One of the key elements of the FATF Standards is to take into consideration the imminent ML/TF risk in the jurisdiction and individual sectors for the purposes of applying ML/TF measures on a risk sensitive basis. This enables the state authorities, as well as the private sector to allocate resources more appropriately and focus on areas with higher vulnerabilities and threats.

Risks are defined by the FATF as a combination of the following factors: 

  • Threats: a person, object or activity with the potential to cause harm to, for example, the state, society, economy, etc.; 
  • Vulnerabilities: things that can be exploited by the threat or that may support or facilitate its activities; 
  • Consequence: impact or harm that may be caused, amongst others, on the financial systems and institutions, as well as economy or society more generally.

The 2004 FATF Recommendations focused on the assessment of risk in several areas. Firstly, risk-based approach was to be applied by the private sector when implementing preventive measures. Supervisory authorities were also required to adopt a risk-based approach to monitoring of compliance with AML/CFT requirements. With regard to state governmental authorities, an understanding of risks was required for the purposes of designation of national priorities, when formulating national strategic documents, as well as with regard to the NPO sector in order to be able to target measures to mitigate the risks. 

The 2012 FATF Recommendations increase the focus on understanding of ML/TF risks. Recommendation 1 and Immediate Outcome 1 formulate concrete requirements for countries to identify, assess and understand the ML/TF the jurisdiction faces and they shall establish a mechanism for undertaking this risk assessment. This risk assessment undertaken by the authorities serves as a basis and guidance for the application of the risk-based approach by the private sector. It shall be reviewed and up-dated regularly in order to reflect current developments in the jurisdiction. For further information on national risk assessments, see the relevant section. The obligations of the private sector to evaluate and understand the risks imminent to their business and customers, as well as the requirements to put in place measures to mitigate such risks are also enhanced in the FATF 2012 Recommendations. Corresponding responsibilities exist for the supervisory authorities.