2026-05-29 | 132355

Methodological Recommendations on Conducting Risk Assessments for Financing Criminal Activities and Money Laundering for Entities Supervised by the National Bank of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued these Methodological Recommendations to mandate that supervised banks, non-bank financial organizations, and payment institutions conduct comprehensive risk assessments for money laundering and terrorist financing. The document requires entities to adopt a risk-based approach, utilizing national and sectoral risk assessments to identify, evaluate, and mitigate inherent risks associated with clients, products, and geographic jurisdictions. It establishes a continuous cycle of risk identification, evaluation, management, and monitoring to ensure internal controls are proportionate to the organization's specific risk profile and regulatory obligations.

Kyrgyzstan

National Bank of the Kyrgyz Republic

Creation date: 2026-06-05

Appendix to the Resolution

of the Supervisory Committee

of the National Bank

of the Kyrgyz Republic

of May 29, 2026

No. 24/1

METHODOLOGICAL RECOMMENDATIONS

on conducting risk assessments for financing criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic

General Provisions

These Methodological Recommendations on conducting risk assessments for financing criminal activities and legalization (money laundering) of criminal proceeds by entities supervised by the National Bank of the Kyrgyz Republic (hereinafter – the Methodological Recommendations) are developed to provide banks, non-bank financial organizations (credit unions, microfinance organizations, specialized financial-credit organizations, exchange bureaus, hereinafter – NFO), operators of payment systems using electronic money and payment organizations (hereinafter – OPS/PO) with recommendations on conducting risk assessments for financing criminal activities and legalization (money laundering) of criminal proceeds (hereinafter – FCA/ML) at the organizational level in accordance with the requirements of the Law of the Kyrgyz Republic "On Countering Financing of Criminal Activities and Legalization (Money Laundering) of Criminal Proceeds" and regulatory legal acts of the National Bank of the Kyrgyz Republic (hereinafter – the National Bank).

A Bank/NFO/OPS/PO is obliged to ensure an up-to-date understanding of FCA/ML risks, take into account new trends and methods of money laundering, and on this basis ensure the appropriate adaptation of internal control systems. The activities of these organizations must be carried out within the framework of a comprehensive risk-based approach, aligned with national and sectoral priorities.

  1. Measures applied to manage FCA/ML risks must be proportional to the level and nature of identified risks and provide for the application of enhanced control measures regarding operations, clients, and products classified as high-risk.

  2. Risk assessment is the first stage that a Bank/NFO/OPS/PO must undergo before developing and implementing its program for countering financing of criminal activities and legalization (money laundering) of criminal proceeds (hereinafter – PFC/ML). This process involves identifying, assessing, monitoring, managing, reducing, and documenting inherent FCA/ML risks that a Bank/NFO/OPS/PO can reasonably encounter. Upon completion of the risk assessment, the responsible person gains the opportunity to develop and implement an internal control program for PFC/ML aimed at reducing identified risks to an acceptable level. The internal control program for PFC/ML must be based on the results of the risk assessment of the organization itself, as well as risks identified through the National Risk Assessment (hereinafter – NRA) and Sectoral Risk Assessment (hereinafter – SRA).

Results of the national and sectoral risk assessments are key to determining risk factors and conducting FCA/ML risk assessments. A Bank/NFO/OPS/PO must use the results of the NRA and SRA to identify, assess, and understand its own FCA/ML risks, as well as to align internal control procedures, customer due diligence measures, and transaction monitoring mechanisms.

  1. An effective PFC/ML regime is built on a risk-based approach.

In this regard, internal control programs for PFC/ML may vary significantly depending on the level of risk, nature, structure, and complexity of a specific organization's activities.

For example, for a Bank/NFO/OPS/PO with a low level of risk, a relatively simple internal control program for PFC/ML may be sufficient, whereas a Bank/NFO/OPS/PO conducting activities with an elevated level of risk will require a more comprehensive and detailed system of measures.

