Central Bank of The Bahamas ML/TF/PF Risk Assessment Guidance Notes (June 2023)

CENTRAL BANK OF THE BAHAMAS MONEY LAUNDERING/TERRORIST FINANCING/PROLIFERATION FINANCING RISK ASSESSMENTS GUIDANCE NOTES June 2023

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 2 TABLE OF CONTENTS DEFINITIONS ............................................................................................................................... 3 INTRODUCTION ........................................................................................................................... 6 APPLICABILITY ............................................................................................................................. 6 SCOPE..........................................................................................................................................6 PURPOSE .....................................................................................................................................6 RISK ASSESSMENT METHODOLOGY .............................................................................................. 7 DETERMINE RISK APPETITE AND RISK TOLERANCE ........................................................................8 Risk Appetite.......................................................................................................................................8 Risk Tolerance .....................................................................................................................................8 IDENTIFY AND ASSESS INHERENT RISKS ........................................................................................8 Customer Risk Factors.........................................................................................................................9 Country/Geographic Risk Factors.......................................................................................................9 Products/Services Risk Factors .........................................................................................................10 Delivery Channels Risk Factors .........................................................................................................11 Other Qualitative Risk Factors..........................................................................................................11 ESTABLISH CONTROLS AND MEASURE EFFECTIVENESS ................................................................ 12 EVALUATE RESIDUAL RISKS ........................................................................................................ 13 MONITOR AND REVIEW OF THE RISK ASSESSMENT ..................................................................... 13

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 3 DEFINITIONS

1. For the purpose of these Guidance Notes the following acronyms or terms will be used: “AML” means anti-money laundering; “CFT” means countering financing of terrorism; “CPF” means countering proliferation financing; “corrective action plan” means a time-specific collection of remediation steps designed to correct possible and existing deficiency gaps; “customer1 ” means any of the following – a) a person for whom a transaction or account is arranged, opened or undertaken; b) a signatory to a transaction or account; c) a person to whom an account or rights or obligations under a transaction have been assigned or transferred; d) a person who is authorised to conduct a transaction or control an account; e) a person who attempts to take any of the actions referred to in (a) to (d) above; or f) such other person as may be prescribed by the Minister2 ; “identified risk”3 means corruption, cybercrime, human trafficking, money laundering, proliferation or financing of weapons of mass destruction, terrorism or financing of terrorism, or such other risk as the Minister may prescribe by regulations; “impact” means the adverse effect that may follow due to a risk event occurring; “inherent risk” meansthe risk associated with any current or future process or activity before the implementation of risk mitigating mechanisms and controls; “inherent vulnerability variable’’ relates to specific features of a particular risk factor. As an example, a client base profile may vary from product to product and consequently affect its vulnerability to ML/TF/PF risk; “internal controls” means a process, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance;

1 FTRA, 2018 2 Minister here means the Minister of Finance 3 FTRA, 2018

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 4 “likelihood” means the probability of a risk event occurring; “money laundering” 4 means — a) any offence referred to in Part III of the Proceeds of Crime Act, 2018 (“POCA, 2018”); b) any act or words which constitutes an attempt, conspiracy, or incitement to commit an offence referenced in paragraph (a); c) any act or words which constitutes aiding, abetting, counselling or procuring the commission of an offence referenced in paragraph (a); or d) conduct committed outside The Bahamas which would constitute an offence specified in paragraph (a), (b) or (c) if the conduct was committed in The Bahamas; “politically exposed person”5 means an individual who is or has been entrusted— a) with a domestic prominent public function, inclusive of a head of state or government, legislator, politician, senior government, judicial or military official, senior executive of a state owned corporation, or important political party official; b) with a prominent public function by a foreign jurisdiction, inclusive of, a head of state or government, legislator, senior politician, senior government, judicial or military official, senior executive of a state owned corporation, or senior political party official; or c) with a senior position at an international organisation or branch thereof, domestic or foreign, and includes a family member or close associate of a politically exposed person; “proliferation financing”6 refers to the underlying financial services which make proliferation possible. It is the financing of proliferation activities; “residual risk” means the risk that remains after controls are applied to the inherent risk; “risk” means the possibility that an event of a given impact will occur, adversely affecting the achievement of objectives; “risk appetite” means the aggregate level and types of risk a SFI is willing to assume to achieve its strategic objectives and business plans; “risk appetite statement”means the written form of the aggregate level and types of risk that a SFI is willing to accept, or to avoid, in order to achieve its business objectives;

