Best practices for NPOs
Terrorism has many different forms. It refers to criminal acts of violence against people or property with the intention of achieving a political, religious or ideological goal (in contrast to money laundering, which is strongly characterised by a personal profit motive). The fight against terrorist financing covers all manifestations of terrorism.
Terrorist financing refers to the provision or collection of assets to carry out terrorist acts or to support for a person who intends to carry out such acts or for a member of a terrorist organisation with the knowledge that it intends to carry out such acts (Art. 278d StGB). It is irrelevant whether this is committed out of sympathy with the aims of the terrorist or the terrorist organisation. In contrast to money laundering (Art. 165 StGB), both illegal and legal assets can be used for terrorist financing, e.g. donations, profits from companies, income, etc.
Additional prohibitions apply to the support of an anti-state association with funds (Art. 246 para 2 StGB), the support of an anti-state movement with substantial funds (Art. 247a para 2 StGB) as well as the support of a religiously motivated extremist association with substantial funds (Art. 247b para 2 StGB).
The misuse of non-profit organisations for terrorist purposes can take various forms. These include pretending to be a legitimate non-profit organisation, misusing a legitimate non-profit organisation to finance terrorism, and diverting aid money from legitimate projects.
Non-profit organisations provide enormously important assistance and services in many areas of life, not only in Austria, and fulfil socially and democratically important social and charitable tasks. Precisely because of the high level of public trust, non-profit organisations can be attractive targets for terrorist groups. Conversely, even a few cases of terrorist financing can damage the reputation of the non-profit sector, including the volume of donations.
Since the purposes of non-profit organisations are usually very diverse and address all sections of society, they can also be abused by terrorist organisations in various ways. These include abuse of their services, the use of their financial resources or abuse by their staff. The risk of such abuse may increase if NPOs' governance structures and financial controls are weak.
The risks for NPOs of being abused for terrorist financing are not the same. A greater risk of abuse exists for NPOs that provide assistance in close proximity to an active terrorist threat. This may relate to a NPO (i) operating in an area of conflict where there is an active terrorist threat, or (ii) operating in a country where there is no conflict but where terrorist organisations are seeking to win over populations. In both cases, the key variable of risk is not the geographical location, but the proximity to an active terrorist threat. Importantly, this does not always correspond to geographical areas of conflict or areas with low state presence.
In areas of conflict or low state presence, where terrorist groups do not or cannot operate, non-profit organisations may be exposed to risks related to corruption or other forms of crime, but not necessarily to terrorist financing. Conversely, terrorist groups may actively target populations in relatively stable environments.
The fight against terrorist financing is governed in particular by the Financial Action Task Force and its 40 Recommendations on the Prevention of Money Laundering and Terrorist Financing as well as European Union initiatives for harmonised implementation.
This guideline presents best practices to identify, mitigate and manage terrorist financing risks.
Terrorist Financing Threats
The following threat scenarios reflect practical experience. As terrorist groups actively seek new opportunities for abuse, you may also be confronted with additional threats in the course of your activities.
- Diversion of funds: Actors within the NPO or external actors (such as foreign partners or third-party fundraisers) may divert funds to support terrorist groups at some point in the NPO's operational or financial processes.
- Relationships with a terrorist group: NPOs or their employees may knowingly or unknowingly have relationships with a terrorist group. This can lead to a non-profit organisation being misused for terrorist purposes, including providing logistical and financial support to the terrorist organisation. The payment of "protection money" to terrorist groups or the use of services from companies that are close to or controlled by terrorist groups is also subject to the terrorist financing prohibition. When determining risk, it must be taken into account whether regulated local organisations or individuals are involved.
- Abuse in support of recruitment efforts of terrorist groups: This occurs, for example, when NPO staff sympathise with terrorist groups and use their work in the NPO to promote terrorist groups.
- Misuse of programmes at the destination: even if the flow of funds is legal, projects of the non-profit organisations can be misused at the destination. This includes, for example, the takeover of completed aid projects such as schools by terrorist groups.
Best Practices for Financial Transparency in Non-Profit Organisations
- Clear internal rules are necessary for the financial management of a NPO to ensure both transparency and measures to prevent terrorist financing. These rules should include regular and effective internal monitoring and review.
- It is advisable to draw up a mission statement setting out a clear rejection of any support for terrorism, money laundering or other criminal activities. This can be anchored in the statutes, for example.
- Financial management should be transparent, with comprehensible accounting and reporting, transparent bank accounts, use of regulated financial channels, and controls on the distribution and withdrawal of funds.
- Potential risks within an NPO should be identified and regularly reviewed (through a risk assessment).
- Projects, especially those with elevated risks, should be subject to regular reviews and audits.
- It is advisable to provide checklists for each step of a project to ensure financially transparent monitoring
Best practices for the risk assessment
- In order to identify and manage the risks of terrorist financing, a risk assessment is advisable.
- A risk assessment should be carried out if NPOs operate in proximity to active terrorist threats (as explained above). It can be prepared per project or country.