There is no universal approach, and each Bank/NFO/OPS/PO must take into account the nature, scale, and complexity of its activities when determining appropriate risk reduction measures.

  1. A common practice is the assessment of inherent FCA/ML risks associated with relevant risk factors, as well as the analysis of the adequacy of existing PFC/ML control measures based on both quantitative data and qualitative information.

If inherent risks cannot be completely eliminated and risks remain after the application of PFC/ML control measures, such a risk is called residual risk. If the level of residual risk exceeds the acceptable risk appetite of a Bank/NFO/OPS/PO, additional control measures must be implemented to bring the Bank/NFO/OPS/PO's risk level to an acceptable value.

  1. According to the Financial Action Task Force (FATF) Guidelines on Applying a Risk-Based Approach, risk assessment must correspond to the nature, scale, and complexity of the organization's activities. For smaller or less complex supervised organizations (for example, with a homogeneous client base and/or a limited range of products and services), a simplified risk assessment may be sufficient. At the same time, more complex business models, the presence of several subsidiary structures or branches, a wide range of products and services, and a diverse client base require a more comprehensive and detailed risk assessment process.

Risk assessment and the internal control program for PFC/ML must reflect a risk-based approach, providing a Bank/NFO/OPS/PO with certain flexibility in fulfilling its PFC/ML obligations. Such an approach does not prohibit conducting operations or establishing business relationships with high-risk clients, but rather allows organizations to manage FCA/ML risks more effectively and prioritize their reduction.

Examples provided in these Methodological Recommendations are of a recommendatory and illustrative nature and are not exhaustive.

Requirements for Risk Assessment

  2. When conducting FCA/ML risk assessments, a Bank/NFO/OPS/PO must ensure:

  • identification of FCA/ML risks that they can reasonably encounter in the course of their activities;

  • determination of the level of risks associated with fulfilling obligations within the PFC/ML system, including risks arising from clients, products and services, as well as countries and geographic directions of activity;

  • documentation of the risk assessment in writing, which must contain a description of mechanisms for its regular review and updating;

  • consideration of recommendations from the National Bank and the authorized state body in the field of PFC/ML, as well as risks identified within the framework of the NRA and SRA;

  • approval of the risk assessment by senior management, which must serve as the basis for developing and implementing policies, procedures, and measures to reduce FCA/ML risks;

  • regular review and updating of the risk assessment to ensure its relevance, identify deficiencies, and make necessary changes;

  • a systematic, consistent, and justified approach to assessment;

  • proportionality of policies, procedures, and measures to reduce FCA/ML risks to the results of the risk assessment.

The risk assessment is subject to independent verification conducted by internal audit (if available) or another person authorized to conduct verification on PFC/ML issues.

Fundamentals of Understanding FCA/ML Processes

  2. Before considering FCA/ML risks, it is advisable for a Bank/NFO/OPS/PO to outline the basic provisions characterizing the essence of these processes. Legalization (money laundering) of criminal proceeds is generally considered a process involving three main stages: placement, layering, and integration.

Terrorist financing has several similar characteristics to money laundering of criminal proceeds, but may be carried out using both illegal and legal sources of funds and is generally associated with relatively small volumes of operations.

The placement stage involves introducing funds or other property obtained through criminal means into the financial system. This stage may be carried out by splitting large amounts of cash into smaller ones and subsequently depositing them into accounts, as well as through the purchase of financial instruments or the topping up of payment or credit cards. In some cases, including when committing crimes such as fraud or tax evasion, placement may be carried out electronically and be an integral part of the offense itself.

The layering stage occurs after funds enter the financial system and involves a series of operations to convert, move, or otherwise transform them to conceal their criminal origin and hinder the tracking of fund movements. Such operations may include, among other things, buying and selling investment instruments or expensive goods, as well as making transfers through multiple accounts and jurisdictions. In some cases, operations are disguised as payment for goods or services, giving them an appearance of legality.

