The Anti-Money Laundering (AML) framework of any regulated entity – be it a Financial Institution or a Designated Non-Financial Institution (DNFBP) regulated by any AML supervisory authority – would always be effective when its foundation is set with a comprehensive Enterprise-Wide Risk Assessment. This is no exception for the IFSC entities regulated by the International Financial Services Centre Authority (IFSCA).

Even the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022 mandate the regulated entities to perform the Enterprise-Wide Risk Assessment.

In this article, let us explore the concept of Enterprise-Wide Risk Assessment, or “AML Business Risk Assessment,” and what factors must be considered by an IFSC entity when assessing the potential money laundering or terrorism financing risk its business is vulnerable to.

What is an AML Enterprise-Wide Risk Assessment?

AML Enterprise-Wide Risk Assessment (EWRA) is the process regulated entities adopt to identify and assess the ML/FT risks of the business. The EWRA exercise involves the following:

  • identifying the risk factors that expose the business to money launderers and other financial criminals
  • assessing the possibility or likelihood of such risk materializing
  • evaluating the impact such risk can have on the business if the risk actually occurs
  • checking whether such risk is within the company’s ML/FT risk appetite
  • determining the controls necessary to mitigate the assessed business risks
  • evaluating the strength and adequacy of the existing controls to check whether these would be sufficient to manage the risks
  • if not, designing and implementing the additional controls and mitigation measures to ensure that the

It is not just a one-time task; the IFSC-regulated entities must periodically assess their business exposure to ML/FT risks and update the controls required to manage the risks effectively.

The results of the business risk assessment are used to customize the AML Program of the company, ensuring the optimal utilization of the resources targeted to manage the risk exposure, i.e., more resources to be deployed for high-risk elements while managing the low-risk areas with low or moderate resources.

Given that the entire AML Program is based on the outcome of the EWRA, it is pertinent to ensure accuracy and comprehensiveness in identifying the risk parameters on the basis of which the business risk assessment should be conducted.

The company must consider the nature and size of its business, along with other risk parameters such as the nature of the customers, geographies, products, and services offered, nature of transactions, delivery channels involved, etc.

Let us discuss these risk factors in detail.

What factors must be considered by an IFSC-regulated entity for Enterprise-Wide Risk Assessment?

The overall business exposure to money laundering or terrorism financing is an outcome of a combined evaluation of various factors, such as:

Risk Associated With Customer’s Profile

Understanding the nature of the customers (including suppliers) the company engages with is crucial to EWRA. The regulated entity must consider the following customer-related aspects when assessing the overall business risk:

  • customer’s legal structure
  • nature of the customer’s business activities – whether regulated or unregulated
  • financial position of the customers
  • customer’s status as a Politically Exposed Person (PEP) or a close associate or relative of a PEP
  • ownership structure of the corporate customers (whether reasonable considering the business activities or excessively complex)
  • circumstances under which the customer intends to establish a business relationship
  • customer’s cooperation towards applying Customer Due Diligence measures
  • whether the customer is an existing customer or a new one
  • whether the customer has any nexus with the Sanctions List or any adverse media
  • whether the customer is a legitimate setup, or has any nominee shareholders or any bearer shares issued

The analysis of the customer base would help the entity assess the contribution of the risk arising from the customers to the overall business risk and the controls required to manage the same.

Geographic Risk

The jurisdictions or geographies in which the company operates (having branches outside IFSC) and the customers’ locations are pertinent in assessing the IFSC entity’s exposure to money laundering and terrorism financing risks.

In determining the location-based risk, the company must consider whether it has any nexus, directly or through its customers, with any of the following:

  • countries known to have weak or no AML/CFT regulatory framework
  • countries notorious for assisting terrorist activities or funding terrorist organizations
  • jurisdictions having higher rates of corruption
  • countries subject to any international sanctions or embargoes

The entity must consider the countries defined under the Financial Action Task Force (FATF)’s Grey List (Jurisdictions Subject to Increased Monitoring by FATF) or Blacklist (Countries subject to “Call for Action” by FATF).

Factoring in the locations of its business operations and the customer’s jurisdiction is essential to bring clarity around the ML/FT risks the business may face when foreign countries get involved and the mitigation measures required to manage these risks.

Risk associated with Products and Services offered

The nature of the products and services offered by an IFSC-regulated entity highly influences the company’s overall ML/FT risks. Particular categories of products or services pose a higher risk or have a high potential of being exploited by financial criminals.

Products such as private banking or acting as nominee shareholders or directors are subject to a higher risk of being used as a conduit for money laundering. Similarly, the products offering anonymity are highly vulnerable to money laundering.

Further, the regulated entity must assess the risk before launching any product or introducing a new service practice.

Risk Related to the Nature of Transactions

The nature, volume, and complexity of the transactions are important aspects shaping the outcome of the EWRA. Some of the risk indicators related to transactions are:

  • Complex transactions involving multiple parties
  • Multiple transactions conducted in a short period just within the reporting threshold
  • Payment routed through an unassociated third-party account
  • Customer insisting on making large payments in cash or virtual digital assets
  • Inconsistency between the customer’s financial position and the value of the transaction
  • Sudden change in the transactional parameters almost near the end of the transaction

The transactions’ quantity and quality must be considered while assessing the business risk.

Delivery Channels

How the regulated entity delivers the products or services or onboards the customers is also an essential factor determining the risk of the business.

The company must consider the following while assessing the risk posed by the delivery or distribution channels:

  • whether the customers are onboarded directly or through third-party intermediaries
  • business relationships established on a non-face-to-face basis
  • products sold or services delivered online or remotely

The mode through which the customer relationship is established and customers are served poses a different level of financial crime risk and requires specific technological controls or the application of due diligence measures on the involved agents or business partners.

Let AML India assist you with identifying the risk indicators and conducting Enterprise-Wide Risk Assessment

Merely performing an AML Business-Wide Risk Assessment is insufficient; ensuring its accuracy and relevance is pertinent so that the IFSC-regulated entities detect and prevent money laundering and terrorist financing instances in a timely manner.

With thorough knowledge of the IFSCA AML Guidelines, AML India can help you assess your ML/FT business risk by understanding your business better, with an in-depth analysis of factors such as your customer base, your target market, your product and service lines, the way you conduct business transactions, etc. With a robust AML Entity-Wide Risk Assessment exercise, the outcome would guide the company in developing the AML/CFT Program – including policies, procedures, and controls – to curb the ML/FT red flags and suspicious activities.

Let’s protect our economy against financial crimes!

About the Author

Jyoti Maheshwari


Jyoti is a Chartered Accountant and Certified Anti-Money Laundering Specialist (CAMS) with over 7 years of experience in regulatory compliance, policymaking, risk management, RegTech solution consultancy, and implementation. With an understanding of the different jurisdictional AML regulations, including PMLA, 2002 and IFSCA (AML, CFT, and KYC) Guidelines, she has been closely working with clients to implement Anti-Money Laundering measures, including conducting Enterprise-Wide Risk Assessments, imparting AML training, etc.