NPOs and prevention of terrorist financing
Terrorism has many different forms. It refers to criminal acts of violence against people or property with the intention of achieving a political, religious or ideological goal (in contrast to money laundering, which is strongly characterised by a personal profit motive). The fight against terrorist financing covers all manifestations of terrorism.
Terrorist financing refers to the provision or collection of assets to carry out terrorist acts or to support for a person who intends to carry out such acts or for a member of a terrorist organisation with the knowledge that it intends to carry out such acts (Art. 278d StGB). It is irrelevant whether this is committed out of sympathy with the aims of the terrorist or the terrorist organisation. In contrast to money laundering (Art. 165 StGB), both illegal and legal assets can be used for terrorist financing, e.g. donations, profits from companies, income etc.
Additional prohibitions apply to the support of an anti-state association with funds (Art. 246 para 2 StGB), the support of an anti-state movement with substantial funds (Art. 247a para 2 StGB) as well as the support of a religiously motivated extremist association with substantial funds (Art. 247b para 2 StGB).
The misuse of non-profit organisations for terrorist purposes can take various forms. These include pretending to be a legitimate non-profit organisation, misusing a legitimate non-profit organisation to finance terrorism, and diverting aid money from legitimate projects.
Non-profit organisations provide enormously important assistance and services in many areas of life, not only in Austria, and fulfil socially and democratically important social and charitable tasks. Precisely because of the high level of public trust, non-profit organisations can be attractive targets for terrorist groups. Conversely, even a few cases of terrorist financing can damage the reputation of the non-profit sector, including the volume of donations.
Since the purposes of non-profit organisations are usually very divers and address all sections of society, they can also be abused by terrorist organisations in various ways. These include abuse of their services, the use of their financial resources or abuse by their staff. The risk of such abuse may increase if NPOs' governance structures and financial controls are weak.
The risks for NPOs of being abused for terrorist financing are not the same. A greater risk of abuse exists for NPOs that provide assistance in close proximity to an active terrorist threat. This may relate to a NPO (i) operating in an area of conflict where there is an active terrorist threat, or (ii) operating in a country where there is no conflict but where terrorist organisations are seeking to win over populations. In both cases, the key variable of risk is not the geographical location but the proximity to an active terrorist threat. Importantly, this does not always correspond to geographical areas of conflict or areas with low state presence.
In areas of conflict or low state presence where terrorist groups do not or cannot operate non-profit organisations may be exposed to risks related to corruption or other forms of crime but not necessarily to terrorist financing. Conversely, terrorist groups may actively target populations in relatively stable environments.
The fight against terrorist financing is governed in particular by the Financial Action Task Force and its 40 Recommendations on the Prevention of Money Laundering and Terrorist Financing as well as European Union initiatives for harmonised implementation.
This guideline presents best practices to identify, mitigate and manage terrorist financing risks.
Why is my bank asking me questions about my association?
Credit and financial institutions are required by law to monitor their customers' activities for possible money laundering, terrorist financing and sanctions violations. This includes collecting data on their customers and reviewing suspicious transactions.
Suspicious transactions are transactions that, when examined either ex-ante (before the transaction is carried out) or ex-post (after the transaction has been carried out), show signs of suspicious behaviour or indicators. In this case, the bank is obliged to ask the account holder about the background of the transaction. Written documentation and evidence of the transactions are therefore helpful in clarifying any misunderstandings. If suspicious transactions cannot be plausibly explained, credit and financial institutions are obliged to report them to the Financial Intelligence Unit.
Reports to the Financial Intelligence Unit may lead to further business policy measures (e.g. closure of accounts, restriction of transaction channels etc.).
It is extremely important to respond promptly to all questions from your bank! If banks are unable to fulfil their due diligence obligations towards a customer, for example due to a lack of information, they may not enter into a business relationship and may not carry out transactions. They must also terminate any existing relationship. They must also consider submitting a suspicious transaction report to the Financial Intelligence Unit (Art. 7 para. 7 of the Financial Market Anti-Money Laundering Act – FM-GwG).
