Risk assessment

As part of AML, you are required to conduct a risk assessment. For each client, you check whether they present a low, medium or high risk. Beforehand, your firm has already drafted a policy outlining how your firm handles these risks and when there is what level of risk. In this article, we explain these AML components in more detail.

What is a risk policy?

A risk policy is a plan that outlines how the firm deals with money laundering and terrorist financing risks. It contains guidelines and procedures that your firm implements to identify, assess, manage and monitor risks.

You establish in it how clients are assessed, when a client has a high risk profile and how you deal with the different risk profiles. When exactly a client has a high risk profile is up to you. The easiest way to do that is to add a risk indicator list to your policy.

In addition, the policy specifies how risks are mitigated and under what circumstances the relationship with a client is terminated, providing a framework for risk management and decision-making.

What is a risk profile?

A risk profile is an evaluation of how likely a particular client, transaction or activity is to be involved in money laundering or terrorist financing. Each client is thus given its own risk profile. It helps you take appropriate measures to reduce these risks, such as conducting an enhanced investigation.

Why do you need to set the risk policy and profile?

When you identify the risks and describe them in the risk policy, you can better identify the risks for each client. It's a guide for you and your colleagues. In addition, you can more effectively tailor measures to the specific risks you may face.

Determining the risk profile for each client enables you to understand risks and take targeted measures to manage and mitigate them. By knowing the risk profile, you can potentially deploy heightened scrutiny or exclude a high-risk client.

Which AML risk profiles exist?

Within AML, we have low, medium and high risk profiles.

How do you determine the risk profile?

You make the decision about the risk profile and type of follow-up examination based on the information provided by client. The risk policy already describes the most common risks. This will help in identifying potential risks, assessing their likelihood of occurrence and impact. Use this policy as a guide.

Below is a brief overview of how the three different risk profiles are primarily determined:

Low: A listed company, or its wholly-owned subsidiary, is supervised to the extent that, like a government agency or other regulated party, it is classified as having a low risk profile.
Medium: This is the AML starting point. Every client has a medium risk profile by default until you prove otherwise. Based on various factors, you determine whether this is correct.
High: You determine a high risk profile based on:
- High risk country
- PEP
- Company structure
- Activity/industry
- Nature of transaction/service provided

Every time you determine a risk profile, you must also justify it. In our article on risk profiles, we describe how the three different risk profiles are determined and give some examples of justification.

What types of subsequent investigations are there?

Once you have determined, justified, and recorded - the risk profile for your client, you take the next step: the investigation. The type of investigation you conduct usually depends on the risk profile.

Simplified investigation: a listed company (or wholly owned subsidiary) or government agency/regulated party.
Regular investigation: this type of investigation is the starting point for medium risk profiles. In the case of a regular investigation, note that there is no reason to conduct a simplified/reinforced investigation.
Enhanced investigation: when the risk profile is high. Look at the origin of the assets, shareholder structure, concerns regarding the resources of the transaction, etc.
Low profile, still enhanced investigation
Sometimes a client with a low risk profile may still require enhanced due diligence. For example, if the client wants to establish a company in a high-risk country. The risk profile can then still be set at low, while you have to do an enhanced investigation because a high risk country is involved in the transaction. This will not happen often in practice, yet we would like to make you aware of the exceptions we encounter.

Justification for the type of investigation

You must also be able to justify the choice of investigation type.

Risk assessment: a tool

AML requires you to conduct a careful risk assessment when establishing a new client relationship. To support you in this, we have prepared a document that helps you determine whether you are dealing with a low, medium or high risk client. The document contains questions you can answer, after which a score is calculated to easily determine the risk level.

However, it is very important to be aware of the indicative nature and the need to analyze each situation individually. Always remain alert to changes in laws and regulations and adjust your AML process and policy accordingly. Your policy is not static; it should be a “living” document.

By conducting thorough due diligence and risk assessment, you not only fulfill your legal obligations, but also contribute to promoting a financial sector with integrity and security. This is how we work together to build a solid defense against money laundering and terrorist financing.

Themed file: fully prepared for the supervisor’s audit

This article is part of a number of articles and downloads that will help you prepare yourself for the supervisor’s visit. Do you want to be 100% AML-proof and ready for the supervisor’s visit? Find all FAQs in our Knowledge Centre.

Knowledge centre

Download the checklist: "100% AML proof"

Download here

Application >

Features

Compliance as a service >

Integrations >

100% AML proof

Most discussed topics

To the knowledge centre >

News & blog >

Download the AML whitepaper >

About us >

Founders >

Contact RegLab >

Working at RegLab >