NATIONAL MONEY LAUNDERING / TERRORIST FINANCING (ML/TF) RISK ASSESSMENT TOOLKIT GUIDANCE MANUAL NON-PROFIT ORGANIZATIONS TF RISK ASSESSMENT TOOL Identifying the FATF NPOs at risk of terrorist financing abuse Funded by the European Union 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy, completeness, or currency of the data included in this work and does not assume responsibility for any errors, omissions, or discrepancies in the information, or liability with respect to the use of or failure to use the information, methods, processes, or conclusions set forth. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Nothing herein shall constitute or be construed or considered to be a limitation upon or waiver of the privileges and immunities of The World Bank, all of which are specifically reserved. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org. Cover photo: Refik Tekin / Shutterstock Edit by: Publications Professionals LLC Design by: Bruna Sofia Simones Version 1.0 (June 2022) World Bank Group National Money Laundering and Terrorist Financing Risk Assessment Toolkit Disclaimer and Terms of Use The National Money Laundering/Terrorist Financing Risk Assessment (NRA) Toolkit has been developed by World Bank Group (WBG) staff members to support WBG client countries and jurisdictions in self-assessing their money laundering and terrorist financing risks. The NRA Toolkit contains guidance manuals, including this document; Excel worksheets and the formulas therein; PowerPoint presentations; and any other materials provided as part of the NRA Toolkit. Jurisdictions are advised to use the NRA Toolkit with technical assistance from the WBG to ensure proper application. The NRA Toolkit is supplied in good faith and is based on certain factors, assumptions, and expert opinions that the WBG may in its absolute discretion have considered appropriate at the time the toolkit was developed. Even if being done through the NRA Toolkit, an NRA is conducted as a self-assessment by a jurisdiction and not by the WBG staff. The user is responsible for any data, statistics, and other information put into the various NRA Toolkit templates, as well as for any interpretation and conclusion based on the results of the NRA Toolkit. The WBG provides the NRA Toolkit as is and disclaims all warranties, oral or written, express or implied. That disclaimer includes without limitation a warranty of the fitness for a particular purpose or noninfringement or accuracy, completeness, quality, timeliness, reliability, performance, or continued availability of the NRA Toolkit as a self-assessment tool. The WBG does not represent that the NRA Toolkit or any information or results derived from the NRA Toolkit are accurate or complete or applicable to a user’s circumstances and accepts no liability in relation thereto. The WBG shall not have any liability for errors, omissions, or interruptions of the NRA Toolkit. The WBG will not be responsible or liable to users of the NRA Toolkit or to any other party for any information or results derived from using the NRA Toolkit for any business or policy decisions made in connection with such usage. Without limiting the foregoing, in no event shall the WBG be liable for any lost profits—direct, indirect, special, incidental, or consequential—or any exemplary damages arising in connection with use of the NRA Toolkit, even if notified of the possibility thereof. By using the NRA Toolkit, the user acknowledges and agrees that such usage is at the user’s sole risk and responsibility. The NRA Toolkit does not constitute legal or other professional advice, but in particular it does constitute an interpretation of these Financial Action Task Force (FATF) documents: FATF 40 Recommendations and Methodology for Assessing Technical Compliance with the FATF Recommendations and the Effectiveness of AML/CFT Systems. The WBG shall not be responsible for any adverse findings, ratings, or criticisms from the FATF or FATF-style regional bodies arising from use of the NRA Toolkit. Nothing herein shall constitute or be considered a limitation on or a waiver of the privileges and immunities of the International Bank for Reconstruction and Development, which are specifically reserved. The European Union partially funded development of this tool but had no direct involvement in the technical work. This guidance manual and any other supporting documents it refers to do not represent views of the European Union. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 3 >>> Acknowledgments This tool has been developed by the Financial Market Stability and Integrity (FSI) unit of the World Bank. The tool and this guidance were developed by Yee Man Yu, with essential support from Emile J. M. van der Does de Willebois and Benjamin Evans. The project team is thankful to the staff and management of FSI for their support. The team also thanks Keesook Viehweg and Victoria Taaka for their excellent and relentless administrative support at all stages. The team is especially grateful to the group of experts who peer reviewed this tool: Lia van Broekhoven (Human Security Collective), Andrea Hall (Charity & Security Network), Kristen Alma (Financial Action Task Force), and Stuart Yikona (World Bank). Cecilia Joseph Marian kindly provided a final review. Their contributions were essential to the development and improvement of the tool. Special thanks go out to Jocelyn Nieva and Claudia Guadamuz of the International Center for Not-for-Profit Law for their support in piloting the tool. This document, and other documents and Excel templates that are under the scope of the Non-Profit Organizations Risk Assessment Tool, are intended as working documents for World Bank technical assistance activities and do not represent the views of the World Bank Group, its Boards of Directors, or its management. >>> Contents Introduction of the NPO Tool 7 THE RISK ASSESSMENT PROCESS 7 Composition of the Working Group 7 Participation of NPOs in the Working Group 8 Skills and knowledge needed by the Working Group 8 Data and information 8 ASSESSMENT STEPS 9 OUTCOMES OF NPO TF RISK ASSESSMENT TOOL 9 UNDERSTANDING THE NPO Tool 9 Variables 9 The structure of the NPO Tool (the Network Diagram) 9 Step 1. Identify and Collect Data on All NPOs That Meet the FATF Definition 11 1A. ASSEMBLE JURISDICTION AID PROFILE 11 1B. IDENTIFY ALL LEGAL ENTITIES, ARRANGEMENTS, AND ORGANIZATIONS THAT COULD FALL UNDER 11 THE FATF DEFINITION OF NPO Exclusion of NPOs from the risk assessment 12 1C. DOCUMENT CORE INFORMATION ABOUT FATF NPOs 13 1D. COLLECT ADDITIONAL FATF NPO INFORMATION (IF AVAILABLE) 15 Step 2. Assess and Document Evidence and Level of Terrorist Financing Abuse of NPOs 16 >>> Contents Step 3. Assess Inherent Risk 20 OBJECTIVE 20 BEFORE THE INHERENT RISK ASSESSMENT: CATEGORIZATION OF NPOs 20 3A. ASSESS THE THREAT BY CATEGORY OF FATF NPOSs 22 3B. ASSESS THE INHERENT VULNERABILITY BY CATEGORY OF FATF NPOs 25 Step 4. Analyze Mitigating Factors by Category of FATF NPOs 29 OBJECTIVE 29 ASSESSMENT OF MITIGATING MEASURES 30 Step 5. Draw Conclusions and Disseminate Resulting Materials 36 USE THE TOOL TO DRAW YOUR OWN CONCLUSIONS 36 BASE RECOMMENDATIONS ON THE RISK ASSESSMENT 36 CAPTURE AND COMMUNICATE THE CONCLUSIONS 37 Integrating the NPO TF Risk Assessment results into the National TF Risk Assessment 37 Disseminating results 37 >>> Introduction of the NPO tool The nonprofit organization (NPO) tool of the National Risk Assessment (NRA) Tool serves as an instrument that jurisdictions can use to support their analyses of the terrorist financing abuse of NPOs. Through it, the Working Group will identify NPOs that meet the Financial Action Task Force (FATF) definition, assess the evidence of NPO abuse for terrorist financing, determine the inherent risk (exposure to active terrorist threat), and review the quality of existing mitigation measures. This analysis should seek to complement and draw on national terrorism and terrorist financing risk assessments.1 The Risk Assessment Process COMPOSITION OF THE WORKING GROUP In line with a collaborative approach, the Working Group should represent all relevant parts of government and the NPO sector. Representatives of the following entities are required: ● At least one representative of each type of NPO2 ● Competent authority overseeing or monitoring NPOs (this may be a regulator or a coordinating authority; all such authorities should be represented if there is more than one) ● Financial Intelligence Unit ● An intelligence service representative or someone who represents another authority with operational knowledge of terrorist financing (including confidential information and any ongoing cases) ● Law enforcement authorities ● Banking association ● Tax authority (if NPOs have a dedicated tax status) 1. To comply with international legal obligations, jurisdictions should ensure that activities protected by international humanitarian law, international human rights law, and international refugee law are not treated as negative factors in a risk assessment. 