Certain professional groups such as tax advisors, lawyers and notaries are subject to the same obligations.
Terrorist Financing Threats
The following threat scenarios reflect practical experience. As terrorist groups actively seek new opportunities for abuse, you may also be confronted with additional threats in the course of your activities.
- Diversion of funds: Actors within the NPO or external actors (such as foreign partners or third-party fundraisers) may divert funds to support terrorist groups at some point in the NPO's operational or financial processes.
- Relationships with a terrorist group: NPOs or their employees may knowingly or unknowingly have relationships with a terrorist group. This can lead to a non-profit organisation being misused for terrorist purposes, including providing logistical and financial support to the terrorist organisation. The payment of "protection money" to terrorist groups or the use of services from companies that are close to or controlled by terrorist groups is also subject to the terrorist financing prohibition. When determining risk, it must be taken into account whether regulated local organisations or individuals are involved.
- Abuse in support of recruitment efforts of terrorist groups: This occurs, for example, when NPO staff sympathise with terrorist groups and use their work in the NPO to promote terrorist groups.
- Misuse of programmes at the destination: Even if the flow of funds is legal, projects of the non-profit organisations can be misused at the destination. This includes, for example, the takeover of completed aid projects such as schools by terrorist groups.
Risk indicators for terrorism financing
It may be helpful to consider the following risk indicators:
- Involvement of individuals or entities subject to applicable EU sanctions.
- The use of cash in areas known for terrorist activity, such as Syria, Yemen and Iraq. However, the use of cash may sometimes be necessary for the provision of humanitarian aid or development cooperation. In this case, the use of funds should be well documented.
- Frequent use of cash donations and/or spending on cultural or religious grounds without further justification.
- In the case of remittances, for example, donations marked "for the brothers" or "for the struggle".
- Failure to register or incorrect registration of beneficial owners in the relevant beneficial ownership registers.
- Ambiguity about the purpose of NPOs or inconsistencies between the purpose and actual activities.
- Unnecessarily complex financial and transactional structures within NPOs, leading to a lack of transparency in the origin and/or use of funds.
The above characteristics are possible indicators of an increased risk of misuse for terrorist financing and should not be considered as a direct link to or evidence of terrorist financing. Where risk indicators are present, it is advisable to investigate. In case of doubt, a suspicious transaction report should be filed (see Best practices in case of suspicions).
Best Practices for Financial Transparency in Non-Profit Organisations
- The secure financial management of a non-profit organisation requires clear internal rules to ensure both transparency and measures to prevent terrorist financing. These rules should include regular and effective internal monitoring and review.
- It is advisable to draw up a mission statement setting out a clear rejection of any support for terrorism, money laundering or other criminal activities. This can be anchored in the statutes, for example.
- Financial management should be transparent, with comprehensible accounting and reporting, transparent bank accounts, use of regulated financial channels, and controls on the distribution and withdrawal of funds.
- Potential risks within an NPO should be identified and regularly reviewed (through a risk assessment).
- Projects, especially those with elevated risks, should be subject to regular reviews and audits.
- It is advisable to provide checklists for each step of a project to ensure financially transparent monitoring
Best practices for the risk assessment
- In order to identify and manage the risks of terrorist financing, a risk assessment is advisable.
- A risk assessment should be carried out if NPOs operate in proximity to active terrorist threats (as explained above). It can be prepared per project or country.
- You can use the following example structure:
- Assess the threat scenarios listed above and any other identified threats. You can use the values low (1), medium (2), high (3) or very high (4).
- Assess how vulnerable your organisation is to each identified threat scenario. You can use the values low (1), medium (2), high (3) or very high (4).
- List the risk mitigating measures (e.g. auditing of project partners, documentation of payment flows, 4-eyes principle when approving payments) you will apply and assess how these measures affect your risk.
- Calculate the total risk according to the formula: 40 % threat + 60 % vulnerability - risk mitigating measures = total risk.
