Associations and protection against terrorist financing

Associations are in the spotlight and play an important role as links in society, but they can also be misused for terrorist purposes.

Introduction

Terrorism has many different forms. Basically, it is defined as criminal acts of violence against people or property with the intention of achieving a political, religious or ideological goal (in contrast to money laundering, which is strongly characterized by a personal profit motive). The fight against terrorist financing covers all manifestations of terrorism.

Terrorist financing refers to the provision or collection of assets to carry out terrorist acts or to support a person who intends to carry out such acts or a member of a terrorist organization with the knowledge that they intend to carry out such acts (Section 278d StGB). It is irrelevant whether this is committed out of sympathy with the aims of the terrorist or the terrorist organization. In contrast to money laundering (Section 165 StGB), both illegal and legal assets can be used for terrorist financing, such as donations, profits from companies, income, etc.

It is also prohibited to support an anti-state organization with funds (Section 246 para. 2 StGB), to support an anti-state movement with substantial funds (Section 247a para. 2 StGB) and to support a religiously motivated extremist organization with substantial funds (Section 247b para. 2 StGB).

The misuse of charitable organizations for terrorist purposes can take various forms. This includes pretending to be a legitimate non-profit organization, misusing a legitimate non-profit organization to finance terrorism and diverting aid funds from legitimate projects.

In Austria, non-profit organizations provide enormously important assistance and services in many areas of life and perform important socio-charitable tasks in terms of social and democratic policy. It is precisely because of the high level of public trust that charitable organizations can be attractive targets for terrorist groups. Conversely, even a few cases of terrorist financing can reduce the reputation of the charitable sector and thus also the volume of donations.

Since the purposes of non-profit organizations are usually very diverse and appeal to all parts of society, they can also be misused by terrorist organizations in various ways. These include their services, the use of their financial resources or abuse by their employees. The risk of such abuse can increase if the governance structures and financial controls of NPOs are not robust enough. Further information can be found in the sector risk assessment NPOs (PDF, 1 MB) (currently only in German).

Not all non-profit organizations are equally at risk of being misused for terrorist financing purposes. There is a higher risk of abuse for charitable organizations that provide aid in the immediate vicinity of an active terrorist threat. This includes charitable organizations that

  1. operate in a conflict zone where there is an active terrorist threat, or
  2. operate in a country where there is no conflict but where terrorist organizations want to win over population groups.

In both cases, the key variable for risk is not geographic location, but proximity to an active terrorist threat. It is important to note that this proximity does not always correspond to geographical areas of conflict or areas with a low state presence.

In conflict zones or areas with a weak state presence where terrorist groups do not or cannot operate, non-profit organizations may be exposed to risks related to corruption or other forms of crime, but not necessarily terrorist financing. Conversely, in a relatively stable environment, terrorist groups may actively target the support of the population.

The fight against terrorist financing is addressed internationally, in particular by the Financial Action Task Force and its 40 recommendations for the prevention of money laundering and terrorist financing as well as initiatives of the European Union for harmonized implementation.

The following guidelines present best practices for identifying, mitigating and managing terrorist financing risks. These best practices have been developed following extensive consultation with national stakeholders. In addition, international best practices and research reports have been taken into account:

  • FATF (2023) “Best Practices Paper on Combating the Abuse of Non-Profit Organisations (Recommendation 8)”
  • Dr. Justine Walker (2020) “Risk Management Principles Guide for Sending Humanitarian Funds into Syria and Similar High-Risk Jurisdictions”
  • Singapore Office of the Commissioner of Charities (2015) “Protecting your Charity Against Money Laundering and Terrorist Financing”
  • Norwegian Refugee Council (2020) “Toolkit for Principled Humanitarian Action. Managing Counterterrorism Risks”
  • Niederländisches Finanzministerium (2021) “Risico op misbruik Non-Profit Organisaties voor financiering terroristische activiteiten”
  • ABN Amro (2023) “Information and tips for associations and foundations”
  •  Australian Government (2009) “Safeguarding your organisation against terrorism financing”.

Why does my bank ask me questions about my association?

Credit and financial institutions are legally obliged to check their customers' activities for possible money laundering, terrorist financing and sanctions violations. This includes collecting data on their customers and checking suspicious transactions.