2. One individual can represent more than one type of NPO. For example, the person may be a representative for an umbrella organization or association with a foreign headquarters that is also working in a geographical location in close proximity to an active terrorist threat. . GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 7 PARTICIPATION OF NPOS IN THE WORKING GROUP The coordinator must ensure participation of a representative sample of the NPO sector in the risk assessment. It is particularly important to include representation of NPOs that meet the FATF definition, and representatives that have reliable knowledge of unregulated NPOs. To increase reach, the following actions can be taken: ● Administer online surveys and questionnaires (including perception surveys) ● Connect with umbrella organizations as a means of enabling participation by NPOs that represent the sector ● Engage with NPOs on an ongoing basis (rather than one-time consultations) ● Provide opportunities for NPO participation (such as by gathering data, assessing findings, and validating results) ● Exchange information (instead of providing only one-directional training or information) SKILLS AND KNOWLEDGE NEEDED BY THE WORKING GROUP ● Understanding of the NPO sector ● Understanding of the domestic legal framework for NPOs ● Understanding of the accounting, accountability, and governance regimes for NPOs ● Access to information (including confidential information) on cases of terrorist financing ● Analytical skills to assess the quality and weight of qualitative evidence ● Meeting facilitation ability ● Report writing ability A collaborative multistakeholder process that promotes and protects trust, transparency, and inclusiveness by and between the Working Group’s members is essential. The Working Group should be co-led by an NPO representative if possible. Risk assessment processes have been most beneficial where there is (a) strong commitment by participants and the Working Group leadership to perform a realistic and credible assessment, and (b) a strong coordinator (a dedicated project leader with solid project management and communication skills, technical and analytical capacity, and sufficient seniority to function independently while also being very collaborative). Subtasks may be divided among members, but all final assessments must be agreed on by the Working Group as a whole. DATA AND INFORMATION Working Groups should observe the following guidelines for gathering and using data and information: ● Use the best available information and list the sources on which the assessment is made. Particularly where data are scarce, not comprehensive, or inaccurate, it is important to indicate this in records and reports. ● Give reliable estimates when requested data are not available. ● Obtain information from all relevant sources, including the NPO sector, NPO regulators or supervisors, financial institutions, Financial Intelligence Units, law enforcement authorities, intelligence authorities, tax authorities, and others. ● If information or data to reliably complete tables are unavailable, perform more work to collect such information or data about FATF NPOs in that jurisdiction. Data collection methods could include the following: • Questionnaires and surveys • Interviews • Observations • Focus groups • Ethnographies, oral histories, and case studies (where they exist) • Documents and records such as the following: ○ Gazette list of registered NPOs ○ Government ministries ○ Civil society databases GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 8 Assessment steps Jurisdictions can assess the risk of the abuse of NPOs for terrorist financing by following the steps below: 1. Identify all NPOs that could meet the FATF definition and collect information about these FATF NPOs. 2. Assess the evidence of terrorist financing abuse of NPOs. 3. Assess the inherent risk of FATF NPOs (for all FATF NPOs together, for selected categories, or both) 4. Assess the effectiveness of mitigating measures (for all FATF NPOs together, for selected categories, or both). Note. Step 4 need only be performed for FATF NPOs assessed to be of a medium to high inherent risk. If the FATF NPO category is assessed to be of a low inherent risk, there may be no need to apply mitigating measures. This is especially the case if there is no or low evidence of terrorist financing (TF) abuse of NPOs. Outcomes of NPO TF Risk Assessment Tool Implementing a TF risk assessment can be expected to produce the following assessment outcomes: ● Identification of FATF NPOs and collection of data on their characteristics ● Evidence of terrorist financing abuse of NPOs ● Level of inherent risk by FATF NPO category ● Effectiveness of mitigating measures by FATF NPO category ● Visual summaries of all assessment results to support analysis Understanding the NPO Tool Many factors contribute to the risk of terrorist financing abuse of NPOs. This tool has been developed to reflect the key factors and their underlying relationships, based primarily on the FATF Recommendations and Guidance papers. In this tool, these factors are called variables. The ratings assigned to these different variables by the Working Group ultimately lead to the assessed risk level of terrorist financing abuse of NPOs. VARIABLES There are two types of variables in the tool: (a) input variables, and (b) intermediate variables. a. Input variables: These variables require the Working Group to enter an assessment rating. For each step of this assessment, there is guidance on these variables in this document. b. Intermediate variables: These variables are higher-level factors. Using the ratings entered for the input variables and the underlying formulas that reflect their relationships, the Excel tool generates the ratings for these intermediate variables. THE STRUCTURE OF THE NPO TOOL (THE NETWORK DIAGRAM) The formulas that have been built into the tool make it possible to combine the assessment results of input variables and calculate the ratings for intermediate variables. Each variable in the tool has been assigned a weight, and the underlying relationships between the variables of various levels have been determined by setting up certain preconditions. The diagrams in figure 1 reflect the underlying network of variables for the NPO tool. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 9 >>> Figure 1: Network Diagram NPO Tool EVIDENCE OF NPO INVOLVEMENT IN TF/TERRORISM Number of TF/ Number of TF/ Number of TF/ Number of TF/ Number of TF/ Number of TF/ terrorism terrorism terrorism intelligence terrorism allegations in terrorism convictions terrorism STRs prosecutions investigations investigations credible open sources Size Diversion of funds Activity type Affiliation with a Offshore/complex terrorist entity control structure NPO profile Level of accountability Abuse of required by funding sources TF typologies programming Level of verifiability of fundraising methods Support to Level of cash transfers, valuable in-kind goods recruitment efforts INHERENT Level of risk appetite False representation/ THREAT VULNERABILITY Complexity/length of sham NPO Operational operational chains features Reliance on transitory or informal workforce Raising of funds Level of professionalism Proximity to active Use of cash Transfer of funds terrorist threat Methods to Use of virtual currency Operations and transfer funds Use of informal money expenditure of funds transfer system INHERENT RISK MITIGATING MEASURES Quality of governance Quality of outreach and education Quality of financial management Quality of NPO policies Quality of project management Scope of registration GOVERNMENT NPO of FATF NPOs MEASURES MEASURES Quality of staff vetting and oversight Availability and accessibility of accurate NPO information Level of commitment to ethics and transparency Avoiding disruption of NPO activities Level of self-regulation (incl. implementation) At the end of the assessment, the Excel tool will help generate at least three ratings: ● Evidence and level of terrorist financing abuse of NPOs ● Inherent risk of NPOs by NPO category ● Quality of mitigating measures by NPO category Important: The National Risk Assessment (NRA) Tool is not a data analysis tool. The input required should be based on qualitative judgment of the data, information, and expert opinions for the different input variables. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 10 1. >>> Step 1. Identify and collect data on all NPOs that meet the FATF definition 1a. Assemble jurisdiction aid profile Indicate the amount of aid that the jurisdiction has provided and received in the assessment period. Depending on the jurisdiction context (level of TF threat and active terrorist threat), this may be of relevance in determining which category of NPOs might be more exposed to TF threat. 