Grey clouds are gathering

I want to talk about the FATF.  First, I think it’s called the “eff-ay-tee-eff” – not “fat-fee” or (occasionally) “faft”.  And second, I’m interested in the significance of their grey list (officially, their list of jurisdictions under increased monitoring).  Not the contents of the list – plenty of others have written about who should be on the list and who shouldn’t – but the significance of it.  If you turn to the source of it all – the FATF itself – you can read this: “The FATF does not call for the application of enhanced due diligence measures to be applied to these jurisdictions [as it does for those on the really naughty list], but encourages its members to take into account the information presented below in their risk analysis.” (Note that this link will be updated very soon – they’re meeting as we speak.)

So what does this mean?  It does not mean that governments (and, by extension, regulated entities) must apply EDD to all business associated with those jurisdictions, but rather that a jurisdiction’s presence on this list must inform any risk analysis of that jurisdiction (and, by extension, clients associated with it).  However, as the FATF requirements can be viewed as a starting point – i.e. you can go beyond them, as long as you encompass them – I know of many MLROs who deem it simpler (and safer) to apply EDD to all jurisdictions on both FATF lists.  But if you wanted to do it the other way and, as required by the FATF, “take into account the information presented in [your] risk analysis”, what would this look like?  Well, grab a Twix and let’s work through an example: Nicaragua.

The FATF grey list currently says this about Nicaragua: “Nicaragua should continue to work on implementing its action plan to address its strategic deficiencies, including by: (1) finalising the updating of the NRA to develop a more comprehensive understanding of its ML/TF risk; (2) conducting effective risk-based supervision; (3) taking appropriate measures to prevent legal persons and arrangements from being misused for criminal purposes.”  From this I deduce that the issues the FATF has with Nicaragua’s AML/CFT regime are these:

• its NRA is insufficiently robust and needs updating
• its AML/CFT supervisory regime is not using a risk-based approach
• Nicaraguan companies and trusts are being used for money laundering and/or terrorist financing.

And how relevant this is to you will depend on what business you do with Nicaraguan individuals and entities.  If you are entering into a business partnership with a regulated business in Nicaragua that has based its in-house business risk assessment on the NRA (which is not good enough) and is supervised in Nicaragua for AML/CFT purposes (by a poor supervisor), then you would be wise to do your own due diligence on the business and not rely on what it has said in its own BRA, or place any faith in its being approved by its supervisor.  If, on the other hands, you are concerned about Nicaraguan clients, then it’s the third point that is of most concern.  You would need to show that your AML/CFT procedures will require your staff to be extra careful about accepting money coming from or going to a Nicaraguan company or trust (or beneficial owner of one), as we have been told that they are routinely being used “misused for criminal purposes”.  So SOF/SOW checks will be extra important, as will checks into beneficial ownership.

You can see why some MLROs might take the “EDD for all” approach – but does this lay them open to charges of not applying a true risk-based approach, and perhaps even something akin to de-risking?  Whoever said that making lists was easy?