ML/TF Risk Assessment methodology

A brief description of the bronID ML/TF Risk Assessment methodology.

The money laundering and terrorism financing (ML/TF) risk assessment is the foundation of your AML/CTF Program and your AML/CTF efforts. Assessing your ML/TF risks is the first thing you must do to determine what measures you need to include in your AML/CTF Program. The measures you put in place, including your policies, procedures and controls, must be appropriate to protect your business from being exploited by criminals. As every business is different, the measures you develop, and the combination of them, will be unique to your particular circumstances.

bronID has developed a framework and tools to help you with your ML/TF risk assessment and the development of mitigation policies, procedures and controls. Here is a step-by-step guide to how we do this:

Step 1: Use the bronID Risk Assessment Tool to provide insights about your business. Here you will answer questions that are specific to your business and operations, such as the number of employees, the jurisdictions where you operate, the type of customers you onboard and specifics about your product.

Step 2 (optional): Use the scheduling tool to schedule an interview with a Compliance Adviser to go through your answers and iron out anything that might have been unclear in Step 1.

Step 3: The bronID algorithm will use the answers you provided in Step 1 and map them to different risk factors. By doing this, bronID will also assess the likelihood of some of these risk factors happening and the severity of these factors. This will give you the Inherent Risk, i.e. the ML/TF risk that your business faces without putting in place any mitigation measures.

Table 1: Likelihood of a risk factor happening

| Probability of occurrence | Likelihood | Description |
|---|---|---|
| 91-100% | Almost certainly | Occurs often during the provision of the service. Continuously experienced. |
| 61-90% | Likely | Occurs several times during the provision of the service. Occurs frequently. |
| 41-60% | Possible | Occurs sometime during the provision of the service. Occurs sporadically, or about half of the time. |
| 11-40% | Unlikely | Possible to occur during the provision of the service. Remote chance of occurrence and expected to occur sometime during the provision of the service. |
| 0-10% | Rare | Can assume will not occur during the provision of the service. Possible, but improbable. Occurs only very rarely. |

Table 2: The impact/severity of an event happening

Impact: Negligible
ML/TF Impact: The service cannot be used in facilitating any illegal or criminal activities.
Reputation: Non-headline exposure, not at fault, no impact.
Non-compliance: Innocent procedural breach, evidence of good faith, little impact.

Impact: Minor
ML/TF Impact: The service can be used directly or indirectly to fund or support criminal activities with minor impact.
Reputation: Non-headline exposure, clear fault - settled quickly.
Non-compliance: Breach, objection/complaint lodged, minor harm with investigation.

Impact: Moderate
ML/TF Impact: The service can be used directly or indirectly to fund or support criminal activities with moderate impact such as:
  • minor cyber-crime and scams;
  • small scale business fraud and tax evasion;
  • small scale local and street crime.
Reputation: Repeated non-headline exposure, slow resolution. Results in regulatory enquiry/briefing.
Non-compliance: Negligent breach, lack of good faith evident, performance review initiated.

Impact: Significant
ML/TF Impact: The service can be used directly or indirectly to fund or support criminal activities with a significant impact such as:
  • serious financial crime;
  • organised maritime piracy;
  • organised environmental crime;
  • corruption;
  • extortion;
  • major cyber-crime.
Reputation: Headline profile, repeated exposure, at fault or unresolved complexities. Results in the involvement of the regulator.
Non-compliance: Deliberate breach or major negligence, formal investigation, disciplinary action. Results in regulatory involvement.

Impact: Severe
ML/TF Impact: The service can be used directly or indirectly to fund an illicit activity that may result in loss of lives or have a severe impact on human well-being such as:
  • terrorist attacks;
  • human trafficking;
  • drug trafficking.
Reputation: Maximum high-level headline exposure, regulatory censure, loss of credibility.
Non-compliance: Serious wilful breach, criminal negligence or act. Results in prosecution, dismissal and regulatory censure.

Step 4: Having insight into the Inherent Risk of your business, you can now assess whether it fits your risk appetite. If it doesn't, and you want to lower your ML/TF risk and exposure, you must implement appropriate mitigation measures.

Table 3: Inherent Risk as a function of likelihood and impact

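Each cell gives the Risk Score for the likelihood (row) and impact (column).

| Likelihood \ Impact | Negligible | Minor | Moderate | Significant | Severe |
|---|---|---|---|---|---|
| Almost certainly | Medium | Med High | Med High | High | High |
| Likely | Low Med | Medium | Med High | Med High | High |
| Possible | Low Med | Low Med | Medium | Med High | Med High |
| Unlikely | Low | Low Med | Low Med | Medium | Med High |
| Rare | Low | Low | Low Med | Low Med | Medium |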

Step 5: Based on our expert knowledge, bronID will suggest measures that are appropriate to the risks you are facing. You can additionally select different measures from our Control Bank with a goal to reduce your Inherent Risk.

Step 6: bronID will calculate your Residual Risk, which is a function of your Inherent Risk minus the Control Effectiveness, i.e. the level to which the proposed or implemented measures reduce the risk of your business being abused for ML/TF. Note that you will reassess the level of effectiveness over time as you collect more empirical data. If the Residual Risk does not fit your risk appetite, you should repeat Step 5 until the Residual Risk is down to a level that is acceptable to you.

Table 4: Residual Risk as a function of the Inherent Risk and the Control Effectiveness

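Each cell gives the Residual Risk for the control effectiveness (row) and inherent risk (column).

| Control Effectiveness \ Inherent Risk | Low | Low Med | Medium | Med High | High |
|---|---|---|---|---|---|
| Weak | Low | Low Med | Medium | Med High | High |
| Adequate | Low | Low | Low Med | Medium | Med High |
| Strong | Low | Low | Low | Low Med | Medium |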
