AML risk-based approach

AML risk-based approach for CySEC & CySEC regulated entities

The 4th Anti-Money Laundering Directive (AMLD 4), subsequently further enhanced by the 5th AML Directive (AMLD5), recognised that the risk of money laundering (ML) and terrorist financing (TF) can vary, which highlights the importance of adopting a risk-based approach, whether as a supervisory authority or as a supervised firm. Accordingly, the Cyprus Securities and Exchange Commission (CySEC), as well as CySEC regulated entities, are required to identify, assess, and manage ML/TF threats by implementing tailored, risk-sensitive procedures.

In this commentary, the SALVUS Regulatory Compliance team outlines important information about CySEC’s risk-based supervision and the AML/CFT obligations of CySEC regulated entities as follows:

1. What does CySEC risk-based supervision entail?
2. What is examined through an individual risk assessment?
3. What are the AML/CFT obligations for CySEC regulated entities?
4. How to achieve AML compliance

1. What does CySEC risk-based supervision entail?

European competent authorities, and consequently CySEC, are required to follow a four-step process for employing an effective AML/CFT risk-based supervision model. Any such model requires the authority to

  • identify ML/TF risk factors of different sectors and assess their exposure to ML/TF risks. Supervised entities are categorised within sectors based on specific characteristics they share, such as
    • the size and nature of their business,
    • the type of serviced clients,
    • the geographic area(s) they operate in,
    • their activity, and
    • their delivery channels.
  • conduct a risk assessment that takes a holistic view of the ML/TF risk factors identified, with the sectoral risk assessment forming the basis for the individual risk assessment of each entity.
  • apply AML/CFT supervision ensuring that entities exposed to significant ML/TF risks are subject to more frequent and intrusive supervision compared to the ones exposed to moderately or less significant risks.
  • perform periodic and ad-hoc reviews of the risk-based supervision model, integrate new information collected from sectoral and individual risk assessments, and respond to external developments.

2. What is examined through an individual risk assessment?

Besides the information and risk factors identified on a sectoral level, in order to understand the inherent risk factors applicable to an entity, CySEC collects, inter alia, information about

  • the ownership and corporate structure considering the organisation’s level of complexity and transparency,
  • the reputation and integrity of senior managers, directors, and shareholders,
  • the suitability and competence of the AML Compliance Officer (AMLCO),
  • the nature and complexity of the products and services offered, as well as the activities and transactions carried out,
  • the delivery channels used, e.g. non-face-to-face, agents, intermediaries,
  • the types of customers serviced, e.g. politically exposed persons, and
  • the geographical areas of business activities, especially when high-risk third countries are involved.

Furthermore, for an entity’s residual risk assessment, CySEC utilises different sources to collect information in respect of

  • the adequacy of the mitigating measures in place, and in particular
    • the ML/TF risk management framework,
    • the entity’s years of operation, liquidity or capital adequacy,
    • findings emanating from desk-based and off-site reviews,
    • internal control function reports, e.g. internal audit, compliance, and risk management.
  • the effectiveness of the mitigating measures in place, assessed by reference to
    • the quality of internal governance arrangements, including
      • internal audit and compliance functions
      • reporting lines
      • the involvement of the Board of Directors
      • the effectiveness of the AML/CFT policies and procedures
      • the ongoing training of the staff
    • findings from previous on-site inspections and testing,
    • pending or imposed supervisory measures and sanctions, and
    • information from financial intelligence units relating to suspicious transaction reports.

Placing the above into perspective, we highlight the importance of cultivating a strong AML compliance culture, communicated and adopted throughout all levels of an organisation.

3. What are the AML/CFT obligations for CySEC regulated entities?

CySEC regulated entities, including Cyprus Investment Firms (CIF), Alternative Investment Funds (AIF) and Crypto Asset Services Providers (CASP), are subject to the provisions of the Cyprus AML Law and European AML directives and guidelines. Their obligations lie in the establishment of adequate and effective procedures for the identification and assessment of the ML/TF risks to which their business is exposed. Important procedures in this respect are

  • client onboarding, i.e. the entire procedure that precedes the acceptance of a client, involving
    • pre-account opening customer due diligence,
    • collection of information and documents,
    • the assessment of the appropriateness of the client’s knowledge and expertise in relation to the products they are about to purchase,
    • the AML risk scoring assessment, and
    • the construction of a customer economic profile.
  • Customer Due Diligence (CDD), for the identification and verification of a customer, the collection of appropriate information and documentation, referred to as Know Your Customer (KYC), and their evaluation. The application of a risk-based approach enables the enforcement of different levels of CDD measures based on the risk that each client bears.
    • Simplified Due Diligence (SDD) for customers of lower risk and Enhanced Due Diligence (EDD) for customers of higher risk.
    • the application of different levels of CDD is reflected in the quantity, quality, and frequency of information requested and monitoring conducted.
  • AML risk scoring, for the evaluation of the ML/TF risks posed by each client, taking into consideration the different risk factors used by CySEC on a sectoral level and on a client level.
    • the weighting of risk factors is a pivotal element that requires the judgement of each firm, since it may vary from product to product, customer to customer and firm to firm, and it outlines the risk limits of an entity.
    • therefore, a business-wide risk assessment must be conducted.
  • ongoing monitoring and record keeping, which are essential for the firm to ensure that evaluations and assessments remain current, that business relationship risks remain relevant, and that the procedures in place continue to be suitable and appropriate.
    • in this context, customer identification records must be kept up to date, regular checks must be performed on the validity and adequacy of customer information, and the detection and investigation of unusual and suspicious transactions must be carried out on an ongoing basis.

In this respect, we encourage CySEC regulated entities to consider the risk-based approach as an ongoing, cyclical, and dynamic process rather than a one-off exercise.

4. How to achieve AML compliance

AML compliance encompasses the development of effective policies and controls as per the AML regulatory framework, and these need to remain relevant and up to date. Additionally, it requires professionals who are skilled and equipped with the knowledge and expertise to design and implement such procedures, adding to the company’s overall AML compliance culture. The combination of the policies, controls, and procedures developed, along with the professionals employed, forms each organisation’s first and most important level of defence when it comes to the prevention and mitigation of ML/TF risks.

For that purpose, it is important for the stakeholders of an organisation to pursue systematic and targeted training that offers them the knowledge and competencies needed to enhance the company’s AML policies, procedures, and controls, and that informs them about AML regulatory developments and updates and the ways in which these are incorporated into the firm’s day-to-day operations.

How SALVUS can be of value

We guide internal teams of Investment Firms, Investment Funds, Crypto-Asset Services Providers (CASP), and Payment and Electronic Money Institutions (EMI) towards compliance with demanding regulations through our Anti-Money Laundering (AML) Review service.

Additionally, SALVUS Funds collaborates with the Institute for Professional Excellence (IforPE), to offer self-study Continuous Professional Development (CPD) courses. Our Education team designs courses suitable for professionals entrusted with AML duties and responsibilities, as well as professionals working at Cyprus Investment Firms, CASP, EMI, and other regulated entities dealing with ML/TF threats. Our latest courses are:

Please contact us via email at info@salvusfunds.com or call us at +357 7000 7898 if you require guidance about your AML compliance obligations or information about our AML CPD courses.


Should you be interested to read more about Anti-Money Laundering, CIF Capital requirements or Crypto-Asset Services Providers, please visit the selected articles below:

The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.