As the three European Supervisory Authorities (ESAs) publish a new joint opinion on money laundering and terrorist financing (ML/TF) risks affecting the EU financial sector, Zia Ullah and Ruth Paley of Eversheds Sutherland LLP take a look at the key risks, noting the fact that Credit and Financial Institutions will want to consider whether this additional information should inform the annual process of undertaking a firm-wide risk assessment under Regulation 18 of the Money Laundering Regulations 2017 (MLR 2017).

Drawing on data and information provided by regulators across the EU, the ESAs highlighted concerns relating to transaction monitoring and suspicious activity reporting, particularly in sectors where a financial institution's business model is based on frequent transactions.

The ESAs concluded that some financial institutions are still finding it a challenge to implement adequate firm-wide and customer risk assessments, and that more guidance on the process was needed. In terms of emerging threats, there was a focus on the increasing use of new technologies by financial and credit institutions which, whilst these could be deployed in the fight against financial crime, also posed vulnerabilities if the risks were not properly understood and mitigated. The rapid spread of virtual currencies was also cited as an area of growing concern in view of heightened ML/TF risks due to the absence of a common regulatory regime and the opportunities for anonymity.

The ESAs called on national regulators to play a more active role and enhance their engagement with the private sector to develop a better understanding of new technologies, products and services available to credit and financial institutions, and to consider whether they have a sufficient understanding of risks and controls in those sectors where they have carried out only limited assessments and may need to review their supervisory approach.

The opinion is accompanied by a really helpful interactive tool which accompanies the opinion and gives a visual snapshot of all ML/TF risks identified – Credit and Financial Institutions may find the tool useful in considering whether there are additional risks not currently captured in the firm’s risk assessment which could be referenced in the next iteration of that document.

*Note on the firm-wide risk assessment process under Regulation 18 MLR 2017

The requirement to undertake an ML/TF risk assessment is enshrined in UK regulation under the MLR 2017. Regulation 18 mandates relevant firms to engage in the exercise of identifying the firm’s key risks, and testing the controls in place to mitigate those risks. The risk assessment seeks to measure the firm’s exposure to the risks it faces and to plan actions to reduce those risks.

There are many different ways to conduct the risk assessment process, and there is no one-size-fits-all method. Any good risk assessment requires a detailed understanding of the nature of the firm’s business, and an evaluation of the controls which impact on the risks inherent in the work. Firms must consider the ML/TF risk attaching to client base, geographical sphere of operations, transactions, products and services, and delivery channels. There is plenty of guidance available to help with identifying the risks associated with those five areas, including sectoral risk assessments, the UK National Risk Assessment, supra-national risk assessments and opinions such as the one just published by the ESAs, the JMLSG Guidance and Appendices, and Wolfsberg publications including Frequently Asked Questions. Management information, facts and figures should be interrogated as a starting point, as well as details from the MLRO, transaction monitoring, alert handling and SARs data which will also be key.