- You can use the following example structure:
- assess the threat scenarios listed above and any other identified threats. You can use the values low (1), medium (2), high (3) or very high (4).
- Assess how vulnerable your organisation is to each identified threat scenario. You can use the values low (1), medium (2), high (3) or very high (4).
- List the risk mitigating measures (e.g. auditing of project partners, documentation of payment flows, 4-eyes principle when approving payments) you will apply and assess how these measures affect your risk.
- Calculate the total risk according to the formula: 40% threat + 60% vulnerability - risk mitigating measures = total risk.
- the total value determined reflects the risk of terrorist financing. Individual identified areas of higher risk should be given special consideration in project implementation. Possible measures include stronger monitoring of business partners and/or transactions. If the risk limit defined internally by the organisation is exceeded, certain projects should not be carried out or only under modified conditions.
- The country reports of the Financial Action Task Force can serve as information on the risks of terrorist financing. Jurisdictions with a high risk of money laundering and terrorist financing can be found on the corresponding country lists of the Financial Action Task Force and the European Commission. You can also consult information from the authorities and articles from reputable newspapers or research institutes. If you or trustworthy sources already have a local presence, you can also draw on this information.
- The risk assessment figure reflects an assessment of your own risk and should be reviewed regularly. It should also be reviewed if any essential parameters change, e.g. new projects in new countries.
- The risk assessment is used to derive preventive measures as well as to coordinate with the organisation's internal risk strategy, risk preferences, risk tolerances and risk limits.
- For further information on the preparation of a risk assessment and practical examples, you can refer to the National Risk Assessment 2021 (PDF, 1 MB) and the FMA circular on this topic.
Best practices for project management
- Make sure that the management and staff involved in the project are trustworthy. You can do this by, among other things, asking for references, criminal records or checking against EU sanctions lists.
- Make sure you know your beneficiaries. Depending on the identified risk of the project, you should have at least basic information about your beneficiary group.
- Make sure you know your project and business partners. You can use, among other things, information from the authorities, articles from reputable newspapers or research institutes, cross-checking with EU sanctions lists, obtaining information on the beneficial owners, and trustworthy local respondents.
- Check regularly that beneficiaries or project and business partners are not persons or entities covered by applicable EU sanctions or other terrorist organisations.
- Determine in advance
- under what conditions,
- can access how much money.
- The management as well as the staff involved in the project should be aware of the risks and take appropriate risk-mitigating measures. They should also be trained or informed accordingly.
- Adapt your measures to the identified risks. For example, if you have identified a high risk of diversion locally, increase the screening of local project partners.
- Document every transaction step from receipt of the money to its use in the target project and archive this documentation for an appropriate period of time (for example five years).
- Where possible, carry out follow-up checks to ensure that aid has been delivered as intended.
Best practices for cooperation with credit and financial institutions
- Only use credit and financial institutions that are licensed and supervised. When doing business with non-licensed providers, you risk losing the donations through fraud. An overview of all providers licensed in Austria can be found in the FMA's company database.
- Contact your bank at an early stage. Provide a summary of your proposed programme, including the intended beneficiaries, the selection of beneficiaries, the programme to be implemented, the timetable, the project partners and the award procedures.
- Be prepared to help your bank understand your procedures – it is not a specialised humanitarian organisation and may not be familiar with the controls you have put in place. To comply with their legal obligations, banks need to understand how you operate, what your purposes are and to what extent and how frequently you plan to make payments.
- Be transparent and as detailed as possible and build trust with your bank. For complex scenarios, explain how you have carried out your project planning, what sanctions lists you have checked, what criteria you use to select your project partners and how you will deal with potential risk scenarios.
Best practices in case of suspicions
- File a suspicious activity report with the Financial Intelligence Unit and follow all further instructions of the Financial Intelligence Unit. Information on how to recognise suspicious circumstances can be found on the homepage of the Financial Intelligence Unit and in a circular of the FMA.
- In this regard, it also makes sense to inform and sensitise employees accordingly so that they are in a position to recognise possible indications or conspicuous features in connection with terrorist financing. This could take place, for example, within the framework of (internal or external) training or information events.
- If necessary, update your risk assessment and preventive measures.
- FATF Lists
- FATF Best Practices Paper
- EU list of high-risk third countries
- Overview of EU Sanctions
- Financial Intelligence Unit
- National Risk Assessment 2021 (PDF, 1 MB)
- FMA Circular on risk assessment
- FMA Circular on reporting
 These best practices were formulated on the basis of a comprehensive consultation of national stakeholders. They are also informed by international best practices and research reports: FATF (2015) “Best Practices Paper on Combating the Abuse of Non-Profit Organisations (Recommendation 8)”; FATF (2014) “Risk of terrorist abuse in non-profit organisations”; Australian Government (2009) “Safeguarding your organisation against terrorism financing”; Dr. Justine Walker (2020) “Risk Management Principles Guide for Sending Humanitarian Funds into Syria and Similar High-Risk Jurisdictions”; Singapore Office of the Commissioner of Charities (2015) “Protecting your Charity Against Money Laundering and Terrorist Financing”