Consob Communication no. 0186002 of 4 June 2018 - CONSOB AND ITS ACTIVITIES
Communication no. 0186002 of June 4, 2018
Subject: Criteria and methodologies for assessing the risks of money laundering and terrorist financing to which statutory auditors and audit firms are exposed in the exercise of their activity.
1. Introduction
This Communication identifies the criteria and methodologies for the analysis and assessment of the risks of money laundering and terrorist financing to which statutory auditors and audit firms are exposed in the exercise of their activity (hereinafter also referred to as ‘self-assessment of the risks of money laundering and terrorist financing’), pursuant to Art. 15, para. 1, of Legislative Decree no. 231/2007.
This Communication shall serve as guidelines for statutory auditors and auditing firms to respect the obligations arising from Art. 6, paras 1 and 2 of the 'Regulation laying down provisions for the implementation of Legislative Decree no. 231 of November 21, 2007, and subsequent amendments and additions, in relation to internal organisation, procedures and controls of statutory auditors and auditing firms with auditing engagements in public interest entities or entities subject to intermediate regime for preventing and countering the use of the economic and financial system for money laundering and terrorist financing purposes' (hereinafter also 'Regulations on internal organisation, procedures and controls').
The documents relating to the annual self-assessment of the risks of money laundering and terrorist financing carried out by auditing firms pursuant to Art. 6, para. 4, of the said Regulation shall be transmitted to CONSOB's certified email address consob@pec.consob.it (for the attention of Inspectorate Division, Abusive Phenomena and Money Laundering Inspections Office).
2. The self-assessment methodology
The methodology for self-assessment of the risks of money laundering and terrorist financing consists of three phases, as follows:
- Identification and assessment of the risks of money laundering and terrorist financing to which the auditing firms and statutory auditors are exposed in the context of their activity (identification of the 'inherent risk');
- Assessment of the suitability of organisational, procedural and control devices concretely implemented by auditing firms and by statutory auditors with respect to the risks identified above, in order to detect any vulnerability ('vulnerability' analysis);
- Determination of the residual risk to which the auditing firms and statutory auditors, taking account of their level of vulnerability, remain exposed and of corrective actions to be taken in order to mitigate this risk.
2.1 Assessment of inherent risk
In order to identify the level of inherent risk, at least the following elements must be taken into account:
- The number of customers (and business owners) operating in economic activity sectors that are at risk of money laundering and terrorist financing[1];
- The number of customers (and business owners) operating in geographical areas at risk of money laundering and terrorist financing[2];
- The number of customers (and beneficial owners) involved in matters that are the subject of prejudicial information (e.g., involvement in criminal proceedings for money laundering, terrorism or other alleged crimes and cases related to crimes of money laundering or terrorism) or included in the so-called ‘terrorism watch’ lists;
- The number of customers with complex or not very transparent shareholding structures (e.g., due to the presence of a trust or trust shielding);
- The number of customers with significant business relationships with key players operating in geographical areas at risk of money laundering and terrorist financing;
- The number of customers in precarious economic and financial situations (so-called 'significant uncertainties') that led to qualified or negative audit opinions;
- The number of customers with reference to whom the statutory auditors found matters to which attention was drawn by way of emphasis;
- The number of customers who issued partial, inaccurate, incomplete or false declarations that have resulted in the impossibility to issue an opinion;
- The number of customers with non-cooperative or reticent conduct;
- The number of customers classified as being at a high risk of money laundering or terrorist financing (also due to the presence of politically exposed foreign or national persons)[3];
- The volume of turnover derived from activities other than auditing.
Auditing firms and statutory auditors can identify risk factors other than those listed above, also in view of the specificities of the activities carried out and the customers on behalf of which they operate.
In the light of the above-listed assessment elements, also taking into account the elements resulting from the reports and other evidence of corporate control functions and the findings of any inspections carried out by the Supervisory Authorities, auditing firms and statutory auditors measure the level of inherent risk, which is reduced to one of the four levels roughly described in the following table.
