstances, it is therefore necessary that a thorough understanding of all the risks associated with the customers should be obtained prior providing a risk rate. 3.1.2 Country Risk High-risk countries to ML/TF have been identified by many regulatory and advisory bodies such as the Financial Action Task Force (FATF), World Bank, Transparency International, United Nations, Office of Foreign Asset Control (OFAC) etc based on certain characteristics as stated below which can assist in understanding the level of risk such as the level of stability and corruption, terrorist and criminal activity. • Countries not having adequate AML/CTF systems • Countries subject to sanctions, embargoes issued by the U.N., EU and OFAC • Countries having significant levels of corruption or other criminal activities such as narcotics, arm dealing, human trafficking, illicit diamond trading, etc. • Countries identified to support terrorist activities, or have designated terrorist organizations operating within their country. 3.1.3 Product /Services Risk The risk level of products and services should be identified based on their vulnerability to money laundering and terrorist financing. E. g Products/services that allow unlimited third-party transactions (such as using lawyers/TCSP to buy properties without disclosing the beneficial owners), those that operate with limited transparency, and those that may involve significant international transactions such as inflows from foreign accounts, politically exposed persons

9 (PEPs) can be determined as high risk and require further scrutiny compared to other Hospitality products like accommodation for a civil servant where the risk can be mitigated easily. 3.1.4 Industry The industry refers to the nature of business activities and related activities which typically involves Services/management, safe keeping of valuables and setting up of hotels through agents . Information on the ultimate beneficial owners on these transactions are often limited thus posing a risk. 3.2 RISK SCORING After the identification of the risk variables, the next stage is to develop a risk assessment by calculating the risk, based on the level of impact and threat considering the weightage and risk scoring in order to classify the risk properly. Attributing the risk rating should be in a numerical format. The DNFI can choose ranges from 1 to 5 with 1 being the lowest and 5 being the highest 100% 80% 60% 40% 20% 5 4 3 2 1 Very High High Medium Medium Low Low Risk Scoring 5 4 3 2 1 Risk Level Very High High Medium Medium Low Low Due Diligence Level EDD Simplified due diligence CDD Approval AML Committee CCO HOD Relationship Manager/Staff The first step in implementing RBA is identifying the risk factors and setting up risk scoring. The process can be simple or sophisticated depending on the size, nature of business and its complexity. The method should allow the integration of RBA with the Designated Non financial institution’s customer on-boarding process.

10 Hospitality agents should risk assessments of their business and developing appropriate risk mitigation policies. 4. Suspicious Transaction Reporting • The reporting of suspicious transactions or activity is critical to a country’s ability to utilize financial information to combat Money Laundering and Terrorist Financing. The Money Laundering Prohibition Act 2011 as amended and other legislation requires Designated Non Financial Institutions to file suspicious transaction reports when the need arises. See list of relevant sections of legislation: • Section 6(2)of the ML(P)A2011 as amended — • Section 14(1) of the Terrorism (Prevention) Act 2011 • Section 8(a) of the Terrorism (Prevention)(Amendment)Act 2013 • Regulation 8(1) of the Terrorism Prevention (Freezing of International Terrorists Funds and Other Related Measures) Regulations 2013 • Reg. 22 of the (FMITI) Federal Ministry of Industry Trade and Investment, AML/CFTRegulations2013 SCUML • Where a legal or regulatory requirement mandates the reporting of suspicious activity as enshrined in the various legislation: o Section 6(2)of the ML(P)A2011 as amended o Section 14(1) of the Terrorism (Prevention) Act 2011 o Section 8(a) of the Terrorism (Prevention)(Amendment)Act 2013 o Regulation 8(1) of the Terrorism Prevention (Freezing of International Terrorists Funds and Other Related Measures)Regulations 2013 o Reg. 22 of the (FMITI) Federal Ministry of Industry Trade and Investment, AML/CFTRegulations2013,SCUML • Designated Non Financial Institutions are required when once a suspicion has been formed, to file a report and therefore, a risk-based approach for the reporting of suspicious activity under these circumstances is not applicable. All these instruments mandate reporting entities to file STRs to the NFIU via info@nfiu.gov.ng.

