Risk assessment in focus – Insights from recent high-profile decision by the Swedish FSA
The Financial Supervisory Authority’s decision to revoke the license from Intergiro, a Swedish fintech company providing embedded finance and digital banking solutions, due to deficiencies in the work against money laundering and financing of terrorism warrants attention for several reasons.
One reason is the unmistakable clarity that the decision communicates regarding the requirements for designing a relevant and well-founded general risk assessment. It sends an important message to more than a few financial institutions why they should be concerned to create assurance around the evaluation of business-adapted risk factors in the general risk assessment. In this article, we discuss the importance of having a realistic general risk assessment that properly reflects risks in the business.
The Swedish Financial Supervisory Authority (SFSA) recently decided to revoke Intergiro’s license due to serious deficiencies in the company’s work against money laundering and financing of terrorism. According to the SFSA, “particularly powerful measures” were required to manage the high risk of money laundering and terrorism financing that the company is exposed to in its operations. The authority criticized, among other things, how Intergiro’s general risk assessment was designed. It was described as too generic, and the stated risks lacked a clear connection to the company’s operations.
In its review, the SFSA repeatedly emphasized that the general risk assessment should be realistic and based on the actual exposure of the business. It pointed out significant deficiencies related to the assessment of risks related to how Intergiro’s products and services could be used for money laundering and financing of terrorism. The SFSA also criticized how Intergiro has handled customer risks and geographical exposure, as well as the lack of internal and external data in the risk assessment.
Properly establishing what constitutes high risk
Another specific deficiency noted by the SFSA was that Intergiro described a “high risk” in its assessment without clarifying whether it concerned the risk of money laundering, financing of terrorism, or another type of risk. It also expressed criticism that the risk assessment stated it was an unacceptable risk if a customer’s unique beneficiary owner could not be identified, without indicating how often this occurred in practice. Moreover, Intergiro was criticized for the country risk assessment attached to the general risk assessment, which did not identify or consider the actual geographical exposure in the business.
The SFSA decision points to several important issues related to the general risk assessment that Advisense, in our role as consultants, often encounter. One key issue is the importance of using and analyzing proper proprietary data to correctly determine the exposure of the business and then adapt the risk assessment based on this data. More concretely, the general risk assessment should include considerations and evaluations of the exposure the business has. Specific data should be explained and analyzed, and modus should be assessed based on internal information about how methods are used in the business. As part of this, it is necessary that the business considers how common a given modus is, and include external information from relevant actors.
Regarding risks related to the business’s customers, the general risk assessment should indicate whether the described risk is common among the company’s customers and to what extent it affects the risk that the company’s products and services are used for money laundering or financing of terrorism.
The comment by the SFSA about geographic risks points out that the actual geographical exposure must be handled in the general risk assessment. A general country risk list is not sufficient in itself. Risk assessments must go beyond generic or broad country-level risk ratings and instead directly address the specific countries and regions where a business is actually exposed, for example, where it has customers or conducts transactions. This means that simply referencing a standard list of high-risk countries is not enough, a tailored, detailed analysis of the actual geographic exposure is required to properly manage and mitigate risks
Lessons
The Intergiro decision is an important reminder to financial institutions that the general risk assessment must not be disconnected from the actual exposure of the business. Measures to avoid the causes noted in the Intergiro case and strengthen the conditions for successful operations include:
- Handling: By reviewing internal reports and managing data output from, for example, transaction monitoring models, ensure effective control of data in the business so that it can form the basis for the work with the general risk assessment.
- Analysis: Use the data to analyze the business’s risks in the general risk assessment.
- Assessment: Make an assessment based on the analyzed data.
A robust general risk assessment requires clear positions and is based on updated, business-specific information about risk exposure. With the right tools and methodology, the risk assessment can become a powerful tool for both regulatory compliance and risk management.
For more information about how we support our clients with expert advisory services within AML/CTF and financial crime prevention, please visit this page.