Signs It’s Time to Review Your Enterprise-Wide Risk Assessment (EWRA)

At a time when regulatory frameworks and risk trends are continuously evolving, it is essential for regulated entities in Singapore to regularly review and update their Enterprise-Wide Risk Assessment (EWRA) from the money laundering and financing of terrorism (ML/FT) perspective.

In this article, let us briefly discuss the EWRA and its significance, the top indicators warranting revision of the risk assessment, and the consequences of not updating the business risk assessment on time. This article also covers the best practices the regulated entity must consider while reviewing the Enterprise-Wide Risk Assessment.

What is Enterprise-Wide Risk Assessment and its significance?

AML Enterprise-Wide Risk Assessment is an independent process to determine the business’ risk profile regarding exposure to financial crime risk (specifically money laundering and terrorism financing).

EWRA involves identifying the risk factors that impact the business and determining the likelihood of each risk occurring and the impact it can have on the business. This helps derive the entity’s inherent ML/FT risk and determine the nature and extent of controls needed to mitigate this risk. Once the controls required are identified, the EWRA also requires the entity to evaluate the quality and adequacy of the existing controls and, if required, implement additional mitigation measures. In short, EWRA is an exercise of identifying the risk, mapping it to the business’s risk appetite, and designing and defining the appropriate risk management strategies.

EWRA is known as the foundation step of the AML program. As an outcome of the EWRA, the business understands the level of risk associated with its customer base, geographies, nature of products/services offered, delivery channels used, etc., and accordingly customizes its AML/CFT policies, procedures, and controls. It assists the entity in prioritizing the risk areas and allocating the resources optimally.

Why is a periodic review of ML/FT AML Risk Assessment critical?

The regulated entity must ensure its AML/CFT compliance framework efficiently identifies and manages the ML/FT risk during routine business operations. This AML structure, including the internal systems and processes, has been developed relying on the outcome of the EWRA. Hence, the relevance of the risk assessment must be tested periodically to ensure that the entity’s overall AML framework is aligned with its business profile, applicable AML regulations, and emerging risk patterns.

What key indicators suggest the need to update the Enterprise-Wide Risk Assessment?

Let us navigate the key reasons or signs that suggest reviewing and revising the entity’s Enterprise-Wide Risk Assessment.

Changes in Regulatory Requirements

One of the critical reasons warranting the regulated entity to review and update the ML/FT risk assessment is the amendment in the AML regulations applicable to the business. The authorities keep revising the regulatory framework to introduce newer controls and reporting requirements to address the risk emanating from sophisticated laundering methods developed by criminals. 

These changes affect the entity’s overall AML program, both the existing risk scenarios and the risk mitigation measures in place.

For example, the authorities changed the classification of one country from high risk to medium risk. This calls for reconsidering the rules followed by the entity for its customer risk profiling. This movement in the classification of the entity’s customers significantly impacts the overall risk profile of the business. The regulated entity must reconsider the business risk associated with its customer bases and refine the need for risk mitigation resources deployed for managing the risks associated with customers from the concerned jurisdiction.

Hence, the entity must revise the risk and align the AML/CFT policies and procedures with these amended regulations.

Significant changes in the entity’s Business Profile

The EWRA is performed considering various risk factors, such as:

Customer base:

  • the nature of clients the entity is engaged with,
  • the complexity of the clients’ ownership structure,
  • the nature of activities they conduct, etc.

Geographies:

  • location where the entity carries out its operations
  • the location of its branch and parent company
  • the jurisdiction the customers are coming from, etc.

Product/Services/Transaction:

  • the products and services offered
  • size and complexity of transactions
  • mode of payment, etc.

Delivery Channels:

  • customer onboarding mode (face-to-face or through virtual meeting)
  • distribution method used for delivering services/products
  • involvement of agents and intermediaries, etc.

Any significant change in these risk factors influences the business profile and may result in encounters with newer risks. For example, if the regulated entity starts its branch office in a country subject to FATF Greylist, it materially changes the business’s overall risk. Or, if the entity starts accepting payment in virtual assets (cryptocurrency), it increases the ML/FT risk of the business, as virtual assets are subject to increased risk of being misused by the launderers to move funds across the borders anonymously.

