How competent authorities can enhance their risk assessments

Background and Purpose

The European Banking Authority (EBA) have recently published a report assessing the AML/CFT supervision approach of twelve Competent Authorities (CAs) [EBA/REP/2023/20]. Acuminor have analysed this report with a focus on the risk assessment findings.

Acuminor work with CAs to enhance their risk assessment approaches helping them to avoid common risk assessment failures. This report highlights the challenges encountered by CAs and provides some practical examples of how Acuminor have helped others to address them.

Executive Summary

Whilst CAs have made some progress towards implementing a risk-based approach the EBA have identified significant differences and inconsistencies across their methodologies. While high-profile cases may have acted as a trigger to re-define their supervisory approach, many CAs continue to face challenges in four key areas which impact their sectoral and entity-level risk assessments (i.e., those assessments of supervised financial institutions):

1. Deployment of documented risk-assessment methodologies, that utilise appropriate information sources and use up-to-date data,
2. Ensuring the scope of risk assessments include all risk areas, risk categories and risk indicators,
3. Ensuring sectoral risk assessments are completed having first completed all entity-level risk assessments, and
4. Raising awareness and understanding of the importance and benefits of entity-risk assessments.

Acuminor collects financial crime intelligence from a constantly growing number of vetted sources. Experts and machine learning models structure the intelligence into a comprehensive database of threats and risk indicators. Acuminor’s platforms allow CAs to identify risk areas, related threats, and risk indicators beyond money laundering (ML) including those associated with risk areas such as terrorist financing (TF) which has been identified by the EBA as a common gap, as well as others such as proliferation financing (PF) and sanctions.

The use of Acuminor’s expert analysis of this broad range of intelligence and our taxonomy of threats and risks, provides greater confidence in performing sectoral risk assessments, underpinned by a scalable and configurable documented methodology that can evolve as CAs’ capabilities grow. This supports them to obtain reliable results which can, in turn, be translated into more effective risk-based supervisory strategies, methods and actions, whilst avoiding common challenges including ineffective and inefficient deployment of resource or supervisory mechanisms.

Spotlight- Key Findings:

• Less than half of all CAs assessed had carried out their own sectoral risk assessment and had taken steps to comply with the revised (Dec 2021) EBA Risk-based supervision guidelines.
• Almost half of all supervisory risk assessments:
  • Included only one or two risk factors and failed to consider the full scope of risks identified through the National Risk Assessment (NRA).
  • Focused only on foreign geographical risk factors excluding domestic geographical risks.
  • Included no assessment of TF risks.
  • Failed to assess the likelihood of these risks crystallising or their impact and were largely descriptive in nature.
• Almost half of all CAs were found not to have the requisite understanding of the purpose of entity-level risk assessments and did not use them to inform their approach. As a result, their AML/CFT supervision was neither risk-based nor effective.
• In some cases, entities in sub-sectors had not been assessed and therefore the CAs’ entity-level risk assessments were deemed incomplete impacting the completeness of the sectoral assessment.
  • In certain cases, this was due to a lack of alignment between CAs who maintained dual responsibilities for supervision of AML/CFT of the same entity.

Key Risk Assessment Enhancement Areas:

1. Methodology, Information sources and use of up-to-date data

The methodology should:

• Be documented clearly including the definition of key terms and methods deployed, to ensure clear interpretation by downstream entities.
• Be reviewed regularly in line with enhancements to EBA guidelines and upon triggers such as: significant external events, emerging risks, findings by other supervisory authorities, changes in the way the sector is operated or significant changes in regulation.
• Involve assessment of inherent threats and risks likelihood and their impact per sector.
• Enable quantitative assessment approaches using up-to-date data as inputs. This helps to avoid use of only ‘descriptive’ or qualitative approaches and may in turn prevent risks associated with subjectivity.
• Set out a horizon scanning methodology for new threats and risks. This should include a range of information sources.

2. Risk Assessment Scope

CAs must ensure assessments encompass the full range of risks areas, risk categories and risk indicators and broaden their assessment of geographical risks. The report identifies:

• Many CAs failed to include an assessment of terrorist financing.
• CAs may only assess risks from the perspective of the products and services offered but not wider risk categories such as customer, transactions, channels and geographies.
• CAs commonly assess only one or two of the risks included in the NRA and apply focus heavily on foreign geographical risks, without looking at domestic geographical risks too.
• Existing foreign geographical assessments focus on cross-border transactions and non-resident customers but do not also consider risk posed by the foreign ownership of financial institutions.

