Crafting Robust Proliferation Financing National Risk Assessments

In 2020, the Financial Action Task Force (FATF), the international standard-setter for combating money laundering (ML), proliferation and terrorist financing (TF), expanded the scope of its risk assessment recommendation to include proliferation financing (PF). While the intent of the expanded scope is to incorporate a risk-based approach into counter-PF (CPF) standards, particularly in relation to risk assessments, national PF risk assessments to date have varied in their scope, approach and breadth.

This policy brief examines how countries have approached their PF national risk assessments (NRAs), and uses these examples to advise jurisdictions on how to approach future NRAs.

Based on a review of 23 published PF NRAs, the main findings of this brief are:

• Most NRAs do not identify the characteristics of broader PF threats, or examine how PF risk differs from ML and TF.
• Jurisdictions struggle to adequately integrate country-specific contexts, such as social, economic and geographical factors, into their understanding of PF vulnerabilities, notwithstanding the existence of resources such as the RUSI National PF Guide 1 and the FATF’s own PF Risk Assessment Guidance.
• Jurisdictions tend to limit their assessment to sanctions lists, although UN restrictions are considerably broader than these lists.
• Jurisdictions rarely assess PF-related consequences, one of the three key elements of a risk assessment exercise.

With only 15% of jurisdictions receiving a ‘substantial’ or ‘high’ level of effectiveness rating for PF in FATF’s fourth-round mutual evaluation cycle, understanding PF risk will be a key challenge for jurisdictions in the upcoming fifth round. Along with other criteria, this will be assessed under revised technical criteria, alongside jurisdictions’ effectiveness in implementing the standards.

This policy brief offers recommendations for countries to consider when planning and conducting their PF NRAs, as part of the effort to contribute to a more robust global CPF regime.

This policy brief examines PF NRAs of members of FATF and FATF-style regional bodies to better understand the challenges around and limitations of identifying PF risk. The analysis is based on a review of 23 publicly available PF NRAs published between 2015 and 2023 (see Table 1). Additionally, the research is informed by 21 online and in-person workshops on PF risk assessments and PF typologies, delivered by the author.

^{Note: The NRAs are grouped by FATF-style regional body (FSRBs). FSRBs establish systems for combating money laundering and the financing of terrorism and proliferation in their regions, conduct evaluations of member states’ anti-money laundering and counterterrorist financing and counter-PF systems, and make recommendations for improvement.}

^{CFATF is the Caribbean Financial Action Task Force; FATF is the Financial Action Task Force; MONEYVAL is the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism; GAFILAT is the Financial Action Task Force of Latin America; APG is the Asia/Pacific Group on Money Laundering; ESAAMLG is the Eastern and Southern Africa Anti-Money Laundering Group; EAG is the Eurasian Group on Combating Money Laundering and Financing of Terrorism; GIABA is the Inter-Governmental Action Group Against Money Laundering in West Africa.}

There are several limitations to this study. First, the author was only able to review publicly available NRAs. There is no requirement for countries to publish their NRAs, and not all do. Secondly, the NRAs varied considerably in terms of their substantive depth. Many countries, for example, may choose to ‘sanitise’ their reports before publication or only publish parts of them. Finally, the analysis covers the period from 2015 to 2023. Most of the restrictions on Iran’s nuclear programme imposed by UN Security Council Resolution 2231 expired in October 2023, while the option to restore six Security Council resolutions against Iran remains available until October 2025.

Compared with other types of financial crime such as ML and TF, PF remains a somewhat ambiguous and ill-defined concept. Conceptually, it is rooted in two key international regimes: UN Security Council resolutions and the FATF standards.

In 2004, the UN Security Council (UNSC) adopted Resolution 1540, which, among other requirements, calls upon UN member states to prevent the financing of WMD, including related technology and means of delivery, with a focus on non-state actors. From 2006, this was followed by country-specific UNSC resolutions (UNSCRs), such as those addressing North Korea (UNSCR 1718 and subsequent Resolutions) and Iran (UNSCR 2231). These imposed targeted financial sanctions (TFS), activity and trade-based prohibitions, and certain vigilance measures. Yet none of the requirements concretely defined PF.

