The Enterprise-Wide Risk Assessment (EWRA) or Overall Risk Assessment has become a regulatory obligation from an EU and Belgian perspective for all credit institutions, stockbroking firms, licensed insurance companies and banking industries submitted to the Anti-Money Laundering regulation.
The overall assessment of the risks (EWRA) that financial institutions are required to perform in this context is an instrument that enables obliged entities to identify and appropriately manage the ML / FT risks to which they are exposed, or where appropriate, to limit them.
In a broader context, Enterprise Risk Assessment (ERA) or Enterprise Risk Management (ERM) programs help entities to adapt their approach of managing risks to meet the demands of the evolving financial corporate standards.
The overall assessment of the risks (EWRA) that financial institutions are required to perform in this context is an instrument that enables obliged entities to identify and appropriately manage the ML / FT risks to which they are exposed, or where appropriate, to limit them.
In a broader context, Enterprise Risk Assessment (ERA) or Enterprise Risk Management (ERM) programs help entities to adapt their approach of managing risks to meet the demands of the evolving financial corporate standards.
➪ How to carry out an effective AML risk assessment?
Conducting an AML risk assessment is not a single task. It implies defining an AML risk rating methodology and the creation of an AML risk assessment model in line with your business. Financial institutions manage their AML risk exposure by defining sound processes and risk-based vigilance efforts.The multiple benefits of an effective AML assessment system can only result if a proper understanding of the AML EWRA regulation and the experience of your company and business industry work together.
🔎 What is EWRA Compliance and the Risk-Based Approach (RBA) ?
An appropriate risk-based approach begins with the acquisition of an in-depth and up-to-date awareness of the institution's risk exposure and an understanding of those risks.A Risk-based approach (RBA) is an essential part of Risk Management and the AML/CFT framework. RBA was highlighted in the 2012 FATF Recommendations:
“...countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.”
It was also a major topic implemented in the fourth European AML Directive.
RBA is a methodology that allows prioritising the company's activities based on a previous analysis of data.
According to RBA, dependingthe number of actions that need to be taken depends on how high the risk is. This means that RBA in low-risk situations allows for fewer actions to be taken, and emphasis to be given to high risks where enhanced measures are mandatory. Thanks to this method the allocation of available resources can be optimised.
According to RBA, dependingthe number of actions that need to be taken depends on how high the risk is. This means that RBA in low-risk situations allows for fewer actions to be taken, and emphasis to be given to high risks where enhanced measures are mandatory. Thanks to this method the allocation of available resources can be optimised.
📘 AML EWRA Enterprise-Wide Risk Assessment Methodology
A successful EWRA methodology is consistent across domains and is commonly built through three main stages: the risk identification, the gap analysis (controls) and the adjustment phase (corrections-mitigation).
The overall risk assessment (EWRA) exercise is carried out under the responsibility of the AMLCO that ensures related procedures and processes are formalized and executed in a manner that reflects the results of this permanent exercise. The firm identifies and classifies the ML/TF risks. The professionals conducting the risk assessment should have a clear understanding of the entity's operations and working environment and the possible problems that may arise.
According to the regulation in place, obliged entities must take at least into account the characteristics of their customers, the products, services or operations they offer, the countries or geographical areas concerned, as well as the distribution channels they use.
In addition to the characteristics, international and relevant sectorial standards, and reviews (European Supervisor Authorities,...) should also be considered by companies to identify their AML risk exposure.
The inherent risk scoring must be calculated using a defined methodology.
Frequently, a ponderation factor is added to the classified risks in order to bring balance and precision when having a full view of the risk category.
The inherent risk scoring takes place before the consideration of (internal) controls and evaluates the nature, complexity, and volume of the activities giving rise to the risk identified.
According to the regulation in place, obliged entities must take at least into account the characteristics of their customers, the products, services or operations they offer, the countries or geographical areas concerned, as well as the distribution channels they use.
In addition to the characteristics, international and relevant sectorial standards, and reviews (European Supervisor Authorities,...) should also be considered by companies to identify their AML risk exposure.
The inherent risk scoring must be calculated using a defined methodology.
Frequently, a ponderation factor is added to the classified risks in order to bring balance and precision when having a full view of the risk category.
The inherent risk scoring takes place before the consideration of (internal) controls and evaluates the nature, complexity, and volume of the activities giving rise to the risk identified.
It is the analysis and assessment of the adequacy of the existing relevant risk management measures. This may include policies, procedures, KYC and transaction monitoring software, and other tools that the company uses for compliance or risk purposes. Companies are required to objectively evaluate whether risk management measures in place are deemed sufficient (design) or if additional measures are required to cover the risk identified. Ultimately, the operational (execution) evaluation of how these risk control measures are actually applied and complied with in practice, will complete the controlling measure evaluation.
The residual risk score provides a final vision of the risk after the findings and internal controls.
The residual risk score provides a final vision of the risk after the findings and internal controls.
If it is deemed necessary, the adjustment phase proposes new or additional risk management measures to control the risks that are not adequately covered. In this phase, a well-described corrective action plan is often provided.
The AMLCO needs to ensure that appropriate corrections are timely, efficient and involve the means necessary. In this context, a foreseen due date and an estimation of the completion of the requirements are indicated in the corrective actions or remediation plan, together with the appropriate means for completing the task.
The action priorities are justified by the final residual risk scoring.
