Does your office have a written risk policy?

Question no. 3 from the supervisor

Do you have a risk policy, and if so, can I see it? Expect this question during an audit (Sections 2a(1) and 2b(1) of the AML). In daily practice, it turns out answering this question satisfactorily can be something of a challenge.

Personalising the Model Policy

When writing a risk policy, offices often use a model policy like that of the Bar Association. This policy provides an excellent basis. It is even better to personalise it. The more tailor-made a risk policy is, the better it can be integrated into existing work processes. You may be wondering: “How exactly do I proceed?” Below are three essential elements for writing your very own solid policy.


#1: Your firm's risk appetite

Include the risk appetite of your office in your policy. Describe things like the risks your office identifies and how you feel about those risks. If you approach the AML policy like this, you make it concrete and less obscure. Analyze which sectors you are targeting and what risks these sectors or customers impose. Having identified and described those risks, you will be able to proceed more efficiently, making those risks more visible.


#2: The AML work process

It is important to describe in detail the entire work process, from accepting and identifying new clients to reporting any unusual transactions. This also applies to all exceptions and, for instance, 'complex' clients. How do you proceed when a foreign company is involved? Especially if it concerns an organisation from a high-risk country? What steps do you then follow? How do you act in the event of an unusual transaction report and how do you monitor existing clients? Also, do not forget to write down who does what, how you guarantee the four-eyes policy and what the role of a compliance officer is (if any). In the fourth blog post, we discuss in more detail the AML procedures. This is a good source of inspiration.


#3: Risk Qualification

The risk qualification method is part of the work process mentioned above. Because it is so specific, it is dealt with separately in this section. We advise every office to determine what a low, medium and high risk is and how to act in that case. You decide when a client has a high-risk profile. The easiest way to do this is to add a risk indicator list to your policy.

Under the AML, you are dealing with objective and subjective indicators. With objective indicators you check the sanctions and high-risk country lists and if there is a PEP involved. With subjective indicators, you determine, based on your own consideration, whether there is reason to assume that the customer may be involved in money laundering or terrorist financing acts. You should record this consideration in your policy, i.e. which conclusions you draw and when. Unfortunately, there is no fixed list of subjective indicators available. You can, however, use the 'AML guideline and the AFM's sanctions law' for this. Define here how an escalation works and ensure a 4-eyes policy. 


The importance of a risk policy for KC Legal

We asked lawyer/tax expert Friggo Kraaijeveld why a risk policy is important to his office. Friggo: “On the one hand, we are legally obliged to draft this policy. On the other hand, by doing that, we become more aware of our business risks. We have formulated processes and can now act on them uniformly. It has become a way of thinking and offers an ideal starting point for process-based working. Moreover, I like to avoid fines.”

We asked Friggo to provide a tip for other offices. Here is how he responded: “Use the knowledge of others, like a specialist party who can help with the format and the parts to be treated. When giving substance to the policy, make sure that you stay close to yourself as an office. For us, drawing up the risk policy immediately became a kind of 'sanity check'.”


Golden tip

If you have sorted out these three parts, record them in your policy. Our golden tip for that? Visualise, i.e. sketch or draw, the work process and the escalation procedure. Instead of describing this in various pages, you can sketch the process in, for example, an infographic (a formatted image showing the process). Can't figure it out yourself? Please feel free to contact us. We regularly perform these visualisations within our 'Compliance' service.

Finally, some practical tips for writing, implementing, and keeping the policy up to date.

Make sure a policy is your office policy. Make it your own and keep in mind any exceptions for your office.

  1. Make sure your policy is up to date at all times. Check on a regular basis and schedule these checks. Also check whether the policy still complies with the latest legislation.
  2. It is important that the policy is easy to find for every employee. Save it in your intranet environment or, if you are using it, in the Knowledge Center of your AML software (e.g. RegLab).
  3. Ensure that the policy is put into practice by everyone. It should become a dynamic part of your office. Organize internal knowledge days and training sessions.

The supervisor will ask you to show your policy based on two (random) clients. If nothing can be found in the file, a reprimand or fine will follow. If you follow the tips in this article, you will prevent difficult conversations with the supervisor.

Themed file: fully prepared for the supervisor’s audit

This article is part of a number of articles and downloads that will help you prepare yourself for the supervisor’s visit. This content is based on a supervisor's FAQs during an audit. Do you want to be 100% AML-proof and ready for the supervisor’s visit? Find all FAQs in our Knowledge Centre.
