After draft updates and significant input from the nonprofit organization (NPO) sector, the Financial Action Task Force (FATF) released its revised Best Practices Paper (BPP) in June 2015. The long-awaited revision incorporates almost all of the changes requested by NPOs with a new emphasis on taking a risk-based approach and avoiding a one-size-fits-all regulatory scheme.
This latest BPP revision, which offers guidance on FATF Recommendation 8, on laws relating to NPOs, states at its outset that FATF recognizes “the vital importance of the NPO community in providing charitable services around the world, as well as the difficulty of providing assistance to those in need, often in remote regions.” It also recognizes the efforts of NPOs to promote transparency in their work and “to prevent misuse of the sector by those wishing to support terrorist financing and terrorist organisations.”
The paper specifically states that the good practices outlined in it are not mandatory elements of the FATF standards, but rather are cited as examples only. They “should not be used as a checklist of requirements applied to all NPOs,” the paper states. Therefore, throughout the paper, all references to “best practices” have been changed to “good practices,” indicating that they should not be used as a ‘gold standard.’
The BPP does not apply to the NPO sector as a whole, it explains, adding that not all NPOs are high-risk. A one-size-fits-all approach would be inconsistent with a proper implementation of a risk-based approach, it notes. Existing regulations or measures may sufficiently address the terrorist finance (TF) risk to NPOs, according to the paper, which warns against overregulating the sector. “Detailed registration procedures for NPOs, additional reporting requirements, requirement of appointing a designated staff responsible for counter-terrorism compliance, and an external audit of the organization, may not be appropriate for CFT [countering the financing of terrorism] purposes for those NPOs facing little to no TF risk,” the paper states.
Following is a section-by-section summary of the new BPP:
Purpose and Context
The BPP states at its outset that the purpose of the paper is to set out specific examples of good practice to assist countries in their implementation of Recommendation 8, in line with Recommendation 1 and the risk-based approach, and consistent with “countries’ obligations to respect freedom of association, assembly, expression, religion or belief, and international humanitarian law.” The paper should is also intended to assist NPOs and financial institutions in meeting the objectives of Recommendation 8 and mitigating any TF threats.
Recommendation 8 does not apply to the NPO sector as a whole, according to the BPP. “Countries should take a targeted approach to implementing the measures called for in Recommendation 8,” based on an understanding of the diversity of the NPO sector and the terrorist risks it faces. In doing so, it’s important to realize that Recommendation 8 does not apply to all NPOs, but rather those that meet the FATF definition of a non-profit organization:
“a legal person or arrangement or organisation that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying out of other types of ‘good works’.”
In implementing a risk-based approach, both countries and financial institutions should keep in mind that not all NPOs are high-risk, and some present little, if any, risk at all. A one-size-fits-all approach to NPOs is “not appropriate,” the paper states, “either in terms of how countries supervise and monitor the sector, or how financial institutions manage business relationships with customers who are NPOs.”
This section of the BPP notes that measures adopted by countries to protect the NPO sector from terrorist abuse should not disrupt or discourage legitimate charitable activities. Instead, measures should promote transparency and build confidence—in NPOs, with donors and with the general public—that charitable funds and services reach intended legitimate beneficiaries.
Finally, this section states that the BPP is not mandatory for assessing compliance with FATF Standards and countries should not use the examples in the paper as a checklist of requirements to be applied to or by all NPOs. They are included as examples only, and may be valuable to consider when determining how to prevent or mitigate terrorist abuse in the NPO sector.
This section of the BPP is divided into two main sections: Understanding the Risk and Mitigating the Risk. The second part, Mitigating the Risk, is then divided into four sub-sections: Outreach to the Sector, Supervision or Monitoring of NPOs, Effective Investigation and Information Gathering, and Effective Capacity to Respond to International Requests for Information about an NPO of Concern.
Understanding the Risk
Importantly, the BPP briefly notes that for there to be a risk, both a threat and a vulnerability must exist. A helpful chart in the paper illustrates this concept (see BPP, p. 10).
