Methodological Recommendations on Conducting Risk Assessment for Financing of Criminal Activities and Money Laundering by Entities Supervised by the National Bank of the Kyrgyz Republic

Back

Print Version

Date of creation: 2026-06-11

Appendix to the Resolution of the Supervision Committee of the National Bank of the Kyrgyz Republic dated May 29, 2026 No. 24/1

METHODOLOGICAL RECOMMENDATIONS on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic

General Provisions

These Methodological Recommendations on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic (hereinafter – the Recommendations) are developed to provide banks, non-bank financial organizations (credit unions, microfinance organizations, specialized financial-credit organizations, exchange offices, hereinafter – NFO), operators of electronic money payment systems and payment organizations (hereinafter – OSR/PO) with recommendations on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds (hereinafter – FPD/LPD) at the organizational level in accordance with the requirements of the Law of the Kyrgyz Republic "On countering financing of criminal activities and legalization (money laundering) of criminal proceeds" and regulatory legal acts of the National Bank of the Kyrgyz Republic (hereinafter – National Bank).

The Bank/NFO/OSR/PO is obliged to ensure up-to-date understanding of FPD/LPD risks, take into account new trends and methods of money laundering, and on this basis ensure appropriate adaptation of internal control systems. The activities of these organizations shall be carried out within a comprehensive risk-based approach, aligned with national and sectoral priorities.

3. Risk management measures applied shall be proportional to the level and nature of identified risks and provide for the application of enhanced control measures regarding operations, clients, and products classified as high-risk.

4. Risk assessment is the first stage that a Bank/NFO/OSR/PO must undergo before developing and implementing its program for countering financing of criminal activities and money laundering (hereinafter – FPD/LPD Program). This process includes identifying, assessing, monitoring, managing, mitigating, and documenting inherent FPD/LPD risks that a Bank/NFO/OSR/PO can reasonably encounter. Upon completion of risk assessment, the responsible person gains the opportunity to develop and implement an internal control program for FPD/LPD aimed at reducing identified risks to an acceptable level. The FPD/LPD internal control program must be based on the results of risk assessment by the organization itself, as well as risks identified through the national risk assessment (hereinafter – NRA) and sectoral risk assessment (hereinafter – SRA). Results of national and sectoral risk assessments are key to determining risk factors and conducting FPD/LPD risk assessment. A Bank/NFO/OSR/PO must use NRA and SRA results to identify, assess, and understand its own FPD/LPD risks, as well as to align internal control procedures, client due diligence measures, and transaction monitoring mechanisms.

5. An effective FPD/LPD regime is built on a risk-based approach. Accordingly, FPD/LPD internal control programs may vary significantly depending on the risk level, nature, structure, and complexity of a specific organization's activities. For example, a Bank/NFO/OSR/PO with a low risk level may require a relatively simple FPD/LPD internal control program, whereas one operating with an elevated risk level will need a more comprehensive and detailed system of measures. There is no universal approach, and each Bank/NFO/OSR/PO must consider the nature, scale, and complexity of its activities when determining appropriate risk mitigation measures.

6. A common practice is assessing inherent FPD/LPD risks associated with corresponding risk factors, as well as analyzing the adequacy of existing FPD/LPD control measures based on both quantitative data and qualitative information. If inherent risks cannot be fully eliminated and risks remain after applying FPD/LPD control measures, such risk is called residual risk. If the level of residual risk exceeds the Bank/NFO/OSR/PO's acceptable risk appetite, additional control measures must be implemented to bring the organization's risk level to an acceptable value.

7. According to the Financial Action Task Force (FATF) Guide on applying a risk-based approach, risk assessment must correspond to the nature, scale, and complexity of an organization's activities. For smaller or less complex supervised organizations (e.g., with a homogeneous client base and/or a limited range of products and services), a simplified risk assessment may be sufficient. At the same time, more complex business models, multiple subsidiaries or branches, a wide range of products and services, and a diverse client base require a more comprehensive and detailed risk assessment process. Risk assessment and the FPD/LPD internal control program must reflect a risk-based approach, providing a Bank/NFO/OSR/PO with certain flexibility in fulfilling its FPD/LPD obligations. This approach does not prohibit conducting operations or establishing business relationships with high-risk clients, but rather allows organizations to more effectively manage FPD/LPD risks and prioritize their mitigation. Examples provided in these Methodological Recommendations are advisory and illustrative in nature and are not exhaustive.

