UK FINANCE Countering Proliferation Finance: A Financial Sector Perspective [guidance]

A UK finance paper has been published that summarises the current regulatory framework for proliferation financing and the subsequent approach to risk management for the financial sector.

UK FINANCE PAPER

• The UK Finance paper is the product of the collective work of the UK Finance Proliferation Finance (PF) Working Group, established in November 2022.
• This paper highlights the:
• Key regulatory framework relating to PF;
• Steps taken to assess PF risks with relevant risk factors;
• Approaches to mitigate and manage the risks via bank control frameworks and
• Challenges and recommendations on improving the effectiveness of counter-PF measures.

INTRO

1. Recent developments of international standards, particularly at FATF, on PF have triggered a heightened focus on PF threats and vulnerabilities. United Nations Security Council Resolutions (UNSCRs) relating to the nuclear and missile programmes of Iran and the Democratic People’s Republic of Korea (DPRK/North Korea), and more generally on any WMD proliferation to non-state actors, lie at the core of countering PF.
2. However, there is a lack of consensus on the extent to which FIs’ obligations to assess and manage PF risk extend beyond implementing UNSCR measures and relevant autonomous regulations. The inconsistent scope and definition of PF pose significant challenges for the global risk management framework in the financial sector, particularly for international banks, when attempting to comply with laws and regulations established by multiple jurisdictions.
3. PF is not a new topic. Still, the adoption of PF as a risk factor by the Financial Action Task Force (FATF) and the forthcoming inclusion of PF in mutual assessments have resulted in a heightened focus among financial institutions (FIs).
4. The Executive Summary pinpoints the key areas identified where challenges are being faced and improvements can be made. Essential to improving our response to PF will be dialogue with the public sector and other relevant parties, which will require a collaborative effort.
5. The current level of dialogue on PF is underdeveloped compared to that seen in counter-terrorism, illicit wildlife trade, and human trafficking.
6. Enhancing our collective approach to public-private information sharing, with more significant consideration of who needs to be involved from both the public and private sectors, is essential.
7. Beyond financing or the processing of payments, there are other private sector actors (including, but not limited to, shipping lines and airlines, freight forwarders, couriers, insurers, manufacturers and traders in dual-use items) who are relevant to the conversation on how we can collectively address the risks posed by PF.
8. The increased focus by sanctions authorities on the supply of goods to Russia’s military provides an opportunity to enhance our approach, as many of the challenges surrounding the identification of such illicit trade are shared with PF.