The integration stage is the final stage of legalization (money laundering) of criminal proceeds and involves returning funds to legal circulation after creating a sufficient number of intermediate operations (layers). This may be carried out by investing in real estate, acquiring valuable assets, or participating in business activities, which allows the use of these funds without obvious signs of their criminal origin.

Identification of FCA/ML Risks

  2. In order to identify and assess FCA/ML risks to which a Bank/NFO/OPS/PO is exposed, it is necessary to take into account a set of risk factors.

Such factors include, among others:

  • the nature, scale, diversity, and complexity of the organization's activities;

  • types of products and services provided;

  • types of clients and target markets in which a Bank/NFO/OPS/PO operates;

  • the share and number of clients classified as high-risk;

  • country (geographic) risks to which the organization is exposed, including risks associated with countries and territories with high levels of corruption, organized crime, and/or insufficient development of PFC/ML systems, including jurisdictions included in FATF lists;

  • methods of providing products and services, including used service channels, the degree of direct interaction with clients, involvement of third parties (in cases provided by legislation) for conducting customer due diligence, as well as the application of remote and other technological solutions;

  • financial and non-financial organizations, as well as other counterparties with which the organization interacts;

  • volume, frequency, and size of operations (transactions) carried out;

  • results of internal/external audits (if available) or other PFC/ML checks, supervisory inspections conducted by the National Bank.

  1. Nature, scale, diversity, and complexity of activities. The size and complexity of the business play a significant role in determining its vulnerability and exposure to FCA/ML risks. For example, a large Bank/NFO/OPS/PO typically has less personal knowledge of its clients, which may provide a higher level of anonymity compared to a small Bank/NFO/OPS/PO. Similarly, a Bank/NFO/OPS/PO conducting complex operations involving international jurisdictions may create more opportunities for its services to be used for money laundering than an organization operating exclusively in the domestic market.

Analysis of corporate data allows determining which areas of activity, products, or business segments are most vulnerable to FCA/ML risks. Thus, a Bank/NFO/OPS/PO may identify a high-risk product, but without information on the number of such products provided to clients, as well as the geographic distribution of corresponding clients, the risk assessment may be distorted. The use of the organization's annual report and other relevant data sources contributes to a more accurate and justified risk assessment.

  1. Proposed products and services. Some products and services are inherently more vulnerable to FCA/ML risks. When assessing whether products and services offered by a Bank/NFO/OPS/PO can be used for FCA/ML, it is recommended to consider the following questions:

  • does the product or service allow for client anonymity;

  • does the product or service allow concealing the source of funds or the origin of the client's property (wealth);

  • does the product or service allow payments to third parties;

  • is the product or service generally associated with the receipt or payment of cash;

  • has the product or service been identified within the framework of the NRA, SRA, or in documents of the authorized state body in the field of PFC/ML as having an elevated level of FCA/ML risk;

  • does the product or service allow cross-border transfers or movement of funds.

It should be taken into account that other factors may also affect the level of FCA/ML risk associated with products and services. Responsibility for identifying and analyzing such factors within their own risk assessment lies with the Bank/NFO/OPS/PO.

  1. Types of clients and target markets. Some categories of clients have a higher level of FCA/ML risk, especially when combined with products and services or jurisdictions with an elevated level of risk.

Legislation in the field of PFC/ML serves as a starting point for identifying situations with a higher or lower level of FCA/ML risk.

At the same time, a Bank/NFO/OPS/PO must independently analyze all its clients, both new and existing, taking into account the following factors:

  • is the client a trust or other legal entity;

  • has the organization identified the beneficial owners of the client;

  • does the client require enhanced due diligence;

  • is the client involved in one-time or single transactions exceeding a certain threshold;

  • does the client use complex business structures that do not bring obvious financial benefit;

  • is the client a public official (hereinafter – PEO);

  • does the client conduct business with large cash flows;

  • is the client's activity associated with a sector where the level of corruption is high;

  • does the client have unexplained or difficult-to-verify sources of funds or property (wealth);

  • does the client conduct business through intermediaries, such as accountants, lawyers, or other intermediaries;

  • is the client a non-profit organization;

  • was the client identified within the framework of the NRA/SRA, or in regulatory acts of the authorized state body in the field of PFC/ML, or the National Bank as representing an elevated FCA/ML risk.

