
Risk-based approach: the necessary tool to comply with AML/CTF regulations

On 26 June 2015, Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Directive (EU) 2015/849) entered into force. This Directive aims, inter alia, to bring European Union legislation in line with the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation that the Financial Action Task Force (the FATF), the international Anti-Money Laundering/Counter Terrorism Financing (AML/CTF) standard setter, adopted in 2012. In line with the FATF’s standards, Directive (EU) 2015/849 puts the risk-based approach at the centre of the European Union’s AML/CTF regime.

The measures and procedures implemented by a regulated entity in the financial sector must be appropriate to the risks that it runs. This allows regulated entities to focus on the areas where they run the highest risk of being used for money laundering and terrorist financing activities. The risk-based approach recognizes that money laundering and terrorist financing risk varies across customers, countries, services and financial instruments, and allows organizations to differentiate between these types of risk. A risk-based approach is typically seen as more cost-effective and as promoting the prioritization of efforts. To manage money laundering and terrorist financing risk in the most cost-effective and proportionate way, a regulated entity must identify and assess the risks associated with different customers, countries and services, and it must ensure that its policies and procedures are effective and appropriate to manage and mitigate those risks. The processes and procedures must be monitored on an ongoing basis and, if necessary, amended.

In other words, a risk-based approach:

  • Recognizes that the money laundering or terrorist financing threat varies across customers, countries, services and financial instruments;
  • Allows the board of directors to differentiate between customers of a regulated entity in a way that matches the risk of their particular business;
  • Allows the board of directors to apply its own approach in the formulation of policies, procedures and controls in response to a regulated entity’s particular circumstances and characteristics;
  • Helps to produce a more cost-effective system; and
  • Promotes the prioritization of effort and actions of a regulated entity in response to the likelihood of money laundering or terrorist financing occurring through the use of services provided by it.

A risk-based approach involves specific measures and procedures for assessing the most cost-effective and proportionate way to manage the money laundering and terrorist financing risks faced by a regulated entity. Such measures and procedures are:

  • Identifying and assessing the money laundering and terrorist financing risks emanating from particular customers, financial instruments, services, and geographical areas of operation of a regulated entity and its customers;
  • Documenting in the risk management and procedures manual the policies, measures, procedures and controls to ensure their uniform application across a regulated entity by persons specifically appointed for that purpose by the board of directors;
  • Managing and mitigating the assessed risks by the application of appropriate and effective measures, procedures and controls;
  • Continuous monitoring and improvements in the effective operation of the policies, procedures and controls.

The Directive (EU) 2015/849 recognizes that the risk of Money Laundering/Terrorist Financing (ML/TF) can vary and that Member States, competent authorities and regulated entities have to take steps to identify and assess that risk with a view to deciding how best to manage it. For regulated entities, Customer Due Diligence (CDD) is central to this process, for both risk assessment and risk management purposes.

CDD means:

  • Identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
  • Identifying the customer’s beneficial owner and taking reasonable measures to verify their identity so that the obliged entity is satisfied that it knows who the beneficial owner is;
  • Assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship; and
  • Conducting ongoing monitoring of the business relationship. This includes transaction monitoring and keeping the underlying information up to date.

Directive (EU) 2015/849 provides that regulated entities can determine the extent of these measures on a risk-sensitive basis. It also provides that where the risk associated with the business relationship or occasional transaction is low, Member States may allow regulated entities to apply simplified customer due diligence (SDD) measures instead. Conversely, where the risk associated with the business relationship or occasional transaction is increased, regulated entities must apply enhanced customer due diligence (EDD) measures.

For a better understanding, let’s walk briefly through the steps a regulated entity takes when accepting a client and continuing the business relationship. During client acceptance and throughout the relationship, a risk assessment should take place and consist of two steps: the identification of ML/TF risk and the assessment of ML/TF risk. Regulated entities should find out which ML/TF risks they are, or would be, exposed to as a result of entering into a business relationship or carrying out an occasional transaction. When identifying the ML/TF risk associated with a business relationship or occasional transaction, regulated entities should consider relevant risk factors, including who their client is, the countries or geographical areas they operate in, the particular products, services and transactions the client requires, and the channels the regulated entity uses to deliver these products, services and transactions. The above risk factors include a large number of subcategories. For example, customer risk factors include the customer’s reputation, whether the customer is a politically exposed person (PEP), professional activity, etc.; geographic risk factors include whether the customer carries out business in a high-risk country and whether there is an adequate AML/CTF regime in the country of the customer’s origin, etc.; product/service risk factors include complexity, value and size, level of transparency, etc.; delivery channel risk factors include whether the customer is non face-to-face, the nature of the introducers who brought the customer to the regulated entity, etc. As a result, regulated entities have to weigh the risk factors to determine the final category of the client’s risk: low, medium or high.

Schematically this can be represented as follows:

After determining whether the client falls into the low, medium or high risk category, a regulated entity has to perform, accordingly, Simplified Customer Due Diligence, Customer Due Diligence or Enhanced Customer Due Diligence. CDD is the standard procedure described above. Under SDD, less information may be requested from the low-risk client and the ongoing monitoring procedures may be performed in a lighter form. Under EDD it is the reverse: additional information may be requested and ongoing monitoring has to be performed more strictly.

It is important that the type of due diligence measures applied is effective and proportionate to the risks. That is why the weighting of the risk factors is so important. Here we have described a schematic, simplified example of how the risk-based approach has to work. In practice the process is much more complicated: clients may fall into different risk categories; the risk categories may be not only low, medium and high but also low-to-medium, medium-to-high, etc.; and the scope of information may be very large, in which case a special computer program must be used.
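As an added illustration of the weighting step (this is example code, not code from the article or from any regulator), a small Python model that assigns assumed weights to indicators from the four factor groups named above, sums them, maps the score to a risk band and then to SDD, CDD or EDD. The escalation of PEP and high-risk-country indicators to "high" regardless of score is this example's own choice, and all weights, thresholds and the intermediate bands are assumed values.

```python
# Added illustration (not from the article): weighted risk-factor scoring that
# yields a client risk category and the matching due diligence level.
# All weights, thresholds and band names are assumed values, not regulatory ones.

# Assumed weights per observed indicator, grouped by the four factor groups
# the text names: customer, geography, products/services, delivery channel.
INDICATOR_WEIGHTS = {
    "customer": {"pep": 40, "adverse_media": 20, "cash_intensive": 15},
    "geography": {"high_risk_country": 35, "weak_aml_regime": 15},
    "product": {"complex_structure": 15, "high_value": 10, "low_transparency": 15},
    "channel": {"non_face_to_face": 10, "unregulated_introducer": 15},
}

# Indicators this model escalates to "high" regardless of the score (assumption).
MANDATORY_HIGH = {("customer", "pep"), ("geography", "high_risk_country")}

# Assumed score bands (exclusive upper bound), including the intermediate
# categories the text mentions; a score at or above the last bound is "high".
BANDS = [(20, "low"), (35, "low-to-medium"), (55, "medium"), (70, "medium-to-high")]

DUE_DILIGENCE = {"low": "SDD", "low-to-medium": "CDD", "medium": "CDD",
                 "medium-to-high": "EDD", "high": "EDD"}


def weighted_score(indicators: dict) -> int:
    """Sum the weights of every observed indicator.

    `indicators` maps a factor group to the indicator names observed for the
    client. An unknown group or name raises KeyError instead of scoring 0, so a
    mistyped input cannot silently lower the client's risk.
    """
    return sum(INDICATOR_WEIGHTS[group][name]
               for group, names in indicators.items() for name in names)


def risk_category(indicators: dict) -> str:
    """Weigh the factors and return the final client risk category."""
    if any(name in indicators.get(group, ()) for group, name in MANDATORY_HIGH):
        return "high"
    score = weighted_score(indicators)
    for upper_bound, label in BANDS:
        if score < upper_bound:
            return label
    return "high"


def due_diligence_level(indicators: dict) -> str:
    """Map the category to SDD, CDD or EDD as the text describes."""
    return DUE_DILIGENCE[risk_category(indicators)]
```

A constructed client onboarded remotely from a jurisdiction with a weak AML regime scores 25 and lands in the assumed "low-to-medium" band, so standard CDD applies; a single PEP indicator forces EDD however low the rest of the score is.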

To support its understanding of the risk-based approach, a regulated entity may use the various Guidelines issued by the relevant authorities. The latest Guidelines are:

  • Joint Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on simplified and enhanced customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions, issued by the European Supervisory Authorities (ESAs) on 26.06.2017 and updated on 04/01/2018;
  • FATF Guidance for a Risk-Based Approach for the Securities Sector, issued in 2018.

In conclusion, we want to draw your attention to the fact that a regulated entity in the financial sector has the responsibility to identify, record and evaluate all potential risks. The successful establishment of measures and procedures under a risk-based approach requires clear communication of the decided measures and procedures across the regulated entity, along with robust mechanisms to ensure that they are implemented effectively, that weaknesses are promptly identified, and that improvements are made wherever necessary. A risk-based approach is a prerequisite and a necessary tool that helps regulated entities comply with AML/CTF legislation.