AML Risk Assessment before launch of a new product or service

Assessing the ML/FT risk exposure before launching a new product or service

The regulated entities in the UAE are required to assess the overall exposure of the business to financial crimes. For this, the Financial Institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs) must conduct the Enterprise-Wide Risk Assessment (EWRA) considering the relevant risk factors. One critical scenario that impacts the business’s ML/FT risk is the potential of the new products or new practice areas being exploited by the criminals for laundering illicit money or financing terrorist activities.

When the regulated entities evaluate the risk associated with the new products or services, it would be possible for the entities to develop and deploy the necessary risk mitigation measures.

Through this article, let’s explore what business risk assessment is, the significance of assessing the ML/FT risk before introducing any new business practices, products, or services, and the best practices to assess this risk thoroughly.

Understanding the AML Risk Assessment

An AML Business Risk Assessment is an exercise conducted to evaluate the potential threats to the entity’s business operations, considering the overall profile in terms of customer base, business model, geographies in which the entity operates, the nature of products or services offered, the size, volume, and complexity of the transactions, the delivery channels and distribution methods used by the entity.

The EWRA includes the following sub-processes:

  • Identifying the risk factors and the relevant risk scenarios that impact the business
  • Determining the likelihood of the risk scenario materializing, its frequency, and the extent of the impact it can have on the business (this is an inherent financial crime risk the business may face)
  • Mapping the controls needed against these risk parameters (whether already in place or any additional controls or systems are required)
  • Analysing the strength and effectiveness of these controls
  • Assessing the residual risk and comparing the same against the entity’s management-approved risk appetite

The assessed risk gives insight to the regulated entity on the potential vulnerabilities and the risk mitigation measures required to overcome these risks or at least minimize the impact. This understanding helps the entity to determine the resources required and its optimal allocation based on the severity of the risks. Moreover, EWAR forms a base for the entity for designing the internal AML/CFT policies, procedures, and controls to stay safe and compliant with AML regulations.

AML Risk Assessment before launch of a new product or service

Development and launch of a new product or service bring a good business opportunity but may expose the business to newer types of financial crime risks. Thus, the regulated entities must evaluate the potential ML/FT vulnerabilities that may surface exploitation of the new products or services. With timely assessment of the associated risk, the regulated entities can proactively determine the mitigation measures required before the financial criminals misuse the newly introduced offerings.

Best practices to be followed for assessing the potential ML/FT vulnerabilities associated with new product or service

Involving AML Compliance Team in product/service design

The product or service development team must involve the AML Compliance Officer while discussing the design and development aspects. The AML Compliance Officer’s feedback can prove valuable in managing the product design in a way that reduces the risk possibilities.

The Compliance Officer’s understanding of the AML regulations would help the entity develop a product or practice that meets the compliance requirements without specifically providing options to the criminals to place the illegal funds into the economy.

Role of AML Compliance Officer in UAE Preview

Identify the risk scenarios

The regulated entity must evaluate the possible circumstances of how the criminals can exploit the new product or services for money laundering or terrorism financing. The entity may refer to ML/FT typologies associated with similar products/services. Reference should also be made to reliable data sources publishing the information and statistics about the financial crime vulnerabilities faced by peers offering the same or similar products.

Further, the regulated entity may also rely on emerging technologies like Machine learning or Big Data to study the existing data, draw patterns, and highlight the expected risks from recently established products or services.

For example, if a dealer in precious metals and stones plans to start an eCommerce portal for selling the jewellery online. Before making this portal live, the dealer must consider the ML/FT threats, such as the possibility of criminals making multiple transactions of smaller values using different IDs or fake IDs, to what extent the online portal would favour anonymity or provide an opportunity to criminals to conceal the actual beneficiaries, etc.

Assessing the nature and degree of controls required

Once the risk associated with new products and services is identified, the regulated entity must determine the risk mitigation measures required for such risks. The nature of controls and systems needed to be well documented against the identified risk parameter and how effectively these controls can tackle the risks.

Continuing the above example, if the dealer in precious metals and stones is planning to accept the payment in virtual assets, then the entity should have controls around screening the virtual assets wallets or identifying the geolocation of the party to avoid exploitation by criminals from high-risk jurisdictions.

Creating awareness and training the team

It is essential to onboard the senior management and the staff on this new products/services AML journey. The regulated entity must impart required AML training to the team around potential risk situations that may arise with these products/services, the modified systems and controls implemented, and the expected role of the employees in managing the risks.

When the systematic approach is adopted for assessing the risk arising from new products and services, mitigating this risk and its impact on the business can be managed efficiently.

Implementing additional controls of modifying the existing ones

Once the controls have been identified, the regulated entities must check whether existing controls can be used or enhanced to manage the new product/service’s risk. If not, the additional controls must be incorporated into the existing systems, making them capable of handling the newer risk scenarios.

In the current example, the dealer in precious metals and stones would be required to enhance the existing KYC forms and the Customer Due Diligence measures to cover the identification of the customer (as non-face-to-face transactions pose a different level of risk) and inquiry around the mode of payment.

Further, the jeweller might not have the systems that allow the screening of crypto wallets. Here, the existing systems must be upgraded or replaced with an advanced tool that supports the identification of red flags related to virtual assets, monitors the crypto transactions, and triggers an alert when any suspicious activities are observed.

Significance of the AML Risk Assessment before launch of a new product or service

This beforehand assessment of the financial crime risk and implementation of the necessary controls will enable the regulated entities to check the exploitation of new products or services by the financial criminals.

The proactive approach of the entity demonstrates the entity’s commitment to combat financial crimes. It instils the trust and confidence of the customers and other stakeholders in the entity’s business practices.

Further, identifying the risk before introducing new products or services is also mandated under the UAE AML regulations. Thus, with this risk assessment, the entities avoid non-compliance fines and penalties, safeguarding the business against reputational damage and unnecessary legal hassle.

When the business and compliance goals are aligned for a newly developed product or service, the future hassle or complexities associated with the products can be eliminated, bringing the desired outcome of fresh offerings.

AML Risk Assessment before launch of a new product or service

Let AML UAE assist in identifying and managing the ML/FT risk associated with new products or services

The ML/FT risk assessment is crucial for the regulated entities before introducing or developing any new product or services to understand the new risk vulnerabilities and deploy the timely mitigation measures without allowing the launderers to exploit these new launches. In this journey, let AML UAE help you assess the risk arising from such a new product/service while you focus on business development. With a thorough understanding of the AML regulatory framework and the industry experience, we can assist you in assessing the overall business risk, implementing the required controls, and creating awareness amongst the team to stay AML compliant.

Let’s partner in your efforts to protect the economy’s integrity and security against financial criminals.

Make significant progress in your fight against financial crimes,

With the best consulting support from AML UAE.

Our recent blogs

Contact Form

side bar form

This field is for validation purposes and should be left unchanged.

Share via :

Share on facebook
Share on twitter
Share on linkedin

About the Author

Jyoti Maheshwari


Jyoti has over 6 years of hands-on experience in regulatory compliance, policymaking, risk management, technology consultancy, and implementation. She holds vast experience with Anti-Money Laundering rules and regulations and helps companies deploy adequate mitigation measures and comply with legal requirements. Jyoti has been instrumental in optimizing business processes, documenting business requirements, preparing FRD, BRD, and SRS, and implementing IT solutions.