1b. Identify all legal entities, arrangements, and organizations that could fall under the FATF definition of NPO Given the variety of legal forms that NPOs can have (depending on the jurisdiction), the FATF has adopted a functional definition of NPO (see box). This means that FATF Recommendation 8 applies to any legal person, arrangement, or organization that meets the FATF definition, regardless of legal status in the jurisdictions where there is legislation for NPOs (though such legislation is not required by FATF). The FATF’s functional definition of Nonprofit Organization (NPO): An NPO is any legal person or arrangement or organization that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of “good works”.3 3. FATF (Financial Action Task Force), International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation: The FATF Recommendations (Paris: FATF/OECD, 2012–2021), 64, Interpretive Note to Recommendation 8. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 11 The FATF has established that only NPOs that fall under the FATF definition are vulnerable to TF abuse. To enable an informed distinction between the organizations that do and do not meet the FATF definition, the Working Group should do the following: ● Identify all organizations that perform activities for purposes of any type of good works, ● Categorize these organizations, ● Document basic information about these organizations in the Excel file (to the best of the Working Group’s knowledge; this may mean that the Working Group is only able to provide an approximation of the number of organizations, their operating models, activities, and purposes until it obtains more information for future risk assessments), ● Review the information collected about the various categories of organizations against the FATF definition. Only where the organizations meet the FATF definition are they considered FATF NPOs. The Working Group should only apply the risk assessment to this subset of FATF NPOs, to determine the risk level of the different categories of FATF NPOs. FATF requirements for NPOs (Recommendation 8): Countries should review the adequacy of laws and regulations that relate to nonprofit organizations that the country has identified as being vulnerable to terrorist financing abuse. Countries should apply focused and proportionate measures, in line with the risk-based approach, to such nonprofit organizations to protect them from terrorist financing abuse. There are two important notes that need to be made: 1. Focused and proportionate measures need to be taken depending on the risk level of NPOs. 2. The FATF is not prescriptive about the measures that should be applied. It does not require jurisdictions to implement registration, licensing, or a regulatory regime to NPOs. In particular, the FATF does not encourage introducing supervision of all NPOs for the purposes of countering the financing of terrorism. Moreover, the FATF does not suggest that NPOs should become reporting entities (like financial institutions). Such one-size-fits-all approaches are inconsistent with the risk-based approach of Recommendation 1.4 When identifying which NPOs could meet the FATF definition, Working Groups should ensure that the widest array of nongovernment and not-for-profit legal persons, arrangements, and organizations are considered. It may be that the FATF NPOs overlap entirely with regulated NPOs in the jurisdiction, but this cannot be assumed. Working Groups should ensure that this broad consideration includes NPOs registered with another authority as well as those that are not registered. EXCLUSION OF NPOS FROM THE RISK ASSESSMENT At the identification stage, it is better to be comprehensive. If a particular legal category in the jurisdiction includes some organizations that meet the FATF definition and some that do not, those that do not should still be included. However, certain types of organizations can be safely excluded. Examples include political parties, trade unions, professional associations, and credit unions. These are all normally considered to be outside the scope of organizations that engage in good works. The FATF has established that the NPOs most at risk of abuse for terrorist financing are those that are engaged in service activities such as providing housing, social services, education, or health care. 4. FAFT, The FATF Recommendations, 60–63. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 12 NPOs engaging in expressive activities (for example, sports and recreation, arts and culture, interest representation, or advocacy) such as political parties, think tanks, and advocacy groups are much less likely to be exposed to TF abuse. For expressive NPOs, the Working Group should consider whether there are considerations warranting their inclusion—for example, if there are concerns that expressive NPOs are encouraging terrorist recruitment. 1c. Document core information about FATF NPOs Core information on FATF NPOs is collected in this step. Even where data are not available, this table should be completed. In such cases, reliable estimations and expert opinions may be used instead. The records and report should clearly indicate the degree to which data or information is unavailable, inaccurate, scattered, or outdated. For example, it is common that registration does not provide 100% coverage, or that NPOs have drifted away from their original missions. Item Input Guidance Total number of Insert the total number of FATF NPOs. FATF NPOs Insert the (estimated) total value of the income, budget, or expenditure of all Total value of NPOs that meet the FATF definition. Just one of these metrics is sufficient. income/budget/ The metric of choice should be the one that is most reliable in establishing expenditure of the financial size of the NPO sector. This will differ by jurisdiction, depending FATF NPOs on the data collected. In the records, please indicate the metric chosen. Value of Establish income, budget, or expenditure brackets (income band for the last income/budget/ financial year) to best reflect the NPO sector in the jurisdiction. Break down Bracket 1: expenditure the number of FATF NPOs by these value brackets. Provide a best estimate number of NPOs brackets of if accurate or comprehensive data are not available. Rows for more brackets FATF NPOs can be added as needed. Bracket 2: number of NPOs Bracket 3: number of NPOs Number of Insert the number of FATF NPOs that raise or disburse significant interna- FATF NPOs tional funds or have international operations. The threshold for significance with significant should be determined by the Working Group. For example, 15%–30% of international fundraising, disbursement, or operations occurring across borders could be exposure considered significant. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 13 Item Input Guidance Using the jurisdiction’s NPO classification, break down (list the estimated or Purpose of actual number of) FATF NPOs with significant international exposure by pur- FATF NPOs pose classification. If there is no classification available, the Johns Hopkins with significant list—which includes categories such as culture, health, social, education, international environmental, and development—can be used. Rows can be added as exposure needed to include all necessary classifications. Number of NPOs Purpose classification Number of NPOs Purpose classification Number of NPOs Purpose classification Number of NPOs Purpose classification Using the jurisdiction’s NPO classification, break down (list the estimated or Purpose of actual number of) predominantly domestic FATF NPOs by purpose classifi- predominantly cation. If there is no classification available, the Johns Hopkins list—which domestic FATF includes categories such as culture, health, social, education, environmental, NPOs and development—can be used. Rows can be added as needed to include all necessary classifications. Number of NPOs Purpose classification Number of NPOs Purpose classification Number of NPOs Purpose classification Number of NPOs Purpose classification Number of NPOs Purpose classification List the estimated or actual number of FATF NPOs for each type of legal structure an FATF NPO can take within the jurisdiction. Rows can be added as needed. Categories may include foundations, associations, trusts, registered Legal types of societies, charitable incorporated organizations, and unincorporated associa- NPOs tions. Where there are ad hoc, unregistered, or informal NPOs or NPOs that do not have a clear legal structure, these should be added as a category and an estimated number or indicative range of such NPOs should be given. Number of NPOs Legal structure Number of NPOs Legal structure Number of NPOs Legal structure