ML/TF (money laundering/terrorist financing) risk means the possibility of damage being caused to a legal entity and/or the financial system through illegal money laundering or terrorist financing activities.
ML/TF risk assessment is a mandatory component of a system of internal rules that allows a particular company to clearly define all the procedures and processes for countering ML/TF. Article 21a of Act No. 253/2008 Coll., on selected measures against the legitimisation of the proceeds of crime and financing of terrorism (hereinafter referred to as the “AML/CFT Act”) states that all companies that are subject to this law and must have a written system of internal rules in place are also required to prepare a written risk assessment.
The information in this article applies only to the activities of companies that are registered and operate in the Czech Republic. At the same time, 90% of the information is applicable to other EU jurisdictions.
Requirements for preparing an ML/TF risk assessment
Under the requirements of Article 5 of Decree 67/2018 Coll., on selected requirements for the system of internal rules, procedures and control measures against the legitimisation of proceeds of crime and financing of terrorism (hereinafter referred to as the “Decree on the AML/CFT Act”), a company, when assessing risks, should always take into account:
- the nature of its business activities;
- the nature of the company’s products and services and the possibility of their misuse for money laundering and terrorist financing purposes;
- the risk connected with the use of new technologies within its business activities;
- the risks associated with the distribution channels it uses to offer and provide its products and services;
- measures taken and applied to manage risks.
Also, when developing a risk assessment system, it is necessary to pay special attention to the global assessments published by regulators and based on statistical data analysis in the AML/CFT area. Companies should consider the volume and types of information sources that will ensure that individual risk assessments correspond with the actual risks of the company. In particular, the Decree on the AML/CFT Act obliges institutions to always take into account:
- the national risk assessment of the Czech Republic;
- the European risk assessment conducted by the European Commission;
- methodological and explanatory materials of the Czech National Bank (ČNB) and Financial Analytical Office (FAÚ);
- information provided by law enforcement agencies and the FAÚ (records of previous inspections, etc.);
- information obtained during the identification and verification of the company’s customers.
Who is obliged to prepare a written risk assessment?
In accordance with the AML/CFT Act, a written risk assessment must be prepared by:
- credit institutions;
- financial institutions of all kinds;
- gambling operators;
- companies authorised to act as a real estate trader or broker;
- entities providing professional services to legal entities;
- companies involved in the circulation of virtual assets.
Requirements for the content of the risk assessment
The Financial Analytical Office has not developed or published any risk assessment templates but has posted on its website some basic guidelines to follow when preparing this document.
In particular, the ML/TF risk assessment should include at least:
- classification of types of clients of the company by risk factors;
- categorising the risks of products and related services that can be misused for ML/TF.
The risk assessment should also mention examples of signs of suspicious activity included in the system of internal rules. It is important that these signs be indicative and not just normative. Simply put, signs of suspicious activity should be described and brought into the relevant mandatory part of the system of internal rules. However, these signs should be established from the risk assessment and be directly related to the portfolio of products or services offered, on the one hand, and the threat typologies associated with those products or services, on the other.
The Financial Analytical Office recommends, among other things, taking into account the risks of certain jurisdictions, both in relation to the origin (citizenship) of the client and regarding the destination of the transaction. Companies should also include the risk factor associated with distribution channels in the risk categorisation of new customers.
A comprehensive risk assessment methodology is considered to be the most effective.
Companies should pay significant attention to risk management and objectively assess measures to mitigate these risks. It is necessary to comprehensively assess how effective the measures applied to each identified risk factor are, as well as whether they reduce potential ML/TF risks.
If the applied measures are not enough to achieve the desired result, developing and implementing additional measures is necessary.
The risk assessment should be based on analysing all available quantitative and qualitative information. However, the FAÚ emphasises that in order to prevent ML/TF, risks of different nature should not be mixed: for example, money laundering risks are of a different nature than credit default risks.
An ML/TF risk assessment is a mandatory component of the system of internal rules, which is a clear set of instructions. It should set out all the processes, procedures and tools a company needs to fully comply with its AML/CFT obligations under the AML/CFT Act.
In most cases, this document should be in writing.
Developing a system of internal rules and a detailed risk assessment requires highly specialised knowledge of AML/CFT and of the requirements imposed by the supervisory authorities – the Financial Analytical Office and the Czech National Bank. Consequently, the easiest and most logical solution is to entrust the preparation of this document to professionals from COREDO, who have many years of experience and understand all the necessary nuances in detail.
The lack of a risk assessment system and a properly designed system of internal rules indicates a company’s non-compliance with the requirements of the AML/CFT Act, which, in turn, can lead to significant fines (up to 130 million CZK), reputational losses and increased attention from fraudsters and terrorists.