At the same time, the above factors are not exhaustive. Many other factors can also affect the FCA/ML risk of clients.

As in the case of products and services, responsibility for identifying these factors and analyzing them lies with the Bank/NFO/OPS/PO within its own risk assessment.

When conducting risk assessments, it is recommended to use both internal information sources and international materials, including guidelines and recommendations from regulators and specialized bodies combating FCA/ML.

  1. Country risks to which a Bank/NFO/OPS/PO is exposed. When assessing FCA/ML risks, it is important to take into account that the concept of country risks is significantly broader, as they are associated not only with FCA/ML issues. Country risks may arise for the following reasons:

  • ineffective implementation of PFC/ML measures;

  • low level of rule of law and insufficient stability of the economic environment;

  • high level of organized crime;

  • prevalence of corruption and bribery;

  • connection with terrorist financing;

  • conflict zones and adjacent territories;

  • production and/or transnational transportation of prohibited goods and narcotic drugs.

To determine the level of country risks, a Bank/NFO/OPS/PO may use various information sources, including, but not limited to:

  • FATF lists: "black" list (High-Risk Jurisdictions subject to a Call for Action) and "grey" list (Jurisdictions under Increased Monitoring);

  • FATF mutual evaluation reports;

  • EU AML and tax "black lists";

  • Basel AML Index;

  • reports of the United Nations Office on Drugs and Crime (UNODC);

  • Transparency International Corruption Perceptions Index (CPI);

  • reliable and independent mass media.

Although these sources do not directly relate to PFC/ML, it is also recommended to consider whether the jurisdiction is subject to sanctions, embargoes, or similar measures, as this may affect the level of risk of cooperation with that country.

  1. Methods of providing products and services. The manner in which an organization attracts clients and provides products and services directly affects its vulnerability to FCA/ML risks. When assessing these risks, it is recommended to consider the following questions:

  • does the organization have clients with whom business relationships were established without personal presence (by mail, phone, via the internet, or through intermediaries);

  • are products or services provided via the internet;

  • are there indirect relationships with clients (for example, through intermediaries, joint accounts, etc.);

  • are agents or intermediaries used to provide products and services;

  • are products and services provided to clients abroad.

Analysis of these aspects helps determine channels for providing goods and services that may increase FCA/ML risk and take appropriate control measures.

  1. Organizations with which a Bank/NFO/OPS/PO cooperates. Some organizations bear a higher FCA/ML risk compared to others. This may be related to the specifics of their industry, the type of business relationship, or the method of management.

Examples of high-risk organizations:

  • financial organizations not under supervision or being shell entities;

  • structures used by criminals to mask the beneficial owner;

  • banks, payment organizations, and other financial intermediaries that may be vulnerable to use for FCA/ML.

It is recommended that a Bank/NFO/OPS/PO rely on the results of the NRA/SRA, as well as available internal and external information sources, when assessing risks.

  1. Volume and size of operations/transactions. The volume and size of transactions, taking into account usual activity and client profiles, are key factors in assessing FCA/ML risks.

Unusually large or frequent operations not corresponding to the client's usual activity may indicate an elevated risk and require additional analysis and, if necessary, the application of appropriate control measures.

Results of internal audit, other checks, and supervision. Results of internal and/or external audits on PFC/ML issues (if available) or other PFC/ML checks, supervisory inspections conducted by the National Bank, provide important information for risk assessment. They help a Bank/NFO/OPS/PO identify areas with insufficient control levels, weak processes, and potential vulnerabilities requiring strengthening of PFC/ML measures.