Number of NPOs Legal structure Number of NPOs Legal structure GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 14 1d. Collect additional FATF NPO information (if available) Additional information relevant to TF and terrorism exposure on FATF NPOs is collected in this step. Working Groups should complete the sections for which data are available or can be reliably estimated. List the number of FATF NPOs that raise significant funds abroad. Number of FATF NPOs that raise The threshold for significance should be determined by the Working significant funds abroad Group. For example, 15%–30% of fundraising across borders could be considered significant. Break down the share of international funds raised by source jurisdic- tion (at least for the 10 main sources). If a risk classification of juris- Source jurisdictions of international dictions has been made at the national or supranational level (such funds raised (% breakdown) as a terrorist, terrorist financing, or national security assessment), the breakdown could be categorized by the assessed risk level of the source jurisdictions. Insert the number of FATF NPOs that have significant international Number of FATF NPOs with significant operations. The threshold for significance should be determined by the international disbursements Working Group. As an alternative, NPOs with at least 15%–30% of their operations occurring across borders would meet this threshold. Break down the share of international funds disbursed or spent by destination jurisdiction (at least for the 10 main destinations). If a Destination jurisdictions of international risk classification of jurisdictions has been made at the national or funds disbursed or spent (by %) supranational level (such as a terrorist, terrorist financing, or national security assessment), the breakdown could be categorized by the assessed risk level of the destination jurisdiction. Number of FATF NPOs with significant Insert the number of FATF NPOs that make significant disbursements disbursements to humanitarian (including for their own operations and activities) to humanitarian disas- disaster/emergency situations ter or emergency situations.5 Destination jurisdictions of Break down the share of international funds disbursed or spent by disbursements for humanitarian/ destination jurisdiction (at least for the five main destinations for emergency situations humanitarian/emergency support). Number of FATF NPOs with significant Insert the number of FATF NPOs that make significant disbursements disbursements to areas where there is an (including for their own operations and activities) to areas or geographi- active terrorist threat cal locations where there is an active terrorist threat. Break down the share of international funds disbursed or spent by Destination jurisdictions of disbursements destination jurisdiction (at least for the 5 main destinations with active with active terrorist threat terrorist threat). 5. Disbursing funds to or operating in humanitarian emergencies may increase exposure to TF abuse. The urgency of needs may diminish adherence to oversight and controls, which may raise exposure to abuse. For this reason, ensuring the assessment of TF risks for these NPOs can be useful—particularly where they are operating in closer proximity to terrorist activity. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 15 2. >>> Step 2. Assess and document evidence and level of terrorist financing abuse of NPOs Using the NPO tool in Excel, assess and document evidence of terrorist financing abuse of NPOs for the different input variables. If there is evidence of terrorist financing abuse of NPOs available, it is advised that descriptive information on the case(s) be included in the records and report. These should include (a) the characteristics of the NPO, such as legal type, purpose, size, value of assets, ownership and control structure, fundraising methods, disbursement methods and services/goods provided, types of transactions common to the NPO, and (b) characteristics of the case, such as NPO representative involved, value of the assets abused for TF purposes, and the method of abuse (typology description—that is, how the NPO was abused and the geographical locations involved). For each of the NPO categories that meet the FATF definition (as per Step 1), a separate analysis should be made. This category-by-category analysis is intended to support the understanding of risk at a granular level. These categories are what is meant by ‟NPO type 1,” and ‟NPO type 2” in the Excel tool. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 16 Input Variable Assessment Rating Guidance Number of TF High (1.0) Have there been any TF convictions of NPOs or their representatives and Terrorism Medium (0.5) (including employees, volunteers, or other individuals acting in an Convictions official capacity representing an NPO)? If so, at what level should the Low (0.2) number of those convictions be rated? Consider how this number of TF Does not exist (0.0) convictions relates to each of the following: ● The total number of TF convictions in the assessment period (and annual breakdown to identify trends) ● The number of FATF NPOs ● The total number of criminal convictions in the assessment period (and annual breakdown to identify trends) of NPOs, their represen- tatives, or both ● The total number of terrorism convictions in the assessment period Number of TF High (1.0) Have there been any TF prosecutions of NPOs or their representa- and Terrorism Medium (0.5) tives (including employees, volunteers, or other individuals acting in an Prosecutions official capacity representing an NPO)? If so, at what level should the Low (0.2) number of these prosecutions be rated? Consider how this number of Does not exist (0.0) TF prosecutions relates to each of the following: ● The total number of TF prosecutions in the assessment period (and annual breakdown to identify trends) ● The number of FATF NPOs ● The total number of criminal prosecutions (and annual breakdown to identify trends) of NPOs, their representatives, or both ● The total number of terrorism prosecutions in the assessment period Number of TF High (1.0) Have there been any criminal investigations related to TF of NPOs and Terrorism Medium (0.5) or their representatives (including employees, volunteers, or other Investigations individuals acting in an official capacity representing an NPO)? If so, at Low (0.2) what level should the number of criminal investigations related to TF be Does not exist (0.0) rated? Consider how this number of investigations relates to each of the following: ● The total number of criminal investigations related to TF in the as- sessment period (and annual breakdown to identify trends) ● The total number of criminal investigations related to TF charges made ● The total number of criminal investigations related to TF charges opened ● The number of FATF NPOs ● The total number of criminal investigations of NPOs, their repre- sentatives, or both ● The total number of criminal investigations related to terrorism in the assessment period GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 17 Input Variable Assessment Rating Guidance Number of TF High (1.0) Have there been any intelligence investigations related to TF of NPOs and Terrorism Medium (0.5) or their representatives (including employees, volunteers, or other Intelligence individuals acting in an official capacity representing an NPO)? If so, Low (0.2) Investigations at what level should the number of intelligence investigations related Does not exist (0.0) to TF be rated? Consider how this number of investigations relates to each of the following: ● The total number of intelligence investigations related to TF in the assessment period (and annual breakdown to identify trends), including: ○ The reliability of sources ○ The reliability of the information ● The total number of intelligence investigations related to TF (his- torically) ● The number of FATF NPOs ● The total number of intelligence investigations of NPOs, their rep- resentatives, or both ● The total number of intelligence investigations related to terrorism in the assessment period Number of High (1.0) Have there been any STRs or SARs related to TF on NPOs or their STRs/SARs Medium (0.5) representatives (including employees, volunteers, or other individu- related to TF als acting in an official capacity representing an NPO)? These STRs Low (0.2) and terrorism or SARs can be submitted by any reporting entity, including banks Does not exist (0.0) or money transfer service providers. If so, at what level should the number of STRs and SARs related to TF be rated? Consider how this number relates to each of the following: ● The total number of STRs and SARs related to TF on NPOs and their representatives that have been referred to other agencies ● The total number STRs and