FATF Guidance on Proliferation Financing Risk Assessment and Mitigation


On the 29th of June, the Financial Action Task Force (FATF) published its Guidance on Proliferation Financing Risk Assessment and Mitigation.

As the title suggests, the document provides guidance on assessing and mitigating the risks of proliferation financing. Most importantly for the crypto assets industry, it clarifies that the FATF Recommendations relating to proliferation financing should also apply to Virtual Asset Service Providers (VASPs).

What is proliferation financing?

Proliferation financing (in the context of FATF Recommendations) refers to the:

  • potential breach,
  • non-implementation,
  • evasion,

of the targeted financial sanctions obligations referred to by Recommendation 7.

Recommendation 7’s obligations apply to two country-specific regimes: those for the Democratic People’s Republic of Korea (North Korea) and the Islamic Republic of Iran.

How does proliferation financing differ from targeted financial sanctions?

Proliferation financing is highly connected to targeted financial sanctions obligations.

The difference is that the sanction programmes relate to direct dealings with designated individuals and entities (including entities 50%+ owned by such persons). Proliferation financing relates to the breach or evasion of sanctions, as well as non-implementation, which is much wider than direct sanctions concerns.

For example, a corporate client may have no designated persons among its beneficial owners and directors; however, a due diligence process has revealed a risk that this customer is breaching sanctions, for instance by having designated entities from Iran as serviced customers.

What are the FATF requirements regarding proliferation financing for the private sector?

In October 2020, the FATF updated Recommendation 1 to require private sector entities to:

  • Identify, assess and understand the proliferation financing risks for the country and respective private sector
  • Mitigate these risks

The above requirements may be met within the framework of the entity's existing sanctions and compliance program. Importantly, the risk assessment conducted must be documented.

The paper published in June 2021 focuses on the above obligations and provides guidance on how to:

  • Assess proliferation financing risks
  • Mitigate proliferation financing risks
  • Supervise the above

It also clarifies that the private sector entities that should perform proliferation financing risk assessment and mitigation include Virtual Asset Service Providers.

How to assess proliferation financing risks?

Proliferation financing risk can be viewed as a function of:

  • Threat
  • Vulnerability
  • Consequence

These three elements can be included in the proliferation financing risk assessment similarly to other risk assessment exercises.

Threat refers to designated persons and entities that have previously evaded, breached or failed to implement targeted financial sanctions.

Vulnerability refers to features, products or a type of service that can be used in breach, non-implementation or evasion of targeted sanctions. 

Consequence refers to the outcome where assets are made available to designated persons and entities, which could ultimately allow them, for example, to source the required materials, items or systems for developing nuclear, biological or chemical weapon systems.

Apart from the concepts of threat, vulnerability and consequence, risk assessment should cover both inherent risk and residual risk.

Inherent risk refers to the natural level of risk, i.e. risk prior to introducing any mitigation measures.

Residual risk refers to risk which remains after the mitigation process.

For instance, a VASP may identify that due to its global reach it has a high risk of dealing with individuals located in North Korea and Iran.

A mitigation measure may be to restrict users from these countries. A residual risk would then be the actual risk of dealing with such individuals after the restriction has been introduced.

Proliferation financing risk assessment may follow the same six stages as the risk assessment undertaken for money laundering, i.e.:

  • Preliminary scoping
  • Planning and organization
  • Identification of threats and vulnerabilities
  • Analysis
  • Evaluation and follow-up
  • Update

The guidance provides a detailed description of what each stage should entail.

To summarize, as per FATF Recommendations and Guidance, VASPs should be required to perform proliferation financing risk assessments and document their analysis.

How to mitigate against the risks identified?

The measures a VASP takes to mitigate proliferation risk depend on:

  • National legislation requirements
  • Results of VASP risk assessment analysis of proliferation financing risks, in particular source and degree of risks

The guidance provides examples of risk mitigation measures:

  • Improved client onboarding process (including scrutiny around beneficial owners)
  • Enhanced customer due diligence procedures
  • Effective maintenance of customer master data
  • Regular controls to ensure effectiveness of procedures for sanctions screening
  • Leveraging existing compliance programs

FATF notes that there may be cases of VASPs having a particularly low risk of proliferation financing, e.g. small VASPs serving predominantly locally-based and lower-risk customers.

In such cases of low-risk exposure, it would be reasonable to rely on publicly available records and information supplied by customers for screening against the list of designated entities and individuals to meet the obligations.

For VASPs that have a high risk of proliferation financing, the paper gives more detailed guidance on potential risk mitigation, for example, incorporation of various international guidance and typologies on the subject in their compliance programs or using technology and software to identify links to proliferation financing relationships.

How can Coinfirm support you in mitigating proliferation financing risks?

Coinfirm’s AML Platform has strong built-in sanctions controls that handle not only direct sanctions risk but also a wide range of indirect sanctions risks.

The risk assessment of a given address takes into account both direct and indirect identified nexus to:

  • Designated persons and entities (and their wallet addresses)
  • Countries subject to sanctions programs (including North Korea and Iran)

In practice, this means that if we have identified that a given address has ultimately received a substantial portion of funds from, or sent a substantial portion of funds to, an address with links to designated persons, Iran or North Korea, this risk will be reflected in its C-Score even if the transaction took place a few hops away.

Additionally, any address that Coinfirm has identified as directly receiving funds from an address linked to designated persons, Iran or North Korea will be marked as high-risk, regardless of the amount concerned.