Understanding the risk to NPOs starts with identifying, assessing and understanding the money laundering and terrorist financing risks for the country. Based on these findings, countries may designate an authority or mechanism to coordinate the work of assessing risks and apply resources to effectively mitigate them. A risk-based approach is the basis for implementing an anti-money laundering and countering the financing of terrorism (AML/CFT) regime and the FATF Recommendations, the paper states. Since FATF adopted its revised Recommendations, which emphasize a risk-based approach, using this risk-based approach to implement Recommendation 8 has become more critical, the paper states.
Countries may periodically reassess the NPO sector. This would involve reviewing new information on potential vulnerabilities to the sector, trends related to terrorist abuse, and risk mitigation measures.
While NPOs may fact other risks relating to money laundering, fraud, corruption and tax evasion, keep in mind that Recommendation 8 specifically addresses only NPO vulnerability to terrorist abuse. That said, measures implemented to protect against and mitigate other financial threats may also be useful in mitigating terrorist financing risk.
In the 4th round of Mutual Evaluations, an understanding of the domestic NPO sector and the terrorist financing risks it faces “are critical to complying with Recommendation 8,” the paper states. The starting point for this would be a domestic review of the entire NPO sector. Countries can then determine which NPOs fall within the scope of the FATF definition of NPO, better understand the sector, understand the relevant risks, determine which existing laws and policies might help mitigate those risks, incorporate these findings into the national risk assessment, and determine whether additional measures are needed. Countries should also consult the FATF’s 2014 report on Risk of Terrorist Abuse in Non-Profit Organisations (aka NPO Typology Report), which found a correlation between the types of activities an NPO is engaged in and the risk of terrorist abuse.
Mitigating the Risk
Just as there is no one-size-fits-all approach to mitigating terrorist financing risks faced by NPOs, there is a wide range of ways to identify, prevent and combat terrorist misuse of these organizations, the BPP explains, adding that not all NPOs should be subject to the same measures. According to the Interpretive Note to Recommendation 8, a successful approach is flexible, multi-faceted and four-pronged (including outreach; proportionate, risk-based supervision and monitoring; effective investigation and information gathering; and effective mechanisms for international cooperation). Countries should ensure that any response is proportionate to the TF risk posed. The BPP reminds countries that measures already established to mitigate risks from other illicit financial activity “may sufficiently address the current TF risk to the sector, while additional or different measures may need to be considered when existing measures are found inappropriate to mitigate the risk, or as the TF risk to the sector evolves and changes over time.”
Here, the BPP again reminds countries that measures implemented need to be proportionate to the risks identified, avoiding those that disproportionately burden NPOs with little or no TF risk because: not all NPOs face high terrorist financing risks, and many NPOs face little or no such risk; the sector has an extremely large number of very diverse entities; and a one-size-fits-all approach is not effective in combatting terrorist abuse of NPOs and is more likely to disrupt or discourage legitimate charitable activities. Examples of measures that may not be appropriate for NPOs facing little or no risk include detailed registration procedures, additional reporting requirements, requirement of appointing a designated staff person responsible for CT compliance, and an external audit of the organization.
Outreach to the Sector
The BPP reminds countries that they are required by Recommendation 8 to conduct outreach to the NPO sector on TF issues. All stakeholders, including governmental and non-governmental actors, law enforcement and NPO regulators, can be involved in developing outreach and education about the specific risks facing the NPO sector and provide good examples of mitigation measures. Ideally, the outreach would be a two-way, ongoing dialogue between governments and NPOs. Advantages of this approach include: obtaining useful information about specific needs, concerns, vulnerabilities, risks and challenges that can form the basis of more effective policies; issues flagged can help countries prevent or disrupt high-risk activities before they escalate; more effective implementation of mitigation measures will give NPOs a better understanding of their risks; and learning how to conduct more effective outreach and engage in more constructive dialogue with the sector.
Supervision or Monitoring of NPOs
The Interpretive Note also requires countries to take steps to promote effective supervision or monitoring of the NPO sector. The BPP warns countries against applying the same measures to all NPOs. Instead, countries may implement measures that are commensurate with the risk identified through a domestic review of the NPO sector and an understanding of the TF risks facing the sector.
