Obliged entities are obliged to take preventive and risk-oriented measures to prevent their activities from being misused for money laundering and the financing of terrorism. This is done, among other things, by carrying out risk assessments, formulating policies and procedures, training employees, examining the reliability of customers, the risk-classification of customers, monitoring them on a regular basis, and investigating and reporting suspected money laundering and terrorist financing.
Business wide risk assessment
A business wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing in the activities of obliged entities. The risk assessment is intended to identify the main weaknesses and threats to the obliged entities, and it shall specify methods and means for managing and mitigating the identified risk of the activities being misused for money laundering and terrorist financing.
In accordance with Act No. 140/2018 (in Icelandic), obliged entities are obliged to conduct risk assessments of their operations and transactions. The risk assessment shall be updated at least every two years and when the need arises.
The risk assessment shall include a written analysis and assessment of the risk of money laundering and terrorist financing and, among other things, take into account risk factors related to customers, trading countries or regions, products, services, trading, technology and distribution channels. A risk assessment must always be carried out before new products or services are launched on the market and when new distribution channels and new technologies are put into use.
Obliged entities engage in substantially different activities and the scope of the entities' activities may vary. The risk assessment shall therefore take into account the size, nature and scope of the activities of obliged entities and the complexity of their operations.
Before carrying out a risk assessment, the obliged entity shall document the methodology it applies. It shall clearly state how the assessment is conducted, including, among other things, how the risk factors are identified, where and how data is obtained, how risk classification is carried out and what criteria are applied in the risk classification. The approach, which the obliged entity chooses to apply to its risk assessment, shall be substantiated. The methodology used shall be regularly reassessed and updated if necessary. When conducting a risk assessment, obliged entities must take the risk assessment of the National Commissioner of the Police into account.
The risk assessment shall, among other things, discuss:
- inherent risk, the classification of individual risk factors and the rationale for the conclusion,
- the quality of controls and other methods to mitigate risk,
- residual risk and risk classification of individual risk factors.
The European Banking Authority (EBA) has issued guidelines on risk factors relating to the measures obliged entities in the financial sector take against money laundering and terrorist financing. Obliged entities shall familiarise themselves with these guidelines and take them into account when preparing the risk assessment.
The preparation of a risk assessment is covered in greater detail in Regulation No. 545/2019 (in Icelandic), which stipulates, among other things, methodologies for risk assessment, risk classification, monitoring and supervision, management and procedures.
Useful links
- Conducting a risk assessment for money laundering and terrorist financing
- Regulation No. 545/2019 on risk assessment (in Icelandic)
- Risk assessment of the National Commissioner of the Police (in Icelandic)
- EBA Risk Factors Guidelines
- Risk assessment (in Icelandic)
- Risk factors in the banking sector (in Icelandic)
- Risk factors in the securities and fund market (in Icelandic)
- Risk factors in the life insurance market (in Icelandic)
- Risk factors due to the issuance and handling of electronic money (in Icelandic)
- Risk factors related to money remittance (in Icelandic)
- Risk factors in the provision of payment services (in Icelandic)
Policies, controls and procedures
The risk assessment shall be used to develop policies, controls and procedures to mitigate and manage the identified risks and maintain adequate control.
The policy should lay the foundations for the company's defences and be a policy statement about the culture and values that shall be upheld by the obliged entity in order to prevent their activities being misused for money laundering and terrorist financing. In addition, the policy should discuss how responsibilities are divided between individual employees and units.
Policies, controls and procedures shall, as a minimum, include provisions for the development and updating of policies, controls and procedures, including methods for mitigating risk, due diligence, the reporting of suspicious transactions, internal controls, the appointment of an AML/CFT compliance officer, and an examination of the qualifications of employees and, as appropriate, the requirement for an independent audit department or independent auditor to carry out audits and test internal policies, controls and procedures, as described above.
Obliged entities must, as a minimum, have internal rules/procedures in place for the following:
- due diligence,
- ongoing monitoring,
- suspicious and unusual transactions,
- monitoring whether individuals are in a risk group due to being politically exposed persons,
- monitoring whether customers are on sanctions lists,
- notifications to the Financial Intelligence Unit (FIU),
- examinations of the qualifications of employees and rules on what checks should be run on their job applicants,
- access of employees and restrictions on access to data and information which is stored on the basis of the Act on Measures against Money Laundering and Terrorist Financing.
The designated supervisor of measures against money laundering and terrorist financing shall ensure that policies, rules and procedures are implemented to promote coordinated working methods and a good implementation of the law in the activities of obliged entities. The senior management shall approve and monitor policies, controls and procedures.
Employee training
Employee training is one of the key elements in the prevention of money laundering and the financing of terrorism and forms part of the active internal control of obliged entities. Obliged entities shall ensure that their employees, including employees of branches and subsidiaries, receive special training in measures against money laundering and terrorist financing and acquire appropriate knowledge of the provisions of Act No. 140/2018 (in Icelandic) and of the regulations and rules issued on the basis thereof.
Frequency of training
The training shall take place upon commencing employment and regularly to ensure that employees know the obligations of obliged entities pursuant to Act No. 140/2018 (in Icelandic), including due diligence checks on customers and reporting obligations, as well as information on developments in the field and the latest methods of money laundering and terrorist financing.
It is assumed that general training must take place at least once a year and, as the case may be, also in special circumstances, e.g. if changes are made to the regulatory framework, risk assessment or methods of money laundering and terrorist financing. It then depends on the risk, nature and size of the obliged entity whether more specialised training is required for specific employees more than once a year.
A plan should be in place on how the training will be conducted. Such a plan should include an assessment of the need and frequency of training, e.g. by areas of activity, individual business units, types of customers or projects.
What do employees need to know?
Employees need to at least know:
- laws, regulations, rules and, as the case may be, guidelines on the issue, e.g. with regard to the obligation to conduct risk assessments and due diligence on the basis of risk assessments, how to conduct regular inspections (in particular regarding suspicious transactions) and notifications to the person responsible and the Financial Intelligence Unit,
- what consequences it may have for the obliged entity, its employees and the customer if rules in this area are not respected,
- the main risks and the latest methods of money laundering and terrorist financing.
Customer due diligence
The risk assessment of obliged entities forms the basis for customer risk classification. The assessment determines the type of due diligence to be carried out. When a risk assessment shows that there is a low risk, a simplified due diligence may be applied. If, on the other hand, a risk assessment shows a higher risk, more rigorous due diligence should be performed. At the same time, increased due diligence must also be carried out under certain statutory circumstances.
The conducting of due diligence
- Firstly, customers, beneficial owners and any parties that have authority to represent the customer towards the obliged entity must prove their identity to the obliged entity by presenting recognised identification documents and, in the case of legal entities, information from an official register.
- Secondly, the obliged entities themselves must obtain adequate information about customers, beneficial owners and any parties that have authority to represent the customer towards the obliged entity.
- Thirdly, obliged entities need to ensure the reliability of information about customers and beneficial owners. This involves verifying the identity of the customer and, where applicable, the beneficial owner. This also applies to any parties that have authority to represent the customer towards the obliged entity. The identity of these parties shall be verified on the basis of reliable and independent information, and information on the purpose and nature of the proposed transaction shall also be assessed. An obliged entity shall independently assess whether the information about the beneficial owner is correct and satisfactory and whether the entity understands the ownership, activities and organisational structure of clients that are legal entities, trusts or other comparable entities. There shall also be an assessment of whether the transaction is carried out in the interest of a third party and, if so or if there is reason to believe so, the identity of the third party must be verified. The obliged entity must also confirm, as appropriate, the source of the funds used in the transaction and take appropriate measures to verify the relevant information.
When shall due diligence be carried out?
Obliged entities under the supervision of the Central Bank of Iceland shall carry out due diligence in the following circumstances:
- when establishing a contractual relationship,
- when carrying out individual transactions amounting to EUR 15,000 or more, based on the officially posted exchange rate at any time, whether the transaction is carried out in a single operation or in several operations, which appear to be linked,
- in the case of a transfer of funds, in the case of individual transactions, whether it be a transfer of funds within the country or across borders, amounting to EUR 1,000 or more at the official exchange rate as recorded at any given time,
- in the trading of goods and services, which are paid for in cash, whether the transaction is made in one payment or several payments, which appear to be linked, amounting to EUR 10,000 or more, based on the official exchange rate recorded at any given time,
- when there is a suspicion of money laundering or terrorist financing, regardless of any exemption or threshold,
- when there are doubts about the veracity or reliability of submitted information on the customer or beneficial owner.
The performance of due diligence is further stipulated in section III of Act No. 140/2018 and Regulation No. 745/2019 on Due Diligence, and in the guidelines of the European Banking Authority (EBA).
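As an added example (not part of the original page), the threshold rules above applied to a set of constructed transactions: per-transaction checking for transfers of funds, aggregation of cash and occasional payments that appear to be linked, and a suspicion flag that overrides every threshold. The seven-day window used to decide that payments "appear to be linked" is an assumption for the example; the page sets no such window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds stated on the page, in EUR at the official exchange rate.
OCCASIONAL_TRANSACTION_LIMIT = 15_000  # single or linked occasional transactions
TRANSFER_OF_FUNDS_LIMIT = 1_000        # each individual transfer, domestic or cross-border
CASH_TRADE_LIMIT = 10_000              # goods or services paid for in cash, one or more payments
# Assumption: same-kind payments by one customer within this window "appear to be linked".
LINK_WINDOW = timedelta(days=7)


@dataclass
class Transaction:
    customer_id: str
    when: datetime
    amount_eur: float         # already converted at the official exchange rate
    kind: str                 # "occasional", "transfer" or "cash_trade"
    suspicious: bool = False  # flagged by staff or by the monitoring system


def linked_total(tx: Transaction, history: List[Transaction]) -> float:
    """Amount of tx plus earlier same-kind payments by the same customer inside LINK_WINDOW."""
    total = tx.amount_eur
    for other in history:
        if other is tx or other.customer_id != tx.customer_id or other.kind != tx.kind:
            continue
        if timedelta(0) <= tx.when - other.when <= LINK_WINDOW:
            total += other.amount_eur
    return total


def due_diligence_trigger(tx: Transaction, history: List[Transaction]) -> Optional[str]:
    """Return why due diligence is required for tx, or None if no trigger applies."""
    # Suspicion of money laundering or terrorist financing overrides every threshold.
    if tx.suspicious:
        return "suspicion"
    # Transfers of funds are judged per individual transaction, without linking.
    if tx.kind == "transfer" and tx.amount_eur >= TRANSFER_OF_FUNDS_LIMIT:
        return "transfer >= EUR 1,000"
    # Cash trades and occasional transactions count linked payments together.
    total = linked_total(tx, history)
    if tx.kind == "cash_trade" and total >= CASH_TRADE_LIMIT:
        return "cash trade >= EUR 10,000 (single or linked)"
    if tx.kind == "occasional" and total >= OCCASIONAL_TRANSACTION_LIMIT:
        return "occasional transaction >= EUR 15,000 (single or linked)"
    return None


def review(transactions: List[Transaction]) -> List[Tuple[str, Optional[str]]]:
    """Apply the trigger check to every transaction, oldest first."""
    ordered = sorted(transactions, key=lambda t: t.when)
    return [(t.customer_id, due_diligence_trigger(t, ordered)) for t in ordered]


# Constructed sample data; customers, dates and amounts are invented for this example.
D = datetime(2024, 3, 1)
SAMPLE = [
    Transaction("A", D, 6_000, "cash_trade"),                      # alone: below EUR 10,000
    Transaction("A", D + timedelta(days=2), 5_000, "cash_trade"),  # linked total 11,000: trigger
    Transaction("B", D, 999, "transfer"),                          # below EUR 1,000
    Transaction("B", D + timedelta(days=1), 1_000, "transfer"),    # trigger
    Transaction("C", D, 14_999, "occasional"),                     # below EUR 15,000
    Transaction("C", D + timedelta(days=30), 200, "occasional", suspicious=True),  # trigger
]
```

`review(SAMPLE)` returns one (customer, reason) pair per transaction in date order, with `None` where no due-diligence trigger applies.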
Risk assessment of contractual relationships and occasional transactions
The risk assessment of an obliged entity forms the basis for decisions on the risk classification of clients. Obliged entities shall ensure that customers are risk classified in accordance with their transactions and shall preserve all the data, information and reasoning regarding the customers' risk classification. The risk classification shall reflect the risk posed by the customer at any given time.
Risk factors
When assessing a customer's risk classification, any relevant risk factors, which may, in themselves or in combination, increase or decrease the risk of money laundering or terrorist financing, should be considered. The total risk associated with the customer should be considered and it should be borne in mind that a single risk factor does not necessarily mean that the risk classification increases or decreases.
Among other things, the following shall be taken into account:
- the activities, reputation and political exposure of the customer and the beneficial owner,
- which countries or territories are linked to the business relationship,
- risk factors related to the product, service or transaction that is being sought,
- which distribution channels are used,
- whether the customer uses intermediaries to represent him,
- whether the customer is a legal entity with a complex ownership or administrative structure,
- whether the customer is a trust or a comparable entity, and
- whether the customer mainly trades in cash.
When assessing an individual risk factor, obliged entities shall, as a minimum, ensure that:
- a single risk factor does not have an abnormal effect on lowering the risk classification,
- a decision on the weight of individual risk factors does not prevent contractual relationships from being classified as high risk,
- financial and profit-driven considerations do not affect risk classification,
- the provisions of the Act on Measures against Money Laundering and Terrorist Financing regarding cases where increased due diligence is to be applied always take precedence over the risk classification of obliged entities,
- it is possible to bypass automated risk classification if deemed necessary; the reasons for such a decision shall be documented.
Obliged entities are authorised to use automated information technology systems to reach a risk classification decision in order to classify contractual relationships and occasional transactions. However, the obliged entity needs to be able to explain to the regulator how the system works and how it combines risk factors to reach a final conclusion regarding risk classification. The entity must also ensure that the result reflects the risk of money laundering and terrorist financing and be able to justify that conclusion to regulators.
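As an added example (not part of the original page), an automated risk classification that enforces the minimum rules listed above: a cap on how much any single mitigating factor may lower the score, statutory enhanced-due-diligence cases that always end up high, rejection of commercial considerations as inputs, a manual override that requires a documented reason, and per-factor contributions kept so the result can be explained to the regulator. The factor categories, the mitigation cap and the score bands are assumptions for the example; the page fixes none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumptions for this example (the page fixes none of these values): risk factor
# categories that may influence classification, the cap on how much any single
# mitigating factor may lower the score, and the score bands for the three levels.
ALLOWED_CATEGORIES = {"customer", "geography", "product", "channel"}
MAX_MITIGATION_PER_FACTOR = 1
BANDS = ((1, "low"), (3, "medium"))  # score <= 1 low, <= 3 medium, otherwise high


@dataclass
class RiskFactor:
    name: str
    category: str
    weight: int                  # positive raises risk, negative lowers it
    statutory_edd: bool = False  # the Act requires enhanced due diligence (e.g. a PEP)


@dataclass
class Classification:
    level: str
    score: int
    contributions: Dict[str, int]  # per-factor effect, so the result can be explained
    override_reason: Optional[str] = None


def classify(factors: List[RiskFactor],
             override: Optional[Tuple[str, str]] = None) -> Classification:
    """Combine risk factors into a level while enforcing the page's minimum rules."""
    contributions: Dict[str, int] = {}
    score = 0
    statutory_high = False
    for f in factors:
        # Financial or profit-driven considerations may not affect the classification.
        if f.category not in ALLOWED_CATEGORIES:
            raise ValueError(f"{f.name!r}: category {f.category!r} may not influence risk")
        # No single factor may have an abnormal effect on lowering the classification.
        effect = max(f.weight, -MAX_MITIGATION_PER_FACTOR) if f.weight < 0 else f.weight
        contributions[f.name] = effect
        score += effect
        statutory_high = statutory_high or f.statutory_edd
    level = next((lvl for limit, lvl in BANDS if score <= limit), "high")
    # Statutory enhanced-due-diligence cases take precedence over the computed level.
    if statutory_high:
        level = "high"
    if override is None:
        return Classification(level, score, contributions)
    # Bypassing the automated result is allowed only with a documented reason, and
    # never below "high" where the Act itself requires enhanced due diligence.
    new_level, reason = override
    if not reason.strip():
        raise ValueError("manual override requires a documented reason")
    if statutory_high and new_level != "high":
        raise ValueError("statutory enhanced due diligence cannot be overridden")
    return Classification(new_level, score, contributions, reason)


# Constructed sample customers; names and weights are invented for this example.
CUSTOMER_X = [
    RiskFactor("complex ownership structure", "customer", 3),
    RiskFactor("mainly trades in cash", "product", 1),
    RiskFactor("long-standing domestic relationship", "geography", -3),  # capped to -1
]
CUSTOMER_Y = [
    RiskFactor("politically exposed person", "customer", 1, statutory_edd=True),
    RiskFactor("low-risk product", "product", -1),
]
```

Without the cap, CUSTOMER_X would score 1 and fall to "low" on the strength of one mitigating factor; with it the score is 3 and the customer is "medium".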
Useful links
- Regulation No. 545/2019 on risk assessment (in Icelandic)
- Regulation No. 745/2019 on due diligence (in Icelandic)
- Conducting a risk assessment for money laundering and terrorist financing
- Risk assessment – educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)
- Risk factors in the banking sector (in Icelandic)
- Risk factors in the securities market and funds (in Icelandic)
- Risk factors in the life insurance market (in Icelandic)
- Risk factors due to the issuance and handling of electronic money (in Icelandic)
- Risk factors related to money remittance (in Icelandic)
- Risk factors in the provision of payment services (in Icelandic)
Ongoing monitoring
The risk assessment of an obliged entity and the customer's risk classification form the basis for a decision on how the monitoring of money laundering and terrorist financing shall be conducted. Ongoing monitoring involves monitoring customer information, on the one hand, and their transactions, on the other.
Monitoring of information
Obliged entities shall update customer information on a regular basis and provide additional information as necessity dictates. Changes in customer information, contractual relationships or related individual aspects, as well as the risk assessment of obliged entities may provide grounds to perform new due diligence in light of the changed information. The risk assessment of obliged entities can also give rise to new due diligence being performed on a regular basis.
The documented risk assessment or rules of the obliged entity shall specify the timing of the updated due diligence with regard to the risk classification of individual customers or groups, as applicable.
Obliged entities shall regularly assess whether a customer or beneficial owner is in a risk group, due to being a politically exposed person.
Transaction monitoring
Obliged entities shall regularly monitor contractual relationships with customers and provide adequate information on transactions conducted during the term of the agreement to ensure that their transactions are consistent with available information and risk assessments. The entities must also confirm, as appropriate, the sources of the funds used in the transactions and take appropriate measures to verify the relevant information.
Obliged entities shall ensure that there is increased or systematic monitoring of higher risk transactions and contractual relationships.
Monitoring systems, methods and procedures
In order to carry out periodic inspections, obliged entities shall have automated monitoring systems in place to flag transactions under certain circumstances and/or methods and processes for detecting deviations or suspicious transactions of their customers. Systems and methods shall at least include the following elements:
- that certain transfers or transactions are flagged or examined, based on pre-determined criteria or rules,
- that the relevant transfers or transactions are examined and investigated by the relevant employee of the obliged entity,
- that a position is taken on the transfers or transactions that are flagged, with regard to the available information about the customer and
- to take appropriate measures, such as further investigation of the transactions, if an examination reveals suspicious transactions.
Obliged entities shall also investigate, as far as possible, the background and purpose of all transactions to which at least one of the following conditions applies:
- complex transactions,
- unusually high transactions,
- unusual business patterns, or
- transactions that do not appear to have an economic or legal purpose.
All such transactions and related contractual relationships shall be subject to increased scrutiny for the purpose of identifying whether they are suspicious transactions.
Investigation and reporting requirements
Obliged entities, their employees and managers shall notify the Financial Intelligence Unit (hereinafter FIU) in a timely manner of suspicious transactions and of funds that are suspected of being traceable to criminal conduct. The term suspicion refers to the lowest level of suspicion; it therefore does not require the detailed and unequivocal grounds that generally apply to a substantiated suspicion in legal proceedings, and a sufficient suspicion is enough. In accordance with international rules in the field of measures against money laundering and terrorist financing, it is considered better for obliged entities to report too often than too seldom. The FIU is responsible for processing the matter further and analysing the information attached to the notification.
Obliged entities must fulfil their investigative duties and carry out a preliminary investigation and analysis. Business must be refused when there is knowledge or suspicion that it can be traced to criminal conduct.
The duty of obliged entities to investigate may be triggered when, for example:
- transactions, transfers of funds or the administration of other forms of assets or funds do not appear to have any economic or legitimate purpose,
- transactions are unusually high or complex,
- transactions seem unusual compared to previous transactions of the party concerned,
- transactions involve parties in high-risk countries, or
- transactions otherwise seem to be of an unusual nature.
Notifications must be sent to the FIU through the goAML System and their content must be clear so that there is no doubt about which individual or specific transaction or transfer is being reported and why it is suspected to be related to criminal conduct.
Obliged entities shall send notifications to the competent authority of the state in which the obliged entity is established, i.e. where it has an operating licence and its headquarters. Accordingly, obliged entities established in Iceland shall send their notifications to the Icelandic FIU.
Obliged entities are obliged to appoint an AML/CFT compliance officer from among their management and to notify the FIU and the Central Bank of Iceland of the appointment; he/she shall normally handle notifications to the FIU. He/she must have unconditional access to customer due diligence information, transactions or requested transactions, as well as all other data that may be relevant to the notifications.
Useful links
- Investigation and reporting requirements – educational material of the steering group on measures against Money Laundering and Terrorist Financing (in Icelandic)
- goAML System