4 POCA, 2018 5 FTRA, 2018 6 Guidance Note on Proliferation and Proliferation Financing, 2018

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 5 “risk assessment” means the combined effort of identifying and analysing potential events that may negatively impact individuals, assets, and/or the environment; “risk owner(s)” means the first line decision maker(s) with the accountability, authority and responsibility to manage risks within their span of control; “risk profile” means a composite view of the risk assumed at a particular level of the SFI, or aspect of the business, that positions management to consider the types, severity and interdependencies of risks and how they may affect performance relative to the strategy and objectives; “risk tolerance” is the variation around the prescribed risk appetite that the SFI is willing to take; “risk triggers” means the risk symptoms, warning signs or indicators of an event or condition that breaches the risk tolerance has occurred; “terrorist”7 includes a person who — a) commits a terrorist act by any means directly or indirectly, unlawfully and wilfully; b) participates as an accomplice in terrorist acts or the financing of terrorism; c) organises or directs others to commit terrorist acts or the financing of terrorism; or d) contributes to the commission of terrorist acts or the financing of terrorism by an individual or a group of persons acting with a common purpose where the contribution is made intentionally — i. with the aim of furthering the terrorist act or the financing of terrorism; or ii. with the knowledge of the intention of the individual or group of persons to commit the terrorist act or the financing of terrorism; “terrorist financing”8 involves the solicitation, collection or provision of funds with the intention that they may be used to support terrorist acts or organisations;

7 Anti-Terrorist Act (ATA, 2018) 8 IMF AML/CFT-Topics

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 6 INTRODUCTION

1. The Central Bank of The Bahamas (“the Central Bank”) requires that all Supervised Financial Institutions (“SFIs”) implement an appropriate Money Laundering/Terrorist Financing/Proliferation Financing (ML/TF/PF) Risk Assessment framework. These Guidance Notes serve as a general guide and set out the Central Bank’s minimum expectations with regards to SFIs’ ML/TF/PF Risk Assessment process.
2. Nothing herein prevents or limits the Central Bank from taking any course of action, it deems necessary, for the protection and strengthening of the financial system in The Bahamas. APPLICABILITY
3. These Guidance Notes apply to SFIs incorporated in The Bahamas and are to be applied as appropriate to the nature, complexity and inherent ML/TF/PF risks in the SFIs’ business activities. These Notes, however, do not directly apply to nominee trust companies9 . SCOPE
4. These Guidance Notes outline the elements that must be captured when SFIs complete a ML/TF/PF risk assessment. It is intended to supplement Sections 25 and 26 of the Central Bank’s Guidelines for Supervised Financial Institutions on the Prevention of Money Laundering, Countering the Financing of Terrorism & Proliferation Financing (‘’AML/CFT/CPF Guidelines’’), and incorporates international best practices based on The FATF Risk Based Approach for the Banking Sector; The Basel Committee on Banking Supervision 2020 Guidelines on Sound management of risks related to money laundering and financing terrorism; and The Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption. PURPOSE
5. The purpose of the ML/TF/PF Risk Assessment is to drive improvements in financial crime risk management through identifying, assessing, and monitoring the risks faced by SFIs. The results of a risk assessment can be used for various purposes, including but not limited to the following: i. To identify gaps or opportunities for improvement in AML/CFT/CPF policies, procedures, and processes; ii. To make informed decisions about the SFI’s risk appetite as well as the implementation of controls and the allocation of resources;

9 Although nominee trust companies are exempt from these Guidance Notes, it is the Central Bank’s expectation that the risk assessments of their parent companies will include their ML/TF/PF risks.

