Section outline

    • National money laundering and terrorist financing risk assessments

      A quick guide by Kateryna Boguslavska, Project Manager Basel AML Index, Basel Institute on Governance

      What is a national risk assessment?

      A national risk assessment (NRA) illuminates the level and nature of money laundering and terrorist financing (ML/TF) risks that a country faces. It is a self-conducted exercise involving multiple public and private agencies in the country. An NRA:

      • ensures a shared understanding of ML/TF risks between relevant authorities, the private sector and other stakeholders;
      • helps policymakers to match current risks with the measures and resources needed to mitigate them;
      • is often used as a basis to develop anti-money laundering and counterfinancing of terrorism (AML/CFT) action plans and policies to address critical threats and vulnerabilities;
      • is an essential tool for accountability and joined-up efforts to prevent and combat ML/TF.

      Critical to a risk-based AML/CFT approach

      An NRA is part of a risk-based approach that aims to identify and mitigate risks and allocate resources efficiently and commensurate with the specified risk levels. If the assessment is wrong, incomplete or missing entirely, countries may fail in mitigating AML/CFT risks and deplete resources uselessly.

      An NRA is a crucial requirement of the Financial Action Task Force (FATF or GAFI), the international AML/CFT standard setter. It is “homework” that a country has to complete before the FATF conducts a Mutual Evaluation. The Mutual Evaluation process assesses countries for their technical compliance with the 40 FATF Recommendations — international AML/CFT standards — and their effective implementation of AML/CFT measures in line with 11 Immediate Outcomes.

      The NRA requirement is found in the FATF Recommendation 1, which requires all countries to “identify, assess and understand” the ML/TF risks they face. The logic is simple: the government has to ensure that its AML/CFT regime addresses the identified high risks. Simplified AML/CFT measures are allowed where countries identify low risks. The NRA is also the first requirement among the effectiveness criteria.

      For EU Member States, the EU 4th AML Directive sets out obligations for national risk assessments. Beyond national borders, the European Commission is responsible for assessing ML/TF risks at the supranational level, those affecting the internal market and those relating to cross-border activities.

      A collaborative, cross-sector exercise

      Conducting a national self-assessment is not solely a responsibility of the government authorities.

      Usually, the NRA exercise includes policymakers, prosecution and law enforcement authorities, financial intelligence units, intelligence agencies, regulatory and supervisory bodies, financial institutions, and designated non-financial businesses and professions (DNFBPs) such as lawyers and accountants.

      This is quite a complicated process, so the FATF recommends that countries have an authority or mechanism to coordinate activities to assess risks.

      Supervisory authorities play an especially important role. According to the FATF guidance on supervision: “On the one hand, supervisors’ understanding of their sectors and entities under their purview should feed into the NRA. On the other hand, the understanding of risks by supervisors should be informed by, and be consistent with, the NRA that includes input from a range of AML/CFT stakeholders.”

      Updating and publishing results

      The results of the NRA should be shared with — at the very least — all competent authorities, financial institutions and DNFBPs.

      Many governments also laudably publish and communicate about their NRAs on public channels such as the government website. For example, in April 2021 after its first NRA, Jersey conducted a public campaign and expert discussion on their results.

      There is no clear schedule for updates. For example, the UK has published NRAs every 2–3 years since 2015. The frequency largely depends on the changing nature of ML/TF risks in the country. For the NRA to be useful, it is important that it is reasonably up to date.

      Most countries could do a lot better

      FATF data from April 2022 show that only 11 countries, or 8.5 percent of those assessed, are fully compliant with Recommendation 1 on “identifying, assessing and understanding” money laundering risks. Three countries are fully non-compliant — the DRC, Haiti and Madagascar — and the rest have significant room for improvement.

      Sadly, when it comes to the effectiveness of countries’ efforts to assess ML/TF risks, according to the FATF’s Immediate Outcomes, not even one country achieves the highest mark. A quarter of countries are scored as having “negligible” effectiveness, with the remaining 75 percent still requiring major improvements.

      Why? Here are some common reasons:

      • A full NRA is not entirely conducted or not approved by the authorities. The assessment is limited to several industries.
      • Several actors from the private or public sectors do not participate in the assessment (real estate agents, car dealers, lawyers, investigators, etc.).
      • A risk-based approach is not applied. This includes not having a mechanism to deal with high-risk situations or to implement simplified procedures for low-risk situations.
      • Financial institutions are not required to document their risk assessments or update them. They may not have appropriate mechanisms to share this information with relative authorities.
      • Results of the NRAs are not well disseminated.

      Another common issue is a lack of data.

      Issues with data availability

      To conduct an NRA, countries need data. The availability of data and their quality may vary from country to country. A 2022 World Bank report on NRAs in eight advanced countries pointed out worryingly that “most NRAs relied on just one or two data sources. The quality of the data sources was never systematically assessed.”

      The FATF recommends not to rely exclusively on quantitative information but also include qualitative information such as expert judgements, private-sector inputs, case studies, typology studies, surveys and perception indexes. This is especially important for “low-capacity countries with limited data on criminal investigations or financial transactions.” 

      Perhaps due to difficulties in accessing data on terrorist financing, countries tend to underestimate their TF risks.

      Defining and identifying ML/TF risks

      A first step in conducting an NRA is to define what is meant by a “risk” and what elements can reliably be assessed. The FATF guidance sees ML/TF risk as a function of three factors:

      1. Threats — the environment in the country, level of crime, most frequent types of predicate offence, corruption, etc.
      2. Vulnerabilities — weaknesses in the AML/CFT systems or controls.
      3. Consequences — potential effects on the financial system, economy and society.

      It is difficult to predict potential consequences, so countries typically focus only on understanding threats and vulnerabilities. The World Bank shares a similar approach to understanding risk as a function of threats and vulnerabilities. Assessment of consequences is not treated as a separate independent factor.

      Unlike with the identification of national hazard or disaster risks, the probability/likelihood of ML/TF “events” is not a major factor. This is due to the specifics of financial crimes and the inability to predict them reliably.

      How to conduct an NRA — different methodologies

      There is no single or universal methodology for conducting an NRA, as the recent World Bank analysis pointed out. The World Bank, FATF and International Monetary Fund have suggested several different guidelines, tools or principles for the evaluation process. 

      Many countries use the World Bank’s tool for conducting an NRA. This consists of eight modules, covering topics such as financial product risk and sectoral vulnerabilities. It replaces an earlier NRA tool that used a matrix approach to assesses threats and vulnerabilities in five different areas. The World Bank may provide technical assistance for countries to launch an NRA.

      NRAs in the Basel AML Index

      The Basel AML Index, the Basel Institute’s tool for assessing ML/TF risks around the world, does not include NRAs as a standalone factor in ranking countries. This because FATF data — which already takes into account a country’s NRA — is a core element of the Basel AML Index methodology.

      NRAs are, however, the main basis of special reports on ML/TF risks in smaller jurisdictions including Jersey, Guernsey, Isle of Man, Gibraltar and the Cayman Islands. These are available to Expert Edition Plus subscribers. Expert Edition and Expert Edition Plus subscriptions are free for most organisations outside the private sector.

      Learn more