On the 9th of February 2021, the Financial Intelligence Analysis Unit (FIAU) informed the relevant stakeholders that the 2021 Risk Evaluation Questionnaires (REQs) would be available on the Compliance and Supervision Platform for Assessing Risk (CASPAR) System for completion by subject persons as from 1st March 2021.

An integral part of the REQ is the formulation of the Business Risk Assessment (BRA), which is meant to assess the subject person's risks with respect to money laundering and the financing of terrorism. Furthermore, Article 5 of the Prevention of Money Laundering and Financing of Terrorism Regulations (S.L. 371.01) clearly states that "Every subject person shall take appropriate steps, proportionate to the nature and size of its business, to identify and assess the risks of money laundering and funding of terrorism that arise out of its activities or business, taking into account risk factors including those relating to customers, countries or geographical areas, products, services, transactions and delivery channels and shall furthermore take into consideration any national or supranational risk assessments relating to risks of money laundering and the funding of terrorism". This demonstrates that performing a BRA is an obligation on subject persons.

How to perform an effective risk assessment?

There are four key phases in performing an effective risk assessment, as follows:

"Phase 1: Identify the money laundering and terrorist financing risks faced by the different areas of the business, the clients and the markets we serve.
Phase 2: Assess each identified risk by considering the potential likelihood and resulting impact should it occur (inherent risk).
Phase 3: Apply and assess the mitigation measures for each scenario (risk control).
Phase 4: Review the mitigating measures (checks, systems and controls) we have in place or mitigating actions we could take, to bring the level of net risk to an acceptable level (residual risk)."

In order to identify the subject person's inherent risk, an assessment across the following five risk categories is undertaken, although other factors may also be considered in future:

  1. Clients
  2. Products and Services
  3. Interface Risk (or Delivery Channels)
  4. Geographies
  5. Other Qualitative Risk Factors such as employees and third parties.

Risk factors are the underlying causes or circumstances where the subject person may be used for purposes connected to financial crime. Managing the risk factors inadequately could lead to loss of reputation, exposure to legal liability, and possible consequent financial costs.

Each risk scenario is analysed to determine the likelihood of the scenario occurring and the resulting impact. Control measures are implemented to mitigate the inherent risk, which is monitored through regular risk-based internal compliance reviews and reports, AML/CFT policies and procedures, and KYC checklists, irrespective of the type of the client.

Furthermore, each risk factor and control measure is assigned a score (or "weighting") which reflects the level of risk associated with that risk factor and the effectiveness of the risk-mitigating measures. The weighting used may range between 1 and 4 (or 0-100), with 4 being the highest risk weighting that can be assigned per risk factor.

Following the determination of the inherent risk and the control strength of the mitigating factors, residual risk for each scenario is determined by 'subtracting' the total score attributed to the levels of mitigation from the inherent risk score.

After determining the residual risk score, we verify whether this falls within the boundaries of a subject person's risk appetite.

Phase 1: Identification of Risk Factors

In this phase, the subject person needs to identify the money laundering and terrorist financing risks faced by the different areas of the business, and the clients and markets targeted.

i) Clients

The client type, industries, activities, professions and businesses, alongside other factors, can increase or decrease money laundering risk. The categories used to classify the client base and to identify aspects of client risk may be reflected in a Client Risk Assessment.

Each client type is assigned a risk score, depending upon the expected amount of ML/FT risk each type carries.

The volume of clients that fall within each client type is then determined. This data is used to establish what percentage (%) of each client type is rated according to each risk classification (e.g. low, medium, high, or very high risk), in order to determine the overall inherent client risk.

ii) Products and Services

Another major risk factor relates to Products and Services Risk, where the subject person assesses its portfolio of main product/account types and assigns an inherent score to each, based on its general inherent characteristics and the degree of money laundering risk present.

iii) Geography/Country

Identifying jurisdictions that may pose an AML/CFT risk is a core component of any inherent risk assessment and the subject person should seek to understand and evaluate the specific risks associated with doing business with clients in/from certain geographic locations.

As with all the above Risk factors, the Geographic/Country risk assessment is carried out and documented to identify the number of clients within each country. In this context, the subject person should identify the countries that its clients operate in by considering the following:

  • the countries our clients are based in or operate from;
  • where our clients obtain their funding from;
  • where our clients sell most of their goods and services;
  • how our clients are linked to countries through networks, agencies or outsourcing suppliers; and
  • nationalities and permanent residence of our clients' UBOs and directors.

iv) Interface Risk / Delivery Channels Risk

Some delivery channels/servicing methods can increase the risk of money laundering because they bring distance between the client and the subject person. As a result, the subject person may not truly know or understand the identity and activities of the client. Consequently, non-face-to-face relationships or the involvement of third parties, including intermediaries, as well as the expectation that the relationship will be conducted through the internet, are all factors that increase the inherent money laundering risk.

Furthermore, although the provision of services and the carrying out of occasional transactions on a non-face-to-face basis increases the risk of ML/FT and customer impersonation, these relationships and transactions should not automatically be considered to be high risk and the extent of CDD should be determined on the basis of a holistic CRA that also takes into consideration other elements of risk, such as the nature and characteristic of the product, service or transactions being offered or carried out and the type of customer.

v) Other Qualitative Risk Factors

Additional risk factors can have an impact on operational risks and contribute to an increasing or decreasing likelihood of breakdowns in key risk controls, and therefore directly or indirectly affect the subject person's risk exposure and inherent/residual risk. Given that this is a firm-wide business risk assessment, other qualitative risk factors are taken into consideration when assessing the overall risk to which the subject person is exposed.

Additional other qualitative risk factors may be, as follows:

  • Integration of IT systems
  • Expected account/client growth
  • Expected revenue growth
  • Expected AML Compliance employee turnover
  • Reliance on third party providers
  • Recent/Planned introductions of new products and/or services
  • Recent/Planned acquisitions

Phase 2: Determination of Inherent Risk

In this phase, each identified risk is assessed by considering the likelihood of it occurring and the resulting impact if it occurs.

Phase 3: Risk Control

Once the inherent risks have been identified and assessed, internal mitigation controls must be applied and their performance evaluated to determine how effectively they offset the overall risks.

Mitigation controls are programmes, policies or activities put in place by the subject person to protect against the materialisation of an ML/FT risk, or to ensure that potential risks are promptly identified. Controls are also used to maintain compliance with regulations governing the subject person's activities.

Phase 4: Arriving at the Residual Risk

Once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk can be determined. Residual risk is the risk that remains after controls are applied to counter the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls.
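To make the scoring mechanics of Phases 1 to 4 concrete, the following is an added example written for this article, not a tool or model from the FIAU or the CASPAR system. It follows the description above (client types weighted 1-4, client volumes turned into percentages per rating, inherent risk from likelihood and impact, residual risk obtained by subtracting the mitigation score, then a check against risk appetite); the way likelihood x impact is mapped back onto the 1-4 scale, the volume-weighted aggregation of the client score, the mitigation scale of 0-3, the risk-appetite threshold and all sample figures are assumptions made for illustration.

```python
import math

RATING = {1: "low", 2: "medium", 3: "high", 4: "very high"}  # assumed labels for the 1-4 scale

def client_mix(volumes, weights):
    """Percentage of the client base per risk rating (as the article describes) and a
    volume-weighted inherent client score on the 1-4 scale (the weighting is an assumption)."""
    total = sum(volumes.values())
    share = {}
    for ctype, n in volumes.items():
        label = RATING[weights[ctype]]
        share[label] = round(share.get(label, 0.0) + 100.0 * n / total, 1)
    score = sum(weights[c] * n for c, n in volumes.items()) / total
    return share, round(score, 2)

def inherent_rating(likelihood, impact):
    """Map likelihood x impact (each 1-4) onto the 1-4 weighting scale (assumed mapping)."""
    if not {likelihood, impact} <= {1, 2, 3, 4}:
        raise ValueError("likelihood and impact must be 1-4")
    return math.ceil(likelihood * impact / 4)

def residual_rating(inherent, mitigation):
    """Residual = inherent minus mitigation score, as in Phase 4; floored at 1 on the
    assumption that controls reduce but never eliminate a risk."""
    return max(1, inherent - mitigation)

def assess(scenarios, risk_appetite=2):
    """scenarios: {name: (likelihood, impact, mitigation 0-3)}. Returns per-scenario
    ratings and the names whose residual risk exceeds the assumed appetite threshold."""
    out = {}
    for name, (lik, imp, mit) in scenarios.items():
        inh = inherent_rating(lik, imp)
        res = residual_rating(inh, mit)
        out[name] = {"inherent": inh, "residual": res, "label": RATING[res]}
    breaches = [n for n, r in out.items() if r["residual"] > risk_appetite]
    return out, breaches

# Constructed sample data, not figures from the article.
CLIENT_VOLUMES = {"local_individuals": 600, "local_companies": 250,
                  "foreign_companies": 120, "trusts": 30}
CLIENT_WEIGHTS = {"local_individuals": 1, "local_companies": 2,
                  "foreign_companies": 3, "trusts": 4}
SCENARIOS = {  # (likelihood, impact, mitigation) per risk scenario
    "non_face_to_face_onboarding": (4, 4, 1),
    "high_risk_jurisdiction_clients": (3, 3, 1),
    "third_party_introducers": (2, 3, 0),
}

if __name__ == "__main__":
    print(client_mix(CLIENT_VOLUMES, CLIENT_WEIGHTS))
    print(assess(SCENARIOS))
```

With the sample figures, 60% of the client base is rated low and 3% very high, and only the non-face-to-face onboarding scenario ends up above the assumed appetite, which is exactly the kind of result that should trigger a review of that control.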

By way of conclusion, it is important to review the business risk assessment of a subject person at least annually or as may be required, especially when new products or services are introduced into the business activities of a subject person.

This was originally published in the Malta Business Weekly on 4th March 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.