Risk Assessment

The key takeaways are that MFL needs to conduct periodic risk assessments to identify money laundering and terrorist financing risks from customers, products, services and geographical presence. They also need to implement appropriate controls and monitoring to manage the identified risks.

Risk management is a systematic process of recognizing risks and developing methods to minimize and manage them. It involves identifying, assessing, treating, controlling and monitoring risk exposures.

MFL needs to consider risks that arise from conducting business like customer, product, country risks and risks from non-compliance with regulatory requirements.

MIDAS FINANCING LIMITED

Money Laundering and Terrorist Financing Risk Assessment and Management

Overview of ML&TF Risk

1.1 Introduction

The success of an AML&CFT program depends heavily on efficient assessment of the related
threats, vulnerabilities and risks, and on putting in place the tools needed to combat ML&TF
risks according to the results of that assessment.

The purpose of this guideline is to:

● provide general information about ML & TF risks related to or generated through
products, services, delivery channels, and geographical presence;

● assist MIDAS Financing Limited (MFL) in assessing its ML&TF risks efficiently;

● enable MFL to implement an AML & CFT program appropriate to its business, having
regard to the size, nature and complexity of that business;

● provide a broad risk management framework based on high-level principles and procedures
that MFL may wish to consider when developing and implementing a risk-based approach
to identify, mitigate and manage ML & TF risks;

● enable MFL to understand how, and to what extent, it is vulnerable to ML&TF risks; and

● help MFL allocate resources efficiently to mitigate ML & TF risk.

1.2 Obligation for ML&TF Risk Assessment and Management

Recommendation 1 of Financial Action Task Force (FATF), the international standard setter
on anti money laundering (AML) and combating terrorist financing (CTF) states that
countries should require financial institutions and designated non-financial businesses and
professions (DNFBPs) to identify, assess and take effective action to mitigate their money
laundering and terrorist financing risks. As per Rule 21 of MLP Rules 2013 MFL shall
conduct periodic risk assessment and forward the same to the Bangladesh Financial
Intelligence Unit (BFIU) for vetting.

1.3 Assessing risk

MFL would take appropriate steps to identify and assess its money laundering and terrorist
financing risks arising from or through customers, products or services, transactions or
delivery channels, and geographical presence.


1.4 What is risk

Risk can be defined as the combination of the probability of an event and its consequences. In
simple terms, risk can be seen as a combination of the chance that something may happen and
the degree of damage or loss that may result if it does occur.

1.5 What is risk management

Risk management is a systematic process of recognizing risk and developing methods to both
minimize and manage the risk. This requires the development of a method to identify, assess,
treat (deal with), control and monitor risk exposures. In risk management, a process is
followed where the risks are assessed against the likelihood (chance) of them occurring and
the severity or amount of loss or damage (impact) which may result if they do happen.

1.6 Which risks do MFL need to consider

For the AML & CTF aspects, MFL would take into account two main sources of ML & TF
risk: risk that arises from or through doing its business, and non-compliance with
regulatory requirements.

ML & TF risk arising from or through doing business:

ML & TF risk that arises or is generated in doing business is the risk that the business may be
used for ML & TF. MFL must at least take into consideration the following segments of its
business in assessing ML & TF risk:

● customer risks, i.e. ML&TF risk arising from or generated through customers

● products or services risks

● business practices and/or delivery method risks and

● country or jurisdictional risks

Non-compliance with regulatory requirements:

Regulatory risk is associated with MFL not meeting all of its obligations under the Money
Laundering Prevention Act, 2012, the Anti Terrorism Act, 2009 (including all amendments), the
respective Rules issued under these two Acts and instructions issued by BFIU. Examples of
failing to meet regulatory obligations are failure to report STR/SAR, missing or inappropriate
verification of customers, and lack of an AML&CFT program (how a business identifies and
manages the ML&TF risk it may face).


Risk Management Framework

2.1 Introduction

MFL will have flexibility to construct and tailor its risk management framework for the
purpose of developing risk-based systems and controls and mitigation strategies in a manner
that is most appropriate to its business structure (including financial resources and staff), its
products and/or the services it provides. Such risk-based systems and controls would be
proportionate to the ML&TF risk(s) MFL reasonably faces.

For effective risk management, MFL would at all levels follow the principles below:

● Risk management contributes to the demonstrable achievement of objectives and
improvement of performance, governance and reputation.

