4.1. Risk Assessment
Effective from 11/11/2021
As required by Article 4 of the AML-CFT Decision and Paragraph 16.2 of the Standards, LEH must identify, assess and understand the ML/FT risks associated with their businesses and perform an enterprise-wide ML/FT risk assessment on a regular basis. It must develop a risk assessment in order to understand how and to what extent it is vulnerable to ML/FT, and help determine the nature and extent of AML/CFT resources necessary to mitigate and manage that risk.
The risk assessment creates the basis for the LEH’s risk-based approach. LEH may utilize a variety of models or methodologies to analyze their risks. In general, the risk assessment process would entail the following six (6) steps:
Step 1 | Step 2 | Step 3 | Step 4 | Step 5 | Step 6 |
Scope Determination | Risk Identification | Inherent Risk Assessment | Controls Evaluation | Residual Risk Assessment | Risk Mitigation |
Define in-scope processes | Assess the exposure to threats and vulnerabilities in order to identify risks | Assess the impact and likelihood of risks and assign inherent risk ratings | Identify and evaluate effectiveness of controls and identify weaknesses | Calculate Residual Risk (Inherent Risk Rating minus Controls Evaluation = Residual Risk Rating) | Develop and implement mitigation plans against risks that are above an acceptable level |
The nature and extent of any assessment of ML/FT risks must be appropriate to the nature, size, and complexity of the LEH’s business. The risk assessment should cover all relevant factors including but not limited to:
• Customer risk;
• Products and services risk;
• Delivery channel risk;
• New technologies risk;
• Jurisdiction or geographic risk;
• Counterparty risk; and
• Other areas of risk.
As per Article 4.2 of the AML-CFT Decision as well as Paragraphs 16.2 and 16.3 of the Standards, the senior management of the LEH must be closely engaged in the risk assessment process and take responsibility for conducting an appropriate assessment. It must review and approve at least on an annual basis the LEH’s risk appetite statement, risk assessment methodology, and risk assessment findings. If an initial risk assessment assesses the LEH as higher risk, it may be necessary to conduct a more intensive assessment of certain areas of the LEH’s operations. In assessing ML/FT risks, the LEH must have the following elements in place:
• Documented risk assessment methodology, procedures, and processes.
• Documented risk assessment findings, including determination of overall risk and specific risks, and mitigating measures to be applied to minimize the impact of risks.
• Written risk appetite statement that clearly identifies the acceptable level of risk.
• Appropriate mechanisms to provide information on risk assessments to the CBUAE when required.
The risk assessment must be updated regularly, annually at a minimum, as well as in response to major changes in the LEH’s operations. The risk assessment process must also be fully aligned with the LEH’s products, services, customers, and geographic locations, changes in the LEH’s operations, appetite statement, the legal and regulatory framework in force in the UAE, and the guidance issued by the CBUAE. In addition, LEH may consult the FATF Guidance on the Risk-Based Approach for Money Services Businesses and the Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption for more information on how to plan and perform comprehensive and appropriate risk assessments.3 In tandem, the risk assessment findings should be used to inform the AML/CFT Program policies, procedures, internal controls, and training in order to effectively mitigate risks. The risk assessment should also inform the LEH’s risk-based approach by directing an efficient allocation of AML/CFT risk management resources to the areas of greatest concern. The risk assessment findings should be provided to all business lines across the LEH, its senior management, and relevant employees.
3 Available at: https://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-RBA-money-value-transfer-services.pdf; and https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/17.%20Wolfsberg-Risk-Assessment-FAQs-2015.pdf.