SARs related to TF in the assessment period (and annual breakdown to identify trends) ● The total number of STRs and SARs related to TF (historically) ● The number of FATF NPOs ● The total number of STRs and SARs related to NPOs, their repre- sentatives, or both ● The total number of STRs and SARs related to terrorism in the as- sessment period GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 18 Input Variable Assessment Rating Guidance Number of TF High (1.0) Have there been any allegations in credible open sources about ter- and Terrorism Medium (0.5) rorist financing or terrorism abuse of NPOs or their representatives (in- allegations in cluding employees, volunteers, or other individuals acting in an official Low (0.2) open sources capacity representing an NPO)? If so, how should the level of these Does not exist (0.0) allegations be rated? Consider each of the following: ● The credibility of the open sources such as academic reports, NPO reports, and known news sources (as opposed to online anony- mous blogs) ● The number of allegations made ● The nature of the allegations ● The substantiation provided Disinformation about NPOs may sometimes be presented as credible. When assessing the credibility of allegations about terrorist financing abuse of NPOs or their representatives, a careful review of the source of information is warranted. It is recommended that the Working Group consult neutral third parties to obtain the most objective views on the credibility of the open-source allegations. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 19 3. >>> Step 3. Assess inherent risk Objective ● The level of the inherent risk (by category of FATF NPOs) is assessed on the basis of the following: ○ TF threat by category of FATF NPOs ○ Inherent vulnerability by category of FATF NPOs Before the inherent risk assessment: Categorization of NPOs For the inherent risk assessment, the Working Group will need to decide how to apply the assessment (figure 2). It can choose to assess all FATF NPOs as one category, or it may choose to perform additional or separate inherent risk assessments of different categories. The Excel tool will be able to draw up a comparative risk heat map if an assessment of different categories of FATF NPOs is made. Additional or separate assessments may be particularly useful where there are categories of NPOs that face more significant concerns, either because of evidence of terrorist financing abuse (see Step 2), or because of features or characteristics of the NPOs. For example, NPOs that operate in areas where there is a terrorist threat or where terrorists operate could be treated as one category, and NPOs that operate among populations known to be supportive or sympathetic toward terrorist groups as another. At this stage it may also be worthwhile to consider the level of aid that the jurisdiction has provided and received in the assessment period and whether more concern should be given to NPOs that provide aid outside the jurisdiction or to NPOs that provide incoming or domestic aid (particularly if there is an active terrorist threat in the jurisdiction). GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 20 >>> Figure 2. Network diagram for the assessment of inherent risk by NPO category EVIDENCE OF NPO INVOLVEMENT IN TF/TERRORISM Number of TF/ Number of TF/ Number of TF/ Number of TF/ Number of TF/ Number of TF/ terrorism terrorism terrorism intelligence terrorism allegations in terrorism convictions terrorism STRs prosecutions investigations investigations credible open sources Size Diversion of funds Activity type Affiliation with a Offshore/complex terrorist entity control structure NPO profile Level of accountability Abuse of required by funding sources TF typologies programming Level of verifiability of fundraising methods Support to Level of cash transfers, valuable in-kind goods recruitment efforts INHERENT Level of risk appetite False representation/ THREAT VULNERABILITY Complexity/length of sham NPO Operational operational chains features Reliance on transitory or informal workforce Raising of funds Level of professionalism Proximity to active Use of cash Transfer of funds terrorist threat Methods to Use of virtual currency Operations and transfer funds Use of informal money expenditure of funds transfer system INHERENT RISK GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 21 3a. Assess the threat by category of FATF NPOs Intermediate Input Variable for Assessment Rating Description Variable Threat TF Diversion of High (1.0) There is evidence—or reasonable grounds for believ- typologies6 funds Medium (0.5) ing or suspecting—that NPOs (including employees, volunteers, or other individuals acting in an official Low (0.2) capacity representing an NPO) in this category have Does not exist (0.0) diverted or are diverting funds to terrorism, a known or suspected terrorist entity, terrorist individual, or supporter of terrorism Affiliation with High (1.0) There is evidence—or reasonable grounds for believ- a terrorist Medium (0.5) ing or suspecting—that NPOs (including employees, entity volunteers, or other individuals acting in an official ca- Low (0.2) pacity representing an NPO) in this category maintain Does not exist (0.0) an operational affiliation with a known or suspected terrorist entity, terrorist individual, or supporter of ter- rorism. Abuse of High (1.0) There is evidence—or reasonable grounds for believ- programming Medium (0.5) ing or suspecting—that NPO-funded programs meant to support legitimate purposes are manipulated at the Low (0.2) point of delivery to support terrorism, a known or sus- Does not exist (0.0) pected terrorist entity, terrorist individual, or supporter of terrorism. Support for High (1.0) There is evidence—or reasonable grounds for be- recruitment Medium (0.5) lieving or suspecting—that NPO-funded programs efforts or facilities are used to create an environment that Low (0.2) supports or promotes terrorism recruitment-related Does not exist (0.0) activities. False High (1.0) There is evidence—or reasonable grounds for believ- representation/ Medium (0.5) ing or suspecting—that under the guise of charitable sham NPO activity, organizations or individuals raise funds or Low (0.2) carry out other activities in support of terrorism, a Does not exist (0.0) known or suspected terrorist entity, terrorist individual, or supporter of terrorism 6. FATF (Financial Action Task Force), “Terrorist Financing Risk Assessment Guidance” (FATF, 2019), para. 68. See also: FATF, “Risk of Terrorist Abuse in Non-profit Organisations,” (FATF, 2014), 36. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 22 Intermediate Input Variable for Assessment Rating Description Variable Threat Proximity Collection of High (1.0) There is evidence—or reasonable grounds for believ- to active funds Medium (0.5) ing or suspecting—that NPOs in this category are terrorist located in or collecting funds in areas with threat Low (0.2) a. an established presence of terrorism Does not exist (0.0) b. conflict in which there is an active terrorist threat. Or from collecting funds or operating with c. a known or suspected terrorist entity or terrorist individual, d. a population that is actively targeted by a terrorist movement for support and cover,7 or e. entities (including financial institutions) and indi- viduals known to be supportive of or sympathetic toward terrorist entities, terrorist individuals, ter- rorist ideology, or radical beliefs. Transfer of High (1.0) There is evidence—or reasonable grounds for funds Medium (0.5) believing or suspecting—that NPOs in this category are located in or facilitate transfer of funds through or Low (0.2) to areas with Does not exist (0.0) a. an established presence of terrorism or b. conflict in which there is an active terrorist threat, or are transferring funds to or from, or operating with c. a known or suspected terrorist entity or terrorist individual, d. a population that is actively targeted by a terrorist movement for support and cover,8 or e. entities (including financial institutions) and indi- viduals known to be supportive of or sympathetic toward terrorist entities, terrorist individuals, ter- rorist ideology, or radical beliefs. 7. FATF, “Risk of Terrorist Abuse in Non-profit Organisations,” (FATF, 2014) p. 44. 8. FATF, “Risk of Terrorist Abuse in Non-profit Organisations,” (FATF, 2014) p. 44. