2026-05-29 | 132437

Methodological Recommendations on Conducting Risk Assessment for Financing of Criminal Activities and Money Laundering by Entities Supervised by the National Bank of the Kyrgyz Republic

The Supervision Committee of the National Bank of the Kyrgyz Republic issued these Methodological Recommendations to mandate supervised banks, non-bank financial organizations, electronic money payment system operators, and payment organizations to implement a comprehensive, risk-based assessment of financing criminal activities and money laundering. The document requires these entities to systematically identify, evaluate, and mitigate inherent risks across clients, products, services, geography, and operations by aligning internal controls with national and sectoral risk assessments. It establishes a continuous cyclical framework for risk identification, assessment, management, and monitoring, ensuring that control measures remain commensurate with organizational complexity and evolving regulatory expectations.

Kyrgyzstan

National Bank of the Kyrgyz Republic

Date of creation: 2026-06-10

Appendix to the Resolution of the Supervision Committee of the National Bank of the Kyrgyz Republic dated May 29, 2026 No. 24/1

METHODOLOGICAL RECOMMENDATIONS on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic

General Provisions

  1. These Methodological Recommendations on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic (hereinafter – Methodological Recommendations) are developed to provide banks, non-bank financial organizations (credit unions, microfinance organizations, specialized financial-credit organizations, exchange offices, hereinafter – NFO), operators of electronic money payment systems and payment organizations (hereinafter – OSR/PO) with recommendations on conducting risk assessment for financing of criminal activities and legalization (money laundering) of criminal proceeds (hereinafter – FPD/LPD) at the organizational level in accordance with the requirements of the Law of the Kyrgyz Republic "On Counteracting Financing of Criminal Activities and Legalization (Money Laundering) of Criminal Proceeds" and regulatory legal acts of the National Bank of the Kyrgyz Republic (hereinafter – National Bank).

  2. The Bank/NFO/OSR/PO is obliged to maintain an up-to-date understanding of FPD/LPD risks, take into account new trends and methods of money laundering, and on this basis adapt its internal control systems appropriately. The activities of the specified organizations must be carried out within a comprehensive risk-based approach, aligned with national and sectoral priorities.

  3. Risk management measures applied to FPD/LPD must be commensurate with the level and nature of identified risks and provide for the application of enhanced control measures regarding operations, clients, and products classified as high-risk.

  4. Risk assessment is the first stage that the Bank/NFO/OSR/PO must undergo before developing and implementing its counter-financing of criminal activities and money laundering program (hereinafter – PF PD/LPD). This process includes identifying, assessing, monitoring, managing, mitigating, and documenting inherent FPD/LPD risks that the Bank/NFO/OSR/PO can reasonably encounter. Upon completion of risk assessment, the responsible person gains the opportunity to develop and implement an internal control program for PF PD/LPD aimed at reducing identified risks to an acceptable level. The internal control program for PF PD/LPD must be based on the results of risk assessment by the organization itself, as well as risks identified through the national risk assessment (hereinafter – NRA) and sectoral risk assessment (hereinafter – SRA). Results of national and sectoral risk assessments are key to determining risk factors and conducting FPD/LPD risk assessment. The Bank/NFO/OSR/PO must use NRA and SRA results to identify, assess, and understand its own FPD/LPD risks, as well as to align internal control procedures, client due diligence measures, and current transaction monitoring mechanisms.

  5. An effective PF PD/LPD regime is built on a risk-based approach. Accordingly, internal control programs for PF PD/LPD may vary significantly depending on the risk level, nature, structure, and complexity of a specific organization's activities. For example, a Bank/NFO/OSR/PO with a low risk level may require a relatively simple PF PD/LPD internal control program, whereas one operating with an elevated risk level will need a more comprehensive and detailed system of measures. There is no universal approach, and each Bank/NFO/OSR/PO must consider the nature, scale, and complexity of its activities when determining appropriate risk mitigation measures.

  6. A common practice is assessing inherent FPD/LPD risks associated with corresponding risk factors, as well as analyzing the adequacy of existing PF PD/LPD control measures based on both quantitative data and qualitative information. If inherent risks cannot be fully eliminated and risks remain after applying PF PD/LPD control measures, such risk is called residual risk. If the level of residual risk exceeds the Bank/NFO/OSR/PO's acceptable risk appetite, additional control measures must be implemented to bring the Bank/NFO/OSR/PO's risk level to an acceptable value.

