TRACFIN : Implementation Guide work of a procedure of risk assessment ?

I. The criteria for implementing a procedure

1. A structuring legal framework

In accordance with articles L561-4-1 and L561-32 of the Monetary and Financial Code ( CMF ), the professionals subject to anti-money laundering and counter-terrorism financing obligations ( LCB/FT ) have the responsibility to develop a risk-based approach to LCB/FT that is both tailored and adapted to their specificities.  To this end, Article L561-4-1 of the CMF establishes the obligation to implement a « risk assessment and management system » that is structured, formalized, and regularly updated. 

This system initially allows for the identification of risks ( Step 1 ), to subsequently classify and evaluate them ( Step 2 ). These steps are part of a broader approach called risk mapping.  Article L561-32 of the CNIL establishes an “operational” dimension by requiring professionals to supplement this mapping with concrete internal measures and procedures ( Step 3 ), Specifically designed to address the risks identified and assessed in the preceding steps.

2. A three-stage approach

The risk mapping consists of compiling a list of situations or profiles that could present risks of LCB/FT.

The first step is therefore to identify the risks , by examining the nature of the client ( whether it is a natural person or a legal person ) as well as the nature of the transactions and operations carried out. The guidelines of the DGCCRF and TRACFIN enumerate key elements to take into account for this risk identification :

• The characteristics of the clientele and the modalities of the transactions carried out. 
  Example of risk : Inconsistency between the client’s profile (age, profession, income) and the transaction in question ;
• The nature of the activities carried out by the client or the beneficial owner, that is to say the natural person who controls, directly or indirectly, the legal person for which the transaction is made. 
  Example of risk : declared activity that does not correspond to the subject matter of the transaction ;
• The geographical location of the client’s or its beneficial owner’s activities. 
  Example of risk : establishment in a country classified as high-risk by the FATF ;
• The legal form, the size and the nature of the client’s business activity. 
  Example of risk : recently established companies, without a history or frequent changes of management ;
• Operations involving clients presenting a particular risk profile, in particular due to their functions and requiring enhanced vigilance. 
  Example of risk : politically exposed person (PEP) or person known for past offenses ;
• All elements contributing to a better understanding of the client, the beneficial owner, and the specifics of the business relationship. 
  Example of risk : refusal or difficulties in providing supporting documents or incomplete/altered documents ;
• The criteria provided by the Monetary and Financial Code which call for the implementation of supplementary or enhanced monitoring measures. 
  Example of risk : unusual transactions by their amount or frequency ;
• Business relationships or transactions involving persons or entities located in States or territories identified by international bodies as having deficiencies in FCRA/FT, or transactions carried out via establishments based in those zones. 
  Example of risk : payments originating from sanctioned countries.

Then, there are the steps of risk assessment and classification ( steps 2 and 3 ). At this stage, the professionals prioritize the identified risks according to a set of criteria and assign each situation a risk level ( low, medium, high ). This classification directly determines the level of vigilance measures that will be implemented subsequently. The risk classification relies not only on external information to the entity ( reports of activity and analyses from TRACFIN and the National Sanctions Commission – CNS, documents from the FATF, press, databases, etc. ), but primarily on the criteria defined in Article L561-4-1 of the CMF :

• Description of products or services offered ; 
• Proposed transaction terms ;
• Distribution channels used ;
• Client Characteristics ;
• Characteristics of geographical location ( country or territory of origin or destination ) funds or parties involved.

Finally, comes the crucial stage of the determination and the implementation of operational measures to address the identified risks. These vigilance measures must be adapted according to risk categories and it is essential to formalize internal procedures that all concerned employees must know and follow. These measures may include, for example, the identification of the client and the ultimate beneficial owner, the collection of information on transactions ( as specified in Article L.561-5-1 of the CNIL ), as well as regular monitoring of the business relationship ( as stipulated in Article L.561-6 of the CNIL ). It is also important that all actions are well documented and justifiable at all times, particularly in the event of an inspection by competent authorities. If anomalies are detected, enhanced vigilance may be required, or a suspicion report may be made to TRACFIN.

