Vulnerable Activities and AML Compliance

RBA, manual, systems and audit for Vulnerable Activities

In brief

The 2025 reform expressly incorporated risk-based assessment, manual, training, automated mechanisms and audit into Article 18 of the LFPIORPI. As of the July 9, 2026 cutoff, their enforceability must be determined against the transitory provisions and the General Rules that activate the added obligations; this dossier does not present them as fully enforceable without that verification. A defensible program links methodology, file, monitoring, alerts, decisions and effectiveness testing.

Improvement cycle among risk-based approach, manual, system, training and audit.
Design, execution and evidence must close the same control cycle.

Contents

  1. RBA methodology
  2. Inherent and residual risk
  3. System and annual audit
  4. Compliance officer
  5. RBA applied to lending
  6. Weightings and ranges
  7. Effectiveness of mitigants
  8. Manual structure
  9. Real coverage
  10. Technological evidence

Note on regulatory transition

Sections VII to XI of Article 18 were added in 2025. The official criteria indicate that their operational entry into force depends on the timelines set by the rules; the decree also contains provisions for annual training and audit periods. Before setting an enforceability date for a specific organization, publications subsequent to this article's cutoff must be reviewed. The prudent recommendation is to build capacity and evidence, not to wait until the last day.

What must an RBA methodology contain?

The document defines universe, period, sources, scales and governance. It identifies risk events, probability and impact; calculates inherent exposure; assigns mitigants; determines residual risk; and establishes appetite and response.

Each indicator needs a definition, source data, periodicity, owner and threshold. The methodology must be capable of being recalculated with the same data and yielding the same result. Exceptions are recorded and are not corrected by manually changing the rating without a trace.

The RBA ends in measures: simplified due diligence where legally applicable, standard or enhanced; approval; monitoring; updating and eventual rejection.

How to put it into practice

Test the methodology with specific files and extreme scenarios. Another person must be able to recalculate the category with the same inputs. Overrides of expert judgment require a reason, evidence, an approver and an expiry. While the regulatory activation of the added obligations is being verified, maintain a readiness matrix that distinguishes “designed capability,” “tested control” and “enforceable obligation.” That distinction allows progress without asserting a legal date that depends on subsequent General Rules or transitory provisions.

The approval must record the population and period used. If the model excludes a channel or product, the limitation is presented to the governing body and receives a temporary measure; it is not hidden in a methodological note.

Article 18 of the LFPIORPI and SPPLD general criteria.

How are inherent and residual risk distinguished?

The measurement separates probability and impact. It then relates each risk to specific controls: identification, bank validation, limits, approval, monitoring or training. Not all of them reduce all risks.

Residual risk should not automatically reach zero. A floor prevents claiming that a risk that was merely managed has been eliminated. If the exposure exceeds the appetite, the product, client, channel or control is modified.

The audit must be able to select a mitigant and verify design, execution, coverage, exception and result. That test is more important than mathematical sophistication.

How to put it into practice

Test coverage and timeliness with data. If screening was run after the transaction or covered only 80% of the population, the credit given to the mitigant must reflect that. Define a residual floor and a response when it exceeds appetite: restrict, reinforce, redesign or reject. During the transitory regime, document these elements as readiness and good practice, clearly separating the design date from the date on which a General Rule makes the added component enforceable.

Compare the residual against actual incidents and exceptions. If losses or alerts are concentrated in “low” categories, the scale or the credit granted to controls needs documented recalibration.

Amended Article 18 of the LFPIORPI and SPPLD legal framework.

What is the relationship between the automated system and the annual audit?

The audit starts from the RBA. If the risk is high, the LFPIORPI provides for an independent external auditor; for low or medium risk it contemplates an internal area or an external person, subject to rules. The annual file must justify the risk category that determined the modality.

The auditor compares the rule, the manual and the operation. It tests traceability from alert to resolution, filing to acknowledgment, and client to file. It also reviews whether prior findings were closed with evidence.

