News

Embrace Risk-Based Approach – Highlights from the Finnish AML/CTF Regulations

The Finnish Financial Supervisory Authority (“FIN-FSA”) implemented new AML/CTF Regulations and Guidelines (“AML/CTF Regulations”)[1] this year after regulatory amendments, emphasizing a risk-based approach. Ineffectively applied, this approach can render a range of risks. Our Financial Crime Prevention experts unveil some of the key takeaways and considerations in light of the increased focus on risk-based approach.

Earlier this year, the FIN-FSA enforced new AML/CTF Regulations that emphasize a risk-based approach, aiming to prevent money laundering and terrorist financing (“ML/TF”) by addressing potential risks through regulatory amendments. The AML/CTF Regulations clearly place a responsibility on the senior management to determinate the risk-appetite – in other words, what are the accepted ML/TF risk limits in the entity’s activities. Moreover, expectations are that the FIN-FSA will place additional attention on de-risking and the societal responsibility of financial institutes.  

Obliged entities may feel that the newly imposed AML/CTF Regulations are a burden given that regulations are frequently updated as is already. However, a well implemented risk-based approach is a ticket to compliance cost efficiency and in the longer run also business efficiency.

Sara Salmela, FCG Risk & Compliance, Financial Crime Prevention

The Amendments

The new AML/CTF Regulations follow the updated AML/CTF Act[2], which came into force in March 2023. The Act includes amendments concerning inter alia the definition of what constitutes a suspicious transaction and clarifications on due diligence requirements. The amended AML/CTF Act states that customer due diligence measures must also properly ensure compliance with any sanctions regulations adopted in reference to EU sanctions and targeted asset freezes. Failing may result in administrative sanctions imposed by the supervisory authorities. Regulations and guidelines for customer due diligence related to compliance with sanctions regulation and freezing orders by FIN-FSA (“Sanctions Regulations”) are expected to be published in December[3].

Many organisations are seeking to come to terms with the inherent inefficiency of a ‘wholesale approach’ to risk assessment. Experts agree that a more risk-based approach to customer due diligence is where obliged entities have a lot of potential to improve. The flipside of applying the risk-based approach insufficiently, can be de-risking, on the topic of which the European Banking Authority published a guideline in March this year[4]. Jonna Ekström, Senior Legal Advisor at FIN-FSA, has also raised the concern of de-risking and stressed the importance of proportionality when applying risk-based approach. Ekström further highlights financial inclusion and the key role the obliged entities play in society[5].

The ability of an organization to establish a consequent understanding of what a risk-based approach entails across its business operations and customer relationships is a continuous process, linked to the business-wide risk assessment.

The ineffective application in practice can render a range of additional risks

Robust compliance as collateral

ML/TF has recently become a recurring theme in the headlines of the Finnish media, suggesting that banks lack efficient ML/TF risk management frameworks. No organisation wants to become clickbait because of bad press. Reputational damage is difficult to measure in monetary terms, but there are multiple unfortunate examples as published e.g., by the Helsingin Sanomat about how banks can take two months to open a bank account for foreign students, or that transfer of 30 euros are blocked suggesting poor customer due diligence and dysfunctional transaction monitoring[6]. The general public can potentially get the impression that a bank lacks proper processes. Restricting or terminating customers’ banking services without disclosing the causes can cause confusion.

Costs and resources

Compliance is gradually better understood as a business advantage, not only a regulatory obligation.

One could think that having stringent measures in place to manage the ML/TF risks would be an effective way to fight ML/TF crimes. This is often resulting from placing too much focus on the literal wording of the law, rather than identifying and understanding the high-risk indicators in the entity’s business operations, often resulting in the poor allocation of compliance resources. As the focus is shifted away from where the real risk exists, ML/TF risks might increase. In other words, when the obliged entities place measures that are not commensurate with the risk, it can ultimately increase the compliance costs, without actually mitigating the ML/TF risks.

A key is the capability of an organization to ensure that the business-wide risk assessment (customers, products, services, distribution channels, geographical markets, technology, sanctions) indeed links to and feeds into the individual customer due diligence measures and customer risk classification. It is also an increasing industry practice, and soon to be a regulatory requirement, for obliged entities to have sanctions covered in the business-wide risk assessment separately. The upcoming Sanctions Regulations will place pressure for obliged entities to assess and document sanctions risks based on scenarios, as the FIN-FSA distinguish between sanctions risks related to customers, products, services, distribution channels and geographical areas on a business area-specific basis. It further highlights to pay attention to certain economic sectors in terms of the so-called sectoral sanctions.

Highlights from the FIN-FSA AML/CTF Regulations

Risk assessment interlinked to customer risk level

Applying a risk-based approach when defining what information to collect to determine a customer’s risk level must reflect risk factors such as products, services and customer groups. The risk assessment must clearly determinate what risk level is applicable, whether to apply CDD or EDD, and what measures to take accordingly. In other words, better connect customer due diligence with the business-wide risk assessment. This may of course vary on a risk-sensitive basis, depending on the risk appetite of the obliged entity.

KYC information

When establishing and maintaining a customer relationship, information sources and what information to collect from the customer and for what purposes is at the centre of a successful risk-based approach.

Information sources and adverse media screening

It further sets forth necessary measures by obliged entities to examine the accuracy of information from several information sources, that might contribute to the risk-classification. Such can include various sources of available information on the customer or its beneficial owners including e.g., court decisions, information from media and official registers. Doing so, credibility and reliability of the information source must be considered. It is noted that information based only on media reports should be avoided. However, after the partial update of the AML/CTF Act, the so-called adverse media screening can and is encouraged to be used as a complimentary tool.

While the new guidelines will be instrumental to many obliged entities, we can still see that some issue areas may need quite a bit of interpretation. For example, regarding the issue of business-wide risk assessment versus customer risk classification and the role that the approaching FIN-FSA Sanctions Regulations will play in this context. Specifically, how can these aspects connect and be used supportively in the daily operations? Another is the ongoing debate regarding collecting and handling customer information from various sources, which is a complex issue at the intersection between AML compliance and GDPR.
Sara Salmela

For more information please contact:

Sara Salmela

Senior Associate

Send email

+358444932468