
Country Risk FAQs

Introduction

In 2018, the Wolfsberg Group (the Group) issued a Country Risk Frequently Asked Questions (FAQs) document setting up the foundations as to how Financial Institutions (FIs) should capture country risk in their Anti-Money Laundering/Counter Terrorist Financing (AML/CTF) framework. The Group has updated its FAQs based on members’ current best practices and to suggest how the Group believes those practices should develop over time. The prior version of these FAQs, published in 2018, has now been retired.

A key driver of financial crimes risk for FIs is the customer. In assessing the risk presented by any one particular customer, country risk is one factor among many that an FI may consider. Country ratings, along with other factors, will inform the FI’s customer risk assessment framework, which will rate a customer so that appropriate levels of customer due diligence are undertaken, and their transactions or activities monitored with that context in mind. Accordingly, country risk does not, by itself, determine the risk of a customer. Disregarding country risk could discount important context about a customer, whereas too much emphasis could result in undesirable outcomes across the customer base. Each FI must strike a balance in how it assesses country risk and applies consideration of that risk in its customer and other risk framework(s). To assist in achieving a balance, these FAQs set out factors that FIs may consider when thinking about country risk.

The Group believes that these FAQs will assist FIs to develop and maintain an effective AML/CTF programme[1] following the principles of a risk-based approach established by the Financial Action Task Force (FATF).[2]

There is a significant debate as to whether financial crime country risk assessments should be considered a model, a methodology, a tool or even an application (see Question 5). These FAQs use the term methodology for consistency, unless explicit reference is being made to a model.

Q1. What is country risk in the context of financial crime compliance?

FIs typically used the term “country risk” to refer to the additional risk created by investing in, or lending cross border to, a foreign country in the context of credit facilities. With the introduction of the risk-based approach as the overriding principle in the fight against financial crime, FIs identified country risk factors (amongst others) as being relevant to assessing the financial crime risk of the customer. Country-related factors could include a customer’s domicile, country of incorporation, centre of activity or other nexus, such as country of tax residency.

When assessing a customer’s risk profile, FIs need to consider not only the financial crime risk related to the customer profile, but also the effectiveness of AML/CTF legal and regulatory frameworks in the countries to which the customer has a relevant exposure, as well as the political and macro-economic environment in those countries. For reasons of differentiation, these FAQs refer to this type of country risk as Financial Crime Country Risk (FCCR), which seeks to assess the residual level of financial crime in that country after considering the inherent risk and the effectiveness of the country’s AML/CTF framework. It is to be noted here that an elevated FCCR should not necessarily preclude business being undertaken in any particular country, but rather that FIs may need to consider whether their control environment is appropriately robust to manage that risk.

An FI’s FCCR rating methodology should be based on the FI’s initial understanding of the country’s risks and context in the widest sense, as well as elements which contribute to them. These may cover:

  • The nature and extent of money laundering, sanctions, proliferation and terrorism financing, presence of known terrorist organisations in the country, corruption, significant production of narcotics and/or laundering of the proceeds related to drug trafficking, tax evasion risks, human trafficking risks, amongst others;
  • Factors which could significantly influence the effectiveness of a country’s AML/CTF measures, including the maturity and sophistication of the regulatory and supervisory regime in the country;
  • Legal AML/CTF frameworks (e.g. as assessed by the FATF or FATF Style Regional Bodies (FSRBs) in their Mutual Evaluation Reports (MERs));
  • Structural elements which underpin the AML/CTF system, for example: political stability, robust governance (e.g. per global standards, such as the World Bank or FATF), a high-level commitment to address AML/CTF issues, and indicators of financial secrecy;
  • Other geographical factors, such as trading or cultural links, or what are commonly known as nexus risks, where geographic proximity may drive a higher risk rating. This is particularly true for sanctions and terrorism financing considerations.

An FCCR rating seeks to determine the overall level of financial crime risk in a country by assessing the threats and mitigants in that country which are relevant to FIs. It is not assessing an FI’s direct risk profile in that country, but the overall level of financial crime in that country. The ways in which a customer or FI could be vulnerable to that risk profile are measured using other risk rating methodologies.

An FI’s assessment of country risk should be iterative and evolve dynamically subject to external factors affecting the financial crime risk environment, thus requiring regular review to ensure appropriateness. However, once an FI has defined its FCCR methodology, and validated it as per the FI’s normal governance process, it should be used as widely and consistently as possible to inform decisions where country risk is a required factor. Generally, a FCCR methodology is used across all the FI’s business lines and activities. Any exceptions to this should only be granted under a robust governance process.

