AMLJanuary 31, 2022

The Outsourcing of the Jurisdictional Risk Assessment (JRA)

One of the main pillars when conducting an Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) risk assessment is the Jurisdictional Risk Assessment (JRA).

One of the main pillars when conducting an Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) risk assessment is the Jurisdictional Risk Assessment (JRA).

The Prevention of Money Laundering and Funding of Terrorism Regulations  (PMLFTR) requires Subject Persons to assess the risks emanating from any jurisdiction they are dealing with, including whether they deal with jurisdictions considered as non-reputable or high-risk jurisdictions.

A Subject Person’s link to jurisdictions usually fall within two areas:

  • General Jurisdictional links

The jurisdictions where the customer or beneficial owner/s

  1. reside,
  2. have their principal place of business,
  3. where the source of wealth is generated, and
  4. the jurisdictions with which the customer trades.
  • Connections to jurisdictions that are specific to the relevant activity conducted by the Subject Person (i.e. depending on the Subject Person’s work, other connections should be considered). For example:
  1. for a payments institution, the jurisdictions from which the funds are sent and received must be assessed;
  2. when providing tax advice, the geographical risk linked to the jurisdictions used to channel funds or to exercise control within the structure must be considered;
  3. when a Subject Person is providing directorship services, the geographical risk associated with the jurisdictions where the main trade partners are located or where the customer’s assets are held should also be assessed;

There is no defined format on what methodology should be used to assess the jurisdictions.  However, the FIAU, in its Implementing Procedure, gives a clear explanation on which jurisdictions should be classified as non-reputable or high-risk.  It goes further to explain that when a jurisdiction is considered non-reputable, such classification is done due to AML/CFT considerations and gives an exhaustive list of documents with which Subject Persons should refer.  On the other hand, in the case of high-risk jurisdictions, other indices beyond AML/CFT should be considered (e.g. Transparency International Corruption Perception Index and World Justice Project Rule of Law Index).

Creating such an assessment is not an easy task.  It requires the collection of various indices and reports to generate a definite list, which must be continuously updated once the different indices are updated.  To this effect, Subject Persons are now more inclined to outsource such tasks and seek  third-party consultants’ services to draft the JRA.

Factors for outsourcing the JRA

In October 2021, the FIAU issued a revised version of its Implementing Procedures, which, for the first time, included a section related to the outsourcing of the JRA. This section provides the Subject Person with guidance on what factors should be considered when deciding to outsource the JRA.  Such considerations include:

  • The Subject Person must ensure that the sources used for the JRA are reliable;
  • The assessment carried out by the third-party provider should include aspects that may impact the Subject Person. For example, if the assessment provided by the third party does not cover the level of terrorism of a jurisdiction to which the Subject Person has clients linked to, the Subject Person must consider what is likely to be the impact on the risk rating provided by the third party to calculate the risk of such clients in a better manner;
  • The Subject Person must understand the methodology used by the third-party provider to assess each jurisdiction and determine that such methodology is objective and makes sense;
  • The JRA must constantly be updated. Therefore, the Subject Person must be aware of how the assessment is updated and must discuss with the service provider on how quickly such assessment is updated once there are changes in the indices or reports used for the assessment; and
  • Ultimately, even if the Subject Person uses a readily available index, it still needs to understand the main reasons a jurisdiction is considered as presenting its assigned level of risk.

At Compliance 360 Ltd. we have developed a detailed JRA which takes into consideration more than ten reliable indices, covers more than 250 jurisdictions, and is continuously updated.  Our assessment is based on the latest  FIAU’s requirements and principles mentioned in this article.  Should you wish to receive further information on the JRA, or to explore other services offered by Compliance 360 Ltd. you can contact us here and we will get back to you to discuss your needs.