ML/TF Risk Assessment methodology

The money laundering and terrorism financing (ML/TF) risk assessment is the foundation of your AML/CTF Program, and your AML/CTF efforts. Assessing your ML/TF risks is the first thing you must do to determine what measures you need to include in your AML/CTF Program. The measures you put in place, including your policies, procedures and controls must be appropriate to protect your business from being exploited by criminals. As every business is different, the developed measures and the combination of them will be unique to your particular circumstances.

bronID has developed a framework and tools to help you with your ML/TF risk assessment and development of mitigation policies, procedures and controls. Here's a step by step guide how we do this:

Step 1: Use the bronID Risk Assessment Tool to provide insights about your business. Here you will answer questions that are specific about your business and operations such as the number of employees, jurisdictions where you operate, type of customers you onboard and specifics about your product.

Step 2 (optional): By using the scheduling tool, schedule an interview with a Compliance Adviser to go through your answers and iron out anything that might have been unclear in Step 1.

Step 3: The bronID algorithm will use the answers you provided in Step 1 and map them to different risk factors. By doing this, bronID will also assess the likelihood of some of these risk factors happening and the severity of these factors. This will give you the Inherent Risk, i.e. the ML/TF risk that your business faces without putting in place any mitigation measures.

Table 1: Likelihood of a risk factor happening

Probability of occurrence	Likelihood	Description
91-100%	Almost certainly	Occurs often during the provision of the service. Continuously experienced.
61-90%	Likely	Occurs several times during the provision of the service. Occurs frequently.
41-60%	Possible	Occurs sometime during the provision of the service. Occurs sporadically, or about half of the time.
11-40%	Unlikely	Possible to occur during the provision of the service. Remote chance of occurrence and expected to occur sometime during the provision of the service.
0-10%	Rare	Can assume will not occur during the provision of the service. Possible, but improbable. Occurs only very rarely.

Table 2: The impact/severity of an event happening

Impact	ML/TF Impact	Reputation	Non-compliance
Negligible	The service cannot be used in facilitating any illegal or criminal activities.	Non-headline exposure, not at fault, no impact.	Innocent procedural breach, evidence of good faith, little impact.
Minor	The service can be used directly or indirectly to fund or support criminal activities with minor impact.	Non-headline exposure, clear fault - settled quickly.	Breach, objection/complaint lodged, minor harm with investigation.
Moderate	The service can be used directly or indirectly to fund or support criminal activities with moderate impact such as: minor cyber-crime and scams; small scale business fraud and tax evasion; small scale local and street crime.	Repeated non-headline exposure, slow resolution. Results with regulatory enquiry/briefing.	Negligent breach, lack of good faith evident, performance review initiated.
Significant	The service can be used directly or indirectly to fund or support criminal activities with a significant impact such as: serious financial crime; organised maritime piracy; organised environmental crime; corruption; extorsion; major cyber-crime.	Headline profile, repeated exposure, at fault or unresolved complexities. Results with the involvement of the regulator.	Deliberate breach or major negligence, formal investigation, disciplinary action. Results with regulatory involvement.
Severe	The service can be used directly or indirectly to fund an illicit activity that may result in loss of lives or have a severe impact on human well-being such as: terrorist attacks; human trafficking; drug trafficking.	Maximum high-level headline exposure, regulatory censure, loss of credibility.	Serious wilful breach, criminal negligence or act. Results with prosecution, dismissal and regulatory censure.

‍

Step 4: Having insight into the Inherent Risk of your business, you can now assess if this fits your risk appetite. If it doesn't and if you want lower you ML/TF risk and exposure, you must implement appropriate mitigation measures.

‍

Table 3: Inherent Risk as a function of likelihood and impact

Likelihood	Risk Score
Almost certainly	Medium	Med High	Med High	High	High
Likely	Low Med	Medium	Med High	Med High	High
Possible	Low Med	Low Med	Medium	Med High	Med High
Unlikely	Low	Low Med	Low Med	Medium	Med High
Rare	Low	Low	Low Med	Low Med	Medium
Impact	Negligible	Minor	Moderate	Significant	Severe

‍

Step 5: Based on our expert knowledge, bronID will suggest measures that are appropriate to the risks you are facing. You can additionally select different measures from our Control Bank with a goal to reduce your Inherent Risk.

Step 6: bronID will calculate your Residual Risk, which is a function of your Inherent Risk minus the Control Effectiveness, i.e. the level to what the proposed or implemented measures reduce the risk of your business being abused for ML/TF. Note that you will reassess the level of effectiveness over time as you collect more empirical data. If the Residual Risk does not fit your risk appetite, you should repeat Step 5 until the Residual Risk is down to a level that is acceptable for you.

Table 4: Residual Risk as a function of the Inherent Risk and the COntrol Effectivness

Control Effectiveness	Residual Risk
Weak	Low	Low Med	Medium	Med High	High
Adequate	Low	Low	Low Med	Medium	Med High
Strong	Low	Low	Low	Low Med	Medium
Inherent Risk	Low	Low Med	Medium	Med High	High

‍

Help Centre

ML/TF Risk Assessment

ML/TF Risk Assessment methodology

Still require support?

Help Centre

Blog

About Us

Careers

Contact

Sectors

Features

Resources