Q2. What data sources should be considered when developing a methodology to assess country risk?

Most assessments of FCCR incorporate both subjective (analytical/research based or qualitative) and objective (numeric or quantitative) data. Data sets are usually purchased from external vendors or list/index providers, and are then considered alongside the FI’s experience of operating within countries (noting that FIs may have limited geographic footprint or exposure) and other relevant factors to determine the overall risk rating. The sources used for quantitative risk scoring should cover financial crime relevant risk parameters or dimensions, such as:

  • Criminal Indicators: FIs may consider data sets, such as corruption and terrorism indices, as well as drug trafficking, countries considered to be tax havens,[3] and/or susceptible to human smuggling, trafficking or modern slavery and environmental crime, amongst others;
  • Political Factors, such as political stability, regulatory effectiveness, levels of democratisation, rule of law, human rights considerations, freedom of the press, civil liberties, amongst others;
  • Regulatory Factors: expectations from home and host regulators on how to categorise countries from a financial crime risk management perspective, as well as how AML/CTF regimes are assessed by relevant third parties (e.g. FATF MERs).

In addition, FIs may use other qualitative data, such as national risk assessments[4] and threat priorities.

Note: Sanctions-related aspects are covered in Questions 3 and 4.

Depending on an FI’s methodology, it may also wish to consider economic indicators, such as gross domestic product, levels of inflation and debt (internal and external), the ease of doing business, global competitiveness or unemployment level, amongst others. Note that these may also be covered by an FI’s sovereign credit risk rating and should therefore be at the discretion of the FI.

The most important criteria for choosing sources are the reputability, credibility, relevance and quality of the sources and the publishing institution. Sources with no editorial process or with serious allegations against, or challenges to, their content, including completeness, quality of data and the number of countries covered, should be avoided.

There is no prescribed number of sources an FI could or should use in its methodology. Underlying data sources may take the form of individual data points or indices collating a number of data points. The approach should also vary based on the methodology (e.g. weight-based models should consider statistically significant contributions from each factor). Irrespective of the methodology, the impact of changes in any data source to the country risk score/rating should be clearly identifiable and understandable for internal and external stakeholders.

Irrespective of the number of sources used, an analysis of those sources should be undertaken (including data quality checks to ensure that sources are reliable and the data is current), combined with the FI’s own experiential judgment criteria supported by a robust rationale (e.g. experience of operating in a particular country), which will yield a score. Care should be taken to ensure that sources or any qualitative considerations are not duplicative of data inputs already being used so as not to skew the data through double-counting.

Whichever approach is used by the FI, the choice of the sources, the balance between subjective and objective elements, the process for carrying out the evaluation, and any decisions affecting financial crime compliance outcomes should be documented. Note that a non-exhaustive list of impacted financial crime compliance processes is listed in Question 16. If significant deviations from the objective data sets are part of the outcomes, these should be clearly articulated and explained. The final determination of the FCCR ratings and methodology should be approved by an authorised senior manager or appropriate governance forum, with representatives who have appropriate financial crime compliance knowledge and sufficient seniority to be able to satisfy regulatory scrutiny. The approval body (e.g. authorised senior manager or appropriate governance forum) should review the methodology, agree on deviations and approve the final ratings.

Q3. How often should data sources be refreshed and country risk ratings reviewed?

As a general rule, it is appropriate to update ratings no less frequently than annually, following updates of the underlying data sources, as many of these are updated only once a year. To the extent possible, it is important to choose a date when the majority of the data is current.

However, consideration may be given to revising ratings on an interim/ad-hoc basis when key trigger data, i.e. items which can have a material impact on the rating, are released. Examples could include:

  • FATF public statements, demonstrating material deficiencies in the AML/CTF framework in the country concerned. FIs could also periodically review the FATF and FSRB MERs which include both technical compliance and effectiveness ratings for FATF’s recommendations and immediate outcomes;
  • Countries becoming subject to sanctions or embargoes, e.g. United Nations (UN) Security Council sanctions, Office of Foreign Assets Control (OFAC) Sanctions Programs, Financial sanctions imposed by the European Union (EU) or national authorities (e.g. His Majesty’s Treasury (UK HMT) in the United Kingdom);
  • Regime change through a coup d’état or significant political unrest, which is relevant to a particular FI’s operations;
  • Relevant changes to an FI’s regulatory framework or legislative changes, such as competent authorities issuing lists of countries that pose a heightened risk due to strategic deficiencies in their AML/CTF regimes;
  • The publication of, or amendment to, a national risk assessment, in a country where the FI has a significant presence.

