The technical compliance component of the methodology refers to the implementation of the specific requirements of the relevant AML/CTF laws and regulations. For the most part, it does not include the indicators of the requirements that relate principally to effectiveness. These are assessed separately through the effectiveness component of the methodology.
The technical compliance component of the methodology sets out the specific requirements of each relevant provision from the relevant AML/CTF laws and regulations as a list of criteria, which represent those elements that should be present in order to demonstrate full compliance with the mandatory aspects of the AML/CTF regulatory framework. In some cases, elaboration is provided in order to assist in identifying important aspects of the assessment of the criteria. For criteria with such elaboration, the Reviewer reviews whether each of the elements is present, in order to judge whether the criterion as a whole is met. For each requirement, the Reviewer reaches a conclusion about the extent to which you comply (or not) with the requirement. There are five possible levels of compliance: compliant, largely compliant, partially compliant, and non-compliant. In some circumstances, a requirement may also be rated as not applicable. These ratings are based only on the criteria specified in the technical compliance assessment and are presented in the table below:
When deciding on the level of shortcomings for any requirement, the Reviewer considers, having regard to your circumstances, the number and the relative importance of the criteria met or not met. The individual criteria used to assess each requirement do not all have equal importance, and the number of criteria met is not always an indication of the overall level of compliance with each requirement. When deciding on the rating for each requirement, the Reviewer considers the relative importance of the criteria in the context of your circumstances. The Reviewer considers how significant are the identified deficiencies, given your risk profile and other business, operational and contextual information (e.g. risk levels of customers, jurisdictions where the company operates). In some cases, a single deficiency may be sufficiently important to justify an NC rating, even if other criteria are met. Conversely, a deficiency in relation to low risk or little-used types of risk factors may have only a minor effect on the overall rating for a requirement.