The FATF standards constitute the other part of the international CPF regime. Under the FATF Recommendations, countries are required to establish a legal, regulatory and institutional framework to freeze the assets of entities and individuals sanctioned by relevant UNSC resolutions, and ensure they do not have access to or benefit from any direct or indirect funds or economic resources. Taking a step further, FATF revised Recommendation 1 in 2020, requiring countries and their private sector institutions – financial institutions, designated non-financial business and professions (DNFBPs) and virtual asset service providers – to carry out PF risk assessments.

What is an NRA?

The objective of an NRA is to understand the dimensions of the ML, TF and PF risks relevant to a jurisdiction, to better equip national authorities to address and mitigate any legal, regulatory and enforcement-related shortcomings.

FATF’s guidance on PF NRAs provides a concept of risk for countries, consisting of three elements: threat, vulnerability and consequence. ‘Threat’ covers ‘designated persons and entities that have previously caused or with the potential to evade, breach or exploit a failure to implement PF-TFS’; ‘vulnerability’ refers to an aspect of a country’s system that can be exploited by malign actors; and a ‘consequence’ occurs when funds or assets are made available to sanctioned individuals or entities.

In setting out its findings, this policy brief follows the structure of threat, vulnerability and consequence.

While PF and ML/TF have features in common, it is important to recognise the distinct features of PF. Both TF and PF actors generate funds through both legal and illicit means, and proliferators, like money launderers, use well-known laundering strategies such as shell/front companies, intermediaries, and misuse of the legal financial system. However, ML/TF is primarily concentrated among non-state actors, such as terrorist organisations and organised crime groups. PF, in contrast, involves both state and non-state actors, their extensive networks across various countries and regions, and third-party countries and nationals. In contrast to ML, the aim is not to launder money, and unlike TF, the activity or procurement process does not necessarily lead to a harmful act. The goal of PF is to acquire or facilitate acquisition of sensitive WMD materials and technologies to support the development of WMD programmes (see Table 1 in this RUSI guide). This policy brief adopts a broader scope for threats, consistent with the World Bank’s approach to TF risk assessments. This perspective includes threat actors, typologies, funding needs, and related activities, offering a good framework for considering PF risks.

UNSCRs 2231 and 1718 name North Korea and Iran as key PF threat actors. 15 PF NRAs – 65% of the total – address relationships with these countries specifically, assessing direct diplomatic, social and trade connections with each country.

Some countries take a wider view of national and global security than the UNSC’s consensus-based view, preferring not to limit their analysis to particular threat actors. Six NRAs (26% of the total) look beyond North Korea and Iran to consider other countries they believe pose PF threats. China draws particular attention because of its facilitator role in relation to well-known sanctioned proliferators, and the hundreds of China-based companies and cases that have been discovered to be connected to North Korea’s violation of UN sanctions. Pakistan, Syria and Russia are also among the threat actors analysed due to their proliferation-related activities.

Some governments show concern about terrorist organisations, taking lessons from the potential ambitions of Islamic State to procure WMD, or organised crime groups’ alleged involvement in nuclear-material trafficking. Nigeria’s NRA, for example, specifically notes Boko Haram’s possible access to mineral reserves, some of which have dual-use functions and can be used for nuclear purposes.

In addition to terrorist groups, some countries, for example Serbia, take a wider view of threats, referring to armed conflicts and/or actors under other UN counterterrorism sanctions regimes. While some of the activities conducted by these people may fall under PF, it is important to clearly distinguish between PF and TF threats.

Direct Threats

PF threats can be divided into direct and indirect threats.

Direct threats may occur in two forms:

1. Products, sectors and services that are/could be exploited by threat actors.
2. Resources and financial services associated with WMD procurement.