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 7 iii. To assist management in understanding how the structure of a business unit or business line’s AML/CFT/CPF compliance programme aligns with its risk profile; iv. To develop risk mitigation strategies including applicable internal controls and thereby lower a business unit’s or business line’s residual risk exposure; v. To ensure senior management is made aware of the key risks, control gaps and remediation efforts; vi. To assist senior management with strategic decisions in relation to commercial exits and disposals; vii. To assist management in ensuring that resources and priorities are aligned with its risks; and viii. To ensure regulators are made aware of the key risks, control gaps and remediation efforts across the SFI. RISK ASSESSMENT METHODOLOGY 6. A SFI's risk-based approach should be built on their risk assessment methodology. The processes for identifying and evaluating risk variables, scoring criteria, and weights should be contained in the SFI’s internal policies and procedures documentation. It should also give internal stakeholders a blueprint for a replicable procedure to improve upon and allow third parties to test the design and operational effectiveness of the risk assessment. Moreover, risk owners should be clearly identified. 7. The risk assessment should be based on a SFIs' business model and should be logical, comprehensive, and relevant to ensure the timely identification, management and escalation of breaches in material risk limits/tolerance levels. 8. SFIs should take into account the threats and vulnerabilities that have been identified in The Bahamas’ National Risk Assessment. SFIs should assess how these (and any other aspects of their business) make their business vulnerable to identified risks. SFIs should assess the probability or likelihood that these aspects of their business could result in ML/TF/PF risks. The end-result of this step will be a likelihood rating for each of the risk areas of your business. For example, a SFI may rate each area from a range of high (highly likely) to low (unlikely) to be used for ML/TF/PF risks. 9. SFIs should employ a three lines of defence regime to ensure effective risk and control measures. These are as follows: i. First line roles deliver products/services to clients while managing risk (e.g. front office, customer-facing activity); ii. Second line roles deliver expertise, support, monitoring, and challenge on risk￾related matters (e.g. risk management/compliance function); and iii. Third line roles deliver independent and objective assurance and advice on all related matters (e.g. internal audit).

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 8 10. It is important to note that the size and complexity of the SFI will determine the characteristics of each line of defence. 11. SFIs should also establish robust ML/TF/PF risk management policies and procedures, and conduct periodic risk assessments that are reviewed and approved by the Board and senior management and submitted to the Central Bank. 12. Although SFIs are not required to follow a prescribed risk assessment methodology, the following sections lay out the main tenets that should be included within an effective ML/TF/PF risk assessment. DETERMINE RISK APPETITE AND RISK TOLERANCE Risk Appetite 13. SFIs are expected to determine their risk appetite, approved by the Board, and provide a risk appetite statement in the risk management policy and procedures documentation. Risk appetites may differ among SFIs, depending on their sector, culture and business objectives and may change over time. Risk Tolerance 14. After establishing the risk appetite, SFIs should clearly document the deviations that are acceptable as well as where approving authority lies for exceeding risk appetite thresholds (i.e. an entity’s risk tolerance). While risk appetite is often broad, risk tolerance is tactical, quantitative, and focused. It applies to significant objectives and cascades throughout the entity, providing guidance on a daily basis. There should also be a clear policy for the swift reporting and management of threshold breaches. By identifying the specific risk triggers for each event, SFIs can better oversee their risk management process. 15. In setting risk tolerance, SFIs should consider the relative importance of each objective. Highly significant objectives are often assigned low-risk tolerances. Optimising resource allocation becomes a specific consideration when deciding where to set tolerance. The lower the range of risk tolerance, the more likely it will be that greater resources are required to stay within that range. IDENTIFY AND ASSESS INHERENT RISKS 16. Inherent risk factors should be categorised by customer, country/geographic area, products/services, transactions, delivery channels or other qualitative and emerging risks. SFIs should consider each risk factor individually and in combination with other risk variables to determine potential ML/TF/PF risks.

