FIAU lays out best practices for mandatory Business Risk Assessments

The Financial Intelligence Analysis Unit (FIAU) has released its Business Risk Assessment (BRA) report, which provides an analysis of business risk assessment practices in Malta, results of a high-level BRA review, and a guideline list for BRA good practices.

Its review of BRAs finds that the situation seems to have improved generally, with the proportion of institutions with BRAs in place having increased from 2019 to 2020 across all sectors surveyed.

Especially notably, 100 per cent of credit institutions submitted BRAs in 2020 and a 27 per cent increase in submissions in the real estate sector also took place from 2019 to 2020.

However, the FIAU identifies that its supervisory examinations, “often reveal a number of deficiencies in the BRA documents” of those companies surveyed.

As such, it lays out some of the best practices to ensure that BRAs meet its expectations:

BRAs should be tailor-made for, and understood by their subject person

The FIAU emphasises that the BRA document should not be an “off-the-shelf” document, but should be tailor-made to reflect the subject person’s “business model, operations and scenarios”.

Whilst the FIAU “positively noted” that there has been an increase in the number of subject persons engaging consultants to assist in producing the risk assessment document, it reminds subject persons to actively participate in this process, to ensure that the risk assessment reflects their own circumstances.

Additionally, it says that should a subject person adopt the BRA of another entity operating within the same group structure, the BRA should be updated to reflect the subject person’s own circumstances.

Furthermore, when third parties are commissioned to assist in the preparation of a BRA, it is important that the subject person understand this document.

It is important, the FIAU adds, that subject persons should understand the BRA methodology. It says that it has identified that “most subject persons have a good understanding of the processes used to carry out the BRA”, but that “others require some improvement”.

“It is imperative”, it says, that subject persons “challenge and understand the methodology used to carry out the BRA, to ensure that this is effective in deriving correct results”. 

BRAs must be implemented in practice

The FIAU also advises that BRAs should “reflect the actual control measures adopted”. During the course of examinations, it says, the FIAU, or the Malta Financial Services Authority and Malta Gaming Authority (as agents of the FIAU) identified instances where the controls defined by BRAs were not being applied.

“It is imperative that the BRA depicts a true picture of the subject persons’ activities, the perceived risks and the controls applied at the time when the risk assessment is carried out,” it says.

Unless the BRA results are applied consistently, “the purpose behind conducting the BRA is lost”.

Furthermore, the FIAU insists that the type and level of controls applied should justify any high effectiveness rating assigned in the BRA. 

Additionally, it says that reference should be made in BRAs to the risks and results identified by the National and Supra National Risk Assessment. It is not sufficient, it says, to simply refer to these in the introductory part of the BRA document.

Instead, the BRA should provide a clear example of how the aforementioned assessments were used as sources of information when identifying and assessing risk factors.

Residual risk must be calculated and acknowledged

Continuing, the FIAU says that BRAs should include a calculation of residual risk. It reflects that some BRAs reviewed included a negative residual risk rating, which would imply that there is no risk of money laundering or financing of terrorism. This, the FIAU says, is “practically impossible, as not all risks can be eliminated completely”. 

As such, it expects a clear indication of whether the residual risks for each risk factor fall within the applicable subject person’s risk appetite. Additionally, the FIAU says it should be stated in a BRA whether they intend to mitigate this residual risk with further measures. 

BRAs should be regularly reassessed as situations evolve

Another important point raised by the FIAU is that BRAs should be fluid and dynamic. 

“It is a known fact that risks are dynamic and the business model and external environment in which subject persons operate is fluid”, the organisation says, and as such, BRAs need to be regularly updated to respond to this.

The FIAU says that most subject persons it observed provided their supervisors with a copy of their BRA and demonstrated that it is treated as a “live document which is updated as risk scenarios change”. 

The FIAU also advises that subject persons should avoid approaching BRA exercises from “purely theoretical viewpoints” from a qualitative perspective.

Instead, BRAs should also consider risks using a data driven approach as this also has an impact on the level of risk. 

The organisation reminds that BRAs should be focused on money laundering risk considerations and those related to the financing of terrorism.

Whilst subject persons may find it beneficial to carry out other risk assessments, it acknowledges, these should not be done to the exclusion of the money laundering and financing of terrorism perspective.

The full document can be found on the FIAU website.