FIs should assess specific scenarios where a country’s risk rating would need to be elevated to the higher/highest rating (e.g. inclusion on the FATF grey/blacklist). Similarly, FIs should consider where a risk rating needs to be reassessed to take account of visible improvements in country risk frameworks (e.g. removal from the FATF grey/blacklist with evidence of long-term effectiveness).

The process for updating the FCCR should be clearly set out in the FI’s FCCR governance/methodology documentation. Lastly, FIs, through their internal governance and risk appetite should decide whether a change to a country rating leads to a retrospective review of exposure or only a forward-looking impact.

Q4. How should sanctions be considered in country risk methodologies?

In most cases, FIs will default sanctioned regimes to the highest risk rating in their country risk methodology and regulators generally expect that an FI’s relationships with customers associated with sanctioned countries, territories or regions are subject to the highest levels of due diligence and approvals. An FI’s presence (both where it is based geographically, the markets in which it does business, as well as the markets in which its customers do business), may determine which economic and trade sanctions it should comply with. The FI may then source a list of sanctioned regimes from the sanctioning entities’ websites or, in an aggregated fashion, from third-party providers.

Sanctions may change quickly as political, diplomatic, or economic issues arise, or are resolved. In general, the effect of sanctions is immediate, therefore it is important for FIs to keep abreast of any changes and respond accordingly. It is also important to consider what processes and systems the FI uses to comply with sanctions and what the sanctions mean for the FI’s FCCR methodology.

FIs may want to consider the reasons why certain countries/territories are sanctioned, what risks are present and how that is linked to financial crime. FIs should develop a methodology and decide how it will be used, such as in manual and automated financial crime prevention processes.

The general practice is for both sanctions and money laundering to be included in a FCCR methodology. FIs should be prepared to present separate or combined country risk assessments (e.g. for money laundering, sanctions, and bribery and corruption) depending on the FI’s regulatory, operational and governance drivers. The assessments should factor in the availability of relevant underlying data/qualitative assessments (e.g. national risk assessments) from trustworthy sources, and the timeliness of the assessment. Note that if the FI decides not to use its FCCR methodology for sanctions compliance, then it may decide to include fewer sanctions-related data points in the methodology.

An FI should determine whether comprehensive and/or sectoral sanctions may be integrated into the methodology’s logic. Specially Designated National (SDN) sanctions are not considered to have geographical relevance as they are specific to individual persons or entities. The effect of the inclusion of different types of sanctions on downstream processes and systems should also be considered. In some instances, sanctions are specific to a certain market segment or activity (i.e. sectoral sanctions) and there may be a more appropriate methodology used for complying with these sanctions. For example, if the sanctions ban the supply of petroleum and related products from a particular country, the risk may be addressed more effectively by focussing on the FI’s customers in specific industries rather than a blanket approach of focussing on a country as a whole.

Conversely, an FI can pursue a broader approach by considering relevant economic ties between non-sanctioned and sanctioned countries which could indicate elevated sanctions risk. This approach captures the risk of an economic partner being exposed to the risks present in a sanctioned country by dealing with that country. This element of the methodology may be more subjective than data-driven because not all countries that have trade relationships with sanctioned countries may be faced with the same level of risk. Care should be taken not to determine that all the countries bordering on sanctioned countries become sanctions-nexus countries by default.

Q5. What methodologies are available to FIs to measure country risk?

There is ongoing debate amongst financial crime Subject Matter Experts (SMEs), and regulators, as to whether FCCR assessment considerations and outputs should be considered a model, a methodology, a tool or even an application. There is no industry standard as to whether the different means of measuring financial crime risk (e.g. FCCR or customer risk assessment) should be considered models, though some countries have issued their own guidance.[5]

These methodologies, while not subjected to the same kind of quantitatively focused independent model review, as with credit models for example, should be subjected to a robust governance process, including a form of independent review and validation by competent third parties.[6] Ultimately, therefore, it is the Group’s view that the decision as to whether an FI’s FCCR rating mechanism is a model, a methodology or something else, should be determined by the governance protocols and modelling standards of each individual FI and any relevant regulatory requirements.