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 9 Customer Risk Factors 17. Determining the identity of a customer and the type of activity involved is a critical part of countering financial crime. SFIs must ensure that inherent risks are accounted for based on the composition of their customer base, exposure to high-risk legal entities or arrangements, and the complexity of those entities. Given the nature of ML/TF/PF risks, a SFI is severely exposed if it fails to identify the risks that are inherent in its customer base. Essentially, know your customer (“KYC”) principles serve as the foundation of an effective risk management system. SFIs’ risk management systems must account for atypical behavioural changes to ensure the timely detection of illicit transactions. 18. Notwithstanding the customer due diligence (‘’CDD’’) and transaction monitoring activities that occur throughout the duration of the customer relationship, SFIs should segment their customers in order to identify patterns and trends. For example, customers should be identifiable based on whether they are legal or natural persons; low, medium, or high-risk; or where the customer is a PEP. 19. When identifying and assessing the risk associated with customers, including the beneficial owners of those customers, SFIs must consider all of the following risk factors, either individually or in combination: i. Whether a customer can issue bearer shares or has nominee shareholders; ii. Whether a customer engages in high levels of cash transactions or cash￾equivalent intensive business; iii. Whether a customer is a PEP, family member or close associate of a PEP, and/or where the beneficial owner is a PEP; iv. Whether a customer is the subject of a law enforcement conviction or sanction; v. Whether a customer engages in business activities in a high-risk jurisdiction, or a jurisdiction known for corruption, terrorist activities, organised crime or drug production/distribution; vi. Whether a customer has corporate vehicle structures that have no clear commercial or economic rationale and/or lack transparency to identify beneficial owners; vii. Whether a customer is employed in a high risk industry; and viii. Whether a customer appears unable or reluctant to disclose details about the payee or beneficiary of a wire transfer or other information (e.g. address, contact information, etc.). Country/Geographic Risk Factors 20. SFIs should consider the geographical region where their customers conduct business activities including multiple components such as: cross-border transactions, the

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 10 domicile or nationality of customers/beneficial owners, the geographical region in which the customer conducts business, including proximity to high-risk and sanctioned countries. 21. When identifying country/geographic risks, SFIs should evaluate ML/TF/PF risks associated with doing business, opening and servicing accounts, offering products and services and/or facilitating transactions involving certain geographic regions. 22. When assigning risk ratings to a country/geographic region that may pose ML/TF/PF risks, SFIs must consider: i. whether the country has been identified by reliable and credible sources (such as the FATF, CFATF or other FATF-Style Regional Bodies) as lacking appropriate AML/CFT/CPF laws, policies and compliance measures and where special attention should be given to business relationships and transactions; ii. whether the country has significant levels of organised crime, corruption, or other criminal activity, including being a source or transit country for illegal drugs, arms dealing, human trafficking, people smuggling and illegal gambling; iii. whether the country or geographic region is subject to sanctions, embargos imposed by the United Nations Securities Council or has had other similar measures imposed; iv. whether the country/geographic region is known for terrorist activities, or has terrorist organisations domiciled in the region; and v. whether the customer business relationship and/or associate doing business within a country/geographic region is known for high levels of ML/TF/PF risk. Products/Services Risk Factors 23. Certain products and services are inherently more vulnerable to ML/TF/PF risks. SFIs’ overall risk assessmentsshould identify and assess all products(e.g. deposit accounts), and services (e.g. asset management) particularly those that have a high vulnerability to ML/TF/PF. Assessing the inherent vulnerability variable of each existing product and service contributes to a comprehensive risk assessment. 24. Based on the SFI’s business model, the following products and services may be included (although not be limited to these) in the assessment: private banking, retail deposits, and deposits of legal persons, credit products for retail customers, small and medium-size businesses, large businesses, electronic banking, trade finance, digital assets, and wire transfers. 25. When assigning a risk rating to products and services, SFIs should consider: i. the nature, value, and complexity of the business (including the total size/volume and average transaction size); ii. the cross-border nature of transactions; iii. whether non face-to-face customer acceptance and/or occasional transactions are conducted;