- The total value determined reflects the risk of terrorist financing. Individually identified areas of higher risk should be given special consideration in project implementation. Possible measures include stronger monitoring of business partners and/or transactions. If the risk limit defined internally by the organisation is exceeded, certain projects should not be carried out or only under modified conditions.
- You can use the following template (Word, 34 KB).
- The country reports of the Financial Action Task Force can serve as information on the risks of terrorist financing. Jurisdictions with a high risk of money laundering and terrorist financing can be found on the corresponding country lists of the Financial Action Task Force and the European Commission. You can also consult information from the authorities and articles from reputable newspapers or research institutes. If you or trustworthy sources already have a local presence, you can also draw on this information.
- The risk assessment figure reflects an assessment of your own risk and should be reviewed regularly. It should also be reviewed if any essential parameters change, e.g. new projects in new countries.
- The risk assessment is used to derive preventive measures as well as to coordinate with the organisation's internal risk strategy, risk preferences, risk tolerances and risk limits.
- For further information on the preparation of a risk assessment and practical examples, you can refer to the National Risk Assessment 2021 (PDF, 1 MB) and the FMA circular on this topic.
Best practices for project management
- Make sure that the management and staff involved in the project are trustworthy. You can do this by, among other things, asking for references, criminal records or checking against EU sanctions lists.
- Make sure you know your beneficiaries. Depending on the identified risk of the project you should have at least basic information about your beneficiary group.
- Make sure you know your project and business partners. You can use, among other things, information from the authorities, articles from reputable newspapers or research institutes, cross-checking with EU sanctions lists, obtaining information on the beneficial owners, and trustworthy local respondents.
- Check regularly that beneficiaries or project and business partners are not persons or entities covered by applicable EU sanctions or other terrorist organisations.
- Determine in advance
- under what conditions
- can access how much money
- The management as well as the staff involved in the project should be aware of the risks and take appropriate risk-mitigating measures. They should also be trained or informed accordingly.
- Adapt your measures to the identified risks. For example, if you have identified a high risk of diversion locally, increase the screening of local project partners.
- Document every transaction step from receipt of the money to its use in the target project and archive this documentation for an appropriate period of time (for example five years).
- Where possible, carry out follow-up checks to ensure that aid has been delivered as intended.
- The three lines of defence model can play an important role in risk management. Each of the three lines of defence has a specific role to play in an organisation's broader governance framework. For example, the first line of defence may be frontline staff taking preventative action. The second line of defence is compliance staff who conduct spot checks and verify implementation. The third line of defence is the organisation's internal audit team, which ensures the effectiveness of internal control procedures through regular audits. It is important that all three lines of defence understand their roles and are trained accordingly.
Best practices for cooperation with credit and financial institutions
- Establish contact points for your bank and respond promptly to their requests for information. If possible, give the bank advance notice of any anticipated delays in providing the information and explain them.
- Answer all questions and, where appropriate, explain the circumstances of the transaction or relationship (taking into account that your bank is not a specialist humanitarian organisation). Answers should be substantive to reduce the need for follow-up questions.
- Only use credit and financial institutions that are licensed and supervised. When doing business with non-licensed providers, you risk losing the donations through fraud. An overview of all providers licensed in Austria can be found in the FMA's company database.
- Contact your bank at an early stage. Provide a summary of your proposed programme, including the intended beneficiaries, the selection of beneficiaries, the programme to be implemented, the timetable, the project partners and the award procedures.
- Be prepared to help your bank understand your procedures – it is not a specialised humanitarian organisation and may not be familiar with the controls you have put in place. To comply with their legal obligations banks need to understand how you operate, what your purposes are as well as the anticipated frequency and volume of your transactions.
- Be transparent and as detailed as possible and build trust with your bank. For complex scenarios, explain how you carried out your project planning, which sanctions lists you checked, which criteria you use to select your project partners and how you will deal with potential risk scenarios.
Best practices in case of suspicions
- File a suspicious activity report with the Financial Intelligence Unit and follow all further instructions of the Financial Intelligence Unit. Information on how to recognise suspicious circumstances can be found on the homepage of the Financial Intelligence Unit and in a circular of the FMA.