Most internal FCCR indices used by FIs, as well as “off-the-shelf” vendor products, include a composite index to express FCCR as a number (e.g. ascending values from 0 to 10 to reflect increasing levels of risk) or category (e.g. red/amber/green; low, medium, high, higher risk).

Although there are “off-the-shelf” commercial products that produce FCCR ratings based upon various publicly available data sources, most FIs do not use such products as their sole approach to measuring FCCR (see Question 6). Rather, the outputs from such vendors may be utilised as data sources as a basis of comparison to gauge the output of an FI’s proprietary FCCR index or as an input to a customised index used by the FI. Regardless of the approach adopted, any methodology adopted by an FI must, at minimum, use publicly available data sources for its assessment. Methodologies represent a data-driven consistent application across the FI’s footprint with minimal risk of interpretation issues. FIs may elect to vary the application of the methodology on an exceptional basis (e.g. driven by local knowledge or information, organisational and geographical footprint subject to appropriate oversight and governance).

Since there is no universally agreed approach to determining FCCR, many FIs, and vendors alike, integrate experiential judgment or subject-matter expertise into their approach to sense check that the output of the FCCR rating process is as expected and in line with those individuals’ unique expertise within each jurisdiction, where such knowledge and experience exist. Governance committees within FIs should utilise their institutional experience (in limited circumstances only, refer to Question 12) to ensure individual ratings are valid, plausible and continue to capture the latest developments in the area of financial crime risks. The output of the FCCR rating process should be suited to each FI’s unique risk profile, knowledge and appetite. Depending on the use of this element of subjectivity in the country risk rating process, the FCCR assessment may not be formally considered a “model” in the same way as a more purely quantitative driven model might.

Q6. What should FIs consider if they choose to purchase and use an off-the-shelf commercial product to determine their FCCR ratings?

Some FIs may opt to purchase an “off-the-shelf” commercial vendor product for their FCCR ratings. Should an FI consider only using such a vendor product, it should first become familiar with the choice of data sources, methodologies, modelling parameters and validation processes used by the vendor to determine country risk ratings. In particular, FIs should, in a manner consistent with their risk appetite, be satisfied, at a minimum, that:

  • The vendor’s product has produced a documented set of FCCR ratings which is consistent with how the FI considers country risk (e.g. using data points in line with an FI’s expectations);
  • The vendor’s product includes the risk parameters or dimensions covered in Question 2;
  • The information used by the vendor is refreshed on a periodic basis.

FIs should ensure that the vendor can produce documentation rationalising their choice of data sources, methodologies, modelling parameters and validation processes so that the FI and any authorised third party understand how the ratings were achieved. The FI should confirm that this documentation may be shared with supervisors, as needed.

Q7. Is there a standard/conventional methodology to assess country risk?

There are a number of approaches for assessing FCCR, which may be combined or used independently. These include, but may not be limited to:

  • Statistically-based methodology: this approach uses various statistical tools to combine lists and to reach a final FCCR score or classification;
  • Calculation of weighted average score: the FI’s experts assign a weight[7] to each input category or list, where the final score represents a weighted combination of inputs;
  • Zero-risk approach: this methodology assumes a starting point of zero risk and adds negative risk factors to the score.

Usually, the result of any assessment is expressed either as a number (e.g. ascending values from 0 to 10 to reflect increasing levels of risk) or category (e.g. red/amber/green; low, medium, high, higher risk). There are usually common features spanning approaches:

  • An FI should identify the various data inputs and output categories that it wants to consider;
  • Data lists come in many types and therefore a clearly articulated process to “normalise” the different lists into a numeric point scale should be implemented. Lists can be normalised by using mathematical algorithms, including different types of scaling, as long as these are coherent and robust with respect to the other parameters of the rating;
  • SMEs should review and approve the outputs of any methodology.

Regardless of the approach adopted by an FI, the means by which it conducts its assessment should be appropriately documented so that the rationale can be clearly understood.

Q8. How should FIs determine countries in scope for assessment?

There is no universally agreed approach prescribing how many countries should be considered as part of the FI’s country risk assessment process. Hence, as a best practice, FIs can perform a risk assessment on the countries having unique UN ISO 3166[8] (alpha-2 & alpha-3)[9] codes and assign a risk rating for these countries as appropriate.

FIs can select the number of countries for the assessment based on their risk appetite, size, geographical presence, products and services (e.g. cross-border transactions) among other factors. However, when considering the current global interdependent economy driven by the latest technological developments, FIs should take into account the means by which they are connected across multiple jurisdictions and their global business networks.