Suspicious transactions are transactions that generally come to light during an ex-ante (before the transaction is carried out) or ex-post (after the transaction is carried out) review and resemble suspicious behavior or indicators. In this case, the bank is obliged to inquire with the account holder about the background to the transaction. Written documentation and evidence of the transactions are therefore helpful in clearing up misunderstandings. If suspicious transactions cannot be plausibly explained, credit and financial institutions are obliged to report them to the Money Laundering Reporting Office.

Reports to the Financial Intelligence Uni may result in further business policy measures (e.g. termination of accounts, restriction of transaction channels, etc.).

It is extremely important to respond promptly to all questions from your bank! If banks are unable to meet their due diligence obligations towards a customer, e.g. due to a lack of information, they may not establish a business relationship or execute any transactions. They must also terminate an existing business relationship. They must also consider submitting a suspicious activity report to the Money Laundering Reporting Office (Section 7 (7) of the Financial Markets Anti-Money Laundering Act - FM-GwG).

Certain professional groups such as tax advisors, lawyers and notaries are subject to the same obligations.

Threat scenarios for terrorist financing

The following threat scenarios reflect practical experience. As terrorist groups actively seek new opportunities for abuse, they may also be confronted with other threats in the course of their activities.

  1. Diversion of funds: Actors within the nonprofit organization or external actors (such as foreign partners or third-party fundraisers) may divert funds to support terrorist groups at any point in the nonprofit organization's operational or financial processes.
  2. Relationships with a terrorist organization: Nonprofit organizations or their employees may knowingly or unknowingly have relationships with a terrorist organization. As a result, a non-profit organization can be misused for terrorist purposes, including providing logistical and financial support to the terrorist organization. The payment of "protection money" to terrorist groups or the use of services from companies associated with or controlled by terrorist groups is also subject to the terrorist financing prohibition. When determining the risk, it must be taken into account whether regulated local organizations or individuals are involved.
  3. Abuse to support the recruitment efforts of terrorist organizations: This occurs, for example, when employees of charitable organizations sympathize with terrorist groups and use their work at the charitable organization to promote terrorist groups.
  4. Misuse of programs at the destination: Even if the flow of funds is legitimate, projects of charitable organizations at the destination can be misused. This includes, for example, the takeover of completed aid projects such as schools by terrorist groups.

Risk indicators for terrorist financing

It may be helpful to pay attention to the following risk indicators:

  • Involvement of persons or entities covered by applicable EU sanctions.
  • The use of cash in areas known for terrorist activities, e.g. Syria, Yemen and Iraq. However, the use of cash may sometimes be necessary for the provision of humanitarian aid or development cooperation. In this case, the use of funds should be accurately documented.
  • Frequent use of cash donations and/or expenditures citing cultural or religious considerations, without further justification.
  • In the case of transfers, e.g. donations labelled "for the brothers" or "for the fight".
  • Failure to register or incorrect registration of beneficial owners in the respective beneficial ownership registers.
  • Uncertainty about the purpose of non-profit organisations or contradictions between the purpose and the actual activities.
  • Unnecessarily complex financial and transaction structures within the non-profit organisations, leading to a lack of transparency in the origin and/or use of funds.

The above characteristics are possible signs of an increased risk of misuse for terrorist financing and should not be considered a direct link to or evidence of terrorist financing. If risk indicators exist, it is advisable to check them. If in doubt, a suspicious transaction report should be submitted (see advice on what to do in suspicious cases).

Advices

  • Clear internal rules are necessary for the safe financial management of a non-profit organization to ensure both transparency and measures to prevent terrorist financing. These rules should include regular and effective internal monitoring and auditing.
  • It is advisable to create a "mission statement" that clearly distances itself from any support for terrorism, money laundering or other criminal acts. This can be anchored in the statutes, for example.
  • Financial management should be transparent, with comprehensible accounting and reporting, transparent bank accounts, use of regulated financial channels and control over the distribution and withdrawal of funds.
  • Potential risks within an NPO should be identified and regularly reviewed (as part of a risk assessment).
  • Projects, especially those with risk aspects, should be subject to regular reviews and final audits.
  • It is advisable to provide checklists for each step in the implementation process of a project to ensure financially transparent monitoring.

