On the 29th of June, the Financial Action Task Force (FATF) published its Guidance on Proliferation Financing Risk Assessment and Mitigation.
As the title suggests the document provides guidance around assessing and mitigating risks of proliferation financing, but most importantly for the crypto assets industry, it clarifies that FATF Recommendations relating to Proliferation Financing should also apply to Virtual Asset Service Providers.
Proliferation financing (in the context of FATF Recommendations) refers to;
of the targeted financial sanctions obligations referred to by Recommendation 7.
Recommendation 7’s obligations apply to two country-specific regimes for; the Democratic People’s Republic of Korea (North Korea) and the Islamic Republic of Iran.
Proliferation financing is highly connected to targeted financial sanctions obligations.
The difference is that the sanction programmes relate to direct dealings with designated individuals and entities (including entities 50%+ owned by such persons). Proliferation financing relates to the breach or evasion of sanctions, as well as non-implementation, which is much wider than direct sanctions concerns.
For example, a corporate entity client may have no designated persons in their beneficial owners and directors; however, a due diligence process has revealed that there is a risk this customer is breaching sanctions – for instance by having designated entities from Iran as serviced customers.
In October 2020, the FATF updated Recommendation 1 to require private sector entities to;
The above requirements may be met within the framework of the existing sanctions and compliance program at the entity. Importantly. The risk assessment conducted must be documented.
The paper published in June 2021 focuses on the above obligations and provides guidance on how to;
It also clarifies that the private sector entities that should perform proliferation financing risk assessment and mitigation includes Virtual Asset Service Providers.
Proliferation financing risk can be viewed as the function of;
These three elements can be included in the proliferation financing risk assessment similarly to other risk assessment exercises.
Threat refers to designated persons and entities that have previously evaded, breached or failed to implement targeted financial sanctions.
Vulnerability refers to features, products or a type of service that can be used in breach, non-implementation or evasion of targeted sanctions.
Consequence refers to the outcome where assets are made available to designated persons and entities, which could ultimately allow them, for example, to source the required materials, items or systems for developing nuclear, biological or chemical weapon systems.
Apart from the concepts of threat, vulnerability and consequence, risk assessment should cover both inherent risk and residual risk.
Inherent risk refers to the natural level of risk, i.e. risk prior to introducing any mitigation measures.
Residual risk refers to risk which remains after the mitigation process.
For instance, a VASP may identify that due to its global reach it has a high risk of dealing with individuals located in North Korea and Iran.
A mitigation measure may be to restrict users from these countries. A residual risk would then be the actual risk of dealing with such individuals after the restriction has been introduced.
Proliferation financing risk assessment may follow the same six stages as the risk assessment undertaken for money laundering, i.e.
The guidance provides a detailed description of what each stage should entail.
To summarize, as per FATF Recommendations and Guidance, VASPs should be required to perform proliferation financing risk assessments and document their analysis.
The measure to mitigate proliferation risk for VASP depends on;
The guidance provides examples of risk mitigation measures;
FATF notes that there may be cases of VASPs having a particularly low risk of proliferation financing, e.g. small VASPs serving predominantly locally-based and lower-risk customers.
In such cases of low-risk exposure, it would be reasonable to rely on publicly available records and information supplied by customers for screening against the list of designated entities and individuals to meet the obligations.
For VASPs that have a high risk of proliferation financing, the paper gives more detailed guidance on potential risk mitigation, for example, incorporation of various international guidance and typologies on the subject in their compliance programs or using technology and software to identify links to proliferation financing relationships.
Coinfirm’s AML Platform has strong sanctions controls inbuilt that handle not only direct sanction risk, but also a wide plethora of indirect sanctions risks.
The risk assessment of a given address takes into account both direct and indirect identified nexus to;
What that means in practice is that if we identified that a given address has ultimately received a substantial portion of funds from or sent a substantial portion of funds to an address with links to designated persons or Iran or North Korea, this risk will be reflected in their C-Score even if the transaction took place a few hops away.
Additionally, any address that Coinfirm has identified as directly receiving funds from an address linked to designated persons or Iran or North Korea, will be marked as high-risk, regardless of the amount concerned.