Business-wide risk assessment
A business-wide risk assessment involves identifying and assessing the risk of money laundering and terrorist financing in the activities of obliged entities. The risk assessment is intended to identify the main weaknesses of, and threats to, the obliged entities, and it shall specify methods and means for managing and mitigating the identified risk of the activities being misused for money laundering and terrorist financing.
In accordance with Act no. 140/2018, obliged entities are required to conduct risk assessments of their operations and transactions. The risk assessment shall be updated at least every two years and when the need arises.
The risk assessment shall include a written analysis and assessment of the risk of money laundering and terrorist financing and, among other things, take into account risk factors related to customers, trading countries or regions, products, services, trading, technology and distribution channels. A risk assessment must always be carried out before new products or services are launched on the market and when new distribution channels and new technologies are put into use.
Obliged entities engage in substantially different activities and the scope of the entities' activities may vary. The risk assessment shall therefore take into account the size, nature and scope of the activities of obliged entities and the complexity of their operations.
Before carrying out a risk assessment, the obliged entity shall document the methodology it applies. It shall clearly state how the assessment is conducted, including, among other things, how the risk factors are identified, where and how data is obtained, how risk classification is carried out and what criteria are applied in the risk classification. The approach that the obliged entity chooses to apply to its risk assessment shall be substantiated. The methodology used shall be regularly reassessed and updated if necessary. When conducting a risk assessment, obliged entities must take the risk assessment of the National Commissioner of the Police into account.
The risk assessment shall, among other things, discuss:
- inherent risk, the classification of individual risk factors and the rationale for the conclusion,
- the quality of controls and other methods to mitigate risk,
- residual risk and risk classification of individual risk factors.
The European Banking Authority (EBA) has issued guidelines on risk factors related to the actions of obliged entities in the financial sector against money laundering and terrorist financing. Obliged entities shall familiarise themselves with these guidelines and take them into account when preparing the risk assessment.
The preparation of a risk assessment is covered in greater detail in Regulation no. 545/2019, which stipulates, among other things, methodologies for risk assessment, risk classification, monitoring and supervision, management and procedures.
Useful links
- Conducting a risk assessment for money laundering and terrorist financing
- Regulation no. 545/2019 on risk assessment (Icelandic)
- Risk assessment of the National Commissioner of the Police (Icelandic)
- EBA Risk Factors Guidelines
- Risk assessment - Informative material of the steering group on measures against money laundering and terrorist financing (Icelandic)
- Risk factors in the banking sector (Icelandic)
- Risk factors in the securities and fund market (Icelandic)
- Risk factors in the life insurance market (Icelandic)
- Risk factors due to the issuance and handling of electronic money (Icelandic)
- Risk factors related to money remittance (Icelandic)
- Risk factors in the provision of payment services (Icelandic)