Free-Trade Zones (FTZs) or Offshore Financial Centers (OFCs) within the same jurisdiction may introduce elevated risks at a sub-national level. An FI’s assessment could aim to apply a targeted risk rating for FTZs/OFCs that are deemed to be equivalent or higher-risk than their parent countries. Risks could be mitigated by:

  • Financial crime risk intelligence and controls (including AML/CTF framework, such as transaction monitoring or targeted data analytics);
  • Outcomes from technical competency and effectiveness assessments performed on the AML/CTF regimes of the FTZ and OFCs, as well as by international/regional organisations;
  • Risk assessments performed by the local regulators and any reports prepared by the ‘parent’ country’s Financial Intelligence Unit or law enforcement agencies/tax governance bodies.

Q9. How can FIs assess risk ratings for Overseas Countries & Territories and Dependencies (OCTs)?

The majority of these OCTs are part of Europe (e.g. territories of Denmark, Finland, France, the Netherlands, Norway, United Kingdom) and the Americas (e.g. American Samoa, Puerto Rico, Virgin Islands U.S.).[10]

FIs may follow two distinct approaches to risk rate OCTs:

  • Use the FCCR to derive a risk rating for the OCTs;
  • Align the OCTs’ ratings to their “parent” country risk ratings.

Irrespective of the approach, the following considerations can be given to an FI’s assessment of the risk ratings:

  • The extent of financial crime risk exposure is the same or similar as the parent country (i.e. mainland) or different (notably to check whether the OCT has higher risk exposure) from its parent country. Similarly, from a controls perspective, FIs should assess whether the OCT has to comply with the parent country’s AML/CTF regime or has its own regime;
  • If the OCT is subject to the parent country’s AML/CTF regime, then FIs can assess the extent of the parent country’s control over these OCTs (whether applying partial/full or direct/indirect control over these OCTs) and the stability/maturity of the parent country’s AML/CTF regimes. If an OCT has its own AML/CTF framework, FIs may follow their usual risk assessment approach;
  • Additional considerations can be given to certain other aspects, such as administration, location and distance from parent country, economic activities, population, amongst others.

As a general principle, FIs should implement a standalone risk rating for OCTs where the AML/CTF frameworks are considered different from their parent countries.

Q10. How can FIs test and validate the effectiveness of their FCCR Models or Methodologies and how frequently should this be undertaken?

If an FI has defined its FCCR rating process as a model, then that model should be subject to the normal cycles of model governance, including quantitative and qualitative validation. The intent of any model validation process is to verify that models are performing as expected, in line with their design objectives and business uses. The model validation process confirms, via continuous analysis and communication, that the model and its outputs are fit for purpose. Validation may identify issues which lead to model development activity or an approved change process as part of model governance.

However, model validation may not involve determining the appropriateness of the hierarchy of country risk ratings in all cases as these are the domain of subject matter expertise and/or an expression of the FI’s risk appetite. Rather, model validation may limit itself to the review and challenge of the development, documentation and execution of the approved methodology. In cases such as these, the final outcome of the model should be challenged and approved by senior financial crime compliance governance.

The effectiveness of any given model should be tracked regularly to check whether it is working appropriately and to identify any areas that require improvement. This ongoing monitoring can be undertaken through the use of Key Performance Indicators (KPIs) and periodic reviews. Each FI will develop KPIs in line with their normal assessment criteria with KPIs usually defined through qualitative user feedback and quantitative analysis. They are subsequently used to assess the performance of the model, identify problems and examine whether governance processes are being followed correctly. Examples of KPIs include model sensitivity,[11] volatility and benchmarking against vendor tool ratings (which can serve as a useful sense check for any discrepancies in ratings versus expected outcomes).

For FIs that have chosen to define their FCCR rating process as a methodology,[12] any review should occur in line with the minimum standard of review of the underlying data sources, i.e. at least annually. A review will look to address previously identified areas of improvement since the last review and assess any external factors that may affect country risk. The reviews may include input from SMEs, trend analysis and/or compliance with industry norms and regulatory obligations/expectations. Reviews should also re-validate the coverage of the methodology (i.e. which jurisdictions, dependencies, territories, FTZs and OCTs are included in the assessment).

Regardless of how an FI defines its FCCR rating process, there should be a sufficiently robust governance process around the selection of data sources, the development of any scoring mechanism, SME input, change control processes and some form of independent review and validation so that the outcomes are justified, documented, stable and effective.

