Aspida Insights

Mastering Compliance: Navigating Risks & Regulatory Returns with Aspida’s Expertise

Michael Calleja | Senior Compliance Services Executive | Malta

As we find ourselves in that pivotal time of year where subject persons traditionally undertake the important task of updating their Business Risk Assessments (BRAs), Customer Risk Assessments (CRAs), and preparing to fill in the Risk Evaluation Questionnaire (REQ) for the Financial Intelligence Analysis Unit (FIAU) alongside the Annual Compliance Return (ACR) for the Malta Financial Services Authority (MFSA), it’s an opportune moment to revisit and delve deeply into the basic notions of risk. These activities are integral to ensuring compliance and maintaining a robust framework against money laundering (ML) and terrorism financing (TF), addressing the ever-evolving landscape of regulatory requirements and risks.

Given the critical importance of understanding, assessing, and effectively managing these risks, we thought it best to embark on a comprehensive exploration of the foundational concepts and regulatory guidelines surrounding risk. This includes an in-depth analysis of the nature of risk as outlined by the FIAU’s Implementing Procedures, the mechanisms for assessing and mitigating these risks through BRAs and CRAs, and the significance of understanding the residual risk that remains after all mitigating measures have been applied. By thoroughly examining these aspects, Aspida aims to provide subject persons with the knowledge and tools needed to navigate their legal and regulatory obligations with confidence and precision.

BRAs vs CRAs

Business Risk Assessments (BRAs) and Customer Risk Assessments (CRAs) are pivotal components within the risk-based approach advocated by the Financial Intelligence Analysis Unit (FIAU) for combating money laundering (ML) and terrorism financing (TF). While both assessments aim to identify and mitigate ML/TF risks, they serve distinct purposes and focus on different aspects of a subject person’s operations.

Business Risk Assessment (BRA)

A BRA involves a comprehensive evaluation of the overall risks to which a business is exposed in its entirety. This assessment encompasses a wide range of factors, including the nature of the business, the sectors it operates in, the complexity and geographical scope of its activities, and the types of clients it serves. The objective of a BRA is to identify the inherent risks within the business model and operational framework, enabling the organization to develop overarching policies, controls, and procedures tailored to mitigate these risks. It focuses on the business’s vulnerability to ML/TF risks at a macro level, considering external and internal risk factors that could affect the business’s operations and reputation.

Customer Risk Assessment (CRA)

In contrast, a CRA is a more focused analysis that examines the ML/TF risks associated with individual business relationships or specific transactions. It delves into the details of the customer’s background, the nature of their business or professional activities, the source of their funds, and their geographical connections, among other factors. The CRA aims to understand the specific risk profile of each customer or transaction, allowing for the application of customer due diligence measures that are proportionate to the identified risks. This targeted approach helps in pinpointing higher risk customers or transactions that may require enhanced scrutiny or controls.

Key Differences

The primary difference between a BRA and a CRA lies in their scope and focus. A BRA is broad and evaluates the business’s overall exposure to ML/TF risks, leading to the establishment of a risk management framework applicable across the entire organization. On the other hand, a CRA is narrow, concentrating on the risks presented by individual customers or transactions, resulting in tailored due diligence measures. While a BRA provides a macro-level view of risk, guiding the strategic direction of an organization’s AML/CFT efforts, CRAs offer a micro-level perspective, ensuring that specific risks associated with particular customers or transactions are appropriately managed.

Together, BRAs and CRAs form the cornerstone of a robust risk-based AML/CFT framework, ensuring that businesses not only understand their broader risk environment but also address the nuances and complexities of the risks associated with individual customers and transactions. This dual approach enables organizations to allocate their resources more efficiently and effectively, focusing their efforts where they are most needed to mitigate ML/TF risks.

Understanding and Assessing ML/TF Risks

The FIAU’s Implementing Procedures outline that the effectiveness of the risk-based approach is contingent upon a subject person’s proper understanding of the ML/TF risks they face before the implementation of any mitigating measures. Inherent risk is the exposure to ML/TF risks prior to the application of any policies, controls, and procedures designed to mitigate such risks. This necessitates an initial step of identifying and understanding how risk can manifest, focusing on vulnerabilities and threats that may be exploited for ML/TF purposes. Risk factors, which may increase or decrease the ML/TF risk, are crucial in this assessment, including variables related to customers, countries, products, services, transactions, and delivery channels.

The regulations also emphasize the need to assess the likelihood and impact of risk manifestation, which involves evaluating the potential damage if vulnerabilities are exploited. This approach aids in determining the level of inherent risk, guiding the development and implementation of AML/CFT measures tailored to mitigate identified risks effectively.

Mitigating Measures and Residual Risk

Upon identifying and assessing inherent risks, subject persons must implement appropriate AML/CFT measures, policies, controls, and procedures to mitigate these risks. The FIAU introduces the concept of residual risk, which is the level of risk remaining after the application of mitigating measures. This highlights an essential aspect of risk management: not all risks can be entirely eliminated, and there will always be a degree of residual risk. The crucial decision for a subject person then becomes whether this residual risk is within their risk appetite and how to manage it if it falls outside acceptable parameters.

Risk Factors and Their Assessment

Understanding and managing risk in the context of anti-money laundering (AML) and countering financing of terrorism (CFT) revolves around four critical notions: Customer Risk; Geographical Risk; Product, Service, and Transaction Risk; and Delivery Channels Risk. These risk factors encompass the diverse and complex variables that can influence the likelihood and impact of money laundering and terrorism financing threats, necessitating tailored strategies for effective mitigation.

  1. Customer Risk: Identifies the risk of ML/TF arising from relationships with specific customers or entities, highlighting activities that may present higher risks, such as those that are cash-intensive or associated with a higher risk of corruption.
  2. Geographical Risk: Focuses on the risk linked to certain geographical areas, considering factors such as the presence of strategic deficiencies in AML/CFT regimes, sanctions, or levels of corruption.
  3. Product, Service, and Transaction Risk: Evaluates the risk associated with providing specific products or services, or carrying out certain transactions, taking into account their transparency, complexity, and the value or size of transactions.
  4. Delivery Channels Risk: Assesses the risk arising from the methods used to interact with customers, particularly noting the challenges and risks associated with non-face-to-face interactions or those facilitated through intermediaries.

The FIAU’s Implementing Procedures emphasize a nuanced and comprehensive approach to managing ML/TF risks, advocating for a deep understanding of inherent risks, meticulous assessment of various risk factors, and the strategic application of mitigating measures. This risk-based approach allows subject persons to tailor their AML/CFT efforts effectively, ensuring that their practices are both legally compliant and aligned with their risk appetite. Ultimately, the guidance underscores the continuous nature of risk management, urging entities to regularly review and adapt their strategies to the evolving landscape of ML/TF threats.

It is paramount to acknowledge that the journey through the intricate landscape of risk management, compliance with MFSA/FIAU expectations, and the meticulous completion of the REQ and ACR does not have to be navigated in solitude. Aspida stands at the forefront of this challenging terrain, perfectly positioned to offer unparalleled expertise and support in every aspect of your compliance journey.

Our team is not just equipped; we are dedicated to ensuring that you are fully supported in updating your BRAs and CRAs, filling out your REQs for the FIAU, and completing your ACRs for the MFSA.

With Aspida by your side, you are far from alone; you are partnered with a team that ensures your compliance needs are not just met, but exceeded. 

For a discussion on options available to facilitate your requirements, please contact in the first instance.