● Risk management is not a stand-alone activity that is separate from the main activities and
processes of MFL. Risk management is part of the responsibilities of management and an
integral part of all organizational processes, including strategic planning.

● Risk management helps decision makers make informed choices, prioritize actions and
distinguish among alternative courses of action.

● Risk management explicitly takes account of uncertainty, the nature of that uncertainty,
and how it can be addressed.

● A systematic, timely and structured approach to risk management contributes to
efficiency and to consistent, comparable and reliable results.

● Risk management is based on the best available information.

● Risk management will be aligned with MFL's external and internal context and risk
profile.

● Risk management is transparent and inclusive.

● Risk management is dynamic, iterative and responsive to change.

Following the above mentioned principles MFL will develop and maintain logical,
comprehensive and systematic methods to address each of the components referred to in this
Guideline.

In assessing and mitigating ML & TF risk, MFL would consider a wide range of financial
products and services, which are associated with different ML & TF risks. These include:

Different deposit schemes: where MFL offers products and services directly to persons,
business customers, corporate bodies, Government offices, NGOs, clubs and societies, such as
Term deposit scheme, Double money deposit scheme, Triple money deposit scheme, Monthly
deposit scheme as well as other savings products;


Corporate finance and investment services: where MFL would provide corporate finance
products such as lease finance, term loan, project finance, working capital finance, short-term
finance and investment services to corporations, large and medium size enterprises,
governments and institutions;

Consumer finance: where MFL finances its customers to purchase different consumer
products and services.

MFL would be mindful of those differences when assessing and mitigating the ML & TF risk
to which they are exposed.

2.2 Risk Management Framework

A risk management framework would consist of:

(a) establishing the internal and external context within which the designated service is, or is
to be, provided. These may include:

-the types of customers;

-the nature, scale, diversity and complexity of their business;

-their target markets;

-the number of customers already identified as high risk;

-the jurisdictions MFL is exposed to, either through its own activities or the activities of
customers, especially jurisdictions with relatively higher levels of corruption or organized
crime, and/or deficient AML & CFT controls and listed by FATF;

-the distribution channels, including the extent to which MFL deals directly with the
customer or the extent to which it will rely (or is allowed to rely on) third parties to conduct
CDD and the use of technology;

-the internal audit and regulatory findings;

-the volume and size of its transactions, considering the usual activity of MFL and the profile
of its customers.

(b) risk identification;

(c) risk assessment or evaluation; and

(d) risk treatment (mitigating, managing, control, monitoring and periodic reviews).


Figure 1: The risk management framework at a glance

Risk identification:

Identify the main ML&TF risks arising from business:
• customers
• products & services
• business practices/delivery methods or channels
• country/jurisdiction

Identify the main regulatory risks:
• failure to report STRs/SARs
• inappropriate customer verification
• inappropriate record keeping
• lack of AML/CFT program

Risk assessment/evaluation:

Measure the size & importance of risk:
• likelihood – chance of the risk happening
• impact – the amount of loss or damage if the risk happened
• likelihood X impact = level of risk (risk score)

Risk treatment:

Manage the business risks:
• minimize and manage the risks
• apply strategies, policies and procedures

Manage the regulatory risks:
• put in place systems and controls
• carry out the risk plan and AML&CFT program

Risk monitoring and review:

Monitor and review the risk plan:
• develop and carry out monitoring process
• keep necessary records
• review risk plan and AML&CFT program
• do internal audit or assessment
• do AML&CFT compliance report

2.3 The risk management process

2.3.1 Risk identification

Identify the main ML&TF risks arising from business:
• customers
• products & services
• business practices/delivery methods or channels
• country/jurisdiction

Identify the main regulatory risks:
• failure to report STRs/SARs
• inappropriate customer verification
• inappropriate record keeping
• lack of AML/CFT program

MFL would identify sources of risk, areas of impacts, events (including changes in
circumstances) and their causes and their potential consequences. The aim of this step is to
generate a comprehensive list of risks based on those events that might create, enhance,
prevent, degrade, accelerate or delay the achievement of objectives.

Identification would include risks whether or not their source is under the control of the
organization, even though the risk source or cause may not be evident. Risk identification
would include examination of the knock-on effects of particular consequences, including
cascade and cumulative effects. It would also consider a wide range of consequences even if
the risk source or cause may not be evident. As well as identifying what might happen, it is
necessary to consider possible causes and scenarios that show what consequences can occur.
All significant causes and consequences should be considered.