3. Completion and Delivery of Sectoral Risk Assessments

CAs should ensure delivery of sectoral assessments to support sectors (and sub-sectors) in their interpretation of NRAs. The ability for this is dependent on:

• Ensuring their scope is complete, by considering (ii) above.
• Full completion of underlying entity level assessments. This may require greater resource capacity or improved deployment efficiency; and
• Where there are dual supervisory responsibilities across CAs for a particular financial institution, effective alignment, and engagement to complete the risk assessments; to enable their timely input into these sectoral (and sub-sector) assessments

4. Training and awareness

As in all circumstances, controls are ineffective if those deploying them fail to understand their purpose. The EBA identified the need for greater understanding of the entity level assessments as an input to sectoral risk assessments. This would support identification of higher risk institutions and enable improved resource prioritisation and supervision, but also as referenced above, may inform the identification of emerging threats and risks as inputs.

How have Acuminor helped Competent Authorities evolve and adapt their approach?

Acuminor have supported CAs in a number of areas including:

• Deployment of a robust, scalable and documented methodology,
• Ensuring awareness, understanding and comprehensive assessment of the financial crime threats and risks to which different sectors are exposed, and
• Enabling delivery of their end-to-end risk assessment facilitating a top-down and bottom-up review of financial crime risk in their sector, to enable effective and efficient risk-based supervision.

Deployment of a robust, scalable, and documented methodology

Acuminor’s methodology has been developed with reference to EBA and other financial crime industry bodies best practices. The methodology is configurable and scalable in line with CAs’ needs and can be used to create sector and sub-sector risk assessment reports.

As an example, one competent authority configured our solution to facilitate a residual risk result that could be higher than inherent risk, reflecting their approach and belief that should criminals find weaknesses in, or find an absence of controls, this may increase their attractiveness to criminals and in turn lead to greater exploitation.

The methodology enables both qualitative and quantitative assessment of risks, recognising not all risks may be quantifiable in nature. Where organisations wish to use data to drive risk calculations, the methodology can accommodate this. This can provide powerful real-time risk views and enable more dynamic sectoral risk assessments that could be shared in a more agile way with industry.

Ensuring awareness, understanding and comprehensive assessment of the financial crime threats and risks to which different sectors are exposed

Acuminor maintains the world’s largest financial crime threat and risk library. This supports CAs to increase the scope and improve efficiency across their sectoral risk assessments. Acuminor’s expert analysis provides an objective assessment of the probability of threats and risks materialising which can be amended (if required) and to which they can add their assessment of impact specific to that sector, as they seek to complete the inherent risk assessment.

In particular, examples include the ability of CAs to:

• Assess risk areas (such as ML, TF, Sanctions and PF) separately, adding custom areas if required.
• Gain understanding of the relevant underlying threats and risks using Acuminor’s consistent taxonomy with threat summaries and risk descriptions, helping consistent interpretation; and with full traceability back to original intelligence sources.
• Identify which threats and risks, present the greatest priority per sector.
• Understand how threats can materialise, through different risk categories beyond products and services to include customer, transactions, geography and channels too.
• Add risks and threats based on insights gained from their supervisory actions or cooperation with other bodies.
• To mature their approach, design and implementation of effective supervisory measures which may include the design of; data or information requests to be completed by supervised entities and/or their control assessment scope and approach.

Enable delivery of end-to-end risk assessments providing multiple views of the risk of financial crime risk in a sector to drive effective and efficient risk- based supervision .

Risk Assessment Professional enables the completion of an end-to-end risk assessment (including an ability to assess controls). The platform allows multiple users to work together in the solution across multiple stages of the workflow at any point in time, or via almost any location through access to the cloud. This would make it possible for multiple CAs to cooperate on a single sectoral risk assessment where there is overlap between the CAs.

The powerful reporting workflow enables CAs to take a holistic view of risk within a sector, in real-time, which may enable CAs to take more agile next steps. CAs can export the results as reports or choose to use API capabilities to transfer the results and use these as inputs for other purposes or to feed other solutions. When combined with more automation across their methodology and inputs, this can significantly uplift their response capabilities.

Next Steps

Acuminor has experience from working with several CAs. Through this work we can confirm that a high quality, dynamic, threat-led sectoral assessment is key to successful risk-based supervision. This work has evidenced, that by incorporating high-quality financial crime intelligence and related threat and risk detail into sectoral assessments, there can be significant impacts for the quality of the outputs derived.

For those planning their next sectoral and entity-level risk assessments, or in turn those supervised entities, who recognise some of the report’s findings in their own internal Business Wide-Risk Assessment (BWRA) approach, why don’t you contact us to see how we might be able to support. If you wish to read the EBA report directly, please find this linked here.