The implementation of a business risk assessment (BRA) is an obligation that came into force as in 2018 under Regulation 5(1) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and Section 3.3 of the FIAU Implementing Procedures Part I (IPs). The BRA lies at the core of the risk-based approach underlying current AML/CFT regulatory frameworks and is a regulatory obligation that has been attracting increased scrutiny by supervisory authorities. Having said that, the practice of conducting a thorough BRA has advantages that transcend mere statutory compliance with official regulations.
Malta Business Risk Assessment Advantages
A corporate entity needs to be mindful of the application of timely and effective compliance monitoring and appropriate controls. The BRA process empowers organisations to develop a thorough understanding of the innate and residual risks present in a subject-person’s operating environment.
The PMLFTR provides that each subject person is required to:
“identify and assess the risks of money laundering and funding of terrorism that arise out of its activities or business, taking into account risk factors including those relating to customers, countries or geographical areas, products, services,transactions and delivery channels andshall furthermore take into consideration any national or supranational risk assessments relating to risks of money laundering and the funding of terrorism”.[1]
This obligation translates into having a business risk assessment evaluating the risks that each subject person entity needs to consider in its operations, as a minimum, the money laundering and funding of terrorism risks of such subject person.
Every time new threats and vulnerabilities are detected, when there are changes to an entity’s business model/structures/activities, and/or whenever there are shifts in the external environment within which the subject person is operating, the BRA is to be documented and needs to be revised. It is essential that subject persons are conscious of their operational ecosystem and the risks presented by same. Any periodical novel threats identified should feature within an entity’s BRA, together with documentation of appropriate and equivalent controls.
If there are no such changes within a particular year, the subject person is still required to review its BRA annually and determine whether any changes are required thereto.
Malta Business Risk Assessment Basic Guidelines
Hereunder are some basic guidelines to be considered when an entity is compiling its upcoming BRA document.
Whilst acknowledging the importance of a corporation’s operational risks, it’s important to note that the BRA should be restricted to evaluating money laundering threats, funding of terrorism risks and sanctions risks and should not consider other operational risks of the subject person.[2]
The BRA should include a description of the methodology adopted by subject persons in compiling it.[3] Section 3.3.1 of the IPs also explains that the BRA should define the residual risk by considering the inherent risk level across the array of ML/FT risks in the light of the effectiveness of controls applied to mitigate these risks.
Malta Business Risk Assessment: Methodology
BRA methodology should be drafted in a way as to reflect the nature, size and complexity of the entity, as well as its industry or sector which it operates. The aim is to identify, assess and discuss specific risks which may impact the organisation, which can then enable the organisation to come up with a detailed risk scoring across its ambit of operations.
BRA methodology needs to be documented and ought to specify the manner in which the BRA is designed, the sources used to identify risks, the method employed to measure the impact of each risk scenario, the way in which inherent risk is calculated, the manner in which the effectiveness of the controls is assessed, and how the respective controls would impinge on the inherent risk of each specific risk. The subject person should also determine whether the relevant risk is within its own risk appetite, and in the case that it does not fall within its risk pre-disposition, the measures to be adopted by the subject person in such a case.
Malta Business Risk Assessment: Risks
The inherent risks identified should be relevant to the subject person in question. Therefore, a thorough assessment of customer-type risks, geographical risks, interface risks and service, product and/or transaction risks as well as the delivery channel, is to be undertaken and documented. A description of the risk identified should also be documented in order to ensure that the controls implemented for mitigation of such risks are adequate and bespoke to that particular threat.
Subject persons should avoid situations where the BRA exercise is tackled purely in a theoretical manner. A subject person’s senior management team needs to have a proper understanding of the risks to which the entity is exposed. In this respect, it is crucial to ensure that the data on which the BRA is based is of good value and dependable. On the contrary, if such information is of low quality, the final BRA outcome would not be a true reflection of the risks to which the subject person is exposed to, meaning that the entity may not be tackling and managing its risk adequately.
Risks detected in the BRA exercise should be quantified, hence placing the subject person in a better position to evaluate the inherent risk it is exposed to.
Malta Business Risk Assessment: Controls
With regards to controls, a report should be presented, in the sense that such controls need to be documented and implemented. A very detailed assessment of the controls included in the BRA should be carried out to ensure that in reality such measures that are documented are also implemented in fact.
The BRA should present an entity’s senior management team with a detailed view of the inherent threats to the business, level of control implemented, and residual risk of each risk pillar (i.e., customer risk, geographical risk, product, service and/or transaction and interface risk). In this manner, an awareness of risk factors driving up an entity’s risk profile would be created, and efforts can be focused towards mitigating same.
From the above process, an overall general risk profile report of the entity can also be generated, incorporating the results of each risk identified under each risk pillar and amassing same into one general report.
The Effects of the Malta Business Risk Assessment
The results of the BRA should also be presented by the MLRO to the directors and senior management of an entity to enable the latter to have sufficient visibility of the risks the entity is exposed to and therefore have meaningful senior level discussions on such risks as well as mitigation and management measures implemented.
The BRA review exercise should not be regarded as a mere formal procedure. Carrying out such process with a ‘tick-the-box’ frame of mind would defeat the whole purpose of this undertaking. If carried out appropriately, the BRA provides valuable data to discuss the risks of the subject person, enabling it to address issues of money laundering, funding of terrorism and sanctions risk and thereafter reducing them by channelling its resources to areas of higher-than-normal risk of ML/FT. This enables an entity to protect itself against legal, regulatory, and reputational damage.
