
The rise and fall of the national risk assessment

Let’s start with the summary: The 6th EU Anti-Money Laundering Directive poses a potential threat to the EU’s fight against money laundering, terrorist financing and sanction violations. Worrying? Yes. Surprising? Not really. I’ll elaborate more on that below, but let’s start by explaining what a national risk assessment is.

The national risk assessments today

Every country faces different threats and risks from money laundering, terrorist financing and sanction violations. To identify those threats and risks, a country might produce a national risk assessment, where those threats and risks are identified, assessed and communicated. Most of the time, the reports are completely free to the public and posted on various government websites. Sometimes, only a summary is publicly available.

The reason for producing these reports is not just for fun. It’s a way for states to comply with one of the key recommendations from the global watchdog Financial Action Task Force (FATF). In the EU, updating your national risk assessment once every year is also necessary to comply with the 4th Anti-Money Laundering Directive (AMLD4).

So why do the FATF and the EU care so much about whether countries produce and update their national risk assessments? One key reason: Intelligence is essential to having any idea of how to design and execute countermeasures against financial crime that actually make sense (in other words, enabling a risk-based approach). Without adequate insights into how the criminals behave and how that could affect you as a country, you have no way of knowing where to prioritise your resources to effectively find, stop and report the criminals.

The same applies to any company regulated under financial crime regulations – if you don’t have enough information about how you can be misused by criminals and where your highest risks are, you will never be able to create and maintain an effective anti-financial crime framework in your organisation.

For the reason above, virtually any regulated company thoroughly disseminates the national risk assessments for the countries they operate in when creating business-wide risk assessments, policies, transaction monitoring and other mitigating actions. And this is where things get tricky, mainly because of this:

The national risk assessments of today are pretty poor:

  • Only about 60 out of the world’s 195 countries have one at all
  • The majority are between 4-6 years old, making them obsolete (make a mental note of this one for later)
  • The reports all look different – some are two pages, some are 200
  • Most reports provide little to no information about specific risk indicators connected to specific threats, rendering them virtually impossible to use as a single source of information for regulated companies
  • The information provided in the reports can be contradictory: There are several cases where we have plenty of information about a specific threat in global, European and local law enforcement sources but where that very threat is not even mentioned in the national risk assessment (or is deemed as low risk when everyone else says it’s high).

To make up for the weaknesses in the national risk assessments, regulated companies must source intelligence from a number of other sources. This does not only create a challenge resource-wise, it’s also something that is almost impossible to pull off in a sustainable way by using Google and Excel without an army of senior financial crime analysts.

How the AMLD6 could make things worse

Now it’s time to get back to that mental note we made about the frequency with which states are required to update their national risk assessment. One would have thought that the national risk assessments – being a critical pre-requisite for implementing a risk-based approach – would be moving towards a more up-to-date view of the ever-evolving financial crime landscape.

But no: Now the national risk assessments only need to be updated once every four years.

Just think about it. How did the criminal landscape look four years ago in your country? Some things are the same, sure. But much more has changed. The problem that all of us working against financial crime share, is that we’re always five steps behind the bad guys. With the AMLD6, we will now risk being at least 10 steps behind.

Reducing the frequency of updates will mean that regulated companies must increase their efforts even more to find, collect and analyse intelligence from other sources than the national risk assessments to keep up to speed with financial crime trends.

So why has this change come up? My perhaps blunt guess is that it’s simply because it’s notoriously hard to coordinate several authorities to come up with a report that is good enough (if you think that your company is slow, try working in the public sector). In other words: It’s really hard to pull off a complex thing such as a national risk assessment every year.

On a positive note, this gives the authors of the national risk assessments plenty of time to produce reports with more detail and actionable intelligence for regulated companies – but I can’t help but wonder what good that will do given that the information is old as mold.