Risk Rating the Vatican!

A 'Quick and Dirty' Approach to assessing an AML/CTF risk weight for the Vatican.

I was inspired by Stephan Schmitz's post on the Vatican and FATF to demonstrate a 'quick and dirty' AML/CTF risk rating for the Vatican. Even though the Vatican is ignored in most open source assessments, it is possible to use those methodologies to develop and document a usable AML/CTF risk factor.

You won't make a lot of friends this way, but here's one way to describe the Vatican;

a theocratic monarchy, where women are denied citizenship, and where there is 1 soldier for every 5 residents.

For purposes of this post; there are two components to the risk factor; a set of core AML/CTF infrastructure questions, and the Transparency International Corruption Perception Index.

Core Questions

For the 'quick and dirty' approach, I used the same questions employed by the US Department of State to assess the money laundering risk of various countries. Their results are published annually as part of their International Narcotic Control Strategy Report.

To answer the core questions, I used the Vatican's “LEGGE CONCERNENTE LA PREVENZIONE ED IL CONTRASTO DEL RICICLAGGIO DEI PROVENTI DI ATTIVITÀ CRIMINOSE E DEL FINANZIAMENTO DEL TERRORISMO”, which was put into effect in December 2010. My facility with Italian is not great, so any assessment errors are my own.

Core Questions	Qualitative Answer	Numeric Score
1. “Criminalized Drug Money Laundering”:Has the Vatican enacted laws criminalizing the offense of money laundering related to the drug trade?	Yes	0
2. “Criminalized Beyond Drugs”: Has the Vatican enacted laws criminalizing the offense of money laundering related to crimes other than the drug trade.	Yes	0
3.“Know Your Customer Provisions”: By law or regulation, does the Vatican requires banks and/or other covered entities to adopt and implement Know Your Customer/Customer Due Diligence programs for their customers or clientele?	Yes	0
4. “Report Large Transactions”: By law or regulation, are banks and/or other covered entities required to report large transactions in currency or other monetary instruments to designated authorities?	No	1
5. “Report Suspicious Transactions”: By law or regulation, are banks and/or other covered entities required to report suspicious or unusual transactions to designated authorities?	Yes	0
6. “Maintain Records over Time”: By law or regulation, are banks and/or other covered entities required to keep records, especially of large or unusual transactions, for a specified period of time, e.g., five years?	Yes	0
7. “Disclosure Protection - ‘Safe Harbor”: By law, does the Vatican provides a “safe harbor” defense to banks and/or other covered entities and their employees who provide otherwise confidential banking data to authorities in pursuit of authorized investigations?	No(?)	1
8. “Criminalize “Tipping Off”: Under Vatican law, is disclosure of the reporting of suspicious or unusual activity to an individual who is the subject of such a report, or to a third party, a criminal offense?	Yes	0
9. “Financial Intelligence Unit”: Has the Vatican has established an operative central, national agency responsible for receiving (and, as permitted, requesting), analyzing, and disseminating to the competent authorities disclosures of financial information in order to counter money laundering?	Yes	0
10. “Cross-Border Transportation of Currency”: By law or regulation, has the Vatican established a declaration or disclosure system for persons transiting the jurisdiction’s borders, either inbound or outbound, and carrying currency or monetary instruments above a specified threshold?	Yes	0
11. “International Law Enforcement Cooperation”: Does the Vatican cooperate with authorized investigations involving or initiated by third party jurisdictions, including sharing of records or other financial data, upon request? (Based on past experience. Their new law promises a better level of cooperation.)	No	1
12. “Mutual Legal Assistance”: By law or through treaty, has the Vatican agreed to provide and receive mutual legal assistance, including the sharing of records and data?	Yes	0
13. “System for Identifying and Forfeiting Assets”: Has the Vatican established a legally authorized system for the tracing, freezing, seizure, and forfeiture of assets identified as relating to or generated by money laundering activities?	Yes	0
14. “Arrangements for Asset Sharing”: By law, regulation or bilateral agreement, does the Vatican permit sharing of seized assets with third party jurisdictions that assisted in the conduct of the underlying investigation?	No	1
15. “Criminalized the Financing of Terrorism”: Has the Vatican criminalized the provision of material support to terrorists, terrorist activities, and/or terrorist organizations as required by the UN International Convention for the Suppression of the Financing of Terrorism and UN Security Council Resolution 1373?	Yes	0
16. “Report Suspected Terrorist Financing”: Are banks and/or other covered entities required to record and report transactions suspected to relate to the financing of terrorists, terrorist groups or terrorist activities to designated authorities?	Yes	0
17. “States Party to 1988 UN Drug Convention”: Is the Vatican party to the 1988 United Nations Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances, or a territorial entity to which the application of the Convention has been extended by a party to the Convention?	Yes	0
18. “States Party to the UN International Convention for the Suppression of the Financing of Terrorism”: Is the Vatican party to the International Convention for the Suppression of the Financing of Terrorism, or a territorial entity to which the application of the Convention has been extended by a party to the Convention?	No	1
19. “States Party to the UN Convention against Transnational Organized Crime”: Is the Vatican party to the United Nations Convention against Transnational Organized Crime (UNTOC), or a territorial entity to which the application of the Convention has been extended by a party to the Convention?	No	1
20. “States Party to the UN Convention against Corruption”: Is the Vatican party to the United Nations Convention against Corruption (UNCAC), or a territorial entity to which the application of the Convention has been extended by a party to the Convention?	No	1
21. “US or International Sanctions/Penalties”: Has the US, another jurisdiction and/or an international organization, e.g., the UN or FATF, has imposed sanctions or penalties against the Vatican?	No	0
Total Quantitative Score		7