The requirement for individualization and formalization

The risk assessment and management system that each subject professional implements cannot be standardized; it must be specifically adapted to the actual situation and must be individualized . This means that it must take into account the specific characteristics of each organization, such as its size, activities, clientele, the nature of goods in its field of activity, and its geographical location. The guidelines of the DGCCRF and TRACFIN highlight the importance of this individualization to be fully compliant with the obligations of the CSSF. It is also important to note that simply copying and pasting legal texts or reproducing guidelines is not sufficient; each professional must adjust its procedures according to each situation. As the guidelines state, the mere repetition of the guidelines or the reproduction of articles from the CSSF by the professional will not suffice to put it in compliance with the obligations of Article L.561-32 CSSF.

Furthermore, the designation of a LCB/FT responsible, regular updating of the risk mapping, the implementation of internal controls and ongoing training are essential elements to ensure an effective and dynamic implementation of this procedure. Learn more about the in-service training of real estate professionals

4. Reports of the CNIL regarding the implementation of due diligence obligations

The CNS 2023 activity report highlights that many professionals subject to it, particularly in the real estate and virtual office sectors, do not concretely apply their due diligence obligations, despite the existence of a clear legal framework.

Key findings :

• The risk-based approach is often perceived as too theoretical. Many professionals, particularly in small and medium-sized enterprises, experience difficulties in distinguishing between global risk assessment and the assessment of each client individually. These misunderstandings prevent the adaptation of internal procedures to the reality of each activity, which contravenes the requirement for individualization provided for in Article L561-32 of the CNIL.
• The failure to understand key concepts such as the beneficial owner, the exposed political person (PPE), or even the handling of suspicion reporting remains frequent. This significantly limits the effectiveness of the implemented vigilance framework.
• Some professionals rely on digital tools to assess risks, but these tools cannot replace human judgment. The CNS recalls that assessment and professional judgment remain essential elements in this process.
• The 2023 activity report of the CNS highlights the fact that numerous sanctions have been imposed on professionals for non-compliance with their obligations. The five The main deficiencies identified, representing 89% of all deficiencies, relate to :

• The obligation to define and implement mechanisms for identifying and assessing risks, as well as documenting due diligence efforts, and an adapted policy to these risks ;
• The obligation to identify and verify the client’s and beneficial owner’s identity ;
• The collection and updating of information on the subject matter and nature of the business relationship ;
• The training and information of employees ;
• The non-compliance with legal obligations relating to GDPR in this matter.

In 2023, the CNS imposed a total of 195 sanctions, including 90 temporary suspensions of practice, 13 warnings and 1 censure. Furthermore, nearly 89 financial penalties were applied, ranging from 500 to 50,000 euros. Most of these sanctions concerned the real estate sector ( 62.5%), registered address service ( 33.3%), and the art market ( 4.2% ). Find our article on the TRACFIN declarations for real estate agents

II. The key issues (PPE, FATF, beneficial owner)

1. The Politically Exposed Person (PEP)

According to Article L561-10 of the Monetary Funds Law and Article 3(9) of Directive European 2015/849 on combating money laundering , A politically exposed person (PEP) is a person who holds or has held an important public function and who, as a result, is exposed to a higher risk of money laundering, particularly due to corruption and undue influence associated with their functions. According to Article R561-18 of the Monetary Funds Law, this may include individuals such as a head of state, a minister, a head of a public company, a member of a supreme court, or an ambassador, among others. The concept of a PEP also extends to the direct family members of the individual ( spouse, children, descendants ) as well as their closest associates.

Data Processors represent a particular risk due to their functions and, consequently, their identification and monitoring are essential. The guidelines recommend certain basic measures to be implemented for their identification, before applying supplementary measures ( notably those provided for in Article R561-20-2 of the CNIL ) : this includes, for example, asking a client whether they meet the characteristics of a Data Processor and verifying their status online. It is also possible to refer to lists of Data Processors provided by certain commercial companies.

