The overall assessment of the risks (EWRA) that financial institutions are required to perform in this context is an instrument that enables obliged entities to identify and appropriately manage the ML / FT risks to which they are exposed, or where appropriate, to limit them.
In a broader context, Enterprise Risk Assessment (ERA) or Enterprise Risk Management (ERM) programs help entities to adapt their approach of managing risks to meet the demands of the evolving financial corporate standards.
How to realize an effective aml risk assessment of your business ?The multiple benefits of an effective aml assessment system can only result if a proper understanding of the aml ewra regulation and the experience of your company and business industry work concurrently.
Conducting an aml risk assessment is not a single task. It implies to define an aml risk rating methodology, to create an aml risk assessment model in line with your business.
Financial institutions manage their AML risk exposure by defining sound processes and risk-based vigilance efforts.
EWRA Compliance and the Risk-Based Approach (RBA)An appropriate risk-based approach begins with the acquisition of an in-depth and up-to-date awareness of the institution's risk exposure and an understanding of those risks.
Risk-based approach (RBA) is an essential part of Risk Management and the AML/CFT framework. RBA was highlighted in the 2012 FATF Recommendations:
“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”
and was also a major concern implemented in the fourth European AML Directive.
The RBA is a methodology that allows prioritising the company's activities based on a previous analysis of data.
According to RBA, there is proportionality of actions taken, depending on how high the risk is. This means that RBA in low-risk situations allows for fewer actions to be taken, and emphasis to be given to high risks, where enhanced measures are mandatory. Thanks to this method the allocation of available resources can be optimised.
AML EWRA Enterprise-Wide Risk Assessment MethodologyA successful EWRA methodology is consistent across the domains and is commonly built through three main stages: the risk identification, the gap analysis (controls) and the adjustment (corrections-mitigation).
According to the regulation in place, obliged entities must take at least into account the characteristics of their customers, the products, services or operations they offer, the countries or geographical areas concerned, as well as the distribution channels they use.
In addition to the characteristics, international, relevant sectorial standards and reviews (European Supervisor Authorities,...) should also be considered by companies to perceive their aml risk exposure.
The inherent risk scoring must be calculated using a defined methodology.
Frequently a ponderation factor is added to the classified risks in order to bring balance and impact precision in the aggregated view of the risk category.a ponderation factor is added to the classified risk in order to bring balance and impact precision in the aggregated view of the risk category.
The inherent risk scoring takes place before the consideration of (internal) controls and evaluates the nature, complexity, and volume of the activities giving rise to the risk identified.
The residual risk score provides a final vision on the risk after the consideration of findings and internal controls.
The AMLCO needs to ensure that appropriate corrections are timely, efficient and involve the means necessary. In this context, a foreseen due date and an estimation of the completion requirements are indicated in the corrective actions or remediation plan, together with the appropriate means for completing the task.
The action priorities are justified by the final residual risk scoring.
The obligation for financial institutions to document and continuously update their EWRAIn general, the AML Overall Risk Assessment shall be documented, updated and kept at the disposal of the supervisory authorities (the National Bank for Belgium). It will be updated every time that an event occurs and can have a significant impact on the ML risk profile of the entity.
It is not a process that takes place once per year, but an on-going process that occurs every time a major situation arise. The entity should have, at any time, a clear understanding of how its ML risks associated with the business relationship are evolving.
In addition to the EWRA report, a document describing the process for the completion of the assessment is expected. In this record, the applicable legal framework and sectorial guidance are specified. Moreover, it should mention the methodology used, how this has been integrated into the assessment, a description of the procedures for monitoring and timely updating the risk assessment process and a reference to the extent to which the Anti-Money Laundering Compliance Officer (AMLCO), the compliance officer, senior management, and any other parties have been involved in all the phases of the process.
Firms must be able to demonstrate to their regulator, on the basis of those documents, that their approach meet the obligations of the AML law of 18 September 2017 (Belgium).
The relevant risk factors to considerIn order to conduct their EWRA, firms will have to consider specific risk factors and the principle of proportionality.
The risk factors that must be considered are customers, countries or geographic areas, products, services, transactions or delivery channels. All must be assessed proportionately, meaning according to the size and the nature of the entity. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.
The risk factors will be used in the analysis and in the final assessment as pillars that the firm will be built on its evaluation. The risk factors cover specific domains that can include many sub-risks that have to be taken into consideration. For example, the risk factor of customers can include risks like working with the wrong counterparty, not having enough additional measures to take a founded decision, etc.
The entities that conduct an EWRA should weight the risk factors based on their relevance in the business relationship and transactions. The entities usually put different “scores” for various factors. According to EBA’s Risk Factors Guidelines (JC 2017 37) when weighing risk factors, the entities should consider many things like, the fact that profit considerations do not influence the risk rating and that the firm is ready to override any automatically generated risk scores where necessary, providing, of course, proper documentation for this decision.
The rationale behind the EWRA obligationConducting a Business-wide risk assessment is one of the cornerstones for the battle against ML and TF. Decisions are taken in a more informed way towards risks. This effort leads to the protection of the market from another crisis and as a result of the protection of the society.
The competent national authorities can assess the adequacy of the firms' AML/CFT internal organisation framework and policies and procedures.
It allows firms to identify the ML / TF risks to which a business is exposed and to identify situations that generate higher ML / FT risks and on which efforts on combating ML / FT should be focused.
Furthermore, it gives firms a sound perspective on how to best estimate their customer aml risk scoring while approaching singular cases.
Consider the legal framework before starting an AML EWRA
- The 4th AML Directive (2015/849);
- The Belgian ML/FT Law of 18 September 2017, which transposes 4th AML Directive in the Belgian legal framework;
- The NBB Regulation of 21 November 2017;
- Circular 02/2018 / Overall assessment of money laundering and terrorist financing risks.
There are also useful documents published from the Authority of Services and Financial Markets (FSMA):
- Practical Guide for the Overall Risk Assessment for Money Laundering and Terrorism of financing from the insurance intermediaries (“Guide pratique FSMA_2018_07 du 22/05/2018”) , available in French or Dutch.
- Periodic questionnaire related to the prevention of Money Laundering and the Financing of Terrorism (“FSMA_2019_10 du 20/05/2019) available in French only.
It is a chance for companies to gain a clearer picture of the business they are in and to anticipate the ML/TF risks before they become unbearable burdens for the entity.