ASK MAT – What is the difference between an AML/CTF/CPF “BRA” and a “CRA”?

ASK MAT – What is the difference between an AML/CTF/CPF “BRA” and a “CRA”?

MAT SAYS: Thank you for an excellent question. The difference between a firm's AML/CTF/CPF BRA and its CRA is significant. However, many in the regulator sector conflate the two, leading to regulatory sanctions and the possibility of not managing financial crime risk appropriately.

So, to answer your questions, we will start with the acronyms.

• BRA – or business risk assessment – although the proper term should be enterprise-wide or business-wide risk assessment, namely an EWRA-BWRA (in some jurisdictions, the term used is firm-wide [FWRA])
• CRA – or customer, or client risk assessment or in some jurisdictions, a customer/client relationship risk assessment, also known as a CRRA

To help answer your question, you will be pleased to hear the Jersey regulator, the JFSC, has recently issued a visit feedback on BUSINESS [BRA] and CUSTOMER RISK [CRA] ASSESSMENTS across the legal sector, focusing on compliance with legislative and regulatory requirements.

• See here https://www.comsuregroup.com/news/jfsc-business-bra-and-customer-risk-cra-assessments-feedback-across-the-legal-sector/

The JFSC paper is helpful because it highlights issues with “BRAs” and “CRAs”; however, it does not deal with the RAs requirements without ensuring the reader understands the differences between the two methodologies.

I will use the acronyms EWRA-BWRA and CRA in offering a breakdown on the differences between the two:

AML/CTF/CPF - EWRA-BWRA

• Enterprise-Wide Risk Assessment (EWRA) and Business-Wide Risk Assessment (BWRA) are comprehensive evaluations conducted by financial institutions to assess risks related to:
• Anti-Money Laundering (AML)
• Counter-Terrorist Financing (CTF)
• Counter-Proliferation Financing (CPF)
• These assessments focus on identifying and mitigating risks across the entire organisation. They consider factors such as:
• Inherent Risks: Risks present before any controls are applied.
• Control Environment: Effectiveness of existing controls.
• Residual Risks: Risks remaining after controls are applied and
• Effectiveness of the controls

AML/CTF/CPF - CRA

• A Customer Risk Assessment (CRA) focuses more specifically on evaluating the FINANCIAL CRIME risk associated with individual customers.
• A CRA measures the FINANCIAL CRIME threat risk by using customer data in Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) (customer data)
• The customer data is measured against
  • The firm's risk appetite and
  • External forces such as laws, regulations, and regulatory rules and guidance, e.g. PEPs, sensitive activities, FATF black/grey listed countries, and sanction countries.

• Furthermore, the customer data is then measured against predetermined themes that include:-
• Customer type
• Customer activity
• Customer Country exposure
• Customer relationships with other parties
• Customer transactions
• Ongoing Monitoring: Continuously assessing customer transactions and behaviour.
• A CRA measurement evaluates the:-
• The possibility of their customer being involved/connected to FINANCIAL CRIME, illicit activities and or property and
• Whether their customers' behaviour or circumstances fit the firm's CUSTOMER RISK APPETITE
• Key Differences
• Scope:
• EWRA/BWRA covers the entire organisation,
• CRA focuses on individual customers, whether individuals (natural persons) or legal persons.
• Purpose:
• EWRA/BWRA aims to identify and mitigate enterprise-wide risks,
• CRA aims to assess and manage risks posed by specific customers.
• Frequency:
• EWRA/BWRA is typically conducted quarterly, annually (dependent on risk appetite) or event-based,
• CRA is an ongoing process.

The above is a summary of the differences and should not be treated as a complete analysis of the differences between an AML/CTF/CPF EWRA-BWRA and a CRA, albeit it’s a good start 😊

AND BELOW THERE IS SOME FURTHER READING:-

Further COMSURE thoughts on CRAs can be found here:-

• ASK MAT: How does a Customer Risk Assessment (CRA) determine whether my customer is involved in illicit activities such as money laundering
• https://www.comsuregroup.com/news/ask-mat-how-does-a-customer-risk-assessment-cra-determine-whether-my-customer-is-involved-in-illicit-activities-such-as-money-laundering/

Here is an article written about EWRA/BWRA  that adds to the above:-

• https://www.comsuregroup.com/news/fca-enforcement-notice-good-and-bad-practices-on-business-wide-risk-assessment-bwra/

Mauritius Effective Customer Risk Assessment (CRA) Guide

• One of my favourite regulatory publications is the 30 December 2013 Mauritius Effective Customer Risk Assessment Guide
• See here - https://www.fscmauritius.org/media/1334/aml_cft_v4.pdf

OTHER REFERENCES

• Enterprise-wide Risk Assessment: Statement Structure https://www.acamstoday.org/enterprise-wide-risk-assessment-statement-structure/

COMSURE CRA 

• LOOK AT THE Comsure CRA https://itrackaml.com/iTrackPromo.mp4

"iTrackAML by Comsure" relaunch countdown clock