  7. According to the Financial Action Task Force (hereinafter – FATF) Guidelines on applying a risk-based approach, risk assessment must correspond to the nature, scale, and complexity of the organization's activities. For smaller or less complex supervised organizations (e.g., with a homogeneous client base and/or limited range of products and services), a simplified risk assessment may be sufficient. At the same time, more complex business models, multiple subsidiary structures or branches, a wide range of products and services, and a diverse client base require a more comprehensive and detailed risk assessment process. Risk assessment and the PF PD/LPD internal control program must reflect a risk-based approach, providing the Bank/NFO/OSR/PO with certain flexibility in fulfilling its PF PD/LPD obligations. This approach does not prohibit conducting operations or establishing business relations with high-risk clients, but rather allows organizations to more effectively manage FPD/LPD risks and prioritize their mitigation. Examples provided in these Methodological Recommendations are of a recommendatory and illustrative nature and are not exhaustive.

Risk Assessment Requirements

  9. When conducting FPD/LPD risk assessment, the Bank/NFO/OSR/PO must ensure:

  • identification of FPD/LPD risks it can reasonably encounter in the course of its activities;
  • determination of risk levels associated with fulfilling PF PD/LPD obligations, including risks related to clients, products and services, as well as countries and geographic areas of operation;
  • documentation of risk assessment in writing, which must contain a description of mechanisms for its regular review and updating;
  • consideration of recommendations from the National Bank and the authorized state body in the field of PF PD/LPD, as well as risks identified within NRA and SRA;
  • approval of risk assessment by senior management, which must serve as the basis for developing and implementing PF PD/LPD policies, procedures, and risk mitigation measures;
  • regular review and updating of risk assessment to ensure its relevance, identify shortcomings, and make necessary changes;
  • a systematic, consistent, and well-founded assessment approach;
  • commensurability of PF PD/LPD policies, procedures, and risk mitigation measures with the results of risk assessment.

     Risk assessment is subject to independent verification conducted by internal audit (if available) or another person authorized to conduct PF PD/LPD audits.

Fundamentals of Understanding FPD/LPD Processes

  2. Before considering FPD/LPD risks, it is advisable for the Bank/NFO/OSR/PO to outline key provisions characterizing the essence of these processes. Legalization (money laundering) is generally considered a process involving three main stages: placement, layering, and integration. Terrorism financing shares several characteristics with money laundering but may be carried out using both illegal and legal fund sources, and is generally associated with relatively small transaction volumes.

     The placement stage involves introducing funds or other property obtained illegally into the financial system. This stage may be carried out by splitting large cash amounts into smaller ones and subsequently depositing them into accounts, as well as through acquiring financial instruments or topping up payment or credit cards. In some cases, including when committing crimes such as fraud or tax evasion, placement may be carried out electronically and be an integral part of the unlawful act itself.

     The layering stage begins after funds enter the financial system and involves a series of operations to convert, transfer, or otherwise transform them in order to conceal their illegal origin and make them harder to trace. Such operations may include buying and selling investment instruments or expensive goods, as well as making transfers through multiple accounts and jurisdictions. In some cases, operations are disguised as payments for goods or services, giving them an appearance of legality.

     The integration stage is the final stage of money laundering and involves returning funds to legal circulation after creating a sufficient number of intermediate operations (layers). This may be carried out by investing in real estate, acquiring valuable assets, or participating in business activities, allowing the use of these funds without obvious signs of their illegal origin.

Identification of FPD/LPD Risks

  4. To identify and assess FPD/LPD risks to which the Bank/NFO/OSR/PO is exposed, it is necessary to consider a set of risk factors. These factors include, among others:

  • the nature, scale, diversity, and complexity of the organization's activities;
  • types of products and services provided;
  • client types and target markets in which the Bank/NFO/OSR/PO operates;
  • the share and number of clients classified as high-risk;
  • country (geographic) risks to which the organization is exposed, including risks related to countries and territories with high levels of corruption, organized crime, and/or insufficient PF PD/LPD systems, including jurisdictions included in FATF lists;
  • methods of providing products and services, including the service channels used, the degree of direct interaction with clients, involvement of third parties (where provided by law) for client due diligence, and the use of remote and other technological solutions;
  • financial and non-financial organizations, as well as other counterparties with which the organization interacts;
  • volume, frequency, and size of operations (transactions) carried out;
  • results of internal/external audits (if available) or other PF PD/LPD reviews, supervisory inspections conducted by the National Bank.

  1. Nature, scale, diversity, and complexity of activities. The size and complexity of the business play a significant role in determining its vulnerability and exposure to FPD/LPD risks. For example, a large Bank/NFO/OSR/PO generally has less personal knowledge of its clients, which may provide a higher level of anonymity compared to a small Bank/NFO/OSR/PO. Similarly, a Bank/NFO/OSR/PO conducting complex operations involving international jurisdictions may create more opportunities for its services to be used for money laundering than an organization operating exclusively in the domestic market. Analysis of corporate data makes it possible to determine which business lines, products, or segments are most vulnerable to FPD/LPD risks. Thus, a Bank/NFO/OSR/PO may identify a high-risk product, but without information on the number of such products provided to clients and the geographic distribution of the corresponding clients, the risk assessment may be distorted. Using the organization's annual report and other relevant data sources contributes to a more accurate and well-founded risk assessment.

