
Understanding the financial crime risk across your group of businesses

“One of These Things is Not Like the Others…?”


In May 2021, the European Banking Authority (“EBA”) announced that it was consulting on draft guidelines (“Guidelines”) about compliance management and the role and responsibilities of AML/CFT Compliance Officers (“MLROs or AML Officers”). The Guidelines form part of a wider suite of regulatory materials intended to help European Union Member States in their application of the 5th Anti-Money Laundering Directive’s (“5AMLD”) requirements.

In 2017, the European Commission published its first supranational financial crime (“FC”) risk assessment. In response to the findings of that assessment, the Commission asked the European Supervisory Authority (“ESA”) to develop guidance to clarify the role of AML Officers. At that time the ESA decided that the guidance it had already published on internal governance was sufficient to meet this request.

However, in the years that followed, which included several high-profile cases of FC in Europe, along with early signs of uneven application of the 5AMLD requirements, this decision was revisited and the result was the proposed Guidance.

Key Elements – Game Changer or Evening Out the Playing Field?

On first look, the Guidelines might seem to the uninitiated like a daunting, detailed list of duties and obligations, with specific measures that must be met by AML Officers and members of the management board or senior managers responsible for AML/CFT.

For firms relatively new to the AML/CFT regulated universe (virtual asset service providers, auction houses, antiquity dealers etc.), the proposed duties are likely to be a surprise. The specific measures include a list of “must haves” for the MLRO report[1], recommendations on how risks described in those reports should be addressed, and the timing, type and depth of training provided to staff involved in board oversight and transaction monitoring, and even to IT and systems engineering staff.[2]

For firms such as banks, for whom compliance with AML/CFT regulations is old hat, most of the requirements will come as little surprise. Many of the requirements have been previously noted by national AML/CFT supervisors during exams or in their AML/CFT regulator’s own best practice publications.

But no matter whether this is their first time around the block or the 10th, firms should pay careful attention to some of these requirements. This is especially the case for firms, whether a scaling FinTech or a well-established bank, with operations in more than one jurisdiction.

[1] Guideline 52.

[2] Guidance 62.

Clouds Cannot Cover Secret Places (Demosthenes) – Group Business Risk Assessments

The Guidance lays out in plain terms how the parent of a Group of entities should conduct a group-wide business risk assessment (“Group BRA”).[1] The first requirement, made clear up front, is that the Group BRA must be the result of individual BRAs undertaken for each of the Group entities. In other words, it will not be enough for the parent to conduct a single Group BRA based on data collected from each of the local entities. There will need to be evidence that the parent has fully assessed the FC risks to which each of the local entities is exposed prior to, or as a component of, completing its Group-wide BRA.

Regulated firms have previously been criticized for how they have completed their Group BRAs. Most recently in the UK, the Financial Conduct Authority called out Group BRAs in its May 2021 Dear CEO Letter,

“For UK branches and/or subsidiaries of overseas firms, we have seen BWRAs completed at the Group entity level which do not cover specific risks present in the UK, and which require a separate risk assessment”.

Why is this being called out? Because time and again, AML supervisors are finding that FC risks of subsidiaries or other local entities are not being properly assessed at the Group level. This generally occurs for one of three reasons:

  1. The risk assessment scoring for a subsidiary is rolled up into the overall Group BRA numbers, tamping down or “reducing” the overall appearance of the FC risk exposure associated with a subsidiary (“the Convenience Factor”);
  2. A lack of knowledge or experience in how to develop a scoring methodology to conduct a BRA at the local and Group level (“the Simplest Way Factor”); and
  3. The Group BRA methodology is not sufficiently flexible to accommodate consideration of regional FC risks as part of its overall scoring process. Individual FC risk factors that do not “fit” the methodology are then not distinguished or assessed in their own right (“the It’s Too Hard Factor”).

Whether it’s Convenience, the Simplest Way or It’s Too Hard, the result is often the same. The actual risk exposure of a local entity is not properly assessed. The results of the Group BRA then serve to cloud over the true extent of the FC risks present.

The possible clouding over of local FC risks was something we also pondered based on the results of our benchmarking report, where just 2% rated their inherent risks as high. Yet geographic exposure was observed driving risk ratings, and organisations, particularly those entities that dealt with a larger number of countries, typically had higher risk ratings for this inherent risk category as a result.

[1] See Guidance 4.3.

