Directive on National Risk Assessment and Implementation of Findings

AML/CFT DIRECTIVE NO 01/04/2016

[RESERVE BANK OF ZIMBABWE LOGO]

07 April 2016

To All Securities Market Intermediaries

The Managing Director

RE: Money Laundering & Terrorist Financing National Risk Assessment Report and Implementation of Findings

1. This directive applies to all financial institutions, including the securities sector, as defined in Chapter 1, section 2 of the Money Laundering and Proceeds of Crime Act [Chapter 24:24:].
2. In fulfillment of Recommendation 1 of the revised FATF Standards, the country successfully conducted the Money Laundering and Terrorist Financing National Risk Assessment (NRA), from June 2014 and completed the exercise in June 2015.
3. Under Recommendation 1 - Assessing Risks and Applying a Risk-Based Approach; countries are required to identify, assess and understand their money laundering and terrorist financing risks (ML/TF), and allocate resources commensurate with risks identified. These requirements are fulfilled by conducting national, sectoral and institutional ML/TF risk assessments.

---

4. The revised Financial Action Task Force (FATF) Recommendations, have shifted from a rule-based approach to a risk-based approach, in the implementation of Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) measures.
5. Following Zimbabwe’s successful completion of the Money Laundering and Terrorist Financing National Risk Assessment (NRA), in June 2015, a summary of the NRA report for the Securities Sector is hereto attached for your consideration, and for purposes of conducting a risk assessment at institutional level.
6. The purpose of the National Risk Assessment (NRA) was to identify, assess and understand the country’s money laundering and terrorist financing risks.
7. Money laundering and financing of terrorism risk assessments are now a requirement at national, sectoral and institutional level.
8. In this regard, every country is required to identify, assess and understand its money laundering and financing of terrorism risks at national level, and to require all financial institutions and Designated Non Financial Businesses and Professions (DNFBPs) to undertake similar exercises at institutional level. Having identified the risks, countries and institutions are required to implement risk-based measures to mitigate the risks.
9. During the National Risk Assessment, the securities sector played an important role in providing relevant information which was used to assess the country and securities sector’s vulnerability to money laundering and terrorist financing.
10. The results of the NRA revealed that the country is losing about US$1.8 billion annually through smuggling, illegal dealing in gold and precious stones, corruption, fraud, tax evasion, and externalization, among others.
11. Proceeds of these predicate offences were noted to be laundered through, the banking sector, real estate, car dealers, among other institutions, which were all identified as being highly vulnerable to money laundering.

---

12. The NRA also highlighted a number of weaknesses / vulnerabilities that were found to be common within the securities sector and which, if applicable to your institution, should be addressed, namely – (i) The securities sector settlement and record keeping are manually processed which makes it difficult to monitor and identify suspicious transactions. (ii) None application of enhanced due diligence when establishing new business relationships, especially for PEPs, non-resident and foreign customers. (iii) Some securities sector institutions do not have AML/CFT IT monitoring systems that help in the screening of transactions and identification of suspicious transactions, as well as the implementation of the UNSCR sanctions lists. (iv) The securities sector institutions have not carried out ML/TF risk assessments of their business and are yet to apply the risk-based approach in their implementation of AML/CFT measures.
13. After conducting the risk assessment, financial institutions and DNFBPs are required to apply the Risk Based Approach (RBA) in implementing the AML/CFT measures in line with the identified risk levels.
14. Where higher risks are identified, securities sector institutions are required to implement enhanced AML/CFT measures sufficient to adequately mitigate the risk. Conversely, where lower risks are identified, reduced AML/CFT measures may be applied.
15. Enhanced CDD measures are always mandatory in the following circumstances, which are deemed by law and by the FATF Standards as high risk – (a) When dealing with “politically exposed persons” (PEPs) as defined in section 13 of the Money Laundering and Proceeds of Crime Act; and

---

(b) When dealing with clients or transactions involving jurisdictions that do not adequately apply AML/CFT measures as determined and published by the FATF from time-to-time;

16. The RBA is designed to ensure efficient deployment of resources in the implementation of AML/CFT measures. Instead of uniformly applying rule-based measures to all situations, the institution will reduce application of resources and effort to proven low risk situations while increasing measures for the high risk situations. 17. It is against this background that your institution is required, if you have not yet done so, to conduct a money laundering and terrorist financing risk assessment and to submit the results of your risk assessment to the Unit. The risk assessment must be documented and must be signed off by your Board of Directors. 18. The assessment report must, among other things, detail how you have categorized the risk levels of different customers, products, transactions and situations and the level of AML/CFT measures applicable to each category. 19. The results of the assessment shall be availed to the Unit as soon as they have been adopted by the Board, but in any case, not later than 31 August, 2016. 20. Unless you have earlier submitted the results of your risk assessment, you are required to write to the Unit, by no later than 31 May 2016, detailing the progress you would have made with the assessment. 21. In undertaking your risk assessment, you should take into account the results of the National Risk Assessment, in so far as they are relevant and applicable to your institution. 22. It should be noted, however, that a National Risk Assessment only provides a broad context of the national ML/TF risks and does not take into account detailed factors and peculiarities of each business entity, hence the need to conduct institutional risk assessment.

---

23. An institution’s risk assessment may take into account some or all of the following factors :
    • The nature and range of services and products offered by the institution, including an assessment of any features that may make the products or services vulnerable to ML/TF;
    • The profile and diversity of the institution’s clientele: Different customer categories present different risk levels (foreign customers, high net-worth customers, customers from countries that do not sufficiently apply AML/CFT measures; customers with predictable sources of income such as salaries and wages etc).
    • Geographical location of both customers and branches.
24. Once conducted and documented, a risk assessment should be kept up to date. Each institution should decide the intervals for updating its risk assessment. Some parts of the assessment may be reviewed on a more regular basis than others, e.g. whenever there are material developments or changes that affect the risk rating of any part of the report.
25. As a general guide, however, the whole risk assessment should be reviewed at intervals that do not exceed three years from date of last assessment.

Yours faithfully

[Signature]

M. E. Chiremba Director, Bank Use Promotion & Suppression of Money Laundering Unit