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 23 Intermediate Input Variable for Assessment Rating Description Variable Threat Expenditure of High (1.0) There is evidence—or reasonable grounds for funds Medium (0.5) believing or suspecting—that NPOs in this category are located in, or disbursing funds or delivery of Low (0.2) programs through which they are operating in areas Does not exist (0.0) with a. an established presence of terrorism, b. conflict in which there is an active terrorist threat, or from expending funds, or operating with c. a known or suspected terrorist entity or terrorist individual, d. a population that is actively targeted by a terrorist movement for support and cover,9 or e. entities (including financial institutions) and individuals known to be supportive of or sympathetic toward terrorist entities, terrorist individuals, terrorist ideology, or radical beliefs. Disbursing funds to or operating in humanitarian emergencies may also increase exposure. The urgency of needs can diminish adherence to oversight and controls, which may raise exposure to abuse. A lesser exposure could also arise from an NPO’s provision of services to entities, populations, or persons known to be targeted, supportive of, or sympathetic toward terrorist groups, terrorist ideology, or radical beliefs. This includes those who are vulnerable to being exploited for TF purposes, such as refugees, victims of humanitarian emergencies, and children in high-risk areas and diaspora groups. 9. FATF, “Risk of Terrorist Abuse in Non-profit Organisations,” (FATF, 2014) p. 44. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 24 3b. Assess the inherent vulnerability by category of FATF NPOs The following table can be used to assess the variables on inherent vulnerability of FATF NPOs by category (see Step 2). Intermediate Input Variable Assessment Rating Guidance Variable NPO profile Size10 Large (1.0) Indicate the size of this category of NPOs. Take the Medium (0.5) following into consideration: ● Value of income, budget, or expenditure of Small (0.2) the NPOs (the metric of choice should be the one that is most reliable in establishing the financial size of the NPO sector; this will differ by jurisdiction depending on the data collected) ● Scale of operations ● Number of staff (including volunteers) ● Number of locations ● Comparison with NPO sector in its entirety ● Comparison with other categories of NPOs in the sector Activity type Service (1.0) Indicate the type of activity that this category of NPO Expressive (0.0) engages in, using the following classifications: ● Service activities include programs focused on housing, social services, education, and health care. These may provide cash, in-kind goods, intangible services, or institutional grants or contracts. ● Expressive activities include programs focused on sports and recreation, arts and culture, inter- est representation, or advocacy. (Such NPOs might provide intangible services such as training or use of location and equipment, or they might provide in-kind goods. Depending on the mea- sure to which such services are provided, it may be warranted to qualify these NPOs as service NPOs). Offshore or High (1.0) Do NPOs in this category have foreign control struc- complex control Medium (0.5) tures, unusually complex control structures, or both? structure Low (0.2) Does not exist (0.0) 10. This variable does not have an impact on the inherent risk rating. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 25 Intermediate Input Variable Assessment Rating Guidance Variable Level of High (1.0) What is the level of accountability associated with the accountability Medium (0.5) primary sources of income for this category of NPOs? required by Income from government institutions and NGOs funding sources Low (0.2) generally present a lower exposure to abuse because Does not exist (0.0) their accountability mechanisms typically include due diligence, conditions for expenditure, reporting requirements, tracing, and oversight. Level of High (1.0) What is the level of verifiability associated with the verifiability Medium (0.5) predominant fundraising methods for this category of of fundraising NPOs? Cash collections and religious contributions methods Low (0.2) are more vulnerable to skimming and fraud or Does not exist (0.0) misrepresentation. Social media or online collection, public donation through formal financial channels, and member fees tend to allow for much more verification because a formal trail can be consulted or obtained. Level of cash High (1.0) What is the level of cash transfer or valuable in- transfers or Medium (0.5) kind goods that this category of NPOs provides? valuable in-kind This type of service delivery is prone to diversion, goods Low (0.2) misappropriation, and abuse, which raises its Does not exist (0.0) inherent vulnerability. Operational Level of risk High (1.0) The organizational culture affects the values that features appetite Medium (0.5) NPOs prioritize. What is the level of risk appetite for NPOs in this category? Risk appetite may Low (0.2) be reflected by lower controls when performing Does not exist (0.0) fundraising or by lower project management controls to enable service delivery (note that this could be driven by good intentions). Greater exposure arises where a large risk appetite is combined with a higher exposure to threat and poor standards of management. Risk may also arise where organizations are willing to lower risk management standards in order to achieve mission objectives.11 11. FATF, “Risk of Terrorist Abuse in Non-profit Organisations,” (FATF, 2014), p. 26. Interpreted as: “drive to deliver, even if compromises integrity” (such as in that report, case study 32 on p. 39). GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 26 Intermediate Input Variable Assessment Rating Guidance Variable Complexity High (1.0) The longer or more complex an operational chain or length of Medium (0.5) is, the higher its inherent vulnerability becomes. operational This vulnerability is due to increased challenges chains Low (0.2) to effective oversight, exposure to diversion of Does not exist (0.0) resources, and abuse in the delivery of programs.12 How long or complex are the logistical networks of NPOs in this category (the chains through which they collect, retain, transfer, and deliver resources)? Higher levels of decentralized management decisions on operations may increase inherent vulnerability because it reduces an NPO’s ability to perform oversight on the delivery of programs and control of resources.13 Reliance on High (1.0) What is the % of transitory workers compared to transitory Medium (0.5) regular staff of NPOs in this category? A higher level or informal of transitory staff or informal staff members may make workforce Low (0.2) it difficult to scrutinize staff in areas such as technical Does not exist (0.0) expertise, risk assessment, compliance, legal matters, and integrity, thus increasing exposure to abuse.14 Level of High (1.0) What is the level of professionalism exercised by professionalism Medium (0.5) this category of NPOs? Consider (a) their size; (b) the value of their income, budget, or expenditure; Low (0.2) (c) their scale of operations; and (d) whether they Does not exist (0.0) meet expected ethical and professional standards (evidenced by internal codes of conduct, internal and external accountability, and structures of governance—including oversight). 12. The higher the level of extended logistical networks, the higher the inherent vulnerability becomes as a result of increased exposure to diversion of resources and abuse of delivery of programs. Source: FATF 2014. 13. FATF, “Risk of Terrorist Abuse in Non-profit Organisations.” 14. A higher level of transitory staff may make it difficult to scrutinize staff, thereby increasing exposure to abuse. Source: FATF, “Risk of Terrorist Abuse in Non-profit Organisations.” GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 27 4 Intermediate Input Variable Assessment Rating Guidance Variable Methods Use of cash High (1.0) How much do NPOs in this category rely on cash used to Medium (0.5) to receive, move, and use funds? Strong reliance transfer on cash may increase the exposure to skimming, funds Low (0.2) diversion, misappropriation, and abuse, and may Does not exist (0.0) limit verifiability. This is particularly true of NPOs that have to physically transport cash to areas of operations because formal financial systems have ceased to operate (often because of violent conflict). The same applies to NPOs that make the majority of their disbursements through cash, particularly where there is close proximity to (a) an active terrorist threat; (b) entities, populations, or persons known to be supportive of or sympathetic toward terrorist groups, terrorist ideology, or radical beliefs; or (c) those who are vulnerable to being exploited for TF purposes (these may be individuals or groups). Use of virtual High (1.0) How much do NPOs in this category rely on virtual currency Medium (0.5) currencies that limit the traceability of transactions (including emerging payment methods such as Bitcoin Low (0.2) or other digital currencies) to receive, move, and use Does not exist (0.0) funds?15 Use of informal High (1.0) How much do NPOs in this category rely on informal money transfer Medium (0.5) or alternative remittance and money service systems businesses that limit the traceability of transactions Low (0.2) to receive, move, and use funds (including informal Does not exist (0.0) value transfer systems such as Hawala)?16 15. Austrac, “NPO Risk Assessment Questionnaire.” 