The aforementioned report by the CNS highlighted a lack of vigilance regarding SPIs, particularly in the real estate and virtual office sectors, where many professionals have not fully integrated the risk and obligation approach stemming from them. The CNS also observes that the concept of SPI remains unclear for a majority of professionals, which complicates the identification and application of obligations relating to these at-risk individuals.

2. The Financial Action Task Force (FATF)

The FATF ( Financial Action Task Force ) develops recommendations to assist States in combating money laundering and terrorist financing. It requires financial institutions and professionals to know their clients and assess the risks associated with their transactions, particularly as regards the beneficial owners.

The FATF recommends a risk-based approach, requiring professionals to assess specific risks related to their activities, clients, and transactions. This involves a thorough understanding of their clients, collecting detailed information, and conducting ongoing evaluations. Complying with FATF recommendations is not only important for maintaining international compliance, but also for avoiding sanctions imposed by the UNSC.

The CNS report of 2023 highlights that the FATF’s work is essential, particularly during the risk classification phase, such as that relating to a client’s country of residence. The FATF publishes a list of non-cooperative countries and if a client originates from one of these countries, it can significantly increase the risk in relation to AML/CFT.

The Actual Beneficiary

The beneficial owner is the natural person who ultimately controls a client, or for whom an operation is carried out or a business is conducted, directly or indirectly ( Article L561-2-2 CMF ). The identification and verification of the beneficial owner represent the second most frequent breach ( 23% ) in the 2023 CNS report and remains an unclear concept for many professionals.

His identification is crucial, particularly in high-risk sectors such as registered address services, where arrangements can be made to conceal the origin of funds or their true beneficiary [12].

The report by the CNS highlights sectors such as real estate and art trading, where professionals do not systematically verify the identity of the beneficial owners. This leads to sanctions. For example, in 2023, the CNS observed that sales of high-value assets ( real estate or artworks ) have involved undeclared beneficial owners, as evidenced by the following decisions :

• Decision No. 2019-58 of March 29, 2021 : « The opacity of files due to changes in capital structures and management of companies located did not allow for the easy determination of the actual beneficial owners of said companies » ;
• Decision No. 2022-17 of November 17, 2023: “The Commission considers that it is incumbent upon each professional subject to LCB/FT obligations to carry out the necessary due diligence […] to identify and verify the identity of clients and beneficial owners.” » ;
• Decision No. 2022-40 of October 20, 2023: “The requirement […] for identification and risk assessment appears all the more imperative in the art sales sector, particularly exposed to the risks of BFT [subject to] recourse to shell companies complicating the traceability of operations and the identification of beneficial owners.” »

III. Internal control: a key point

Internal control is a key element of risk management in the context of LCB/FT, as stipulated in Article L561-32 of the Monetary Funds Law. This article obliges professionals to establish internal organizations and procedures adapted to the nature and size of their activities, as well as the identified risks. These procedures must enable continuous vigilance and allow for the rapid detection of FT risks. The guidelines highlight that this internal control system must be proactive, with sufficient human and material resources to ensure the effective implementation of vigilance obligations, including monitoring suspicious transactions and business relationships.

The guidelines and report from the CNS also emphasize the need for continuous staff training. It is crucial that those responsible for the implementation of LCB/FT obligations benefit from appropriate training and knowledge to effectively exercise their functions. 

Finally, internal control must be strengthened by regular audits and constant monitoring of vigilance procedures, particularly concerning the identification of ultimate beneficiaries and SPVs, in order to guarantee the effectiveness of the LCB/FT framework.

Need support with TRACFIN compliance implementation ?

Whether you are a notary, real estate agent, accountant, luxury professional, or service provider linked to financial flows, your obligations regarding the fight against money laundering and terrorist financing must not be taken lightly.

Aumans Avocats accompanies professionals subject to TRACFIN in :

• the implementation of their risk assessment procedure,
  
• the development of their risk mapping,
  
• the drafting of internal procedures,
  
• the training of their teams and the management of suspicion reports.

Contact us for an audit or personalized support.