Using such results allows organizations to adjust their policies, procedures, and internal control measures, increasing the effectiveness of the FCA/ML risk management system.

  1. Other factors affecting FCA/ML risk. Regulatory requirements in the field of PFC/ML provide for special measures that must be performed by a Bank/NFO/OPS/PO when working with certain categories of clients and certain operations, including PEOs, money transfers, and correspondent accounts, the use of new technologies and digital channels for providing products and services.

These recommendations help a Bank/NFO/OPS/PO identify areas of activity with an elevated level of FCA/ML risk.

Additional information sources for risk assessment include the NRA and SRA, as well as recommendations from the authorized state body in the field of PFC/ML and the National Bank, indicating current trends and typical methods of FCA/ML.

In addition, when conducting risk assessments, a Bank/NFO/OPS/PO may use information posted on the official websites of FATF and the Eurasian Group (EAG), including current typologies, reports, guidelines, and other materials on PFC/ML issues. Additionally, other reliable internet sources containing relevant information for risk assessment may be used.

Systematic Identification and Analysis of Risks

  2. The risk assessment approach must be systematic and consistent. A systematic approach implies that risk assessment is a cyclical process that includes risk identification, their analysis, and verification of the effectiveness of applied control measures.

  3. A Bank/NFO/OPS/PO regularly repeats this cycle, as risks are not static and may change under the influence of internal and external factors.

Examples of such changes include:

  • expansion or change in the activities of a Bank/NFO/OPS/PO;

  • the emergence of new trends in the financial and economic sphere;

  • changes in laws and regulatory acts;

  • and other significant factors and changes.

  1. Regular systematic identification and analysis of risks allows organizations to adapt internal procedures and control measures in a timely manner, ensuring effective management of FCA/ML risks.

  2. The FCA/ML risk management process in a Bank/NFO/OPS/PO must be carried out on a constant and continuous basis and include interconnected stages forming a closed cycle:

  1. risk identification – determination of factors and sources of FCA/ML risks inherent in the organization's activities, including risks associated with clients, products, services, geography, and service delivery channels;

  2. risk assessment – analysis and classification of identified risks taking into account the probability of their realization and potential impact on the organization's activities;

  3. risk management (reduction) – development and application of measures aimed at minimizing identified risks, including the implementation of internal control procedures, customer due diligence measures, and transaction monitoring;

  4. risk monitoring and review – regular observation of risk levels, assessment of the effectiveness of applied measures, and updating of the risk assessment taking into account changes in the internal and external environment.

These stages are implemented on a constant basis and are subject to regular review, ensuring the continuity of the FCA/ML risk management process.

Risk Assessment

  2. Risk can be defined in various ways, and there is no universal methodology for its assessment. After identifying FCA/ML risks arising from the activities of a Bank/NFO/OPS/PO, the organization is obliged to determine the level of these risks.

When conducting risk assessment, the following should be taken into account:

  • each identified risk factor;

  • the organization's own operational experience and history of interaction with similar risks;

  • information and recommendations published/sent by the National Bank and the authorized state body in the field of PFC/ML;

  • information and recommendations of international organizations, including FATF, Moneyval, UNODC, and others.

A Bank/NFO/OPS/PO must take into account both the current conditions of its activities and possible changes in the short and medium term. In particular, the risk assessment must take into account the impact of the introduction of new products, services, categories of clients, as well as new technologies.

It should be taken into account that FCA/ML risks may be interrelated, and their combination can form a significantly higher level of risk.

Possible approaches to risk assessment include, but are not limited to:

  • the probability of an event occurring;

  • possible consequences of the event;

  • vulnerabilities, threats, and the impact of risk factors;

  • the impact of uncertainty on an event or process.

Regardless of the chosen methodology, a Bank/NFO/OPS/PO is obliged to justify its adequacy and effectiveness to the National