- In this context it is also useful to inform and sensitise employees so that they are able to recognise possible indications or suspicious patterns in connection with terrorist financing. This could be done, for example, through training or information sessions (internal or external).
- If necessary, update your risk assessment and preventive measures.
Further information on cooperation with credit and financial institutions
In order to comply with their legal obligations credit and financial institutions carry out risk assessments of their customers and adapt their due diligence obligations to the risk identified. Credit and financial institutions must ensure that the information they request is proportionate to the risks.
Risk assessment and transaction monitoring by credit and financial institutions take different aspects into account. Receipt of donations of very different amounts from different donors, transactions with new countries due to newly approved projects (not listed at the beginning of the relationship), fewer staff than expected (e.g. due to a large number of volunteers in the field), transactions with high-risk countries (where aid and services are needed), online crowdfunding, absence of donors in the country of residence – these situations can occur in the context of NPO operations. In the context of transaction monitoring by credit and financial institutions they may represent anomalies and lead to enquiries.
Risk factors in the not-for-profit sector may exist in the following areas, among others:
- The countries in which the NPO is active
- The type of activities the NPO engages in
- Organisational structure
- Transactions and funding
This does not mean that an NPO with one or more risk factors is actually involved in financial crime. However, the bank may ask more detailed questions about each of these risk factors in order to assess the risk of money laundering or terrorist financing.
The risk assessment as a whole gives an indication of the level of risk and includes not only the sum of the individual answers, but also the coherence and logic between the different risk factors.
- The countries in which the NPO is active
Certain countries are more susceptible to money laundering, terrorist financing or other financial crimes and are included on high-risk country lists, such as those published by the European Commission or the FATF.
Credit and financial institutions take these lists into account and also assess whether the NPO is registered in or operates from a foreign country. This includes foreign banking relationships, board members living abroad, and transactions to or from abroad. In addition, credit and financial institutions must comply with applicable sanctions regulations and investigate possible violations of these sanctions.
Please consider the following points:
- Does your organisation's name include a high-risk or sanctioned country? This may result in queries from the bank or from a correspondent bank required to process transactions.
- Do the funds originate from conflict or post-conflict countries, higher risk countries or sanctioned countries? The European Commission and the FATF identify certain countries as high-risk. Explain what measures your organisation takes to ensure that funds do not originate from illicit sources in these countries.
- Do you fund activities in conflict, post-conflict, high-risk or sanctioned countries? Have you taken steps to mitigate the risks?
- Do you conduct activities outside of conflict or high-risk countries, but have visitors from high-risk countries?
- Do you use third party services in conflict, high-risk or sanctioned countries/territories?
- Do your beneficiaries, board members or employees come from areas controlled by terrorist groups?
- The type of activities the NPO engages in
Credit and financial institutions need to know what activities the non-profit organisation is engaged in. Some activities are known to be particularly vulnerable to money laundering or terrorist financing, e.g. when a lot of cash or a relatively large amount of funds are used for printed promotional materials in connection with an engagement in a conflict zone.
Please consider the following points:
- Is there a clear link between your organisational objectives and your actual activities?
- Do you have evidence of your activities, such as an annual report? Quality reports help credit and financial institutions in their assessment. An established track record of the NPO, such as benchmarks, references or a reference to previous activities gives a better idea of the types of activities carried out. Make your track record visible through media links, project summaries, references and short case descriptions.
- Do you have an online presence (social media or website)? We are aware that organisations working mainly with volunteers have less capacity and resources for websites and press releases and/or do not seek media coverage. Similarly, non-profit organisations working on human rights issues in authoritarian regimes sometimes work under the radar and deliberately do not seek media attention and/or a profile of their own. A public presence can help ensure that credit and financial institutions proactively receive information about the non-profit organisation, thus preventing possible misunderstandings.
- How long has your organisation been active? What is your (expected) turnover, what are your funding sources and who are your beneficiaries? Is this information logical and consistent in relation to your activities?
- Has your organisation (or any of its partners, beneficiaries or board members) been the subject of critical reporting in the past? If you are aware of such reporting, it is helpful to provide background information and further explanation. Do not keep quiet about such reporting, but address it proactively.
