EBA proposed guidelines on the risk based approach and CDD risk factors

Written by Roland Guennou on Friday February 19, 2016

New EU Guidelines on Risk Factors and Simplified and Enhanced CDD: It’s all about the risk-based approach so get ahead with the ICA

The 4th EU Money Laundering Directive ratified in June 2015 (Directive (EU) 2015/849) requires European Supervisory Authorities (ESAs)* to issue by the implementation date (June 2017) specific guidelines on the identification of customer due diligence (CDD) risk factors to be used in anti money laundering/counter financing of terrorism (AML/CFT) risk assessment and on the application of simplified or enhanced customer due diligence measures (Art 17 and 18).

This is part of a broader set of measures institutionalising the adoption of a risk-based approach to CDD**.

Here’s what you should know.

What the guidelines cover

The draft guidelines were released for consultation by the Joint Committee of the European Supervisory Authorities in October 2015 and a public hearing was held in London on 15 December 2015 at the European Banking Authority’s offices. The consultation closed on 22 January 2016 with both the proposed guidelines and responses from industry bodies and firms available on the EBA website. The consultation process also includes a paper on risk-based supervision by national authorities.

The guidelines first lay out what risk factors firms should be taking into account when assessing money laundering risks grouped around four categories of customer, country, product and channel (see chart).

They then articulate how due diligence measures can be tailored for simplified or enhanced due diligence around the timing and quantity of CDD information, depth of verification, frequency of reviews and levels of approval.

Title II is generic, while Title III offers sector-specific guidance across an interesting range of activities.

What’s new?

While the guidelines are broadly consistent with current market best practices – at least amongst large institutions – they represent a welcome evolution in the EU AML/CFT regulatory framework in that:

  • they provide an EU-wide reference in the subject matter at a reasonable level of detail where best practices have so far been encapsulated in the industry efforts of individual jurisdictions. There is therefore hope that the guidelines will support their stated aim of a better consistency in the application of CDD across the single market
  • they institutionalise CDD as a risk assessment discipline based on the holistic discovery of risk factors identified during the CDD process. This should undoubtedly encourage all firms to move away from the box-ticking culture still often prevalent in the domain.

What’s next?

On the other hand market participants will be keen to hear more from European authorities on:

  • the measures of success of the guidelines’ implementation and what assessment mechanisms might be used by authorities to gauge the actual benefits of these measures and
  • the timelines of the next steps in finalising the guidelines, which the ESAs have not shared to date. The deadline for the creation of the guidelines is the last implementation date of the Directive of June 26 2017.

The need for robust CDD qualification

Amongst the challenges on the journey towards a comprehensive risk-based approach to CDD, firms will be required to uplift their training and competence capabilities in view of the following.

  • Technical proficiency in collection of documentary evidence for identification and verification (ID&V), while still critical to successful CDD, will not be enough.
  • Instead, the application of risk-based CDD will require adequately trained know your customer professionals with increased levels of proficiency in the discovery, understanding and assessment of risk factors.
  • The holistic outcome of CDD and the acceptance of the AML/CFT risks of a customer relationship will require a complete and clearly documented rationale going far beyond the collection and verification of customer information.

Get ahead with the ICA

The ICA Advanced Certificate in Practical CDD launched in September 2015 provides a readily available first answer to these challenges to all financial services professionals involved in or impacted by CDD challenges.

This intermediate level course focuses on the core outcomes of customer due diligence and in particular the risk-based assessment of the acceptability of customer relationships.

It provides a hands-on learning journey through all key CDD disciplines of ID&V, understanding the customer’s profile and the purpose of the relationship, unwrapping ownership and control structures, performing sanctions, politically exposed persons (PEPs) and adverse media screening.

Based on a highly interactive, end-to-end case study, the course culminates in a complete risk assessment exercise illustrating the dynamics of analysing a wide range of risk factors.

For further information on this innovative new qualification, please visit the course’s home page.

Get involved

What do YOU think are the challenges with the implementation of the 4th Directive’s approach to risk-based CDD? Share your views by submitting your comments below.


(*) European Banking Authority (EBA), European Securities and Markets Authority (ESMA), European Insurance and Occupational Pensions Authority (EIOPA)
(**) The changes to the Directive to further institutionalise the adoption of a risk-based approach to customer due diligence also include the following.

  • Entrusting the EU Commission with the creation of a list of high-risk third countries (Art. 9) deemed strategically deficient in their AML/CFT regimes
  • Removing the blanket eligibility of regulated and listed firms to simplified due diligence (Art. 15) and the associated list of equivalent jurisdictions. Instead firms will be expected to individually assess the risks of the relationship before assigning a low-risk grade
  • Listing a limited number of risk factors to be considered when assessing customer risk, as well as a number of higher risk factors and cases of mandatory EDD (correspondent banking, PEPs, high-risk countries)
  • Not allowing a systematic exemption from EDD for branches and affiliates of obliged entities in high-risk countries


To stay updated on the latest developments in governance, risk and compliance, anti money laundering and financial crime prevention, please follow us on LinkedIn, Facebook and Twitter, where you are guaranteed to be notified when our next blog post goes live!


If you're interested in an ICA qualification in AML and/or CDD more information can be found on our ICA certificates and diplomas page. Alternatively, please call +44(0)121 362 7506 and we’ll happily talk you through your study options.