16. Austrac, “NPO Risk Assessment Questionnaire.” GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 28 4. >>> Step 4. Analyze mitigating factors by category of FATF NPOs Objective Establish the quality of mitigating measures by category of FATF NPOs by assessing the following: ○ Quality of government measures applicable to this category of NPOs ○ Quality of NPO measures taken at an institutional level by this category of NPOs. Important: The treatment of the NPO sector is, and should be, different from that of reporting entities such as financial institutions and Designated Non-Financial Businesses and Professions (DNFBPs). NPOs are not obligated to take preventive measures such as customer due diligence, record keeping, and monitoring and reporting of suspicious activity. FATF has not set out obligations for NPOs. This step aims to assess the adequacy and proportionality of mitigating measures applicable to at-risk FATF NPOs, including laws and regulations, policies, and programs that promote accountability, integrity, and public confidence in the administration and management of NPOs (figure 3). It also aims to raise awareness about the potential vulnerabilities of NPOs to terrorist financing abuse and terrorist financing risks while concurrently preventing disruption of legitimate charitable activities. These measures include self-regulatory measures within the NPO sector or subsector. The mitigating measures assessment step need only be applied to those categories of FATF NPOs that were assessed to have a high or medium inherent risk rating. In principle, low-risk FATF NPOs do not require mitigating measures. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 29 >>> Figure 3: Network diagram for the assessment of mitigating measures by NPO category MITIGATING MEASURES Quality of governance Quality of outreach and education Quality of financial management Quality of NPO policies Quality of project management Scope of registration GOVERNMENT NPO of FATF NPOs MEASURES MEASURES Quality of staff vetting and oversight Availability and accessibility of accurate NPO information Level of commitment to ethics and transparency Avoiding disruption of NPO activities Level of self-regulation (incl. implementation) Step 4. Analyze mitigating factors by category of FATF NPOs Intermediate Input Variable Assessment Rating Guidance Variable Government Quality of High (1.0) What is the quality of outreach and education to NPOs by measures outreach Medium (0.5) the government? Are at-risk NPOs aware of the risks of and terrorist abuse, and is their knowledge deepened through education Low (0.2) guidance and preventive education? What measures Does not exist (0.0) have government entities taken to improve NPOs’ understanding of their terrorist financing risk and possible methods for mitigating it? Do they collaborate with NPOs and others to establish and disseminate best practices? Examples include awareness raising, targeted risk assessments, monitoring, outreach, support, guidance, and training. Working Groups should also consider whether the outreach is sufficiently risk based—that is, providing a higher level of support to higher-risk NPOs. Quality of High (1.0) Does the government have clear policies to promote NPO policies Medium (0.5) accountability, integrity, and public confidence in the administration and management of NPOs?17 Low (0.2) Does not exist (0.0) 17. FATF Methodology (8.2.a). GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 30 Intermediate Input Variable Assessment Rating Guidance Variable Scope of High (1.0) Are all FATF NPOs required to register with (for registration Medium (0.5) example) the Tax authority, Registrar of Companies, of FATF NPOs Chamber of Commerce, or NPO regulator? At what Low (0.2) point are they expected to register? Trigger points could Does not exist (0.0) be (a) once they have a written constitution, (b) when they are legally incorporated, (c) when they open a bank account, (d) when they start public fundraising, (e) when their income exceeds a certain threshold (e.g., US$10,000), (f) when they receive overseas funding, or (g) when they achieve a best practice standard. Who are they expected to register with? What is the estimated % of registration coverage of the FATF NPOs? Are registration requirements too restrictive, leading to there being many NPOs that are established but not registered? Does registration collect the information specified by the FATF?18 Note: FATF emphasizes that specific licensing or registration requirements for counterterrorist financing purposes are not necessary. For example, in some jurisdictions, NPOs are already registered with tax authorities and monitored in the context of qualifying for favorable tax treatment such as tax credits or tax exemptions. Availability High (1.0) Rate the level to which accurate information on NPOs and Medium (0.5) is available and can be obtained by appropriate accessibility authorities if there are concerns. Is there effective of accurate Low (0.2) cooperation, coordination, and information sharing (to NPO Does not exist (0.0) the extent possible) among all appropriate authorities or information organizations that hold relevant information on NPOs? Are there appropriate points of contact and procedures to respond to international requests for information regarding NPOs when particular NPOs are suspected of terrorist financing or involvement in other forms of terrorist support? These can include (a) the names and addresses of organizations, trustees, and directors; (b) legal structure; (c) purpose(s) for which they were established; (d) the location of activities in which they are engaged; (e) the services provided; (f) their donor base; and (g) the value of income, assets, or expenditures. 18. FATF Recommendations, Interpretive Note to Recommendation 8 (8.6.b). GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 31 Intermediate Input Variable Assessment Rating Guidance Variable Avoiding High (1.0) Counterterrorist financing measures must explicitly disruption of Medium (0.5) not disrupt legitimate NPO activities; they especially NPO activities should minimize the negative impact they might have on Low (0.2) beneficiaries of the good works of NPOs. They may not be Does not exist (0.0) used to justify abuse of civil society for political purposes. Jurisdictions have an obligation to respect freedom of association, assembly, expression, religion or belief, and international humanitarian law. Indicators of disruption of legitimate NPO activities include ● De-risking: Have there been signals that NPOs have faced challenges in gaining access to financial services? Examples include disruptive delays in transfers, closure of money or value transfer services (MVTS) or bank accounts, or failure to open bank or MVTS accounts. ● Are there signals that there have been limitations to freedom of association, assembly, expression, religion, or belief, or violations of international humanitarian law as identified by the UN Special Rapporteur on Freedom of Association? Where such indicators have arisen, what measures have jurisdictions taken to minimize their negative impact on NPOs? NPO Quality of High (1.0) Have NPOs in this category implemented effective governance measures governance Medium (0.5) measures to ensure integrity and transparency? Two important elements of governance are (a) authority and stewardship Low (0.2) (active oversight of organizational governance and policy Does not exist (0.0) making by the board of directors, which oversees conduct of the NPO’s affairs, ensures that a qualified team carries out day- to-day activities, manages and accounts for financial and other resources, and oversees fulfillment of the mission); and (b) accountability (ability to explain, accept responsibility, and take public trust into consideration when carrying out responsibilities, to provide details on operations, and to accept responsibility for outcomes).19 Have NPOs in this category: ● Established effective organizational governance (versus opaque leadership or decision-making structures); ● Shown evidence of sound expenditures and management of funds received from donors and governments; ● Shown effective organizational governance (including human resources); and ● Shown accountability for the outcomes, quality, and ranges of their programs and services?20 19. ICNL (International Center for Not-for-Profit Law), “Self Governance: The Role of Governing Boards in Fostering Accountability,” International Journal of Not-For-Profit Law 2, no. 3 (March 2000), https://www.icnl.org/resources/research/ijnl/self-governance-3. 