Here are the top financial crime takeaways from the Wolfsberg Group’s risk assessment FAQs

An influential group comprised of the world’s largest banks has released a key guide to help the financial sector better gauge the risks of illicit entities across the financial crime spectrum, a tall order that will be broadly welcomed by banks struggling with such complex initiatives.

The Wolfsberg Group released the “Frequently Asked Questions on Risk Assessments,” because the precognitive, highly analytical exercises “are one element of the Financial Crime Compliance (FCC) toolkit and serve to highlight key risk areas, how well those risks are managed and support a risk-based allocation of resources to the highest risk areas, as well as the establishment of action plans for managing identified risks.”

But critical to the exercise of ascribing a mathematical score and risk stratum, such as low or high, to a given client, individual, business or region, is not to get lost in a sea of arcane data points, but to truly get to know and understand who the customer is, what they do, where they got their money, and with which other places or types of business they will be interacting.

“No compliance program is ever going to improve on the old adage, ‘know your client,’ but as we all know, that is easier said than done,” said Peter Gallo, an international financial crime consultant. “What Risk Management programs can do, of course, is identify which ones we need to know better, so that attention can be focused where it is most likely to be effective.”

The Wolfsberg Group is an association of eleven global banks, including Bank of America, Barclays, Citigroup, HSBC and JPMorgan Chase, which aims to develop guidance for the management of financial crime risks, particularly with respect to better knowing and understanding customers and transaction patterns related to anti-money laundering (AML) and terror financing.

The group came together in 2000, at the Château Wolfsberg in north-eastern Switzerland, initially to work on drafting AML guidelines for private banking, which were published in 2000, revised in 2002 and again in 2012.

The group in the last decade has published pieces on the risk-based approach and compliance rules for the investment sector along with delving into the risks and controls required for politically-exposed persons, corruption and emerging payment techniques, such as prepaid cards.

The real key to any anti-money laundering program and related risk assessment is hidden within section 6.1.1. on “Clients,” Gallo said.

“Everything else – all the monitoring and controls in the world, every risk assessment ever carried out, the most comprehensive analysis of STR filings ever compiled – cannot change the basic fact that money laundering is a function of having clients who are engaged in criminal activity,” he said, adding that the initial customer due diligence is vital to a sound assessment.

Here are several of the key compliance takeaways:


  1. Set phasers: While there are numerous ways to conduct risk assessments, increasingly the most common approach used by FIs can be described as the “conventional/standard methodology,” and includes three distinct phases, according to Wolfsberg.

The three phases of the risk assessment should cover:

Phase 1: Determine the inherent risk, such as clients, products, services and geographies

Phase 2: Assess the internal control environment, gauging both design and operating effectiveness. This is done by comparing the risk with the related mitigating or aggravating factors, including due diligence, suspicious activity reports, monitoring, training and independent testing.

Phase 3: Derive the residual risk, which would lead to strategic, long-term actions and strategies; prompt more tactical, or immediate, steps, such as dropping a customer’s account or tuning the transaction monitoring to be more sensitive; and allow the bank to more quickly determine if the final risk score is in line with the overall risk appetite of the bank.


  2. Choose carefully: When undertaking a risk assessment, banks and other financial institutions should choose an appropriate format to collate the risk assessment that will generate risk ratings and track actions that arise through the course of the assessment itself, such as suspicious activity raising the risk of the entity.

Risk assessment tabulation options include the creation of a bespoke internal system to log risk assessment answers and generate risk ratings, the use of electronic spreadsheet programs and the manual calculation of risk ratings, with rigorously documented details of the backend methodology being used.

The risk assessment should cover the entirety of the financial institution’s business, though it may be conducted in parts, or as part of a rolling cycle, to focus on separate areas, such as divisions, units or specific business lines. These can be done annually or, if little has changed, pushed to longer time periods.


  3. Highpothetically speaking: In most cases, banks use a three-tier risk structure, including low, medium and high. But, when assessing related controls, there are some unassailable, bedrock points, including:
  • A strong control environment can lower the residual financial crime risk in comparison to the inherent risk
  • If the FI/business unit/business line receives a High rating of inherent money laundering risk, it can never achieve a residual money laundering risk rating of Low
  • In order to improve its residual ML risk, either the inherent money laundering risk can be reduced or the AML controls can be strengthened.

  4. Converged approach: Wolfsberg states that the definition of a money laundering risk assessment has morphed beyond laundering itself to include terror financing, sanctions and bribery and corruption.

Historically, money laundering risk assessments have focused on client, transaction and other risks associated with more traditional forms of money laundering.

“However, over time, additional financial crimes have become predicate offences to money laundering, and the breadth of AML compliance has similarly expanded to encompass a greater array of suspicious activities,” Wolfsberg said.

Therefore, a risk assessment process may involve an evaluation of multiple, and sometimes disparate, activities, including money laundering, international sanctions, bribery and corruption, fraud of various kinds, insider trading and market manipulation, tax evasion, amongst others, according to the group.

“Separating ‘corruption’ from ‘money laundering’ is something that has never made any sense to me,” Gallo said.

“Corruption is the underlying problem that corrodes the integrity of any country’s financial system, just as it does the legal system,” he said. “Of all money laundering predicate offences, bribery and corruption are probably the most strategically important; because it is bribery and corruption that facilitates all the others.

“If AML compliance is the ultimate ‘corporate social responsibility’ of the financial industry; it is the policies and the awareness of the bribery and corruption risks that have to be at the sharp edge of that responsibility.”