MFL would apply risk identification tools and techniques that are suited to its objectives and
capabilities, and to the risks faced. Relevant and up-to-date information would be used in
identifying risks.

In identifying ML & TF risk, MFL would consider at least the risk arising from doing its
business, i.e. its customers, products or services, delivery channels or methods and jurisdiction,
and the risk of non-compliance.

ML & TF risk arises from Business:

MFL would consider the risk posed by any element or any combination of the elements listed
below:

● Customers
● Products and services
● Business practices/delivery methods or channels
● Countries it does business in/with (jurisdictions).

Under these four groups, individual risks to MFL can be determined. While not an exhaustive
list, some of these individual risks may include:

Customers:

The following are some indicators (not an exhaustive list) for identifying ML & TF risk that
may arise from customers of MFL:

● a new customer.

● a new customer who wants to carry out a large transaction.

● a customer or a group of customers making a lot of transactions and/or maintaining several
accounts in the same name or group.

● a customer who has a business which involves large amounts of cash.

● a customer whose identification is difficult to check.

● customers conducting their business relationship or transactions in unusual circumstances,
such as:

- significant and unexplained geographic distance between the institution and the location of
the customer.

- frequent and unexplained movement of accounts to different institutions.

- frequent and unexplained movement of funds between institutions in various geographic
locations.

● a non-resident customer.

● a corporate customer whose ownership structure is unusual and excessively complex.

● customers that are politically exposed persons (PEPs) or influential persons (IPs) or heads of
international organizations, and their family members and close associates.

● a customer who submits account documentation showing an unclear ownership structure.

● a customer who opens an account in the name of a family member and intends to credit large
amounts of deposits not consistent with the known sources of legitimate family income.

● a customer who comes for premature encashment of a fixed deposit.

● a customer who generally tries to persuade MFL to accept a cash deposit but insists on a
financial instrument when withdrawing the deposit.

● a customer who wants to settle his loan early.

● a government employee having several large fixed deposit accounts.


Products and services:

● prioritized or privileged financial service

● Syndicate financing

● anonymous transaction

● non face to face business relationship or transaction

● payment received from unknown or unrelated third parties

● Receivable financing

● Loan against FDR/deposits/financial instruments

● Sale and lease back facility

● Term Loan

● Consumer Credit Scheme

● Loan against Lien of Securities

● Term Deposit

● Double money deposit scheme

● Triple money deposit scheme

● Monthly deposit scheme

● Monthly income scheme

● any new product & service developed

Business practice/delivery methods or channels:

● direct to the bank account of the customer or to the account of the supplier/vendor through
A/C payee cheque

● online/internet

● phone

● fax

● email

● third-party, agent or broker

Country/jurisdiction:

● any country which is identified by credible sources as having a significant level of corruption
and criminal activity.

● any country subject to economic or trade sanctions.

● any country known to be a tax haven and identified by credible sources as providing
funding or support for terrorist activities or that have designated terrorist organizations
operating within their country.

● any country identified by FATF or FSRBs as not having an adequate AML&CFT system.

● any country identified as a destination of illicit financial flow.

● branch in any land port, sea port city or any border area.

Regulatory risk:

This risk is associated with not meeting the requirements of the Money Laundering Prevention
Act, 2012, Anti Terrorism Act, 2009 (including all amendments) and instructions issued by
BFIU. Examples of some of these risks are:

● customer/beneficial owner identification and verification not done properly
● failure to keep records properly
● failure to train staff adequately
● not having an AML&CFT program
● failure to report suspicious transactions or activities
● not submitting required reports to BFIU regularly
● not having an AML&CFT Compliance Officer
● failure to do Enhanced Due Diligence (EDD) for high risk customers (i.e., PEPs, IPs)
● not complying with any order for freezing or suspension of transaction issued by BFIU or
BB
● failure to scrutinize staff properly
● not submitting accurate information or statement requested by BFIU or BB.

2.3.2. Risk assessment:

To assess risk, MFL will use Table 1, which is a simple and generic table with Risk
Score and Treatment. The risk score is found by blending likelihood and impact. Table 1
uses only examples of customer risk assessment and is developed phase by phase so that
the user can get a good idea of risk assessment.