The ML/FT risk assessment must be revisited upon any significant change in the business operations to proactively identify the new risk scenarios and modify the AML program to address the same.

Launch of New Products or Services

The AML regulations in Singapore require that the regulated entities assess the ML/FT risk that may arise from launching any new product or service. Such risk assessment must be conducted before placing the new offerings into the market. The outcome of this risk assessment shall help the regulated entity to modify the product design or practice area to ensure that the new product/service is aligned with AML regulations and does not offer any window for criminals to exploit these offerings for laundering funds or financing terrorist activities.

For example, a management consultancy firm is considering expanding its business and assisting its corporate clients in purchasing properties against brokerage or commission. The real estate agency or brokerage-related services are prone to high risk, as the base item – real estate – is one of the ML/FT typologies. The regulated entity must reassess the business risk and enhance its AML program to address the risks associated with this new business practice.

This proactive approach shall help the entity design and follow the controls and stay cautious to avoid laundering funds using real estate property through its business.

What are the consequences of relying on outdated business risk assessment?

When the entity relies on an outdated business risk assessment, the AML/CFT controls and the overall AML framework would not effectively mitigate the ML/FT vulnerabilities. The following are the critical consequences of disregarding the exercise of reviewing and updating the Enterprise-Wide Risk Assessment when the situation calls for it:

1. Increased Risk of being vulnerable to money laundering and terrorism financing:

If the entity’s risk assessment is not up-to-date with the emerging ML/FT techniques and methods used by the criminals, the possibility of the regulated entity being vulnerable to money laundering and terrorism financing rises. Without awareness of the new risks and trends, the entity cannot design and implement adequate controls, exposing it to financial crimes.

2. Regulatory Non-Compliance:

The Singapore AML regulations are evolving to align with the emerging ML/FT typologies. Regulated entities must update their business risk assessment to assess the revised risk and incorporate the regulatory changes in the overall AML program. Failure to comply with the latest regulations can lead to hefty fines and legal consequences.

3. Reputational Damage:

When the business risk assessment is outdated, the AML program would also be ineffective and irrelevant, demonstrating the entity’s lack of commitment to combating financial crime. This can result in a loss of customers’ trust and confidence in the business, causing irreversible damage to the brand image of the entity.

What are some best practices to review and update the Enterprise-Wide Risk Assessment?

The following are some of the best practices that the regulated entity should adopt to review and reassess the business risk effectively:
  • The risk assessment methodology adopted by the entity must be aligned with the nature and size of the business and must be documented adequately.
  • The EWRA must consider the accurate and complete data to determine the risk profile from qualitative and quantitative perspectives. Comprehensive data from internal (business profile, customer and transactions related data, etc.) and external sources (new ML/FT risks and trends, outcome of National Risk Assessments) must be considered.
  • Relevant stakeholders, such as risk management, the AML Compliance Officer, etc., must be involved while identifying the potential risk scenarios. The inputs and insights from the various aspects of business can enhance the risk assessment’s quality and accuracy.
  • It is also suggested to implement appropriate technologies and software to conduct and monitor the entity’s business risk and highlight the circumstances impacting the business risks that require immediate attention.
  • The regulatory changes must be monitored to ensure necessary amendments are incorporated in the entity’s business risk assessment and, in turn, the overall AML framework.

Let AML Singapore assist you in maintaining your Enterprise-Wide Risk Assessment up-to-date

Ignoring the need for regularly monitoring and updating the business risk assessment can adversely impact the business, resulting in massive penalties, reputational damage, loss of customers’ trust and confidence, etc. To safeguard you against this impact, let AML Singapore be your guide.

AML Singapore, with its subject knowledge and experience, can help you maintain your business risk assessment up-to-date and relevant, allowing you to prioritize the resources and protect the business from being exploited by financial criminals.

About the Author

Jyoti Maheshwari

CAMS, ACA

Jyoti has over 7 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.