[1] Article 5 (1)
[2] Article 5(1)
[3] Implementing Procedures (Ips) Section 3.3.2
The implementation of a business risk assessment (BRA) is an obligation that came into force as in 2018 under Regulation 5(1) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and Section 3.3 of the FIAU Implementing Procedures Part I (IPs). The BRA lies at the core of the risk-based approach underlying current AML/CFT regulatory frameworks and is a regulatory obligation that has been attracting increased scrutiny by supervisory authorities. Having said that, the practice of conducting a thorough BRA has advantages that transcend mere statutory compliance with official regulations.
Malta Business Risk Assessment Advantages
A corporate entity needs to be mindful of the application of timely and effective compliance monitoring and appropriate controls. The BRA process empowers organisations to develop a thorough understanding of the innate and residual risks present in a subject-person’s operating environment.
The PMLFTR provides that each subject person is required to:
“identify and assess the risks of money laundering and funding of terrorism that arise out of its activities or business, taking into account risk factors including those relating to customers, countries or geographical areas, products, services,transactions and delivery channels andshall furthermore take into consideration any national or supranational risk assessments relating to risks of money laundering and the funding of terrorism”.[1]
This obligation translates into having a business risk assessment evaluating the risks that each subject person entity needs to consider in its operations, as a minimum, the money laundering and funding of terrorism risks of such subject person.
Every time new threats and vulnerabilities are detected, when there are changes to an entity’s business model/structures/activities, and/or whenever there are shifts in the external environment within which the subject person is operating, the BRA is to be documented and needs to be revised. It is essential that subject persons are conscious of their operational ecosystem and the risks presented by same. Any periodical novel threats identified should feature within an entity’s BRA, together with documentation of appropriate and equivalent controls.
If there are no such changes within a particular year, the subject person is still required to review its BRA annually and determine whether any changes are required thereto.
Malta Business Risk Assessment Basic Guidelines
Hereunder are some basic guidelines to be considered when an entity is compiling its upcoming BRA document.
Whilst acknowledging the importance of a corporation’s operational risks, it’s important to note that the BRA should be restricted to evaluating money laundering threats, funding of terrorism risks and sanctions risks and should not consider other operational risks of the subject person.[2]
The BRA should include a description of the methodology adopted by subject persons in compiling it.[3] Section 3.3.1 of the IPs also explains that the BRA should define the residual risk by considering the inherent risk level across the array of ML/FT risks in the light of the effectiveness of controls applied to mitigate these risks.
Malta Business Risk Assessment: Methodology
BRA methodology should be drafted in a way as to reflect the nature, size and complexity of the entity, as well as its industry or sector which it operates. The aim is to identify, assess and discuss specific risks which may impact the organisation, which can then enable the organisation to come up with a detailed risk scoring across its ambit of operations.
BRA methodology needs to be documented and ought to specify the manner in which the BRA is designed, the sources used to identify risks, the method employed to measure the impact of each risk scenario, the way in which inherent risk is calculated, the manner in which the effectiveness of the controls is assessed, and how the respective controls would impinge on the inherent risk of each specific risk. The subject person should also determine whether the relevant risk is within its own risk appetite, and in the case that it does not fall within its risk pre-disposition, the measures to be adopted by the subject person in such a case.
Malta Business Risk Assessment: Risks
The inherent risks identified should be relevant to the subject person in question. Therefore, a thorough assessment of customer-type risks, geographical risks, interface risks and service, product and/or transaction risks as well as the delivery channel, is to be undertaken and documented. A description of the risk identified should also be documented in order to ensure that the controls implemented for mitigation of such risks are adequate and bespoke to that particular threat.
Subject persons should avoid situations where the BRA exercise is tackled purely in a theoretical manner. A subject person’s senior management team needs to have a proper understanding of the risks to which the entity is exposed. In this respect, it is crucial to ensure that the data on which the BRA is based is of good value and dependable. On the contrary, if such information is of low quality, the final BRA outcome would not be a true reflection of the risks to which the subject person is exposed to, meaning that the entity may not be tackling and managing its risk adequately.
Risks detected in the BRA exercise should be quantified, hence placing the subject person in a better position to evaluate the inherent risk it is exposed to.
Malta Business Risk Assessment: Controls
With regards to controls, a report should be presented, in the sense that such controls need to be documented and implemented. A very detailed assessment of the controls included in the BRA should be carried out to ensure that in reality such measures that are documented are also implemented in fact.
The BRA should present an entity’s senior management team with a detailed view of the inherent threats to the business, level of control implemented, and residual risk of each risk pillar (i.e., customer risk, geographical risk, product, service and/or transaction and interface risk). In this manner, an awareness of risk factors driving up an entity’s risk profile would be created, and efforts can be focused towards mitigating same.
From the above process, an overall general risk profile report of the entity can also be generated, incorporating the results of each risk identified under each risk pillar and amassing same into one general report.
The Effects of the Malta Business Risk Assessment
The results of the BRA should also be presented by the MLRO to the directors and senior management of an entity to enable the latter to have sufficient visibility of the risks the entity is exposed to and therefore have meaningful senior level discussions on such risks as well as mitigation and management measures implemented.
The BRA review exercise should not be regarded as a mere formal procedure. Carrying out such process with a ‘tick-the-box’ frame of mind would defeat the whole purpose of this undertaking. If carried out appropriately, the BRA provides valuable data to discuss the risks of the subject person, enabling it to address issues of money laundering, funding of terrorism and sanctions risk and thereafter reducing them by channelling its resources to areas of higher-than-normal risk of ML/FT. This enables an entity to protect itself against legal, regulatory, and reputational damage.
[1] Article 5 (1)
[2] Article 5(1)
[3] Implementing Procedures (Ips) Section 3.3.2