The three European Supervision Authorities have finalised their guidelines on how financial institutions can take a more risk-based approach to anti-money laundering and countering the financing of terrorism, under the Fourth AML Directive.

The guidelines set out factors that financial institutions should consider when assessing the money laundering or terrorist financing risks associated with a business relationship or occasional transaction. They also set out how financial institutions can adjust the extent of their customer due diligence (CDD) measures in a way that is commensurate to the risks they have identified.

One set of guidelines is general and applies to all financial institutions, while another set is sector-specific and applies to specific types of activity.

The guidelines set out a long list of factors that financial institutions should consider when identifying risks, including a wide range of possible sources of information, and risk factors relating to:

• The business activity, reputation, nature and behaviour of a customer and of a customer’s beneficial owner;
• Jurisdictions where a customer and its beneficial owner are based, have material business activities or are linked to;
• Products, services and transactions, such as transparency, complexity and value; and
• Delivery channels.

The guidelines then cover, in very general terms, how a financial institution should weight all these risk factors in order to categorise its business relationships and occasional transactions according to the perceived level of money laundering and terrorist financing risk.

Having done all that, a financial institution may apply simplified customer due diligence (SDD) where the perceived risk is low. But even here the financial institution has to undertake a complicated process of considering how to adjust (rather than to dispense with) the amount, timing or type of each CDD measure in a way that is commensurate to the low risk identified.

At the other end of the spectrum, a financial institution must apply enhanced customer due diligence (EDD) whenever it perceives the risk to be high, or in any of the cases where the Fourth AML Directive specifies the risk to be high (for example, where a customer or a customer’s beneficial owner is a politically exposed person, or where a transaction is unusually large or complex).

These guidelines are helpful in setting out the factors that may influence whether a client could be subject to SDD (or indeed will require EDD). However:

• The guidelines do not provide much indication of what exactly would place an observed factor into a high, medium or low risk category; or any detail on how multiple categorisations across the wide range of risk factors should be weighted together to produce a single overall identified risk score. 
• Financial institutions will therefore have to continue to define their own risk appetite and to translate this into an effective and robust customer risk assessment model that scores and weights each factor to give a fair overall reflection of the risk posed by a customer. 
• It will remain a significant challenge for financial institutions to apply this across multiple lines of business and large customer bases.
• Upfront investment in defining and tuning the risk assessment model therefore remains an imperative, not least because of the costs of large volumes of unnecessary CDD work and of correcting mistakes. 
• The amount of process involved in following the guidelines means that financial institutions will still have to devote considerable resources to risk identification and assessment, and to fine-tuning CDD, even for low risk business relationships and occasional transactions.

Also on the AML front, FATF has published its Mutual Evaluation Report on Ireland which concludes that “Ireland has a sound and substantially effective regime to tackle money laundering and terrorist financing….” In addition the Report highlights “National coordination mechanisms.……and the Private Sector Consultative Forum (PSCF) were fruitful in broadening the understanding of its ML and TF risks across all relevant agencies and with the private sector."