So, who else scores a “7” on these questions?

• Angola
• Central African Republic
• Comoros
• Nauru
• Solomon Islands
• Suriname
• Tajikistan

That's some risk neighborhood!

Transparency International Corruption Perception Index

The CPI scores run in the opposite direction from the risk weighting factor we built with the Core Questions; 'clean' jurisdictions have higher scores than 'dirty' ones. To fix that, we simply take the 10's complement of the CPI scores; in other words, subtract the country's CPI score from 10 to find its risk increment.

The second difficulty to overcome is that there is no CPI assessment for the Vatican. Well, using “0” as a risk increment is certainly possible, but it might be misleading. Standard practice in statistics accounts for missing measurements by supplying an average value. (It's certainly what my bridge club does when a pair has not played a hand.) And statistics being what it is, you have a rich variety of 'averages' from which to chose. Here are some approaches to consider; see if they match your approach to risk assessment.

1. Simple median score, in this case “5”.
2. The average for the country's nearest geographic neighbors; in this case Italy, France and Switzerland, giving an average risk increment of “3.4”
3. The average for countries sharing the same set of attributes; in this case, countries with the same scoring on the core questions, giving a risk increment of “7.5”

AML/CTF Score for the Vatican

Using the core questions, and the median CPI score, we get an AML/CTF risk score for the Vatican of 12. To put that in context; here's where it sits between the lowest rated and highest rated countries using this method:

Denmark	0.6
Vatican	12.0
Somalia	29.0

Has your AML system seen South Sudan yet?

In August, the International Standards Organization announced a new country. Well, a new ISO country code for a new country.

South Sudan.

The announcement detailed the new country code (SS), new currency code (SSD).

Overnight, 8.26 million people were in a new country.

Here's a checklist of things you might want to consider in your own AML, sanctions screening and compliance systems.

• Recognize the new country code. It'll start showing up on addresses, the party details on wires, information on letters of credit, currency transactions, and so on. It's a real country code, you should be able to recognize it.
• Recognize the new currency code. Again, you might start seeing it in FX transactions, in wire transfers and so on.
• Be on the lookout for new SWIFT BICs for banks operating in South Sudan. Some weeks after the ISO announcement, SWIFT will institute new BICs using the country code in positions 5 and 6, and will then migrate certain banks in the market to the new codes.
• Create a country risk rating for South Sudan. Maybe easier said than done, if you rely on third party information sources for rating data. You may have to establish an interim evaluation based on your assessment of the components of your country risk rating. (An upcoming post will show a DIY country risk-rating approach.)
• Assess the impact on your sanctions screening and OFAC processes. OFAC is going to a fair amount of trouble to exempt South Sudan from the current slate of Sudan country sanctions. (They're still a little stuck on how to craft language that will support South Sudan's oil industry. All the pipelines go through Sudan to reach the sea.) Focusing solely on the string “Sudan” will cause you to handle a lot false hits.

It's possible to turn this into a checklist that you can use every time the ISO organization formally assigns a new country code. South Sudan, the most recent, is a little more problematic than St. Bart's which was assigned a country this past December.

Yet, the key impacts will be the same;

• new country codes
• new bank Ids
• new currency codes
• new country risk assessment
• impacts on sanctions screening or proprietary list screening.