Table 1 - Analysis of the inherent risk
| Rating | Attribution criteria |
| --- | --- |
| Low risk | The number of customers/beneficial owners of businesses who operate in sectors or areas at risk of money laundering and terrorist financing, or that are involved in matters that are the subject of prejudicial information, or have one or more of the risk factors listed above, is very low. The number of customers at a higher risk of money laundering or terrorist financing is low. The amount of the turnover is derived almost exclusively from the auditing activity. |
| Medium-low risk | The number of customers/beneficial owners of businesses who operate in sectors or areas at risk of money laundering and terrorist financing, or that are involved in matters that are the subject of prejudicial information, or have one or more of the risk factors listed above, is low. The number of customers at risk of money laundering or terrorist financing is low. The amount of turnover resulting from auditing activities is predominant in comparison with that resulting from other services. |
| Medium-high risk | The number of customers/beneficial owners of businesses who operate in sectors or areas at risk of money laundering and terrorist financing, or that are involved in matters that are the subject of prejudicial information, or have one or more of the risk factors listed above, is high. A large number of customers have a higher risk of money laundering or terrorist financing. The amount of turnover resulting from auditing activities is roughly equivalent to that from other services. |
| High risk | The number of customers/beneficial owners of businesses who operate in sectors or areas at risk of money laundering and terrorist financing, or that are involved in matters that are the subject of prejudicial information, or have one or more of the risk factors listed above, is very high. The number of customers with a higher risk of money laundering or terrorist financing is very high. The amount of the turnover resulting from auditing activities is lower than that from other services. |
In determining the level of inherent risk, auditing firms and statutory auditors shall adopt prudential criteria. In particular, in case of doubt among multiple levels of risk, the higher risk level shall be attributed in principle.
The attribution of the level of inherent risk must always be accompanied by a description of the assessment factors considered and of the reasons which have led to the choices made.
2.2 Vulnerability analysis
Pursuant to Art. 5 of the Regulation on internal organisation, procedures and controls, auditing firms and statutory auditors shall adopt and implement suitable policies and procedures for mitigating the risks of money laundering and terrorist financing.
The following table summarises the system of devices (organisational structure, internal procedures, control systems, training) that is considered to express non-significant vulnerability, as it is fully effective and makes it possible to identify and counter the risks of money laundering and terrorist financing to which the auditing firms or the auditors may be exposed.
Statutory auditors shall carry out the vulnerability analysis in coherence with their nature of individual professionals and in a manner proportionate to the organisational structure they use (if any).
Table 2 - Non-significant vulnerability: fully effective and suitable mitigating devices
| Organisational structure | The roles, responsibilities and duties of the Bodies and/or entities involved in the processes aimed at fulfilling the obligations laid down in the anti-money laundering legislation have been defined. A suitable, complete and timely system of information flows toward company bodies is in place. The Head of the Anti-Money Laundering Compliance function was appointed on the basis of his/her proven experience or expertise on money laundering and a replacement mechanism was established to be applied in the event that he/she provides professional services to the customers. The Anti-Money Laundering Compliance function is organised in a manner consistent with the principle of proportionality and in such a way as to guarantee its independence. If the Anti-Money Laundering Compliance function is outsourced, the necessary measures were adopted aimed at ensuring that corporate bodies maintain their powers of guidance and control and that the methods of providing services are continuously monitored. |
| Internal procedures | These procedures fully describe the operational processes concretely adopted for the purpose of discharging the obligations imposed by primary and secondary legislation (identification and due diligence of the customer and the beneficial owner, constant control, retention of data and information, reporting of suspicious transactions). A system of profiling customers appropriate to the operational context and the reference customer characteristics has been adopted. The said system, based on an objective weighting mechanism with predetermined metrics, allows the classification of customers on at least three levels of risk ('low', 'medium' and 'high'). Customer due diligence measures commensurate with the money laundering profile attributed to the customers have been established. Procedural rules have been brought to the attention of all personnel and are in line with the legislative and regulatory framework in force. |
| Control system | The control system adopted is suitable for promptly detecting and managing the risks of money laundering and terrorist financing. The control functions carry out their checks in a continuous way and formalise the outcomes. The results of the control activities, together with indication of any corrective actions, are fully reported in the annual reports prepared by the said control functions and formally presented to the Board of Directors. The outcome of the checks carried out in the last year shows no organisational or procedural deficiencies, or that any deficiencies found were readily overcome through the adoption of specific corrective measures. The suitability and effectiveness of the activities carried out by the Anti-Money Laundering Compliance function are subjected to periodic monitoring by the Quality Control function. |
| Training | The Head of the Anti-Money Laundering Compliance function has established specific training programmes aimed at ensuring all personnel an up-to-date knowledge of the laws and regulations, the methods for their implementation, the evolution of money laundering risks, as well as the typical operational schemes of money laundering. The training activity involved all the money laundering process stakeholders. All the recipients took part in training courses carried out in the last year (if any) and their degree of learning was seen as satisfactory by the Head of the Anti-Money Laundering Compliance function. |
Auditing firms and statutory auditors shall examine and assess the risk mitigating devices concretely in place and implemented and compare them to those that, based on the summary table above, can be regarded as effective and suitable and therefore as the sign of a non-significant vulnerability level.
