New Wolfsberg Group Guidance on Effective Anti-Money Laundering and Combating Terrorist Finance Programmes




1. With so many factors to consider, many firms can find it challenging to know where to start when it comes to ensuring there is an effective Anti-Money Laundering and Combating Terrorist Financing (AML/CTF) programme in place. The preparation of a firm-wide risk assessment (FWRA), supposedly one of a Financial Institution’s (FI) most powerful tools in understanding risk exposure and setting risk appetite, can be particularly difficult to get right.

2. In this article, we highlight the key points from the latest statement published by the Wolfsberg Group (the Group) on the steps that can be taken by FIs to assess risk faced in priority areas[1] and to demonstrate the effectiveness of AML/CTF programmes.

3. As the Group explains, ultimately, each FI should be able to demonstrate effectiveness by telling its unique story, based on its risks and corresponding AML/CTF programme. This guidance is designed to provide some additional help in how best to achieve that goal. Whilst some of the advice is not new, there is an interesting new focus on resource-effectiveness and providing useful information to governments which echoes the call to move away from the ‘tick box’ compliance that we have heard about from the UK regulator in recent months.

4. This statement follows the Group’s Statement of Effectiveness in December 2019 which outlined the key elements of an effective AML/CTF programme (now known as The Wolfsberg Factors[2]) and its follow-up Statement on Developing an Effective AML/CTF Programme in August 2020 which set out the steps FIs could follow to evolve their AML/CTF programmes to focus on effective outcomes[3].

Key Points for Assessing Risk in Defined Priority Areas

5. The Group warns that there is a tendency amongst FIs to focus AML/CTF risk assessments on technical compliance with supervisory expectations, instead of considering how effectively they can prevent and detect financial crime.

6. Countries are required by the Financial Action Task Force (FATF) to take steps in identifying, assessing and understanding the AML/CTF risks they are exposed to, in addition to implementing measures that would mitigate against these risks. In the UK, there is also a legal obligation on regulated firms to conduct a FWRA under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

7. The Group observes that FIs currently often produce FWRAs which are complex, and focused on data, documentation, and process rather than outcomes. This type of FWRA is unhelpful and in order to be effective, assessing risk in priority areas needs to be done differently. In particular, FIs should focus on threats related to specifically defined national or supra-national priorities.

8. Where specifically defined priorities do not exist, FIs are encouraged to leverage priorities described in the jurisdiction’s National Risk Assessment, or equivalent publication, as defined priority areas. In either case, the more detailed information relating to these risks that is shared by governments with FIs, whether publicly or privately, the better the FI will be able to evaluate, mitigate, and potentially provide useful information related to these threats to law enforcement in return.

9. UK firms should look to the Third National Risk Assessment which was published last year, offering guidance to regulated businesses as to where the ML/TF threat is highest. Some of the high risk areas in the UK are considered as being financial services, money service businesses, accounting services and legal services. In addition, the rating for crypto assets increased from low to medium, and the risk posed by art market participants and letting agency businesses was also acknowledged.

Key Points for Evaluating and Demonstrating Effectiveness

10. The Wolfsberg Factors should be used as a framework to evaluate and demonstrate the effectiveness of controls that are in place in defined priority areas. By way of high-level overview:

Complying with AML/CTF Laws and Regulations

  • The Group warns that FIs must understand the relevant laws and regulations of each applicable country or supra-national authority and be able to demonstrate compliance with each regime. This sounds obvious, but the Group notes that FIs spend significant time and resources on activities that are considered “expectations” of an AML/CTF programme but are not required by law or regulation. This is wasteful and counterproductive. Regulators should also be clear to differentiate between legal obligations and areas where a risk-based approach is permitted.

Providing Highly Useful Information to Government Authorities in Priority Areas

  • Firms can also demonstrate effectiveness by way of providing useful information to government authorities; although the extent to which this will apply will vary from one FI to another, as a result of different approaches governments take when it comes to defining priorities and providing reporting feedback to FIs.
  • As the guidance makes clear, for some FIs, it may be helpful to track engagement with, and information provided to, government authorities, including suspicious transaction reports (STRs) and suspicious activity reports (SARs). It provides a set of metrics which can be used internally by an FI to measure its effectiveness, or externally to demonstrate to supervisors that its programme is designed to, and does, provide highly useful information. The metrics focus on the quality, not the quantity, of reporting.
  • The Group notes that the metrics are not to be used to compare one FI to another as some of the examples may not be applicable to all FIs depending on their size, risk profile, available government feedback and business model.

Reasonable and Risk-Based Controls to Detect, Prevent or Deter Financial Crime

  • As emphasised by FATF, effectiveness should be judged by outcomes rather than processes. As such, supervisors and FIs must focus on the practical element of whether controls make a material difference in assisting with the mitigation of risks and address AML/CTF priorities.
  • Controls are also required to be risk-based, meaning they must be focused on the higher risk areas that appear from an assessment of the threats faced by a FI.
  • Further, consideration must be given to the time and resources that are applied to ensure the effective implementation of risk-based controls. A control should be changed or completely removed where a cost benefit analysis shows that significant time and/or resource is nonetheless resulting in only minimal risk mitigation. FIs should consider the cost of failing to change or remove ineffective controls as part of their overall risk assessment of risk-based controls too.

The impact on FIs

11. This statement sets out a number of useful factors that can be taken into account by FIs to demonstrate effective AML/CTF programmes. Immediate questions for firms to consider include:

  • Does your FWRA identify and address the relevant defined priority areas?;
  • Have you conducted a gap analysis or can you otherwise evidence that you comply with each applicable AML/CTF law and regulation?;
  • Can you articulate how your AML/CTF programme provides highly useful information to government authorities in defined priority areas?;
  • Do you maintain a reasonable and risk-based set of controls that will mitigate risks of being used to facilitate illicit activity?;
  • Are you able to evidence effective law enforcement and government engagement?; and
  • Does your FI use STRs/SARs to identify networks of interconnected suspicious activity and ensure STRs/SARs are filed in priority areas aligned to financial crime priorities?

[1] Nationally defined financial crime prevention priorities, most importantly those set by law enforcement or prosecuting authorities.

[2] These factors are: (i) complying with AML/CTF laws and regulations; (ii) providing highly useful information to relevant government agencies in defined priority areas; and (iii) establishing a reasonable and risk-based set of controls to mitigate the risk of FIs being used to facilitate illicit activity.

[3] The effective outcomes are: (i) assessing risk in defined priority areas; (ii) implementing and enhancing controls; (iii) prioritising resources; (iv) engaging with law enforcement; and (v) demonstrating the effectiveness of AML/CTF programmes.
