###### tags: `lexClinic` `active product`

# ML/TF RISK ASSESSMENT MANUAL FOR DAOs

**WHAT IS RISK ASSESSMENT?**

The risk assessment is a tool that helps a DAO to identify, understand and assess the probability of its activities being used for money laundering (ML) or terrorist financing (TF). Entities engaged in financial activities or operations with underlying virtual assets are required by the respective countries where they operate to identify, assess and take effective actions to mitigate their ML/TF risks.

**DEFINITIONS**

*Money laundering* – the conversion or transfer of property, knowing that such property is derived from criminal activity or from an act of participation in such activity, for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person's action, as well as participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the above actions;

*Terrorist financing* – the provision or collection of funds, by any means, directly or indirectly, with the intention that they be used or in the knowledge that they are to be used, in full or in part, in order to carry out any of the offences within the meaning of the Terrorist Financing Convention. Financing of terrorist organisations and individual terrorists, even in the absence of a link to a specific terrorist act or acts, shall be considered a criminalized offence.

*DAO* – a relatively new organizational structure that focuses on community rather than centralized governance and legal structure. In the absence of a uniform definition of what constitutes a DAO, its practical operation may be used to demonstrate the nature of the organization: a group of stakeholders with no central authority, ownership or governance applies a decentralized governance model that assigns voting power to holders of “governance” tokens, thus effectively emulating the operation of a corporate entity through code.

*High-risk countries* – jurisdictions with strategic deficiencies in their regimes to counter money laundering, terrorist financing, and proliferation financing (https://www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/increased-monitoring-june-2022.html).

*Blockchain address risk categorization* – model scoring assigned by reputable blockchain analytics service providers (e.g. Chainalysis or Elliptic). Possession and constant monitoring of very large volumes of blockchain data allow the analytics software to group wallet addresses into clusters and subsequently attribute them to specific entities/organizations. The risk rating below is determined by the potential for criminality.

| Low Risk | Medium Risk | High Risk | Severe Risk |
| -------- | -------- | -------- | -------- |
| Hosted wallets | Gambling | Illicit actor organizations | Sanctions |
| Merchant Services | OTC Brokers | Ransomware | Child abuse materials |
| Mining Pools | DeFi | Darknet markets | Terrorist Financing |
| Exchanges | Nested services | Mixers | Stolen funds |
| | Crypto ATMs | High-risk jurisdictions | Scams |

**WHAT IS RISK?**

In order to identify and assess the risk of ML/TF, the first steps to be taken are establishing ***the threat, vulnerabilities, actual harm and probability of occurrence***.

In the AML context, a **threat** is represented by an individual or group of people, object or activity that may cause harm, for example criminals or organized crime groups, terrorists or terrorist organizations, persons who support them and/or any actions performed or planned to support ML/TF. For a diligent assessment of the ML/TF threats to which the DAO may be exposed, the scope of the DAO’s activities and the customer base to whom its services are directed should be considered.

The **vulnerability** is a weakness in the system (supranational, national, sectoral or organizational) for prevention and countering of ML/TF, which may be used by the threat or may facilitate or otherwise assist the realization of the threat. Vulnerabilities are usually established in relation to a particular product or service.

The **harm** occurs when a threat exploits a vulnerability to effectively launder money or finance terrorism.

For the identification and assessment of ML/TF risks it is necessary to consider the harm **probability**, i.e. the likelihood that the threat will exploit the vulnerability and harm will occur.

Risk assessment allows the organization to determine the degree of risk associated with its activity and customers, and on that basis to take appropriate measures to reduce it. Standard risk levels are divided into three groups: low, medium and high. Upon establishing low risk, the organization does not have to take further action. In case of medium or high risk, the organization shall apply a monitoring program and additional measures for specific customers, relations with them, or certain activities.

**RISK ANALYSIS CRITERION**

Five important indicators shall be considered in the course of risk analysis:

1) Organizational structure of the DAO;
2) Activity overview in terms of revenue and expenses;
3) Risk factors identification;
4) Effects on the DAO activity;
5) Risk probability.

Risk assessment is conducted in a cycle including a preliminary review and three main stages.

**Assessment phase:** Review of the organizational structure, including ownership and management (shareholders, board members and executive directors), territorial scope of activity and nature of business.

**Stage 1: Risk Identification**

An overview of the following categories shall be performed:

- Sources of the organization’s revenue;
- Type of expenses incurred by the organization.

Revenue: described by type, with the source of funding determined for each type.

A) Donations, membership fees, grants, contracts, etc. (aggregate value to be provided for each type);
B) Source and payment method to be clarified for each type: fiat or cryptocurrency transfers, whether the payee/payor holds an account with a centralized exchange or transacts from an unhosted wallet, place of establishment (EU, US, China, high-risk countries, etc.).

Expenses: described by type, with the reason for and direction of payment determined for each type.

A) Donations, membership fees, grants, contracts, etc. (aggregate value to be provided for each type);
B) Recipient of each payment to be determined: fiat or cryptocurrency transfers, type of recipient’s account (hosted or unhosted wallet), place of establishment (EU, US, China, high-risk countries, etc.).

**Stage 2: Risk Analysis**

Risk factors are identified depending on the type of revenue and expenses the organization makes in its ordinary activity, the source of income and the direction of expenses. The analysis of risk factors also considers the volume of the organization's related revenues/expenses.

I. Customer risk:

1. Risk associated with the type of persons to whom the organisation renders services:

- Doubts about the identity of members/partners;
- Doubts about the reliability or accuracy of submitted data;
- Unreasonable lack of transparency of the ownership structure of grantors/beneficiaries;
- A person who deliberately avoids making direct contact in any form;
- Certain transactions or operations lack economic or legal logic, are complex, unusual or unexpectedly large, or have an unreasonable rationale.

II. Product, service or transaction risk, incl. new and/or future product, service or transaction risk:

1. Risk related to the revenue of the organization (method of receipt, amounts, place of execution, subject of activity):

- The organization receives payments in cryptocurrencies in large amounts exceeding the regular membership fees or contributions;
- Transactions originating from addresses on the OFAC Sanctions List or a similar blacklist;
- Transactions originating from addresses with risk exposure beyond the DAO’s risk appetite;
- Receipt of transfers with a proven origin in high-risk countries.

2. Risk related to the expenses of the organization (direction, amounts, transparency):

- The organization makes outgoing payments in fiat currencies or cryptocurrencies in large amounts;
- Payments to persons who have citizenship, residence or place of establishment in high-risk countries;
- Grants/donations provided to unfamiliar persons, i.e. not known to the organization, without traceability of signed agreements and relationship history.

III. Risk related to the communication or mediation channels between the organization and customers, or related to delivery channels and sales of products, services or transactions, incl. such new and/or future channels.

IV. Risk related to countries or geographic regions or jurisdictions:

- Transacting with or providing services to persons from high-risk countries;
- Dealing with persons who have citizenship in, are established in or utilize centralized exchanges located in countries:
  - with ineffective systems for the prevention of ML/TF;
  - with a high level of TF risk;
  - with a low level of transparency or non-compliance with tax legislation;
  - against which sanctions, embargoes or similar measures have been imposed by the UN, EU, OFAC, etc.;
  - for which adverse media checks indicate a high level of corruption, tax evasion, organized crime or another predicate criminal activity for ML.

**Stage 3: Risk Evaluation**

Impact degree – the extent to which specific risk factors impact the DAO activity.

Risk probability degree – the extent to which the identified risk factors are likely to occur.

A score is measured in one of the following levels: low, medium, and high. Risk levels correspond to colours in the table: green – low level of risk; yellow – medium level of risk; red – high level of risk.

![](https://i.imgur.com/Q6cask9.png)

The determined level of risk requires appropriate measures to reduce it, according to the internal rules and the procedures provided for therein.

**Appropriate Risk Mitigation Measures**

**Low-Risk Level**

No action is taken, unless specific suspicious transactions appear, in which case the actions provided for in the internal rules are applied.

**Medium Risk Level**

Activity for which a medium level of risk has been established: ………………………………………

Risk Mitigation Measures taken: ……………………………………..

*The Organization keeps all received funds and allocates them pursuant to the Statutes and Objectives of the organization, insofar as this does not significantly hinder the organization's activities.*

*The Organization collects as complete information as possible about its members, donors and beneficiaries, and takes into account the established level of risk for the determined type of business relationship.*

*Other measures appropriate for the specific type of business relationship/customer.*

**High-Risk Level**

Activity for which a high level of risk has been established: ………………………………………

Risk Mitigation Measures taken: ……………………………………..

*If a high risk is established for a certain type of business relationship/clients, information about the ultimate beneficial owner(s) of the specific person shall be collected.*

*If a high risk is established for a certain type of business relationship/clients, information on the source of the funds shall be collected.*

*Other measures appropriate for the specific type of business relationship/customer.*
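As an added illustration (not part of the manual), the Python below scores a DAO's incoming transfers using the address-tier table from the Definitions section, the Stage 2 revenue risk factors and a Stage 3 impact/probability matrix, and maps the result to the mitigation measures of each level. The matrix combination rule, the amount thresholds, the sample high-risk country set and the `Transfer` record are assumptions, since the manual's heat map is only shown as an image.

```python
"""Assumed scoring of a DAO's incoming transfers: Stage 2 factors -> Stage 3 level."""
from dataclasses import dataclass

# Address categories from the manual's table, grouped by analytics-provider tier.
ADDRESS_TIER = {}
for tier, cats in {
    "low": ["hosted wallet", "merchant services", "mining pool", "exchange"],
    "medium": ["gambling", "otc broker", "defi", "nested service", "crypto atm"],
    "high": ["illicit actor organization", "ransomware", "darknet market", "mixer", "high-risk jurisdiction"],
    "severe": ["sanctions", "child abuse materials", "terrorist financing", "stolen funds", "scam"],
}.items():
    for c in cats:
        ADDRESS_TIER[c] = tier

ORDINAL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Transfer:            # hypothetical record of one incoming payment
    amount: float          # value in the DAO's reporting currency
    category: str          # analytics-provider category of the sending address
    country: str           # payer's place of establishment (ISO code)

def probability(t: Transfer) -> str:
    """Likelihood the counterparty is illicit, taken from the address tier (unknown category = high)."""
    tier = ADDRESS_TIER.get(t.category.lower(), "high")
    return {"low": "low", "medium": "medium"}.get(tier, "high")

def impact(t: Transfer, regular_fee: float, high_risk: frozenset) -> str:
    """Extent of harm: high-risk origin or amounts far above the regular fee (thresholds assumed)."""
    if t.country in high_risk or t.amount > 10 * regular_fee:
        return "high"
    return "medium" if t.amount > regular_fee else "low"

def risk_level(impact_lvl: str, prob_lvl: str) -> str:
    """Assumed 3x3 matrix: product of ordinals; 1-2 green/low, 3-4 yellow/medium, 6-9 red/high."""
    score = ORDINAL[impact_lvl] * ORDINAL[prob_lvl]
    return "low" if score <= 2 else "medium" if score <= 4 else "high"

MITIGATION = {  # condensed from the manual's measures per level
    "low": "no action unless a specific suspicious transaction appears",
    "medium": "collect complete member/donor information; apply monitoring programme",
    "high": "collect ultimate beneficial owner(s) and source of funds",
}

def assess(t: Transfer, regular_fee: float = 100.0, high_risk=frozenset({"KP", "IR"})):
    """Return (level, measure); sanctioned/severe-tier addresses are always high (OFAC list factor)."""
    level = risk_level(impact(t, regular_fee, high_risk), probability(t))
    if ADDRESS_TIER.get(t.category.lower()) == "severe":
        level = "high"
    return level, MITIGATION[level]
```

The default `high_risk` set is a constructed sample; in use it should be populated from the FATF list linked in the Definitions section.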