This article explains how to design and execute an industry-level Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) risk assessment in the Philippine context. It’s written for industry associations, self-regulatory organizations, large conglomerates analyzing multiple sectors, and compliance leaders who need a structured, defensible approach aligned with the Anti-Money Laundering Act of 2001 (RA 9160), as amended, and Philippine supervisory expectations.
1) Legal and regulatory context (Philippines)
Primary statute. The Anti-Money Laundering Act of 2001 (AMLA, RA 9160), as amended by later laws (including, among others, RA 9194, 10167, 10365, 10927, and 11521), establishes the anti-money laundering and terrorism financing regime. It created the Anti-Money Laundering Council (AMLC) as the Philippines’ Financial Intelligence Unit (FIU).
Risk-based approach (RBA). Philippine supervisors—Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), and Insurance Commission (IC)—require covered persons to adopt an RBA, maintain risk assessment methodologies, and keep documentation current. An industry-level risk assessment should mirror these expectations and align with FATF Recommendation 1 (risk identification and mitigation).
Covered persons and sectors commonly in scope.
- BSP-supervised: universal/commercial/thrift/rural banks; e-money issuers and operators; money service businesses (MSBs)/remittance agents; electronic payment providers; virtual asset service providers (VASPs); quasi-banks; trust entities.
- SEC-supervised: brokers/dealers in securities; investment houses; mutual fund companies and distributors; financing and lending companies; crowdfunding and digital asset exchange operators licensed by the SEC.
- IC-supervised: life and non-life insurers; HMO/pre-need; insurance brokers.
- Designated non-financial businesses and professions (DNFBPs) under Philippine rules: casinos, real estate developers and brokers, and select other businesses specified by law/regulation.
Reporting duties. Covered/industry participants must report covered transactions and suspicious transactions to the AMLC through the prescribed electronic channels, and implement customer due diligence (CDD), ongoing monitoring, targeted financial sanctions screening, record-keeping, and internal controls commensurate to risk.
Related counter-terrorism laws. The Terrorism Financing Prevention and Suppression Act (TFPSA) and other security legislation complement AMLA obligations—your industry assessment must treat money laundering (ML) and terrorism financing (TF) risks together.
2) What is an Industry Risk Assessment (IRA)?
An Industry Risk Assessment evaluates ML/TF risks at the sector or industry level—e.g., “Philippine remittance sector,” “Philippine real estate sector,” or “VASPs operating in the Philippines.” It aggregates risk drivers across multiple firms, products, delivery channels, and customer profiles to identify inherent risk, assess control effectiveness at the industry level, and conclude on residual risk. It informs:
- Industry-wide guidance, training, and typologies,
- Standard-setting and model risk taxonomies for member firms,
- Collective engagement with regulators/AMLC,
- Prioritization of sectoral mitigations (e.g., shared KYC utilities, information-sharing protocols),
- Periodic updates to enterprise-wide risk assessments (EWRAs) at the firm level.
3) Governance and scope
3.1 Establish governance
- Sponsor & steering group. Name an accountable sponsor (e.g., industry association board or chief compliance executives from major players). Form a Steering Committee with representatives from compliance, legal, risk, operations, and data/analytics.
- Independent challenge. Appoint an independent reviewer (internal audit function or external advisor) to challenge methods, data sources, and conclusions.
- Confidentiality framework. Put NDAs and data-sharing protocols in place; define aggregation rules (e.g., no single member’s data is identifiable).
3.2 Define scope
- Sectoral boundary. Describe which entities and business models are covered (e.g., pawnshops vs. banks; primary real estate developers vs. brokers; centralized vs. peer-to-peer VASPs).
- Products & services. List all major offerings (e.g., wire remittances, cash-in/cash-out, e-wallets, trust accounts, insurance products, casino junket play, property sales/leases, OTC virtual asset conversions).
- Delivery channels. Face-to-face onboarding, agent networks, digital onboarding, third-party introducers, APIs/embedded finance.
- Customers. Retail, SMEs, high-risk corporates, non-profit organizations (NPOs), politically exposed persons (PEPs), high-net-worth, cross-border clients.
- Geographies. Domestic (by region) and foreign (counterparty countries and corridors).
4) Data strategy
4.1 Sources of evidence
- Regulatory and supervisory materials: AMLC advisories/typologies, BSP/SEC/IC circulars, and enforcement actions/sanctions.
- Industry data: volumes, values, corridor maps, chargebacks, fraud/AML alerts, STR/CTR trends (aggregated), customer risk ratings, onboarding outcomes.
- Law-enforcement and public records: predicate crime trends, arrests/convictions, seizure/confiscation data where available.
- International references: FATF mutual evaluations and follow-up reports; typology reports from other FIUs where relevant to the Philippine context.
- Firm-level inputs: anonymized case studies, internal audit findings, model validation results, control testing KPIs.
4.2 Data quality controls
- Define data dictionaries and lineage.
- Use aggregation thresholds to prevent re-identification.
- Document gaps/assumptions (e.g., under-reporting bias, survivorship bias).
5) Methodology: risk model and scoring
A defensible, regulator-friendly approach uses the standard inherent risk – controls – residual risk structure.
5.1 Risk taxonomy
Break ML/TF risk into threats and vulnerabilities:
- Threats: types of illicit proceeds and TF sources (fraud, corruption, drug trafficking, cyber-enabled crime, trafficking-in-persons, environmental crime, tax crimes, proliferation financing, etc.), and threat actors (organized crime, insider collusion, foreign syndicates).
- Vulnerabilities: product features (anonymity, rapidity, liquidity), delivery channels (non-face-to-face, agents), customer types (PEPs, cash-intensive businesses, high-risk NPOs), geographic exposures (high-risk jurisdictions, conflict zones), and structural issues (beneficial ownership opacity, third-party dependencies).
5.2 Indicators (examples by sector)
- Banks/E-money/MSBs: cash deposit/withdrawal intensity; velocity of funds; layering via multiple e-wallets; high-risk corridors; mules; synthetic identities; merchant acquiring chargebacks; large cash-in to virtual assets.
- VASPs: on/off-ramp volumes; exposure to high-risk exchanges; blockchain analytics risk scores; mixing/tumbling; DeFi interactions; NFT wash trading indicators.
- Casinos: junket play; minimal gaming with rapid buy-in/cash-out; third-party chips; cross-border patronage; non-resident high rollers; cage activity anomalies.
- Real estate: cash payments; third-party payments; flip transactions within short periods; offshore clients using local proxies; shell companies; complex layered escrow.
- Insurance: single-premium life products with early surrender; third-party premium payments; high-risk beneficiaries; policy loans shortly after inception.
- Securities/Capital markets: omnibus accounts; high-velocity trades in illiquid securities; private placements; nominee structures; cross-listing arbitrage.
5.3 Scales and scoring
- Scales: 1 (Low), 2 (Low-Medium), 3 (Medium), 4 (Medium-High), 5 (High).
- Inherent risk score (IRS): Weighted sum across Products/Services, Channels, Customers, Geographies, Delivery/Technology, Third-parties. Example:
  - IRS = 0.3*Products + 0.2*Channels + 0.2*Customers + 0.15*Geographies + 0.1*Delivery/Tech + 0.05*Third-parties
- Control effectiveness (CE): Evaluate design and operating effectiveness across CDD/KYC, Ongoing Monitoring & Screening, Transaction Monitoring, STR governance, Training & Culture, Independent Testing, Model risk management, Outsourcing/vendor oversight. Score 1–5, where 5 = highly effective.
- Residual risk (RR): Combine as a function such as
  - RR = IRS × (6 − CE) / 5 (so higher CE reduces RR).
  Calibrate and validate with expert judgement and back-testing against STRs/enforcement trends.
5.4 Weighting and sensitivity
- Justify weights using volumes/values, exposure share, and historical case data.
- Run sensitivity analysis to show if conclusions are robust to reasonable changes.
6) Procedure: step-by-step
Step 1 – Planning & scoping
- Approve the Project Charter (scope, timelines, roles).
- Map the value chain: onboarding → funding → transfer → conversion → withdrawal/cash-out → closure.
- Identify interdependencies (agents, payment processors, custodians, cross-border partners).
Step 2 – Data collection
- Issue standardized Data Request Templates to participants.
- Pull regulator/FIU typologies and supervisory findings relevant to the sector.
- Collect three years of trend data where possible (volumes, STR types, sanctions hits, false positives, operational KPIs).
Step 3 – Inherent risk analysis
- Score each risk factor (Products/Channels/Customers/Geographies/etc.).
- Develop corridor heat maps (e.g., PH↔Middle East; PH↔East Asia; intra-ASEAN).
- Highlight emerging risks (crypto-to-cash arbitrage; mule networks; account-for-rent; social-engineering fraud flows).
Step 4 – Control assessment
- Benchmark industry controls against supervisory expectations (BSP/SEC/IC) and AMLC guidance:
  - CDD/KYC including beneficial ownership, PEP screening, lifecycle reviews.
  - Transaction monitoring rules/models; segmentation; tuning cadence; scenario coverage (placement/layering/integration; TF typologies).
  - Name screening (sanctions, watchlists) with hit management and quality metrics.
  - Model risk: documentation, validation, drift monitoring, back-testing.
  - Training: role-based content, completion rates, testing outcomes.
  - Reporting: timeliness and quality of CTRs/STRs; typology richness.
  - Outsourcing: due diligence, SLAs, right-to-audit, exit strategies.
- Score design and operating effectiveness separately, then combine to CE.
Step 5 – Residual risk and prioritization
- Compute RR per factor and per sub-sector (e.g., e-wallet vs. bank deposits; new-to-bank onboarding vs. existing customers).
- Rank the Top 10 sector risks and map to near-term mitigations.
Step 6 – Validation & challenge
- Conduct expert workshops (with anonymized case studies).
- Perform peer comparisons and trend sanity checks.
- Have independent reviewers challenge assumptions, weights, and conclusions.
Step 7 – Reporting & approval
- Produce an IRA Report (see Section 11 template).
- Obtain Steering Committee approval and record Board/Association adoption.
- Define review frequency (at least annually, or upon material change: new product launch, regulatory change, major typology shift).
7) Philippines-specific risk drivers to consider
- Cash intensity in certain regions and sectors; limited financial inclusion in some areas.
- Overseas remittance corridors (OFW markets) with varied KYC practices and intermediary risk.
- Use of agents/sub-agents in MSB/e-money ecosystems; onboarding risks for third-party distribution.
- Rapid digitalization: e-KYC, remote onboarding, API banking, embedded finance, and VASPs connecting fiat ↔ crypto.
- Casinos/junkets and VIP play dynamics; cross-border patrons; chip purchase/redemption typologies.
- Real estate transactions with offshore buyers; beneficial ownership opacity; shell/nominee arrangements.
- PEP and state-owned enterprise (SOE) exposure, and public procurement-related risks.
- NPOs with cross-border funding into/out of conflict or high-risk areas (TF risk).
- Cyber-enabled fraud (SIM swap, phishing, social engineering) feeding mule networks and rapid layering through e-wallets and small-ticket rails.
- Trade-based money laundering (TBML) via under/over-invoicing and related-party flows with limited visibility in some sectors.
8) Control themes expected by Philippine supervisors
- CDD/KYC & Beneficial Ownership: risk-based identification and verification; reasonable measures to understand beneficial owners of legal persons; enhanced due diligence for high-risk (including PEPs and complex structures).
- Sanctions and watchlist screening: UN sanctions implementation; TF-related designations; local directives.
- Ongoing monitoring & transaction surveillance: time-to-alert, alert quality, model tuning and documentation, scenario coverage (including TF and proliferation financing typologies).
- STR/CTR governance: thresholds and triggers calibrated to Philippine reporting rules; timely filing; strong narrative quality.
- Recordkeeping: retention periods compliant with AMLA and sectoral regulations.
- Training and culture: role-specific, frequent; measurable competency.
- Independent testing & audit: periodic, risk-based; remediation tracked to closure.
- Outsourcing/third-party risk: due diligence, performance monitoring, data security, and exit strategies.
- Technology controls: e-KYC safeguards (liveness, spoofing resistance), device intelligence, geolocation, velocity checks, anomaly detection, and model risk management.
9) Special topics for the Philippine IRA
9.1 Politically Exposed Persons (PEPs). Define domestic and foreign PEP coverage; align on source of wealth/source of funds documentation standards; maintain periodic review cycles and event-driven refreshes (e.g., election cycles).
9.2 Virtual assets. Address travel-rule compliance, blockchain analytics integration, high-risk exchange exposure limits, self-hosted wallet risk treatment, and NFT/DeFi interactions where relevant.
9.3 Casinos. Treat junkets separately from mass gaming; analyze buy-in/redemption patterns; handle third-party chip purchases; set controls for non-resident patron onboarding.
9.4 Real estate. Set rules for cash thresholds, third-party payments, source-of-funds documentation, and developer/broker onboarding controls; monitor rapid flip patterns.
9.5 NPOs. Differentiate low-risk domestic charities from cross-border/high-risk operations; adopt proportionate due diligence focused on TF indicators.
9.6 Proliferation financing (PF). Incorporate PF typologies: dual-use goods, front companies, transshipment through high-risk hubs; ensure sanctions screening covers PF-related lists and expanded attributes.
10) Quantitative techniques and analytics
- Stratification & segmentation: group customers by risk attributes; compute STR rates per segment; monitor drift.
- Scenario coverage mapping: tie each typology to at least one rule/model; maintain a coverage matrix.
- Machine learning (optional): use supervised models for alert triage; never replace RBA with “black-box” models without documentation, explainability, and validation.
- Benchmarking: compare alert rates, STR conversion, sanction hit-rates, and EDD volumes across peer groups (anonymized).
- Back-testing: check if historical confirmed cases would have been detected by current scenarios; adjust thresholds accordingly.
11) Report structure (industry AML/CTF risk assessment)
- Executive Summary
  - Overall residual risk rating (per sector and consolidated)
  - Top risks & recommended mitigations
  - Regulatory alignment statement
- Scope & Methodology
  - Sectors, entities, products, channels, customers, geographies
  - Data sources, time horizons, limitations
  - Scoring framework (weights, scales, formulas)
- Industry Overview
  - Market size, key players (described generically), value chain, distribution models
- Threat Assessment
  - Predicate crimes most relevant to the sector; TF/PF considerations
- Vulnerability Assessment
  - Product/channel/customer/geography analysis with inherent risk scores
- Control Environment
  - Industry control benchmarks and gaps; CE scoring
- Residual Risk & Heat Maps
  - By sector and risk factor; corridor maps
- Findings & Prioritized Action Plan
  - What to do in the next 3–6–12 months
- Implementation Roadmap & KPIs
  - Owner, timeline, metrics
- Appendices
  - Data dictionary; scenario coverage matrix; STR/CTR taxonomy; glossary; sensitivity analysis
12) Deliverables and artifacts
- Risk Register (industry-level): each risk with root cause, indicators, current mitigants, owner (industry or member-level), timeline.
- Heat Maps: inherent and residual risk by factor and sub-sector.
- Typology Playbooks: red flags, exemplar STR narratives with key facts.
- Control Benchmarking Pack: mapping against BSP/SEC/IC expectations.
- Model Documentation (if analytics used): data lineage, features, validation, and periodic review schedule.
13) Practical red flags (sector-agnostic quick list)
- Structuring/smurfing around reporting thresholds; frequent cash-in/cash-out with minimal business rationale.
- Accounts controlled by third parties; account-for-rent patterns; multiple devices per identity (or vice versa).
- Rapid movement from cash to e-money/virtual assets and back, or chips to cash with minimal gaming activity.
- Third-party payments for real estate or insurance, especially from unrelated offshore entities.
- Inconsistent source of wealth/source of funds narratives; newly formed entities with high-value transactions.
- High-risk corridors with limited transparency; dealings with sanctioned or high-risk counterparties.
14) Common pitfalls (and how to avoid them)
- Over-reliance on STR counts as a proxy for risk (may reflect detection capability, not true exposure). Use multiple indicators and normalize by volume/value.
- Static risk models that ignore new products (e.g., instant payments, DeFi rails). Run change triggers and mid-cycle updates.
- One-size-fits-all controls across very different sub-sectors. Apply proportionality consistent with the RBA.
- Weak beneficial ownership procedures for complex structures. Adopt enhanced measures and verification tools.
- Inadequate third-party oversight (agents, program managers, processors). Impose due diligence, KPIs, and audit rights.
15) Implementation roadmap (12 months)
0–90 days
- Approve charter and governance; finalize taxonomy and data templates.
- Collect data; complete inherent risk scoring; produce initial heat maps.
- Launch quick wins (scenario tuning, basic BO enhancements).
90–180 days
- Complete control assessment and CE scoring; calculate residual risk.
- Issue Sector Typology Playbooks and standardized STR narrative guidance.
- Begin remediation program with measurable KPIs.
180–365 days
- Independent validation; publish final IRA report.
- Embed periodic monitoring dashboards; conduct targeted training.
- Prepare inputs for the next National Risk Assessment cycle and regulatory engagement.
16) Documentation & record-keeping
- Maintain the full audit trail: data sources, meeting minutes, rationales for weights/scores, validation memos, sign-offs.
- Version control the IRA model and assumptions register.
- Keep a regulatory engagement log (queries, submissions, responses).
17) Checklists & templates (copy-ready)
A. Scoping checklist
- Sector boundary and included business models
- Product/service catalog
- Channels and third-party dependencies
- Customer segments & PEP/NPO treatment
- Geographic corridors
- Time horizon and data availability
B. Data request template (high-level)
- Volumes/values by product, corridor, channel (monthly)
- Customer risk rating distribution; onboarding outcomes (approved/declined/KYB fails)
- Alerts by scenario; true-positive rates; sanctions hits; training completion
- STR typologies; turnaround times; QA findings
- Audit/inspection findings and remediation status
C. Scoring table (example)
| Factor | Weight | Rationale | Score (1–5) | Weighted |
|---|---|---|---|---|
| Products/Services | 30% | Cash intensity; convertibility | 4 | 1.20 |
| Channels | 20% | Non-face-to-face; agents | 3 | 0.60 |
| Customers | 20% | PEP/NPO exposure | 4 | 0.80 |
| Geographies | 15% | High-risk corridors | 3 | 0.45 |
| Delivery/Tech | 10% | e-KYC maturity | 2 | 0.20 |
| Third-parties | 5% | Outsourcing | 3 | 0.15 |
| Inherent Risk (IRS) | 100% | Sum of weighted scores | | 3.40 |
D. Control benchmark (excerpt)
| Control Domain | Design (1–5) | Operating (1–5) | Notes |
|---|---|---|---|
| CDD/BO | 4 | 3 | BO verification gaps for offshore entities |
| Screening | 4 | 4 | Good hit-handling; missing PF attributes |
| Tx Monitoring | 3 | 3 | Scenario drift; limited TF coverage |
| STR Governance | 4 | 3 | Narratives uneven; need typology guides |
| Training | 5 | 4 | Strong culture; refreshers needed for agents |
| Independent Testing | 3 | 3 | Findings remediation on track |
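The following applies the Section 5.3 scoring formulas and the Section 5.4 sensitivity check to the figures in tables C and D above; it is an added example, not code from the article. The article does not say how Design and Operating scores are combined into CE, so taking the weaker of the two per domain before averaging is an assumption made here.

```python
# Added example: Section 5.3 scoring (IRS, CE, RR) over tables C and D, plus the
# Section 5.4 sensitivity check. Combining Design/Operating into CE by taking the
# weaker score per domain is an assumption; the article leaves the rule open.
from itertools import product

# Factor weights from the Section 5.3 IRS formula (and table C).
WEIGHTS = {
    "Products/Services": 0.30, "Channels": 0.20, "Customers": 0.20,
    "Geographies": 0.15, "Delivery/Tech": 0.10, "Third-parties": 0.05,
}
# Inherent risk factor scores from table C (1 = Low ... 5 = High).
TABLE_C_SCORES = {
    "Products/Services": 4, "Channels": 3, "Customers": 4,
    "Geographies": 3, "Delivery/Tech": 2, "Third-parties": 3,
}
# Control benchmark from table D: domain -> (design, operating), each 1..5.
TABLE_D_CONTROLS = {
    "CDD/BO": (4, 3), "Screening": (4, 4), "Tx Monitoring": (3, 3),
    "STR Governance": (4, 3), "Training": (5, 4), "Independent Testing": (3, 3),
}

def inherent_risk_score(scores, weights=WEIGHTS):
    """IRS = weighted sum of factor scores (weights sum to 100%, scores 1..5)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 100%")
    if set(scores) != set(weights):
        raise ValueError("scores and weights must cover the same factors")
    if any(not 1 <= s <= 5 for s in scores.values()):
        raise ValueError("scores must be on the 1-5 scale")
    return round(sum(weights[f] * scores[f] for f in weights), 2)

def control_effectiveness(controls):
    """CE: per domain take min(design, operating) (assumption), then average."""
    per_domain = [min(design, operating) for design, operating in controls.values()]
    return round(sum(per_domain) / len(per_domain), 2)

def residual_risk(irs, ce):
    """RR = IRS x (6 - CE) / 5, so CE = 5 leaves one fifth of the inherent risk."""
    if not 1 <= ce <= 5:
        raise ValueError("CE must be on the 1-5 scale")
    return round(irs * (6 - ce) / 5, 2)

def sensitivity(scores, weights=WEIGHTS, shift=0.05):
    """Section 5.4 check: move `shift` of weight from each factor to every other
    factor and return the (min, max) IRS seen, so reviewers can judge whether
    the inherent risk conclusion is robust to reasonable re-weighting."""
    seen = []
    for src, dst in product(weights, repeat=2):
        if src == dst or weights[src] - shift < 0:
            continue
        w = dict(weights)
        w[src] -= shift
        w[dst] += shift
        seen.append(inherent_risk_score(scores, w))
    return min(seen), max(seen)

if __name__ == "__main__":
    irs = inherent_risk_score(TABLE_C_SCORES)
    ce = control_effectiveness(TABLE_D_CONTROLS)
    print(f"IRS={irs} CE={ce} RR={residual_risk(irs, ce)} "
          f"IRS range under re-weighting={sensitivity(TABLE_C_SCORES)}")
```

With the table figures this gives IRS 3.40, CE 3.33 and RR 1.82, and the IRS stays between 3.30 and 3.50 when 5% of weight is moved between any two factors, which is the kind of robustness statement Section 5.4 asks the report to document.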
18) Using the IRA to drive action
- Convert top risks into time-bound remediation with owners and budgets.
- Share anonymized case studies to improve STR quality.
- Align industry codes of conduct (e.g., agent onboarding standards).
- Establish information-sharing (to the extent permitted by law) on emerging typologies and mule accounts.
- Coordinate with AMLC and supervisors on thematic issues and joint outreach.
Final word
A Philippine Industry Risk Assessment that is methodical, evidence-based, and transparently governed will stand up to regulatory scrutiny and, more importantly, work in practice. If you adopt the structure above—clear scope, robust data, FATF-aligned scoring, credible control benchmarking, and a living remediation plan—you’ll have a defensible baseline for your sector and a practical roadmap to reduce ML/TF risk across the board.