  2. Products and services offered. Some products and services are inherently more vulnerable to FPD/LPD risks. When assessing whether the Bank/NFO/OSR/PO's products and services can be used for FPD/LPD, it is recommended to consider the following questions:

  • does the product or service allow for client anonymity to be maintained;
  • does the product or service allow concealing the source of funds or origin of client property (assets);
  • does the product or service allow payments to third parties;
  • is the product or service generally associated with receiving or paying cash;
  • has the product or service been identified within NRA, SRA, or authorized state body documents in the PF PD/LPD field as having elevated FPD/LPD risk;
  • does the product or service allow cross-border transfers or fund movements.

     It should be noted that FPD/LPD risk levels associated with products and services may also be influenced by other factors. Responsibility for identifying and analyzing these factors within its own risk assessment lies with the Bank/NFO/OSR/PO.

  1. Client types and target markets. Some client categories have higher FPD/LPD risk levels, especially when combined with products and services or high-risk jurisdictions. PF PD/LPD legislation serves as the starting point for identifying higher or lower FPD/LPD risk situations. At the same time, the Bank/NFO/OSR/PO must independently analyze all its clients, both new and existing, considering the following factors:
  • whether the client is a trust or other legal entity;
  • whether the organization has identified the client's beneficial owners;
  • whether the client requires enhanced due diligence;
  • whether the client participates in one-off or single transactions exceeding a certain threshold;
  • whether the client uses complex business structures not yielding obvious financial benefits;
  • whether the client is a public official (hereinafter – PO);
  • whether the client conducts business with large cash flows;
  • whether the client's activity is related to a sector with high corruption levels;
  • whether the client has unexplained or difficult-to-verify sources of funds or property (assets);
  • whether the client conducts business through intermediaries, such as accountants, lawyers, or other intermediaries;
  • whether the client is a non-profit organization;
  • whether the client has been identified within NRA/SRA, or in regulatory acts of the authorized state body in the PF PD/LPD field, or by the National Bank as representing elevated FPD/LPD risk.

     The above factors are not exhaustive. Many other factors may also influence client FPD/LPD risk. As with products and services, responsibility for identifying these factors and analyzing them lies with the Bank/NFO/OSR/PO within its own risk assessment. When conducting risk assessment, it is recommended to use both internal information sources and international materials, including guidelines and recommendations from regulators and specialized PF PD/LPD bodies.

  1. Country risks to which the Bank/NFO/OSR/PO is exposed. When assessing FPD/LPD risks, it is important to consider that the concept of country risk is significantly broader, as it is not limited to FPD/LPD issues. Country risks may arise due to the following reasons:
  • ineffective implementation of PF PD/LPD measures;
  • low rule of law and insufficient economic stability;
  • high level of organized crime;
  • prevalence of corruption and bribery;
  • connection with terrorism financing;
  • conflict zones and adjacent territories;
  • production and/or transnational transportation of prohibited goods and narcotic drugs.

     To determine the level of country risks, the Bank/NFO/OSR/PO may use various information sources, including but not limited to:
  • FATF lists: "black" list (High-Risk Jurisdictions subject to a Call for Action) and "grey" list (Jurisdictions under Increased Monitoring);
  • FATF mutual evaluation reports;
  • EU AML and tax "black lists";
  • Basel AML Index;
  • UN Office on Drugs and Crime (UNODC) reports;
  • Transparency International Corruption Perceptions Index (CPI);
  • reliable and independent mass media.

     Although these sources do not directly relate to PF PD/LPD, it is also recommended to consider whether the jurisdiction is subject to sanctions, embargoes, or similar measures, as this may affect the level of risk of cooperation with that country.

  1. Methods of providing products and services. How an organization attracts clients and provides products and services directly affects its vulnerability to FPD/LPD risks. When assessing these risks, it is recommended to consider the following questions:
  • whether the organization has clients with whom business relations were established without personal presence (by mail, phone, via internet or through intermediaries);
  • whether products or services are provided via the internet;
  • whether there are indirect relationships with clients (e.g., through intermediaries, pooled accounts, etc.);
  • whether agents or intermediaries are used to provide products and services;
  • whether products and services are provided to clients abroad.

     Analyzing these aspects helps determine service delivery channels that may increase FPD/LPD risk and take appropriate control measures.