  • In order to identify and manage the risks of terrorist financing, a risk assessment by the organisations concerned is advisable.
  • A risk assessment should be carried out when operating in proximity to active terrorist threats (as explained above). It can be prepared per project or country.
  • You can follow the example structure below:
  1. Evaluate the threat scenarios listed above and any other identified threats. You can use the values ​​low (1), medium (2), high (3) or very high (4).
  2. Evaluate how vulnerable your organization is to each identified threat scenario. You can use the values ​​low (1), medium (2), high (3) or very high (4).
  3. State which risk-reducing measures (e.g. checking project partners, documenting payment flows, dual control when approving payments) you will use and evaluate how these measures affect your risk.
  4. Calculate the overall risk using the formula: 40% threat + 60% vulnerability - risk-reducing measures = overall risk.
  5. The overall value determined reflects the risk of terrorist financing. Individual areas identified with higher risk should be given special consideration in project implementation. Possible measures include more stringent monitoring of business partners and/or transactions. If the risk limit defined within the organization is exceeded, certain projects should not be carried out or should only be carried out under modified conditions.
  • You can use this template (Word, 36 KB) for this purpose.
  • The country reports of the Financial Action Task Force can provide information on the risks of terrorist financing. Jurisdictions with a high risk of money laundering and terrorist financing can be found on the relevant country lists of the Financial Action Task Force and the European Commission. You can also use information from the authorities and articles from reputable newspapers or research institutes. If you or trustworthy informants already have a local presence, you can also use this information.
  • The key figure determined by the risk aseesment reflects an assessment of your own risk and should be reviewed regularly. It should be adjusted if essential parameters change, e.g. if new projects are added in new countries.
  • The risk assessment is used to derive preventive measures and to coordinate them with the organization's internal risk strategy, risk preferences, risk tolerances and risk limits.
  • For further information on preparing a risk assessment and practical examples, please refer to the National Risk Assessment 2021 (PDF, 1 MB) and the FMA circular on this topic.

  • Make sure that the management and staff involved in the project are trustworthy. You can do this by, among other things, obtaining references, criminal records or checking EU sanctions lists.
  • Make sure you know your beneficiaries. Depending on the identified risk of the project, you should have at least basic information about your group of beneficiaries.
  • Make sure you know your project and business partners. You can do this by, among other things, obtaining information from authorities, articles from reputable newspapers or research institutes, checking EU sanctions lists, obtaining information on beneficial owners and trustworthy local informants.
  • Regularly check that the beneficiaries or project and business partners are not persons or entities covered by applicable EU sanctions or belonging to other terrorist organisations.
  • Determine in advance who can access how much money, when and under what conditions.
  • Management and project staff should be aware of the risk and take appropriate risk-reducing measures. They should also be trained and informed accordingly.
  • Adapt your measures to the identified risk. For example, if you have identified a high risk of diversion on site, you can increase the monitoring of local project partners.
  • Document every transaction step from receipt of the money to its use in the target project and archive this documentation for an appropriate period of time (for example, five years).
  • If possible, carry out follow-up checks to ensure that the aid was provided as intended. The "three lines of defence" model can play an important role in risk management. Each of the three lines of defence takes on a specific role in an organisation's broader governance framework. For example, local staff can act as the first line of defence to carry out preventive measures. As a second line of defense, Compliance staff conduct spot checks and verify implementation. The third line of defense is the organization's internal audit team, which ensures the effectiveness of internal control procedures through regular audits. It is necessary that all three lines of defense know their roles and are appropriately trained.