One of these things is not like the Other… Group Business Risk Assessments

Some of the easiest examples through which to illustrate the importance of individual BRAs within a Group are the national risk assessments conducted by European Member States. The inherent risks three of them identified illustrate how FC risks can be different from jurisdiction to jurisdiction:

| Member State | Jurisdictional Risks | FC Associated Risks |
| --- | --- | --- |
| Gibraltar[1] | Spain, Morocco, Northern Africa | Morocco is one of the leading cannabis producers in the world, supplying most of Europe’s demand. A lot of the product is shipped via the Strait of Gibraltar. OCGs on both sides of the Strait can also exploit these same drug trafficking routes for migrant smuggling. Main risk is at integration stage of money laundering where OCGs attempt to buy or rent properties or purchase high value goods in Gibraltar, normally in cash to launder those proceeds.[2] Increase in radicalisation in northern Africa and the Sahel has led to a corresponding increase in the threat of terrorist activity. |
| Spain | North Africa, Latin America and jurisdictions from the former Soviet Union | Exposed to organised crime as a point of access to the European Union. Main threats are related to the activities of OCGs involved in drug crimes, organised crime, tax and customs offences, counterfeiting and human trafficking. Continues to face a high risk of TF from Islamic terrorist groups, including a slight increase in the risks of returning foreign terrorist fighters. Risk of radicalised individuals supporting terrorist organisations by providing funds, including through the misuse of MSB providers. |
| Finland | Russia | Can be seen as a “gateway” between EU countries and non-EU countries. Location in the vicinity of Russia and the impact of trade relations between countries must be considered. Tax audits of companies engaged in eastern trade have identified tax-more/paradise companies and the widespread use of cash as recurrent phenomena. Main risk is at integration stage of money laundering, also visible in real estate transactions made in Finland by Russian residents. |

[1] 2020 National Risk Assessment for AML/CFT and PF – HM Government of Gibraltar (August 2020).

The above examples also play a role in assessing the effectiveness of the measures used in a firm’s AML/CFT control framework. For example, if a Group uses a centralised KYC process or applies a Group-wide set of transaction monitoring rules, how do they assess whether they are effective at mitigating FC risks at the local level? How do they ensure that staff are trained to be aware of local FC risks that may differ from one Group member business to another?

Perhaps more critically, without really understanding which members of the Group might present the largest FC risk exposure, the question to be asked is: how can the Group ensure that resources are effectively allocated to mitigate those risks in an informed manner?

Next Steps – Planning for 2022 and Beyond

It’s likely the final version of the Guidance will be published in Q1 2022. Ordinarily, there is very little lead time over which firms can prepare operationally to comply with these requirements, so now is the time to start planning changes you may need to make in how your Group BRA is developed, reviewed and updated.

Harnessing a technology solution that allows your organisation to capture both its local and Group-wide FC risk profile will take the sting out of what might otherwise appear to be a painful task.

For scaling firms conducting a Group BRA for the first time, introducing an automated solution that can support your business’ diversity of operations, without compromising the scope of FC risks needing assessment at the local level, is a great way to ensure your BRA

Here are some of the key measures described in the Guidelines, to assess your current Group BRA against:

  • Our Parent entity has access to sufficient data and information to take account of and assess the Group-wide FC risk profile.
  • Our Group AML function has a cartography of all inherent FC risks to which each of our Group entities is exposed.
  • Our Group BRA is set up as the reflection of the total FC risk across our entities and the specific FC risks of each Group entity.
  • Our Group BRA results are presented as an aggregate of all risk assessments carried out on each Group entity, and show a good understanding of the nature, impact and location of the ML/TF risks to which the Group is exposed.
  • Our Group AML Officer is formally responsible for coordinating the drafting and effective implementation of individual entity BRAs and the Group BRA.
  • Our Group BRA procedures ensure that each Group entity performs its own BRA in a coordinated way but also captures “their own specificities”[1] and takes account of local AML/CFT regulations and guidance.
  • Our Group AML Officer is responsible for coordinating the development of AML/CFT policies and procedures across the Group, with a view to ensuring consistency and a high level of effectiveness.
  • Our Group BRA process ensures that local entity FC policies and procedures not only guarantee compliance with local AML/CFT requirements “but aim… to identify, control and reduce local ML/TF risks in a manner consistent with the principles applicable in this respect throughout the Group”.[2]

[1] Guidance 4.3.2.

[2] Guidance 43.3.