Q11. How should an FI deal with missing data points?

Depending on whether the list of countries being rated is a universal list (e.g. as per the UN list of recognised jurisdictions) or a non-universal list (e.g. excluding small or uninhabited territories), there may be a desire to use substitutes for missing values, either for missing list values or countries that were not rated on any list. The substitution may be with either the highest risk level, the lowest risk level, or an average risk score or proxy value (a value identified for a number of rationalised reasons as likely for the country with missing data). Care must be taken that this process does not distort the FCCR scores, e.g. by making countries that should naturally be high risk appear as lower risk. Any defaulting decisions should be documented clearly and should only occur after the methodology is created, unless a rationale is developed to leverage a similar data point for a comparable jurisdiction.

Given that unknown information is a priori a risk factor, there should be a data quality assessment done when data is missing. If there is a paucity of information for a particular country, a subjective override should be considered for that country. If a data source is limited in terms of the number of countries it covers, appropriate consideration should be given to the impact of this on the output. If data source limitations are identified on a wholesale basis, then consideration should be given to not using the data source in question or, as a minimum, to mitigating any impact on outputs.

Regardless of the FCCR methodology used, FIs may account for missing data in input lists and/or countries, either by (i) elevating the country with missing data to a higher risk or by (ii) deciding not to include the country for consideration in the rating process and risk rate it subjectively instead. Following a risk-based approach combined with professional judgment, FIs shall determine if overrides are required to mitigate missing inputs.

Q12. Should overrides or discretionary risk rating changes be allowed?

In very limited circumstances, manual overrides and/or discretionary rating changes to FCCR outputs may be envisaged, although these should be strictly limited in number and subject to a stringent justification and governance process. There may be occasions when an FI will need to consider in-country intelligence, subject matter expertise or other additional risk factor dimensions or apply expert judgment that may not be factored into existing FCCR rating methodologies. However, overriding FCCR ratings derived from credible sources can present significant risks, such as, but not limited to:

  • Interference with the FCCR methodology and results places the integrity of the methodology at risk. Recurring overrides are typically an indication that, in some respect, the methodology is not performing as intended or has limitations or its scope and purpose have not been well defined;
  • Excluding or ignoring the objective risk input criteria from which the methodology-produced rating is derived, without comprehensive documentation as to why, exposes the FI to regulatory, compliance, operational and reputational risk. For example, despite information on a country’s well-known primary risk of drug trafficking or corruption and a methodology that produced a rating of ‘high,’ the FI approves a lower FCCR due to the fact that the country’s AML/CTF regulatory regime is considered acceptable. As a result, customers from this country would potentially not be subjected to enhanced transaction monitoring or undergo enhanced due diligence (EDD), which could result in the FI failing to identify, and thereby possibly facilitating, the flow of illicit funds;
  • Failure to ensure uniform compliance with risk rating standards through complete internal reviews. The process of reviewing and approving override requests in a vacuum and/or as part of an ad-hoc request could potentially result in inconsistent application of ratings across similarly situated and risk rated countries;
  • The more discretion an FI exercises in overriding and the greater the number of employees/management permitted to exercise override authority, the greater the interference and the potential undermining of the methodology. It is imperative that discretion is limited, properly controlled, and governed by the appropriate risk control or financial crime compliance function. Whenever there are high-risk factors present, the higher and more independent the override approval obtained for the decision, the better.

Individual countries may need to check for specific local regulatory requirements to be considered in any FCCR methodology. If there are local regulatory requirements, these should be brought to the attention of the methodology owner for submission as a dispensation or a localisation process. Any change request should have a clear rationale (copy of the local regulatory requirements) and appropriate financial crime compliance sponsorship. All approvals should be documented as per the methodology governance process.

As previously mentioned, overrides or discretionary risk rating changes should be very limited. In order to minimise the risk of undermining the methodology, supporting documentation should include, as appropriate, a detailed risk-based rationale for the override/change and details on how the residual risk of not complying with the risk rating(s) generated by the approved methodology will be mitigated. Approved exceptions should be assigned an expiration date and be required to be reviewed at least annually, or more frequently if significant changes in regulatory guidance or geographic developments necessitate it.

Q13. Who should maintain ownership of the FCCR methodology and what kind of resources are required?

