Risk assessment
The assessment of money laundering and terrorist financing risks at all levels of prevention is a cornerstone of anti-money laundering and countering the financing of terrorism. Risks are assessed at various levels, all of which should be linked to one another.
Supranational risk assessment
Article 6 of the 4th Anti-Money Laundering Directive obliges the Commission to conduct an assessment of the risks of money laundering and terrorist financing affecting the internal market of the European Union and relating to cross-border activities. This risk assessment is called the Supranational Risk Assessment (SNRA).
In accordance with the Directive, the Commission shall update its report every two years, or more frequently, if appropriate.
The Commission published its latest SNRA report on 27 October 2022.
Links to the report and annexes:
SNRA Report 2022 (pdf)
Further information on the supranational risk assessment on the European Commission's website:
National risk assessment of money laundering and terrorist financing 2021
The preparation of the national risk assessment of money laundering and terrorist financing 2021 was coordinated by the Ministry of Finance and the Ministry of the Interior. The document describes the threats, vulnerabilities and risks arising from money laundering and terrorist financing in all sectors of obliged entities and in the activities of non-profit organisations (NPO sector). The risk assessment also examines money laundering and terrorist financing risks in relation to specific phenomena.
The national action plan for the risk assessment of money laundering and terrorist financing 2021–2023 has been prepared in conjunction with the risk assessment. The action plan presents the measures designed to mitigate the risks identified in the risk assessment. The risk assessment and the action plan reflect the approach to money laundering and terrorist financing risks in Finland and the means to control them.
Ministry of Finance press release 29 April 2021
National risk assessment of money laundering and terrorist financing 2023: partial update
Ministry of Finance press release 8 February 2024
(to be updated)
Requirements for the supervisor-specific risk assessment
The FIN-FSA shall prepare an assessment of the risks of money laundering and terrorist financing among the obliged entities supervised by it.
In preparing the supervisor-specific risk assessment, the FIN-FSA must take into account:
- the Commission supranational risk assessment and the risks of money laundering and terrorist financing indicated in the assessment;
- the national risk assessment and the national risks of money laundering and terrorist financing indicated in the assessment;
- the risks of money laundering and terrorist financing concerning the sector supervised by it and relating to the obliged entities and to their customers, products and services.
The risk assessment must be updated on a regular basis, and a summary of the risk assessment must be made public.
FIN-FSA’s supervisor-specific risk assessment
The FIN-FSA’s supervisor-specific risk assessment of money laundering and terrorist financing is an extensive process consisting of several phases:
Assessment of inherent risk
The first phase comprises the determination of the so-called inherent risk level for each sector supervised by the FIN-FSA.
The FIN-FSA’s first summary of the inherent money laundering risk levels of different sectors was published on 17 March 2020.
The updated summary addresses the inherent risks of both money laundering and terrorist financing.
FIN-FSA's assessment of inherent risk 2020 (pdf)
FIN-FSA's assessment of inherent risk 2022 (pdf)
Sector-specific risk assessments
In the second phase of the risk assessment process, a risk assessment is prepared for each sector. In preparing the sector-specific risk assessment, use is made, for example, of information collected from obliged entities in the RA survey.
When summaries of sector-specific risk assessments are published, there will be separate communications.
Summary of the risk assessment on the payment service sector (pdf, published 24 August 2020)
Summary of money laundering risk assessment for life insurance sector (pdf, 14 December 2020)
Summary of the risk assessment on the credit institution sector (pdf, published 17 October 2022)
Summary of the risk assessment for capital market participants (pdf, published 7 February 2023)
Entity-specific risk assessments
As part of its supervisor-specific risk assessment, the FIN-FSA will determine a risk category for all of its supervised entities under the reporting obligation. The individual risk ratings of the obliged entities will not be made public.
The risk rating is assigned relative to other entities operating in the same sector.
The supervisor-specific risk assessment as a whole is an important part of the development of the FIN-FSA’s risk-based AML/CFT supervision framework.
Further information on requirements concerning risk-based supervision from the European Banking Authority:
In accordance with the AML Act, obliged entities shall prepare a risk assessment to identify and assess the risks of money laundering and terrorist financing. In preparing the risk assessment, each obliged entity shall take into account the nature, size and extent of its activities. The obliged entity shall have in place policies, procedures and controls that are sufficient with regard to the abovementioned factors to reduce and effectively manage the risks of money laundering and terrorist financing.
Why must a risk assessment be made?
The purpose of the risk assessment is to make each obliged entity identify and understand the risks of money laundering and terrorist financing related to its activities. Once the obliged entity has identified and assessed the risks, it will be able to adjust its risk management methods in proportion to the risk. A crucial part of the risk assessment process is to determine the obliged entity’s risk appetite, i.e. what level of risk it is willing to accept.
The AML Act also includes several obligations, compliance with which requires that a risk assessment of money laundering and terrorist financing is made first. For example, obliged entities must comply with their customer due diligence obligations based on the risks involved throughout the customer relationship. Risk-based compliance with the obligations is not possible without conducting a risk assessment.
In addition, it should be noted that the obliged entity must be able to demonstrate to the FIN-FSA that its methods concerning customer due diligence and ongoing monitoring are adequate in view of the risks of money laundering and terrorist financing.
How to prepare a risk assessment?
There is no standard format for a risk assessment; each obliged entity prepares it in a manner suited to its own purposes.
However, the obliged entity should document how the risk assessment was made so that it is able to describe the process to the FIN-FSA where necessary. In the documentation, attention should be paid to the following considerations:
- Who is responsible for preparing the risk assessment and which parties are involved?
- Which sources are used in preparing the risk assessment and how?
- When and how is the risk assessment updated?
- How does the risk assessment affect compliance with customer due diligence requirements?
- For example, if customers are grouped into risk categories, how were the risk categories derived from the risk assessment?
The law does not provide exact content requirements for the risk assessment. In order for the obliged entity to be able to demonstrate the adequacy of its methods regarding risks, the risk assessment should include the entity's view on the following matters:
- How can the products or services provided by the obliged entity be utilised in laundering money or financing terrorism?
- How have the risks of money laundering and terrorist financing related to new and existing customers, countries or geographical areas, products, services and transactions as well as distribution channels and technologies been taken into account (risk-based assessment)?
- What methods are used to prevent the use of the products and services in money laundering and/or terrorist financing? (management methods)
- What vulnerabilities are related to these management methods and what actions are taken to address these vulnerabilities?
- What is the obliged entity's assessment of the level of risk remaining (residual risk) after the estimated impact of the management methods on the risk?
- Is the level of residual risk acceptable, or will actions be taken to reduce it further?
The results of the risk assessment steer the actions related to customer due diligence. Hence, the risk assessment must have an effect on the customer due diligence actions, and the two must not conflict. For example, customers should not be categorised based on factors that have not been identified as risk factors in the risk assessment.
The Financial Supervisory Authority (FIN-FSA) has prepared a sanctions risk assessment for sectors supervised by the FIN-FSA under the Money Laundering Act and published the summary of this risk assessment. The sanctions risk assessment assesses for each sector the policies, procedures and internal controls in place to comply with sanctions regulations and national freezing orders in relation to the sector’s risk exposure.
An appendix related to sanctions evasion, published in connection with the summary of the sanctions risk assessment, collates information obtained through cooperation between authorities and from reliable public sources on identified ways of evading sanctions.