Risk Assessment Professional corresponding with EBA Guidelines and Wolfsberg Group

EBA 2021 Guidelines [1]

Guideline 1: Risk assessments: key principles for all firms

1.1. Firms should ensure that they have a thorough understanding of the ML/TF risks to which they are exposed.

General considerations

1.2. To comply with their obligations set out in Directive (EU) 2015/849, firms should assess:

a) the ML/TF risk to which they are exposed as a result of the nature and complexity of their business (the business-wide risk assessment); and
b) the ML/TF risk to which they are exposed as a result of a business relationship or occasional transaction (the individual risk assessment).

Each risk assessment should consist of two distinct but related steps:

a) the identification of ML/TF risk factors; and
b) the assessment of ML/TF risk.

1.3. When assessing the overall level of residual ML/TF risk associated with their business and with individual business relationships or occasional transactions, firms should consider both the level of inherent risk and the quality of controls and other risk-mitigating factors.

1.6. Firms should put in place systems and controls to keep their assessments of the ML/TF risk associated with their business, and with their individual business relationships under review to ensure that their assessment of ML/TF risk remains up to date and relevant.

Business-wide risk assessments

1.11. Business-wide risk assessments should help firms understand where they are exposed to ML/TF risk and which areas of their business they should prioritise in the fight against ML/TF.

1.12. To this end, firms should take a holistic view of the ML/TF risks to which they are exposed, by identifying and assessing the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers.

1.13. Firms should identify risk factors based on information from a variety of internal and external sources, including the sources listed in Guidelines 1.30 to 1.31.

Linking the business-wide and individual risk assessments

1.18. Firms should use the findings from their business-wide risk assessment to inform their AML/CFT policies, controls and procedures, as set out in Article 8(3) and (4) of Directive (EU) 2015/849. Firms should ensure that their business-wide risk assessment also reflects the steps taken to assess the ML/TF risk associated with individual business relationships or occasional transactions and their ML/TF risk appetite.

Sources of information

1.29. To identify ML/TF risk, firms should refer to information from a variety of sources, which can be accessed individually or through commercially available tools or databases that pool information from several sources.

  1. the European Commission’s supranational risk assessment;
  2. the European Commission’s list of high-risk third countries;
  3. information from governments, such as governments’ national risk assessments, policy statements and alerts, and explanatory memorandums to relevant legislation;
  4. information from regulators, such as guidance and the reasoning set out in regulatory fines;
  5. information from Financial Intelligence Units (FIUs) and law enforcement agencies, such as threat reports, alerts and typologies; and
  6. information obtained as part of the initial CDD process and ongoing monitoring.

Wolfsberg Group FAQs on Risk Assessments for ML, Sanctions and Bribery & Corruption [2]

6. What is the conventional/standard ML Risk Assessment methodology?

The risk assessment should cover the entirety of the FI’s business, though may be conducted in parts, or as part of a rolling cycle, to focus on separate areas, such as divisions, units or specific business lines, countries and/or legal entities.

The risk assessment process can be considered in three phases:

  1. Phase 1: Determine the Inherent Risk;
  2. Phase 2: Assess the Internal Control Environment (both design and operating effectiveness);
  3. Phase 3: Derive the Residual Risk.


6.1 Phase 1 – Inherent Risk Assessment

Inherent Risk represents the exposure to money laundering, sanctions or bribery and corruption risk in the absence of any control environment being applied. As no two FIs are the same, inherent risk ratings may vary for FIs depending upon the size and scope of their businesses and the risks involved.


Managing the risk factors inadequately could lead to reputation risk, regulatory or legal sanction and possible consequent financial costs. Due to the nature of the particular business unit or business line’s products and services and client base, a risk-based approach is used to determine inherent risk. Each risk factor is usually assigned a score or weighting which reflects the level of risk associated with that risk factor and the prevalence of that risk compared to other risk factors.

6.2 Phase 2 – Assessment of Internal Controls

Once the inherent risks have been identified and assessed, internal controls must be evaluated to determine how effectively they offset the overall risks. Controls are programmes, policies or activities put in place by the FI to protect against the materialisation of an ML risk, or to ensure that potential risks are promptly identified. Controls are also used to maintain compliance with regulations governing an organisation’s activities. Many of the same controls apply to various activities undertaken within the FI and will be executed by both the Front Office (1st line) and Compliance (2nd line).

The controls in place are evaluated for their effectiveness in mitigating the inherent money laundering risk and to determine the residual risk rating. AML controls are usually assessed across the following control categories:

  • AML Corporate Governance; Management Oversight and Accountability
  • Policies and Procedures
  • Know Your Client (“KYC”); Client Due Diligence (“CDD”); Enhanced Due Diligence (“EDD”)
  • Previous Other Risk Assessments (local and enterprise-wide)
  • Management Information/Reporting
  • Record Keeping and Retention
  • Designated AML Compliance Officer/Unit
  • Detection and SAR filing
  • Monitoring and Controls
  • Training
  • Independent Testing and Oversight (including recent Internal Audit or Other Material Findings)
  • Other Controls/Others


6.3 Phase 3 – Arriving at the Residual Risk

Once both the inherent risk and the effectiveness of the internal control environment have been considered, the residual risk can be determined. Residual risk is the risk that remains after controls are applied to the inherent risk. It is determined by balancing the level of inherent risk with the overall strength of the risk management activities/controls. The residual risk rating is used to indicate whether the ML risks within the FI are being adequately managed.
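As an added worked example of the three phases described above (illustration only, not code from the EBA Guidelines or the Wolfsberg Group), the following Python carries one constructed business unit through Phase 1 (weighted inherent-risk scoring across the EBA 1.12 factor categories), Phase 2 (design and operating effectiveness per Wolfsberg control category) and Phase 3 (residual risk). The 1–5 factor scale, the factor weights, the rating thresholds, the rule that a control counts only as far as it is both designed and operating, and the residual-risk matrix are all assumptions chosen for the example; a real FI calibrates each of these to its own business.

```python
"""Three-phase ML risk assessment, as an added illustration of the Wolfsberg FAQ.

Assumptions (not from the EBA or Wolfsberg text): a 1-5 inherent scale, the
weights, the rating bands and the residual-risk matrix below.
"""
from dataclasses import dataclass

# Assumed rating bands: (upper bound, label), checked in order.
INHERENT_BANDS = ((2.0, "Low"), (3.5, "Medium"), (5.01, "High"))      # 1-5 scale
CONTROL_BANDS = ((0.4, "Weak"), (0.7, "Satisfactory"), (1.01, "Strong"))  # 0-1 scale

# Assumed residual-risk matrix: (inherent rating, control rating) -> residual rating.
RESIDUAL_MATRIX = {
    ("High", "Weak"): "High", ("High", "Satisfactory"): "High", ("High", "Strong"): "Medium",
    ("Medium", "Weak"): "High", ("Medium", "Satisfactory"): "Medium", ("Medium", "Strong"): "Low",
    ("Low", "Weak"): "Medium", ("Low", "Satisfactory"): "Low", ("Low", "Strong"): "Low",
}


@dataclass(frozen=True)
class RiskFactor:
    name: str      # product, jurisdiction, customer or delivery-channel factor (EBA 1.12)
    score: int     # 1 (lowest) .. 5 (highest) inherent exposure
    weight: float  # prevalence of this factor relative to the others


@dataclass(frozen=True)
class Control:
    category: str     # one of the Wolfsberg control categories
    design: float     # 0.0 .. 1.0 design effectiveness
    operating: float  # 0.0 .. 1.0 operating effectiveness


def _band(value, bands):
    for upper, label in bands:
        if value < upper:
            return label
    raise ValueError(f"value {value} is outside the rated range")


def inherent_risk(factors):
    """Phase 1: weighted average of factor scores -> (score on 1-5 scale, rating)."""
    if not factors:
        raise ValueError("at least one risk factor is required")
    for f in factors:
        if not 1 <= f.score <= 5 or f.weight <= 0:
            raise ValueError(f"bad factor {f.name!r}: score {f.score}, weight {f.weight}")
    total_weight = sum(f.weight for f in factors)
    score = sum(f.score * f.weight for f in factors) / total_weight
    return round(score, 2), _band(score, INHERENT_BANDS)


def control_effectiveness(controls):
    """Phase 2: average effectiveness -> (0-1 score, rating).

    A control is credited only as far as it is both well designed and actually
    operating (min of the two), so a well-written but unexecuted policy earns little.
    An empty control environment rates Weak, which makes residual risk equal inherent risk.
    """
    if not controls:
        return 0.0, "Weak"
    for c in controls:
        if not (0.0 <= c.design <= 1.0 and 0.0 <= c.operating <= 1.0):
            raise ValueError(f"bad control {c.category!r}: design {c.design}, operating {c.operating}")
    effectiveness = sum(min(c.design, c.operating) for c in controls) / len(controls)
    return round(effectiveness, 2), _band(effectiveness, CONTROL_BANDS)


def residual_risk(factors, controls):
    """Phase 3: balance the inherent rating against the control rating via the matrix."""
    _, inherent = inherent_risk(factors)
    _, control = control_effectiveness(controls)
    return RESIDUAL_MATRIX[(inherent, control)]


# Constructed sample input for one hypothetical business unit.
SAMPLE_FACTORS = [
    RiskFactor("products: correspondent banking", 5, 0.30),
    RiskFactor("jurisdictions: high-risk third countries", 4, 0.25),
    RiskFactor("customers: cash-intensive businesses", 3, 0.25),
    RiskFactor("delivery channel: non-face-to-face onboarding", 4, 0.20),
]
SAMPLE_CONTROLS = [
    Control("Know Your Client / CDD / EDD", design=0.9, operating=0.8),
    Control("Monitoring and Controls", design=0.8, operating=0.6),
    Control("Detection and SAR filing", design=0.7, operating=0.7),
    Control("Training", design=0.9, operating=0.9),
    Control("Independent Testing and Oversight", design=0.8, operating=0.4),
]

if __name__ == "__main__":
    print("Phase 1 inherent:", inherent_risk(SAMPLE_FACTORS))
    print("Phase 2 controls:", control_effectiveness(SAMPLE_CONTROLS))
    print("Phase 3 residual:", residual_risk(SAMPLE_FACTORS, SAMPLE_CONTROLS))
    print("Residual with no controls:", residual_risk(SAMPLE_FACTORS, []))
```

For the constructed unit the weighted inherent score is 4.05 (High); the controls average 0.68 (Satisfactory) because the audit finding against independent testing drags the operating side down, and the matrix leaves the residual rating at High, which is the signal that the unit is not yet adequately managed. Removing every control leaves residual equal to inherent, as Phase 1's definition requires.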