The said assessment and comparison shall determine the vulnerability level of the system of risk mitigation devices on the basis of the criteria set out in the following table.
Table 3 - Vulnerability analysis
| Rating | Attribution criteria |
| --- | --- |
| Non-significant vulnerability | The status of mitigation devices implemented and concretely in place corresponds with that described in Table 2. |
| Lowly significant vulnerability | Weaknesses are limited compared to the situation described in Table 2, but the system of devices is overall positive and has a sufficient capacity for identifying and countering the risks of money laundering and terrorist financing. |
| Rather significant vulnerability | There are numerous deficiencies compared to the situation described in Table 2, which render the system of devices not sufficiently suitable for identifying and countering the risks of money laundering and terrorist financing. |
| Very significant vulnerability | Compared to the situation described in Table 2, deficiencies are very numerous and widespread and such as to render the system of mitigating devices unsuitable for identifying and countering the risks of money laundering and terrorist financing. |
In all cases where the assessment finds a vulnerability level other than 'non-significant', the auditing firms and statutory auditors shall illustrate - in the risk self-assessment document drawn up pursuant to Art. 6 of the Regulations on internal organisation, procedures and controls - the areas of deviation compared with Table 2, through description of the weaknesses or deficiencies identified.
2.3 Determining the residual risk
The combination of the opinions on inherent risk and vulnerability of the devices determines the extent of the residual risk, according to the matrix shown below.
The residual risk determination matrix
[Matrix: INHERENT RISK level (High, Medium-high, Medium-low, Low) against VULNERABILITY (Non-significant, Lowly significant, Rather significant, Very significant); residual risk levels: High residual risk, Medium-high residual risk, Medium-low residual risk, Low residual risk.]
In the risk self-assessment document drawn up pursuant to Art. 6 of the Regulation on internal organisation, procedures and controls, the determination of the level of residual risk is accompanied by the description of corrective or adaptation actions identified.
THE CHAIRMAN
Mario Nava
Footnotes:
[1] Among the economic activity sectors at risk, the following must be considered at least: collection and disposal of waste, the arms trade, gaming and betting, remittance of money, art and antiques dealing, production of renewable energies, cash intensive business (e.g. retail trade and catering), mining of minerals and metals, health services and other activities related to public procurement, pharmaceutical sector, real estate, construction and earthmoving, precious stone dealing, recreational activities and sport, non-profit activities (e.g., NGOs and public benefit organisations such as Italian ONLUS organisations). Further sectors at risk can be detected from the half-yearly reports of DIA (Direzione Investigativa Antimafia, the Italian Antimafia Investigation Directorate), the publications of UIF (Unità di Informazione Finanziaria, Italy’s Financial Intelligence Unit) or the publications of research institutes, as well as the Joint Guidelines of European Supervisory Authorities on simplified and enhanced measures for customer due diligence and risk factors, published on January 4, 2018.
[2] Reference shall be made to customers and beneficial owners that have their registered office/residence or have significant economic and financial interests in countries or areas identified as high risk ones by national or international bodies, such as, e.g., FAFT-FATF (http://www.fatf-gafi.org/fr/pays/#high-risk), ‘High-risk countries’ identified by the European Commission in the exercise of the powers conferred on it by Art. 9 and Art. 64 of Directive 2015/849, tax havens (so-called 'Black List Countries' identified by the Italian Minister of Economy and Finance), half-yearly reports of DIA, annual reports of FIU, etc.
[3] The customers' risk level contributes to the assessment of the inherent risk because, although in the assessment model adopted by the auditing firm all the risk factors listed above are considered, the occurrence of one or more of the said factors does not necessarily involve attribution to customers of the highest risk level.