20. ICNL, “Self Governance: The Role of Governing Boards in Fostering Accountability.” GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 32 Intermediate Input Variable Assessment Rating Guidance Variable Quality of High (1.0) How sound are the financial management practices financial Medium (0.5) of NPOs in this category? Internal transparency and management accountability practices should ensure effective control Low (0.2) over how funds are collected, retained, transferred, Does not exist (0.0) and spent and over how programs are delivered. NPOs should keep records and employ practices consistent with the following: ● Comprehensive financial planning and budget systems—including all sources and uses of funds for all aspects of operations ● Clear procedures for execution of financial matters and separation of duties (such as ensuring that authorization functions for purchasing, cash handling, and depositing of funds are separate from review and verification functions) ● Clearly documented accounting policies and procedures ● Sound reporting practices for all revenue and expenditures for the organization as a whole as well as for programs and funding sources ● Diligent monitoring procedures for review of revenue and expenditure, including independent audit Negative indicators may include the following: ● Inability to account for the origin of income or final use of resources ● Use of third parties to open NPO bank accounts or carry out some transactions ● Inconsistency of expenditures with programs and activities ● Structural inconsistencies in accounting and mandatory reporting GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 33 Intermediate Input Variable Assessment Rating Guidance Variable Quality High (1.0) How sound are the project management practices of NPOs of project Medium (0.5) in this category? Consider whether the practices allow for management planning, tracking, and review of the use of resources in Low (0.2) light of project requirements, including the following: Does not exist (0.0) ● Effectiveness, budget, and deadlines ● If, when, and why resources are shifted toward other activities ● Whether programmatic information is being kept for a reasonable period of time. Does the NPO have milestones, targets, and indicators, and mechanisms for monitoring these to ensure project delivery and to identify possible problems? Do NPOs perform appropriate checks on donors, partners, and beneficiaries, considering the circumstances and context of the organization and the environment in which it operates? Note that there is no expectation that NPOs apply anti- money laundering (AML) or combating the financing of terrorism (CFT) customer due diligence procedures, as need to be applied by financial institutions and DNFBPs. Quality of High (1.0) What is the quality of the processes and procedures that staff vetting Medium (0.5) NPOs in this category apply for vetting (or screening) and oversight of any person acting in an official capacity representing Low (0.2) an NPO? These may be paid or unpaid volunteers or Does not exist (0.0) staff members, particularly trustees, board members, senior officers, and persons in sensitive positions. Such procedures would ensure recruitment of persons with the necessary skills, experience, and expertise, and would also protect against hiring or assigning roles to those with criminal records, such as for terrorist activity, money laundering, fraud, or bribery. Consider the effectiveness of organizational governance and oversight (including structures and processes for managing human resources). GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 34 Intermediate Input Variable Assessment Rating Guidance Variable Level of High (1.0) To what extent do NPOs in this category commit to ethical commitment Medium (0.5) practices and transparency? to ethics and Do NPOs have policies and procedures for addressing Low (0.2) transparency complaints and grievances and receiving and Does not exist (0.0) communicating feedback, and do these apply to both internal and external stakeholders? Do NPOs adhere to relevant codes of conduct or other external best practice standards? Do NPOs provide open-source information about ● The identity of those who control or direct the NPOs’ activities, ● The purpose and objectives of their activities, ● Their activities, ● Their sources, use, and expenditure of funds? Level of self- High (1.0) To what extent have NPOs in this category set up self- regulation (incl. Medium (0.5) regulation measures for good governance, accountability, implementation) and transparency? This includes internal standards Low (0.2) for programs, organizational integrity, governance, Does not exist (0.0) management practices, human resources policies, finances, communication, disclosure, and fundraising. Note that in many jurisdictions, associations of NPOs have established good practices guidelines for NPOs.21 21. ICNL “Self Governance.” GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 35 5. >>> Step 5. Draw conclusions and disseminate resulting materials Use the tool to draw your own conclusions This tool is a tool to be used to identify the relevant factors affecting the risk of abuse of NPOs for terrorist financing in a structured and transparent fashion, through the visualization provided by the tool’s results. Its function is to support analysis. In this final step, the Working Group is expected to consider the assessment results and draw conclusions regarding the level of risk and the adequacy and proportionality of measures. Important: After assessment results are inserted into the Excel tool, the tool will generate results diagrams for the three assessment steps and enable a heat map of the inherent risk faced by different categories of FATF NPOs where those categories have been assessed. Base recommendations on the risk assessment Depending on the risk assessment’s conclusions, the Working Group is expected to make evidence-based recommendations on the need for policies, programs, or amendments to laws and regulations that will (a) promote accountability, integrity, and public confidence in the administration and management of NPOs and (b) raise awareness about the potential vulnerabilities of NPOs to terrorist financing abuse and terrorist financing risks, while also preventing disruption of legitimate charitable activities. Where it is found that the inherent risk level is low or that current measures are sufficient, recommendations for further measures are not necessary. GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 36 Capture and communicate the conclusions Whichever medium the Working Group chooses, it should ensure that it reflects clear conclusions on the following items: ● How many NPOs meet the FATF definition as well as core information on these NPOs ● The level of terrorist financing abuse of NPOs as indicated by available information, the sources that support this conclusion, and descriptions, if any, of the types of abuse ● The level of inherent risk of NPOs for TF—for all FATF NPOs together and for selected categories to which the assessment has been applied—including the main underlying drivers of and explanation for this risk assessment, distinguishing between ○ the threat level (by category) and ○ the inherent vulnerability level (by category). ● The quality of mitigating measures for all FATF NPOs together and for selected categories. (Note: This is only for the high or medium inherent risk categories of FATF NPOs. If the FATF NPO category has a low inherent risk, there may be no need to apply mitigating measures. This is especially the case if there is no or low evidence of TF involvement of NPOs.) This should address: ○ the main gaps in mitigating measures and ○ current measures that are particularly effective. ● Recommendations based on the risk assessment (if any). ● Dissemination strategy in collaboration with the NPO sector. INTEGRATING THE NPO TF RISK ASSESSMENT RESULTS INTO THE NATIONAL TF RISK ASSESSMENT NPOs are not obliged entities under the FATF Recommendations. For this reason, the World Bank Group has developed this separate tool for assessing the NPO risk of TF abuse rather than treating NPOs as a sector in the TF Risk Assessment tool. The results of this NPO TF assessment can be transferred to National TF Risk Assessment (in the sectoral summary assessment sheet of Step 5) for the NPO categories that have been assessed to have a higher-than-medium threat. DISSEMINATING RESULTS The Working Group can choose any medium for recording its conclusions and recommendations to disseminate these results as effectively and efficiently as possible, including the following: ● Presentation ● Targeted report ● Sanitized report ● Briefing materials (for example fact sheets, brochures, or manuals) GUIDANCE MANUAL: NPO RISK ASSESSMENT MODULE <<< 37