  • Designate informed contact persons for your bank and respond promptly to inquiries from your bank. If possible, any anticipated delays should be communicated and explained to the bank in good time.
  • Answer all questions and, if necessary, explain the circumstances of the transaction or business relationship (remember that your bank is not a specialized humanitarian organization). The answers should be meaningful to reduce the need for follow-up inquiries.
  • Only use credit and financial institutions that are authorized and supervised. If you do business with unlicensed providers, you risk losing the donations through fraud. The FMA's company database provides an overview of all providers authorized in Austria.
  • Contact your bank early. Provide a summary of the program you are proposing, listing the intended beneficiaries, the selection of beneficiaries, the program to be implemented, the schedule, the project partners and the award procedures.
  • Be prepared to help your bank understand your processes – they are not a specialised humanitarian organisation and may not be familiar with the controls you have in place. To comply with their legal obligations, banks need to understand how you work, what your purposes are and the volume and frequency of payments you plan to make.
  • Be transparent and as detailed as possible and build trust with your bank. In complex scenarios, explain how you carried out your project planning, which sanctions lists you checked, the criteria you use to select your project partners and how you will deal with potential risk scenarios.

  • File a suspicious transaction report with the Financial Intelligence Unit and follow all further instructions. Information on how to identify anomalies can be found on the FIU's website and in a circular from the FMA.
  • In this regard, it is also advisable to inform and sensitize employees accordingly so that they are also able to recognize possible indications or anomalies in connection with terrorist financing. This could take place, for example, as part of (internal or external) training courses or information events.
  • If necessary, update your risk assessment and the preventive measures you have taken.

 

Further information on cooperation with credit and financial institutions

In order to comply with their legal obligations, credit and financial institutions prepare risk assessments of their customers and adapt their due diligence obligations to the identified risk. Credit and financial institutions must ensure that the information they request is proportionate to the risks.

The risk assessment and transaction monitoring of credit and financial institutions take various aspects into account. Receiving donations of very different amounts from different donors, transactions with new countries due to newly approved projects (which were not listed at the start of the business relationship), fewer staff than expected (e.g. due to a large number of volunteers on site), transactions with high-risk countries (where help and services are needed), online crowdfunding, absence of donors in the country of residence - these situations can arise in the course of the activities of non-profit organizations. When monitoring transactions by credit and financial institutions, they can present anomalies and lead to inquiries.

Risk factors in the non-profit sector may include, but are not limited to:

  1. Project countries
  2. Scope of activity
  3. Organizational structure
  4. Source and use of funds

This does not mean that a non-profit organization that has one or more risk factors is actually involved in financial crime. However, the bank may ask more detailed questions about each of these risk factors to assess the risk of money laundering or terrorist financing.

The risk assessment as a whole gives an indication of the level of risk and includes not only the sum of the individual answers, but also the coherence and logic between the different risk factors.

Risk factors

Certain countries are more vulnerable to money laundering, terrorist financing or other financial crimes and are on higher-risk country lists, such as those of the European Commission or the FATF.

Credit and financial institutions take these lists into account and also assess whether the nonprofit is registered or operating from abroad. This includes foreign banking relationships, board members residing abroad and transactions from or to abroad. In addition, credit and financial institutions must comply with applicable sanctions regulations and review potential violations of these sanctions.

» Please note the following points:

  • Does your organization's name include a higher-risk or sanctioned country? This may lead to inquiries at the bank or at a correspondent bank required to conduct transactions.
  • Do the funds originate from conflict or post-conflict countries, higher-risk countries or sanctioned countries? The European Commission and the FATF classify certain countries as particularly high-risk. Explain what measures your organization takes to ensure that funds do not come from an illegal source in those countries.
  • Do you fund activities in conflict or post-conflict areas, high-risk countries or sanctioned countries? Have you taken steps to mitigate the risks involved?
  • Are activities conducted outside of conflict or high-risk countries but visited from high-risk countries?
  • Do you use third-party services in conflict, high-risk or sanctioned countries/areas?
  • Do your beneficiaries, board members or staff come from areas controlled by terrorist groups?

Credit and financial institutions need to know what activities the nonprofit carries out. Some activities are known to be particularly vulnerable to money laundering or terrorist financing, for example when a lot of cash is used or a relatively large proportion of funds are used for printed promotional materials linked to an engagement in a conflict zone.

