Risk Classification

Risk classification within Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) frameworks is the mechanism by which financial institutions and other obliged entities decide how much due diligence a customer, business relationship or transaction requires, and is therefore central to managing and mitigating money laundering and terrorist financing (ML/TF) risk.

The European Union’s 4th and 5th AMLDs, along with the European Banking Authority’s (EBA) ML/TF Risk Factors Guidelines and Germany’s GwG alongside BaFin’s Interpretation and Application Guidance, provide a comprehensive structure for identifying and categorizing risks into lower, normal, and higher risk categories.

Understanding Risk Classification in AML/CFT

Lower Risk

  • Lower risk scenarios are those in which the potential for money laundering or terrorist financing is low.
  • Annex II of the 4th AMLD lists examples such as public companies listed on a stock exchange and subject to disclosure requirements, and customers resident in jurisdictions with effective AML/CFT systems; the 5th AMLD keeps this risk-based structure.
  • Simplified Customer Due Diligence (SDD) measures may be applied in these cases, allowing a reduced level of scrutiny, but only after the obliged entity has ascertained that the risk is in fact lower.

Normal Risk

  • Normal risk categories encompass the standard level of risk that most business relationships or transactions present.
  • These do not exhibit overt risk factors that would elevate their risk profile, nor do they qualify for simplified due diligence measures associated with lower-risk categories.
  • Standard due diligence processes are employed here, ensuring a baseline level of scrutiny is maintained to prevent ML/TF activities effectively.

Higher Risk

  • Higher risk categories pertain to scenarios where there is a significant risk of ML/TF activities.
  • These might involve complex or opaque business structures, high-risk geographic locations, or dealings with politically exposed persons (PEPs).
  • The 5th AMLD and EBA Guidelines highlight the necessity for Enhanced Due Diligence (EDD) in these situations, requiring a more in-depth investigation to mitigate the identified risks adequately.

4th AMLD

The 4th Anti-Money Laundering Directive (AMLD) of the EU outlines the requirements for Simplified Customer Due Diligence (SDD) and Enhanced Customer Due Diligence (EDD) with a focus on risk classification.

Lower Risk – Simplified Customer Due Diligence (SDD):

  • Allows for SDD measures in lower-risk situations, provided that the entity first ascertains the lower degree of risk.
  • It emphasizes the need for continuous monitoring to detect unusual or suspicious transactions despite the simplified measures.
  • Lists factors that could indicate lower risk, such as customer type, geographic area, and the nature of products/services, directing attention to Annex II for specific lower risk factors.
  • Announces that the European Supervisory Authorities (ESAs) will issue guidelines on risk factors and measures for SDD, taking into account the business’s nature and size.

Normal Risk:

  • The AMLD does not explicitly define "normal risk" but implies that situations categorized as neither lower nor higher risk fall into this category.
  • Standard customer due diligence measures apply here, requiring entities to identify and verify their clients' identities and to understand the nature and purpose of the business relationship.

Higher Risk – Enhanced Customer Due Diligence (EDD):

  • Requires EDD in higher-risk situations, including dealings with natural or legal persons established in high-risk third countries; complex and unusually large transactions, and unusual patterns of transactions without an apparent economic or lawful purpose, must in addition be examined as far as reasonably possible.
  • Specifies that EDD measures must be proportionate to the risks and lists factors indicating potentially higher risk in Annex III.
  • Articles 19 to 24 detail specific scenarios requiring EDD, including cross-border correspondent relationships, politically exposed persons (PEPs), and PEPs as beneficiaries of life insurance policies.
  • These articles mandate additional measures such as senior management approval, establishing the source of wealth and source of funds, and enhanced ongoing monitoring of the business relationship.
  • Article 24 explicitly prohibits correspondent relationships with shell banks and requires measures to ensure that obliged entities do not engage with institutions known to allow their accounts to be used by shell banks.

Risk Factors – Annexes II and III:

  • Annex II (Lower Risk): Includes factors like public companies subject to adequate transparency, customers from low-risk geographic areas, and certain low-risk products and services.
  • Annex III (Higher Risk): Lists factors indicating higher risk, such as relationships conducted under unusual circumstances, customers from high-risk geographic areas, cash-intensive businesses, and products or transactions favoring anonymity.

5th AMLD

The 5th AMLD (Directive (EU) 2018/843) amends Directive (EU) 2015/849 rather than replacing it. Its main effect on risk classification is on the "higher risk" side: the new Article 18a prescribes a fixed set of enhanced due diligence measures for business relationships and transactions involving high-risk third countries, and Annex III is extended with further higher-risk factors. The amendments do not redefine the "lower risk" or "normal risk" categories and continue to rely on a risk-based approach to customer due diligence.

EBA ML/TF Risk Factors Guidelines

The European Banking Authority's ML/TF Risk Factors Guidelines (EBA/GL/2021/02) provide a framework for assessing and categorizing the risk of money laundering and terrorist financing (ML/TF). The guidelines call for a holistic approach to risk evaluation, distinguishing between lower, normal, and higher risk categories based on a range of factors and their interplay.

Holistic Risk Assessment

  • Firms should take a holistic view when assessing ML/TF risks, considering all relevant factors together rather than in isolation. The presence of a single risk factor does not by itself place a relationship or transaction in the higher or lower risk category, unless EU directives or national law prescribe that outcome (for example for PEPs).

Weighting Risk Factors

  • When evaluating ML/TF risks, firms may assign different weights to various factors based on their significance in a specific context.
  • This process should be informed and judicious, ensuring that no single factor unduly influences the overall risk assessment.
  • Firms must ensure that economic considerations do not skew risk ratings and that the system allows for high-risk categorizations when warranted.
  • Automated IT systems used in risk assessment should be well-understood by the firm, ensuring that the generated risk scores align with the firm’s understanding of ML/TF risks.

Categorizing Risk

  • Firms should determine the most suitable method for categorizing risk, which may vary based on the firm’s size and the nature of its exposure to ML/TF risks.
  • While many firms use a three-tier system (high, medium, low), alternative categorizations are also acceptable.
  • The final categorization should consider inherent risks and mitigating factors identified during the risk assessment process.
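The weighting and categorization rules described above translate directly into a small scoring engine. The following Python is an added example, not code from the EBA or from any firm; its factor scale, thresholds, per-factor cap and the sample customer profiles are assumptions chosen to show the behaviour the guidelines ask for: a legally mandated EDD trigger (such as a PEP) overrides the score, a single heavily weighted factor is capped so that it cannot decide the rating on its own, an input that is not an ML/TF risk factor (such as the customer's commercial value to the firm) is rejected, and mitigating factors can lower a score but never remove a mandated EDD.

```python
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    LOWER = "lower"     # simplified due diligence may be considered
    NORMAL = "normal"   # standard due diligence
    HIGHER = "higher"   # enhanced due diligence required


# Categories of risk factor the guidelines discuss. Anything else (e.g. the
# customer's profitability to the firm) is rejected so that economic
# considerations cannot skew the rating.
ALLOWED_CATEGORIES = {"customer", "product", "geography", "channel", "mitigant"}

# Assumed calibration values; a real firm derives these from its own
# business-wide risk assessment.
HIGHER_THRESHOLD = 4.0      # weighted total at or above this -> higher risk
LOWER_THRESHOLD = -2.0      # weighted total at or below this -> lower risk
SINGLE_FACTOR_CAP = 3.0     # no single factor may contribute more than this
MATERIAL_ELEVATION = 2.0    # an elevated factor at/above this blocks SDD


@dataclass(frozen=True)
class RiskFactor:
    name: str
    category: str
    score: int                  # assumed scale: -3 (strongly lower) .. +3 (strongly higher)
    weight: float = 1.0         # relative weight set in the firm's risk assessment
    mandated_edd: bool = False  # EDD prescribed by law (e.g. PEP, high-risk third country)


@dataclass
class Assessment:
    tier: Tier
    score: float
    contributions: dict[str, float] = field(default_factory=dict)
    overrides: list[str] = field(default_factory=list)


def assess(factors: list[RiskFactor]) -> Assessment:
    """Holistic rating: weighted sum with a per-factor cap, plus legal overrides."""
    contributions: dict[str, float] = {}
    overrides: list[str] = []
    for f in factors:
        if f.category not in ALLOWED_CATEGORIES:
            raise ValueError(f"{f.name!r}: {f.category!r} is not an ML/TF risk factor category")
        if f.mandated_edd:
            overrides.append(f.name)
        raw = f.score * f.weight
        # Clamp so that one heavily weighted factor cannot dominate on its own.
        contributions[f.name] = max(-SINGLE_FACTOR_CAP, min(SINGLE_FACTOR_CAP, raw))
    score = sum(contributions.values())
    max_elevated = max((c for c in contributions.values() if c > 0), default=0.0)

    if overrides:
        tier = Tier.HIGHER  # the law decides; no weighting or mitigant can lower this
    elif score >= HIGHER_THRESHOLD:
        tier = Tier.HIGHER
    elif score <= LOWER_THRESHOLD and max_elevated < MATERIAL_ELEVATION:
        tier = Tier.LOWER   # lower only when no material higher-risk indicator is present
    else:
        tier = Tier.NORMAL
    return Assessment(tier, score, contributions, overrides)


# Constructed sample profiles (not real customers).
def pep_private_individual() -> Assessment:
    return assess([
        RiskFactor("pep", "customer", 2, mandated_edd=True),
        RiskFactor("resident_in_eu_member_state", "geography", -1),
    ])


def listed_eu_company() -> Assessment:
    return assess([
        RiskFactor("listed_company_with_disclosure_duties", "customer", -2),
        RiskFactor("registered_in_eu_member_state", "geography", -1),
        RiskFactor("pension_scheme_no_early_surrender", "product", -1),
    ])


def cash_intensive_opaque_structure(with_mitigant: bool) -> Assessment:
    factors = [
        RiskFactor("cash_intensive_business", "customer", 3, weight=2.0),  # raw 6, capped to 3
        RiskFactor("opaque_ownership_structure", "customer", 2),
        RiskFactor("registered_in_eu_member_state", "geography", -1),
    ]
    if with_mitigant:
        factors.append(RiskFactor("enhanced_transaction_monitoring", "mitigant", -1))
    return assess(factors)


if __name__ == "__main__":
    for label, a in [("PEP", pep_private_individual()),
                     ("listed EU company", listed_eu_company()),
                     ("cash-intensive, no mitigant", cash_intensive_opaque_structure(False)),
                     ("cash-intensive, mitigated", cash_intensive_opaque_structure(True))]:
        print(f"{label}: {a.tier.value} (score {a.score}, overrides {a.overrides})")
```

The cap is what makes the "no single factor unduly influences the result" requirement concrete: the cash-intensive profile would reach the higher-risk threshold on that one factor alone without it, and instead needs the opaque ownership structure as a second indicator. Keeping the override check ahead of the arithmetic is the simplest way to guarantee that a PEP is never rated down by generous weights or mitigants.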

Risk Categories

Lower Risk

  • Lower risk scenarios are those where risk factors suggest a minimal likelihood of ML/TF activities.
  • These might involve entities or transactions with clear, transparent structures and operations, low-value transactions, or business relationships in well-regulated jurisdictions with strong AML/CFT measures.
  • Simplified due diligence may be applicable in these cases, following a thorough risk assessment.

Normal Risk

  • Normal risk scenarios are those that do not present clear indicators of heightened risk but also do not qualify for simplified due diligence due to the absence of lower risk factors.
  • Standard due diligence processes apply here, involving routine identity verification, monitoring of transactions, and understanding the nature of the business relationship.

Higher Risk

  • Higher risk scenarios are characterized by factors that significantly increase the risk of ML/TF activities.
  • These could include connections to high-risk jurisdictions, complex and opaque corporate structures, transactions involving high-risk products or services, or customers that fall under higher-risk categories such as politically exposed persons (PEPs).
  • Enhanced due diligence measures are required in these situations to mitigate identified risks adequately.

German GwG

The German GwG outlines a risk-based approach to customer due diligence, differentiating between lower risk, normal risk, and higher risk scenarios. This approach allows obliged entities to adjust the intensity of their due diligence measures based on the assessed risk level associated with their clients, business relationships, or transactions.

Lower Risk

Under Section 14(1), simplified due diligence requirements are applied in scenarios identified as having a lower risk of money laundering or terrorist financing. The determination of lower risk should consider the factors specified in Annex 1, which include:

  • Customer Risk Factors: Such as public companies subject to adequate transparency requirements, public administrations or companies, and customers from low-risk geographical areas.
  • Product, Service, Transaction, or Delivery Channel Risk Factors: Including low-premium life insurance policies, pension schemes without early surrender options, and financial products designed to enhance financial inclusion.
  • Geographical Risk Factors: Member States, third countries with effective AML/CFT systems, and countries identified by credible sources as having low levels of corruption or other criminal activity.

Normal Risk

  • The GwG implies a "normal risk" category, which falls between the lower and higher risk classifications.
  • In these scenarios, obliged entities apply the general due diligence measures, scaling their extent in line with Section 10(2) to the specific risk posed by the contracting party, business relationship, or transaction.

Higher Risk

Section 15(2) and (3) mandate enhanced due diligence measures for scenarios identified as presenting a higher risk of money laundering or terrorist financing. This includes situations highlighted through a risk analysis or by considering the risk factors specified in Annex 2, such as:

  • Customer Risk Factors: Involving unusual business relationships, customers from high-risk geographical areas, legal persons used as personal asset-holding vehicles, and cash-intensive businesses.
  • Product, Service, Transaction, or Delivery Channel Risk Factors: Including private banking, products favoring anonymity, non-face-to-face transactions without secure identification, and transactions involving high-risk commodities like oil, arms, and precious metals.
  • Geographical Risk Factors: Countries lacking effective AML/CFT systems, known for high levels of corruption or criminal activity, under international sanctions, or supporting terrorist activities.

BaFin Interpretation and Application Guidance on the German GwG

The BaFin Interpretation and Application Guidance on the German GwG provides detailed instructions on customer due diligence obligations, in particular on keeping customer information up to date in line with the risk classification. The guidance distinguishes "inactive accounts", "low risk", "normal risk", and "high risk", each with a maximum review period and actions to ensure that the data remain current.

Inactive Accounts

  • Accounts that have been inactive for an extended period and carry only a small balance are exempt from the regular update cycle.
  • Update measures are required as soon as such a dormant account is reactivated.

Low Risk

  • Customer data in the low-risk category must be updated at the latest every 15 years, with the exact interval set on the basis of the risk assessment.
  • If the customer does not respond to update attempts, the obliged entity decides on further measures on a risk-based basis.

Normal Risk

  • For normal risk categories, customer information must be updated every 10 years at the latest.
  • If the update attempt is unsuccessful or the information obtained is unclear, a reassessment of the risk may be considered.
  • Further measures may be decided based on a risk-oriented approach if there is no customer response.

High Risk

  • High-risk categories require more frequent and rigorous monitoring, with customer information needing an update at least every 2 years.
  • This category includes customers or business relationships that are either prescribed by law as high risk or identified as such through a risk assessment.