4. THE RISK BASED APPROACH
4.1. Obligations of the Risk-Based Approach
4.1.1. General Duty
A Relevant Person must take appropriate steps to identify and assess the risks of money laundering to which its business is exposed, and must establish and maintain policies, procedures, systems and controls to mitigate and manage the risks identified.
A Relevant Person must take appropriate steps to manage and mitigate risks considering country-wide risks, including those relevant for the Republic of Kazakhstan identified in the published reports and guidance given by the Financial Intelligence Unit of the Republic of Kazakhstan (the "FIU") regarding the FATF mutual evaluations and follow-up reports, and implement enhanced measures where higher risks are identified.
4.1.2. Nature and size of business
In deciding what steps are appropriate under AML 4.1.1, a Relevant Person must consider the size (as measured by the number of its employees, revenue, or market capitalisation, as appropriate) and nature of its business and the complexity of its activities.
4.1.3. Obligation to assess, manage and mitigate business and customer risks
In order to identify and assess the risks of money laundering a Relevant Person must conduct a business risk assessment and must also conduct customer risk assessments in accordance with Chapter 5 and keep these assessments up to date.
The risks of money laundering that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products must be identified and assessed by a Relevant Person prior to the launch or use of such products, practices and technologies.
A Relevant Person must take appropriate measures to manage and mitigate the risks identified in its risk assessments.
4.2. Business Risk Assessment by Relevant Persons
4.2.1. Risk factors to be considered for business risk assessment
In carrying out a business risk assessment as required under AML 4.1.1 a Relevant Person must take into account risk factors including:
- (a) its customers;
- (b) the countries or geographic areas in which it operates;
- (c) its products or services;
- (d) its transactions;
- (e) its delivery mechanisms, channels and partners;
- (f) the development of new products and new business practices, including new delivery mechanisms, channels and partners; and
- (g) the use of new or developing technologies for both new and pre-existing products.
4.2.2. Use of the business risk assessment
A Relevant Person must use the information obtained from its business risk assessment to:
- (a) develop and maintain the policies, procedures, systems and controls required by AML 4.1.1;
- (b) ensure that its policies, procedures, systems and controls adequately mitigate the risks identified;
- (c) assess the effectiveness of its policies, procedures, systems and controls;
- (d) assist in allocation and prioritisation of AML resources; and
- (e) assist in the carrying out of customer risk assessments under Chapter 5.
4.3. Internal policies, procedures, systems and controls
4.3.1. Requirements of policies, procedures, systems and controls
The policies, procedures, systems and controls adopted by a Relevant Person under AML 4.1.1 must be:
- (a) proportionate to the nature, scale, complexity and money laundering risks of the activities of the Relevant Person’s business;
- (b) comprised of, at minimum, organisation of the development and maintenance of the policies, procedures, systems and controls required by AML 4.1.1:
  - (i) appropriate representation of the AML compliance function in managing and organising the internal control system on AML matters;
  - (ii) risk management programme (BURA, CRA);
  - (iii) customer identification programme (KYC/CDD);
  - (iv) transaction monitoring and reviewing;
  - (v) employees training and awareness programme;
  - (vi) adequate screening procedures to ensure high standards when hiring employees (Know Your Employee); and
  - (vii) independent audit function to test the system.
- (c) approved by its senior management; and
- (d) monitored, reviewed and updated regularly.
4.3.2. Purpose of policies, procedures, systems and controls
The purpose of the policies, procedures, systems and controls is the efficient detection of money laundering and terrorist financing (ML/TF) and sanctions violations, and the prevention and minimisation of ML/TF and sanctions risks.
The policies, procedures, systems and controls must provide for the identification and scrutiny of the following, including but not limited to:
- (a) complex or unusually large transactions, or an unusual pattern of transactions;
- (b) transactions which have no apparent economic or legal purpose; and
- (c) other activity which the Relevant Person regards as particularly likely by its nature to be related to money laundering, sanctions evasion or other financial crimes;
- (d) actions aimed at evading proper verification and (or) financial monitoring;
- (f) transaction with money and (or) other property, the participant of which is a person registered (residing) in a geographic area (state or territory) considered to be an area of high risk.
4.3.3. Record of policies, procedures, systems and controls
A Relevant Person must maintain a written record of the policies, procedures, systems and controls established under AML 4.1.1. The requirements regarding record-keeping for the purposes of these Rules are in AML 14.5.
