- Our analysis show that on average, only 3% of an NRA can be used to inform risk-based processes in the private sector
- There are three main types of NRAs: The ones that are only there to please the FATF, the ones that contain descriptions of financial crime threats and risk indicators, and the ones that focus on specific themes such as Hawala. It's only the second type that provides any value whatsoever to the private sector.
- NRAs in their current format is never good enough to by themselves inform a business-wide risk assessment and a risk-based framework (they are not detailed nor broad enough)
- Since NRAs are only available in unstructured, free text in the shape of PDF or Word documents, it is extremely time consuming to find them, make sense of them, assess if they are relevant, assess how relevant they are and potentially convert them into mitigating actions
- We need to re-think how national risk assessments should work; relying on excel, pdf, word and physical meetings is never going to protect society from financial crime