A total of 20 NRAs (87%) assess direct threats to critical sectors, products or services. 19 NRAs (83%) also assess associated financial services, such as trade finance or transportation for the export of proliferation-sensitive items. These threats are often discovered using domestic data on the flow of goods/finances to and from proliferation actors to determine whether the commodities involved are sanctioned or not, and export-control data.

Namibia’s NRA, for example, found that Iran’s shareholding in the country’s uranium mining exposed Namibia to potential PF risks. The UK’s NRA found that the insurance sector and legal persons were targeted by proliferators, and the US’s NRA assesses the extent to which export controls have been violated in the US.

When countries do not find evidence of PF-related activity, this can lead them to conclude that they are not vulnerable to PF activities – rather than to consider where potential threats may arise. As an example of good practice, Portugal’s NRA notes that the country is not a significant route for the purchase of WMD-sensitive goods, but it recognises potential threats, including efforts by countries it identifies as high risk to acquire sensitive or dual-use items from Portuguese companies.

16 NRAs (70%) assess inherent risks related to supply chains and transshipment hubs. For instance, countries such as the US and Latvia see themselves as potentially exposed as part of a financial pathway, while Kazakhstan and Serbia view themselves as potential physical transshipment points.

Indirect Threats

Most PF activities are not overtly connected to a designated entity. Much revenue raising and procurement is done through diverse international networks of front/shell companies, intermediaries, and third countries, all of which are in violation of UNSCR 1718 and its successor resolutions,2 and all of which pose significant PF risks. Yet only 13 NRAs (57%) assess such types of exposure to PF risk.

A focus on TFS implementation often has the effect of limiting CPF efforts to monitoring only entities which appear on sanctions lists. By contrast, investigating broader PF activities beyond the procurement of WMD-related goods helps to determine the true extent of exposure. A striking illustration of this point is Thailand’s NRA, which concluded that the country’s PF risk is medium to low and the country was not implicated in PF activities. However, according to the 1718 Sanctions Committee Panel of Experts (UN PoE) reports, several companies based in Thailand have been linked to North Korea, including a front company associated with the Ocean Maritime Management network, which ‘played a key role in arranging the shipment of concealed cargo of arms and related materiel from Cuba to [North Korea] in July 2013’; there is also more current evidence of the presence of North Korean operations in the country. By concentrating solely on TFS assessment, Thailand’s NRA appears to meet FATF standards, but understates the PF risks to which Thailand is exposed.

To make use of the money generated from revenue-raising activities, proliferators need access to the global financial system – that is, bank accounts and payment processing. However, only 11 NRAs (48%) examine the jurisdiction’s financial and corporate infrastructure. 

Sources for a Threat Assessment 

UNSC PoE reports should serve as a primary source for understanding PF threats, trends and cases across different regions and countries. Established in 2009, the PoE identified in its reports 2,306 companies and 2,090 individuals allegedly associated with North Korea’s prohibited activities. The PoE published its final report in March 2024, and no further reports will be released. However, the sanctions list under UNSCR 1718 includes only 80 individuals and 75 entities, representing less than 2% of those identified in the PoE reports. Despite the importance of the reports as an up-to-date source on global trends and activities, only 13 PF NRAs (57%) refer to the reports, which also offer useful information for broader compliance with FATF standards.

There are other useful resources for understanding PF. FATF publishes useful documents focusing on typologies and relevant UNSCRs; RUSI hosts a webpage for PF-specific resources, including open source reports and a database containing all the names and entities mentioned in UN PoE reports; King’s College London has published a typology report. The Wisconsin Project on Nuclear Arms Control and the Peddling Peril Index are also useful sources. Additionally, the official financial intelligence unit websites of various countries provide examples of guidance, sector-specific typologies, and details or summaries of risk assessments. For cryptocurrency-specific information, blockchain companies publish articles related to their own investigations and share their findings on North Korean crypto asset activity.

Recommendations

• Jurisdictions should take a proactive and thorough approach to identifying possible sanctions-evasion threats from proliferators. Even if they are physically distant or do not have direct trade links to North Korea, their networks and relationships with other actors of concern should be considered.
   