RISK ASSESS

1. FIs must assess their PF risk, considering the size and nature of their business.
2. They do not necessarily require a stand-alone, dedicated risk assessment framework to assess their PF risk, provided that the factors relating specifically to PF are assessed. These risk factors are categorised as relating to customers, countries or geographic areas, products or services, transactions, and delivery channels. In addition to using these risk factors in assessing PF risk enterprise-wide or business-wide, they may also be utilised in models that assess risk at the country, product, and customer levels. In the UK, FIs are required to take a risk-based approach to managing PF risks.
3. However, this is in combination with a strict liability sanctions regime, which overlaps when involving PF-related sanctions designations.
4. Customer risk factors relevant to assessing PF risk include a range of industries that produce, trade, move or finance proliferation-sensitive goods and technologies (e.g., the defence and nuclear industries). These sectors may be more vulnerable to exploitation by proliferators, often without any complicity on the part of the customer. Industry codes relating to these sectors can help assess PF risk, although additional engagement with customers will usually be required to understand the risk at a customer level.
5. Country or geographical risk exposure comes in several forms:
1. Countries with proliferation concerns, particularly those with active WMD programmes.
2. Countries which are the source of items required by proliferators, such as those with key manufacturing sectors or which are the sources of raw materials;
3. Countries that assist proliferating countries to raise the funds to support their WMD programmes, such as by buying sanctioned exports or hosting overseas workers;
4. Locations noted for the transhipment of physical items that are moved in association with WMD proliferation, including ‘gateway’ countries and maritime zones used for ship-to-ship transfers; and
5. A broad category of enabling geographies, which include jurisdictions used to register, bank or operate shell companies or where shipping registration requirements are less stringent.
6. Noting the lack of international consensus regarding which states are of proliferation concern, there is even less agreement on the other forms of geographic exposure.
7. Product and service risk factors for Proceeds of Crime (POC) are very similar to those for Money Laundering (ML) and Terrorist Financing (TF). Key product risk assessment characteristics are:
1. Cross-border nature;
2. Limited self-disclosure requirements, where proliferators may exploit jurisdictional differences in disclosure requirements;
3. Complexity, especially where this makes it easier to obfuscate beneficial ownership or interpose third parties between the proliferator and the FI; and
4. Technologies used, especially where there is less mature regulatory oversight of new technology, e.g., virtual currencies.
8. Transactional risk factors and delivery channel risk factors for PF are broadly similar to those for other types of Financial Crime (FC). Shell company risk and Digital Assets and Currencies (DACs)/cryptocurrency-related risks are cross-cutting themes that impact several of the above risk categories. Identifying typologies indicative of PF is key to distinguishing between illicit activity and legitimate business.
9. Typologies can guide financial institutions in optimising their control frameworks. Calibration and leveraging of existing FC processes and controls can be used to address PF risks.
10. These need to be articulated so that existing controls are leveraged appropriately and any additional controls required do not duplicate existing ones. In defining the Customer Due Diligence (CDD) or Know Your Customer (KYC) measures required both at onboarding and ongoing due diligence, FIs may utilise the outcome of their PF risk assessment.
11. For Retail customers, CDD or KYC is typically captured without any specific PF questions being asked beyond any sanctions exposures to Iran and DPRK. CDD/KYC for customers within trade finance or commercial business banking will look to understand the customer’s expected business and transaction activity. This could include consideration of the countries involved, as well as supply chain or downstream exposure through key counterparties and their respective locations.
12. Financial institutions (FIs) may use industry codes to help assess risk rates for customers, which can prompt sets of PF-related questions, such as the exact technology or equipment the customers produce or distribute and the trading countries an FI might expect to see.
13. Identifying customers trading in dual-use goods beyond customer declarations would require some expertise or knowledge of such items. The United States Department of Commerce’s Bureau of Industry and Security (BIS) Entity List may, upon examination on a listing-by-listing basis, indicate whether a particular actor has been added to the list for a proliferation-related concern.
14. Where proportionate under the risk-based approach, FIs may consider implementing targeted measures within their investigations and screening controls, such as:
1. Intelligence gathering following sanctions designations by reviewing historical transactions where a true match has been identified. Applying a risk-based approach, financial institutions (FIs) may use retrospective analysis or proactive ‘look-back’ investigations to identify designated individuals and entities that traded and/or transacted before being sanctioned. Such investigations enable the FI to identify non-designated counterparties that may be exposed to PF-related activities.
2. Enabling internal investigations to be tagged to a PF concern. Internal investigations carried out by FIs are typically not tagged to PF, being instead tagged to sanctions or AML concerns. Systems changes may be required to implement the ability to tag investigations to PF.
3. Producing PF-specific Management Information (MI). For example,
• Developing MI on the outcome of alerts and internal investigations may help senior management gain greater visibility into PF risks. Currently, PF alerts are subsumed within sanctions or AML alerts without any further identification. The absence of PF tags means that FIs cannot generate and utilise PF MI to support control adjustments
15. The utilisation of dual-use goods lists by FIs is impracticable and ineffective in detecting PF. These lists were designed for the use of manufacturers, importers and exporters, given their proximity to the actual goods and technical expertise in their potential uses. Most financial transactions, including non-trade finance and open account trading, do not contain the details of the goods required to screen for dual-use items.
16. If authorities aim for financial institutions (FIs) to screen goods via financial transaction data, then a re-specification of transactional data standards, such as relevant fields in payment messages, would be necessary to make relevant goods descriptions available.
17. Data quality issues would persist even if changes were agreed upon, as the goods descriptions, transactions, documents, or data available to FIs are not isolated, allowing for an inadequate comparison with the details on the dual-use goods lists. Multiple definitions of PF and inconsistent applications of those definitions, even within countries where different agencies or regulatory authorities apply differing definitions of PF, present challenges to financial institutions (FIs) seeking to adopt a consistent approach to PF.
18. It is not always clear which designation regimes relate to PF risk and which do not.
19. OFAC’s Non-Proliferation of Weapons of Mass Destruction (NPWMD) list or the UK and EU chemical weapons sanctions regimes are clearly “PF-relevant”; it is less clear whether, for example, an “Iran” regime should be similarly counted, as Iranian parties may be sanctioned for a variety of reasons, of which PF is one.
20. FIs are conducting additional due diligence on Russia-related trade. However, most dual-use goods published by regulators (in Notices to Exporters) are not on any of the published dual-use goods lists.
21. In the UK, where a licence is granted for controlled items, the granted licence does not contain related financial services provisions for the FI.
22. The FI must apply separately to the Export Control Joint Unit (ECJU) for a licence to process the payment.
23. FIs do not have a means of verifying that an export licence has been granted when a customer claims this to be the case, and existing information-sharing mechanisms are not currently utilised for such purposes.
24. FIs are not informed about rejected export licence applications so as not to engage in related transactions should the exporter continue to engage in associated transactions in the absence of an approved export licence.
25. Screening List vendors generally do not provide lists in a format that enables easy tagging of alerts to PF.
26. Specific information related to sanctioned parties, including the sanctions regime under which they were designated, is typically provided in the description but does not explicitly flag PF risk.
27. Consequently, while FIs’ screening systems will identify the individual or entity as a sanctioned party, they are unable to automatically flag alerts as being PF-related.
28. Any identification of PF linkages requires manual referral to the description in the listing.
29. Where tags are available, FIs would need to implement screening and other systems changes on their side to enable tagging of alerts and/or investigations to PF. This would allow alerts for sanctioned parties linked to PF to be identified as PF-related, in addition to their sanctions handling, and facilitate the generation of PF-related management information (MI).

Read more

https://www.ukfinance.org.uk/system/files/2025-03/Countering%20Proliferation%20Finance%20-%20A%20Financial%20Sector%20Perspective.pdf