An analysis of the European ML/TF Risk Factors Guidelines

Article 17 and 18(4) of Directive (EU) 2015/849 required the European Supervisory Authorities (EBA, ESMA and EIOPA) to issue guidelines to support firms with this task and to assist competent authorities when assessing the adequacy of firms’ application of simplified and enhanced customer due diligence measures. The aim was to promote the development of a common understanding, by firms and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied.

In accordance with Article 16(3) of the EBA Regulation, competent authorities and financial institutions in the European Union must make every effort to comply with the Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (‘The ML/TF Risk Factors Guidelines’). As further laid down in this provision, each competent authority shall confirm, within 2 months of the issuance of any guideline or recommendation issued by one of the ESAs, whether it complies or intends to comply with that guideline or recommendation. In the event that a competent authority does not comply or does not intend to comply, it shall inform the Authority, stating its reasons.

These Guidelines were issued on 1 March 2021; competent authorities should have confirmed by 07 October 2021 that they comply or intend to comply with them.

What about financial institutions?

Although these timelines do not apply to financial institutions, they are expected to have at least thoroughly analysed the ML/TF Risk Factors Guidelines and made the necessary amendments to their AML/CFT compliance framework.

With tens of thousands of financial institutions in the European Economic Area (EEA), of which over 5,200 are banks alone, it is not unimaginable that most firms have not (yet) done this analysis.

What are the ML/TF Risk Factors Guidelines?

The Guidelines are divided into two parts:

The first title (Title I) is pretty generic and applies to all firms. It has been designed to equip firms with the tools they need to make informed, risk-based decisions when identifying, assessing and managing ML/TF risk associated with: 

  • Individual business relationships or 
  • Occasional transactions.


The second title (Title II) is sector-specific and complements the generic guidelines in Title I. It sets out risk factors that are of particular importance in certain of those sectors and provides guidance on the risk-sensitive application of Customer Due Diligence measures by firms in those sectors. So as to foster greater convergence of supervisory expectations of the measures firms should take to tackle emerging risks, additional sectoral guidelines have been added on: 

  • Crowdfunding platforms, 
  • Providers of currency exchange services, 
  • Corporate finance, and 
  • Payment initiation services providers (PISPs) and account information service providers (AISPs).


In total, Title II therefore now contains thirteen sectoral guidelines covering very different key financial sectors, for instance: 

  • Correspondent banking, 
  • Retail banking, 
  • Electronic money, 
  • Money remittance, 
  • Life insurance, and 
  • Investment firms.


Together, Title I and Title II promote the development of a common understanding, by firms and competent authorities across the EU, of what the risk-based approach to AML/CFT entails and how it should be applied. 

Note that neither these guidelines nor the Directive’s risk-based approach require the exiting of entire categories of customers irrespective of the ML/TF risk associated with individual business relationships or occasional transactions.

What can firms do to comply with these Guidelines?

First of all, firms need to conduct an extensive analysis of all possible gaps between their AML/CFT compliance framework (e.g. business-wide risk assessment, AML/CFT policies, procedures and CDD processes) and the new Guidelines. Based on the identified gaps, relevant actions are to be formulated, planned and executed. These actions include, but are not limited to:

  • Updating the risk assessment methodology, 
  • Conducting a new business-wide risk assessment, 
  • Revising policies and procedures, 
  • Designing and implementing new control measures, and 
  • Remediating customer risk profiles in accordance with the revised policies and procedures.


We at Simon Consulting are ready to help you conduct an extensive ‘ML/TF Risk Factors Guidelines’ gap analysis and guide you through all the necessary steps.
