The crucial role of a business-wide risk assessment
In its recently revised ML/TF Risk Factors Guidelines, EBA stated that financial institutions should use the findings from their business-wide risk assessment to inform their AML/CFT policies, controls and procedures, as set out in Article 8(3) and (4) of Directive (EU) 2015/849. This is to ensure that their business-wide risk assessment also reflects the steps taken to assess the ML/TF risk associated with individual business relationships or occasional transactions and their ML/TF risk appetite.
To comply with Guideline 1.18, and also having regard to Guidelines 1.21 and 1.22 of the revised EBA ML/TF Risk Factors Guidelines, financial institutions should use the business-wide risk assessment to inform the level of initial customer due diligence that they will apply in specific situations, and to particular types of customers, products, services and delivery channels. And finally, customer risk assessments should inform, but are no substitute for, a business-wide risk assessment.
Even though the business-wide and customer risk assessments are different and separate processes, they are interdependent. This means you need to know how to use them and how they interact between each other, in order to have an overall effective ML/TF risk assessment procedure.
As highlighted before, a customer risk assessment should be informative, but can not be a replacement for a business-wide risk assessment. The findings of the business wide risk assessment should be used to help the customer risk assessment as well as the other way around.
Using the findings of the business risk assessment to help the customer risk assessment
First of all, financial institutions should use the findings from their business-wide risk assessment to inform your AML/CFT policies, procedures and controls, as set out in Article 8(3) and (4) of the fourth EU AML Directive. It is important to ensure that the business-wide risk assessment also reflects the steps taken to assess the risks associated with individual business relationships or occasional transactions and their money laundering and/or terrorist financing risk appetite. The business-wide risk assessment should be used to inform the level of initial customer due diligence that financial institutions will apply in specific situations, and to particular types of customers, products, services and delivery channels.
Zooming in on the latter, financial institutions should adjust the extent of initial CDD measures on a risk-sensitive basis, taking into account the findings from their business-wide risk assessment. Where the risk associated with a business relationship is likely to be low, and to the extent permitted by national legislation, it may be able to apply simplified
customer due diligence measures (SDD).
Where there are indications however that the risk may not be low, for example where there are grounds to suspect that money laundering or terrorist financing is being attempted or where there is doubt about the veracity of the information obtained, SDD must not be applied. Equally, where specific high risk scenarios apply and there is an obligation to conduct EDD, SDD must not be applied.
Secondly, financial institutions should also use the findings of their customer risk assessments to review the effectiveness of the business-wide risk assessment, propose
improvements, after they have seen the process conducted on a case-by-case basis.
Why is this important?
Not only is it a regulatory expectation and compliance obligation which is being more and more enforced by national AML/CFT regulators such as DNB in the Netherlands, it also forms the basis of an institution’s risk-based approach. It enables any financial institution to understand how, and to what extent, it is vulnerable to money laundering and terrorist financing. The EBA has therefore decided to amend Guideline 1.12 by making it explicit that the holistic approach should also be applied in the business-wide risk assessment.
In other words, for financial institutions to be able to really know their customers and their customer’s money laundering and terrorist financing risks, they need to know their own
business-wide risks first.