11 • A risk-based approach is however, required for the purpose of identifying suspicious activity, for example, by directing additional resources at those areas a dealer has identified as higher risk. As part of a risk-based approach, it is likely that a dealer in jewelleries, precious metals and stones will utilize information provided by designated competent authorities or SROs to inform its approach for identifying suspicious activity. A Dealer should also periodically assess the adequacy of its system for identifying and reporting suspicious transactions. 5. Internal Control Systems Many DNFIs differ significantly from financial institutions in terms of size. By contrast to most financial institutions, a significant number of DNFIs have only a few staff. This limits the resources that small businesses and professions can dedicate to the fight against Money Laundering and Terrorist Financing. This peculiarity of DNFIs, including Dealers in precious metals and stones, should be taken into account in designing a risk-based framework for internal control systems. Application of know your customer measures, customer due diligence procedures, reporting(CTR) and compliance obligation/processes by DNFIs. In order for Dealers to have effective risk-based approaches, the risk-based process must be imbedded within the internal controls of the firms. The success of internal policies and procedures will be dependent largely on internal control systems. The two key systems identified are as follows;

1. Culture of compliance amongst all
2. Senior management ownership

1. Culture of compliance amongst all This should encompass: • Developing, delivering and maintaining a training program for all designated agents and employees. • Monitoring of any government regulatory changes. • Undertaking a regularly scheduled review of applicable compliance policies and procedures within the dealer firms will help constitute a culture of compliance in the industry.
2. Senior management ownership Strong senior management leadership and engagement in AML/CFT is an important aspect of the application of internal control measures. Senior management must create a culture of compliance, ensuring that staff

12 adheres to the Jewellery firm’s policies, procedures and processes designed to limit and control risks. Within precious metals and stones agencies, the front line of the transaction is with the individual dealer. Therefore, policies and procedures are effective only at the point that firm/company owners and senior management support the guidance. Having regard to the size of the precious metals and stones/jewellery’s firm, the framework of internal control should: • Provide increased focus on dealers’ operations (products, services, customers and geographic locations) that are more vulnerable to abuse by Money Launderers and other criminals. • Provide for regular review of the risk assessment and management processes, taking into account the environment within which the dealers operates and the activity in its market place. • Designate an individual or individuals at management level responsible for managing AML/CFT compliance. • Provide for an AML/CFT compliance function and review programme. • Inform senior management of compliance initiatives, identified compliance deficiencies, corrective action taken and suspicious activity reports filed. • Implement risk-based customer due diligence policies, procedures and policies. • Provide for appropriate training to be given to all relevant staff.

13 ANNEXURES: Annexure 1: Customer Risk Assessment

Date 9/8/2018 Department Private Sector Sales Customer introduced by Agent Account Manager Customer Name Abubakar Emeka Yemi Risk Factors Risk Description Rating Range Description Risk Rating Customer type Public Sector Private Sector Business man Nature of the customer • Ex.Governor • Student • Civil Servant 1-5(5- Highest,1 lowest) • 5 Country of incorporation/ Nationality • Foreigner(BVI,Iraq) • 5 UBO Ultimate beneficial owner Company in BVI • 5 Products & Services Type • Accommodation • Hotels Management • Flight arrangement for travelers • Safe keep of valuables Use of cash for payment Use of 3rd party account Safe keeping of Jewelries,treasures and cash • 5

14 Annexure 2: Customer on boarding lifecycle Customer Customer Type of Customer and Watch List screening(PEP, Natural or Legal Person) Country Country of residence and origin and risk factors of the country(sanctioned, highly corrupt, high risk)

Industry Nature of business that the customer is involved the risk level

Product and Services Type of services include; Safe keeping of Jewelries,treasures and cash. i FATF Recommendation 2012-Interpretatiove Note to Recommendation 1 ii National Risk Assessment of Money Laundering and Terrorist Financing in Nigeria 2016. High Risk Customer Low Risk Customer Medium Risk Customer Risk Rating Appro ach based Risk KYC Process

15 iii FATF Recommendations, Recommendation No.1, 2012. iv Wolfsberg Statement, Guidance on a Risk Based Approach for Managing Money Laundering Risks, 2006. 4 Typologies of Money Laundering through the Real Estate Sector in West Africa, 2008