Calendars must take into account the transitory provisions and rules in force. “Annual” does not authorize choosing any period without documenting it.

How to put it into practice

The audit file must allow an alert and a filing to be reproduced. Preserve the rule version, parameters, input data, decision, user and output. Sample changes and exceptions, not just cases that worked. In anonymized systems, the demonstration showed a correct alert, but the interface had stopped loading a branch for weeks; only the reconciliation of populations revealed the gap. Coverage and integrity matter as much as the formula.

Define independence and scope according to risk and activating rules. The auditor must not validate their own design without safeguards. Include restoration, segregation, closed alerts, privileged access and prior remediation. Before the added obligation is enforceable, a readiness review labeled as such may be carried out; after activation, adjust the period, modality and deliverables in accordance with the General Rule. This avoids presenting a voluntary test as the definitive legal audit.

The annual plan must reserve time to retest findings. A report delivered on the last day with no window for correction may meet an internal calendar, but it contributes little preventive capability to the program.

Article 18, added sections, of the LFPIORPI and SPPLD criteria.

What must be documented when designating the compliance officer?

The function must not exist only in the portal. It needs access to contracts, clients, transactions and systems; the ability to escalate; and reporting to the governing body. An external provider's contract does not automatically displace the legal responsibilities.

The registration acknowledgment and changes are retained, but the officer's identity is restricted in accordance with the confidentiality regime. Public documents must not expose unnecessary data.

An annual calendar covers training, assessment, review of the manual, audit, reports and remediation. Each absence or change triggers a continuity plan.

How to put it into practice

The designation act or resolution must identify the function, access to information, reporting line and authority to escalate, without publishing unnecessary data. Add a decision matrix: who classifies, who approves alerts, who submits filings and who resolves exceptions. In anonymized programs, the officer was registered in the portal, but depended on operations to obtain files without an agreed deadline; the function existed formally and could not be executed. A service-level agreement and direct access corrected that weakness.

Document continuity for holidays, departure or unavailability, distinguishing operational substitution from the formal designation required. The external provider may support, but does not replace the legal responsibilities by contract. For RBA, manual, training, systems and audit, maintain a General Rule/transitory-provision monitor and assign the officer the task of activating the plan when applicable. Retain the evidence of that regulatory review together with the calendar to explain why a task was in readiness or already enforceable.

Test quarterly that the officer receives alerts, can consult transactions and retains portal access. A correct designation loses effectiveness if credentials, permissions or internal flows become outdated.

Article 20 and related obligations of the LFPIORPI in force.

How is the RBA applied to non-financial lending?

Client indicators may include structure, PEP, activity, seniority, jurisdiction and transparency. Product contemplates term, amount, collateral, revolving nature and disbursement means. Transaction analyzes third-party payers, prepayments, account changes and deviations.

The initial rating is updated by events. New collateral, a restructuring, beneficiary or payment pattern may change the risk. A high-risk transaction needs approval and defined controls, not just a label.

The design must prevent bias and duplication. Two indicators that measure the same thing must not inflate the result without justification.

How to put it into practice

Map the product's own events: application, drawdown, collateral, third-party payment, prepayment, account change, restructuring and enforcement. For each event identify the signal, source and response. In anonymized portfolios, “high amount” and “high collateral” measured almost the same phenomenon and duplicated the score, while third-party payments were not captured. A correlation and coverage review improves usefulness without requiring a complex statistical model.

The initial category must change by events, not only on the anniversary. Configure triggers for changes to BC, PEP, jurisdiction, payer, collateral or pattern. Test B2B, secured and revolving clients separately. If the RBA obligation still depends on activation through a General Rule, document the simulation as readiness, not as definitive compliance, and record what data is missing to operate. Upon activation, validate that the ranges and measures correspond to the rule in force and not only to the anticipated design.