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 11 iv. payments received from unknown or unrelated third parties; v. products or services that permit the exchange of cash for a negotiable instrument, such as a stored value card or money order; and vi. the level of transparency of the products and/or services, the anonymity or layers of opacity of the customer, beneficial ownership, or those products or services that can readily transcend international borders, such as cash, online payment systems, stored value cards, money orders, mobile payments, prepaid cards and international wire transfers; vii. use of new technologies or payment methods; and viii. products or services that provide limited and defined services to certain types of customers to increase access for financial inclusion. Delivery Channels Risk Factors 26. When assessing the delivery channels risk factors, SFIs should assess whether, and to what extent, the method of account origination or account servicing, such as non-face￾to-face account opening or the involvement of third parties, including intermediaries, could increase the inherent delivery channel risks. 27. SFIs should document and assign, where applicable, a differentiated rating scale and weights to delivery channels risk. The business unit or business line should determine the percentage of accounts or customers who are rated according to the risk classification (e.g. low risk versus moderate, or high versus higher risk), in order to determine the overall inherent channels risk. 28. SFIs should consider the following inherent vulnerability factors that may indicate a higher risk when completing their risk assessments: i. Outsourced service arrangements via the use of intermediaries or introducers (for example, mortgage and deposit agents and brokers), that may not be subject to similar compliance laws and measures as the SFI, and not adequately supervised; ii. Use of electronic banking, telephone, mail and e-mail correspondence as a substitute for face to face interaction with the customer; and iii. Wire transfer(s) that are payable upon presentation of client identification. Other Qualitative and Emerging Risk Factors 29. SFIs should consider other qualitative risk factors and emerging risks that could have an impact on operational risks and contribute to an increased or decreased likelihood of ML/TF/PF. Qualitative risk factors such as significant strategy and operational changes could directly or indirectly increase inherent risks. These changes may require a review of existing, or the establishment of new internal controls. 30. Other vulnerable risk factors may include, but not be limited to, the following:

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 12 i. Environmental and climate change risk; ii. IT system integration; iii. Frequency of AML Compliance employee turnover; iv. Material changes in business strategy and operational procedures not being assessed; v. The existence (or lack thereof) of an independent compliance function; vi. Impact of products and services on operations; vii. The level at which SFIs rely on or change third party service providers; viii. Introductions of new products and/or services; ix. Acquisitions and/or mergers of business; x. Projects and initiatives related to AML Compliance matters (e.g. remediation, elimination of backlogs); and xi. Prior internal audit or regulatory remedial findings/enforcement actions. ESTABLISH CONTROLS AND MEASURE EFFECTIVENESS 31. When establishing controls, SFIs must ensure that there is a clear connection between the inherent risks that were initially identified and the AML/CFT/CPF controls and measures. In other words, there should be a logical ‘cause and effect’ relationship between the inherent risks and the controls that are implemented to mitigate these risks. 32. Furthermore, the ML/TF/PF risk assessments should include an evaluation of the effectiveness of a SFI’s controls and an indication of any potential gaps or weaknesses within their risk management information system. SFIs should promptly adjust controls to reduce the ML/TF/PF risk posed by their business operations, customers, and external risk factors. SFIs should ensure that their programmes, policies and activities are designed and implemented to protect against the materialisation of ML/TF/PF risks. 33. SFIs are expected to test their controls based on their effectiveness in mitigating inherent risks. Control effectiveness should reflect the likelihood of control failure. For example, a control with a high likelihood of failure should not be acceptable for a high residual risk area. 34. AML/CFT/CPF controls are usually assessed across the following control categories: i. Corporate Governance (See Corporate Governance Guidelines). For example, the process of reporting and escalating matters to Senior Management and Board; ii. Know Your Customer Policies and Procedures; iii. AML/CFT/CPF tiered training for staff, executive management, and the Board; iv. Previous other risk assessments (onsite examinations, and AML/enterprise￾wide assessments); v. Operational Policies and Procedures;