Specifically, countries should apply the measures set out in sub-paragraphs 5(b)(i) to 5(b)(vii) of the Interpretive Note to Recommendation 8 to address the NPOs that both fall within FATF’s definition of an NPO and face the greatest risk of TF abuse. Measures that could be applied in these situations include requirements for an organization to: be licensed or registered (although countries are not required to impose specific licensing or registration requirements for CT financing purposes); maintain information on their activities and those who own, control or direct their activities; issue annual financial statements; have controls in place to ensure that funds are fully accounted for and spent in a manner consistent with the NPO’s stated activities; follow a ‘know you beneficiaries and associate NPOs’ rule; keep records; and be subject to monitoring by the appropriate authorities.
There are several advantages to properly implementing these supervision and monitoring requirements, the BPP notes, including: avoidance of over-regulation on the sector; the ability to change regulatory, investigative or outreach response as NPOs change over time; helping mitigate risks by leveraging off transparency, good governance and/or self-regulatory initiatives already implemented by NPOs; better allocation of limited supervisory resources by taking steps that are commensurate; and adopting different approaches to supervision and monitoring based on a range of factors. There is no single correct approach to ensuring effective oversight of the sector, the BPP adds.
Effective Investigation and Information Gathering
Countries should ensure effective cooperation, coordination and information sharing to the extent possible between all relevant agencies and organizations. They should have investigative expertise and the capability to examine those NPOs that are suspected of being exploited by, or actively supporting, terrorist organizations. In addition, all NPOs falling within the FATF definition and deemed to be at a higher risk of TF abuse should have available some financial and programmatic information in the event that an investigation into possible terrorist abuse becomes necessary. Mechanisms for information sharing are important—when a country suspects that a particular NPO is being abused by terrorists, they should promptly share any relevant information with appropriate authorities so that preventive or investigative action can be taken.
While information provided by NPOs to government agencies is important in promoting transparency, the use of national security or intelligence-based information gathering is important in those specific cases where organizations rely on deception to mislead donors and other NPOs for terrorist financing purposes. Information from criminal investigations can provide authorities with a better understanding and context of the TF risk environment surrounding NPOs. In some cases, administrative measures and targeted financial sanctions may be necessary to protect the NPO sector from abuse. The paper explains that a collaborative, inter-agency approach to detection of abuse and risk can ensure that investigative actions by one agency don’t conflict with or jeopardize actions by another group.
Effective Capacity to Respond to International Requests for Information about an NPO of Concern
The BPP concludes this section by noting that countries should be ready for international requests for information regarding a suspect NPO by identifying appropriate points of contact and procedures to respond to these requests.
This section of the paper was renamed in the current revision (it was previously titled “Best Practices for NPOs”), minimizing the possibility that it would be misunderstood as a checklist for governments in regulating the NPO sector.
The paper recognizes the NPO sector’s efforts to promote transparency and to prevent the misuse of the sector, including preventing TF. In many countries, the NPO sector has representational and self-regulatory (umbrella) organizations that have developed standards and initiatives to help NPOs ensure accountability and transparency.
While most NPOs have good relations with their donors, partner organizations and beneficiaries, practical risks do exist and NPOs can be abused, the paper explains. It is therefore important for NPOs to understand the TF risks they face and take appropriate measures to mitigate them. Many NPOs undertake their own risk analysis before working in a new environment or with new partners, and examples of this can be found in Annex 2 of the paper.
Mitigating the Risk
The BPP asserts that having good governance and strong financial management is the best way an NPO can ensure it is not abused for terrorist purposes. This includes having robust internal and financial controls and risk management procedures, as well as carrying out proper due diligence on the individuals and organizations that give money to, receive money from or work closely with the NPO, the paper states. The BPP explains that due diligence is the range of practical steps taken by NPOs “so that they are reasonably assured of the provenance of the funds given to the NPO; confident that they know the people and organisations the NPO works with; and able to identify and manage associated risks.”
For NPOs that are deemed to be at higher risk of TF abuse, the risk mitigation measures they implement will depend on a variety of factors, including aspects of the NPO’s work and associated risks, existing due diligence and risk mitigation measures, and whether the NPO’s partners operate in close proximity to an active terrorist threat.