The dashboard must show which signal changed the category, which measure was applied and for how long. Without this explanation, the user sees a number but does not know what specific action to take.

Articles 17, section IV, and 18 as amended of the LFPIORPI.

How to justify weightings and ranges?

The documentation retains version, date, approver and simulation. Extreme values and sensitivity are tested: how much the result changes if an indicator moves. If a critical factor does not alter the category, the model may be miscalibrated.

The institutional weighting and the client weighting are distinct layers. The first assesses the obligated entity; the second determines measures for a relationship or transaction.

A committee or responsible person may exercise expert judgment, but must explain cause, evidence and measure. Overrides without limits turn the methodology into non-auditable discretion.

How to put it into practice

Document for each factor its hypothesis: why it increases risk, its source and its relationship with a measure. Simulate low, medium and high cases and an isolated critical factor. If a PEP or opaque structure does not change the result because other weights dilute it, review gates or minimums. In anonymized models, lowering the cutoffs until 90% ended up “low” concealed the lack of controls; calibration must follow exposure, not a predetermined quota.

Maintain version, dataset, approval and comparison with the previous version. Expert judgment may adjust, but with a limited range, reason, evidence and expiry. During the regulatory transition, label the ranges as pilot and preserve results to recalibrate when activating General Rules are published. Do not claim that an anticipated model satisfies criteria not yet issued. The file must show which part derives from law, which part from internal design and which will have to be validated again.

A stability test must compare the distribution across periods and explain jumps. If an update massively shifts clients with no economic change, review data, scales and deployment before using the result.

Amended Article 18 of the LFPIORPI and SPPLD general criteria.

How to demonstrate that a mitigant works?

For each mitigant, the risk, owner, frequency, population and evidence are defined. Coverage is measured: what percentage of transactions passed through the control and how many exceptions existed. Timeliness is verified: screening after disbursement may be real but ineffective in preventing it.

Failures feed residual risk and the remediation plan. A control with open exceptions must not receive the same credit as a stable one.

The annual assessment updates weights, catalogs and controls. Continuous improvement must leave a changelog.

How to put it into practice

Prepare a sheet per control: risk, owner, population, frequency, evidence, indicator and tolerance. Then measure whether it operated before the event it was meant to prevent. In anonymized controls, a list check had 100% of records, but was run after disbursement; it was complete and late. The effectiveness assessment must distinguish execution from timeliness and result.

Sample positives, negatives and exceptions. Compare the expected population against logs and prove that closed alerts contain analysis. If the control depends on a third party, verify contract, service level, incidents and excluded data. Failures adjust the residual and generate remediation; they are not hidden by averaging months. During the transition, this sheet serves for readiness, but it will have to be checked against activating General Rules and definitive criteria. Retain a changelog and the date of each test so as not to retroactively attribute to the control capabilities it did not yet have.

Define an explicit tolerance and a reaction. Without a failure threshold, an indicator may deteriorate for months without generating a responsible party, deadline or escalation to the governing body.

Amended Article 18 of the LFPIORPI and SPPLD framework.

What structure does the Internal Policies Manual need?

Each policy needs a procedure. Saying “the client will be identified” does not explain who, when, data, evidence, rejection or exception. The annexes contain forms and matrices without turning the body into an unmanageable repository.

The manual must correspond to the operating model. If the company is digital, it cannot describe exclusively physical files; if it uses providers, it defines supervision and access. Area names must exist.

The approval records date and validity. Regulatory changes are translated into impact, action, training and deployment, not just a new cover page.

How to put it into practice

Write each section with six questions: who, when, input, action, output and exception. “Identify the client” becomes role, moment, fields, documents, blocking and escalation. In anonymized manuals, mentioning nonexistent areas and physical files in a digital operation made it impossible to execute the text. Walking through a real case with operations and technology reveals those disconnects before approval.