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 13 vi. Record-Keeping and Retention; vii. Effectiveness and independence of a Designated AML Compliance Officer/Unit; Compliance Function (i.e. Unfettered access to the Board or Board committee); viii. Detection and unusual/suspicious transaction reports filing (i.e. ongoing transaction monitoring to account purpose and parameters); ix. Sanctions screening and anti-terrorist financing risk measures; and x. Targeted financial sanctions related to CFT or CPF controls. EVALUATE RESIDUAL RISKS 35. After SFIs have identified and assessed their inherent risks and have established effective controls and measures to mitigate these risks, they must evaluate their residual risks. Residual risks are determined by balancing the level of inherent risks with the overall strength of the risk management controls. Residual risks are used to assess whether the ML/TF/PF risks within the SFI are being adequately managed. A high level of residual risk may suggest that additional controls should be implemented. 36. Regarding ML/TF risk management, SFIs will usually have the following three types of residual risk responses: i. Avoid: Discontinue performing the processes or activities that create the risk; ii. Mitigate: Add controls or strengthen existing controls; and iii. Accept: Adjust risk tolerance to incorporate the risk. 37. SFIs that decide to accept residual risks that are outside of their risk appetites should ensure that this is documented and approved by the Board. Residual risk acceptance should also be based on a thorough and transparent review process to ensure that the risks are appropriately estimated. 38. To evaluate residual risks, SFIs should develop and implement a risk rating scale that is appropriate to the nature, size, and complexity of their operations. It is possible to apply a three tier rating scale, to evaluate the residual risk on a scale of High, Moderate and Low. An alternative rating scale could also be used, for example a 5 point scale of Low, Low to Moderate, Moderate, Moderate to High, and High. MONITOR AND REVIEW OF THE RISK ASSESSMENT 39. As mentioned in the AML/CFT/CPF Guidelines, risk assessments should be kept up-to￾date through periodic reviews and when risk factors change. These risk assessments

Central Bank of The Bahamas ML/TF/PF Risk Assessments Guidance Notes Bank Supervision Department 14 must be made available to the Central Bank annually, or as otherwise advised by the Central Bank. SFIs are also required to monitor compliance with internal policies, procedures, and controls, and enhance them if necessary. Where appropriate, having regard to the size and nature of their business, SFIs must engage an audit function to test the internal AML/CFT/CPF policies, controls and procedures. 40. A SFI’s monitoring system should be adequate with respect to its size, its activities and complexity as well as the risks present within the institution. Where deficiencies are discovered that have not been resolved, such as an inadequate information technology monitoring system, a SFI should document its decision and be able to demonstrate to the Central Bank or third parties that it has in place an effective alternative. Monitoring systems should cover all accounts of the SFI’s customers and transactions for the benefit of, or by the order of, those customers. As stated earlier, by risk rating the customers effectively, SFIs are better positioned to allocate resources to the higher risk areas. 41. For a ML/TF/PF risk assessment to be useful over time, SFIs must be able to demonstrate whether any risk factors have changed, internally or externally, and show whether any of the internal compliance policies, procedures, and controls have been updated. SFIs should undertake trend analysis of transaction activity to identify unusual business relationships and transactions in order to mitigate ML/TF/PF risks. 42. SFIs are encouraged to engage in periodic reviews, guided by their corrective action plans. SFIs are expected to test their controls to determine whether they are relevant and operating effectively. Controls should be tested periodically, based on the entity’s risk appetite, tolerance, control frequency, and control effectiveness. SFIs should also determine the likelihood of control failure. 43. A SFI must conduct ongoing monitoring of its business relationships on a risk-sensitive basis. Ongoing monitoring means scrutinising transactions to ensure that they are consistent with what the SFI knows about the customer, and taking steps to ensure that the firm’s knowledge of the business relationship remains current. As part of this monitoring, SFIs must keep documents, data and information obtained in the CDD process (including information about the purpose and intended nature of the business relationship) up to date. It must apply CDD measures where it doubts the veracity or adequacy of previously obtained documents, data or information. Furthermore, SFIs have a legal requirement to investigate unusual activity and to report suspicious activity to the Financial Intelligence Unit.