The AMLCO needs to ensure that appropriate corrections are timely, efficient and involve the means necessary. In this context, a foreseen due date and an estimation of the completion of the requirements are indicated in the corrective actions or remediation plan, together with the appropriate means for completing the task.
The action priorities are justified by the final residual risk scoring.
📄 Documentation and updating of an EWRA
In general, the AML Overall Risk Assessment shall be documented, updated and kept at the disposal of the supervisory authorities (the National Bank for Belgium). It will be updated every time that an event occurs and can have a significant impact on the ML risk profile of the entity. The entity should have, at any time, a clear understanding of how its ML risks are evolving.
In general, the AML Overall Risk Assessment should be documented, updated and kept at the disposal of the supervisory authorities (the National Bank for Belgium). It will be updated every time that an event occurs and can have a significant impact on the ML risk profile of the entity. It is not a process that takes place once per year, but an on-going process that occurs every time a major situation arises. The entity should have, at any time, a clear understanding of how its ML risks associated with the business relationship are evolving.
In addition to the EWRA report, a document describing the process for the completion of the assessment is expected. In this record, the applicable legal framework and sectorial guidance are specified. Moreover, it should mention the methodology used, how this has been integrated into the assessment, a description of the procedures for monitoring and a timely update of the risk assessment process, together with a reference to the extent to which the Anti-Money Laundering Compliance Officer (AMLCO), the compliance officer, senior management, and any other parties have been involved in all the phases of the process.
Firms must be able to demonstrate to their regulator, on the basis of those documents, that their approach meet the obligations of the AML law of 20 July 2020 (Belgium).
EWRA Overall Risk Assessment
Are you looking for more detailed information on the EWRA Overall Risk Assessment ? Follow the article for more insights.
⚠️What are the risk factors to consider?
In order to conduct their EWRA, firms will have to consider specific risk factors and the principle of proportionality.
The risk factors that must be considered are customers, countries or geographic areas, products, services, and transactions or delivery channels. All must be assessed proportionately, meaning according to the size and the nature of the entity. Firms that do not offer complex products or services and that have limited or no international exposure may not need an overly complex or sophisticated risk assessment.
The risk factors will be used in the analysis and in the final assessment as pillars that the firm will use to build on its evaluation. The risk factors cover specific domains that can include many sub-risks that have to be taken into consideration. For example, the risk factor of customers can include risks like working with the wrong counterparty, not having enough additional measures to take a founded decision, etc.
The entities that conduct an EWRA should weight the risk factors based on their relevance in the business relationship and transactions. The entities usually put different “scores” for various factors. According to EBA’s Risk Factors Guidelines (JC 2017 37) when weighing risk factors, the entities should consider various matters like the fact that profit considerations do not influence the risk rating and that the firm is ready to override any automatically generated risk scores where necessary, providing, of course, proper documentation for this decision.
⭐ The rationale behind the EWRA obligation
Conducting a business-wide risk assessment is one of the cornerstones for the battle against ML and TF. Decisions are taken in a more informed way towards risks. This effort leads to the protection of the market from another crisis and as a result the protection of society.
The competent national authorities can assess the adequacy of the firms' AML/CFT internal organisation framework and policies and procedures.
It allows firms to identify the ML / TF risks to which a business is exposed and to identify situations that generate higher ML / FT risks and the focus on which the efforts should placed on.
Furthermore, it gives firms a sound perspective on how to best estimate their customer AML risk scoring while also assessing single cases.
⚖️ The legal framework of an AML EWRA
The Belgian legal framework for the EWRA AML Overall Risk Assessment mainly consists of four legal documents: • The 5th AML Directive (2018/843); • The Belgian ML/FT Law of 20 July 2020; • The NBB Regulation of 21 November 2017; • Circular 02/2018 / Overall assessment of money laundering and terrorist financing risks.
- The 5th AML Directive (2018/843);
- The Belgian ML/FT Law of 20 July 2020, which transposes the 5th AML Directive in the Belgian legal framework;
- The NBB Regulation of 21 November 2017;
- Circular 02/2018 / Overall assessment of money laundering and terrorist financing risks.
There are also useful documents published from the Authority of Services and Financial Markets (FSMA):
- Practical Guide for the Overall Risk Assessment for Money Laundering and Terrorism of financing from the insurance intermediaries (“Guide pratique “FSMA_2018_07 du 22/05/2018”), available in French or Dutch.
- Periodic questionnaire related to the prevention of Money Laundering and the Financing of Terrorism (“FSMA_2020_11 du 10/09/2020") available in French only.
It is a chance for companies to gain a clearer picture of their business and to anticipate the ML/TF risks before they become unbearable burdens for the entity.
Requiring Assistance ?
Pideeco conducts independent Compliance reviews to provide financial institutions greater insights on their regulatory performance. We can assist you in your business Risk Assessment and ensure that all regulatory requirements are appropriately covered.
RiskDue DiligenceAMLRisk ManagementRisk Based ApproachAuditFinancial firmsKYCCompliance5AMLDAudit FindingsFSMAEUEWRA
The way in which you are describing how to conduct AML risk assessment is very appropriate, the definitions and explanations are perfect, i really like this blog i want to say Thank alot for this blog.
I am looking for an automated tool / solution to perform EWRA for a Bank. Essentially risk rating engine to calculate inherent and residual risks of AML, Sanctions and Anti-Bribery and corruptions (ABC).
Dear, I suggest you address your enquiry through our contact section. Kind regards,