September 29, 2021

In its recently revised ML/TF Risk Factors Guidelines, the EBA stated that financial institutions should use the findings from their business-wide risk assessment[1] to inform their AML/CFT policies, controls and procedures, as set out in Article 8(3) and (4) of Directive (EU) 2015/849. This is to ensure that their business-wide risk assessment also reflects the steps taken to assess the ML/TF risk associated with individual business relationships or occasional transactions, as well as their ML/TF risk appetite.

To comply with Guideline 1.18, and also having regard to Guidelines 1.21 and 1.22 of the revised EBA ML/TF Risk Factors Guidelines, financial institutions should use the business-wide risk assessment to inform the level of initial customer due diligence that they will apply in specific situations, and to particular types of customers, products, services and delivery channels. Finally, customer risk assessments should inform, but are no substitute for, a business-wide risk assessment.

Even though the business-wide and customer risk assessments are different and separate processes, they are interdependent. This means you need to know how to use them and how they interact with each other in order to have an overall effective ML/TF risk assessment procedure.

As highlighted before, a customer risk assessment[2] should be informative, but cannot be a replacement for a business-wide risk assessment. The findings of the business-wide risk assessment[3] should be used to inform the customer risk assessment, and vice versa.

Using the findings of the business risk assessment to help the customer risk assessment

First of all, financial institutions should use the findings from their business-wide risk assessment to inform their AML/CFT policies, procedures and controls, as set out in Article 8(3) and (4) of the fourth EU AML Directive. It is important to ensure that the business-wide risk assessment also reflects the steps taken to assess the risks associated with individual business relationships or occasional transactions, as well as their money laundering and/or terrorist financing risk appetite. The business-wide risk assessment should be used to inform the level of initial customer due diligence that financial institutions will apply in specific situations, and to particular types of customers, products, services and delivery channels.

Zooming in on the latter, financial institutions should adjust the extent of initial CDD measures on a risk-sensitive basis, taking into account the findings from their business-wide risk assessment. Where the risk associated with a business relationship is likely to be low, and to the extent permitted by national legislation, they may be able to apply simplified customer due diligence measures (SDD).

Where, however, there are indications that the risk may not be low, for example where there are grounds to suspect that money laundering or terrorist financing is being attempted or where there is doubt about the veracity of the information obtained, SDD must not be applied. Equally, where specific high-risk scenarios apply and there is an obligation to conduct EDD, SDD must not be applied.

Vice versa

Secondly, financial institutions should also use the findings of their customer risk assessments to review the effectiveness of the business-wide risk assessment and to propose improvements, once they have seen the process applied on a case-by-case basis.

Why is this important?

Not only is it a regulatory expectation[4] and compliance obligation that is increasingly enforced by national AML/CFT regulators such as DNB in the Netherlands, it also forms the basis of an institution’s risk-based approach. It enables any financial institution to understand how, and to what extent, it is vulnerable to money laundering and terrorist financing. The EBA has therefore decided to amend Guideline 1.12 by making it explicit that the holistic approach should also be applied in the business-wide risk assessment.

In other words, for financial institutions to be able to really know their customers and their customers’ money laundering and terrorist financing risks, they need to know their own business-wide risks first.

© Pierre Simon, 2021

[1] Also known as the Systematic Integrity Risk Analysis (SIRA) in the Netherlands.

[2] A customer risk assessment must be undertaken by any regulated entity prior to the establishment of each individual business relationship or the carrying out of occasional transactions, with, or for, that customer in order to estimate the risk of money laundering or terrorist financing posed by a customer.

[3] A business-wide risk assessment, known in the Netherlands as the SIRA, identifies, analyzes and evaluates the money laundering and terrorist financing risks to which financial institutions are exposed as a result of the nature and complexity of their business.

[4] The AMLD in recital 22 refers to a holistic, risk-based approach for all ML/TF risks in the sense of comprehensive risk-based methods and monitoring approaches, not only at individual level but also at business-wide level.