• Limiting threat assessments to TFS matches gives an incomplete view of PF risks. Jurisdictions should aim to reduce their exposure by embracing a holistic understanding that takes into account wider activities that can support PF, including legal and illegal revenue generation activities such as illegal wildlife trade, arms trafficking and cyber attacks.
   
• Jurisdictions should draw on a wide range of data sources, including UN PoE reports, data from think tanks and other third parties, open source intelligence, unilateral sanctions databases, and other countries’ NRAs. These resources can reveal relevant proliferation networks, improving the accuracy of the threat analysis.

‘Vulnerability’ refers to factors that can be exploited by threats or that may aid in the breach, non-implementation, or evasion of PF-related TFS. These factors may be structural or sectoral.

Structural Vulnerabilities

FATF defines structural vulnerabilities as ‘weaknesses in the national counter proliferation financing regime that makes the country … attractive to designated persons and entities’. RUSI’s 2019 National PF Guide suggests considering structural vulnerabilities under five categories: ‘legal and institutional’; ‘political and social’; ‘economic and technological’; ‘geographic and environmental’; and ‘legal persons and legal arrangements’ that can exacerbate or mitigate threats. Nearly 78% of NRAs assess at least one structural vulnerability. Of the five categories, assessments of economic and technological vulnerabilities, geographical factors, and legal entities and arrangements are the most common.

Taiwan’s NRA includes an example of a good vulnerability assessment, involving a thorough and precise analysis of all five structural vulnerability categories. On economic and technological vulnerabilities, Latvia’s NRA highlights that country’s well-developed financial sector by noting the risk of misuse of the financial system for transfers in the context of complex PF transactions or for sanctions violation.

However, in some reports, structural vulnerabilities are approached in a limited manner. For example, Indonesian authorities perceive the risk of exposure to sanctioned individuals and entities as low. However, given Indonesia’s regional shipping and trade links, coupled with unfocused strategic trade controls, the potential risk exposure may be higher.

Another example is Tanzania: its NRA focuses primarily on ML, and categorises PF under ML vulnerabilities. While there is some overlap between these financial crimes, PF has distinct characteristics that must be assessed independently. In this instance, the UN PoE notes several past cases for the country and its region, including possible construction work carried out in Tanzania by a North Korean-related company, Malaysia Korea Partners. This demonstrates the value of using UN PoE reports as a source for NRAs.

Legal and institutional factors are important elements of a structural vulnerability assessment. Nearly 74% of NRAs (17) mention national regulatory and legal frameworks designed for CPF. Only five PF NRAs (22%) evaluate the effectiveness of TFS implementation. This aligns with the FATF findings that nearly 50% of assessed countries have not developed a sufficient legislative and regulatory framework to implement TFS, and almost 80% were unable to implement TFS in a timely and effective manner.

Sectoral PF Vulnerabilities

Sectoral risk is not evenly distributed when it comes to PF. Company formation agents, for example, may pose higher risks because of their frequent use in sanctions evasion activities – namely, to obfuscate true beneficial ownership information. All the NRAs reviewed include at least one sectoral focus, most notably the financial sector; however, some countries also examine others, including aircraft, shipping/maritime, construction or education sectors.

Namibia’s NRA offers a strong example of leveraging awareness from past cases and regional patterns to focus on specific sectors within the region. The report includes cases involving North Korean sanctions-evasion activities and provides detailed risk analyses for construction, mining, short-term insurance and DNFBP sectors, reflecting regional typologies. This approach helps in effectively identifying PF specific vulnerabilities.

The Cayman Islands NRA highlights that 43.2% of the Caymans’ GDP in 2019 was attributed to financial services, and conducts a detailed analysis of vulnerabilities associated with this sector. Additionally, the report provides a comprehensive analysis of indirect threats and proliferation pathways, incorporates cases from neighbouring regions, and evaluates exposure risks across various sectors.

