From C5

(including assessment by customer type, products/services as well as geographical location). This flexible approach allows the institution to focus and devote more resources on higher risk areas. Identifying, assessing and understanding the institution’s ml/TF risks: FI / DNFBp must assess risks by customer type, products/services and geography

Not all customers pose the same level of ml/ TF risks. The institution must identify customer types that pose higher risk, those that pose moderate risk and those with the lowest risks. The institution must then implement proportionate Aml/CFT measures for each category. For example, simplified CDD and less intensive transaction monitoring is required for low risk customers, while enhanced CDD and intensive transaction monitoring is necessary for high risk customers e.g. pEps

Similar to customer type, different products and services pose different levels of risks, depending on a number of variables and must be categorised accordingly into low, moderate or high risk. Enhanced controls and monitoring are required for high risk products and services while less resources and focus is devoted to low risk products.

The FI /DNFBp risk assessment must consider country and geographic risks. Customers or transactions linked to countries with poor Aml/ CFT compliance reputation should generally be deemed as high risk and be treated accordingly.

Customer Due Diligence (CDD) customer identification/identity verification: Identify the customer (name) and verify identity of the customer by means of official identification document, documentation required to verify identity of individuals versus corporates.

Where the customer is acting through another (e.g. company rep. or an agent) identify and verify identity of both the customer and the person acting for the customer. For companies, in addition to identifying and verifying identity of the customer itself, one must also identify and verify the identity of the directors. Whether this is necessary in every case depends on the level of risk.

In the case of a company, trust, or other corporate vehicle, not only must you identify and verify the identity of the customer and its directors, you must also identify the ultimate Beneficial owner (uBo). This requires piercing the various layers of corporate veils until you get to the natural person(s) who ultimately own(s) and / or control(s) the entity. Customer due diligence also involves gathering enough information about the customer’s nature of business and source of funds. Identifying and reporting suspicious transactions:

•Every financial institution and every DNFBp is under obligation to identify and report suspicious transactions (where the transaction is such as to give rise to suspicion of money laundering, terrorism financing or related financial crime).

•A suspicious transaction must be reported to the Financial Intelligence unit (FIu), in prescribed form, promptly, but in any case not later than 48 hours from the time the suspicion arises.