Business Risk Assessment
The Assessment
Persons and entities designated under the legislation must carry out a business risk assessment to identify and assess the risks of money laundering and terrorist financing in the context of their business and the services provided. A designated business is to carry out an assessment of the risks of money laundering and terrorist financing involved in carrying out the person’s business.
A designated person who fails to comply with the obligation to undertake a business risk assessment is liable on conviction in the District Court to a class A fine or imprisonment for up to 12 months or both, or on conviction on indictment to a fine or imprisonment for up to 5 years or both.
Factors
The business risk assessment should take account of:
- the type of customer that the designated person has;
- the products and services that the designated person provides;
- the countries or geographical areas in which the designated person operates;
- the type of transactions that the designated person carries out;
- the delivery channels that the designated person uses;
- other prescribed additional risk factors.
Guidance
It is to include
- any information in the national risk assessment which is of relevance to all designated persons or a particular class of designated persons of which the designated person is a member;
- any guidance on risk issued by the competent authority for the designated person;
- where the designated person is a credit institution or financial institution, any guidelines addressed to credit institutions and financial institutions issued by the European Banking Authority, the European Securities and Markets Authority or the European Insurance and Occupational Pensions Authority in accordance with the Fourth Money Laundering Directive.
Failure to carry out such an assessment is an offence.
Documented and Approved
The business assessment is to be documented unless the relevant regulator determines that it is not required in accordance with a particular procedure. The business risk assessment and related documents shall be kept up-to-date in accordance with internal policies, controls and procedures adopted as required by the legislation.
The business risk assessment must be approved by senior management. The business risk assessment must be made available on request to the person's regulatory authority. Regulations may be made to prescribe additional risk factors to be taken into account.
Measures of Foot
For the purposes of determining the extent of measures to be taken, designated businesses must identify and assess the risk of money laundering and terrorist financing in relation to the customer transaction having regard to
- the business risk assessment
- the risk factors criteria above
- relevant risk variables, including the purpose of the account and relationship, level of assets, regularity of transactions and additional prescribed risk
- presence of certain prescribed factors which increase or lower the risk
A determination shall be documented where the competent authority, having regard to the size and nature of the entity and the need to accurately identify and assess the risk of money laundering and terrorist financing, so directs. The competent authority/regulator may direct certain classes for whom it is the regulator to document the determination in writing. Failure to document the determination is an offence subject to the same sanctions as set out above.