Table 1: Risk Management Worksheet – risk

Risk group: Customers

| Risk | Likelihood | Impact | Risk score | Treatment/Action |
|---|---|---|---|---|
| New customer (example only) | | | | |
| Customer who brings in large amounts of used notes and/or small denominations (example only) | | | | |
| Customer whose business address and registered office are in different geographic locations (example only) | | | | |

A table similar to Table 1 shown above (Risk management worksheet) would be used for
each risk group in preparation for assessing and managing those risks: customers, products
and services, business practices/delivery methods, country/jurisdiction and the regulatory
risks. The compilation of all risk groups prepared following Table 1 will be treated as the risk register.

2.3.3. Calculation of Risk Score

Measure the size & importance of risk:

• likelihood – chance of the risk happening
• impact – the amount of loss or damage if the risk happened
• likelihood X impact = level of risk (risk score)

Having identified the risks involved, they would be assessed or measured in terms of the
chance (likelihood) they will occur and the severity or amount of loss or damage (impact)
which may result if they do occur. The risk associated with an event is a combination of the
chance (likelihood) that the event will occur and the seriousness of the damage (impact) it
may do.

Therefore each risk element will be rated by:

● the chance of the risk happening – ‘likelihood’
● the amount of loss or damage if the risk happened – ‘impact’ (consequence).

To help assess the risks identified in the first stage of this process, MFL will apply the risk
rating scales for likelihood shown in Table 2 and impact shown in Table 3 and from these
MFL will get a level of risk or risk score using the risk matrix shown in Figure 2.

LIKELIHOOD X IMPACT = RISK LEVEL/SCORE

Likelihood scale

A likelihood scale refers to the potential of an ML&TF risk occurring in the business for the
particular risk being assessed. Three levels of risk are shown in Table 2. This likelihood will
be ascertained based on the available information, group consultation or by applying
subjective judgment. MFL shall engage all concerned and competent personnel in ML & TF
risk management process including ascertaining the likelihood scale.

Table 2: Likelihood scale

| Frequency | Likelihood of an ML&TF risk |
|---|---|
| Very likely | Almost certain: it will probably occur several times a year |
| Likely | High probability it will happen once a year |
| Unlikely | Unlikely, but not impossible |

Impact scale

An impact scale refers to the seriousness of the damage (or otherwise) which could occur if
the event (risk) happens.

In assessing the possible impact or consequences, the assessment can be made from several
viewpoints. It does not cover everything and it is not prescriptive. Impact of an ML&TF risk
could, depending on MFL and its business circumstances, be rated or looked at from the point
of view of:

● how it may affect the business (if through not dealing with risks properly MFL suffers a
financial loss from either a crime or through fines from BFIU or regulator);

● the risk that a particular transaction may result in the loss of life or property through a
terrorist act;

● the risk that a particular transaction may be involved in funds generated from any of the
following crimes: corruption and bribery, counterfeiting currency, counterfeiting deeds and
documents, smuggling of goods/workers/immigrants, banking offences, narcotics offences,
psychotropic substance offences, illegal arms trading, kidnapping, terrorism, theft,
embezzlement, or fraud, forgery, extortion, smuggling of domestic and foreign currency,
black marketing, fraud etc.;

● the risk that a particular transaction may be involved in financing of terrorism;

● reputational risk – how it may affect MFL if it is found to have (unknowingly) aided an
illegal act, which may mean BFIU or government sanctions and/or being shunned by the
community of customers;

● how it may affect the wider community of customers if it is found to have aided an illegal
act; the community may get a bad reputation as well as the business.

● legal risk – how it may affect MFL if it becomes a part of legal proceedings.

All these impacts should be considered during measurement of impact scale.

Table 3: Impact scale

| Consequence | Impact of an ML & TF risk |
|---|---|
| Major | Huge consequences – major damage or effect. Serious terrorist act or large-scale money laundering. |
| Moderate | Moderate level of money laundering or terrorism financing impact |
| Minor | Minor or negligible consequences or effects. |

Risk matrix and risk score

The risk matrix will be used to combine LIKELIHOOD and IMPACT to obtain a risk score. The
risk score may be used to aid decision making and help in deciding what action to take in
view of the overall risk. How the risk score is derived can be seen from the risk matrix
(Figure 2) and risk score table (Table 4) shown below. Four levels of risk score are shown in
Figure 2 and Table 4.

