
4.1 Risk-Based Approach (RBA)

Effective from 13/7/2023

A risk-based approach (RBA) is central to the effective implementation of the AML/CFT legislation. It means that FIs identify, assess, and understand the ML/TF risks to which they are exposed, and implement the most appropriate mitigation measures. An RBA requires financial institutions to have systems and controls that are commensurate with the specific risks of money laundering and terrorist financing facing them. Assessing this risk is, therefore, one of the most important steps in creating a good AML/CFT compliance program and will enable FIs to focus their resources where the risks are higher. In this regard, FIs can take into account their business nature, size and complexity.

(AML-CFT Law Article 16.1; AML-CFT Decision Article 4.1-3)

Implicit in both the AML-CFT Law and the AML-CFT Decision is the well-established concept of a risk-based approach (RBA) to the identification and assessment of ML/FT risks. Specifically, the AML-CFT Law states that FIs should “identify crime risks within (their) scope of work” and should update their risk assessments on the basis of the various risk factors set out in the AML-CFT Decision. Likewise, the AML-CFT Decision states that FIs’ identification, assessment and understanding of the risks should be carried out “in concert with their business nature and size,” and that various risk factors should be considered in determining the level of mitigation required. The AML-CFT Decision further provides that enhanced due diligence should be performed in cases where high risks are identified, while simplified due diligence may be performed in certain cases where low risk is identified, unless there is a suspicion of ML/FT.

An RBA to AML/CFT means that FIs should identify, assess and understand the ML/TF risks to which they are exposed and take AML/CFT measures commensurate to those risks in order to mitigate them effectively. This will require an understanding of the ML/TF risk faced by the UAE (national risks), the risks faced by the sector and the FI, as well as specific products and services, customer base, the capacity in which customers are operating, jurisdictions in which they operate, the delivery channel and the effectiveness of risk controls put in place.

The use of an RBA thus allows FIs to allocate their resources more efficiently and effectively, within the scope of the national AML/CFT legislative and regulatory framework, by adopting and applying preventative measures that are targeted at and commensurate with the nature of risks they face.

There are limits to any risk-management approach, and no RBA can be considered completely failsafe; there may be occasions where an FI has taken all reasonable measures to identify and mitigate ML/TF risks, but it is still used for ML/TF in isolated instances. FIs should nevertheless understand that a risk-based approach is not a justification for ignoring certain ML/FT risks, nor does it exempt them from taking reasonable and proportionate mitigation measures, even for risks that are assessed as low. Their statutory obligations require them to identify, assess and understand the level of (inherent) risks presented by their (types of) customers, products and services, transactions, geographic areas and delivery channels, and to be in a position to apply sufficient AML/CFT mitigation measures on a risk-appropriate basis at all times.

In order to do so, they should identify and assess their exposure to ML/FT risks on the basis of a variety of risk factors (see Section 4.1, Risk Factors), some of which are related to the nature, size, complexity and operational environment of their businesses, and others of which are customer- or relationship-specific. Furthermore, they should take reasonable and proportionate risk mitigation measures based on the severity of the risks identified.

Conducting an ML/TF business risk assessment can assist FIs to understand their risk exposure and the areas to which they should give priority in combating ML/FT. The extent of business-wide risks to which an FI is exposed may require different levels of AML/CFT resources and mitigation strategies.

The following picture is a schematic overview of the RBA process, from an ML/TF business risk assessment to developing policies, procedures and measures, to CDD and the reporting of suspicious transactions.
