Risk assessment of contractual relationships and occasional transactions
The risk assessment of an obliged entity forms the basis for decisions on the risk classification of clients. Obliged entities shall ensure that customers are risk classified in accordance with their transactions and shall preserve all the data, information and reasoning regarding the customers' risk classification. The risk classification shall reflect the risk posed by the customer at any given time.
Risk factors
When assessing a customer's risk classification, any relevant risk factors, which may, in themselves or in combination, increase or decrease the risk of money laundering or terrorist financing, should be considered. The total risk associated with the customer should be considered and it should be borne in mind that a single risk factor does not necessarily mean that the risk classification increases or decreases.
Among other things, the following shall be taken into account:
- the activities, reputation and political exposure of the customer and the beneficial owner,
- which countries or territories are linked to the business relationship,
- risk factors related to the product, service or transaction that is being sought,
- which distribution channels are used,
- whether the customer uses intermediaries to represent him,
- whether the customer is a legal entity with a complex ownership or administrative structure,
- whether the customer is a trust or a comparable entity, and
- whether the customer mainly trades in cash.
When assessing an individual risk factor, obliged entities shall, as a minimum, ensure that:
- a single risk factor does not have an abnormal effect on lowering the risk classification,
- a decision on the weight of individual risk factors does not prevent contractual relationships from being classified as high risk,
- financial and profit-driven considerations do not affect risk classification,
- the provisions of the Act on Measures against Money Laundering and Terrorist Financing regarding cases where increased due diligence is to be applied always take precedence over the risk classification of obliged entities,
- it is possible to bypass automated risk classification if deemed necessary. The reasons for such a decision shall be documented.
Obliged entities are authorised to use automated information technology systems to reach a risk classification decision in order to classify contractual relationships and occasional transactions. The obliged entity must, however, be able to explain to the regulator how the system works and how it combines risk factors to reach a final conclusion regarding risk classification. The entity must also ensure that the result reflects the risk of money laundering and terrorist financing and be able to justify such a conclusion to regulators.
Useful links
- Regulation no. 545/2019 on risk assessment (Icelandic)
- Regulation no. 745/2019 on due diligence (Icelandic)
- Conducting a risk assessment for money laundering and terrorist financing
- Risk assessment – educational material of the steering group on measures against Money Laundering and Terrorist Financing (Icelandic)
- Risk factors in the banking sector (Icelandic)
- Risk factors in the securities market and funds (Icelandic)
- Risk factors in the life insurance market (Icelandic)
- Risk factors due to the issuance and handling of electronic money (Icelandic)
- Risk factors related to money remittance (Icelandic)
- Risk factors in the provision of payment services (Icelandic)