Recommendations

• 15 NRAs (65%) address PF risks in conjunction with other financial crimes such as ML/TF. This appears to be compromising their assessment of PF’s distinct features. Jurisdictions should ensure that their approach, whether standalone or integrated, fully accounts for the unique characteristics of PF.
   
• These assessments should address the vulnerabilities specific to their own context, including both structural and sectoral features, and combine these with PF-specific threats.
   
• To serve broader CPF objectives, jurisdictions should analyse the full extent of North Korea’s legal and illegal revenue-generating activities, including emerging risks such as virtual asset-related activities, referring to the indicators set out in Annex 3 of the 2019 RUSI National PF Guide, and the FATF Guidance.
   
• Jurisdictions should evaluate how their financial and corporate infrastructure indirectly supports the flow of finances and goods, and seek to conduct in-depth sector-specific risk assessments.

‘Consequence’ refers to ‘impacts and harms, and can be further categorised into … physical, social, environmental, economic and structural’. RUSI’s 2019 National PF Guide suggests considering three categories of consequence: ‘impact on human life, environment or infrastructure; impact on international or regional security or stability; impact on national economy or financial system and industry or reputational damage’. For example, Australia’s NRA remarks that North Korea’s nuclear programme could cause regional instability, posing significant security and economic risks for Australia and potentially harming its economic and financial reputation.

While FATF holds a different view, as pointed out by some experts, RUSI’s 2019 National PF Guide understands consequences as an important component of a thorough analysis. However, only four NRAs (17%) explicitly consider consequences and when they do, the assessment is often limited. An exception is Thailand’s NRA, which measures consequences using five categories, ranging from ‘negligible’ to ‘catastrophic’.

Integrating consequences has a substantial impact on the risk picture and, as a result, on the overall level of PF risk to which a country is exposed – and, therefore, on potential risk mitigation strategies identified. Of the 16 NRAs that rate their PF risk, 11 (69%) conclude that it is low or medium-low. This suggests a widespread perception among countries that PF risk is limited, which may imply commonly held views that existing controls are deemed sufficient, or that additional mitigation or prevention measures are unnecessary.

Recommendations

• A risk assessment may fail to fulfil FATF requirements if vulnerabilities and consequences are not considered along with threats, and Annex 5 of RUSI’s 2019 National PF Guide includes a table of consequence ratings. Countries should incorporate this component into their assessments, by focusing on the materialisation of a range of PF threats, and rating them accordingly.
   
• When assessing potential consequences, jurisdictions should consider: impacts on national economic and financial systems; industry effects; reputational damage; and the potential consequences of FATF greylisting and sanctions for non-compliance.
   
• Risk rating and risk appetite determine whether a risk is accepted, mitigated or prevented; this requires that countries fully assess and understand their exposure to the widest range of threats.

The expansion of FATF Recommendation 1 to include PF in 2020 is an important step in enhancing compliance with international CPF obligations. However, FATF’s definition of PF, limited to TFS, may have the effect of encouraging countries to take a limited view of their risks. FATF notes that a lack of positive TFS matches does not necessarily indicate low risk, and the threat of PF continues to grow as involved actors and sanctions-evasion activities increase. Therefore, countries must make a choice: either structure their risk assessment strictly around a narrow definition of PF and TFS, or leverage the risk assessment process as part of comprehensive proliferation control, to understand their exposure to the full scope of PF threats and address their vulnerabilities.

During the next round of mutual evaluations – the process by which the FATF assesses a country’s compliance with their obligations – all countries will be expected to provide their NRAs to assessors. However, this policy brief has found that the 23 NRAs published between 2015 and 2023 demonstrate that PF remains a subject of which many countries have minimal knowledge and understanding, and that it is not considered a priority. While limited guidance exists for assessing PF risks, the good examples and recommendations presented in this policy brief should help governments to recognise the underlying risks of PF, and decide which components to include, which resources to consult and which activities to examine.

© Fatima Busra Alsancak, 2024, published by RUSI with permission of the author.

The views expressed in this Policy Brief are the author’s, and do not represent those of RUSI or any other institution. For terms of use, see Website Ts&Cs of Use.