Comments and recommendations by the NBB
As an extension of the overall assessment of ML/FT risks, which must be performed in accordance with Article 16 of the Anti-Money Laundering Law, financial institutions are required, pursuant to Article 4 of the Anti-Money Laundering Regulation of the NBB, to define different risk categories and to apply apropriate due diligence measures specific to each category. These risk categories must specifically reflect each risk identified in the above-mentioned overall risk assessment and be based on objective risk factors that are combined in a consistent manner (cf. in particular the variables and risk factors referred to in Annexes I to III of the Law).
Based on the above, the risk classification should in theory include at least two risk categories (high and standard risk) and possibly a third one (low risk). However, it is important to note that this classification must ensure that appropriate due diligence measures are implemented in each situation. Regardless of the classification technique used, each financial institution must be able to demonstrate that its risk classification permits this objective to be attained (Art. 17, paragraph 2 of the Law). Hence it may be useful to classify situations which require identical due diligence measures in the same risk category. In that case, the number of risk categories will correspond to the number of risk situations requiring different risk mitigation measures. Thus, if several risks considered as high require different risk mitigation measures, depending on the nature of the risks concerned, it would be useful, in practice, to create the same number of corresponding risk categories. However, according to this principle, a risk classification comprising only two risk classes (high and standard risk) would only be relevant in the case of a financial institution whose overall risk assessment shows that it is essentially exposed to very homogeneous ML/FT risks which should not be considered as high, taking into account the homogeneity, from a risk viewpoint, of its activities, its customers, its distribution channels and the geographical areas concerned. In this case, although its overall risk assessment may lead it to consider that, as a general rule, all business relationships or transactions with its customers should in theory be qualified as "standard risks" and could therefore all be grouped into a single risk class and be subjected to a single set of risk reduction measures, this financial institution should also provide for a "high risks” category, which should contain business relationships or transactions that are found in the individual risk assessment to deviate from the forecast based on the overall risk assessment, so that enhanced due diligence measures are required.
From this perspective, it should be noted that, in accordance with Article 4 of the NBB Regulation, financial institutions should ensure that the risk categories they define enable them, if necessary, to classify a customer in a risk category other than that in which he should in theory be classified, if they identify, in the context of the individual risk assessment carried out in accordance with Article 19, § 2 of the Anti-Money Laundering Law, cases of high risk or cases of low risk. The definition of risk categories should also allow financial institutions to take into account the cases of enhanced due diligence referred to in Articles 37 to 41 of the Law.
While the risks specific to each institution must in the first place be reflected in the classification, based on the overall assessment performed by the institution concerned, a concrete analysis of the level of risk presented by each customer may have to lead to a shift from one risk category to another, that is different from the first category in which the risk would have been classified a priori according to the overall assessment.
Finally, each risk class must be matched by appropriate measures to manage the ML/FT risks thus identified and classified. These measures include, in particular, the customer acceptance policy and the due diligence measures (see page “Policies, procedures, processes and internal control measures”).