
Does your firm have a written risk policy?

Question no. 3 from the supervisor

During an audit, one question you can almost certainly expect is: “Do you have a risk policy, and may I see it?” This requirement is laid down in Articles 2a and 2b of the AML. In practice, firms often struggle to respond to this question properly. That is why this article covers everything you need to know to answer with confidence and clarity. 

Customised Model Policy 

When drafting an AML policy, many firms use a standard model policy, such as the one provided by the Bar Association. While this provides an excellent starting point, it is not sufficient on its own. A good risk policy must be tailored to your specific practice and reflect the character and operations of your firm. The more personalised and practical the policy is, the better it can be integrated into your daily work processes. 

How do you achieve this? Below are three essential components for writing a sound, tailored AML risk policy.

1. Define your firm's risk appetite

Your AML policy should include your firm’s risk appetite and level of risk tolerance. This is documented in the firm-wide risk assessment. Describe the types of risks your firm encounters and how you assess them. Analyse the sectors your firm focuses on and the risk levels associated with those sectors or client types. Once these risks have been identified and clearly described, it becomes easier to detect and discuss them internally. This transforms your AML policy from a theoretical obligation into a practical and active tool within the workplace. 

2. Document the AML work process

It is important to document the entire process, from client onboarding and identification to reporting unusual transactions. This includes outlining how to handle exceptions and complex clients. What steps are taken when a client is a foreign company, particularly from a high-risk country? What is your procedure for reporting unusual transactions? How are existing clients monitored? Be sure to include how the four-eyes principle is ensured and what role a compliance officer may play. 

In our fourth article, we will explore AML procedures in more detail, which may help you further refine your policy.

 

3. Clarify the risk qualification process

The method for qualifying client risks should be clearly set out as part of the documented AML work process. Indicate how you categorise clients: what qualifies as low, medium or high risk? You can define what constitutes a high-risk profile within your firm by including a risk indicator checklist in your policy. 

AML legislation refers to both objective and subjective indicators. For subjective indicators, you must make your own assessment as to whether there is reason to suspect that the client may be linked to money laundering or terrorist financing. These assessments must be recorded in your policy. Make sure you also describe how escalation is handled and how the four-eyes principle is applied in such cases. 

 

The importance of a risk policy according to KC Legal 

We asked lawyer and tax advisor Friggo Kraaijeveld why a written risk policy is important for his firm. Friggo explained: “On the one hand, we are legally obliged to have one. On the other hand, the process of drafting this policy has made us far more aware of our business risks. We’ve formalised our internal processes, which allows us to work in a consistent and structured way. It has become a way of thinking and a great foundation for working more systematically. Plus, I would rather avoid a fine.” When asked for a tip for other firms, Friggo added: “Use the knowledge of others. Work with a specialist party who can support you with the format and content of the policy. At the same time, make sure the content stays true to the nature of your own firm. For us, developing the policy became a sort of ‘sanity check’.”

 

Golden Tip: Visualise your process 

Once the three components are clearly described, document them in your policy. A golden tip is to visualise your workflow. Instead of writing several pages of text, you can sketch or design a visual representation, such as an infographic, that clearly outlines your AML procedures and escalation process. If you need help with this, don’t hesitate to get in touch. As part of our ‘Compliance as a Service’ offering, we regularly create these visualisations for firms. 

 

Four final tips for a functional policy 

  1. Ensure the policy truly reflects your firm’s approach. Make it your own, including handling of firm-specific exceptions. 
  2. Keep the policy up to date. Review it regularly and check whether it aligns with the latest legislation and internal practices. 
  3. Make it accessible. Ensure that all staff can easily find the policy. Store it on your intranet or, if applicable, in the knowledge centre of your AML software such as RegLab. 
  4. Make sure the policy is followed in practice. It must be a living part of your organisation. Organise internal knowledge sessions and regular training. 

 

Final Note 

During an inspection, the regulator may ask you to apply your AML policy to a few randomly selected files. If you cannot trace the policy’s application in those files, you risk a warning or even a fine. But if you follow the tips in this article, you will not only be able to answer confidently, but also demonstrate that you take your AML obligations seriously and apply them consistently.

Themed file: fully prepared for the supervisor’s audit

This article is part of a series of articles and downloads that will help you prepare for the supervisor’s visit. The content is based on the questions a supervisor frequently asks during an audit. Do you want to be 100% AML-proof and ready for the supervisor’s visit? Find all FAQs in our Knowledge Centre.
