(AML-CFT Law Article 16.1(a) and AML-CFT Decision Article 4.1(a)-(b))

Documentation

FIs are obliged to document their ML/TF business risk assessment, including methodology, analysis, and supporting data, and to make them available to the Supervisory Authorities upon request. FIs should incorporate into their documentation, the information used to conduct the ML/TF business risk assessment in order to demonstrate the effectiveness of their risk assessment processes. Examples of such information include, but are not limited to:

The documentation measures taken by FIs should be reasonable and commensurate with the nature and size of their businesses.

Updating

FIs are obliged to keep their ML/TF business risk assessment up-to-date on an ongoing basis. In fulfilling this obligation, they should review and evaluate their ML/FT business risk assessment processes, models, and methodologies periodically, in keeping with the nature and size of their businesses. FIs should also update their ML/TF business risk assessment whenever they become aware of any internal or external events or developments which could affect their accuracy or effectiveness.

Such developments may include, among other things, changes in business strategies or objectives, technological developments, legislative or regulatory developments, or the identification of material new ML/FT threats or risk factors. In this regard, FIs should take into consideration the results of the most recent NRA or any Topical Risk Assessment, as well as circulars, notifications and occasional published information from official sources, such as the Supervisory Authorities; other national Competent Authorities; or relevant international organisations, such as FATF, MENAFATF and other FSRBs, the Egmont Group, and others. Links to some of these sources may be found in Appendix 11.2.