Risk-based assessment, internal instructions and training of personnel
The supervised entity must apply such risk management procedures related to money laundering and terrorist financing as are commensurate with the nature and size of its business. In assessing risks, the supervised entity must consider the risks of money laundering and financing of terrorism related to new and existing customers, countries or geographical areas, products, services and transactions as well as distribution channels and technologies (risk-based assessment). The supervised entity must be able to demonstrate to the supervisor that it applies adequate risk management methods concerning customer due diligence and ongoing monitoring as required by the AML Act.
In addition, the supervised entity must have internal instructions suitable for its activities and clearly defined working processes for customer due diligence and AML/CFT. The supervised entity must ensure continuous training of its personnel.
Contact person and internal processes
The supervised entity must designate a contact person who receives reports on suspicious transactions and who has the authority to file reports with the Financial Intelligence Unit. The name and other details of the contact person must be notified to the Financial Intelligence Unit and the FIN-FSA. Any changes in this information must also be notified.
Attention must also be paid on the clarity of duties and allocation of responsibilities, work processes, reporting and the operability of internal control systems. The following general principles of internal control and risk management of companies largely apply to the prevention of money laundering and financing of terrorism:
- Management is responsible for risk management and procedures concerning money laundering and terrorist financing.
- The company has a clear view of who its customers are and to whom it provides its services.
- The contact person has the expertise and adequate decision-making powers to deal with money laundering and other aspects of misconduct on behalf of the company without delay.
- The personnel is provided comprehensive and continuous induction and training.
- Internal instructions are applicable to the company's activities and products.
- Working processes are clear.
- Internal reporting threshold is as low as possible.
- Internal control also covers compliance with AML/CFT obligations and procedures.