ResourcesPractical guidance and standards for financial crime compliance practitioners

The Wolfsberg Group c/o Basel Institute on Governance Steinenring 60 | 4051 Basel, Switzerland

18 August 2023

Ms. Violaine Clerc Executive Secretary Financial Action Task Force (FATF) 2 Rue André Pascal 75116 Paris, France

RE: Public Consultation on the draft FATF R.8/INR Amendments and Best Practice Paper to Combat the Abuse of NPOs

Dear Ms. Clerc:

The Wolfsberg Group (“the Group”) appreciates the opportunity to provide comments on the draft Financial Action Task Force (“FATF”) amendments to R.8 and its Interpretative Note (”INR.8”) and draft Best Practice Paper (“BPP”) to Combat the Abuse of the Not-Profit Organisation (“NPO”) sector.

We welcome the revisions to R.8/INR.8 designed to clarify how best to implement a risk-based approach, as well as addressing the negative impact of the over-application of preventive measures on legitimate NPO activities. The Group supports the statement that the NPO sector is not homogeneous in its risk profile with regards to Terrorism Financing (“TF”) and should not be considered as such by countries and Financial Institutions (“FIs”).

The FATF asked specifically about the placement of example measures in the revised INR.8 and notes the possibility that their inclusion as part of paragraph 7(b)(iii) may have led to misinterpretation and unintended consequences. We consider that the listed measures are reasonable and their removal from the INR may lead to different unintended consequences and that moving them to a footnote as envisaged under option (iii) would maintain their impact but lessen the chance that they be viewed as mandatory, especially if supplemented by a cross reference to the Best Practices Paper.

Our comments on the updated BPP focus primarily on Sections 3 and 4.

NPOs’ risk awareness and mitigation

The draft revision of R.8/INR.8 requires countries to conduct a TF risk assessment of NPOs and put in place focused, proportionate, and risk-based measures to tackle the risks identified without unduly disrupting legitimate actors. The INR does not require NPOs to undertake measures to understand and mitigate TF risks (see paragraph 79 of the BPP) although non-prescriptive guidance on how they may protect themselves against TF abuse is provided in the BPP.

The Group firmly believes that these measures should be further enhanced by adding a requirement to R.8/INR.8 for NPOs themselves adopt a risk-based approach to also identify and assess their own risks – including of being abused for TF – and design a set of reasonable, risk-based, and explainable controls to mitigate those risks. Relevant national authorities should enforce this requirement and monitor its implementation.

We commend the proactive initiatives already undertaken by several NPOs, as reflected in Annex B. However, we remain of the view that all NPOs have the responsibility to understand if, and how, they may introduce risk into the system and to have adequate resources to manage that risk accordingly. Identifying the source and destination of funds, to an extent that allows the NPO to understand and be reasonably comfortable with both, is a fundamental element of managing risk for an activity involving the raising and disbursing of funds. This is especially true for NPOs that handle significant amounts of funding and/or operate in higher-risk contexts (e.g. in terms of geographies where they are active or services they provide).

We note the content of paragraph 48 that NPOs do not have customers but observe that there are characteristics that repeat donors may share with ‘traditional’ customer relationships. We also note that the role an NPO plays in sourcing funds from donors and then disbursing them to beneficiaries warrants a requirement that the NPO develop a risk-based awareness of the source and use of funds in order to mitigate the risk that they will be abused for TF and other financial crimes – in some ways those controls could look similar to those employed by correspondent banks. FIs, which act as gatekeepers to help prevent, deter, and detect financial crime as acknowledged in Box C.16 of the BPP, should be required to perform their controls on NPOs, but analogue to paragraph 48 and to Box 12, FIs should not be required to extend their preventive measures such as customer due diligence (CDD) towards the NPOs’ donors or beneficiaries.¹

As further improvements to sections 3.1-3 of the BPP, we suggest the following amendments:

• Once an NPO has identified its specific risk factors and assessed the likelihood and consequences of each risk, it should design a set of reasonable and risk-based controls to mitigate those risks (paragraph 85).
• Both the risks identified and the controls designed to address them should be monitored, reassessed, and adapted as regularly as necessary to ensure the continued effectiveness of risk management measures (paragraph 86).
• Professional auditors invited to conduct independent audits should have expertise in recognising TF risk and controls (Box 8).
• Internal controls and risk management procedures should be directed by an independent function within larger and/or higher-risk NPOs (paragraph 87).
• Collaboration between NPOs including, where appropriate, relevant self-regulatory organisations can be useful fora, e.g. for sharing knowledge, but appropriate controls still need to be implemented at the individual NPO’s level (paragraphs 93-99).

