Insights

In terms of Article 5(1) of the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”), each subject person is required to “to identify and assess the risks of money laundering and funding of terrorism that arise out of its activities or business, taking into account risk factors including those relating to customers, countries or geographical areas, products,  services,  transactions  and  delivery  channels  and  shall furthermore take into consideration any national or supranational risk assessments relating to risks of money laundering and the funding of terrorism”. This obligation translates into having a business risk assessment (“BRA”) assessing, as a minimum, the money laundering and funding of terrorism risks of the subject person.

The BRA is to be documented and is required to be updated whenever new threats and vulnerabilities are identified, whenever there are changes to its business model/structures/activities, and/or whenever there are changes to the external environment within which the subject person is operating. Subject persons should therefore be mindful of the environment in which they operate, and the risks to which they are exposed to by virtue of operating in such sector. Any new risks identified should feature within its BRA and the relevant controls to be applied should be documented accordingly.

In the event that any of the above scenarios do not materialise within a particular year, the subject person is nonetheless required to review its BRA on an annual basis and ascertain whether any changes are required.

The below are some tips to bear in mind when undertaking your next BRA review:

• The BRA in terms of Article 5(1) of the PMLFTR should be limited to assessing money laundering, funding of terrorism risks and sanctions risks and should not take into account other operational risks of the company.

• The BRA methodology should be documented. The methodology should set out the manner in which the BRA is structured, the sources used in order to identify the risks, the manner in which the likelihood and the impact of each risk scenario is assessed, the manner in which inherent risk is calculated based on the likelihood and the impact, the manner in which the effectiveness of the controls is assessed, and how the respective controls would impinge on the inherent risk of the specific risk (which would ultimately result in the residual risk). The subject person should also determine whether the relevant risk is within its risk appetite, and in the event that it does not fall within the risk appetite, the measures to be taken by the subject person.

• The BRA should, at least, take into account risks emanating from the type of customers serviced, geographical connections, the type of products or services that offered and/or type transactions carried out, as well as the delivery channel. Irrespective of the fact that all clients may be exposed to the same risk (ex. all clients being onboarded on a non-face to face basis), such risks should still feature in the BRA and delve into the controls to be applied. Where applicable, other risks (such as outsourcing risk) should also be taken into account.

• Subject persons should also refer to the supranational risk assessment and the national risk assessment in order to ‘inform’ their BRA on the threats and vulnerabilities to which they are exposed to. Other sources of information (such as FATF guidance papers and reports issued by other reputable institutions) should ideally be referenced in the BRA in order to ensure that the subject person undertakes a holistic assessment of the risks to which it is exposed to.

• The inherent risks identified should be relevant to the subject person in question. Therefore, a thorough assessment of the type of customer type risks, geographical risks, interface risks and service, product and/or transaction risks is to be undertaken and documented. A description of the risk identified should also be documented in order to ensure that the controls implemented in order to mitigate such risks are targeted towards mitigating the risk described.

• The BRA should be data driven in order that senior management may have a better understanding of the risks to which the subject person is exposed to. In this respect, it is key to ensure that the data on which the BRA is based is of good quality and reliable. In cases where the data is not of good quality, the result of the BRA would not be a true reflection of the risks to which the subject person is exposed to, meaning that the subject person may not be managing its risk appropriately.
• Risks identified in the BRA should be quantified in order to ‘inform’ the BRA. In this way the subject person would be better placed to assess the inherent risk which the subject person is exposed to.

• The controls identified for each individual risk in the BRA should be controls which the subject person has in place, and which are implemented. Therefore, a thorough assessment of the controls included in the BRA should be undertaken in order to ensure that the controls mentioned are being documented and implemented in practice.

• Through the BRA, senior management should clearly have visibility of the inherent risk, level of control, and residual risk of each risk pillar (ie customer risk, geographical risk, product, service and/or transaction and interface risk). In this way, senior management would be aware of those risk pillars driving up its risk profile and senior management may then focus their efforts towards mitigating the relevant sub-sets of risks within such risk pillar.

• The subject person should also generate an overall risk profile of the subject person, based on the results of the risks assigned to each risk pillar.

• The MLRO should report to senior management the results of the BRA in order that senior management has sufficient visibility of the risks to which it exposed to and could have a meaningful discussion on such risks, and any measures which they wish to implement in order to manage such risk in a more suitable manner.

The BRA review exercise should not be simply viewed as a routine exercise. If undertaken with the right mindset, the BRA should provide valuable information through which the risks of the subject person are discussed, in a meaningful manner, at senior management level. This would not only reduce the relevant money laundering, funding of terrorism and sanctions risk but also would reduce the legal, regulatory and reputational damage risk.

Should you have any questions regarding the contents of this article and/or the establishment and implementation of a business risk assessment, please do not hesitate to contact Mario Zerafa.