» Please consider the following points:

  • Is there a clear link between your organizational objectives and your actual activities?
  • Do you have evidence of your activities, such as an annual report? Quality reports help credit and financial institutions to evaluate. An established track record of the nonprofit, such as benchmarks, references or a reference to previous activities, gives a better idea of ​​the types of activities carried out. Make your track record visible through media links, project summaries, testimonials and short case descriptions.
  • Do you have an online presence (social media or website)? We recognize that organizations that work primarily with volunteers have less capacity and resources for websites and press releases and/or do not seek media coverage. Likewise, nonprofits working on human rights issues in authoritarian regimes sometimes operate under the radar and deliberately avoid seeking media attention and/or raising their profile. A public presence can help lending and financial institutions proactively obtain information about the nonprofit, thus avoiding possible misunderstandings.
  • How long has your organization been active? What is your (expected) turnover, what are your sources of funding and who are your beneficiaries? Is this information logical and consistent with your activities?
  • Has your organization (or any of its partners, beneficiaries or board members) been the subject of critical reporting in the past? If you are aware of such reporting, it is helpful to provide background information and further explanation. Do not hide such reporting, but proactively address it.

The nonprofit's organizational structure must be transparent. A politically exposed person (PEP) associated with the nonprofit (e.g. a board member) may lead to additional questions being asked during the risk assessment. PEPs are natural persons who hold or have held important public offices. Because of this position, PEPs are considered to be at an abstractly higher risk of money laundering, corruption and embezzlement. They can use the nonprofit to hide funds or assets embezzled through the abuse of their official position or through bribery or corruption.

» Please note the following points:

  • Do you have a clear organizational structure? Provide an organizational chart showing the responsibilities of each person involved and the separation between the functions of the board of directors and the finances of the nonprofit.
  • Is the majority of the members of your supervisory board independent? Too much distance of these members from the day-to-day operations of the nonprofit can be a risk factor, as members may not be sufficiently able to identify risks and act accordingly when necessary.
  • Does your organization have three or more board members? Is there equal “involvement or control,” meaning that one board member cannot dominate decision-making?
  • Is one of your employees or board members a PEP? Please note that in some cases, individuals who are family members or business partners of a PEP may also be asked additional questions in the risk assessment.
  • Does the PEP involved in the nonprofit have control over the nonprofit’s transactions?
  • Have you made provisions for the eventual end of your nonprofit? The nonprofit’s charter or bylaws should specify that any funds remaining after the nonprofit is dissolved should be used for a nonprofit with a similar mission.

The nonprofit's funds and (expected) transactions must be consistent with the nonprofit's mission. Many transactions to and from abroad, critical reporting regarding the nonprofit's funds or inconsistent funding can raise questions in the risk assessment. The key is how the organization knows that the funds, goods or activities provided have reached the intended recipients and what controls ensure proper use.

Transactions can be blocked or delayed if there are similarities with suspicious behavior or indicators. Some reasons that may arise, especially for nonprofits, are incomplete information required for the transaction or additional information requested by the correspondent bank (often a foreign bank that carries out part of the transaction).

» Please note the following points:

  • What types of transactions do you expect to conduct? Explain the different types (including estimates of amount and number) of transactions.
  • Can you demonstrate that your transactions follow logically from your activities? Do you have evidence of your payments (and donations), e.g. receipts, estimates, invoices? If you are a new organisation, indicate how you will handle transactions.
  • Can you demonstrate that you know the origin of your funds and the final destination/beneficiary? Give examples of the aid chain in conflict and high-risk areas and explain the control and transparency measures.
  • Can you explain the link between your organisation's funding source, the type of organisation and your activities? Make a clear connection between these three elements. If you anticipate that this might be difficult to understand, consider how you can improve understanding, e.g. by giving examples of established non-profit organisations.
  • Do you receive funding from individuals who are considered PEPs? This is especially important for your major donors (your largest donors relative to all donors).
  • In particular, smaller and voluntary organisations that work on a project basis have to deal with irregular funding sources. Inform your bank about this and make the purpose and time periods for the funding transparent.
  • If donations are received in a conspicuous and atypical manner, it can help your bank if you proactively contact them and explain the background of the donation.
  • Try to transfer the donation to the destination as directly as possible. Avoid intermediaries of natural or legal persons as much as possible. It can help your bank if you proactively contact them and explain why you are using intermediaries of natural or legal persons.
  • If you change the payment methods you use (transfers, cash withdrawals, crypto assets), proactively communicate the reason for the change.
  • If you use cash, document the flow of payments from receipt to use in detail.

 

Related Links