The FCCR methodology should be owned centrally by a group-level unit independent from the business. Depending on the respective organisational structure within a specific FI, an independent financial crime compliance, AML or other independent risk function would serve as an appropriate owner and approver given the regulatory responsibility of that function and overarching governance and control principles which underpin it. However, operational maintenance may be delegated to another relevant unit outside the function (e.g. an intelligence or analytics unit), which nonetheless takes direction from, and/or reports into, the FCCR methodology owner.

The unit which owns and/or maintains the FCCR methodology needs to be sufficiently resourced with appropriate regulatory and financial crime SMEs. These resources should have a profound understanding of the conceptual framework of, and methodologies associated with, country risk assessment, respective data sources considered, inter-linkages of country risk assessment with other internal AML principles and methodologies, as well as any other relevant information and industry trends in that area. Analytical and technical modelling skills, including statistical expertise, serve as the basis for the development of a robust methodology. The unit should also have a good understanding of the geographic footprint of the FI’s locations and customer base so that the unit can address any local regulatory requirements.

While an independent unit should own and maintain the FCCR methodology, it is recommended that relevant SMEs and stakeholders, such as business lines, other risk functions and relevant back office functions, are included in the development of the methodology.

Q14. Who are generally the users of the assessment results and how are the ratings disseminated?

There are multiple users of FCCR ratings across an FI, including the Lines of Business, which should understand and evaluate the specific risks associated with doing business in, opening accounts for customers from, or facilitating transactions involving, different countries. In this sense, the FCCR ratings will feed (along with other factors) the FI’s Customer Risk Assessment framework, which will rate a customer so that appropriate levels of Customer Due Diligence (CDD) are undertaken, and their transactions or activities monitored accordingly. Furthermore, FCCR ratings should be considered when undertaking Enterprise Wide Risk Assessments (including the assessment of sanctions and bribery and corruption risks),13 setting thresholds and scenarios for transaction monitoring systems and may be considered in other processes (e.g. business strategy decisions, operational risks processes, third party and vendor management, etc.).

Once they have been approved by an appropriate governance forum, FCCR ratings should be provided to all relevant stakeholders involved in CDD, transaction monitoring, owners of systems used for financial crime compliance management and the appropriate Reference Data Management team for implementation within a set timescale. Any delay beyond the date set or deviation from the FCCR ratings should be agreed in line with the FI’s financial crime compliance policy or procedures. Records of the ratings, all changes and the rationale/evidence for any deviations as well as the date they were enacted in each customer/transaction system should be maintained. As part of the methodology implementation governance process, details of the systems into which these FCCR ratings are input locally should also be maintained. This process is designed to ensure that the FCCR ratings are implemented in relevant systems within the timeline prescribed and an assurance process is in place to ensure that they are applied consistently across relevant systems, Lines of Business and countries.

Q15. How should the FCCR rating methodology drive CDD and EDD requirements?

In principle, CDD requirements that have to be applied to mitigate money laundering/terrorist financing (ML/TF) risks should correlate with the level of customer risk as determined by each FI’s customer risk rating framework, of which country risk is one element. EDD is applied to mitigate risk associated with relationships with "higher-risk" customers.

FIs may be required to implement local regulatory requirements for certain countries, e.g. countries subject to FATF’s call for action (i.e. black list), countries subject to FATF’s increased monitoring (i.e. grey list)14 or similar lists issued by competent authorities of jurisdictions posing heightened risk due to strategic deficiencies in their AML/CTF regimes.15

Country risk is one factor among many that an FI may consider when evaluating customer risk. FIs should determine when exposure to a country should be a relevant factor in the assessment of ML/TF risk level. For example:

  • The customer’s country of residence, incorporation, or formation and the country of origin of the customer’s or beneficial owner’s source of wealth;
  • The country of origin of the customer’s source of funds;
  • The countries involved in the transaction, be it a one-off transaction or payments and other services that take place in a business relationship;
  • Specific industries, sectors and business activities that may pose a higher risk, depending on the country of exposure;
  • Country of political exposure for Politically Exposed Persons (PEP).

Relevant risk factors should be taken into account when determining the respective requirements for CDD, both at on-boarding and at periodic review, which may in turn determine any appropriate EDD requirements.16

With regard to customer risk rating (and other control processes where applicable), FIs may consider the country of the booking entity (including the FI’s home jurisdiction) and the impact on the underlying customer exposure.

Q16. Should an FI have a country risk assessment expressed as a country risk rating?

FIs should consider the level of granularity they require from the country risk assessment output, which will depend on the usage of the methodology outputs in financial crime compliance processes and systems.