Figure 2: Risk matrix

Threat level for ML/TF risk. Rows: LIKELIHOOD (What is the chance it will happen?). Columns: IMPACT (How serious is the risk?).

| LIKELIHOOD \ IMPACT | Minor | Moderate | Major |
|---|---|---|---|
| Very Likely | Medium | High | Extreme |
| Likely | Low | Medium | High |
| Unlikely | Low | Low | Medium |


Table 4: Risk score table

| Rating | Description |
|---|---|
| Extreme | Risk almost sure to happen and/or to have very serious consequences. Response: Do not allow transaction to occur without reducing the risk to acceptable level. Follow EDD. |
| High | Risk likely to happen and/or to have major consequences. Response: Do not allow transaction until risk is reduced. Follow EDD. |
| Medium | Possible this could happen and/or have moderate consequences. Response: May go ahead but preferably reduce risk. Follow standard CDD. |
| Low | Unlikely to happen and/or have minor or negligible consequences. Response: Okay to go ahead. |

Risk Assessment and Management Exercise:

As per the above discussion, MFL would calculate the risk score by blending likelihood and
impact using the risk matrix and risk score table, and can assess the risks of an individual
customer, product/service or delivery channel and risks related to geographic region by using
the simplified risk management worksheet (Table 1). It would also fix the necessary actions
against the particular outcomes of risks. All the exercises done by MFL would together be
called the "Risk Register".

Once threat levels and risk scores have been allocated, MFL can enter them in the risk
management worksheet (Table 5) next to the risk.

Table 5: Risk management worksheet – threat level and risk score

Risk group: Customers

| Risk | Likelihood | Impact | Risk score | Treatment/Action |
|---|---|---|---|---|
| New customer (example only) | Likely (example only) | Moderate (example only) | Medium (example only) | |
| Customer who brings in large amounts of used notes and/or small denominations (example only) | Likely (example only) | Major (example only) | High (example only) | |
| Customer whose business address and registered office are in different geographic locations (example only) | Very likely (example only) | Major (example only) | Extreme (example only) | |


2.3.4 Risk treatment

Manage the business risks:

• minimize and manage the risks
• apply strategies, policies and procedures

Manage the regulatory risks:

• put in place systems and controls
• carry out the risk plan and AML&CFT program

This stage is about identifying and testing methods to manage the risks MFL may have
identified and assessed in the previous process. In doing this MFL will need to consider
putting into place strategies, policies and procedures to help reduce (or treat) the risk.

Examples of a risk reduction or treatment step are:

● setting transaction limits for high-risk products

● having a management approval process for higher-risk products

● process to place customers in different risk categories and apply different identification and
verification methods

● not accepting customers who wish to transact with a high-risk country.

Table 6: Risk management worksheet – risk treatment or action

Risk group: Customers

| Risk | Likelihood | Impact | Risk score | Treatment/Action |
|---|---|---|---|---|
| New customer (example only) | Likely (example only) | Moderate (example only) | Medium (example only) | Standard ID check = CDD |
| Customer who brings in large amounts of used notes and/or small denominations (example only) | Likely (example only) | Major (example only) | High (example only) | Standard + additional ID check = EDD |
| Customer whose business address and registered office are in different geographic locations (example only) | Very likely (example only) | Major (example only) | Extreme (example only) | May be accepted following high levels of precautions |


Another way to reduce the risk is to use a combination of risk groups to modify the overall
risk of a transaction. MFL may choose to use a combination of customer, product/service and
country risk to modify an overall risk.

It is important to remember that identifying, for example, a customer, transaction or country
as high risk does not necessarily mean that money laundering or terrorism financing is
involved. The opposite is also true: just because a customer or transaction is seen as low risk
does not mean the customer or transaction is not involved in money laundering or terrorism
financing. Experience and common sense should be applied to the risk management process
of an entity.

2.3.5 Monitor and review

Monitor & review the risk plan:

• develop and carry out monitoring process
• keep necessary records
• review risk plan and AML&CFT program
• do internal audit or assessment
• do AML&CFT compliance report

Keeping records and regular evaluation of the risk plan and AML & CFT program is
essential. The risk management plan and AML&CFT program cannot remain static as risks
change over time; for example, changes to customer base, products and services, business
practices and the law.

Once documented, MFL would develop a method to check regularly on whether AML &
CFT program is working correctly and effectively. If not, the FI needs to work out what
needs to be improved and put changes in place. This will help keep the program effective and
also meet the requirements of the AML & CFT Acts and respective Rules.

--------x-------