Separate the normative body, the procedures and the annexes. Assign an owner and review date to each; a catalog change does not require re-approving the entire policy, but it does require version control. For added RBA, training, systems and audit, include an express note of validity and an activation mechanism. Until the General Rule is verified, distinguish voluntary readiness from enforceable obligation. When activated, document impact, approval, training and deployment; changing only the cover page and date does not demonstrate implementation.

Include a repeals table for previous versions and confirm that forms, scripts and training materials point to the version in force. Otherwise, several policies may operate simultaneously.

Article 18 of the LFPIORPI in force and SPPLD criteria.

How to measure the manual's real coverage?

The review evaluates design and operation. For each section a sample is selected: onboarding, client, filing, alert, training or change. If the procedure cannot be executed with the existing systems and roles, the finding is operational.

Findings are prioritized by legal impact, risk and population. The plan assigns root cause, action, owner, date and closure evidence.

The overall percentage never replaces severity. A single critical omission —such as failing to identify the Beneficial Owner— may weigh more than several minor fields.

How to put it into practice

Build the matrix at the level of the verifiable obligation, not of chapters. A row must indicate the provision, validity condition, manual text, procedure, owner, evidence and test result. In anonymized assessments, a manual covered “filings” in ten pages but did not say who reconciled the acknowledgments; textual coverage was high and operational coverage was nil. The sample must execute the process, not merely locate words.

Assign severity by effect: critical if it prevents identifying, submitting or retaining; high if it weakens coverage; medium if it affects consistency; administrative if it does not alter the conclusion. For added obligations, use the statuses “pending General Rule,” “designed,” “tested” and “activated.” This taxonomy avoids confusing readiness with non-compliance or compliance. The closure plan requires cause, action, owner, date and retested evidence. Report by severity and population, not just aggregate percentage.

Link each row to an executed sample and date. A section may exist in the manual and still fail when the team tries to complete the form or locate the required data.

Amended Article 18 of the LFPIORPI and SPPLD legal framework.

What technological evidence must be retained?

The data has input, reconciliation and quality controls. It is documented how duplicates, connection failures and manual operations are resolved. Access applies least privilege and segregation among loading, approving and modifying.

Each threshold or rule change goes through request, testing, approval and deployment. The log retains the previous and new value. Alerts cannot be deleted; they are closed with a decision and evidence.

The audit tests restoration, reproducibility of calculations and a sample from source to filing. This turns technology into a verifiable control.

How to put it into practice

Retain native evidence whenever possible: configuration export, signed log, change ticket and test result. A screenshot may illustrate, but cannot prove population or integrity. In anonymized systems, the screen showed the correct threshold, while a nightly process was still using the previous value; comparing configuration, deployed code and results detected the divergence. Record the previous value, new value, effective date and approver.

Test input reconciliation, duplicates, interface failures, least privilege, restoration and alerts that cannot be deleted. Relate each piece of evidence to a period and version. For providers, retain scope, subprocessors, incidents and audit rights. While the added obligation depends on a General Rule, use the inventory as a readiness file and flag pending components. Upon activation, run a validation against the definitive requirements and document any adjustment, without assuming that the anticipated design automatically complies.

The inventory must include manual contingency processes. A temporary sheet may be a valid control if it has an owner, access, reconciliation and scheduled retirement; a hidden sheet outside governance creates a gap.

Amended Article 18 of the LFPIORPI and SPPLD general criteria.

Implementation matrix

Implementation matrix. Columns: Component, Document and Operational evidence.
Component Document Operational evidence
RBA approved methodology data, calculation and recalibration
Manual policies and procedures files, filings and decisions
System architecture and rules logs, alerts, access and changes
Training annual program materials, attendance and assessment
Audit scope and report samples, findings and closure

Next step

SVA.LAW can turn obligations and risk models into coherent manuals, technological controls and audit files. Explore our services.


Notice: General information, not legal advice. The enforceability and calendar of obligations added in 2025 must be reviewed against the rules, criteria and transitory provisions in force at the time of implementation.