- Organisational structure
The organisational structure of the NPO must be transparent. A politically exposed person (PEP) associated with the NPO (e.g. a board member) may lead to additional questions being asked during the risk assessment. PEPs are natural persons who hold or held important public office. Because of this position, PEPs are considered to be at a higher risk of money laundering, corruption and embezzlement in the abstract. They may use the non-profit organisation to hide funds or assets that have been misappropriated through the abuse of their official position or through bribery or corruption.
Please consider the following points:
- Do you have a clear organisational structure? Provide an organisational chart showing the responsibilities of each party and the separation between the director's functions and the finances of the non-profit organisation.
- Is the majority of the members of your board independent? Too much distance of these members from the day-to-day operations of the non-profit organisation can be a risk factor as the members may not be sufficiently able to identify risks and act accordingly when needed.
- Does your organisation have three or more board members? Is there equal "ownership or control", i.e. can one board member not dominate decision-making?
- Is any of your staff or board members a PEP? Please note that in some cases people who are family members or business partners of a PEP may also be asked additional questions during the risk assessment.
- Does the PEP involved in the NPO has control over the transactions of the NPO?
- Did you make provision for the possible end of your NPO? The articles of association or statutes of the NPO may stipulate that the financial resources remaining after the dissolution of the NPO should be used for a NPO with a similar objective.
- Transactions and funding
The NPO's funds and (expected) transactions must be consistent with the NPO's mission. Many transactions to and from foreign countries, critical reporting on the NPO's funds or inconsistent funding may raise risk assessment questions. The key is how the organisation knows that the funds, goods or activities provided reached the intended recipients and what controls are in place to ensure proper use.
Transactions may be blocked or delayed if there are similarities to suspicious behaviour or indicators. Some reasons for this, particularly for non-profit organisations, may be incomplete information required for the transaction or additional information required by the correspondent bank (often a foreign bank processing part of the transaction).
Please consider the following points:
- What types of transactions do you expect to carry out? Explain the different types (including estimates of amount and number) of transactions.
- Can you demonstrate that your transactions follow logically from your activities? Do you have supporting documentation for your payments (and donations), e.g. receipts, estimates, invoices? If you are a new organisation, explain how you will handle transactions.
- Can you demonstrate that you know the source of your funds and the final destination/beneficiary? Give examples of the aid chain in conflict and high risk areas and explain the control and transparency measures.
- Can you explain the link between your organisation's source of funding, your type of organisation and your activities? Make a clear link between these three elements. If you think this might be difficult to understand consider how you can improve understanding, for example by providing examples of established NPOs.
- Do you receive funding from individuals who are considered PEPs? This is particularly important for your major donors (your largest donors relative to all donors).
- FATF Lists
- FATF Best Practices Paper
- EU list of high-risk third countries
- Overview of EU Sanctions
- Financial Intelligence Unit
- National Risk Assessment 2021 (PDF, 1 MB)
- FMA Circular on risk assessment
- FMA Circular on reporting
 These best practices were formulated on the basis of a comprehensive consultation of national stakeholders. They are also informed by international best practices and research reports: FATF (2015) “Best Practices Paper on Combating the Abuse of Non-Profit Organisations (Recommendation 8)”; FATF (2014) “Risk of terrorist abuse in non-profit organisations”; Australian Government (2009) “Safeguarding your organisation against terrorism financing”; Dr. Justine Walker (2020) “Risk Management Principles Guide for Sending Humanitarian Funds into Syria and Similar High-Risk Jurisdictions”; Singapore Office of the Commissioner of Charities (2015) “Protecting your Charity Against Money Laundering and Terrorist Financing”; Norwegian Refugee Council (2020) “Toolkit for Principled Humanitarian Action. Managing Counterterrorism Risks”; Dutch Ministry of Finance (2021) “Risico op misbruik Non-Profit Organisaties voor financiering terroristische activiteiten”; ABN Amro (2023) “Information and tips for associations and foundations”