Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Assessing the identified ML/TF risk factors is a complex and necessary element to perform the risk analysis.
Not all risk factors have the same weight. The relevance or weight of each factor depends on its own nature and on the context in which it acts.
To calculate the inherent risk it is first necessary to assign a weight to the identified ML/TF risk factors. “If you cannot measure it, you cannot improve it.” (Lord Kelvin).
The standard UNE-ISO 31000 (Risk Management. Principles and guidelines) establishes that each identified risk factor has a weight that depends on two factors:
- Vulnerability, or degree of exposure of the entity analysed to the risk factor. To assess the vulnerability it is necessary to obtain statistical data on the context, referring to the customers, the products or services offered, and the operations carried out.
- Threat, or severity of the possible impact or damage, which can be obtained from regulations, from national and international standards, or from the experience of the entity analysed.
A simple example of how each risk factor can be assessed through a relational matrix is as follows:
Figure 1. Relation between threat and vulnerability
A more elaborate example is the one used by the World Bank (“Introduction to the National Risk Assessment Tool - June 2015”):
Figure 2. Overall money laundering risk in a jurisdiction
It is important to obtain a numerical value for the inherent risk: only if we can measure it can we manage it properly.
To establish the internal control measures necessary to manage this inherent risk, UNE-ISO 31000 also distinguishes between general and specific measures.
- General measures: those of a structural and procedural type, established by the prevention system and directed at the entity itself.
The model we propose uses the criteria published by the Spanish Financial Intelligence Unit (Sepblac), which allows us to group control measures into four sections:
1. Governance and compliance
2. Detection and reaction
3. Training
4. Controls and revisions
- Specific measures: those aimed at a specific client, to whom CDD requirements are applied according to the highest risk factor identified.
In Spanish regulations, for example, these measures are indicated in Article 20 of the Regulations approved by Royal Decree 304/2014, of May 5:
a) Update the data obtained in the customer acceptance process.
b) Obtain documentation or additional information about the purpose and nature of the business relationship.
c) Obtain documentation or additional information on the origin of the funds.
d) Obtain documentation or additional information about the origin of the client's assets.
e) Obtain documentation or information about the purpose of the operations.
f) Obtain authorization from management to establish or maintain the business relationship or to execute the operation.
g) Carry out enhanced monitoring of the business relationship, increasing the number and frequency of the controls applied and selecting patterns of operations for examination.
h) Examine and document the congruence of the business relationship or operations with the documentation and information available about the client.
i) Examine and document the economic logic of operations.
j) Require that payments or income be made in an account in the name of the customer, opened in a credit institution domiciled in the European Union or in equivalent third countries.
k) Limit the nature or amount of the operations or payment methods used.
The model used to perform the risk analysis must allow the weight of the measures taken to manage the inherent risk to be calculated.
Those of us who carry out the external audit of financial institutions must have sufficient knowledge to evaluate these internal control measures of the prevention system.
The difference between the calculated value of the inherent risk and the value of the management measures adopted allows us to calculate the residual risk.
The applied process is as follows:
Figure 3. Risk analysis process
The relational matrix used to calculate the residual risk may be similar to the one shown in the image, to which the tolerance line, i.e. the risk appetite that the top management of the entity examined is willing to assume, has also been added.
When the residual risk exceeds the risk appetite or tolerance, it is necessary to design and implement an action plan that keeps the established prevention system stable.
Figure 4. Residual risk table example
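As an added illustration of the process just described (not part of the original response), the following Python sketch scores a factor's inherent risk from its vulnerability and threat levels, credits the four Sepblac groups of general measures against it, and flags the factors whose residual risk exceeds the risk appetite. The five-level scale, the group weights, the crediting rule (measures are valued as a share of the inherent risk) and the sample factors are assumptions.

```python
from dataclasses import dataclass

# Assumed five-level ordinal scale for both axes of the relational matrix
# (the page's figures are not reproduced, so the scale is an assumption).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Sepblac's four groups of general control measures, as listed on the page;
# the relative weight of each group is an assumption of this example.
CONTROL_WEIGHTS = {
    "governance_and_compliance": 0.30,
    "detection_and_reaction": 0.35,
    "training": 0.15,
    "controls_and_revisions": 0.20,
}

@dataclass
class RiskFactor:
    name: str
    vulnerability: str  # degree of exposure of the entity to the factor
    threat: str         # severity of the possible impact or damage

def inherent_risk(factor: RiskFactor) -> int:
    """Relational matrix: vulnerability level x threat level (1..25)."""
    return LEVELS[factor.vulnerability] * LEVELS[factor.threat]

def control_effectiveness(scores: dict) -> float:
    """Weighted effectiveness of the general measures, 0.0 (none) to 1.0 (full)."""
    total = 0.0
    for group, weight in CONTROL_WEIGHTS.items():
        score = scores.get(group, 0.0)
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {group} must lie within [0, 1]")
        total += weight * score
    return total

def residual_risk(factor: RiskFactor, scores: dict) -> float:
    """Residual risk = inherent risk minus the value credited to the measures adopted."""
    inherent = inherent_risk(factor)
    return round(inherent - inherent * control_effectiveness(scores), 2)

def action_plan_needed(factors, scores: dict, risk_appetite: float) -> list:
    """Names of the factors whose residual risk exceeds top management's tolerance."""
    return [f.name for f in factors if residual_risk(f, scores) > risk_appetite]

# Constructed sample input: two risk factors and the entity's control scores.
SAMPLE_FACTORS = [
    RiskFactor("cash-intensive customers", "high", "very high"),
    RiskFactor("non-face-to-face onboarding", "medium", "high"),
]
SAMPLE_SCORES = {"governance_and_compliance": 0.8, "detection_and_reaction": 0.6, "training": 0.9, "controls_and_revisions": 0.5}
```

With a risk appetite of 6, the first sample factor (inherent 20, residual 6.3) requires an action plan while the second (inherent 12, residual 3.78) stays within tolerance.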
I believe that assessing and weighting ML/TF risk factors is an essential element in “The Risk Factors Guidelines”, but identification and categorization is only the first step in the risk analysis process.
It is desirable that the Guide provide additional information on how risks can be assessed in order to obtain results that add value to this analysis and allow a subsequent risk-based approach (RBA).
Madrid, March 16, 2020
Benigno de Valentín
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
PROPOSAL FOR GUIDELINE 2 AND GUIDELINE 3