The Act on Combating Money Laundering and Terrorist Financing (hereinafter referred to as the "AML Act") imposes a number of obligations on obligated institutions. One of these is the requirement to identify and assess the risks associated with money laundering and terrorist financing related to the obligated institution's business profile, taking into account risk factors related to the client, the countries or geographic areas of operation, the types of products, services and transactions offered, and their delivery channels.

Although the legislator has formulated this obligation quite clearly, its implementation poses many problems in practice.

The first question that arises is where to begin such risk identification and assessment.

The starting point for our considerations should be Article 27 of the AML Act. According to its wording:

  1. Obligated institutions identify and assess the money laundering and terrorist financing risks associated with their activities, taking into account risk factors related to customers, countries or geographic areas, products, services, transactions, or their delivery channels. These actions are proportionate to the nature and size of the obligated institution.
  2. When assessing risk, obligated institutions may take into account the applicable national risk assessment as well as the European Commission report referred to in Article 6 paragraphs 1-3 of Directive 2015/849.
  3. The obligated institutions shall prepare the risk assessments referred to in par. 1 in paper or electronic form and, if necessary, but no less frequently than every two years, update them, in particular in connection with changes in risk factors relating to customers, countries or geographical areas, products, services, transactions or their delivery channels or the documents referred to in par. 2.
  4. The obligated institutions may make the risk assessments referred to in paragraph 1 available to professional self-government bodies or associations of these obligated institutions.

As stated in the aforementioned provision, a risk assessment is simply a document in which an obligated institution identifies the risk associated with money laundering and terrorist financing and then determines the measures necessary to prevent these crimes. The main purpose of such an assessment is to identify threats and potential security gaps that expose the institution to the possibility of being exploited for money laundering or terrorist financing.

The AML Act requires that the identification and assessment process be adapted to the type and nature of the obligated institution, in terms of the risk factors that apply to it and relate to:

  • customers,
  • countries and geographical areas of operation,
  • offered products and services,
  • types of transactions carried out,
  • delivery channels for products, services and particular types of transactions.

The factors listed above constitute a minimum list of risk factors that the obligated institution must consider in each assessment. However, the list of factors specified in the AML Act is not exhaustive, and therefore additional aspects may be analyzed, such as:

  • IT tools and systems used by the obligated institution,
  • the degree of dependence of the obligated institution on external suppliers in the area related to AML/CFT,
  • adequacy of the organizational structure and the number of employees responsible for performing AML/CFT obligations in relation to the identified risk,
  • the scale of employee turnover and management of units responsible for AML/CFT processes,
  • the effectiveness of the internal control system and its adequacy in relation to the size of the obligated institution,
  • effectiveness of the AML/CFT training system.

It's worth utilizing additional sources of information in this process. Legislators point to two documents: the National Risk Assessment, referred to in Article 29 of the AML Act, and the European Commission's report on the assessment of money laundering and terrorist financing risks affecting the internal market and involving cross-border activity (hereinafter referred to as the Supranational Risk Assessment). It's also worth exploring information published by relevant authorities, including the General Inspectorate of Financial Information (GIIF), the Polish Financial Supervision Authority (PFSA), and studies prepared by the European Supervisory Authority, as well as leveraging expert knowledge.

Because the risk of money laundering and terrorism financing is not the same for every obligated institution, the AML Act does not provide a specific methodology for assessing such risk. According to the PFSA recommendation, the entire process will consist of four key elements:

  • assessment of inherent risk, i.e. the risk occurring in the absence of actions taken to reduce the probability of risk occurrence and/or limit its effects, in relation to each risk factor listed in Article 27, Section 1 of the AML Act,
  • identifying risk mitigators and assessing their effectiveness,
  • residual risk assessment, i.e. the risk remaining after the introduction of risk control procedures and mitigants and after assessing their effectiveness,
  • defining the actions planned by the obligated institution to manage residual risk (if any).

Obligated institutions, after assessing the inherent and residual risk associated with the individual risk factors referred to above, should determine the institution's vulnerability to risks related to money laundering and terrorist financing.

Finally, it is worth recalling that the analysis conducted must be prepared in written or electronic form and updated at least once every 2 years.

This alert is for informational purposes only and does not constitute legal advice.