  1. Organizations with which the Bank/NFO/OSR/PO cooperates. Some organizations bear a higher FPD/LPD risk compared to others. This may be related to industry characteristics, type of business relations, or management method. Examples of high-risk organizations:
  • financial organizations that are not under supervision or are shell entities;
  • structures used by criminals to mask the beneficial owner;
  • banks, payment organizations, and other financial intermediaries that may be vulnerable to being used for FPD/LPD.

     It is recommended that the Bank/NFO/OSR/PO rely on NRA/SRA results, as well as available internal and external information sources, when assessing risks.

  1. Volume and size of operations/transactions. The volume and size of transactions, taking into account normal activity and client profiles, are key factors in assessing FPD/LPD risks. Unusually large or frequent operations not corresponding to the client's normal activity may indicate elevated risk and require additional analysis and, if necessary, application of appropriate control measures.

  2. Results of internal audit, other reviews, and supervision. Results of internal and/or external PF PD/LPD audits (if available) or other PF PD/LPD reviews, supervisory inspections conducted by the National Bank, provide important information for risk assessment. They help the Bank/NFO/OSR/PO identify areas with insufficient control levels, weak processes, and potential vulnerabilities requiring enhanced PF PD/LPD measures. Using such results allows organizations to adjust their policies, procedures, and internal control measures, increasing the effectiveness of the FPD/LPD risk management system.

  3. Other factors influencing FPD/LPD risk. PF PD/LPD regulatory requirements provide for special measures that the Bank/NFO/OSR/PO must implement when working with certain client categories and specific operations, including PO, money transfers, and correspondent accounts, use of new technologies and digital channels for providing products and services. These recommendations help the Bank/NFO/OSR/PO identify business directions with elevated FPD/LPD risk. Additional information sources for risk assessment include NRA and SRA, as well as recommendations from the authorized state body in the PF PD/LPD field and the National Bank, indicating current trends and typical FPD/LPD methods. In addition, when conducting risk assessment, the Bank/NFO/OSR/PO may use information posted on official FATF and EAG websites, including current typologies, reports, guidelines, and other PF PD/LPD materials. Additionally, other reliable internet sources containing relevant information for risk assessment may be used.

Systematic Identification and Analysis of Risks

  5. The risk assessment approach must be systematic and consistent. A systematic approach implies that risk assessment is a cyclical process involving identification of risks, their analysis, and verification of the effectiveness of applied control measures.

  6. The Bank/NFO/OSR/PO regularly repeats this cycle, as risks are not static and may change under the influence of internal and external factors. Examples of such changes include:

  • expansion or change in the Bank/NFO/OSR/PO's activities;
  • emergence of new trends in the financial and economic sphere;
  • amendments to laws and regulatory acts;
  • other significant factors and changes.

  1. Regular systematic identification and analysis of risks allows organizations to adapt internal procedures and control measures in a timely manner, ensuring effective FPD/LPD risk management.

  2. The FPD/LPD risk management process in the Bank/NFO/OSR/PO must be carried out on a continuous and ongoing basis and include interconnected stages forming a closed cycle:

  1. risk identification – determining factors and sources of FPD/LPD risks inherent in the organization's activities, including risks related to clients, products, services, geography, and service delivery channels;
  2. risk assessment – analysis and classification of identified risks considering their probability of realization and potential impact on the organization's activities;
  3. risk management (mitigation) – development and application of measures aimed at minimizing identified risks, including implementing internal control procedures, client due diligence measures, and transaction monitoring;
  4. risk monitoring and review – regular observation of risk levels, evaluation of the effectiveness of applied measures, and updating of risk assessment considering changes in the internal and external environment.

     The above stages are implemented on an ongoing basis and subject to regular review, ensuring continuity of the FPD/LPD risk management process.

Risk Assessment

  2. Risk can be defined in various ways, and there is no universal assessment methodology. After identifying FPD/LPD risks arising from the Bank/NFO/OSR/PO's activities, the organization must determine the level of these risks. When conducting risk assessment, the following should be considered:

  • each identified risk factor;
  • own operational experience and history of interaction with similar risks;
  • information and recommendations published/sent by the National Bank and the authorized state body in the PF PD/LPD field;
  • information and recommendations from international organizations, including FATF, Moneyval, UNODC, and others.

     The Bank/NFO/OSR/PO must consider both current operational conditions and possible changes in the short- and medium-term. In particular, risk assessment must account for the impact of introducing new products, services, client categories, as well as new technologies. It should be noted that FPD/LPD risks may be interrelated, and their combination can form a significantly higher risk level.

     Possible risk assessment approaches include but are not limited to:
  • probability of the event occurring;
  • possible consequences of the event;
  • vulnerabilities, threats, and impact of risk factors;
  • impact of uncertainty on the event or process.

     Regardless of the chosen methodology, the Bank/NFO/OSR/PO is obliged to justify its adequacy and effectiveness to the National Bank.