The new National Risk Assessment (NRA), published late last week, has significant implications for the UK payments sector. In this blog, we will highlight the key takeaways for practitioners, along with the necessary changes to look out for.  With the new NRA covering 163 pages of content, this blog  cannot touch on every item of interest and concern. As such, we have highlighted and drilled down on what we feel are the most pressing and critical components raised, and what your firm needs to do now to tackle them. 

Critical takeaways from the new National Risk Assessment 

The latest NRA has raised the money laundering risk for the regulated e-money and payment services provider (PSP) sector from medium to high. This, unsurprisingly, is the big headline, although, not an unexpected one. This increase is attributed, at a high level to the rapid scaling of the sector since 2020, the complexity and diversification of services, and the increased exposure to high-risk jurisdictions. This is all in the face of the NRA’s view that onboarding processes for EMIs and PSPs tend to be much simpler than that for high street banks. This, combined with the aforementioned growth of the sector, has displaced a certain amount of criminal activity away from traditional banks. 

While risk mitigation is seen as having improved in the PSP sector, the overall risk score has risen due to the following primary factors. 

  1. The sector’s attractiveness to criminals for cross-border fund management and laundering has grown, necessitating enhanced vigilance and robust AML controls.  

    ACTION:
    Firms are expected to review and potentially revise their customer acceptance policies to better identify and manage risks associated with simpler onboarding processes.

  2. Simpler onboarding processes and the use of virtual IBANs (VIBANs) have made the sector more susceptible to exploitation by criminals.

    ACTION: Firms are expected to strengthen enhanced due diligence (EDD) procedures for customers utilising VIBANs and those involved with cryptoasset services in a risk-based fashion.  

     

  3. The rise in cryptoasset firms acting as e-money agents has introduced higher money laundering and terrorist financing risks.

    ACTION: Firms are expected to initiate increased oversight and control of cryptoasset-related activities to mitigate associated risks.  


What this means for your AML/CTF framework 
 

The elevated money laundering risk necessitates immediate updates to risk assessment documents and methodologies. Firms must ensure their policies and procedures are aligned with the latest regulatory expectations. As a gut reaction, firms will, of course, work to update their business wide risk assessment (BWRA) since it is a mandatory requirement to include consultation of the NRA. However, keep in mind, as the BWRA sits atop the proverbial pyramid of AML/CTF documents, any changes to said assessment will have sweeping implications across firms’ framework (see our recent blog on building your BWRA for further guidance). 

  1. Business wide risk assessments (BWRAs), enterprise-wide risk assessments (EWRAs), and customer risk assessments (CRAs) must be updated to reflect the increased inherent risk and associated risks highlighted within the NRA, as applicable. Firms should re-evaluate their methodologies for assessing exposure to, in particular, high-risk jurisdictions and complex services.

  2.  Onboarding, due diligence, and periodic review policies must address vulnerabilities related to simpler onboarding processes and the absence of physical presence, with non-face to face relationships needing to be risk assessed with gusto. Enhanced due diligence procedures must be strengthened for high-risk customers and for those involved with cryptoasset services. 

  3. Existing transaction monitoring systems will need review and, if required, refinement to detect typologies related to increased money laundering and terrorist financing risks and cryptoasset-related illicit financial flows. Transaction monitoring systems should be updated to detect unusual patterns associated with cross-border fund movements, diversification of services, and complex payment patters, to name a few.

  4. Staff training modules should be updated to reflect the new vulnerabilities, emerging typologies, and enhanced information-sharing mechanisms. Further, training should be updated to ensure staff are aware of the requisite process and document changes mentioned so far in this blog.
  5. Given the increased number of EMIs and PSPs with e-money agents who are principally cryptoasset firms, as well as the risk of exposure to illicit actors through partnerships with unregulated or less-regulated entities, policies for agent and third-party due diligence, monitoring, and oversight must be significantly enhanced to ensure that all associated risks are captured and accounted for.

  6. Finally, senior management and boards will need to be actively engaged in overseeing the implementation of updated AML / CTF policies and controls. Compliance functions may require increased resources and expertise, particularly in areas concerning complex payment structures.  


How we can help
 

At fscom, our expert audit and advisory teams work at the front line of anti-financial crime and know what high quality AML/CTF frameworks look like and, more importantly, how they should be built to last and to exceed regulatory expectation. 

Contact our anti financial crime specialists today to arrange a review of the impact of the new NRA on your firm.


This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.