AML EWRA - How to conduct an Anti-Money Laundering overall risk assessment?

The Enterprise-Wide Risk Assessment (EWRA), or Overall Risk Assessment, has become a regulatory obligation from an EU and Belgian perspective for all credit institutions, stockbroking firms, licensed insurance companies and banking industries subject to the Anti-Money Laundering regulation.

The overall assessment of the risks (EWRA) that financial institutions are required to perform in this context is an instrument that enables obliged entities to identify and appropriately manage the ML/TF risks to which they are exposed or, where appropriate, to limit them.

In a broader context, Enterprise Risk Assessment (ERA) or Enterprise Risk Management (ERM) programs help entities to adapt their approach to managing risks to meet the demands of evolving financial corporate standards.


How to carry out an effective AML risk assessment of your business?

The benefits of an effective AML assessment system materialise only when a proper understanding of the AML EWRA regulation is combined with the experience of your company and its business industry.

Conducting an AML risk assessment is not a single task. It involves defining an AML risk rating methodology and creating an AML risk assessment model in line with your business.

Financial institutions manage their AML risk exposure by defining sound processes and risk-based vigilance efforts.


EWRA Compliance and the Risk-Based Approach (RBA)

An appropriate risk-based approach begins with the acquisition of an in-depth and up-to-date awareness of the institution's risk exposure and an understanding of those risks.

The risk-based approach (RBA) is an essential part of Risk Management and the AML/CFT framework. The RBA was highlighted in the 2012 FATF Recommendations:

“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”


and was also a major concern implemented in the fourth European AML Directive.

The RBA is a methodology that allows a company to prioritise its activities based on a prior analysis of data.
Under the RBA, the actions taken are proportionate to the level of risk. This means that the RBA allows fewer actions to be taken in low-risk situations, with emphasis given to high risks, where enhanced measures are mandatory. Thanks to this method, the allocation of available resources can be optimised.


AML EWRA Enterprise-Wide Risk Assessment Methodology

A successful EWRA methodology is consistent across the domains and is commonly built through three main stages: risk identification, gap analysis (controls) and adjustment (corrections and mitigation).

EWRA compliance methodology


The overall risk assessment (EWRA) exercise is carried out under the responsibility of the AMLCO, who ensures that related procedures and processes are formalized and executed in a manner that reflects the results of this permanent exercise. The firm identifies and classifies the ML/TF risks. The professionals conducting the risk assessment should have a clear understanding of the entity's operations and working environment and of the problems that may arise.

According to the regulation in place, obliged entities must take into account at least the characteristics of their customers, the products, services or operations they offer, the countries or geographical areas concerned, as well as the distribution channels they use.
In addition to these characteristics, companies should also consider relevant international and sectoral standards and reviews (European Supervisory Authorities,...) to understand their AML risk exposure.

The inherent risk scoring must be calculated using a defined methodology.
Frequently, a weighting factor is added to the classified risks in order to bring balance and precision to the aggregated view of the risk category.
The inherent risk scoring takes place before the consideration of (internal) controls and evaluates the nature, complexity, and volume of the activities giving rise to the risk identified.
The gap analysis is the analysis and assessment of the adequacy of the existing relevant risk management measures. Companies are required to objectively evaluate whether the risk management measures in place are deemed sufficient (design) or whether additional measures are required to cover the risks identified. Ultimately, the operational (execution) evaluation of how these risk control measures are actually applied and complied with in practice completes the evaluation of the control measures.
The residual risk score provides a final view of the risk after the consideration of findings and internal controls.
If deemed necessary, the adjustment phase proposes new or additional risk management measures to control the risks that are not covered, or not adequately covered. In this phase, a well-described corrective action plan is often provided.
The AMLCO needs to ensure that appropriate corrections are timely and efficient and involve the necessary means. In this context, a foreseen due date and an estimate of the completion requirements are indicated in the corrective action or remediation plan, together with the appropriate means for completing the task.
The action priorities are justified by the final residual risk scoring.



The obligation for financial institutions to document and continuously update their EWRA

In general, the AML Overall Risk Assessment shall be documented, updated and kept at the disposal of the supervisory authorities (the National Bank of Belgium). It will be updated every time an event occurs that can have a significant impact on the ML risk profile of the entity.

It is not a process that takes place once per year, but an ongoing process that occurs every time a major situation arises. The entity should have, at any time, a clear understanding of how the ML risks associated with its business relationships are evolving.

In addition to the EWRA report, a document describing the process for the completion of the assessment is expected. In this record, the applicable legal framework and sectoral guidance are specified. Moreover, it should mention the methodology used, how this has been integrated into the assessment, a description of the procedures for monitoring and timely updating the risk assessment process and a reference to the extent to which the Anti-Money Laundering Compliance Officer (AMLCO), the compliance officer, senior management, and any other parties have been involved in all the phases of the process.

Firms must be able to demonstrate to their regulator, on the basis of those documents, that their approach meets the obligations of the AML law of 18 September 2017 (Belgium).




The relevant risk factors to consider

In order to conduct their EWRA, firms will have to consider specific risk factors and the principle of proportionality.

The risk factors that must be considered are customers, countries or geographic areas, products, services, transactions or delivery channels. All must be assessed proportionately, meaning according to the size and the nature of the entity. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.

The risk factors will be used in the analysis and in the final assessment as the pillars on which the firm will build its evaluation. The risk factors cover specific domains that can include many sub-risks that have to be taken into consideration. For example, the risk factor of customers can include risks like working with the wrong counterparty, not having enough additional measures to take a well-founded decision, etc.

The entities that conduct an EWRA should weight the risk factors based on their relevance in the business relationship and transactions. The entities usually assign different “scores” to the various factors. According to EBA’s Risk Factors Guidelines (JC 2017 37), when weighting risk factors, the entities should consider several points, such as the fact that profit considerations do not influence the risk rating and that the firm is ready to override any automatically generated risk scores where necessary, providing, of course, proper documentation for this decision.


The rationale behind the EWRA obligation

Conducting a business-wide risk assessment is one of the cornerstones of the battle against ML and TF. Decisions about risks are taken in a more informed way. This effort leads to the protection of the market from another crisis and, as a result, to the protection of society.

The competent national authorities can assess the adequacy of the firms' AML/CFT internal organisation framework and policies and procedures.
The assessment allows firms to identify the ML/TF risks to which a business is exposed and to identify situations that generate higher ML/TF risks and on which efforts to combat ML/TF should be focused.

Furthermore, it gives firms a sound perspective on how best to estimate their customer AML risk scoring when approaching individual cases.


Consider the legal framework before starting an AML EWRA

The Belgian legal framework for the EWRA AML Overall Risk Assessment mainly consists of four legal documents:

There are also useful documents published by the Financial Services and Markets Authority (FSMA):


It is a chance for companies to gain a clearer picture of the business they are in and to anticipate the ML/TF risks before they become unbearable burdens for the entity.

Requiring Assistance?

Pideeco conducts independent Compliance reviews to provide financial institutions greater insights on their regulatory performance. We can assist you in your business Risk Assessment and ensure that all regulatory requirements are appropriately covered.
Oscar Canario da Cunha, Associate Director - Pideeco Network Partner