Enhancing Risk Assessment Activities: A Strategic Approach for Competent Authorities
Effective risk management is not only good practice; it helps organisations to identify and mitigate risks that could negatively impact their business. But it also relies on supervision and oversight to be effective.
The European Banking Authority (EBA) is an independent authority ensuring effective and consistent regulation and supervision across the European banking sector. One of their goals is to maintain financial stability in the EU, including safeguarding the integrity, efficiency and functioning of the banking sector.
In a recent report, the EBA evaluated the supervision approach of Competent Authorities (CAs) and highlighted some critical points for consideration. The report assessed CA’s approaches to the supervision of banks relating to anti-money laundering (AML) and countering the financing of terrorism (CFT).
During this round of assessment (which first began in 2018), EBA staff reviewed 12 CAs from nine EU/EEA Member States that are responsible for the AML/CFT supervision of banks. The review focused on how CAs assess risks with banks under their supervision and how they use risk assessments to inform their supervision.
In this article we will highlight some of the key findings of the report and recommended actions from the EBA that aim to improve risk assessment activities and support better regulatory outcomes.
The report highlights some of the progress made by CAs in adopting risk-based approaches. It also highlights some of the inconsistencies and areas of improvement still needed across
methodologies used by CAs.
Issues Impacting Risk Assessments
Four key areas were identified where CAs continue to face issues impacting their assessments of supervised financial institutions, including:
- Methodology and Data: Deploying documented risk-assessment methodologies that use up-to-date data sources and appropriate information sources.
- Scope and Coverage: Ensuring comprehensive coverage across all risk areas, risk categories, and risk indicators.
- Alignment and Sequence: Ensuring that entity-level risk assessments are completed prior to sectoral risk assessments.
- Awareness and Understanding: Raising awareness of the value, benefits and importance of entity-level risk assessments.
Other Key Discoveries
Other key findings that the EBA identified include:
- Less than half of the CAs assessed have undertaken their own sectoral risk assessments or taken the required steps to comply with the updated EBA risk-based guidelines launched in December 2021.
- There were significant issues with almost half of the risk assessments, including no assessment of terrorist financing risks or failure to assess the likelihood of risks occurring or their impact.
- Many of the risk assessments included only a handful of risk factors, including failing to consider the full scope of risks using the National Risk Assessment (NRA).
- Nearly half of all CAs don’t fully understand the purpose of entity-level risk assessments, so they don’t use them to inform their approach, making supervision ineffective.
- In some cases, risk assessments were incomplete, impacting the completeness of the overall assessment. In some instances, this was caused by a lack of alignment between CAs with shared responsibilities for the supervision of the same entity.
As part of the report, the EBA identified a range of specific recommendations for CAs to introduce to continue to improve and enhance risk assessments.
Here is a summary of some of the top recommendations:
Methodology and Data
Central to a successful risk assessment is a well-documented methodology. Documentation means that key terms and methods are understood and can be applied to all entities.
This documentation should be reviewed regularly to ensure it’s current with EBA guidelines. It also needs to consider external factors, such as events, emerging risks, changes to sector operations and new regulations.
The EBA also recommended that the methodology needs to include assessing threats and risks of likelihood (including impact) per sector. And enabling quantitative assessment to avoid using only qualitative approaches to help prevent risks that can be associated with subjectivity.
Finally, the EBA recommended using horizon scanning methodology, utilising a range of informational sources, including real-time data, to scan for new and emerging threats and risks.
Scope and Coverage
The report emphasises the ongoing need for a holistic approach to risk assessment. CAs need to comprehensively evaluate risks across sectors, including a range of risk categories and geographical factors.
Looking at risk areas individually allows for an objective assessment to determine the probability of threats occurring. And using a proactive approach helps CAs to build a more comprehensive review of risks. For example, assessing risks from various perspectives, including customers, transactions and channels as well as products and services.
While foreign geographical risks are looked at, there needs to be an increased focus on the risk posed by the foreign ownership of financial institutions. As well as further scrutiny of domestic geographical risks, with many CAs heavily focusing on foreign geographical risks only.
Alignment and Sequence
The report highlights the importance of effective alignment between CAs for rational sectoral risk assessments. For example, enabling multiple users to contribute to risk assessment seamlessly using cloud-based access. This would allow for real-time insights into sectoral risks, which would help to overcome any dual supervisory responsibilities and enable timely input into assessments.
Issues were also identified with full completion of risk assessments, necessitating the need for greater resource capacity for improving efficiencies.
Awareness and Understanding
An often overlooked aspect is the awareness and understanding of entity-level risk assessments, with controls failing to be effective if those in control don’t understand their purpose.
The EBA recognised the importance of understanding entity-level assessments as a foundation for sectoral evaluations. With a greater understanding of the connection between entity-level insights and sectoral risk assessments, CAs can prioritise high-risk institutions and allocate their resources more effectively. It may also help to identify emerging risks and threats as inputs.
Next Steps for CAs
The report highlights that although many CAs have significantly improved, many still experience significant challenges. These challenges make it difficult to tackle ML/TF risks through supervision effectively.
While many CAs are committed to entity-level risk assessments, including ensuring adequate resourcing, the results of assessments aren’t always conducive to CAs building a reliable understanding of risks.
There are numerous opportunities for CAs to help grow and improve their supervisory role to create a more secure financial system for all parties.
The quality of a sectoral assessment influences the efficacy of risk-based supervision. By integrating high-quality intelligence into assessments, CAs can significantly improve outcomes. Collaborating with experienced partners like Arctic Intelligence can help. By leveraging our expertise and insights, CAs can overcome some of the key challenges identified in the EBA report and take steps to enhance their risk assessment activities proactively.
About Arctic Intelligence (NEW)
Arctic Intelligence is a regulatory technology firm that specialises in financial crime risk assessment cloud-based solutions.
Our team of financial crime and technology experts have developed two multi-award-winning financial crime risk assessment platforms:
AML Accelerate Platform – designed for small and medium sized companies in over 30 industry sectors, in more than 30 countries. Guides you to conduct enterprise-wide money laundering and terrorism financing risk assessments, document AML/CTF Programs and track and monitor issues, breaches and incidents real-time.
Risk Assessment Platform – designed for larger companies to conduct risk assessments for financial crime and other risk domains. The Risk Assessment Platform is a highly-configurable platform that can be tailored to your organisation’s risk assessment methodology, risk and control libraries relevant to their business and execute these across multiple countries, operating groups or business units, producing real-time aggregated dashboards and reports.
Get in touch with our team for a demo today.
Follow us on LinkedIn and Twitter for a daily dose of financial crime news across the globe.