4. THE RISK BASED APPROACH
4.1. Obligations of the Risk-Based Approach
4.1.1. General Duty
A Relevant Person must take appropriate steps to identify and assess the risks of money laundering to which its business is exposed, and must establish and maintain policies, procedures, systems and controls to mitigate and manage the risks identified.
A Relevant Person must take appropriate steps to manage and mitigate country-wide risks, including those relevant for the Republic of Kazakhstan identified in the published reports and guidance given by the Financial Intelligence Unit of the Republic of Kazakhstan (the "FIU") regarding the FATF mutual evaluations and follow-up reports, and implement enhanced measures where higher risks are identified.
4.1.2. Nature and size of business
In deciding what steps are appropriate under AML 4.1.1, a Relevant Person must consider the size (as measured by the number of its employees, revenue, or market capitalisation, as appropriate) and nature of its business and the complexity of its activities.
4.1.3. Obligation to assess, manage and mitigate business and customer risks
In order to identify and assess the risks of money laundering a Relevant Person must conduct a business risk assessment and must also conduct customer risk assessments in accordance with Chapter 5 and keep these assessments up to date.
The risks of money laundering that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products must be identified and assessed by a Relevant Person prior to the launch or use of such products, practices and technologies.
A Relevant Person must take appropriate measures to manage and mitigate the risks identified in its risk assessments.
4.2. Business Risk Assessment by Relevant Persons
4.2.1. Risk factors to be considered for business risk assessment
In carrying out a business risk assessment as required under AML 4.1.1 a Relevant Person must take into account risk factors including:
- (a) its customers;
- (b) the countries or geographic areas in which it operates;
- (c) its products or services;
- (d) its transactions;
- (e) its delivery mechanisms, channels and partners;
- (f) the development of new products and new business practices, including new delivery mechanisms, channels and partners; and
- (g) the use of new or developing technologies for both new and pre-existing products.
4.2.2. Use of the business risk assessment
A Relevant Person must use the information obtained from its business risk assessment to:
- (a) develop and maintain the policies, procedures, systems and controls required by AML 4.1.1;
- (b) ensure that its policies, procedures, systems and controls adequately mitigate the risks identified;
- (c) assess the effectiveness of its policies, procedures, systems and controls;
- (d) assist in allocation and prioritisation of AML resources; and
- (e) assist in the carrying out of customer risk assessments under Chapter 5.
4.3. Internal policies, procedures, systems and controls
4.3.1. Requirements of policies, procedures, systems and controls
The policies, procedures, systems and controls adopted by a Relevant Person under AML 4.1.1 must be:
- (a) proportionate to the nature, scale, complexity and money laundering risks of the activities of the Relevant Person’s business;
- (b) comprised of, at minimum, organisation of the development and maintenance of the policies, procedures, systems and controls required by AML 4.1.1:
  - (i) risk management;
  - (ii) customer identification;
  - (iii) transaction monitoring and reviewing;
  - (iv) employees training and awareness programme;
  - (v) appropriate representation of compliance function in the management;
  - (vi) adequate screening procedures to ensure high standards when hiring employees; and
  - (vii) independent audit function to test the system.
- (c) approved by its senior management; and
- (d) monitored, reviewed and updated regularly.
4.3.2. Purpose of policies, procedures, systems and controls
The policies, procedures, systems and controls must provide for the identification and scrutiny of:
- (a) complex or unusually large transactions, or an unusual pattern of transactions;
- (b) transactions which have no apparent economic or legal purpose; and
- (c) other activity which the Relevant Person regards as particularly likely by its nature to be related to money laundering.
4.3.3. Record of policies, procedures, systems and controls
A Relevant Person must maintain a written record of the policies, procedures, systems and controls established under AML 4.1.1. The Rules regarding record-keeping for the purposes of these Rules are in AML 14.5.
Guidance on the risk based approach
- (a) AML 4.1.1 requires a Relevant Person to adopt an approach to AML which is proportionate to the risks inherent in its business. This is illustrated in Figure 1 below. The AFSA expects the RBA to be a key part of the Relevant Person's AML compliance culture and to cascade down from the senior management to the rest of the organisation. It requires the full commitment and support of senior management, and the active cooperation of all employees. Embedding the RBA within its business allows a Relevant Person to make decisions and allocate AML resources in the most efficient and effective way.
- (b) No system of checks will detect and prevent all money laundering. A RBA will, however, balance the cost burden placed on Relevant Persons and their customers, against a realistic assessment of the threat of the Relevant Person’s business being used in connection with money laundering. It will focus the effort where it is needed and will have most impact.
- (c) In implementing the RBA, a Relevant Person is expected to have in place processes to identify and assess money laundering risks. After the risk assessment, the Relevant Person is expected to monitor, manage and mitigate the risks in a way that is proportionate to the Relevant Person's exposure to those money laundering risks. The general principle is that where there are higher risks of money laundering, a Relevant Person is required to take enhanced measures to manage and mitigate those risks, and that, correspondingly, when the risks are lower, simplified measures are permitted.
- (d) The RBA discourages a "tick-box" approach to AML. Instead, a Relevant Person is required to assess relevant money laundering risks and adopt a proportionate response to such risks.
- (e) Unless a Relevant Person understands the money laundering risks to which it is exposed, it cannot take appropriate steps to prevent its business being used for the purposes of money laundering. Money laundering risks vary from business to business depending on the nature of the business, the type of customers a business has, and the nature of the products and services sold.
- (f) Relevant Persons that do not offer complex products or services and that have limited international exposure may not need an overly complex or sophisticated business risk assessment.
- (g) Using the RBA, a Relevant Person assesses its own vulnerabilities to money laundering and takes all reasonable steps to eliminate or manage such risks. The results of this assessment will also feed into the Relevant Person’s risk assessment of its customers (see Chapter 6).
- (h) Risk management is a continuous process, carried out on a dynamic basis. A money laundering risk assessment is not a one-time exercise. The AFSA expects that a Relevant Person's risk management processes for managing money laundering risks are kept under regular review and that any changes made to policies, procedures, systems and controls are recorded.