Enhancing NPOs’ risk awareness and control frameworks will improve the effectiveness of the whole system in identifying, preventing, and combating TF, and should bolster financial inclusion by placing risk awareness close to the source of the risk.

Access of legitimate NPOs to financial services

Considering FIs’ legal obligations and applicable international standards, it is important that prospective and current NPO customers can explain their activities, their risk assessment process and associated control framework, demonstrating that they have sufficient staff with the right experience and skills-set to manage their risks and can evidence their approach.

FIs may determine to enter and maintain, or not, customer relationships for a variety of reasons. This can include where an FI does not believe that it can manage the financial crime risks associated with an individual business relationship effectively, in line with its legal obligations and international standards. The rationale for this could either be with respect to mitigating the risk such that it remains within the FI’s risk appetite or with respect to the ability to manage the risk in a commercially viable manner. It is an appropriate and prudent business practice to consider the cost of effective risk management when determining the viability of a relationship or product offering; only in exceptional cases (e.g. vulnerable groups) should refusal be restricted by law. The Group understands paragraph 111 to include all the different types of decisions that an FI may make when assessing the relationship on a case-by-case basis but believes that, without further context, paragraph 111 may contribute to unintended consequences if interpreted differently by others.

The Group welcomes the BPP’s focus on promoting open and proactive exchanges between NPOs and FIs and suggests the language be more specific in the type of engagement that is expected, such as multi-stakeholder events with NPOs, regulators and FIs all present (paragraphs 123, 129-132). We also wish to add that NPOs should be prompt and timely in responding to FIs’ requests for information, at onboarding, as well as in the context of transaction surveillance. FIs should also be clear and transparent about their requirements and expectations, to the extent that this does not jeopardise efforts to combat and prevent financial crime. We believe that full transparency on, and public sharing of (as suggested in paragraph 124), FIs’ risk-based decision making processes could serve as a useful guide for criminals and should not be considered as normal business practice.

Countries’ and FIs’ assessment of the risk posed by NPOs should rely, to the extent possible, on data-driven evaluations that promote effectiveness and avoid bias and anecdote. Empirical evidence, in line with several national risk assessments, shows that most NPOs present little to no risk for TF, while other offences such as corruption, fraud or tax evasion are more prominent and see NPOs as either the instruments or the victims of such crimes. On a broader level, we strongly recommend that FATF address these corruption, fraud and tax-related financial crime risks which, at present, are not sufficiently understood and managed. Misunderstanding and misdiagnosing NPO risk not only limits access of legitimate NPOs to financial services, but also allows criminals to operate with few limitations.

Finally, we believe that Section 4.1 should also reflect the need for countries to focus on effective outcomes and limit rules-based requirements for reducing friction on customers, including NPOs, and supporting financial inclusion.² Indeed, rules-based requirements that are disproportionate to the risks being managed increase the cost of compliance and increase the risk of supervisory action should they not be applied in full.

Other comments

In addition to the comments referenced above, we would like to suggest the following edits to the text of the BPP:

1. The title of the BPP should reflect the focus on TF (“the FATF Best Practice Paper to Combat the TF Abuse of NPOs”).
2. The final element of FATF’s functional definition of NPOs (“or for the carrying out of other types of “good works””) is very broad and liable to misinterpretation and resultant unintended consequences. We would strongly suggest that the FATF consider some qualification to this part of the definition.
3. The reference in paragraph 33 to ‘wire transfers’ should be expanded to cover any financial transactions not limited to wires.
4. Adding Virtual Asset Service Providers (VASPs) to the list of private sector entities in paragraph 35 would recognise the growing role that these entities have in movement of monetary value.
5. Affirming the risk-based obligation that an NPO must establish the legitimacy of the source and use of funds it handles (as distinct from CDD) would strengthen paragraph 48.
6. The term “registered bank account” would require a definition (paragraph 127) and we suggest that the FATF consider whether the reference to bank accounts is overly specific given the emergence of VASPs.
7. As currently phrased, paragraph 56 and section 2.3.3 do not feature FIs. However, we believe that they could be included considering how they could contribute positively to identifying typologies and best practices to address TF abuse of NPOs.

The Group is grateful for the opportunity to comment on the draft changes to R.8/INR.8 and the Best Practice Paper to Combat the Abuse of NPOs and would like to thank you in advance for your consideration of our feedback. We remain at your disposal should any clarification be necessary.

Yours sincerely,

Alan Ketley
Executive Secretary
The Wolfsberg Group