The risk assessment must be produced to an appropriate extent, i.e. in accordance with the nature and scope of the business activities of the obliged entity (section 4 (1) of the GwG). Pursuant to section 5 (1) sentence 2 of the GwG, the risk factors indicated in Annexes 1 and 2 and the information provided on the basis of the national risk assessment must be taken into consideration.
Annexes 1 and 2 of the GwG which are relevant in this regard (section 5 (1) of the GwG) include sample lists of factors and possible indications of a potentially lower or higher level of risk. Unlike in the case of the scenarios with a higher level of risk per se specified pursuant to section 15 (3) and (8) of the GwG and defined by the obliged entities themselves pursuant to section 15 (2) of the GwG, the applicability of individual factors does not mean that an increased level of risk is thus applicable per se. Instead, the key point is the overall assessment in a specific case of all (risk-increasing and risk-reducing) factors.
EBA-Guidelines on Risk Factors
In addition, pursuant to section 2 (1) nos. 1, 2, 3, 7, 8 and 9 of the GwG the obliged entities must comply with the European Banking Authority’s guidelines on money laundering and terrorist financing risk factors (hereinafter: guidelines on risk factors) of 1 March 2021 in preparing or revising a risk assessment (Art. 17 and Art. 18 of Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (hereinafter: Fourth Money Laundering Directive; cf. Title I, no. 4 et seq.)). These guidelines are a core element of the implementation of the risk-based approach.
The guidelines on risk factors include examples of risk factors which the obliged undertakings are obliged to take into consideration within the scope of the statutory provisions – where applicable – in their review and assessment of the money laundering and terrorist financing risks associated with a transaction. In addition, the guidelines on risk factors describe how the obliged entities can adjust the scope of their customer due diligence obligations in accordance with the risks identified by them, so as to make optimal use of the available resources. The guidelines on risk factors supplement for the obliged entities the risk factors contained in the Annexes to the GwG.
Following an introductory section, the guidelines on risk factors comprise two parts:
a. Title I consists of general comments and factors to be taken into consideration which apply for all undertakings subject to anti-money laundering obligations. This guidance is intended to enable the obliged undertakings to make in-depth and risk-oriented decisions in connection with the identification, assessment and treatment of money laundering and terrorist financing risks which may apply within the scope of business relationships as well as other, occasional transactions.
b. On the other hand, Title II comprises various sector-specific subsections and helps undertakings to apply their respective customer due diligence obligations on a risk-oriented basis. The guidelines on risk factors have a particular significance, since – in deviation from previous legislation – the new GwG does not specify any scenarios where simplified due diligence obligations may apply. A similar situation applies for scenarios which are subject to an increased level of risk and which are not expressly referred to in section 15 (3) of the GwG.
Objective and implementation
The objective of the risk assessment is to fully and completely register, identify, categorise and weigh up the specific risks in relation to money laundering and terrorist financing which arise within the scope of the business activities of the obliged entity. On this basis, appropriate money laundering prevention measures are to be implemented, in particular internal safeguards.
Appropriateness will be determined – as within the scope of the creation of risk management systems – on the basis of the obliged entity’s own risk assessment in relation to the risk structure of the services which it offers.
The following steps in particular are necessary in the preparation of an internal risk assessment and the associated determination of the necessary measures:
- a complete survey of the undertaking’s specific situation,
- registration and identification of customer-, product- and transaction-related risks as well as geographical risks,
- categorisation of the identified risks, i.e. classification in terms of risk groups and, where applicable, additional weighting, i.e. assessment,
- the development and realisation of appropriate internal safeguards which are used within the scope of the necessary money laundering prevention measures due to the outcome of the risk assessment (see chapter 3 for further details),
- the review and ongoing development of the internal safeguards enacted to date, taking the outcome of the risk assessment into consideration.
The business structure of the obliged entity is relevant for the survey of its specific situation. Within the scope of this survey, registration of the undertaking’s basic customer structure, its business units and processes, the products which it offers, its channels of distribution and its organisational structure is particularly important.
The risks can be registered and identified by means of the financial sector’s expertise in relation to the techniques used for money laundering and financing of terrorism. The expertise which is required for this purpose may be obtained or updated e.g. on the basis of national and international guidance and typology documents as well as lists of criteria establishing grounds for suspicion (incl. the typology documents available for the obliged entities in the internal section of the FIU’s website (www.fiu.bund.de), for the areas of “money laundering” and “terrorist financing”, or similar documents of the FATF on its website (www.fatf-gafi.org)), the undertaking’s existing knowledge or knowledge subsequently obtained by the undertaking (such as from media evaluations), the general analysis of suspected cases in which the undertaking has been involved in the past, or the exchange of knowledge with anti-money laundering officers (hereinafter: AML officers) of other obliged entities.
The identified risks must be categorised, i.e. divided up into different risk groups and assessed in terms of their significance. This may include a weighting of the various risks/risk groups. As a rule, the identified risks will be assessed within the scope of the risk assessment in terms of three different risk levels (high, medium, low). However, further differentiation/gradation by means of additional risk levels/categories and a – voluntary – reduction to fewer levels/categories (e.g. exclusively normal (medium) and higher-level) is likewise possible.
Example of a three-level risk classification:
- High => all scenarios which are also included in this classification either due to the high-risk classes defined by the legislation (section 15 of the GwG) or on the basis of the obliged entity’s own risk assessment, taking into consideration Annex 2 to the GwG, the guidelines on risk factors or other specific information.
- Medium => all scenarios which are not included in the classification “high” or “low” due to the obliged entity’s own risk assessment.
- Low => all scenarios where a low level of risk may be assumed in view of the requirements laid down in section 14 of the GwG, Annex 1 to the GwG as well as the guidelines on risk factors on the basis of a plausible risk assessment.
Various assessment methods may be used in the assessment. An assessment system subject to various weightings for different risk factors is possible, and so too is a fixed system where a high risk value for one individual factor is binding for the risk assessment and cannot be compensated for by means of factors subject to a low level of risk.
In addition, absolute criteria may be defined which automatically affect the customer classification and/or automatically entail a specific safeguard (e.g. particular decision-making processes upon the registration of specific new customers, such as PEPs or customers domiciled in a high-risk country).
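As an added illustration (not part of the BaFin guidance or any obliged entity's actual model), the following constructed Python sketch contrasts the two assessment systems described above, a weighted scoring model and a model in which a single high-risk factor is binding and cannot be compensated, and shows absolute criteria (here PEP status and domicile in a high-risk country, as assumed examples) overriding the score and triggering a specific safeguard. Factor names, weights, thresholds and safeguard names are assumptions.

```python
from dataclasses import dataclass, field

HIGH, MEDIUM, LOW = "high", "medium", "low"

# Assumed factor groups (customer-, product-, transaction-related, geographical)
# with constructed integer weights; each factor is rated 1 (low), 2 (medium), 3 (high).
WEIGHTS = {"customer": 3, "product": 2, "transaction": 2, "geography": 3}
HIGH_THRESHOLD, LOW_THRESHOLD = 25, 15   # constructed cut-offs on a 10..30 scale

# Assumed absolute criteria: presence fixes the classification to "high" and
# entails a specific safeguard regardless of the weighted score.
ABSOLUTE_CRITERIA = {
    "pep": "management_approval",
    "high_risk_country": "enhanced_due_diligence",
}


@dataclass
class Customer:
    factors: dict                      # factor group -> rating 1..3
    flags: set = field(default_factory=set)   # absolute criteria that apply


def weighted_classification(factors, high_binding=True):
    """Classify by weighted score; with high_binding=True a single factor rated
    3 is binding and cannot be offset by low-risk factors."""
    if set(factors) != set(WEIGHTS) or any(r not in (1, 2, 3) for r in factors.values()):
        raise ValueError("every factor group must be rated 1, 2 or 3")
    if high_binding and any(rating == 3 for rating in factors.values()):
        return HIGH
    score = sum(WEIGHTS[name] * rating for name, rating in factors.items())
    if score >= HIGH_THRESHOLD:
        return HIGH
    if score <= LOW_THRESHOLD:
        return LOW
    return MEDIUM


def classify(customer, high_binding=True):
    """Return (risk level, safeguards) applying absolute criteria on top of the score."""
    safeguards = sorted(ABSOLUTE_CRITERIA[f] for f in customer.flags if f in ABSOLUTE_CRITERIA)
    level = weighted_classification(customer.factors, high_binding)
    if safeguards:                     # absolute criterion overrides the weighted result
        level = HIGH
    return level, safeguards
```

The same customer with one product factor rated 3 comes out "low" under pure weighting but "high" under the binding rule, which is the difference the text draws between the two systems.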
Risk-based deviations or exceptions must be documented and justified, while taking into consideration the above comments.
For the purpose of the assessment, the obliged entities must also include the current national risk assessment results published in relation to money laundering and terrorist financing.
The results of the risk identification, categorisation and weighting are to be implemented within the scope of the individual internal safeguards. In principle, these must be determined on the basis of the results of the risk assessment and must be consistent with these.
As with risk management in general, when implementing individual prevention measures in a specific instance, the greater the risk potential, the greater the care required.
The internal safeguards enacted must be reviewed and developed while taking into consideration the outcome of the risk assessment.
Documentation and updating obligation, section 5 (2) of the GwG
The obliged entities must clearly document their risk assessment, subject to section 5 (4) of the GwG. The above internal risk assessment steps must therefore be included in this documentation.
The need for an update to the risk assessment must be reviewed regularly, i.e. at least once per year, and the risk assessment must be updated where necessary. The changes made within the scope of this update must be clearly presented in a form which indicates the level of change in the risk assessment and must be documented.
The current version of the risk assessment must be provided to BaFin at its request. The same applies for the internal auditors (where applicable) and for the external auditors. The current risk assessment must be presented to the competent member of the management. This must be documented in an audit-compliant manner.