4.2.1 Risk Assessment Methodology
Effective from 13/7/2023(AML-CFT Decision Article 4.1(b))
The AML-CFT Decision obliges FIs to document their risk assessment operations. FIs may utilise a variety of models or methodologies in assessing their ML/FT risk. FIs should determine the type and extent of the risk assessment methodology that they consider to be appropriate for the size and nature of their businesses, and should document the rationale for these decisions.
To be effective, a risk assessment should be based on a methodology that:
| • | Is based on quantitative and qualitative data and information and makes use of internal meetings or interviews; internal questionnaires concerning risk identification and controls; review of internal audit reports; |
| • | Reflects the FI’s management-approved AML/CFT risk appetite and strategy; |
| • | Takes into consideration input from relevant internal sources, including input and views from the designated AML/CFT compliance officer and other relevant units like risk management and internal control; |
| • | Takes into consideration relevant information (such as ML/FT trends and sectoral risks) from external sources, including the NRA or any Topical Risk Assessment, Supervisory and other Competent Authorities, and the FATF, MENAFATF and other FSRBs, the Egmont Group, and others where appropriate; |
| • | Describes the weighting of risk factors, the classification of risks into different categories, and the prioritisation of risks. |
| • | Evaluates the likelihood or probability of occurrence of identified ML/FT risks, and determining their timing and impact on the organization. |
| • | Takes into account whether the AML/CFT controls are effective, specifically whether there are adequate controls to mitigate risks concerning customers, products, services, or transactions. |
| • | Determines the effectiveness of the AML/CFT risk mitigating measures in place by using information such as audit and compliance reports or management information reports. |
| • | Determines the residual risk as a result of the inherent risks and the effectiveness of the AML/CFT risk mitigating measures. |
| • | Establishes based on the residual risk and the risk appetite, whether additional AML/CFT controls have to be put in place. |
| • | Determines the rationale and circumstances for approving and performing manual interventions or exceptions to model-based risk weightings or classifications. |
| • | Is properly documented and maintained, regularly evaluated and updated, and communicated to management and relevant personnel within the organisation. |
| • | Is tested and audited for the effectiveness and consistency of the risk methodology and its output with regard to statutory obligations. |