All legitimate international actors need to safeguard the integrity and accountability of their operations, the paper states. Annex 3 contains examples of NPOs that have developed standards and initiatives to ensure accountability and transparency in their operations. In many countries, umbrella organizations (self-regulatory and representational) help preserve the legitimacy and reputation of NPOs by developing good practices. NPOs can build upon this good work by disseminating their experiences, providing training, and building capacity within their sector.
How Good Governance Practices by NPOs Help Meet R.8 Objectives
FATF has found that terrorist abuse of the NPO sector is commonly the result of a lack of robust internal governance and/or appropriate external oversight. For those NPOs that fall within the FATF definition and are deemed to be at a higher risk of TF abuse, having good governance practices in place is the first step in protecting themselves. The BPP recommends a handbook of good practices developed by Transparency International, Preventing Corruption in Humanitarian Operations.
The BPP groups good governance into four categories—organisational integrity, partner relationships, financial accountability and transparency, and programme planning and monitoring:
NPOs are established and operate in accordance with a governing document such as articles of incorporation, a constitution, or bylaws. Member of the governing board act in the interest of the organization and maintain oversight by establishing strong financial and human resource policies, meeting on a regular basis and actively monitoring activities.
NPO carry out appropriate due diligence on the individuals and organizations that the NPO receives money from, gives money to or works with closely before entering into relationships and agreements. Written agreements are also useful to outline the expectations and responsibilities of both parties, including detailed information on the application of funds and requirements for audits and on-site visits.
Financial accountability and transparency
Strong financial controls and procedures prevent financial abuse of NPOs and misuse of resources and funds, the BPP asserts. NPOs can keep adequate and complete financial records of income, expenses, and financial transactions throughout their operations, including the end use of the funds. They should ensure that funds are applied as intended, as clearly stated in program goals that are made publicly available.
Programme planning and monitoring
NPOs can establish internal controls and monitoring systems to ensure that funds and services are being used as intended. The BPP explains that NPOs can maintain detailed budgets for each project and generate regular reports on related purchases and expenses. The NPO should have procedures to trace funds, services, and equipment, and they should carry out transactions through the banking system when possible.
The revised BPP also addresses the difficulty NPOs have accessing financial services. The paper states that implementation of its recommendations should not adversely and disproportionately affect NPOs, which rely on banking facilities and other financial services to carry out important humanitarian and charitable services. “The wholesale termination of individual customers or entire classes of customer, without taking into account their level of risk or risk mitigation measures is not a proper implementation of a risk-based approach and is not consistent with the FATF Standards,” the paper explains.
Terminating customer accounts can drive financial flows underground, reducing transparency and “the ability to identify and take action against TF abuses,” according to the BPP. It also inhibits the delivery of aid to developing countries and crisis zones “where humanitarian needs are acute and where charitable work contributes positively to the fight against regional and global terrorism.”
Financial institutions should not view all NPOs as high-risk. Most of these organizations face little, if any, risk of terrorist abuse, the paper states. The fact that an NPO operates in cash-intensive environments or in countries of great humanitarian need does not necessarily make the organization high risk.
In considering potential risks posed by a customer, financial institutions should identify and assess the organization’s money laundering, terrorist financing risks, and risk mitigation measures, taking into account any measures the NPO has in place to mitigate risk and any regulatory requirements that may apply to the NPO. If an NPO is then deemed at-risk, the financial institution should determine whether the risk can be sufficiently mitigated to allow legitimate charitable activities to continue.
NPOs can do their part by maintaining registered bank accounts, keeping their funds in them and utilizing regulated channels for transferring funds, especially for overseas transactions. There may, however, be instances in which cash is the only feasible means for a transaction to occur, such as when providing assistance in an extremely remote region where financial services are not available. When cash is used, it should be done in line with established laws and regulations, including cash declaration and/or cash disclosure requirements.
Donors should research publicly available information to determine how an NPO operates, how it is managed, the nature of its programs and where it operates.
Examples of measures that countries have implemented and that have been implemented by NPOs have been moved out of the narrative portion of the paper to Annex 1 and Annex 2, respectively. A new Annex 3 contains a list of representational and self-regulatory organizations.