EU lays down groundwork for standardised AML supervision
Chris Hamblin, Editor, London, 22 November 2016
The European Union's three financial super-regulators have published guidelines to govern the risk-based approach that the regulators of EU countries ought to take to anti-money laundering and terrorist finance supervision.
The European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority have issued these guidelines. They form part of the pan-EU regulators' endeavours to standardise supervisory practices throughout the European Union. These efforts, the EU claims, are consistent with the revamped standards that the Financial Action Task Force issued in 2012. By EU law, competent authorities and financial institutions must make every effort to comply within 12 months or, in the case of national regulators, tell the EU why they are not doing so within two months.
Competent authorities should apply the following four steps as part of an effective AML/TF risk-based supervision model.
- Step 1 – the identification of ML/TF risk factors.
- Step 2 – risk assessment.
- Step 3 – supervision that is commensurate with the risk that they have identified.
- Step 4 – monitoring, review and follow‐up, with the allocation of supervisory effort remaining up-to-date and relevant.
The EU's guidelines state: "Step 4 can initiate again the identification of relevant information (Step 1), which may inform a new or updated risk assessment (Step 2), which in turn triggers new supervisory actions to mitigate those risks (Step 3)."
Competent authorities should note that this risk-based supervision is not a one‐off exercise but a continual and cyclical process. They may group firms that do not belong to the same financial group but share similar characteristics into 'clusters' (groups of subjects of assessment that share similar characteristics) and consider them as a single ‘subject of assessment’. Examples of characteristics firms within one cluster might share include their sizes, the nature of their business, the type of customers they serve, their geographic areas or activity and their delivery channels. In that case, some elements of the risk-based supervision process may be carried out at the collective level of the cluster itself, rather than at the level of each firm in that cluster. Competent authorities, however, should not normally cluster groups, but instead treat firms that form part of the same financial group as one ‘subject of assessment.’
Should a competent authority know, or have reasonable grounds to suspect, that the risk associated with an individual firm in a cluster varies significantly from that associated with other firms in the cluster, for example because the firm is beneficially owned by individuals whose integrity is in doubt, or because the firm’s internal control framework is deficient, the competent authority should remove that firm from the cluster and assess it either individually, or as part of a cluster of firms with a similar risk level.
The guidelines make the rather obvious point that a firm that is of enormous strategic value to a country's economy might not be the venue (or the likely venue) of a large amount of money laundering, while a small firm very well might.
When identifying ML/TF risk factors, competent authorities must always consider the European Commission's supranational risk assessment, the opinion of the centralised EU regulators about the ML/TF risk that the financial markets face, national risk assessments, and information from supervisors. This last includes guidance and findings from supervisory action such as notes for record, information gathered as part of the authorisation process, regulatory visits and enforcement action.
If a competent authority somewhere in the EU holds information that is 'relevant' - a word the guideline document does not explain - another one elsewhere in the EU that wants that information should "take steps to ensure" (not actually ensure) that gateways exist to make its 'timely' exchange possible. This presumably rules out any situation in which the headquarters of a private bank in one EU country cannot access account information about a globally active customer's account in another one.
The 'relevant information' stipulation also applies to the Single Supervisory Mechanism, the EU law which came into force (for 'Euroland' only) in November 2014 and which allows the European Central Bank to monitor the financial stability of banks based in participating states.
Competent authorities might also consider information from trade bodies such as the Wealth Management Association, Transparency International's corruption perceptions index, information from the Financial Action Task Force, newspaper reports, risk and intelligence reports from commercial organisations and information from academics.
Foreign AML risks
The document predictably exhorts national competent authorities to identify domestic 'risks' that relate to money laundering and terrorist finance. More surprisingly, it also tells them to identify the risks posed by other countries with which their 'subjects of assessment' (i.e. financial firms and/or groups, see above) maintain significant links. Indeed, it states explicitly that "where a subject of assessment maintains significant links with other EU member-states or 'third countries' [a term the paper does not define] so that subjects of assessment are exposed to ML/TF risks associated with these other countries, competent authorities should identify these risks." Presumably this means that every regulated firm in the EU with international business that has any exposure to money laundering at all can look forward to its regulator complying with this legal requirement and handing it a ready-made assessment of the risks that its foreign customers pose, thereby saving it the expense of doing it on its own account. If the regulator is uninterested in combating money laundering, however, it might keep its list secret and trot it out only on supervisory visits, using it as a pretext to find fault with the firm if its own list is not identical.
Much of the guideline document is a tour through the usual risk channels that regulators and regulated should take into account, such as delivery channels, the nature and complexity of products, the structure of ownership of the particular banking group and capital adequacy. The prevailing 'corporate culture' is a factor as well, particularly the 'compliance culture' and the 'culture of transparency and trust' in relations with regulators.
Risk profiling
The EU's paper leaves it open to competent authorities to categorise the risk profiles of firms and their groups, suggesting that the traditional 'high, medium and low' categories are not the only options. By no means, however, does it call on them to share their assessments of firms with those firms themselves, merely stating that they should consider doing so.
There should be a risk assessment for each subject of assessment and for the supervised sector in which it dwells. Firms associated with higher ML/TF risks should be subject to more frequent and intrusive supervision. This also applies to firms that the regulator in question has included in a 'cluster' for the purposes of risk assessment.
The EU is comfortable with the idea of regulators weighting risk factors and mitigating factors differently, depending on their relative importance. It does, however, want them to "use similar factors for similar subjects of assessment." The aim here might be to steer countries away from the temptation to push business away from some foreign trading partners and towards others because of political considerations.
Supervision
The EU is urging - but not ordering - regulators not to rely on off-site supervision alone at the riskier end of things. As in all other areas, though, it wants them to allocate resources to each firm in a way that is commensurate with its ML/TF risk profile.
In the latter half of the paper it refers a good deal to 'supervisory plans' without explaining what it means by the term. It asks regulators to amend them in line with risks to which the firms or other 'subjects of assessment' are exposed. It asks them to keep records of any changes they make to 'the supervisory plan.' Under one heading entitled 'Overall AML/CFT supervisory plan' it refers to an "overall supervision strategy." It asks them to "ensure the balance between...supervisory plans." All this implies that each regulator should have one plan for each firm/'subject of assessment' and one overarching one for many or all of them. All should be consistent with the overall ML/TF risks that it has identified. Ad hoc reviews of these plans should take place as and when each subject's risk profile changes.
This might be because of major external events; emerging ML/TF risks; findings from the supervision of firms; and changes to the ownership of qualifying holdings.
Training
The three super-regulators make pronouncements about the ways in which regulators ought to train their supervisory staff, but these are platitudinous. They say that they should train them to carry out risk-based supervision effectively and consistently; that training may include training courses; and that they should train their supervisors to assess the adequacy, proportionality and effectiveness of each subject of assessment's policies, procedures and wider governance arrangements.
Vague and non-binding exhortations pervade the EU's policy paper. Competent authorities should 'seek to' familiarise themselves with international best practices and consider participating in relevant international and European fora. Competent authorities should "seek to satisfy themselves" that their ML/TF risk assessment methods are applied consistently and effectively. They should 'consider' setting out the kind of information they want to obtain in order to identify risk factors - this presumably entails writing the information down and showing it to someone. In obtaining this information, they should consider the European Commission’s supranational risk assessment.
This assessment has yet to be completed, although the commission has published some sketchy preliminary findings. These mention no countries by name and can be found at http://fatfplatform.org/wp-content/uploads/2016/03/ML-TF-risks-scenarios-04022016-sent.pdf