Some FIs may use a country score as it gives them a more precise level of risk differentiation (e.g. a numerical score in a customer risk assessment engine or transaction monitoring system). Other FIs may use a country risk rating (e.g. low, medium, high, higher risk) as it gives them an output that certain manual processes can use more easily (e.g. PEP due diligence).

Others may prefer using a traffic light symbol or colour (e.g. red/amber/green) which presents a more visual indication for individual users to work with. The output can include other elements that provide greater insights (e.g. a negative/positive trend direction or comments about disputed territories associated with the country).

FCCR ratings are usually considered in the following activities, although it is to be noted that this list is not exhaustive:

  • Portfolio analysis: what percentage of an FI’s customer base, or overall customer assets, are derived from high risk countries?
  • Due diligence requirements: should CDD or EDD be applied? This includes the related approval process to accept certain levels of risk and the appropriate level of seniority (refer to Question 15).
  • Transaction monitoring: to what extent, at what frequency, at which thresholds, against which scenarios?
  • Risk appetite: how much risk is an FI prepared to accept?
  • Periodic or event-driven KYC review processes: how often should periodic reviews be conducted, to what level and by whom?

In conclusion, the FCCR rating becomes a driver, amongst other risk factors, for a number of processes that are the core elements for any financial crime control framework in a risk-based control environment.

FCCR rating methodologies will only determine ratings that define the risk of a particular country. How an FI manages that risk through its controls, their effectiveness and iterative understanding of how to use country risk in the context of risk appetite and risk acceptance further determines considerations as to, amongst others, presence in, acceptance of customers from, or transactions to and from any given country.


Footnotes

  1. See the Wolfsberg Group Statement on Effectiveness (2019).

  2. See FATF Guidance for a Risk-Based Approach – The Banking Sector (2014). The FATF returned to this topic in its paper on Risk Based Supervision (2021) which highlighted that a “zero-tolerance approach that does not tolerate imperfections, particularly in areas identified to pose lower risks, is counterproductive to an effective AML/CTF system and for risk-based supervision.”

  3. FIs may consider tax havens and offshore jurisdictions (so called “Offshore Financial Centers” or OFCs), such as the EU list of Non-Cooperative Jurisdictions for tax purposes. Question 8 details how FIs should determine countries and OFCs in scope for assessment.

  4. These are countries’ publications of national risk assessments as per the FATF Recommendations (R1). National authorities, agencies or organs of state publish a plethora of analyses which vary in terms of prescriptiveness and impact on financial services. Taken individually, the impact of these analyses or position papers may be quite clear but when taken as a whole, FIs can potentially be led to reach quite different conclusions. For Global FIs, the challenge will be how to manage the impact of different national risk assessment results, notably in home regulator markets, across the overarching spectrum of their operations.

  5. See Office of the Comptroller of the Currency (12 April 2021). Bank Secrecy Act/Anti-Money Laundering: Interagency Statement on Model Risk Management for Bank Systems Supporting BSA/AML Compliance and Request for Information, Bulletin 2021-9.

  6. A third party in this instance makes reference to someone who may be indirectly involved but is not a principal party to the development of a methodology, i.e. somebody who has the competence to understand the content, while maintaining sufficient independence to challenge relevant parts of the development process.

  7. Not every input needs to be weighted equally.

  8. The purpose of ISO 3166 is to define internationally recognised codes of letters and/or numbers that can be used when referring to countries and their subdivisions. However, it does not define the names of countries – this information comes from United Nations sources (Terminology Bulletin Country Names and the Country and Region Codes for Statistical Use maintained by the United Nations Statistics Division).

  9. The country codes can be represented as a two-letter code (alpha-2) which is recommended as the general-purpose code, a three-letter code (alpha-3) which is more closely related to the country name, and a three-digit numeric code (see ISO 3166).

  10. See One World Nations Online.

  11. Model sensitivity analyses how much a country’s final score moves based on a range of changes (both realistic and unrealistic) to the underlying data input to the model.

  12. Or tool, or application; the terminology will be specific to each FI.

  13. See Wolfsberg Anti-Bribery and Corruption Compliance Programme Guidance (2023).

  14. See FATF’s Methodology for assessing technical compliance with the FATF Recommendations and the effectiveness of AML/CTF systems (2021).

  15. See His Majesty’s Treasury Advisory Notice: High Risk Third Countries (14 November 2022).

  16. See Wolfsberg Guidance on a Risk Based Approach for Managing Money Laundering Risks (2006).