Guidance on RBA
- (a) AML 4.1.1 requires a Relevant Person to adopt an approach to AML which is proportionate to the risks inherent in its business. This is illustrated in Figure 1 below. The AFSA expects the RBA to be a key part of the Relevant Person's AML compliance culture and to cascade down from the senior management to the rest of the organisation. It requires the full commitment and support of senior management, and the active cooperation of all employees. Embedding the RBA within its business allows a Relevant Person to make decisions and allocate AML resources in the most efficient and effective way.
- (b) No system of checks will detect and prevent all money laundering. An RBA will, however, balance the cost burden placed on Relevant Persons and their customers against a realistic assessment of the threat of the Relevant Person’s business being used in connection with money laundering. It will focus the effort where it is needed and will have most impact.
- (c) In implementing the RBA, a Relevant Person is expected to have in place processes to identify and assess money laundering risks. After the risk assessment, the Relevant Person is expected to monitor, manage and mitigate the risks in a way that is proportionate to the Relevant Person's exposure to those money laundering risks. The general principle is that where there are higher risks of money laundering, a Relevant Person is required to take enhanced measures to manage and mitigate those risks, and that, correspondingly, when the risks are lower, simplified measures are permitted.
- (d) The RBA discourages a tick-box approach to AML. Instead, a Relevant Person is required to assess relevant money laundering risks and adopt a proportionate response to such risks.
- (e) The RBA identifies, manages and analyses ML/TF and sanctions risks in order to develop and effectively implement appropriate procedures and controls. It is therefore critical that risk ratings accurately reflect existing risks, provide meaningful assessments leading to practical steps to reduce those risks, are reviewed periodically and, where necessary, regularly updated.
- (f) The risk-based analysis should include, among other things, relevant inherent and residual risks at the country, industry, entity itself and business relationship levels. As a result of this analysis, a Relevant Person should develop a thorough understanding of the risk inherent in its customer base, products, delivery channels, services and products offered (pre-existing and new services/products), and the jurisdictions in which it and its customers do business or territories where they are registered. This understanding should be based on operational, transactional and other internal information collected by the organisation, as well as external sources.
- (g) When identifying all ML/TF risks, all relevant information must be considered. This typically requires the input of experts from business, risk management, compliance/legal departments, as well as advice from external experts when necessary. Current and new business products and services should be assessed for vulnerability to money laundering and sanctions violations, and appropriate controls should be put in place before launching them into the active stage. There is also a growing number of useful ML/TF risk assessment guidelines available to the public that should be taken into account. Examples include those published by the FATF, FSRB, regulators and FIU and other agencies such as the UNODC, the IMF, the World Bank and the Wolfsberg Group, as well as jurisdiction-specific information, advice and guidance.
- (h) Risk is dynamic and requires constant management. It should also be noted that the environment in which every organisation operates is subject to constant change. Externally, political changes in a jurisdiction, as well as the introduction or lifting of economic sanctions, can affect a country's risk rating.
- (i) Unless a Relevant Person understands the money laundering and sanctions risks to which it is exposed, it cannot take appropriate steps to prevent its business being used for the purposes of money laundering and sanctions violations. Money laundering risks vary from business to business depending on the nature of the business, the type of customers a business has, and the nature of the products and services sold.
- (j) Relevant Persons that do not offer complex products or services and that have limited international exposure may not need an overly complex or sophisticated business risk assessment, but it should be tailored to the specifics of the business and scope of the Relevant Person.
- (k) Using the RBA, a Relevant Person assesses its own vulnerabilities to money laundering and takes all reasonable steps to eliminate or manage such risks. The results of this assessment will also feed into the Relevant Person’s risk assessment of its customers (see Chapter 6).
- Risk management is a continuous process, carried out on a dynamic basis. A money laundering risk assessment is not a one-time exercise. The AFSA expects that a Relevant Person's risk management processes for managing money laundering risks are kept under regular review and that any changes made to policies, procedures, systems and controls are recorded.
- (l) The Relevant Person should develop and implement the risk assessment model based on quantitative and qualitative characteristics. Numerical values make it possible to determine the risk category (geography, customer type, products, services channels used) and the customer's overall risk. Each category can be scored differently, depending on the circumstances of each company's business.