8. Risk Assessment Requirements

9. When conducting FPD/LPD risk assessment, a Bank/NFO/OSR/PO must ensure:

• identification of FPD/LPD risks it may reasonably encounter in the course of its activities;
• determination of risk levels associated with fulfilling FPD/LPD Program obligations, including risks related to clients, products and services, as well as countries and geographical directions of operations;
• documentation of risk assessment in writing, which must include a description of mechanisms for its regular review and updating;
• consideration of recommendations from the National Bank and the authorized state body in the field of FPD/LPD, as well as risks identified within NRA and SRA;
• approval of risk assessment by senior management, which must serve as the basis for developing and implementing FPD/LPD policies, procedures, and risk mitigation measures;
• regular review and updating of risk assessment to ensure its relevance, identify deficiencies, and make necessary changes;
• a systematic, consistent, and well-founded assessment approach;
• proportionality of FPD/LPD policies, procedures, and risk mitigation measures to the results of risk assessment. Risk assessment is subject to independent verification conducted by internal audit (if available) or another person authorized to conduct FPD/LPD audits.

3. Fundamentals of Understanding FPD/LPD Processes

4. Before considering FPD/LPD risks, a Bank/NFO/OSR/PO should outline the key provisions characterizing the essence of these processes. Money laundering (legalization) of criminal proceeds is generally considered a process involving three main stages: placement, layering, and integration. Terrorist financing shares several characteristics with money laundering but may be carried out using both illegal and legal fund sources, and is generally associated with relatively small transaction volumes. The placement stage involves introducing funds or other property obtained criminally into the financial system. This stage may be carried out by breaking down large cash sums into smaller ones and depositing them into accounts, as well as through acquiring financial instruments or topping up payment or credit cards. In some cases, including when committing crimes such as fraud or tax evasion, placement may be carried out electronically and be an integral part of the unlawful act itself. The layering stage occurs after funds enter the financial system and involves a series of operations to convert, transfer, or otherwise transform them to conceal their criminal origin and hinder tracking. Such operations may include buying and selling investment instruments or expensive goods, as well as making transfers through multiple accounts and jurisdictions. In some cases, operations are disguised as payments for goods or services, giving them an appearance of legality. The integration stage is the final stage of money laundering (legalization) of criminal proceeds and involves returning funds to legal circulation after creating a sufficient number of intermediate operations (layers). This may be carried out by investing in real estate, acquiring valuable assets, or participating in business activities, allowing the use of these funds without obvious signs of their criminal origin.

5. Identification of FPD/LPD Risks

6. To identify and assess FPD/LPD risks to which a Bank/NFO/OSR/PO is exposed, it is necessary to consider the aggregate of risk factors. Such factors include, among others:

• the nature, scale, diversity, and complexity of the organization's activities;
• types of products and services provided;
• client types and target markets in which a Bank/NFO/OSR/PO operates;
• the share and number of clients classified as high-risk;
• country (geographical) risks to which the organization is exposed, including risks related to countries and territories with elevated levels of corruption, organized crime, and/or insufficient FPD/LPD system development, including jurisdictions included in FATF lists;
• methods of providing products and services, including used service channels, degree of direct interaction with clients, involvement of third parties (where provided by law) for conducting client due diligence, and application of remote and other technological solutions;
• financial and non-financial organizations, as well as other counterparties with which the organization interacts;
• volume, frequency, and size of operations (transactions) carried out;
• results of internal/external audit (if available) or other FPD/LPD audits, supervisory inspections conducted by the National Bank.

11. Nature, scale, diversity, and complexity of activities. The size and complexity of business play a significant role in determining its vulnerability and exposure to FPD/LPD risks. For example, a large Bank/NFO/OSR/PO typically has less personal knowledge of its clients, which may provide a higher level of anonymity compared to a small Bank/NFO/OSR/PO. Similarly, a Bank/NFO/OSR/PO conducting complex operations involving international jurisdictions may create more opportunities for its services to be used for money laundering than an organization operating exclusively in the domestic market. Corporate data analysis allows determining which business directions, products, or segments are most vulnerable to FPD/LPD risks. Thus, a Bank/NFO/OSR/PO may identify a high-risk product, but without information on the quantity of such products provided to clients and the geographical distribution of corresponding clients, risk assessment may be distorted. Using the organization's annual report and other relevant data sources contributes to a more accurate and well-founded risk assessment.

12. Proposed products and services. Some products and services are inherently more vulnerable to FPD/LPD risks. When assessing whether products and services offered by a Bank/NFO/OSR/PO can be used for FPD/LPD, it is recommended to consider the following questions:

• does the product or service allow maintaining client anonymity;
• does the product or service allow concealing the source of funds or origin of client property (assets);
• does the product or service allow payments to third parties;
• are the product or service generally associated with receiving or paying cash;
• have the product or service been identified within NRA, SRA, or documents of the authorized state body in the field of FPD/LPD as having an elevated level of FPD/LPD risk;
• does the product or service allow cross-border transfers or fund movements. It should be noted that other factors may also influence the FPD/LPD risk